The Vulnerability of GPS Where We Are and Where Do We Go From Here?

1. The Vulnerability of GPSWhere We Are and Where Do We Go From Here? Robert James CSE 914 Spring 2019

2. Presentation Overview • Introduction • Brief History of GPS Development • How GPS Works • GPS Security Issues • GPS Security Tools • Conclusion • Addendum – Time permitting

3. Introduction • Successful travel is dependent on accurate determination of location. The Global Positioning System (GPS) has, since the mid 1990’s, seen wide spread use in providing this functionality. The problem is that GPS signals can be compromised.

4. Introduction II • As GPS is to be incorporated into autonomous vehicles it is imperative that such vehicles be capable of detecting and mitigating attacks attempting to compromise GPS performance and accuracy.

5. Introduction III • Major goal of this project was to determine what aspects of GPS security need scrutiny. The first step taken was to examine the current research pertaining to GPS security. Only by examining the current research can determination be made regarding the direction future research need take.

6. 2.0 An Abridged History of GPS Development

7. 2.1 Key People in GPS Development The accredited inventors of the GPS: (From left to right) Bradford Parkinson, Dr. Ivan Getting, and Roger Easton (from [1]). Dr. Gladys West (far right) was an instrumental member of the development team. All pictures from: https://geoawesomeness.com/who-invented-the-gps/

8. 2.2 GPS Time Table • 1973, a Labor Day weekend meeting led to the design of the Global Positioning System [2]. • 1977, the first receiver test. • 1978, February. First satellite is launched. • 1978-1985, eleven Block I satellites were placed in orbit • 1983, following the shooting down of South Korean flight 007, which had inadvertently trespassed into the Soviet Union’s airspace, GPS was extended to the civilian sector. • 1989, the first of the Block II satellites was put into orbit. Magellan Corporation releases the first handheld GPS receiver. • 1994, the last of the Block II satellites is put into orbit. • 1995, GPS is formally activated and declared fully operational. • 2000, Selective Availability (SA) was deactivated by presidential decree. This allowed for accuracy to go from ~100 meters to ~20 meters (or less). Except when specifically noted information is from: Basic Concept of GPS and Its Applications [1]

9. 2.3 GPS Today From: Basic Concept of GPS and Its Applications[1]

10. 2.4 GPS Areas of Usage • Navigation • Cellphone towers (Verizon), to calibrate the frequency and timing of transmissions. • Power grid, to coordinate time stamps for phasor movements. • Traffic lights. • Air traffic control towers. • Tracking parolee movement, ankle bracelet. • Internet timestamps • Stock transactions

11. 3.0 How GPS Works

12. How GPS Work Figure 1: GPS Signal Structure C/A: Coarse Acquisition From: A Simple Demonstration that the Global Positioning System (GPS) is Vulnerable to Spoofing [3]

13. How GPS Works Figure 2: An Example of GPS signal time delay. From: A Simple Demonstration that the Global Positioning System (GPS) is Vulnerable to Spoofing [3]

14. How GPS Works A 2-D Representation of Finding a Position From: A Simple Demonstration that the Global Positioning System (GPS) is Vulnerable to Spoofing [3]

15. How GPS WorksA Review • Each satellite has a unique identification code (C/A code) that is repeated every millionth of a second. • NAV/System provides system with information about the position of the satellite and precise timing data from the satellite’s (Cesium) clock. • GPS receiver reads C/A code and generates a matching internal C/A code. This technique is used to determine the travel time of the signal (Figure 2). Once that is known the distance between the satellite and receiver can be determined. • Figure 3, look at overlap to determine position and GPS receiver’s clock error From: A Simple Demonstration that the Global Positioning System (GPS) is Vulnerable to Spoofing [3]

16. 4.0 GPS Security Issues

17. The Start of Documented Concern Over GPS Security Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System August 29, 2001 Prepared by John A. Volpe National Transportation Systems Center [4]

18. Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System “[a]s GPS further penetrates into the civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups or countries”. From: Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System [4]

19. Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System A.2 GPS DISRUPTION MECHANISMS GPS is susceptible to disruption by both unintentional and intentional mechanisms. Unintentional mechanisms include ionospheric effects, interference from other RF emitters, and signal blockage. Human error can also disrupt GPS services. Intentional disruption mechanisms include jamming, spoofing and meaconing. From: Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System [4] page 64

20. 4.1 GPS Jamming In 2009 Newark Liberty International Airport was testing a new air traffic control system called Smartpath. It worked so well that the product was purchased. As they continued testing Smartpath airport personnel noticed that occasionally, seemingly at random, it would stop working. The culprit wasn’t the product, rather one Gary Bojczak took exception to having his employer track his movements via the GPS installed in his assigned truck. He installed a GPS jamming device in his truck which, as he drove by the airport, interfered with Smartpath’s GPS receivers. After a three month investigation Mr. Bojczak was caught and fined $32,000 [5]. From: Why GPS is more Vulnerable Than Ever

21. 4.2 GPS Spoofing • Ranganathan et. al., [6] have four categories for spoofing attacks. Category is determined by, 1. the faux signal’s time synchronicity with real signals, and 2. consistency with respect to the navigation messages. • 1. Non-coherent and modified message contents. Easy to do, requires no technical expertise. • 2. Non-coherent but unmodified message contents. By modifying timing an attacker can spoof the receiver to a desired (by the attacker) location. In this category is Meaconing. • 3. Coherent but modified message contents. It has been shown that a variety of commercial GPS receivers are susceptible to this attack [3]. Can physically damage GPS receiver. (Phase two of seamless takeover attack). • 4 Coherent and unmodified message contents. Phase one of the seamless takeover attack. • Seamless lock takeover and Meaconing attacks are considered to be a very strong attacks. Required is considerable technical expertise and access to sophisticated equipment. From: SPREE: A Spoofing Resistant GPS Receiver [6]

22. GPS SpoofingNo Expertise Required Attack RTL-SDR Blog R820T2 RTL2832U 1PPM TCXO SMA Software Defined Radio with 2x Telescopic Antennas Price $29.95 (Amazon) Demo/Instructions on how to use the equipment for GPS spoofing: Courtesy of Crazy Danish Hacker https://www.crazydanishhacker.com/tag/gps/

23. At Least One GPS Spoofing Attack Against Automobiles Has Occurred • https://cyware.com/news/seven-car-manufacturers-hit-by-gps-spoofing-attacks-146701c4

25. 4.2.1 The Seamless Lock Takeover Attack Spoofing Steps: • Fabricate valid PRN code for each satellite • Broadcast weak (faint) signals carrying the same codes of all nearby satellites at once. • Next comes “drag-off” where the attacker(s) slowly override the true signals. They slowly increase the power of the faux signals until the receiver catches onto these signals. Once the receiver latches onto the false signals the attacker is free to do what they set out to do. • Requires expensive equipment and extensive technical know-how and close proximity. Protecting GPS From Spoofers Is Critical to the Future of Navigation [7]

26. Other Instances of GPS Spoofing, Rumored or Verified. • There are rumors of the Russians having “weaponized” GPS spoofing. • https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/ • Iranians may have used GPS spoofing to mislead US sailors and hijack CIA stealth drone. (Meaconing) • In 2013 students from the University of Texas were able to affect a super yacht’s course via GPS spoofing [6]. • Pokemon Go – GPS spoofing was used to lure players to locations where they were robbed. • Australia – iPhone GPS malfunction led vacationers into desert where they had to be rescued. • A demonstration of a successful GPS spoofing attack on a military grade drone was conducted at the White Sands Military Base.

27. 5.0 GPS Security Tools Advanced receivers will perform the Receiver Autonomous Integrity Monitoring (RAIM) algorithm. RAIM checks navigation data and other parameters to see if they comply with the current orbital parameters. Problem is that spoofing may start out with all the correct data and hence is not caught by RAIM. [8] GPS Spoofing Detection using RAIM with INS Coupling

28. SPREE Enter SPREE. According to Ranganathan et. al.[6], SPREE is the first commercial off-the-shelf (COTS), single antenna, GPS receiver capable of detecting and limiting all known GPS spoofing attacks. • SPREE reduces the maximum spoofing distance to one kilometer. • SPREE consists of two key components: • Auxiliary Peak Tracker (APT). The APT can track multiple signals, not just the strongest. Multiple signals originating from the same satellite are examined and if found to be beyond a certain time threshold a spoofing attack is declared. • Navigation Message Inspector (NAVI). Checks time stamp of consecutive messages. Compares navigational data of consecutive messages and from all satellites. • SPREE requires no additional hardware and supports all platform and file sources supported by GNSS-SDR. • SPREE only detects spoofing, it doesn’t determine action to take. • It acknowledges possibility of false alarms, but gives no number. SPREE: A Spoofing Resistant GPS Receiver

29. Antenna Array Processing • Is based on fact that almost all spoofing attacks produce signals that radiate from a single source. So, simplistically speaking, if multiple GPS signals have the same direction of arrival (DOA) a spoofing detection alert can be produced. It has been found more reliable to compare phase delays rather than actual DOAs. • Gives high probability of detection and low probability of a false alarm. • Requires minimum of four satellite signals. If only four satellites, there must not be a low signal-to-noise ratio. • Could be extended to provide a mitigation solution. Allows for detecting source of spoofing signal and rejecting signals from that source. • Requires additional hardware, more expensive. • Currently most robust technique [9]. Detection and Mitigation of GPS Spoofing Based on Antenna Array Processing [9]

30. Ratio Test Metric • Is an extension of the work by Ledvina et. al. [10]. Unfortunately this document is buried in the ION vault. • Authors feel that their results show promise and merit further research. GNSS Spoofing Detection: Theoretical Analysis and Performance of the Ration Test Metric in Open Sky [11]

31. Multistage Anti-Spoof GPS Interference Correlator (MAGIC) • MAGIC is an algorithm designed to cope with jamming and spoofing. • Filters strong jammers and extracts weak GPS signals. • Detect and extract Spoofers. • Shows promise, but authors admit more research is required. Multistage Anti-Spoof GPS Interference Correlator (MAGIC) [12]

32. Onboard Inertial Measurement Unit • Target usage is drones. • Idea is to use an inertial measurement unit (IMU) as an inertial navigational system (INS). • Concept is linear acceleration and angular velocity can be integrated over time to calculate the position of the receiver. Problem is that the integration process introduces errors which accumulate. • Tries to minimize integration. • Results were decent, all spoofing attacks were detected. However, under certain conditions, false alarms can be as high as eight percent. An Efficient UAV Hijacking Detection Method Using Onboard Inertial Measure Unit [13]

33. Conclusions • Advanced receivers use the Receiver Autonomous Integrity Monitoring (RAIM) algorithm. RAIM does not perform well when dealing with flat trajectories. Works well aircraft, not sure it is adequate for surface vehicles. Needs testing to determine its functionality for surface vehicles. • Currently SPREE is the only commercially available spoofing detector. Does not mitigate spoofing. • Several techniques show promise, at least on paper, but are not thoroughly tested. Some of these techniques can mitigate spoofing/jamming. • There is a need for a navigational backup system in event of GPS failure. Recommend INS coupled with visual scanning to locate landmarks that will correlate to current location e.g., mile markers, street signs, overpasses, cell towers, readily identifiable/unique structures. • Other possibilities for backups include eLORAN and cell towers. eLORAN is reputedly cheap, in a relative sense, but the infrastructure needs to be built. Not sure how well it works on land.

34. Addendum • We’ve scrutinized the GPS vulnerability in regards to GPS signals, but what about the hardware side of GPS? • Referring to GPS receivers, not GPS satellites. • Only one paper, Nighswander et. al. [14], covers this aspect and it was published in 2012. • Can affect more than navigation and autonomous vehicles. • Updated Research definitely needed here.

35. Vulnerability of GPS Receivers • GPS receivers often are full OSes. • The higher end receivers may include network services. • GPS signals are treated as correct though they are in fact unauthenticated.

36. Data Layer Attacks • A portion of the Nav/System data pertains to the square root of the semi-major axis of the satellite’s orbit. Set this value to zero (satellite is at the earth’s center) in bogus GPS signal, send signal.

37. Data Layer Attacks • Good News! • All receiver models tested, but one, rejected the bogus signal. • A description of the behavior of the model that didn’t reject the bogus signal. • The Trimble NetRS threw an exception and tried to resolve the error by doing a warm reboot. System restarted, using the cached data the gpssd daemon tries to do what it is supposed to do i.e. process the data, and throws an exception. Infinite reboot cycle. • Only way out is a cold reboot.

38. Data Layer Attacks • Bad News! • The NetRS represents 30% and 20% of the global CORS and NTRIP networks, respectively. • National Continuously Operating Reference Station (CORS) • Networked Transport of RTCM via Internet Protocol (NTRIP) • Radio Technical Commission for Maritime Services (RTCM)

39. Data Layer Attacks • Also possible through GPS signals to alter the GPS date. This should be caught, but in the case of the Arbiter system it is not. To make matters worse the Arbiter’s GPS clock can not be decremented.

40. OS Layer Attacks • NetRS runs Linux and can be networked via an Ethernet port. Numerous security flaws allow for root access.

41. Receiver Susceptibility to Attacks From: GPS Software Attacks [14]

42. Conclusions • Data is old, needs to be reexamined. • Most vulnerabilities appear to be patchable. • Results do show that awareness of the need for GPS receiver security needs to be strengthened.

43. References [1] Z. Hoque, Basic Concept of GPS and Its Applications, IOSR Journal Of Humanities And Social Sciences, vol. 21, Issue 3, March 2016, pp 31-37. [2] D. P. Shepard, J. A. Bhatti, and T. E. Humphries, Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks, Proceedings of the 2012 ION GNSS Conference, September 2012, pp 3591-3605. [3] J. S. Warner and R. G. Johnston, A Simple Demonstration that the Global Positioning System (GPS) is Vulnerable to Spoofing, The Journal of Security Administration, 25, pp 19-28, 2002. [4] J. A. Volpe National Transportation Systems Center, Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System, Final Report, August 2001. [5] J. Uchill, Why GPS Is More Vulnerable Than Ever, Christian Science Monitor, https://www.csmonitor.com/World/Passcode/2016/0510/Why-GPS-is-more-vulnerable-than-ever, Oct. 2016. [6] A. Ranganathan, H. Olafsdottir, and S. Capkun, SPREE: A Spoofing Resistant GPS Receiver, ACM MobiCom, 2016. [7] M. L. Psiaki and T.E. Humphreys, Protecting GPS From Spoofers Is Critical to the Future of Navigation, IEEE Spectrum, 2016. [8] S. Khanafseh, N. Roshan, S. Langel, F-C. Chan, M. Joerger, and Boris Pervan, GPS Spoofing Detection Using RAIM with INS Coupling, Proceedings of the IEEE/ION PLANS Meeting, May 2014, pp 45-57. [9] J. Magiera and R. Katulski, Detection and Mitigation of GPS Spoofing Based on Antenna Array Processing, Journal of Applied Research and Technology, Volume 13, Feb. 2015, pp 45-57.

44. References Cont. [10] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, An In-Line Anti-Spoofing Device For Legacy Civil GPS Receivers, Proceedings of the International Technical Meeting of the Institute of Navigation, 2010. [11] J. Huang, L. Presti, B. Motella and M. Pini, GNSS Spoofing Detection: Theoretical Analysis and Performance of the Ratio Test Metric in Open Sky, ICT Express, Vol. 2, No. 1, Feb. 2016, pp 37-40. [12] W. L. Myrick, M. Picciolo, J. S. Goldstein, and V. Joyner, Multistage Anti-Spoof GPS Interference Correlator (MAGIC), IEEE Military Communications Conference, 2015, pp 1497-1502. [13] Z. Feng, N. Guan, M. Lv, W. Liu, Q. Deng, X. Liu, and W. Yi, An Efficient UAV Hijacking Detection Method Using Onboard Inertial Measurement Unit, Design, Automation & Test in Europe Conference & Exhibition 2017, Vol. 17, No. 6, Dec. 2018. [14] T. Nighswander, B. Ledvina, J. Diamond, R. Brumley, and D. Brumley, GPS Software Attacks, Proceedings of the ACM Conference on Computer and Communications Security, 2012.