Investigating GPS Vulnerability

KEWEI ZHANG

Master’s Degree Project Stockholm, Sweden December 10, 2013

Abstract

The Global Positioning System (GPS) has become nearly mandatory in our daily life, like the Internet. Since its civilian part is free, open and accurate, many applications have made our life more convenient and more effective, such as location-based applications for cell phones and the tracking of bulldozers, shipping containers, etc. GPS is mature and rather accurate, but its security cannot be neglected, since it is used widely around the world. RF interference can be classified as intentional or unintentional. There are many RF sources in our surroundings whose frequency may be close to the GPS frequency; they can affect GPS accuracy or even make it unavailable at times. In this project, I analyze two types of interference: spoofing and jamming. I implement two attacks: a version of the Cicada attack, to check how this specific attack affects GPS, and the distance-decreasing attack, a special type of relay attack (Early Detect (ED) attack and Late Commit (LC) attack). I find (i) that the Cicada attack, as implemented, is essentially equivalent to jamming, and (ii) how to set up the ED/LC attacks so that they succeed (i.e., have low BER).

Acknowledgements

I would like to express my sincere appreciation to my supervisor, Professor Panos Papadimitratos, who offered his great patience, enthusiasm and genius talent during my thesis work. I couldn't imagine having a better advisor and mentor; this thesis couldn't have been finished without his guidance and persistence. A heartfelt thanks goes to my beloved girlfriend, Jia Guo, for all your love, support and encouragement when I was thinking about the algorithms and formulas. And thanks for your delicious food when I was busy working on many nights. Last but not least, I want to give my thanks to my dear father, mother and lovely brother, who are living in China.

Stockholm, 10/10/2013 Kewei Zhang

Table of Contents

1 Introduction
  1.1 GPS Introduction
  1.2 GPS Program History
  1.3 GPS Segments
    1.3.1 Space Segment
    1.3.2 Operational Control Segment
    1.3.3 User Segment
  1.4 Motivation for Research
  1.5 Thesis Organization

2 GPS Signal Characteristics and GPS Receiver
  2.1 GPS Signal Characteristics
    2.1.1 Introduction
    2.1.2 Legacy Signals
    2.1.3 C/A Spreading Code
      2.1.3.1 C/A Code Generation
      2.1.3.2 C/A Code Correlation Properties
    2.1.4 Navigation Data Format
    2.1.5 Modulation for GNSS
  2.2 GPS Receiver
    2.2.1 GPS Receiver Front End
    2.2.2 Acquisition
    2.2.3 Tracking
    2.2.4 Calculation

3 Probing the Vulnerability of GNSS
  3.1 Spoofing Interference
    3.1.1 Spoofing Classification
    3.1.2 Attacking Model
  3.2 Jamming Interference

4 Cicada Attack Simulation and Calculation
  4.1 Cicada Attack Model
    4.1.1 The Attack Characteristics
  4.2 Analytical Calculation
    4.2.1 Acquisition Stage
    4.2.2 Tracking Stage
  4.3 Simulation Result

5 Relaying Attack
  5.1 Introduction to ED and LC Attack
  5.2 Attack Principle
  5.3 Performance Evaluation
    5.3.1 ED Attack
    5.3.2 ED-LC attack
    5.3.3 The Relay Time

6 Conclusion and Future Work
  6.1 Summary
  6.2 Future work

References

List of Figures

1.1 GPS Nominal Constellation [1]
1.2 GPS segments
2.1 C/A Code Generator [9]
2.2 C/A code correlation properties
2.3 Navigation data format
2.4 DSSS Modulation
2.5 GNSS Receiver Front End [13]
2.6 IF signal post processing
2.7 Parallel frequency search acquisition
2.8 Parallel code phase search acquisition
2.9 Carrier tracking loop
2.10 Code tracking loop [2]
2.11 Code correlation for three different replicas
2.12 Three dimensional co-ordinate system [1]
3.1 GPS System with Spoofing attack
3.2 AGC and Spoof vulnerability [26]
4.1 Correlation value when two inputs have the same amplitude
4.2 Correlation value when A_PRN1 = 50 A_PRN10
4.3 Correlation in acquisition stage without Cicada signal
4.4 Correlation in acquisition stage with Cicada signal
4.5 Correlation between the navigation data of satellite 15 and the preamble bits
4.6 Correlation between the navigation data of satellite 22 and the preamble bits
4.7 Navigation plot without Cicada signal
4.8 Navigation plot with Cicada signal
5.1 Overview of a distance-decreasing Relay Attack in GNSS
5.2 Satellite code transmission time
5.3 Early Detection attack: the top curve is the initial signal, the middle curve is the signal received by the attacker receiver, and the bottom curve is the transmitted signal according to the detection decision
5.4 Signal processing at attacker
5.5 Phase detection
5.6 Early Detect attack result
5.7 BER with LC without increasing amplitude; the whole symbol has the same amplitude (SNR), here t_LC = 3/8 · t_chip
5.8 BER with LC with increasing amplitude (SNR); the amplitude of the (t_chip − t_LC) part is 1/(t_LC/t_chip) times the amplitude of the t_LC part, here t_LC = 3/8 · t_chip
5.9 BER for different t_LC; the amplitude (SNR) of the (t_chip − t_LC) part is raised 5 times, t_ED = 50 ns and t_chip = 977.5 ns
5.10 Relay time presented on one symbol

List of Tables

2.1 Minimum Received Signal Power [2]
2.2 C/A code phase assignment [9]
2.3 Types of discriminators for code tracking loop [13]
3.1 Types of RF Interference and Potential Sources [2]
5.1 Parameters in ED attack simulation

Acronyms

AGC Automatic Gain Control
BER Bit Error Rate
BPSK Binary Phase Shift Keying
CAF Cross Ambiguity Function
CDMA Code Division Multiple Access
CW Continuous Wave
DFT Discrete Fourier Transform
DLL Delay Lock Loop
DSSS Direct Sequence Spread Spectrum
ED Early Detect
FFT Fast Fourier Transform
GNSS Global Navigation Satellite System
GPS Global Positioning System
HOW Handover Word
IEE Interference Error Envelope
IF Intermediate Frequency
IFFT Inverse Fast Fourier Transform
IRA Interference Running Average
LC Late Commit
LO Local Oscillator
NCO Numerically Controlled Oscillator
NLOS Non-line-of-sight
PDOP Position Dilution Of Precision
PLL Phase Lock Loop
PPS Precise Positioning Service
PRN Pseudo Random Noise
RHCP Right-Hand Circular Polarized
SNR Signal-to-Noise Ratio
SPS Standard Positioning Service
TLM Telemetry
TOA Time Of Arrival
UWB Ultra-Wide Band

Chapter 1 Introduction

1.1 GPS Introduction

The Global Positioning System (GPS) is becoming increasingly important in our daily life, with applications for GPS far exceeding anyone's expectations, including those of the GPS designers themselves. In simple terms, it is a satellite system of 31 satellites that covers the whole world. These 31 satellites are arranged on 6 orbital planes with 5 or 6 satellites per plane, as in Figure 1.1; GPS guarantees that at least 4 satellites are in radio communication with any point on the planet at any time, which ensures that GPS receivers can acquire precise longitude, latitude and altitude for the functions of navigation, ranging and timing. The system uses Time Of Arrival (TOA) ranging to measure the GPS signal propagation time from the satellites to the GPS receiver. The satellites broadcast ranging codes and navigation data on two frequencies, L1 (1575.42 MHz) and L2 (1227.6 MHz), using Code Division Multiple Access (CDMA). Each satellite has one specific code, and those codes have low cross-correlation. Receivers determine the satellite positions from the navigation data, and the ranging codes give the signal transmission delay from which the satellite-to-receiver range is determined. A three-dimensional location plus the clock correction for a receiver requires 4 TOA satellite-to-receiver measurements.

Figure 1.1 GPS Nominal Constellation [1]

GPS is a dual-use system providing the Standard Positioning Service (SPS) for civilian applications and the Precise Positioning Service (PPS) for military use. The U.S. Department of Defense updated the SPS specification in 2008 to satisfy the requirements of civilian use. The SPS is available to all users in the whole world, but its predictable accuracy is degraded to at least 100 m in the horizontal plane and 156 m in the vertical plane by artificially introducing Selective Availability (SA). The PPS, by contrast, provides a high predictable accuracy of at least 2 m in the horizontal plane and 27.7 m in the vertical plane for military use [2–4].

1.2 GPS Program History

In the early 1970s, the GPS project was developed by the U.S. Department of Defense (DoD) in order to overcome the limitations of previous navigation systems. Before GPS, Transit became operational in 1964, but its positioning accuracy was unsatisfactory and it could not provide altitude information. So the Navy sought to enhance the Transit system to achieve precise positioning and other desired capabilities.

Timation, an earlier navigation system, was therefore proposed by the U.S. Naval Research Laboratory (NRL); this global positioning network program was to consist of 12-18 satellites at 10,000 km altitude. Three experimental satellites were launched in 1967, 1969 and 1974, and an atomic clock timing system was tested in these satellites for the first time, which laid the foundation for the precise positioning of the GPS system.

The U.S. Air Force, however, proposed a satellite positioning system denoted System 621B, in which only one satellite works on a synchronous orbit while the rest run on inclined orbits with a 24 h period. The plan used pseudo-random noise (PRN) modulation for ranging; because of its powerful features, the signal can be detected even when its density is less than 1% of the ambient noise. The pseudo-random code is an important foundation of the success of the GPS system. The Navy planned to provide low-dynamic two-dimensional positioning for ships, whereas the Air Force required high-dynamic services; considering that the systems were too complex, shared the same intent of global positioning and carried a huge cost, in 1973 the U.S. Office of the Secretary of Defense (OSD) established the Defense Navigation Satellite System (DNSS) program to form a single joint-use system. After this, the concept of the GPS system was formed.


1.3 GPS Segments

The GPS system comprises the space segment, the operational control segment and the user equipment segment. Figure 1.2 shows the components of each segment and their functionality. The space segment is the set of satellites in space, which generates ranging codes and data messages for the user equipment segment. The operational control segment tracks, monitors and maintains the satellites in space: it monitors the health of the satellites and their signal integrity, and maintains the satellite orbit configuration. The user equipment segment is the GPS signal receivers, providing the functions of navigation, ranging and timing.

Figure 1.2 GPS segments (space, control and user segments and the data exchanged between them: L1 carrier, ephemeris, almanacs, time pulses, satellite health, time corrections, date and time)

1.3.1 Space Segment

The space segment currently consists of a nominal constellation of 31 operational satellites orbiting on 6 orbital planes [5]. The orbital period of a satellite is around 12 hours (11 hours 58 minutes) [6]. The orbits are nearly circular and inclined at 55° to the equator. The orbital radius (i.e., the nominal distance from the center of mass of the Earth to the satellite) is approximately 26,600 km.


Several generations have been launched since Block I (Feb 1978), which carried the first civilian signal. The second civilian signal, known as L2C, started launching in Sep 2005 with GPS Block IIR(M); in May 2010, Block IIF started launching, broadcasting the operational L5 signal, the third civilian signal, designed to meet the requirements of "safety of life" functions and other high-performance applications; the fourth civilian signal, L1C, is planned to launch in 2015 with GPS Block III to implement interoperability between international satellite navigation systems and GPS.

1.3.2 Operational Control Segment

The operational control segment (OCS) consists of three components: the Master Control Station (MCS), Monitor Stations (MS) and Ground Antennas (GA); the OCS is responsible for the daily commanding, monitoring and controlling of the GPS satellite constellation. Since 2007 the new (2nd generation) OCS contains another element: an alternate MCS [7]. In the 2nd generation OCS, the MCS is sited in Colorado to implement the central OCS functions, providing command and control of the GPS constellation: monitoring satellite health, generating the navigation message, allocating and scheduling resources, synchronizing to the UTM system and maintaining the timing service, and evaluating and reporting GPS system status and performance. There are 16 MSs in the 2nd generation OCS to track the satellites as they exchange information with the MCS: tracking the navigation signal, measuring range and carrier, and collecting atmospheric data. The GAs are responsible for communicating with the satellites for command and control transmissions; there are 12 GAs located throughout the world, which also implement functions such as navigation transmission upload, processor transmission load and collecting SV (space vehicle) telemetry.

1.3.3 User Segment

The user segment (US) refers to GPS signal receiver applications, which are able to determine the user position, calculate the velocity and provide precise time. The US is designed to receive the GPS signal from the satellites and decode the satellite position, the transmission time and the satellite clock to fulfil the designed goal, which involves many technologies: antennas, analogue RF and digital electronics, system engineering, algorithm design, etc. GPS applications are now used everywhere: farm planning, field mapping and crop scouting in agriculture; position determination and route maps for aviation; combination with other sensors to guide a train and prevent collisions; positioning and guiding for vehicles on the road; surveying and mapping even without line of sight.

1.4 Motivation for Research

Although the GPS system provides significant convenience to people's daily life, it faces many different attacks, including intentional and unintentional interference. Its security becomes increasingly important as it is used more widely. In this thesis, two different types of interference/attack are investigated: the spoofing attack and the relaying attack. A lot of research on these types of interference has already been done, and researchers have designed or found related attacks in practice. In this thesis, another attack on the GPS receiver is investigated, inspired by the Cicada attack. Moreover, one special relay attack, the distance-decreasing attack (ED and LC attack), is simulated in order to analyze its impact.

1.5 Thesis Organization

Chapter 2 briefly describes the GPS signal structure, the C/A spreading code and its properties, the navigation message and the modulation format; it introduces the GPS receiver front-end structure and illustrates the post-processing steps: acquisition, tracking and calculation. Chapter 3 illustrates how spoofing and jamming work, and surveys attacks and defenses. Chapter 4 analyzes one specific attack, a variant of the Cicada attack; it simulates the attack process to check how it affects the GPS receiver. Chapter 5 investigates one distance-decreasing attack, the relay attack (Early Detect attack and Late Commit attack); this chapter finds how different parameters (SNR, t_ED and t_LC) affect the performance. Chapter 6 contains conclusions and suggestions for future work.


Chapter 2 GPS Signal Characteristics and GPS Receiver

2.1 GPS Signal Characteristics

2.1.1 Introduction

GPS satellites broadcast RF signals to enable GPS receivers to determine their accurate position and precise timing. GPS signals consist of three components: the ranging code, the navigation message and the carrier wave. The ranging code is used to measure the distance from the satellite to the GPS receiver; the navigation message provides the ephemeris data that can be used to calculate the satellite position, the satellite clock time and the satellite constellation; the ranging code and navigation message are modulated onto the carrier frequency to be broadcast to receivers. At present three carrier frequencies are designed for GPS use: L1 at 1575.42 MHz (10.23 MHz × 154), L2 at 1227.60 MHz (10.23 MHz × 120) and L5 (not described in this thesis) at 1176.45 MHz (10.23 MHz × 115).

2.1.2 Legacy Signals

The GPS satellites transmit two frequency signals named L1 (the primary frequency) and L2 (the secondary frequency). L1 and L2 are Direct Sequence Spread Spectrum (DSSS) modulated by spreading sequences, a unique Pseudo Random Noise (PRN) code for each satellite, and by the navigation message. All satellites transmit on the same two frequencies in a Code Division Multiple Access (CDMA) manner. The L1 carrier is modulated with two PRN codes: the C/A code and the P code. The L2 carrier is modulated with only one code, the P code or Y code; these codes are encrypted so as to be available only for military use, called the Precise Positioning Service (PPS). The C/A code is free for the public, called the Standard Positioning Service (SPS). For the SPS signal, the chip rate of the C/A code is 1.023 × 10^6 chips/s, and it is modulated with navigation data that has a bit rate of 50 bit/s. Each data bit is thus modulated by 20 × 1023 chips, i.e., the 1023-chip Gold code repeated 20 times for one data bit. For the PPS signal, the P code has a chipping rate of 10.23 × 10^6 chips/s, but it will not be discussed further in this thesis. Table 2.1 gives the minimum received signal power of the GPS signals. It is clear that in either case, civilian or military use, the signals have similar minimum received power.

Table 2.1 Minimum Received Signal Power [2]

                                                        L1 C/A code   L1 P code   L2 P code or C/A code
Minimum received power at 3 dB gain linearly
polarized antenna (dBW)                                 -158.5        -161.5      -164.5
Adjustment for unit gain antenna (dB)                   -3.0          -3.0        -3.0
Adjustment for typical RHCP antenna versus
linearly polarized antenna (dB)                         3.4           4.4         4.4
User minimum received power at unity gain
RHCP antenna (dBW)                                      -158.1        -161.1      -163.1

2.1.3 C/A Spreading Code

2.1.3.1 C/A Code Generation

The C/A codes are deterministic sequences of length 1023 bits, also called PRN sequences, and each repeats every 1 ms. A C/A code is a Gold code; it fulfils the requirements of the Gold code properties [8]. It is constructed by XORing two M-sequences of the same length. Each M-sequence is generated by a linear feedback shift register with n stages; the maximum length of the sequence is N = 2^n − 1.

In the GPS system, each satellite is assigned a distinct C/A code, and the C/A codes are public for GPS receivers. Two shift registers are used for the C/A code generation: G1 and G2. The feedback of the two registers is configured with different polynomials. For G1,

$$f(x) = 1 + x^3 + x^{10} \qquad (2.1)$$

which means that stages 3 and 10 are fed back to the input. For G2, the polynomial is

$$f(x) = 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^{10} \qquad (2.2)$$


Table 2.2 C/A code phase assignment [9]

Satellite ID   GPS PRN ID   Code phase selection (G2 taps)   Code delay (chips)
1              1            2 ⊕ 6                            5
2              2            3 ⊕ 7                            6
3              3            4 ⊕ 8                            7
4              4            5 ⊕ 9                            8
5              5            1 ⊕ 9                            17
6              6            2 ⊕ 10                           18
7              7            1 ⊕ 8                            139
8              8            2 ⊕ 9                            140
9              9            3 ⊕ 10                           141
10             10           2 ⊕ 3                            251
11             11           3 ⊕ 4                            252
12             12           5 ⊕ 6                            254
13             13           6 ⊕ 7                            255
14             14           7 ⊕ 8                            256
15             15           8 ⊕ 9                            257
16             16           9 ⊕ 10                           258
17             17           1 ⊕ 4                            469
18             18           2 ⊕ 5                            470
19             19           3 ⊕ 6                            471
20             20           4 ⊕ 7                            472
21             21           5 ⊕ 8                            473
22             22           6 ⊕ 9                            474
23             23           1 ⊕ 3                            509
24             24           4 ⊕ 6                            512
25             25           5 ⊕ 7                            513
26             26           6 ⊕ 8                            514
27             27           7 ⊕ 9                            515
28             28           8 ⊕ 10                           516
29             29           1 ⊕ 6                            517
30             30           2 ⊕ 7                            860
31             31           3 ⊕ 8                            861
32             32           4 ⊕ 9                            862
-              33           5 ⊕ 10                           863
-              34           4 ⊕ 10                           950
-              35           1 ⊕ 7                            947
-              36           2 ⊕ 8                            948
-              37           4 ⊕ 10                           950


Figure 2.1 C/A Code Generator [9]

In order to generate the C/A codes for the different satellites, the outputs of the registers are combined. Table 2.2 lists the phase selections that are combined for each C/A code, and Figure 2.1 presents how the C/A code is generated with the feedback shift registers. To generate a different C/A code for each satellite, the phase selector needs to be configured appropriately. The generators have 10 taps, so each C/A code has 2^10 − 1 = 1023 chips, and each chip has a length of 1 ms ÷ 1023 ≈ 9.775 × 10^-4 ms (977.5 ns). Table 2.2 shows that there are actually 37 C/A codes, but two of them (34 and 37) are the same, so there are actually 36 distinct codes. The first 32 codes have been assigned to the 24 satellites so far and are recycled when old satellites die and new ones are launched. The rest are reserved for other uses.

2.1.3.2 C/A Code Correlation Properties

The reason Gold codes are selected as spreading sequences in GPS signals is their correlation properties, so it is necessary to discuss them here. Two properties are listed: auto-correlation and cross-correlation. C/A codes are barely correlated with each other, so their cross-correlation nearly equals zero. The normalized auto-correlation has one peak value, which is 1; otherwise it nearly equals zero.


Figure 2.2 C/A code correlation properties: (a) auto-correlation, (b) cross-correlation

For auto-correlation,

$$r_{ii}(m) = \sum_{l=0}^{1022} C^i(l)\,C^i(l+m) = \begin{cases} \approx 0 & \text{for } |m| \ge 1 \\ 1 & \text{for } m = 0 \end{cases} \qquad (2.3)$$

For cross-correlation,

$$r_{ki}(m) = \sum_{l=0}^{1022} C^k(l)\,C^i(l+m) \approx 0 \quad \text{for all } m \qquad (2.4)$$

In equations (2.3) and (2.4), C^i and C^k are the C/A codes of satellites i and k. The equations indicate that only when the lag is zero does the auto-correlation reach its peak value of 1; otherwise the auto-correlation and the cross-correlation are approximately zero. Figures 2.2(a) and 2.2(b) give the plots of the normalized auto-correlation and cross-correlation properties of the C/A codes of satellites 3 and 10, respectively. As discussed, the figures show only one peak value, when the lag is 0.

2.1.4 Navigation Data Format

As discussed before, both the C/A code and the P code are modulated with the navigation message before transmission over the L1 or L2 carrier. The navigation data contains information on the satellite positions, called ephemeris data, and the time as well as the constellation of all satellites, called almanac data. The rate of the data message is 50 bit/s, so the length of one data bit is 20 ms, which means that one data bit is modulated by 20 periods of the C/A code. The navigation message contains 5 subframes of 300 bits each, as explained in Figure 2.3. The 300 bits are divided into 10 words of 30 bits each, and all 5 subframes start with the Telemetry (TLM) word and the Handover Word (HOW). Each TLM word contains a fixed preamble sequence, 10001011, an 8-bit pattern that never changes. This preamble is used for locating the beginning of each subframe, and the rest of the TLM bits are only used by authorized receivers. The HOW is the word that allows users to switch from C/A code tracking to P code tracking. The functions of the remaining words of each subframe are illustrated in Figure 2.3. The whole frame of 1500 bits only contains part of the entire almanac data, which requires 25 whole frames, i.e., 25 × 1500 = 37500 bits; so it takes 12.5 minutes to retrieve the entire almanac data.

Figure 2.3 Navigation data format

2.1.5 Modulation for GNSS

The GPS navigation system uses the Direct Sequence Spread Spectrum (DSSS) technique as its modulation, an extension of Binary Phase Shift Keying (BPSK), with the C/A code or P code as the spreading sequence. In the GPS system, the C/A code or P code has an extremely high symbol rate compared to the navigation data bit rate. Figure 2.4 shows how DSSS modulation is implemented: DSSS signal = RF carrier × Navigation Data × Spreading Code. Three points explain why DSSS was selected for GPS. First and most important, the PRN waveform introduces phase inversions in the transmitted signal, which are used for precise ranging from the satellites to the GPS receiver. Second, there are many PRN codes to choose from, and each satellite is assigned one specific PRN code; satellites can then broadcast their own signals on the same carrier frequency, L1 or L2, and receivers can distinguish the signals by their different PRN codes. The technique of transmitting different signals on one frequency is called Code Division Multiple Access (CDMA). The last reason is that DSSS can reduce narrow-band interference.


Figure 2.4 DSSS Modulation

2.2 GPS Receiver

The GPS receiver receives GPS signals, decodes them and calculates the receiver's position with at least four satellites in view. GPS uses Time Of Arrival (TOA) to estimate the distance between the satellites and the GPS receiver. It requires at least 4 satellites to calculate the receiver's position because there are four unknown parameters for one GPS receiver: longitude Δx, latitude Δy, elevation Δz and time Δt.

2.2.1 GPS Receiver Front End

Travelling about 20000 km from space to the GPS receiver, GPS signals pass through the ionosphere and atmosphere. Considering the attenuation in space and in the atmosphere, and the path loss, the transmitted power is low, about 27 dBW (including the satellite antenna gain), so the power is extremely low when the signal arrives at the GPS receiver: about -160 dBW, which is 100 × 10^-18 W. This is 10^19 times weaker than the Bluetooth transmission power. So in the GPS receiver front end, the signal must be amplified in order to be processed. Some papers investigate how to implement a GPS receiver front end: [10–12]. Here we refer to [13], shown in Figure 2.5, which illustrates how the received GPS signal is processed in the receiver front end. The signal is first filtered by a bandpass filter with frequency selectivity, to remove out-of-band RF interference. After that, amplifiers are used to boost the signal, at the same time introducing some noise. The GPS signal has a very high carrier frequency, which is hard to handle, so it is necessary to down-convert the carrier frequency. A Local Oscillator (LO) is introduced to down-convert the 1575.42 MHz RF carrier to an Intermediate Frequency (IF) of 9.548 MHz without changing the signal structure. There are two ways to down-convert the frequency: frequency mixing and ADC sampling. Assuming the GPS signal frequency is f_s and the LO frequency is f_l, the frequency mixer works in the following way:

$$\cos(2\pi f_s t)\cos(2\pi f_l t) = \tfrac{1}{2}\left[\cos(2\pi(f_s + f_l)t) + \cos(2\pi(f_s - f_l)t)\right]$$

which generates upper and lower sidebands of the GPS signal. The bandpass filter selects the lower sideband and removes the upper sideband and other out-of-band signals. The ADC transforms the analog GPS signal to a digital signal; selecting an appropriate sampling frequency down-converts the frequency to the IF of 9.548 MHz.

Figure 2.5 GNSS Receiver Front End [13]

2.2.2 Acquisition

After the receiver front end, the IF signal needs to be post-processed to obtain the receiver's position; post-processing comprises acquisition, tracking and calculation.

The purpose of acquisition is to search for the visible satellites and find coarse values of the code phase and carrier frequency, which assist the tracking process in acquiring the precise code phase and carrier frequency; Figure 2.6 presents how these three steps work together to determine the receiver position. The satellites are distinguished by the 32 PRN codes, so the visible satellites can be found by using these PRN codes. The second parameter is the code phase, which is used for ranging from the satellite to the receiver. Considering the correlation properties of the PRN codes, the correlation has a high value only when the lag is zero, so the coarse code phase can be acquired by correlating the local PRN code at different phases with the incoming signal. The code phase must be perfectly aligned with the local code so that the PRN code can be removed from the incoming signal. Another element that needs to be removed is the carrier wave: the velocity of the satellite causes a Doppler frequency shift, with the carrier frequency deviating by up to ±10 kHz in the worst case, but it is adequate to search the frequencies in steps of ±500 Hz [9].

Figure 2.6 IF signal post processing

Figure 2.7 Parallel frequency search acquisition (incoming signal × local PRN → Fourier transform → |·|² → output)

Acquisition is in general a search process to determine the code phase and the carrier frequency. It is very important for the GPS receiver, because if it acquires the wrong satellites or does not acquire enough satellites, the subsequent steps will be faulty. [14–16] investigate how to acquire the satellite signals in different situations. Currently there are two major search acquisition algorithms: parallel frequency space search acquisition and parallel code phase search acquisition.

• Parallel frequency space search acquisition is based on multiplying the locally generated PRN code with the incoming signal and then Fourier transforming the result from the time domain to the frequency domain. If the local code phase is perfectly aligned with the incoming signal, there is one peak value in the frequency domain. Normally the length of the searched segment is 1 ms, which is the length of one C/A code sequence. Each generated PRN sequence, associated with one specific satellite, has one certain code phase, from 0 to 1022. Figure 2.7 shows how parallel frequency search acquisition works. The Discrete Fourier Transform (DFT) or the Fast Fourier Transform (FFT) can be used to implement the Fourier transform; the FFT is faster, but it requires a sequence whose length is a power of 2. For example, if the sampling frequency of the incoming signal f_s is 20 MHz and the length of the signal to be analysed is 1 ms, then the number of samples N is 20 000, so the frequency resolution is

$$\Delta f = \frac{f_s/2}{N/2} = 1000\ \text{Hz}$$

The Fourier transform converts the multiplication result from the time domain to the frequency domain, giving a complex signal. If the local PRN code is aligned perfectly with the incoming signal, the frequency domain has a peak value at a certain frequency, which is the IF plus the frequency offset.

• The parallel code phase search algorithm parallelizes in the code phase dimension, covering all 1023 code phases in one search loop, so only 41 steps (±10 kHz with a 500 Hz search step) need to be performed; compared with the 1023 steps of parallel frequency search, this algorithm is more efficient. For each step, the 1023 correlations between the incoming signal and a PRN code can be implemented with circular cross-correlation, without shifting the code phase every time. The circular cross-correlation can be expressed as

$$z(n) = \frac{1}{N}\sum_{m=0}^{N-1} x(m)\,y(m+n) = \frac{1}{N}\sum_{m=0}^{N-1} x(-m)\,y(m-n) \qquad (2.5)$$

In the frequency domain the above equation can be simplified:

$$Z(k) = \sum_{n=0}^{N-1}\sum_{m=0}^{N-1} x(-m)\,y(m-n)\,e^{-j2\pi kn/N} = \sum_{m=0}^{N-1} x(m)\,e^{j2\pi km/N}\sum_{n=0}^{N-1} y(m+n)\,e^{-j2\pi k(m+n)/N} = X^*(k)\,Y(k) \qquad (2.6)$$

where X^*(k) is the conjugate of X(k). The algorithm above can be implemented as the block diagram in Figure 2.8. After multiplying with the local PRN in the frequency domain, an Inverse Fast Fourier Transform (IFFT) transforms the product back to the time domain. The absolute value of the output is the cross-correlation between the incoming signal and the local PRN code. If a peak value exists, the corresponding code phase is the code phase of the incoming signal. Assuming the sampling frequency is 20 MHz and the length of the PRN code is 1 ms, the PRN code has 20 000 samples, so the resolution of this algorithm is much higher than that of parallel frequency space search acquisition, comparing 20 000 different values with 1023 different values.
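As an added example (not code from the thesis), the following Python puts Sections 2.1.3 and 2.2.2 together: it generates C/A codes from the G1/G2 registers with the Table 2.2 phase selectors, checks the correlation properties of equations (2.3) and (2.4), and runs the parallel code phase search of equations (2.5) and (2.6) on a constructed input. It assumes one sample per chip (1023 samples per code period) and a carrier that has already been wiped off, so only the code phase dimension of one frequency bin is searched; a plain O(N²) DFT stands in for the FFT because 1023 is not a power of two, and the PRN numbers, delays and noise level are constructed values.

```python
"""C/A code generation and parallel code phase search (added example, not the
thesis author's code).  Assumptions: one sample per chip, carrier already
removed, so only the code-phase dimension of one frequency bin is searched."""
import cmath
import random

N = 1023  # chips per C/A code period (1 ms)

# G2 phase-selector taps (1-indexed register stages) for a few PRNs, taken from
# Table 2.2; the C/A chip is the G1 output XOR the XOR of these two G2 stages.
PHASE_SELECT = {1: (2, 6), 2: (3, 7), 3: (4, 8), 10: (2, 3), 15: (8, 9), 22: (6, 9)}


def ca_code(prn):
    """Return the 1023 chips (0/1) of C/A code `prn`.

    G1 feedback is 1 + x^3 + x^10 (eq. 2.1) and G2 feedback is
    1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10 (eq. 2.2); both registers start
    from all ones, as in the generator of Figure 2.1.
    """
    s1, s2 = PHASE_SELECT[prn]
    g1, g2 = [1] * 10, [1] * 10
    chips = []
    for _ in range(N):
        chips.append(g1[9] ^ g2[s1 - 1] ^ g2[s2 - 1])
        f1 = g1[2] ^ g1[9]                                  # stages 3 and 10
        f2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # stages 2,3,6,8,9,10
        g1 = [f1] + g1[:9]                                  # shift, feed back
        g2 = [f2] + g2[:9]
    return chips


def bipolar(chips):
    """Map chips 0/1 to the +1/-1 waveform of the DSSS/BPSK signal (Figure 2.4)."""
    return [1.0 - 2.0 * c for c in chips]


def circ_corr_time(x, y):
    """Normalized circular correlation r(m) = (1/N) sum_l x(l) y(l+m), eq. 2.3/2.5."""
    return [sum(x[l] * y[(l + m) % N] for l in range(N)) / N for m in range(N)]


def dft(x, inverse=False):
    """Plain O(N^2) DFT/IDFT; 1023 is not a power of two, so no radix-2 FFT."""
    sign = 1 if inverse else -1
    tw = [cmath.exp(sign * 2j * cmath.pi * k / N) for k in range(N)]
    out = [sum(x[n] * tw[(k * n) % N] for n in range(N)) for k in range(N)]
    return [v / N for v in out] if inverse else out


def circ_corr_freq(x, y):
    """Same correlation through the frequency domain, the path of Figure 2.8:
    z = IDFT(X*(k) Y(k)) / N (eq. 2.6) for real-valued x and y."""
    X, Y = dft(x), dft(y)
    z = dft([xk.conjugate() * yk for xk, yk in zip(X, Y)], inverse=True)
    return [v.real / N for v in z]


def acquire(received, prn, threshold=0.3):
    """Parallel code phase search for one PRN in one frequency bin.

    Returns (code_phase, peak); code_phase is None when the normalized peak
    stays below `threshold`.  A Gold code cross-correlation never exceeds
    65/1023 ~ 0.064, so a peak well above that means the satellite is present.
    """
    corr = circ_corr_freq(bipolar(ca_code(prn)), received)
    peak = max(corr)
    phase = corr.index(peak) if peak >= threshold else None
    return phase, peak


def constructed_signal(seed=1, noise_std=1.0):
    """Constructed baseband input: PRN 3 delayed 512 chips plus PRN 15 delayed
    100 chips, each at unit amplitude, in Gaussian noise of `noise_std`."""
    rng = random.Random(seed)
    c3, c15 = bipolar(ca_code(3)), bipolar(ca_code(15))
    return [c3[(l - 512) % N] + c15[(l - 100) % N] + rng.gauss(0.0, noise_std)
            for l in range(N)]


if __name__ == "__main__":
    c1 = bipolar(ca_code(1))
    auto = circ_corr_time(c1, c1)
    print("PRN 1 auto-correlation: peak %.3f at lag 0, max off-peak |r| = %.4f"
          % (auto[0], max(abs(v) for v in auto[1:])))
    s = constructed_signal()
    for prn in (1, 3, 15):
        phase, peak = acquire(s, prn)
        print("PRN %2d: peak %.3f -> code phase %s" % (prn, peak, phase))
```

With the constructed input, PRN 3 and PRN 15 are found at code phases 512 and 100 with peaks near 1, while PRN 1 (absent) stays below the threshold; the time-domain and frequency-domain correlations agree to floating-point precision.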


Figure 2.8 Parallel code phase search acquisition (block diagram: the incoming signal is multiplied by the local carrier and its 90° shifted copy, transformed by FFT, multiplied by the conjugate of the FFT of the local PRN code, transformed back by IFFT, and squared to give the output)

2.2.3 Tracking

After acquisition, the coarse carrier frequency and code phase have been estimated; tracking refines these values so that the RF carrier and the PRN code can be removed to demodulate the navigation message. The IF signal in Figure 2.5 is expressed as:

$$s^{k}_{IF}(t) = \sqrt{P_C}\, C^{k}(t)\, D^{k}(t)\cos(\omega_{IF}\, t) \qquad (2.7)$$

where C^k(t) is the C/A code of satellite k, D^k(t) is the navigation data of satellite k, and ω_IF is the intermediate frequency produced in the receiver front end. So, in order to demodulate the navigation data, the GPS receiver must provide two replicas: the RF carrier and the PRN code.

• The goal of the carrier tracking loop (Costas loop) is to refine the carrier accurately and then remove it from the incoming signal. As shown in Figure 2.9, there are two multiplications to remove the carrier: one multiplies the incoming signal with the local carrier, the other multiplies it with the local carrier shifted by 90°. This loop tries to keep the power in the I (in-phase) branch in order to be more accurate. Assuming, in Figure 2.9, that the code phase is perfectly aligned, then for the I branch,

$$D(n)\cos(\omega_{IF}\, n)\cos(\omega_{IF}\, n + \theta) = \tfrac{1}{2}\, D(n)\left[\cos(\theta) + \cos(2\omega_{IF}\, n + \theta)\right] \qquad (2.8)$$

Figure 2.9 Carrier tracking loop


and for the Q branch, where the carrier is shifted by 90°,

$$D(n)\cos(\omega_{IF}\, n)\sin(\omega_{IF}\, n + \theta) = \tfrac{1}{2}\, D(n)\left[\sin(\theta) + \sin(2\omega_{IF}\, n + \theta)\right] \qquad (2.9)$$

After the low-pass filter of the carrier loop, the signals in the two branches are

$$I = \tfrac{1}{2}\, D(n)\cos(\theta) \qquad (2.10)$$

$$Q = \tfrac{1}{2}\, D(n)\sin(\theta) \qquad (2.11)$$

To remove the carrier wave, the phase difference θ between the incoming carrier and the local carrier must be minimized. From Equation (2.10) and Equation (2.11), the phase can be obtained:

$$\frac{Q}{I} = \tan(\theta), \qquad \theta = \tan^{-1}\!\left(\frac{Q}{I}\right) \qquad (2.12)$$

From Equation (2.12) it can be seen that if θ is to be zero, Q should be zero, so that all the energy is in the I branch. The Costas discriminator therefore tries to reduce the phase difference in the carrier tracking loop. Because of the navigation data bit transitions, the phase lock loop (PLL) must be insensitive to 180° phase shifts, and the Costas loop is one such loop. Equation (2.12) shows that when the phase error is 0 or ±180°, the discriminator output is zero, which is why the Costas loop is insensitive to bit transitions.

• The aim of code tracking is to keep track of the code phase of the incoming signal. The output of the code tracking loop should be perfectly aligned with the incoming signal. The loop used in code tracking is the Delay Lock Loop (DLL), an early-late tracking loop. Figure 2.10 shows how the correlators are used for the DLL in code tracking. The local carrier generator produces two carrier replicas, a sine carrier and a cosine carrier, which convert the IF signal to baseband by multiplication. Then the correlators E (Early), P (Prompt) and L (Late) are applied with a spacing of 1/2 chip. After this multiplication, the six outputs are integrated and dumped. The outputs of the E, P and L correlators need to be compared to find the highest value, which determines how to change them in the next loop. Generally the spacing between the early, prompt and late replicas is 1/2 chip, as in Figure 2.11: (a) shows that the late replica has the highest correlation value, so in the next loop the code phase should be decreased, which means that the PRN code should be delayed; (b) shows that the prompt replica gives the highest correlation output. It is worth mentioning that this type of DLL (Figure 2.10) is independent of the performance of the phase lock loop in the carrier tracking loop. The discriminators provide the feedback for the PRN code generator to adjust the code phase. Table 2.3 lists one coherent discriminator and three noncoherent discriminators. Different discriminators have different characteristics and can be employed in different situations. In addition, the discriminator spacing can also be adjusted to cope with different challenges: tracking is more precise if the spacing is less than 1/2 chip, but a spacing larger than 1/2 chip is better if the signal-to-noise ratio (SNR) is low, since the wider discriminator spacing is efficient in handling noisy signals.

Figure 2.10 Code tracking loop [2]

Figure 2.11 Code correlation for three different replicas

Table 2.3 Types of discriminators for code tracking loop [13]

Type | Discriminator D | Features
Coherent | I_E − I_L | Simplest discriminator, but requires a good carrier tracking loop.
Noncoherent | (I_E² + Q_E²) − (I_L² + Q_L²) | Early power minus late power.
Noncoherent | [(I_E² + Q_E²) − (I_L² + Q_L²)] / [(I_E² + Q_E²) + (I_L² + Q_L²)] | Normalized early minus late power, more efficient in noisy signal.
Noncoherent | I_P (I_E − I_L) + Q_P (Q_E − Q_L) | Dot product. It uses all six correlators.

2.2.4 Calculation

The receiver position is derived from the pseudoranges between the satellites and the receiver. The pseudorange is expressed by the following equation:

$$\lambda^{k}(n) = c\left[T_r(n) - T_{si}(n)\right] \qquad (2.13)$$

where c is the speed of light, 299,792,458 m/s; T_r(n) is the receiving time corresponding to satellite time (s); T_si(n) is the transmitting time in satellite clock time (s). The transmitting time T_si, which is related to the PRN code phase, is replicated in the GPS receiver at epoch n. The pseudorange calculated in this way is a function of the receive time epoch n. The PRN code transmitted by the satellite contains n epochs, each of them perfectly aligned to the GPS time of week. The PRN code is precisely correlated with the local replica PRN code, whose phase offset with respect to the beginning of the GPS week represents the transmitting time of the satellite. The other parameter needed to determine the receiver position is the satellite positions, of at least four satellites. Figure 2.12 shows the user position in a 3-D coordinate system, assuming the coordinates of the four satellites are (X1,Y1,Z1), (X2,Y2,Z2), (X3,Y3,Z3) and (X4,Y4,Z4). The distance between a satellite and the receiver is:

$$PSR = \sqrt{(X_{sat} - X_{user})^2 + (Y_{sat} - Y_{user})^2 + (Z_{sat} - Z_{user})^2} + c \times \Delta t_0 \qquad (2.14)$$

where PSR is the pseudorange and Δt_0 is the transmitting time. There are four unknown parameters, so four satellites are required to calculate the position. For satellite i:

$$PSR_i = \sqrt{(X_{sat_i} - X_{user})^2 + (Y_{sat_i} - Y_{user})^2 + (Z_{sat_i} - Z_{user})^2} + c\,\Delta t_0 \qquad (2.15)$$


Figure 2.12 Three dimensional co-ordinate system [1]

As is known, the Taylor series is:

$$f(x) = f(x_0) + \frac{f'(x_0)}{1!}\,\Delta x + \frac{f''(x_0)}{2!}\,\Delta x^2 + \ldots \qquad (2.16)$$

Equation (2.16) can be simplified to:

$$f(x) = f(x_0) + f'(x_0)\,\Delta x \qquad (2.17)$$

From Equation (2.17), instead of calculating X_Anw, Y_Anw and Z_Anw directly, one can calculate an estimated position X_es, Y_es and Z_es. The errors introduced by this estimation are the variables Δx, Δy and Δz (which, together with the clock term Δt_0, are the four unknowns):

$$X_{Anw} = X_{es} + \Delta x$$

$$Y_{Anw} = Y_{es} + \Delta y$$

$$Z_{Anw} = Z_{es} + \Delta z$$

Then, for the estimated user position, the range to satellite i is:

$$R_{es_i} = \sqrt{(X_{sat_i} - X_{es})^2 + (Y_{sat_i} - Y_{es})^2 + (Z_{sat_i} - Z_{es})^2} \qquad (2.18)$$

From the above equations, Equation (2.15) can be written as:

$$PSR_i = R_{es_i} + \frac{\partial R_{es_i}}{\partial x}\,\Delta x + \frac{\partial R_{es_i}}{\partial y}\,\Delta y + \frac{\partial R_{es_i}}{\partial z}\,\Delta z + c\,\Delta t_0 \qquad (2.19)$$

Equation (2.19) is a linear equation with four unknown parameters, so it can easily be solved when four satellites provide four different equations.
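As an added worked example (not part of the thesis), the linearized solution of Equations (2.15)–(2.19) in pure Python: four constructed satellite positions and a constructed true receiver state (position and clock bias) generate the pseudoranges, and the receiver state is recovered by repeatedly solving the four-unknown linear system about the current estimate. The satellite coordinates, user position and clock bias are constructed values, not taken from the thesis.

```python
import math

C = 299_792_458.0  # speed of light, m/s (Eq. 2.13)

# Constructed geometry (not from the thesis): four satellites roughly 26 560 km
# from the Earth's centre, a user on the surface, and a receiver clock bias.
SATELLITES = [
    (0.0, 0.0, 26_560_000.0),
    (20_000_000.0, 0.0, 17_480_000.0),
    (-12_000_000.0, 18_000_000.0, 15_500_000.0),
    (-14_000_000.0, -16_000_000.0, 16_200_000.0),
]
TRUE_USER = (0.0, 0.0, 6_371_000.0)
TRUE_CLOCK_BIAS = 1.5e-6  # seconds; c * 1.5e-6 is roughly 450 m of pseudorange


def geometric_range(sat, user):
    """R = sqrt((Xsat - Xuser)^2 + (Ysat - Yuser)^2 + (Zsat - Zuser)^2)."""
    return math.sqrt(sum((s - u) ** 2 for s, u in zip(sat, user)))


def pseudoranges(sats, user, clock_bias):
    """Eq. (2.15): PSR_i = R_i + c * dt0, generated here from the true state."""
    return [geometric_range(s, user) + C * clock_bias for s in sats]


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting for the 4x4 system (2.19)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def solve_position(sats, psr, estimate=(0.0, 0.0, 0.0), max_iterations=10):
    """Linearize Eq. (2.15) about the estimate (X_es, Y_es, Z_es), solve Eq. (2.19)
    for (dx, dy, dz, dt0), move the estimate, and repeat until the step is tiny.
    The default estimate is the Earth's centre, as a cold-start receiver would use."""
    x, y, z = estimate
    dt0 = 0.0
    for _ in range(max_iterations):
        A, b = [], []
        for sat, p in zip(sats, psr):
            r = geometric_range(sat, (x, y, z))  # R_esi of Eq. (2.18)
            # Partial derivatives of R_esi, and c for the clock term (Eq. 2.19)
            A.append([(x - sat[0]) / r, (y - sat[1]) / r, (z - sat[2]) / r, C])
            # Measured pseudorange minus what the current estimate predicts
            b.append(p - r - C * dt0)
        dx, dy, dz, ddt = solve_linear(A, b)
        x, y, z, dt0 = x + dx, y + dy, z + dz, dt0 + ddt
        if math.sqrt(dx * dx + dy * dy + dz * dz) < 1e-4:
            break
    return (x, y, z), dt0


def position_error(solved, truth):
    """Euclidean distance in metres between the solved and the true position."""
    return geometric_range(solved, truth)


if __name__ == "__main__":
    psr = pseudoranges(SATELLITES, TRUE_USER, TRUE_CLOCK_BIAS)
    pos, dt0 = solve_position(SATELLITES, psr)
    print("solved position:", [round(v, 3) for v in pos])
    print("clock bias (s):", dt0, "position error (m):", position_error(pos, TRUE_USER))
```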


Chapter 3 Probing the Vulnerability of GNSS

The RF signals from any undesired transmitter received by a GPS receiver are considered interference. GPS signals are highly vulnerable not only because of their low power when they reach the GPS receiver, but also because the contents of the (civilian) GPS signals are public to the whole world. RF interference can be divided into unintentional interference and intentional interference. [17–21] analyze how various forms of interference or attack can affect GPS, and [19] reports on how one existing incident affected performance. The interference can result in degraded performance or loss of receiver tracking. Table 3.1 lists the types of RF interference and their potential sources. There is wideband and narrowband interference from different sources, like TV or radio transmitters. In this chapter, interference will be discussed in two ways: spoofing and jamming.

Table 3.1 Types of RF Interference and Potential Sources [2]

Class | Type | Potential Sources
Wideband | band-limited Gaussian | Intentional matched-bandwidth noise jammers
Wideband | phase/frequency modulation | Signals from TV transmitters or near-band microwave link transmitters
Wideband | matched spectrum | Intentional matched-spectrum jammers, spoofers
Wideband | pulse | Burst transmitters or ultrawideband
Narrowband | phase/frequency modulation | Intentional chirp jammers, or from AM radio stations and citizen band radio
Narrowband | swept continuous wave | Intentional swept CW jammers or frequency modulation stations
Narrowband | continuous wave | Intentional CW jammers

3.1 Spoofing Interference

GPS was designed originally to contain two different codes: the C/A code, which is free for civilian use, and the P code, which is for military use. The P code is encrypted so that it is hard to spoof, but the signal structure, the codes and the modulation of the C/A-code signal are all public, so the C/A code is easier to spoof. The goal of spoofing is to mislead the receiver, fooling it with fake signals for the positioning calculation; the result of spoofing is to increase the measured distance. Some successful experiments related to spoofing attacks are implemented in [22, 23], showing that commercial GPS devices can't detect these attacks.

3.1.1 Spoofing Classification

Spoofing attacks are classified into three groups in [24]: simplistic spoofers, intermediate spoofers and sophisticated spoofers. Simplistic spoofers need a GPS signal simulator to be consistent with any broadcast satellite; they comprise a GPS signal simulator and a transmitter. The receiver can receive both the original GPS signals and the spoofed signal. Intermediate spoofers have full knowledge of the currently broadcasting satellites in view, the Doppler shift and the navigation data. They can synchronize their generated GPS signals with the current GPS signals in view. The spoofer attacks each channel of the receiver by simulating phase alignment and then forces the tracking loops to lock onto the spoofer signals [25]. Sophisticated spoofers are more complex than the other spoofers: they not only spoof the currently broadcasting satellites, but also spoof other spoofers' signals. Multiple transmitting antennas are required to implement this.

3.1.2 Attacking Model

Consider an intermediate spoofer as the attack source, composed of a GPS receiver and a signal transmitter. The receiver provides the spoofer with knowledge of GPS time, satellite positions, navigation data, Doppler shift and signal power. The spoofer simulates the GPS signal and forces the GPS receiver to lock onto the spoofer signal in order to mislead it. Figure 3.1 illustrates how the spoofer affects the GPS receiver. In [26], Automatic Gain Control (AGC) is considered an important part of a successful spoof. Spoofing means that the malicious signal overpowers the benign signal and misleads the receiver into processing the spoof signal. Figure 3.2 shows a block diagram of a GPS receiver under a spoofing attack. The signal received by the GPS receiver antenna is

$$S_{ant} = S_a + S_s + S_N \qquad (3.1)$$

where S_a is the authentic signal, S_s is the spoof signal and S_N is noise. When S_s ≫ S_a, the received signal (3.1) can be simplified to

$$S_{ant} = S_s + S_N \qquad (3.2)$$

Figure 3.1 GPS System with Spoofing attack

Figure 3.2 AGC and Spoof vulnerability [26] (block diagram: GPS signal, spoof signal and noise enter the front end amplifier with AGC, followed by the digital down converter and the A/D stage that delivers the message used to identify a successful spoof)

Then the signal is A/D sampled, and the spoofing signal is decoded to calculate the receiver's position. When this last step succeeds, the spoofing signal overrides the authentic signal and forges the receiver's position. So the problem is that if the algorithms for checking the matrices are public, the GPS receiver can't detect the spoof attack, because the spoof signal can make use of the known algorithms to make the GPS receiver believe it is the authentic signal. It is therefore believed that a spoofing attack can do more harm to the GPS receiver, because the spoofer controls the receiver and makes it believe the fake signal, whereas a jamming attack only degrades the performance of the receiver.

[27] proposes a detection method for the intermediate spoofing attack. First, the Cross Ambiguity Function (CAF) is introduced in [28]; it expresses the fact that the signal processing in a GPS receiver is based on the estimation of a 2-D correlation function. Detecting the correlation peak within the CAF corresponds to the correlation in acquisition, which provides the coarse code phase and carrier frequency. These coarse values are then estimated precisely in the tracking loops, which align the incoming signal to the local replica; this behaviour corresponds to finding the carrier frequency and code phase that maximize the CAF. So distortions (caused by a spoofing attack) of the correlation peak can affect the position accuracy. As in [29], the Ratio Test Metric is used as a measurement to detect the spoofing attack. The Ratio Test Metric is expressed as:

$$R_\delta = \frac{E_i^{\delta/2} + L_i^{\delta/2}}{\alpha\, P_i} \qquad (3.3)$$

where E_i, P_i and L_i are the outputs of the Early, Prompt and Late correlators over the in-phase arm, δ is the correlator spacing between the Early and Late correlators, and α is the slope of the correlation main peak. When a spoofing attack occurs, the value of (3.3) becomes extremely high relative to its threshold, so it can be used to detect the distortion in real time and raise a detection alarm.

3.2 Jamming Interference

GPS signals have extremely weak power when they reach the GPS receiver, typically −160 dBW, and even worse indoors, −190 dBW, which makes GPS performance easy to degrade with jamming interference. The jamming attacks illustrated in [30, 31] are: impulse train, multi-tone continuous wave (CW), single-tone CW, frequency-hop and linear chirp CW. Some algorithms have been proposed to eliminate these jamming signals, such as time-based excision, frequency-based excision and hybrid time/frequency solutions.


The received signal can be written as r(t) = s(t) + n(t) + i(t), where s(t) is the transmitted signal, n(t) is the environment noise and i(t) is the interference. If we consider only the interference part i(t), it is multiplied by the despreading sequence s_c(t); in the frequency domain the result is S_c(f) ∗ I(f). The interference energy is thus spread over the spreading code bandwidth, and P_i (the power of the interference) is reduced by demodulation by the processing gain

$$G = \frac{BW_{code}}{BW_{data}}$$

RF interference can be wideband or narrowband: wideband interference has a larger bandwidth than the victim signal, and narrowband interference the opposite. The power ratio C/N_0 becomes C/(J + N_0) because the power spectral density of the interference is added. [32] argues that the effect of wideband interference can be considered as Gaussian noise; the power ratio then becomes C/N_{new}, where n_{new} = n_0 + n_J. But when considering narrowband interference, the result is significantly different. Assume that the received signal is √P D(t)c(t) + √(2P_J) cos(2πf_J t + θ_J), where P is the GPS power and P_J is the interference power, D(t) is the navigation data and c(t) is the PRN code. After correlation with the local PRN code:

$$Y = S + J = c(t) * \left(\sqrt{P}\,D(t)\,c(t) + \sqrt{2P_J}\cos(2\pi f_J t + \theta_J)\right) \qquad (3.4)$$

When the local PRN code is perfectly aligned with the incoming signal, we get:

$$S = c(t) * \sqrt{P}\,D(t)\,c(t) = \sqrt{P}\,D \qquad (3.5)$$

Meanwhile the interference part can be computed as:

$$J = c(t) * \sqrt{2P_J}\cos(2\pi f_J t + \theta_J) = \frac{\sqrt{2P_J}}{2T}\left[\exp(j\theta_J)\int_0^T c(t)\exp(j2\pi f_J t)\,dt + \exp(-j\theta_J)\int_0^T c(t)\exp(-j2\pi f_J t)\,dt\right] \qquad (3.6)$$

Equation (3.6) illustrates that the jamming interference power is spread by the PRN code. The jammer succeeds when the interference overpowers the authentic GPS signal. From [33], when combining J_r = 10 log j_r and J/S = J_r − J_s (dB), we get:

$$j_r = 10^{(J/S + S_r)/10} \qquad (3.7)$$

The paper shows that a 2 W interference transmitter can interfere with a GPS signal at a distance of d = 26.6 km. [34–36] present detection methods and countermeasures for jamming interference. By making use of the spectrum sensing of cognitive radio systems [37], it becomes easier to detect malicious signals in a GNSS system. Because they need no knowledge of the detected signal, sensing techniques based on the eigenvalues of the covariance matrix of the received signal have become a suggested method in the area of random matrix theory. [35] establishes a sample covariance matrix R(K,N) from the signal measurements, where K is the number of sensors used and N is the number of samples, and then generates a decision metric based on the eigenvalues of R(K,N). The authors propose two test methods: the generalized likelihood ratio test (GLRT) and the condition number test (CNT). The paper shows that malicious narrow-band and wide-band jamming can be detected with better performance. [36] proposes a novel anti-jamming technique to cope with the errors introduced by existing array-based anti-jamming GPS receivers. The technique tries to estimate the GPS signal phase precisely by correctly tracking and compensating for the phase change in different jamming environments. The simulation results show that the novel anti-jamming technique can effectively suppress the phase distortion and preserve phase continuity by providing a robust phase estimate in a non-fixed jamming environment. [38, 39] propose two new methods to detect RF interference: the Interference Error Envelope (IEE) and the Interference Running Average (IRA). CW and WB interference are taken into consideration in these two papers. The IEE characterizes the correlation distortion versus some interferer characteristics; for example, it measures the maximum discriminator function distortion in relation to one or more parameters of the jamming interference signal, so that the ranging error is obtained as a function of the interference frequency. The IRA is obtained by averaging the error envelope. These papers investigate IEE versus spacing, IEE versus filter bandwidth, coherent versus noncoherent discriminators, and IEE versus modulation format. The simulations performed illustrate that these tools can be a valuable method for measuring performance and designing receivers when RF interference exists.

Chapter 4 Cicada Attack Simulation and Calculation

The Cicada attack, proposed in [40], can decrease the measured distance for Ultra-Wide Band (UWB) ranging. In this chapter, the Cicada attack is investigated to find out how it could affect a GNSS system.

4.1 Cicada Attack Model

The Cicada attack is easy to implement: it doesn't need a sophisticated transmitter to broadcast a complex signal, and the transmitter doesn't need any knowledge about the victim. Nevertheless, [40, 41] conclude that it effectively degrades the ranging performance or achieves denial of service. In [40], the Cicada signal structure is constructed from the synchronization preamble of the IEEE 802.15.4a PHY, because ranging using IR-UWB needs the synchronization preamble to calculate the TOA and measure the distance. In the GPS system, however, the code used to measure the distance is the PRN code. Acquisition is the first stage in processing the IF signal; it aims to acquire the visible satellites and the coarse code phase and carrier frequency by correlating the incoming signal with local carrier replicas and PRN replicas. In the tracking stage, the receiver determines the code phase and carrier wave with high accuracy using PLL and DLL techniques, again by correlating the incoming signal with local replicas. The Cicada signal should therefore be built from the PRN code, and its signal structure can be modelled in the following way:

$$i(t) = \sum_{k=-\infty}^{\infty} p(t - kT_{code}) \qquad (4.1)$$

where i(t) is the Cicada interference, p(t) is the PRN code and T_code is the time duration of one PRN code.

4.1.1 The Attack Characteristics

First, in the acquisition stage, the length of signal chosen to correlate with the local replicas is 2 ms. The 2 ms is divided into 2 × 1 ms, because the length of the PRN code is 1 ms, but a navigation data bit transition could occur during one PRN code, and the correlation algorithms can't ignore the effect of a data transition. That is why we choose a continuous 2 ms of signal, to avoid an unsuccessful acquisition in the first 1 ms. So the first choice of the attack length is 3 ms (1 ms more to be confident). Second, the attack signal length would be the same as the length of the GPS signal. But the result won't make much difference, because the signal length for acquisition is the same, and it misleads the GPS receiver so that it is unable to find the start of the navigation data (the preamble). The simulation results are presented in later sections.

4.2 Analytical Calculation

This Cicada signal interferes with the GPS receiver by exploiting the correlation outputs, so both stages are analysed here: first, in the acquisition stage, Cicada can cause the GPS receiver to acquire no satellites, or the wrong satellites; second, in the tracking and calculation stages, Cicada can force the GPS receiver to derive a wrong pseudorange, or make it unable to demodulate the data because Cicada confuses the receiver so that it cannot find the preambles. The authentic GPS signal can be expressed as:

$$r_s(t) = \sum_{m=1}^{M} \sqrt{2P_m}\, d_m(t - \tau_m)\, c_m(t - \tau_m)\cos\left(2\pi(f_{L1} + f_m)\,t + \theta_m\right) + n(t) \qquad (4.2)$$

where P_m is the signal amplitude of satellite m, c_m is the PRN code of satellite m, d_m is the data of satellite m, τ_m is the transmitting time and f_m is the Doppler shift frequency. The Cicada signal can be formulated as:

$$i(t) = A\,c(t - \tau_{inter})\cos\left(2\pi(f_{L1} + f_{inter})\,t + \theta_{inter}\right) \qquad (4.3)$$

where c(t) is the PRN code, A is the interference amplitude and τ_inter is the time shift. In reality, the authentic signal and the Cicada signal are mixed before the GPS receiver antenna. But in my simulation, the real GPS signal is a digital IF signal, so the Cicada signal is processed alone in the RF front end and then added to the real GPS signal. After the receiver RF front end, the composite IF signal can be expressed as:

$$r_{IF}(t) = \sum_{m=1}^{M} \sqrt{2P_m}\, d_m(t - \tau_m)\, c_m(t - \tau_m)\cos\left(2\pi(f_{IF} + f_{dopp})\,t + \theta_m\right) + A\,c_{inter}(t - \tau_{inter})\cos\left(2\pi(f_{IF} + f_{inter})\,t + \theta_{inter}\right) + n(t) \qquad (4.4)$$


The IF signal is then passed to post-processing: acquisition, tracking and calculation.

4.2.1 Acquisition Stage

Now, consider one satellite signal, say from satellite k. When the local replica signal is coarsely aligned to the incoming IF signal, the output is:

$$r_k(t) = \sqrt{2P_k}\, d_k(nT)\cos\theta_k + \int_{jT}^{(j+1)T} A\, c_k(t - \tau_{inter})\, c_k(t - \tau_k)\cos(\Delta f\, t + \theta_{inter})\,dt \qquad (4.5)$$

where r_k(t) is the acquired signal of satellite k, c_k(t − τ_inter) is the PRN code of the Cicada signal, c_k(t − τ_k) is the local replica PRN code, and Δf is the difference between the Cicada carrier frequency and the local replica carrier frequency. The first part is the navigation data; the second part is the correlation between the local replica and the Cicada signal. So the success of acquisition depends on the second part. Obviously the cross-correlation between different PRN codes has low values, but if one of the codes has a high amplitude, the cross-correlation gives a new result. For example, when A_PRN1 = 50 A_PRN10, which is shown in Figure 4.2. PRN1 could be a component of the Cicada attack; its amplitude easily reaches 50 times the GPS signal power at the GPS receiver. Comparing Figure 4.1 and Figure 4.2, it is clear that the correlation result of the amplified PRN code is much higher than the regular correlation value, even than the peak value of the auto-correlation. So in the acquisition stage, where the GPS receiver decides whether to acquire a satellite by comparing the correlation peak with a fixed threshold, it might not acquire the correct satellites because of this am plified PRN code.

Figure 4.1 Correlation value when the two inputs have the same amplitude
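As an added example (not from the thesis or from the receiver software it uses), the parallel code phase search of Section 2.2.2 (Equations 2.5 and 2.6) in pure Python, applied to the situations discussed here and in Section 4.3: a clean PRN22 signal, the same signal with a 50× Cicada replica of PRN22 at another code phase, and a 50× amplified PRN1 seen by a PRN10 replica. It works at one sample per chip with no carrier and no noise; the code phases and the 50× gain are constructed values, and the transform is a direct O(N²) DFT rather than an FFT, which (as the thesis notes) would need a 2^x length.

```python
import cmath
import math
import operator

CODE_LEN = 1023
# G2 phase-selection taps (1-indexed register stages) for the PRNs used here.
G2_TAPS = {1: (2, 6), 10: (2, 3), 22: (6, 9)}


def ca_code(prn):
    """Generate the 1023-chip C/A Gold code of one satellite as +1/-1 chips.
    G1 = 1 + x^3 + x^10, G2 = 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10."""
    g1, g2 = [1] * 10, [1] * 10
    t1, t2 = G2_TAPS[prn]
    chips = []
    for _ in range(CODE_LEN):
        bit = g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1]
        chips.append(1 - 2 * bit)  # bit 0 -> +1, bit 1 -> -1
        g1 = [g1[2] ^ g1[9]] + g1[:-1]
        g2 = [g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]] + g2[:-1]
    return chips


def dft(x, inverse=False):
    """Direct discrete Fourier transform (no zero padding needed for N = 1023)."""
    n = len(x)
    sign = 1 if inverse else -1
    w = [cmath.exp(sign * 2j * math.pi * k / n) for k in range(n)]
    out = []
    for k in range(n):
        row = [w[(k * m) % n] for m in range(n)]
        acc = sum(map(operator.mul, x, row))
        out.append(acc / n if inverse else acc)
    return out


def circular_xcorr(local, incoming):
    """z(n) = sum_m local(m) * incoming(m + n), computed as IDFT(X*(k) Y(k))
    exactly as Equations (2.5) and (2.6) describe."""
    X, Y = dft(local), dft(incoming)
    return dft([xk.conjugate() * yk for xk, yk in zip(X, Y)], inverse=True)


def acquire(incoming, prn):
    """Parallel code phase search for one PRN: returns (code phase, |peak|)."""
    mags = [abs(v) for v in circular_xcorr(ca_code(prn), incoming)]
    phase = max(range(CODE_LEN), key=mags.__getitem__)
    return phase, mags[phase]


def delayed(code, tau):
    """Incoming copy of `code` with code phase tau chips: y(m) = x(m - tau)."""
    tau %= len(code)
    return code[-tau:] + code[:-tau]


# Constructed scenario: authentic PRN22 at code phase 300, plus a Cicada
# replica of PRN22 at code phase 700 with 50x the authentic amplitude.
TRUE_PHASE = 300
CICADA_PHASE = 700
CICADA_GAIN = 50


def authentic_signal():
    return delayed(ca_code(22), TRUE_PHASE)


def cicada_mixed_signal():
    cicada = delayed(ca_code(22), CICADA_PHASE)
    return [a + CICADA_GAIN * c for a, c in zip(authentic_signal(), cicada)]


def amplified_cross_peak():
    """Largest |cross-correlation| between a local PRN10 replica and a 50x
    amplified PRN1 (the Figure 4.2 situation), to be compared with the 1023
    autocorrelation peak of an unamplified code."""
    z = circular_xcorr(ca_code(10), [CICADA_GAIN * c for c in ca_code(1)])
    return max(abs(v) for v in z)


if __name__ == "__main__":
    print("clean acquisition (phase, peak):", acquire(authentic_signal(), 22))
    print("with Cicada (phase, peak):", acquire(cicada_mixed_signal(), 22))
    print("50x PRN1 seen by PRN10 replica:", round(amplified_cross_peak()))
```

With the Cicada replica present the search returns its code phase, not the authentic one, because the 50× peak dwarfs the 1023-chip autocorrelation peak, which is the two-peak picture of Figure 4.4.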


Figure 4.2 Correlation value when A_PRN1 = 50 A_PRN10

4.2.2 Tracking Stage

After the acquisition stage, the IF signal is processed in the tracking stage based on the acquired coarse carrier frequency and code phase. As discussed before, the tracking process contains carrier tracking and phase tracking. Here the carrier tracking is analysed. Carrier tracking uses PLL technology; the output of the integrate-and-dump process for a particular satellite k is:

$$I_k(j) = \sqrt{P_k}\, d_k(nT)\cos\phi_k + \frac{A}{2T}\int_{jT}^{(j+1)T} c_k(t - \tau_{inter})\, c_k(t - \tau_k)\cos(\Delta f\, t + \Delta\phi)\,dt \qquad (4.6)$$

$$Q_k(j) = \sqrt{P_k}\, d_k(nT)\sin\phi_k + \frac{A}{2T}\int_{jT}^{(j+1)T} c_k(t - \tau_{inter})\, c_k(t - \tau_k)\sin(\Delta f\, t + \Delta\phi)\,dt \qquad (4.7)$$

As discussed before, the discriminator used for the carrier tracking loop is φ_k = tan^{-1}(Q_k/I_k); in the design of the algorithm, the phase error is minimized when Q_k is zero and I_k is maximal. But in Equations (4.6) and (4.7), if Q_k is zero, the phase error calculated is:

$$\phi_k = \tan^{-1}\left(\frac{\int_{jT}^{(j+1)T} \frac{A}{2T}\, c_k(t - \tau_{inter})\, c_k(t - \tau_k)\sin(\Delta f\, t + \Delta\phi)\,dt}{\int_{jT}^{(j+1)T} \frac{A}{2T}\, c_k(t - \tau_{inter})\, c_k(t - \tau_k)\cos(\Delta f\, t + \Delta\phi)\,dt}\right) \qquad (4.8)$$

Because of the Cicada signal, the phase error can't be minimized to zero, and the carrier tracking fails to obtain an accurate carrier wave.

4.3 Simulation Result

The GPS signal data set used in my simulation was collected using the NordNav R30 sampling receiver in Turin, Italy, where the GIOVE-A satellite was visible. The data record is included on the DVD that comes with the book [13]. The parameters of the sampled GPS signal are:


• Sampling Frequency: 16.3676 MHz

• Intermediate Frequency: 4.1304 MHz

• Signed character (8 bit) sample format

The software modules used here were developed by the University of Colorado Aerospace Department and SiGe Semiconductor [42]. The simulated Cicada signal is transmitted from 35 km away from the receiver, with different power values, modulated onto a carrier wave at the L1 frequency. The transmitting power of the Cicada interference is varied; the propagation loss follows the Okumura model.

The length of the GPS signal is at least 36 s in this algorithm, to ensure that all navigation message subframes are provided. The Cicada signal has a length of 3 ms to ensure that it affects the acquisition process. The GPS signal, for instance, contains the signals of 5 satellites: SV3, SV15, SV16, SV18, SV19, SV21 and SV22. The Cicada signal is a series of sequences with many periods of the PRN code corresponding to satellite 22. Figure 4.3 presents the acquisition result when the local replica code is PRN22. The figure shows that the peak value is reached when the coarse carrier frequency is 4.1349 MHz (calculated from frequencyBinIndex 24) and the coarse code phase is 13475 (PRN samples). These two values will be used to derive the accurate values in the tracking stage.

Figure 4.3 Correlation in acquisition stage without Cicada Signal

But when the Cicada signal is mixed in at the GPS receiver front end, the acquisition result gives a different correlation value. When the Cicada power is 10^−6 W, Figure 4.4 shows the acquisition result when the local replica is PRN22. In this situation, the acquired carrier frequency is 4.1309 MHz (frequencyBinIndex 15), and the code phase is 15770.

Figure 4.4 Correlation in acquisition stage with Cicada Signal

Comparing Figure 4.3 and 4.4, we can see that the powerful Cicada signal misleads the GPS receiver to derive different values for next stage. In Figure 4.4, it is clear that there are two peak values, one is caused by the Cicada signal, another one is the same value as Figure 4.3. So we can clearly understand how the Cicada signal affects the GPS receiver at the acquisition stage.

Then, the IF signal is processed in the tracking stage based on the acquisition result. The tracking result consists of the discriminator errors and the phase arm values. The in-phase arm value can be truncated to −1 and +1. Here, finding the preamble is most important for decoding the navigation data; the preamble indicates the start of the subframe. As we know, the preamble bits are [1 −1 −1 −1 1 −1 1 1], and the correlation value of two perfectly aligned preamble patterns is 8, or −8 when the inverted preamble is perfectly located. The bit rate is 1000 sps in the tracking output and each data bit is 20 ms long, so each bit of the preamble pattern needs to be sampled 20 times. The correlation value then changes from ±8 to ±160. Figure 4.5 presents part of the correlation result when the location of the preamble of satellite 15 is found in one channel. The figure shows that there are several high peaks which reach 160 or a little less. For the 37 s length of signal, it must find six preamble patterns, each of them 6 s from the adjacent patterns.


Figure 4.5 Correlation between the navigation data of satellite 15 and the preamble bits

But the correlation gives different values when searching for the preamble bits in the navigation data of satellite 22. Figure 4.6 shows that no preamble pattern exists. Because of the Cicada signal, the GPS receiver couldn't track the signal to acquire the accurate carrier wave and code phase, and the decoded navigation data is not correct because the demodulation process removes the carrier wave and PRN code based on the output of the tracking loops. The calculated user position changes when comparing before and after adding the Cicada signal. Figures 4.7 and 4.8 illustrate the navigation result of the original GPS signal and of the GPS signal under Cicada attack. But the difference between the two figures is not caused by the Cicada signal itself; the reason is that the GPS receiver chooses different satellite sets in the two calculations. Figure 4.8 shows that the signal of satellite 22 is not acquired successfully to help positioning, and the Position Dilution Of Precision (PDOP) is larger than in Figure 4.7, which means the Cicada attack makes the user position less precise by "hiding" one visible satellite. More investigation was done into what happens when the power of the Cicada signal becomes lower or higher. It shows that when the power is 10 times higher than the power considered before, the GPS receiver couldn't acquire enough satellite signals (not at least 4 satellites, but only 2) to derive the position information.

Figure 4.6 Correlation between the navigation data of satellite 22 and the preamble bits

Figure 4.7 Navigation plot without Cicada signal

Figure 4.8 Navigation plot with Cicada signal


In this situation, the Cicada attack can be considered a jamming signal that destroys the link between the satellites and the GPS receiver. When the power of the Cicada signal is 10 times lower, the simulation result shows that it won't affect the user's position. The GPS receiver can acquire the same satellites and derive the same position as in the situation without the Cicada signal.


Chapter 5 Relaying Attack

As discussed before, jammers and spoofers affect the GNSS system by increasing the pseudorange or destroying the satellite lock process. [43–46] present, in contrast, an attack that can decrease the measured distance: the Early Detect (ED) and Late Commit (LC) attack. While these efforts are concerned with the PHY of IEEE 802.15.4a, in this chapter the ED and LC attack will be considered for attacking a GNSS system, to investigate how it could affect the pseudorange estimates.

5.1 Introduction to ED and LC Attack

One way to see the distance-decreasing attack is to say that the attacker needs to 'shift' the signal back to an earlier time by some offset t_relay, which is the relay gain. But the channel delay between receiver and transmitter is unavoidable; it can be named t_delay, where t_delay < t_relay, so the measured pseudorange is decreased by c · (t_relay − t_delay). Figure 5.1 illustrates how the attack would work; the attacker should be on the transmission path between the satellite and the victim GPS receiver, which means that the legitimate GPS signal arrives at the attacker earlier than at the honest (victim) receiver.

Figure 5.1 Overview of a distance-decreasing Relay Attack in GNSS (the satellite transmitted signal, the attacker received signal and the attacker transmitted signal on a common time axis)

5.2 Attack Principle

The adversary deploys two antennas: a receiving antenna and a transmitting antenna. [45] illustrates how ED and LC attacks can be applied to the preamble bits and the payload data in the PHY of IEEE 802.15.4a, and concludes that attacks on both the preamble bits and the payload can decrease the measured distance. But unlike the IR-UWB signal, the ranging bits and payload data of the GPS signal are modulated together using DSSS, so the analysis of the ED and LC attack in GNSS shouldn't be divided into two parts. First, we must know how the GPS receiver derives the GPS signal transmission time; as in Figure 5.2, the satellite starts transmitting the preamble bits at time t1, and the GPS receiver finds the position where the preamble bits start (time t2) to calculate the transmission time ∆t. The attacker acquires the GPS signal successfully and meanwhile forwards it, without having enough time to fully demodulate it, which is unnecessary anyway. In the rest of this chapter, the analysed signal format is the modulated sinusoid signal.

Figure 5.2 Satellite code transmission time

The attacker may use an implementation that doesn't wait for the bit decision until all the energy of the bit has been received and integrated. Since early detection makes the decision for a bit before all its energy has been received, the attacker must have a higher SNR than a normal receiver needs in order to obtain a reasonable Bit Error Rate (BER).


The early detection attacker detects part of one bit to determine the bit value; for example, the attacker receiver detects 1/m of the bit duration, then the attacker transmitter sends the bit according to the detection, saving (m−1)/m of the bit duration. Figure 5.3 demonstrates the operation of the attacker receiver and transmitter. The middle curve is the signal received by the attacker receiver. It starts comparing each chip with the first chip (or with a local cosine wave): if the comparison result is positive, the next chip will be transmitted like the first chip; if the comparison result is negative, the attacker transmitter will invert the next chip. The signal period used for the comparison (detection) is tED, so in this situation, when increasing the value of tED, the BER at the honest receiver will rise accordingly.

Figure 5.3 Early Detection attack; the top curve is the initial signal, the middle curve is the signal received by the attacker receiver and the bottom curve is the signal transmitted according to the detection decision.

At the same time, if we introduce the 'Late Commit' attack in the attacker transmitter, as in Figure 5.4, the attacker receiver antenna performs the Early Detect attack by choosing tED << tchip. tED could be very small, which will affect the attacker's performance. The attacker receiver performs early detection; meanwhile, the transmitting antenna of the attacker performs the Late Commit attack: it starts to transmit a chip before it receives the chip value from the receiver antenna. Then, when the attacker receiver determines the phase of the PRN chip, the attacker transmitter continues transmitting the chip with the determined phase. At first, the transmitter doesn't know the phase of each chip; it just guesses it, and after obtaining the phase value from the receiver, it changes the phase if the guessed value is not correct. For the first chip, the transmitter keeps the current phase to send the first chip; then it continues transmitting the second chip with the current phase, but when the receiver detects that the second chip and the first chip have different phases, it immediately inverts the current phase to continue sending the second chip, and likewise for the third chip. The red part in Figure 5.4 is the wrongly guessed value; the duration of the red part is trelay.

Figure 5.4 Signal processing at attacker (top: received signal at the attacker with successive tED detection windows; bottom: transmitted signal at the attacker with tLC windows and the relay gain trelay)

Assume the signal transmitted by the satellite is

s(t) = c(t) d(t) cos(ωt)   (5.1)

where c(t) is the PRN code, d(t) is the navigation data and cos(ωt) is the carrier wave. The signal s(t) arrives at the attacker after a transmission delay t0:

ra(t) = c(t − t0) d(t − t0) cos(ω(t − t0)) + N0   (5.2)

where N0 is noise. The attacker transmitter sends a simulated copy of the satellite signal τ earlier than it receives it:

sa(t) = c(t − t0 + τ) d(t − t0 + τ) cos(ω(t − t0 + τ)) + N0   (5.3)

Assume the signal sa(t) arrives at the honest receiver after a time t1:

rh(t) = c(t − t0 + τ − t1) d(t − t0 + τ − t1) cos(ω(t − t0 + τ − t1)) + N   (5.4)

Comparing (5.1) and (5.4), we know that the total delay is t0 − τ + t1, but whether this is smaller or larger than t0 depends on the sign of τ − t1:

• if τ − t1 > 0, the delay t0 − τ + t1 < t0, in which case the estimated pseudorange is decreased; the relay gain is τ − t1.

• if τ − t1 < 0, the delay t0 − τ + t1 > t0, in which case the estimated pseudorange is increased.


5.3 Performance Evaluation

The first issue of this analysis is how to detect the phase of the cosine wave, which has only two values: 0° and 180°. In our case, the transmitter initially sends a signal with 0° phase; after the receiver detects the first chip's phase, the transmitter continues to transmit with the current phase (we assume that the first chip's phase is the same as the phase of the previously transmitted signal), so in the following we only need to compare each chip's phase with the first chip: if they have the same phase, the transmitter continues sending with the current phase, otherwise it inverts the signal. To compare each chip with the first chip, we choose division. For example, cos x / cos x = 1 and cos x / cos(x + 180°) = −1. So if (other chip)/(first chip) < 0, they have different phases; if (other chip)/(first chip) > 0, they have the same phase. The length of signal to be checked is tED, which is used to determine the chip value. Figure 5.5 presents the result of comparing the second chip with the first chip and the fifth chip with the first chip. If the number of positive values among these samples is larger than the number of negative values (5.5a), the transmitter will send the next chip with the current phase; otherwise, the transmitter will invert the next chip (5.5b).

The next issue is the red part of the wave in Figure 5.4, whose length equals that of the previously transmitted signal. Sending this part of the signal is not based on the receiver, but on the last transmitted signal symbol. After transmitting a symbol, the adversary transmitter continues to send the signal with the current phase; then, when it gets the early detection result from the adversary receiver, the transmitter sends the relevant signal according to that result: it continues transmitting the current signal if the comparison result looks like Figure 5.5a, otherwise it inverts it. As in Figure 5.4, the red wave occurs because the guessed signal is not correct, which could cause wrong bit demodulation at the legitimate (victim) GPS receiver.

Figure 5.5 Phase detection

5.3.1 ED Attack

In my simulation, there is an adversary between a satellite and a legitimate receiver; the adversary has two antennas, a receive antenna and a transmit antenna. The adversary receives the GPS signal earlier than the legitimate receiver; the GPS signal contains only one satellite signal (simplified model). After receiving the GPS signal, the adversary processes it (increasing the SNR, early detection, etc.). Then the adversary transmitter sends a signal based on this processing, assuming that the legitimate receiver already locks onto the adversary's signal.

The parameters of the simulation are provided in Table 5.1; the different tED values will demonstrate whether and how different early detection times affect the attack performance, and the different SNR values show how the environment affects it. In the simulation, the first chip can be used as the reference for comparison, or the local cosine wave can be used as the reference instead.

Table 5.1 Parameters in ED attack simulation
Carrier Frequency: 204.6 MHz
Sampling Frequency: 8 × 204.6 MHz
PRN codes per data bit: 20
SNR: [-3 0 1 3 8] dB
tED: [10 20 30 100] ns

The attacker receiver tries to detect the bit value during tED, so theoretically, when increasing tED, the detection accuracy will be raised and the BER reduced. Figure 5.6 presents the BER values for different SNR and different tED. It shows that tED doesn't need to be very large when the SNR is high enough, as we can then get very low BER. When SNR = 1 dB, the BER becomes very low (10^−4) when tED is larger than 30 ns. Looking back at Figure 5.3, we know that the possibility of errors in signal detection decreases with increasing detection time. But in our simulation, the bits being compared are PRN code chips, not navigation data bits, because of a simulation limitation (one whole navigation message couldn't be simulated on my computer). So in a real system, the chip errors might not introduce navigation data errors because of the DSSS modulation, which is what we want, because the relay attacker tries to reduce the measured distance, not jam the signal. But from the simulation result, we know that tED should be large if we want low BER; on the other hand it should be small if we want to significantly reduce the satellite-victim receiver distance, which will be discussed later.

Figure 5.6 Early Detect attack result

5.3.2 ED-LC attack

If we introduce the Late Commit attack in the attacker transmitter, the situation changes because the LC attacker introduces guessed values (tLC), transmitted before the detection result arrives from the receiver. From Figure 5.4, it's clear that the longer the guessed part of a symbol is, the higher the BER. But we can, of course, eliminate this BER addition by increasing the SNR of the remaining part. Comparing Figure 5.7 and Figure 5.6, we can see that when introducing the LC attack, the BER becomes higher than with the ED attack alone. In Figure 5.7, even when increasing tED, the BER couldn't reach the value of Figure 5.6. For example, when tED is 100 ns, the BER without the LC attack is almost 0, but the BER with the LC attack is almost 0.009. That is caused by the guessed signal. But when tED is larger, say 200 ns and 500 ns, the BER doesn't differ much, because once tED is large enough, a further increase of tED couldn't visibly reduce the BER further.

In order to get low BER, one solution is to increase the amplitude (SNR) of the tchip − tLC part of the symbol, which is transmitted based on the early detection result. Then at the GPS receiver, the tchip − tLC part will dominate the demodulation result, and the bit error probability caused by tLC will decrease, as in Figure 5.8. The BER decreases compared to Figure 5.7, and the result approaches that of the ED attack (Figure 5.6).

Figure 5.7 BER with LC without increasing amplitude; the whole symbol has the same amplitude (SNR), here tLC = 3/8 ∗ tchip

Figure 5.8 BER with LC with increased amplitude (SNR); the amplitude of the tchip − tLC part is 1/(tLC/tchip) times the amplitude of the tLC part, here tLC = 3/8 ∗ tchip


Since tLC affects the BER, we want to investigate how different tLC values influence the performance. Theoretically, when increasing tLC, the uncertainty of the signal rises as well. Figure 5.9 presents the relationship between BER and tLC, obtained by fixing SNR and tED. Here we can see that when tLC is large, the BER is extremely high, which will make the GPS receiver unable to decode its position. The BER stays the same (0.5) once tLC reaches a certain value; that is because the tLC part of the symbol is a guessed symbol, whose randomness leads to 0.5 probability for each demodulated value (+1 and −1), so if the tLC part of the symbol dominates the demodulation, it gives a 0.5 bit error rate.

Figure 5.9 BER for different tLC; the amplitude (SNR) of the (tchip − tLC) part is raised by 5 times, and tED = 50 ns, here tchip = 977.5 ns

5.3.3 The Relay Time

In the relay attack, the gain time differs when only using the ED attack or when introducing the LC attack. Of course we need to consider the transmission delay between the attacker receiver and the attacker transmitter (which is essentially the attacker channel); for example, if the attacker receiver and transmitter are placed dA = 100 m apart, then the transmission time tA = dA/c = 333.3 ns must be considered. In the ED attack, the signal is transmitted before the whole symbol has been received, so the gain time is:

trelay = tchip − tED − tA   (5.5)

In our research, if tED = 100 ns (for low BER) and dA = 100 m, the gain time is trelay = 544.2 ns and the measured distance will be reduced by d = 163.26 m. When introducing the LC attack, the relay time of ED-LC can be represented as in Figure 5.10. As discussed before, the condition is tED < tLC; in this case, trelay = tLC − tED. In Figure 5.10, assuming ARX and ATX are located at the same place, there doesn't exist any propagation delay between them. So here the measured distance is reduced by:

dr = c ∗ trelay = c ∗ (tLC − tED)   (5.6)

Figure 5.10 Relay time presented on one symbol (labels: HTX, ARX/ATX, HRX; the symbol is divided into trelay, tLC, tED and the part based on the detection)

We consider the spreading sequences, whose BER is not the BER of the navigation data. But in reality, there should be some connection between the BER of the PRN codes and the BER of the navigation data (which could be found in future work). So here we need to find what tLC is needed to reach a specified BER of the navigation data (assuming we know the relationship between the BER of the PRN codes and the BER of the navigation data), so that the GPS receiver can still decode the navigation data and acquire its position coordinates. Assuming it requires BER < 1% for the PRN codes to reach an acceptable BER for the navigation data so that it can decode its position, from Figure 5.9 tLC shouldn't be larger than 4.5/8 × tchip in that situation.
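As an added example (not the thesis's own simulation code), the following Python model reproduces the mechanics of Sections 5.3.1 to 5.3.3: early detection by majority vote over the first tED of each chip, the late-commit guess sent before the detection result is known, the amplitude boost of the tchip − tLC part, the victim's whole-chip correlation, and the relay-gain formulas (5.5) and (5.6). Everything not in the thesis is assumed or constructed here: unit-amplitude BPSK chips on a cosine carrier, a random PRN chip sequence, equal SNR on both links, a local cosine as the attacker's reference, and the previous chip's phase as the late-commit guess.

```python
"""Chip-level model of the ED and ED-LC relay attack (Sections 5.3.1 to 5.3.3).
Added example, not the thesis's own code. Assumed: unit-amplitude BPSK chips on a
cosine carrier as in eq. (5.1), 8 samples per carrier cycle, Gaussian noise of equal
SNR on both links, a local cosine as phase reference, previous chip phase as guess."""
import math
import random

C_LIGHT = 3.0e8                  # m/s, the value the thesis uses (100 m -> 333.3 ns)
F_CARRIER = 204.6e6              # Hz, Table 5.1
F_SAMPLE = 8 * F_CARRIER         # Hz, Table 5.1
T_CHIP = 977.5e-9                # s, Figure 5.9
SAMPLES_PER_CHIP = int(round(T_CHIP * F_SAMPLE))              # 1600
# One carrier cycle, rounded so the two zero crossings are exact zeros.
COS_TABLE = [round(math.cos(2 * math.pi * k / 8), 12) for k in range(8)]

def noise_sigma(snr_db):
    """Noise standard deviation giving snr_db for a unit-amplitude cosine (power 1/2)."""
    return math.sqrt(0.5 / 10 ** (snr_db / 10))

def samples(t):
    """Number of samples in a time interval t (seconds)."""
    return int(round(t * F_SAMPLE))

def early_detect(chip, n_ed, sigma, rng):
    """Attacker receiver: decide the chip phase from only its first n_ed noisy samples.
    sign(r / ref) == sign(r * ref), so the product avoids dividing by a zero reference."""
    votes = 0
    for k in range(n_ed):
        ref = COS_TABLE[k % 8]
        r = chip * ref + rng.gauss(0.0, sigma)
        if ref:                                   # zero-crossing samples carry no vote
            votes += 1 if r * ref > 0 else -1
    return 1 if votes >= 0 else -1

def victim_decides(detected, guess, n_lc, boost, sigma, rng):
    """Victim receiver: correlate the relayed chip with its local replica. The first
    n_lc samples carry the late-commit guess at unit amplitude; the remaining
    t_chip - t_LC part carries the early-detection result scaled by `boost`."""
    corr = 0.0
    for k in range(SAMPLES_PER_CHIP):
        ref = COS_TABLE[k % 8]
        amp, phase = (1.0, guess) if k < n_lc else (boost, detected)
        corr += (amp * phase * ref + rng.gauss(0.0, sigma)) * ref
    return 1 if corr >= 0 else -1

def simulate_ber(n_chips, snr_db, t_ed, t_lc=0.0, boost=1.0, seed=1):
    """Chip error rate at the victim for an ED relay (t_lc = 0) or an ED-LC relay."""
    rng = random.Random(seed)
    sigma = noise_sigma(snr_db)
    n_ed, n_lc = samples(t_ed), samples(t_lc)
    errors, prev = 0, 1               # transmitter starts with 0-degree phase (Section 5.3)
    for _ in range(n_chips):
        chip = rng.choice((1, -1))                      # constructed random PRN chip
        detected = early_detect(chip, n_ed, sigma, rng)
        if victim_decides(detected, prev, n_lc, boost, sigma, rng) != chip:
            errors += 1
        prev = detected                                 # next guess: keep current phase
    return errors / n_chips

def ed_relay_gain(t_ed, d_attacker):
    """Eq. (5.5): t_relay = t_chip - t_ED - t_A, t_A being the attacker's own path delay."""
    return T_CHIP - t_ed - d_attacker / C_LIGHT

def ed_lc_relay_gain(t_lc, t_ed):
    """Eq. (5.6) requires t_ED < t_LC; the relay gain is then t_LC - t_ED."""
    if t_ed >= t_lc:
        raise ValueError("t_ED must be smaller than t_LC")
    return t_lc - t_ed

def distance_reduction(t_relay):
    """Pseudorange decrease c * t_relay in metres."""
    return C_LIGHT * t_relay

if __name__ == "__main__":
    for t_lc, boost in ((0.0, 1.0), (5 * T_CHIP / 8, 1.0), (5 * T_CHIP / 8, 5.0)):
        ber = simulate_ber(200, 8.0, 50e-9, t_lc, boost)
        print(f"t_LC = {t_lc * 1e9:6.1f} ns, boost = {boost}: BER = {ber:.3f}")
    gain = ed_relay_gain(100e-9, 100.0)
    print(f"ED relay gain {gain * 1e9:.1f} ns -> {distance_reduction(gain):.2f} m")
```

With tLC = 5/8 tchip and no boost the guessed part outweighs the committed part and the BER sits near 0.5, as in Figure 5.9; a boost of 5 on the tchip − tLC part brings it back to 0, as in Figure 5.8.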

Chapter 6 Conclusion and Future Work

6.1 Summary

Through this thesis project, I understood the GPS structure, its working principles and the principles of interference attacks. GPS has evolved into a mature system whose position accuracy can reach 10 m in civilian use. Although GPS uses technologies like DSSS, differential GPS, Kalman filters, etc., to cope with intentional and unintentional interference, multipath and other distortions, there are still ways to affect GPS performance with special devices. We considered briefly how spoofing and jamming interference affect the GPS system, their attack principles and protection methods.

The Cicada attack is implemented and investigated to see how it can affect GPS; it aims at the symbol synchronization or time acquisition stage, making use of the publicly known PRN codes to attack the time acquisition process. The simulation result shows that the Cicada attack can hide a satellite when using that satellite's PRN to implement the attack. The calculated position could deviate mildly because the GPS receiver chooses a different satellite set for the calculation. When the power of the Cicada attack is high enough, it can jam the GPS receiver so that the receiver couldn't acquire enough satellites for positioning.

I also evaluate a relay attack, which could reduce the measured distance. My work finds that the ED attack can reduce the measured distance by c ∗ (tchip − tED), with very low BER (PRN chip bits) at the GPS receiver. Because the GPS signal uses DSSS modulation, after converting to navigation message data bits the BER will be much lower, because 20 ∗ 1023 chips correspond to one navigation data bit. When introducing the LC attack in the attacker transmitter, the BER depends on which part of the symbol dominates the demodulation, as discussed in the last chapter. So in order to decode the GPS signal successfully, tLC shouldn't be so large that it is able to dominate the demodulation.

6.2 Future work

With appropriate equipment, the Cicada attack could be generated by a signal generator, to find out whether and how it affects GPS (the GPS receiver in a mobile phone) locating nearby. The GPS signal after the relay attack could also be acquired by hardware (a GPS signal collector) to investigate the relationship between tLC and the successful demodulation rate in the GPS receiver.

References

[1] Jean-Marie Zogg. GPS Basics. u-blox AG, 2002.

[2] Elliott D. Kaplan and Christopher J. Hegarty. Understanding GPS: Principles and Applications. Artech House, 2006.

[3] The Assistant Secretary of Defense for Networks and Information Integration of USA. Global Positioning System Standard Positioning Service Performance Standard, 4th edition, 2008.

[4] The Assistant Secretary of Defense for Networks and Information Integration of USA. Global Positioning System Precise Positioning Service Performance Standard, Feb 2007.

[5] Fgnievinski and WDGraham. List of GPS satellites. en.wikipedia.org/wiki/List_of_GPS_satellite_launches. 6 June 2013.

[6] R.R. Bate, D.D. Mueller, and J.E. White. Fundamentals of Astrodynamics. Dover Books on Aeronautical Engineering Series. Dover Publications, 1971.

[7] National Coordination Office for Space-Based Positioning, Navigation and Timing. The global positioning system. www.gps.gov/systems/gps/. Jan 2013.

[8] Maria George, Mujtaba Hamid, and Andy Miller. Gold code generators in Virtex devices. Xilinx Application Note xapp217, v1, 1, 2000.

[9] Dennis Matthew Akos. A software radio approach to global navigation satellite system receiver design. 1997.

[10] Dennis M Akos and James BY Tsui. Design and implementation of a direct digitization GPS receiver front end. Microwave Theory and Techniques, IEEE Transactions on, 44(12):2334–2339, 1996.

[11] Yuan Yu, Qing Chang, and Yuan Chen. Design and simulation of a fully digitized GNSS receiver front-end. Discrete Dynamics in Nature and Society, 2011, 2011.

[12] Beatrice Motella, Marco Pini, and Fabio Dovis. Investigation on the effect of strong out-of-band signals on global navigation satellite systems receivers. GPS Solutions, 12(2):77–86, 2008.

[13] Kai Borre. A software-defined GPS and Galileo receiver: a single-frequency approach. Springer, 2007.

[14] Ch Kabakchiev, V Behar, and K Rohling. Adaptive c/a code acquisition in conditions of broadband interference with mvdr and cfar techniques. In Proc. of the European Navig. Conf. on Glob. Navig. Satel. Syst.-ENC GNSS 2010, 2010.

[15] Daniele Borio. Gnss acquisition in the presence of continuous wave interference. Aerospace and Electronic Systems, IEEE Transactions on, 46(1):47–60, 2010.

[16] Bernhard C Geiger, Michael Soudan, and Christian Vogel. On the detection probability of parallel code phase search algorithms in GPS receivers. In Personal Indoor and Mobile Radio Communications (PIMRC), 2010 IEEE 21st International Symposium on, pages 865–870. IEEE, 2010.

[17] Panagiotis Papadimitratos and Aleksandar Jovanovic. Gnss-based positioning: Attacks and countermeasures. In Military Communications Conference, 2008. MILCOM 2008. IEEE, pages 1–7. IEEE, 2008.

[18] Panagiotis Papadimitratos and Aleksandar Jovanovic. Protection and fundamental vulnerability of GNSS. In Satellite and Space Communications, 2008. IWSSC 2008. IEEE International Workshop on, pages 167–171. IEEE, 2008.

[19] Asghar Tabatabaei Balaei, Beatrice Motella, and Andrew G Dempster. Gps interference detected in sydney-australia. In Proceedings of the International Global Navigation Satellite Systems Society conference (IGNSS’07), 2007.

[20] R Johannessen, SJ Gale, and MJA Asbury. Potential interference sources to gps and solutions appropriate for applications to civil aviation. Aerospace and Electronic Systems Magazine, IEEE, 5(1):3–9, 1990.

[21] Juan M Parro-Jimenez, Rigas T Ioannides, Massimo Crisci, and José A López-Salcedo. Detection and mitigation of non-authentic GNSS signals: Preliminary sensitivity analysis of receiver tracking loops. In Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), 2012 6th ESA Workshop on, pages 1–9. IEEE, 2012.

[22] Todd E Humphreys, Brent M Ledvina, Mark L Psiaki, Brady W O Hanlon, and Paul M Kintner Jr. Assessing the spoofing threat: Development of a portable gps civilian spoofer. In Proceedings of the ION GNSS International Technical Meeting of the Satellite Division, 2008.

[23] Jon S Warner and Roger G Johnston. A simple demonstration that the global positioning system (GPS) is vulnerable to spoofing. Journal of Security Administration, 25(2):19–27, 2002.

[24] Tae-Hee Kim, Cheon Sig Sin, and Sanguk Lee. Analysis of effect of spoofing signal in gps receiver. In Control, Automation and Systems (ICCAS), 2012 12th International Conference on, pages 2083–2087. IEEE, 2012.


[25] Brent M Ledvina, William J Bencze, Bryan Galusha, and Isaac Miller. An in-line anti-spoofing device for legacy civil GPS receivers. In Proceedings of the 2010 International Technical Meeting of The Institute of Navigation, pages 698–712, 2001.

[26] Hengqing Wen, Peter Yih-Ru Huang, John Dyer, Andy Archinal, and John Fagan. Countermeasures for GPS signal spoofing. In ION GNSS, pages 13–16, 2005.

[27] Antonio Cavaleri, Beatrice Motella, Marco Pini, and Maurizio Fantino. Detection of spoofed GPS signals at code and carrier tracking level. In Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), 2010 5th ESA Workshop on, pages 1–6. IEEE, 2010.

[28] Letizia Lo Presti and Beatrice Motella. The math of ambiguity: what is the acquisition ambiguity function and how is it expressed mathematically? Inside GNSS, pages 20–28, 2010.

[29] Maurizio Fantino, Andrea Molino, Paolo Mulassano, Mario Nicola, and Marco Rao. Signal quality monitoring: Correlation mask based on ratio test metrics for multipath detection. In Proceedings of the International Global Navigation Satellite Systems Society (IGNSS) Symposium, Gold Coast, Australia, December, pages 1–3, 2009.

[30] Philip A Dafesh, Raghavendra Prabhu, and Esteban L Valles. Cognitive antijam receiver system (CARS) for GNSS. In Proceedings of the 2010 International Technical Meeting of The Institute of Navigation, pages 657–666, 2001.

[31] RH Mitch, RC Dougherty, M Psiaki, S Powell, B O'Hanlon, J Bhatti, and T Humphreys. Signal characteristics of civil GPS jammers. In Proceedings of the ION GNSS Meeting (Portland, Oregon), Institute of Navigation, 2011.

[32] Xu Yong et al. Estimating the interference of UWB pulse signal to GPS receiver. In ITS Telecommunications Proceedings, 2006 6th International Conference on, pages 286–289. IEEE, 2006.

[33] Wildemeersch Matthias and Fortuny-Guasch Joaquim. Radio frequency interference impact assessment on global navigation satellite systems. In JRC Scientific and Technical Reports, 2010.

[34] Daniele Borio, Cillian O'Driscoll, and Joaquim Fortuny. GNSS jammers: Effects and countermeasures. In Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), 2012 6th ESA Workshop on, pages 1–7. IEEE, 2012.

[35] Fernando D Nunes and Fernando MG Sousa. Jamming detection in GNSS signals using the sample covariance matrix. In Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), 2012 6th ESA Workshop on, pages 1–8. IEEE, 2012.


[36] Yimin D Zhang and Moeness G Amin. Anti-jamming GPS receiver with reduced phase distortions. Signal Processing Letters, IEEE, 19(10):635–638, 2012.

[37] Erik Axell, Geert Leus, Erik G Larsson, and H Vincent Poor. Spectrum sensing for cognitive radio: State-of-the-art and recent advances. Signal Processing Magazine, IEEE, 29(3):101–116, 2012.

[38] Beatrice Motella, Simone Savasta, Davide Margaria, and Fabio Dovis. Method for assessing the interference impact on GNSS receivers. Aerospace and Electronic Systems, IEEE Transactions on, 47(2):1416–1432, 2011.

[39] Beatrice Motella, Simone Savasta, Davide Margaria, and Fabio Dovis. A method to assess robustness of GPS C/A code in presence of CW interferences. International Journal of Navigation and Observation, 2010, 2010.

[40] Marcin Poturalski, Manuel Flury, Panos Papadimitratos, J-P Hubaux, and J-Y Le Boudec. The Cicada attack: degradation and denial of service in IR ranging. In Ultra-Wideband (ICUWB), 2010 IEEE International Conference on, volume 2, pages 1–4. IEEE, 2010.

[41] Marcin Poturalski, Manuel Flury, Panos Papadimitratos, J Hubaux, and JL Boudec. On secure and precise IR-UWB ranging. Wireless Communications, IEEE Transactions on, 11(3):1087–1099, 2012.

[42] University of Colorado Aerospace Department and SiGe Semiconductor. Front end hardware module. http://ccar.colorado.edu/gnss/. April 2012.

[43] Gerhard P Hancke and Markus G Kuhn. Attacks on time-of-flight distance bounding channels. In Proceedings of the first ACM conference on Wireless network security, pages 194–202. ACM, 2008.

[44] Jolyon Clulow, Gerhard P Hancke, Markus G Kuhn, and Tyler Moore. So near and yet so far: Distance-bounding attacks in wireless networks. In Security and Privacy in Ad-Hoc and Sensor Networks, pages 83–97. Springer, 2006.

[45] Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. Effectiveness of distance-decreasing attacks against impulse radio ranging. In Proceedings of the third ACM conference on Wireless network security, pages 117–128. ACM, 2010.

[46] Jason Reid, Juan M Gonzalez Nieto, Tee Tang, and Bouchra Senadji. Detecting relay attacks with timing-based protocols. In Proceedings of the 2nd ACM symposium on Information, computer and communications security, pages 204–213. ACM, 2007.

Declaration

I hereby certify that I have written this thesis independently and have only used the specified sources and resources indicated in the bibliography.

Stockholm, 10/10/2013 Kewei Zhang