Authentication by Polarization: A Powerful Anti-Spoofing Method
Wim De Wilde, Bruno Bougard, Jean-Marie Sleewaegen, Gert Cuypers, Septentrio, Belgium; Alexander Popugaev, Markus Landmann, Christopher Schirmer, Fraunhofer IIS, Germany; Daniel Egea Roca, José A. López-Salcedo, Gonzalo Seco Granados, Universitat Autònoma de Barcelona, Spain
Date/Time: Wednesday, Sep. 26, 5:08 p.m.
Global Navigation Satellite Systems have become a ubiquitous tool for our modern society for vital tasks such as transportation, civil engineering or precision agriculture. This breath has reached the realm of safety-critical applications as time management of critical infrastructures or autonomous vehicles, in which GNSS is an essential tool nowadays. In this side, GNSS is used for synchronization of communication networks and power-plants, which is a key enabler for the inception of smart cities. Nevertheless, GNSS receivers are vulnerable to radio-frequency interference. In particular, spoofing is becoming one of the main concerns for the GNSS community. The main reason is that a spoofing threat can inject misleading information into these vital systems, potentially with catastrophic consequences.
These types of threats are increasingly becoming a worldwide concern, particularly due to the fact that some recent incidents are being speculated to have been caused by spoofing attacks [1,2]. Moreover, with the new trend of safety-critical applications coming up, the motivation of spoofers is increasing, too. From an implementation point of view, spoofing can be done in a large variety of ways, ranging from simplistic ones to sophisticated ones . The formers are expected to become a real threat in the coming years thanks to the very affordable software defined radios (SDR) that entered the market the last few years. These SDRs can be configured to forge GPS signals using open source software. However, the forged signal of this class of spoofers has many artifacts, which can be exploited to easily detect the spoofing attack .
Notwithstanding, this doesn’t hold for a reradiation attack where, instead of generating the signal, the spoofer captures the RF signal at one spot and re-transmits the very same signal with full level of detail. Most SDRs can be set-up to record and reradiate the signal with very significant changes in timing or position. This is hard to detect, particularly if the genuine signal has been blocked or jammed. Another class of attacks uses higher-end simulation equipment, which can simulate the GNSS signal with great level of detail. This enables an attack, in which the spoofer gradually takes control of the signal and pulls away the timing provided by a GPS receiver from the actual timing. This type of attack was demonstrated in , in which an affordable multi-frequency simulator was configured to spoof the timing reference of a power plant.
A new technique was developed as part of the FANTASTIC project (Field Aware Navigation and Timing Authentication Sensor and Timing Infrastructure and Centimeter level positioning) in order to address spoofing attacks based on a perfect or nearly-perfect signal replica. The technique exploits the polarization of the GNSS signals. GNSS signals are broadcasted with a right-hand-circular polarization (RHCP), but the perceived polarization at receiver level will be elliptic and different for each satellite, because of reflections and antenna non-idealities. In case of a spoofing attack, the spoofed satellite signals will all have the same polarization. The idea is to exploit this property to detect and reject the spoofing signals.
A dual-polar antenna was developed to validate this concept. This E1/L2/E5/E6 antenna has one output which responds to the right-hand circularly polarized field component like any GNSS antenna, and another output reacting on the opposite polarization (left-hand circular polarization, LHCP). The antenna was optimized for polarization purity, avoiding antenna-induced spill-over from one polarization into the other. The paper will present the radiation patterns which could be achieved in this way.
The two outputs of the antenna connect to the inputs of a dual-antenna receiver, which is normally used for 2D attitude applications. The software of the receiver was modified to capture the correlations from the LHCP input simultaneously with the RHCP correlations, using the stronger RHCP signal to feedback the tracking loops. This provides a permanent monitoring of the LHCP signal and hence polarization, even under very low C/No conditions.
This set-up was used to collect data in a special anechoic chamber from the Fraunhofer institute, which can simulate a spoofing attack in the spatial and polarization domain. This anechoic chamber uses a tailored constellation simulator, which outputs digital waveforms for each satellite individually. These signals are then provided to a hemispherical antenna array. This array synthesizes an electromagnetic wave which accurately emulates the spatial direction and polarization of the signal. The simulator was configured to generate “genuine” satellites at different azimuth and elevation angles next to a spoofing signal in a fixed direction. The primary purpose was to try to hijack the PPS output of the receiver. The paper reports on experiments done with linearly and circularly polarized spoofing antennas.
The recorded data was used to develop a reliable anti-spoofing algorithm, providing a solid spoofing flag to inform the user on the attack. The focus is to avoid false alarms, which would let the user take unnecessary measures and jeopardize normal operation of the system. For this, the receiver system was used to record polarization measurements in various outdoor environments, in absence of a spoofer. These included rural environments, urban canyons as well as an extended logging under tree canopy. These extensive data recordings were used to obtain an accurate statistical model of authentic GNSS signal polarization. This model was used to design a simple but reliable detector, which maximizes the probability to detect the spoofer while ensuring a very low probability of false alarm.
: Daniel Shepard, Jahshan A. Bhatti, Todd E. Humphreys, “Drone hack: Spoofing attack demonstration on a civilian unmanned aerial vehicle”, GPS World, Vol. 1, nº Dec., 2011.
: CNN, “Getting lost near the Kremlin? Russia could be GPS spoofing”, CNN tech, Retrieved from: http://money.cnn.com/2016/12/02/technology/kremlin-gps-signals/index.html, Accesed: 18-6-2017, 2016.
: Todd E. Humphreys, Brent M. Ledvina, Mark L. Psiaki, Brady W. Hanlon, Paul M. Kintner, “Assessing the spoofing threat: Development of a portable GPS civilian spoofer", Proceedings of the 21st International Technical Meeting of the Satellite Division of The Institute of Navigation (ION), pp. 2314-2325, 2008.
 De Wilde, Wim et al, "Spoofing Threats: Reality Check, Impact and Cure," Proceedings of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), Portland, Oregon, September 2017, pp. 1289-1327.
 lie, Iurie et al, "Spoofing of Electrical Power Grid: It’s Easier Than You Think," Proceedings of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), Portland, Oregon, September 2017, pp. 1383-1408.
For Attendees Technical Program Registration Hotel Travel Visas Special Events Exhibit Hall Submit Kepler Nomination For Authors Abstract Management Author Resource Center Session Chair Resources Student Paper Awards For Exhibitors Exhibitor Resource Center Marketing Resources Other Years Future Meetings Past Meetings