Thoughts on GPS Security and Integrity
Todd Humphreys, UT Austin Aerospace Dept.
DHS Visit to UT Radionavigation Lab | March 10, 2011
GPS: The Big Issues
Weak GPS Signals
Like a 30-Watt lightbulb held 4000 km away
GPS does not penetrate well indoors
GPS is an easy target for jamming
GPS is vulnerable to natural interference (e.g., solar radio bursts and ionospheric scintillation)
Unauthenticated Civil GPS Signals
Civil GPS broadcast “in the clear”
Makes civil GPS vulnerable to spoofing
Emerging Threat: GPS Jamming
Emerging Threat: Civil GPS Spoofing
Spoofing and Jamming are Different Threats
Spoofing is more difficult & costly
Spoofing leaves no trace – victim receiver doesn’t know it’s being spoofed
Spoofer typically targets a single receiver
Many countermeasures to jamming are ineffective against spoofing
Assessing the Spoofing Threat
Multi-frequency, multi-system receivers are inherently resistant to spoofing
Vast majority of GPS receivers in critical applications are single-frequency L1 C/A (easily spoofable)
Software radio techniques are a game-changer, enabling one to “download” a spoofer
Strong financial incentives encourage “complicit spoofing” (spoofing one’s own receiver)
Timing receivers used in communications infrastructure are an attractive target
Civil GPS Spoofing Testbed at UT Austin
Spoofer
GPS L1 C/A output
Software radio platform
Output precisely synchronized with authentic signals via feedback
Finely adjustable output signal strength
Remotely commanded via Internet
Defender
Vestigial signal defense
Data bit latency defense
Cryptographic defenses
Phase trauma monitoring
Dual-frequency tracking
Inside the Box
Digital attenuator for precise control of output signal power
Inside the Box
Spoofing signal feedback for precise signal alignment
Inside the Box
Interface board for remote operation
Inside the Box
Tracking, data-bit prediction, and synthesis on single DSP
Total bill of materials: ~$1,000
Civil Anti-Spoofing Techniques Inspired by Work to Date
Data bit latency defense (weak but easy to implement)
Multi-antenna defense (patented in 1996; strong against single spoofer; fails against multiple spoofers; requires additional hardware)
Vestigial signal defense (work in progress; appears strong)
Navigation message authentication (strong, practical, more on this later)
Cross-correlation using P(Y) code (pioneered by Lo, refined by Psiaki, very strong but not so practical)
Thoughts on the Way Forward for Civil GNSS Authentication
More signals means more inherent security, but probably insufficient
Some civil cryptographic authentication scheme is likely required
“Signal definition inertia is enormous” – Tom Stansell
Navigation message authentication (NMA) appears to be best, practical option (advocated by Logan Scott in 2003, others since, more on this later)
Goal of cryptographic authentication: force adversary to use directional antennas in a replay attack
Preliminary evaluation of NMA for L2C suggests optimism (more on this later)
Cryptography must be paired with detection theory
Spoofing Detection as a Hypothesis Testing Problem (Soft W-chip Estimation)
Spoofing detection depends on rough estimates of nominal (C/No)s and (C/No)r
See forthcoming paper on this topic: “Detection strategies for civil cryptographic anti-spoofing.”
Navigation and Timing Resilience Through Opportunistic Navigation
Tightly-Coupled Opportunistic Navigation
Enabling configuration:
(1) Same clock: Downmix and sample GPS and SOO with same oscillator
(2) Same silicon: Sample GPS and SOO in same A/D converter
TCON for Legacy GPS Receivers: The GPS Assimilator
Assimilator Prototype
More Information
http://radionavlab.ae.utexas.edu
Backup Slides
Synchrophasor-Aided Power Distribution
Usage Example: Protecting a GPS Time and Frequency Receiver
Usage Example: Reducing Ionospheric Errors
Usage Example: Harnessing CDMA Cellular Signals as Aid for Weak GPS Signal Tracking
Usage Example: Iridium-Augmented GPS
Strong signals
Stable clocks
Navigational backup to GPS
Civilian Anti-spoofing
[Figure labels: GPS signals; aiding signal from LEO high-power spot beams over area of operations; LEO crosslinks; user; 400-km switchable beams]