kth.sePublications KTH
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Safeguarding NMA Enhanced Galileo OS Signals from Distance-Decreasing Attacks
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. KTH Royal Institute of Technology.
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. RISE SICS.ORCID iD: 0000-0002-3267-5374
2019 (English)Conference paper, Published paper (Refereed)
Abstract [en]

Increased use of global satellite navigation systems (GNSS), for applications such as autonomous vehicles, intelligent transportationsystems and drones, heightens security concerns. Civil GNSS signals are vulnerable to notably spoofing and replayattacks. To counter such attacks, cryptographic methods are developed: Navigation Message Authentication (NMA) is onesuch scheme, about to be deployed for Galileo E1 Open Service (OS); it allows receivers to verify the signal origin andprotects navigation message integrity. However, NMA signals cannot fully thwart replay attacks, which do not require forgingnavigation messages. Classic replay attacks, e.g, meaconing, retransmit previously recorded signals without any modification,thus highly limiting the capacity of the adversary. Distance-decreasing (DD) attacks are a strong type of replay attack,allowing fine-grained individual pseudorange manipulation in real time. Moreover, DD attacks counterbalance processing andtransmission delays induced by adversary, by virtue of shifting earlier in time the perceived (relayed) signal arrival; thusshortening the pseudorange measurements. In this paper, we first analyze how DD attacks can harm the Galileo E1 OSNMAservice assuming the adversary has no prior information on the navigation message. Moreover,we propose a DD attackdetection method based on a Goodness of Fit test on the prompt correlator outputs of the victim. The results show that themethod can detect the DD attacks even when the receiver has locked to the DD signals.
Place, publisher, year, edition, pages
Miami, Florida, 2019. p. 4041-4052
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-265517DOI: 10.33012/2019.17114ISI: 000568618904007Scopus ID: 2-s2.0-85075269802OAI: oai:DiVA.org:kth-265517DiVA, id: diva2:1377572
Conference
Proceedings of the 32nd International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2019)
Note

QC  20191212

Available from: 2019-12-12 Created: 2019-12-12 Last updated: 2022-06-26Bibliographically approved
In thesis
1. Secure GNSS-based Positioning and Timing: Distance-Decreasing attacks, fault detection and exclusion, and attack detection with the help of opportunistic signals
Open this publication in new window or tab >>Secure GNSS-based Positioning and Timing: Distance-Decreasing attacks, fault detection and exclusion, and attack detection with the help of opportunistic signals
2021 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

With trillions of devices connected in large scale systems in a wired or wireless manner, positioning and synchronization become vital. Global Navigation Satellite System (GNSS) is the first choice to provide global coverage for positioning and synchronization services. From small mobile devices to aircraft, from intelligent transportation systems to cellular networks, and from cargo tracking to smart grids, GNSS plays an important role, thus, requiring high reliability and security protection.       

However, as GNSS signals propagate from satellites to receivers at distance of around 20 000 km, the signal power arriving at the receivers is very low, making the signals easily jammed or overpowered. Another vulnerability stems from that civilian GNSS signals and their specifications are publicly open, so that anyone can craft own signals to spoof GNSS receivers: an adversary forges own GNSS signals and broadcasts them to the victim receiver, to mislead the victim into believing that it is at an adversary desired location or follows a false trajectory, or adjusts its clock to a time dictated by the adversary. Another type of attack is replaying GNSS signals: an adversary transmits a pre-recorded GNSS signal stream to the victim receiver, so that the receiver calculates an erroneous position and time. Recent incidents reported in press show that the GNSS functionalities in a certain area, e.g., Black Sea, have been affected by cyberattacks composed of the above-mentioned attack types.        

This thesis, thus, studies GNSS vulnerabilities and proposes detection and mitigation methods for GNSS attacks, notably spoofing and replay attacks. We analyze the effectiveness of one important and powerful replay attack, the so-called Distance-decreasing (DD) attacks that were previously investigated for wireless communication systems, on GNSS signals. DD attacks are physical layer attacks, targeting time-of-flight ranging protocols, to shorten the perceived as measured distance between the transmitter and receiver. The attacker first transmits an adversary-chosen data bit to the victim receiver before the signal arrives at the attacker; upon receipt of the GNSS signal, the attacker estimates the data bit based on the early fraction of the bit period, and then switches to transmitting the estimate to the victim receiver. Consequently, the DD signal arrives at the victim receiver earlier than the genuine GNSS signals would have, which in effect shortens the pseudorange measurement between the sender (satellite) and the victim receiver, consequently, affecting the calculated position and time of the receiver. We study how the DD attacks affect the bit error rate (BER) of the received signals at the victim, and analyze its effectiveness, that is, the ability to shorten pseudorange measurements, on different GNSS signals. Several approaches are considered for the attacker to mount a DD attack with high probability of success (without being detected) against a victim receiver, for cryptographically unprotected and protected signals. We analyze the tracking output of the DD signals at the victim receiver and propose a Goodness of Fit (GoF) test and a Generalized Likelihood Ratio Test (GLRT) to detect the attacks. The evaluation of the two tests shows that they are effective, with the result being perhaps more interesting when considering DD attacks against Galileo signals that can be cryptographically protected.       

Moreover, this thesis investigates the feasibility of validating the authenticity of the GNSS signals with the help of opportunistic signals, which is information readily available in modern communication environments, e.g., 3G, 4G and WiFi. We analyze the time synchronization accuracy of different technologies, e.g., Network Time Protocol (NTP), WiFi and local oscillator, as the basis for detecting a discrepancy with the GNSS-obtained time. Two detection approaches are proposed and one testbench is designed for the evaluation. A synthesized spoofing attack is used to verify the effectiveness of the approaches.       

Beyond attack detection, we develop algorithms to detect and exclude faulty signals, namely the Clustering-based Solution Separation Algorithm (CSSA) and the Fast Multiple Fault Detection and Exclusion (FM-FDE). They both utilize the redundant available satellites, more than the minimum a GNSS receiver needs for position and time offset calculation. CSSA adopts data clustering to group subsets of positions calculated with different subsets of available satellites. Basically, these positions, calculated with subsets not containing any faulty satellites, should be close to each other, i.e., in a dense area; otherwise they should be scattered. FM-FDE is a more efficient algorithm that uses distances between positions, calculated with fixed-size subsets, as test statistics to detect and exclude faulty satellite signals. As the results show, FM-FDE runs faster than CSSA and other solution-separation fault detection and exclusion algorithms while remaining equally effective.
Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2021. p. 71
Series
TRITA-EECS-AVL ; 2021:19
National Category
Communication Systems Computer Systems Other Electrical Engineering, Electronic Engineering, Information Engineering Signal Processing Geotechnical Engineering and Engineering Geology
Research subject
Electrical Engineering
Identifiers
urn:nbn:se:kth:diva-291548 (URN)978-91-7873-811-3 (ISBN)
Public defence
2021-04-01, https://kth-se.zoom.us/webinar/register/WN_IFbfmOPTSVCODSCFxTnMDA, Online, Stockholm, 09:00 (English)
Opponent
Supervisors
Note

QC 20210316

Available from: 2021-03-16 Created: 2021-03-15 Last updated: 2025-02-05Bibliographically approved

Open Access in DiVA

fulltext(1952 kB)469 downloads
File information
File name FULLTEXT01.pdfFile size 1952 kBChecksum SHA-512
926e387c74403e2d64eb8e2ccc46c2509c35a55e2204b5684dcea3cb643d6044ae6cc20b321103af1ad15e7b4e1c7ce6269ff6102434da254d9b6b23446d6f96
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Zhang, KeweiPapadimitratos, Panagiotis

Search in DiVA

By author/editor
Zhang, KeweiPapadimitratos, Panagiotis
By organisation
Network and Systems Engineering
Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar
Total: 472 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 752 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub
|
About Open Access