|Abstract:||Modern mobile network standards like Long Term Evolution-Time Division Duplex (LTE-TDD) and Long Term Evolution-Advanced (LTE-A) require synchronization not only in frequency, but also in phase and time. Precise time synchronization between mobile cells is necessary to ensure undisturbed data and voice traffic. GNSS timing receivers deliver the time reference in many cases, although other methods like the Precision Time Protocol (PTP) are used, especially in areas where GNSS reception is not possible. One or a few cells are each supplied with one GNSS receiver. Therefore, zones between two different GNSS-synchronized areas become vulnerable to GNSS time spoofing attacks. When one receiver, and therefore all its cells, gets the wrong time, the synchronization to the neighbor cells, supplied with the correct time, fails. Communication is then no longer possible in those areas. Different mobile standards have different time synchronization requirements. While LTE-TDD and LTE-A require 1.5 to 5 µs time accuracy, the upcoming 5G will require time accuracy under 300 ns. Therefore, we tested the influence of two different types of spoofing attacks, namely the record-and-replay attack (RRA) and the meaconing attack (MA). The tested receivers were the U-Blox M8T (~200 dollars) and the Septentrio PolaRx5TR (>10000 dollars), both widely used for precise time measurements. The RRA was made with a USRP (Universal Software Radio Peripheral). Signals were recorded in the L1 band, replayed and retransmitted via cable transfer to the receiver. The time delay was several months in this case. The U-Blox receiver showed time jumps but detected the attacks with a special spoofing text message, which appeared in the GUI of the receiver software U-Blox-Center. The Septentrio receiver showed no time jumps and a continuous position, but only when enough GNSS signals on other frequencies were tracked.
The MA was made with a reception antenna, several amplifiers and a 30 m cable (delay element of approx. 100 ns) connected to the victim receiver. The time delay of the attacking signal directly changes the receiver clock error and therefore the time output. We took a delay of 100 ns, because 30 m is a realistic distance for an attacker without the need for too much amplification. Also, it is shorter than 260 ns (minimum requirement of the upcoming 5G), which means that the induced time jumps are less noticeable and, for all kinds of mobile standards, more difficult to detect. The delay can then be enhanced by the attacker by slowly increasing the distance to the victim. Also, if the distance were increased, big jumps in the position would be avoided, which makes the attack harder to detect. Time and position jumps occurred for both receivers, which means that the attack was successful. The position accuracy (standard deviation) showed a temporary deterioration in all measurements immediately after the start of the attack. Monitoring this parameter could be an easy way to detect MA. In order to improve the spoofing text warning of the U-Blox receiver, we implemented an anti-spoofing flag against MA in our own software receiver. It uses several parameters that are influenced by spoofing attacks, including the code rate of the replica, the signal power and the code minus carrier (CMC). We tested the flag successfully in simulations and also for real signals over cable with manual receiver gain setting.|
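The monitoring idea from the abstract, as an added example that is not code from the paper and is not the authors' software-receiver flag: it watches only receiver output, alarming when the reported position standard deviation spikes in the same epoch as a step in the clock bias. The window length, both thresholds, the function names and the 1 Hz sample series are assumptions constructed for illustration; only the 100 ns delay comes from the abstract.

```python
from statistics import median

def predict_linear(ts, ys, t_next):
    """Least-squares line through (ts, ys), evaluated at t_next.
    Removes normal clock drift so that only a sudden offset remains."""
    n = len(ts)
    t_mean, y_mean = sum(ts) / n, sum(ys) / n
    sxx = sum((t - t_mean) ** 2 for t in ts)
    slope = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys)) / sxx
    return y_mean + slope * (t_next - t_mean)

def meaconing_alarms(epochs, window=10, sigma_factor=3.0, clock_step_ns=50.0):
    """epochs: list of (t_s, pos_sigma_m, clock_bias_ns) tuples.
    Returns the times at which both indicators fire together.
    All three tuning parameters are assumed values, not from the paper."""
    alarms = []
    for i in range(window, len(epochs)):
        hist = epochs[i - window:i]
        t, sigma, bias = epochs[i]
        # Indicator 1: position accuracy deteriorates against recent baseline.
        baseline = median(e[1] for e in hist)
        sigma_spike = sigma > sigma_factor * baseline
        # Indicator 2: clock bias departs from its drift-extrapolated value.
        predicted = predict_linear([e[0] for e in hist], [e[2] for e in hist], t)
        clock_step = abs(bias - predicted) > clock_step_ns
        if sigma_spike and clock_step:
            alarms.append(t)
    return alarms

def constructed_series(attack_start=None, delay_ns=100.0, n=60):
    """Constructed 1 Hz receiver output: 0.5 ns/s drift, a few ns of jitter.
    From attack_start on, the bias gains delay_ns and the position sigma
    is degraded for five epochs (the 'temporary deterioration')."""
    out = []
    for t in range(n):
        sigma = 1.5 + ((t * 7) % 5 - 2) * 0.05
        bias = 0.5 * t + ((t * 3) % 7 - 3) * 1.0
        if attack_start is not None and t >= attack_start:
            bias += delay_ns
            if t < attack_start + 5:
                sigma = 6.0
        out.append((t, sigma, bias))
    return out

if __name__ == "__main__":
    print("clean:   ", meaconing_alarms(constructed_series()))
    print("attacked:", meaconing_alarms(constructed_series(attack_start=40)))
```

The alarm clears after two epochs because the sliding window absorbs the new offset, so a deployment would latch the first alarm rather than rely on it persisting.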
Proceedings of the 2019 International Technical Meeting of The Institute of Navigation
January 28 - 31, 2019
Hyatt Regency Reston
|Pages:||345 - 362|
|Cite this article:||
Blum, Ronny, Dötterböck, Dominik, Pany, Thomas, "Investigation of the Vulnerability of Mobile Networks Against Spoofing Attacks on their GNSS Timing-receiver and Developing a Meaconing Protection," Proceedings of the 2019 International Technical Meeting of The Institute of Navigation, Reston, Virginia, January 2019, pp. 345-362.