
Investigating GPS Vulnerability
KEWEI ZHANG
Master’s Degree Project
Stockholm, Sweden
December 10, 2013

Abstract

The Global Positioning System (GPS) has become nearly mandatory in our daily life, like the Internet. Since the part for civilian use is free, open and accurate, many applications have made our life more convenient and more effective, such as location-based applications for cell phones and the tracking of bulldozers, shipping containers, etc. GPS is becoming mature and rather accurate, but its security can’t be neglected since it is widely used in the world. RF interference can be classified into intentional and unintentional interference. There are many RF signals in our surroundings whose frequency might be close to the GPS frequency; they could affect GPS accuracy, or even sometimes make it unavailable. In this project, I analyze two types of interference, spoofing and jamming. I implement two attacks: a version of the Cicada attack, to check how this specific attack affects GPS, and the distance-decreasing attack, a special type of relay attack (Early Detect (ED) attack and Late Commit (LC) attack). I find (i) that the Cicada attack, as implemented, is essentially equivalent to jamming, and (ii) how to set up the ED/LC attacks to succeed (i.e., have low BER).

Acknowledgements

I would like to express my sincere appreciation to my supervisor, Professor Panos Papadimitratos, who offered his great patience, enthusiasm and genius talent during my thesis work. I couldn’t imagine having a better advisor and mentor; this thesis couldn’t have been finished without his guidance and persistence.

Heartfelt thanks go to my beloved girlfriend, Jia Guo, for all your love, support and encouragement when I was thinking about the algorithms and formulas. And thanks for your delicious food when I was busy working on many nights.

Last but not least, I want to give my thanks to my dear father, mother and lovely brother, who are living in China.
Stockholm, 10/10/2013
Kewei Zhang

Table of Contents

1 Introduction
  1.1 GPS Introduction
  1.2 GPS Program History
  1.3 GPS Segments
    1.3.1 Space Segment
    1.3.2 Operational Control Segment
    1.3.3 User Segment
  1.4 Motivation for Research
  1.5 Thesis Organization
2 GPS Signal Characteristics and GPS Receiver
  2.1 GPS Signal Characteristics
    2.1.1 Introduction
    2.1.2 Legacy Signals
    2.1.3 C/A Spreading Code
      2.1.3.1 C/A Code Generation
      2.1.3.2 C/A Code Correlation Properties
    2.1.4 Navigation Data Format
    2.1.5 Modulation for GNSS
  2.2 GPS Receiver
    2.2.1 GPS Receiver Front End
    2.2.2 Acquisition
    2.2.3 Tracking
    2.2.4 Calculation
3 Probing the Vulnerability of GNSS
  3.1 Spoofing Interference
    3.1.1 Spoofing Classification
    3.1.2 Attacking Model
  3.2 Jamming Interference
4 Cicada Attack Simulation and Calculation
  4.1 Cicada Attack Model
    4.1.1 The Attack Characteristics
  4.2 Analytical Calculation
    4.2.1 Acquisition Stage
    4.2.2 Tracking Stage
  4.3 Simulation Result
5 Relaying Attack
  5.1 Introduction to ED and LC Attack
  5.2 Attack Principle
  5.3 Performance Evaluation
    5.3.1 ED Attack
    5.3.2 ED-LC attack
    5.3.3 The Relay Time
6 Conclusion and Future Work
  6.1 Summary
  6.2 Future work
References

List of Figures

1.1 GPS Nominal Constellation [1]
1.2 GPS segments
2.1 C/A Code Generator [9]
2.2 C/A code correlation properties
2.3 Navigation data format
2.4 DSSS Modulation
2.5 GNSS Receiver Front End [13]
2.6 IF signal post processing
2.7 Parallel frequency search acquisition
2.8 Parallel code phase search acquisition
2.9 Carrier tracking loop
2.10 Code tracking loop [2]
2.11 Code correlation for three different replicas
2.12 Three dimensional co-ordinate system [1]
3.1 GPS System with Spoofing attack
3.2 AGC and Spoof vulnerability [26]
4.1 Correlation value when two inputs have the same amplitude
4.2 Correlation value when $A_{PRN1} = 50 A_{PRN10}$
4.3 Correlation in acquisition stage without Cicada Signal
4.4 Correlation in acquisition stage with Cicada Signal
4.5 Correlation between the navigation data of satellite 15 and the preamble bits
4.6 Correlation between the navigation data of satellite 22 and the preamble bits
4.7 Navigation plot without Cicada signal
4.8 Navigation plot with Cicada signal
5.1 Overview of a distance-decreasing Relay Attack in GNSS
5.2 Satellite code transmission time
5.3 Early Detection attack: the top curve is the initial signal, the middle curve is the signal received by the attacker receiver and the bottom curve is the signal transmitted according to the detection determination
5.4 Signal processing at attacker
5.5 Phase detection
5.6 Early Detect attack result
5.7 BER with LC without increasing amplitude; the whole symbol has the same amplitude (SNR), here $t_{LC} = \frac{3}{8} t_{chip}$
5.8 BER with LC with increasing amplitude (SNR); the amplitude of the $t_{chip} - t_{LC}$ part is $1/(t_{LC}/t_{chip})$ times the amplitude of the $t_{LC}$ part, here $t_{LC} = \frac{3}{8} t_{chip}$
5.9 BER based on different $t_{LC}$; the amplitude (SNR) of part $(t_{chip} - t_{LC})$ is raised by 5 times, and $t_{ED} = 50$ ns, here $t_{chip} = 977.5$ ns
5.10 Relay time presented on one symbol

List of Tables

2.1 Minimum Received Signal Power [2]
2.2 C/A code phase assignment [9]
2.3 Types of discriminators for code tracking loop [13]
3.1 Types of RF Interference and Potential Sources [2]
5.1 Parameters in ED attack simulation
Acronyms

AGC   Automatic Gain Control
BER   Bit Error Rate
BPSK  Binary Phase Shift Keying
CAF   Cross Ambiguity Function
CDMA  Code Division Multiple Access
CW    Continuous Wave
DFT   Discrete Fourier Transform
DLL   Delay Lock Loops
DSSS  Direct Sequence Spread Spectrum
ED    Early Detect
FFT   Fast Fourier Transform
GNSS  Global Navigation Satellite System
GPS   Global Positioning System
HOW   Handover Word
IEE   Interference Error Envelope
IF    Intermediate Frequency
IFFT  Inverse Fast Fourier Transform
IRA   Interference Running Average
LC    Late Commit
LO    Local Oscillator
NCO   Numerically Controlled Oscillator
NLOS  Non-line-of-sight
PDOP  Position Dilution Of Precision
PLL   Phase Lock Loops
PPS   Precise Positioning Service
PRN   Pseudo Random Noise
RHCP  Right-Hand Circular Polarized
SNR   Signal-to-Noise Ratio
SPS   Standard Positioning Service
TLM   Telemetry
TOA   Time Of Arrival
UWB   Ultra-Wide Band

Chapter 1
Introduction

1.1 GPS Introduction

The Global Positioning System (GPS) has become increasingly important in our daily life, with applications for GPS far exceeding anyone’s expectations, including those of the GPS designers themselves. In simple terms, it is a satellite system of 31 satellites that can cover the whole world. These 31 satellites are arranged on 6 orbital planes with 5 or 6 satellites per plane, as shown in Figure 1.1; GPS guarantees that at least 4 satellites are in radio communication with any point on the planet at any time, which ensures that GPS receivers can acquire precise longitude, latitude and altitude to achieve the functions of navigation, ranging and timing.

Figure 1.1 GPS Nominal Constellation [1]

The system utilizes Time Of Arrival (TOA) ranging to acquire the GPS signal propagation time from satellites to GPS receivers. The satellites broadcast ranging codes and navigation data on two different frequencies, L1 (1575.42 MHz) and L2 (1227.6 MHz), using CDMA (Code Division Multiple Access). Each satellite has one specific code and those codes have low correlation.
Receivers can determine the satellites’ positions through navigation data, and the ranging codes give the signal transmission delay to determine the satellite-to-receiver range. A three-dimensional location plus clock correction for a receiver requires 4 TOA satellite-to-receiver calculations. GPS is a dual-use system providing Standard Positioning Service (SPS) for civilian applications
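The four-measurement requirement stated above, as an added example that is not part of the thesis: a Newton iteration recovers receiver position and clock bias from exactly four pseudoranges, and shows that a delay common to all four is absorbed by the clock term while the position stays put. Satellite coordinates, the receiver's true position and all function names are constructed for illustration.

```python
import math

def solve4(A, b):
    """Solve a small square linear system (Gaussian elimination, partial pivoting)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def solve_fix(sats, rhos, iters=10):
    """Newton iteration for [x, y, z, clock bias], all in metres (bias = c * dt)."""
    est = [0.0, 0.0, 0.0, 0.0]            # start at Earth's centre, zero bias
    for _ in range(iters):
        H, resid = [], []
        for (sx, sy, sz), rho in zip(sats, rhos):
            dx, dy, dz = est[0] - sx, est[1] - sy, est[2] - sz
            r = math.sqrt(dx * dx + dy * dy + dz * dz)
            H.append([dx / r, dy / r, dz / r, 1.0])   # d(rho)/d(x, y, z, bias)
            resid.append(rho - (r + est[3]))
        est = [e + d for e, d in zip(est, solve4(H, resid))]
    return est

# Constructed sample data (not from the thesis): Earth-centred coordinates, metres.
SATS = [(26.5e6, 0.0, 0.0), (15.0e6, 21.0e6, 5.0e6),
        (15.0e6, -10.0e6, 19.0e6), (15.0e6, -12.0e6, -18.0e6)]
TRUE_POS = (6.2e6, 1.0e6, 1.0e6)
TRUE_BIAS = 299_792.458                   # 1 ms receiver clock error times c

def pseudoranges(pos, bias, offset=0.0):
    """Geometric range plus clock bias plus an optional delay common to all."""
    return [math.dist(pos, s) + bias + offset for s in SATS]

if __name__ == "__main__":
    print(solve_fix(SATS, pseudoranges(TRUE_POS, TRUE_BIAS)))
    print(solve_fix(SATS, pseudoranges(TRUE_POS, TRUE_BIAS, offset=300.0)))
```

With only three pseudoranges the system has four unknowns and three equations, so the clock term cannot be separated from the geometry.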