Secure Motion Verification using the Doppler Effect

Matthias Schäfer† Patrick Leu‡ Vincent Lenders∗ Jens Schmitt††University of Kaiserslautern ‡trivo systems ∗armasuisse

Germany Switzerland Switzerland{schaefer, jschmitt}@cs.uni-kl.de patrick.leu@trivo.ch vincent.lenders@armasuisse.ch

ABSTRACTFuture transportation systems highly rely on the integrity ofspatial information provided by their means of transporta-tion such as vehicles and planes. In critical applications (e.g.collision avoidance), tampering with this data can result inlife-threatening situations. It is therefore essential for thesafety of these systems to securely verify this information.While there is a considerable body of work on the secureverification of locations, movement of nodes has only re-ceived little attention in the literature. This paper proposesa new method to securely verify spatial movement of a mo-bile sender in all dimensions, i.e., position, speed, and di-rection. Our scheme uses Doppler shift measurements fromdifferent locations to verify a prover’s motion. We provideformal proof for the security of the scheme and demonstrateits applicability to air traffic communications. Our resultsindicate that it is possible to reliably verify the motion ofaircraft in currently operational systems with an equal errorrate of zero.

1. INTRODUCTIONToday’s economy highly relies on the effectiveness of the

transportation system. However, the capacity of the trans-portation system is pushed to its limits by the ever grow-ing number of vehicles and airplanes. The solution to thisproblem lies in more autonomous means of transportation.Since machines can react faster and more accurately thanhumans, the minimum separation of vehicles can be reducedto increase the density, and, thus, the capacity of roads andairspace [1, 2].

To enable autonomous air and ground navigation applica-tions such as collision avoidance, platooning, or automaticcruise control, new standards and technologies have beenpublished to provide position, speed and direction of mov-ing vehicles [3, 4]. However, as demonstrated in [5, 6, 7],integrity breaches due to malicious tampering with this datacan result in life-threatening situations. Consequently, it is

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than theauthor(s) must be honored. Abstracting with credit is permitted. To copy otherwise, orrepublish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from permissions@acm.org.

WiSec’16 , July 18 - 22, 2016, Darmstadt, Germany© 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.ISBN 978-1-4503-4270-4/16/07. . . $15.00

DOI: http://dx.doi.org/10.1145/2939918.2939920

essential for the safety of these systems to securely verifythe integrity of the motion information.

A considerable body of work exists in the area of secureverification of locations, which could be used to verify mo-tion in terms of changes in position over time, [8, 9, 10, 11,12, 13]. These approaches, however, have been designed toverify position claims, not claims about speed and directionof movement, i.e., the velocity. As a consequence, such apoint-wise verification of the velocity using location verifi-cation schemes only allows for verifying the average veloc-ity between two positions. This is a fundamental drawbackwhich renders this approach useless for time-critical applica-tions (e.g. collision avoidance) since these applications oftenrely not only on the integrity of positions, but also on exactvelocities of other vehicles at a particular instant in time.Such applications require solutions for securely verifying in-stantaneous velocity.

In this paper, we propose using the Doppler effect to se-curely verify the instantaneous velocity. The Doppler effectis a well-known technique to infer the relative speed of mov-ing objects in classical radar systems [14]. It has also beenused for passive emitter localization and motion estimationin [15, 16, 17, 18, 19].

Similarly, our approach relies on the Doppler shift, butuses it to verify the location and velocity of transmitters ina secure way. The key idea of our scheme is to measurethe Doppler shift of a signal at multiple positions simulta-neously. While an attacker may attempt to manipulate itstransmission frequency to fool a single receiver, it cannot im-itate the effect of motion in the frequency domain for morethan two receivers at once.

We show that by using Doppler shift measurements fromat least three different locations, we can securely verify alllocation and velocity claims. We provide formal proof for thesecurity of our scheme, derive the theoretical requirements,and investigate the feasibility of verifying motion claims inoperational real-world systems.

Our experimental results with air traffic control signalsdemonstrate that our approach can be used to significantlyenhance the security of air traffic management systems. Inparticular, we provide means for measuring the Doppler shiftof air traffic signals using off-the-shelf software-defined ra-dios. Additional simulations using real air traffic motiondata confirm that the accuracy of our setup is sufficient tosecurely verify the position and velocity of aircraft with anequal error rate of zero.

The rest of the paper is organized as follows. The next sec-tion introduces the problem of motion verification and our

135

p

~v

px

θx90◦

prover

verifier

velocity

~vx

Figure 1: Notation and values used by our verifica-tion scheme to determine the Doppler shift.

basic verification scheme. It is then followed by a formal se-curity analysis in Section 3. The feasibility of our scheme inthe context of air traffic communication is evaluated in Sec-tion 4 and we provide a comparison with related solutions inSection 6. The transfer of our findings to other technologiessuch as vehicular networks and more sophisticated attackermodels are discussed in Section 7.

2. MOTION VERIFICATIONSimilar to the related problems of location verification [8]

and track verification [13], we define the problem of motionverification as follows. A set of verifiers V wish to verifywhether a moving prover’s claimed motion in space C is true.A motion claim is a tuple C = (p,~v), where p denotes theprover’s location and ~v its velocity vector. To differentiatethe problem of motion verification from location verification,we demand that the prover claims to move with a speed thatis not zero, i.e., v = |~v| > 0.

2.1 System ModelWe consider a system in which a moving prover contin-

uously broadcasts a wireless signal on a predefined centerfrequency f0. The signal carries the prover’s current mo-tion claim C = (p,~v). A stationary receiver X is located atposition px. As illustrated in Figure 1, we define ~vx as theradial velocity of the prover towards X, and θx as the anglebetween ~v and ~vx. We can now calculate the change rate ofthe prover’s distance to X, the so called radial speed, as

vx = cos (θx) · v .

Note that the radial speed becomes vx = v if the provermoves exactly towards X (i.e. θx = 0◦) and vx = −v if itmoves away from X (θx = 180◦).

Due to the Doppler effect, X receives the signal with afrequency offset which depends on the radial speed. Ac-cordingly, X receives the motion claim C on the frequency

fx =f0

1− vxc

,

where c is the propagation speed of the prover’s signal. TheDoppler frequency shift (or simply Doppler shift) can thenbe calculated as

δx = f0 − fx =f0

1− cvx

.

2.2 Verification MethodThe basic idea of our scheme is to measure the frequency

of a prover’s signal at different locations and cross-check its

conformance with the reported motion claim. From a proto-col’s viewpoint, as soon as one verifier detects a mismatch,it sends an alarm and we consider an attack detected.

To be more precise, each verifier X ∈ V located at (theknown) position px measures the center frequency fx of eachmotion claim C = (p,~v). It then checks the following verifi-cation condition:

fx?=

f01− vx

c

, (1)

where the radial speed vx is derived from C as explained inSection 2.1.

It is worth noting that our scheme neither relies on anysort of time synchronization among the nodes, nor does itrequire specialized hardware such as sectorized antennas. Inaddition, it is completely passive and does not require anyadditional communication. We conclude that our schemeis lightweight in the sense of verification speed (considersonly single measurement), cost-efficiency, and scalability.As demonstrated in Section 4, the Doppler shift can bemeasured with simple commercial of-the-shelf hardware andthere is no need to, e.g., allocate expensive RF spectrumbandwidth for dedicated verification communication. Ex-cept for the case of an attack, our scheme does in fact notrequire any exchange of control messages at all.

3. SECURITY ANALYSISFor simplicity, we only consider two-dimensional Carte-

sian coordinates and vectors in our analysis. Extending ourresults to three dimensions is straightforward.

3.1 Attacker ModelWe consider a single attacker A which is stationary and

located at position pa. By stationary, we mean that A’svelocity vector ~va = ~0, where ~0 denotes the null vectorof length |~0| = 0. We further assume that the attackeronly uses one antenna and cannot launch distributed at-tacks from multiple locations. However, it can arbitrarilyadjust its transmission frequency and we do not impose anyrestrictions on the attacker’s knowledge. In particular, Aknows the exact locations of all verifiers. The attacker’sgoal is to successfully claim a motion different from its realone. This means, it broadcasts a false motion claim Ca withCa = (p,~v) 6= (pa,~0). An attack is considered successful ifEquation 1 is satisfied for all verifiers X ∈ V.

For ease of presentation, we start our security analysiswith the trivial case of a single verifier and extend it step-by-step by adding more verifiers. We assume that due to thelow system requirements of our scheme, cheap hardware en-ables deployments with large enough numbers of verifiers toachieve a coverage sufficient to provide security. As shownin the following analysis, our scheme already provides rea-sonable security if all positions of interest are covered by atleast two verifiers.

3.2 Case V = {X}In case of a single verifier X, a stationary attacker has to

imitate the Doppler effect with respect to X by adaptingits transmission frequency fa accordingly. In order to suc-cessfully claim Ca, it simply transmits Ca on the frequencyexpected by X according to Equation 1 (i.e. fa = fx). Since

136

p1

px

py

~v1

p2~v2

prover’s claim C1

verifiers

Figure 2: Example scenario with two verifiers at pxand py and two motion claims C1 = (p1, ~v1) and C2 =(p2, ~v2) which are not verifiable using our scheme.Note that the velocity vectors always bisect the an-gle between the claimed position and the two veri-fiers when moving on a hyperbola.

the radial velocity of A and X is zero, X receives the sig-nal on the expected frequency and the attack will not bedetected. In this way, the attacker can successfully pretendarbitrary motions.

3.3 Case V = {X,Y }In order to delude two verifiers, the attacker has to find a

false motion claim Ca and a transmission frequency whichboth match X’s and Y ’s expectations at the same time. Thismeans for a given motion claim Ca, the attacker’s transmis-sion frequency fa must satisfy the following two equations:

fa =f0

1− vxc

and fa =f0

1− vyc

It is easy to see that the two equations can only be satisfiedif there is a motion claim Ca with vx = vy. In terms ofphysical effects, this means that the attacker can only claimmotions where the Doppler effect observed by X equals thatobserved by Y (i.e. fx = fy). By replacing vx and vy bytheir definitions from Section 2.1, we can reduce the problemto finding a motion claim with

θx = θy (2)

This, in turn, holds only for Ca = (p,~v) where ~v bisects theclock- or counterclockwise angle between ~vx and ~vy. An al-ternative, yet still geometric interpretation of this constraintis that the attacker can only claim motions where vector ~vis tangential to one arm of the hyperbola with focus pointspx and py and a semi-major axis length of half the differenceof the distances from p to the foci. Figure 2 illustrates thisfor two verifiers and two motion claims C1 and C2.

We postulate that this constraint will already provide suf-ficient or even strong security for many scenarios since at-tackers are forced to claim motion along hyperbolas to stayundetected. Especially in the vehicular network scenario, itis rather unlikely that roads satisfy Equation 2. Even if thesystem faces hyperbolic roads, a proper positioning of thetwo verifiers can prevent legitimate occurrences of Equation2. In addition to that, if we assume that X and Y knoweach other’s positions, they can simply check Equation 2 ina first step. In case it is satisfied, they should consider thetrack claim suspicious. In case it is not satisfied, the verifierscan securely proceed with the normal verification procedure,i.e., they check Equation 1.

3.4 Case V = {X,Y, Z}Analogously to the previous case and assuming that the

prover is not moving, we can conclude that an attacker fac-ing three verifiers is limited to motion claims which resultin equal Doppler shift at each verifier, i.e. vx = vy = vz.It is clear that the attacker’s options for p are now furtherreduced to positions on one of the extensions of the line seg-ments −−→papb with pa, pb ∈ {px, py, pz} and pa 6= pb. In otherwords, at least two verifiers must lie on a straight line fromthe perspective of the claimed location p.

Proof Let us assume that there are no verifiers X,Y ∈V such that a straight line exists which intersects px, py,and p. This implies that the angle between ~vx and ~vy isdifferent for all pairs of verifiers X,Y ∈ V. We know fromthe previous case that the attacker has to bisect all theseangles in order to satisfy Equation 1 for all three verifiers.As it is impossible to bisect two different angles which shareone vector simultaneously, any velocity vector will violateEquation 1 for at least one verifier. �

As explained above, subsequent motion claims have tocomply with their predecessors in order to stay undetectedfor a certain period of time. Extending the considerationsof Section 3.3 to three verifiers leads us to the conclusionthat the attacker is now restricted to claiming motion alongall three pairwise hyperbolas simultaneously and, thus, thepairwise hyperbolas must be equal. This, however, is onlythe case if all focus points (the verifiers) lie on one straightline since then, either θx = θy = θz = 0◦ or θx = θy = θz =180◦ holds.

3.5 ConclusionFor any V with |V| > 1, we can conclude from the analysis

in the previous sections that our verification scheme is securefor single motion claims C = (p,~v) if there are two verifiersX,Y ∈ V with different expected radial speeds vx 6= vy.

It is worth noting that this condition can be guaranteedwith an appropriate positioning of verifiers. For instance,covering any location of interest by at least four verifiersin a constellation different from a triangle or a straight lineensures that for every motion claim there is at least one veri-fier which expects a radial velocity different from the others.The same holds if all locations of interest are enclosed by atleast three verifiers. The latter scenario is used in our sim-ulations below (Section 5.4).

If historical motion claims are considered as well, we canadditionally conclude that our scheme is secure if there aretwo verifiers X,Y ∈ V and the prover is not claiming tomove along a hyperbola with foci px and py. If there aremore than two verifiers it is secure.

4. FEASIBILITY STUDYReal-world measurements are naturally prone to noise in-

duced by hardware and the environment. We are specificallyinterested in whether we are able to build a real-world sys-tem with a sufficient accuracy to reliably detect violationsof Equation 1. We have therefore selected the scenario of airtraffic communication to test the applicability of our schemein a real-world environment.

We are considering the Automatic Dependent Surveillance-Broadcast (ADS-B). The ADS-B protocol is a key compo-nent of the next generation air transportation system which

137

is currently being deployed [20]. In ADS-B, aircraft de-termine their three-dimensional position and velocity usingsatellite navigation systems such as GPS. They periodicallybroadcast this information on the secondary surveillanceradar frequency 1090 MHz.

As demonstrated in [5] and [6], ADS-B has serious securityissues due to the lack of authentication mechanisms or en-cryption. More precisely, integrity of information providedby ADS-B cannot be guaranteed since it is possible to spoofADS-B signals even with low-cost commercial off-the-shelfhardware. These security problems are aggravated by thelong development, certification, and deployment cycles inaviation (usually 20-30 years) which render solutions requir-ing changes to the infrastructure useless in the short or evenmedium term [21]. Consequently, passive schemes (such asours) are of special importance for aviation since they canrun side by side with the existing infrastructure without anychanges.

4.1 ADS-B EnvironmentAs mentioned above, it is important to verify ADS-B data

without requiring any changes to the standard or the infras-tructure (including equipment in aircraft). Consequently,our scheme has to cope with ADS-B as it is. For this rea-son, we start our analysis with a short characterization ofthe ADS-B environment. We used dataset of air traffic posi-tions from all over the world collected by the OpenSky Net-work1. The dataset was based on about 500 million recordedtransponder messages.

In ADS-B, GPS-based velocity and position reports areeach broadcast twice per second [3]. Since normal aircraft(e.g. airliners) usually move on quasi-linear tracks withinshort periods of time, we can interpolate missing velocity (orposition) information for each received report. As demon-strated below, a simple linear interpolation achieves a suffi-cient accuracy for movements in the en-route airspace (alti-tudes above 9 km). Thus, we can consider both position andvelocity reports as a motion claim and obtain an expectedrate of about 4 claims per second.

Since the Doppler shift directly depends on the velocityof a target, we are particularly interested in typical speedsof aircraft. One thing we observed is that aircraft fly atdifferent speeds depending on the altitude. For instance, theaverage velocity at altitudes below 9 km is 161 m/s while athigher altitudes, the so called en-route airspace, the averagevelocity is about 230 m/s.

The en-route airspace is of special interest to us sincemost aircraft are usually at high altitudes. In particular,the dataset from the OpenSky Network contained almosttwice as many positions from the en-route airspace thanfrom the lower airspace. That is because aircraft usuallyclimb directly to the en-route airspace after the start andonly descend to lower altitudes for landing. Hence, we canassume that velocities of about 230 m/s are typical for theair traffic scenario.

A second factor affecting our verification scheme with re-spect to expected Doppler shifts and number of verifiers re-quired to cover a certain area is the range of a receiver.As shown in Figure 8, reception ranges are usually between300-400 km if there is a clear line-of-sight. This allows fora large coverage of the en-route airspace with a relativelysmall numbers of receivers.

1https://opensky-network.org

7 7.2 7.4 7.6 7.8 8 8.2Longitude

46.6

46.8

47

47.2

47.4

Latit

ude

Bern

Thun

Figure 3: Tracks of the 17 flights observed with twoUSRPs located in Bern and Thun. Each USRP mea-sured the frequency of incoming signals.

In the following sections, we show how off-the-shelf software-defined radios can be used as verifiers in this environment.Our results indicate that our scheme is a promising candi-date for considerably improving the security of ADS-B .

4.2 Experimental SetupIn order to investigate the challenges and accuracy of

Doppler shift measurements of ADS-B messages, we de-ployed two software-defined radios (Ettus USRP X300) attwo sites in Switzerland (Bern and Thun) which are about25 km apart. Both USRPs used a GPS-disciplined, oven-controlled crystal oscillator (GPSDO) as a clock source anda sample rate of 10 MHz. They provide I/Q samples with aresolution of 14 bit for both in-phase and quadrature compo-nent. The radio front-ends (SBX-120 daughterboards) weretuned to the center frequency of ADS-B (1090 MHz). Eachsetup recorded all ADS-B messages along with their raw I/Qsamples using a modified version of the GNU Radio-basedsoftware receiver for transponder signals gr-air-modes2.

After recording ADS-B signals for eight hours, we joinedboth datasets and identified all messages that were receivedby both USRPs based on their reception time and transpon-der ID. We then process the data with an ADS-B decoderbased on the library provided by the OpenSky Network3 toextract accurate three-dimensional position, velocity, andheading information from these messages. Figure 3 showsthe position reports and the locations of the receivers. Asa final processing step, we used linear interpolation to es-timate the positions for non-position messages and velocityas well as heading for non-velocity messages.

With this setup and preprocessing steps, we collected overthe course of about 8 hours a set of 2427 ADS-B messagesfrom 17 different aircraft. Each message is assigned to athree-dimensional transmitter location (p), a velocity vec-tor (~v) and the raw signal data as received by each of thereceivers.

4.3 Results: Frequency of ArrivalThe first step of our analysis was to investigate the noise

level in frequency of arrival (FOA) measurements. A com-mon approach to determine the FOA of a signal is to firsttranslate it to its frequency domain representation using thediscrete Fourier transform and then identify the peak fre-quency. This methodology requires evenly spaced samples

2https://github.com/bistromath/gr-air-modes3https://github.com/openskynetwork/java-adsb

138

Figure 4: Pulse-position modulation of Mode Sreplies and ADS-B messages [22].

of the signal. In ADS-B, however, a pulse position modula-tion is used and the signal of interest arrives only in shortbursts of 0.5 µs with either no, 0.5 µs spacing, or 1 µs spac-ing (see Figure 4). Since we are only interested in the peakfrequency of these short bursts and not in the plain spec-trum, we discard the samples between the pulses to reducethe spectral noise. This filtering results in an incompletesample set. Unfortunately, algorithms for calculating thespectral representation of a signal based on incomplete sam-ples have generally a higher computational complexity thanthe fast Fourier transform (FFT). The Lomb-Scargle peri-odigram, as a common approach, scales at O(N2) whereas incontrast, the computational cost of the FFT only increasesby O(N logN) [23]. Hence, for efficiency reasons, we useda linear interpolation to fill the gaps and argue that it issufficiently accurate since the expected Doppler shift is inthe range of a few hundred Hertz while the gaps are at most1 µs wide. To be more precise, if the aircraft moves directlytowards the verifier at a speed of 230 m/s, the Doppler shiftis 836 Hz. A gap of 1 µs corresponds to only 0.0836% of acomplete oscillation of the Doppler shift frequency and theerror caused by the linear interpolation is therefore assumedto be negligible. In summary, our FOA estimation is basedon a continuous approximation of the original pulsed signalto amplify the signals spectral effect.

Let x(n) be the n-th I/Q sample of the interpolated signalas received by X and F{x} its frequency domain represen-tation that results from the discrete Fourier transform. Weestimated the FOA by determining the peak frequency in thefrequency domain representation of the interpolated signal:

fx = arg maxf

|F{x}(f)| (3)

By finally subtracting the expected Doppler shift from fx,we obtained the deviation of the measured from the expectedFOA, corresponding to the measurement error when thereis no attack.

The results are shown in Figure 5 and Table 1. Figure5a shows the empirical cumulative distribution functions(ECDF) of the FOAs measured by the receiver in Bern andseparated by aircraft. There are several notable observa-tions.

First, while the messages of some aircraft vary around acentral frequency within a range of less than 10 kHz, otherscover the whole spectrum from -300 kHz to 300 kHz. Weobserved the same patterns for the respective aircraft in theFOAs of the second receiver in Thun. In fact, the outliersof both receivers (all values above the 10% percentile of theabsolute error) coincide 90%. On the contrary, the standarddeviation of the differences between the two receivers wasless than 500 Hz for other aircraft (see Table 1). We conclude

-80 -60 -40 -20 0 20 40 60 80Frequency (kHz)

0

0.2

0.4

0.6

0.8

1

ECD

F

(a) ECDFs of the deviation of the measured FOA of thereceiver in Bern from the expected frequency.

-2 -1 0 1 2Frequency Difference (kHz)

0

0.2

0.4

0.6

0.8

1

ECD

F

(b) ECDFs of the differences of the FOAs between the tworeceivers.

Figure 5: Aircraft-wise results of the frequency ofarrival measurements desribed in Section 4.3.

that transponders installed in aircraft differ significantly instability.

Secondly, the center frequencies of the transponders differsignificantly as indicated by the horizontal difference of theECDFs in Figure 5a. Consequently, we must assume thatthe actual transmission frequency is different from 1090 MHzas the transponders are obviously not calibrated or synchro-nized (e.g. using GPS).

Thirdly, the median difference of the FOAs of all transpon-ders is always close to 500 Hz (see Figure 5b). Since this off-set is independent of the transponder, we can assume thatdespite the use of the GPSDO, the radio front-ends of thereceivers were not tuned to the exact same center frequency.In addition, as Table 1 shows, the median difference staysconstantly around 450 ± 50 Hz for all flights and thus forthe whole duration of our measurements (8h). This sug-gests that the frequency offset of the two receivers can beassumed to be constant over longer periods of time.

We can conclude from the above findings that directlyapplying our verification method (Equation 1) to transpon-der signals is not practical in the ADS-B scenario due to anunacceptably high noise level. Nevertheless, we can distin-guish three kinds of noise that need to be addressed in orderto achieve a sufficient accuracy. Therefore, we propose anadapted version of our verification scheme in the next sec-tion. It is specifically tailored to dealing with the specialconditions of ADS-B signals.

139

A/C 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

min 302 -109e3 -229 -62 100 171 -35e3 -306 -1328 -18e3 -280e3 130 71 45 -33e3 25 -14e3mean 434 -868 442 431 441 483 525 733 524 1413 -4117 490 473 479 -139 499 595median 431 419 454 445 434 464 448 513 504 534 475 494 470 473 416 500 512max 558 92e3 880 714 960 786 30e3 18e3 1499 18e3 265e3 819 1024 836 2094 844 19e3std 53 28e3 131 131 134 121 5625 1979 322 8002 59e3 136 152 132 3899 132 5742

Table 1: Measurement results: minimum, mean, median, maximum, and standard deviation of the sets ofdifferences fx − fy per aircraft (A/C). All values are provided in Hz.

5. ADAPTED VERIFICATION SCHEMEIn accordance with the above observations, we can model

realistic frequency of arrival measurements with

fx = f0 + δx + εx + εt + ε/2

where εx is a constant frequency offset of the receiver’s radiofront-end, εt is a constant frequency offset of the transmit-ter, δx the Doppler shift (see Section 2.1), and ε a randomvariable representing twice the random measurement noise.Under the assumption that the random measurement noiseis additive, the frequency-difference of arrival (FDOA) attwo verifiers X and Y is then

fx − fy = (f0 + δx + εx + εt)− (f0 + δy + εy + εt) + ε

= δx − δy + (εx − εy)︸ ︷︷ ︸=εxy

+ε (4)

The idea of our adapted scheme is to verify this FDOAinstead of the FOA. As Equation 4 shows, this has the ad-vantage that the actual transmission frequency (f0+εt) doesnot affect the verification. The sources of noise are reducedto the relative frequency offsets of the receivers εxy and therandom noise ε.

As shown in the previous section, we can assume εxy tobe constant over a sufficient amount of time. This allows usto learn εxy a priori in a calibration phase, for instance byexploiting signals from test transponders which are alreadywidely deployed for the calibration of secondary surveillanceradar infrastructures. We therefore assume εxy to be knownat runtime.

The adapted FDOA-based verification scheme works asfollows. For all pairs of verifiers X and Y which satisfy oneof the conditions of Section 3.5, we check for each receivedADS-B message∣∣(fx − fy)− (δx − δy)− εxy

∣∣ ?< T (5)

where T is a pre-defined threshold which depends on themeasurement error and the expected FDOA. Note that ifthere is no measurement error ε and offset εxy, the left-hand side of Equation 5 becomes zero for legitimate motionclaims.

5.1 SecurityAs we know from the previous analysis, if one of the re-

quirements summarized in Section 3.5 is met, the verifiersexpect different Doppler shifts, that is δx 6= δy for at leasttwo verifiers X and Y . Let fa be the attacker’s transmissionfrequency. The FDOA measured by X and Y then is

fx − fy = (fa + εx + εt)− (fa + εy + εt) + ε

= εxy + ε

Plugging this into Equation 5 yields∣∣(fx − fy)− (δx − δy)− εxy∣∣

= |(εxy + ε)− (δx − δy)− εxy|

= |ε− (δx − δy)|

?< T (6)

We analyze the security of the adapted scheme by consid-ering the false acceptance and false alarm rate. Equations5 and 6 show that, generally speaking, false alarms occurwhen ε exceeds T and fake claims become falsely acceptedwhen the absolute difference of ε and the expected FDOA isbelow T . We therefore say that T is optimal if it satisfies

ε < T < |ε− (δx − δy)| (7)

We can conclude that the adapted scheme is secure if Texists. In practice, however, such optimal T do often notexist since either the measurement error does not have anupper bound or the expected FDOA is not high enough todominate the measurement error. The scheme can then onlyprovide statistical guarantees based on the distribution of εand the expected FDOAs. To analyze this further, the nextsection provides a realistic error model based on our real-world measurements.

5.2 Measuring the FDOAThe highest FDOA occurs if an aircraft moves exactly

on the line between two verifiers. If we assume a speed of230 m/s, the difference in radial speed is 460 m/s and theexpected FDOA is about 1.6 kHz. Our previous measure-ments have shown that the accuracy of the above method isnot sufficient. Since the maximum frequency difference ex-ceeded 1.6 kHz (see Table 1), an optimal T does not exist.The goal of this section is to find a method to determine theFDOA accurately enough for secure verification real flights.

A common approach to estimate the FDOA directly fromthe I/Q samples is determining the offset with the maxi-mum cross-correlation of the frequency domain representa-tions F{x}(f) and F{y}(f) of X’s and Y ’s signals [15]. Anefficient way to find this offset (and thus the FDOA) is ap-plying the convolution theorem:

fx − fy ≈ arg maxf

|F{x∗y}(f)|

where ∗ denotes the complex conjugate. In summary, wecan estimate the FDOA by calculating the discrete Fouriertransform of the product of the conjugated I/Q samples ofone signal and the I/Q samples of the other signal.

The drawback of this method is that it requires the trans-mission of raw signal data to at least one node in the net-work. While exchanging I/Q samples at a sample rate of

140

-1500 -1000 -500 0 500Frequency offset (Hz)

0

50

100

150

200

250

300

350µ: -468.07σ: 90.36ν: 5.11

Figure 6: Histograms of the FDOA of all messageswith (red; narrow) and without (blue; wide) Dopplercompensation. The distribution is fitted by a t-location-scale distribution with location µ, scale σ,and shape ν.

-800 -600 -400 -200 0 200 400 600 800t location-scale distribution

-1000

-500

0

500

FDO

A s

ampl

es

Figure 7: Q-Q plot comparing the random measure-ment error to the fitted t-distribution shown in Fig-ure 6 after subtracting the estimated constant tun-ing offset.

10 MHz appears inefficient at first, we argue that this isnot a problem for ADS-B messages. I/Q samples of USRPsare 32 bit wide4. Combined with a sample rate of 10 MHz,we obtain a total of 1200 samples per ADS-B packet. Asa matter of fact, only about 580 of these samples actuallyconvey information due to the pulse-based modulation usedin ADS-B. Altogether, only 2320 bytes of signal data perverifier and message need to be exchanged to be able to usethe above method.

5.3 FDOA ResultsThe measured frequency offsets according to this method

are shown in Figure 6. After removing the estimated Dopplershift in the FDOA measurements, the left over error is dis-tributed around εxy = −468.07 Hz. Subtracting the con-stant offset εxy results in a random measurement noise εwhich is well-fitted by a t-distribution with scaling σ =90.36 Hz and ν = 5.11 degrees of freedom (compare Fig-ure 7).

The improvement achieved with this method is consid-erable. In particular, directly measuring the FDOA withthe above method turns out to be much more robust in thepresence of the highly unstable transponder signals. As thestatistics in Table 2 show, some transponders are still morestable than others, but the variance dropped significantly.For example, if we consider the standard deviation as a mea-sure of stability, aircraft 1 still performs best and aircraft 2

4In fact, it is only 28 bit wide since the ADC has an I/Qresolution of 14 bit but we skip this optimization for thesake of simplicity.

worst (compare Table 1) while the standard deviation of air-craft 2 is decreased by a factor of over 200. A closer lookat the outliers below -345.45 Hz and above 374.8 Hz (99%were between these values) did not reveal any dependenceon the signal-to-noise ratio or the bit confidence as definedin [3] and therefore rejects the hypothesis that temporal ef-fects (e.g. higher noise levels) affects some flights more thanothers. We therefore confirm for our further analysis thatthe measurement error ε is independent and identically dis-tributed for one transponder.

The highest error observed was max(|fx−fy|) = 918.82 Hz.In terms of speed, a difference in the FDOA of 918.82 Hzcorresponds to a difference in radial speed of 253 m/s. Asmentioned above, the maximum difference in radial speedin the air traffic scenario is 460 m/s and the maximum ex-pected FDOA 1.6 kHz. This combined with the result ofour security analysis of the adapted scheme (Section 5.1)suggests, that our setup is not able to perfectly distinguishbenign and fake motion claims without false alarms since

|δx − δy| ≤ 2 ·max(|fx − fy|)

and Equation 7 can therefore not be satisfied. However, theprobability for such outliers is extremely low. In particular,the probability for a measurement error greater then T Hzis

P (|ε| > T ) = 1−∫ T−T

P (ε = e) de (8)

If we assume that the underlying distribution of ε matchesthe fitted t-distribution above (compare Figure 7), the prob-ability for errors, e.g, above 538 Hz (see results in Section5.4) is

P (|ε| > 538 Hz) ≈ 0.0018

Hence, if we use a threshold T = 538 Hz, the expectedfalse alarm rate is 0.16%. If we extend our scheme suchthat an alarm is only raised if Equation 5 is violated by twosuccessive motion claims of an aircraft, the average falsealarm rate drops quadratically to P (|ε| > T )2 ≈ 0.0003%.

The same holds for the probability of accepting an at-tacker’s motion claim. A false location claim becomes ac-cepted by the verifiers X and Y if |ε− (δx − δy)| < T . Theprobability for this inequality to be satisfied can be boundedas follows (T ≥ 0):

P (|ε− (δx − δy)| < T ) = P (|(δx − δy)− ε| < T )

≤ P (|δx − δy| − |ε| < T )

= P (|ε| > |δx − δy| − T )

= 1−∫ |δx−δy|−TT −|δx−δy|

P (ε = e) de

If we assume the expected FDOA of a fake motion claimis 1200 Hz and T = 538 Hz, the probability of a false ac-ceptance is lower than or equal to 0.0676%. If we requirethe acceptance of two successive motion claims for successfulverification, the probability of an attacker not being detecteddrops to 4.5728 · 10−5%.

In order to strengthen these theoretical findings and tofinally demonstrate that our setup is – despite the residualmeasurement error – capable of verifying real-world motionsat reasonable false alarm/acceptance rates, we conductedsimulations with real-world motion data and present the re-sults in the next section.

141

A/C 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

min -180 -390 -636 -707 -483 -246 -263 -312 -295 -415 -268 -263 -288 -448 -551 -319 -303max 117 368 254 222 250 274 241 919 344 375 299 345 379 382 422 294 416std 52 138 113 100 95 105 69 137 104 103 73 117 116 131 183 112 117

Table 2: Frequency-difference of arrival measurement results: minimum, maximum, and standard deviationof the FDOA per aircraft (A/C) minus the constant offset of εxy = −468.07 Hz. All values are provided in Hz.

Figure 8: Locations and ranges of the three receiversused for our analysis.

Figure 9: The receiver locations and the flights usedfor our simulations.

5.4 Performance in the Real WorldWhile the previous sections concentrated on identifying

and quantifying the challenges of the air traffic scenario andthe capabilities of our USRP-based setup, this section aimsat combining all our findings and investigates the perfor-mance of our setup in a realistic environment. We are par-ticularly interested in the false acceptance rate and falsealarm rate with real-world motion claims. For this purpose,we conducted the following simulations using real air trafficmotion data.

We first selected three receivers of the OpenSky Network.Their locations and ranges are shown in Figure 8. They arelocated closely to major Central European airports (Frank-furt, Munich, and Zurich) and the triangle between them isfully covered by all three receivers. We have chosen thembased on their constellation. The triangle constellation isgenerally good for our verification scheme as on the onehand, it produces high FDOAs of signals sent from within

800 1000 1200 1400 1600 1800Expected FDOA (Hz)

0

2000

4000

6000

8000

10000

12000

Figure 10: The expected frequency-difference of ar-rivals of our dataset from the OpenSky Network.

0 500 1000 1500Threshold (Hz)

0

20

40

60

80

100Fa

lse

Alar

ms/

Acce

pts

(%) False Acceptance Ratio

False Alarm Ratio

0.07% False Accept Ratio0.1% False Alarm Ratio

Figure 11: The false alarm and false acceptance ra-tios of our simulation for different thresholds. Eachof the 402,627 motion claims was tested individually.

the triangle, and on the other hand, there is always a pair ofreceivers which satisfies the verification requirements (Sec-tion 3.5). We then fetched 24 hours (16/03/2016) of statevectors5 from the en-route airspace (above an altitude of9 km) of the triangle from the OpenSky Network’s database.In total, we obtained 402,627 state vectors from 866 differentaircraft. The total set of state vectors is shown in Figure 9.We refer to these state vectors as motion claims from hereon.

For each motion claim and each pair of receivers, we cal-culated the expected FDOA. We know from the previousanalysis that our verification scheme performs best whenthe expected FDOA is high. Therefore, we identified foreach motion claim the pair of receivers with the highestexpected FDOA and used this pair for verification. TheFDOAs of the receiver pairs with the highest difference areshown in Figure 10. In the next step of our simulation, we

5A state vector consists of aggregated ADS-B position andvelocity information within a second from one aircraft. Seehttps://opensky-network.org/impala-tables.

142

0 500 1000 1500Threshold (Hz)

0

20

40

60

80

100Fa

lse

Alar

ms/

Acce

pts

(%) False Acceptance Ratio

False Alarm Ratio

538 Hz 622 Hz

Figure 12: The false alarm and false acceptance ra-tios of our simulation for different thresholds us-ing two successive motion claims. The gray intervalmarks the thresholds for which both false acceptanceand false alarm ratio dropped to zero.

added to each FDOA value a random measurement errorfrom the t-distribution with σ = 90.36 Hz and ν = 5.11 andtested whether it would have been falsely accepted (dishon-est prover) or falsely rejected (honest prover) for differentthresholds. The results are shown in Figure 11. We can sum-marize that if the three verifiers verified each motion claimindividually, the best performing threshold would have beenT = 610 Hz with a false alarm ratio of 0.1% and a falseacceptance ratio of 0.07%. In absolute numbers, 304 of the402,627 motion claims were falsely accepted and 366 falselyrejected.

We then repeated the simulation but instead of verifyingeach motion claim individually, we considered two succes-sive motion claims at a time. In the simulation of an honestprover, we rejected a motion claim if Equation 5 was violatedby both claims. Conversely, in the simulation of a dishonestprover, we accepted a claim if the claim and its precedingclaim both satisfied Equation 5. The results for all thresh-olds are provided in Figure 12. Both rates dropped to zerofor thresholds T ∈ [538, 622]. In other words, by using twosuccessive motion claims instead of one, our scheme detectedall attacks while producing no false alarms.

6. RELATED WORKSeveral methods have been proposed to securely verify the

location of an emitter. Distance bounding protocols [24, 8, 9,10] are two-way ranging protocols that rely on cryptographictechniques to enable a verifier to establish an upper boundon the physical distance to a prover. Mutlilateration is apassive localization technique based on the time differenceof arrival (TDoA) of signals at geographically distributedstations that can be used for location verification [25, 26,27]. However, these approaches only allow for verificationof the position of a target, not its velocity and heading.In order to verify the motion of an object, multiple succes-sive measurements are required to estimate the velocity andheading of the target. Thus, these approaches can only ver-ify the average velocity and heading between the consideredmessages. In contrast, our scheme can be applied to singlemessages which allows for verification of the instantaneousmotion.

Schafer et al. have proposed a method to securely verifythe track of an aircraft [13]. By validating the inter-arrival

times of successive location claims, their method can de-tect false track claims without requiring time synchroniza-tion among the sensors. While the requirements imposed onthe hardware are equal to those of our scheme, secure trackverification requires at least 40 ADS-B messages to reliablydetect spoofing attacks in the presence of noise. In compar-ison, our evaluation showed that our approach can detectspoofing attacks with a single message in 0.07% of the casesand only needed a second message for an equal error rate of0%.

Ghose and Lazos have proposed using Doppler shift mea-surements for verifying air traffic navigation information[19]. They proposed a scheme in which benign aircraft verifythe velocity of other aircraft by estimating their radial veloc-ity through Doppler shift measurements. However, they as-sume in their attacker model that an attacker cannot adjustthe transmission frequency below the frequency tolerance ofreceivers for transponder signals of 312.5 kHz. In contrast,we do not put any limitations on the attackers frequencyaccuracy. It is worth noting here that an attacker using acommercial off-the-shelf software-defined radio (e.g. USRP)can achieve a frequency accuracy in the order of ±0.01 Hz[28]. Therefore and in contrast to this work, our scheme isresistant to attackers which modify their center frequenciesto mimic the Doppler effect.

7. DISCUSSION

7.1 A Look Ahead: Vehicular NetworksWe have shown in the previous sections that motion veri-

fication based on FDOA measurements are not only feasiblebut also realistic for securely verifying motion of aircraft.However, ground vehicle scenarios consider much lower ve-locities. In vehicular networks, the expected radial speed ofa car relative to a receiver located at the side of the road isabout 15 m/s in cities and 35 m/s on highways. This meansthat Doppler shifts of radio waves in the vehicular scenariowould be around 36 Hz in cities and 127 Hz on highways inthe best cases. Measuring such a small Doppler shift accu-rately enough in the ultra high frequency (UHF) band wouldrequire extremely accurate hardware.

For that reason, we envision instead a system that relies onsound waves (e.g. ultra sound) for motion verification. TheDoppler shift of sound waves is much higher than electro-magnetic waves due to the low propagation speed (340 m/s).If we assume a transmission frequency of 19 kHz and a radialspeed of 15 m/s, the frequency shift would be 922 Hz.

As a proof of concept, we conducted a simple experimentto analyze the accuracy of measuring the Doppler shift withsound waves. We used the built-in speakers and microphoneof two off-the-shelf laptops as sender and receiver, and gen-erated a tone with decreasing frequency from 20 kHz downto 2 kHz using the GNU Radio6 toolkit. The receiving lap-top used the method described in Section 4.3 to determinethe FOA of the signal.

The results are shown in Figure 13. While half of themeasurements experienced an error even below 1 Hz, themaximum absolute measurement error was 17.58 Hz. Thiscorresponds to a radial speed of about 1 km/h. We can con-clude that sound is a suitable medium for verifying velocitieseven below walking speed. It is worth noting that we used

6https://gnuradio.org

143

0 5 10 15 20Tx Frequency (kHz)

-20

-10

0

10

20D

iffer

ence

Rx

& T

x Fr

eq. (

Hz)

Figure 13: Measurement error of frequency of ar-rival measurements of sound waves with differentfrequencies. We used off-the-shelf laptops as trans-mitter and receiver.

here the FOA as opposed to the FDOA used in the air trafficscenario. Therefore, we could directly apply the basic verifi-cation scheme presented in Section 2.2 without calibration,synchronization, or communication between verifiers.

7.2 LimitationsSimilar to location and track verification schemes which

are based on signal arrival measurements, our motion veri-fication scheme is not secure when faced with a mobile at-tacker or an attacker using several antennas (see e.g. [8,13]). The reason is that the proof provided in Section 3 isbased on the fact that all verifiers measure the same fre-quency. However, this assumption does not hold anymore ifthe attacker is either able to move or use multiple antennasto adjust the frequencies for each verifier individually.

In order to spoof a motion different from the real one, amobile attacker needs to find a path and transmission fre-quency which results exactly in the expected received fre-quencies at all verifiers. Yet, such an attack can be con-sidered rather unlikely in the air traffic scenario, becausethe attacker must be able to move at a speed of up to sev-eral hundred m/s to produce the same difference in receivedfrequencies. Thus, a mobile attacker can only be realizedby an extremely agile and fast aircraft which significantlyreduces the feasibility of potential attacks. Similar attacklimitations apply to vehicular networks as well since groundvehicles are forced to move along predefined paths (roads).

Attackers using several antennas remain an open problem.If the attacker is able to fully control the received frequencyat each receiver, it can trivially spoof any motion. One wayto defend against such attacks could be the use of coveredverifiers which are located at positions unknown to the at-tacker [12]. When the verifier locations are secret, attackershave no means to determine the expected frequencies andare therefore limited to guessing with a low probability ofsuccess.

8. CONCLUSIONSIn this paper, we presented a method to securely verify the

motion of a moving prover including the combination of po-sition, speed, and direction of movement. Our scheme usesDoppler shift measurements from multiple positions. In ourformal security analysis of the scheme, we proved the secu-rity of the underlying scheme and then adapted it to be able

to deal with realistic noisy measurement data. Finally, wedemonstrated the practicality of our adapted scheme withsimulations based on real-world air traffic motion data.

In our evaluation, we identified challenges specific to theair traffic scenario. In particular, we found that transpon-ders used in aircraft generate extremely noisy signals whichmakes passively measuring Doppler shifts difficult. However,our measurements and simulations strongly suggest that ouradapted scheme based on the FDOA is able to verify air traf-fic over a large area with an equal error rate of zero.

9. REFERENCES[1] P. Varaiya, “Smart cars on smart roads: problems of

control,” IEEE Transactions on Automatic Control,vol. 38, no. 2, Feb 1993.

[2] E. A.Lester, “Benefits and incentives for ADS-Bequipage in the National Airspace System,” Sep. 2007,Massachusetts Institute of Technology.

[3] RTCA Inc., “Minimum Operational PerformanceStandards for 1090 MHz Extended Squitter AutomaticDependent Surveillance – Broadcast (ADS-B) andTraffic Information Services – Broadcast (TIS-B),”DO-260B with Corrigendum 1, Dec. 2011.

[4] J. Ploeg, B. Scheepers, E. V. Nunen, N. V. de Wouw,and H. Nijmeijer, “Design and experimental evaluationof cooperative adaptive cruise control,” in Proceedingsof the International IEEE Conference on IntelligentTransportation Systems, ser. ITSC 11, Oct. 2011.

[5] Andrei Costin and Aurelien Francillon, “Ghost is inthe Air(traffic): On insecurity of ADS-B protocol andpractical attacks on ADS-B devices,” Black Hat USA,Jul. 2012.

[6] M. Schafer, V. Lenders, and I. Martinovic,“Experimental Analysis of Attacks on Next GenerationAir Traffic Communication,” in Applied Cryptographyand Network Security (ACNS). Springer, Jun. 2013.

[7] B. DeBruhl, S. Weerakkody, B. Sinopoli, andP. Tague, “Is your commute driving you crazy?: Astudy of misbehavior in vehicular platoons,” inProceedings of the 8th ACM Conference on Security &Privacy in Wireless and Mobile Networks (WiSec),ser. WiSec ’15, Jun. 2015.

[8] N. Sastry, U. Shankar, and D. Wagner, “Secureverification of location claims,” in Workshop onWireless Security (WiSe). ACM, 2003.

[9] D. Singelee and B. Preneel, “Location verificationusing secure distance bounding protocols,” in IEEEInternational Conference on Mobile Adhoc and SensorSystems Conference (MASS). IEEE, Nov. 2005.

[10] S. Capkun and J.-P. Hubaux, “Secure positioning ofwireless devices with application to sensor networks,”in International Conference on ComputerCommunications (INFOCOM). IEEE, March 2005.

[11] L. Lazos, R. Poovendran, and S. Capkun, “ROPE:Robust Position Estimation in Wireless SensorNetworks,” in ACM/IEEE International Symposiumon Information Processing in Sensor Networks(IPSN), Apr. 2005.

[12] S. Capkun, K. Rasmussen, M. Cagalj, andM. Srivastava, “Secure location verification withhidden and mobile base stations,” IEEE Transactions

144

on Mobile Computing, vol. 7, no. 4, pp. 470–483, Apr.2008.

[13] M. Schafer, V. Lenders, and J. Schmitt, “Secure TrackVerification,” in Proceedings of the IEEE Symposiumon Security and Privacy, Jul. 2015.

[14] M. I. Skolnik, “Radar Handbook,” McMcGraw-Hill,1970.

[15] A. Amar and A. J. Weiss, “Localization of narrowbandradio emitters based on doppler frequency shifts,”IEEE Transactions on Signal Processing, vol. 56,no. 11, pp. 5500–5508, 2008.

[16] Y. T. Chan and J. J. Towers, “Passive localizationfrom Doppler-shifted frequency measurements,” IEEETransactions on Signal Processing, vol. 40, no. 10, pp.2594–2598, 1992.

[17] C. Couvreur and Y. Bresler, “Doppler-based motionestimation for wide-band sources from single passivesensor measurements,” 1997 IEEE InternationalConference on Acoustics, Speech, and SignalProcessing, vol. 5, pp. 3537–3540, 1997.

[18] B. Kusy, I. Amundson, J. Sallai, P. Volgyesi,A. Ledeczi, and X. Koutsoukos, “RF dopplershift-based mobile sensor tracking and navigation,”ACM Transactions on Sensor Networks, vol. 7, no. 1,pp. 1–32, 2010.

[19] N. Ghose and L. Lazos, “Verifying ads-b navigationinformation through doppler shift measurements,” inIEEE/AIAA 34th Digital Avionics SystemsConference (DASC), Sep. 2015.

[20] M. Strohmeier, M. Schafer, M. Fuchs, V. Lenders, andI. Martinovic, “Opensky: A swiss army knife for airtraffic security research,” in Proceedings of the 34thIEEE/AIAA Digital Avionics Systems Conference,ser. DASC, September 2015.

[21] M. Strohmeier, M. Schafer, R. Pinheiro, V. Lenders,and I. Martinovic, “On perception and reality inwireless air traffic communications security,”arXiv:1602.08777 [cs.CR], Feb. 2016.

[22] International Standards and Recommended Practices,Annex 10: Aeronautical Telecommunications, 4th ed.,International Civil Aviation Organization (ICAO),2007, Volume IV: Surveillance and CollisionAvoidance Systems.

[23] R. H. D. Townsend, “Fast calculation of thelomb-scargle periodogram using graphics processingunits,” The Astrophysical Journal Supplement Series,2010.

[24] S. Brands and D. Chaum, “Distance-boundingprotocols,” in Proceedings of the Workshop on theTheory and Application of Cryptographic Techniques(EUROCRYPT). Springer Berlin Heidelberg, May1994.

[25] A. Smith, R. Cassell, T. Breen, R. Hulstrom, andC. Evers, “Methods to Provide System-Wide ADS-BBack-Up, Validation and Security ,” in IEEE/AIAADigital Avionics Systems Conference, Oct. 2006.

[26] K. Pourvoyeur and R. Heidger, “Secure ADS-B usagein ATC tracking,” in Tyrrhenian InternationalWorkshop on Digital Communications - EnhancedSurveillance of Aircraft and Vehicles(TIWDC/ESAV). IEEE, Sep. 2014, pp. 35–40.

[27] M. Strohmeier, V. Lenders, and I. Martinovic, “On theSecurity of the Automatic DependentSurveillance-Broadcast Protocol,” IEEECommunications Surveys & Tutorials, no. 99, 2014.

[28] USRP X300 and X310 Configuration Guide, EttusResearch, accessed March 2016. [Online]. Available:https://goo.gl/EqqLqE

145