As the security of global navigation satellite systems (GNSSs) for civilian usage is increasingly important, navigation message authentication (NMA) significantly improves resilience to spoofing attacks. However, not all attacks can be effectively countered: a strong variant of replay/relay attacks, distance-decreasing (DD) attacks, can shorten pseudorange measurements, without manipulating the cryptographically protected navigation message, thus manipulating the position, velocity, and time solution undetected. First, we discuss how DD attacks can tamper with GNSS signals, demonstrating the attack effectiveness on a recorded Galileo signal. DD attacks might introduce bit errors to the forged signals, but the adversary can keep this error rate very low with proper attack parameter settings. Then, based on our mathematical model of the prompt correlator output of the tracking phase at the victim receiver, we find that the correlator output distribution changes in the presence of DD attacks. This leads us to apply hypothesis testing to detect DD attacks, notably a goodness-of-fit (GoF) test and a generalized likelihood ratio test (GLRT), depending on the victim's knowledge on the DD attacks. Monte Carlo simulations are used to evaluate the detection probability and the receiver operating characteristic curves for two tests, for different adversary configuration and noise settings. Then, we evaluate the effectiveness of the GoF test and the GLRT with a synthesized DD signal. Both tests can detect DD attacks with similar performance in high-signal-to-noise-ratio (SNR) environments. The GLRT detection probability is approximately 20% higher than that of the GoF test in low-SNR environments.

Numerous applications and devices use Global Navigation Satellite System (GNSS)-provided position, velocity and time (PVT)information. However, unintentional interference and intentional attacks render GNSS-provided information unreliable. ReceiverAutonomous Integrity Monitoring (RAIM) is considered an effective and lightweight protection method when a subset of the availablesatellite measurements is affected. However, the conventional RAIM Fault Detection and Exclusion (FDE), exhaustive iterative searchto exclude faulty signals, can be expensive when there are many potential faults, especially so for multi-constellation GNSS receiversoperating in the presence of several faulty signals. Therefore, we propose a fast multiple fault detection and exclusion (FM-FDE)algorithm, to detect and exclude multiple faults for both single and multi-constellation receivers. The novelty is FM-FDE caneffectively exclude faults withouta lengthy iterative search on candidate fault signals. FM-FDE calculates position distances of anysubset pairs with (3+P) measurements, where P is the number of constellations. Then, the algorithm utilizes statistical testing toexamine the distances, identifies faulty measurements and further excludes them from the computation of the final PVT solution. Weevaluate FM-FDE with synthesized faulty measurements added to a collected data set; the results show that FM-FDE is faster thanconventional Solution Separation (SS) FDE when the number of faults is larger than 3 in a single constellation receiver. Moreover,FM-FDE is much faster when the number of faults is larger than 2 in a GPS-Galileo receiver, when both constellation contains faultymeasurements. The trade-off is that FM-FDE slightly degrades performance in terms of misdetection and false alarm probabilities,compared to the conventional SS FDE.

With trillions of devices connected in large scale systems in a wired or wireless manner, positioning and synchronization become vital. Global Navigation Satellite System (GNSS) is the first choice to provide global coverage for positioning and synchronization services. From small mobile devices to aircraft, from intelligent transportation systems to cellular networks, and from cargo tracking to smart grids, GNSS plays an important role, thus, requiring high reliability and security protection.       

However, as GNSS signals propagate from satellites to receivers at distance of around 20 000 km, the signal power arriving at the receivers is very low, making the signals easily jammed or overpowered. Another vulnerability stems from that civilian GNSS signals and their specifications are publicly open, so that anyone can craft own signals to spoof GNSS receivers: an adversary forges own GNSS signals and broadcasts them to the victim receiver, to mislead the victim into believing that it is at an adversary desired location or follows a false trajectory, or adjusts its clock to a time dictated by the adversary. Another type of attack is replaying GNSS signals: an adversary transmits a pre-recorded GNSS signal stream to the victim receiver, so that the receiver calculates an erroneous position and time. Recent incidents reported in press show that the GNSS functionalities in a certain area, e.g., Black Sea, have been affected by cyberattacks composed of the above-mentioned attack types.        

This thesis, thus, studies GNSS vulnerabilities and proposes detection and mitigation methods for GNSS attacks, notably spoofing and replay attacks. We analyze the effectiveness of one important and powerful replay attack, the so-called Distance-decreasing (DD) attacks that were previously investigated for wireless communication systems, on GNSS signals. DD attacks are physical layer attacks, targeting time-of-flight ranging protocols, to shorten the perceived as measured distance between the transmitter and receiver. The attacker first transmits an adversary-chosen data bit to the victim receiver before the signal arrives at the attacker; upon receipt of the GNSS signal, the attacker estimates the data bit based on the early fraction of the bit period, and then switches to transmitting the estimate to the victim receiver. Consequently, the DD signal arrives at the victim receiver earlier than the genuine GNSS signals would have, which in effect shortens the pseudorange measurement between the sender (satellite) and the victim receiver, consequently, affecting the calculated position and time of the receiver. We study how the DD attacks affect the bit error rate (BER) of the received signals at the victim, and analyze its effectiveness, that is, the ability to shorten pseudorange measurements, on different GNSS signals. Several approaches are considered for the attacker to mount a DD attack with high probability of success (without being detected) against a victim receiver, for cryptographically unprotected and protected signals. We analyze the tracking output of the DD signals at the victim receiver and propose a Goodness of Fit (GoF) test and a Generalized Likelihood Ratio Test (GLRT) to detect the attacks. The evaluation of the two tests shows that they are effective, with the result being perhaps more interesting when considering DD attacks against Galileo signals that can be cryptographically protected.       

Moreover, this thesis investigates the feasibility of validating the authenticity of the GNSS signals with the help of opportunistic signals, which is information readily available in modern communication environments, e.g., 3G, 4G and WiFi. We analyze the time synchronization accuracy of different technologies, e.g., Network Time Protocol (NTP), WiFi and local oscillator, as the basis for detecting a discrepancy with the GNSS-obtained time. Two detection approaches are proposed and one testbench is designed for the evaluation. A synthesized spoofing attack is used to verify the effectiveness of the approaches.       

Beyond attack detection, we develop algorithms to detect and exclude faulty signals, namely the Clustering-based Solution Separation Algorithm (CSSA) and the Fast Multiple Fault Detection and Exclusion (FM-FDE). They both utilize the redundant available satellites, more than the minimum a GNSS receiver needs for position and time offset calculation. CSSA adopts data clustering to group subsets of positions calculated with different subsets of available satellites. Basically, these positions, calculated with subsets not containing any faulty satellites, should be close to each other, i.e., in a dense area; otherwise they should be scattered. FM-FDE is a more efficient algorithm that uses distances between positions, calculated with fixed-size subsets, as test statistics to detect and exclude faulty satellite signals. As the results show, FM-FDE runs faster than CSSA and other solution-separation fault detection and exclusion algorithms while remaining equally effective.

Information cross-validation can be a powerful tool to detect manipulated, dubious GNSS data. A promising approach is to leverage time obtained over networks a mobile device can connect to, and detect discrepancies between the GNSS-provided time and the network time. The challenge lies in having reliably both accurate and trustworthy network time as the basis for the GNSS attack detection. Here, we provide a concrete proposal that leverages, together with the network time servers, the nearly ubiquitous IEEE 802.11 (Wi-Fi) infrastructure. Our framework supports application-layer, secure and robust real time broadcasting by Wi-Fi Access Points (APs), based on hash chains and infrequent digital signatures verification to minimize computational and communication overhead, allowing mobile nodes to efficiently obtain authenticated and rich time information as they roam. We pair this method with Network Time Security (NTS), for enhanced resilience through multiple sources, available, ideally, simultaneously. We analyze the performance of our scheme in a dedicated setup, gauging the overhead for authenticated time data (Wi-Fi timestamped beacons and NTS). The results show that it is possible to provide security for the external to GNSS time sources, with minimal overhead for authentication and integrity, even when the GNSS-equipped nodes are mobile, and thus have short interactions with the WiFi infrastructure and possibly intermittent Internet connectivity, as well as limited resources.

Global navigation satellite systems (GNSS) provide pervasive accurate positioning and timing services for a large gamut of applications, from Time based One-Time Passwords (TOPT), to power grid and cellular systems. However, there can be security concerns for the applications due to the vulnerability of GNSS. It is important to observe that GNSS receivers are components of platforms, in principle having rich connectivity to different network infrastructures. Of particular interest is the access to a variety of timing sources, as those can be used to validate GNSS-provided location and time. Therefore, we consider off-the-shelf platforms and how to detect if the GNSS receiver is attacked or not, by cross-checking the GNSS time and time from other available sources. First, we survey different technologies to analyze their availability, accuracy and trustworthiness for time synchronization. Then, we propose a validation approach for absolute and relative time. Moreover, we design a framework and experimental setup for the evaluation of the results. Attacks can be detected based on WiFi supplied time when the adversary shifts the GNSS provided time, more than 23.942 μs; with Network Time Protocol (NTP) supplied time when the adversary-induced shift is more than 2.046 ms. Consequently, the proposal significantly limits the capability of an adversary to manipulate the victim GNSS receiver.

The security of global navigation satellite systems draws attention increasingly, and authentication mechanisms for civilian services seem very effective in thwarting malicious behavior. For example, the Galileo E1 Open Service introduces navigation message authentication. Authentication, as well as encryption at navigation message or spreading code level, can prevent spoofing attacks, but do not preclude replay attacks. In this work, we consider a type of strong replay attacks, distance-decreasing attacks, against cryptographically protected GNSS signals. Distance-decreasing attack enhance an attacker’s capability of allowing it to mislead the victim receiver that the GNSS signals arrive earlier than true signals. We analyze the instantiation and the effects of the distance-decreasing attacks on unprotected GNSS signals, on navigation message authenticated signals, and on spreading-code encrypted signals. We discuss different strategies that the attacker can adopt to introduce the least bit errors to the re-transmitted signals and avoid being detected at the victim receiver. We provide evaluation results of distance-decreasing attacks on unprotected signals and authenticated navigation message signals, based on different strategies and configurations, and we sketch countermeasures to the different strategies.

Increased use of global satellite navigation systems (GNSS), for applications such as autonomous vehicles, intelligent transportationsystems and drones, heightens security concerns. Civil GNSS signals are vulnerable to notably spoofing and replayattacks. To counter such attacks, cryptographic methods are developed: Navigation Message Authentication (NMA) is onesuch scheme, about to be deployed for Galileo E1 Open Service (OS); it allows receivers to verify the signal origin andprotects navigation message integrity. However, NMA signals cannot fully thwart replay attacks, which do not require forgingnavigation messages. Classic replay attacks, e.g, meaconing, retransmit previously recorded signals without any modification,thus highly limiting the capacity of the adversary. Distance-decreasing (DD) attacks are a strong type of replay attack,allowing fine-grained individual pseudorange manipulation in real time. Moreover, DD attacks counterbalance processing andtransmission delays induced by adversary, by virtue of shifting earlier in time the perceived (relayed) signal arrival; thusshortening the pseudorange measurements. In this paper, we first analyze how DD attacks can harm the Galileo E1 OSNMAservice assuming the adversary has no prior information on the navigation message. Moreover,we propose a DD attackdetection method based on a Goodness of Fit test on the prompt correlator outputs of the victim. The results show that themethod can detect the DD attacks even when the receiver has locked to the DD signals.

Because of the limited satellite visibility, reduced signal reception reliability and constraining spatial geometry, e.g., in urban areas, the development of multi-constellation global navigation satellite systems (GNSS) has gained traction rapidly. GNSS-based applications are expected to handle observations from different navigation systems, e.g., GPS, GLONASS, Bei-Dou and Galileo, in order to improve positioning accuracy and reliability. Furthermore, multi-constellation receivers present an opportunity to better counter spoofing and replaying attacks, leveraging approaches take advantage of the redundant measurements. In particular, cluster-based solution separation algorithm (CSSA) proposes to detect and identify faulty/malicious signals in a single GPS constellation by checking the consistency of receiver positions calculated with different number of satellites. Intuitively, the algorithm targets directly the consequence of spoofing/replaying attacks: the victim receiver position error estimation. It works independently of how the attacks are launched, either through modifying pseudorange measurements or manipulating the navigation messages, without changing the receiver hardware. Multi-constellation GNSS receivers utilize all observations from different navigation systems, there are more than 30 available satellites at each epoch after Galileo and BeiDou systems become fully operational; in other words using abundant redundancy. Therefore, we introduce such a CSSA to a multi-constellation receiver. The work shows that a multi-constellation GNSS receiver equipped with our algorithm works effectively against a strong spoofing/replaying attacker that can manipulate a large number of signals, or even an entire constellation. The results show that CSSA with multi-constellation significantly improves the performance of detecting and identifying the malicious signals; particularly, when the adversary cannot control all the constellations, a multi-constellation receiver can identify the faults even the adversary induces very small errors to pseudorange measurements, comparing with a single constellation receiver. Moreover, when the attacker is powerful to manipulate most of signals of all the constellations, a multi-constellation receiver with CSSA can still detect and identify the faulty signals with high probability when the attacker tries to mislead the victim more than a couple of hundred meters from its true location.

Global Navigation Satellite Systems (GNSS) are vulnerable to jamming, spoong and replaying aacks because of their characteristics. Concerns regarding these aacks are being heightened because unmanned and autonomous vehicles become popular recently. Cryptographic methods have been proposed and are to be implemented in the Galileo and the GPS systems to counter spoong aacks. However, replaying aacks could still potentially harm GNSS receivers by bypassing the cryptographic methods. Distance-decreasing aacks is a strong type of replay aacks: it essentially resolves, from the aacker's point of view, the issue of introducing processing delay by implementing two phases: early detection and late commit. is poster analyzes the feasibility of distance-decreasing aacks against the GNSS navigation message authenticated signals and proposes countermeasures.