Robust Positioning, Navigation & Timing
John Pottle
3 February 2016 / CIO Forum / Cyprus
Spirent Communications PROPRIETARY AND CONFIDENTIAL
Improving Performance & Robustness
Positioning, Navigation & Timing
Constellations: GLONASS, Galileo, GPS, BeiDou
Military Applications
Mobile Devices
Commercial Air Travel
Automotive
Maritime
Space
Survey
Rail
Critical Infrastructure
Spirent Communications
The Need for Precise Positioning & Timing
Automotive: Low Position Integrity Requirement
The Need for Precise Positioning & Timing
Automotive: Medium Position Integrity Requirement
The Need for Precise Positioning & Timing
Automotive: High Position & Time Integrity Requirement
Connected Vehicles (C2C or V2X)
Autonomous Vehicles
Position and Time in the connected or autonomous car
Key parameters: integrity, accuracy, availability
Sensor fusion: figure of merit for each sensor, algorithm parameters
Standards for co-operative systems
Overview of GNSS Vulnerabilities
How are GNSS threats evolving?
Information Security categories apply to GNSS situation (Source: SANS Institute)
Unstructured Hacker
Structured Hacker
Organised crime/industrial espionage
Insider
Unfunded terrorist group
Funded terrorist group
Nation State
GNSS threat evolution has strong parallels with evolution of Information Security threats (Theunissen, 2014)
Currently no “responsible disclosure” for GNSS threats and vulnerabilities
Likely severity of impact: Low to Very High
GPS Timing Event: 26 January 2016
“On 26 January … the [GPS] Wing … verified users were experiencing GPS timing issues.
… Further investigation revealed an issue in the Global Positioning System ground software which only affected the time on legacy L-band signals.
… This change occurred when the oldest vehicle, SVN 23, was removed from the constellation. While the core navigation systems were working normally, the coordinated universal time timing signal was off by 13 microseconds …”
Earlier event: April 2014: GLONASS system outage: 12 hours
Source: CGSIC e-mail 28 January 2016
“This past summer, multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception. The net effect was various alarms and a loss of GPS input to the ship’s surface search radar, gyro units and Electronic Chart Display & Information System (ECDIS), resulting in no GPS data for position fixing, radar over ground speed inputs, gyro speed input and loss of collision avoidance capabilities on the radar display.”
“These types of events highlight the potential detrimental impact to navigation caused by GPS interference or jamming and the importance in understanding how your vessel’s or facility’s equipment could be impacted by a loss of GPS signal.”
Source: http://www.gps.gov/news/ & http://www.uscg.mil/hq/cg5/cg545/alerts/0116.pdf
Source: Stavog trial, GLA, UK
Availability of hacking tools
“If you are sales personnel and delivery drivers, this GPS tracking jammer is a very popular item for you to take lunch or make a personal stop outside of your territory or route off the radar. We are a GPS jammer factory! We will check the quality before shipped! Best service!”
Google Images “GPS L1”, October 2015
Google Images “GPS L1 L5”, October 2015
How likely is it that GNSS systems could be disrupted?
The Spirent offices in Paignton, UK – Industrial estate in rural location – An ideal location for GPS testing in an unpolluted RF environment……
Real PPD & Jamming Events
GPS / GNSS spoofing
• Intentional Spoofing: The objective of a spoofing attack is to make the receiver compute a false position and time.
[Figure: authentic satellite signals and spoofing signals arriving at a receiver; labels: spoofer position, truth PVT, false PVT]
• Fake Navigation Data
[Figure: authentic satellite signals and a spoofing signal in which a fake GPS message is transmitted; labels: spoofer position, faked navigation message, truth PVT, false PVT or denial of service]
Spoofing
From report by Windward:
Google Global Fishing Watch uses satellite AIS and interactive mapping technology to monitor the AIS transmissions of all vessels (IMO mandate – all ships over 300GT on international voyages)
Windward analysis of AIS data shows that navigational data is being manipulated (or spoofed)
59% increase in GPS manipulations from mid-2013 to mid-2014
Many reasons for a vessel to manipulate its navigational data…..
Image source: Windward
AIS vulnerabilities
From AIS Exposed: Understanding Vulnerabilities and attacks 2.0, Balduzzi et al, Blackhat Asia 2014
Presentation contains details of how AIS could be hacked...
Includes examples of attacks
Fake Man overboard generation
False weather data generation
False Collision warning
Spoofing position
Impersonate Port Authority
Book TDMA slots
GPS Spoofing demonstrated at Hackers’ convention August 2015
Huang and Yang also spoofed a car’s position…. The car is positioned in a car park but its sat-nav shows that it is in the centre of a lake….
First time (known) that non-GPS specialists have spoofed navigation signals successfully
Equipment needed is becoming more accessible
Also needed: open source code, readily available, including for:
• GPS transmitter
• GPS receiver
USRP
bladeRF
HackRF
Action Plan
Multi-Frequency
Multi-Constellation
Multi-Receiver
Improved Antenna Technology
Complementary: Dead Reckoning
Complementary: Alternative Positioning
Improved basic logic
Improved DSP detection
Improved receiver technology
Final thoughts…
GPS / GNSS has unique advantages and will remain as a key component for position, navigation and timing for the foreseeable future
GNSS threats are evolving as internet threats did (only faster)
Data-driven risk assessments
Operation strategy in the presence of threats
Suggest a proactive strategy for Robust Positioning, Navigation & Timing
Good system design can make things much harder for the hacker
Initial mitigation steps are quite achievable and straightforward.
Full protection requires a rigorous system-level approach and thinking.
© Spirent Communications, Inc. All of the company names and/or brand names and/or product names and/or logos referred to in this document, in particular the name “Spirent” and its logo device, are either registered trademarks or trademarks pending registration in accordance with relevant national laws. All rights reserved. Specifications subject to change without notice.
spirent.com
Thank you
• Join the GNSS Vulnerabilities group on LinkedIn to find out more about GNSS jamming and spoofing and join the discussion