A Flexible Replay Delay Control Method for GNSS Direct Meaconing Signal

Shang, Shunshun; Li, Hong; Wei, Yimin; Lu, Mingquan

doi:10.33012/2020.17192

Cited by 4 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since the message content is authenticated, we design our attack strategy to manipulate the reception time estimation method used for the pseudorange estimation. Suppose an adversary records and replays the GNSS signals as shown in prior work [43], i.e., delays all the satellite signals by the same amount. In that case, the victim receiver's spoofed location is limited to where the adversary recorded the signal.…”

Section: Attack Overviewmentioning

confidence: 99%

“…Their proposed attack is focused on misleading the secure ranging and distance-bounding. Works like [23,43] discuss various approaches to execute replay attacks against cryptographically secured GNSS signal. [37] studied the GNSS vulnerability to replay attacks.…”

Section: Related Workmentioning

confidence: 99%

“…In [43] the authors propose a delay control method that is capable of delaying signals by an integer multiple of the sampling period as well as a fractional multiple of the sampling period. Their worked was more focused on how to add the delays to the individual signals.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Motallebighomi¹,

Sathaye²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

Civilian-GNSS is vulnerable to signal spoofing attacks, and countermeasures based on cryptographic authentication are being proposed to protect against these attacks. Both Galileo and GPS are currently testing broadcast authentication techniques based on the delayed key disclosure to validate the integrity of navigation messages. These authentication mechanisms have proven secure against record now and replay later attacks, as navigation messages become invalid after keys are released. This work analyzes the security guarantees of cryptographically protected GNSS signals and shows the possibility of spoofing a receiver to an arbitrary location without breaking any cryptographic operation. In contrast to prior work, we demonstrate the ability of an attacker to receive signals close to the victim receiver and generate spoofing signals for a different target location without modifying the navigation message contents. Our strategy exploits the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby rendering any cryptographic authentication useless. We evaluate our attack on a commercial receiver (ublox M9N) and a software-defined GNSS receiver (GNSS-SDR) using a combination of open-source tools, commercial GNSS signal generators, and software-defined radio hardware platforms. Our results show that it is possible to spoof a victim receiver to locations around 4000 km away from the true location without requiring any high-speed communication networks or modifying the message contents. Through this work, we further highlight the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected.

show abstract

Section: Attack Overviewmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Motallebighomi¹,

Sathaye²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Traditionally, this type of interference is attributed either to interference leading to the suppression of navigation satellite signals (jamming) and, as a consequence, the inability to calculate navigation parameters, or to interference, represented by signals emitted by pseudolites that replace the signals of the GNSS space segment. The second type of interference is called spoofing; since the navigation receiver continues to calculate navigation parameters and the exact time, these values can be controlled by pseudolites when generating signals [2][3][4][5][6][7]. Thus, the task of spoofing detection is crucial.…”

Section: Introductionmentioning

confidence: 99%

Global Navigation Satellite System Spoofing Detection in Inertial Satellite Navigation Systems

Zharkov,

Veremeenko,

Kuznetsov

et al. 2023

Inventions

View full text Add to dashboard Cite

The susceptibility of global navigation satellite systems (GNSSs) to interference significantly limits the possibility of their use. From the standpoint of possible consequences, the most dangerous interference is the so-called spoofing. Simultaneously, in most cases of GNSS use, an inertial navigation system (INS) or an attitude and heading reference system (AHRS) is also present on the board of mobile objects. In this regard, the research goal is to assess the possibility of detecting GNSS spoofing in inertial satellite navigation systems. This paper examines the method for detecting GNSS spoofing by combining a pair of commercially available GNSS receivers and antennas with an INS or AHRS. The method is based on a comparison of the double differences of GNSS carrier phase measurements performed by receivers under conditions of resolved integer ambiguity and the values of the range double differences predicted using an INS. GNSS carrier phase integer ambiguity can be resolved using a strapdown inertial navigation system (SINS) or AHRS data. The mathematical model of GNSS phase difference measurements and the SINS-predicted satellite range differences model are given. The proposed algorithm calculates the moving average of the residuals between the SINS-predicted satellite range double differences and the measured GNSS carrier phase double differences. The primary criterion for spoofing detection is the specified threshold excess of the moving average of the double difference residuals. Experimental studies are performed using simulation and hardware-in-the-loop simulation. The experimental results allow us to evaluate the efficiency of the proposed approach and estimate the potential characteristics of the spoofing detection algorithm based on it.

show abstract

“…Furthermore, those services employing NMA [4,5] such as GALILEO Open Service (OS-NMA) and Commercial Service Authentication (CAS) are essentially not providing protection from the meaconing type of receive and replay attack [1][2][3], and have limited protection from certain types of spoofing attacks (e.g., the spoofer's ability to broadcast valid navigation messages) [6]. Both direct meaconing (utilizing beforehand processing of the authentic signal, extraction of its parameters, followed by its modified replay delay) and indirect meaconing attack (utilizing reception of authentic signals from different satellites by an antenna array, followed by their replay with different relative delays) is claimed to be particularly effective even against signal-level protection [7]. Therefore, Safety-of-Life (SoL) and the critical infrastructure's GNSS users being aware of both meaconing (non-manipulated delayed GNSS information) and spoofing (intentionally manipulated GNSS information) is of utmost importance.…”

Section: Introductionmentioning

confidence: 99%

Use of Supervised Machine Learning for GNSS Signal Spoofing Detection with Validation on Real-World Meaconing and Spoofing Data—Part II

Semanjski

Šemanjski

Wilde

et al. 2020

Sensors

View full text Add to dashboard Cite

Global Navigation Satellite System (GNSS) meaconing and spoofing are being considered as the key threats to the Safety-of-Life (SoL) applications that mostly rely upon the use of open service (OS) signals without signal or data-level protection. While a number of pre and post correlation techniques have been proposed so far, possible utilization of the supervised machine learning algorithms to detect GNSS meaconing and spoofing is currently being examined. One of the supervised machine learning algorithms, the Support Vector Machine classification (C-SVM), is proposed for utilization at the GNSS receiver level due to fact that at that stage of signal processing, a number of measurements and observables exists. It is possible to establish the correlation pattern among those GNSS measurements and observables and monitor it with use of the C-SVM classification, the results of which we present in this paper. By adding the real-world spoofing and meaconing datasets to the laboratory-generated spoofing datasets at the training stage of the C-SVM, we complement the experiments and results obtained in Part I of this paper, where the training was conducted solely with the use of laboratory-generated spoofing datasets. In two experiments presented in this paper, the C-SVM algorithm was cross-fed with the real-world meaconing and spoofing datasets, such that the meaconing addition to the training was validated by the spoofing dataset, and vice versa. The comparative analysis of all four experiments presented in this paper shows promising results in two aspects: (i) the added value of the training dataset enrichment seems to be relevant for real-world GNSS signal manipulation attempt detection and (ii) the C-SVM-based approach seems to be promising for GNSS signal manipulation attempt detection, as well as in the context of potential federated learning applications.

show abstract

A Flexible Replay Delay Control Method for GNSS Direct Meaconing Signal

Cited by 4 publications

References 0 publications

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Global Navigation Satellite System Spoofing Detection in Inertial Satellite Navigation Systems

Use of Supervised Machine Learning for GNSS Signal Spoofing Detection with Validation on Real-World Meaconing and Spoofing Data—Part II

Contact Info

Product

Resources

About