Challenges of Practical Civil GNSS Security

Todd Humphreys, UT Austin

Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September 23, 2010

Emerging Threat: Civil GPS Spoofing

Civil GPS Spoofing Testbed at UT Austin

Data bit latency defense Phase trauma monitoring Dual-frequency tracking

Spoofer

Defender

Video Demonstration of Spoofing Attack(not embedded; see posted video)

Thoughts on the Way Forward for Civil GNSS Authentication More signals means more inherent security, but probably insufficient

Some civil cryptographic authentication scheme is likely required “Signal definition inertia is enormous” – Tom Stansell Navigation message authentication (NMA) appears to be best, practical

option (advocated by Logan Scott in 2003, others since) Goal of cryptographic authentication: force adversary to use directional

antennas in a replay attack Preliminary evaluation of NMA for L2C suggests optimism, but strategy

is not water-tight Cryptography is the easy part

Hard Part: Defend Against Security Code Replay Attack

>500 MHz FPGAs enablenear-zero-delay replay attack Soft W-bit

Estimation Hard W-bit Estimation

Effect on Target Receiver C/NoSoft W-bit

Estimation Hard W-bit Estimation

Spoofing Detection as a Hypothesis Testing Problem (Soft W Estimation)

Spoofing detection depends critically on good estimates of nominal (C/No)s and (C/No)r

Final Observations Must defend against following spoofing strategy: (1)

soften up target with low-grade jamming, (2) begin soft-estimate replay attack, (3) transition to hard-estimate replay attack

A J/N meter is indispensable in spoofing detection to eliminate the possibility that the receiver’s estimate of its own nominal C/No (in the absence of spoofing) has been altered

Solar radio bursts, unintentional/intentional jamming will tend to trigger spoofing alarms

Spoofing detection is challenging for dynamic platforms because of the volatility in the nominal C/No