Cooperative Spoofing Attack Detection using Multiple Antennas and Snapshot Receivers
J. Rossouw van der Merwe, Alexander Rügamer, Alexander Popugaev, Xabier Zubizarreta, Wolfgang Felber, Fraunhofer IIS, Germany
Spoofing—the illegal transmission of falsified global navigation satellite system (GNSS) signals—is a growing concern, not only in the GNSS community. There have been reported cases of meaconing (e.g. the ‘Black Sea incident’ in June 2017, where a GNSS repeater virtually set more than 20 ships on land, over 25 nautical miles away from their actual position in the Black Sea). However, in some instances a GNSS user might also willingly spoof his equipment: the intent might be to falsify the user’s location and is associated with criminal activity. Some examples include avoiding GNSS-based highway toll collection systems, falsifying automatic identification system (AIS) to illegally fish in protected marine areas, evading GNSS-based parole monitoring, or even cheating in mobile games such as “PokemonGO!”. Such attacks are cooperative, as the attacker has access to the GNSS hardware.
One method to achieve cooperative spoofing is the “Tin-Can” method. A tin-can is fitted with an internal monopole antenna and radio-frequency (RF) connection. The can is then placed over the antenna of the victim GNSS receiver, and spoofing signals are transmitted through the can while shielding the antenna from the actual GNSS satellites. The tin-can functions as a waveguide, guaranteeing good coupling between the spoofing transmitter (internal monopole) and the victim’s GNSS antenna. This method increases spoofing success, as there are no competing “real” signals and the user may interfere with the receiver itself, e.g. forcing the receiver to make a cold start. This makes spoofing detection especially difficult in such an environment. As this method merely requires a tin-can and some basic RF components, it is considered to be a low-cost and simple spoofing scheme. A “Tin-Can” attack is characterized by the lack of transmission of any signals outside the can, hence there is no disruption to other services and the attack is difficult to locate.
In this paper a “Tin-Can” attack is simulated employing three snapshot receivers, in order to demonstrate some methods to counter such attacks. Each snapshot receiver consists of two or more antennas connected to a data recording front-end and a post-processing mechanism. A snapshot receiver (or “cloud based GNSS receiver”) is defined as a pure data grabber of the front-end’s analog-to-digital converted baseband samples that are evaluated in post-processing. Since the duration of the recorded signal is typically kept to a minimum (typical snapshot lengths of 5 to 20 ms) in order to save power and reduce the required storage capacity, conventional tracking of the signals is not possible. The results of the acquisition are refined to derive a pseudorange estimate, and assistance data are used to obtain the ephemeris and GNSS correction data to calculate a position out of the raw data snapshots.
The first snapshot receiver uses a single element antenna, which illustrates the threat of such an attack. The second receiver uses a four-element array antenna, to show that array processing methods, such as beamforming, could be used to detect such a meaconing “Tin-Can” attack, despite the fact that the coupling of the signal is in the near-field. The third receiver uses a 2-channel receiver with a dual-polarimetric antenna, to illustrate some methods employing circular polarization of GNSS signals to detect such an attack.
For the four-element array antenna, incoherent acquisition over the four simultaneously recorded snapshots is performed to first determine code and carrier offsets. The code and carrier offsets will later be used in the receiver processing chain for positioning. The initial correlation values at these offsets are then used to estimate a beamforming vector for each satellite. These vectors are then compared to determine how similar they are. A similarity detector is used to recognize whether the signals are open-sky GNSS signals, or spoofed “Tin-Can” signals from the same directions. The benefit of the presented algorithm is that no calibration of the antenna array is required. Furthermore it shows that beamforming methods could be used in the presence of near-field coupling, even though beamforming is traditionally only assumed to be operational in the far-field. Initial results have shown that a receiver consisting of an array of antennas has good potential to detect a spoofing attack.
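The similarity test described above can be sketched as follows. This is an added example, not code from the paper: the normalised inner product as similarity metric, the 0.9 threshold, the 2x2 half-wavelength array geometry and the simulated correlator outputs are all assumptions chosen for illustration.

```python
import cmath, math, random

# Assumed geometry: 2x2 array, half-wavelength spacing (positions in wavelengths).
ELEMENTS = [(0.0, 0.0), (0.5, 0.0), (0.0, 0.5), (0.5, 0.5)]
# Constructed sky: (azimuth, elevation) in degrees for five satellites.
SKY = [(30, 60), (140, 35), (250, 50), (330, 20), (80, 75)]

def signature(corr):
    """Unit-norm spatial signature from one satellite's per-antenna correlator peaks."""
    norm = math.sqrt(sum(abs(c) ** 2 for c in corr))
    return [c / norm for c in corr]

def similarity(a, b):
    """|a^H b|: 1.0 means identical signatures; a common phase has no effect."""
    return abs(sum(x.conjugate() * y for x, y in zip(a, b)))

def mean_pairwise_similarity(corrs):
    sigs = [signature(c) for c in corrs]
    scores = [similarity(sigs[i], sigs[j])
              for i in range(len(sigs)) for j in range(i + 1, len(sigs))]
    return sum(scores) / len(scores)

def is_tin_can(corrs, threshold=0.9):  # threshold is an assumed value
    """Flag the snapshot when all satellites share nearly one spatial signature."""
    return mean_pairwise_similarity(corrs) > threshold

def _noise(rng, sigma):
    return complex(rng.gauss(0, sigma), rng.gauss(0, sigma))

def open_sky(rng, sky, sigma=0.03):
    """Constructed data: one far-field plane wave per satellite, unknown carrier phase."""
    out = []
    for az, el in sky:
        az, el = math.radians(az), math.radians(el)
        u, v = math.cos(el) * math.cos(az), math.cos(el) * math.sin(az)
        carrier = cmath.exp(1j * rng.uniform(0, 2 * math.pi))
        out.append([carrier * cmath.exp(2j * math.pi * (x * u + y * v))
                    + _noise(rng, sigma) for x, y in ELEMENTS])
    return out

def tin_can(rng, n_sats, sigma=0.03):
    """Constructed data: every PRN couples through one fixed near-field channel."""
    channel = [cmath.rect(rng.uniform(0.5, 1.0), rng.uniform(0, 2 * math.pi))
               for _ in ELEMENTS]
    out = []
    for _ in range(n_sats):
        gain = cmath.rect(rng.uniform(0.7, 1.3), rng.uniform(0, 2 * math.pi))
        out.append([gain * h + _noise(rng, sigma) for h in channel])
    return out
```

Because only the relative amplitudes and phases between channels enter the signature, the test needs no array calibration: an unknown but fixed per-channel response changes every satellite's signature in the same way.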
A similar approach is taken with the two-channel receiver and dual circularly polarized antenna, even though it is considered phase-steering as opposed to beamforming. The polarimetric antenna has a right-hand circularly polarized (RHCP) and a left-hand circularly polarized (LHCP) component. Usually only the RHCP component is used, as GNSSs transmit RHCP signals. Furthermore, when a signal reflects off a surface, it approximately flips polarization from RHCP to LHCP and vice versa. Therefore, all odd-reflected multipath components are LHCP, which further emphasizes the use of RHCP antennas for multipath rejection. Low-cost antennas are usually linearly polarized, and cannot reject the LHCP components. In most scenarios, the RHCP component will still have more received power than the LHCP component, as multipath components tend to have lower power than the line-of-sight (LOS) signal (the exception is in severe environments, like urban canyons). In a multipath-free signal, no LHCP component is expected. As the “Tin-Can” operates like a waveguide, it is expected that both the RHCP and LHCP components will be significant, making an attack simple to detect. Further, as all signals originate from the same monopole antenna (linearly polarized) inside the can, the RHCP and LHCP components of all the signals can have comparable magnitudes. Therefore, the similarity test used for the four-element array can simply be adapted. This shows that the polarimetric antenna is a simple, low-cost option to increase receiver robustness, in comparison to an array antenna.