Security of Global Navigation Satellite Systems
The Problem
Today, it is possible to spoof a GPS receiver to any arbitrary location. Check out the video we created to demonstrate how trivial it is to spoof GPS signals today! The increasing availability of low-cost radio hardware platforms make it feasible to execute such attacks with less than few hundred dollars worth of hardware equipment.
Selected Projects
SPREE: A Spoofing Resistant GPS Receiver
Global Positioning System (GPS) is used ubiquitously in a wide variety of applications ranging from navigation and tracking to modern smart grids and communication networks. However, it has been demonstrated that modern GPS receivers are vulnerable to signal spoofing attacks. For example, today it is possible to change the course of a ship or force a drone to land in a hostile area by simply spoofing GPS signals. Several countermeasures have been proposed in the past to detect GPS spoofing attacks. These countermeasures offer protection only against naive attackers. They are incapable of detecting strong attackers such as those capable of seamlessly taking over a GPS receiver, which is currently receiving legitimate satellite signals, and spoofing them to an arbitrary location. Also, there is no hardware platform that can be used to compare and evaluate the effectiveness of existing countermeasures in real-world scenarios.
In this work, we present SPREE, which is, to the best of our knowledge, the first GPS receiver capable of detecting all spoofing attacks described in the literature. Our novel spoofing detection technique called auxiliary peak tracking enables detection of even a strong attacker capable of executing the seamless takeover attack. We implement and evaluate our receiver against three different sets of GPS signal traces: (i) a public repository of spoofing traces, (ii) signals collected through our own wardriving effort and (iii) using commercial GPS signal generators. Our evaluations show that SPREE constraints even a strong attacker (capable of seamless takeover attack) from spoofing the receiver to a location not more than 1 km away from its true location. This is a significant improvement over modern GPS receivers that can be spoofed to any arbitrary location. Finally, we release our implementation and datasets to the community for further research and development.
Project website: https://www.spree-gnss.ch
Related publication:
Aanjhan Ranganathan, Hildur Ólafsdóttir, Srdjan Capkun
SPREE: Spoofing Resistant GPS Receiver [Paper][Bibtex]
In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking (MobiCom 2016)
On the Requirements for GPS Signal Spoofing Attacks
In this paper, we investigate the requirements for successful GPS spoofing attacks on individuals and groups of victims with civilian or military GPS receivers. In particular, we are interested in identifying from which locations and with which precision the attacker needs to generate its signals in order to successfully spoof the receivers.
We will show, for example, that any number of receivers can easily be spoofed to one arbitrary location; however, the attacker is restricted to only few transmission locations when spoofing a group of receivers while preserving their constellation. In addition, we investigate the practical aspects of a satellite-lock takeover, in which a victim receives spoofed signals after first being locked on to legitimate GPS signals. Using a civilian GPS signal generator, we perform a set of experiments and find the minimal precision of the attacker’s spoofing signals required for covert satellite-lock takeover.
Related publication:
Nils Ole Tippenhauer, Christina Pöpper, Kasper Bonne Rasmussen, Srdjan Capkun
On the Requirements for Successful GPS Spoofing Attacks
ACM Conference on Computer and Communications Security (CCS), 2011
Other Publications
Yu, Der-Yeuan, Aanjhan Ranganathan, Thomas Locher, Srdjan Capkun, and David Basin
Short paper: Detection of GPS spoofing attacks in power grids
In Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks (WiSec).