270 likes | 470 Views
Distance-decreasing attack in GPS Final Presentation. Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski. Horacio Arze. Security and Cooperation in Wireless Networks. January 2009. Outline. GNSS Threat model Distance-decreasing attack Performance Discussion Conclusion. GLONASS.
E N D
Distance-decreasing attack in GPSFinal Presentation Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski Horacio Arze Security and Cooperation in Wireless Networks January 2009
Outline • GNSS • Threat model • Distance-decreasing attack • Performance • Discussion • Conclusion
GLONASS GLONASS GPS GPS Galileo Compass Compass INTRO GNSS Global Navigation Satellite Systems • Road toll collection • Position-based insurance • Air traffic control • Resource access control Galieleo Security sensitive applications
Security in GNSS • Integrity • Authentication • Privacy SPOOFING
Spoofing Attack actually implemented by O’Hanlon et al. at Cornell Univ. Software-defined receiver/spoofer Cost :1500$ O’ Hanlon, B. et al., January 1 2009, Assessing the Spoofing Threat, GPS World, http://www.gpsworld.com/defense/security-surveillance/assessing-spoofing-threat-3171
Solutions • Signal Authentication through Spread Spectrum Security Codes (SSSC) • Signal Authentication through Spreading Code Encryption (SCE) • Non cryptographic methods • Navigation Message Encryption • Navigation Message Authentication • Digital signature included in the messages • Public/private key pairs for each satellite O. Pozzobon et al. 2004, Secure Tracking using Trusted GNSS Receivers and Galileo Authentication Services, Journal of Global Positioning Systems, Vol. 3, No. 1-2: 200-207. G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, InsideGNS.
Relay attack The relay retransmits the messages bit by bit introducing a certain delay for each message of Si Relay G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, InsideGNS.
Mistaken GNSS Clock Offset Test Papadimitatos, P., Jovanovic, A., Global Navigation Satellite Systems (GNSS) - Attacks and Countermeasures, in IEEE Military Communications Conference (IEEE MILCOM), p. 1-7
DD-attack • Distance-decreasing attacks proposed by Clulow et al. in 2006 in the context of distance bounding protocols. • Same configuration that the relay attack. • “Reduce” the actual propagation delay. J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore So near and yet so far: Distance-bounding attacks in wireless networks. , In ESAS, 2006.
Trelay Trelay TED bit TLC bit bit DD-attack bit Satellite Tb Relay Rx distance Relay Tx GPS time
TED bit Early detection • Know the value of the bit, before the bit is completely transmitted. Tb bit Satellite Relay Rx
TLC bit bit Late commit • Start transmitting something (e.g. noise) • Then, transmit something else so the receiver still decode the bit correctly. Relay Tx GPS
bit Satellite Tb Relay Rx distance Relay Tx GPS time Trelay Trelay TED bit TLC bit bit DD-attack
GPS Modulation (L1) • DSSS Direct-sequence spread spectrum - CDMA • Data rate 50 bps • Sequence or Spreading code (Pseudorandom) • Rate 1.023 MHz, period of 1023 chips • BPSK Bit sequence Code CDMA sequence
Demodulation Antenna I IP IPS Down-converter X X SIN P Q QP QPS A/D Converter X X Digital IF COS P Carrier Replica Code Generator GPS Receiver
ED and LC • ED • LC • First phase: Signal constant during TS but average 0 • Second phase: Signal corresponding to ED’s result
Performance • Metric: BER estimated by theoretical Pe • Pe probability of error per bit • Parameters • C/N0 Carrier-to-noise Density • TED • Trelay
Trelay Trelay TED bit TLC bit bit DD-attack bit Satellite Tb Relay Rx distance Relay Tx GPS time
Performance • ED • Normal Detector • LC
DD-attack performance TLC = 2ms TLC = 4ms TLC = 6ms TLC = 8ms TLC = 10ms TLC = 12ms TLC = 14ms TLC = 16ms TLC = 18ms
Discussion • Feasibility • O’Hanlon et al. device is a perfect platform for DD-Attack • By increasing the Tx power of the relay, we can achieve any performance. • Trelay = 1ms => already 300Km in range error. • Performance increased by bit prediction
Discussion • Countermeasures • Non cryptographic countermeasures Inertial Tests, Doppler Shift, Angle of arrival • Clock Offset Test non effective! • Analysis of the samples at the receiver • To be further developed
Conclusion • Distance-decreasing attack is feasible in GPS L1 carrier. • A considerable error in position estimation can be introduced by with practically no lose of performance. • DD-attacks are specific to coding and modulation scheme. Analysis for other signals to be done (e.g. GPS L2 and L5, Galileo L5). • Designers of security sensitive devices must be warned about these kind of attacks.