Embed Size (px)
Citation preview
SPREE: A Spoofing Resistant GPS Receiver
Aanjhan Ranganathan, Hildur Olafsdottir, Srdjan CapkunDepartment of Computer Science
ETH Zurich, Switzerland
Abstract
Global Positioning System (GPS) is used ubiquitously ina wide variety of applications ranging from navigationand tracking to modern smart grids and communicationnetworks. However, it has been demonstrated that mod-ern GPS receivers are vulnerable to signal spoofing at-tacks. For example, today it is possible to change thecourse of a ship or force a drone to land in an hostilearea by simply spoofing GPS signals. Several counter-measures have been proposed in the past to detect GPSspoofing attacks. These countermeasures offer protec-tion only against naive attackers. They are incapable ofdetecting strong attackers such as those capable of seam-lessly taking over a GPS receiver, which is currently re-ceiving legitimate satellite signals, and spoofing them toan arbitrary location. Also, there is no hardware plat-form that can be used to compare and evaluate the effec-tiveness of existing countermeasures in real-world sce-narios. In this work, we present SPREE, which is, to thebest of our knowledge, the first GPS receiver capable ofdetecting all spoofing attacks described in literature. Ournovel spoofing detection technique called auxiliary peaktracking enables detection of even a strong attacker capa-ble of executing the seamless takeover attack. We imple-ment and evaluate our receiver against three different setsof GPS signal traces and show that SPREE constrainseven a strong attacker (capable of seamless takeover at-tack) from spoofing the receiver to a location not morethan 1 km away from its true location. This is a signif-icant improvement over modern GPS receivers that canbe spoofed to any arbitrary location. Finally, we releaseour implementation and datasets to the community forfurther research and development.
1 Introduction
Today, a number of security- and safety-critical applica-tions rely on Global Positioning Systems (GPS) [24] for
positioning and navigation. A wide-range of applicationssuch as civilian and military navigation, people and assettracking, emergency rescue and support, mining and ex-ploration, atmospheric studies, smart grids, modern com-munication systems use GPS for localization and timing.GPS is a satellite based navigation system that consists ofmore than 24 satellites orbiting at more than 20,000 kmabove the earth. Each satellite continuously broadcastsdata called “navigation messages” containing its precisetime of transmission and the satellites location. The GPSreceiver on the ground receives each of the navigationmessages and estimates their time of arrival. Based onthe time of transmission that is contained in the naviga-tion message itself and its time of arrival, the receivercomputes its distance to each of the visible satellites.Once the receiver acquires the navigation messages fromat-least four satellites, the GPS receiver estimates its ownlocation and precise time using the standard technique ofmultilateration.
However, the civilian GPS navigation messages thatare transmitted by the satellites lack any form of signalauthentication. This is one of the prime reasons GPS isvulnerable to signal spoofing attacks. In a GPS spoof-ing attack, an attacker transmits specially crafted signalsidentical to those of the satellites but at a higher powerthat is sufficient enough to overshadow the legitimatesatellite signals. The GPS receiver then computes a falselocation and time based on the stronger spoofing signaltransmitted by the attacker. As a result, today, it is pos-sible to spoof a GPS receiver to any arbitrary location.For example, researchers have demonstrated the insecu-rity of GPS-based navigation by diverting the course ofa yacht using spoofed GPS signals [8]. A similar hijackwas also successfully executed on a drone using a GPSspoofer that costs less than $1000. More recently, re-searchers demonstrated a GPS signal generator that canbe built for less than $300 [3]. The increasing availabil-ity of low-cost radio hardware platforms [1] make it fea-sible to execute such attacks with less than few hundred
1
arX
iv:1
603.
0546
2v1
[cs
.CR
] 1
7 M
ar 2
016
dollars worth of hardware equipment. More advancedattacks were demonstrated in [26, 31] in which the at-tackers takeover a target receiver that is already locked(continuously receiving navigation messages) on to au-thentic satellite signals without the receiver noticing anydisruption or loss of navigation data. It was shown thata variety of commercial GPS receivers were vulnerableand in some cases even caused permanent damage to thereceivers. It is thus evident that these threats are real andit is important to secure GPS from such signal spoofingattacks.
Although spoofing attacks can be, to a certain extent,mitigated by adding cryptographic authentication to thenavigation messages (e.g., military GPS systems wherethe spreading codes are secret), their use requires distri-bution and management of shared secrets, which makesthem impractical for majority of applications. Even withcryptographic authentication, the system is not protectedagainst relay attacks where an attacker simply recordsand replays the radio signals to the receiver [27]. Sev-eral countermeasures that did not require cryptographicauthentication were proposed in recent years either to de-tect or to mitigate signal spoofing attacks. They rely ondetecting anomalies in certain physical characteristics ofthe signal such as received satellite signal strength, am-bient noise floor levels, automatic gain control [9] valuesand other data that are readily available as receiver ob-servables on modern GPS receivers. Some other coun-termeasures leveraged the signal’s spatial characteris-tics [25, 30] such as the received GPS signal’s directionor angle of arrival. All the above mentioned counter-measures are ineffective against attackers capable of ma-nipulating navigation message contents in real time or aseamless takeover attack [26, 31]. Additionally, majorityof these solutions are not reliable in an environment withstrong multipath (signal copies that reach the receiverwith a time delay due to reflections in the environmentetc.) or in the case of a mobile receiver. Moreover, todaythere is no receiver platform that can be used to compareand evaluate the effectiveness of these countermeasuresin real-world scenarios.
In this work, we present a novel GPS receiver whichwe refer to as SPREE and make the following contri-butions: SPREE is to the best of our knowledge, thefirst commercially off the shelf, single-antenna, receivercapable of detecting or significantly limiting all knownGPS spoofing attacks described in literature. SPREEdoes not rely on GPS signal authentication and can there-fore be used to detect both civilian and military GPSspoofing attacks. Additionally, it is designed to be stan-dalone and does not depend on other hardware such asantennas, additional sensors or alternative sources of lo-cation information (like maps or inertial navigation sys-tems). In SPREE, we introduce a novel spoofing detec-
tion technique called auxiliary peak tracking that lim-its even a strong attacker (e.g., seamless takeover) frombeing able to move (spoof) a receiver to any arbitrarylocation or time. We leverage the presence of authen-tic signals in addition to the attacker’s signals to de-tect spoofing attacks. We implement SPREE by modi-fying an open source software-defined GPS receiver [15]and evaluate it against different signal data sets includ-ing the de-facto standard of publicly available reposi-tory of GPS signal spoofing traces (Texas Spoofing Bat-tery (TEXBAT) [17]). Furthermore, we evaluate SPREEagainst COTS GPS simulators and our own traces ob-tained through an extensive wardriving effort of over 200km. Our analysis shows that SPREE can reliably detectany manipulations to the navigation message contents.In addition, SPREE severely limits even strong attackerscapable of taking over a receiver that is currently locked(receiving and decoding) on to legitimate satellite signalswithout being noticed. Our evaluations showed that sucha strong attacker could offset the SPREE’s location to amaximum of 1 km away from its true location. Finally,we release our implementation and a set of recorded GPSsignal traces used for evaluating SPREE to the commu-nity for further research and development.
2 GPS Overview
2.1 GPS Satellite SystemGPS comprises more than 24 satellites orbiting the earthat more than 20,000 km above the ground. Each satelliteis equipped with high-precision atomic clocks and hencethe timing information available across all the satellitesare in near-perfect synchronization. Each satellite trans-mits messages referred to as the navigation messages thatare spread using pseudorandom codes that are unique toa specific satellite.
The navigation data transmitted by each of the satel-lites consists of a 1500 bit long data frame which is di-vided into 5 subframes [11]. Subframes 1, 2 and 3 carrythe same data across each frame. The data contained insubframes 4 and 5 is split into 25 pages and is transmittedover 25 navigation data frames. The navigation data istransmitted at 50bps with the duration of each subframebeing 6 seconds. Each frame lasts 30 seconds and theentire navigation message, containing 25 such frames,takes 12.5 minutes to be received completely by a re-ceiver. The first subframe mainly contains satellite clockinformation. The second and third subframes contain theephemeris i.e., information related to the satellite’s or-bit and is used in computing the satellite position. Sub-frames 4 and 5 contain the almanac data i.e., the satelliteorbital and clock information with reduced precision forall satellites.
2
C/A code
correlator
channels
Acquisition
Nav. Message
decoders
(per channel)
Tracking
PVT
estimator
Figure 1: GPS receiver architecture. The RF front-end(not shown in Fig) preprocesses the received satellite sig-nals. The acquisition module searches for any visiblesatellite signals and if detected forwards it to the track-ing module. The tracking module decodes the navigationdata which is used in estimating the position, velocityand time.
2.2 GPS Receiver
A typical GPS receiver consists of four main buildingblocks: (i) RF front-end, (ii) Acquisition module, (iii)Tracking module and (iv) Position, Velocity, Time (PVT)estimator module. The RF front-end block pre-processesthe received satellite signals and forwards it to the acqui-sition module. The acquisition module is responsible forsearching for any satellite signals and forwarding the sig-nal to the tracking module when a visible satellite signalis detected. The tracking module decodes and extractsthe navigation data from the acquired signal and sends itto the PVT estimator module for computing the receiverslocation and time.
The acquisition module searches for satellite signalsby correlating its own replica of the pseudorandom codecorresponding to each of the satellites. In addition, thecarrier frequency of the satellite signals can differ fromits true value due to the relative motion of the satelliteand the receiver itself (doppler effect). Thus, in order todetect any visible satellite signal, the receiver performsa two-dimensional search. First, it has to search throughall possible delays (phase) of the pseudorandom code.Second, the receiver must account for frequency errorsthat occur due to the doppler effect and other environ-mental interferences. Figure 2 shows the output of a sig-nal acquisition phase. If the code and doppler searchesresult in a peak above a certain threshold the GPS re-ceiver then switches to tracking and demodulating thenavigation message data. The decoded data is used toestimate the receiver’s range or distance from each ofthe visible satellites. In-order to determine the range, thereceiver needs the satellite signal’s transmission and re-ception time. The transmission time of each subframe isfound in the navigation message and the reception timeis estimated by the receiver. It is important to note thatthe satellite clocks are in tight synchronization with eachother while the receiver’s clock (not using atomic crys-tals) contain errors and biases. Due to the receiver’s
−10−5
05
10 0
500
1000
Figure 2: GPS Signal Acquisition. The result of the cor-relation for a real satellite signal acquisition.
clock bias, the estimated ranges are referred to as pseudo-ranges. The receiver requires at-least four pseudorangesto estimate its position after eliminating the effect of re-ceiver clock bias.
3 GPS Spoofing Attacks
A GPS signal spoofing attack is a physical-layer attackin which an attacker transmits specially crafted radiosignals that are identical to authentic satellite signals.Civilian GPS is easily vulnerable to signal spoofing at-tacks. This is due to the lack of any signal authenticationand the publicly known spreading codes for each satel-lite, modulation schemes and data structure. In a signalspoofing attack, the objective of an attacker may be toforce a target receiver to (i) compute a false geographiclocation, (ii) compute a false time or (iii) disrupt the re-ceiver by transmitting unexpected data. Due to the lowpower of the legitimate satellite signal at the receiver,the attacker’s spoofing signals can trivially overshadowthe authentic signals. During a spoofing attack, the GPSreceiver locks (acquires and tracks) on to the strongersignal i.e., the attacker’s signals, ignoring the legitimatesatellite signals. This results in the receiver computinga false position, velocity and time based on the spoofingsignals.
An attacker can influence the receiver’s position andtime estimate in two ways: (i) manipulating the contentsof the navigation messages (e.g., location of satellites,navigation message transmission time) and/or (ii) mod-ify the arrival time of the navigation messages. The at-tacker can manipulate the arriving time by temporallyshifting the navigation message signals while transmit-ting the spoofing signals. We classify the different typesof spoofing attacks based on how synchronous (in time)and consistent (with respect to the contents of the navi-gation messages) the spoofing signals are in comparisonto the legitimate GPS signals currently being received atthe receiver’s true location.
3
GPS receiverSignal spoofer
Figure 3: Spoofing attack. The attacker uses a commer-cial GPS simulator to transmit signals identical to legit-imate satellite signals but with a higher power to over-shadow the legitimate signals. The receiver computes afalse location and time based on the spoofing signals.
Non-Coherent and Modified Message Contents: In thistype of a attack, the attacker’s signals are both unsyn-chronized and contain different navigation message datain comparison to the authentic signals. Attackers whouse GPS signal generators [2, 4] to execute the spoofingattack typically fall under this category. An attackerwith little know-how can execute a spoofing attack usingthese simulators due to their low complexity, portabilityand ease of use. Some advanced GPS signal generatorsare even capable of recording and replaying signals,however not in real-time. In other words, the attackeruses the simulator to record at one particular time ina given location and later replays it. Since they arereplayed at a later time, the attacker’s signals are notcoherent and contain different navigation message datathan the legitimate signals currently being received.
Non-Coherent but Unmodified Message Contents: Inthis type of attack, the navigation message contentsof the transmitted spoofing signals are identical tothe legitimate GPS signals currently being received.However, the attacker temporally shifts the spoofingsignal thereby manipulating the spoofing signal’s timeof arrival at the target receiver. For example, attackerscapable of real-time record and replay of GPS signalsfall under this category as they will have the samenavigation contents as that of the legitimate GPS signals,however shifted in time. The location or time offsetcaused by such an attack on the target receiver dependson the time delay introduced both by the attacker anddue to the propagation time of the relayed signal. Theattacker can precompute these delays and successfullyspoof a receiver to a desired location.
Coherent but Modified Message Contents: The attackergenerates spoofing signals that are synchronized tothe authentic GPS signals. However, the contents ofthe navigation messages are not the same as that of
the currently seen authentic signals. For example,attacks such as those proposed in [26] can be classifiedunder this category. Nighswander et al. [26] presenta Phase-Coherent Signal Synthesizer (PCSS) that iscapable of generating a spoofing signal with the samecode phase as the legitimate GPS signal that the targetreceiver is currently locked on to. Additionally, theattacker modifies the contents of the navigation messagein real-time (and with minimal delay) and replays itto the target receiver. A variety of commercial GPSreceivers were shown to be vulnerable to this attack andin some cases, it even caused permanent damage to thereceivers.
Coherent and Unmodified Message Contents: Here, theattacker does not modify the contents of the navigationmessage and is completely synchronized to the authenticGPS signals. Even though the receiver locks on to theattacker’s spoofing signals (due to the higher power),there is no change in the location or time computedby the target receiver. Therefore, this is not an attackin itself but is an important first step in executing theseamless takeover attack.
3.1 Seamless Takeover Attack
The seamless takeover attack is considered one of thestrongest attacks in literature. In a majority of applica-tions, the target receiver is already locked on to the legit-imate GPS satellite signals. The goal of an attacker is toforce the receiver to stop tracking the authentic GPS sig-nals and lock on to the spoofing signals without causingany signal disruption or data loss. This is because the tar-get receiver can potentially detect the attack based on theabrupt loss of GPS signal. Consider the example of a shipon its way from the USA to the UK as shown in Figure 4.The GPS receiver on the ship is currently locked on tothe legitimate satellite signals. In a seamless takeoverattack, first, the attacker transmits spoofing signals thatare synchronized with the legitimate satellite signals andare at a power level lower than the received satellite sig-nals. The receiver is still locked on to legitimate satellitesignals due to the higher power and hence there is nochange in the ship’s route. The attacker then graduallyincreases the power of the spoofing signals until the tar-get receiver stops tracking the authentic signal and lockson to the attacker’s spoofing signals. Note that duringthis takeover, the receiver does not see any loss of lock,in other words, the takeover was seamless. Even thoughthe target receiver is now locked on to the attacker, thereis still no change in the route as the spoofing signals areboth coherent with the legitimate satellite signals as wellas there is no modification to the contents of the naviga-
4
- spoofing signals are synced to satellite signals- no change in the course of the ship
- attacker slowly increasesspoofing signal's power - receiver locks to attacker's signal
- attacker manipulates thespoofing signal - receiver computes falseposition; ship gets diverted
Figure 4: Seamless takeover attack. The receiver is locked on to the legitimate satellite signals. The spoofing signal issynchronized with the legitimate signal and has the same navigation contents. Next, the attacker slowly increases thepower of the spoofing signal. The receiver stops tracking the legitimate signals and locks on to the attacker’s signal.Finally, the attacker temporally shifts the spoofing signal causing the receiver to compute a false location and therebychanging the ship’s route.
tion message itself. Now, the attacker begins to manip-ulate the spoofing signal such that the receiver computesa false location and begins to alter its course. The at-tacker can either slowly introduce a temporal shift fromthe legitimate signals or directly manipulate the naviga-tion message contents to slowly deviate the course of theship to a hostile destination. Tippenhauer et al. [31] de-scribe the requirements for an attacker to execute a seam-less takeover and move the target receiver towards theintended location.
3.2 Performance of Existing Countermea-sures
In this section, we discuss existing countermeasuresand describe their effectiveness against various types ofspoofing attacks. A number of countermeasures werebased on detecting anamolies in the physical-layer char-acteristics of the received signal. In addition to the esti-mated position, velocity and time, modern GPS receiversoutput information pertaining to certain physical-layercharacteristics directly as receiver observables. Mod-ern GPS receivers can be configured to output, for ex-ample, automatic gain control (AGC) values, receivedsignal strength (RSS) from individual satellites, carrierphase values, estimated noise floor levels etc. A numberof previous works [9, 10, 33] proposed using some of theabove mentioned receiver observables to realize spoofingawareness in a GPS receiver. For example, in [33] the au-thors suggest monitoring the absolute and relative signalstrength of the received satellite signals for anomalies,number of visible satellites (should not be high), simulta-neous acquisition of satellite signals, etc. Other counter-measures such as detecting sudden changes to the AGCvalues were also proposed for detecting GPS spoofing
attacks. Automatic Gain Controller (AGC) is a hard-ware module that varies the gain of the internal amplifierdepending on the strength of the received signal. Suchcountermeasure are at best capable of detecting attackerswho transmit their spoofing signal at very high power.They are ineffective against attackers who have bettercontrol over their spoofing signal.
Several spoofing detection strategies based on analyz-ing the distortions present in the output of the receiver’scorrelation function were proposed in [28, 36]. In anideal noise-free environment, the correlation output hasminimal distortions. The authors argue that during aspoofing attack, the attacker’s signal would distort theoutput of the correlators, which can be used to detect theattack itself. However, the correlation output is also dis-torted due to multipath signals that arrive a few nanosec-onds later than the direct signal. Wesson et al. [36]showed that it is indeed difficult to distinguish betweenthe distortions caused due to a spoofing attack and a le-gitimate multipath signal. Spoofing detection techniquesbased on the differences in the inherent spatial character-istics of the received signal such as direction or angle ofarrival [13, 25, 29] also face the same challenge of reli-ably distinguishing between legitimate multipath signalsand a spoofing attack. Additionally, they also require ad-ditional hardware modifications to the GPS receiver. Tosummarize, although several countermeasures have beenproposed in literature to detect spoofing attacks, thereis no countermeasure today that is effective in detect-ing strong attackers such as a seamless takeover attack.Moreoever, there is no platform that can be used to com-pare and evaluate the effectiveness of existing counter-measures in real-world scenarios. Today, it is still pos-sible to spoof a victim receiver to any arbitrary locationwithout being detected.
5
4 SPREE – A Spoofing Resilient GPS Re-ceiver
The design of SPREE is largely motivated by the lack ofa GPS receiver capable of detecting or constraining allthe spoofing attacks known in literature. In this section,we present the design of SPREE, the first GPS receivercapable of detecting or constraining all known spoofingattacks. Our receiver design consists of two key compo-nents: (i) Auxiliary Peak Tracker (APT) and (ii) Navi-gation Message Inspector (NAVI) module. First, we de-scribe the auxiliary peak tracking module, a novel coun-termeasure which plays a vital role in constraining evena strong attacker capable of a seamless takeover. The keyfeature of APT is that it acquires and tracks not only thestrongest received satellite signal but also the weaker sig-nals that may be present in the environment. Second, weintroduce a navigation message inspector (NAVI) whichinspects the decoded contents of the navigation messagefrom every satellite and reports any discrepancies. Weshow that NAVI is capable of detecting attackers whomodify the contents of the navigation message. TheAuxiliary Peak Tracker protects SPREE from attackerswho are not synchronized (non-coherent) to the legiti-mate GPS signals currently being received and the Navi-gation Message Inspector prevents attackers from modi-fying the contents of the navigation message. The combi-nation of auxiliary peak tracking and the navigation mes-sage inspector enables SPREE to reliably detect all typesof spoofing attacks.
4.1 Auxiliary Peak Tracking (APT)
In this section, we describe the details of our proposedAuxiliary Peak Tracking technique, which is one ofSPREE’s key features that makes it resilient to spoof-ing attacks. Typically, GPS receivers have multiple ac-quisition and tracking modules to simultaneously searchand track different satellites. Each set of acquisition andtracking module is called a channel and each satellite sig-nal is acquired and tracked by only one channel. Forexample, a 24-channel GPS receiver can simultaneouslysearch for 24 satellites thereby shortening the time to ac-quire a position fix when compared to a 4-channel re-ceiver. In other words, the receiver searches for a satel-lite by allocating each channel to one specific satellite.The receiver acquires or searches for a particular satel-lite signal by correlating its own replica of that specificsatellite’s pseudorandom code with the received signal.If the search results in a correlation value above a cer-tain threshold, the receiver then switches to tracking anddemodulating the navigation message data. It is impor-tant to note that GPS receivers acquire and track onlythe satellite signal that produces the strongest correla-
Acquistion Tracking Decoding
channel 1Sat X
Acquistion Tracking Decoding
channel 2
corr
elation
doppler codephase
Figure 5: Auxiliary Peak Tracking (APT): SPREE usesmore than one channel to acquire, track and decode eachsatellite’s signal. This enables tracking of signals thatproduce weaker acquisition correlation peaks.
tion peak and ignore any weaker correlation peaks asnoise.
In SPREE, we allocate more than one channel to thesame satellite. This means that in addition to tracking thesignal that results in the strongest correlation, SPREEcan also track weaker correlation peaks (if present) forthe same satellite. In other words, SPREE does notrestrict itself to the satellite signals that produces themaximum correlation, but it also detects and trackssignals that produces weaker correlation (Figure 5).
Spoofing detection by tracking auxiliary peaks: TheAuxiliary Peak Tracker protects SPREE from attackerswho are not synchronized to the authentic GPS signals.Recall that the attacker transmits spoofing signals witha higher power such that the authentic GPS signals areovershadowed. Even though the spoofing signals havesuccessfully overshadowed the authentic signals, theyare still present in the environment and it is difficultfor an attacker to completely annihilate them. In orderto completely annihilate authentic GPS signals, the at-tacker first needs to know the precise location (cm level)of the receiver. Furthermore, he needs to annihilate allthe multipath components of the GPS signal at the re-ceiver. This means that the attacker should be able totransmit nulling signals such that they cancel both thedirect GPS signal and all the possible multipath compo-nents at the receiver. In case the receiver is in motion,the attacker must be able to predict the exact trajectoryof the receiver. Given the difficulty of completely an-nihilating authentic satellite signals, they will appear asauxiliary peaks when the attacker’s spoofing signals arenon-coherent or in other words not synchronized with theauthentic satellite signals. We provide a more detailedanalysis on how SPREE’s APT module enables detectionof even the strong seamless takeover attackers in Sec-tion 6.
6
TOW: X+6TOW: X
Internal
clock
Received
subframesSubframe 1 Subframe 2
~6 s
Figure 6: SPREE compares the received TOW to its in-ternal clock and validates whether TOW is increased in6 s intervals.
4.2 Navigation Message Inspector (NAVI)The Navigation Message Inspector module inspects thedecoded navigation data for consistency and sanity andis key to protecting the GPS receiver from attackers whomodify the contents of the navigation message.
Time of Week (TOW) and Receiver’s Clock: Oneof the key parameters that an attacker can modifyin-order to spoof a target receiver’s location or time isthe transmission time of the navigation messages. Thenavigation data transmitted by each of the satellites aredivided into 5 subframes. Each subframe begins with ahandover word which contains a truncated version of thetime of week (TOW) at which the satellite transmittedthat particular subframe. Each subframe lasts for about6 seconds and since the TOW is transmitted once everysubframe, it can only increase in steps of 6 seconds. Weleverage the internal clock of SPREE’s hardware andthe fact that the TOW can only change in steps of 6s todetect spoofing attacks (Figure 6). SPREE records thereceived GPS week and time of week with its internalclock count and raises an alarm if the difference in thetime elapsed internally doesn’t match the newly receivedGPS time of week.
Satellite Orbital Positions: In addition to the trans-mission time of the navigation message, an attacker canalso modify the satellite’s position in the orbit. TheGPS receiver estimates the satellite’s position from theephemeris data. For example, Nighswander et al [26]demonstrated that it is possible to modify the ephemerisdata such that the receiver estimates the satellite to bein the middle of the earth. The authors executed suchan attack by setting the square root of the semi-majoraxis of the satellites orbit to 0. In our design, anattacker cannot execute such manipulations as SPREEcontinuously monitors and evaluates any changes to theorbital parameters.
Almanac & Ephemeris Data: SPREE continuouslymonitors the decoded navigation data from all the visiblesatellites and performs a number of consistency checks.The almanac and ionospheric model data should be the
same across all the navigation frames received from allthe satellites. In addition, whenever feasible SPREEleverages the availability of navigation data such asephemeris, almanac and the ionospheric models fromthird-party sources to compare the data decoded by theGPS receiver. This data is then compared against theinformation received from the satellites and is used todetect spoofing attacks.
Thus, SPREE’s navigation message inspector inde-pendently protects the receiver from attackers capable ofmodifying the navigation message. By combining theNAVI and APT modules, SPREE detects or constraintsall types of attacks capable of spoofing the receiver’s lo-cation and time.
5 Implementation
We implemented SPREE based on GNSS-SDR [15], anopen source software defined GPS receiver. GNSS-SDRis written in C++ and can be configured to processsignals received directly from a radio hardware platformsuch as USRP [1] or from a file source. GNSS-SDRworks with a range of hardware platforms and signalrecorders such as USRP, SiGe GN3S Sampler, NSLPrimo [6], IFEN’s NavPort [7] etc. The architecture ofGNSS-SDR largely resembles the design of a typicalGPS receiver as described in Section 2. It consists ofa signal source and a conditioner module which areresponsible for interfacing with the underlying receiverhardware or file source. Similar to typical GPS receivers,GNSS-SDR also consists of several channels; each in-dividual channel managing all the signal processingrelated to a single satellite. In GNSS-SDR, the channelis a software module that encapsulates the functions ofacquisition, tracking and navigation message decodingblocks. All the channels then report to a module thatestimates the pseudoranges and a number of otherobservables. Finally, if enough information is available,the receiver calculates a position, velocity and time. Aconfiguration file allows the user to chose operationalparameters such as the sampling frequency, the algo-rithms to use for each processing block, signal sourceetc. We modified the acquisition and tracking modules ofGNSS-SDR to realize SPREE. First, we implement theauxiliary peak tracking system within the GPS receiversacquisition module. Recall that the auxiliary peaktracker enables the receiver to track multiple signals ofthe same satellite instead of limiting it to the strongestcomponent only. We implement the navigation messageinspector which checks the consistency and sanity of theextracted navigation data within the tracking module ofthe receiver.
7
Auxiliary Peak Tracking (APT): In SPREE, when aparticular satellite is assigned to a channel, all local peaksof the acquisition correlation function, which are above acertain threshold are collected and stored for processing.This is in contrast to the modern receivers only choosingthe highest correlation peak. Each local peak is then as-signed to a different channel in descending order of mag-nitude for tracking. The maximum number of channelsthat can track the same satellite is made configurable atrun time. The number of channels that can be assignedto track the same satellite will influence the number ofpeaks that can be evaluated at the same time.
If SPREE is successful in acquiring more than onepeak, it records the differences in their arrival times i.e.,the separation between two peaks. If the difference ismore than the maximum acceptable time difference,τmax, SPREE detects a spoofing attack. The value τmaxis set in the configuration file. This check is doneeach time a new navigational message is received.The arrival time is computed in the tracking module,where it is estimated based on the sample counter ofGNSS-SDR and fine tuned based on the code phase ofthe satellite signal. After an auxiliary peak has beenacquired, tracked and evaluated for signs of spoofingand none are found it is dropped and the channelis free to acquire another auxiliary peak to evalu-ate. If the peak remains it will be evaluated again whena channel is free and all other peaks have been evaluated.
Navigation Message Inspector (NAVI): In GNSS-SDR, a telemetry decoder is responsible for decodingthe contents of the received navigational message. First,SPREE records the time of week decoded from each ofthe received navigation message subframes. If the differ-ence in time of week present in consecutive subframesdoes not match with its internal clock count (morethan 6 s difference due to the minimum resolution),SPREE raises an alarm. Next, the stored navigation datafor each of the visible satellites is compared with thecontents of the preceding navigation message for thatparticular satellite. If there is a discrepancy betweenthese two values, SPREE notes it as a possible spoofingattack. Also, SPREE compares the navigational datafrom all satellites with each other for any discrepanciesin the almanac and ephemeris data. Recall that, thealmanac and ionospheric model data should be the sameacross all the navigation frames received from all thesatellites. If configured to do so and if possible, it canalso compare the time, almanac, ephemeris and theionospheric model data received from the satellites todata received from third-party sources using the SecureUser Plane Location (SUPL) protocol. These checksare done each time a new navigation message is received.
GPStraces
config
file
Spoofing Resistant
GPS Receiver
(SPREE)
Figure 7: Evaluation Setup: A configuration file speci-fied vital system parameters such as input source, sourcesignal sampling rate and configuration of the spoofingdetection module.
In addition to the above modules, we also implementseveral existing countermeasures described in Section 3to facilitate real-world performance evaluations. How-ever, we restrict our discussion to our main contributions,the APT and NAVI module as they enable reliable detec-tion of all known spoofing attacks in literature. It is im-portant to note that SPREE adds no additional require-ments on the underlying hardware and supports all theplatform and file sources supported by GNSS-SDR.
6 Security Evaluation
In this section, we evaluate SPREE and present itssecurity guarantees. Figure 7 shows our evaluationsetup. A configuration file is used to select SPREE’sparameters including those needed by the spoofingdetection module. In our evaluations, the GPS signaltraces (spoofing and clean) were recorded and stored infiles and later input to SPREE. We evaluated SPREEagainst three different sets of GPS signals: (i) a publicrepository of spoofing traces (TEXBAT) [17], (ii) signalsrecorded through our own wardriving effort and (iii)spoofing signals generated using COTS GPS simulators.
6.1 GPS TracesGPS Simulator: First, we evaluated the performanceof SPREE against our own spoofing signals generatedusing commercially available GPS simulators. Specif-ically, we used Spectracom’s GSG-5 Series advancedGPS simulator [2] in order to generate our spoofingsignals. One of the key features of the simulator is itsability to generate multipath signals for any satellite.It is even possible to configure the multipath’s powerlevels and time offset i.e., the extra distance travelledby the multipath relative to the original line-of-sight(LOS) signal. The GPS simulator traces were mainlyused to evaluate the ability of SPREE to robustly detectauxiliary peaks. In addition, we used the GPS simulatortraces to simulate attackers capable of manipulating the
8
12
3
4
Figure 8: Our wardriving setup with a front-end con-sisting of a (1) a active conical GPS antenna and a (2)USRP N210. The signals were recorded using a (3) lap-top. The recording were periodically moved to an (4)external hard disk.
content of the navigation messages.
Texas Spoofing Test Battery (TEXBAT): TEX-BAT [17] is a set of digital recordings containing GPSspoofing tests conducted by the University of Texas atAustin. TEXBAT is the only publicly available datasetand the de-facto standard for testing spoofing resilienceof GPS receivers. TEXBAT includes two clean (spoofingfree) data sets in addition to spoofing scenarios based onthe location and time of the clean GPS traces. The setof spoofing traces contain a wide variety of scenariosincluding take-over attacks where either the time orposition of the target receiver is spoofed. The spoofingsignals are closely code-phase aligned with the authenticsignals. Furthermore, the carrier phase of the seamlesstakeover scenarios are aligned with the authentic signalsduring the takeover.
Wardriving: In addition to using TEXBAT scenarios,we collected our own GPS traces through an extensivewardriving effort. We used the wardriving dataset toevaluate SPREE’s behaviour in a non-adversarial (onlylegitimate GPS signals present) scenario and determinehow reliable is SPREE with respect to false alarms. Thesetup used for recording the GPS signals during thewardriving effort is shown in 8. The front end of thesetup consists of an active conical GPS antenna and abias-tee. We used an USRP N210 and GNURadio andrecorded raw GPS signals into an external hard disk. Thesignals were sampled at 10MHz and stored in complexdata format. The setup itself was powered through thecar’s power outlet. We recorded the GPS signals at vari-ous locations: (i) An open field, (ii) parking lot of a smallvillage, (iii) driving on a highway, (iv) driving inside acity, (v) inside a city with neighbouring tall buildings and(vi) inside a forest with dense tree cover.
Trace 1
Trace 2
Trace 3
Seamles
s 1
Seamles
s 20
0.2
0.4
0.6
0.8
1
Max
imum
Spo
ofed
Dis
tanc
e [k
m]
Figure 9: Spoofing detection in TEXBAT dataset.SPREE detected auxiliary peaks in all the spoofingtraces. The maximum location offset the attacker couldcause before being detected was less than a kilometer.
6.2 Security EvaluationRecall that an attacker can influence the receiver’s esti-mates by either manipulating the contents of the naviga-tion messages or temporally shifting the navigation mes-sage signals while transmitting the spoofing signals.
Detecting Non-coherent Attackers: Recall that a non-coherent attacker’s spoofing signal is not synchronizedwith the authentic satellite signals. Even though thereceiver might be locked on to the attacker’s spoofingsignals, the authentic signals will appear as auxiliarypeaks due to the Auxiliary Peak Tracking module. Theeffectiveness of detecting such non-coherent spoofingattacks depends on the ability of the APT moduleto detect and track auxiliary peaks. First, using ourown GPS simulator traces, we tested the ability of theAPT module to detect and track multiple acquisitioncorrelation peaks. Specifically, we leveraged the abilityof the simulator to generate duplicate copies of a satellitesignal at different time intervals away from the originalsignal. We generated signal copies spaced between 50nsto 1000ns and determined that our receiver was able toreliably detect and track auxiliary peaks spaced 500nsor more. In some scenarios, it was able to track peaksmuch closer, however not reliably (over multiple runs).Thus, we configured APT module to track auxiliarypeaks that are separated by more than 500ns. The choiceof 500ns separation between two peaks for spoofingdetection is supported by two additional reasons:(i) During signal acquisition (searching for satellitesignals), GPS receivers shift their correlator typicallyby half a chip1 period i.e., 500ns. This means thatmost modern receivers can reliably track peaks that areseparated by 500ns and no additional hardware changesare required to implement SPREE in modern receivers.
1A chip is one bit of the pseudorandom code
9
correlation
doppler codephase
correlation
dopplercodephase
correlation
dopplercodephase
Figure 10: Detecting seamless take over attack. As the attacker begins to drift the spoofing signal away with theintention of changing the course of the ship, SPREE will detect the auxiliary peak produced by the legitimate satellitesignal and rise an alarm.
(ii) Several prior works on modelling GNSS multipathsignals [12, 18, 21, 23] show that most GPS multipathsare delayed by less than 300 − 400ns. This meansthat it is highly unlikely to observe an auxiliary peakcaused due to legitimate multipath signals occurringat more than 500ns away from the line-of-sight signalpeak. Moreover, the attenuation and polarization shiftintroduced in the legitimate signals due to reflectionsthat are a few hundred metres away would make thesignal untrackable. We proceeded to evaluate SPREEagainst the TEXBAT set of GPS spoofing signal tracesdescribed previously. SPREE detected auxiliary peaksin all the traces containing spoofing signals and failedto detect any auxiliary peaks for the clean non-spoofingtraces. Based on the separation of auxiliary peaks at thetime of detection, we evaluated the maximum possiblelocation offset an attacker could have caused withoutbeing detected and present it in Figure 9. In the case ofthe seamless takeover attacks, the maximum deviationan attacker could introduce in SPREE was about 400m. It is important to note that traces 1, 2 and 3 containspoofing signals that are not as closely synced as theseamless takeover traces and hence the larger valuesfor maximum spoofed distance. For completeness, weprocessed our wardriving traces that represent clean,non-spoofing scenarios for any false alarms. SPREE didnot detect any auxiliary peaks.
Detecting Navigation Message Modifications: Wewill now analyze SPREE’s resilience against attackerswho modify the contents of the navigation message.The key parameters that an attacker can manipulate inthe navigation data are the time of transmission and thesatellite’s orbital information present in the almanac andephemeris.
Modifying TOW: As described in Section 4.2, the valueof TOW can be altered only in steps of 6 seconds.SPREE leverages the internal clock of the hardwarereceiver to continuously compare the received TOWdata against its internal clock count. SPREE raises analarm if the difference in the time elapsed internallydoesn’t match the newly received GPS time of weekinformation. We note that even a watch crystal todayhas an error rating of approximately 10 ppm which is adrift of less than a second in one day. Therefore a driftof 6s can be easily detected even without a thermallycontrolled crystal oscillators (TCXO2) that is presentin modern hardware receiver platforms. We evaluatedSPREE against such an attack using two GPS simulatorseach spoofing the same satellite however with differentTOW data and SPREE successfully detected the attack.Both the simulators were synchronized to the samereference clock signal. We used this setup to evaluateSPREE’s resilience to attacks described in [26] suchas arbitrary manipulation of week numbers and datedesynchronization attacks.
Modifying Ephemeris Data: The attacker can alsomanipulate the ephemeris data to force the receiverto malfunction. Ephemeris data gets updated onceevery two hours and contain precise satellite orbitalinformation including satellite clock biases. However,it was shown in [26] that it is trivial to force a receiverto accept ephemeris changes whenever possible. SinceSPREE’s NAVI module keeps track of the elapsed timeusing the receiver’s internal clock, it can be configuredto ignore any ephemeris updates within the 2-hour timeinterval. It is also important to note that any changesto the satellite orbital information or in general the
2Modern TCXOs have error ratings between 1− 100ppb and areavailable for under $10
10
0 20 40 60 80
Constellation
0
0.5
1
1.5
2
Max
imum
Cha
nge
[km
]
Figure 11: Maximum location offset. An analysis of 73satellite constellations (as observed during wardriving)show that a strong attacker can cause a maximum loca-tion offset of less than 1 km in majority of the scenariosbefore being detected.
ephemeris data can be compared against ephemeris dataavailable from third-party sources [5]. Additionally,SPREE is capable of recording the ephemeris datareceived from all satellites in the past and notify if thereis any unexpected change in the ephemeris data values.
Detecting Seamless Takeover Attack: As describedpreviously, a seamless takeover attack is an attack inwhich the attacker takes control of the victim receiverwithout any disruption to its current state. This typeof attacker is one of the strongest attackers known inliterature and no existing countermeasure is effectivein detecting the seamless takeover attack. We will nowsee how SPREE enables detecting a seamless takeoverattack. Consider the same example of a ship on itsway from United States to the UK, currently lockedon to legitimate satellite signals. The attacker beginsa seamless takeover by transmitting spoofing signalsthat are synced to the legitimate satellite signals but at alower power level. The output of the acquisition moduleis shown in Figure 10. Notice that the legitimate satellitesignal (shown in green) is stronger than the spoofingsignal but are synchronised to each other. Now theattacker, increases the spoofing signals power and takesover the receiver. Note that, even though the receiver islocked on to the attacker, there is still no change in routeyet. This is because the attacker is both synchronisedto the legitimate signals and is transmitting the samenavigation message. Now, the attacker begins to driftthe spoofing signal away with the intention of changingthe course of the ship. At this point, a typical GPSreceiver will ignore any weaker correlation peaks thatexist and compute its location based on the attackerssignal. However, SPREE will detect an auxiliary peakand rise an alarm.
Maximum position offset: Recall that, SPREE detectsany modifications to the contents of the navigationmessage and tracks peaks of the same satellite thatare separated by more than 500ns. This value wassetup after extensive experiments using signals fromGPS simulators and our own wardriving efforts asdescribed previously. This means that the attackeris limited to temporally shifting his spoofing signalsby at most 500ns which results in a 150m changein the pseudorange estimated by the receiver for thatspecific satellite. It is important to note that the effectof this change in pseudorange caused by the attackeron the receiver’s final position estimate depends onthe constellation of the satellites. We collected all thedifferent constellations observed during our wardrivingand evaluated the effect of temporally shifting thesatellite pseudoranges by 150m. Our analysis accountedfor all possible pseudorange changes an attacker canintroduce on all combinations of visible satellites. Weanalyzed over 73 different satellite constellations, eachone with four satellites, and calculated the maximumpossible location offset an attacker could introduce.Our results are shown in Figure 11. On an average themaximum position deviation was 455m. This meansthat e.g., in the ship hijack scenario, it would not bepossible for an attacker to deviate the course of the shipby more than 455m. Note that, we limited our analysisto constellations consisting of only four visible satellites,which is the most favourable for an attacker. In mostenvironments, more than four satellites will be visible,which will further constrain how much the attacker canchange the victim’s position. Furthermore, we observedthat the constellations that allow the attacker to spoofthe receiver more than 1 km away, comprised satellitesat very low elevation angles. Therefore, configuringSPREE to only accept satellite signals with a minimumelevation angle will potentially constrain the attackerfurther.
7 Discussion
Integrating SPREE into commercial receivers: Oneof the main differences between SPREE and a commer-cial GPS receiver is that unlike commercial receiverswhich track one satellite per channel, SPREE uses multi-ple channels to track the same satellite. This means thatwithout any hardware changes i.e., for the same numberof acquisition and tracking channels, our spoofing-awarereceiver will track less number of satellites than its ca-pable of. In order to do this, two changes are necessary:(i) allocate a minimum of two channels for every visiblesatellite signal (one for the authentic GPS signal andone that keeps searching for a potential spoofing signal)
11
and (ii) search the entire range of time delays for weakeracquisition peaks. The number of channels allocatedper visible satellite signal can be easily modified inthe firmware. However, as mentioned before, thiswill limit the number of satellites that the receiver cansimultaneously acquire and track. Modern receiverstypically have 32 − 128 channels capable of tracking32 − 128 satellites simultaneously3 and allocating twochannels for each satellite will reduce the number ofsatellites that can be tracked by half. In reality, this is nota problem since the typical number of visible satellitesat any time instant is not more than 10 or 11. In orderto track auxiliary peaks, we keep a list of all auxiliarypeaks found during the acquisition in a float array. Thenumber of floats stored is 2 · Fs
1000 for each acquisition,where Fs denotes the sampling rate. This means thatfor a sampling rate of 10 MHz each acquisition requiresan additional ≈ 19.5kB of storage. We believe this tobe negligible when compared to the available RAM inmost of the modern receivers today. There is practicallyno performance overhead in detecting changes to thecontents of the navigation message by an attacker. Theonly waiting time is the time (≈ 6s) needed to receiveand decode the new subframe completely. Hence ourdesign modifications can be easily integrated into amodern GPS receiver with only a firmware upgrade anddoes not require any changes to the underlying hardware.
Probability of False Alarms: False alarms can becaused due to an event that forced SPREE to believeit is being spoofed. In the case of the auxiliary peaktracking module, the arrival of a legitimate multipath sig-nal with a delay of more than 500ns and with a signalstrength greater than the acquisition threshold will resultin SPREE raising a spoofing alert. This is unlikely to becaptured by the GPS receiver due to the following rea-sons: (i) change in polarization–GPS signals are typi-cally right hand polarized and any reflections causes achange in the polarization of the signal. Majority of GPSreceiver antennas are configured to received the directright hand circularly polarized signals and attenuate re-flected signals. (ii) Propagation path loss–Since the mul-tipath signals travel a few hundred metres more than thedirect line of sight signal, the signals undergo more at-tenuation due to propagation path loss. Also, reflectionsfrom surfaces themselves may cause the GPS signal toattenuate and therefore, given the received power levelsof direct line of sight GPS signals on the ground, mul-tiple reflections would eventually only make the signaluntrackable. In addition, auxiliary peaks caused by legit-imate multipaths tend to be momentary and untrackablein contrast to a peak caused by a seamless takeover at-
3sometimes used in receiver’s capable of using more than one satel-lite navigation system such as GLONASS
tack. Recall that, SPREE did not detect any auxiliarypeak beyond the set τmax of 500ns on the traces collectedduring our wardriving effort. In fact, an analysis of thetemporal behaviour of multipath signals against spoofingsignals can enable distinct identification of peaks causeddue to a spoofing signal. Note that, even after detect-ing auxiliary peaks, it is currently difficult to distinctlyidentify the peak caused by the spoofing signal and thatcaused by the legitimate signal. Thus the results of thetemporal behavioural analysis can help the receiver to ig-nore or internally cancel the spoofing signal and therebybuilding better resilience to spoofing attacks.
8 Related Work
The work that comes closest to SPREE is the design of aninline anti-spoofing device [20]. The device connects be-tween the GPS antenna and a GPS receiver and uses com-plex correlation peak distortion techniques to identifyspoofing signals. As demonstrated in [36], such counter-measures face the challenge of distinguishing spoofingsignals from real-world channel effects and are ineffec-tive against seamless takeover attackers. Also, the de-vice is incapable of detecting attackers who modify thecontents of the navigation messages. Several works [19,22, 35] propose solutions that are cryptographic in na-ture and therefore require modifications to the GPS in-frastructure. Incorporating cryptographic authenticationinto civilian GPS, similar to military GPS, could to anextent mitigate spoofing attacks. However this wouldrequire distribution and management of shared secretswhich makes it infeasible for a large set of applications.Additionally, cryptographic authentication does not pro-tect against signal replay attacks where an attacker sim-ply records legitimate GPS signals at one location and re-plays it to the victim receiver [27]. Some other proposalsdepended on additional hardware such as additional re-ceivers, alternative navigation systems, sensors etc. Tip-penhauer et al. [31] proposed the use of multiple syn-chronized GPS receivers to detect spoofing. They showthat spoofing a set of synchronized GPS receivers, withknown relative distances or geometrical constellation re-stricts the number of locations from where an attackercan transmit the spoofing signals. Cross-validation ofthe position estimates against alternate navigation sys-tems such as Galileo [16] were also proposed. However,a simulator that can spoof both GPS and Galileo will eas-ily defeat this countermeasure. Data from other sensorscan also be used to cross validate GPS navigation so-lutions. For example, inertial measurement units (e.g.,accelerometer, gyroscope, compass) have already beenproposed as alternative ways to navigate during tempo-rary GPS outages [14, 32, 34]. The main drawback ofinertial navigation units is the accumulating error of the
12
sensor measurements. These accumulated sensor mea-surement errors affect the estimated position and veloc-ity over longer duration of time and hence limit the max-imum time an IMU can act independently.
9 Conclusion
In this paper, we presented SPREE, the first GPS receiverthat detects all known spoofing attacks. We designed, im-plemented and evaluated SPREE against different sets ofsignal traces and showed that even a strong attacker ca-pable of a seamless takeover cannot deviate the receiverby more than 1 km. This is a vast improvement over cur-rent GPS receivers that can be spoofed to any arbitrarylocation in the world. Finally, we release our implemen-tation and the GPS dataset used in our evaluations to theresearch community.
References
[1] Ettus research llc. http://www.ettus.com/.
[2] GSG-xx Series Multi-channel advanced GNSSsimulator. http://www.spectracomcorp.com/.
[3] Hacking A Phone’s GPS May Have Just Got Easier.http://www.forbes.com/sites/parmyolson/2015/08/07/gps-spoofing-hackers-defcon/.
[4] LabSat GPS Simulator. http://www.labsat.co.uk/.
[5] NASA’s archive of space geodesy data.http://cddis.gsfc.nasa.gov/.
[6] NSL Primo GNSS SDR Front End.http://www.nsl.eu.com/primo.html.
[7] SX3 GNSS Software Receiver.http://www.ifen.com.
[8] UT Austin Researchers SuccessfullySpoof an $80 million Yacht at Sea.http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea.
[9] AKOS, D. M. Who’s afraid of the spoofer?gps/gnss spoofing detection via automatic gain con-trol (agc). Navigation 59, 4 (2012), 281–290.
[10] BASTIDE, F., AKOS, D., MACABIAU, C., ANDROTURIER, B. Automatic gain control (agc) as aninterference assessment tool. In Proceedings of the16th International Technical Meeting of the Satel-lite Division of The Institute of Navigation (IONGPS/GNSS 2003) (2001), pp. 2042–2053.
[11] BORRE, K., AKOS, D. M., BERTELSEN, N.,RINDER, P., AND JENSEN, S. H. A software-defined GPS and Galileo receiver: a single-frequency approach. Springer Science & BusinessMedia, 2007.
[12] BRAASCH, M. S. Performance comparison ofmultipath mitigating receiver architectures. InAerospace Conference, 2001, IEEE Proceedings.(2001), vol. 3, IEEE, pp. 3–1309.
[13] BROUMANDAN, A., JAFARNIA-JAHROMI,A., DEHGHANIAN, V., NIELSEN, J., ANDLACHAPELLE, G. Gnss spoofing detection inhandheld receivers based on signal spatial cor-relation. In Position Location and NavigationSymposium (PLANS), 2012 IEEE/ION (2012),IEEE, pp. 479–487.
[14] FARRELL, J., AND BARTH, M. The global po-sitioning system and inertial navigation, vol. 61.McGraw-Hill New York, 1999.
[15] FERNANDEZ–PRADES, C., ARRIBAS, J.,CLOSAS, P., AVILES, C., AND ESTEVE, L.GNSS-SDR: An open source tool for researchersand developers. In Proc. of the ION GNSS 2011Conference (2011).
[16] HOFMANN-WELLENHOF, B., LICHTENEGGER,H., AND WASLE, E. GNSS–global navigationsatellite systems: GPS, GLONASS, Galileo, andmore. Springer Science & Business Media, 2007.
[17] HUMPHREYS, T. E., BHATTI, J. A., SHEPARD,D. P., AND WESSON, K. D. The texas spoofingtest battery: Toward a standard for evaluating gnsssignal authentication techniques. In Proceedings ofthe ION GNSS Meeting (2012).
[18] KONG, S.-H. Statistical analysis of urban gpsmultipaths and pseudo-range measurement errors.Aerospace and Electronic Systems, IEEE Transac-tions on 47, 2 (2011), 1101–1113.
[19] KUHN, M. G. An asymmetric security mecha-nism for navigation signals. In Information Hiding(2005).
[20] LEDVINA, B. M., BENCZE, W. J., GALUSHA, B.,AND MILLER, I. An in-line anti-spoofing devicefor legacy civil gps receivers. In Proceedings of the2010 international technical meeting of the Insti-tute of Navigation (2001), pp. 698–712.
13
[21] LEHNER, A., AND STEINGASS, A. Theland mobile satellite navigation multipath channel–a statistical analysis. In Proc. of the 2nd Work-shop on Positioning, Navigation and Communica-tion (WPNC05) & 1st Ultra-Wideband Expert Talk(UET05) (2005), pp. 119–126.
[22] LO, S. C., AND ENGE, P. K. Authenticating avia-tion augmentation system broadcasts.
[23] MANANDHAR, D., SHIBASAKI, R., AND TORI-MOTO, H. Gps reflected signal analysis using soft-ware receiver. Positioning (2006).
[24] MISRA, P., AND ENGE, P. Global Positioning Sys-tem: Signals, Measurements and Performance Sec-ond Edition. Lincoln, MA: Ganga-Jamuna Press,2006.
[25] MONTGOMERY, P. Y., HUMPHREYS, T. E., ANDLEDVINA, B. M. Receiver-autonomous spoof-ing detection: Experimental results of a multi-antenna receiver defense against a portable civil gpsspoofer. In Proceedings of the ION InternationalTechnical Meeting (2009).
[26] NIGHSWANDER, T., LEDVINA, B. M., DIA-MOND, J., BRUMLEY, R., AND BRUMLEY, D. Gpssoftware attacks. In ACM Conference on Computerand Communications Security (2012), pp. 450–461.
[27] PAPADIMITRATOS, P., AND JOVANOVIC, A.Gnss-based positioning: Attacks and countermea-sures. In Military Communications Conference,2008. MILCOM 2008. IEEE (2008), IEEE, pp. 1–7.
[28] PHELTS, R. E. Multicorrelator techniques for ro-bust mitigation of threats to GPS signal quality.PhD thesis, Stanford University, 2001.
[29] PSIAKI, M. L., OHANLON, B. W., BHATTI,J. A., SHEPARD, D. P., AND HUMPHREYS, T. E.Civilian gps spoofing detection based on dual-receiver correlation of military signals. Proceed-ings of the Institute of Navigation GNSS (IONGNSS 2011) (2011).
[30] PSIAKI, M. L., POWELL, S. P., AND OHANLON,B. W. Gnss spoofing detection using high-frequency antenna motion and carrier-phase data.In Proceedings of the ION GNSS+ Meeting (2013),pp. 2949–2991.
[31] TIPPENHAUER, N. O., POPPER, C., RAS-MUSSEN, K. B., AND CAPKUN, S. On the re-quirements for successful gps spoofing attacks. In
Proceedings of the 18th ACM conference on Com-puter and communications security (2011), ACM,pp. 75–86.
[32] TITTERTON, D., WESTON, J., ET AL. StrapdownInertial Navigation Technology. 2-nd Edition. IET,2004.
[33] WARNER, J. S., AND JOHNSTON, R. G. Gpsspoofing countermeasures. Homeland SecurityJournal (2003).
[34] WENDEL, J., MEISTER, O., SCHLAILE, C., ANDTROMMER, G. F. An integrated GPS/MEMS-IMUnavigation system for an autonomous helicopter.Aerospace Science and Technology 10, 6 (2006),527–533.
[35] WESSON, K., ROTHLISBERGER, M., ANDHUMPHREYS, T. Practical cryptographic civil gpssignal authentication. Navigation (2012).
[36] WESSON, K., SHEPARD, D., BHATTI, J., ANDHUMPHREYS, T. E. An evaluation of the vesti-gial signal defense for civil gps anti-spoofing. InProceedings of the ION GNSS Meeting (2011).
Appendix
Trace Set DescriptionTrace 1 (ds3) Static Matched Time PushTrace 2 (ds2) Static Overpowered Time PushTrace 3 (ds4) Static Matched Position Push
Seamless 1 (ds7) Seamless Carrier Phase AlignedSeamless 2 (ds8) Security Code Estimation Replay
Table 1: TEXBAT Spoofing Traces as mapped in Fig-ure 9
14
