Thursday, 8 September 2022

INDUCED SPOOFING FROM APPROACH TO LANDING - During Taxi and Takeoff as well

 


ABRIDGED RESEARCH ON FLIGHT INDUCED SPOOFING


IET Radar, Sonar & Navigation

University of Texas at Austin

Flight Induced spoofing

Accepted: 29 August 2021

Revised: 22 July 2021

Received: 3 June 2021


Sources:

Wang, W., Wang, J.: GNSS induced spoofing simulation based on path planning.

IET Radar Sonar Navig. 16(1), 103–112 (2022).

https://doi.org/10.1049/rsn2.12167

 

DW INTERNATIONAL - A NAVTECH COMPANY

John Wilde

Radio Navigation System Engineer at Qascom, Italy

Samuele Fantinato

Signal Processing Engineer at Qascom, Italy

Stefano Montagner

Signal Processing Engineer at Qascom, Italy

Stefano Ciccotosto

Founder and Technical director of Qascom, Italy

Oscar Pozzobon

 

REFERENCES

1. Jafarnia-Jahromi, A., et al.: GPS vulnerability to spoofing threats and a review of antispoofing techniques. Int. J. Navig. Obs. 2012, 127072 (2012). https://doi.org/10.1155/2012/127072

2. Carroll, J.V.: Vulnerability assessment of the transportation infrastructure relying on global positioning system. J. Navig. 56(2), 185–193 (2003)

3. Humphreys, T.E., et al.: The Texas spoofing test battery: Toward a standard for evaluating GPS signal authentication techniques. In: Proceedings of the ION GNSS+ meeting, pp. 3569–3583, Nashville, September 2012

4. Kerns, A.J., et al.: Unmanned aircraft capture and control via GPS spoofing. J. Field Robot. 31(4), 617–636 (2014)

5. Morales, F.R., et al.: A survey on coping with intentional interference in satellite navigation for manned and unmanned aircraft. IEEE Commun. Surv. Tut. 22(1), 249–291 (2020)

6. Ioannides, R.T., Pany, T., Gibbons, G.: Known vulnerabilities of global navigation satellite systems, status, and potential mitigation techniques. Proc. IEEE 104(6), 1174–1194 (2016)

7. Humphreys, T.E., et al.: Assessing the spoofing threat: Development of a portable GPS civilian spoofer. In: Proceedings of the ION GNSS meeting, pp. 16–19, Savannah, September 2008

8. Gao, Y., Lv, Z., Zhang, L.: Asynchronous liftoff spoofing on satellite navigation receivers in the signal tracking stage. IEEE Sens. J. 20(15), 8604–8613 (2020)


Global Navigation Satellite Systems (GNSS) are highly susceptible to various interferences.

By 2030 it is expected that GNSS will be the main navigation system for most flight phases. GNSS is nowadays also an essential component of other aviation systems, such as the Enhanced Ground Proximity Warning System (EGPWS) and the Ground Based Augmentation System (GBAS).

It is expected that GNSS based air routes will be able to accommodate up to three times the current traffic volume.




Intentional Spoofing during Approach

An instrument approach may be divided into four approach segments: initial, intermediate, final, and missed approach.

Depending on the speed of the aircraft, the availability of weather information, and the complexity of the approach procedure or special terrain avoidance procedures for the airport of intended landing, the in-flight planning phase of an instrument approach can begin as far as 100-200 nautical miles (NM) from the destination.

The ILS system

The major risk for aircraft navigation (most likely during bad visibility conditions) is at the beginning of the approach phase.

The spoofing detection algorithm is configured as follows:

• Spoofing Doppler could have an offset of several kHz from the authentic signal.

• Spoofing delay might have an offset of up to hundreds of chips from the authentic signal.

• Spoofing power offset depends on the relative distance between the aircraft under attack and the sensor.

Non Intentional Spoofing during Taxi-in or Take Off

Certain non-aeronautical systems transmit radio signals intended to supplement GNSS coverage in areas where GNSS signals cannot be readily received (e.g. inside buildings). These systems include GNSS repeaters and pseudolites. GNSS repeaters (also known as “reradiators”) are systems that amplify existing GNSS signals and re-radiate them in real-time.


The interference caused alerts of the Enhanced Ground Proximity Warning System, producing the messages "pull-up" and "FMS/GPS Position disagree" during taxi-in and departure of the airplanes.


In these interferences, induced spoofing is very difficult to detect because it can gradually drag off the tracking points without unlocking the tracking loops of the attacked receiver, causing the victim to obtain wrong position and/or time information.

The importance of GNSS makes it an increasingly attractive target for hackers and criminals.

The openness of the civil GNSS signal structure and the weak transmitting and receiving power make GNSS vulnerable to various natural and malicious interferences.

Spoofing, a kind of malicious interference, can make GNSS victims produce wrong positioning and/or time information.

The spoofing attack mainly includes meaconing and generative spoofing attack [5, 6]. For meaconing, spoofers first receive the authentic satellite signals and then amplify and retransmit the signals to the target receivers. However, for generative spoofing, spoofers usually use GNSS simulation software to generate forged signals, which have the same structure as authentic signals but have false navigation data information.

Generative spoofing can be classified as:

Simplistic spoofing - the spoofing and authentic signals received by victims have asynchronous parameters, including code phase, carrier phase and other parameters. Simplistic spoofing usually adopts the 'jamming-spoofing' mode, which first unlocks the target receiver by high-power jamming and then lets the victim re-acquire and lock onto the spoofing signals.

Intermediate spoofing - also called induced spoofing or liftoff spoofing. The spoofer first controls the spoofing to synchronise with the authentic signals in code phase and Doppler frequency so as to disguise itself as the authentic signal, and then gradually takes control of the tracking loop of the target receiver. Induced spoofing does not destroy the tracking state of the target receiver and smoothly induces the victim to a false position/time, which is more threatening and more difficult to detect.

Sophisticated spoofing - based on induced spoofing, uses multiple transmit antennas and controls the directions of the transmitting antennas so that the spoofing signals have the same arrival directions as the authentic ones [10]. It can defeat angle-of-arrival detection but requires a huge increase in cost and complexity.

Data generation algorithm based on path planning

Induced spoofing and antispoofing




Signal model

Induced spoofing has the same structure as that of the authentic satellite signal but different parameters.

Take GPS L1 C/A as an example; they can be denoted as


When there is an induced spoofing, the victim will simultaneously receive the authentic signal and spoofing as follows:

For induced spoofing, the key feature is that it can gradually drag off the tracking points without unlocking the code loop and carrier loop of the victim. In order to achieve this goal, the spoofer has to first estimate the parameters of the authentic signals received by the target receiver and then adjust the parameters of the spoofing signals to synchronize the code and carrier phases with the authentic signal. After that, the spoofing can drag off the tracking loop of the victim by increasing the power.

However, it is difficult for the spoofer to produce the spoofing signals whose carrier phase is exactly the same as that of authentic signals.

When the spoofer shifts the code phase of the spoofing signals, there are two modes of carrier phase alignment between the spoofing and authentic signals. The first one is the non-frequency lock mode, where the change rate of the carrier phase is proportional to that of the code phase as follows:


where fc is the carrier frequency in Hz, ϕ and τ represent the change rates of the code phase and carrier phase in seconds per second and cycles per second, respectively.

 

The second one is the frequency lock mode in which the spoofing and authentic signals have a certain initial carrier phase offset, and the fixed offset is maintained in the process of changing the code phase. Thus, the spoofing signal and the authentic signal have the same carrier Doppler frequency.

 

 

It should also be noted that, in the non-frequency lock mode, the carrier phase difference between the spoofing and authentic signals cannot be kept fixed, which leads to rapid amplitude variation of the blended signal. The frequency lock mode avoids this amplitude fluctuation.

Thus, spoofing detection methods based on amplitude fluctuation cannot detect the spoofing.

 

However, the method based on code rate and Doppler frequency consistency can be used to detect the frequency lock mode. On the other hand, due to the continuous movement of the satellites, the Doppler frequency of the authentic signals constantly changes even if the victim is stationary, and the movement of the victim intensifies this change. In other words, it is difficult for the spoofer to estimate the accurate Doppler frequency of the authentic signals. Therefore, the frequency lock mode is not easy to implement.
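The code rate / Doppler consistency check described above, written out as an added defender-side example (not code from the paper): for an authentic GPS L1 C/A signal, satellite and receiver motion scale the code Doppler and the carrier Doppler together, so a frequency-lock drag-off, which moves the code phase while holding the authentic carrier Doppler, shows up as code-carrier divergence. The tracking history, the 0.02 chips/s threshold and the 0.05 chips/s drag-off rate are constructed illustrative values.

```python
# Added example (not the paper's code): detect frequency-lock-mode induced spoofing
# via the code rate / carrier Doppler consistency every authentic GPS L1 C/A signal
# obeys (ratio 1.023e6 / 1575.42e6 = 1/1540). A spoofer that drags the code phase
# while holding the authentic carrier Doppler (frequency lock mode) breaks the ratio.
from dataclasses import dataclass
from typing import List, Optional

CODE_CARRIER_RATIO = 1.023e6 / 1575.42e6   # C/A chip rate over L1 carrier, = 1/1540

@dataclass(frozen=True)
class TrackingSample:
    t_s: float                  # receiver time, s
    carrier_doppler_hz: float   # carrier Doppler estimated by the PLL, Hz
    code_doppler_cps: float     # code rate deviation estimated by the DLL, chips/s

def expected_code_doppler(carrier_doppler_hz: float) -> float:
    """Code Doppler an authentic signal must show for this carrier Doppler."""
    return carrier_doppler_hz * CODE_CARRIER_RATIO

def code_carrier_divergence(s: TrackingSample) -> float:
    """Measured code Doppler minus the value implied by the carrier Doppler."""
    return s.code_doppler_cps - expected_code_doppler(s.carrier_doppler_hz)

def detect_frequency_lock_dragoff(samples: List[TrackingSample],
                                  threshold_cps: float = 0.02,
                                  min_consecutive: int = 3) -> Optional[float]:
    """Time at which |divergence| has exceeded threshold_cps for min_consecutive
    samples in a row (a persistent drag-off), else None. The threshold (~6 m/s)
    is an assumed tuning value that must sit above DLL noise and the slow
    ionospheric code-carrier divergence, neither of which is modelled here."""
    run = 0
    for s in samples:
        run = run + 1 if abs(code_carrier_divergence(s)) > threshold_cps else 0
        if run >= min_consecutive:
            return s.t_s
    return None

def constructed_track(dragoff_start_s: Optional[float]) -> List[TrackingSample]:
    """Constructed 1 Hz history: authentic carrier Doppler drifting from 1000 Hz
    at -0.5 Hz/s with consistent code Doppler; from dragoff_start_s on, a
    frequency-lock drag-off adds 0.05 chips/s (~15 m/s) to the code rate only."""
    out = []
    for t in range(0, 21):
        fd = 1000.0 - 0.5 * t
        code = expected_code_doppler(fd)
        if dragoff_start_s is not None and t >= dragoff_start_s:
            code += 0.05   # code peak moves; carrier Doppler still matches authentic
        out.append(TrackingSample(float(t), fd, code))
    return out
```

As the text notes, this check does not catch the non-frequency lock mode, where the carrier phase rate moves in proportion to the code phase and the ratio is preserved; there the amplitude fluctuation of the blended signal is the observable instead.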

The induction process of induced spoofing can be demonstrated by the autocorrelation function (ACF) model of the authentic and spoofing signals. Depending on the methods of code phase alignment, induced spoofings can be classified as synchronous and asynchronous. Figure 1 shows the induction processes of the two methods.

The green dot marks indicate the code phase discrimination result, that is, the tracking point of the receiver. As the correlation peak of the spoofing signal moves, the tracking point of the receiver will shift gradually and finally completely transfer to the spoofing signal. Then, the tracking loop is controlled by the induced spoofing.

As shown in Figure 1a, synchronous induced spoofing mainly has two phases:

(1) T0–T1: alignment phase, and

(2) T2: drag-off phase.

In the alignment phase T0, the power of the spoofing is initially lower than that of the authentic signal when the spoofing is injected, but the code phase and carrier frequency are synchronised with those of the authentic signal.

Then, in T1, the power of the spoofing signal increases gradually until it exceeds the power of the authentic signal. With this power advantage, the tracking loop comes under the control of the spoofing signal. Subsequently, in T2, the spoofing increases its code rate, which causes the spoofing correlation peak to move away from the authentic correlation peak during the drag-off phase. Thus, the tracking point shifts gradually until it is completely transferred to the spoofing correlation peak at T3.

Synchronous induced spoofing signals can effectively forge the authentic signals, but it is necessary to know the precise geographical location and velocity of the target receiver to accurately estimate the code phase and carrier Doppler frequency of the authentic signal. However, it is very difficult to implement in a real spoofing scenario. Therefore, at the beginning, the spoofing generated by the spoofer usually has a certain code phase and Doppler frequency difference with the authentic signal. In this case, the generated spoofing is an asynchronous induced spoofing.

As shown in Figure 1b, the strategy of asynchronous induced spoofing is similar to that of synchronous induced spoofing, and the whole induction process includes three phases: 

In T0', the spoofing initially has some code phase difference from the authentic signal. Then, the spoofing signal will continuously adjust its code phase so that its correlation peak gradually approaches that of the authentic signal until they are aligned. And the subsequent process is similar to synchronous induced spoofing. In this induction process, the spoofer does not know the accurate code phase and Doppler frequency of the authentic signals, which makes it impossible to know when it is synchronised with the authentic signal. Therefore, the spoofing correlation peak must always be higher than the authentic correlation peak to ensure that the spoofing signal can successfully lift off the tracking point after alignment.

In short, by adjusting the change rate of the code phase of spoofing based on a given strategy, the induced spoofing can gradually change the relative code phase difference between the authentic signal and spoofing.

Then, the induced spoofing can control the tracking loop of the victim, which will eventually lead to a wrong position and/or time information output. Therefore, the key step of induced spoofing is to gradually change the relative code phase difference between authentic signal and spoofing.

On the other hand, it is well known that the code phase received by the receiver is related to the transmission time of the satellite signal and the distance between the satellite and receiver based on the principle of satellite navigation. Thus, signals received by receivers in different locations have different code phases even for signals coming from the same satellite and the same transmission time.

Path planning

Suppose there are two receivers; one is called target receiver whose received satellite signals simulate the authentic signals received by the victim receiver. The other is called spoofing receiver whose received satellite signals simulate the spoofing generated by the spoofer.

When the target and spoofing receivers are located at the same three-dimensional geographical position at the same time, the distances from them to each satellite are equal, that is, Δτi = 0. Similarly, when the target and spoofing receivers are in different three-dimensional geographic locations (in a small area), Δτi will change and approximately satisfy

where dr is the distance between the target receiver and the spoofing receiver as

An example of asynchronous induced spoofing illustrates the path planning algorithm. The path planning consists of three phases:

(1) As shown in Figure 2a, the target and the spoofing receivers separately move along the solid line and the dotted line at different speeds from time t0 and meet at M1 at time t1, which corresponds to T0 of Figure 1b.

Then, Δτi will change from Δτi > 0 to Δτi = 0.

(2) As shown in Figure 2b, from time t1 to time t2, the two receivers move at the same speed along the same path. This process corresponds to T0 of Figure 1b.

(3) After time t2, as shown in Figure 2c, the two receivers begin to move along different paths and the distance between them continuously increases. Thus, Δτi changes from Δτi = 0 to Δτi > 0. This process corresponds to T2 of Figure 1b.

The power control of spoofing

The power of the spoofing signals is another crucial factor affecting the success of the inducing process. It is worth noting that higher spoofing power is not always better. For the victim, the intrusion of the spoofing will raise the noise floor and affect the carrier-to-noise ratio, and excessive power will cause the victim to issue an abnormal alarm. Nevertheless, if the power of the spoofing is too low and not synchronized with the authentic signal in carrier phase, the stability of the tracking loop will be affected. Consequently, the power of the spoofing should be higher than that of the authentic signal, but not too high.






FIGURE 2 An example of path planning for the target and spoofing receivers to produce an asynchronous induced spoofing. (a) Path from time t0 to time t1. (b) Path from time t0 to time t2. (c) Path from start t0 to the end of time.





FIGURE 6 Positioning solutions of authentic, spoofing and mixed signals. (a) Latitude (b) Longitude (c) Height


Non Intentional Spoofing: Repeaters

Intentional Spoofing, Landing Case (Simulated)


Spoofing detection techniques

The spoofing detection engine has been designed according to the following requirements:

• Capability to Monitor Spoofing with:

– Power Offset: between -3 dB and +15 dB. The lower bound is related to the receiver acquisition sensitivity; the upper bound is the limit above which the spoofing signal can be considered an interferer.

– Frequency Offset: related to the maximum relative velocity between the sensor and a plane during the approach phase.

– Delay Offset: linked to the typical distance from the airport at which the approach phase begins.

• Spoofing detection probability of 95% and false alarm rate lower than 10^-4

• Time to Alarm lower than 5 seconds.
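An added example (not the paper's or Qascom's code) that turns the detection-engine requirements above, together with the detection configuration given in the approach section (Doppler, delay and power offsets), into a monitoring envelope and classifies a second correlation peak against it. The GPS L1 C/A constants are standard; v_max_mps and d_max_nm are assumed illustrative inputs rather than values from the page.

```python
# Added example (not the paper's or Qascom's code): derive a spoofing-monitoring
# envelope from the stated requirements and classify a candidate correlation peak
# relative to the tracked authentic one. v_max_mps and d_max_nm are assumed inputs.
from dataclasses import dataclass

C_MPS = 299_792_458.0
F_L1_HZ = 1575.42e6
CHIP_RATE_HZ = 1.023e6
CHIP_LEN_M = C_MPS / CHIP_RATE_HZ   # about 293 m per C/A chip
NM_TO_M = 1852.0

@dataclass(frozen=True)
class Envelope:
    power_db: tuple      # (lower, upper) power offset vs the authentic peak, dB
    freq_hz: float       # max |Doppler offset| vs the authentic peak, Hz
    delay_chips: float   # max |code delay offset| vs the authentic peak, chips

def build_envelope(v_max_mps: float, d_max_nm: float) -> Envelope:
    """Power window is fixed at [-3, +15] dB by the requirements; the frequency
    bound follows from the maximum sensor-aircraft relative velocity and the
    delay bound from the distance at which the approach begins."""
    freq_hz = v_max_mps * F_L1_HZ / C_MPS           # Doppler of v_max at L1
    delay_chips = d_max_nm * NM_TO_M / CHIP_LEN_M   # that distance in C/A chips
    return Envelope((-3.0, 15.0), freq_hz, delay_chips)

def classify_peak(env: Envelope, power_offset_db: float,
                  freq_offset_hz: float, delay_offset_chips: float) -> str:
    """Classify a second correlation peak relative to the tracked authentic one."""
    lo, hi = env.power_db
    if power_offset_db > hi:
        return "interferer"          # beyond +15 dB it is treated as interference
    if power_offset_db < lo:
        return "below-sensitivity"   # acquisition cannot reliably see it
    if abs(freq_offset_hz) > env.freq_hz or abs(delay_offset_chips) > env.delay_chips:
        return "out-of-window"       # not consistent with an aircraft on approach
    return "spoofing-candidate"      # disguised signal inside the monitored envelope
```

With d_max_nm set to the 100-200 NM approach-start distance quoted earlier, the delay bound comes out in the hundreds of chips, matching the configuration stated for the detection algorithm.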