Exploiting Side-Information for Resilient GNSS Positioning in Mobile Phones
Silvia Ceccato, Francesco Formaggio, Gianluca Caparra, Stefano Tomasin, Nicola Laurenti, University of Padova, Italy
More and more applications rely on Global Navigation Satellite Systems (GNSS) as a precise, convenient and ubiquitous timing and positioning source. Although the authenticity, integrity and availability of this service are typically taken for granted, the GNSS signal is not immune to attacks aiming at disrupting the provided services and even at causing damage to the depending devices and systems. Such attacks can either attempt to cease the availability of the service by broadcasting deliberate interference, i.e. jamming the GNSS signal, or more subtly, at manipulating the position, velocity and timing (PVT) solution. The latter case is referred to as spoofing, where a malicious entity tricks the receiver into computing fake PVT by transmitting counterfeit GNSS signals.
The threat of GNSS spoofing has been recognized by the community, and several anti-spoofing measures have been proposed in the literature. These can either operate at the system level, with the insertion of security features into the signal in space (SIS), or at the receiver level, with the development of robust signal processing techniques.
Even though mobile handsets are not security critical devices when it comes to positioning, in recent years the variety of smartphone-based applications for society critical tasks has vastly increased:
- Smartphone payment systems are now used by more and more customers and card fraud is a well known issue. Indeed, credit card companies currently look for inconsistencies between the site of a transaction and the estimated location of the cardholder, raising warnings in case of a mismatch.
- Several companies use tracking applications installed on smartphones or tablets provided to their employees for workforce management.
- Enhanced 911 (E911) is a standard for emergency calls that requires the carrier to deliver the user’s positioning information whenever a 911 call takes place. The standard also defines specific requirements for the positioning accuracy.
- Crowdsourcing services often include geographical coordinates in the information collected from the users.
The above considerations motivate a study on GNSS positioning resilience in smartphones and how to improve it with the current handset capabilities. Moreover, a recent spoofing incident happened at ION GNSS+ 2017 caused a number of devices to be accidentally spoofed by a GNSS simulator with non properly terminated RF connectors. This event has further inspired our investigation on the device’s vulnerabilities to spoofing.
The aim of our work is to propose a set of solutions to improve the resilience of mass market GNSS modules against less sophisticated spoofing attacks. We focus on software-based cross-checks with side information coming from other sources, such as signals of opportunity (WiFi, cellular networks, Bluetooth) or the on board sensors (accelerometer, digital compass, clock, etc.). These consistency checks can be easily implemented in the current chipsets generation, minimizing the impact on the user segment without requiring modifications to the space segment.
AGNSS has contributed to the widespread of GNSS positioning in handsets by integrating wireless communication with GNSS. AGNSS allows mobile devices to retrieve system information (ephemeris data, frequency and code delay estimates, etc.) from an aiding channel, allowing to compute the PVT solution even in challenging conditions, such as urban canyons and indoor. Even though retrieving the navigation message through AGNSS is beneficial in terms of time to first fix (TTFF) and decoding probability, it is still worth checking for consistency with the message from the SIS.
Most smartphones integrate several sensors (e.g., accelerometer, gyroscope, barometer, etc.) which provide useful side-information that can be effectively combined with the GNSS signals to improve spoofing detection. Handsets are most likely to be connected to a mobile data network, and thus to a specific serving base station. This connection is an immediately available source of position and timing related information, such as a rough time synchronization and the position of the base station itself. These data can be cross-checked with the GNSS SIS and PVT solution. Another potential spoofing indicator may be represented by past positioning solutions. Checking the position history is indeed a simple and straightforward solution to reveal inconsistencies.
Even though the other sources are not immune to spoofing, a smart fusion of all available information increases the effort that is required by the attacker. The solutions we propose are not sufficient to achieve complete PVT robustness, as they may not protect against more sophisticated spoofing attacks. However they have the advantage of being easy to implement even in today’s receivers, and they could be later complemented by the next generations of GNSS signals that will possibly allow for more effective authentication techniques.
In order to demonstrate how the suggested cross-checks can greatly improve the robustness of handset receivers against spoofing, we assessed the current behaviour of mass market smartphones and tablets under various kinds of spoofing attacks.
To the best of the authors’ knowledge, a systematic set of tests on the resilience of GNSS positioning on mobile devices has never been performed. In this work we will analyze how mobile devices behave when exposed to a spoofing GNSS signal that is inconsistent with any other positioning source. Experiments will be carefully designed and laboratory procedures will be organized in a rigorous manner. The goal is to propose a smart integration of all available positioning information in order to make smartphones’ positioning more reliable without requiring any additional signal component, and exploiting only immediately available sources.
The test setup will exploit a GNSS signal generator that allows to generate the GPS and Galileo signals for any selected position and time, and the Nuand BladeRF software-defined radio (SDR). The experiments will be tailored to investigate all the above aspects, testing several mobile devices in order to reveal whether or not any integrity measures are currently used for guaranteeing PVT consistency.