Preliminary Assessment on the Vulnerability of NMA-based GNSS Signals for a Special Class of Record & Replay Spoofing Attacks
Ronny Blum, Daniel Maier, Kathrin Frankl, Thomas Pany, Bernd Eissfeller, Institute of Space Technology and Space Applications, Universität der Bundeswehr München, Germany
In recent years, the authentication of GNSS signals has increased in importance. Navigation Message Authentication (NMA) is one promising approach discussed for the authentication of GNSS signals [1]–[3]. For the Galileo Open Service, several performance studies of NMA have been carried out, see, e.g., [4], [5].
One main spoofing attack on NMA-based GNSS signals is the recording of the GNSS signals and their (time-delayed) replay. The objective of this work is to evaluate the vulnerability of NMA-based GNSS signals with respect to record & replay spoofing attacks. The key innovative step is to emulate such attacks with a widely applicable demonstrator called Sisitau. It consists of two signal generators S and T and two GNSS receivers R and U, all equipped with authentication tools. The signal generators broadcast a predefined GNSS signal with or without authentication data according to the NMA scheme cited above. The GNSS receivers receive and track the signals, extract the navigation message data and, optionally, check the authentication. The signal generators and GNSS receivers are arranged in the following setup.
The GNSS signal of one signal generator (here: S) represents the GNSS signals from the GNSS satellites in space. The other signal generator (here: T) represents the transmitter of a spoofer that tries to falsify the true GNSS signals. The GNSS receiver R is placed at the spoofer’s position, i.e., it can receive the true signals or the emulated ones from signal generator S. The other GNSS receiver (here: U) represents the target of the spoofer, i.e., it is the user receiver whose position the spoofer wants to falsify. Thus, it can receive true GNSS signals, emulated ones from signal generator S, spoofed ones from signal generator T, or combinations of them. Within this setting, three different case studies are investigated.
In the first case study, a very simple self-spoofing attack is analyzed. To this end, the user’s GNSS receiver U records real GNSS signals from a static position and extracts the navigation messages. NMA bits are appended to the recorded navigation message. Afterwards, random bits of the navigation message and of the NMA bits are flipped in Monte Carlo simulations. The modified navigation messages serve as input for the signal generator T, which replays the modified GNSS signal. The user’s GNSS receiver U receives the modified GNSS signals and evaluates their authentication. Note that in this case study the time at which the GNSS receiver U starts receiving the signals is also varied, since in real situations GNSS receivers usually start receiving GNSS signals at arbitrary time instants during the navigation message broadcast. This way, the influence of bit errors in the navigation and NMA message on the authentication is analyzed, and the percentage of successful authentications can be evaluated. In particular, it can be tested whether different positions of the bit errors influence the security of the NMA bits to a significant extent. Moreover, the average time for the GNSS receiver U to achieve the first fix of the navigation data (ATFFD) as well as the average time to additionally evaluate the authentication information on these data (ATFAFD) is assessed.
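The bit-error Monte Carlo of the first case study can be reproduced in miniature with a generic message-authentication-code model. The following is an added illustration and not the paper's or Sisitau's code: the navigation-message length, the MAC length, the key, and the use of a truncated HMAC-SHA256 as the "NMA bits" are all assumptions standing in for the scheme the paper uses. It flips a chosen number of bits in the navigation part, in the NMA part, or anywhere in the frame, and reports the fraction of frames the receiver still authenticates; a second function models an independent bit error rate per bit and compares the empirical success rate with the analytic value (1 - p)^n.

```python
import hashlib
import hmac
import random

# Constructed parameters (assumptions, not taken from the paper).
NAV_BITS = 576                     # length of one navigation message, in bits
MAC_BITS = 64                      # length of the appended NMA (truncated MAC) bits
KEY = b"constructed-demo-key"      # stand-in for the scheme's authentication key
FRAME_BITS = NAV_BITS + MAC_BITS


def bits_to_bytes(bits):
    """Pack a list of 0/1 ints MSB-first into bytes (zero-padded at the end)."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8] + [0] * (8 - len(bits[i:i + 8]))
        out.append(int("".join(str(b) for b in chunk), 2))
    return bytes(out)


def bytes_to_bits(data, nbits):
    """Unpack bytes MSB-first and keep the first nbits bits."""
    bits = [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]
    return bits[:nbits]


def nma_tag(nav_bits):
    """Assumed NMA construction: HMAC-SHA256 over the message, truncated to MAC_BITS."""
    digest = hmac.new(KEY, bits_to_bytes(nav_bits), hashlib.sha256).digest()
    return bytes_to_bits(digest, MAC_BITS)


def authenticate(nav_bits, tag_bits):
    """Receiver-side check: recompute the tag and compare in constant time."""
    expected = bits_to_bytes(nma_tag(nav_bits))
    return hmac.compare_digest(expected, bits_to_bytes(tag_bits))


def random_frame(rng):
    """Constructed navigation message plus its NMA bits."""
    nav = [rng.randint(0, 1) for _ in range(NAV_BITS)]
    return nav + nma_tag(nav)


def flip_bits(frame, positions):
    frame = list(frame)
    for pos in positions:
        frame[pos] ^= 1
    return frame


def monte_carlo_fixed_errors(n_trials, n_errors, region="any", seed=0):
    """Fraction of frames still authenticated after n_errors bit flips.

    region selects where the errors land: "nav" (navigation bits only),
    "mac" (NMA bits only) or "any" (whole frame). The paper's question of
    whether the error position matters is answered by comparing the regions.
    """
    rng = random.Random(seed)
    candidates = {
        "nav": range(NAV_BITS),
        "mac": range(NAV_BITS, FRAME_BITS),
        "any": range(FRAME_BITS),
    }[region]
    successes = 0
    for _ in range(n_trials):
        frame = random_frame(rng)
        corrupted = flip_bits(frame, rng.sample(candidates, n_errors))
        if authenticate(corrupted[:NAV_BITS], corrupted[NAV_BITS:]):
            successes += 1
    return successes / n_trials


def expected_success_rate(ber):
    """Analytic probability that a frame of FRAME_BITS bits arrives error-free."""
    return (1.0 - ber) ** FRAME_BITS


def monte_carlo_ber(n_trials, ber, seed=0):
    """Each bit flips independently with probability ber; returns (empirical, analytic)."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(n_trials):
        frame = random_frame(rng)
        positions = [i for i in range(FRAME_BITS) if rng.random() < ber]
        corrupted = flip_bits(frame, positions)
        if authenticate(corrupted[:NAV_BITS], corrupted[NAV_BITS:]):
            successes += 1
    return successes / n_trials, expected_success_rate(ber)


if __name__ == "__main__":
    for region in ("nav", "mac", "any"):
        print(region, "1 flipped bit ->", monte_carlo_fixed_errors(500, 1, region))
    for ber in (1e-4, 1e-3, 1e-2):
        print("BER", ber, "empirical/analytic:", monte_carlo_ber(2000, ber))
```

With a MAC-style construction, a single bit error anywhere in the frame makes authentication fail, so the success rate depends only on the number of corrupted bits, not on whether they hit the navigation data or the NMA bits; the measured rate then tracks (1 - p)^n, which is the quantity that drives ATFAFD on a noisy channel because each failed frame costs the receiver another full message period before the next authentication attempt.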
In the second case study, the user’s and spoofer’s GNSS receivers are placed at two different static positions. The GNSS receiver R of the spoofer records real GNSS signals and transmits them with the corresponding NMA bits via its signal generator T to the user’s GNSS receiver U. In doing so, the signal power of the spoofed signal is increased stepwise. This way, the behavior of the authentication algorithm can be evaluated for three different phases: (a) no spoofing signal or a spoofing signal with low signal power, (b) the signal power of the real signal and of the spoofing signal are of the same order of magnitude, and (c) a spoofing signal with high signal power. Here, the performance parameters ATFFD and ATFAFD are also evaluated for receiving the real signal only and for receiving the real signal interfered with by the spoofing signal. Note that phase (b) is of particular interest in terms of the output of the authentication algorithm (“successfully authenticated” or “authentication failed”) as well as in terms of the performance parameters ATFFD and ATFAFD, in order to assess the potential of the GNSS receiver U to detect the spoofing attack.
In the third case study, the following self-spoofing scenario is investigated. A vehicle aims to navigate to a predefined destination A. However, the GNSS receiver U placed on this vehicle mainly receives the signals of a spoofer T that aims to mislead the GNSS receiver U into navigating to another position B. To this end, both GNSS receivers are initially placed at the same position. The GNSS receiver U is mounted on the institute’s own test vehicle and records the real GNSS signals while following a straight trajectory to the predefined position A. The spoofer’s GNSS receiver R is mounted on a drone. While the GNSS receiver U moves to destination A, the drone with the spoofer’s GNSS receiver R records the signals while moving to a different destination B. At all times, the spoofer’s transmitter T sends the GNSS signals (with the corresponding NMA bits) recorded by its receiver R towards the GNSS receiver U. The signal power of the spoofer’s transmitter T is chosen at a critical level identified in phases (b) and (c) of case study 2. The feasibility study carried out here covers technical as well as computational aspects and formulates preconditions for a successful or unsuccessful spoofing attack. Also, the output of the authentication algorithm (“successfully authenticated” or “authentication failed”) as well as the performance parameters ATFFD and ATFAFD are evaluated to assess the risk and feasibility of such spoofing attacks.
The significance of this work is to show first results of the demonstration tool Sisitau for a special class of record & replay attacks. Sisitau is able to emulate the whole chain from generating true or spoofed GNSS signals to the authentication of the signals. The conclusions form a preliminary assessment of the risk that stems from the addressed spoofing attacks.
[1] K. D. Wesson, M. P. Rothlisberger, T. E. Humphreys, “A proposed navigation message authentication implementation for civil GPS anti-spoofing”, Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2011), Portland, OR, 2011.
[2] J. T. Curran, M. Paonni, J. Bishop, “Securing the open-service: a candidate navigation message authentication scheme for Galileo E1 OS”, European Navigation Conference (ENC), 2014.
[3] M. Yuan, Z. Lv, H. Chen, J. Li, G. Ou, “An implementation of navigation message authentication with reserved bits for civil BDS anti-spoofing”, China Satellite Navigation Conference (CSNC) 2017, Volume II, 2017.
[4] I. F. Hernández, V. Rijmen, G. S. Granados, J. Simón, I. Rodríguez, J. D. Calle, “Design drivers, solutions and robustness assessment of navigation message authentication for the Galileo open service”, Proceedings of the ION GNSS+ Meeting, 2014.
[5] C. Sarto, O. Pozzobon, S. Fantinato, S. Montagner, I. F. Hernández, J. Simon, J. D. Calle, S. C. Díaz, P. Walker, D. Burkey, G. Seco-Granados, E. Göhler, “Implementation and testing of OSNMA for Galileo”, Proceedings of the ION GNSS+ Meeting, 2017.