Upload
others
View
18
Download
0
Embed Size (px)
Citation preview
© Logan Scott / LS Consulting 1 14 November 2012
!"#$%&'"(()*+
#,$-!.'",/
!! !"#$%&#'()#*%+#,-#.)#/&%#01(2-3#(4#5)2-#67-)#*%+89-#
:%4#;)<&7-9-#(4#;11#
!! !"#$%&'#(&)*$!"#+,'#$-./.$
!! ;"#/7-#=)4-9)-4##
!! 0&*,1*$2#'3$#,4$+54$6+4$-.78$
14 November 2012 © Logan Scott / LS Consulting 2
01(2-3#(4#5)2-#67-)#*%+89-#
5947%>%)(1#?-@-)3-#=)#?-A47"#B%2(4.%)#=3#0(94#%@#=C-)4.4<#
14 November 2012 © Logan Scott / LS Consulting 3
!! ;)4.3A%%@#D#09%%@#%@#B%2(4.%)#!! $%&#?%#=#E)%&#=FG#67-9-#=#/7.)H#=#;GI#!! ;)4.3A%%@#
!! $%&#?%#=#09%J-#4%#*%+#67-9-#=#;GI#!! 09%%@#%@#B%2(4.%)#
!! B%2(4.%)K/.G-#L.>)(4+9-#M1-G-)43#'()#=)21+C-"#!! '9<A4%>9(A7.2#N0L#OP#L.>)(1#L49+24+9-3#
!! 5J-91(AA.)>#L<34-G3"#N:LLQ#6.P.Q#-RB%9()Q#'(G-9(Q#=MMM#0STUU#/.G.)>#L4()C(9CQ#-42V#
!! B%2(4.%)#09%%@3#L7%+1C#,-#MA7-G-9(1#!! :--C#/.G-#MWA.9<Q#*%+#'%+1C#$(J-#X%J-C#
14 November 2012 © Logan Scott / LS Consulting 4 4
!! 67(4#&(3#47-#X%4.J(4.%)I#
! 09()H#
! LG+>>1.)>#
! ?.J-93.%)#
!! YZ[[Q[[[#A-9#
=)2.C-)4#
14 November 2012 © Logan Scott / LS Consulting 5
http://edition.cnn.com/2012/06/20/travel/yacht-sos-hoax
!! L4.)>-93#@%9#L<9.()#O-\-13I#
!! B%2(4.%)#O-349.24-CI#
!! /.G-#O-349.24-CI#
!! X%9-#N-)-9(11<Q#B%2(4.%)#
?-A-)C()4#PXL#'(A(\.1.4<#
!! O(C(9#N+.C()2-#X%C-3#
!! L-)3%9#'(A(\.1.4.-3#
14 November 2012 © Logan Scott / LS Consulting 6
!! LG(94#07%)-K/(\1-4#L-2+9.4<#'7(11-)>-3#;AA1<#4%#,%47#'.J.1#]#X.1.4(9<#^3-93#
!! '%GG-92.(1#L%@4&(9-#]#$(9C&(9-#
!! '%+)[email protected]#0(943#K#L+AA1<#'7(.)#=)_-24.%)#
!! P.9G&(9-#]#L%@4&(9-#^AC(4-3#
!! ^)3-2+9-C#=)@9(349+24+9-#]#$(9C&(9-#
!! :--C#4%#L-2+9-#X.11.%)3#%@#^3-93#
!! ;22.C-)43#6.11#$(AA-)#
14 November 2012 © Logan Scott / LS Consulting 7
DP Analysis
!! ;#LG(94#?-J.2-#'()#;22-33K$%1C#;#N9-(4#?-(1#%@#=)@%9G(4.%)#!! ?-4(.1-C#,(3-#X(A3#;22-33.\1-#5)1<#67-)#5:#,(3-#!! =)4-11.>-)2-#%9#X.33.%)#?(4(#;22-33.\1-#5)1<#67-)#O-1-J()4#/%#
'+99-)4#B%2(4.%)#!! =)4-11-24+(1#09%A-94<#;22-33#&.47#B%2(4.%)K/.G-#O-349.24.%)3#
!! B%2(4.%)#=3#0(94#%@#:L;#L-2+9.4<#0(9(C.>G3#!! `=4#.3#()#.GA%94()4#()C#J(1+(\1-#2(A(\.1.4<#4%#49(2H#47-#>-%R
1%2(4.%)#%@#G%\.1-#C-J.2-3#VVV#L+27#49(2H.)>#2()#7-1A#1%2(4-#1%34#%9#34%1-)#C-J.2-3#()C#2()#\-#+3-C#(3#A(94#%@#47-#(+47%9.a(4.%)#C-2.3.%)#A9%2-33#b47-9-#G(<#\-#C.c-9-)4#(22-33#9+1-3#C-A-)C.)>#%)#&7-47-9#+3-9#.3#.)3.C-#%9#%+43.C-#(#>.J-)#@(2.1.4<#%9#2%+)49<dVe#:L;Q#X%\.1.4<#'(A(\.1.4<#0(2H(>-Q#X(927#fg#f[SfQ#L-2+9-#h%=0#h-93.%)#SVf#
14 November 2012 © Logan Scott / LS Consulting 8
=)4-11.>-)2-#%9#X.33.%)#?(4(#;22-33.\1-#5)1<#67-)#O-1-J()4#/%#
0%1"2,$(-"%/3,4$2#"5/6$7&/
14 November 2012 © Logan Scott / LS Consulting 9
MCBH
Map View When OFF Base Map View When ON Base
"! '1%+C#L%+92-C#L-9J-93#X.>74#09%J.C-#N-%i14-9-C#/(24.2(1#^AC(4-3Q#X(A3Q#()C#=G(>-9<#
!! N-)V#E-.47#;1-W()C-9#b:L;#27.-@d#9-2-)41<#C-329.\-C#47-#1%33#%@#.)C+349.(1#.)@%9G(4.%)#
()C#.)4-11-24+(1#A9%A-94<#479%+>7#2<\-9#-3A.%)(>-#(3#j47-#>9-(4-34#49()3@-9#%@#&-(147#
.)#7.34%9<V`#
!! M34.G(4-C#h(1+-#kYT[[#\.11.%)#^L?#
14 November 2012 © Logan Scott / LS Consulting 10
American Enterprise Institute event 9 July 2012, Cybersecurity and American power video at http://www.aei.org/events/2012/07/09/cybersecurity-and-american-power/
!! 67-9-#?.C#47(4#lP.1-Q#'%GG()CQ#O-A%94Q#O-m+-34Q#
0(94n#'%G-#P9%GI#
!! :--C#4%#N-%@-)2-#L-)3.4.J-#?(4(#
!! B%2(4.%)#O-349.24#=)4-9)-4#P(2.)>#='LKL';?;#'%GG()C#]#'%)49%1#^3.)>#N-%i14-9.)>#
!! MRX(.1#()4.#LA-(9A7.37.)>#
!! h-9.@<#;.929(@4#B%2(4.%)#O-A%94.)>#
!! X()<Q#X()<#547-9#^3-#'(3-3#
© Logan Scott / LS Consulting
B%2(4.%)#O-349.24#=)4-9)-4#P(2.)>#='LKL';?;#'%GG()C#]#
Secured 5,000 HP Generator Self Destructing
Securely Under Remote Control
14 November 2012 11
!! LA-2.(14<#L-(927#
M)>.)-3#4%#P.)C#='LK
L';?;#?-J.2-3#
! 744A"KK
&&&V37%C()7mV2%GK#
! 744A"KK-9.AAV2%GK
14 November 2012 © Logan Scott / LS Consulting 12 © Logan Scott / LS Consulting 12
!! =)#47-#-<-3#%@#
^VLV#C-@-)3-#
3-29-4(9<#B-%)#0()-44(Q#.4#&(3#
`A9%\(\1<#47-#
G%34#C-349+24.J-#
(44(2H#47(4#47-#
A9.J(4-#3-24%9#7(3#3--)#4%#
C(4-Ve#
14 November 2012 © Logan Scott / LS Consulting 13 © Logan Scott / LS Consulting 13
!! `;)#(>>9-33%9#)(4.%)#%9#-W49-G.34#>9%+A#2%+1C#+3-#47-3-#H.)C3#%@#2<\-9#4%%13#4%#>(.)#2%)49%1#%@#29.4.2(1#3&.427-3Qe##
!! `/7-<#2%+1C#C-9(.1#A(33-)>-9#49(.)3Q#%9#-J-)#G%9-#C()>-9%+3Q#C-9(.1#A(33-)>-9#49(.)3#1%(C-C#&.47#1-47(1#27-G.2(13V#/7-<#2%+1C#2%)4(G.)(4-#47-#&(4-9#3+AA1<#.)#G(_%9#2.4.-3Q#%9#37+4#C%&)#47-#A%&-9#>9.C#(29%33#1(9>-#A(943#%@#47-#2%+)49<Ve#
14 November 2012 © Logan Scott / LS Consulting 14
14 November 2012 © Logan Scott / LS Consulting 15
techtripper.com/worlds-first-3d-printed-racing-car-can-pace-at-140-kmh/
Printed Body with Sharkskin Pattern and Advanced Air Intake Baffles
Printed Upper & Lower Receiver
Printed Upper & Lower Printed Upper & Lower Receiver
Direct Metal Laser Sintering to additively manufacture fully dense metal parts
89:/;<=/>:':-?:2/
0&/@A&(/B%:/
<"-%(/"1/C(($'D/-%/C/E"%#/
F9$-%G/
14 November 2012 © Logan Scott / LS Consulting 16 © Logan Scott / LS Consulting 16
“It worked as promised, but it made my GPS go
haywire” One
NO RF EXPERTISE
REQUIRED
!! 9:*$,1,+5;$:2<$+*=$2>?$(#&@#=$A1'#$,"+*$.8;BBB$61C*,#'3#&,$2&(61$*#,D1'E$61AF1*#*,($+*=$5+G#5(H#?5o#09-33#O-1-(3-#
14 November 2012 © Logan Scott / LS Consulting 17
Source: <http://www.usedcisco.com/press-my-esm_used_cisco_identifying_fake_chisco.aspx> Source: <http://www.usedcisco.com/press-my-esm_used_cisco_identifying_fake_chisco.aspx>
61AF1*#*,($+*=$5+G#5(H
"! 89:/=,$2(/<9"%:/0&/
@A&(/B%:/<"-%(/"1/
C(($'D/-%/C/E"%#/F9$-%G/
=11+G.)(4.)>#47-#'%)2-A4#
14 November 2012 © Logan Scott / LS Consulting 18
* But a Not So Good Navigation System
!! M)29<A4#LA9-(C#LA-249+G#:(J.>(4.%)#L.>)(13#
!! M)29<A4#LA9-(C.)>#L-m+-)2-Q#'7()>.)>#47-#E-<#5)2-#MJ-9<#T#X.)+4-3#
!! 5)1<#'%)49%1#L->G-)4#]#LA(2-#L->G-)4#$%1C#O-(1R4.G-#E-<3Q#:5/#/$M#^LMO#M!^=0XM:/#
!! O-1-(3-#E-<3#4%#/7-#0+\1.2#T#G.)+4-3#1(4-9#
!! /7.3#.3#:%4#47-#L(G-#(3#'+99-)4#N-)-9(4.%)#X.1.4(9<#L.>)(13#67-9-#E-<3#;9-#O-1-(3-C#;A9.%9.#()C#$(J-#4%#,-#$-1C#.)#/(GA-9#O-3.34()4Q#L-2+9-#L4%9(>-#
14 November 2012 © Logan Scott / LS Consulting 19
!! LA9-(C#LA-249+G#L.>)(13#;9-#$.CC-)#,-1%/-#:%.3-#()C#
(9-#$(9C#4%#P%9>-#6.47%+4#E-<3#
!! '()#L-)C#O(&#;K?#3(GA1-3#4%#%47-9#B%2(4.%)3#,-@%9-#E-<3#
;9-#O-1-(3-C#b`!&A#$I$J16+,&1*$K&)*+,C'#Hd#
! '%GG+).2(4.%)3#B.)H3#'()F4#P%9>-#B%2(4.%)#L.>)(4+9-#
!! 5)2-#E-<3#(9-#O-1-(3-CQ#L%@4&(9-#M)4.4.-3#2()#'%GA+4-#L-)C-9F3#B%2(4.%)#()C#/.G-#
!! L-2+9-#E-<#L4%9(>-#=3#:%4#:--C-C#=)#47-#^3-9#L->G-)4#
!! =4#=3#^3(\1-#=)#B-33#L-2+9-C#M)J.9%)G-)43#
14 November 2012 © Logan Scott / LS Consulting 20
!! ^3-9#L->G-)4#'()F4#?%#;)<47.)>#&.47#47-#L.>)(1#MW2-A4#L4%9-#=4#%9#L-)C#=4#M13-&7-9-#
^)4.1#/7-#E-<3#;9-#O-1-(3-C#
!! :(J.>(4.%)#L%1+4.%)3#$(J-#+A#4%#(#T#G.)+4-#?-1(<#
14 November 2012 © Logan Scott / LS Consulting 21
09(24.2(\1-#;)4.#LA%%@#]#09%%@#%@#B%2(4.%)#
14 November 2012 © Logan Scott / LS Consulting 22
!! X%C-9).a-C#L.>)(13#$(J-#/&%#'7())-13#
!! 0.1%4#'7())-1#b/9(2H.)>Q#^)(c-24-Cd#
!! X%C.i-C#?(4(#'7())-1#b[Vp#C,#L:O#B%33d#
!! '9<A4%>9(A7.2#6(4-9G(9H.)>#6.47#LA9-(C#LA-249+G#L-2+9.4<#'%C-#bLLL'd##
!! T[#\A3#?(4(#&.47#'9<A4%>9(A7.2#?(4(#L.>).)>#
14 November 2012 © Logan Scott / LS Consulting 23
!! ===F/8-,:/H"7/<$((:2%/0&/C!&"/I:(:2,-%:J/KL/=::J/M$!A:/!! NOP/===F/=A4&(-(A(-"%/1"2/ENFI/I$($/F9$%%:!/C(/N.OQ*/6'9-7R&:'"%J/<S/F"J:/>$(:/
© Logan Scott / LS Consulting 24
Watermark Generating Key
Cipher Stream Generator
Spread Spectrum Security Code
(SSSC) &
Time Hopping (TH) Pattern
Seed Value
Normal L1CDi Signal Flow per IS-GPS-800
10 msec
10% Duty Factor Time Hopped SSSC
Normal L1CDi Signal Flow per IS-GPS-800
10 msec
14 November 2012
Normal L1CNormal L1CNormal L1CNormal L1CDiIS-GPS-800
Signal Flow per IS-GPS-800
Signal Flow per IS-GPS-800
Signal Flow per IS-GPS-800
Signal Flow per Signal Flow per Normal L1CNormal L1CNormal L1CNormal L1CNormal L1CDiIS-GPS-800
Signal Flow per IS-GPS-800
Signal Flow per IS-GPS-800
Signal Flow per Signal Flow per Signal Flow per
Type 2 Format
!! ;11#'(3-3#!! SVT#\.4#;?'Q#0fqr[s#
!! rVT#X$a#0(33\()C#
!! S[[#G3-2#,1%2H3.a-#
14 November 2012 © Logan Scott / LS Consulting 25
Tx:L1CD Rx:L1CD
Tx:L1CD with 10% SSSC Rx:L1CD
Tx:L1CD with 10% SSSC Rx:SSSC Down 10 dB
Need Cipher Seed Unmodified Signal
14 November 2012 © Logan Scott / LS Consulting 26
Pcorrect=1 (Have the Key)
Pcorrect=0.9 (19 dBiC Spoof Gain)
Pcorrect=0.8 (16 dBiC Spoof Gain)
"! ;11#'(3-3#
"! SVT#\.4#;?'Q#0fqr[s#
"! rVT#X$a#0(33\()C#
"! S[[#G3-2#,1%2H3.a-#
Peak SNR =0 dB wrt Expected Value
Peak SNR =-2 dB wrt Expected Value
Peak SNR =-6 dB wrt Expected Value
!! E"'$(-"%/=-#%$(A2:/-&/TN)O/U4L(://VS",-%$!W/
!! I-?:2&:/82A&(/6"J:!&/C2:/<"&&-4!:/
© Logan Scott / LS Consulting
RF Front End & Downconversion A/D
Communi-cations
Interface
Secure Server(s) •!Ephemeris / Symbol Stream •!Watermark Generating Keys
•!5 minutes/SV
GPS Receiver
Or Control Segment
Location Signature Stream Is Sent Before
Watermark Keys Are Published
Authenticatable GPS Signals
"! E"'$(-"%/CA(9:%(-'$(-"%/B4X:'(/
"! S"/>Y/S::J:J/
"! F$%/K:/C!!/=RZ/
"! [/"2/)/=M/&"!A(-"%/
"! E"'$!5/>:,"(:5/"2/F!"AJ/K$&:J/
Local GPS Receiver (Optional in Some Cases)
TGHU 307703 0 22G1
Extend ICD-GPS-870?
14 November 2012 27
N.! F"!!:'(/<2:'"22:!$(-"%/CRI/=$,7!:&/!! Y"2/E"'$(-"%/<2""15/6A&(/=:%J/("/Q%J/<$2(L/K:1"2:/;:%:2$(-%#/U:L/0&/>:!:$&:J/
Q.! Z$(:2,$2D/;:%:2$(-%#/U:L/K:'",:&/C?$-!$4!:/VA7/("/)/,-%A(:&/!$(:2W/
*.! ;:%:2$(:/=72:$J/=7:'(2A,/=:'A2-(L/F"J:/V===FW/>:1:2:%':/=-#%$!/$%J/I:&72:$J/<2:?-"A&!L/F"!!:'(:J/CRI/=$,7!:&/
[.! 01/I"%\(/I:(:'(/=:'A2-(L/=72:$J-%#/F"J:/$(/F"22:'(/<"]:2/E:?:!/^/F"J:/<9$&:5/I"%\(/M$!-J$(:/=-#%$!/
). ! 01/=::/F2"&&/8$!D/8:2,&5/I"%\(/M$!-J$(:/=-#%$!/
© Logan Scott / LS Consulting 28 14 November 2012
© Logan Scott / LS Consulting 29
User Segment
Time
Frame 1 Frame 2
Signing Algorithm (Could also be Public)
Private Key (Known Only to CS & SS)
Frame N (Signature in Subframe 3, Page 8
Or Spares)
Authentication Algorithm
Authentication Flag
Public Key (Known to Everyone)
Digital Signature
Space Segment
14 November 2012
User Segment
Use As SSSC Watermark Key
=-#%$!/
6-%-,A,/=7""1:2/
C%(:%%$/;$-%_/
C&&"'-$(:J/
C%(:%%$/I-$,:(:2/
C&&"'-$(:J/Q`&-J:J/
*JK/K:$,]-J(9/
ENFI/
EQF6/E)0/
EN/=ZCC=/
QN/JK-F/
QN/JK-F/Qa/JK-F/
Qa/JK-F/
Qab/
*[b/a*b/
[cb/
Nd/J:#2::&/
Nd/J:#2::&/NO/J:#2::&/
NO/J:#2::&/
© Logan Scott / LS Consulting 30
† Gain Required for Spoofer to Read True SSSC and Generate False SSSC Bursts
With Correlation within 1 dB of True SSSC Bursts
14 November 2012
!! X.).G+G#LA%%@-9#
?-1(<##
!! ?-4-9G.)-C#,<#Lh#&.47#X(W.G+G#,-)4#0.A-#
0(47#B-)>47#J3V#?.9-24#
0(47#B-)>47#
!! N-%G-49<#?-A-)C()4#
14 November 2012 © Logan Scott / LS Consulting 31
Target GPS
Spoofer or
Forger
Bent Pipe
SVi SVk
<2"e-,-(L/0&/0,7"2($%(G/
14 November 2012 © Logan Scott / LS Consulting 32
+
«
"! B%2(1#B%2(4.%)#;+47-)4.2(4.%)#5\_-24#"! /(GA-9#O-3.34()2-#
"! /0X#'(A(\.1.4<#"! /.G-#E--A.)>#]#/.G-#L4(GA.)>#"! '%GA+4.)>#M)>.)-#
+ : Even Better
"! O-G%4-#B%2(4.%)#
;+47-)4.2(4.%)#5\_-24#
Small Sequestration
Delay
!! P(34#E-<3#O-1-(3-C#6.47#f#L-2%)C#O-)-&(1#O(4-#!! 5\4(.)-C#J.(#=)4-9)-4#5:B*#b='?RN0LRUt[I#()C#547-93d#
!! 09%J.C-3#B%&#B(4-)2<Q#L7%94#?+9(4.%)#09%%@3#%@#B%2(4.%)#&.47#P(34#^AC(4-#O(4-#
!! ;.929(@4Q#^;h3Q#/.G.)>#
!! L1%&#E-<3#O-1-(3-C#6.47#T#X.)+4-#O-)-&(1#O(4-#!! E-<3#/9()3G.44-C#,<#L(4-11.4-#
!! L+AA%943#;+4%)%G%+3#'7-2H.)>#&.47%+4#L-A(9(4-#'%GG+).2(4.%)3#'7())-1#
© Logan Scott / LS Consulting 33
Normal L1CDi Signal Flow per IS-GPS-800
10 msec
5% Fast Key / 5% Slow Key Duty Factor Time Hopped SSSC
Normal L1CDi Signal Flow per IS-GPS-800
10 msec
14 November 2012
Type 3 Format
14 November 2012 © Logan Scott / LS Consulting 34
+
«
"! B%2(1#B%2(4.%)#
;+47-)4.2(4.%)#5\_-24#
"
Location Spoofer is Not Necessarily RF, It May Be a Cyber Entity
+ : Even Better
"! O-G%4-#B%2(4.%)#
;+47-)4.2(4.%)#5\_-24#
Aircraft Location
Signature
Command & Control Location
Signature
=L&(:,/ F-?-!/CA(9:%(-'$(-"%/=($(A&/
:`E"2$%/ ?-G%)349(4-C#'(A(\.1.4<#b/MLB;#09%4%2%1dQ#
6(4-9G(9H-C#00X#G(<#\-#A%33.\1-#@%9#09%%@#%@#B%2(4.%)#
;$!-!:"/V3fW/ '%GG-92.(1#L-9J.2-3#bMgd#]#L(@-4<#%@#B.@-#bMT\d#&.11#$(J-#L.>)(1#
;+47-)4.2(4.%)#]#0%33.\1<#09%%@#%@#B%2(4.%)#
F",7$&&/V<>FW/ *-3Q#III#
;!"%$&&/V>A&&-$%W/ ^)H)%&)Q#:%4#0(94#%@#'+99-)4#'(A(\.1.4<#L-4#\+4#'?X;#J-93.%)3#
&%+1C#A9-3-)4#G%C-9).a(4.%)#%AA%94+).4<##
;<=/Vf=W/ '+99-)41<#:%4#0(94#%@#01())-C#'(A(\.1.4<#L-4Q#0%33.\1-#@%9##
`:.\\1-3e#L(4-11.4-3#
14 November 2012 35 © Logan Scott / LS Consulting
!! /7-<#;9-#(#?.>.4(1#'%GA%)-)43#bP0N;Id#
!! '%C-#N-)-9(4.%)#=43-1@#=3#:%4#;11#47(4#/.G-#'9.4.2(1#
!! /7-#5+4A+4#B(427#=3#67(4#=3#/.G-#'9.4.2(1#
!! '()#L&.427#5PP#6(4-9G(9H#=)3-94.%)#
14 November 2012 © Logan Scott / LS Consulting 36
Code Generator
Output Latch
Code Clock
To Transmitter Modulation
Chip needs to be ready “sometime” before latch clock
!! !"#!$#!%&'(")*"#!! <M8/0&/$/F2-(-'$!/^/B1(:%/H-JJ:%/3!:,:%(/"1/F-?-!/0%12$&(2A'(A2:/
!! 892:$(/=A21$':/0&/3e7$%J-%#/^/f&:2/F",,A%-(L/-&/E$2#:!L/f%$]$2:&/!! g<2""1/"1/E"'$(-"%/^/8-,:b/F$7$4-!-(L/0&/C%/f%,:(/S::J/
!! ;<=/,$L/4:/E"'D:J/"A(/"1/0%(:2%$(-"%$!/6$2D:(&/
!! !"#!$#+'),-.#!! <U0/C772"$'9/I":&/SB8/>:hA-2:/f&:2/3hA-7,:%(/("/H"!J/=:'2:(&/
!! 6-%"2/0,7$'(/B%/>:':-?:2&/(9$(/Z$%(/("/CA(9:%(-'$(:/
!! S"/0,7$'(/"%/>:':-?:2&/89$(/I"/S"(/Z$%(/("/CA(9:%(-'$(:/!! =(2"%#/=-#%$!/0%/=7$':/CA(9:%(-'$(-"%/0&/<"&&-4!:/1"2/E)05/EQF65/ENFI/$%J/
EN/ZCC=/
!! /.*.0"#!$#!%%.12)".#!! I"/S"(/S::J/YA!!/F"%&(:!!$(-"%5/3?:%/B%:/=M/F$%/<2"?-J:/=-#%-i'$%(/
E"'$(-"%/C&&A2$%':/;$-%/!! <"&&-4!:/>:?:%A:/=(2:$,/1"2/;<=/
© Logan Scott / LS Consulting 37 14 November 2012
!! <"!-'L/>:'",,:%J$(-"%&/SV! /%&(9C3#(#L%+)C#:(4.%)(1#0%1.2<#@%9#'.J.1#B%2(4.%)#()C#/.G-#;33+9()2-u#0+44.)>#47-#0.-2-3#/%>-47-9Q#=)3.C-N:LL#
X(>(a.)-Q#L-A4-G\-9K524%\-9#f[Sf#
!! F2L7("#2$79-'/=-#%$!/CA(9:%(-'$(-"%/SV! ;)4.RLA%%i)>#]#;+47-)4.2(4-C#L.>)(1#;927.4-24+9-3#@%9#'.J.1#:(J.>(4.%)#L<34-G3Q#=5:#N:LL#f[[Z#
fV! BS'#L7%+1C#=)2%9A%9(4-#'9<A4%>9(A7.2#;+47-)4.2(4.%)#P-(4+9-3Q##X(<#f[[g#'%GG-)43#%)#='?RN0LRU[[#
ZV! '.J.1.()#N0L#L.>)(1#.)#LA(2-#M)7()2-G-)43#@%9#;)4.LA%%i)>#()C#B%2(4.%)#;+47-)4.2(4.%)Q#A9-3-)4-C#(4#o:'#f[SSQ#
fU#o+)-Q#f[SS#
rV! B%2(4.%)#L.>)(4+9-3"#09%J.)>#B%2(4.%)#4%#L-2%)C#0(94.-3#&.47%+4#O-m+.9.)>#/9+34#Sf#o+)-#f[SfQ#o:'#f[Sf#
!! @$,,:2/E"'$(-"%/g@jNNb/SV! opSS"#/7-#'(3-#@%9#P(34#o(GG-9#?-4-24.%)#()C#B%2(4.%)#^3.)>#'9%&C3%+92.)>#;AA9%(27-3Q#A(A-9#A9-3-)4-C#(4#
=5:RN:LLRf[SSQ#L-A4-G\-9#f[RfZQ#f[SS#
!! >:':-?:2/F:2(-i'$(-"%/SV! O-2-.J-9#'-94.i2(4.%)"#X(H.)>#47-#N:LL#M)J.9%)G-)4#$%34.1-#4%#o(GG-93#]#LA%%@-93Q#A9-3-)4-C#:%J#pQ#f[SS#4%#
0:/#Mv'5X#;,V#;J(.1(\1-#(4##744A"KK&&&VA)4V>%JK(CJ.3%9<Kf[SSKSSK32%44VAC@#
fV! B-J-1#S#?9(@4#LA-2.i2(4.%)#A%34-C#(4"##744A"KK1%>()V32%44V7%G-V2%G2(34V)-4Kk1%>()V32%44K#
14 November 2012 © Logan Scott / LS Consulting 38
© Logan Scott / LS Consulting 39 14 November 2012
!! N-)V#b9-4d#X.27(-1#hV#$(<C-)Q#09.)2.A(1Q#/7-#'7-94%c#
N9%+Aw#
!! `0(94#%@#%+9#2<\-9#A%1.2<#A9%\1-G#.3#.43#)-&)-33#()C#%+9#@(G.1.(9#-WA-9.-)2-#.)#A7<3.2(1#3A(2-#C%-3#)%4#-(3.1<#49()3@-9#
4%#2<\-93A(2-V#'(3+(11<#(AA1<.)>#&-11RH)%&)#2%)2-A43#@9%G#
A7<3.2(1#3A(2-#1.H-#C-4-99-)2-Q#&7-9-#(449.\+4.%)#.3#
(33+G-CQ#4%#2<\-93A(2-#&7-9-#(449.\+4.%)#.3#@9-m+-)41<#,"#$
F'1G5#A;$&($+$'#6&F#$31'$3+&5C'#4H$
14 November 2012 © Logan Scott / LS Consulting 40
† Testimony before House Permanent Select Committee on Intelligence, Chairman Mike Rogers (R-Mich), Cyber Threats and Ongoing Efforts to Protect the Nation Oct 4, 2011.
14 November 2012 © Logan Scott / LS Consulting 41
March 23, 2012: Apple Loses $50 Billion
Market Valuation In 5 Minutes
Although we do not believe significant market data delays were the primary factor in causing the events of May 6, our analyses of that day reveal the extent to which the actions of market participants can be influenced by uncertainty about, or delays in, market data. SEC, Findings Regarding the Market Events of May 6, 2010
May 6, 2010
http://kelloggfinance.files.wordpress.com/2010/05/chart_dow_dip2-top1.gif?w=475&h=246
!! :-&3#34%9<#&(3#(24+(11<#g#<-(93#%1CQ#@9%G#f[[fQ#\+4#&(3#4.G-#34(GA-C#(3#2+99-)4#
!! ^;B#C9%AA-C#tgs#@9%G#YSfVZ[#4%#YZ#.)#(#G(44-9#%@#k#Z#G.)+4-3#
14 November 2012 © Logan Scott / LS Consulting 42
Stock Chart from: Berger et al., Rumors in Financial Markets 1 December 2010
14 November 2012 © Logan Scott / LS Consulting 43 14 November 2012 © Logan Scott / LS Consulting
Graphic from: Economist, 4 August 2012
!! M^#-WA-24-C#4%#9-m+.9-#3.>)(1#(+47-)4.2(4.%)#.)#49()3A%94(4.%)#3-24%93V#!! N(1.1-%#'%GG-92.(1#L-9J.2-3#b'Ld#L.>)(1#$(3#;+47-)4.2(4.%)#
P-(4+9-3#
!! ;+47-)4.2(4.%)#E-<3#6.11#\-#`P%9#P--e#!! ?-#@(24%#9-m+.9-G-)4#4%#+3-#N(1.1-%#
!! L-11#;+47-)4.2(4.%)#E-<3#%)#;G(a%)Q#./+)-3#-42V#!! '%GG-92.(1#O-4(.1-93#7(J-#?.349.\+4.%)#'7())-13#.)#01(2-#!! =33+-#.3#%)-#%@#'%GA1.()2-Q#)%4#L-2+9.4<#!! =@#S[s#%@#+3-9F3#27-(4u#47(4#G-()3#p[s#A(.C#
!! /7-9-#=3#;13%#;)%47-9#'%)49%1#L->G-)4#,+3.)-33#=)#B%&#B(4-)2<#B%2(4.%)#;+47-)4.2(4.%)#
14 November 2012 © Logan Scott / LS Consulting 44
!! ===F/F$%/C!&"/H$?:/F2L7("/F"%(2"!!:J/<9$&:/F",7"%:%(/
!! F$%/8-,:/6A!(-7!:e/8L7:/N/R/8L7:/Q/KA2&(-%#/
14 November 2012 © Logan Scott / LS Consulting 45
Cipher Stream Generator
L1CD Code Generator
Select
PN Code Clock
Timing Time Hop Selection
Cipher Stream
IS-GPS-800 Stream
100 sps Data Symbols
BPSK -> BOC Squarewave
Cipher Seed
The SSSC Code
;V! '()#L-1-24#0(47#&.47#X.).G+G#L-m+-349(4.%)#?-1(<#
,V! '()#,%+)C#/(9>-4#O-2-.J-9F3#B%2(4.%)#,(3-C#%)#O-1(4.J-#L-m+-349(4.%)#?-1(<3#
!! -V>V#Z#C-1(<3#2()#2%GA+4-#Z?#1%2(4.%)#
14 November 2012 © Logan Scott / LS Consulting 46
Target GPS
Spoofer or
Forger
Bent Pipe
SVi SVk
Authenti-cator “Y”
Authenti-cator “X”
Secure Timing
© Logan Scott / LS Consulting 47 14 November 2012
© Logan Scott / LS Consulting 48 14 November 2012
© Logan Scott / LS Consulting 49 14 November 2012
© Logan Scott / LS Consulting 50
0
5
10
15
20
25
30
35
40
45
50
0
10
20
30
40
50
60
10 12 14 16 18 20 22 24 26 28 30
Circular Aperture Diameter (inches)
Two Sided 3 dB Beamwidth (degrees)
Peak Gain (dBiC)
L1 Antenna Characteristics (80% Aperture Efficiency)
Two Sided 3 dB Beamwidth (Degrees) Aperture Width(inches)
14 November 2012
© Logan Scott / LS Consulting 51
Nominal L1CD C/No with 0dBiC Gain
Towards SV is ~ 40 dB-Hz
14 November 2012
CN0 Estimation Accuracy.xlsx
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
C/N
o Es
timat
ion
Erro
r (dB
wrt
Tru
th)
C/No (dB-Hz)
50.0% High 50.0% Low 90.0% High 90.0% Low 99.0% High 99.0% Low
Coherent Receiver: 1 msec SSSC Burst every 0.010 sec (DF=10.0%) , 0.20 sec Collection Interval