Schneier on Security
A blog covering security and security technology.
« Chinese Gang Sells Fake Professional Certifications |
| Rolling Stone Magazine Writes About Computer Security »
August 9, 2012
Detecting Spoofed GPS Signals
This is the latest in the arms race between spoofing GPS signals and detecting spoofed GPS signals.
Unfortunately, the countermeasures all seem to be patent pending.
Posted on August 9, 2012 at 6:32 AM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Sorry to post here, but what happened to the RSS/Atom feeds?
I see the RDF and XML links, but those aren't "found" by many feed-readers. .rss and .atom are important.
Bruce, you read that news item some time back about an autonomous drone that used signals of opportunity to navigate? Such as nearby television broadcasting towers. Used trilateration iirc.
Combining several positioning systems concurrently allows you to easily filter out spoofed ones.
Navy vessels do the same, they verify their MilGPS by periodic visual and radar checks, first they did that by hand, nowadays automated continuous systems are available.
The biggest hurdle is probably acknowledging the risks and the willingness to spend money to address it.
I read an extremely interesting paper a while ago about GPS spoofing, and being able to accurately detect them. The author gives a solution at the end of the paper, which I believe is not patented, to simply use two GPS receivers at a known distance apart. The number of locations the transmitter can be to accurately get a spoofed signal to measure the correct distance between those two independent receivers is significantly reduced.
I thought it was genius and hope others here do the same.
@Chris W: Before GPS, didn't aircraft, ships, and intercontinental missiles have computer-aided celestial navigation?
I thought it was genius and hope others here do the same
I thought of this solution years ago and have mentioned it on this blog a number of times in the past.
@Brian: That sounds exactly like Differential GPS. Not that there's anything wrong with that - using precisely-located LORAN beacons to augment deliberately-inaccurate GPS signals has quite a history.
I'm guessing with a sophisticated enough spoofing system, we're going to see a lot of trouble. Even jamming GPS would make most drones ineffective. This could be the next arms race.
How about signing the GPS signal. If it works for https website, I don't see why gps satellites can't be authenticated.
Sure, there is a question of performance. But I don't think that is a problem for any modern gps. There certainly is a question of key management. But I imagine that those satellites are already under the control of a nation. So, I guess, you would have a "us" gps, a "uk" gps and so on.
Everything else (nonce, key exchange, what to do if a key is compromised), is exactly the same as with any other certificates.
@ Ross Patterson,
That sounds exactly like Differential GPS.
No differential GPS as used to strip the SA was done by having a receiving antenna at an exact known spot then transmitting the difference between the "known position" and the "GPSposition". This can be spoofed just as easily as any single antenna GPS receiver.
The way you make it close spoof proof is by using two antennas a known distance appart. Without going through all the math what you are doing is turning the GPS system upside down in that due to time differences between the antenna you know how far the GPS transmission is away.
It's a bit difficult to put a spoofer up at the same distance as a GPS satellite hence you can work out you are being spoofed irrespective of where you are without having to use any other external refrence that potentialy could be spoofed as well.
+1 for Ross Patterson mentioning LORAN. I suspect that the ground based signal would have been a bit harder to spoof undetected. Just tune your radio to the station and play it by ear. Well maybe not that easy, but as a US ground based system with bulky equipment spoofing it would be risky. Too bad but I think all the transmitters were torn down or mothballed.
Re LORAN: it's a drastically different frequency, but the basic principle is the same as GPS. I don't see any reason why you can't spoof LORAN and GPS simultaneously. One caveat: because of the long wavelength, a powerful LORAN spoofer might be quite bulky -- and by "quite bulky" I mean "tens of meters long".
Re digital authentication of GPS signals: regardless of authentication, you will always be susceptible to a man-in-the-middle replay attack. (i.e., I can record signals from a real GPS satellite and play them to you a short time later, and you won't know the difference.) A replay attack is limited in certain ways (I can't make you think you're *closer* to the GPS satellite than you actually are, because I'd have to send you signals I haven't received yet), but is still potentially lethal. The only way to prevent this (to my knowledge) is with a challenge-response system, but that requires two-way communication between the satellite and each receiver, which is technically impossible.
The replay attacks are actually worse than that.
GPS works by comparing *relative* delays from satellites, so by delaying all the other satellites you can appear to be closer to one particular satellite, even though, in reality all of the signals are being delayed.
Because you usually have no highly accurate clock, then there's usually no way to detect it, provided the delays aren't applied suddenly.
I don't see what's so hard about using alternate navigation. Just stick with inertial navigation/GPS on your drones. Inertial Navigation is near impossible to spoof. Just enter starting coordianates and make sure you have a speedometer, compass and altimeter to help the system constantly update and you'll be just fine. If the Inertial navigation and GPS disagree on position then radio back home for help on a secure channel. If nobody answers self destruct.
Inertial navigation is a bit tougher than that--since winds at altitude are high and unpredictable, you need to use a 6-dimensional set of gyros and accelerometers, and even then you will lose accuracy relatively rapidly over time. That said, a GPS spoof would probably have an abrupt onset, so one could use the inertial system to detect that discontinuity.
Although if you are smart you gradually shift the spoofed GPS position. Generally the INS is periodically checked against GPS and updated to correct for drift, if you make your GPS spoof steps small enough that they aren't out of line with INS drift you can move the drone a few miles so it misses photographing your training camp/bombing your weapons factory
Best of all the operator doesn't even know that the mission failed so doesn't send anything bigger in to deal with you.
"Unfortunately, the countermeasures all seem to be patent pending."
Like with DPA and the Rivest ciphers... (sighs)
@Ian: Ugh, you're right. I'd forgotten that GPS solves for the true current time as one of the unknowns. A clever replay attack can convince your GPS you're *anywhere*.
@NobodySpecial: The drones also have cameras. The video feeds are sent back to the flight crew for verification of location and targets. This would have to be spoofed or jammed as well. I know in the past this video feed was not encrypted, but I would hope it now is, making video spoofing difficult. Jamming is still an option.
Using fake GPS transmissions from about half a kilometer (0.3 miles) away, they hijacked a mini drone, causing it to dip violently because it assumed it was inadvertently climbing when, in reality, it had been hovering at its desired altitude.
The mini drone’s design sucked. It should have used several sensors (GPS, Gyroscopes, Hall effect devices, pressure sensors, speedometers, light and sound transducers, mercury switches, etc.…) – and not depend on just one. More importantly, it should use directional antennas (or phased antenna arrays with beam steering) that look in the sky. An example of @ Clive Robinson’s voting mechanism would help.
An earlier, less sophisticated spoofing detector developed at Cornell is patent pending. Data from this latest demonstration will form the basis of a scientific paper, and a decision to apply for patent protection is forthcoming, according to Psiaki.
Right! We all know the enemy will certainly respect patent protections. How naïve! Disclosing the idea in a patent publication is not what you want to do when protecting military secrets ☺
The British faced a tricky German anti-handling fuse on some German bombs in WWII. Fortunately the maker RheinMetall (conveniently stamped onto the fuse casing) and taken the precaution of patenting the fuse in Britain in the 1930s.
How naïve! Disclosing the idea in a patent publication is not what you want to do when protecting military secrets
But the cynic in me says "It's the right thing to do if you want the DOD & DHS and many other LEO's to hand over very very large sackfulls of the tax payers green folding stuff".
However it might not turn out to be "a licence to print money" like DPA (which a certain idiot has tried to corner with patents) I can show evidence that reliable techniquess were known and talked about back before some of the students involved were born.
As I've said above and before and I'll repeate again "to detect GPS spoofing all you require is a fixed refrence that cannot be spoofed and having two antennas spaced about a body length appart gives such a refrence". So two antennass on your drone is more than sufficient to tell if the transmissioon source is in Low Earth Orbit (LEO) or within a few thousand meters, and more importantly if it is moving correctly with regards to the ephemeris data.
For those who are not sure why an analogy (you can look the actuall way it works up on wiki etc),
Imagine that in the center of the Earth there is a very very accurate clock that modulates a transmitter which radiates uniformly out up to a constalation of satellites in LEO. These satellites retransmit the time modulation in a way that does not interfere with the other satellites so that a reciver somewhere within the LEO orbit can recieve them .
So you can view the satellites as mirrors and the time modulation as discrete pulses of light that are effectivly the surface of a spherical wave front.
At the reciver you see a time delayed train of pulses, one pulse from each visable satellite if you can uniquely identify which pulse comes from which mirror/satellite you can measure the time relationship between each pulse and by knowing where each satellite was (the ephemeris data) when they reflected the pulse you can work out exactly where your pulse detector is by simple (, trilateration) geometry or the old fashioned way with a piece of paper and a (drawing) compass to draw in the circular wave fronts (the receiver is where they all uniquely cross so no pesky angular measurment needed).
Now if you have two light detectors a known distance appart you will realise that each has it's own slightly different pulse pattern and the difference is based on a triangle for each mirror/satellite. This triangle gives you a distance to the mirror/satellite which would be very very difficult to fake and impossible at more than a very very short distance from the light detectors (because you would have to spoof each detector uniquely).
Secondly the satellites are moving in known orbits which are known via the ephemeris data and can also be checked by relativly simple "two body" calculation, if the distance to the satellites and the angles between them do not change appropriatly then you know you are being spoofed.
Better yet, some non US GPS systems have "tri-corner reflectors" on them so you can bounce a laser beam of of them to measure very accuratly the distance and position of the satellite. The next "upgrade" to the US GPS will also be fitted with tri-corner reflectors.
 The original US GPS transmitted two "ranging codes" the public Course Acquisition (C/A) code which repeated every millisecond and the military Precise (P) code which repeates about once a week. The P-code is supposadly sufficient to work anywhere within the solar system (not that you can receive it).
I agree, there outa be a verifiable signature on each signal. Whenever a wireless technology becomes important enough to have security concerns it seems only then the concepts of authentication, encryption and security context comes to the fore. In the rush to get things in the market and our reliance on general purpose devices, leaves us with security defects in important systems. This is another example of that.
There are no proven cases of anyone anywhere ever successfully spoofing the military code, so arms race sounds like an exaggeration.
There are no proven cases of anyone anywhere ever successfully spoofing the military code
Err I think you will find that any successful "replay attack" against the Corse Aquisition (C/A) code will (if the bandwidth is sufficient) also work against the military Precise (P) code.
Likewise the mechanics of any generated spoof code that works with the Corse Acquisition (C/A) code sequence will also work with the military Precise (P) code if the sequence is known.
Finding the P code sequence can be done in a number of ways, if you remember a few years back some students worked out the "unpublished" sequence used for testing of the European GPS system. The difficulty of the method they used is determining the complexity of the sequence. If this is generated by a balanced output crypto algorithm then the problem may be currently beyond the resources likely to be available to researchers.
There are also the basic espionage methods including a military type activity to perform a "pinch". Ultimatly the success or failure of a pinch rests with the security of the tamper proof module the code generator is in.
No one has ever cracked the encryption on the European Galileo system.
That entire article was all fluff. Not a single mention of any of the methodologies. What a pointless exercise in writing.
I doubt replay attacks are going to be effective against any guidance system with an INS.
"I doubt replay attacks are going to be effective against any guidance system with an INS"
INS's are only so so good, the quality of their measurments is based more on the smooth movment of the craft not one that get flung around the skies alot. Further whilst their accuracy over short periods is better than GPS longer term it's a lot worse. And thus they "slip with time and movment".
To reduce this long term "slip" effect the INS gyro has to be more sensitive, and this basically means both bigger and generaly more mass (this applies to those using lasers as well). A drone only has so much payload and big heavy INS systems are not the best solution as a refrence, and an accurate clock would be lighter, less power hungry and more stable with time and movment.
It is already the case that some INS systems use "integrated GPS" readings to "correct" slip so if the spoofing was done slowly enough over a long enough period then the dron could be quite a way off without realising it.
In Afghanistan drones were known to be anything upto 20miles off of their asigned courses quite often and one or two pilots flying conventional plans had a close run in with a way off course drone at night. What has not been made public if the "off course" was technical or human in origin.
The odd. thing is that during the 1980's INS development was a "hot button" research job. But with the advent of smaller and cheaper GPS systems INS research appears to have stagnated except for very fast moving objects where longterm accuracy is not much of a consideration.
The last interesting research I saw on small INS's was oddly using very high accuracy clocks and low frequency large crystal oscilators where the crystals were used as the sensing elements and the read out was the phase change information between them and the master clock.
You may be able to spoof gps with a replay attack and you might be able to spoof an integrated ins/gps, but I doubt you could spoof an ins/gps with a replay attack.
just so we're clear, any inventions considered to be of Nat Sec importance are embargoed, and not published in the normal manner by the UPTO
any inventions considered to be of Nat Sec importance are embargoed...
So you expose more people (USPTO reviewers, even if it's a .gov organization) to the "invention disclosure" of a matter of Nat Sec for what purpose?
OK, makes sense. If an idiot is not aware of the "national security" importance of the idea, and sends it for patent protection, someone in the system pipeline, will stop the idea from being published.
@ B, Wael,
any inventions considered to be of Nat Sec importance are embargoed...
The smart engineer used to get around this quite easily...
You went and got yourself a "swiss patent" first. The Swiss are nicely accomadating in this respect with the attitude of "business is business and war is just another bussiness".
The other problem that got in the way of the Swiss Patent was the "exporting of munitions" the way around this was only marginaly harder and involved "cut out companies" in other jurisdictions (again the Swiss and other countries are quite amenable to this as money is the grease that keeps the wheels of commerce turning).
The only successful "Crypto Company" for many many years moved to Switzerland to avoid even that issue and for many years Zug was the home of Crypto AG.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.