The GPS Assimilator Upgrading Receivers via Benign Spoofing
Interference, jamming, and spoofing are increasing the GNSS user community’s concerns about the security and reliability of their receivers. Although solutions are being proposed for future equipment designs that can process multiple signals from multiple GNSS systems, this article introduces a method for upgrading existing GPS user equipment to improve accuracy, robustness, and resistance to spoofing.
Todd E. Humphreys, Jahshan A. Bhatti ers to improve satellite availability and especially for timing synchronization The University of Texas at Austin robustness against signal interference. — and the potential for financial gain or Major commercial GNSS receiver causing high-profile mischief make civil Brent M. Ledvina manufacturers already have product GNSS jamming and spoofing a gather- Coherent Navigation roadmaps in place that anticipate these ing threat. Since the publication of the demands. Manufacturers realize that U.S. Department of Transportation’s they will be at a competitive disadvan- Volpe Report on GPS dependence nearly hat will GNSS receivers look tage relative to their peers if they only a decade ago, GNSS security researchers like five years from now? offer a subset of available GNSS signals have repeatedly warned that civil GPS The answer, of course, to sophisticated users. “Why should I is not yet secure, and that users trust its Wdepends on the application. have to choose between signals? ” their signals at their peril. Mass-market receivers used in applica- customers will complain, “I’d like all of As Professor David Last commented tions that do not require precision posi- them!” at a recent conference on GNSS security, tioning and timing (hand-held units for Then there is the issue of GNSS secu- “Navigation is no longer about how to hikers, for example) will likely remain rity. At one time, perhaps 20 years ago measure where you are accurately. That’s simple, single-frequency L1 C/A-code– or more, computer users were largely easy. Now it’s how to do so reliably, safe- based GPS devices. unconcerned with the security of their ly, robustly.” On the other hand, a growing seg- personal computers. That time has Secure positioning, navigation, and ment of military and civilian GNSS passed. As any victim of a computer timing (PNT) will require use of all users will demand greater accuracy and virus knows, firewalls, anti-virus soft- available means: inertial navigation sys- reliability from their receivers than can ware, and protocols for secure data tems, stable frequency sources, multiple be offered by single-frequency GPS. They transfer are no longer optional, but antennas, and cryptographic authenti- will want multi-frequency GNSS devices required. cation. Product designers and system to combat ranging errors due to iono- Likewise, the deepening dependence integrators will also want to exploit all spheric delay, and multi-system receiv- of the civil infrastructure on GNSS — radio frequency signals from which PNT
50 InsideGNSS june 2010 www.insidegnss.com information can be extracted — includ- GPS and other observables. The spoofer tight coupling between the GPS receiver ing non-GNSS signals and signals never is described in a paper by T. E. Hum- and the oscillator that it disciplines, the intended to be used for PNT. phreys et alia (2008) listed in Additional GPS receiver component cannot be eas- In short, PNT devices in critical Resources near the end of this article. ily swapped with a modern, secure ver- applications five years from now will Our benign spoofing technique is sion. likely be remarkably capable and secure embodied in a device, called the GPS Phasor Measurement Units (PMUs). Also devices that adhere to an all-signals-in- Assimilator, whose output is injected known as synchrophasors, these devices view, all-available-means philosophy. directly into the radio frequency (RF) couple a GPS receiver to power measure- Meanwhile, however, the over- input of existing GPS equipment to ment equipment in order to simultane- whelming majority of GNSS receivers immediately “robustify” the equipment ously obtain the phasor values of voltag- — even those in critical applications against GPS outages and interference. es and currents at particular instants of — are simple L1 C/A-based devices that This article describes the GPS Assimi- time. Although now used primarily for fail when signals are blocked or jammed, lator’s design and operation and reports monitoring, these devices are expected complaining, “Need clear view of sky.” the preliminatry performance results of to see widespread future application in Moreover, no commercially available a prototype model. closed-loop control systems designed civil GNSS receiver, as far as we are to increase the carrying capacity of the aware, incorporates even rudimentary Documenting the Need power distribution grid. defenses against spoofing. Consider three examples of existing The widespread installed base of Will these receivers be considered devices for which Assimilator augmen- PMUs (in Texas alone there are more obsolete in the near future as new equip- tation is potentially preferable to replace- than 8,000 installed today) represents ment that incorporates multiple signals, ment. a considerable investment. Unfortu- GNSS systems, and security measures Time Reference Receivers. These devic- nately, like time reference receivers, reaches the market? Perhaps. And per- es, which typically cost several thousand the embedded GPS receivers in PMUs haps the prudent course of action is to dollars apiece, couple a GPS receiver to a are easily spoofed. Timing errors lead replace them with secure and reliable stable oven-controlled crystal oscillator to phasor angle errors, and, when these modern devices. (OCXO) or atomic frequency reference. reach several degrees (~100 microsec- A decision to replace existing receiv- Timing receivers are used extensively onds), they could destabilize closed- ers, however, cannot be made lightly. in telecom networks; in particular, the loop control of transient swings, ulti- The millions of deployed GNSS receiv- IS-95 CDMA-based digital cellular stan- mately damaging critical components ers in operation around the globe today dard and its progeny require each base of the power grid. represent an enormous investment in station to be synchronized with a GPS Embedded Military GPS Receivers. equipment and training. Moreover, in receiver so that the timing of transmis- Unsurprisingly, GPS receivers find wide- many cases the GNSS receiver is only sions can be controlled to better than 10 spread use in armed forces worldwide. an embedded subcomponent of a larger microseconds. Several hundred thousand devices have PNT-reliant system. It may be inconve- Modern GNSS time reference receiv- been procured by the U.S. Department nient, unsafe, or expensive to replace ers easily meet this requirement. They of Defense and foreign military sales these embedded devices with modern are also capable of extended (24–36 customers over the last five years — a counterparts. Nonetheless, the vulner- hours) “holdover mode” operation in substantial collective investment. A large ability of existing receivers, embedded case of signal blockage or jamming. fraction of military-grade GPS receivers and otherwise, to signal obstruction, Nonetheless, recent experiments with are used as embedded receivers, being jamming, and spoofing, and their inabil- a popular time reference receiver model coupled to targeting, tracking, and com- ity to make use of modernized GNSS at the University of Texas Radionaviga- munications equipment via well-defined signals and other signals of opportunity, tion Laboratory have revealed that these and field-tested interfaces. leaves much to be desired. receivers are easily spoofed. Within the Blockage or jamming of incoming As an alternative to replacement of span of one hour, the pulse-per-second GPS signals can render these critical existing equipment, we propose aug- output of a receiver originally locked to downstream systems inoperable. Coun- mentation. We have developed a tech- authentic GPS signals can be driven to a terintuitive as it may seem that a vehi- nique for upgrading existing GNSS user larger than 10-microsecond error with- cle-to-vehicle communications system equipment to address their shortcomings out raising any of the receiver’s internal would be disabled by GPS blockage, such without requiring hardware or software alarms. is the nature of modern dependence on modifications to the equipment. The obvious implication — that it precision navigation and timing. This technique re-purposes a portable would take a malefactor less than one Each of these example devices would civil GPS spoofer to generate “friendly” hour to render a cell-phone base sta- experience benefits in accuracy, robust- spoofing signals whose implied naviga- tion inoperable via spoofing — is cause ness, or security from coupling to a solu- tion solution is derived from a fusion of for concern. Unfortunately, due to the tion such as the GPS Assimilator. www.insidegnss.com june 2010 InsideGNSS 51 gps assimilator
GPS Galileo Digital Signal Processor Iridium Multi-System Embedded Synthesized Receiver Module GPS RF Nav. & Timing RF Signals Target GPS Front-End Fusion Module Signal Anti-Spoofing Simulator Receiver Bank Module (A) Anti- GPS, Galileo, Iridium, GLONASS, Spoofing eLORAN,Compass, cell telephone Module (B) signals, etc.
Baseband PVT data (e.g., INS, keyboard, time source)
FIGURE 1 Block diagram of the conceptual Assimilator device.
Conceptual Assimilator ing obtained a PNT solution, the assim- from an internal or external database in The Assimilator concept is based on the ilative approach is warranted in cases order to make use of the observables. principle that from virtually any modern where, due to tight embedded coupling Navigation and Timing Fusion Module. environment one can extract a wealth with expensive downstream equipment The observables are sent to a central of navigation and timing-related infor- or due to user familiarity, augmenting navigation and timing fusion mod- mation. Thus, the Assimilator behaves existing equipment is more cost-effective ule, which also accepts baseband PNT opportunistically, scanning ambient or safer than replacing it. inputs. For each input signal there exists radio waves for PNT information while in the fusion module an a priori noise also accepting baseband data from an Assimilator Components and signal dynamics model, enabling the inertial navigation system (INS), an Figure 1 introduces the Assimilator con- data to be optimally fused in a Bayesian external time source, or directly from cept in block diagram form. We will dis- estimation framework. the user. cuss each subcomponent in turn. Anti-Spoofing Module. Both the multi- All extracted PNT information is Front-End Bank. A bank of RF front system receiver module and the navi- fused to yield an optimal navigation and ends digitizes segments of the RF spec- gation and timing fusion module are timing solution. Up to this point, the trum containing signals that poten- equipped with anti-spoofing software. Assimilator is no different from other tially bear PNT information. Naturally, Module A, which resides within the proposed systems for robust navigation GPS, Galileo, and other GNSS signals multi-system receiver module, continu- and timing that employ an “all available are among these, but so are terrestrial ously scans the RF data streams entering means” philosophy. For these proposed radionavigation signals such as LORAN/ the Assimilator for spoofing signatures. systems, as for the Assimilator, GPS is enhanced LORAN (now only outside the Module B, which resides within the but one of several potential sources of United States) as well as communication navigation and timing fusion module, PNT data. signals from cell phone towers or Irid- watches for inconsistencies between Having obtained a fused PNT solu- ium satellites — signals not originally observables in the centralized solution. tion, however, the Assimilator then takes designed for PNT. Further details on these modules will be an unusual additional step: it embeds the Multi-System Receiver Module. The dig- given later on. PNT solution in a consistent set of syn- itized data exiting the RF front-end bank Embedded GPS Signal Simulator. The thesized GPS L1 C/A signals, the com- are routed to a software-defined multi- output of the navigation and timing mon denominator of all existing GNSS system receiver module implemented on fusion module feeds an embedded GPS equipment. By casting its solution into a digital signal processor (DSP). Here, signal simulator. The embedded sig- this output format, the Assimilator can each target signal is tracked, either inde- nal simulator is depicted in Figure 1 as deliver the additional accuracy, robust- pendently or as part of a vector tracking residing partly outside the DSP because ness, and security of its solution to any loop. it includes an external RF upconversion GNSS device by simply injecting its out- Observables extracted from each component. put into the RF input of the target device. signal may include pseudorange, carrier Several options are possible for signal Thus, the Assimilator acts as a conduit phase, carrier Doppler, signal strength, simulation: for funneling ambient PNT information and navigation data. In the case of com- Impaired GPS L1 C/A. If reception to existing GNSS equipment, without munication or other signals not original- of GPS L1 C/A signals is impaired, then requiring hardware or software changes ly intended for navigation and timing, the embedded simulator can generate to the equipment. the Assimilator must draw supplemen- signal replicas in two ways: a “matched” Despite the inefficiency of re-gener- tary information such as ephemerides, mode in which the simulator generates ating GPS RF signals after already hav- clock offsets, or base station locations the same GPS L1 C/A signals that would
52 InsideGNSS june 2010 www.insidegnss.com n External {di}1 Data where
xn(τi), is the ith sample of the signal τ , the time of the ith sample n Nav. data i {tk}1 Generator An(τi), the amplitude at τi n d (τ), the navigation data bit value {θk} Control n i 1 Output RF Sample- that applies at τi n Module Stream {f } wise Up-conversion C (τ −t ), the ranging code chip D,k 1 Combiner Module Synthesized n i n,k value that applies at τ n RF Signals i P, V, T Local t , the start time of the kth ranging Simulator n,k Replica code interval Channels Generator Q{•}, a quantization function
fIF is the intermediate frequency FIGURE 2 Expanded view of the embedded GPS signal simulator θn(τi), the beat carrier phase at τi
fD,n,k the Doppler frequency shift at be visible to the Assimilator in clear sky Inside the Signal Simulator time tn,k. conditions, corrected to be consistent An expanded view of the embedded GPS The ranging code functionC n(τ) can with the fusion module’s PNT solu- signal simulator is shown in Figure 2. Its be expressed as tion; and a “fictitious” mode in which subcomponents will be treated in turn. the simulator generates a partially or Control Module. The control module entirely fictitious signal set the implied coordinates generation of the synthe- solution for which is consistent with the sized GPS signals by directing the car- and the navigation data bit function fusion module’s PNT solution. rier phase, carrier frequency, and code dn(τ) as Unimpaired GPS L1 C/A. If several phase in each of n simulator channels. sufficiently strong GPS L1 C/A signals The control module accepts the are available in the Assimilator’s envi- following inputs from the multi-sys- ronment, then the embedded simula- tem receiver module’s L1 C/A tracking tor can generate clean replicas of these, channels: the estimates of the start where {cn,j,cn,j+1,...} and {dn,j,dn,j+1,...} are, passing on to the target receiver the times of the kth ranging code interval respectively, the unique ranging code additional accuracy of the fused PNT on receiver channels 1-n; the estimates chip sequence and navigation data bit solution by continually applying correc- of the beat carrier phase on receiver sequence corresponding to the GPS sat- tions to the code start times and carrier channels 1-n at times ; and the esti- ellite whose signal is being emulated on phases of the GPS L1 C/A signals. mates of the Doppler frequency the nth simulator channel, Tc and Td are Again, we have two options for gen- shift on receiver channels 1-n at times the duration of one ranging code chip eration: a “non-aligned” mode in which . and one navigation data bit, and ∏T(τ) no attempt is made to align the code Further, the control module accepts is the usual rectangular support func- phase of the simulated and authentic sig- the following inputs from the fusion tion equal to unity over 0≤τ 0.15 ful for downstream square-root relationship between mini- s) systems. In this case, mum GDOP values implies that the er 0.145 the ith sample from minimum attainable GDOP for n satel- et (m 0.14 the nth simulator lites is r ro channel is weighted er 0.135 σ by the simulated 1- 0.13 amplitude An(τi) and 4 5 6 7 8 9 summed with the where is the minimum Number of simulated satellites corresponding sam- GDOP for 4 satellites. FIGURE 3 Minimum 1-σ position and range-equivalent timing error ples from the other Gains in precision due to increasing n deliverable to a target receiver by a one-bit quantized Assimilator simulator chan- are, unfortunately, vitiated by a decrease output stream, as a function of the number of simulated signals. For the underlying ranging precision model, a code tracking–loop averaging nels, each weighted in C/N0 for all signals as a consequence time of 10 seconds and an early-minus-late correlator spacing of one appropriately. The of the interference contributed by each chip are assumed. combined signal is additional simulated signal. If we assume then re-quantized that signals are simulated with equal is generated in one of two ways. When to produce an output bitstream. power and that the combined signal is GPS L1 C/A signals are available, a RF Upconversion Module. The output quantized to one bit in the sample-wise steady stream of navigation data bits is bitstream of the sample-wise com- combiner (one bit quantization being taken from the GPS L1 C/A channels of biner is routed to an RF upconversion a practical choice for signal generation the multi-system receiver module. Data module comprising a digital-to-analog on a compact, low-power platform), then bits extracted from the authentic signals converter, frequency mixers, filters, and we can show empirically that the C/N0 are fed to the navigation data generator a signal attenuator. The upconversion value for each simulated signal drops and compiled into a signal-specific data module converts the digital signal into from approximately 54 dB-Hz for n=4 bit library. a set of synthesized GPS signals at RF. to 51 dB-Hz for n=9. If the receiver module loses lock on The reference oscillator that drives the These C/N0 values can be incorpo- an authentic signal corresponding to one RF upconversion module must be the rated into a ranging precision model being simulated, then the navigation same oscillator that drives the Assimi- and combined with the GDOP values data generator continues to populate lator’s RF front-end bank. from Equation (6) to bound the posi- the simulated bitstream with navigation tion and time precision the Assimila- data from the data bit library, but the Capabilities and Limitations tor can deliver to the target receiver. library no longer gets updated as before. As with any system’s functionality, the Figure 3 shows this precision bound as This continues until the control module Assimilator has capabilities with finite a function of the number of simulated reconfigures the simulator channel to limits. In this section, we describe these signals. The plot indicates that under the generate another signal. in terms of accuracy, robustness, and assumptions presented here a precision If a simulator channel is configured security. of approximately 13 cm is attainable. to generate a signal for which there is no Accuracy. For maximum compat- The plot further indicates that there is recent data bit library, then the naviga- ibility with legacy GNSS receivers, the no advantage in simulating more than tion data generator produces data bits Assimilator outputs only GPS L1 C/A 6 signals. consistent with a standard ephemeris for signals. The narrow bandwidth (~2 Like the precision of code phase the corresponding satellite. The naviga- MHz) of the C/A ranging code limits the measurements derived from Assimila- tion data generator can also accept user- accuracy of the pseudorange-based posi- tor-generated signals, carrier phase pre- supplied satellite data in the form of a tion and time solution that the Assimila- cision is determined by the C/N0 values databit library or a satellite ephemeris. tor can deliver to the target receiver. The of the simulated signals. For n=6 simu- Sample-wise Combiner. Combination Assimilator compensates for this limita- lated signals of equal power, the rms car- of the signals generated in each of the tion by generating synthetic signals with rier phase errors are less than 0.4 degrees simulator channels is performed digi- high C/N0 and by selecting a constella- for each signal. tally sample-by-sample in the sample- tion geometry that minimizes the geo- Another aspect of accuracy has to wise combiner. For typical Assimilator metric dilution of precision (GDOP). do with how well the Assimilator can operation, all output signal are weighted For purposes of illustration, let’s sup- eliminate the effects of ionospheric equally so that the target GNSS receiver pose that the elevation mask angles of delay by exploiting multiple-frequency sees a set of received signals with equal the target receiver are disabled so that trans-ionospheric signals. The broad- carrier-to-noise (C/N0) ratios. for any number n of synthesized signals cast ionospheric model used in legacy However, the Assimilator is also the Assimilator can employ optimal single-frequency GPS receivers is known capable of matching ambient C/N0 constellation geometry, which includes to eliminate only approximately half of ratios in case this information is use- below-the-horizon satellites. The inverse the rms ranging error, leaving day-side 54 InsideGNSS june 2010 www.insidegnss.com zenith delay errors up to 10 meters for a One simple technique for extending multi-system receiver module. The mod- quiet ionosphere and much worse for an the mean time between cycle slips (and ule looks for outliers in pseudorange active ionosphere. decreasing the chances of frequency measurements in an extension of the By contrast, standard dual-frequency unlock) is to wipe off the navigation popular receiver-autonomous integrity L1 C/A and L2C GPS measurements at data bits from data-bearing channels so monitoring (RAIM) algorithm. C/N0=45 dB-Hz can be used to reliably that a traditional full-cycle carrier track- At a lower level in the processing estimate the ionospheric delay to within ing loop can be employed instead of a chain, the Assimilator’s anti-spoofing 0.66 meters. Thus, the multi-frequency half-cycle Costas loop. This technique is module A, which resides within the Assimilator can pass on to a single-fre- discussed in the article by T. E. Hum- multi-system receiver module, monitors quency target receiver significant ben- phreys et alia (2010) cited in Additional the individual incoming data streams efits in position and timing accuracy. Resources. for irregular behavior, employing, for Robustness. The Assimilator’s PNT The navigation data generator with- example, the data bit latency and ves- solution is, by virtue of the diverse in the Assimilator’s embedded signal tigial signal defenses introduced in the navigation and timing data that feed it, simulator stores a signal-specific data paper by T. E. Humphreys et alia (2008), inherently robust against GNSS signal bit library for each GPS L1 C/A signal. the multi-antenna defense introduced in obstruction and jamming. Signals from Because the C/A navigation message the article by P. Y. Montgomery et alia, or cell phone base stations, Iridium satel- repeats every 12.5 minutes, this library the signal quality monitoring technique lites, and LORAN transmitters are 10s of can be used to predict the value of data introduced in the article by B. Ledvina decibels stronger than those from GNSS bits that are received during scintilla- et alia (see Additional Resources for full satellites. Thus, not only is the Assimila- tion-induced power fades. A network citations). tor robust to GNSS outages, it can also withstand substantial blockage, jam- The Assimilator’s PNT solution is, by virtue of the ming, or other interference in the cell diverse navigation and timing data that feed it, phone (1.9 GHz), Iridium (1.6 GHz), and LORAN (100 kHz) frequency bands. inherently robust against GNSS signal obstruction Naturally, in a complete GNSS sig- and jamming. nal blackout, the PNT solution that the Assimilator feeds to the target receiver will be degraded, but by leveraging non- connection on the Assimilator permits Stronger civil spoofing defenses GNSS navigation and timing sources, data bit libraries to be downloaded from than these require cryptographic signal the Assimilator limits this degradation a remote server. authentication. Over the last decade, substantially. Baseband aiding from an The Assimilator also benefits from GNSS security researchers have pro- INS or stable frequency reference lowers access to modernized GNSS signals posed techniques for navigation message the Assimilator’s tracking threshold for with pilot (data-free) channels that are and spreading code authentication, and GNSS signals and permits the Assimila- by design more scintillation-robust than authentication based on exploiting the tor to “coast” through periods of com- the legacy GPS C/A signal. known relationship between GPS C/A plete RF blackout. Security. As with robustness, the signals and the encrypted GPS Y-code Ionospheric scintillation poses Assimilator is inherently more secure on L1. another challenge for GNSS receiver against signal spoofing than legacy civil Of these, navigation message authen- robustness. The deep power fades and GNSS receivers because of the diverse tication (NMA) appears to be the most accompanying fast phase transitions data from which its PNT solution is practical while still providing a strong induced by equatorial ionospheric scin- derived. defense against spoofing. The primary tillation stress a receiver’s carrier track- The paper by T. E. Humphreys et alia objection to civil NMA as applied to ing loops. As the severity of scintillation (2008) mentioned earlier demonstrated GPS is that it would require a change to increases, it can lead to navigation bit that developing a portable civil L1 GPS the GPS signal-in-space specification, errors, cycle slipping, and complete loss spoofer is relatively straightforward, but otherwise known as the GPS interface of carrier lock. carrying out a successful spoofing attack control document (ICD). The Assimilator makes best use of becomes much more difficult when mul- However, NMA could in fact be incoming GNSS signals by incorporat- tiple signal types must be spoofed simul- introduced in a way that is fully compat- ing carrier phase tracking loops that taneously. The Assimilator’s anti-spoof- ible with the current ICD by exploiting are specially designed for scintillation ing module B, which resides within the the flexible L2 or L5 navigation message robustness. (For maximum navigation navigation and timing fusion module, structure. In this approach, one of the accuracy, all carrier tracking loops with- exploits this inherent security by com- presently undefined navigation messages in the Assimilator track carrier phase, paring the observables output by each would be allocated for transmission of a not just frequency.) of the independent signals tracked in the digital signature. The GPS Operational www.insidegnss.com june 2010 InsideGNSS 55 gps assimilator receiver is protected from the spoofing attack. Prototype Assimilator We have built a prototype Assimilator to prove the basic feasibility of the con- ceptual Assimilator introduced previ- ously. The prototype is an extension of the GRID software-defined GNSS receiver introduced in the papers by T. E. Humphreys et alia (2006) and B. W. O’Hanlon and of the GPS spoofer dis- cussed earlier. The following sections will describe the prototype and offer initial experi- mental results. The prototype Assimilator is a dual- frequency device with a rudimentary spoofing defense. Its embedded signal simulator generates output signals in the FIGURE 4 (Top) The prototype Assimilator device connected to a GPS time reference receiver. (Lower left) Screen shot of a software GPS receiver tracking the Assimilator output and of the GPS time code-aligned, unimpaired GPS L1 C/A reference receiver’s status page showing a timing lock. (Lower right) The Assimilator’s DSP core. simulation mode. The device receives L1 This single chip performs all processing required for both signal tracking and signal generation. C/A and L2C GPS signals and outputs L1 C/A signals with code phases corrected for ionospheric delay. Bank Figure 4 shows a picture of the proto- Observables Nav. and Timing type assimilator coupled to a GPS time Data Buffer Channel Time of measurements Fusion Module reference receiver. Also shown is a close- buffer q1 PLLFLL DLL Position up of the DSP chip that simultaneously Pseudorange Vector Estimated State Velocity handles dual-frequency signal acquisi- buffer δt qn Carrier Phase Vector RX tion and tracking, and single-frequency Carrier Generator δt RX signal simulation. Code Generator Configuration Object Multi-System Receiver Module. Though it currently only tracks GPS L1 C/A and FIGURE 5 Software objects within the prototype implementation of the multi-system receiver and L2C signals, the prototype Assimilator’s the navigation and timing fusion modules multi-system receiver module is designed for expansion. Written in object-orient- Control Segment (OCS) would generate defining the new digital-signature-bear- ed C++, the module’s principal feature a public/private key pair, publishing the ing message is an extensible array of so-called Bank public key and keeping the private key The Assimilator could be adapted to objects, each of which acts as an inde- secret. Users would download the public implement the algorithm that verifies pendent software receiver. Class poly- key from a trusted repository. the received digital signature. Thus, by morphism is exploited so that all Bank With the private key, the OCS combining the Assimilator with naviga- objects share a common structure. would digitally sign all navigation data tion message authentication on the GPS Figure 5 illustrates the principal com- messages transmitted between the kth L2C or L5 signals, legacy GNSS receiv- ponents of the Bank object. Data from and (k+1)th digital signature message. ers could be cryptographically secured each RF front end are stored in separate The signature, at least 128 bits long for against GPS spoofing attacks. data buffers, with sub-buffers assigned adequate security, would be transmitted Whether by cryptographic means to each of the front ends’ quantization to the user in the payload of the (k+1)th or otherwise, if the Assimilator detects bits. The prototype uses two-bit quanti- signature message. a spoofing attack it alerts the user and zation, but its processing algorithms can With this scheme, users could peri- excludes the spoofed signals from its be adapted for N-bit quantization. odically authenticate all navigation data internal PNT estimate. The synthesized Each data buffer feeds a separate bits modulated on a given signal. Only a GPS signals that the Assimilator con- Bank object, of which the prototype slight extension to the GPS ICD would tinuously sends to the target receiver are Assimilator has two: one for GPS L1 C/A be required: an additional paragraph accordingly spoof-free, and the target and one for GPS L2C. Each Bank object, 56 InsideGNSS june 2010 www.insidegnss.com 5 premised on the dif- requiring 6 watts. The dual-frequency s) er 4 ficulty of (1) predict- RF front end draws 2 watts. A separate et 3 ing or synthesizing single-board computer used for network (m r a consistent stream communications, remote reprogramma- ro 2 Er 1 of navigation data bility, and housekeeping draws 1.3 watts. bits for each signal, The RF upconversion module draws tude 0 ti and (2) re-transmit- less than 700 milliwatts. Thus, the total Al -1 0 50 100 150 200 250 ting the broadcast power draw of the prototype Assimilator Time (sec) GPS data bits with is less than 10 watts. FIGURE 6 Time history of altitude errors within an Assimilator-aided an undetectable We conducted an experiment involv- single-frequency receiver. Midway through the processing run the latency. ing ionospheric delay modeling errors in Assimilator activates ionospheric compensation, reducing the target In the proto- order to illustrate the utility of the pro- receiver’s altitude errors by approximately 2.5 meters. type Assimilator’s totype Assimilator. The experiment was implementation of carried out in after-the-fact processing in turn, houses an array of Channel the defense, Channel objects continu- on a desktop PC running the Assimila- objects, one for each independent signal ously monitor each navigation data bit tor code. to be tracked. Channel objects are made stream and flag suspicious shifts in bit A dual-frequency front end identical up of phase, frequency, and code track- synchronization. The defense is far from to that of the prototype Assimilator was ing–loop objects and other supporting foolproof, but it is simple to implement used to digitize 300 seconds of dual-fre- members. and substantially raises the bar for a suc- quency data from a high-quality GPS All Channel objects within a Bank cessful spoofing attack. signal simulator. The signal simulator’s feed into a single Observables object that Embedded Signal Simulator. The proto- scenario profile was set to generate sig- encapsulates the observables extracted type Assimilator’s embedded signal sim- nals consistent with a Klobuchar iono- from the signals to which the Bank ulator functions just as described earlier spheric model with low electron content is devoted. Each Bank object feeds a for the conceptual Assimilator except (~2 meters zenith delay at L1). We used sequence of Observables objects to the that the prototype makes no attempt to data from the signal simulator to ensure navigation and timing fusion module to choose the best possible combination of a well-defined truth position. After-the- be fused into a single PNT solution. signals to simulate; it simply selects the fact processing was required because the Navigation and Timing Fusion Module. strongest n tracked C/A signals (usually GPS signal simulator and the prototype The prototype Assimilator fuses dual- six) for simulation. Assimilator were not co-located. frequency GPS measurements into a The Assimilator ingested the dual- single-frequency simulated GPS RF Preliminary Performance frequency digital data and generated a output by re-generating clean versions Results combined set of output single-frequen- of the C/A signals that it tracks and by When tuned for efficiency, the prototype cy C/A signals. These were routed to a compensating for ionospheric delay on Assimilator meets real-time deadlines software-defined single-frequency GPS each of the simulated signals. with computational resources to spare. receiver (the target receiver) whose inter- Only eight L2C-capable GPS satel- The processing power of the prototype’s nal ionospheric model had been disabled. lite are currently in orbit, which implies DSP is such that it can run the equiva- Midway through the run, the Assimila- that direct measurements of the L1 iono- lent of 135 parallel GPS C/A channels. tor began compensating for ionospheric spheric delay are not available for all sat- Because their longer ranging codes can- delay by adjusting the code phase of its ellite-to-receiver paths. To compensate not be stored in on-chip memory, L2C simulated signals. Prior to this moment, for ionospheric delay in all simulated channels require the equivalent process- the target receiver showed positioning signals, the prototype Assimilator uses ing of four C/A channels. errors of approximately three meters, whatever dual-frequency measurements More expensive still are the simula- mostly in the altitude component. are available to adjust the parameters of tor channels, each of which requires an To the target receiver it appeared a simple single-layer ionospheric model. equivalent of 5.4 C/A channels. At full as though a mismatch was occurring Delay estimates drawn from this model capability, the Assimilator can track 14 between the broadcast ionospheric are then applied to adjust the code phase GPS L1 C/A signals and 14 GPS L2C sig- model and the true ionosphere. How- of simulated signals. No attempt is made nals while simultaneously generating 8 ever, when the Assimilator activated its at present to compensate for ionosphere- simulation signals, in addition to per- dual-frequency-based ionospheric com- induced advances in the simulated sig- forming a one-hertz navigation solution pensation, the target receiver’s altitude nals’ carrier phases. and periodic background acquisition. errors were immediately reduced. Figure Anti-Spoofing. For anti-spoofing, the Of the prototype’s hardware sub- 6 plots the altitude error time history. prototype Assimilator implements a data systems, the DSP and its peripherals, Clearly, even with this experiment’s low- bit latency defense. This simple defense is unsurprisingly, draw the most power, electron-content ionosphere, the target www.insidegnss.com june 2010 InsideGNSS 57 gps assimilator receiver benefited from its coupling to [2] Humphreys, T. E., and B. M. Ledvina, M. L. [13] Spilker, J. J., Global Positioning System: The- the Assimilator. Psiaki, B. W. O’Hanlon, , and P. M. Kintner, Jr., ory and Applications, chap. 5: Satellite Constella- “Assessing the Spoofing Threat: Development of tion and Geometric Dilution of Precision, American Conclusions a Portable GPS Civilian Spoofer,” Proceedings of Institute of Aeronautics and Astronautics, Wash- ION GNSS 2008, Institute of Navigation, Savannah, ington, D.C., 1996, pp. 177–208 We have presented a technique for Georgia USA, 2008 [14] “Vulnerability assessment of the transpor- upgrading existing GNSS user equip- [3] Humphreys, T. E., and B. M. Ledvina, M. L. tation infrastructure relying on the Global Posi- ment, without requiring hardware or Psiaki, , and P. M. Kintner, Jr., “GNSS Receiver tioning System,” technical report, John A. Volpe software modifications to the equipment, Implementation on a DSP: Status, Challenges, and National Transportation Systems Center, U.S. to improve its accuracy, to increase its Prospects,” Proceedings of ION GNSS 2006, Insti- Department of Transportation, Cambridge, Mas- robustness in weak-signal or jammed tute of Navigation, Fort Worth, Texas USA, 2006 sachusetts USA, 2001 environments, and to secure it against [4] Humphreys, T. E., and M. L. Psiaki and P. M. counterfeit GNSS signals. The technique Kintner, Jr., , “Modeling the effects of Ionospheric is embodied in a device called the GPS Scintillation on GPS Carrier Phase Tracking,” IEEE Authors Assimilator that acts opportunisti- Transactions on Aerospace and Electronic Sys- Todd E. Humphreys is an cally to extract navigation and timing tems, 2010, to be published assistant professor in the information from its environment. The [5] Klobuchar, J. A., Global Positioning System: Department of Aerospace Assimilator encodes this information Theory and Applications, chap. 12: Ionospheric Engineering and Engi- into a set of standard GPS L1 C/A signals Effects on GPS, American Institute of Aeronautics neering Mechanics at the with which all legacy GNSS receivers are and Astronautics, Washington, D.C., 1996, pp. University of Texas at Austin. He received a B.S. natively compatible. 485–515 and M.S. in electrical and computer engineering [6] Ledvina, B., “Real-Time Generation of Bit- A dual-frequency prototype Assim- from Utah State University and a Ph.D. in aero- Wise Parallel Carrier Replicas Applied to a GPS/ ilator with a rudimentary spoofing space engineering from Cornell University. His GNSS Software Receiver,” IEEE Transactions on defense has been presented. Initial exper- research interests are in estimation and filtering, Aerospace and Electronic Systems, 2010, to be imental results show the prototype suc- GNSS technology, GNSS-based study of the iono- published. cessfully correcting ionospheric errors sphere and neutral atmosphere, and GNSS secu- in a single-frequency target receiver. [7] Ledvina, B. M., and W. J. Bencze, B. Galusha, rity and integrity. and I. Miller, “An In-Line Anti-Spoofing Module Efforts are underway to develop the Jahshan A. Bhatti is pursu- for Legacy Civil GPS Receivers,” Proceedings of next-generation Assimilator prototype: ing a Ph.D. in the Depart- the ION ITM, Institute of Navigation, San Diego, a compact device equipped with a robust ment of Aerospace Engi- CA, January 2010 cryptographic defense against spoofing neering and Engineering and capable of tracking dual-frequency [8] Lo, S., and D. DeLorenzo, P. Enge, D. Akos, and Mechanics at the Univer- P. Bradley, “Signal Authentication: A Secure Civil GPS and CDMA cell telephone signals. sity of Texas at Austin, GNSS for Today,” Inside GNSS, Vol. 4, No. 5, Sep- Eventually, as board sizes are reduced, where he also received tember/October 2009, pp. 30–39 his B.S. His research interests are in development the Assimilator’s processing core can [9] Montgomery, P. Y., and T. E. Humphreys, and of small satellites, software-defined radio appli- be housed within its antenna enclosure, B. M. Ledvina, “A Multi-Antenna Defense: Receiv- cations, and GNSS technologies. offering GNSS users the possibility of er-Autonomous GPS Spoofing Detection,” Inside Brent M. Ledvina is direc- upgrading their current receivers with GNSS, Vol. 4, No. 2, March/April 2009, pp. 40–46 tor of new business and a simple change of antenna. [10] O’Hanlon, B. W., and M. L. Psiaki, P. M. Kint- technology at Coherent ner, Jr., and T. E. Humphreys, “Development and Navigation in San Mateo, End Notes Field Testing of a DSP-Based Dual-Frequency California, USA. He is The assimilator concept and early Software GPS Receiver,” Proceedings of ION GNSS also an adjunct faculty hardware were developed at Coherent 2009, Institute of Navigation, Savannah, Georgia member of the Bradley Navigation, Inc., a startup company of USA, 2009 Department of Electrical and Computer Engineer- which Drs. Ledvina and Humphreys [11] Phadke, A., B. and Pickett, M. Adamiak, M. ing at Virginia Tech. He received a B.S. in electrical are co-founders, along with four oth- Begovic, G. Benmouyal, , R. Burnett Jr., T. Cease, J. and computer engineering from the University of ers. Coherent Navigation Inc. has filed a Goossens, D. Hansen, M. Kezunovic, , et al., “Syn- Wisconsin at Madison and a Ph.D. in electrical and patent covering the Assimilator concept chronized Sampling and Phasor Measurements for computer engineering from Cornell University. His research interests are in the areas of ionospheric and related technologies. Relaying and Control,” IEEE Transactions on Power Delivery, Vol. 9, No. 1, 1994, pp. 442–452 physics, space weather, estimation and filtering, and GNSS technology and applications. Additional Resources [12] Scott, L., “Anti-spoofing and authenticated [1] Hein, G., and F. Kneissi, J.-A. Avila-Rodriguez, signal architectures for civil navigation systems,” and S. Wallner, “Authenticating GNSS: Proofs Proceedings of ION GPS/GNSS 2003, Institute against Spoofs, Part 2,” Inside GNSS, September/ of Navigation, Portland, Oregon USA, 2003, pp. October 2007, pp. 71–78 1542–1552 58 InsideGNSS june 2010 www.insidegnss.com