Why We Should Build a Secure Positioning Infrastructure

Keynote, ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) & Workshop on RFID Security

Srdjan Čapkun, Department of Computer Science, ETH Zurich, Switzerland

June 24, 2015

All photographs, imagery, media belong to their respective owners/creators.


IoT, Smart Homes, Smart Healthcare, Smart Grids, Smartphones, Drones, Autonomous Cars, Vehicular Networks, Cyber-Physical Systems, …

Various Internet Sources.

IDs and Locations

We want every device/thing (big and small) to be able to have/obtain an ID (e.g., IP) and to be remotely accessible. We further want to assign identities securely, securely map them to other IDs (e.g., DNSSec) and be able to remotely verify these identities (authentication).

We want every device/thing (big and small) to be able to calculate its location (e.g., geographic) and this location information should be remotely accessible. We further want to obtain locations securely (secure positioning), securely map them to other labels (e.g., geo->office_locations) and remotely verify location claims (location verification).

What Would We Want out of A Secure Positioning Infrastructure?

Functional

• Short/Mid/Long Range Positioning (In/Outdoor)
• Infrastructure free positioning (P2P, Ad-Hoc)
• High Precision and Coverage
• Remote Access to Location Information

Image sources: IPSN / Microsoft positioning challenge, 2015; http://galileognss.eu/

Basic S&P

Spoofing Resilience: device can obtain its true Location

[Diagram: GPS satellites, Drone, Attacker, Spoofing signal. Incorrect location estimated by the drone.]

Location and Identity Privacy

One Can Verify Locations of Others (Remotely)

[Diagram: Parole officer, Ex inmate, Ex inmate home. "Are you at home?" "Yes, I am at home!" "Hm … how can I be sure?"]

Availability

• Robust to Interference / e.g., Jamming
• Robust to Failures (no Central Point of Failure)

http://foreignpolicy.com/2014/08/09/they-shoot-satellites-dont-they/

http://www.economist.com/news/international/21582288-satellite-positioning-data-are-vitalbut-signal-surprisingly-easy-disrupt-out

Political / Regulatory

• Controlled by 'Local' Authorities

http://www.esa.int/Our_Activities/Navigation/The_future_-_Galileo/Why_Europe_needs_Galileo

The European Commission (EC) estimates that 6-7% of European GDP – around 800 billion by value – is already dependent on satellite navigation. But European users have no alternative today other than to take their positions from US GPS or Russian Glonass satellites.

Satellite positioning has already become the standard means of navigating. If the signals were switched off or degraded tomorrow, … As the use of satellite navigation spreads, the implications of a signal failure will be even greater, jeopardising not only the efficient running of transport systems, but also human safety.

European independence is the chief reason for taking this major step.

Ideal Properties of a (Secure) Positioning Infrastructure

Basic S&P
• Spoofing Resilience: Device can Obtain its True Location
• One Can Verify Location of Others (Remotely)
• Protects Location and Identity Privacy

Functional
• Short/Mid/Long Range Positioning (In/Outdoor)
• Infrastructure free positioning (P2P, Ad-Hoc)
• High Precision and Coverage
• Remote Access to Location Information

Availability
• Robust to Interference / e.g., Jamming
• Robust to Attacks on Infrastructure

Political / Regulatory
• Controlled by Local Authorities
• …

Today's Positioning Systems

GPS security

GPS signal generators

Legitimate GPS signals overshadowed
• GPS signal weak at surface (10^-15 W)
• the original signal appears as noise

http://www.bbc.com/news/technology-18643134

http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer-Video

GNSS: Analysis

Basic S&P
- Limited Spoofing Resilience
- No Location Verification
+ Protects Location and Identity Privacy

Functional
- Outdoor only
- No Infrastructure free positioning (P2P, Ad-Hoc)
+ High Precision and Coverage
? Remote Access to Location Information

Availability
- Not robust to Interference / e.g., Jamming
-/+ Robust to Attacks on Infrastructure

Political / Regulatory
- Not controlled by Local Authorities
…

Other Systems

Main idea: Measure signal (characteristics) + Authenticate Messages

IDM = Indirect Distance Measurement (no Time-of-Flight)
• RSSI measurement (e.g., WiFi, Bluetooth, 802.15.4)
• Phase (multi-carrier) measurement (e.g., Atmel AT86RF233)
• FMCW (radar)
• AoA (Angle of Arrival) measurement (e.g., Bluetooth 5.0)
• Other signal characteristics (channel, noise figures, MIMO, …)

Direct Distance Measurement (Time-of-Flight)
• CSS (e.g., NanoLOC)
• By direct round-trip ToF measurement (e.g., UWB)
• With UWB we can do distance bounding

TDOA (Time Difference of Arrival)
• Here, we can do some spoofing prevention (hidden stations).

Insecurity of Indirect Distance / Position Measurements

Signal characteristics (AoA, Phase, RSSI, …) can be spoofed at low cost

E.g., relay attacks

[Figure: "The keyless access world" problem]

E.g., TDOA

[Figure: base stations BS1, BS2, BS3]

Standard USRP device, GNU Software readily available (BT, 802.15.4, 802.11)
- RSSI spoofing (simple power adjustment)
- Phase spoofing (simple phase delay adjustment)

Example: Attack on Multi-Carrier Phase Ranging System

Simple active attack: Modification of the phase slope by active modification of the transmitted phase. Done using single active USRP.

Simple passive relay attack: Modification by polarity randomization of the re-tx signal. Done using passive analogue components.

[Figure: two plots of measured phase [rad] against frequency channel [MHz], 2400 to 2480 MHz. Plot 1: unspoofed Θi -> d = 15 m, spoofed Θi -> d = 6.07 m. Plot 2: unspoofed Θi -> d = 25 m, spoofed Θi -> d = 2.5 m.]

Tests show that these systems are not secure even against low cost attacks.
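Added example (not from the original slides): a minimal model of a multi-carrier phase ranging estimator, showing that the distance it reports is determined only by the phase slope across channels, which is why a linear phase ramp chosen by the transmitter moves the estimate (15 m to 6.07 m and 25 m to 2.5 m, the values in the plots). The round-trip phase model θ_i = 4π·f_i·d/c, the 2 MHz channel spacing and all function names are assumptions.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed channel plan: 2400 to 2480 MHz in 2 MHz steps (assumption).
CHANNELS_HZ = [2.400e9 + k * 2.0e6 for k in range(41)]

def channel_phases(freqs_hz, dist_m, tx_ramp_m=0.0):
    """Wrapped round-trip phase the verifier measures on each channel.

    Model (assumption): theta_i = 4*pi*f_i*(dist_m + tx_ramp_m)/c mod 2*pi.
    tx_ramp_m is a linear per-channel phase ramp added by whoever transmits,
    expressed as the distance change it is equivalent to.
    """
    return [(4.0 * math.pi * f * (dist_m + tx_ramp_m) / C) % (2.0 * math.pi)
            for f in freqs_hz]

def unwrap(phases):
    """Remove 2*pi jumps, assuming adjacent channels differ by less than pi."""
    out = [phases[0]]
    for p in phases[1:]:
        step = (p - out[-1] + math.pi) % (2.0 * math.pi) - math.pi
        out.append(out[-1] + step)
    return out

def estimate_distance(freqs_hz, phases):
    """Least-squares slope of phase over frequency, converted to metres."""
    theta = unwrap(phases)
    n = len(freqs_hz)
    f_mean, t_mean = sum(freqs_hz) / n, sum(theta) / n
    num = sum((f - f_mean) * (t - t_mean) for f, t in zip(freqs_hz, theta))
    den = sum((f - f_mean) ** 2 for f in freqs_hz)
    return C * (num / den) / (4.0 * math.pi)

def demo():
    """Estimates for an untouched signal and for one carrying a phase ramp."""
    plain = estimate_distance(CHANNELS_HZ, channel_phases(CHANNELS_HZ, 15.0))
    ramped = estimate_distance(CHANNELS_HZ, channel_phases(CHANNELS_HZ, 15.0, -8.93))
    return round(plain, 2), round(ramped, 2)
```

The estimator has no input that ties the measured phases to the actual propagation delay, so both results are equally plausible to the verifier.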

Insecurity of Indirect Distance / Position Measurements

• All Indirect (RSSI, Phase, AoA) Distance / Position measurements and some direct measurements (CSS, 802.15.4 UWB) are insecure
• (RSSI/WiFi: Tippenhauer11, NanoLOC/CSS: Ranganathan12, GPS: Tippenhauer11, Nighswander12, Atmel/Phase, UWB/802.15.4: Poturalski11/12, RSSI/RFID: Hancke05, …)

• These attacks are typically low cost and require a low level of sophistication of the attacker

• Distance / Position measurements cannot be secured by relying solely on cryptography since these are physical-layer attacks

• Secure positioning / distance measurement needs a different hardness assumption (e.g., inability of the attacker to transmit faster than the speed of light or hidden locations of the infrastructure nodes) => Direct Distance Measurement by Time-of-Flight (Distance Bounding)

UWB Round Trip Time of Flight

RTT Time of Flight Systems (typically 100m range / 15cm precision)

Not all RTT UWB systems are secure. To prevent attacks, one needs short UWB symbols and support for distance bounding protocols.

http://www.decawave.com/

http://beespoon.com

http://www.3db-access.com
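Added example (not from the original slides): a simplified verifier-side check in the style of round-trip ToF ranging combined with verifiable multilateration. It rests only on the hardness assumption named above, that a prover or relay can delay a reply but cannot make it arrive sooner; the verifier coordinates, processing time, tolerance and all function names are constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s: nothing propagates faster

def distance_bound(rtt_s, processing_s):
    """Upper bound on the prover's distance from one timed challenge-response."""
    tof = rtt_s - processing_s
    if tof < 0:
        raise ValueError("reply arrived sooner than the agreed processing time")
    return C * tof / 2.0

def measured_rtt(true_dist_m, processing_s, extra_delay_s=0.0):
    """Constructed channel model: delay can be added, never removed."""
    if extra_delay_s < 0:
        raise ValueError("negative delay would need faster-than-light signalling")
    return 2.0 * true_dist_m / C + processing_s + extra_delay_s

def inside_triangle(p, a, b, c):
    """True if point p lies inside or on the triangle a-b-c."""
    def cross(o, u, v):
        return (u[0] - o[0]) * (v[1] - o[1]) - (u[1] - o[1]) * (v[0] - o[0])
    signs = [cross(a, b, p), cross(b, c, p), cross(c, a, p)]
    return not (min(signs) < 0 < max(signs))

def verify_position(claimed, verifiers, bounds, tol_m=0.3):
    """Accept only a claim inside the verifier triangle that matches every bound."""
    if not inside_triangle(claimed, *verifiers):
        return False
    return all(abs(math.dist(claimed, v) - b) <= tol_m
               for v, b in zip(verifiers, bounds))

def best_effort_bounds(true_pos, claimed, verifiers, processing_s=1e-6):
    """Bounds the verifiers obtain when a prover at true_pos delays its replies
    to match `claimed` as closely as the delay-only model allows."""
    out = []
    for v in verifiers:
        real, wanted = math.dist(true_pos, v), math.dist(claimed, v)
        extra = max(0.0, 2.0 * (wanted - real) / C)  # distances can only grow
        rtt = measured_rtt(real, processing_s, extra)
        out.append(distance_bound(rtt, processing_s))
    return out

VERIFIERS = [(0.0, 0.0), (100.0, 0.0), (50.0, 90.0)]  # constructed layout, metres

def demo():
    """Honest claim, false claim inside the triangle, false claim outside it."""
    honest = best_effort_bounds((40, 30), (40, 30), VERIFIERS)
    moved = best_effort_bounds((40, 30), (60, 30), VERIFIERS)
    outside = best_effort_bounds((50, 30), (50, -200), VERIFIERS)
    return (verify_position((40, 30), VERIFIERS, honest),
            verify_position((60, 30), VERIFIERS, moved),
            verify_position((50, -200), VERIFIERS, outside))
```

A false claim inside the triangle always needs at least one distance to shrink, which the bound forbids; a claim outside can be made consistent by delay alone, which is why the triangle test is part of the check.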

Secure Positioning Infrastructure: Some Ideas

Secure Positioning Infrastructure

• So far we only discussed components needed to compute/verify locations.

• For this we can use
  • UWB ToF + Verifiable Multilateration
  • TDOA with hidden stations
  • Cellular Infrastructure (?)

• But further need to
  • map locations to labels
  • distribute location information
  • enable remote location verification
  • support privacy protection

[Figure: number of base stations (0 to 450) against area coverage (sq. km, 0 to 14), for ground stations and overhead stations.]

An Illustrative Example

[Diagram: Company, Localization Infrastructure, Location Name Server, Employee application (P), Recipient application (V). Steps: 1. Register location mapping; 2. Secure localization; 3. Send email; 4. Download location data; 5. Verify location.]

Employee proves that she is in 'one of the offices' of the Company.

Secure Positioning Infrastructure

[Diagram: Company, Localization Infrastructure, Location Name Server, Employee application (P), Recipient application (V). Steps: 1. Register location mapping; 2. Secure localization; 3. Send email; 4. Download location data; 5. Verify location.]

• Localization Infrastructure verifies locations and issues location statements at different levels of granularity (coordinates, administrative boundaries)

• Location Name Server maps common labels (e.g., Company Offices, 'My Good Locations') to locations that the Localization Infrastructure supports. (acts as a repository but could also act as a CA for locations)

• Employee attaches location proof to the sent email.

Another Illustrative Example: Enhanced Server Authentication

User only connects to the bank when the bank is in the 'trusted location'. User connects to bank website, obtains the trusted location from the DNSSec record (acts as the Location Name Service). TLS session is only established if the verified location corresponds to the one in the DNS record.

[Diagram: Bank, Secure Positioning Infrastructure, Location Name Service, Banking server (P), Client-side application (V). Steps: 1. Register location mapping; 2. Secure positioning; 3. Download location mapping; 4. Log in; 5. Indicate location label and prove location; 6. Verify location.]

Support for Hierarchical Structures

Infrastructure can also be hierarchical: e.g., Trusted stations controlling a large area verify locations of stations in a smaller area, which then verify the location of a mobile device.

Certification Issues

(Limited) Trust Transitivity Issues

Support for Fully Decentralized Location Verification and Localization

Infrastructure doesn't need to be fixed
• Can be mobile on Trams, Buses, Taxis
• Positioning and Location Verification can be Ad-Hoc, P2P
• Mobile nodes can verify each other's proximity / locations and issue certificates to that effect

Infrastructure nodes do not need to be on-line (might require only regular connections).

[Diagram: nodes X, Y, Z. "I verified that X is 95 m away"]

Things are Already Moving in this Direction

LoCation Service (LCS) Architecture

• An emerging localization infrastructure currently being designed and deployed by major telecom operators and communication hardware manufacturers

• Main Goal: to enable location-based services (e.g., location based advertisements, emergency rescue and support) for mobile clients.

Summary

• We need a new Secure Positioning Infrastructure
• Many research and commercial opportunities
  • Different architectures
  • Physical Layer for Secure Positioning, MAC protocols
  • Scalability
  • Privacy Preserving Protocols
  • New Distributed Components (e.g., Location Name Service)
  • Integration with applications / use cases
  • Legislative

Acknowledgements (in random order):

• Claudio Soriente
• Aanjhan Ranganathan
• Ramya Masti
• Boris Danev
• Nils Tippenhauer
• Kasper Rasmussen
• Christina Popper
• Der-Yeuan Yu
• …

More Information

• http://www.securepositioning.com

• Srdjan Capkun, Why We Should Build A Secure Positioning Infrastructure, Position Paper, June 2015

• www.zisc.ethz.ch