Inside GNSS Media & Research

MAY-JUN 2018


In terms of the fidelity of the physical layer of counterfeit signals, a number of authors have pointed to excessive code carrier divergence or spectrum abnormalities as being indicative of spoofing. While this might be the case in some crude implementations, in light of the discussion here, it is perhaps naive to assume that once a receiver begins to monitor these features, the adversary will be incapable of adapting.

Obvious spectral deformation due to the use of a high spoofing power level is a parameter that can offer caution to a user in some cases, but may not actually be a wise choice of metric to base a security system on. While it is much easier for an adversary who does not care about collateral disruption to set their transmit power level to an extreme level, a more careful adversary might readily tune to within ±6 dB of a desired power level even on a relatively close and moving target. A crafty adversary could just as easily pre-filter their side-lobes to make their presence less obvious at the cost of a bit more computation and a bit higher code tracking noise in the output, depending on the receiver model.

Additionally, since it is completely reasonable that users might want to make use of their GNSS receivers with simulators or in areas where unintentional RFI may be present, declaring the signal to be compromised based only on spectral bumps might result in an undesirably high false-alarm rate. Systems that make use of 12 megahertz clocks can produce RF spurs at 1572 megahertz, while those that use 24 megahertz clocks may produce one at 1560 megahertz or 1608 megahertz, which have potential aliasing concerns. Considering how prevalent 12 and 24 megahertz oscillators are in modern electronics, we highlight that devices using USB 1.0, 2.0 or 3.0 will likely have at least one of these frequencies present.
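The clock-spur point above can be turned into a triage step for a spectral monitor; the following is an added example, not code from the article or its authors, that checks whether an observed narrowband spur is consistent with a harmonic of a 12 or 24 megahertz clock before it is treated as evidence of spoofing. The sample rate, search band, odd-harmonic restriction, tolerance and all function names are assumptions made for illustration.

```python
# Added example: triage narrowband spurs against local clock harmonics.
# Assumed (not from the article): complex sampling at 16 MHz centred on GPS L1,
# a 1555-1610 MHz band in which the RF filter still passes strong spurs,
# odd harmonics only (ideal square-wave clock), and a 5 kHz match tolerance.
L1_KHZ = 1_575_420                   # GPS L1 centre frequency
FS_KHZ = 16_000                      # assumed complex sample rate
BAND_KHZ = (1_555_000, 1_610_000)    # assumed band of concern
CLOCKS_KHZ = (12_000, 24_000)        # oscillators named in the article


def odd_harmonics(clock_khz, band=BAND_KHZ):
    """Return (n, frequency_khz) for odd harmonics of clock_khz inside band."""
    lo, hi = band
    first = -(-lo // clock_khz)      # ceil(lo / clock_khz) in integer arithmetic
    return [(n, n * clock_khz)
            for n in range(first, hi // clock_khz + 1) if n % 2]


def baseband_offset(rf_khz, fc=L1_KHZ, fs=FS_KHZ):
    """Offset from centre at which rf_khz appears after sampling, aliases folded in."""
    return (rf_khz - fc + fs // 2) % fs - fs // 2


def explain_spur(offset_khz, tol_khz=5):
    """List (clock_khz, n, rf_khz) harmonics that would land on the observed offset."""
    return [(clk, n, rf)
            for clk in CLOCKS_KHZ
            for n, rf in odd_harmonics(clk)
            if abs(baseband_offset(rf) - offset_khz) <= tol_khz]


def triage(spur_offsets_khz):
    """Label each observed spur; a clock match means check local hardware first."""
    return {off: ("clock-harmonic candidate" if explain_spur(off) else "unexplained")
            for off in spur_offsets_khz}


if __name__ == "__main__":
    observed = [-3420, 580, 2000]    # constructed spur offsets in kHz
    for off, label in triage(observed).items():
        print(f"{off:+6d} kHz: {label} {explain_spur(off)}")
```

With these assumed settings the 1560 and 1608 megahertz harmonics both fold to +580 kHz, inside the L1 main lobe, so a spur at that offset cannot by itself separate a nearby 24 megahertz clock from a deliberate transmission.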
Moreover, it is well known that many USB 3.0 devices generate broadband interference in the L-band observable in the vicinity of their connectors. The short summary is that, whether we want it or not, the modern connected world is rich in useful devices that can cause artifacts in the L-band, and declaring a navigation fault or malicious attack whenever one is detected may not be the best way to serve the end users.

Outlook

In summary, while we are glad the threat of spoofing is being discussed, it is worth noting that it is probably dangerous to adopt an industry posture that either exaggerates or minimizes the scope of the threat. It is not the case that we are adopting a new technology (GNSS), and doing so in full knowledge of the calculated risks — rather, we find ourselves having already fully embraced this technology, and only now are the risks coming to light. As users of GNSS receivers — consumer-grade equipment with scientific-grade precision — we are in some sense perfectionists, and so may have trouble identifying the dirty short-cuts that can be taken. It is worth remembering that from the perspective of the adversary, it doesn't have to be pretty, it just has to work. While this article might at first appear to be pessimistic, suggesting that the adversary is boundlessly capable, the authors suggest that to believe the contrary, and to rely on the adversary to sleep through their comms-theory lectures and misconfigure their radio, is also probably not a good idea.

Manufacturers

The transceiver that has been used in numerous demonstrations of single-frequency (L1) GNSS spoofing is the Nuand BladeRF from Nuand LLC, Rochester, N.Y., USA, while similarly priced pieces of equipment available include the HackRF from Great Scott Gadgets, Evergreen, Colorado, USA and the LimeSDR from Lime Microsystems, Surrey, United Kingdom.

Further Reading

LimeSDR: micro/limesdr
BladeRF
HackRF:
GSA: reports/gnss_user_technology_report_webb.pdf
Septentrio: https://www.septentrio.com/insights/gps-spoofing-your-receiver-ready-attack
New America: international-security/future-property-rights/blog/price-precision-dual-frequency/
Black Sea Incident: node/5555
ION GNSS+ Spoofing: http://www.insidegnss.com/node/5661

Authors

James T. Curran received a Ph.D. in electrical engineering from University College Cork, Ireland. Over the past decade he has worked in radio navigation research at the University of Calgary, Canada, the Joint Research Center of the European Commission, Italy, and for the European Space Agency, ESTEC, Netherlands.

Aiden Morrison received his Ph.D. in 2010 from the University of Calgary, where he worked on ionospheric phase scintillation characterization using multi-frequency civil GNSS signals. He works as a research scientist at SINTEF Digital in Trondheim, Norway.

Cillian O'Driscoll received his Ph.D. degree from University College Cork, Ireland. He has worked as a senior research engineer with the PLAN Group at the University of Calgary, as a Grantholder with the European Commission, and as a research support officer at University College Cork, and is currently an independent consultant specializing in GNSS.
