[Infowarrior] - GPS Spoofing Countermeasures

Richard Forno rforno at infowarrior.org
Fri Dec 16 06:57:27 CST 2011


GPS Spoofing Countermeasures
Jon S. Warner
Roger G. Johnston

December 2003

http://www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html

This article was originally published as Los Alamos research paper LAUR-03-6163. The views expressed in this paper are those of the authors and should not necessarily be ascribed to Los Alamos National Laboratory or the U.S. Department of Energy. Anthony Garcia, Adam Pacheco, Ron Martinez, Leon Lopez, and Sonia Trujillo contributed to this work.

Jon S. Warner, Ph.D., and Roger G. Johnston, Ph.D., CPP, are members of the Vulnerability Assessment Team at Los Alamos National Laboratory.

Civilian Global Positioning System (GPS) receivers are vulnerable to attacks such as blocking, jamming, and spoofing. The goal of such attacks is either to prevent a position lock (blocking and jamming) or to feed the receiver false information so that it computes an erroneous time or location (spoofing). GPS receivers are generally aware of when blocking or jamming is occurring because they have a loss of signal. Spoofing, however, is a surreptitious attack. Currently, no countermeasures are in use for detecting spoofing attacks. We believe, however, that it is possible to implement simple, low-cost countermeasures that can be retrofitted onto existing GPS receivers. This would, at the very least, greatly complicate spoofing attacks.

Introduction

The civilian Global Positioning System (GPS) is widely used by both government and private industry for important applications, including public safety services such as police, fire, rescue, and ambulance. The cargo industry, buses, taxis, railcars, delivery vehicles, agricultural harvesters, private automobiles, spacecraft, and marine and airborne traffic also use GPS for navigation. In fact, the Federal Aviation Administration (FAA) is drafting an instruction requiring that all radio navigation systems aboard aircraft use GPS.[1] Additional uses include hiking and surveying, as well as robotics, cell phones, animal tracking, and even wristwatches. Utility companies and telecommunication companies use GPS timing signals to regulate the base frequency of their distribution grids. GPS timing signals are also used by domestic and international finance, broadcasting, mobile telecommunications, banking (for money transfers and time locks), and other distributed computer network applications.[2, 3] In short, anyone who wants to know exact location, velocity, or time might find GPS useful.

Unfortunately, the civilian GPS signals are not secure.[4] Only the military GPS signals are encrypted (authenticated), but these are generally unavailable to civilians, foreign governments, and most of the U.S. government, including most of the Department of Defense. Plans are under way to upgrade the existing GPS system, but they apparently do not include adding encryption or authentication to the civilian GPS signal.[5, 6]

The GPS signal strength measured at the surface of the Earth is about –160 dBw (1 x 10^-16 watts), which is roughly equivalent to viewing a 25-watt light bulb from a distance of 10,000 miles. This weak signal can easily be blocked by destroying or shielding the GPS receiver’s antenna. The GPS signal can also be effectively jammed by a signal of a similar frequency but greater strength. Blocking and jamming, however, are not the greatest security risk, because the GPS receiver will be fully aware that it is not receiving the GPS signals needed to determine position and time. A more pernicious attack involves feeding the GPS receiver fake GPS signals so that it believes it is located somewhere in space and time that it is not. This “spoofing” attack is more elegant than jamming because it is surreptitious.

The Vulnerability Assessment Team at Los Alamos National Laboratory has demonstrated the ease with which civilian GPS spoofing attacks can be implemented.[7] This spoofing is most easily accomplished by using a GPS satellite simulator. Such simulators are uncontrolled and widely available. To conduct the spoofing attack, an adversary broadcasts a fake GPS signal with a higher signal strength than the true signal. The GPS receiver believes that the fake signal is actually the true GPS signal from space and ignores the true signal. The receiver then proceeds to calculate erroneous position or time information based on this false signal.

How Does GPS Work?

GPS is operated by the Department of Defense. It consists of a constellation of 27 satellites (24 active and 3 standby) in 6 separate orbits. It reached full official operational capability status on 17 July 1995.[8] GPS users can obtain a 3-D position, velocity, and time fix in all types of weather, 24 hours a day. GPS users can locate their position to within ± 18 ft on average or ± 60 to 90 ft in a worst case.[9]

Each GPS satellite broadcasts two signals: a civilian unencrypted signal and a military encrypted signal. The civilian GPS signal was never intended for critical or security applications, though that is, unfortunately, how it is now often used. The Department of Defense reserves the military encrypted GPS signal for sensitive applications such as smart weapons.

Here we are focusing on the civilian (unencrypted) GPS signal. Any discussion of civilian GPS vulnerabilities is fully unclassified.[10] The carrier wave for the civilian signal is the same frequency (1575.2 MHz) for all the GPS satellites. The C/A code provides the GPS receiver on the Earth’s surface with a unique identification number (also known as PRN or pseudo random noise code). In this manner, each satellite transmits a unique identification number that allows the GPS receiver to know which satellites it is receiving signals from. The Nav/System data provides the GPS receiver with information about the position of all the satellites in the constellation as well as precise timing data from the atomic clocks aboard the satellites.


Figure 1: GPS signal structure.

The receiver continuously listens for the GPS signals from space and locks onto the signals from several GPS satellites simultaneously. The actual number of satellites the receiver locks onto is determined by the number of satellites in view of the receiver and the maximum number of satellites the receiver hardware is designed to accommodate. Because of the C/A code identification, the GPS receiver knows exactly which satellites it is receiving data from at any given time.

Once the identification codes for each of the received satellite signals are recognized, the GPS receiver generates an internal copy of the satellites’ identification codes. Each satellite transmits its identification codes in 1-millisecond intervals. The receiver compares its internally generated code against the repeating C/A code from space and looks for any lag from the expected 1-millisecond interval. Any deviation is assumed to be the travel time of the GPS signal from space. Once the travel time (ΔT) is determined, the receiver then calculates the distance from itself to each satellite using the following formula: Distance = ΔT x Speed of Light.

Figure 2: Example of GPS signal time delay.

One problem with this method is that the clocks on the receiver are not as accurate as the atomic clocks on board the satellites.

Because the receiver obtains signals from several GPS satellites simultaneously, the distances to several satellites are known at any given time. Figure 3 gives a conceptual overview given the distance of three GPS satellites (denoted by the stars). Note that in Figure 3 the ranges to the satellite, as measured by the GPS receiver, do not overlap at a single point. The measured and true ranges differ due to the clock errors in the receiver. The result is a distance error seen by the receiver; the error is represented by the dotted line in Figure 3.


Figure 3: 2-D representation of finding a position.

At this point, the receiver knows it is somewhere in the area of overlap shown by the dotted lines (Figure 3). The receiver then interpolates this overlap area to find the center. The result of this interpolation gives two important pieces of information: the position of the receiver and the clock error of the receiver. In addition to the time correction from the Nav/Sys data information from the satellites, the GPS receiver in essence uses the correct position information to determine its own clock error.

The more satellites involved, the smaller the area of overlap and the better the position fix will be. In theory, three satellites are all that are needed for a position fix. However, in practice, four or more satellites are needed to acquire an accurate latitude, longitude, and altitude fix.

Only one satellite is required for a time fix. The position is initially found in an X,Y,Z Earth-centered, Earth-fixed co-ordinate frame and then converted to latitude, longitude, and altitude.

Countermeasures

Several of the countermeasures we propose are based on signal strength, which must (at least initially) be higher for the fake signal than the true signal from space. Some of the other countermeasures involve recognizing the characteristics of the satellite simulator itself.

Many (if not all) GPS receivers display the signal strength and satellite number for each of the satellites they are receiving data from. We are unaware of any receivers that store this data and compare the information from one moment to the next.

One or more of the following countermeasures should allow suspicious GPS signal activity to be detected:

	1. Monitor the absolute GPS signal strength: This countermeasure involves monitoring and recording the average signal strength. We would compare the observed signal strength to the expected signal strength of about –163 dBw (5 x 10^-17 watts). If the absolute value of the observed signal exceeds some preset threshold, the GPS receiver would alert the user. This countermeasure is based on the idea that relatively unsophisticated GPS spoofing attacks will tend to use GPS satellite simulators. Such simulators will typically provide signal strengths many orders of magnitude larger than any possible satellite signal at the Earth’s surface. This is an unambiguous indication of a spoofing attack.
	2. Monitor the relative GPS signal strength: The receiver software could be modified so that the average signal strength could be recorded and compared from one moment to the next. An extremely large change in relative signal strength would be characteristic of an adversary starting to generate a counterfeit GPS signal to override the true satellite GPS signals.[11] If the signal increases beyond some preset threshold, an alarm would sound and the end user could be alerted.
	3. Monitor the strength of each received satellite signal: This countermeasure is an extension of the above two techniques. Here, the relative and absolute signal strengths are tested individually for each of the incoming satellite signals. Signals from a GPS satellite simulator will tend to make the signal coming from each artificial satellite of equal strength. Real satellite signals, however, vary from satellite to satellite and change over time. The idea here is that if the signal characteristics are too perfect, there is probably something wrong and the user should be alerted. Like the previous two countermeasures, this countermeasure could be implemented by modifying the existing software code of the GPS receiver.
	4. Monitor satellite identification codes and the number of satellite signals received: GPS satellite simulators transmit signals from multiple satellites (typically 10)—more than the number of real satellites often detected by a GPS receiver in the field at a given time. Many commercial GPS receivers display satellite identification information but do not record this data or compare it to previously recorded data. Keeping track of both the number of satellite signals received and the satellite identification codes over time may prove helpful in determining whether foul play is occurring. This is especially true of an unsophisticated spoofing attack where the adversary does not attempt to mimic the true satellite constellation at a given time.
	5. Check the time intervals: With most GPS satellite simulators, the time between the artificial signal from each satellite and the next is a constant. This is not the case with real satellites. In other words, the receiver may pick up the true signal from one satellite and then a few moments later pick up a signal from another satellite, etc. With the satellite simulator, the receiver would pick up signals from all of the “satellites” simultaneously. This is an exploitable feature of the satellite simulator that could be used to tell whether the signals were coming from the true source or a false simulator-based source.
	6. Do a time comparison: Many current GPS receivers do not have an accurate clock. By using timing data from an accurate, continuously running clock to compare with the time derived from the GPS signal, we can check on the veracity of the received GPS signals. If the time deviates beyond some threshold, the user can be alerted to the possibility of a spoofing attack. As the Vulnerability Assessment Team has demonstrated, very accurate clocks can be small and inexpensive and operate on very low power.
	7. Perform a sanity check: A small, solid-state accelerometer and compass can be used to independently monitor the physical trajectory (heading, velocity, etc.) of the receiver mounted, for example, on a moving truck. The information provided by this approach can be used to double-check the current position fix reported by the GPS receiver based on a previously reported position. In a sophisticated spoofing attack, the adversary would send a false signal reporting the moving target’s true position and then gradually walk the target to a false position. This is how an attack on a cargo truck might occur. The accelerometer would serve as a relative (not absolute) backup positioning system, which could be used to compare to the position reported by the GPS receiver. A discrepancy between the accelerometer and the receiver would raise a red flag and alert the user.

All seven strategies can be implemented by retrofitting existing GPS receivers; it is not necessary to redesign them. Strategies 1 to 5 can be implemented primarily through software alone. Strategy 6 could be implemented through software, or else a more accurate clock could be fitted onto the existing GPS receiver. Strategy 7 would require both hardware and software implementation to work properly. We believe that a proof of principle for countermeasures 1 to 7 could be demonstrated fairly quickly.
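
The first four countermeasures in the list above (absolute strength, relative strength, per-satellite strength, and satellite identification and count) reduce to comparisons between successive receiver readings. The Python below is an added example, not code from the paper or from any receiver; the per-epoch {satellite_id: strength} format, every threshold other than the –163 dBw expected level, and the alert names are assumptions.

```python
from statistics import mean, pstdev

# Thresholds are hypothetical; only EXPECTED_DBW comes from the paper's text.
EXPECTED_DBW = -163.0   # expected signal strength (dBw)
ABS_MARGIN_DB = 10.0    # absolute check: allowed excess over expected
JUMP_DB = 6.0           # relative check: allowed rise between epochs
MIN_SPREAD_DB = 0.5     # per-satellite check: real signals differ
MAX_SATS = 9            # constellation check: ceiling on satellites in view
MAX_NEW_IDS = 3         # constellation check: IDs allowed to appear at once


def check_epoch(prev, cur):
    """Compare one epoch {satellite_id: strength_dBw} with the previous one."""
    alerts = []
    vals = list(cur.values())
    avg = mean(vals)
    if avg > EXPECTED_DBW + ABS_MARGIN_DB:
        alerts.append("absolute")
    if prev and avg - mean(prev.values()) > JUMP_DB:
        alerts.append("relative")
    if len(vals) >= 4 and pstdev(vals) < MIN_SPREAD_DB:
        alerts.append("uniform")        # signals "too perfect"
    new_ids = set(cur) - set(prev) if prev else set()
    if len(cur) > MAX_SATS or len(new_ids) > MAX_NEW_IDS:
        alerts.append("constellation")
    return alerts


def scan(epochs):
    """Run check_epoch over successive epochs; return {epoch_index: alerts}."""
    findings, prev = {}, None
    for i, cur in enumerate(epochs):
        if not cur:  # loss of signal (blocking or jamming), nothing to compare
            findings[i] = ["no-signal"]
            continue
        alerts = check_epoch(prev, cur)
        if alerts:
            findings[i] = alerts
        prev = cur
    return findings


# Constructed sample data: two plausible epochs, then a simulator-like epoch
# with ten equally strong signals far above the expected level.
SAMPLE = [
    {2: -161.5, 5: -163.8, 12: -165.2, 25: -162.4, 29: -166.0},
    {2: -161.9, 5: -163.1, 12: -164.7, 25: -162.9, 29: -165.4},
    {prn: -120.0 for prn in range(1, 11)},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

In a retrofit, each epoch would be filled from the signal strength and satellite number the receiver already displays, and the thresholds tuned against recordings from the actual antenna and site.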

Conclusion

Although the countermeasures proposed in this paper will not stop spoofing attacks, they will alert the user of the GPS receiver to suspicious activity. This will decrease the odds that a spoofing attack can succeed and will require adversaries to deploy more sophisticated methods than the simple attack we have previously demonstrated.[12] We believe that the potential countermeasures we propose could be implemented easily and inexpensively by retrofitting existing GPS receivers.

Author Contact Information

Jon S. Warner, Ph.D.
Los Alamos National Laboratory, Los Alamos, NM 87545
(505) 665-9987

jwarner at LANL.gov

References


1. John A. Volpe National Transportation Systems Center, Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System, Final Report, Department of Transportation, 29 August 2001.

2. S. J. Harding, Study Into the Impact on Capability of UK Commercial and Domestic Services Resulting From the Loss of GPS Signals, Qinetiq, 2001.

3. LeeAnne Brutt, “NS/EP Implication of GPS Timing,” Office of the Manager, National Communications System, Technical Notes, Technology and Standards Division, Volume 6, Number 2, Aug. 1999.

4. Vulnerability Assessment of the Transportation Infrastructure.

5. Committee on the Future of the Global Positioning System, Commission on Engineering and Technical Systems, National Research Council Aeronautics and Space Engineering Board, The Global Positioning System: A Shared National Asset (Washington, DC: National Academy Press, 1995).

6. “Air Force NAVSTAR Global Positioning System Fact Sheet,” Florida Today Space Online (3 Oct. 1999).

7. J. Warner and R. Johnston, “A Simple Demonstration That the Global Positioning System (GPS) Is Vulnerable to Spoofing,” Journal of Security Administration, in press (2003).

8. U.S. Coast Guard, “GPS Frequently Asked Questions,” 8 Nov. 2002.

9. U.S. Air Force, GPS Support Center (2003).

10. Headquarters Air Force Space Command, NAVSTAR Global Positioning System Operations Protect Guide, Peterson Air Force Base.

11. J. Warner and R. Johnston.

12. Ibid.


---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.


