Secure GNSS-Based Positioning and Timing

kth royal institute of technology

Doctoral Thesis in Electrical Engineering Secure GNSS-based Positioning and Timing

Distance-Decreasing attacks, fault detection and exclusion, and attack detection with the help of opportunistic signals

KEWEI ZHANG

Stockholm, Sweden 2021 Secure GNSS-based Positioning and Timing

Distance-Decreasing attacks, fault detection and exclusion, and attack detection with the help of opportunistic signals

KEWEI ZHANG

Academic Dissertation which, with due permission of the KTH Royal Institute of Technology, is submitted for public defence for the Degree of Doctor of Philosophy on Thursday the 1st April 2021, at 09:00 a.m. in Grimeton, Kistagången 16, Kista, Stockholm.

Doctoral Thesis in Electrical Engineering KTH Royal Institute of Technology Stockholm, Sweden 2021 © Kewei Zhang

ISBN 978-91-7873-811-3 TRITA-EECS-AVL-2021:19

Printed by: Universitetsservice US-AB, Sweden 2021 iii

Abstract

With trillions of devices connected in large scale systems in a wired or wireless manner, positioning and synchronization become vital. Global Navigation Satellite System (GNSS) is the first choice to provide global coverage for positioning and synchronization services. From small mobile devices to aircraft, from intelligent transportation systems to cellular networks, and from cargo tracking to smart grids, GNSS plays an important role, thus, requiring high reliability and security protection. However, as GNSS signals propagate from satellites to receivers at distance of around 20 000 km, the signal power arriving at the receivers is very low, making the signals easily jammed or overpowered. Another vulnerability stems from that civilian GNSS signals and their specifications are publicly open, so that anyone can craft own signals to spoof GNSS receivers: an adversary forges own GNSS signals and broadcasts them to the victim receiver, to mislead the victim into believing that it is at an adversary desired location or follows a false trajectory, or adjusts its clock to a time dictated by the adversary. Another type of attack is replaying GNSS signals: an adversary transmits a pre-recorded GNSS signal stream to the victim receiver, so that the receiver calculates an erroneous position and time. Recent incidents reported in press show that the GNSS functionalities in a certain area, e.g., Black Sea, have been affected by cyberattacks composed of the above-mentioned attack types. This thesis, thus, studies GNSS vulnerabilities and proposes detection and mitigation methods for GNSS attacks, notably spoofing and replay attacks. We analyze the effectiveness of one important and powerful replay attack, the so-called Distance-decreasing (DD) attacks that were previously investigated for wireless communication systems, on GNSS signals. DD attacks are physical layer attacks, targeting time-of-flight ranging protocols, to shorten the perceived as measured distance between the transmitter and receiver. The attacker first transmits an adversary-chosen data bit to the victim receiver before the signal arrives at the attacker; upon receipt of the GNSS signal, the attacker estimates the data bit based on the early fraction of the bit period, and then switches to transmitting the estimate to the victim receiver. Consequently, the DD signal arrives at the victim receiver earlier than the genuine GNSS signals would have, which in effect shortens the pseudorange measurement between the sender (satellite) and the victim receiver, consequently, affecting the calculated position and time of the receiver. We study how the DD attacks affect the bit error rate (BER) of the received signals at the victim, and analyze its effectiveness, that is, the ability to shorten pseudorange measurements, on different GNSS signals. Several approaches are considered for the attacker to mount a DD attack with high probability of success (without being detected) against a victim receiver, for cryptographically unprotected and protected signals. We analyze the tracking output of the DD signals at the victim receiver and propose a Goodness of Fit (GoF) test and a Generalized Likelihood Ratio Test (GLRT) to detect the attacks. The evaluation of the two tests shows that they are effective, with the result being perhaps more interesting when considering DD attacks against Galileo signals that can be cryptographically protected. iv

Moreover, this thesis investigates the feasibility of validating the authenticity of the GNSS signals with the help of opportunistic signals, which is information readily available in modern communication environments, e.g., 3G, 4G and WiFi. We analyze the time synchronization accuracy of different technologies, e.g., Network Time Protocol (NTP), WiFi and local oscillator, as the basis for detecting a discrepancy with the GNSS-obtained time. Two detection approaches are proposed and one testbench is designed for the evaluation. A synthesized spoofing attack is used to verify the effectiveness of the approaches. Beyond attack detection, we develop algorithms to detect and exclude faulty signals, namely the Clustering-based Solution Separation Algorithm (CSSA) and the Fast Multiple Fault Detection and Exclusion (FM-FDE). They both utilize the redundant available satellites, more than the minimum a GNSS receiver needs for position and time offset calculation. CSSA adopts data clustering to group subsets of positions calculated with different subsets of available satellites. Basically, these positions, calculated with subsets not containing any faulty satellites, should be close to each other, i.e., in a dense area; otherwise they should be scattered. FM-FDE is a more efficient algorithm that uses distances between positions, calculated with fixed-size subsets, as test statistics to detect and exclude faulty satellite signals. As the results show, FM-FDE runs faster than CSSA and other solution-separation fault detection and exclusion algorithms while remaining equally effective. v

Sammanfattning

Med biljoner enheter anslutna, trådbundet eller trådlöst, i storskaliga system, blir positionering och synkronisering avgörande. Global Navigation Satellite System (GNSS) är det första valet att tillhandahålla global täckning för positionering och synkroniseringstjänster. Från små mobila enheter till flyg- plan, från intelligenta transportsystem till mobilnätverk och från lastspårning till smarta nät, spelar GNSS en viktig roll, vilket kräver hög tillförlitlighet och säkerhetsskydd. Eftersom GNSS-signaler sprider sig från satelliter till mottagare på cirka 20 000 km avstånd, är signaleffekten som kommer till mottagarna dock mycket låg, vilket gör att signalerna lätt fastnar eller överstyrs. En annan sårbarhet härrör från att civila GNSS-signaler och deras specifikationer är offentligt öppna, så att alla kan skapa egna signaler för att förfalska GNSS-mottagare: en motståndare smider egna GNSS-signaler och sänder dem till offrets mottagare, för att vilseleda offret att tro att det är vid en motståndares önskade plats eller följer en falsk bana, eller justerar sin klocka till en tid som dikteras av motståndaren. Dessutom undersöker denna avhandling möjligheten att validera äktheten hos GNSS-signalerna med hjälp av opportunistiska signaler, vilket är information som är lättillgänglig i moderna kommunikationsmiljöer, t.ex. 3G, 4G och WiFi. Vi analyserade tidssynkroniseringsnoggrannheten för olika tekniker, t.ex. Network Time Protocol (NTP), WiFi och lokaloscillator, som grund för att detektera en avvikelse med den GNSS-erhållna tiden. Två detektionsmetoder föreslås och en testbänk är utformad för utvärderingen. En syntetiserad falsk attack används för att verifiera effektiviteten i tillvägagångssätten. Utöver attackdetektering utvecklar vi algoritmer för att upptäcka och utesluta felaktiga signaler, nämligen den klusterbaserade lösningsavskiljnings- algoritmen (CSSA) och den snabba multipeldetekteringen och uteslutningen (FM-FDE). De använder båda de redundanta tillgängliga satelliterna, mer än det minsta som en GNSS-mottagare behöver för att beräkna position och tidsförskjutning. Som resultaten visar går FM-FDE snabbare än CSSA och andra lösningsavskiljnings- och uteslutningsalgoritmer samtidigt som de förblir lika effektiva.

Acknowledgements

First of all, I would like to express my sincere gratitude to my main supervisor, Professor Panos Papadimitratos, to have me in the Networked Systems Security (NSS) group, and for his supervision, guidance and support through my PhD study. I also want to thank my secondary supervisor, Professor Erik G. Larsson, for his technical guidance in some of my work. Besides, I would like to thank the China Scholarship Council (CSC) for its financial support during the first four years of my PhD study. I am thankful to all my friends and colleagues, in my former division Network and Systems Engineering (NSE) and the current division Communication Systems (CoS). Especially, I want to thank Mohammad Khodaei and Hongyu Jin, for their full support and sharing the joy together in the last several years. Most importantly, I would like to thank my parents and my brother, who are always there for me, regardless of what happens. And my special thanks to my girlfriend, Qiyao Cai, I wouldn’t be able to achieve this without you.

Kewei Zhang Stockholm, March 2021

vii

To my parents, my brother and my girlfriend.

Your Kewei

Contents

Contents xi

Acronyms xv

1 Introduction 1 1.1 Thesis Structure ...... 4

2 Adversary Models 7 2.1 Distance-Decreasing Attack Model ...... 8

3 Related Work on GNSS Security 11 3.1 Spoofing and Replay Attacks ...... 11 3.2 Fault Detection and Exclusion ...... 12 3.3 Securing GNSS Time Transfer with Signals of Opportunity . . . . . 14

4 Dissertation Contributions 17 4.1 Thwarting DD Attacks on GNSS Signals ...... 17 4.2 Fault Detection and Exclusion ...... 22 4.3 Securing GNSS Time Transfer with Opportunistic Signals ...... 24

5 Summary of Original Work 29

6 Conclusions and Future Work 37 6.1 Thesis Conclusions ...... 37 6.2 Future Work ...... 38

Bibliography 39

Paper A: GNSS Receiver Tracking Performance Analysis under Distance-Decreasing Attacks 57

Paper B: Detection and Exclusion RAIM Algorithm against Spoof- ing/Replaying Attacks 75

xi xii CONTENTS

Paper C: On the Effects of Distance-decreasing Attacks on Crypto- graphically Protected GNSS Signalss 89

Paper D: Secure Multi-constellation GNSS Receivers with Clustering- based Solution Separation Algorithm 115

Paper E: Safeguarding NMA Enhanced Galileo OS Signals from Distance-Decreasing Attacks 139

Paper F: Protecting GNSS-based Services using Time Offset Vali- dation 161

Paper G: Protecting GNSS Open Service-Navigation Message Au- thentication against Distance-Decreasing Attacks 185

Paper H: Fast Multiple Fault Detection and Exclusion (FM-FDE) Algorithm for Standalone GNSS Receivers 221 CONTENTS xiii

Acronyms

ADS-B Automatic Dependent Surveillance-Broadcast. AGC Automatic Gain Control. AOA Angel of Arrival. AP Access Point. APNT Alternative Position, Navigation, and Time. ARX Adverserial Recevier. ATX Adverserial Transmitter.

BER Bit Error Rate. BPSK Binary Phase-Shift Keying.

CAF Cross Ambiguity Function. COTS Commercially Available Off-the-Shelf. CSS Chirp Spread Spectrum. CSSA Clustering-based Solution Separation.

DBSCAN Density-based Spatial Clustering of Applications with Noise. DD Distance-decreasing. DOA Direction of Arrival.

ED Early Detection.

FDE Fault Detection and Exclusion. FM-FDE Fast Multiple Fault Detection and Exclusion.

xv xvi ACRONYMS

GLONASS Global’naya Navigatsionnaya Sputnikovaya Sistema.

GLRT Generalized Likelihood Ratio Test.

GNSS Global Navigation Satellite Systems.

GoF Goodness of Fit.

GPS Global Positioning System.

GS Group Separation.

HRX Honest Recevier.

HTX Honest Transmitter.

IIOT Industrial Internet of Things.

INS Inertial Navigation System.

IoT Internet of Things.

LBS Location-based Service.

LC Late Commit.

LS Least Squared.

MAC Message Authentication Code.

MAI Multiple Access Interference.

MAP Maximum a Posterior.

MMSE Minimum Mean Square Error.

NLOS Non-Line-of-Sight.

NMA Navigation Message Authentication.

OWAS Optimally Weighted Average Solution.

PVT Position, Velocity and Time.

RAIM Receiver Autonomous Integrity Monitoring.

RF Radio Frequency. ACRONYMS xvii

ROC Receiver Operating Characteristic. RPM Received Power Monitoring.

SCER Security Code Estimation and Replay. SDR Software-Defined Radio. SIB System Information Block. SIS Signal in Space. SNR Signal-to-Noise Ratio. SQM Signal Quality Monitoring. SS Solution Separation.

TOF Time of Flight. TSN Time Sensitive Networking. TU Time Unit.

UE User End. UTC Coordinated Universal Time.

VAL Vertical Alarm Limit. VPL Vertical Protection Level.

WLAN Wireless Local Area Network.

Chapter 1

Introduction

Global Navigation Satellite Systems (GNSS) encompasses a constellation of satellites, which provide global coverage for Position, Velocity and Time (PVT) services. Currently, GNSSs include NAVSTAR Global Positioning System (GPS) from the USA, Galileo from Europe, Global’naya Navigatsionnaya Sputnikovaya Sistema (GLONASS) from Russia, and BeiDou Navigation Satellite System from China. Every GNSS system provides both civilian signals and restricted signals [1, 2]. Restricted signals are accessible to authorized users, while civilian signals are open to the public. Within the last decades, GNSS became vital not only in network infrastructure and systems, but also in mobile devices and the Internet of Things (IoT). As Fig. 1.1 shows, from large-scale systems, e.g., synchronization in power grids, to small devices, e.g., Location-based Service (LBS) for IoT devices, GNSS plays an important rule in our daily life. Because of the GNSS popularity, its security has drawn attention in the research community and increasingly beyond academia. In [3--5], authors demonstrated that one can build a dual-frequency GPS spoofer with low cost, around $250 - $400, based on a Raspberry Pi and a Software-Defined Radio (SDR). UT Austin researchers demonstrated a real-time spoofing attack to a 70 m yacht on the Mediterranean Sea [6]. GNSS is vulnerable to various attacks because of very low reception power at GNSS receivers after long propagation and GNSS civilian signals being open to public. After around 20 000 km of propagation, the received signal power at terrestrial receivers is lower than −125 dBm, much lower than the noise power level, around −110 dBm in a 2 MHz bandwidth [7]. This implies that GNSS receivers can be jammed easily, with very cheap devices costly only €10. The good news is that many countries have law enforcement that bans selling or using GNSS jamming devices [8], especially near safety-critical areas, e.g., airports. Moreover, anti-jamming methods are investigated based on different techniques, e.g., notch filter [9, 10] and pulse blanking [11, 12]. And anti-jamming products with antenna arrays [13, 14] are available on markets.

1 2 CHAPTER 1. INTRODUCTION

Network Timing & Synchronization GNSS rescue GIS & Survey

Avionics & UAV Agriculture Transportation

Fleet management Location-based services Autonomous driving

Figure 1.1: GNSS civilian applications.

Besides, unintentional interference from other radio services also puts GNSS receivers in danger. One of the unintentional interference sources is through harmonics [15]. The harmonic frequencies, which can fall within the GNSS signal frequencies, are integer multiples of fundamental frequencies used for other radio services. Incidents have been reported, with TV broadcast transmitters interfering the reception of GPS signals [16, 17]. Another unintentional interference source is multi-path signals, with reflections of the original signals arriving at the receiver, affecting the measured pseudorange and carrier phase. Theoretically, the maximum pseudorange measurement error induced by multipath signal is up to 1.5 times the spreading code chip length, for example, up to 450 m for Galileo E1 and GPS L1 C/A signals [18]. Signals transmitted by GNSS satellites can be written as: p y = 2PkCk(t)Dk(t)cos(2πft) (1.1) where k is the satellite index, P is the signal power, f is the carrier frequency; the navigation data, D(t), is multiplied by the ranging code C(t), then transmitted at frequency f, e.g., L1/E1/B1 band frequency at 1575.42 MHz, using Binary Phase- Shift Keying (BPSK) modulation. As civilian GNSS signals are publicly open, one can craft own GNSS signal and broadcast it, relying on a reasonable level of 3 technical background: ranging codes are freely available [1, 19--21], navigation data can be downloaded [22], to generate own GNSS signals and broadcast through a radio transmitter, with an online free source code [23]. This thesis studies GNSS vulnerabilities and countermeasures related to spoofing and replaying attacks. Spoofing attacks can be roughly categorized as follows: • Simple attacks: an adversary transmits forged signals, which are generated with a GNSS signal simulator/generator that typically has high cost. The simple spoofing signals are not synchronized with the Signal in Space (SIS), so they can be easily detected. • Intermediate attacks: an adversary uses a GNSS software receiver to estimate the signal Doppler frequency and calculate the navigation message, it then transmits its crafted signals with a single antenna. • Sophisticated attacks: in addition to the capabilities for intermediate attacks, an adversary has precise estimation of victim receiver position and implements a tracking lift-off attack [24]. Besides, the adversary may transmit the forged GNSS signals with multiple antennas, which can simulate signal arrival angles from different satellites. Another type of adversarial manipulation is replay attacks: the adversary records GNSS radio signals and broadcasts the recorded signals to mislead the victim receiver. Based on their effectiveness, replay attacks can be categorized as follows: • Classical replay attacks: an adversary captures an entire segment of GNSS Radio Frequency (RF) spectrum with a single antenna and replays without modification [25]. These attacks cannot arbitrarily manipulate the PVT of a victim receiver. The victim receiver will perceive that its position and velocity are the same as those of the adversary’s antenna, along with an erroneous time to true time. • Advanced replay attacks: an advanced replay attacker can manipulate each individual received signal and replay the signal ensemble to the victim receiver. One example is, meaconer, with multiple antenna elements, each of which receives one GNSS signal stream [25]. The meaconer manipulates the phasing of signal streams and combines those signal streams within an ensemble and replays it. Another advanced replay attack is the Security Code Estimation and Replay (SCER) attack [26], which receives and tracks each individual signal and estimates the signal’s security code on-the-fly. It then transmits the signal ensemble, based on the security code estimation, to the victim receiver. Related are the Forward estimation attacks (FEA) [27, 28] that utilize the redundancy in the authentication message introduced by forward error coding to predict message data, even prior to the message transmission. Distance-decreasing (DD) attacks [29--32] are another type of advanced replay attacks, which transmit an adversary-chosen symbol value before estimating 4 CHAPTER 1. INTRODUCTION

and transmitting the appropriate value based on the early fraction of the legitimate symbol. When the adversary has the estimate, it switches to transmitting the estimation for the symbol. Consequently, the DD signal is perceived to arrive at the victim receiver earlier than the legitimate signal, thus shortening the corresponding pseudorange measurement.

The above security issues and challenges motivate designing security algorithms, which can detect spoofing and replay attacks, and further exclude faulty satellite measurements and compute a corrected PVT solution. More specifically, this thesis makes the following contributions towards addressing these challenges:

• A thorough study of DD attacks in GNSS. We analyze the feasibility of implementing the DD attacks and the tracking performance at the victim receiver. Different approaches for the adversary are investigated to achieve high attack success probability, while avoiding easy detection. DD attacks on different GNSS signals are studied, along with their quantitative affects on shortening pseudorange measurements. We model the tracking outputs of legitimate signals and DD signals, which yield different distributions. This motivates us to propose two hypothesis tests to detect DD attacks. The tests are evaluated based on different signal parameters and noise environments, with a Monte-Carlo method and a synthesized DD signal.

• An exploration of the feasibility of validating GNSS signals with opportunistic signals, in particular time information that can be obtained over modern networks and be the basis for cross-checking the GNSS-obtained time corrections. We consider a synthesized GPS time-spoofing attack and readily available time references and conclude that relatively accurate time can limit the scope of the adversarial actions, revealing a range of GNSS attacks.

• A study of algorithms to exclude faulty satellite signals: Clustering-based Solution Separation (CSSA) and Fast Multiple Fault Detection and Exclusion (FM-FDE). In CSSA, a data clustering algorithm groups positions calculated by different subsets of available satellites, considering first single constellation receivers, then extending the algorithm for multi-constellation receivers. Furthermore, FM-FDE provides a computationally efficient fault exclusion algorithm, compared to conventional fault detection and exclusion algorithm. We study the complexity, detection rate, false alarm rate and execution time for FM-FDE, compared to the conventional approach, with field recorded data. FM-FDE is much more efficient, especially in presence of multiple faults for multi-constellation receivers, while preserving equivalent detection capability.

1.1 Thesis Structure

In the rest of this introduction, Chapter 2 presents adversary modeling for GNSS signals. The state of the art on GNSS security is discussed in Chapter 3. Chap- 1.1. THESIS STRUCTURE 5 ter 4 summarizes the contributions of this thesis, based on the papers in this compendium, outlined in Chapter 5; Chapter 6 concludes the thesis with discussion on future research work. An appendix provides accepted papers and submissions, in chronological order, with the author of this thesis as the first author.

Chapter 2

Adversary Models

This thesis considers both benign and malicious faults for fault detection and exclusion, as shown in Fig. 2.1. In benign environments, shadowing, Non-Line-of- Sight (NLOS) to satellites and interference from other radios degrade the reception of GNSS signals. Specifically, multipath signals affect the measured pseudoranges of the receiver, and consequently change its PVT solution. In a malicious environment, an attacker can mount spoofing/replay attacks to mislead the victim receiver into calculating a faulty PVT solution, possibly as precisely desired by the attacker. The attacker can transmit modified or forged signals and/or navigation messages to the victim receiver, either from a single transmitter or multiple transmitters. When the attacks occur before signal acquisition of the victim receiver, the adversary may directly send crafted signals with higher power than legitimate signals to force the receiver to lock on the malicious signals. When the receiver has already locked on to legitimate signals, the adversary may jam the reception of legitimate signals and then transmit the malicious signals to the victim receiver; or the adversary may implement a takeover attack [24] to quietly force the receiver to lock on the malicious signals. This takeover attack is a powerful method that hides itself underneath the legitimate signals. It gradually synchronizes with the received legitimate signals at the victim receiver and then increases its power to force the receiver to lock on the malicious signals. Therefore, it requires the adversary having knowledge about the victim receiver’s precise position, which is a strong prerequisite, especially for mobile receivers. Thus, jamming before transmitting malicious signals is a more practical option, even jamming itself might raise an alarm being attacked. Furthermore, the adversary can be mounted with one receive antenna and one transmit antenna, or more complex with multiple transmit antennas, each of which broadcasts one forged signal to imitate the arriving angle of each satellite. The setup of multiple transmitters makes the adversary more powerful to avoid the detection by receivers equipped with smart antennas [33, 34]. But at the same time, its cost is increased accordingly. In either case, the adversary aims to manipulate the receiver’s position (trajectory) and/or time, depending on its setup. This thesis provides the

8 CHAPTER 2. ADVERSARY MODELS

…

GNSS Spoofer

Figure 2.1: Multiple faults for a GNSS receiver.

adversary model for distance-decreasing attacks in next section, separately, as it merits special attention.

2.1 Distance-Decreasing Attack Model

The DD attacks are a type of physical layer attacks that harm Time of Flight (TOF) based ranging protocols [29]. The DD attacks consist of two components: an Adverserial Recevier (ARX), implementing Early Detection (ED) on arriving signals, and an Adverserial Transmitter (ATX), implementing Late Commit (LC) to generate DD signals, as shown in Fig. 2.2a. The DD attack formulation is per signal and per pseudorange measurement. It can further generalize to multiple ATX and ARX devices, as the sophistication and complexity of the attacker grows. Before receiving signal data originating from the Honest Transmitter (HTX), the ATX starts transmitting an adversary-chosen value to the Honest Recevier (HRX) during TLC period, as shown in Fig. 2.2b. Upon the genuine signal arriving at the ARX, the adversary estimates the symbol value of the genuine signal with the beginning fraction of the symbol during TED period, and then conveys the estimation to the ATX. Hereafter, the ATX switches to transmitting the estimate to the HRX. Consequently, the DD signal that arrives at the HRX is TDD earlier than the genuine signal originating from the HTX, which shortens the pseudorange measurement between the satellite (HTX) and the victim receiver (HRX), where TDD = TLC −TED −Td, with Td being the delay introduced by the attacker, including processing and transmission time, at the ARX and ATX and their communication. This, in turn, allows the manipulation of the computed position and time offset by acting solely at the physical layer, without any modification or guessing of the cryptographically protected parts of the navigation messages. 2.1. DISTANCE-DECREASING ATTACK MODEL 9

HTX 1 bit Satellite

TED ARX 1 bit Adversarial Receiver

ATX TLC 1 bit Adversarial Transmitter

TDD

HRX 1 bit Victim Receiver

time

(b) Illustration of DD attack (a) Adversary Model

Figure 2.2: Distance-decreasing attacks on GNSS signals. (also appears in [31])

The adversary mounts a pair of ARX-ATX for each targeted signal, as shown in Fig. 2.2a. The ARX estimates the symbol value and sends the estimated data value along with other signal parameters to the ATX. The ATX assembles new signals based on the ARX-provided values, and sends the assembled signals to the HRX. More specifically, the ARX and the ATX can be located on the same hardware platform, or be connected across a dedicated high-rate data link; then, the communication delay between them is negligible, comparing to data bit length of the GNSS signals, e.g., Galileo E1 OS symbol length is 4 ms. The ATX can be positioned in a way that it is best for transmitting the adversarial signals to the HRX; one example is that the HRX is in the view of the ATX and/or being close enough to the HRX in order to relatively easily achieve, for instance, comparative reception power to that of authentic signals. This allows the attacker to adjust its transmission power and other parameters accordingly. Nevertheless, each ARX or ATX does not have to be a dedicated hardware, rather a processing thread/channel. The adversary assembles each DD signal and transmits the assembled signal with an antenna to the victim receiver. In order to force the HRX lock on the DD signals, the adversary can either jam the reception of legitimate signals, then transmits the DD signals, or implements a smooth take-over attack [24]. The choice of action subjects to considerations pertinent to any spoofing attack and receiver possible reactions. With a jamming attack, the HRX loses its tracking on legitimate signals, then tries to do satellites re-acquisition. A within-symbol transition is not allowed for satellites acquisition, which must be considered while crafting the DD signals. The adversary can solve this challenge by starting assembling the DD signals from the preamble code, since the preamble code is known publicly. Hence, the preamble code is transmitted 10 CHAPTER 2. ADVERSARY MODELS correctly without a within-symbol transition. Then, the victim receiver will acquire and lock on the DD signals successfully. Chapter 3

Related Work on GNSS Security

This discusses the state-of-the-art on GNSS security along three paths: 1) countermeasures against spoofing and replay attacks; 2) research on fault detection and exclusion; 3) securing GNSS time transfer with signals of opportunity.

3.1 Spoofing and Replay Attacks

Significant work has been done on proposing countermeasures with different approaches. A report from the U.S. Department of Transportation assessed GPS vulnerabilities and listed potential mitigation strategies [35]. In [36], authors analyzed the requirements of successful GPS spoofing attacks for single and multiple receivers. Generally, two directions unfold to secure GNSS receivers: to augment the GNSS receiver and to enhance the GNSS infrastructure. At the receiver side, it was proposed to detect the presence of attacks based on observed abnormalities of the received signal strength, e.g., through monitoring the Automatic Gain Control (AGC) level [37--39] and Received Power Monitoring (RPM) [40--43]. Moreover, a properly designed receiver can determine signal arrival angles with specially designed antennas [44--47]; this can be useful because adversarial signals are usually transmitted from a single device/antenna. Comparing GNSS measurements with additional positioning information, e.g., from an Inertial Navigation System (INS), to detect the replaying/spoofing attacks [48--51] was also proposed. Some work also suggested to use Automatic Dependent Surveillance-Broadcast (ADS-B) to detect GNSS spoofing attacks, by analyzing advertisements of aircraft with an independent infrastructure on the ground [52]. Moreover, the clock drift and abnormalities of the Doppler frequency can be used to limit the extent of adversarial manipulation [40, 41, 53, 54]. Receiver Autonomous Integrity Monitoring (RAIM) can also detect attacks, by checking the consistency of receiver positions calculated based on subsets of all available satellites, being effective when the adversary attacks a subset of available satellites [55--57]. In [58--65], authors proposed monitoring the signal quality by statistically testing the symmetric character of early correlator E and

11 12 CHAPTER 3. RELATED WORK ON GNSS SECURITY late correlator L, or extra-correlator pairs, to detect attacks, because the spoofing signals lead to Cross Ambiguity Function (CAF) distortion. Multi-receiver spoofing detection methods detect spoofing attacks by checking the relative location errors of multiple receivers in presence of spoofing attacks [66--69]. Authors also proposed to validate the genuineness of received GPS signals by cross-checking the Angel of Arrival (AOA) or Direction of Arrival (DOA) estimated with antennas and calculated with received signals [70, 34]. Moreover, encrypted signals, e.g., GPS L1 P(Y) code signals, are used to validate the authenticity of received GPS L1 C/A signals with two receivers, one of which is in safe place and the other one is under spoofing [71, 72]. The two receivers know the expected relationship between the C/A code and the P(Y) code, which two versions of P(Y) codes at two receivers are correlated to obtain a detection statistic for the spoofing attacks. Acquisition peaks display differently during satellites acquisition process between only authentic signals and together with spoofed signals, which can be modeled to detect the presence of spoofing attacks [73, 74]. When it comes to enhancing the GNSS system infrastructure, providing security features, we usually talk about signal authentication/encryption and navigation data authentication/encryption [26, 75--78]. Military signals use signal encryption and/or navigation data encryption to restrict the access to the signals [79--81], e.g., the Galileo Public Regulated Service (PRS) signals, the GPS M-code signals and the BeiDou authorized signals. The European GNSS Agency is testing the civilian Galileo Open Service Navigation Message Authentication (OS NMA), to thwart spoofing attacks, with cryptographic Message Authentication Code (MAC) [82, 83]. The similar ideas about message authentication is also proposed for GPS civilian signals [78]. However, authenticated signals, in particular Navigation Message Authentication (NMA), cannot alone effectively protect receivers from replay attacks, including meaconing [35, 84], security code estimation and replay attack (SCER) [26, 85], forward estimation attack (FEA) [27, 28] and DD attacks [30--32]. DD attacks, first introduced in [29], are physical layer attacks against secure ranging and distance-bounding protocols. Their feasibility and effectiveness against Ultra-Wide Band (UWB) [86--88], impulse radio ranging[89] and Chirp Spread Spectrum (CSS) [90] systems were analyzed first. In the GNSS context, even with cryptographic protection in place, DD attacks can still shorten pseudorange measurements in real time, with a strong feature being compensating adversarial processing delays.

3.2 Fault Detection and Exclusion

Normally, a GPS receiver can view more GPS satellites than it needs to calculate its position and time. RAIM uses this redundancy to detect outliers in the satellites, by checking the consistency of position solutions calculated with different subsets of available satellites. Because a receiver requires at least four satellites to calculate its PVT solution, so RAIM requires at least 5 satellites for fault detection, and one 3.2. FAULT DETECTION AND EXCLUSION 13 extra satellite for fault exclusion. Initially, RAIM was designed to detect and exclude a single fault because the assumption is that the probability of simultaneous multiple satellite faults occurring in a single constellation system is negligible. In general, RAIM Fault Detection and Exclusion (FDE) is developed with two approaches: range based methods and position based methods. In range based methods, the Least Squared (LS) residual between measured pseudorange and expected value is used to test the hypotheses of the faults [91--94]. In position based methods, the position residuals between one all-in-view position and subset positions [95--98], or the maximum solution distances among all subset positions [99], are used as the test statistics to detect the outliers. RAIM FDE is still considered as a straightforward and cost-effective countermeasure, although it can only deal with the situation that only a subset of available satellite signals are affected [100]. However, while dealing with multiple faults, RAIM FDE approaches usually search and exclude multiple faults with an iterative manner. In [101, 102], authors first use a global test to check the consistency of observed measurements. When the global test fails, faults are claimed to be present in the measurements. Thus, a local test is performed to identify the faulty measurements, with an iterative search. In each local test iteration, the number of faults and the specific faulty measurements are assumed and excluded, and the LS residual test statistic is calculated. If the presumption about the faulty measurements is true, the remaining measurements are clean. Then, the test statistic should satisfy a threshold, calculated by a central Chi-square distribution with a required false alarm probability. Otherwise, it continues with different assumed faulty measurements with same number of faults, or increasing the number of assumed faulty satellites. In [103--105], multiple hypothesis solution separation algorithms (MHSS) describe the hypotheses of non- failure mode and various failure modes and one can assess the integrity risk by comparing the calculated Vertical Protection Level (VPL) with a Vertical Alarm Limit (VAL). For MHSS-FDE, e.g., Weighted Integrity Risk Solution Separation algorithm [106], a set of measurements are assumed as faults and removed, then one VPL is calculated with remaining measurements, which is compared with each other failure mode to check whether the removed satellites are actual faults. Because the VPL of subsets after removing some satellites is most likely larger than the VPL with all satellites, in absence of large faults. Therefore, one can claim that fault exits in the observations if any individual calculated subset VPL is smaller than the VPL with all satellites. The reason is that one expects the VPL increasing with less satellites that leads to degradation of geometry. But, MHSS-FDE requires same iterative steps as the Global-Local test in order to identify the faulty measurements. Moreover, in [107], authors proposed Group Separation (GS) as a RAIM FDE to detect and exclude multiple faults in a GPS and Galileo receiver when both constellations are available. Three user positions are calculated by GS: one using all satellites from both GPS and Galileo, and two positions using satellites of either all GPS or Galileo satellites. The distances between the full-set solution and either of the two individual constellation positions are calculated as test statistics to detect the 14 CHAPTER 3. RELATED WORK ON GNSS SECURITY presence of potential faults. However, GS can only deal with multiple faults in either constellation, not in a case when both constellations contain faults simultaneously. Authors developed Optimally Weighted Average Solution (OWAS) scheme in [108], using the weighting concept of NIORAIM [93] to weight the calculated solutions of GPS and Galileo in GS scheme to obtain higher RAIM availability. Due to this, OWAS has the same limitation as GS. In [57], CSSA utilizes a clustering algorithm, e.g., Density-based Spatial Clustering of Applications with Noise (DBSCAN), to detect and exclude multiple faults, because subset positions are supposed to be close to each other in absence of outliers. However, CSSA also requires exhaustive search to find the faulty satellites.

3.3 Securing GNSS Time Transfer with Signals of Opportunity

Many devices, equipped with a GNSS receiver, have access to many other technologies, e.g., WiFi network, cellular networks, networked time servers, as shown in Fig. 3.1. These technologies can either provide positioning or timing services. Even though their accuracy is typically worse than that for GNSS-provided position and time, their positioning or timing information can be used to validate whether the GNSS signals are authentic or not.

Figure 3.1: Opportunistic signals/data for a GNSS-enabled device/system.

A spoofing detection and mitigation method was proposed based on transmitting authenticated navigation message through LTE network to User End (UE) to validate the authenticity of the received GNSS signals [109]. In [110], a hypothesis 3.3. SECURING GNSS TIME TRANSFER WITH SIGNALS OF OPPORTUNITY 15 test was designed in an Alternative Position, Navigation, and Time (APNT) receiver to cross-check the receiver state with the GNSS-provided values and detect GNSS spoofing attacks, providing theoretic results. In [111], authors claimed that mobile phones can use side-information, e.g., information from A-GNSS and position information with mobile network towers, but the work did not provide concrete algorithm for spoofing detection. Another line of work analyzed position estimation with and without spoofing attacks in a cellular network, and proposed to use a Generalized Likelihood Ratio Test (GLRT) for spoofing detection [112], with simple experimental and simulation results. Iridium satellite signals were introduced to provide alternative position service, which could be used to detect position deviation under spoofing attacks [113]. In [114, 115], the discrepancy between position estimated by base stations of cellular networks and position calculated by GPS signals is used to detect spoofing attacks.

Chapter 4

Dissertation Contributions

This thesis is concerned with: 1) the study effectiveness of DD attacks on GNSS signals and the necessary countermeasures; 2) fault detection and exclusion efficiency, notably in complex settings with multiple constellations in use; 3) attack detection with opportunistic signals, in particular. This chapter outlines these contributions along these three lines concisely.

4.1 Thwarting DD Attacks on GNSS Signals

The DD attacks are a strong type of replay attacks, which can shorten pseudorange measurements from tens of meters to hundreds of kilometers, by adjusting its parameters. Paper A is the first published pear-reviewed research work about the DD attacks on GNSS signals, where we provide theoretical results on the performance, i.e., Bit Error Rate (BER), based on different parameter settings [30, 116, 117]. We provide preliminary analysis on the DD attacks during tracking phases, which, hereafter, gives preliminary detection results with Signal Quality Monitoring (SQM) methods [30]. In order to fully understand how the DD signals affect each type of GNSS signals, due to different signal structures, ranging code length, etc., paper C gives a detailed analysis on non-protected GNSS signals, e.g., GPS L1C and Galileo E1B, and protected signals, e.g., GPS L1 P(Y) and Galileo E6 [31, 118]. Table 4.1 illustrates the effectiveness on shortening pseudorange measurements, based on different GNSS signals, from which we can see that the DD attacker can mislead a victim’s trajectory precisely by adjusting the time gain, TDD. When the ARX of the DD attacker receives the genuine signal, it estimates the legitimate symbol values based on Maximum a Posterior (MAP) or Minimum Mean Square Error (MMSE) estimator. The error induced by the ARX is [30]:

r 1 C Pe = erfc TED (4.1) 2 N0

17 Table 4.1: The effects of distance-decreasing attacks on different GNSS signals. (also appears in [31])

Non-protection NMA signals Spreading-code encrypted signals signals GPS GPS BeiDou BeiDou Galileo Galileo GPS L1 C/A L1 M- B1Q B2Q E1 E6 Signals Galileo E1 OS BeiDou B1I and B2I P(Y) code PRS Code Target range Integer multiple of Fraction of one Fraction of one spreading code chip length spreading code length spreading code length Fraction of Level of TDD ms ns to ms 2 µs 195.5 488.8 97.8 391 ns 195.5 ns ns ns ns Shortened distance (pseu- ≥ 300 km meters to hundreds of meters to hundreds of km dorange measurement) km 4.1. THWARTING DD ATTACKS ON GNSS SIGNALS 19

where C/N0 is carrier to noise power ratio, erfc(.) is the complementary error function. If we consider the Multiple Access Interference (MAI), the bit error rate is written as [119]: q P 1 ! 2 TED Pe = Q q (4.2) Tc PK k N0 6 k=2 P + 4

1 where N0/2 is the two-sided power spectral density of the Gaussian noise, and P is the power of the signal we want to decode, P k, k = 2...K is the power of interfere signals, where K is the number of received satellites. At the transmitting side, the attacker crafts DD signals with two parts: an adversary-chosen part and a late-commit part, four approaches are analyzed for the adversary-chosen value [31]:

• A fixed value, e.g., +1.

• {+1, -1} are transmitted interleaved, for each spreading code length.

• Using the same value as the last symbol.

• For the spreading-code encrypted signals, {+1, -1} are transmitted as sample values for the encoded stream that is the result of multiplication of the secret code with the navigation data.

For each approach, the adversary needs to adjust the DD signal parameters accordingly, in order to make sure that the victim receiver decodes the symbol values correctly. A within-symbol transition is not allowed for satellites acquisition, which must be considered while crafting the DD signals. The adversary can solve this challenge by starting assembling the DD signals from the preamble code, since the preamble code is known publicly. Hence, the preamble code can be transmitted correctly without a within-symbol transition [32, 119, 120]. When the DD signals arrive at the HRX, the adversary can implement a jamming attack or a smooth take-over attack to force the victim receiver to lock on the DD signals. Consequently, the victim receiver tracks the DD signals successfully, and the prompt correlator output at tracking phase follows different distribution comparing to the authentic signals, which motivates to use hypothesis tests to detect the DD signals [119]. Specifically, we have the following sampled results for the prompt correlator after multiplying the legitimate signals with local aligned spreading sequence and carrier wave:

x0 = R(iT − τ)PN(iT − τ)cos(2πf iT + φ) Ip,i s s d s (4.3) where R(.) is the received legitimate signal, PN(.) is the spreading sequence, fd is the Doppler frequency, τ is the time delay, φ is the carrier phase and Ts = 1/fs is 20 CHAPTER 4. DISSERTATION CONTRIBUTIONS

0 the sampling interval. The prompt correlator output, IP , for the legitimate signals, follows: Tintfs r 0 X 0 E I [n] = x = fsTintb[n] + N0[n] (4.4) P Ip,i 2 i=0 where b is the data value: {+1, −1}, Tint is the integration period, E is the signal power and N0 is noise. Therefore, the prompt correlator output follows a normal distribution with the assumption of the noise being Gaussian. With the DD signals, after multiplying with local aligned spreading sequence and carrier wave, we have: xDD = S (iT − τ)PN(iT − τ)cos(2πf iT + φ) Ip,i AT X s s d s = u(iTs − TLC ) − u(iTs) SAT X (iTs − τ)PNE1B(iTs − τ)cos(2πfdiTs + φ) + u(iTs − Tb) − u(iTs − TLC ) SAT X (iTs − τ)PNE1B(iTs − τ)cos(2πfdiTs + φ) (4.5) where SAT X (.) is the received DD-crafted signal, u(t) is the unit step function. DD Thus, the prompt correlator output, IP , yields

Tintfs X IDD[n] = xDD P Ip,i i=0 r r E P = b [n] f T + b[n]A f (T − T ) + N [n] (4.6) pre 2 s LC 2 s int LC 0 q ( E TLC b 2 · fs · Tint A + (1 − A) T + N1[n] bpre = b = q int E TLC b · fs · Tint A − (1 + A) + N2[n] bpre = −b 2 Tint where bpre is the adversary-chosen symbol value, b is the true value and A is the signal amplitude ratio of the two parts within each symbol. Thus, we know that the prompt correlator output for the DD signals follows a Gaussian Mixture model. In Paper G, we use two statistical tests to examine the hypotheses: Goodness of Fit (GoF) [121, 122] and GLRT [123, 124], and evaluate the detection probability and the Receiver Operating Characteristic (ROC) curves for the two tests, separately, based on different adversary configuration and noise settings. The results show that both tests can effectively detect the DD attacks, and the detection probability with GLRT is approximately 20% higher than that of the GoF test in low Signal-to-Noise Ratio (SNR) environments, as shown in Fig. 4.1. In these figures, the SNR values correspond to the estimated SNR at the tracking outputs and Tint is the integration period. We also evaluate these two tests with a synthesized DD signal at a software GNSS receiver, as presented in Fig. 4.2. The results show that the two tests can detect the DD attacks in low SNR environments for high TLC ; and the tests work better in high SNR environments for both low and high TLC . 4.1. THWARTING DD ATTACKS ON GNSS SIGNALS 21

1 1

0.9 0.9

0.8 0.8

0.7 0.7

0.6 0.6 T /T =0.2500 T /T =0.2500 0.5 LC int 0.5 LC int T /T =0.3720 T /T =0.3720 LC int LC int 0.4 T /T =0.4940 0.4 T /T =0.4940 LC int LC int

Power of the test T /T =0.6160 T /T =0.6160 0.3 LC int 0.3 LC int T /T =0.7136 Power of the GLRT test T /T =0.7136 LC int LC int 0.2 0.2

0.1 0.1

0 0 0 5 10 15 20 25 30 0 5 10 15 20 25 30 SNR (dB) SNR (dB)

(a) Detection probability with the GoF (b) Detection probability with GLRT (Shapiro-Wilk) test. test.

Figure 4.1: Detection performance of two tests on DD attacks, with significance level being 0.01. (also appears in [119])

Detection results for SNR=15 dB Detection results for SNR=22 dB

1 1 T /T =0.25 T /T =0.25 LC int LC int T /T =0.372 T /T =0.372 LC int LC int T /T =0.494 T /T =0.494 LC int LC int T /T =0.616 T /T =0.616 LC int LC int T /T =0.7136 LC int T /T =0.7136 0 0 LC int

0 20 40 60 80 100 120 0 20 40 60 80 100 120 Time (s) Time (s) (a) (b)

Figure 4.2: Detection results of synthesized DD signal with GoF (top plot) and GLRT (bottom plot) for two SNR with significance level being 0.01: one detection result every four seconds; ’1’ indicates that the attack is detected and ’0’ indicates negative result. (also appears in [119]) 22 CHAPTER 4. DISSERTATION CONTRIBUTIONS

4.2 Fault Detection and Exclusion

As unintentional and intentional faults affect the PVT solutions of a GNSS receiver, we develop algorithms to detect and exclude the faulty signals. Paper B designs a FDE algorithm with the help of a clustering algorithm to detect and exclude faulty signals in a GPS receiver [56, 125, 126]. The basic idea is that it calculates positions with different subsets of available satellites; the subset positions, calculated only with non-faulty satellites, should be close to each other, i.e., in a dense area; otherwise, when the subsets contain faulty satellites, the computed positions are scattered. The algorithm starts assuming that there is only one fault and searches which one satellite is faulty, otherwise, it assumes that there are two faults and searches for two faulty satellites, and so on. In our proposed algorithm, a clustering scheme, e.g., DBSCAN, is used to group these subset positions, and then the algorithm identifies faulty satellites and excludes them from the final PVT calculation. Furthermore, we extend the algorithm to a multiple constellation receiver in Paper D, where the receiver can detect and exclude faulty satellites from multiple constellations [57, 127, 128]. The paper analyzes the algorithm in a multiple constellation receiver, which is divided into three cases based on fault detection on each constellation: 1) there is no fault in all constellations; 2) only some constellations contain faults; 3) all constellations contain faults. After determining which case the receiver falls into, a clustering algorithm is used to group non-faulty subset positions and exclude faulty satellites. We also evaluate the algorithm performance, in terms of feasibility, detection probability and false alarm probability, for the three different cases with a synthesized faulty satellites from a recorded RINEX observation file [129]. However, the aforementioned proposed algorithms have same issues as other fault detection and exclusion algorithms: iterative search on faulty satellite candidates, which is quite expensive with many faults when the number of satellites is large in multi-constellation receivers. Therefore, Paper H proposes a more efficient algorithm, i.e., FM-FDE, to detect and exclude multiple faults. As FM-FDE is a Solution Separation (SS) based RAIM FDE algorithm, the paper analyzes the conventional SS FDE [98, 130] and compares the performance of two algorithms. The conventional SS FDE uses the distance between a all-in-view solution that calculates the receiver position with all available satellites and subset solutions as test statistics to check whether fault is present or not. Differently put, FM-FDE utilizes the distances between fixed-size subsets as test statistics to identify faulty satellites. We design variants of the FM-FDE algorithm for single- and multi-constellation receivers, respectively. In a single constellation receiver, as shown in Fig. 4.3 [131], the main difference between FM-FDE and the conventional SS FDE is that FM-FDE uses the distances between fixed-size subsets as test statistics. We introduce a module called misdetec- tion check to reduce the false negatives. In addition, in a multi-constellation receiver, as shown in Fig. 4.4 [131], we introduce a measurement pool that accepts outputs of the algorithm operating with signals from one constellation at a time. In each 4.2. FAULT DETECTION AND EXCLUSION 23

Figure 4.3: FM-FDE for a single constellation receiver. (also appears in [131])

Figure 4.4: FM-FDE for a multi-constellation receiver. (also appears in [131])

individual constellation check, FM-FDE puts all deemed non faulty measurements to the measurement pool, by filtering out the deemed faulty measurements - to the extent if it can identify them as such. Otherwise, FM-FDE will put all measurements of the constellation to the pool. Subsequently, the algorithm uses the computed distance as the test statistic between fixed-size subsets to possibly exclude faulty measurements that individual constellation checks could not exclude. Furthermore, 24 CHAPTER 4. DISSERTATION CONTRIBUTIONS

Single constellation receiver Multi-constellation receiver

Conventional SS FDE Conv-SS FDE: two constellations 4 10 FM-FDE FM-FDE: two constellations 10 Conv-SS FDE: three constellations 10 FM-FDE: three constellations Conv-SS FDE: four constellations FM-FDE: four constellations

103

105

Number of subsets to be processed 102 Number of subsets to be processed 1 2 3 4 5 6 2 4 6 8 10 12 14 16 18 20 Number of faults Number of faults (a) Number of subsets to be processed in a (b) Number of subsets to be processed in a single constellation receiver. multi-constellation receiver.

Figure 4.5: Complexity comparison between conventional SS FDE and FM-FDE. (also appears in [131])

we evaluate the performance, in terms of complexity, detection probability, false alarm probability and execution time, and compare with the conventional SS FDE. Paper H formulates the complexity of the two algorithms as a function of number of faults and plots it in Fig. 4.5. We see that FM-FDE becomes more efficient than the conventional SS FDE when the number of faults is larger than 2 in a single constellation receiver; the advantage of FM-FDE becomes larger as the number of constellations grows. An evaluation with data recorded by a mobile phone through the Geo++ Rinex Logger application [132] is conducted in a simulation environment. As Fig. 4.6 shows, the conventional SS FDE has higher detection rate when the errors are smaller than 100 m comparing to FM-FDE, in a single constellation receiver. FM-FDE provides slightly lower detection rate than the conventional algorithm with errors smaller than 200 m, in a multi-constellation receiver, as presented in Fig. 4.7.

4.3 Securing GNSS Time Transfer with Opportunistic Signals

In order to explore the feasibility of validating the authenticity of GNSS signals with opportunistic signals, Paper F studies the timing accuracy of several technologies on different environments [133, 134]. Specifically, in 5G, proposals for UE time synchronization in RAN#81 leverage a new System Information Block (SIB)-based message to deliver time information to UEs for Time Sensitive Networking (TSN), 4.3. SECURING GNSS TIME TRANSFER WITH OPPORTUNISTIC SIGNALS25

1 0.14 FM_FDE: one fault Conventional SS FDE: one fault 0.98 0.12 FM_FDE: two faults

) Conventional SS FDE: two faults )

0.96 FA 0.1 FM_FDE: three faults D Conventional SS FDE: three faults FM_FDE: four faults 0.94 0.08 Conventional SS FDE: four faults FM_FDE: one fault 0.92 Conventional SS FDE: one fault 0.06 FM_FDE: two faults

Detection rate (P 0.9 Conventional SS FDE: two faults 0.04 FM_FDE: three faults False alarm rate (P Conventional SS FDE: three faults 0.88 FM_FDE: four faults 0.02 Conventional SS FDE: four faults 0.86 0 50 100 200 500 1000 50 100 200 500 1000 Error (m) Error (m) (a) Detection rate. (b) False alarm rate.

Figure 4.6: Detection and false alarm rates based on different number of faults in different level of errors, in the GPS receiver. (also appears in [131])

1 0.5 FM_FDE: one fault Conventional SS FDE: one fault FM_FDE: two faults 0.98 0.4

) Conventional SS FDE: two faults FM_FDE: one fault

) FM_FDE: three faults Conventional SS FDE: one fault FA D Conventional SS FDE: three faults FM_FDE: two faults FM_FDE: four faults Conventional SS FDE: two faults 0.96 0.3 Conventional SS FDE: four faults FM_FDE: three faults FM_FDE: five faults Conventional SS FDE: three faults Conventional SS FDE: five faults FM_FDE: four faults FM_FDE: six faults Conventional SS FDE: four faults 0.94 0.2 Conventional SS FDE: six faults FM_FDE: five faults FM_FDE: seven faults Conventional SS FDE: five faults Detection rate (P Conventional SS FDE: seven faults FM_FDE: six faults False alarm rate (P 0.92 Conventional SS FDE: six faults 0.1 FM_FDE: seven faults Conventional SS FDE: seven faults

0.9 0 50 100 200 500 1000 50 100 200 500 1000 Error (m) Error (m) (a) Detection rate. (b) False alarm rate.

Figure 4.7: Detection and false alarm rates based on different number of faults in different level of errors, in the GPS-Galileo receiver. (also appears in [131])

which provides time accuracy better than 250 ns for small Industrial Internet of Things (IIOT) cells [135--138]. In Wireless Local Area Network (WLAN), Access Points (APs) emit beacons periodically to advertise their network [139--141]; fixed beacon intervals can be used to validate GNSS-provided time. We propose checking the consistency of GNSS-provided time and time provided by alternative technologies, 26 CHAPTER 4. DISSERTATION CONTRIBUTIONS

Uniﬁed System Time

WiFi Beacon 1 Centralized controller WiFi Beacon 2 Logger WiFi AP TS Receiver Detection UST WiFi Beacon n

GPS GPS Link GPS TS Receiver UST

(. ) NTP Remote Server 1 Connector NTP Remote Server 2 Connector NTP Remote Server 3 Connector NTP TS UST NTP POOL

Synchronization Other Technologies Tech TS Sources Decision UST

Figure 4.8: Testbed architecture. (also appears in [133])

for cases of a single alternative technology as well as multiple ones. Based on different technologies, absolute time checking and relative time checking are considered. As NTP or NTPsec provides absolute Coordinated Universal Time (UTC), the receiver checks the difference between NTP provided time and GNSS provided time within a threshold, which is obtained through historical statistics, to detect the authenticity of the GNSS signals. WiFi beacons do not provide absolute time, but contain relative transmission time, which increments with a fixed value (configurable). The APs emit beacons periodically with interval of integral number of Time Unit (TU), which is a unit of time equaling to 1024 µs. Based on this information, the algorithm compares a time interval measured by WiFi beacons and measured by the GNSS signals to examine the discrepancy Single Opportunistic Technology: Figure 4.9 shows how a single alternative time technology can be used to validate the GNSS-provided time. In particular, absolute time checking can be formulated as:

f(t) = f(|Text(t) − TGNSS(t)|) (4.7) where Text is the time obtained from the alternative technology, TGNSS is GNSS- provided time and f(.) is a function of the time difference. The relative time checking can be written as:

f(∆t) = f(|∆text(t) − ∆tGNSS(t)|) (4.8) where ∆text(t) = Text(t + 1) − Text(t) and ∆tGNSS(t) = TGNSS(t + 1) − TGNSS(t). 4.3. SECURING GNSS TIME TRANSFER WITH OPPORTUNISTIC SIGNALS27

Figure 4.9: Illustration of the approach with a single external time source. (also appears in [133])

There may be several time sources for each alternative technology, e.g., the receiver can acquire UTC time information from several NTP servers at the same time. At each epoch, in order to claim that the GNSS time is valid, f(t) is required to fulfill: f(t) < ext (4.9) where ext is the threshold obtained for the alternative technology. Assuming there are k sources for the technology, if m out of k sources fulfill Eq. 4.9, when m 1 > (or a desired higher value) (4.10) k 2 then the GNSS time is deemed to be secure, with accuracy of ext. Multiple Opportunistic Technologies: the function g(t) is defined for absolute time checking and relative time checking as follows:

g(t) = g{fext1(t), . . . , fextk(t)} (4.11) g(t) = g{fext1(∆t), . . . , fextk(∆t)}

Figure 4.10 illustrates how alternative technologies ext1, ext2, ..., extk can be used to test the GNSS-provided time. If all of the alternative technologies provide equally trusted time information, then when majority of the technologies satisfies Eq. 4.10, the approach claims that the GNSS time is not faulty. If they are not equally trusted, we can apply weights to the technologies based on their level of trust and accuracy, e.g., an authenticated time source has higher weight than unauthenticated ones. Thus, the decision function in Fig. 4.10 can be written as:

fext1(t) fext2(t) fextk(t) g(t) = wext1 + wext2 + ··· + wextk (4.12) ext1 ext2 extk Pk where wextk is the weight of technology k and i=0 wexti = 1. The approach deems the GNSS time authentic when g(t) < 1, at time instance t. Successive decisions 28 CHAPTER 4. DISSERTATION CONTRIBUTIONS

Figure 4.10: Illustration of the approach with multiple external time sources. (also appears in [133])

over a period can provide a final decision, in order to increase the detection accuracy.

We designed an experimental setup, illustrated in Fig. 4.8, to evaluate the feasibility of validating GNSS provided time with other timing technologies. A GNSS spoofing attack was synthesized with gradual increase of the time offset from real GPS time and was fed to the test bench. The experiment used a u-blox evaluation kit receiving GPS signals, outputting the GPS time to a laptop that implements the proposed detection approach to validate the GPS provided time. In Paper F, we study the synchronization accuracy of NTP via wired networks and the accuracy of WiFi beacons in a local networking environment, based on which the thresholds, ext, are obtained. Attacks are detected by checking whether the discrepancy between the synthesized spoofed GPS time and alternative time satisfies Eq. 4.9 or not, i.e., for a single opportunistic source at a time. The detection results are presented through absolute time checking with NTP and relative time checking with WiFi network, separately [133]. The work shows that we can protect the receivers from being attacked to cause more than ext time offset, i.e., 23.9 µs for WiFi and 2.1 ms for NTP. Chapter 5

Summary of Original Work

Paper A: GNSS Receiver Tracking Performance Analysis under Distance-decreasing attacks

Kewei Zhang and Panos Papadimitratos Presented at: International Conference on Localization and GNSS (ICLGNSS), Gothenburg, Sweden, June 2015

Abstract: Numerous works have investigated the vulnerability of Global Naviga- tion Satellite Systems (GNSS) against attacks. Upcoming systems make provisions for cryptographic civilian signal protection. However, this alone does not fully protect GNSS-based localization. In this paper, we show that attacks at the physical layer, without modification of navigation messages, can be severely effective. We analyze the influence of the, so called distance decreasing attacks, and we investigate their feasibility and we find that they can be practical and effective. Finally, we consider signal quality monitoring, but it can not readily serve as a countermeasure.

Contribution: This work built on the MSc thesis [142] that of the first author, and drew on earlier work of the second author [86--89] and a related student project [143]. The author of this thesis did the attack analysis and feasibility evaluation along with the second author. He also proposed and evaluated detection methods. The article was written by both authors.

Paper B: Detection and Exclusion RAIM Algorithm against Spoofing/Replaying Attacks

Kewei Zhang, Rashedul Amin Tuhin and Panos Papadimitratos Presented at: International Symposium On GNSS (ISGNSS), Kyoto, Japan, Novem- ber 2015

29 30 CHAPTER 5. SUMMARY OF ORIGINAL WORK

Abstract: Malicious attacks, notably spoofing and replaying, in addition to jamming, have been shown increasingly practical even for attackers without high levels of sophistication. This makes malicious interference and manipulation a significant threat for Global Navigation Satellite Systems (GNSS)-based applications. Receiver Autonomous Integrity Monitoring (RAIM) has been widely used in safety- critical navigation applications to ensure the integrity and reliability of the navigation function, without being designed with malicious faults in mind. Along the lines of the RAIM approach, here we investigate an alternative method to exclude faulty pseudo-range measurements and obtain an as accurate as possible position estimate. We propose the use of an approach that allows the receiver to classify position estimates into, roughly speaking, those that are faulty (affected by an attacker) and those that are not. Identifying an intuitive match to GNSS-based positioning, we propose the use of a clustering algorithm for this classification. We find that our so-called Clustering-RAIM (CRAIM) is simple to configure and efficient in terms of computation, and our evaluation, simulating adversarial effect, shows it can be effective without any prior assumption on the number of faulty measurements; as long as they are the minority of the available ones.

Contribution: This work built on the MSc thesis [144] of the second author. The author of this thesis surveyed the related work, and the first and second authors designed the detection algorithm along with the third author. The first author evaluated the algorithm with navigation and observation files. The first and third authors wrote the article together.

Paper C: On the Effects of Distance-decreasing Attacks on Cryptographically Protected GNSS Signals

Kewei Zhang and Panos Papadimitratos Presented at: International Technical Meeting of The Institute of Navigation (ION ITM), Virginia, USA, January 2019

Abstract: The security of global navigation satellite systems draws attention increasingly, and authentication mechanisms for civilian services seem very effective in thwarting malicious behavior. For example, the Galileo E1 Open Service intro- duces navigation message authentication. Authentication, as well as encryption at navigation message or spreading code level, can prevent spoofing attacks, but do not preclude replay attacks. In this work, we consider a type of strong replay attacks, distance-decreasing attacks, against cryptographically protected GNSS signals. Distance-decreasing attack enhance an attacker’s capability of allowing it to mislead the victim receiver that the GNSS signals arrive earlier than true signals. We analyze the instantiation and the effects of the distance-decreasing attacks on unprotected GNSS signals, on navigation message authenticated signals, and on spreading-code encrypted signals. We discuss different strategies that the 31 attacker can adopt to introduce the least bit errors to the re-transmitted signals and avoid being detected at the victim receiver. We provide evaluation results of distance-decreasing attacks on unprotected signals and authenticated navigation message signals, based on different strategies and configurations, and we sketch countermeasures to the different strategies.

Contribution: The author of this thesis carried out the attack analysis for different GNSS signals along with the other author. He also provided the evaluation results and a brief countermeasure discussion. Both authors contributed to all phases, including the writing.

Paper D: Secure Multi-constellation GNSS Receivers with Clustering-based Solution Separation Algorithm

Kewei Zhang and Panos Papadimitratos Presented at: IEEE Aerospace Conference, Montana, USA, March 2019

Abstract: Because of the limited satellite visibility, reduced signal reception reliability and constraining spatial geometry, e.g., in urban areas, the development of multi-constellation global navigation satellite systems (GNSS) has gained trac- tion rapidly. GNSS-based applications are expected to handle observations from different navigation systems, e.g., GPS, GLONASS, BeiDou and Galileo, in order to improve positioning accuracy and reliability. Furthermore, multi-constellation receivers present an opportunity to better counter spoofing and replaying attacks, leveraging approaches take advantage of the redundant measurements. In particular, cluster-based solution separation algorithm (CSSA) proposes to detect and identify faulty/malicious signals in a single GPS constellation by checking the consistency of receiver positions calculated with different number of satellites. Intuitively, the algorithm targets directly the consequence of spoofing/replaying attacks: the victim receiver position error estimation. It works independently of how the attacks are launched, either through modifying pseudorange measurements or manipulating the navigation messages, without changing the receiver hardware. Multi-constellation GNSS receivers utilize all observations from different navigation systems, there are more than 30 available satellites at each epoch after Galileo and BeiDou systems become fully operational; in other words using abundant redundancy. Therefore, we introduce such a CSSA to a multi-constellation receiver. The work shows that a multi-constellation GNSS receiver equipped with our algorithm works effectively against a strong spoofing/replaying attacker that can manipulate a large number of signals, or even an entire constellation. The results show that CSSA with multi- constellation significantly improves the performance of detecting and identifying the malicious signals; particularly, when the adversary cannot control all the constellations, a multi-constellation receiver can identify the faults even the adversary induces very small errors to pseudorange measurements, comparing with a single 32 CHAPTER 5. SUMMARY OF ORIGINAL WORK constellation receiver. Moreover, when the attacker is powerful to manipulate most of signals of all the constellations, a multi-constellation receiver with CSSA can still detect and identify the faulty signals with high probability when the attacker tries to mislead the victim more than a couple of hundred meters from its true location.

Contribution: This work is a continuation of Paper B. The author of this thesis contributed the scenario analysis for a multi-constellation receiver, algorithm design, implementation and evaluation, along with the other author. The article was written by both authors.

Paper E: Safeguarding NMA Enhanced Galileo OS Signals from Distance-Decreasing Attacks

Kewei Zhang and Panos Papadimitratos Presented at: International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+), Florida, USA, September 2019

Abstract: Increased use of global satellite navigation systems (GNSS), for applications such as autonomous vehicles, intelligent transportation systems and drones, heightens security concerns. Civil GNSS signals are vulnerable to notably spoofing and replay attacks. To counter such attacks, cryptographic methods are developed: Navigation Message Authentication (NMA) is one such scheme, about to be deployed for Galileo E1 Open Service (OS); it allows receivers to verify the signal origin and protects navigation message integrity. However, NMA signals cannot fully thwart replay attacks, which do not require forging navigation messages. Classic replay attacks, e.g, meaconing, retransmit previously recorded signals without any modification, thus highly limiting the capacity of the adversary. Distance-decreasing (DD) attacks are a strong type of replay attack, allowing fine-grained individual pseudorange manipulation in real time. Moreover, DD attacks counterbalance processing and transmission delays induced by adversary, by virtue of shifting earlier in time the perceived (relayed) signal arrival; thus shortening the pseudorange measurements. In this paper, we first analyze how DD attacks can harm the Galileo E1 OS-NMA service assuming the adversary has no prior information on the navigation message. Moreover,we propose a DD attack detection method based on a Goodness of Fit test on the prompt correlator outputs of the victim. The results show that the method can detect the DD attacks even when the receiver has locked to the DD signals.

Contribution: This work is a continuation of Paper C. The author of this thesis contributed to the attack analysis, and proposed countermeasures and evaluated their effectiveness, together with the other author. This article was written by both authors. 33

Paper F: Protecting GNSS-based Services using Time Offset Validation

Kewei Zhang, Marco Spanghero and Panos Papadimitratos Presented at: IEEE/ION Position, Location and Navigation Symposium (PLANS), Portland, Oregon, USA, September 2020

Abstract: Global navigation satellite systems (GNSS) provide pervasive accurate positioning and timing services for a large gamut of applications, from Time based One-Time Passwords (TOPT), to power grid and cellular systems. However, there can be security concerns for the applications due to the vulnerability of GNSS. It is important to observe that GNSS receivers are components of platforms, in principle having rich connectivity to different network infrastructures. Of particular interest is the access to a variety of timing sources, as those can be used to validate GNSS-provided location and time. Therefore, we consider off-the-shelf platforms and how to detect if the GNSS receiver is attacked or not, by cross-checking the GNSS time and time from other available sources. First, we survey different technologies to analyze their availability, accuracy and trustworthiness for time synchronization. Then, we propose a validation approach for absolute and relative time. Moreover, we design a framework and experimental setup for the evaluation of the results. Attacks can be detected based on WiFi supplied time when the adversary shifts the GNSS provided time, more than 23.942 µs; with Network Time Protocol (NTP) supplied time when the adversary-induced shift is more than 2.046 ms. Consequently, the proposal significantly limits the capability of an adversary to manipulate the victim GNSS receiver.

Contribution: This work followed up on a European Space Agency project on Securing GNSS Time Transfer. The author of the thesis contributed to the literature survey on alternative timing technologies, the detection solution design, the testbed design and the solution evaluation, together with the other two authors. The article was written by the three authors.

Paper G: Protecting GNSS Open Service-Navigation Message Authentication against Distance-Decreasing Attacks

Kewei Zhang, Erik G. Larsson and Panos Papadimitratos Submitted to: IEEE Transactions on Aerospace and Electronic Systems, 2020

Abstract: As the security of global navigation satellite systems (GNSS) for civilian usage is increasingly important, navigation message authentication (NMA) significantly improves resilience to spoofing attacks. However, not all attacks can be 34 CHAPTER 5. SUMMARY OF ORIGINAL WORK effectively countered: a strong variant of replay/relay attacks, distance-decreasing (DD) attacks, can shorten pseudorange measurements, without manipulating the cryptographically protected navigation message, thus manipulating the position, velocity, and time solution undetected. First, we discuss how DD attacks can tamper with GNSS signals, demonstrating the attack effectiveness on a recorded Galileo signal. DD attacks might introduce bit errors to the forged signals, but the adversary can keep this error rate very low with proper attack parameter settings. Then, based on our mathematical model of the prompt correlator output of the tracking phase at the victim receiver, we find that the correlator output distribution changes in the presence of DD attacks. This leads us to apply hypothesis testing to detect DD attacks, notably a Goodness of Fit (GoF) test and a generalized likelihood ratio test (GLRT), depending on the victim’s knowledge on the DD attacks. Monte Carlo simulations are used to evaluate the detection probability and the receiver operating characteristic (ROC) curves for two tests, for different adversary configuration and noise settings. Then, we evaluate the effectiveness of the GoF and GLRT tests with a synthesized DD signal. Both tests can detect DD attacks with similar performance in high signal-to-noise ratio (SNR) environments. The GLRT detection probability is approximately 20% higher than that of the GoF test in low SNR environments.

Contribution: This work is a continuation of Paper E. The author of this thesis carried out the attack modeling and analyzed its feasibility along with the other two authors. He also proposed countermeasures thwarting the attacks and evaluated them on recorded signals. The article was written by the three authors.

Paper H: Fast Multiple Fault Detection and Exclusion (FM-FDE) Algorithm for Standalone GNSS Receivers

Kewei Zhang and Panos Papadimitratos Published in: IEEE Open Journal of the Communications Society, vol. 2, pp. 217-234, 2021

Abstract: Numerous applications and devices use Global Navigation Satellite System (GNSS)-provided position, velocity and time (PVT) information. However, unintentional interference and malicious attacks render GNSS-provided information unreliable. Receiver Autonomous Integrity Monitoring (RAIM) is considered an effective and lightweight protection method when a subset of the available satellite measurements is affected. However, conventional RAIM Fault Detection and Exclusion (FDE) can be computationally expensive, due to iterative search to exclude faulty signals, in case of many faults and more so for multi-constellation GNSS receivers. Therefore, we propose a fast multiple fault detection and exclusion (FM-FDE) algorithm, to detect and exclude multiple faults for both single and multi-constellation receivers. The novelty is that FM-FDE can effectively exclude 35 faults without an iterative search for faulty signals. FM-FDE calculates position distances of any subset pairs with max{3+P, 2P} measurements, where P is the number of constellations. Then, the algorithm utilizes statistical testing to examine the distances and identify faulty measurements to exclude from the computation of the resultant PVT solution. We evaluate FM-FDE with synthesized faulty measurements in a collected data set; it shows that FM-FDE is practically equally effective as the conventional Solution Separation (SS) FDE in a single constellation receiver. The computational advantage of FM-FDE is more pronounced in a multi- constellation setting, e.g., being more efficient for GPS-Galileo receivers facing more than 2 faults across both constellations. The trade-off is that FM-FDE slightly degrades performance in terms of detection and false alarm probabilities with small errors, compared to the conventional SS FDE.

Contribution: The author of this thesis analyzed the conventional FDE algorithm and the proposed FM-FDE algorithm. He also carried out field data recording; he performed the algorithm evaluation with the help of the other author. This article was written by both authors.

Publications not included in this thesis

Beyond the above-mentioned papers A to H, the author of this thesis also coauthored a number of publications, notably posters/short papers [116--118, 120, 125--128], and a conference paper [134], listed below.

Proceedings

• Marco Spanghero, Kewei Zhang and Panagiotis Papadimitratos, "Authen- ticated Time for Detecting GNSS Attacks", in Proceedings of the 33rd In- ternational Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2020), ION, September 2020.

Posters

• Kewei Zhang and Panos Papadimitratos, "Are the upcoming Galileo Au- thenticated GNSS Signals safe enough?" Cybersecurity and Privacy (CySeP) Summer School jointly with 4th IEEE European Symposium on Security and Privacy (Euro S&P), Stockholm, Sweden, June 2019.

• Kewei Zhang and Panos Papadimitratos, "Analysis of the Effects of the Distance-Decreasing Attacks on GNSS Authenticated Signals," in Cybersecu- rity and Privacy (CySeP) Summer School jointly with the ACM Conference on Security and Privacy in Wireless & Mobile Networks (WiSec), Stockholm, Sweden, June 2018. 36 CHAPTER 5. SUMMARY OF ORIGINAL WORK

• Kewei Zhang and Panos Papadimitratos, "Optimization of Clustering-based Solution Separation Algorithm against Spoofing Attacks," in International Sym- posium on Precision Approach and Performance Based Navigation, Munich, Germany, October 2017. • Kewei Zhang and Panos Papadimitratos, "Clustering based RAIM Approach for Replay/Spoofing Attack," in Cybersecurity and Privacy (CySeP) Summer School, Stockholm, Sweden, June 2017. • Kewei Zhang and Panos Papadimitratos, "Securing GNSS-based positioning: fundamental building block for Intelligent Transportation Systems," in ITRL Conference on Integrated Transport: Connected and Automated Transport Systems, Sotckholm, Sweden, November 2016. • Kewei Zhang and Panos Papadimitratos, "Clustering based RAIM for Re- play/Spoofing Attack," in ACCESS Industrial Workshop, Stockholm, Sweden, May 2016. • Kewei Zhang and Panos Papadimitratos, "Attacking GNSS-based Positioning: Distance Decreasing Attacks," in Cybersecurity and Privacy (CySeP) Winter School, Stockholm, Sweden, October 2015. • Kewei Zhang and Panos Papadimitratos, "Attacking GNSS-based Positioning," in Cybersecurity and Privacy (CySeP) Winter School, Stockholm, Sweden, October 2014. Chapter 6

Conclusions and Future Work

6.1 Thesis Conclusions

This thesis contributions towards securing GNSS-based positioning and timing services concern: 1) Countering Distance-Decreasing attacks on GNSS signals; 2) Fault detection and exclusion for GNSS receivers; 3) Securing GNSS signals with the help of opportunistic signals. We explored the feasibility of DD attacks on GNSS signals, first on GPS signals and then Galileo signals. DD attacks offer the adversary high flexibility in terms of manipulating pseudorange measurements, because they can compensate processing and transmission delays, during the attacking process. We analyzed the performance of DD attacks on different GNSS signals, in terms of capacity to reliably (from the attacker’s side) shorten pseudorange measurements. The approaches that the adversary can utilize to effectively manipulate the victim receiver were studied and evaluated, specifically for GPS signals and Galileo signals. Based on the analysis on the receiver tracking outputs, we proposed two statistical tests to detect DD attacks: GoF test and GLRT. Both tests can effectively detect DD attacks; GLRT achieves higher detection probability compared to the GoF test in low SNR environments. Moreover, we have explored the feasibility of validating the legitimacy of GNSS signals relying on different timing technologies. Validation algorithms based on checking the discrepancy between the GNSS provided time and time from alternative technologies were considered, and a testbench was designed to evaluate the algorithm against a synthesized GPS time spoofing attack. The results show that our proposal can detect attacks when the time offset introduced by the adversary is higher than the accuracy of the alternative technologies. Beyond the detection of attacks, we investigated methods for excluding faulty satellite signals. CSSA was proposed to detect and exclude faulty satellite candidates based on that the subset positions fall in a dense area in absence of faults, otherwise are scattered. The algorithm was extended to a multi-constellation receiver, with an updated version. We evaluated the algorithms both in single and multi-constellation

37 38 CHAPTER 6. CONCLUSIONS AND FUTURE WORK receivers, and the results showed that they can effectively exclude potential faulty measurements. As CSSA has the same disadvantage as other RAIM FDE (computationally expensive searching the faulty satellites), we proposed a more efficient faults detection and exclusion algorithm: FM-FDE. We evaluated the performance, in terms of flexibility, detection probability, false alarm probability and execution time, and compared with conventional SS FDE. The results show that FM-FDE significantly reduces the execution time, especially in multi-constellation receivers, with slight degradation on the detection and false alarm probabilities when the adversary-induced errors are below 100 m.

6.2 Future Work

Although we thoroughly analyzed the DD attacks and evaluated our proposed countermeasures against the attacks in a simulated environment, a testbed for demonstrating the DD attacks in real-time can be developed in future work. Fur- thermore, a field experiment with the testbed and our proposed countermeasures in a GNSS receiver can be conducted. As an extension of our proposed countermeasures, a complementary study on different methods to detect the DD attacks in a standalone receiver, ranging from receiver power monitoring to signal quality monitoring, can be conducted to complement the work. This thesis investigated alternative technologies, e.g., NTP and WiFi beacons, to validate the GNSS-provided time in a static receiver. The work can be extended to study the limitation and feasibility on a mobile receiver with various motion activities, together with other technologies, e.g., 4G or 5G. A further study of approaches the receiver should adopt to have a smooth validation based on the network connection status, can be conducted based on a local oscillator or INS with some technologies, e.g., Kalman Filter. Bibliography

[1] Space & Missiles Systems Center (SMC) - LAAFB, ‘‘NAVSTAR GPS Space Segment/Navigation User Segment Interfaces IS-GPS-200,’’ Tech. Rep., May 2020.

[2] Space & Missiles Systems Center (SMC) - LAAFB, ‘‘NAVSTAR GPS Space Segment/Navigation User Segment Interfaces IS-GPS-705,’’ Tech. Rep., May 2020.

[3] L. Huang and Q. Yang, ‘‘Low-cost GPS simulator GPS spoofing by SDR,’’ in Proceedings of the 15th DEFCON, Paris, France, August 2015.

[4] J. T. Curranand, A. Morrison, and C. O’Driscoll. (In)Feasibility of Multi- Frequency Spoofing . [Online]. Available: https://insidegnss.com/infeasibility- of-multi-frequency-spoofing/

[5] K. C. Zeng, S. Liu, Y. Shu, D. Wang, H. Li, Y. Dou, G. Wang, and Y. Yang, ‘‘All your {GPS} are belong to us: Towards stealthy manipulation of road navigation systems,’’ in Proceedings of the 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD, U.S.A, August 2018, pp. 1527--1544.

[6] Radio Navigation Research Team in UT Austin. Spoofing on the High Seas. [Online]. Available: https://news.utexas.edu/2013/07/29/ut-austin- researchers-successfully-spoof-an-80-million-yacht-at-sea/

[7] E. Kaplan and C. Hegarty, Understanding GPS: principles and applications. Artech house, 2005.

[8] US Federal Communications Commission. Jammer Enforcement. [Online]. Available: https://www.fcc.gov/general/jammer-enforcement

[9] Y.-R. Chien, ‘‘Design of gps anti-jamming systems using adaptive notch filters,’’ IEEE Systems Journal, vol. 9, no. 2, pp. 451--460, 2013.

[10] D. Borio, ‘‘A multi-state notch filter for GNSS jamming mitigation,’’ in IEEE International Conference on Localization and GNSS 2014 (ICL-GNSS 2014), Helsinki, Finland, June 2014, pp. 1--6.

39 40 BIBLIOGRAPHY

[11] D. Borio and C. Gioia, ‘‘Real-time jamming detection using the sum-of-squares paradigm,’’ in 2015 IEEE International Conference on Localization and GNSS (ICL-GNSS), Gothenburg, Sweden, June 2015, pp. 1--6.

[12] D. Borio, ‘‘Swept GNSS jamming mitigation through pulse blanking,’’ in 2016 IEEE European Navigation Conference (ENC), Helsinki, Finland, June 2016, pp. 1--8.

[13] D. Reynolds, A. Brown, and A. Reynolds, ‘‘Miniaturized GPS antenna array technology and predicted anti-jam performance,’’ in Proceedings of the 12 th International Technical meeting of the Satellite Division of the Institute of Navigation, Nashville, TN, U.S.A, September 1999, pp. 777--785.

[14] Q. Li, W. Wang, D. Xu, and X. Wang, ‘‘A Robust Anti-Jamming Navigation Receiver with Antenna Array and GPS/SINS,’’ IEEE Communications Letters, vol. 18, no. 3, pp. 467--470, 2014.

[15] J. Das, Power System Analysis: Short-Circuit Load Flow and Harmonics. CRC press, 2017, vol. 1.

[16] A. D. Hutchinson and J. Weitzen, ‘‘Television interference to GPS,’’ in Proceedings of the 50th Annual Meeting of The Institute of Navigation (1994), Colorado Springs, CO, U.S.A, June 1994, pp. 331--334.

[17] T. Buck and G. Sellick, ‘‘GPS RF interference via a TV video signal,’’ in Pro- ceedings of the 10th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 1997), Kansas City, MO, U.S.A, September 1997, pp. 1497--1501.

[18] J. S. Subirana, J. J. Zornoza, and M. Hernández-Pajares, GNSS DATA PROCESSING Volume I: Fundamentals and Algorithms. European Space Agency, 2013.

[19] China Satellite Navigation Office, ‘‘BeiDou Navigation Satellite System Signal In Space Interface Control Document,’’ Tech. Rep., December 2012.

[20] European Union, ‘‘European GNSS (Galileo) Open Service Signal-in-Space Interface Control Document,’’ Tech. Rep., December 2016.

[21] Russian Space System, JSC, ‘‘Global Navigation Satellite System (GLONASS) Interface Control Document General Description of Code Division Multiple Access Signal System,’’ Tech. Rep.

[22] National Aeronautics and Space Administration (NASA). Broadcast ephemeris data. [Online]. Available: https://cddis.nasa.gov/Data_and_ Derived_Products/GNSS/broadcast_ephemeris_data.html BIBLIOGRAPHY 41

[23] T. Ebinuma. GPS-SDR-SIM. [Online]. Available: https://github.com/osqzss/ gps-sdr-sim

[24] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M. Kintner, ‘‘Assessing the spoofing threat: Development of a portable GPS civilian spoofer,’’ in Radionavigation laboratory conference proceedings, Austin, Texas, U.S.A, 2008.

[25] J. V. Carroll, ‘‘Vulnerability Assessment of the US Transportation Infrastruc- ture that Relies on the Global Positioning System: ASSESSMENT OF THE US TRANSPORTATION INFRASTRUCTURE,’’ The Journal of Navigation, vol. 56, no. 2, p. 185, 2003.

[26] T. E. Humphreys, ‘‘Detection strategy for cryptographic GNSS anti-spoofing,’’ IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 2, pp. 1073--1090, 2013.

[27] J. T. Curran and C. O’Driscoll, ‘‘Message Authentication, Channel Coding & Anti-Spoofing,’’ in Proceedings of the 29th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2016), Portland, Oregon, U.S.A, September 2016, pp. 2948--2959.

[28] J. T. Curran and C. O’Driscoll, ‘‘Message authentication as an anti-spoofing mechanism,’’ Working Paper, 2017.

[29] J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore, ‘‘So near and yet so far: Distance-bounding attacks in wireless networks,’’ in Proceedings of the European Workshop on Security in Ad-hoc and Sensor Networks. Hamburg, Germany: Springer, September 2006, pp. 83--97.

[30] K. Zhang and P. Papadimitratos, ‘‘GNSS receiver tracking performance analysis under distance-decreasing attacks,’’ in Proceedings of the 2015 IEEE International Conference on Location and GNSS (ICL-GNSS 2015), Gothen- berg, Sweden, June 2015, pp. 1--6.

[31] K. Zhang and P. Papadimitratos, ‘‘On the Effects of Distance-decreasing Attacks on Cryptographically Protected GNSS Signals,’’ in 2019 International Technical Meeting of The Institute of Navigation (ION ITM 2019), January 28-31, 2019, Reston, Virginia, January 2019, pp. 363--372.

[32] K. Zhang and P. Papadimitratos, ‘‘Safeguarding NMA Enhanced Galileo OS Signals from Distance-Decreasing Attacks,’’ in Proceedings of the 32nd International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2019), Miami, Florida, U.S.A, September 2019, pp. 4041--4052. 42 BIBLIOGRAPHY

[33] S. Daneshmand, A. Jafarnia-Jahromi, A. Broumandan, and G. Lachapelle, ‘‘A low-complexity GPS anti-spoofing method using a multi-antenna array,’’ in Proceedings of the 25th International Technical Meeting of the Satellite Di- vision of The Institute of Navigation (ION GNSS 2012), Nashville, Tennessee, U.S.A, September 2012, pp. 1233--1243.

[34] T. Bitner, S. Preston, and D. Bevly, ‘‘Multipath and spoofing detection using angle of arrival in a multi-antenna system,’’ in Proceedings of the 2015 International technical Meeting of the Institute of Navigation, Dana Point, California, U.S.A, January 2015, pp. 822--832.

[35] J. A. Volpe, ‘‘Vulnerability assessment of the transportation infrastructure relying on the Global Positioning System,’’ National Transportation Systems Center, 2001.

[36] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Capkun, ‘‘On the requirements for successful GPS spoofing attacks,’’ in Proceedings of the 18th ACM conference on Computer and Communications Security (CCS), Chicago Illinois, U.S.A, October 2011, pp. 75--86.

[37] D. M. Akos, ‘‘Who’s afraid of the spoofer? GPS/GNSS spoofing detection via automatic gain control (AGC),’’ Navigation, vol. 59, no. 4, pp. 281--290, 2012.

[38] F. Bastide, D. Akos, C. Macabiau, and B. Roturier, ‘‘Automatic gain control (AGC) as an interference assessment tool,’’ in Proceedings of the 2003 International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS/GNSS 2003), September 2003, pp. 2041--2042.

[39] H. Borowski, O. Isoz, S. Lo, F. Eklöf, and D. Akos, ‘‘Detecting false signals with automatic gain control,’’ GPS World, vol. 23, no. 4, pp. 38--43, 2012.

[40] D. Marnach, S. Mauw, M. Martins, and C. Harpes, ‘‘Detecting meaconing attacks by analysing the clock bias of GNSS receivers,’’ Artificial Satellites, vol. 48, no. 2, pp. 63--83, 2013.

[41] P. Papadimitratos and A. Jovanovic, ‘‘Method to secure GNSS based locations in a device having GNSS receiver,’’ April 2012, US Patent 8,159,391.

[42] A. J. Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle, ‘‘GPS spoofer countermeasure effectiveness based on signal strength, noise power, and C/N0 measurements,’’ Intenational Journal of Satellite Communications Networking, vol. 30, no. 4, pp. 181--191, 2012.

[43] K. D. Wesson, B. L. Evans, and T. E. Humphreys, ‘‘A combined symmetric difference and power monitoring GNSS anti-spoofing technique,’’ in 2013 IEEE Global Conference on Signal and Information Processing, Austin, Texas, U.S.A, December 2013, pp. 217--220. BIBLIOGRAPHY 43

[44] P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, ‘‘Receiver- autonomous spoofing detection: Experimental results of a multi-antenna receiver defense against a portable civil GPS spoofer,’’ in Proceedings of the 22nd International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2009), Savannah, GA, U.S.A, September 2009, pp. 124--130. [45] D. Borio, ‘‘PANOVA tests and their application to GNSS spoofing detection,’’ IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 1, pp. 381--394, 2013. [46] M. L. Psiaki, B. W. O’hanlon, S. P. Powell, J. A. Bhatti, K. D. Wesson, and T. E. Humphreys, ‘‘GNSS spoofing detection using two-antenna differential carrier phase,’’ in Proceedings of Radionavigation Laboratory Conference, Austin, Texas, U.S.A, 2014. [47] D. Borio and C. Gioia, ‘‘A sum-of-squares approach to GNSS spoofing detection,’’ IEEE Transactions on Aerospace and Electronic Systems, vol. 52, no. 4, pp. 1756--1768, 2016. [48] S. Khanafseh, N. Roshan, S. Langel, F.-C. Chan, M. Joerger, and B. Pervan, ‘‘GPS spoofing detection using RAIM with INS coupling,’’ in Proceedings of the 2014 IEEE/ION Position, Location and Navigation Symposium (PLANS 2014), Monterey, CA, U.S.A, May 2014, pp. 1232--1239. [49] J. T. Curran and A. Broumendan, ‘‘On the use of low-cost IMUs for GNSS spoofing detection in vehicular applications,’’ in Proceedings of the Inter- national Technical Symposium on Navigation and Timing (ITSNT 2017), Toulouse, France, November 2017, pp. 1--8. [50] C. Tanil, S. Khanafseh, and B. Pervan, ‘‘An INS monitor against GNSS spoofing attacks during GBAS and SBAS-assisted aircraft landing approaches,’’ in Proceedings of the 29th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2016), September 2016, pp. 2981--2990. [51] S. Narain, A. Ranganathan, and G. Noubir, ‘‘Security of GPS/INS based on-road location tracking systems,’’ in 2019 IEEE Symposium on Security and Privacy, San Francisco, CA, U.S.A, pp. 587--601. [52] K. Jansen, M. Schäfer, D. Moser, V. Lenders, C. Pöpper, and J. Schmitt, ‘‘Crowd-GPS-Sec: Leveraging crowdsourcing to detect and localize GPS spoofing attacks,’’ in 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, California, U.S.A, May 2018, pp. 1018--1031. [53] P. Papadimitratos and A. Jovanovic, ‘‘GNSS-based positioning: Attacks and Countermeasures,’’ in Proceedings of the 2008 Military Communications 44 BIBLIOGRAPHY

Conference (MILCOM 2008), San Diego, California, U.S.A, November 2008, pp. 1--7. [54] P. Papadimitratos and A. Jovanovic, ‘‘Protection and Fundamental Vulner- ability of GNSS,’’ in IEEE International Workshop on Satellite and Space Communications (IEEE IWSSC), Toulouse, France, October 2008, pp. 167-- 171. [55] R. G. Brown, ‘‘A baseline GPS RAIM scheme and a note on the equivalence of three RAIM methods,’’ Navigation, vol. 39, no. 3, pp. 301--316, 1992. [56] K. Zhang, R. A. Tuhin, and P. Papadimitratos, ‘‘Detection and Exclusion RAIM Algorithm against Spoofing/Replaying Attacks,’’ in Proceedings of the 2015 International Symposium on GNSS (ISGNSS 2015), November 2015, pp. 1--10. [57] K. Zhang and P. Papadimitratos, ‘‘Secure Multi-constellation GNSS Re- ceivers with Clustering-based Solution Separation Algorithm,’’ in 2019 IEEE Aerospace Conference, Big Sky, Montana, U.S.A, March 2019, pp. 1--9. [58] R. E. Phelts, D. M. Akos, and P. Enge, ‘‘Robust signal quality monitoring and detection of evil waveforms,’’ in Proceedings of the 13th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 2000), Salt Lake City, UT, U.S.A, September 2000, pp. 1180--1190. [59] A. Cavaleri, B. Motella, M. Pini, and M. Fantino, ‘‘Detection of spoofed GPS signals at code and carrier tracking level,’’ in Proceedings of the 5th ESA Workshop on Satellite Navigation Technologies and European Work- shop on GNSS Signals and Signal Processing (NAVITEC 2010), Noordwijk, Netherlands, December 2010, pp. 1--6. [60] M. Pini, M. Fantino, A. Cavaleri, S. Ugazio, and L. L. Presti, ‘‘Signal quality monitoring applied to spoofing detection,’’ in Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2011), Portland, OR, U.S.A, September 2011, pp. 1888--1896. [61] M. Pini, B. Motella, and M. T. Gamba, ‘‘Detection of correlation distortions through application of statistical methods,’’ in Proceedings of the 26th In- ternational Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2013), Nashville, TN, U.S.A, September 2013, pp. 3279--3289. [62] A. J. Jahromi, A. Broumandan, S. Daneshmand, G. Lachapelle, and R. T. Ioannides, ‘‘Galileo signal authenticity verification using signal quality monitoring methods,’’ in 2016 International Conference on Localization and GNSS (ICL-GNSS), Barcelona, Spain, June 2016, pp. 1--8. BIBLIOGRAPHY 45

[63] J. Huang, L. L. Presti, B. Motella, and M. Pini, ‘‘GNSS spoofing detection: Theoretical analysis and performance of the Ratio Test metric in open sky,’’ Elsevier ICT Express, vol. 2, no. 1, pp. 37--40, 2016. [64] M. T. Gamba, M. D. Truong, B. Motella, E. Falletti, and T. H. Ta, ‘‘Hypoth- esis testing methods to detect spoofing attacks: a test against the TEXBAT datasets,’’ GPS Solutions, vol. 21, no. 2, pp. 577--589, 2017. [65] M. L. Psiaki, S. P. Powell, and B. W. O’Hanlon, ‘‘GNSS spoofing detection using high-frequency antenna motion and carrier-phase data,’’ in proceedings of the 26th international technical meeting of the satellite division of the Institute of Navigation (ION GNSS+ 2013), Nashville, TN, U.S.A, September 2013, pp. 2949--2991. [66] E. Axell, E. G. Larsson, and D. Persson, ‘‘GNSS spoofing detection using multiple mobile COTS receivers,’’ in 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP 2015), Brisbane, Australia, April 2015, pp. 3192--3196. [67] K. Jansen, N. O. Tippenhauer, and C. Pöpper, ‘‘Multi-receiver GPS spoofing detection: Error models and realization,’’ in Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, U.S.A, December 2016, pp. 237--250. [68] T. Y. Mina, S. Bhamidipati, and G. X. Gao, ‘‘Detecting GPS spoofing via a multi-receiver hybrid communication network for power grid timing verification,’’ in Proceedings of the 31st International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2018), Hyatt Regency Miami, FL, U.S.A, September 2018, pp. 24--28. [69] A. Kalantari and E. G. Larsson, ‘‘Statistical test for GNSS spoofing attack detection by using multiple receivers on a rigid body,’’ EURASIP Journal on Advances in Signal Processing, vol. 2020, no. 1, pp. 1--16, 2020. [70] M. Meurer, A. Konovaltsev, M. Cuntz, and C. Hättich, ‘‘Robust joint multi- antenna spoofing detection and attitude estimation using direction assisted multiple hypotheses RAIM,’’ in proceedings of the 25th international technical meeting of the satellite division of the Institute of Navigation (ION GNSS 2012), Nashville, Tennessee, September 2012, pp. 3007--3016. [71] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, D. P. Shepard, and T. E. Humphreys, ‘‘Civilian gps spoofing detection based on dualreceiver correlation of military signals,’’ in Radionavigation Laboratory Conference Proceedings, Austin, Texas, U.S.A, 2011. [72] B. W. O’Hanlon, M. L. Psiaki, J. A. Bhatti, D. P. Shepard, and T. E. Humphreys, ‘‘Real-time GPS spoofing detection via correlation of encrypted signals,’’ Navigation, vol. 60, no. 4, pp. 267--278, 2013. 46 BIBLIOGRAPHY

[73] A. Ranganathan, H. Ólafsdóttir, and S. Capkun, ‘‘SPREE: A spoofing resistant GPS receiver,’’ in Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking, New York, NY, U.S.A, October 2016, pp. 348--360.

[74] A. Broumandan, A. Jafarnia-Jahromi, and G. Lachapelle, ‘‘Spoofing detection, classification and cancelation (SDCC) receiver architecture for a moving GNSS receiver,’’ GPS Solutions, vol. 19, no. 3, pp. 475--487, 2015.

[75] B. C. Barker, J. W. Betz, J. E. Clark, J. T. Correia, J. T. Gillis, S. Lazar, K. A. Rehborn, and J. R. Straton III, ‘‘Overview of the GPS M code signal,’’ MITRE CORP BEDFORD MA, Tech. Rep., 2006.

[76] K. Wesson, M. Rothlisberger, and T. Humphreys, ‘‘Practical cryptographic civil GPS signal authentication,’’ NAVIGATION: Journal of the Institute of Navigation, vol. 59, no. 3, pp. 177--193, 2012.

[77] G. Caparra, S. Sturaro, N. Laurenti, C. Wullems, and R. T. Ioannides, ‘‘A novel navigation message authentication scheme for GNSS open service,’’ in Proceedings of the 29th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2016), Portland, Oregon, U.S.A, September 2016.

[78] J. M. Anderson, K. L. Carroll, N. P. DeVilbiss, J. T. Gillis, J. C. Hinks, B. W. O’Hanlon, J. J. Rushanan, L. Scott, and R. A. Yazdi, ‘‘Chips-message robust authentication (Chimera) for GPS civilian signals,’’ in Proceedings of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), Portland, Oregon, U.S.A, September 2017, pp. 2388--2416.

[79] C. T. Mills, ‘‘M-Code Benefits and Availability. Accessed 19 Feb 2020,’’ https://www.gps.gov/multimedia/presentations/2015/04/partnership/ mills.pdf, 2015.

[80] European GNSS Agency (GSA), ‘‘Galileo Commercial Service Im- plementing Decision enters into force. Accessed 25 Nov 2019,’’ https://www.gsa.europa.eu/newsroom/news/galileo-commercial-service- implementing-decision-enters-force, 2019.

[81] Y. Yang, W. Gao, S. Guo, Y. Mao, and Y. Yang, ‘‘Introduction to BeiDou-3 navigation satellite system,’’ Navigation, vol. 66, no. 1, pp. 7--18, 2019.

[82] I. Fernández-Hernández, V. Rijmen, G. Seco-Granados, J. Simon, I. Rodríguez, and J. D. Calle, ‘‘A navigation message authentication proposal for the Galileo open service,’’ Navigation: Journal of the Institute of Navigation, vol. 63, no. 1, pp. 85--102, 2016. BIBLIOGRAPHY 47

[83] B. Motella, D. Margaría, and M. Paonni, ‘‘SNAP: An authentication concept for the Galileo open service,’’ in Proceedings of the 2018 IEEE/ION Position, Location and Navigation Symposium (PLANS), Monterey, CA, U.S.A, April 2018, pp. 967--977.

[84] P. Teunissen and O. Montenbruck, Springer Handbook of Global Navigation Satellite Systems. Springer, 2017.

[85] M. L. Psiaki and T. E. Humphreys, ‘‘Gnss spoofing and detection,’’ Proceedings of the IEEE, vol. 104, no. 6, pp. 1258--1270, 2016.

[86] M. Flury, M. Poturalski, P. Papadimitratos, J.-P. Hubaux, and J.-Y. Le Boudec, ‘‘Effectiveness of distance-decreasing attacks against impulse radio ranging,’’ in Proceedings of the third ACM conference on Wireless network security (WiSec 2010), Hoboken, New Jersey U.S.A, March 2010, pp. 117--128.

[87] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y. Le Boudec, ‘‘Distance bounding with IEEE 802.15. 4a: Attacks and countermeasures,’’ IEEE Transactions on Wireless Communications, vol. 10, no. 4, pp. 1334--1344, 2011.

[88] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y. Le Boudec, ‘‘On secure and precise IR-UWB ranging,’’ IEEE Transactions on Wireless Communications, vol. 11, no. 3, pp. 1087--1099, 2012.

[89] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y. Le Boudec, ‘‘The cicada attack: degradation and denial of service in IR ranging,’’ in 2010 IEEE International Conference on Ultra-Wideband (ICUWB2010), Nanjing, China, September 2010, pp. 1--4.

[90] A. Ranganathan, B. Danev, A. Francillon, and S. Capkun, ‘‘Physical-layer attacks on chirp-based ranging systems,’’ in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (WiSec 12), New York, NY, U.S.A, April 2012, pp. 15--26.

[91] M. Joerger, F. C. Chan, S. Langel, and B. Pervan, ‘‘Raim detector and estimator design to minimize the integrity risk,’’ in Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), Nashville, Tennessee, U.S.A, September 2012, pp. 2785--2807.

[92] G. Schroth, A. Ene, J. Blanch, T. Walter, and P. Enge, ‘‘Failure detection and exclusion via range consensus,’’ in Proceedings of European Navigation Conference GNSS 2008, Toulouse, France, April 2008. 48 BIBLIOGRAPHY

[93] P. Y. Hwang and R. G. Brown, ‘‘RAIM-FDE Revisited: A New Breakthrough In Availability Performance With nioRAIM (Novel Integrity-Optimized RAIM),’’ Navigation, vol. 53, no. 1, pp. 41--51, 2006.

[94] A. Ene, ‘‘Further development of Galileo-GPS RAIM for vertical guidance,’’ in Proceedings of the 19th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2006), Fort Worth, TX, U.S.A, September 2006, pp. 2597--2607.

[95] R. S. Young and G. A. McGraw, ‘‘Fault detection and exclusion using nor- malized solution separation and residual monitoring methods,’’ Navigation, vol. 50, no. 3, pp. 151--169, 2003.

[96] X. Zhang, Z. Huang, and R. Li, ‘‘RAIM analysis in the position domain,’’ in Proceedings of IEEE/ION Position, Location and Navigation Symposium (PLANS 2010), Indian Wells, CA, U.S.A, May 2010, pp. 53--59.

[97] M. Joerger, F.-C. Chan, and B. Pervan, ‘‘Solution Separation Versus Residual- Based RAIM,’’ NAVIGATION: Journal of the Institute of Navigation, vol. 61, no. 4, pp. 273--291, 2014.

[98] M. Joerger and B. Pervan, ‘‘Solution separation and Chi-Squared ARAIM for fault detection and exclusion,’’ in Proceedings of 2014 IEEE/ION Position, Location and Navigation Symposium (PLANS 2014), Monterey, CA, U.S.A, May 2014, pp. 294--307.

[99] R. G. Brown and P. W. McBurney, ‘‘Self-Contained GPS Integrity Check Using Maximum Solution Separation,’’ Navigation, vol. 35, no. 1, pp. 41--53, 1988.

[100] H. Tao, H. Li, W. Zhang, and M. Lu, ‘‘A recursive receiver autonomous integrity monitoring (recursive-RAIM) technique for GNSS anti-spoofing,’’ in Proceedings of the 2015 International Technical Meeting of The Institute of Navigation, Dana Point, California, U.S.A, January 2015, pp. 738--744.

[101] H. Kuusniemi, A. Wieser, G. Lachapelle, and J. Takala, ‘‘User-level Reliability Monitoring in Urban Personal Satellite-Navigation,’’ IEEE Transactions on Aerospace and Electronic Systems, vol. 43, no. 4, pp. 1305--1318, 2007.

[102] A. Angrisano, S. Gaglione, N. Crocetto, and M. Vultaggio, ‘‘PANG-NAV: a tool for processing GNSS measurements in SPP, including RAIM functional- ity,’’ GPS Solutions, vol. 24, no. 1, p. 19, 2020.

[103] F.-C. Chan and B. Pervan, ‘‘A Practical Approach to RAIM-based Fault- Tolerant Position Estimation,’’ in Proceedings of the 23rd International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2010), Portland, OR, U.S.A, September 2010, pp. 21--24. BIBLIOGRAPHY 49

[104] B. S. Pervan, S. P. Pullen, and J. R. Christie, ‘‘A multiple hypothesis approach to satellite navigation integrity,’’ Navigation, vol. 45, no. 1, pp. 61--71, 1998.

[105] J. Blanch, T. Walter, and P. Enge, ‘‘RAIM with optimal integrity and continuity allocations under multiple failures,’’ IEEE Transactions on Aerospace and Electronic Systems, vol. 46, no. 3, pp. 1235--1247, 2010.

[106] A. Ene, ‘‘Multiple Hypothesis RAIM with Real-Time FDE and Forecasted Availability for Combined Galileo-GPS Vertical Guidance,’’ in Proceedings of the European Navigation Conference-GNSS/TimeNav, Geneva, Switzerland, May 2007, pp. 28--31.

[107] Y. C. Lee, ‘‘Investigation of extending receiver autonomous integrity monitoring (RAIM) to combined use of Galileo and modernized GPS,’’ in Proceedings of the 17th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2004), Long Beach, CA, U.S.A, September 2004, pp. 1691--1698.

[108] Y. C. Lee, R. Braff, J. Fernow, D. Hashemi, M. P. McLaughlin, and D. O’Laughlin, ‘‘GPS and Galileo with RAIM or WAAS for Vertically Guided Approaches,’’ Long Beach, CA, U.S.A, September 2005.

[109] D. Spoljar, K. Lenac, D. Zigman, and M. Marović, ‘‘A Mobile Network-Based GNSS Anti-Spoofing,’’ in Proceedings of the 26th Telecommunications Forum (TELFOR 2018), Belgrade, Serbia, November 2018, pp. 1--3.

[110] P. F. Swaszek, R. J. Hartnett, and K. C. Seals, ‘‘APNT for GNSS spoof detection,’’ in Proceedings of the 2017 International Technical Meeting of The Institute of Navigation (ION ITM 2017), Monterey, California, U.S.A, January 2017, pp. 933--941.

[111] S. Ceccato, F. Formaggio, G. Caparra, N. Laurenti, and S. Tomasin, ‘‘Ex- ploiting side-information for resilient GNSS positioning in mobile phones,’’ in 2018 IEEE/ION Position, Location and Navigation Symposium (PLANS), Monterey, CA, U.S.A, April, pp. 1515--1524.

[112] F. Formaggio, S. Ceccato, F. Basana, N. Laurenti, and S. Tomasin, ‘‘GNSS Spoofing Detection Techniques by Cellular Network Cross-check in Smart- phones,’’ in Proceedings of the 32nd International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2019), Miami, Florida, U.S.A, September 2019, pp. 3904--3916.

[113] G. Oligeri, S. Sciancalepore, and R. Di Pietro, ‘‘GNSS spoofing detection via opportunistic IRIDIUM signals,’’ in Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York, NY, U.S.A. 50 BIBLIOGRAPHY

[114] G. Oligeri, S. Sciancalepore, O. A. Ibrahim, and R. Di Pietro, ‘‘Drive me not: GPS spoofing detection via cellular network: (architectures, models, and experiments),’’ in Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 19), Miami, FL, U.S.A, May 2019, pp. 12--22.

[115] J. Shokouh, ‘‘Detecting GNSS Attacks on Smartphones,’’ in Master thesis, School of Electrical Engineering at KTH Royal Institute of Technology in Stockholm, July 2013.

[116] K. Zhang and P. Papadimitratos, ‘‘Poster: Attacking GNSS-based Posi- tioning,’’ in Cybersecurity and Privacy (CySeP) Winter School, Stockholm, Sweden, October 2014.

[117] K. Zhang and P. Papadimitratos, ‘‘Poster: Attacking GNSS-based Positioning: Distance Decreasing Attacks,’’ in Cybersecurity and Privacy (CySeP) Winter School, Stockholm, Sweden, October 2015.

[118] K. Zhang and P. Papadimitratos, ‘‘Poster: Analysis of the Effects of the Distance-Decreasing Attacks on GNSS Authenticated Signals,’’ in Cybersecu- rity and Privacy (CySeP) Summer School jointly with the ACM Conference on Security and Privacy in Wireless & Mobile Networks (WiSec), Stockholm, Sweden, June 2018.

[119] K. Zhang, E. G. Larsson, and P. Papadimitratos, ‘‘Protecting GNSS Open Service-Navigation Message Authentication against Distance-Decreasing At- tacks,’’ submitted to IEEE Transactions on Aerospace and Electronic Systems, 2020.

[120] K. Zhang and P. Papadimitratos, ‘‘Poster: Are the upcoming Galileo Authen- ticated GNSS Signals safe enough?’’ in Cybersecurity and Privacy (CySeP) Summer School jointly with the 4th IEEE European Symposium on Security and Privacy (Euro S&P), Stockholm, Sweden, June 2019.

[121] S. Shaphiro and M. Wilk, ‘‘An analysis of variance test for normality,’’ Biometrika, vol. 52, no. 3, pp. 591--611, 1965.

[122] C. Huber-Carol, N. Balakrishnan, M. Nikulin, and M. Mesbah, Goodness-of-fit tests and model validity. Springer Science & Business Media, 2012.

[123] J. Fan, C. Zhang, and J. Zhang, ‘‘Generalized likelihood ratio statistics and Wilks phenomenon,’’ Annals of statistics, pp. 153--193, 2001.

[124] H. L. Van Trees, Detection, estimation, and modulation theory, part I: detection, estimation, and linear modulation theory. John Wiley & Sons, 2004. BIBLIOGRAPHY 51

[125] K. Zhang and P. Papadimitratos, ‘‘Poster: Clustering based RAIM for Re- play/Spoofing Attack,’’ in ACCESS Industrial Workshop, Stockholm, Sweden, May 2016.

[126] K. Zhang and P. Papadimitratos, ‘‘Poster: Securing GNSS-based positioning: fundamental building block for Intelligent Transportation Systems,’’ in ITRL Conference on Integrated Transport: Connected and Automated Transport Systems, Stockholm, Sweden, November 2016.

[127] K. Zhang and P. Papadimitratos, ‘‘Poster: Clustering based RAIM Approach for Replay/Spoofing Attack,’’ in Cybersecurity and Privacy (CySeP) Summer School, Stockholm, Sweden, June 2017.

[128] K. Zhang and P. Papadimitratos, ‘‘Poster: Optimization of Clustering-based Solution Separation Algorithm against Spoofing Attacks,’’ in International Symposium on Precision Approach and Performance Based Navigation, Mu- nich, Germany, October 2017.

[129] International GNSS Service (IGS), RINEX Working Group and Radio Technical Commission for Maritime Services Special Committee 104 . (RINEX The Receiver Independent Exchange Format Version 3.04. [Online]. Available: https://files.igs.org/pub/data/format/rinex304.pdf

[130] M. Joerger, S. Stevanovic, F.-C. Chan, S. Langel, and B. Pervan, ‘‘Integrity risk and continuity risk for fault detection and exclusion using solution separation ARAIM,’’ in Proceedings of the 26th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2013), Nashville, TN, U.S.A, September 2013, pp. 2702--2722.

[131] K. Zhang and P. Papadimitratos, ‘‘Fast Multiple Fault Detection and Ex- clusion (FM-FDE) Algorithm for Standalone GNSS Receivers,’’ IEEE Open Journal of the Communications Society, vol. 2, pp. 217--234, 2021.

[132] Geo++ GmbH, ‘‘Geo++ RINEX Logger V2.1.6,’’ http://www.geopp.de/ logging-of-gnss-raw-data-on-android/, 2020.

[133] K. Zhang, M. Spanghero, and P. Papadimitratos, ‘‘Protecting GNSS-based Services using Time Offset Validation,’’ in 2020 IEEE/ION Position, Location and Navigation Symposium (PLANS), Portland, Oregon, U.S.A, April 2020, pp. 575--583.

[134] M. Spanghero, K. Zhang, and P. Papadimitratos, ‘‘Authenticated Time for Detecting GNSS Attacks,’’ in Proceedings of the 33rd International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2020), September 2020, pp. 3826--3834. 52 BIBLIOGRAPHY

[135] 3GPP, ‘‘Radio subsystem synchronization TS 05.10,’’ https://itectec.com/archive/3gpp-specification-ts-05-10/, Accessed 2020-02- 01. [136] 3GPP TDoc R2-125992, ‘‘Broadcast of Time Info by Using a New SIB v11.1.0,’’ https://www.3gpp.org/DynaReport/36331-CRs.htm, Accessed 2020-02-01. [137] 3GPP TDoc R2-1817172, ‘‘Overview of UE Time Synchronization Meth- ods,’’ https://www.3gpp.org/DynaReport/TDocExMtg--R2-104--18808.htm, Accessed 2020-02-01. [138] 3GPP TDoc R2-1817173, ‘‘Clock Accuracy Realization at UE,’’ https://www. 3gpp.org/DynaReport/TDocExMtg--R2-104--18808.htm, Accessed 2020-02- 01. [139] M. Mock, R. Frings, E. Nett, and S. Trikaliotis, ‘‘Continuous clock synchronization in wireless real-time applications,’’ in Proceedings 19th IEEE symposium on reliable distributed systems (SRDS2000), October 2000, pp. 125--132. [140] G. Cena, S. Scanzio, A. Valenzano, and C. Zunino, ‘‘A unified clock synchronization protocol for infrastructure wireless LANs,’’ in 2015 IEEE 1st International Forum on Research and Technologies for Society and Industry Leveraging a better tomorrow (RTSI 2015), Decmeber 2015, pp. 508--515. [141] A. Mahmood, R. Exel, H. Trsek, and T. Sauter, ‘‘Clock synchronization over IEEE 802.11 - A survey of methodologies and protocols,’’ IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 907--922, 2017. [142] K. Zhang, ‘‘Investigating GPS Vulnerability,’’ in Master thesis, School of Electrical Engineering at KTH Royal Institute of Technology in Stockholm, December 2013. [143] D. H. Arze Pando, ‘‘Distance-decreasing attack in Global Navigation Satellite System,’’ in Student Project, School of Computer and Communication Sciences at EPFL, Autumn Semester 2009. [144] T. Rashedul Amin, ‘‘Securing GNSS Receivers with a Density-based Clustering Algorithm,’’ in Master thesis, School of Electrical Engineering at KTH Royal Institute of Technology in Stockholm, June 2015.