Assessing the Spoofing Threat

January 1, 2009 By: Todd E. Humphreys, Paul M. Kintner Jr., Mark L. Psiaki, Brent Ledvina, Brady O' Hanlon GPS World

Seven years after the Volpe Report warned that "[a]s GPS further penetrates into the civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups, or countries hostile to the U.S.," civil GPS receivers remain as vulnerable as ever to this threat. Among other types of interference, the Volpe report considers civil GPS spoofing, a pernicious type of intentional interference whereby a GPS receiver is fooled into tracking counterfeit GPS signals. More sinister than intentional jamming, spoofing deceives the targeted receiver, which cannot detect a spoofing attack and so cannot warn users that its navigation solution is untrustworthy. The Volpe report noted the absence of any off-the-shelf defense against civilian spoofing and lamented that "[t]here also is no open information on . . . the expected capabilities of spoofing systems made from commercial components." It recommended studies to characterize the spoofing threat: "Information on the capabilities, limitations, and operational procedures [of spoofers] would help identify vulnerable areas and detection strategies."

We recently canvassed four manufacturers of high-quality GPS receivers. They revealed that they were aware of the spoofing vulnerability but had not taken steps to equip their receivers with even rudimentary spoofing countermeasures. The manufacturers expressed skepticism about the seriousness of the threat and noted that countermeasures, if required, had better not be too expensive. Such attitudes propel further examination of the threat and practical countermeasures.

Important research into spoofing countermeasures during the last decade begins with an internal memorandum from the MITRE Corporation recommending these techniques to counter spoofing:

1. Amplitude discrimination
2. Time-of-arrival discrimination
3. Consistency of navigation inertial measurement unit (IMU) cross-check
4. Polarization discrimination
5. Angle-of-arrival discrimination
6. Cryptographic authentication

The first two techniques could be implemented in software on GPS receivers, but would be effective against only the most simplistic attacks. The next three tactics would be effective against some — but not all — more sophisticated attacks. In particular, angle-of-arrival discrimination, which exploits differential carrier-phase measurements taken between multiple antennas, could only be spoofed by a sophisticated coordinated spoofing attack (discussed later). However, they require additional hardware: multiple antennas or a high-grade IMU, whose cost militates against widespread adoption.

Cryptographic authentication, the last technique on the list, has received detailed study since 2001. Logan Scott offered several levels of authentication in a 2003 ION GPS/GNSS paper and urged their prompt adoption in a GPS World op-ed column in July 2007. His methods are backward-compatible with non-compliant GPS receivers. Spreading-code authentication, the basis for his Level 2 and 3 authentication, entails embedding messages in the GPS ranging codes and periodically authenticating these messages. Because this method effectively binds a digital signature to the ranging codes, it would render a compliant receiver practically impervious to a spoofing attack except during the short interval between reception and authentication of the embedded messages.

These cryptographic techniques all require modification of the civil GPS signal structure. Such changes appear extremely unlikely in the short term because, as one experienced observer noted, "signal definition inertia is enormous." A less effective but more practical approach over the United States would be to authenticate only the WAAS signal managed by the U.S. Department of Transportation and the Federal Aviation Administration. Since the WAAS signal is constructed on the ground and transmitted via bent-pipe communication spacecraft, it is more amenable to immediate modification. Even so, efforts to persuade WAAS officials to adopt spreading code authentication have so far proven fruitless.

The Homeland Security Institute, a research arm of the U.S. Department of Homeland Security, has also considered the threat of civil GPS spoofing. On its website it has posted a report listing seven spoofing countermeasures. The proposed countermeasures include the first three techniques from the list here. Some of the remaining four countermeasures would be trivial to spoof. None of the seven would adequately defend against a sophisticated attack. Nonetheless, the posting claims that its proposed techniques "should allow suspicious GPS signal activity to be detected." We worry that such optimistic language in such a prominent posting will mislead many readers into believing that the spoofing threat has been adequately addressed.

Our goals here are to assess the spoofing threat and develop and test practical and effective countermeasures. To advance these goals we found it necessary to go through the exercise of building a civil GPS spoofer. The process of developing a complete portable spoofer allows one to explore the range of practical spoofing techniques. Thus one discovers which aspects of spoofing are hard and which are easy to implement in practice. With this information, we can more accurately assess the difficulty of mounting an attack, and receiver developers can prioritize their defenses by choosing countermeasures that are effective against easily implementable spoofing techniques.

Software-defined GPS receivers furnish a natural platform for the study of civil spoofing and its effects. In a software receiver, real-time correlators, tracking loops, and navigation solver are all implemented in software on a programmable processor.