Thoughts on GPS Security and Integrity

Todd Humphreys, UT Austin Aerospace Dept.

DHS Visit to UT Radionavigation Lab | March 10, 2011

GPS: The Big Issues

Weak GPS Signals Like a 30-Watt lightbulb held 4000 km away GPS does not penetrate well indoors GPS is easy target for jamming GPS is vulnerable to natural interference (e.g.,

solar radio bursts and ionospheric scintillation)

Unauthenticated Civil GPS Signals Civil GPS broadcast “in the clear” Makes civil GPS vulnerable to spoofing

Emerging Threat: GPS Jamming

Emerging Threat: Civil GPS Spoofing

Spoofing and Jamming are Different Threats Spoofing is more difficult & costly Spoofing leaves no trace – victim receiver

doesn’t know it’s being spoofed Spoofer typically targets a single receiver Many countermeasures to jamming are

ineffective against spoofing

Assessing the Spoofing Threat Multi-frequency, multi-system receivers

inherently resistant to spoofing Vast majority of GPS receivers in critical

applications are single-frequency L1 C/A (easily spoofable)

Software radio techniques are game-changer, enabling one to “download” a spoofer

Strong financial incentives encourage “complicit spoofing” (spoofing one’s own receiver)

Timing receivers used in communications infrastructure are attractive target

Civil GPS Spoofing Testbed at UT Austin

Vestigial signal defense Data bit latency defense Cryptographic defenses Phase trauma monitoring Dual-frequency tracking

Spoofer

Defender

GPS L1 C/A output Software radio platform Output precisely synchronized with

authentic signals via feedback Finely adjustable output signal

strength Remotely commanded via Internet

Inside the BoxDigital attenuator for precise control of output signal power

Inside the BoxSpoofing signal feedback for precise signal alignment

Inside the BoxInterface board for remote operation

Inside the BoxTracking, data-bit prediction, and synthesis on single DSP

Total bill of materials: ~$1,000

Civil Anti-Spoofing Techniques Inspired by Work to Date Data bit latency defense (weak but easy to implement) Multi-antenna defense (patented in 1996; strong against

single spoofer; fails against multiple spoofers; requires additional hardware)

Vestigial signal defense (work in progress; appears strong)

Navigation message authentication (strong, practical, more on this later)

Cross-correlation using P(Y) code (pioneered by Lo, refined by Psiaki, very strong but not so practical)

Thoughts on the Way Forward for Civil GNSS Authentication

More signals means more inherent security, but probably insufficient Some civil cryptographic authentication scheme is likely required “Signal definition inertia is enormous” – Tom Stansell Navigation message authentication (NMA) appears to be best, practical

option (advocated by Logan Scott in 2003, others since, more on this later)

Goal of cryptographic authentication: force adversary to use directional antennas in a replay attack

Preliminary evaluation of NMA for L2C suggests optimism (more on this later)

Cryptography must be paired with detection theory

Spoofing Detection as a Hypothesis Testing Problem (Soft W-chip Estimation)

Spoofing detection depends on rough estimates of nominal (C/No)s and (C/No)r

See forthcoming paper on this topic: “Detection strategies for civil cryptographic anti-spoofing.”

Navigation and Timing Resilience Through Opportunistic Navigation

Tightly-Coupled Opportunistic Navigation

Enabling configuration: (1) Same clock: Downmix and sample

GPS and SOO with same oscillator(2) Same silicon: Sample GPS and SOO

in same A/D converter

Enabling configuration: (1) Same clock: Downmix and sample

GPS and SOO with same oscillator(2) Same silicon: Sample GPS and SOO

in same A/D converter

TCON for Legacy GPS Receivers: The GPS Assimilator

Assimilator Prototype

More Information

http://radionavlab.ae.utexas.edu

Backup Slides

Synchrophasor-Aided Power Distribution

Usage Example: Protecting a GPS Time and Frequency Receiver

Usage Example: Reducing Ionospheric Errors

Usage Example: Harnessing CDMA Cellular Signals as Aid for Weak GPS Signal Tracking

User

LEOcrosslinks

Aiding signal from LEO high-powerspot beams over area of operations

400-km switchable beams

GPS Signals

Strong signals Stable clocks Navigational backup to GPS Civilian Anti-spoofing

Usage Example: Iridium-Augmented GPS