Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Motallebighomi, Maryam; Sathaye, Harshad; Singh, Mridula; Ranganathan, Aanjhan

doi:10.48550/arxiv.2204.11641

Cited by 4 publications

(8 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While we use the term ‘authenticated positioning’, it should be noted that OSNMA at the moment can only authenticate the navigation data, and the PVT is still computed using unauthenticated ranging data. This caveat is also explained in the OSNMA receiver guidelines [ 2 ], and there have already been works where the unauthenticated ranging data are exploited to spoof receivers despite authentic navigation data [ 8 ]. While the positions we compute in this section cannot be considered fully authenticated, they are resilient against spoofing based on altering the navigation message.…”

Section: Results and Analysismentioning

confidence: 99%

“…Despite OSNMA being a relatively new and modern technology still in its test phase, there is already relevant literature related to it encompassing both theoretical work [ 4 , 5 , 6 , 7 , 8 , 9 ] and practical performance assessments [ 10 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 ]. In addition to this, there are a few open-source implementations of the OSNMA protocol [ 22 , 23 , 24 , 25 ], and some companies already support it in some of their products, such as Septentrio [ 26 ].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Experimental Performance Assessment of Galileo OSNMA

Hammarberg,

García,

Alanko

et al. 2024

Sensors

View full text Add to dashboard Cite

We present Galileo Open Service Navigation Message Authentication (OSNMA) observed operational information and key performance indicators (KPIs) from the analysis of a ten-day-long dataset collected in static open-sky conditions in southern Finland and using our in-house-developed OSNMA implementation. In particular, we present a timeline with authentication-related events, such as authentication status and type, dropped navigation pages, and failed cyclic redundancy checks. We also report other KPIs, such as the number of simultaneously authenticated satellites over time, time to first authenticated fix, and percentage of authenticated fixes, and we evaluate the accuracy of the authenticated position solution. We also study how satellite visibility affects these figures. Finally, we analyze situations where it was not possible to reach an authenticated fix, and offer our findings on the observed patterns.

show abstract

Section: Results and Analysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

An Experimental Performance Assessment of Galileo OSNMA

Hammarberg,

García,

Alanko

et al. 2024

Sensors

View full text Add to dashboard Cite

show abstract

“…Meaconing can also be effective against encrypted signals, as the signal content remains unaltered [8]. Advanced forms of meaconing allow spoofing of arbitrary positions by individually delaying each signal [4]. However, a lock on all counterfeit signals is not guaranteed and depends on factors such as the target's speed [28].…”

Section: Attack Model and Scenariosmentioning

confidence: 99%

“…Despite significant efforts by all GNSS operating stakeholders to upgrade security or deploy new, more secure generations of systems, civil GNSSs currently do not have sufficient security measures as practically demonstrated in the case of GPS [3]. However, cryptographically authenticated GNSS signals have also recently been shown to remain vulnerable to spoofing attacks [4].…”

Section: Introductionmentioning

confidence: 99%

Detecting Maritime GPS Spoofing Attacks Based on NMEA Sentence Integrity Monitoring

Spravil

Hemminghaus

Rechenberg

et al. 2023

JMSE

View full text Add to dashboard Cite

Today’s maritime transportation relies on global navigation satellite systems (GNSSs) for accurate navigation. The high-precision GNSS receivers on board modern vessels are often considered trustworthy. However, due to technological advances and malicious activities, this assumption is no longer always true. Numerous incidents of tampered GNSS signals have been reported. Furthermore, researchers have demonstrated that manipulations can be carried out even with inexpensive hardware and little expert knowledge, lowering the barrier for malicious attacks with far-reaching consequences. Hence, exclusive trust in GNSS is misplaced, and methods for reliable detection are urgently needed. However, many of the proposed solutions require expensive replacement of existing hardware. In this paper, therefore, we present MAritime Nmea-based Anomaly detection (MANA), a novel low-cost framework for GPS spoofing detection. MANA monitors NMEA-0183 data and advantageously combines several software-based methods. Using simulations supported by real-world experiments that generate an extensive dataset, we investigate our approach and finally evaluate its effectiveness.

show abstract

“…Finally, some attacks can be carried out without violating any cryptographic properties of the system. The authors of [12] show that precisely timed message replays can cause Global Navigation Satellite Systems (GNSS) to misreport the location of the receiver to an attacker-specified location. Since these attacks are carried out by simply introducing delay to messages rather than altering message contents, conventional cryptography does not protect against them.…”

Section: Motivationmentioning

confidence: 99%

Watch This Space: Securing Satellite Communication through Resilient Transmitter Fingerprinting

Smailes,

Köhler,

Birnbach

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Due to an increase in the availability of cheap off-the-shelf radio hardware, signal spoofing and replay attacks on satellite ground systems have become more accessible than ever. This is particularly a problem for legacy systems, many of which do not offer cryptographic security and cannot be patched to support novel security measures.Therefore, in this paper we explore radio transmitter fingerprinting in the context of satellite systems. We introduce the SatIQ system, proposing novel techniques for authenticating transmissions using characteristics of the transmitter hardware expressed as impairments on the downlinked radio signal. We look in particular at high sample rate fingerprinting, making device fingerprints difficult to forge without similarly high sample rate transmitting hardware, thus raising the required budget for spoofing and replay attacks. We also examine the difficulty of this approach with high levels of atmospheric noise and multipath scattering, and analyze potential solutions to this problem.We focus on the Iridium satellite constellation, for which we collected 1 705 202 messages at a sample rate of 25 MS/s. We use this data to train a fingerprinting model consisting of an autoencoder combined with a Siamese neural network, enabling the model to learn an efficient encoding of the message headers that preserves identifying information.We demonstrate the fingerprinting system's robustness under attack by replaying messages using a Software-Defined Radio, achieving an Equal Error Rate of 0.120, and ROC AUC of 0.946. Finally, we analyze its stability over time by introducing a time gap between training and testing data, and its extensibility by introducing new transmitters which have not been seen before. We conclude that our techniques are useful for building fingerprinting systems that are stable over time, can be used immediately with new transmitters without retraining, and provide robustness against spoofing and replay attacks by raising the required budget for attacks.

show abstract

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Cited by 4 publications

References 19 publications

An Experimental Performance Assessment of Galileo OSNMA

An Experimental Performance Assessment of Galileo OSNMA

Detecting Maritime GPS Spoofing Attacks Based on NMEA Sentence Integrity Monitoring

Watch This Space: Securing Satellite Communication through Resilient Transmitter Fingerprinting

Contact Info

Product

Resources

About