ABRIDGED RESEARCH ON FLIGHT INDUCED SPOOFING
IET Radar, Sonar & Navigation
University of Texas at Austin
Flight Induced Spoofing
Received: 3 June 2021; Revised: 22 July 2021; Accepted: 29 August 2021
Sources:
Wang, W., Wang, J.: GNSS induced spoofing simulation based on path planning. IET Radar Sonar Navig. 16(1), 103–112 (2022). https://doi.org/10.1049/rsn2.12167
John Wilde, DW INTERNATIONAL - A NAVTECH COMPANY
Samuele Fantinato, Radio Navigation System Engineer at Qascom, Italy
Stefano Montagner, Signal Processing Engineer at Qascom, Italy
Stefano Ciccotosto, Signal Processing Engineer at Qascom, Italy
Oscar Pozzobon, Founder and Technical Director of Qascom, Italy
REFERENCES
1. Jafarnia-Jahromi, A., et al.: GPS vulnerability to spoofing threats and a review of antispoofing techniques. Int. J. Navig. Obs. 2012, 127072 (2012). https://doi.org/10.1155/2012/127072
2. Carroll, J.V.: Vulnerability assessment of the transportation infrastructure relying on global positioning system. J. Navig. 56(2), 185–193 (2003)
3. Humphreys, T.E., et al.: The Texas spoofing test battery: Toward a standard for evaluating GPS signal authentication techniques. In: Proceedings of the ION GNSS+ meeting, pp. 3569–3583. Nashville, September 2012
4. Kerns, A.J., et al.: Unmanned aircraft capture and control via GPS spoofing. J. Field Robot. 31(4), 617–636 (2014)
5. Morales, F.R., et al.: A survey on coping with intentional interference in satellite navigation for manned and unmanned aircraft. IEEE Commun. Surv. Tut. 22(1), 249–291 (2020)
6. Ioannides, R.T., Pany, T., Gibbons, G.: Known vulnerabilities of global navigation satellite systems, status, and potential mitigation techniques. Proc. IEEE 104(6), 1174–1194 (2016)
7. Humphreys, T.E., et al.: Assessing the spoofing threat: Development of a portable GPS civilian spoofer. In: Proceedings of the ION GNSS meeting, pp. 16–19. Savannah, September 2008
8. Gao, Y., Lv, Z., Zhang, L.: Asynchronous lift-off spoofing on satellite navigation receivers in the signal tracking stage. IEEE Sens. J. 20(15), 8604–8613 (2020)
Global Navigation Satellite Systems (GNSS) are highly
susceptible to various interferences.
By 2030 it is expected that GNSS will be the main navigation system for most flight phases. GNSS is nowadays also an essential component of other aviation systems, such as the Enhanced Ground Proximity Warning System (EGPWS) and the Ground Based Augmentation System (GBAS).
It is expected that GNSS based air routes will be able to
accommodate up to three times the current traffic volume.
Intentional Spoofing during Approach
An instrument approach may be divided into four approach
segments: initial, intermediate, final, and missed approach.
Depending on the speed of the aircraft, the availability of weather information, and the complexity of the approach procedure or special terrain avoidance procedures for the airport of intended landing, the in-flight planning phase of an instrument approach can begin as far as 100-200 nautical miles (NM) from the destination.
The ILS system
The major risk for aircraft navigation (most likely during
bad visibility conditions) is at the beginning of the approach phase.
The spoofing detection algorithms are configured as follows:
• Spoofing Doppler could have an offset of several kHz from the authentic signal.
• Spoofing delay might have an offset of up to hundreds of chips from the authentic signal.
• Spoofing power offset depends on the relative distance between the aircraft under attack and the sensor.
Non Intentional Spoofing during Taxi-in or Take Off
Certain non-aeronautical systems transmit radio signals
intended to supplement GNSS coverage in areas where GNSS signals cannot be
readily received (e.g. inside buildings). These systems include GNSS repeaters
and pseudolites. GNSS repeaters (also known as “reradiators”) are systems that
amplify existing GNSS signals and re-radiate them in real-time.
The interference caused alerts of the Enhanced Ground Proximity Warning System, which issued the messages "pull-up" and "FMS/GPS Position disagree" during taxi-in and departure of the aircraft.
Among these interferences, induced spoofing is very difficult to detect because it can gradually drag off the tracking points without unlocking the tracking loops of the attacked receiver, causing the victim to output wrong position and/or time information.
The importance of GNSS makes it an increasingly attractive
target for hackers and criminals.
The openness of the civil GNSS signal structure and the weak transmitted and received signal power make GNSS vulnerable to various natural and malicious interferences.
The spoofing, as a kind of malicious interference, can
possibly make GNSS victims produce wrong positioning and/or time information.
The spoofing attack mainly includes meaconing and generative
spoofing attack [5, 6]. For meaconing, spoofers first receive the authentic
satellite signals and then amplify and retransmit the signals to the target
receivers. However, for generative spoofing, spoofers usually use GNSS simulation
software to generate forged signals, which have the same structure as authentic
signals but have false navigation data information.
Generative spoofing can be classified as:
Simplistic spoofing - the spoofing and authentic signals received by victims have asynchronous parameters, including code phase, carrier phase and other parameters. Simplistic spoofing usually adopts the 'jamming-spoofing' mode, which first unlocks the target receiver by high-power jamming and then lets the victim reacquire and lock onto the spoofing signals.
Intermediate spoofing - also called induced spoofing or lift-off spoofing. The spoofer first controls the spoofing signal to synchronise with the authentic signals in code phase and Doppler frequency so as to disguise it as the authentic signal, and then gradually takes control of the tracking loop of the target receiver. Induced spoofing does not destroy the tracking state of the target receiver and smoothly induces the victim to a false position/time, which makes it more threatening and more difficult to detect.
Sophisticated spoofing - based on induced spoofing, uses multiple transmit antennas and controls the directions of the transmitting antennas so that the spoofing signals have the same arrival directions as the authentic ones [10]. It can defeat angle-of-arrival detection but needs a huge increase in cost and complexity.
Data generation algorithm based on path planning
Induced spoofing and anti-spoofing
Signal model
Induced spoofing has the same structure as that of the authentic
satellite signal but different parameters.
Take GPS L1 C/A as an example; they can be denoted as
When there is an induced spoofing, the victim will
simultaneously receive the authentic signal and spoofing as follows:
For induced spoofing,
the key feature is that it can gradually drag off the tracking points without
unlocking the code loop and carrier loop of the victim. In order to achieve
this goal, the spoofer has to first estimate the parameters of the authentic signals
received by the target receiver and then adjust the parameters of the spoofing
signals to synchronize the code and carrier phases with the authentic signal.
After that, the spoofing can drag off the tracking loop of the victim by increasing
the power.
However, it is difficult for the spoofer to produce the spoofing
signals whose carrier phase is exactly the same as that of authentic signals.
When the spoofer shifts the code phase of the spoofing signals,
there are two modes of carrier phase alignment between the spoofing and
authentic signals. The first one is the non‐frequency
lock mode, where the change rate of the carrier phase is proportional to that
of the code phase as follows:
where fc is the carrier frequency in Hz, ϕ and τ represent the change rates of the code phase and carrier phase in seconds per second and cycles per second, respectively.
The second one is the frequency lock mode
in which the spoofing and authentic signals have a certain initial carrier
phase offset, and the fixed offset is maintained in the process of changing the
code phase. Thus, the spoofing signal and the authentic signal have the same
carrier Doppler frequency.
It should also be noted that, in the non‐frequency
lock mode, the carrier phase difference between the spoofing and authentic
signals cannot be kept fixed, which leads to the rapid amplitude variation of
the blended signal. The frequency lock mode can avoid the above situation, that
is amplitude fluctuation.
Thus, spoofing detection methods based on amplitude fluctuation cannot detect the spoofing.
However, a method based on code rate and Doppler frequency consistency can be used to detect the frequency lock mode. Moreover, due to the continuous movement of the satellites, the Doppler frequency of the authentic signals constantly changes even if the victim is stationary, and the movement of the victim intensifies this change. In other words, it is difficult for the spoofer to estimate the accurate Doppler frequency of the authentic signals. Therefore, the frequency lock mode is not easy to implement.
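The code rate and Doppler frequency consistency check described above, as an added example that is not code from the paper or from Qascom: for GPS L1 C/A the carrier and code rates are tied by the fixed ratio fc / chip rate = 1540, so the observed drift of the code delay implies a carrier Doppler, and a receiver can compare that implied value with the carrier Doppler it actually tracks. In frequency lock mode the spoofer moves the code phase while holding the carrier Doppler at the authentic value, so the two quantities stop agreeing. The observation series, the 50 Hz tolerance and the 2 chips/s drag rate are constructed assumptions, as is the starting delay.

```python
from typing import List, Optional, Tuple

# GPS L1 C/A constants
F_CARRIER_HZ = 1575.42e6                     # L1 carrier frequency (fc in the text)
F_CHIP_HZ = 1.023e6                          # C/A code chipping rate
CARRIER_TO_CODE = F_CARRIER_HZ / F_CHIP_HZ   # 1540 carrier cycles per code chip


def doppler_from_code_rate(delay_rate_chips_per_s: float) -> float:
    """Carrier Doppler (Hz) implied by the rate of change of the code delay.

    A shrinking delay (receiver and satellite closing) corresponds to a positive
    Doppler, hence the minus sign. This is the proportional relation of the
    non-frequency-lock mode described in the text.
    """
    return -delay_rate_chips_per_s * CARRIER_TO_CODE


def code_carrier_divergence(code_delay_chips: List[float],
                            doppler_hz: List[float],
                            dt: float) -> List[float]:
    """Per-interval discrepancy (Hz) between code-implied and tracked Doppler."""
    out = []
    for k in range(1, len(code_delay_chips)):
        rate = (code_delay_chips[k] - code_delay_chips[k - 1]) / dt
        out.append(doppler_from_code_rate(rate) - doppler_hz[k])
    return out


def detect_frequency_lock_spoofing(code_delay_chips: List[float],
                                   doppler_hz: List[float],
                                   dt: float,
                                   tol_hz: float = 50.0) -> List[int]:
    """Indices of intervals where code and carrier disagree by more than tol_hz.

    Authentic tracking keeps the discrepancy near zero; a frequency-lock spoofer
    that drags the code phase at r chips/s produces a discrepancy of about
    1540 * r Hz, which is flagged. The tolerance is an assumed value.
    """
    div = code_carrier_divergence(code_delay_chips, doppler_hz, dt)
    return [i for i, d in enumerate(div) if abs(d) > tol_hz]


def simulate_track(n_epochs: int, dt: float, doppler_hz: float,
                   drag_start: Optional[int] = None,
                   drag_chips_per_s: float = 0.0) -> Tuple[List[float], List[float]]:
    """Constructed observation series (an assumption, not measured data).

    The code delay evolves consistently with a constant carrier Doppler; from
    drag_start onward an extra drag rate is added to the delay while the tracked
    Doppler is left unchanged, mimicking frequency-lock mode spoofing.
    """
    delays, dopplers = [], []
    delay = 512.0                                # arbitrary starting delay in chips
    for k in range(n_epochs):
        delays.append(delay)
        dopplers.append(doppler_hz)
        rate = -doppler_hz / CARRIER_TO_CODE     # code-delay rate consistent with Doppler
        if drag_start is not None and k >= drag_start:
            rate += drag_chips_per_s
        delay += rate * dt
    return delays, dopplers


if __name__ == "__main__":
    dt = 0.1
    clean = simulate_track(20, dt, 1500.0)
    spoofed = simulate_track(20, dt, 1500.0, drag_start=10, drag_chips_per_s=2.0)
    print("clean track, flagged intervals  :", detect_frequency_lock_spoofing(*clean, dt))
    print("spoofed track, flagged intervals:", detect_frequency_lock_spoofing(*spoofed, dt))
```

The check only covers the frequency lock mode; in the non-frequency-lock mode the code and carrier stay proportional and the text's amplitude fluctuation detectors apply instead.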
The induction process of induced spoofing can be demonstrated by the auto‐correlation function (ACF) model of the authentic and spoofing signals. Depending on the methods of code phase alignment, induced spoofings can be classified as synchronous and asynchronous. Figure 1 shows the induction processes of the two methods.
The green dot marks indicate the code
phase discrimination result, that is, the tracking point of the receiver. As
the correlation peak of the spoofing signal moves, the tracking point of the
receiver will shift gradually and finally completely transfer to the spoofing
signal. Then, the tracking loop is controlled by the induced spoofing.
As shown in Figure 1a, synchronous induced spoofing mainly has two phases:
(1) T0 ‐T1: alignment phase and
(2) T2: drag‐off phase.
In the alignment phase T0, the power of the spoofing is initially lower than that of the authentic signal when the spoofing is injected, but the code phase and carrier frequency are synchronised with those of the authentic signal.
Then, in T1, the power of the spoofing signal increases gradually until it exceeds the power of the authentic signal. With the power advantage, the tracking loop will be controlled by the spoofing signal. Subsequently, in T2, the spoofing increases its code rate, which causes the spoofing correlation peak to move away from the authentic correlation peak during the drag‐off phase. Thus, the tracking point shifts gradually until it is completely transferred to the spoofing correlation peak as T3.
Synchronous induced spoofing signals can effectively forge the authentic signals, but it is necessary to know the precise geographical location and velocity of the target receiver to accurately estimate the code phase and carrier Doppler frequency of the authentic signal. However, it is very difficult to implement in a real spoofing scenario. Therefore, at the beginning, the spoofing generated by the spoofer usually has a certain code phase and Doppler frequency difference with the authentic signal. In this case, the generated spoofing is an asynchronous induced spoofing.
As shown in Figure 1b, the strategy of asynchronous induced spoofing is similar to that of synchronous induced spoofing, and the whole induction process includes three phases:
In T0', the spoofing initially has some code phase difference from the authentic signal. Then, the spoofing signal will continuously adjust its code phase so that its correlation peak gradually approaches that of the authentic signal until they are aligned. And the subsequent process is similar to synchronous induced spoofing. In this induction process, the spoofer does not know the accurate code phase and Doppler frequency of the authentic signals, which makes it impossible to know when it is synchronised with the authentic signal. Therefore, the spoofing correlation peak must always be higher than the authentic correlation peak to ensure that the spoofing signal can successfully lift off the tracking point after alignment.
In short, by adjusting the change rate of the code phase of spoofing based on a given strategy, the induced spoofing can gradually change the relative code phase difference between the authentic signal and spoofing.
Then, the induced spoofing can control the tracking loop of the victim, which will eventually lead to a wrong position and/or time information output. Therefore, the key step of induced spoofing is to gradually change the relative code phase difference between authentic signal and spoofing.
On the other hand, it is well known that the code phase received by the receiver is related to the transmission time of the satellite signal and the distance between the satellite and receiver based on the principle of satellite navigation. Thus, signals received by receivers in different locations have different code phases even for signals coming from the same satellite and the same transmission time.
Path planning
Suppose there are two receivers. One is called the target receiver, whose received satellite signals simulate the authentic signals received by the victim receiver. The other is called the spoofing receiver, whose received satellite signals simulate the spoofing generated by the spoofer.
When the target and spoofing receivers are located at the same three-dimensional geographical position at the same time, the distances from them to each satellite are equal. Similarly, when the target and spoofing receivers are in different three-dimensional geographic locations (in a small area), Δτi will change and approximately satisfy
where dr is the distance between the target receiver and the spoofing receiver as
Example of asynchronous induced spoofing to illustrate the algorithm of path planning
The path planning consists of three phases:
(1) As shown in Figure 2a, the target and the spoofing receivers separately move along the solid line and the dotted line at different speeds from time t0 and meet at M1 at time t1, which corresponds to the T0’ of Figure 1(b).
Then, Δτi will change from Δτi > 0 to Δτi = 0.
(2) As shown in Figure 2b, from time t1 to time t2, two receivers move at the same speed along the same path. This process corresponds to the T0’ of Figure 1b.
(3) After time t2, as shown in Figure 2c, the two receivers begin to move along different paths and the distance between them continuously increases. Thus, Δτi changes from Δτi = 0 to Δτi > 0. This process corresponds to T2' of Figure 1b.
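The geometric relation behind the three path-planning phases, as an added example (not code from the paper): Δτi is the difference of the two receivers' propagation delays from satellite i, so it is zero while the receivers share a position and, by the triangle inequality, can never exceed dr/c. The satellite position, the taxi speed, the 300 m initial gap and the phase boundaries t1 = 10 s and t2 = 20 s are constructed assumptions; the code expresses delays in C/A chips so that the values are comparable with the delay offsets quoted elsewhere on the page.

```python
import math
from typing import List, Tuple

C_M_PER_S = 299_792_458.0      # speed of light
F_CHIP_HZ = 1.023e6            # GPS C/A chip rate, used to express delays in chips

Vec = Tuple[float, float, float]


def differential_delay_chips(sat: Vec, p_target: Vec, p_spoof: Vec) -> float:
    """Delta tau_i: extra propagation delay of satellite i's signal at the spoofing
    receiver relative to the target receiver, in C/A chips.

    Identical positions give identical distances to the satellite and hence a
    zero code-phase difference.
    """
    return (math.dist(sat, p_spoof) - math.dist(sat, p_target)) / C_M_PER_S * F_CHIP_HZ


def separation_bound_chips(p_target: Vec, p_spoof: Vec) -> float:
    """dr/c in chips: |Delta tau_i| can never exceed this, because the difference of
    two distances to one point is at most the distance between the two points."""
    return math.dist(p_target, p_spoof) / C_M_PER_S * F_CHIP_HZ


def planned_positions(t: float, t1: float = 10.0, t2: float = 20.0,
                      speed: float = 10.0, gap0: float = 300.0) -> Tuple[Vec, Vec]:
    """Constructed three-phase path (an assumption): the target moves along +x at
    `speed` m/s; the spoofing receiver starts gap0 metres off to -y and converges
    linearly until t1 (phase 1), shares the target's path until t2 (phase 2), then
    diverges back towards -y at the same rate (phase 3)."""
    target = (speed * t, 0.0, 0.0)
    if t < t1:
        offset = -gap0 * (1.0 - t / t1)
    elif t <= t2:
        offset = 0.0
    else:
        offset = -gap0 * (t - t2) / (t2 - t1)
    spoof = (target[0], offset, 0.0)
    return target, spoof


def delay_profile(sat: Vec, times: List[float]) -> List[Tuple[float, float, float]]:
    """(t, Delta tau_i in chips, dr/c bound in chips) along the planned path."""
    rows = []
    for t in times:
        p_t, p_s = planned_positions(t)
        rows.append((t,
                     differential_delay_chips(sat, p_t, p_s),
                     separation_bound_chips(p_t, p_s)))
    return rows


# Constructed satellite position in a local metric frame (an assumption): roughly
# GPS altitude, displaced in x and y so the line of sight has a y component.
SAT = (5.0e6, 3.0e6, 2.02e7)

if __name__ == "__main__":
    for t, d_tau, bound in delay_profile(SAT, [0.0, 5.0, 10.0, 15.0, 20.0, 25.0, 30.0]):
        print(f"t={t:5.1f} s  dtau={d_tau:+.4f} chips  (|dtau| <= dr/c = {bound:.4f} chips)")
```

Running it shows Δτi positive and shrinking during phase 1, exactly zero during phase 2, and growing again during phase 3, which is the sequence the three figure panels describe; the same profile can drive a detector test vector instead of a printout.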
The power control of spoofing
The power of the spoofing signals is another crucial factor affecting the success of the inducing process. It is worth noting that higher spoofing power is not always better. For the victim, the intrusion of the spoofing will raise the noise floor and affect the carrier-to-noise ratio, and excessive power will cause the victim to issue an abnormal alarm. Nevertheless, if the power of the spoofing is too low and not synchronized with the authentic signal in carrier phase, the stability of the tracking loop will be affected. Consequently, the power of the spoofing should be higher than that of the authentic signal, but not too high.
FIGURE 2 An example of path planning for the target and spoofing receivers to produce an asynchronous induced spoofing. (a) Path from time t0 to time t1 (b) Path from time t0 to time t2 (c) Path from start t0 to the end of time.
FIGURE 6 Positioning solutions of authentic, spoofing and mixed signals. (a) Latitude (b) Longitude (c) Height
Non Intentional Spoofing: Repeaters
Intentional Spoofing, Landing Case (Simulated)
Spoofing detection techniques
The spoofing detection engine has been designed according to the following requirements:
• Capability to Monitor Spoofing with:
– Power Offset: between -3 dB and +15 dB. Lower bound is related to receiver acquisition sensitivity, upper bound is a limit over which the spoofing signal can be considered as an interferer.
– Frequency Offset: related to the maximum relative velocity between the sensor and a plane during the approach phase.
– Delay Offset linked to common distance from the airport of the approach phase beginning.
• Spoofing Detection probability 95% and False Alarm lower than 10^-4
• Time to Alarm lower than 5 seconds.
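How the detection probability, false alarm rate and time-to-alarm requirements listed above translate into a decision threshold, as an added example that is not code from the detection engine described on the page: for a Gaussian test statistic the Neyman-Pearson threshold is fixed by the 10^-4 false alarm rate alone, and the 95% detection probability then dictates how far the spoofed-case mean must sit above the nominal one. The power window gate uses the -3 dB and +15 dB bounds from the requirements. The test statistic series, its 1 s sampling and the onset index are constructed assumptions.

```python
from statistics import NormalDist
from typing import List, Optional

# Requirements as quoted for the detection engine
PFA_MAX = 1e-4                   # false alarm probability per decision
PD_MIN = 0.95                    # detection probability
TIME_TO_ALARM_MAX_S = 5.0        # seconds
POWER_WINDOW_DB = (-3.0, 15.0)   # spoofing is monitored within this power offset band

_STD_NORMAL = NormalDist()


def classify_power_offset(offset_db: float) -> str:
    """Gate by the monitored power window: below it the spoofing sits under the
    acquisition sensitivity, above it the signal is treated as an interferer."""
    lo, hi = POWER_WINDOW_DB
    if offset_db < lo:
        return "below_sensitivity"
    if offset_db > hi:
        return "interference"
    return "spoofing_window"


def threshold_for_pfa(pfa: float = PFA_MAX, mu0: float = 0.0, sigma: float = 1.0) -> float:
    """Neyman-Pearson threshold on a Gaussian statistic so that
    P(statistic > threshold | no spoofing) = pfa."""
    return mu0 + sigma * _STD_NORMAL.inv_cdf(1.0 - pfa)


def detection_probability(threshold: float, mu1: float, sigma: float = 1.0) -> float:
    """P(statistic > threshold | spoofing) for a Gaussian statistic with mean mu1."""
    return 1.0 - _STD_NORMAL.cdf((threshold - mu1) / sigma)


def required_separation(pfa: float = PFA_MAX, pd: float = PD_MIN) -> float:
    """Smallest (mu1 - mu0)/sigma at which the Pfa and Pd requirements both hold."""
    return _STD_NORMAL.inv_cdf(1.0 - pfa) + _STD_NORMAL.inv_cdf(pd)


def time_to_alarm(statistic: List[float], dt: float, threshold: float,
                  onset_index: int) -> Optional[float]:
    """Seconds from spoofing onset to the first threshold crossing; None if never."""
    for k in range(onset_index, len(statistic)):
        if statistic[k] > threshold:
            return (k - onset_index) * dt
    return None


# Constructed test statistic series (an assumption): nominal noise for 10 samples,
# then a ramp once spoofing starts at index 10, one sample per second.
SAMPLE_STATISTIC = [0.2, -0.5, 1.1, 0.3, -0.8, 0.9, -0.1, 0.4, 1.6, -0.3,
                    2.0, 3.0, 4.5, 5.8, 6.1, 6.0, 6.2, 5.9, 6.3, 6.1]
SAMPLE_ONSET = 10

if __name__ == "__main__":
    thr = threshold_for_pfa()
    print(f"threshold for Pfa={PFA_MAX}: {thr:.3f} sigma")
    print(f"mean shift needed for Pd={PD_MIN}: {required_separation():.3f} sigma")
    tta = time_to_alarm(SAMPLE_STATISTIC, 1.0, thr, SAMPLE_ONSET)
    print(f"time to alarm: {tta} s (requirement: <= {TIME_TO_ALARM_MAX_S} s)")
    print("power offset +20 dB ->", classify_power_offset(20.0))
```

The separation comes out at about 5.36 sigma, which is the figure to compare against the spoofing power and offset ranges the engine is sized for: a statistic that cannot move its mean that far within the monitored window will miss either the 95% detection or the 10^-4 false alarm target.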