Roi Mit, Yoav Zangvil and Dror Katalan, Regulus Cyber


Abstract:

During a test drive in a Tesla Model 3 using Tesla's Navigate on Autopilot feature, a staged attack caused the car to suddenly slow down and unexpectedly veer off the main road. Regulus Cyber initially discovered the Tesla vulnerability during its ongoing study of the threat that easily accessible spoofing technology poses to GNSS (global navigation satellite systems, also known as GPS) receivers. The researchers found that spoofing attacks on the Tesla GNSS (GPS) receiver could easily be carried out wirelessly and remotely, exploiting security vulnerabilities in mission-critical telematics, sensor fusion, time and navigation capabilities. During the extensive research done by Regulus Cyber, the spoofing was generated by a software-defined radio and, using both static and dynamic spoofing scenarios, was able to affect various functions including route planning, automatic speed limit, lane changing, and actually turning off the highway. The experiment included various combinations of GNSS attacks, both spoofing GPS and jamming other constellations, in order to check for different methods of multi-constellation mitigation. The attacks also exercised different vectors to identify any location-shift checks and time-shift checks that were utilized. In addition, different sensor fusion methods were detected, including odometer and compass integration with the GPS data. Another experiment included time spoofing, and explored the different aspects of time-based spoofing and the collateral effects on GNSS-based timing base stations used in the telecom industry. The experiment concluded that in certain situations of time offset it is possible to manipulate the timing of a target system, even if it is utilizing its own backup atomic clock or oscillator. The talk will explain both experiments, and the type of hardware and software that was used in the process in order to generate the spoofed signals.
The research also included measuring and analyzing the effectiveness of a self-developed software library for detecting cybersecurity attacks and for authenticating and protecting GNSS. The talk will include a functional explanation of the algorithm, and of how a software-only approach enables real-time detection of incoming spoofing signals. The architecture of such spoofing detection solutions opens an array of options for multiple industries that have to deal with interference and malicious signals, including mobile, maritime, aviation, infrastructure and timing systems. This is especially vital for small form factor devices or when retrofitting an existing receiver with an over-the-air update. The talk will present the research Regulus has done that highlights the vulnerabilities of both manned and autonomous vehicles, and provide best practices for both automotive OEMs and vehicle GNSS receiver manufacturers. Mr. Zangvil will also cover the different aspects and capabilities of spoofing detection using a software library, and explain the different approaches of both offline and connected solutions to augment GNSS security.
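A minimal sketch of the location-shift and time-shift checks, with the odometer cross-check, that the abstract mentions. It is an example added here, not Regulus Cyber's library or algorithm; the `Fix` record, the thresholds and the sample track are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class Fix:
    gnss_time: float   # seconds, time reported by the GNSS receiver
    local_time: float  # seconds, host monotonic clock when the fix arrived
    lat: float         # degrees
    lon: float         # degrees
    odometer_m: float  # cumulative wheel odometer reading, metres

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def check_fixes(fixes, max_pos_err_m=30.0, max_time_err_s=0.5):
    """Return (index, alert) pairs for fixes that disagree with local sensors."""
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        # Location-shift: straight-line GNSS displacement cannot exceed the
        # distance the wheels actually travelled, apart from measurement noise.
        driven = cur.odometer_m - prev.odometer_m
        if haversine_m(prev, cur) - driven > max_pos_err_m:
            alerts.append((i, "location-shift"))
        # Time-shift: GNSS time must advance at the same rate as the local clock.
        dt_gnss = cur.gnss_time - prev.gnss_time
        dt_local = cur.local_time - prev.local_time
        if abs(dt_gnss - dt_local) > max_time_err_s:
            alerts.append((i, "time-shift"))
    return alerts

# Constructed sample: 1 Hz fixes, vehicle heading north at about 25 m/s.
SAMPLE = [
    Fix(1000.0, 50.0, 32.000000, 34.8, 0.0),
    Fix(1001.0, 51.0, 32.000225, 34.8, 25.0),
    Fix(1002.0, 52.0, 32.000450, 34.8, 50.0),
    Fix(1003.0, 53.0, 32.010000, 34.8, 75.0),   # position jumps about 1 km
    Fix(1009.0, 54.0, 32.010225, 34.8, 100.0),  # GNSS time jumps 5 s ahead
]

if __name__ == "__main__":
    for index, alert in check_fixes(SAMPLE):
        print(f"fix {index}: {alert}")
```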