
Distance-decreasing attack in GPS Final Presentation

Distance-decreasing attack in GPS: Final Presentation. Prof. Jean-Pierre Hubaux. Assistant: Marcin Poturalski. Horacio Arze. Security and Cooperation in Wireless Networks. January 2009.



  1. Distance-decreasing attack in GPS: Final Presentation. Prof. Jean-Pierre Hubaux. Assistant: Marcin Poturalski. Horacio Arze. Security and Cooperation in Wireless Networks. January 2009

  2. Outline • GNSS • Threat model • Distance-decreasing attack • Performance • Discussion • Conclusion

  3. GNSS: Global Navigation Satellite Systems (GPS, GLONASS, Galileo, Compass). Security sensitive applications: • Road toll collection • Position-based insurance • Air traffic control • Resource access control

  4. Security in GNSS • Integrity • Authentication • Privacy SPOOFING

  5. GNSS

  6. Spoofing. Attack actually implemented by O'Hanlon et al. at Cornell Univ. Software-defined receiver/spoofer. Cost: $1500. O'Hanlon, B. et al., January 1 2009, Assessing the Spoofing Threat, GPS World, http://www.gpsworld.com/defense/security-surveillance/assessing-spoofing-threat-3171

  7. Solutions • Signal Authentication through Spread Spectrum Security Codes (SSSC) • Signal Authentication through Spreading Code Encryption (SCE) • Non-cryptographic methods • Navigation Message Encryption • Navigation Message Authentication • Digital signature included in the messages • Public/private key pairs for each satellite. References: O. Pozzobon et al., 2004, Secure Tracking using Trusted GNSS Receivers and Galileo Authentication Services, Journal of Global Positioning Systems, Vol. 3, No. 1-2: 200-207. G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, Inside GNSS.

  8. Relay attack. The relay retransmits the messages bit by bit, introducing a certain delay for each message of Si. [Figure: Relay] G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, Inside GNSS.

  9. Mistaken GNSS. Clock Offset Test. Papadimitratos, P., Jovanovic, A., Global Navigation Satellite Systems (GNSS) - Attacks and Countermeasures, in IEEE Military Communications Conference (IEEE MILCOM), p. 1-7

  10. DD-attack • Distance-decreasing attacks were proposed by Clulow et al. in 2006 in the context of distance bounding protocols. • Same configuration as the relay attack. • "Reduce" the actual propagation delay. J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore, So near and yet so far: Distance-bounding attacks in wireless networks, in ESAS, 2006.

  11. DD-attack [Timing diagram: Satellite, Relay Rx, Relay Tx and GPS on distance vs. time axes; labels Tb, TED, TLC, Trelay]

  12. Early detection • Know the value of the bit before the bit is completely transmitted. [Figure: Satellite and Relay Rx; labels Tb, TED]

  13. Late commit • Start transmitting something (e.g. noise) • Then transmit something else so the receiver still decodes the bit correctly. [Figure: Relay Tx and GPS; label TLC]

  14. DD-attack [Timing diagram: Satellite, Relay Rx, Relay Tx and GPS on distance vs. time axes; labels Tb, TED, TLC, Trelay]

  15. GPS Modulation (L1) • DSSS (direct-sequence spread spectrum) - CDMA • Data rate 50 bps • Sequence or spreading code (pseudorandom) • Rate 1.023 MHz, period of 1023 chips • BPSK [Figure: bit sequence, code, CDMA sequence]

  16. Demodulation [Block diagram of a GPS receiver: antenna, down-converter, A/D converter, digital IF, carrier replica (SIN/COS), code generator, I and Q branches (IP, IPS, QP, QPS)]

  17. ED and LC • ED • LC • First phase: Signal constant during TS but average 0 • Second phase: Signal corresponding to ED’s result

  18. Performance • Metric: BER estimated by theoretical Pe • Pe probability of error per bit • Parameters • C/N0 Carrier-to-noise Density • TED • Trelay

  19. DD-attack [Timing diagram: Satellite, Relay Rx, Relay Tx and GPS on distance vs. time axes; labels Tb, TED, TLC, Trelay]

  20. Performance • ED • Normal Detector • LC

  21. BER for ED

  22. BER for LC

  23. DD-attack performance [Plot: one curve per TLC value, TLC = 2 ms to 18 ms in steps of 2 ms]

  24. Compact presentation

  25. Discussion • Feasibility • The O'Hanlon et al. device is a perfect platform for the DD-attack • By increasing the Tx power of the relay, we can achieve any performance. • Trelay = 1 ms => already 300 km in range error. • Performance increased by bit prediction

  26. Discussion • Countermeasures • Non-cryptographic countermeasures: Inertial Tests, Doppler Shift, Angle of arrival • Clock Offset Test not effective! • Analysis of the samples at the receiver • To be further developed

  27. Conclusion • The distance-decreasing attack is feasible on the GPS L1 carrier. • A considerable error in position estimation can be introduced with practically no loss of performance. • DD-attacks are specific to the coding and modulation scheme. Analysis for other signals is still to be done (e.g. GPS L2 and L5, Galileo L5). • Designers of security sensitive devices must be warned about this kind of attack.
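
One way the "analysis of the samples at the receiver" countermeasure from slide 26 could look, as an added example that is not from the presentation. It assumes the receiver is bit-synchronised, exposes one prompt correlator output per 1 ms code period (20 per 50 bps data bit), and that the first late-commit phase of slide 17 correlates to roughly zero; the function names, amplitudes and noise level are constructed for the illustration.

```python
import random

MS_PER_BIT = 20  # GPS L1: 50 bps data, one 1023-chip code period per ms

def simulate_bits(n_bits, t_lc_ms=0, amp=1.0, noise=0.5, seed=1):
    """Constructed test data: 20 one-ms prompt correlator outputs per bit.
    t_lc_ms > 0 models late-commit bits whose first t_lc_ms carry no data."""
    rng = random.Random(seed)
    bits = []
    for _ in range(n_bits):
        d = rng.choice((-1, 1))
        bits.append([(0.0 if i < t_lc_ms else amp * d) + rng.gauss(0, noise)
                     for i in range(MS_PER_BIT)])
    return bits

def amplitude_profile(bits):
    """Mean data-wiped amplitude at each ms position inside the bit."""
    profile = [0.0] * MS_PER_BIT
    for samples in bits:
        sign = 1.0 if sum(samples) >= 0 else -1.0  # bit decision over full Tb
        for i, s in enumerate(samples):
            profile[i] += sign * s / len(bits)
    return profile

def estimate_uncommitted_ms(bits, ratio=0.5):
    """Count leading ms positions whose amplitude stays below ratio * plateau.
    The plateau is taken from the second half of the bit (an assumption that
    holds while the uncommitted part is shorter than about half of Tb).
    A genuine signal returns 0; a non-zero result is grounds to distrust
    the pseudorange of that satellite."""
    profile = amplitude_profile(bits)
    tail = profile[MS_PER_BIT // 2:]
    plateau = sum(tail) / len(tail)
    count = 0
    for value in profile:
        if value >= ratio * plateau:
            break
        count += 1
    return count

if __name__ == "__main__":
    print("genuine:", estimate_uncommitted_ms(simulate_bits(500)))
    print("late commit:", estimate_uncommitted_ms(simulate_bits(500, t_lc_ms=6)))
```

Because the statistic is a ratio against the plateau, raising the relay's Tx power (slide 25) does not hide the empty leading portion of each bit.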
