#RSAC
SESSION ID: MBS-F01
Evolution of Deliberate Threats to Satellite Navigation Systems
Guy Buesnel
PNT Security Technologist, Spirent Communications plc
With acknowledgement to my colleague David DeSanto for material on responsible disclosure
Why are Satellite Navigation Systems vulnerable?
GNSS satellites orbit the earth in Medium Earth Orbits (GPS, GLONASS, Galileo, Beidou)
Transmit navigation messages to surface of Earth at low power (think 40W light bulb on satellite)
Vulnerable to specific threats due to the low RF power of the transmitted signals
Approx 12,550 miles
Overview of specific Satellite Navigation (GNSS) vulnerabilities
What are the main Satellite Navigation System vulnerabilities?
GPS Jamming
“15 of the 19 Critical Infrastructure & Key Resources Sectors have some degree of GPS timing usage”
• Power Grids
• Energy Plants
• Sub-Stations
• Air Traffic
• Maritime
• Logistics
• Transport
• ATMs
• Stock Exchange
• Internet Banking
• Core Optical Network
• Wireless Backhaul
• Broadcasting
• Data Centres
Real Life GPS jamming incidents (1)
FBI Cyber Division – Private Industry Notification October 2014
Auto thieves shipping vehicles to China used GPS jammers placed in shipping containers in an attempt to thwart tracking of the containers, according to July 2014 information from the National Insurance Crime Bureau.
In 46 reported incidents, the thieves placed one or more GPS jammers in cargo containers with stolen automobiles.
Cargo thieves in North Florida used GPS jammers with a stolen refrigerated trailer containing a temperature-controlled shipment.
In this incident, the hauling tractors were swapped out by the cargo thieves. The Miami-based suspects were ultimately stopped and apprehended by the Florida Highway Patrol in mid-Florida on a routine vehicle stop - the shipment was recovered intact.
Discovered, hidden inside the trailer’s refrigerator unit, were portable GPS jamming devices hooked unobtrusively to a battery located inside the unit.
Real Life GPS jamming incidents (2)
Commercial Aviation 2013-2016
Over 70 incidents of GPS jamming reported by pilots through NASA’s Aviation Safety Reporting System (ASRS)
One incident – Philadelphia North East Airport (PNE) – FCC Agents seized a GPS jammer from a truck driver and smashed it with a sledgehammer after numerous reports of jamming
Marseille Airport (LFML) 2016 – RNAV approaches to RWY 31L/13R and 31R/13L withdrawn due to GPS interference making them unusable
Manila Airport (NAIA) – Reports of GPS Receiver interference close to Airport by arriving/departing aircraft
Real Life GPS jamming incidents (3)
Source: http://www.gps.gov/news/ & http://www.uscg.mil/hq/cg5/cg545/alerts/0116.pdf
“This past summer, multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception. The net effect was various alarms and a loss of GPS input to the ship’s surface search radar, gyro units and Electronic Chart Display & Information System (ECDIS), resulting in no GPS data for position fixing, radar over ground speed inputs, gyro speed input and loss of collision avoidance capabilities on the radar display.”
GPS Jamming trial 2010 – Project STAVOG
1mW Jammer
• False Position
• Autopilot may turn vessel
• No Alarms
• Hazardously Misleading Information
>1mW Jammer
• Chart Displays Impacted
• AIS incorrect
• Differential GPS failure
• Sat and Voice Comms impact
• Distress System Fail
• Ship Radar and Gyro!
Source: GLA, UK
GPS jamming and unexpected behaviour
Michael Robinson – DEFCON 23, August 2015
- Knocking my Neighbor’s Kid’s cruddy drone offline
Demonstrated effect of disrupted (jammed) GPS Signal on a drone…
Noticed that the video feed from the drone started to jitter when he started to jam….
GPS Interference can cause unexpected behaviour in an unprotected system
GPS jamming doesn’t always deny GPS – sometimes it just degrades it to the point where unexpected results occur….
How clean is the GPS spectrum today?
[Figure panels: Spirent Paignton, UK; Spirent San Jose, US; German Airport; Japan]
How easy is it to get hold of a GPS jammer?
Replicating GPS Signals - Spoofing
[Diagram: Authentic GPS Signals from satellites give True PVT; Faked GPS Signals give False PVT]
• Aim of Spoofing (1) – Deceive the receiver into believing it is at a location that is different to its true position or fool it into reporting incorrect timing pulse/information
Replicating GPS Signals - Spoofing
• Aim of Spoofing (2) – Send a faked navigation message to the target device with the aim of causing a system or device malfunction
Real examples of GPS Spoofing (1)
Real examples of GPS Spoofing (2)
• Pokémon GO
From primitive to sophisticated - GPS hacking in six weeks…
How easy is it to get hold of a GPS spoofer?
Using an SDR as a GNSS Transmitter
• Low-cost Software Defined Radio boards are easy to procure – not designed for “Reverse Radio Hacking” but ideally suited as a platform to do this
• Used with Open Source Code - readily available on the internet for:
  • GPS transmitter (spoofer or repeater)
  • GPS Receiver (legitimate)
• Previous attempts at GPS spoofing have all used more expensive custom hardware
GNSS Segment Errors
• January 2016 - For more than five hours, the time broadcast by 15 satellites in the GPS network was 13 (or 13.7) microseconds short of standard Universal Co-ordinated Time (UTC)
• (the data was also months out of date and should have been rejected by receivers…)
• “GPS error caused '12 hours of problems' for companies - Thousands of users known to be affected worldwide – 12 hours of disruption occurred to users world wide including those in the telecoms and broadcast industries…”
• http://www.bbc.co.uk/news/technology-35491962
• 01 April 2014 – All GLONASS satellites started to transmit wrong broadcast messages. The satellite positions derived from these BM were wrong by up to ± 200 kilometres in x, y, z co-ordinates.
• Problems lasted for up to 10 hours. Impact on affected users was severe…
• “Bad ephemerides were uploaded to the satellites”…..
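A receiver-side plausibility check of the kind the January 2016 bullet says should have rejected the data, added here as an example and not taken from the slides or from any receiver's firmware. The fields follow the UTC parameters of the legacy GPS navigation message (A0, A1, t_ot, 8-bit WN_t, leap seconds); the 14-day age limit, the 1 microsecond step limit and all sample values are constructed assumptions.

```python
from typing import NamedTuple

SECONDS_PER_WEEK = 604_800


class UtcParams(NamedTuple):
    a0: float   # constant term of the offset, seconds
    a1: float   # drift term, seconds per second
    t_ot: int   # reference time of the data, seconds into the week
    wn_t: int   # reference week number, 8 least significant bits only
    dt_ls: int  # whole leap seconds


def data_age_s(p, week, tow):
    """Signed age of a parameter set at receiver time (full week, seconds)."""
    # WN_t is truncated to 8 bits, so difference the weeks modulo 256 and
    # map the result to -128..127 before converting to seconds.
    dweek = ((week & 0xFF) - p.wn_t + 128) % 256 - 128
    return dweek * SECONDS_PER_WEEK + (tow - p.t_ot)


def utc_offset_s(p, week, tow):
    """GPS time minus UTC in seconds, evaluated at receiver time."""
    return p.dt_ls + p.a0 + p.a1 * data_age_s(p, week, tow)


def validate(new, last_good, week, tow, max_age_s=14 * 86_400, max_step_s=1e-6):
    """Return (accepted, reason). Both thresholds are assumed policy values."""
    if abs(data_age_s(new, week, tow)) > max_age_s:
        return False, "reference time too old"
    step = utc_offset_s(new, week, tow) - utc_offset_s(last_good, week, tow)
    # A whole-second step is a leap second; a sub-second jump is not expected.
    if abs(step - round(step)) > max_step_s:
        return False, "sub-second jump in UTC offset"
    return True, "ok"


# Constructed values for illustration, not taken from a real broadcast.
WEEK, TOW = 1881, 200_000
LAST_GOOD = UtcParams(1.9e-9, 0.0, 319_488, WEEK & 0xFF, 17)
STALE = UtcParams(-13.7e-6, 0.0, 0, (WEEK - 20) & 0xFF, 17)     # 20 weeks old
FRESH_BAD = UtcParams(-13.7e-6, 0.0, 319_488, WEEK & 0xFF, 17)  # current, wrong

if __name__ == "__main__":
    for name, p in (("stale", STALE), ("fresh_bad", FRESH_BAD)):
        print(name, validate(p, LAST_GOOD, WEEK, TOW))
```

The second check matters because an age test alone would pass a wrong offset that arrives with a current reference time.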
Mitigation Techniques – Benchmark testing
• Fixed jammer
• Moving receiver
• Receiver moves on a path directly across jammer location
• Aim: How close can the tracking receiver approach the interference source before it starts to lose accuracy? When does the receiver start outputting accurate data again?
[Diagram labels: DUT, Interference Source, 1000m, 1000m]
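The two questions in the benchmark aim reduce to two numbers per test run: the range at which the receiver first leaves tolerance and the range at which it is reliably back inside it. The analysis below is an added example, not part of the original slides; the 5 m error limit, the log layout, the sample values and the reading of the diagram as a path from 1000 m before to 1000 m after the jammer are assumptions.

```python
import math

JAMMER_X_M = 0.0     # interference source at the midpoint of the path
ERROR_LIMIT_M = 5.0  # assumed accuracy requirement for the DUT

# Constructed log: (true along-track position in m, reported (x, y) in m).
# None means the receiver produced no fix for that sample.
SAMPLE_LOG = [
    (-1000, (-1000.8, 0.5)), (-800, (-799.1, -1.2)), (-600, (-601.5, 0.9)),
    (-400, (-402.0, 2.5)), (-300, (-293.0, 6.0)), (-200, (-170.0, 25.0)),
    (-100, None), (0, None), (100, None),
    (200, (260.0, -40.0)), (300, (303.0, 2.0)), (400, (391.0, 4.0)),
    (500, (501.0, -1.0)), (600, (600.4, 0.3)), (800, (800.9, 0.2)),
    (1000, (999.5, -0.6)),
]


def horizontal_error(true_x, reported):
    """Horizontal error in metres; infinite when there is no fix."""
    if reported is None:
        return math.inf
    return math.hypot(reported[0] - true_x, reported[1])


def benchmark(log, limit=ERROR_LIMIT_M, jammer_x=JAMMER_X_M):
    """Return (loss_range_m, recovery_range_m, worst_finite_error_m).

    Recovery is the first sample after the last out-of-limit one, so a single
    good fix in the middle of an outage is not counted as recovery.
    """
    errors = [(x, horizontal_error(x, rep)) for x, rep in log]
    bad = [i for i, (_, e) in enumerate(errors) if e > limit]
    finite = [e for _, e in errors if math.isfinite(e)]
    worst = max(finite) if finite else math.inf
    if not bad:
        return None, None, worst          # never left tolerance
    loss = abs(errors[bad[0]][0] - jammer_x)
    nxt = bad[-1] + 1
    recovery = abs(errors[nxt][0] - jammer_x) if nxt < len(errors) else None
    return loss, recovery, worst


if __name__ == "__main__":
    print(benchmark(SAMPLE_LOG))
```

In the constructed log the receiver gives one in-tolerance fix at 300 m past the jammer and then degrades again at 400 m, which is why recovery is reported at 500 m rather than 300 m.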
Mitigation Techniques
Risk Assessment Test vs threats
Implement mitigation strategy
Detection and characterisation of environment
Test DUT with Scenarios relevant to those Threats
Evolution of GNSS hacking
Information Security categories apply to GNSS situation (Source: SANS Institute)
Unstructured Hacker
Structured Hacker
Organised crime/industrial espionage
Insider
Unfunded terrorist group
Funded terrorist group
Nation State
GNSS threat evolution has strong parallels with evolution of Information Security threats (Theunissen, 2014)
[Chart axis: Likely severity of impact, Low to Very High]
History within the Information Security Community
There has been much debate within the community for the past 20 years
Initially, exploits were kept hidden and sharing was limited
The emergence of online forums brought the birth of full disclosure
After several years of full disclosure, a movement began for responsible disclosure
Responsible disclosure, like full disclosure, was also met with some criticism
Nondisclosure has been practiced in recent years by a limited part of the community or by companies trying to profit off of vulnerability research
Possible framework for GNSS vulnerability reporting
To build the best possible reporting framework, there are two options:
• The GNSS community can build its own solution separate from the Information Security community
  • It can control the reporting structure and leave the system as close to nondisclosure as possible
  • This may limit product vendor exposure; however, as outlined, this leads to a false sense of security
• The GNSS community can leverage the infrastructure put in place by the Information Security community
  • Responsible disclosure is in fact the correct course of action
  • This will allow security researchers and product vendors to disclose vulnerabilities publicly
  • This will lead to community-driven support in improving security within the GNSS industry
What you can do after this presentation
Next Week – Does your business use GPS for precise time or position information? Find out….
In three months – Find out how many GPS systems your business has. How many antennas are used? Where are the antennas? Do you have any mechanisms to cope if GPS is degraded or denied in any way?
Within six months – Determine which real-world threats to GPS pose the greatest threat to your organisation. Start planning an approach to increase your resilience to GPS denial or degradation. Work with your appropriate government infrastructure protection group to assure proper preparedness.
Thank you for your time
http://www.spirent.com/Solutions/Robust-PNT
Join the GNSS Vulnerabilities group on LinkedIn to find out more about GNSS jamming and spoofing and join the discussion
Image source: Twitter/SimonOstler, as published in Hack.com