Department of Aerospace Engineering & Engineering Mechanics The University of Texas at Austin W. R. Woolrich Laboratories, C0600 210 East 24th Street Austin, Texas 78712-1221
Daniel P. Shepard is pursing a Ph.D. in the Department of Aerospace Engineering and Engineering Mechanics at The University of Texas at Austin, where he also received his B.S. He currently works in the University of Texas at Austin Radionavigation Lab. His research interests are in GNSS security, estimation and filtering, and guidance, navigation, and control.
Abstract: Cross-correlation of unknown encrypted signals between two Global Navigation Satellite System (GNSS) receivers is used for spoofing detection of publicly-known signals. This detection technique is one of the strongest known defenses against sophisticated spoofing attacks if the defended receiver has only one antenna. The attack strategy of concern overlays false GNSS radio-navigation signals on top of the true signals. The false signals increase in power, lift the receiver tracking loops off of the true signals, and drag the loops and the navigation solution to erroneous, but consistent results. This paper uses hypothesis testing theory to develop a codeless cross-correlation detection method for use in inexpensive, narrow-band civilian GNSS receivers. The detection method is instantiated by using the encrypted military GPS P(Y) code on the L1 frequency in order to defend the publicly-known civilian GPS C/A code. Successful detection of spoofing attacks is demonstrated by off-line processing of recorded RF data from narrow-band 2.5 MHz RF front-ends, which attenuate the wide-band P(Y) code by 5.5 dB. The new technique can detect attacks using correlation intervals of 1.2 sec or less.
Notes: to be published; available at http://web.mae.cornell.edu/psiaki/
Abstract: Results from Global Positioning System (GPS) spoofing tests against Phasor Measurement Units (PMUs) are presented, demonstrating that PMUs are vulnerable to spoofing attacks. A GPS spoofer can manipulate PMU time stamps by injecting a counterfeit ensemble of GPS signals into the antenna of the PMU's time reference receiver. A spoofer-induced timing error of only a few tens of microseconds causes a PMU to violate the maximum phase error allowed by the applicable standard. These and larger errors can give automated or human power grid controllers a false perception of the state of the grid, leading to unnecessary, and possibly destabilizing, remedial control actions. To emphasize this threat, it is shown that a particular PMU-based automatic control scheme currently implemented in Mexico, and whose control architecture and setpoints have been published in the open literature, could be induced by a GPS spoofing attack to trip a primary generator.
Abstract: Test results are presented from over-the-air civil GPS spoofing tests from a non-negligible stand-off distance. These tests were performed at White Sands Missile Range (WSMR) against two systems dependent on civil GPS, a civilian unmanned aerial vehicle (UAV) and a GPS time-reference receiver used in âsmart gridâ measurement devices. The tests against the civil UAV demonstrated that the UAV could be hijacked by a GPS spoofer by altering the UAVâs perceived location. The tests against the time-reference receiver demonstrated the spooferâs capability of precisely controlling timing from a distance, which means a spoofer could manipulate measurements used for smart grid control without requiring physical access to the measurement devices. Implications of spoofing attacks against each of these systems are also given. Recommendations are presented for regulations regarding GPS receivers used in critical infrastructure applications. These recommendations include creating a certification process by which receivers are declared spoof-resistant if they are able to detect or mitigate spoofing attacks in a set of canned scenarios. The recommendations also call for a mandate that only spoof-resistant receivers be used in applications classified by the Department of Homeland Security (DHS) as national critical infrastructure.
Abstract: Test results are presented from GPS spoofing tests against Phasor Measurement Units (PMUs) to demonstrate their vulnerability to spoofing attacks. A GPS spoofer can manipulate the timing of a PMU by broadcasting a falsified GPS signal and forcing the time reference receiver that is providing timing for the PMU to track the falsified signal. This spoofer-induced timing offset creates a corresponding change in the phase angle measured by the PMU.
A particular synchrophasor-based automatic control scheme currently implemented in Mexico is described. It is shown that a generator trip could be falsely activated by a GPS spoofing attack in this system, thus highlighting the threat of spoofing a PMU. A description of the events that led to the 2003 northeast blackout is provided as an example of a potential worst case scenario where the legitimate or false tripping of a single generator or transmission line could lead to cascading faults and a large scale blackout.
Abstract: A prototype precise augmented reality (PAR) system that uses carrier phase differential GPS (CDGPS) and an inertial measurement unit (IMU) to obtain sub-centimeter level accurate positioning and degree level accurate attitude is presented. Several current augmented reality systems and applications are discussed and distinguished from a PAR system. The distinction centers around the PAR systemâs highly accurate position estimate, which enables tight registration, or alignment of the virtual renderings and the real world. Results from static and dynamic tests of the PAR system are given. These tests demonstrate the positioning and orientation accuracy obtained by the system and how this accuracy translates to remarkably low registration errors, even at short distances from the virtual objects. A list of areas for improvement necessary to create a fully capable PAR system is presented.
Abstract: A battery of recorded spoofing scenarios has been compiled for evaluating civil Global Positioning System (GPS) signal authentication techniques. The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for commercial GPS receivers. The setup used to record the scenarios is described. A detailed description of each scenario reveals readily detectable anomalies that spoofing detectors could target to improve GPS security.
Abstract: Cross-correlations of unknown encrypted signals between two civilian GNSS receivers are used to detect spoofing of known open-source signals. This type of detection algorithm is the strongest known defense against sophisticated spoofing attacks if the defended receiver has only one antenna. The attack strategy of concern starts by overlaying false GNSS radio-navigation signals exactly on top of the true signals. The false signals increase in power, lift the receiver tracking loops off of the true signals, and then drag the tracking loops and the navigation solution to erroneous, but consistent results. This paper develops codeless and semi-codeless spoofing detection methods for use in inexpensive, narrow-band civilian GNSS receivers. Detailed algorithms and analyses are developed that use the encrypted military P(Y) code on the L1 GPS frequency in order to defend the open-source civilian C/A code. The new detection techniques are similar to methods used in civilian dual-frequency GPS receivers to track the P(Y) code on L2 by cross-correlating it with P(Y) on L1. Successful detection of actual spoofing attacks is demonstrated by off-line processing of digitally recorded RF data. The codeless technique can detect attacks using 1.2 sec of correlation, and the semi-codeless technique requires correlation intervals of 0.2 sec or less. This technique has been demonstrated in a narrow-band receiver with a 2.5 MHz bandwidth RF front-end that attenuates the P(Y) code by 5.5 dB.
Abstract: Test procedures are developed for characterizing the response of civil GPS receivers to spoofing attacks. Two response characteristics are analyzed in detail for four representative GPS receivers: (1) the spoofer power advantage over the authentic signals required for successful receiver capture, and (2) the aggressiveness with which a spoofer can manipulate the victim receiver's time and position solution. Two of the tested receivers are commonly used in critical infrastructure applications, one in smart power grid regulation and one in telecommunications networks. The implications of the test results for these critical infrastructure applications are discussed.
Abstract: A receiver-autonomous non-cryptographic civil GPS anti-spoofing technique called the vestigial signal defense (VSD) is defined and evaluated. This technique monitors distortions in the complex correlation domain to detect spoofing attacks. Multipath and spoofing interference models are developed to illustrate the challenge of distinguishing the two phenomena in the VSD. A campaign to collect spoofing and multipath data is described, which specific candidate VSD techniques can be tested against. Test results indicate that the presence of multipath complicated the setting of an appropriate spoofing detection threshold.
Abstract: Disruption created by intentional generation of fake GPS signals could have serious economic consequences. This article discusses how typical civil GPS receivers respond to an advanced civil GPS spoofing attack, and four techniques to counter such attacks: spread-spectrum security codes, navigation message authentication, dual-receiver correlation of military signals, and vestigial signal defense. Unfortunately, any kind of anti-spoofing, however necessary, is a tough sell.
Abstract: A radio signal sent from a half-mile away deceived the GPS receiver of a UAV into thinking that it was rising straight up. In this way, the UAVâs dependence on civil GPS allowed the spoofer operator to force the UAV vertically downward in dramatic fashion as part of multiple capture demonstrations.
Abstract: Spoofing tests against phasor measurement units demonstrate their vulnerability to attack. A generator trip in an automatic control scheme could be falsely activated by the GPS spoofing, possibly leading to cascading faults and a large-scale power blackout.
Abstract: Test procedures are developed for characterizing the response of civil GPS receivers to spoofing attacks. Two response characteristics are analyzed in detail for four representative GPS receivers: (1) the agressiveness with which a spoofer can manipulate the victim receiverâs time and position solution, and (2) the spoofer power advantage over the authentic signals required for successful receiver capture. Two of the tested receivers are commonly used in critical infrastructure applications, one in âsmartâ power grid regulation and one in telecommunications networks. The implications of the test results for these critical infrastructure applications are discussed.
