Inside GNSS Media & Research

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 57 of 67

58 Inside GNSS S E P T E M B E R / O C T O B E R 2 0 1 8 GPS SPOOFING AND AVIATION A natural start is the simplest, unin- tentional spoofing scenario, where a single data point exists: badly installed or malfunctioning GNSS repeaters. e German Air Navigation Service Provider (DFS) pointed out in the discussion fol- lowing the Hannover incident that cur- rent GPS receivers are dumb: even if they are on an aircra in flight, they will be happy to display a static position when fully locked on to the repeater. But how will the receiver know when its aircra is in f light? A simple solution for this could be the weight-on-wheel switch, used by numerous avionics systems. But introducing a new connection to a GNSS receiver raises new complexities. What if the weight on wheels is out of service? Would this impact the GNSS receiver? With any interface, a dependency is cre- ated. is may lead to inconsistencies in certification levels, if the new external component is not developed to the same rigour. erefore, the preferred solution will always be to detect dynamic state by the receiver itself, before relying on an external interface. Also, all the in- between scenarios where the aircraft receiver is tracking a mix of real satel- lites and the repeater signal need to be considered. So a defense at the range tracking level seems to be preferable over a position domain monitor. On the other hand, maybe some logic can be applied which enforces realistic trajectory evolu- tion, respecting Newton's laws? OK, but then this may involve a considerable computational load. As engineers, we are eager to speculate about many pos- sible solutions. When doing so, it quickly becomes apparent that even a relatively trivial spoofing mitigation function against the most basic threats is far from simple to implement. Following the logic applied in the RFI mitigation plan, the next area to consider is spoofing where aviation is not the intended target. In general, spoofing is an intentional act, since knowledge of the victim receiver char- acteristics and functions is required to design the attack. Furthermore, it is normally only effective against a single target. erefore, the potential for avia- tion to suffer collateral damage from spoof ing not directed at aviation is minimal. It helps that successful spoof- ing requires insertion of signals at the same power level as GNSS, which means that only a very badly designed spoof- ing attack with inappropriate amounts of power could result in collateral jam- ming. But are there possibilities to carry out spoof ing attacks which impact more than a single target receiver? At extended ranges, differences in propa- gation losses become less significant, possibly creating the opportunity for a multi-receiver impact. While it will not be possible to control multiple receivers by injecting different trajectories from a single source, common errors might be possible. is would more likely cause confusion than sensor outputs leading to an actual threat. While far from a scenario with demonstrated feasibil- ity, one area of concern here could be data spoofing; a denial of service attack leading to a receiver to lock up, need- ing a factory reset. Just like any other product, GNSS receivers are not tested against every conceivable version of non- ICD-compliant signals. For example, the reaction to false ephemeris data is hard to predict. Here more work is needed to see if a spoofing attack could be set up which could disable all receivers transi- tioning through a given area. e next level up would be some sort of meaconing or replay attack where the spoofing signal source is not static, but following some realistic aircra dynam- ics. It is beyond the scope of this article to describe all the various ways in which this could be done other than to say that generating the spoofed reference trajec- tory and transmitting it to the aircra in real time are not easy either. Any sort of attacks at the dynamic range or posi- tion domain done to actually try and misguide the aircra are, luckily, quite challenging. We abandon the ref lec- tion on spoofing scenarios at this point: this topic is quite sensitive, and it is not appropriate to go into full detail in a publicly accessible magazine. Primar- ily, we aim to explain that for a good number of scenarios, a good number of defenses are already in place and expected to be effective. Furthermore, next generation GNSS receiver designs should consider these scenarios and see which additional defenses can be imple- mented. As a minimum, the defenses must be effective against the most com- mon and simple threat, GNSS repeaters and other forms of "simple" spoofing. A variety of options are being studied, ranging from monitoring of AGC, C/ N 0 and clock bias to more sophisticated methods. Just as important as the actual defense mechanisms is the understand- ing of the impact of the various spoof- ing scenarios on actual observables, i.e., how can an aircrew or an internal data recording notice that a spoofing attack is occurring? Authentication as a Possible Spoofing Mitigation? One of t he more advanced defense mechanisms being studied is authenti- cation. For aviation to use authentica- tion features, a number of factors need to be considered. First of all, public key management represents a fundamentally new mechanism that requires addition- al overhead. It is unlikely that it will be worthwhile for aviation to implement a public key infrastructure (PKI) just for GNSS alone. If, however, PKI is imple- mented for many other reasons such as securing communications data links, then by just adding some features for navigation, authentication becomes a lot more palatable. On the GNSS sys- tem side, it is also a lot better if there are many other applications using authen- tication than aviation alone. In general, aviation limits as much as possible to levy unique requirements on GNSS sys- tem providers. But finally, the benefits and implementation complexities need to be considered. On the positive side, authentication is an intrinsic capability, remaining internal to the GNSS receiver, without any new interfaces to other avionics except key loading. As discussed before, one of the main strengths of aviation is the level of diversity and redundancy of systems, leading to a fantastic resilience and integration potential. However, with each more sophisticated integra- tion, system complexity and dependency increase. So finding GNSS-internal solu- tions has some appeal. e next question is on application

Articles in this issue

Links on this page

view archives of Inside GNSS Media & Research - SEP-OCT 2018