ABRIDGED RESEARCH ON FLIGHT INDUCED SPOOFING
IET Radar, Sonar & Navigation
University of Texas at Austin
Received: 3 June 2021
Revised: 22 July 2021
Accepted: 29 August 2021
Source:
Wang, W., Wang, J.: GNSS induced spoofing simulation based on path planning. IET Radar Sonar Navig. 16(1), 103–112 (2022). https://doi.org/10.1049/rsn2.12167
John Wilde, DW International (a Navtech company)
Samuele Fantinato, Radio Navigation System Engineer at Qascom, Italy
Stefano Montagner, Signal Processing Engineer at Qascom, Italy
Stefano Ciccotosto, Signal Processing Engineer at Qascom, Italy
Oscar Pozzobon, Founder and Technical Director of Qascom, Italy
REFERENCES
1. Jafarnia-Jahromi, A., et al.: GPS vulnerability to spoofing threats and a review of antispoofing techniques. Int. J. Navig. Obs. 2012, 127072 (2012). https://doi.org/10.1155/2012/127072
2. Carroll, J.V.: Vulnerability assessment of the transportation infrastructure relying on global positioning system. J. Navig. 56(2), 185–193 (2003)
3. Humphreys, T.E., et al.: The Texas spoofing test battery: Toward a standard for evaluating GPS signal authentication techniques. In: Proceedings of the ION GNSS+ Meeting, pp. 3569–3583. Nashville, September 2012
4. Kerns, A.J., et al.: Unmanned aircraft capture and control via GPS spoofing. J. Field Robot. 31(4), 617–636 (2014)
5. Morales, F.R., et al.: A survey on coping with intentional interference in satellite navigation for manned and unmanned aircraft. IEEE Commun. Surv. Tut. 22(1), 249–291 (2020)
6. Ioannides, R.T., Pany, T., Gibbons, G.: Known vulnerabilities of global navigation satellite systems, status, and potential mitigation techniques. Proc. IEEE 104(6), 1174–1194 (2016)
7. Humphreys, T.E., et al.: Assessing the spoofing threat: Development of a portable GPS civilian spoofer. In: Proceedings of the ION GNSS Meeting, pp. 16–19. Savannah, September 2008
8. Gao, Y., Lv, Z., Zhang, L.: Asynchronous lift-off spoofing on satellite navigation receivers in the signal tracking stage. IEEE Sens. J. 20(15), 8604–8613 (2020)
Global Navigation Satellite Systems (GNSS) are highly susceptible to various interferences.
By 2030 it is expected that GNSS will be the main navigation system for most flight phases. GNSS is nowadays also an essential component of other aviation systems, such as the Enhanced Ground Proximity Warning System (EGPWS) and the Ground Based Augmentation System (GBAS).
It is expected that GNSS-based air routes will be able to accommodate up to three times the current traffic volume.
Intentional Spoofing during Approach
An instrument approach may be divided into four segments: initial, intermediate, final, and missed approach.
Depending on the speed of the aircraft, the availability of weather information, and the complexity of the approach procedure or of special terrain avoidance procedures for the airport of intended landing, the in-flight planning phase of an instrument approach can begin as far as 100–200 nautical miles (NM) from the destination.
The ILS system
The major risk for aircraft navigation (most likely under poor visibility conditions) is at the beginning of the approach phase.
The spoofing detection algorithm is configured for:
• Spoofing Doppler offset of up to several kHz from the authentic signal.
• Spoofing delay offset of up to hundreds of chips from the authentic signal.
• Spoofing power offset depending on the relative distance between the aircraft under attack and the sensor.
Non-Intentional Spoofing during Taxi-in or Take-Off
Certain non-aeronautical systems transmit radio signals intended to supplement GNSS coverage in areas where GNSS signals cannot be readily received (e.g. inside buildings). These systems include GNSS repeaters and pseudolites. GNSS repeaters (also known as "reradiators") amplify existing GNSS signals and re-radiate them in real time.
The interference caused alerts of the Enhanced Ground Proximity Warning System, with the messages "pull-up" and "FMS/GPS position disagree" during taxi-in and departure of the aircraft.
In these interference cases, induced spoofing is very difficult to detect because it can gradually drag off the tracking points without unlocking the tracking loops of the attacked receiver, causing the victim to output wrong position and/or time information.
The importance of GNSS makes it an increasingly attractive target for hackers and criminals.
The openness of the civil GNSS signal structure and the weak transmitted and received power make GNSS vulnerable to various natural and malicious interferences.
Spoofing, as a kind of malicious interference, can make GNSS victims produce wrong positioning and/or time information.
Spoofing attacks mainly include meaconing and generative spoofing [5, 6]. In meaconing, spoofers first receive the authentic satellite signals and then amplify and retransmit them to the target receivers. In generative spoofing, spoofers usually use GNSS simulation software to generate forged signals, which have the same structure as the authentic signals but carry false navigation data.
Generative spoofing can be classified as:
Simplistic spoofing: the spoofing and authentic signals received by the victim have asynchronous parameters, including code phase, carrier phase and others. Simplistic spoofing usually adopts the 'jamming-spoofing' mode, which first unlocks the target receiver by high-power jamming and then lets the victim reacquire and lock onto the spoofing signals.
Intermediate spoofing: also called induced spoofing or lift-off spoofing. The spoofer first controls the spoofing signal to synchronise with the authentic signals in code phase and Doppler frequency, so as to disguise itself as the authentic signal, and then gradually takes control of the tracking loop of the target receiver. Induced spoofing does not destroy the tracking state of the target receiver and smoothly induces the victim to a false position/time, which makes it more threatening and more difficult to detect.
Sophisticated spoofing: based on induced spoofing, it uses multiple transmit antennas and controls their pointing so that the spoofing signals arrive from the same directions as the authentic ones [10]. It can defeat angle-of-arrival detection but requires a large increase in cost and complexity.
Data generation algorithm based on path planning
Induced spoofing and anti-spoofing
Signal model
Induced spoofing has the same structure as the authentic satellite signal but different parameters.
Taking GPS L1 C/A as an example, they can be denoted as
When there is induced spoofing, the victim simultaneously receives the authentic signal and the spoofing signal as follows:
For induced spoofing, the key feature is that it can gradually drag off the tracking points without unlocking the code loop and carrier loop of the victim. To achieve this, the spoofer first has to estimate the parameters of the authentic signals received by the target receiver, and then adjust the parameters of the spoofing signals so that their code and carrier phases are synchronised with the authentic signal. After that, the spoofing can drag off the tracking loop of the victim by increasing its power.
However, it is difficult for the spoofer to produce spoofing signals whose carrier phase is exactly the same as that of the authentic signals. When the spoofer shifts the code phase of the spoofing signals, there are two modes of carrier phase alignment between the spoofing and authentic signals. The first is the non-frequency-lock mode, in which the change rate of the carrier phase is proportional to that of the code phase, the constant of proportionality being the carrier frequency (a code phase change of one second corresponds to a range change of one light-second, that is, fc cycles of carrier phase), as follows:
where fc is the carrier frequency in Hz, and ϕ and τ represent the change rates of the code phase and carrier phase in seconds per second and cycles per second, respectively.
The second is the frequency-lock mode, in which the spoofing and authentic signals have a certain initial carrier phase offset, and this fixed offset is maintained while the code phase is being changed. Thus the spoofing signal and the authentic signal have the same carrier Doppler frequency.
It should also be noted that, in the non-frequency-lock mode, the carrier phase difference between the spoofing and authentic signals cannot be kept fixed, which leads to rapid amplitude variation of the blended signal. The frequency-lock mode avoids this amplitude fluctuation, so spoofing detection methods based on amplitude fluctuation cannot detect it.
However, a method based on the consistency between code rate and Doppler frequency can detect the frequency-lock mode, since the code phase moves while the carrier Doppler does not. On the other hand, because of the continuous movement of the satellites, the Doppler frequency of the authentic signals changes constantly even if the victim is stationary, and the movement of the victim intensifies this change. In other words, it is difficult for the spoofer to estimate the exact Doppler frequency of the authentic signals, so the frequency-lock mode is not easy to implement.
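The code-rate/Doppler consistency check mentioned above can be written out directly. The following Python example is added here and is not code from the paper: it constructs per-epoch code delay and Doppler observables for one satellite, runs a frequency-lock-mode drag (code phase moves, Doppler held) against a non-frequency-lock drag (Doppler moves with the code phase), and flags the inconsistency. The delay rates, noise levels, drag rate, threshold and consecutive-hit rule are assumptions chosen for illustration.

```python
"""Code-rate versus Doppler consistency check for frequency-lock-mode spoofing.

Added example, not from the paper. For an authentic GPS L1 C/A signal the
code delay rate and the carrier Doppler are two measurements of the same
line-of-sight range rate, so (ignoring the small ionospheric code-carrier
divergence over a short window)

    doppler_hz = -F_L1 * d(code_delay_s)/dt

A frequency-lock-mode spoofer drags the code phase while holding the carrier
Doppler at the authentic value, which breaks this relation; the
non-frequency-lock mode moves both together and is invisible to this check.
All observables below are constructed; noise levels, drag rate and threshold
are assumptions.
"""
import random

F_L1 = 1575.42e6     # GPS L1 carrier frequency, Hz
CHIP_RATE = 1.023e6  # C/A code chip rate, chips/s (for converting drag rates)


def doppler_from_code_rate(code_delay_rate):
    """Doppler implied by a code delay rate in s/s (delay growing = receding)."""
    return -F_L1 * code_delay_rate


def simulate_observables(mode, epochs=30, dt=1.0, seed=7):
    """Constructed per-epoch (code_delay_s, doppler_hz) for one satellite.

    mode 'authentic'     : geometric range rate only
         'freq_lock'     : from the midpoint on, code delay is dragged at
                           drag_rate but Doppler stays at the authentic value
         'non_freq_lock' : code delay is dragged and Doppler shifts with it
    """
    rng = random.Random(seed)
    auth_rate = -1.0e-6       # delay rate, s/s: closing at ~300 m/s (assumed)
    drag_rate = 3.3e-7        # spoofer's extra delay rate, ~0.34 chip/s (assumed)
    delay = 0.070             # ~70 ms signal travel time (constructed)
    obs = []
    for k in range(epochs):
        attacking = mode != "authentic" and k >= epochs // 2
        extra = drag_rate if attacking else 0.0
        delay += (auth_rate + extra) * dt
        dop = doppler_from_code_rate(auth_rate)
        if attacking and mode == "non_freq_lock":
            dop = doppler_from_code_rate(auth_rate + extra)
        obs.append((delay + rng.gauss(0.0, 1e-9),   # ~0.3 m code noise (assumed)
                    dop + rng.gauss(0.0, 0.5)))     # 0.5 Hz Doppler noise (assumed)
    return obs


def divergence_residuals(obs, dt=1.0):
    """Per epoch pair: measured Doppler minus Doppler implied by the code rate."""
    res = []
    for (d0, _), (d1, f1) in zip(obs, obs[1:]):
        code_rate = (d1 - d0) / dt
        res.append(f1 - doppler_from_code_rate(code_rate))
    return res


def detect(obs, threshold_hz=20.0, min_hits=3, dt=1.0):
    """Return the epoch index at which the alarm is raised, or None.

    Requiring min_hits consecutive exceedances keeps a single noisy epoch
    from triggering; with 1 s epochs and min_hits=3 the time-to-alarm is 3 s.
    """
    run = 0
    for i, r in enumerate(divergence_residuals(obs, dt)):
        run = run + 1 if abs(r) > threshold_hz else 0
        if run >= min_hits:
            return i + 1
    return None


if __name__ == "__main__":
    for mode in ("authentic", "freq_lock", "non_freq_lock"):
        print(f"{mode:14s} alarm at epoch: {detect(simulate_observables(mode))}")
```

With the assumed drag of about 0.34 chip/s the residual is roughly F_L1 times 3.3e-7, about 520 Hz, far above the few hertz of measurement noise, so the alarm is raised three epochs after the drag starts. The non-frequency-lock run produces no alarm, which is why that mode has to be caught by amplitude fluctuation instead.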
The induction process of induced spoofing can be illustrated by the auto-correlation function (ACF) model of the authentic and spoofing signals. Depending on the method of code phase alignment, induced spoofing can be classified as synchronous or asynchronous. Figure 1 shows the induction processes of the two methods.
The green dot marks indicate the code phase discrimination result, that is, the tracking point of the receiver. As the correlation peak of the spoofing signal moves, the tracking point of the receiver shifts gradually and finally transfers completely to the spoofing signal. From then on, the tracking loop is controlled by the induced spoofing.
As shown in Figure 1a, synchronous induced spoofing has two phases:
(1) T0–T1: alignment phase, and
(2) T2: drag-off phase.
In the alignment phase, at T0, the power of the spoofing signal is lower than that of the authentic signal when it is injected, but its code phase and carrier frequency are synchronised with those of the authentic signal. Then, in T1, the power of the spoofing signal increases gradually until it exceeds that of the authentic signal. With this power advantage, the tracking loop comes under the control of the spoofing signal. Subsequently, in T2, the spoofing increases its code rate, which causes the spoofing correlation peak to move away from the authentic correlation peak during the drag-off phase. Thus the tracking point shifts gradually until it has been completely transferred to the spoofing correlation peak at T3.
Synchronous induced spoofing signals can effectively forge the authentic signals, but the precise geographical location and velocity of the target receiver must be known in order to accurately estimate the code phase and carrier Doppler frequency of the authentic signal, which is very difficult in a real spoofing scenario. Therefore, at the beginning, the spoofing generated by the spoofer usually has a certain code phase and Doppler frequency difference from the authentic signal. In this case, the generated spoofing is asynchronous induced spoofing.
As shown in Figure 1b, the strategy of asynchronous induced spoofing is similar to that of synchronous induced spoofing, and the whole induction process includes three phases:
In T0', the spoofing initially has some code phase difference from the authentic signal. The spoofing signal then continuously adjusts its code phase so that its correlation peak gradually approaches that of the authentic signal until they are aligned. The subsequent process is the same as for synchronous induced spoofing. In this induction process the spoofer does not know the exact code phase and Doppler frequency of the authentic signals, so it cannot know when it is synchronised with them.
Therefore the spoofing correlation peak must always be higher than the authentic correlation peak, to ensure that the spoofing signal successfully lifts off the tracking point after alignment.
In short, by adjusting the change rate of the code phase of the spoofing according to a given strategy, the induced spoofing can gradually change the relative code phase difference between the authentic signal and the spoofing.
The induced spoofing can then control the tracking loop of the victim, which eventually leads to wrong position and/or time information at the output. Therefore, the key step of induced spoofing is to gradually change the relative code phase difference between the authentic signal and the spoofing.
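The induction process of Figure 1 can be reproduced in the correlation domain. The following Python model is an added example and not code from the paper. It assumes ideal triangular C/A-code correlation peaks, a coherent blend with zero carrier phase offset (the frequency-lock case, so amplitudes add), a one-chip early-late delay-lock loop (DLL) that settles where the blended discriminator is zero, and the schedules, amplitude ratios and loop gain given in the code. Delays are in chips and amplitudes are relative to the authentic signal.

```python
"""Correlation-domain model of induced (lift-off) spoofing.

Added example, not code from the paper. The authentic and spoofing
autocorrelation peaks are unit triangles, blended coherently (frequency-lock
mode with zero carrier phase offset assumed), and an early-late DLL is
iterated until it rests on the blended peak. Delays are in chips; amplitudes
are relative to the authentic signal (1.0). Schedules, step sizes and the DLL
gain are assumptions chosen for illustration.
"""


def acf(offset_chips):
    """Ideal C/A-code autocorrelation: unit triangle, zero beyond +/-1 chip."""
    return max(0.0, 1.0 - abs(offset_chips))


def blended_corr(x, spoof_delay, spoof_amp, auth_delay=0.0, auth_amp=1.0):
    """Correlation of a local replica at delay x with authentic + spoofing."""
    return auth_amp * acf(x - auth_delay) + spoof_amp * acf(x - spoof_delay)


def discriminator(x, spoof_delay, spoof_amp, spacing=1.0):
    """Late-minus-early discriminator; the DLL rests where this is zero."""
    late = blended_corr(x + spacing / 2.0, spoof_delay, spoof_amp)
    early = blended_corr(x - spacing / 2.0, spoof_delay, spoof_amp)
    return late - early


def settle(x, spoof_delay, spoof_amp, iters=1000):
    """Iterate the DLL update from tracking point x until it stops moving.

    The gain is scaled by the total amplitude so the loop stays stable for
    any spoofing power (the discriminator slope grows with amplitude).
    """
    gain = 0.3 / (1.0 + spoof_amp)
    for _ in range(iters):
        step = gain * discriminator(x, spoof_delay, spoof_amp)
        x += step
        if abs(step) < 1e-12:
            break
    return x


def run_attack(schedule, x0=0.0):
    """Tracking point after each (spoof_delay, spoof_amp) step of a schedule.

    x0 = 0.0 means the victim starts locked on the authentic peak.
    """
    track, x = [], x0
    for delay, amp in schedule:
        x = settle(x, delay, amp)
        track.append(x)
    return track


def synchronous_schedule(final_amp=1.5, drag_chips=2.0, step=0.05, ramp_steps=20):
    """Figure 1a: T0 inject aligned at low power, T1 ramp power, T2 drag off."""
    start_amp = 0.3
    sched = [(0.0, start_amp)]
    sched += [(0.0, start_amp + (final_amp - start_amp) * k / ramp_steps)
              for k in range(1, ramp_steps + 1)]
    n = int(round(drag_chips / step))
    sched += [(step * k, final_amp) for k in range(1, n + 1)]
    return sched


def asynchronous_schedule(amp=1.5, start_offset=-1.5, drag_chips=2.0,
                          step=0.05, hold_steps=10):
    """Figure 1b: T0' approach from a code-phase offset, T1' hold aligned,
    T2' drag off. The amplitude stays above the authentic signal throughout."""
    n_in = int(round(-start_offset / step))
    sched = [(start_offset + step * k, amp) for k in range(n_in + 1)]  # T0'
    sched += [(0.0, amp)] * hold_steps                                   # T1'
    n_out = int(round(drag_chips / step))
    sched += [(step * k, amp) for k in range(1, n_out + 1)]             # T2'
    return sched


def lifted_off(track, final_delay, tol=0.05):
    """True when the victim's tracking point ended on the spoofing peak."""
    return abs(track[-1] - final_delay) < tol


if __name__ == "__main__":
    cases = [("synchronous, amp 1.5 (+3.5 dB)", synchronous_schedule()),
             ("synchronous, amp 0.5 (-6 dB)", synchronous_schedule(final_amp=0.5)),
             ("asynchronous, amp 1.5 (+3.5 dB)", asynchronous_schedule())]
    for name, sched in cases:
        track = run_attack(sched)
        print(f"{name}: final tracking point {track[-1]:+.3f} chips, "
              f"lift-off={lifted_off(track, sched[-1][0])}")
```

With the spoofing amplitude above the authentic one the tracking point follows the spoofing peak all the way out to two chips in both schedules; in the asynchronous case the loop is captured while the peak is still approaching, which is the reason the text gives for keeping the spoofing peak higher throughout. With the amplitude at 0.5 the tracking point is pulled at most about a quarter chip and then falls back onto the authentic peak once the spoofing peak has moved on, so the lift-off fails.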
On the other hand, it is well known from the principle of satellite navigation that the code phase received by a receiver depends on the transmission time of the satellite signal and on the distance between the satellite and the receiver. Thus signals received by receivers at different locations have different code phases, even for signals from the same satellite with the same transmission time.
Path planning
Suppose there are two receivers. One is called the target receiver, whose received satellite signals simulate the authentic signals received by the victim receiver. The other is called the spoofing receiver, whose received satellite signals simulate the spoofing generated by the spoofer.
When the target and spoofing receivers are located at the same three-dimensional geographical position at the same time, the distances from them to each satellite are equal, that is, Δτi = 0. Similarly, when the target and spoofing receivers are at different three-dimensional geographic locations (within a small area), Δτi will change, and its magnitude cannot exceed the time light takes to cover the receiver separation; approximately it satisfies
where dr is the distance between the target receiver and the spoofing receiver, as
Example of asynchronous induced spoofing to illustrate the path planning algorithm.
The path planning consists of three phases:
(1) As shown in Figure 2a, the target and spoofing receivers move separately along the solid line and the dotted line at different speeds from time t0, and meet at M1 at time t1, which corresponds to T0' of Figure 1b. Then Δτi changes from Δτi > 0 to Δτi = 0.
(2) As shown in Figure 2b, from time t1 to time t2 the two receivers move at the same speed along the same path. This corresponds to T1' of Figure 1b.
(3) After time t2, as shown in Figure 2c, the two receivers begin to move along different paths and the distance between them increases continuously. Thus Δτi changes from Δτi = 0 to Δτi > 0. This corresponds to T2' of Figure 1b.
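The three phases can be generated numerically. The Python model below is an added example and not the paper's code: it moves a target receiver and a spoofing receiver through converge/hold/diverge paths in a local east-north-up metre frame and evaluates the per-satellite code phase difference as the difference of the two geometric ranges divided by the speed of light. The satellite positions, waypoints and timings are constructed for illustration and are not ephemerides.

```python
"""Path-planning model of asynchronous induced spoofing.

Added example, not the paper's code. The 'target' receiver stands in for the
victim's authentic observables, the 'spoofing' receiver for the forged ones.
Delta tau_i is the difference of the two geometric ranges to satellite i
divided by c. Satellite positions, waypoints and timings are constructed in a
local east-north-up metre frame.
"""
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed satellite positions (ENU metres, roughly GPS altitude).
SATS = [(12.0e6, 8.0e6, 18.0e6), (-9.0e6, 14.0e6, 16.0e6),
        (5.0e6, -15.0e6, 17.0e6), (-14.0e6, -6.0e6, 19.0e6)]

# Constructed waypoints: M1 is the meeting point, M2 where the paths part again.
START_TARGET = (0.0, 0.0, 0.0)
START_SPOOF = (300.0, -400.0, 0.0)   # 500 m apart at t0
M1 = (1000.0, 0.0, 0.0)
M2 = (1500.0, 0.0, 0.0)
END_TARGET = (3000.0, 0.0, 0.0)
END_SPOOF = (2400.0, 1200.0, 0.0)
T0, T1, T2, T_END = 0.0, 20.0, 30.0, 60.0   # phase boundaries, seconds


def lerp(p, q, f):
    """Point a fraction f of the way from p to q."""
    return tuple(pi + f * (qi - pi) for pi, qi in zip(p, q))


def positions(t):
    """(target_pos, spoof_pos) at time t following the three-phase plan."""
    if t <= T1:       # phase 1: different paths and speeds, converging on M1
        f = (t - T0) / (T1 - T0)
        return lerp(START_TARGET, M1, f), lerp(START_SPOOF, M1, f)
    if t <= T2:       # phase 2: same path, same speed (aligned)
        f = (t - T1) / (T2 - T1)
        p = lerp(M1, M2, f)
        return p, p
    f = (t - T2) / (T_END - T2)   # phase 3: diverging paths
    return lerp(M2, END_TARGET, f), lerp(M2, END_SPOOF, f)


def code_phase_offsets(target, spoof):
    """Delta tau_i = (range_spoof_i - range_target_i) / c, seconds, per satellite."""
    return [(math.dist(s, spoof) - math.dist(s, target)) / C for s in SATS]


def phase_of(t):
    """Phase number of the plan at time t."""
    return 1 if t < T1 else 2 if t <= T2 else 3


def simulate_plan(dt=1.0):
    """Rows of (t, receiver separation d_r in metres, max |Delta tau_i| in s)."""
    rows = []
    t = T0
    while t <= T_END + 1e-9:
        target, spoof = positions(t)
        d_r = math.dist(target, spoof)
        offsets = code_phase_offsets(target, spoof)
        rows.append((t, d_r, max(abs(o) for o in offsets)))
        t += dt
    return rows


if __name__ == "__main__":
    for t, d_r, mx in simulate_plan(dt=5.0):
        print(f"t={t:5.1f}s phase {phase_of(t)}  d_r={d_r:7.1f} m  "
              f"max|dtau|={mx * 1e6:6.3f} us  bound d_r/c={d_r / C * 1e6:6.3f} us")
```

The separation and the code phase offsets shrink linearly to zero in phase 1, stay exactly zero while the two receivers share the path in phase 2, and grow again in phase 3. Every offset is bounded by d_r/c, which follows from the triangle inequality on the two ranges and is what lets the spoofer keep the forged code phase within a known distance of the authentic one for a given receiver separation.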
The power control of spoofing
The power of the spoofing signal is another crucial factor affecting the success of the inducing process. It is worth noting that higher spoofing power is not always better: for the victim, the intrusion of the spoofing raises the noise floor and degrades the carrier-to-noise ratio, and excessive power will cause the victim to raise an alarm. Nevertheless, if the spoofing power is too low and the spoofing is not synchronised with the authentic signal in carrier phase, the stability of the tracking loop will be affected. Consequently, the spoofing power should be higher than that of the authentic signal, but not too much higher.

FIGURE 2 An example of path planning for the target and spoofing receivers to produce asynchronous induced spoofing. (a) Path from time t0 to time t1 (b) Path from time t0 to time t2 (c) Path from time t0 to the end.
FIGURE 6 Positioning solutions of
authentic, spoofing and mixed signals. (a) Latitude (b) Longitude (c) Height
Non-Intentional Spoofing: Repeaters
Intentional Spoofing, Landing Case (Simulated)
Spoofing detection techniques
The spoofing detection engine has been designed according to the following requirements:
• Capability to monitor spoofing with:
– Power offset between -3 dB and +15 dB. The lower bound is set by the receiver acquisition sensitivity; above the upper bound the spoofing signal can be treated as an interferer.
– Frequency offset related to the maximum relative velocity between the sensor and an aircraft during the approach phase.
– Delay offset linked to the usual distance from the airport at which the approach phase begins.
• Spoofing detection probability of 95% and false alarm probability lower than 10^-4.
• Time to alarm lower than 5 seconds.