Global Navigation Satellite Systems

by Justin Baker
on June 18, 2020

Today’s Research Paper: Known Vulnerabilities of Global Navigation Satellite Systems, Status, and Potential Mitigation Techniques

Global Navigation Satellite Systems (GNSS) is the broader category that covers what is commonly referred to as GPS as well as other navigation systems such as Galileo and Russia’s GLONASS. GNSS uses time difference of arrival (TDOA) to provide position and time information to land-based receivers. Given a connection to 4 or more satellites, a receiver can calculate its position. However, due to the nature of these signals, receivers can be tricked if a signal is broadcast on the same frequency as the true GNSS signal. This poses a major challenge, as GNSS is vital to the economy. A survey from the European Commission (EC) estimates assets depending on GNSS to be at the 800 billion Euro level (~ 9 billion US dollars). Consequently, this paper explores both the vulnerabilities present in GNSS systems and methods of detection and mitigation.

The GNSS Operation Principle

There are three elements that make up GNSS: the space segment, control segment, and the user segment.

Space Segment

GNSS satellites are medium-sized and weigh between 200 and 2000 kilograms. Most have a nearly circular orbit that is around 25 – 30 million meters above the earth’s surface. These satellites use the L-band frequency for communications to earth. More technically, they use high power amplifiers (HPAs), which are non-linear amplifiers. Signal multiplexing technologies are used, which enable amplification from a single HPA.

User Receivers

This section of the paper relied on a lot of math to explain how GNSS frequencies are acquired by receivers. I do not understand these concepts well enough to attempt to explain them, but I encourage the interested reader to consult the paper.

Control Segment

The control segment uses GNSS receivers at monitor stations that collect data from all the satellites. The locations of these stations are known exactly, which allows the prediction of satellite locations and the estimation of small deviations in their onboard atomic clocks. These stations can also estimate the signal delay caused by the atmosphere. Data on all of this is uploaded to the satellites in the C-band every few hours.

Attacks to GNSS Receivers

An interference signal can cause receiver failure, incorrect position estimates, or incorrect time estimates. This interference comes in two forms: jamming and spoofing.

Jamming

Jamming can be intentional or unintentional. Its level of interference is based on the “effective carrier to noise ratio.” In other words, a more powerful jamming device, coupled with a signal that is close to the true satellite signal, results in more noise.

Unintentional Interference

Unintentional interference comes from other systems that broadcast radio frequencies, and it can be either out of band or in band. Out-of-band interference comes from devices like terrestrial digital video broadcasting (DVB-T), multicarrier modulated satellite communication systems, and amateur radios. In-band interference can come from sources such as civilian and military navigation systems (for example distance measuring equipment and tactical air navigation), military communication systems, and various forms of radar.

Intentional Interference

This form of interference is created by a strong signal in the GNSS band. These signals can come from personal privacy devices (PPD) that are typically used to block a vehicle from being tracked in cases such as road tolling trackers.

Spoofing

Spoofing occurs when the interference waveform is similar in structure to the true waveform. This allows an adversary to deceive the receiver’s estimate of location and timing information. It can be difficult to carry out a spoofing attack undetected. The spoofer must know the user’s approximate trajectory and provide a reasonable delay, power, and Doppler while accounting for the attacker’s own hardware delays. Despite these difficulties, it is possible to inject fake navigation information by transmitting a spoofing signal with slightly more power than the true signal. There are two attack vectors that exist when spoofing OS GNSS signals: the navigation message and the ranging code.

Navigation attacks

In order to carry out a navigation attack, the attacker will demodulate the authentic navigation data, modify it in some way, and retransmit the signal with incorrect ranging, position, and timing. While there are detection schemes to prevent this using expected times, these are not applicable to all GNSS systems.

Code Level Attacks

I am saving the specifics of these attacks for a separate post as they are very technical in nature and I want to understand them better before I post them here. I encourage the interested reader to consult the paper to learn more about these attacks. The attacks described in the paper are listed below for convenience.

Detection of Interferences

There exists a jamming detection scheme that uses properties of the automatic gain control (AGC). The AGC’s output is driven by noise; consequently, variations in this device’s output could signal an attack. This method is most effective when a strong interference signal is present, and it loses detection ability as the interfering signal nears the strength of the true signal. Many popular interference detection algorithms fall into the spectral monitoring category, with a major algorithm being the short-time Fourier transform. Other methods such as wavelet transforms and quadratic TFR algorithms each offer different abilities when it comes to resolution.
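The AGC check described above, sketched as an added example (not code from the paper or from this post). It assumes an idealised AGC that sets its gain from block power, unit-variance thermal noise, a constructed continuous-wave interferer, and a hypothetical 1 dB alarm threshold; all function names are illustrative.

```python
import math
import random
import statistics

def agc_gain_db(block, target_power=1.0):
    """Gain (dB) an idealised AGC applies to bring block power to the target."""
    power = sum(x * x for x in block) / len(block)
    return 10 * math.log10(target_power / power)

def make_block(n, jn_db, rng):
    """Constructed samples: thermal noise plus an optional CW tone.

    jn_db is the interference-to-noise power ratio in dB, or None for a
    clean block. The GNSS signal itself sits below the noise floor, so it
    is left out: noise is what drives the AGC.
    """
    amp = 0.0 if jn_db is None else math.sqrt(2 * 10 ** (jn_db / 10))
    return [rng.gauss(0, 1) + amp * math.sin(2 * math.pi * 0.12 * i)
            for i in range(n)]

def detect_jamming(gains_db, n_baseline=20, threshold_db=1.0):
    """Indices of blocks whose AGC gain fell more than threshold_db
    below the median gain of the first n_baseline (assumed clean) blocks."""
    baseline = statistics.median(gains_db[:n_baseline])
    return [i for i, g in enumerate(gains_db)
            if i >= n_baseline and baseline - g > threshold_db]

def run(jn_db, seed=1):
    """30 clean blocks followed by 10 blocks with interference at jn_db."""
    rng = random.Random(seed)
    blocks = [make_block(2000, None, rng) for _ in range(30)]
    blocks += [make_block(2000, jn_db, rng) for _ in range(10)]
    return detect_jamming([agc_gain_db(b) for b in blocks])

if __name__ == "__main__":
    print("strong interferer (+10 dB):", run(10.0))
    print("weak interferer (-20 dB):  ", run(-20.0))
```

The +10 dB interferer pushes the gain down by roughly 10 dB on every affected block, while the -20 dB one shifts it by less than the block-to-block estimation noise and goes unflagged, which is the loss of sensitivity the paragraph describes.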

Mitigation of Interferences

Mitigation techniques are grouped into four domains: time, frequency, time-frequency, and spatial time. The pulse blanking technique is the most popular for the time domain. As for the frequency domain, the goal is to remove the harmonic component of an interfering signal. To do this, harmonics that exceed a detection threshold are set to zero. I was unable to find specific information for the other two domains, but the paper did note that these techniques are not suitable for matched spectrum or broadband jamming.
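The frequency-domain step described above (zero every spectral component that exceeds a detection threshold), as an added example that is not code from the paper or from this post. The threshold rule (a multiple of the median bin magnitude), the small FFT helper, the function names and the constructed test signal with a tone placed exactly on one FFT bin are all assumptions made for illustration.

```python
import cmath
import math
import random
import statistics

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def ifft(spectrum):
    """Inverse FFT via the conjugation identity."""
    n = len(spectrum)
    return [v.conjugate() / n for v in fft([v.conjugate() for v in spectrum])]

def excise(samples, k=5.0):
    """Zero FFT bins whose magnitude exceeds k times the median magnitude.

    Returns the cleaned time-domain samples and the excised bin indices.
    """
    spectrum = fft(samples)
    mags = [abs(v) for v in spectrum]
    threshold = k * statistics.median(mags)
    hit = [i for i, m in enumerate(mags) if m > threshold]
    for i in hit:
        spectrum[i] = 0j
    return [v.real for v in ifft(spectrum)], hit

def power(samples):
    return sum(s * s for s in samples) / len(samples)

def demo(n=1024, jn_db=20.0, tone_bin=100, seed=7):
    """Constructed input: unit-variance noise plus a CW tone at jn_db."""
    rng = random.Random(seed)
    amp = math.sqrt(2 * 10 ** (jn_db / 10))
    rx = [rng.gauss(0, 1) + amp * math.sin(2 * math.pi * tone_bin * i / n)
          for i in range(n)]
    cleaned, hit = excise(rx)
    return power(rx), power(cleaned), hit

if __name__ == "__main__":
    before, after, bins = demo()
    print(f"power before={before:.1f} after={after:.2f} excised bins={bins}")
```

Only the two bins holding the tone are removed, so the noise-like band the receiver needs is left almost untouched; an interferer spread across the whole band would have no narrow peak to excise, which matches the paper's note about matched-spectrum and broadband jamming.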

Detection and Mitigation of Spoofing

Detection of spoofing is inherently difficult due to the spoofed signal being extremely close in power to the true signal. The two major domains of detection and mitigation exist at the user level and at the system level.

User Level

There are many user-level techniques explored briefly in the paper. The bottom line is that there are many variables that go into detection and mitigation at the user level. While techniques do exist, the performance analysis of these is incomplete and must be further explored under a variety of conditions. Consequently, the GNSS community is leaning towards system-level techniques as a solution.

System Level

The system level uses authentication based on cryptographic techniques, thereby making it difficult for adversaries to generate the same signal. Although not all spoofing attacks can be prevented with authentication, when paired with receiver-based techniques the result could be quite successful. When considering different authentication techniques, the application requirements and use cases must be considered. Cryptography for this application comes in two flavors: symmetric key and asymmetric key. In symmetric key cryptography, the transmitter and the receiver share a secret key. This makes it impractical for civilian use, as anyone that knows the key could impersonate the satellite. Asymmetric key cryptography uses a public and private key and would work on a larger scale system; however, it is slower and requires longer keys and more computational power.

Final Takeaways

There are aspects of this paper that I did not cover or did not cover in detail. This paper is quite technical, and I want to take more time to understand certain aspects before publishing them. While this paper may be difficult for beginners to understand, the information is fundamental to the security of satellites and provides a great basis for continued learning.

Please note that this post represents my takeaways from the paper; all credit goes to the authors.

Title Photo courtesy of Jamie Street

