Inside GNSS Media & Research

MAY-JUN 2018

Issue link: https://insidegnss.epubxp.com/i/987551


48 Inside GNSS MAY/JUNE 2018 www.insidegnss.com

based on the observation that the low-cost software-defined transceivers support only a single transmit frequency and have insufficient instantaneous bandwidth to synthesize two adjacent GNSS bands. While it is true that these devices, used as intended, are not capable of producing multi-frequency signals, if they are appropriately abused then they can, as is demonstrated here. In this example it is shown that a transceiver can be intentionally misconfigured such that it produces an ensemble of GNSS signals at an "incorrect" frequency, but leaks harmonics into two different GNSS bands (both above and below the transmitted carrier frequency). It is further shown that if the generated signal is sufficiently strong, then these harmonics can be acquired and tracked by a naive GNSS receiver — with the result that the receiver produces a dual-frequency position solution based on signals generated from a single narrowband, single-frequency transmitter.

The authors offer this as a cautionary example, suggesting that we do not underestimate the adversary, and note that if some technical feat has not yet been observed, it does not necessarily imply that it is impossible. It might only illustrate that it has not yet been provoked. Moreover, this principle might be extended beyond signal synthesis, to condition our general assumptions about what is, and what is not, technically feasible. Continuously challenging our assumptions and embracing a "red-team" approach might be necessary to more accurately quantify the risks.

Recent Developments

The spoofing of GNSS signals is a controversial and divisive topic within the satellite navigation community, with points of view on the topic ranging from the belief that spoofing is virtually infeasible, to the belief that it is trivial.
Some hold that the act of spoofing is still only in the domain of state actors due to the extremely high resource requirements necessary to properly execute such an attack, while others assert that entire families of mass-market receivers are vulnerable to the most simplistic of spoofing attacks. Both of these camps can be viewed as correct in light of specific recent events, ranging from ships in the Black Sea reporting that they were parked on the tarmac of a nearby international airport, to smartphones at the ION GNSS+ 2017 conference in Portland adamantly insisting that they had traveled through space and time to visit Europe circa 2014.

Throughout a variety of interesting presentations, authors pointed out a number of signal characteristics that could be used to detect, and therefore mitigate, the low-cost spoofing threat. One popularly held belief is questioned here: that it is technically challenging to create a set of dual-frequency counterfeit GNSS signals having sufficient phase and delay fidelity to be acceptable to a dual-frequency GNSS receiver, and that the cost of doing so is significantly higher than the cost of creating a single-frequency counterfeit signal. By extension, it is held that dual- or multi-frequency GNSS receivers are far less vulnerable to spoofing than single-frequency receivers. This assertion caused the authors to utter a collective "hold my beer and watch this" as we set out to debunk it. Further characteristics listed as red flags, including inconsistent navigation data, anomalous code-carrier divergence, and obvious spectral shaping indicating unexpectedly high received power levels, are discussed critically here in light of the questionable validity of the claim that dual-frequency signal generation is difficult.
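Two of the red flags listed above, unexpectedly high received power and anomalous code-carrier divergence, can be turned into simple receiver-side consistency tests, and the divergence test can additionally be checked for consistency between the two frequencies, since genuine ionospheric delay scales with 1/f² between bands. The Python below is an added example written for this page; it is not code from the article's authors. The GPS L1/L2 centre frequencies are standard values, but the thresholds, the observation format and the two sample tracks are constructed assumptions.

```python
"""Receiver-side checks for two spoofing red flags: unexpectedly high C/N0 and
anomalous code-carrier divergence, the latter also tested for the 1/f^2
scaling a genuine ionospheric delay shows between L1 and L2.
Added example; thresholds and sample data are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

F_L1 = 1575.42e6  # GPS L1 centre frequency [Hz]
F_L2 = 1227.60e6  # GPS L2 centre frequency [Hz]
# Ionospheric group delay scales with 1/f^2, so the L2 delay is GAMMA times the L1 delay.
GAMMA = (F_L1 / F_L2) ** 2

# Thresholds chosen for illustration only (assumptions, not values from the article).
MAX_CN0_DBHZ = 52.0               # open-sky GPS C/N0 above this is suspicious
MAX_CMC_RATE_M_S = 0.05           # largest plausible quiet-ionosphere divergence rate
MAX_DUALFREQ_MISMATCH_M_S = 0.02  # tolerance on s2 - GAMMA * s1


@dataclass
class Epoch:
    t: float      # receiver time [s]
    p1: float     # L1 pseudorange [m]
    phi1: float   # L1 carrier phase converted to metres
    p2: float     # L2 pseudorange [m]
    phi2: float   # L2 carrier phase converted to metres
    cn0: float    # L1 C/N0 [dB-Hz]


def code_minus_carrier(p: float, phi: float) -> float:
    # Geometry and clock terms cancel; what remains is 2*ionosphere + ambiguity + noise.
    return p - phi


def slope(ts: List[float], ys: List[float]) -> float:
    """Least-squares rate of change of ys with respect to ts [units of ys per second]."""
    n = len(ts)
    mt, my = sum(ts) / n, sum(ys) / n
    num = sum((t - mt) * (y - my) for t, y in zip(ts, ys))
    den = sum((t - mt) ** 2 for t in ts)
    return num / den


def divergence_rates(track: List[Epoch]) -> Tuple[float, float]:
    """Code-minus-carrier rate on L1 and on L2 for one satellite's track."""
    ts = [e.t for e in track]
    s1 = slope(ts, [code_minus_carrier(e.p1, e.phi1) for e in track])
    s2 = slope(ts, [code_minus_carrier(e.p2, e.phi2) for e in track])
    return s1, s2


def check_track(track: List[Epoch]) -> List[str]:
    """Return the names of the red flags raised by one satellite's observation track."""
    flags = []
    if max(e.cn0 for e in track) > MAX_CN0_DBHZ:
        flags.append("high_power")
    s1, s2 = divergence_rates(track)
    # The constant carrier ambiguity drops out of the slope, so only the rate is tested.
    if abs(s1) > MAX_CMC_RATE_M_S or abs(s2) > MAX_CMC_RATE_M_S:
        flags.append("code_carrier_divergence")
    # A genuine signal shows the 1/f^2 scaling between the two bands' divergence rates.
    if abs(s2 - GAMMA * s1) > MAX_DUALFREQ_MISMATCH_M_S:
        flags.append("dual_frequency_inconsistent")
    return flags


def make_track(genuine: bool, n_epochs: int = 10) -> List[Epoch]:
    """Constructed sample data. The genuine track follows the ionospheric
    scaling; the other applies one common, fast-growing delay to both bands
    at high power (a hypothetical inconsistent signal, not the article's)."""
    track = []
    for k in range(n_epochs):
        t = float(k)
        rho = 2.0e7 + 300.0 * t           # geometric range plus clock terms [m]
        if genuine:
            i1 = 5.0 + 0.01 * t           # slowly varying L1 ionospheric delay [m]
            i2 = GAMMA * i1
            cn0 = 45.0
        else:
            i1 = 5.0 + 0.1 * t            # implausibly fast divergence
            i2 = i1                       # same delay on both bands: no 1/f^2 scaling
            cn0 = 56.0
        n1, n2 = 1234.5, -987.25          # constant carrier ambiguities [m]
        track.append(Epoch(t, rho + i1, rho - i1 + n1, rho + i2, rho - i2 + n2, cn0))
    return track


if __name__ == "__main__":
    for label, genuine in (("genuine", True), ("inconsistent", False)):
        print(label, check_track(make_track(genuine)))
```

Fitting a rate rather than comparing absolute values is what makes the test usable on carrier phase, whose integer ambiguity is unknown but constant while lock is held. In the spirit of the article, these checks raise the bar for an adversary rather than settle the question: they detect signals that fail the expected physics, not every counterfeit that reproduces it.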
Technological Barrier to Multi-Frequency Signal Generation

In GNSS receiver design, we are very much conditioned to strive for quality and precision, tend to use extremely high quality components, and take great measures to minimize receiver losses. For this reason we might overlook the simple "ugly" shortcuts that might be available to a less fastidious adversary. The adversary is only interested in the minimum passing standard, not the best that can be achieved, so equipment and techniques that might be unthinkable to a receiver engineer might be perfectly acceptable to him.

To explore this idea, it is worth noting that there can be a large difference between: i) what the satellite actually generates, ii) what the receiver expects, iii) what signals and features the receiver actually looks for, iv) what signals the adversary is obliged to generate to satisfy this expectation, and v) what other signals the adversary can get away with producing. Therefore, the adversary can put many things into the spectrum that is observed by the receiver, provided it also includes the expected signal, and provided any extra signals are not obviously anomalous. More importantly, the spoofer can put virtually anything into the spectrum that the receiver does not observe. Under certain circumstances this fact can be exploited.

In this example, we consider a typical type of SDR transceiver that has been used in numerous demonstrations of single-frequency (L1) GNSS spoofing; however, this particular device is very similar to other popular and similarly priced pieces of equipment available. These devices typically have a USB 2.0 or 3.0 interface to the host computer, produce from 20 to 40 megahertz of instantaneous bandwidth, and can modulate a baseband signal to a carrier in the range of approximately 100 megahertz to 6 gigahertz. The challenge was to perform dual-frequency spoofing with such a device.
Conductive tests were performed on a commercial multi-frequency survey-grade receiver, as shown in Figure 2. Without revealing too many details (so as not to encourage misbehavior), what follows is a brief description of the concept. It was noted that if the front-end "reconstruction" filter were disabled or removed from a transmitter, then the signal synthesized at the digital-to-analog converter (DAC) would alias across the entire spectrum. Secondly, it was noted that if the L2 signals were present in the L1 band, they would

MULTI-FREQUENCY SPOOFING
