distance decreasing attack in gps final presentation l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Distance-decreasing attack in GPS Final Presentation PowerPoint Presentation
Download Presentation
Distance-decreasing attack in GPS Final Presentation

Loading in 2 Seconds...

play fullscreen
1 / 27

Distance-decreasing attack in GPS Final Presentation - PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on

Distance-decreasing attack in GPS Final Presentation. Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski. Horacio Arze. Security and Cooperation in Wireless Networks. January 2009. Outline. GNSS Threat model Distance-decreasing attack Performance Discussion Conclusion. GLONASS.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Distance-decreasing attack in GPS Final Presentation' - wilmet


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
distance decreasing attack in gps final presentation

Distance-decreasing attack in GPSFinal Presentation

Prof. Jean-Pierre Hubaux

Assistant: Marcin Poturalski

Horacio Arze

Security and Cooperation in Wireless Networks

January 2009

outline
Outline
  • GNSS
  • Threat model
  • Distance-decreasing attack
  • Performance
  • Discussion
  • Conclusion
intro

GLONASS

GLONASS

GPS

GPS

Galileo

Compass

Compass

INTRO

GNSS

Global Navigation Satellite Systems

  • Road toll collection
  • Position-based insurance
  • Air traffic control
  • Resource access control

Galieleo

Security sensitive applications

security in gnss
Security in GNSS
  • Integrity
  • Authentication
  • Privacy

SPOOFING

spoofing
Spoofing

Attack actually implemented by O’Hanlon et al. at Cornell Univ.

Software-defined receiver/spoofer

Cost :1500$

O’ Hanlon, B. et al., January 1 2009, Assessing the Spoofing Threat, GPS World, http://www.gpsworld.com/defense/security-surveillance/assessing-spoofing-threat-3171

solutions
Solutions
  • Signal Authentication through Spread Spectrum Security Codes (SSSC)
  • Signal Authentication through Spreading Code Encryption (SCE)
  • Non cryptographic methods
  • Navigation Message Encryption
  • Navigation Message Authentication
    • Digital signature included in the messages
    • Public/private key pairs for each satellite

O. Pozzobon et al. 2004, Secure Tracking using Trusted GNSS Receivers and Galileo Authentication Services, Journal of Global Positioning Systems, Vol. 3, No. 1-2: 200-207.

G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, InsideGNS.

relay attack
Relay attack

The relay retransmits the messages bit by bit introducing a certain delay for each message of Si

Relay

G.W. Hein and F. Kneissl, September/October 2007, Authenticating GNSS Proofs Against Spoofs, InsideGNS.

mistaken gnss
Mistaken GNSS

Clock Offset Test

Papadimitatos, P., Jovanovic, A., Global Navigation Satellite Systems (GNSS) - Attacks and Countermeasures, in IEEE Military Communications Conference (IEEE MILCOM), p. 1-7

dd attack
DD-attack
  • Distance-decreasing attacks proposed by Clulow et al. in 2006 in the context of distance bounding protocols.
  • Same configuration that the relay attack.
  • “Reduce” the actual propagation delay.

J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore So near and yet so far: Distance-bounding attacks in wireless networks. , In ESAS, 2006.

dd attack11

Trelay

Trelay

TED

bit

TLC

bit

bit

DD-attack

bit

Satellite

Tb

Relay Rx

distance

Relay Tx

GPS

time

early detection

TED

bit

Early detection
  • Know the value of the bit, before the bit is completely transmitted.

Tb

bit

Satellite

Relay Rx

late commit

TLC

bit

bit

Late commit
  • Start transmitting something (e.g. noise)
  • Then, transmit something else so the receiver still decode the bit correctly.

Relay Tx

GPS

dd attack14

bit

Satellite

Tb

Relay Rx

distance

Relay Tx

GPS

time

Trelay

Trelay

TED

bit

TLC

bit

bit

DD-attack
gps modulation l1
GPS Modulation (L1)
  • DSSS Direct-sequence spread spectrum - CDMA
  • Data rate 50 bps
  • Sequence or Spreading code (Pseudorandom)
    • Rate 1.023 MHz, period of 1023 chips
  • BPSK

Bit sequence

Code

CDMA sequence

gps receiver

Demodulation

Antenna

I

IP

IPS

Down-converter

X

X

SIN

P

Q

QP

QPS

A/D

Converter

X

X

Digital

IF

COS

P

Carrier

Replica

Code

Generator

GPS Receiver
ed and lc
ED and LC
  • ED
  • LC
    • First phase: Signal constant during TS but average 0
    • Second phase: Signal corresponding to ED’s result
performance
Performance
  • Metric: BER estimated by theoretical Pe
    • Pe probability of error per bit
  • Parameters
    • C/N0 Carrier-to-noise Density
    • TED
    • Trelay
dd attack19

Trelay

Trelay

TED

bit

TLC

bit

bit

DD-attack

bit

Satellite

Tb

Relay Rx

distance

Relay Tx

GPS

time

performance20
Performance
  • ED
  • Normal Detector
  • LC
dd attack performance
DD-attack performance

TLC = 2ms

TLC = 4ms

TLC = 6ms

TLC = 8ms

TLC = 10ms

TLC = 12ms

TLC = 14ms

TLC = 16ms

TLC = 18ms

discussion
Discussion
  • Feasibility
    • O’Hanlon et al. device is a perfect platform for DD-Attack
    • By increasing the Tx power of the relay, we can achieve any performance.
    • Trelay = 1ms => already 300Km in range error.
    • Performance increased by bit prediction
discussion26
Discussion
  • Countermeasures
    • Non cryptographic countermeasures

Inertial Tests, Doppler Shift, Angle of arrival

    • Clock Offset Test non effective!
    • Analysis of the samples at the receiver
      • To be further developed
conclusion
Conclusion
  • Distance-decreasing attack is feasible in GPS L1 carrier.
  • A considerable error in position estimation can be introduced by with practically no lose of performance.
  • DD-attacks are specific to coding and modulation scheme. Analysis for other signals to be done (e.g. GPS L2 and L5, Galileo L5).
  • Designers of security sensitive devices must be warned about these kind of attacks.