Detection and Localization of
Attacks on Satellite-Based
Navigation Systems
Dissertation
submitted for the degree of Doktor-Ingenieur
to the Faculty of Electrical Engineering and Information Technology
at Ruhr-Universität Bochum
by
Kai Jansen
born in Iserlohn
Bochum, December 2018
Dissertation submitted on: December 11, 2018
Date of the oral examination: March 6, 2019
Reviewer:
Prof. Dr. Aydin Sezgin, Ruhr-Universität Bochum
Second reviewer:
Prof. Dr. Christina Pöpper, New York University Abu Dhabi
Third reviewer:
Prof. Dr. Ivan Martinovic, University of Oxford
Abstract
The worldwide coverage of satellite-based navigation systems, such as the Global
Positioning System (GPS), facilitates self-localization and time synchronization in
outdoor environments. Location and time awareness are integral components of a
wide field of applications including, but not limited to, emergency localization,
autonomous vehicles, and aviation. However, the strong dependence on the integrity of
GPS makes systems susceptible to signal outage, or even more severe, to deliberate
manipulation. The latter is referred to as spoofing attacks, a powerful attack class
against GPS-dependent systems and challenging to protect against. In addition, the
tools available to attackers get increasingly more sophisticated and affordable. As a
consequence, we perceive a discrepancy between how critical systems are protected
and the feasibility of attacks.
In order to overcome this discrepancy, we propose countermeasures to harden
GPS-dependent systems against spoofing attacks. Moreover, our targeted domains,
in particular aviation, impose strict requirements on possible modifications to avoid
prolonged (re)certification processes. We address demanding real-world requirements
and design lightweight countermeasures that can be realized with commercial
hardware or can even be implemented with the already existing infrastructure. For
instance, we develop effective mechanisms for the detection of GPS spoofing attacks.
Further, we tackle the challenge of spoofer localization and propose Crowd-GPS-Sec
as a system for pinpointing an attacker via Automatic Dependent Surveillance-Broadcast
(ADS-B) aircraft messages. Furthermore, we design a verification scheme
based on wireless witnessing to assess the trustworthiness of ADS-B aircraft reports.
In conclusion, we evaluate and implement different security solutions for the detection
and localization of attacks on satellite-based navigation systems. We theoretically
analyze the viability of our proposals and develop prototypes demonstrating
their effectiveness. These solutions can be implemented today to improve the security
of GPS-dependent systems immediately.
Summary
The worldwide coverage provided by satellite-based navigation systems, such as
the Global Positioning System (GPS), enables localization and time
synchronization. Location and time awareness are essential components of
many application areas, including disaster response, autonomous driving,
and aviation. The strong dependence on GPS makes such applications susceptible
to signal outages or to deliberate manipulation. The latter includes
so-called spoofing attacks, a powerful attack class against GPS-dependent
systems that is difficult to protect against. In addition, the
tools available to attackers are becoming increasingly affordable and offer more
functionality. As a consequence, we see a discrepancy between the existing
protection measures of critical systems and the feasibility of attacks.
To overcome this discrepancy, we present countermeasures to better protect
GPS-dependent systems against spoofing attacks. In doing so, the strict
requirements of the relevant application areas, in particular aviation,
must be observed in order to avoid prolonged (re)certification processes. We meet the
given requirements by restricting our countermeasures to those that can be
realized with commercial hardware or the already existing infrastructure.
For example, we develop effective countermeasures for the detection
of spoofing attacks. Furthermore, we address the problem of spoofer
localization and present Crowd-GPS-Sec as a system for narrowing down possible
attacker positions via Automatic Dependent Surveillance-Broadcast (ADS-B).
In addition, we design a verification scheme based on "wireless
witnessing" to verify the credibility of ADS-B aircraft messages.
In summary, we evaluate and implement different security
solutions for the detection and localization of attacks on satellite-based
navigation systems. We analyze the theoretical feasibility of our approaches
and develop prototypes that demonstrate their effectiveness. The solutions
we present can be implemented in the near term to improve the security
of GPS-dependent systems.
Acknowledgements
First of all, I want to thank my supervisor Prof. Christina Pöpper for her encouraging
support and helpful advice. She created a unique working environment both
comfortable and efficient. Furthermore, I wish to thank her for helping to establish
connections to other researchers resulting in many fruitful exchanges of ideas.
Moreover, I am grateful to my co-examiners Prof. Aydin Sezgin and Prof. Ivan Martinovic
for devoting their time to review and evaluate my dissertation thesis. In
particular, I thank Prof. Ivan Martinovic for making it possible to have experienced
a memorable research visit at the University of Oxford.
I also give special thanks to my co-authors and collaborators Dr. Nils Ole Tippenhauer,
Dr. Vincent Lenders, Dr. Matthias Schäfer, Prof. Jens Schmitt, and Dr. Martin
Strohmeier for their valuable contribution to my research providing new insights
and perspectives.
Most of all, I want to thank my longtime colleagues with whom I had the opportunity
to spend so many precious days: Max “Maxi” Golla for the strive for the perfect
bibliography style; Lea “Lea” Schönherr for sound assistance on machine learning
techniques; Theodor “Theo” Schnitzler for pointing out the right moments to take
working holidays; Florian “Fabi” Farke for ways to approach CEOs of major companies;
Philipp “Freddy” Markert for how to exploit reimbursements for survey participation
at large-scale; Nicolai “Nico” Wilkop for advice on the next professional
gaming career; Jan “Janni” Wiele for raising the coffee standards; David “Dave”
Rupprecht for handling all the complicated wireless stuff; and especially Katharina
“Katha” Kohls for Choosing to spread her enthusiasm and for sharing a Gallery of
memories. This awesome group makes it so hard to leave.
Last but not least, I want to thank my parents Heike and Jonathan Jansen for their
love and endless support which provided the foundation for a successful dissertation.
Contents
1 Introduction
1.1 Motivation
1.2 Challenges in Satellite-Based Navigation Systems
1.3 Contributions
1.4 List of Publications
1.5 Overview and Structure
2 Preliminaries
2.1 Introduction
2.2 Global Navigation Satellite Systems
2.3 Aircraft Broadcast Signals
3 Attacks on Satellite-Based Navigation Systems
3.1 Introduction
3.2 Attack Classification
3.3 Advancing Attacker Models
3.4 Summary
4 Multi-Receiver GPS Spoofing Detection
4.1 Introduction
4.2 Related Work
4.3 System Model
4.4 Attacker Model
4.5 Theoretical Multi-Receiver Spoofing Detection
4.6 Experimental Evaluation of Authentic Signals
4.7 Experimental Evaluation of Spoofed Signals
4.8 Simulation of the Countermeasure
4.9 Prototype Implementation
4.10 Discussion
4.11 Summary
5 Crowdsourced GPS Spoofing Detection and Spoofer Localization
5.1 Introduction
5.2 Related Work
5.3 System Model
5.4 Attacker Model
5.5 Crowd-GPS-Sec
5.6 Multilateration (MLAT)
5.7 GPS Spoofing Detection
5.8 GPS Spoofer Localization
5.9 Evaluation
5.10 Discussion
5.11 Summary
6 Trust Establishment for Aircraft Broadcast Signals
6.1 Introduction
6.2 Related Work
6.3 System Model
6.4 Attacker Model
6.5 Design of an ADS-B Trust System
6.6 ADS-B Message Trust
6.7 Attack Analysis
6.8 Simulation
6.9 Evaluation
6.10 Discussion
6.11 Summary
7 Conclusion
7.1 Key Results
7.2 Directions for Future Work
7.3 Concluding Remarks
List of Figures
List of Tables
List of Abbreviations
Bibliography
There are times when you run a marathon and you
wonder, Why am I doing this? But you take a drink
of water, and around the next bend, you get your
wind back, remember the finish line, and keep going.
— Steve Jobs
1 Introduction
Contents
1.1 Motivation
1.2 Challenges in Satellite-Based Navigation Systems
1.3 Contributions
1.4 List of Publications
1.5 Overview and Structure
1.1 Motivation
In modern times, accurate positioning information and precise time synchronization
are essential for a myriad of applications to provide users with their designated
services. Global Navigation Satellite Systems (GNSSs), such as the Global Positioning
System (GPS) or the Global Navigation Satellite System (GLONASS), are
today’s means of localization in outdoor environments. In particular, GPS
became the de facto positioning standard when the U.S. government discontinued
Selective Availability (SA), an intentional degradation of public GPS signals, on
May 2, 2000.
Since then, GPS has found its place in various, more sophisticated devices such as
navigation units, mobile phones, activity trackers, industrial control systems, trading
platforms, agricultural machinery, cars, trains, ships, and aircraft as a ubiquitous
source of location and time information. Furthermore, with the growing popularity
of drones and other Unmanned Aerial Vehicles (UAVs), GPS is expected to maintain
a pervasive role in the near future making it an integral component of personal
applications as well as critical infrastructure. With virtually global coverage via
broadcast transmissions, GPS can provide its service to users all around the world.
Since the awareness of position and time is often an essential requirement to provide
additional functionality, the implementing systems highly depend on the viability
and integrity of the processed information. For instance, next-generation air traffic
monitoring systems mandate the embedding of GPS information into Automatic
Dependent Surveillance-Broadcast (ADS-B) aircraft reports. As a consequence, the
strong reliance on satellite-based navigation systems renders them a worthwhile
target for malicious actors.
The open nature and low complexity of civilian GPS signals make them vulnerable
to a wide range of attacks. While jamming attacks aim at disrupting the
communication by overshadowing the signals to prevent any useful decoding, spoofing
attacks, on the other hand, are geared towards injecting false positioning or
timing information into the system’s processing logic. Spoofing attacks exploit the
fact that non-military applications use public, unprotected GPS signals, which lack
basic security properties and are neither encrypted nor authenticated.
While in the past the requirements to successfully emulate realistic GPS signals
were considered too challenging, in the last couple of years a shift in attacker
capabilities can be perceived. Recent advancements in both hardware and software
tools have facilitated the deployment of effective attack setups. As a result, the
frequency of reported GPS jamming and spoofing incidents has increased. Prominent
examples include the hijacking of a CIA stealth drone (RQ-170) allegedly via GPS
spoofing [103] in 2011, unintentional jamming close to Newark Airport [27] in 2012,
devices displaying false positions around the Moscow Kremlin [73, 100, 113] in 2016,
GPS jamming signals targeted at Norwegian airspace [75], and a mass GPS spoofing
attack in the Black Sea [13, 30, 31, 53, 64], both in 2017. Besides these publicly
known events, GPS also serves military purposes and is considered a mission-critical
national asset [16]. Its control and potential manipulation is likewise a matter of
military concern.
In response to these threats, the long-neglected development of practical security
solutions has gained increasing attention. While proposals for a
wide range of countermeasures against jamming as well as spoofing attacks exist in
the wild, their implementations often lag behind, if they are considered at all. As a
consequence, attackers are increasingly favored over the present protection systems.
This fact further intensifies the need for operational solutions that are ready to be
implemented today.
This thesis pursues the goal of designing and implementing secure positioning
solutions to harden satellite-based navigation systems against location spoofing attacks.
The results and findings specifically contribute to the demand for practical
solutions to counteract the current threat situation.
1.2 Challenges in Satellite-Based Navigation Systems
While satellite-based navigation systems have been developed to mainly serve military
purposes with built-in security features designed to withstand powerful nation-state
attackers, the civilian counterpart is commonly left unprotected. With the
lack of suitable hardware and software tools to emulate satellite signals, the system
had been implicitly protected. However, technical advancements and the widespread
availability of Software Defined Radios (SDRs) created new security challenges.
The rigid composition of visible satellites, receiver implementations on the ground,
as well as the protocol specifications, is characterized by very long development
cycles. With the receiver design being the most flexible out of these three, it is the
primary focus of security research. Accepting that satellite and protocol specifics
will not change in the near future, new security proposals need to be lightweight in
the sense that the currently deployed infrastructure remains unaltered. Hence, the
overall challenge is retrofitting security into systems/protocols that were initially
developed based on attacker models that are considered obsolete today.
Figure 1.1: A schematic overview of the three main technical contributions according to the involved segments. Segments: satellites, aircraft, receivers. Contributions: Multi-Receiver GPS Spoofing Detection; Crowdsourced GPS Spoofing Detection and Spoofer Localization; Crowdsourced Verification of ADS-B Aircraft Reports.
Moreover, safety-critical domains such as the transportation sector—in particular
aviation—are further conditioned to meet legal obligations and to undergo lengthy
certification procedures. The implementation of new components or any modification
of existing hardware would trigger the whole certification process anew. This
work acknowledges these requirements by designing security solutions restricted to
non-specialized Commercial Off-the-Shelf (COTS) hardware and logically separated
non-invasive functionality. This effort minimizes interference with production systems,
and hence eases certification processes.
1.3 Contributions
In this dissertation, we make the following four contributions with respect to attacks
on satellite-based navigation systems: (i) We investigate how technical advancements
have impacted the validity of attacker models, (ii) we analyze and implement
a GPS spoofing detection system using multiple COTS receivers, (iii) we present
Crowd-GPS-Sec to detect and localize GPS spoofing attacks, and (iv) we propose a
verification scheme for ADS-B aircraft reports. Figure 1.1 depicts the scopes of the
three main technical contributions (ii - iv) and puts them into relation.
(i) Technical Advancements and Validity of Attacker Models
The progressive technical advancements of adversaries led to the observation that
the currently prevalent attacker models need to be considered outdated. The results
have been presented at the 10th ACM Conference on Security and Privacy in Wireless
and Mobile Networks (WiSec ’17) in Opinion: Advancing Attacker Models
of Satellite-based Localization Systems—The Case of Multi-device Attackers.
The paper further approaches the deployment of multi-antenna attacks.
(ii) Multi-Receiver GPS Spoofing Detection
Based on the insight that today’s security solutions must resist more advanced attackers,
we developed a multi-receiver GPS spoofing detection scheme. We elaborate
on the underlying error models and propose possible realizations in Multi-Receiver
GPS Spoofing Detection: Error Models and Realization published
in 32nd Annual Computer Security Applications Conference (ACSAC ’16).
Moreover, the countermeasure can be proven secure against multi-antenna attacks.
(iii) Crowdsourced GPS Spoofing Detection and Spoofer Localization
Going one step further, we tackle the problem of localizing the signal source when
successfully detecting ongoing spoofing attacks. We propose Crowd-GPS-Sec as a
scheme to detect spoofing attacks and localize spoofers by utilizing GPS-inferred
ADS-B aircraft reports. The system has been presented at the 39th IEEE Symposium
on Security and Privacy (SP ’18) in Crowd-GPS-Sec: Leveraging Crowdsourcing
to Detect and Localize GPS Spoofing Attacks. The evaluations are
based on real-world flight data provided by the OpenSky Network, and the system
could be implemented today without modifications on the existing infrastructure.
The paper received the 1st Place Cyber Award 2017 for outstanding research contribution
from armasuisse.
(iv) Crowdsourced Verification of ADS-B Aircraft Reports
Similar to the need for lightweight countermeasures to harden GNSS-dependent
systems, air traffic surveillance based on ADS-B has been proven vulnerable to
spoofing attacks and also puts strong requirements on security solutions. We design
a verification scheme to assess the trustworthiness of sensed ADS-B reports. We
present our results in Trust the Crowd: Wireless Witnessing for Attack
Detection in ADS-B Based Air Traffic Surveillance which is currently under
review as of writing of this dissertation.
1.4 List of Publications
The following list contains the peer-reviewed publications on which this thesis is
based. The list is in descending chronological order:
1. K. Kohls, K. Jansen, D. Rupprecht, T. Holz, and C. Pöpper, “On the Challenges
of Geographical Avoidance for Tor,” in Network and Distributed System
Security Symposium (NDSS ’19). San Diego, CA, USA: Internet Society,
Feb. 2019.
2. K. Jansen, M. Schäfer, D. Moser, V. Lenders, C. Pöpper, and J. Schmitt,
“Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS
Spoofing Attacks,” in IEEE Symposium on Security and Privacy (SP ’18).
San Francisco, CA, USA: IEEE, May 2018, pp. 1018–1031.
3. K. Jansen and C. Pöpper, “Opinion: Advancing Attacker Models of Satellite-based
Localization Systems—The Case of Multi-device Attackers,” in ACM
Conference on Security and Privacy in Wireless and Mobile Networks
(WiSec ’17). Boston, MA, USA: ACM, Jul. 2017, pp. 156–159.
4. K. Jansen, M. Schäfer, V. Lenders, C. Pöpper, and J. Schmitt, “POSTER:
Localization of Spoofing Devices using a Large-scale Air Traffic Surveillance
System,” in ACM Asia Conference on Computer and Communications Security
(ASIACCS ’17). Abu Dhabi, United Arab Emirates: ACM, Apr. 2017,
pp. 914–916.
5. K. Jansen, N. O. Tippenhauer, and C. Pöpper, “Multi-Receiver GPS Spoofing
Detection: Error Models and Realization,” in Annual Computer Security Applications
Conference (ACSAC ’16). Los Angeles, CA, USA: ACM, Dec. 2016,
pp. 237–250.
6. D. Rupprecht, K. Jansen, and C. Pöpper, “Putting LTE Security Functions
to the Test: A Framework to Evaluate Implementation Correctness,”
in USENIX Workshop on Offensive Technologies (WOOT ’16). Austin, TX,
USA: USENIX, Aug. 2016.
7. K. Jansen, “GPS Security,” in 10th Joint Workshop of the German Research
Training Groups in Computer Science. Dagstuhl, Germany: Universitätsverlag
Chemnitz, May 2016, p. 105.
Additionally, the following works are in submission or already under review:
8. K. Jansen, W. Seymour, C. Pöpper, and I. Martinovic, “Trust the Crowd:
Wireless Witnessing for Attack Detection in ADS-B Based Air Traffic Surveillance,”
under review.
9. K. Jansen, D. Rupprecht, D. Yu, and C. Pöpper, “This is my Jam! DSSS
Jamming with Partially Disclosed Knowledge,” in submission.
1.5 Overview and Structure
The remainder of this dissertation is structured as follows:
• Chapter 2 provides the technical background on GNSSs with a focus on
how receivers calculate their positions while simultaneously processing multiple
satellite signals. Moreover, we introduce the basics of aircraft broadcast
signals.
• Chapter 3 investigates attacks on satellite-based navigation systems. In particular,
we scrutinize prevalent attacker models and expose them to be insufficient
in consideration of recent advancements both in hardware and software
tools.
• Chapter 4 proposes a GPS spoofing detection system using multiple receivers.
We demonstrate how a deployment of four standard receivers in a predefined
formation reliably distinguishes between normal operation and spoofing attacks,
even in the presence of powerful multi-antenna attackers.
• Chapter 5 explores means of detecting and localizing GPS spoofing attacks
only utilizing aircraft broadcasts containing attacker-influenced information.
Further, we implement an independent aircraft localization scheme, two different
spoofing detection tests, and a spoofer localization estimation based on
data collected by a distributed sensor network.
• Chapter 6 addresses the lack of means for trust assessment of ADS-B aircraft
reports. We propose a verification scheme based on geographically distributed
sensors and Machine Learning (ML) techniques. In addition, we show that we
can also distinguish between several prominent attack vectors.
• Chapter 7 concludes this dissertation by summarizing key results and providing
directions for future work.
Any sufficiently advanced technology is indistinguishable
from magic.
— Arthur C. Clarke
2 Preliminaries
Contents
2.1 Introduction
2.2 Global Navigation Satellite Systems
2.2.1 GPS Signal Transmission
2.2.2 GPS Signal Reception
2.2.3 GPS Positioning and Time Solution
2.2.4 GPS Error Sources
2.2.5 Application Areas
2.3 Aircraft Broadcast Signals
2.1 Introduction
In order to make the technical contributions of this dissertation more comprehensible,
we introduce the necessary background on the functionality of Global Navigation
Satellite Systems (GNSSs). We detail signal acquisition, the measurement of observables,
and how one’s position is estimated. Further, we provide a breakdown of the
error sources with regard to localization accuracy and mention typical application
areas. Subsequently, we give a basic overview of air traffic communication.
2.2 Global Navigation Satellite Systems
The launch of Sputnik characterized the start of the Space Age in late 1957. This
event triggered the promotion of space technology including space exploration and
satellite technology. In the following years, the idea of tracking satellites based on
distance measurements with receivers on Earth became conceivable [22]. Initially expedited
by military interests for strategic reconnaissance and secure communication,
the first Navigation System with Timing and Ranging (NAVSTAR) test satellites
were launched in 1974. The system that is known as the Global Positioning System
(GPS) reached a fully operational status with a total of 24 satellites orbiting the
Earth in 1993.
The breakthrough and commercial success of GPS started with the shutdown of
Selective Availability (SA) on May 2, 2000. Once implemented to degrade the service
for military adversaries, its discontinuation improved the achievable localization
accuracy to a few meters [130]. Apart from GPS operated by the United States,
the Russian Global Navigation Satellite System (GLONASS), the European Galileo,
and the Chinese Beidou are notable satellite-based navigation systems providing
worldwide service. In the remainder of this dissertation, we specifically refer to GPS
as the most prominent instance. However, the developed solutions can likewise be
applied to other GNSSs.
2.2.1 GPS Signal Transmission
GPS provides two different types of signals: (i) public signals that can be received by
everyone with suitable equipment, and (ii) military signals protected by (at least)
secret spreading codes. While we consider civilian signals throughout this work,
the acquired results may also be adapted to other signals. In the original design,
civilian GPS signals use the L1 frequency band operated at 1575.42 MHz, and the
military signals are additionally transmitted on the L2 frequency band operated
at 1227.60 MHz. Since several satellites share the same frequency band, they use
different ranging codes identified by a unique Pseudorandom Noise (PRN) number
to apply Code Division Multiple Access (CDMA). These codes are referred to as
Coarse/Acquisition (C/A) codes and are highly orthogonal to each other.
Figure 2.1: Multiple satellites (S1 to S4) located in medium Earth orbit broadcast GPS signals which in turn are processed by ground-based receivers.
In addition, civilian GPS signals carry a low bit rate navigation message. This
message contains, among other data, information on satellite clock correction
parameters, the ephemeris data representing a satellite’s position in space, ionospheric
model parameters for error correction, and almanac data mapping the constellation
of all satellites. The navigation message and the C/A code are modulated on the
L1 carrier signal. As a result, each satellite broadcasts a different signal depending
on its PRN code. The transmission is directed at the Earth, and the signals travel
an approximate distance of 20,200 km from medium Earth orbit to the Earth’s surface,
where they arrive with very low signal power below the noise level. Figure 2.1
depicts the general situation.
2.2.2 GPS Signal Reception
On the receiver side, a GPS antenna receives all satellite signals as a superimposed
signal that needs to be amplified to raise the signal power above the noise level and
filtered to suppress other frequency components. When demodulated, each satellite
signal must be acquired separately. Signal acquisition is the step of identifying the
signal in the mix. In particular, the acquisition is a two-dimensional search in the
code-phase to align with the C/A code chips and the frequency space to detect
frequency variations due to the Doppler effect. To this end, the receiver creates
multiple local replicas of the signal and correlates them against the received signal.
A high correlation yields matching parameters and the receiver can now keep track
of the signals.
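The code-phase half of this search can be shown in a few lines. The following Python example is an addition to the text, not code from the dissertation: it generates the C/A codes of PRN 1 and PRN 2 from the two public 10-stage shift registers, superimposes both signals with noise stronger than either signal, and recovers each code phase by correlating against a local replica. The delays, the noise level and all function names are constructed for the example, and the Doppler dimension is left out.

```python
import random

CODE_LEN = 1023
# G2 phase-selector stages of the public C/A code definition for PRN 1 and PRN 2.
G2_TAPS = {1: (2, 6), 2: (3, 7)}

def ca_code(prn):
    """Return the 1023-chip C/A code of `prn` as a list of 0/1 chips."""
    s1, s2 = G2_TAPS[prn]
    g1 = [1] * 10  # register G1, stages 1..10, initialised to all ones
    g2 = [1] * 10  # register G2, stages 1..10, initialised to all ones
    chips = []
    for _ in range(CODE_LEN):
        chips.append(g1[9] ^ g2[s1 - 1] ^ g2[s2 - 1])
        fb1 = g1[2] ^ g1[9]                                  # 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
        g1 = [fb1] + g1[:9]
        g2 = [fb2] + g2[:9]
    return chips

def bipolar(chips):
    """Map chips 0/1 to signal levels +1/-1."""
    return [1 - 2 * c for c in chips]

def delayed(code, delay):
    """Circularly delay one code period by `delay` chips."""
    delay %= len(code)
    return code[-delay:] + code[:-delay] if delay else list(code)

def correlate(received, replica):
    """Circular correlation of `received` with `replica` for every code phase."""
    doubled = received + received
    n = len(replica)
    return [sum(a * b for a, b in zip(doubled[lag:lag + n], replica))
            for lag in range(n)]

def acquire(received, prn):
    """Return (code_phase, peak) of the best match for the replica of `prn`."""
    corr = correlate(received, bipolar(ca_code(prn)))
    phase = max(range(len(corr)), key=lambda lag: corr[lag])
    return phase, corr[phase]

# Constructed scenario: two satellites on the same frequency, each with its own
# code phase, plus Gaussian noise with twice the amplitude of a single signal.
_rng = random.Random(1)
RX = [a + b + _rng.gauss(0.0, 2.0)
      for a, b in zip(delayed(bipolar(ca_code(1)), 200),
                      delayed(bipolar(ca_code(2)), 731))]

if __name__ == "__main__":
    for prn in (1, 2):
        print("PRN", prn, "acquired at (phase, peak):", acquire(RX, prn))
```

The correlation peak of the matching replica stands well above the values at all other code phases, which is what lets the receiver separate satellites that share the L1 band.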
The constant tracking of a GPS signal allows identifying the start of the embedded
navigation message. In consideration of the satellite’s ephemeris data, the frame
start time, and the local receiver time, the transit time from the satellite to the
receiver can be calculated. This time is put into relation with the speed of light to
obtain a pseudorange. A pseudorange represents the calculated distance from the
receiver to the tracked satellite, potentially affected by a local clock offset. Based
on multiple pseudoranges to different satellites, we are now able to calculate the
receiver’s position and the time solution to synchronize to the global GPS time. For
a more detailed overview of GPS signal generation, transmission, and reception, we
refer to the respective literature [39, 79, 114, 129].
2.2.3 GPS Positioning and Time Solution
Conceptionally, the positioning estimation and time synchronization is based on the
Time of Arrivals (ToAs) of four or more satellite signals. Each pseudorange ρSito
satellite Si can be represented as:
ρSi=
√
(xSi− xR)2 + (ySi
− yR)2 + (zSi− zR)2 +∆R · c, (2.1)
where xSi, xR, ySi
, yR, zSi, zR are the three-dimensional coordinates of the satellite
and the receiver, respectively. The local clock offset is denoted with ∆R and c
is the speed of light. This equation contains four unknown parameters, namely
the receiver position and the local clock offset. In consideration of four or more
equations, a receiver can numerically approximate a solution for the four unknown
values using a least squares error optimization process.
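The least squares solution of Equation (2.1) can be sketched as a Gauss-Newton iteration. This is an added example, not code from the dissertation; the satellite and receiver coordinates, the clock offset, and all function names are constructed for illustration. It goes beyond the four-satellite minimum by using six pseudoranges, so that the post-fit residual shows whether the measurements are mutually consistent.

```python
import math

C = 299_792_458.0  # speed of light c [m/s]

# Constructed sample data (not from the dissertation): ECEF coordinates in metres.
RECEIVER = (3.9e6, 0.5e6, 5.0e6)   # a point near the Earth's surface
CLOCK_OFFSET = 2.5e-4              # local clock offset Δ_R [s]
SATELLITES = [
    (15.6e6, 2.0e6, 21.4e6), (22.0e6, 13.0e6, 7.5e6), (10.0e6, -16.0e6, 18.7e6),
    (-2.0e6, 12.0e6, 23.6e6), (24.0e6, -8.0e6, 8.0e6), (5.0e6, 20.0e6, 16.7e6),
]


def pseudorange(sat, rx, clock_offset):
    """Equation (2.1): geometric distance plus Δ_R · c."""
    return math.dist(sat, rx) + clock_offset * C


def solve_linear(a, b):
    """Solve the small system a·x = b by Gaussian elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= factor * m[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(m[i][k] * x[k] for k in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def solve_position(sats, rhos, iterations=10):
    """Gauss-Newton least squares for (x_R, y_R, z_R, Δ_R).

    Returns (position [m], clock offset [s], RMS post-fit residual [m]).
    """
    if len(sats) < 4 or len(sats) != len(rhos):
        raise ValueError("need one pseudorange for each of at least four satellites")
    pos, bias = [0.0, 0.0, 0.0], 0.0   # start at Earth's centre; bias = Δ_R · c
    for _ in range(iterations):
        jac, res = [], []
        for sat, rho in zip(sats, rhos):
            d = math.dist(sat, pos)
            jac.append([(pos[i] - sat[i]) / d for i in range(3)] + [1.0])
            res.append(rho - (d + bias))
        # Normal equations (JᵀJ)·δ = Jᵀ·r of the linearised problem.
        jtj = [[sum(r[i] * r[j] for r in jac) for j in range(4)] for i in range(4)]
        jtr = [sum(r[i] * e for r, e in zip(jac, res)) for i in range(4)]
        step = solve_linear(jtj, jtr)
        pos = [p + s for p, s in zip(pos, step[:3])]
        bias += step[3]
    final = [rho - (math.dist(sat, pos) + bias) for sat, rho in zip(sats, rhos)]
    rms = math.sqrt(sum(e * e for e in final) / len(final))
    return tuple(pos), bias / C, rms


def demo():
    """Solve three constructed cases; each result is
    (position error [m], estimated Δ_R [s], RMS post-fit residual [m])."""
    clean = [pseudorange(s, RECEIVER, CLOCK_OFFSET) for s in SATELLITES]
    delay = 1e-3 * C   # 1 ms of timing error expressed as range, about 300 km
    cases = {
        "consistent": clean,
        # The same delay on every signal is indistinguishable from a clock offset.
        "common_delay": [rho + delay for rho in clean],
        # A delay on one signal only contradicts the other five pseudoranges.
        "single_delay": [rho + (delay if i == 4 else 0.0)
                         for i, rho in enumerate(clean)],
    }
    results = {}
    for name, rhos in cases.items():
        pos, dt, rms = solve_position(SATELLITES, rhos)
        results[name] = (math.dist(pos, RECEIVER), dt, rms)
    return results


if __name__ == "__main__":
    for name, (err, dt, rms) in demo().items():
        print(f"{name:13s} error={err:12.3f} m  Δ_R={dt:.6e} s  rms={rms:12.3f} m")
```

With exactly four satellites the system is exactly determined and the fit leaves no residual to inspect, so this consistency check needs at least five pseudoranges.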
In essence, the receiver is located at positions that have a distance to the tracked
satellite according to the calculated pseudorange. As a geometric interpretation, a
sphere around the satellite with the pseudorange as radius marks all possible po-
sitions. Without further information on, e. g., the direction of the transmission, a
specific solution cannot be determined with a single pseudorange. By considering
four or more satellites, the spheres intersect each other and narrow down possible
locations. Figure 2.2 depicts this trilateration procedure. It is applicable when
multiple reference measurements are available, similar to server localization on the
Internet by distributed response time measurements [58]. Specific to GPS, the calculated
ranges suffer under different error sources, which prevent a distinct solution.
Figure 2.2: Individual distances to multiple reference points such as satellites allow the positioning of receivers via trilateration.
2.2.4 GPS Error Sources
As GPS errors take a critical role for applications requiring a high positioning ac-
curacy, we discuss them in more detail. The standard GPS localization accuracy
is sufficient to estimate a position with an error of only a few meters. On closer
inspection, the error budget can be split up into different error sources. Due to the
signal generation in space and a travel distance of more than 20,000 km, the channel
from the satellites to the user is comparably unstable. We categorize the various
error sources into three groups: satellite, propagation medium, and receiver errors
(see Table 2.1).
Satellite Errors. Errors can arise from the satellite itself concerning clock bi-
ases and orbital drifts. For error mitigation, each satellite periodically embeds an
estimation of the error characteristics in the adjustable ephemeris data.
Signal Propagation Errors. Environmental effects such as ionospheric or tro-
pospheric refractions are dependent on the physical conditions on the propagation
path. When GPS signals reach the Earth’s surface, they are potentially reflected
at obstacles leading to multipath effects that further decrease the Signal-to-Noise
Ratio (SNR).
Receiver Errors. In addition to normal receiver noise (e. g., thermal noise in
components), the receiver can suffer under clock biases and center phase variations.
Table 2.1: GPS L1 C/A Error Sources and UERE [39,79]

                                     1σ Error [m]
Type        Error Source         Bias    Random    Total
Satellite   Ephemerides data     2.1     0.0       2.1
Satellite   Satellite clock      2.0     0.7       2.1
Channel     Ionosphere           4.0     0.5       4.0
Channel     Troposphere          0.5     0.5       0.7
Channel     Multipath            1.0     1.0       1.4
Receiver    Measurement          0.5     0.2       0.5
UERE                             5.1     1.4       5.3

The combined error of all presented sources is summarized in the User Equivalent
Range Error (UERE). A quantifying analysis is conducted by Parkinson et al. [79].
The results in terms of bias, random, and total errors are given in Table 2.1. The
given values are based on a 1σ-probability level relating to the deviation in meters.
By applying suitable filtering to the random component of the error, the UERE can
be reduced from 5.3 m down to 5.1 m [79]. These errors represent guarantees, and
the experienced error is often far below that benchmark. An annual report analyzes
the current standing of GPS performance and measured an average 95th percentile
error of 1.28 m for the year 2016 [99]. To be clear, the UERE is not the localization
accuracy. The achievable localization accuracy further depends on a combination of
satellite geometry, signal blockage, and the quality of the receiver design.
2.2.5 Application Areas
The free and open nature of GPS has driven the development of countless appli-
cations that use GPS as a source of location and time information. The uncondi-
tional, worldwide availability of GPS is perceived as a given fact. Hence, GPS is
omnipresent and an essential building block to enable further designated services. As
a result, GPS is not just another navigation system but is essential for most critical
infrastructure sectors. Specifically, GPS is used in the chemical, communications,
critical manufacturing, defense, emergency services, energy, financial services, food
and agriculture, information technology, nuclear, and the transportation systems
sector [61,131].
The total economic benefit of GPS can hardly be estimated. Only a few reports
exist that assess the economic value of GPS. For instance, the direct benefits for
the industry in the United States are estimated to range from $37.1 to $74.5 billion
for 2013 and is expected to have increased significantly since then [61]. However,
the indirect benefits cannot be put into numbers as GPS is inseparable from the
implementing applications. As a noteworthy example, the Federal Aviation Admin-
istration (FAA) predicted at least $200 million in efficiency benefits in 2011, without
factoring in the enormous improvements in aviation safety and the protection of hu-
man lives [61].
2.3 Aircraft Broadcast Signals
In aviation, satellite-based navigation systems are an important support for nav-
igation and autopilot applications. Notably, GPS is used in all phases of flight
including departure, waypoint-based route planning, airport approach, and even
navigation on the airport surface. Moreover, modern air traffic surveillance consid-
ers Automatic Dependent Surveillance-Broadcast (ADS-B) aircraft status reports
which embed GPS-derived positioning information. Digitally-aided monitoring of
airspaces is a key technology to assure safety and mandatory separation regulations
in increasingly dense flight spaces. By 2020, the implementation of ADS-B will be
mandatory for aircraft to access most of the world’s airspace [132].
In particular, ADS-B is a protocol that, in its basic form, defines two services. On
the one hand, ADS-B Out is a broadcast signal transmitted by aircraft transponders.
On the other hand, ADS-B In is the receiver part and allows the interpretation of
ADS-B messages. In the remainder of this dissertation, we use ADS-B when refer-
ring to ADS-B Out. These broadcasts are periodic aircraft status reports containing
an identification, information on speed, track, and acceleration, a GPS-derived po-
sition along with additional status information. ADS-B operates on a frequency of
1090 MHz, and the signals can be received by ground-based sensors as illustrated
in Figure 2.3. Based on empirical measurements, the signals are received over a
distance up to 700 km [110].
The open specification of ADS-B promotes the free collection and usage of aircraft
reports. Simple, Commercial Off-the-Shelf (COTS) receivers can sense and decode
ADS-B messages to gain a real-time view of the close-by airspace. Even though the
message loss can reach up to 75% at individual sensors, the collaboration of sensors
can compensate for missed reports and simultaneously increase the covered air traffic. A
network of widely-distributed sensors is thus able to visualize large portions of the
world’s air traffic. One such network is the OpenSky Network [74,107–110,120] with
over 850 sensors that also makes the collected data available for research.
Figure 2.3: Aircraft periodically transmit ADS-B status reports that can be sensed by receivers on the ground.
Similar periodic broadcast signals exist in other domains, e. g., for marine traffic.
In particular, vessels are mandated to use Automatic Identification System (AIS) to
inform others about their presence. In the same way, vessels are equipped with GPS
receivers and embed the derived positioning information in AIS status reports. From
a security point of view, both ADS-B and AIS lack fundamental security practices
making them vulnerable to various attack vectors.
You want weapons? We’re in a library! Books! Best
weapons in the world! This room’s the greatest ar-
senal we could have. Arm yourself!
— The Doctor
3 Attacks on Satellite-Based Navigation Systems
Contents
3.1 Introduction
3.2 Attack Classification
3.2.1 Jamming Attacks
3.2.2 Spoofing Attacks
3.3 Advancing Attacker Models
3.3.1 Attack Advancements
3.3.2 Multi-Antenna Attacker
3.3.3 Related Work and Impact
3.4 Summary
3.1 Introduction
While the integrity of the service provided by Global Navigation Satellite Systems
(GNSSs) is crucial for applications that depend on accurate positioning or timing
information, the civilian signals of Global Positioning System (GPS) are neither
encrypted nor authenticated. As a consequence, GPS has been shown to be vulner-
able to attacks with the goal of disrupting the service or injecting deliberate false
information. We differentiate between jamming attacks and spoofing attacks and
point out how these attacks affect targeted victims. We specifically analyze the
progression of attack requirements and demonstrate that the currently considered
attacker models need to be taken one step further.
3.2 Attack Classification
Attacks on satellite-based navigation systems can be classified into two categories,
namely (i) jamming attacks and (ii) spoofing attacks. While both are active attacks
on the signal level, they serve different purposes. The following attack classification
is based on the communications jamming taxonomy by Lichtman et al. [62].
3.2.1 Jamming Attacks
Since GPS signals reach the Earth’s surface at a very low signal power—even below
the noise level, they need to be filtered and amplified significantly. Hence, they
are susceptible to even slight sources of disturbance. We distinguish between unin-
tentional interference, which we do not consider here, and deliberate jamming. In
jamming attacks, an attacker transmits a signal with the purpose of disrupting the
communication. This can be achieved, e. g., via high-power noise-like signals to raise
the noise floor to prevent any useful decoding. Due to the low signal power of GPS
signals, a jammer can easily exceed such power levels. As a result, a receiver cannot
track the authentic satellite signals, and any localization or time-synchronization
service is blocked.
Although strictly illegal in the United States, a wide range of Commercial Off-
the-Shelf (COTS) GPS jamming devices are available for purchase on the Internet.
One such device caused a significant outage of a GPS assisted augmentation system
at Newark Liberty International Airport [27] in 2012. It was later identified to be a
“personal privacy device” intended to block the GPS-based vehicle tracking system.
The jamming of GPS signals can also be used as a tool to deny the service in a
targeted manner, for instance, GPS jamming directed at Norwegian airspace [75]
denied GPS reception for aircraft. However, due to the usual increase in the signal
power, jamming attacks can be detected by analyzing the Received Signal Strength
(RSS) and can even be localized [81] by considering the Angle of Arrival (AoA).
3.2.2 Spoofing Attacks
In contrast to jamming attacks, a spoofing attack tries to mimic authentic signals,
i. e., a GPS spoofing attack emulates satellite signals. With full control over the
transmitted signals, an arbitrary constellation with respect to the Time Difference
of Arrival (TDoA) can be generated. The requirements are elaborated by Tippenhauer
et al. [128]. A receiver processes such signals and calculates its position and
synchronizes its internal clock accordingly. This constitutes a higher-layer attack
with the purpose of injecting false attacker-controlled information. The detection
of spoofing attacks can be troublesome depending on how signals are disguised. A
classification of different spoofing techniques is provided by van der Merwe et al. [67].
In the remainder of this dissertation, we consider spoofing attacks that inject false
positioning information.
Successful spoofing attacks on GPS-dependent systems can directly interfere with
the Position, Velocity and Time (PVT) solution. Their applicability has been
demonstrated targeting COTS receivers [43], Unmanned Aerial Vehicles (UAVs) [57],
and even modern ships [9]. Apart from academic research, spoofing attacks can be
observed in the real world as well. For instance, spoofing is used as a defense against
GPS-controlled UAVs around the Kremlin in Russia [73, 100, 113] or impairs the
navigation of ships in the Black Sea [13, 30, 31, 53, 64]. These works and incidents
have highlighted the threat of GPS spoofing and identified the lack of suitable coun-
termeasures. To counter this threat, our objective is the design of effective, ready-
to-use countermeasures.
3.3 Advancing Attacker Models
Generally speaking, distance-based localization systems are challenging to protect
and are usually prone to spoofing attacks, e. g., fake GPS signals can be specifically
generated to confuse the localization procedure of a targeted receiver to inject false
position or time information. When the first affordable GPS spoofing systems be-
came available, the research community was compelled to react to this new threat.
The proposed countermeasures were designed to defend against attackers that use
one spoofing system to generate a mixture of false signals transmitted over a single
antenna (see Figure 3.1). This constraint stands in contrast to the normal operation
scenario, where each signal is emitted by a different satellite located at distributed
positions (compare Figure 2.1).
Figure 3.1: An attacker with a single antenna needs to transmit a signal mixture of multiple satellite signals, which determines the TDoA at the receiver.
The proposed countermeasures against these attackers are mainly based on signal
characteristics that cannot be correctly emulated by single-antenna systems such
as geometric features [49, 94, 95, 125–127], signal correlations [12, 37, 60, 88], relative
carrier phases [14,63,68,90], Doppler effects [106], or signal arrival times [105]. The
common assumption is that an attacker can only utilize single-antenna spoofing
systems and that using multiple devices is deemed too complex or too expensive.
With regard to technical advancements and significant cost reductions to deploy
several spoofing devices simultaneously, these assumptions need to be considered
outdated. However, today’s security solutions are still based on the single-antenna
attacker model and neglect the fact that the multi-device attacker has become a
reality [69]. As a result, systems with this outdated attacker model need to be
considered potentially insecure.
As an exemplary case, a multi-device attacker may successfully attack systems
based on distributed sensor infrastructures such as two proposals to secure air traf-
fic from Schäfer et al. [105, 106]. While the former system is based on unspoofable
time offsets [105], the latter builds on the integrity of Doppler shifts [106]. Nev-
ertheless, a multi-device attacker can adjust both properties at different locations
accordingly, e. g., to inject fake aircraft remaining undetectable by the respective
system. Furthermore, anti-spoofing systems based on signal characteristics such as
the AoA [60] or spatial correlation [12] may be circumvented by deploying multiple
antennas transmitting from different directions. Such systems could also emulate
realistic multipath propagation.
3.3.1 Attack Advancements
The GPS spoofing threat was first brought to the wider attention of the public by
the Volpe report [52] in 2001. The report states that malicious parties could be able
to deploy attacks against systems relying on GPS concerning the system’s inherent
lack of confidentiality and authentication. The spoofing threat became a reality
in 2008 when Humphreys et al. [43] presented a custom-built, portable GPS spoofer
to generate false satellite signals with which they demonstrated the vulnerability of
GPS-dependent systems to spoofing attacks.
In the meantime, GPS satellite simulators—mainly designed for developing and
testing purposes—dropped significantly in cost from approx. $100,000 [60] to a few
thousand dollars. These devices can be turned into spoofing systems, limited only by
the accompanying software tools. Eventually, at DEFCON 2015, a Software Defined
Radio (SDR) GPS spoofer was presented [76] that is fully customizable and only
requires off-the-shelf SDRs such as a HackRF [26] or a Universal Software Radio
Peripheral (USRP) [23, 24], which lowers the costs for a single spoofing system to
a few hundred dollars. Several systems of this type can be utilized to transmit
different signals realizing a multi-antenna attacker with COTS hardware.
As a result, we conclude that, during the last decade, the cost and complexity
to build a GPS spoofing system lowered significantly. While the threat of facing
a multi-antenna attacker could be considered minimal ten years ago, nowadays we
need to factor the deployment of such an attacker into our attacker models as it has
become well feasible, thus changing our security assumptions and raising the risk for
applications relying on GPS for safety- or security-critical decisions and processes.
3.3.2 Multi-Antenna Attacker
The multi-antenna attacker utilizes (at least) four antennas each sending out a
different satellite signal. These signals arrive at the receivers as individual signals
with specific attacker-chosen time offsets. If chosen appropriately, the signals can be
resolved to a position that is determined by the actual satellite positions included
in the ephemeris data and the corresponding Time of Arrival (ToA). With one
satellite signal per antenna, the attacker can adjust the ToAs by repositioning the
corresponding antenna or inducing signal delays. Note that this is different from
the standard attacker setup, where a mixture of satellite signals is emitted from the
same source [12, 14, 43, 49, 60, 68, 90, 94–96, 128]. We want to stress that such an
attacker was only theoretically proposed in [128], but no practical implementations
are known.
Implementation of a Multi-Antenna Attacker
To illustrate advancements in attacker capabilities, we deploy a simple yet effective
setup to generate multiple separated spoofing signals (see Figure 3.2). The implementation
of a multi-antenna attacker allows us to be more flexible and to attack
systems that assume an attacker cannot leverage this many degrees of freedom.
Figure 3.2: An experimental multi-antenna attacker setup consisting of four synchronized USRPs operated by gnuradio targeting a victim’s GPS receiver.
In particular, we deploy a setup of four USRPs N210 [24] from Ettus Research,
each transmitting a different satellite signal. These signals are generated by the
software tool gps-sdr-sim [76] for four satellites randomly selected from all visible
satellites at the spoofed position and time. All USRPs are connected via a network
switch and a standard laptop running gnuradio [29] positioned equidistantly around
the targeted receiver. A gnuradio block was designed that synchronously provides
the USRPs with the necessary precomputed data samples. The USRPs are coupled
with passive GPS antennas. The targeted GPS receiver is another USRP N210
device connected to a second laptop running gnss-sdr [28] to analyze the capability
of the multi-antenna attacker. We performed this experiment in a shielded indoor
environment to minimize potential signal leakages to the outside.
Insights
With this simple test setup, we gathered the following three insights. (i) We were
able to spoof the receiver with four spoofing devices each emitting a different satellite
signal. By placing the spoofer’s antennas equidistant to the receiver and a time
synchronization via gnuradio, we achieved a stable position lock on the spoofing
signals. (ii) The targeted receiver acquired a lock on the spoofing signals after
approx. 50 s, which is in the range of the duration of a normal warm start. (iii) The
achieved position accuracy was within an error of approx. 20 km.
Implementation Challenges
Notably, the time synchronization between the spoofing signals is a crucial require-
ment for a stable lock and eventually injecting the desired position. For instance,
a time offset of 1 ms causes an offset in the pseudorange of approx. 300 km. This
offset can lead to unstable calculations and high position errors. Despite the high
dependency on the time synchronization, we were able to achieve comparably good
accuracy with the help of error correction procedures in the targeted receiver. More-
over, all results have been gathered in a non-laboratory environment, and are ex-
pected to increase in accuracy and stability by implementing an external time pulse
reference [7].
Results
As a result, we were able to successfully spoof the targeted receiver with a setup
that uses four antennas that each emit a different satellite signal. This setup allows
us to dynamically adjust single satellite signals separately from each other. Hence,
we obtain the complete freedom of how to manipulate the target, i. e., we can change
individual pseudoranges, signal amplitudes, Doppler frequencies, AoAs, or ToAs to
emulate the desired behavior. This can either be achieved by changing the geometric
setup or delaying signals. Eventually, we can attack systems that are based on
the assumption that signals are transmitted as a mixture and cannot be changed
individually.
It is noteworthy that the costs of the deployed attacking setup are moderate
and can be further decreased by using cheaper SDRs such as a HackRF One [26],
which is expected to perform equally well. The required knowledge can also be
considered low as most software is freely available online and the gnuradio block can
be generated by automated tools. This setup implements a fully customizable multi-
antenna attacker that can be used to target present secure localization systems.
3.3.3 Related Work and Impact
While there exists a multitude of related work on how to protect localization systems,
the attacker model assumptions differ significantly. For instance, several counter-
measure proposals only consider a single-antenna attacker and state that a multi-
antenna attacker is too complex, too costly, or too impractical [12, 14, 37, 43, 45, 60,
68, 90, 94, 95, 125–127]. The presented solutions are shown to be secure against the
single-antenna attacker model, but considering a more realistic attacker, they need
to be re-evaluated. Table 3.1 contains an overview of related work on localization
systems that consider the multi-antenna attacker model and the resistance of the
proposed solutions to such attacks.

Table 3.1: Related Work Considering Multi-Antenna Attacks

Reference     Year      Multi-Antenna Attacker    Potentially    Attack
                        Deemed Too Complex        Vulnerable     Resistant
[43]          2008      ✓                         — (1)          — (1)
[68]          2009      ✓                         ✓              ✗
[60]          2010      ✓                         ✓              ✗
[14]          2010      ✓                         ✓              ✗
[128]         2011      ✗                         — (1)          ✓ (2)
[12]          2012      ✓                         ✓              ✗
[45]          2012      ✓                         ✓              ✗
[90]          2013      ✓                         ✓              ✗
[125–127]     2013/14   ✓                         ✓ (3)          ✓ (4)
[37]          2014      ✓                         ✓              ✗
[144]         2014      ✗                         ✗              ✓
[94, 95]      2015      ✓                         ✓ (3)          ✓ (4)
[117]         2015      ✗                         — (1)          — (1)
[105,106]     2015/16   ✗                         ✓              ✗
[69]          2016      ✗                         — (1)          — (1)
[96]          2016      ✗                         ✗ (5)          ✓ (5)
[49]          2016      ✗                         ✗              ✓

(1) focus on attacks rather than countermeasures
(2) provide a proof for the security of four and more receivers
(3) with three or fewer receivers
(4) with four or more receivers
(5) secure according to the authors, but we argue that using more antennas than available channels in the receiver may also circumvent this countermeasure

Moreover, countermeasure solutions assuming the outdated single-antenna at-
tacker model [12, 14, 37, 45, 60, 68, 90, 105, 106] may be deemed vulnerable against a
stronger attacker. In particular, we need to consider those works as potentially inse-
cure and to fall victim to more sophisticated attackers. On the other hand, solutions
based on multiple receivers monitoring satellite pseudoranges [94,95,125–127] can be
shown to be secure using four or more receivers according to Tippenhauer et al. [128].
As a consequence, countermeasures that were already designed with an extended
attacker model in mind exhibit better security against the multi-antenna attacker [49,
96, 144]. Notably, while Ranganathan et al. [96] state that their system is secure
against any currently known attacker, the countermeasure makes use of a limited
number of channels. Raising the number of attacking devices above the number of
channels, the countermeasure could potentially be circumvented.
Table 3.2: Selected Publications Providing Multi-Antenna Results

Domain                              Reference   Theory   Simulation   Experiment
Localization                        [43]        ✓        ✗            ✗
Localization                        [128]       ✓        ✗            ✗
Localization                        [96]        ✓        ✗            ✗
Localization                        [49]        ✓        ✗            ✗
Power Grid                          [144]       ✓        ✗            ✗
Physical Layer Key Establishment    [117]       ✓        ✓            ✓
Air Traffic Control                 [69]        ✓        ✓            ✓

Recently, the first works that specifically put the focus on a multi-device attacker
model have been published. These publications do not necessarily analyze localiza-
tion systems but evaluate the capabilities of multi-device attackers on, e. g., sensor
systems or physical-layer key exchange. For instance, Moser et al. [69] presented
insights on how to attack an air traffic control sensor system by using a multi-device
attacker. Furthermore, Steinmetzer et al. [117] outlined an attack using a multi-
antenna setup to eavesdrop on a physical-layer key exchange. This attacker can
successfully reconstruct the secret key, which was deemed impossible considering
the outdated single-antenna attacker. We want to highlight that these publications
are an exception to the standard security models as of writing of this dissertation.
Table 3.2 shows related work—not limited to localization systems—that already
consider multi-device attackers and present either theoretical, simulation, or experi-
mental results. As a summary, only a few works currently exist that analyze stronger
attacker models and the minority performed simulations or experiments.
3.4 Summary
We conclude that the majority of existing security solutions for satellite-based local-
ization systems are based on an outdated single-antenna attacker model. Our simple
yet effective multi-antenna setup demonstrates that today’s adversaries have access
to affordable and moderately complex tools to deploy multiple-device spoofing sys-
tems. These systems can be used to attack localization systems that were considered
secure in the single-antenna adversary model. Even more critical, the systems are
falsely advertised to be secure without factoring in that stronger attackers already
became a reality and may ultimately break the security.
Considering these insights, we advocate a better understanding of advancing attacker
models, i. e., the multi-antenna attacker. In general, proposals for countermeasures
should be based on the most recent advancements in attacker capabilities
and should react faster to future progressions of available tools. We want to highlight
again that the multi-device attacker—often deemed as too complex—needs to
be considered a feasible attack vector and security solutions need to be developed
accordingly.
For the future, we demand system designs that are resistant against the multi-
antenna attacker to guarantee their integrity. First works already considered stronger
adversary models, however, this is still an exception. Following this approach, we
develop our proposed GPS spoofing countermeasures with strong but realistic at-
tackers in mind.
If you think cryptography is the answer to your prob-
lem, then you don’t know what your problem is.
— Peter G. Neumann
4 Multi-Receiver GPS Spoofing Detection
Contents
4.1 Introduction
4.1.1 Problem Statement
4.1.2 Contribution
4.2 Related Work
4.3 System Model
4.4 Attacker Model
4.5 Theoretical Multi-Receiver Spoofing Detection
4.5.1 Detection Mechanism
4.5.2 Countermeasure Formation
4.5.3 Leveraging Environmental Errors
4.5.4 Error Modeling and Distribution
4.6 Experimental Evaluation of Authentic Signals
4.6.1 Experimental Setup
4.6.2 Measurement Analysis
4.6.3 Additional Measurements
4.6.4 Results
4.7 Experimental Evaluation of Spoofed Signals
4.7.1 Experimental Setup
4.7.2 Measurement Analysis
4.7.3 Additional Measurements
4.7.4 Results
4.8 Simulation of the Countermeasure
4.8.1 Simulated Parameter Sets
4.8.2 Performance Metric
4.8.3 Detection Performance
4.8.4 Results
4.9 Prototype Implementation
4.9.1 Deployment
4.9.2 Results
4.10 Discussion
4.10.1 Selection of Function f(·)
4.10.2 Multi-Antenna Attacker Resilience
4.10.3 Outlook on Future Work
4.11 Summary
4.1 Introduction
With the growing reliance on the viability of Global Navigation Satellite Systems
(GNSSs) as a ubiquitous source of location, time, and navigation information, the
systems’ protection has become a matter of great importance. The integrity of
the service is an integral component of various applications ranging from mobile
phones, navigation units, industrial control systems, financial trading platforms,
trains, ships, to ankle bracelets for criminals. Moreover, GNSS-based localization
services such as Global Positioning System (GPS) are also expected to play an impor-
tant role in the context of the upcoming Internet of Things (IoT) and Cyber-Physical
Systems (CPSs) as they often involve mobile or time-dependent components, e. g.,
for autonomous driving.
4.1.1 Problem Statement
Unfortunately, GNSSs are susceptible to spoofing attacks, in which a malicious transmitter
emits manipulated signals imitating real satellites. A spoofing attack can
cause a victim’s GNSS receiver to compute a wrong location and/or time solution.
As a result, an attacker may remotely inject fake data into security- and safety-relevant
systems. In response to this threat, increasingly sophisticated methods for
spoofing detection have been developed and analyzed to enable the real-time
identification of ongoing spoofing attacks [33, 45, 54, 87, 111, 138]. Countermeasures
can be coarsely categorized as data bit level, signal processing level, or navigation
and position solution level detection techniques [45]. These countermeasures predominantly
require custom receivers with elaborate signal processing techniques and
enhanced hardware.
Furthermore, the attacker model used in many of these countermeasures considers
single-antenna attackers that may not make use of elaborate signal processing and
mixing techniques. We argue that an attacker with, e. g., an adaptable GPS simulator,
can generate spoofing signals with arbitrary precision in data, signal, or position
solution characteristics such as the imitation of satellite constellations, transmission
power, and other physical-layer characteristics. In addition, public GPS data is not
protected by signatures, so an equipped attacker can also spoof the data content
of the navigation messages. We therefore advocate the use of a detection measure
that leverages signal properties which are impossible to spoof correctly for nearby
or terrestrial attackers.
Research Question. We state the following research question: How can we reliably
detect GPS spoofing attacks in consideration of the most powerful multi-antenna
attacker and only using Commercial Off-the-Shelf (COTS) receivers? Further, we
are interested in strong security properties and compact solutions to broaden the
applicability of our proposed countermeasure.
4.1.2 Contribution
In this work, we focus on multi(ple)-receiver GPS spoofing detection as proposed by
Tippenhauer et al. [128] and perform its first practical evaluation. The detection is
based on the location reported by two or more COTS receivers mounted in a fixed
formation. During an attack, a single-antenna attacker would spoof receivers to the
exact same position solution, which can be used to detect the attack. It has been
shown that, from a certain number of receivers onwards, even a multi-antenna
attacker cannot succeed in maintaining a fixed formation, i. e., the relative
distances, during an attack [128]. As a result, this detection technique
is in principle unspoofable as long as the attacker signals are received at all devices
(which is hard to prevent if the receivers are positioned close enough together).
A benefit of the multi-receiver detection mechanism is that it can be realized with
COTS receivers without changes to the GPS infrastructure. The performance of the
countermeasure is expected to depend on the chosen distances between the receivers,
as in practice the location is influenced by noise. Based on a rough estimation of
required distances, Tippenhauer et al. [128] suggested application settings such as
cargo ships or trucks. In follow-up theoretical investigations [37, 125–127], performance
values for distances between 10 m and 50 m were derived analytically. As a result,
the countermeasure does not seem suitable for most moving vehicles, but is only
applicable in large stationary installations. To the best of our knowledge, the multi-receiver
countermeasure has not been practically investigated and validated against
real spoofing setups.
In this work, we analyze the models used by Heng et al. [37] and Swaszek et al. [125–127]
and show that (i) adjacent GPS receivers have correlated noise on their location
estimates, (ii) previous error models overestimate the location error in the attack
case, and (iii) considering correlated errors can drastically reduce the expected false
detection rate of the countermeasure while preserving the sensitivity to attacks. As
a result, a distance of 3 m to 5 m can be expected to be sufficient (in contrast to 10 m
to 50 m) as we show by simulations and experiments (for the same performance criteria).
This broadens the number of possible application scenarios. We validate
our theoretical predictions using a prototype implementation with several receivers
and a GPS satellite signal generator as spoofer, and we provide in-depth insights on
parameters and setups for a reliable operation of the countermeasure.
Our investigations and results demonstrate the applicability of the countermeasure
and will help users and engineers to set it up accordingly. The countermeasure may
be used in static setups, e. g., in factories to prevent time spoofing, as well as in
mobile settings, e. g., on vehicles such as trucks or airplanes to prevent location and
navigation spoofing. As an extension, we also envisage its use for highly mobile
setups such as drone formations. The evaluation framework can serve as a baseline
for further investigations.
Summary. In summary, our work contains the following contributions:
• We extend previous theoretical work on multi-receiver spoofing countermeasures
by modeling distance-related errors with the goal to differentiate between
error distributions during normal operation and under attack.
• We experimentally provide estimates of practical localization noise in normal
operation as well as in spoofing scenarios showing that the noise is spatially
correlated.
• We leverage these insights to show that the multi-receiver spoofing countermeasures
can be used reliably in formations which are almost an order of
magnitude smaller than previously proposed (area of formation).
• We experimentally demonstrate that our countermeasure prototype can reliably
detect real spoofing signals utilizing four receivers at a mutual distance
of 5 m.
The contributions of this work resulted from a collaboration with Nils Ole Tippenhauer
and Christina Pöpper.
4.2 Related Work
The vulnerability of GPS-dependent infrastructures to malicious disruption by GPS
spoofing attacks was assessed by the Volpe report [52]. The first experimental work
on the topic of GPS spoofing was published by Warner et al. [135, 136]. The authors
demonstrated that spoofing attacks were feasible using a GPS satellite simulator.
They proposed countermeasures mostly based on signal strength differences
for spoofed signals.
On the basis of these initial insights, a rich set of related work on GPS spoofing
attacks has emerged. For instance, Humphreys et al. [43] constructed a spoofer that
uses legitimate GPS signals to obtain correct GPS data, and then re-transmits signals
with selectively applied time offsets, causing a victim’s receiver to compute a
wrong location. Kerns et al. [57] conducted a practical attack against on-board GPS
receivers in unmanned aerial vehicles. Attacks targeting the software of receivers are
pointed out by Nighswander et al. [72]. Other recent works consider GPS spoofing
attacks on the time and phase synchronization in smart power grids [2, 51, 116, 144].
In particular, Yu et al. [144] propose to use multiple static GPS receivers to determine
the time of arrival of spoofed signals at different locations. The requirements
for successful spoofing attacks are elaborated by Tippenhauer et al. [128].
On the other hand, diverse countermeasures against spoofing attacks have been
proposed. One class of countermeasures is based on physical-layer signal characteristics
(e. g., Angle of Arrival (AoA), signal power, etc.). Different approaches are
compared by Papadimitratos and Jovanovic [77, 78]. Montgomery et al. [68] developed
a technique for detecting spoofing attacks by differentiating phase shifts between
two antennas. Several signal quality monitoring techniques are proposed by Ledvina
et al. [60], Cavaleri et al. [14], and Wesson et al. [141]. While Akos [3] detects
spoofing signals based on the receiver’s automatic gain control, Psiaki et al. [88]
additionally compare correlations of military GPS signals. This countermeasure required
a custom two-antenna receiver setup [43]. A receiver that performs auxiliary
peak tracking to detect spoofing signals is developed by Ranganathan et al. [96].
A different branch of research pursues the implementation of authentication mechanisms
to secure GPS signals. Scott [112] proposed changes to the GPS signals
to introduce data-level authentication based on a public key infrastructure. Another
authentication scheme based on short-term information hiding was proposed
by Kuhn [59]. To increase jamming resistance, Pöpper et al. [84] propose changes
in the modulation scheme without requiring pre-shared keys. Hein et al. [35, 36]
and Wesson et al. [140] pursue practical civilian GPS signal authentication. Later,
Humphreys [41] defined detection strategies for attacks on cryptographically-secured
GPS signals.
Other countermeasure proposals are designed with customized antenna setups.
For instance, the spatial correlations of authentic and spoofing signals under random
antenna movements are analyzed by Broumandan et al. [12] and Psiaki et al. [90].
While Daneshmand et al. [20] analyze similar signal signatures with a multi-antenna
array, Psiaki et al. [89] and Magiera and Katulski [63] compare the phase of the carrier
signal between separated antennas. Moreover, Baker and Martinovic [5] propose to
compare the Time Difference of Arrivals (TDoAs) at a mobile node with a fixed
reference. In contrast to these detection schemes focusing on physical-layer characteristics,
we focus on the navigation message information itself. In other words,
instead of using pseudoranges [94, 95] we use the position solution for our countermeasure,
which is easy to obtain, process, and store on a high abstraction level.
Countermeasures based on multi-receiver architectures have been analyzed theoretically
[37, 125–127]. Heng et al. [37] derived performance values for mutual
distances of 20 m achieving a false rejection rate of less than 0.1 and a false detection
rate of 0.01 (location noise σ = 5 m). Therefore, the countermeasure seems
hardly applicable to most moving vehicles, but instead only suited toward large stationary
installations. Swaszek et al. theoretically investigated the countermeasure
using statistical models [125, 127] extended by bias in the two-dimensional noise distribution
of the localization result [126]. For a four-receiver countermeasure, they
suggest that a square setup with 14 m edge distance would achieve a false acceptance
rate of approx. $10^{-5}$ and a detection rate of approx. 0.99 (location noise σ = 4 m).
However, such a formation would require an area of 200 m².
Comparative overviews and surveys on known and effective GPS spoofing countermeasures
are available in the respective literature [33, 34, 45, 54, 87, 111, 138]. These
works offer a good foundation on investigated detection and protection techniques
and also provide directions for future work.
4.3 System Model
Conceptually, a multi-receiver spoofing countermeasure detects GPS spoofing attacks
based on the location reported by two (or more) COTS receivers $R_i$ at fixed
known positions $p_i$. In particular, we consider a multi-device deployment of GPS
receivers where the devices are distributed with physical distances d. Figure 4.1
depicts an exemplary setup of four receivers and at least four GPS satellites $S_i$ to
allow successful self-positioning.
Without loss of generality, we consider receivers located at approximately the same
height such that we can neglect the low-precision GPS altitude. The receivers periodically
compare their mutual distances of the calculated two-dimensional locations,
e. g., using wired connections. As our countermeasure only uses the localization result,
a beneficial property is that it does not require any modification of standard
COTS receivers or of the GPS infrastructure.
4.4 Attacker Model
In accordance with the attacker models introduced in Section 3.3, we consider the
following attacker. The goal of the attacker is to change the localization or time
result of one or more victims. The attacker is capable of generating fake GPS
signals with the same signal characteristics as authentic GPS signals. We distinguish
between two scenarios for the attacker antennas: (i) a single-antenna attacker and
(ii) a multi-antenna attacker. In the first case, the attacker is restricted to a single-antenna
setup, where all spoofing signals are sent from the same source. In the
second case, the attacker can utilize multiple antennas gaining more freedom for the
transmission of signals to send potentially different signals from various locations.
Figure 4.1: Our system model consists of a multi-device deployment of GPS receivers at fixed positions. The receivers are interconnected to share calculated GPS positions given that at least four satellite signals are available.
We assume that all receivers obtain signals from the same sources, i. e., receivers
are not shielded from the reception of signals seen by other receivers. As shown in
related work [128, 135], a single-antenna attacker can successfully spoof individual
victims to an arbitrary location and time by sending spoofing signals that have
constant TDoAs with respect to each other, independently of the location of the
receiver. As a result, multiple receivers in range of the attacker would all compute
the same localization result (with minor time differences due to their respective
distances to the attacker). This scenario is depicted in Figure 4.2.
For the multi-antenna adversary model, spoofing individual position solutions
for fewer than four receivers becomes theoretically possible as shown by Tippenhauer
et al. [128]. By selectively positioning antennas, an attacker may succeed
in satisfying expected relative TDoAs as long as the number of receiving antennas
does not exceed a certain threshold. We discuss the resilience of our countermeasure
against a multi-antenna attack in Section 4.10.2.
Figure 4.2: A single-antenna attacker targets the formation of multiple GPS receivers. As a result, all TDoAs are the same at all receivers.
The problem of taking over an established lock, i. e., the problem of taking over a
victim’s fix to authentic GPS signals, is out of scope of this work. In order to induce
a new fix onto the spoofed signals (i. e., to replace authentic signals), an attacker
needs to force a lock loss of the established fix, e. g., by prior jamming or high spoofing
power [52]. Since our countermeasure is based on positioning information, we can
give the attacker the power to overcome prominent signal-based countermeasures.
4.5 Theoretical Multi-Receiver Spoofing Detection
We first introduce our detection mechanism and then argue that its performance
depends on (i) the physical formation of the receivers, and (ii) on the GPS noise
experienced by the receivers. We discuss both factors in more detail and predict
that authentic signals and attacker signals have different noise characteristics. By
incorporating insights on the error models, we are able to improve the performance
of the countermeasure.
4.5.1 Detection Mechanism
We assume that two (or more) GPS receivers are set up in a known static formation.
All receivers are continuously obtaining their location via GPS to use the calculated
locations to detect spoofing cases. Basically, our detection mechanism compares the
reported receiver locations in order to perform a binary classification into authentic/spoofed
situations. This decision is probabilistic and considers the predefined
receiver formation, its fixed relative distances, and the noise characteristics of the
receivers. The detection model is based on work by Swaszek et al. [125–127]; it
distinguishes between two potential detection outcomes based on the presence of an
attack. The considered hypotheses $H_0$ and $H_1$ are:
$H_0$: No spoofing occurred.
$H_1$: Spoofing is performed.
The decision making is based on the preservation of known receiver distances. In
case of authentic GPS signals, the computed distances are expected to be rather
stable and close to the physical distances of the given formation. In case of an
attack, the computed distances will shrink to values close to zero, as the receivers
would report the same location during a (single-antenna) spoofing attack. If the
system detects significant anomalies, the test should indicate a spoofing attack. In
contrast to the mean positions considered by Swaszek et al. [125–127], our detection
is based on relative distances between all pairs of receivers. The mechanism is
a function of the reported position information $p_i^{\mathrm{GPS}}$ and a comparison against a
decision threshold λ to be defined. The adapted test can be formally expressed as:
$$ f\left(p_1^{\mathrm{GPS}}, \ldots, p_n^{\mathrm{GPS}}\right) \underset{H_1}{\overset{H_0}{\gtrless}} \lambda, \tag{4.1} $$
where n denotes the number of receivers each reporting positions $p_i^{\mathrm{GPS}}$, $i \in \{1, \ldots, n\}$,
and f(·) is a function merging the information to a single value. Each position $p_i^{\mathrm{GPS}}$
consists of a latitude and a longitude component while we neglect the height information
here due to the low precision of GPS altitude. To simplify the discussion, we assume
that for our countermeasure all receivers are placed at approximately the same
height. We analyze possible functions (i. e., minimal, maximal, and weight-based approaches)
and their effects on attack detection in more detail in Section 4.10.1.
Since our countermeasure is based on the relative distances between receivers, we
refine Equation (4.1) to directly take the set of GPS-derived distances $d_{i,j}^{\mathrm{GPS}}$ as input:
$$ f\left(d_{i,j}^{\mathrm{GPS}}\right) := f\left(\left\{d_{i,j}^{\mathrm{GPS}}\right\}_{\substack{1 \le i,j \le n \\ i<j}}\right) \underset{H_1}{\overset{H_0}{\gtrless}} \lambda. \tag{4.2} $$
If the result of function f(·) on the GPS distances between the receivers falls
below the threshold λ, the test indicates a spoofing attack ($H_1$). However, if the
result is above the threshold λ, the test decides for no spoofing ($H_0$). Notably, since
the absolute positions contained in Equation (4.1) are not decisive for our spoofing
detection, there is no information loss from Equation (4.1) to Equation (4.2). Hence,
we can safely use Equation (4.2), which contains all distances clearly defining the
underlying formation.
On the basis of Equation (4.2), we can define two important probabilities in regard
to the detection and the false alarm ratio. The probability of detection $P_d$ describes
the chance that an actual spoofing attack is indeed detected. Thus, the result of
f(·) needs to be below the threshold λ when under a spoofing attack:
$$ P_d = \Pr\left\{ f\left(d_{i,j}^{\mathrm{GPS}}\right) < \lambda \mid H_1 \right\}, $$
with $1 \le i < j \le n$. On the other hand, the false alarm probability $P_{fa}$ describes
the chance of triggered alarms when no spoofing occurs. The result of f(·) needs to
be below the threshold λ when no spoofing is performed:
$$ P_{fa} = \Pr\left\{ f\left(d_{i,j}^{\mathrm{GPS}}\right) < \lambda \mid H_0 \right\}. $$
Considering both equations, we need to optimize λ with the purpose of achieving
high detection rates while maintaining a low probability of false alarms. If the receivers
were to obtain their position solution without any error, they could perfectly
detect spoofing attacks even if their mutual distances are very small (e. g., a few
centimeters). Unfortunately, GPS receivers have a non-negligible position-solution
error in practice (as discussed in Section 2.2.4).
4.5.2 Countermeasure Formation
The generalized receiver formation for our countermeasure considers a virtual center
around which the receivers are placed. In particular, receivers are placed equidistantly
on the edge of a virtual circle with the aforementioned center. With this
constellation, a multi-receiver setup can be realized in a compact way and the setup
is extendable while keeping the same radius of the circle.
We denote the number of receivers as n and the radius of the circle is defined
as r, while the resulting distance between neighbors is d. For instance, for n = 2
the two receivers are placed on opposing sides of the circle. As a result, for a given
radius r the distance becomes d = 2r. For n = 3 we obtain a triangle and for n = 4
the formation becomes a square with equal edge lengths. Figure 4.3 depicts possible
countermeasure formations equally distributed on a virtual circle. The relationship
between n, r, and d can be formulated as:
$$ d = 2r \cdot \sin\left(\frac{2\pi}{2n}\right). $$
Figure 4.3: The multi-receiver spoofing detection countermeasure can be instantiated with different numbers of receivers distributed on a virtual circle. Panels: (a) n = 2, (b) n = 3, (c) n = 4.
Notably, the more receivers we use, the more distinct distances between all possible
receiver pairs are obtained and used by the function f(·). While
for n = 2 we only have one single distance, for n = 4 we already have six (partially
dependent) distances. The number of connections can be calculated according
to $\binom{n}{2}$. For the actual detection system, we mostly consider a setup with n = 4
receivers. That is the smallest number of receivers that protects against
the multiple-antenna attacker [128], as discussed in Section 4.10.2.
4.5.3 Leveraging Environmental Errors
The noise of the position solution experienced by receivers is a determining factor
for the performance of our countermeasure. We introduced general GPS errors in
Section 2.2.4, and we now apply the error model to our spoofing detection approach.
In prior work [125,126], the User Equivalent Range Error (UERE) as introduced in
Section 2.2.4 was modeled to be identical for authentic and spoofing signals. We now
argue that this is not the case in practice, and a more realistic model can improve
the countermeasure performance. On closer inspection, the UERE is a composition
of two components. The satellite system-intrinsic User Range Error (URE) includes
environmental errors, whereas the User Equipment Error (UEE) is caused by the
receiver design [130]. This is particularly relevant for two reasons:
(a) We claim that the environmental errors are to a certain degree location-specific,
i. e., several receivers at the same location will experience correlated environmental
errors. The intuition is that this will make our countermeasure more
reliable in normal operating conditions, as position shifts are partially correlated.
(b) During a location spoofing attack, an attacker has potentially large influence
on the environmental error, but this error will be roughly the same for multiple
victims. In particular, the attacker has control over the ephemerides data and
satellite clock offsets in the spoofing signals. In addition, the attacker is comparably
close to the receivers, so that multipath effects are greatly reduced. As a result, our
intuition is that in an attack scenario, the location differences of several victims are
less noisy than under normal operation (i. e., their UEREs are expected to develop
a stronger correlation).
In order to get a better understanding of the impact of correlation, we take a look
at the calculation of a (noised) one-dimensional distance:
$$ d_{i,j}^{\mathrm{GPS}} = \mathrm{dist}\left(p_i^{\mathrm{GPS}} + n_i,\; p_j^{\mathrm{GPS}} + n_j\right) = \mathrm{dist}\left(p_i^{\mathrm{GPS}}, p_j^{\mathrm{GPS}}\right) + (n_i - n_j), $$
where $n_i$ and $n_j$ are the noise for $p_i^{\mathrm{GPS}}$ and $p_j^{\mathrm{GPS}}$, respectively. The actual distance
$\mathrm{dist}(p_i^{\mathrm{GPS}}, p_j^{\mathrm{GPS}})$ is impacted by the combined noise $n_i - n_j$. If both noise sources
are independent, there is no tendency on how the calculated (noised) distance will
behave. However, when the sources are correlated they will compensate each other
to a certain degree, which can be calculated by:
$$ \sigma_{\mathrm{dist}} = \sqrt{\sigma_i^2 + \sigma_j^2 - 2\rho_{i,j}\sigma_i\sigma_j} \;\overset{\sigma_i = \sigma_j}{=}\; \sqrt{2}\,\sigma \cdot \sqrt{1 - \rho_{i,j}}, $$
where $\sigma_{\mathrm{dist}}$ is the standard deviation of the distance, $\sigma_i$ and $\sigma_j$ the standard deviation
of $p_i^{\mathrm{GPS}}$ and $p_j^{\mathrm{GPS}}$ (assumed to be roughly equal), and ρ is the Pearson correlation
coefficient given as:
$$ \rho_{X,Y} = \frac{\mathrm{cov}(X, Y)}{\sigma_X \sigma_Y}, \tag{4.3} $$
with X and Y being two datasets of the same length. In particular, the correlation
coefficient is a measure of linear dependence between these two datasets. A value
of 0 indicates no correlation, whereas +1 and −1 represent total positive and total
negative correlation, respectively. As a result, the stronger the correlation
between the experienced noise, the less noisy are the mutual distances. Similar considerations
apply to the cases of two-dimensional latitude and longitude components
as well as multidimensional points.
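
The decision rule of Equation (4.2), the circular formation of Section 4.5.2, and the effect of correlated noise on the distance error can be tried out with a short Monte Carlo simulation. The following Python code is an added example, not code from this work; the shared-noise model, the use of the mean as f(·), and all numeric parameters (σ, ρ, λ, trial counts, the spoofed location) are constructed assumptions.

```python
import itertools
import math
import random
import statistics


def formation(n, r):
    """n receivers placed equidistantly on a circle of radius r (Section 4.5.2)."""
    return [(r * math.cos(2 * math.pi * k / n), r * math.sin(2 * math.pi * k / n))
            for k in range(n)]


def neighbor_distance(n, r):
    """Distance between neighbours: d = 2r * sin(2*pi / 2n)."""
    return 2 * r * math.sin(2 * math.pi / (2 * n))


def pairwise_distances(points):
    """All C(n, 2) distances d_ij with i < j."""
    return [math.dist(p, q) for p, q in itertools.combinations(points, 2)]


def noisy_fixes(points, sigma, rho, rng):
    """Reported positions: true position plus per-axis Gaussian noise of standard
    deviation sigma. A noise term shared by all receivers gives every pair the
    correlation rho (0 <= rho <= 1); this noise model is an assumption."""
    shared_x, shared_y = rng.gauss(0, sigma), rng.gauss(0, sigma)
    a, b = math.sqrt(rho), math.sqrt(1 - rho)
    return [(x + a * shared_x + b * rng.gauss(0, sigma),
             y + a * shared_y + b * rng.gauss(0, sigma)) for x, y in points]


def is_spoofed(fixes, lam, f=statistics.fmean):
    """Equation (4.2): decide H1 when f({d_ij}) < lambda. Using the mean for f
    is an assumption; the choice of f is discussed in Section 4.10.1."""
    return f(pairwise_distances(fixes)) < lam


def estimate_rates(n, r, lam, sigma, rho_auth, rho_spoof, trials, seed=1):
    """Monte Carlo estimate of (P_fa, P_d) for a single-antenna attacker."""
    rng = random.Random(seed)
    authentic = formation(n, r)
    spoofed = [(250.0, -40.0)] * n  # all receivers pulled to one constructed location
    false_alarms = sum(is_spoofed(noisy_fixes(authentic, sigma, rho_auth, rng), lam)
                       for _ in range(trials))
    detections = sum(is_spoofed(noisy_fixes(spoofed, sigma, rho_spoof, rng), lam)
                     for _ in range(trials))
    return false_alarms / trials, detections / trials


def sigma_dist(sigma, rho):
    """sigma_dist = sqrt(2) * sigma * sqrt(1 - rho) for sigma_i = sigma_j = sigma."""
    return math.sqrt(2) * sigma * math.sqrt(1 - rho)


def empirical_sigma_dist(sigma, rho, trials, seed=1):
    """Standard deviation of n_i - n_j along one axis, measured by simulation."""
    rng = random.Random(seed)
    same_spot = [(0.0, 0.0), (0.0, 0.0)]
    diffs = []
    for _ in range(trials):
        (x_i, _), (x_j, _) = noisy_fixes(same_spot, sigma, rho, rng)
        diffs.append(x_i - x_j)
    return statistics.pstdev(diffs)


if __name__ == "__main__":
    r = 5.0 / (2 * math.sin(math.pi / 4))  # four receivers, 5 m between neighbours
    print("d =", neighbor_distance(4, r))
    print("sigma_dist formula / simulated:",
          sigma_dist(1.0, 0.5), empirical_sigma_dist(1.0, 0.5, 20000))
    # Constructed parameters: sigma = 1 m, lambda = 2.5 m.
    print("P_fa, P_d:", estimate_rates(4, r, 2.5, 1.0, 0.5, 0.8, 5000))
    # Smaller, noisier formation: correlated noise lowers the false alarm rate.
    r3 = 3.0 / (2 * math.sin(math.pi / 4))
    for rho in (0.0, 0.8):
        print("rho =", rho, "P_fa =", estimate_rates(4, r3, 2.0, 1.5, rho, rho, 20000)[0])
```

Because the shared noise term cancels in every pairwise difference, only the individual part of the noise, scaled by √(1 − ρ), reaches the distances that the test evaluates.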
4.5.4 Error Modeling and Distribution
In addition to our model of the receiver formation and the general error sources,
we require a more detailed model to describe the error distribution. Based on
those models, we can perform simulations to determine suitable distances between
the receivers and optimal decision thresholds. According to the GPS performance
standard [130], we assume that the receiver’s position errors are Gaussian distributed
in latitude and longitude. If the mean and the standard deviation for each direction
are known, we can compute probability functions and make predictions for the error
distribution.
However, our scheme is based on relative distances and thus combines both directions.
Following [125, 126], we assume that distance-related errors are Gaussian
distributed with approximately the same standard deviation in latitude and longitude.
We also assume that the correlation between changes in each direction
exhibits similar characteristics. By making these simplifications, the error distribution
of the Euclidean distance of two two-dimensional Gaussian distributed points
can be formulated in a closed form. Notably, we use the distance projected on a
two-dimensional plane neglecting the curvature of the earth for small distances.
The resulting mathematical model, which describes the distribution of the distances
between one two-dimensional Gaussian distributed point and a fixed point,
is a Rician distribution. We extend the model by replacing the fixed point with a
second two-dimensional Gaussian distributed point. If the standard deviation and
the correlation are the same, the adjusted distribution maintains its Rician property.
The Probability Density Function (PDF) for a Rician distribution is given by:
$$ f(x) = \begin{cases} \dfrac{x}{\sigma^2}\, e^{-\frac{x^2 + s^2}{2\sigma^2}}\, I_0\!\left(\dfrac{xs}{\sigma^2}\right), & x > 0, \\ 0, & x \le 0, \end{cases} \tag{4.4} $$
with noncentrality parameter s reflecting the distance to the center and scale parameter
σ as the standard deviation of the Gaussian distribution. Further, $I_0$ denotes
the zero-order modified Bessel function of the first kind.
The corresponding Cumulative Distribution Function (CDF) is defined as:
$$ F(x) = \begin{cases} 1 - Q_1\!\left(\dfrac{s}{\sigma}, \dfrac{x}{\sigma}\right), & x > 0, \\ 0, & x \le 0, \end{cases} \tag{4.5} $$
where $Q_1$ is the first order Marcum Q-function.
Due to our adaptions and the addition of a second Gaussian distributed point, the
noncentrality parameter s and the scale parameter σ of the resulting distribution
are not equivalent to the distance nor the standard deviation, respectively (but are
very close to the actual scales).
For the special case of two two-dimensional Gaussian distributed points with the
same center, s becomes 0. As a result, a Rayleigh distribution is obtained, which is
only dependent on the scale parameter σ.
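Thus, the PDF simplifies as follows:
$$ f(x) = \begin{cases} \dfrac{x}{\sigma^2}\, e^{-\frac{x^2}{2\sigma^2}}, & x > 0, \\ 0, & x \le 0. \end{cases} \tag{4.6} $$
The corresponding Rayleigh CDF is:
$$ F(x) = \begin{cases} 1 - e^{-\frac{x^2}{2\sigma^2}}, & x > 0, \\ 0, & x \le 0. \end{cases} \tag{4.7} $$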
In order to evaluate the CDFs, we first need to determine the parameters s and σ.
However, the parameter estimation for both distributions is a non-trivial problem
in mathematical analysis. Therefore, we use the numeric solution calculated by
the distribution fitting function fitdist provided by MATrix LABoratory (MATLAB) [65].
Note that these error models do not take correlations into consideration.
We therefore expect distances to be more dense around the means and that
our model is only a pessimistic approximation.
4.6 Experimental Evaluation of Authentic Signals
We present a series of experiments conducted to obtain real-world GPS localization
errors. The experiments were executed with a set of co-located receivers, which
allows us to determine temporal and spatial correlations between the localization
errors. As a result, we were able to identify suitable parameters for our spoofing
detection mechanism.
4.6.1 Experimental Setup
For our experimental setup, we deployed four standalone Arduino UNOs, rev. 3 [4].
Each Arduino is extended with a GPS logger shield including a GPS module in order
to process incoming GPS signals. Furthermore, an external active antenna with an
additional 28 dB gain is coupled with each GPS shield. The external antenna not
only provides more stable solutions but also increases the flexibility of the setup due
to an additional 5 m cable length. The combination of these components is hereafter
referred to as a receiver (see Figure 4.4a).
Figure 4.4: In the experimental setup, four Arduino UNO GPS receivers are positioned on a wooden bench (circles) connected to a central laptop. Panels: (a) Arduino UNO GPS Receiver, (b) Experimental Setup.
Table 4.1: Receiver Placement and Relative Distances
Receiver  Side   $d_C$ [m]  $d_{R_1}$ [m]  $d_{R_2}$ [m]  $d_{R_3}$ [m]  $d_{R_4}$ [m]
R1        East   7.00       -              8.06           13.00          9.90
R2        South  4.00       8.06           -              7.21           11.00
R3        West   6.00       13.00          7.21           -              9.22
R4        North  7.00       9.90           11.00          9.22           -
In the initial measurements, four receivers were arranged in a cross-like formation
with side lengths of approx. 4 m to 7 m as depicted in Figure 4.4b. Each receiver
generates National Marine Electronics Association (NMEA) 0183 [70] data sentences
while processing the received signals. The data is constantly stored on a controlling
laptop connected via USB, which also powers the receivers. With a total of four
receivers, we obtain six distinct distances matching each device with each other. For
the specific relative distances we refer to Table 4.1, in which $d_C$ is the distance to
the center (as measured by hand), and $d_{R_i}$ is the calculated distance to the other
receivers. The overall formation is aligned to the cardinal directions North, South,
East, and West, and was set up for approx. 2.5 h at a place with clear Line of
Sight (LoS) to the sky.
4.6.2 Measurement Analysis
We next evaluate the recorded data and derive suitable parameters for the subsequent
simulations. The position map in Figure 4.5 indicates that the reported
positions are scattered around four points, which in our case closely reflect the actual
receiver placement. However, the deviation from the interim positions to the
actual placement can reach several meters. Figure 4.6 shows the development of
these distances over the course of the experiment. While the average distance error
µ ranges from approx. 0.79 m for R4 to 1.61 m for R3, the standard deviation σ
varies between approx. 0.41 m for R4 and 0.87 m for R3. In comparison to the values
reported in Table 2.1, the positions measured during the experiment are very stable.
Figure 4.5: Illustration of the receiver placements on the wooden bench (dashed lines) including reported positions, where “X” indicates the mean positions over the measurement duration. (Axes: Longitude E 7° ['], Latitude N 51° ['].)
Figure 4.6: The calculated distances between the reported positions and their respective means (close to the actual positions). (Axes: Measurement Duration [min], Distance from Mean [m].)
Since our spoofing detection mechanism takes the relative distances into account,
we calculate the distances between the reported positions. The results are depicted
in Figure 4.7. The histogram uses a bin width of 0.5m. The average distances are
all within 1m from the actual distances noted in Table 4.1. In Section 4.5.4, we
concluded that the underlying distribution is Rician. We try to align the respec-
tive PDF from Equation (4.4) with the measurements. The solid line represents a
normalized best fit based on a Rician distribution. The gap between the theoretical
distribution and the recorded data is due to correlations of position errors (distances
tend to be smaller) and limitations of the measurement setup. The parameters of
the distributions are included in Table 4.2. In particular, the noncentrality parameter s
closely reflects the average distance µ, whereas the scale parameter σ reflects
the standard deviation of the dataset.

Figure 4.7: The distribution of calculated distances between each pair of receivers, with fitted Rician distribution curves (bin width of 0.5m). Panels: (a) R1 — R2, (b) R1 — R3, (c) R1 — R4, (d) R2 — R3, (e) R2 — R4, (f) R3 — R4. (Axes: Distance [m], Probability Density.)

Table 4.2: Error Distribution Parameters - Authentic

Distance    Noncentrality s    Scale σ    d99 [m]    ρLAT    ρLON
R1 — R2      8.13              0.68        6.58      0.05    0.40
R1 — R3     13.32              0.81       11.46      0.49    0.78
R1 — R4     10.80              0.78        9.02      0.51    0.47
R2 — R3      7.04              0.80        5.24      0.72    0.65
R2 — R4     11.34              1.13        8.77      0.51    0.47
R3 — R4      9.76              1.49        6.42      0.35    0.72

As an illustrative example, we focus on a single distance. Considering the CDF of
the Rician distribution from Equation (4.5), we are able to calculate the probability
that a certain threshold λ is exceeded. In particular, we can determine the point
at which 1% of the distribution is accumulated. According to the CDF, we expect
that 99% of the distances exceed this fix point such that
\[ \Pr\{d_{\mathrm{GPS}} \le d_{99}\} = 1 - Q_1\!\left(\frac{s}{\sigma}, \frac{d_{99}}{\sigma}\right), \]
where d99 represents the distance that is shorter than 99% of all distances. With
this equation we can calculate thresholds that belong to different probabilities. The
distances corresponding to the 99% threshold for each pair of co-located receivers
are shown in Table 4.2. For instance, the distance R3 — R4 (µ = 9.87m) is expected
to be below 6.42m in only 1% of the cases and is calculated to be maintained 99%
of the times, which is approx. 3.4m less than the actual distance based on the initial
measurements.
A further aspect of our measurement analysis is how position changes correlate
spatially. We expect a correlation between the position deviations of co-located re-
ceivers since the system-intrinsic URE is an environment-dependent error. To iden-
tify its extent, we compute Pearson’s correlation coefficient ρ from Equation (4.3)
between the reported positions. The results of our measurements are listed in Ta-
ble 4.2. For better clarity, ρ is partitioned in a latitude and a longitude component.
We recognize a consistent positive correlation. Even though the extent of correlation
differs between the receivers due to noise effects (ρLAT for R1 — R2 is an outlier),
the correlation is considerable and throughout positive.
4.6.3 Additional Measurements
We conducted further measurements to confirm our error modeling approach in
different environments, e. g., receivers were placed close to metallic walls. Over
different time periods (up to three days non-stop) measurements were collected to
assess the effects of signal reflections and changing meteorological conditions. For
the sake of clarity, we only present resulting parameters for the standard deviation
and the correlation here.
For receivers with clear LoS, but under multipath effects, we experienced a typical
position noise in the range of σ ≈ 0.75 to σ ≈ 3.06, where the latter occurred close
to a reflecting metallic wall. Similar degradations were observed for the correlation
between position changes. Additional noise sources can impair the correlation to
ρ ≈ 0.27 for direct wall reflections. However, correlations of ρ ≈ 0.82 were still perceived
for receivers affected by multipath signal components but with clear LoS.
3-day Experiment
This experiment was run over the course of three days non-stop with n = 4 receivers
and changing weather conditions. Over 1,200,000 data points for each receiver were
recorded. Figure 4.8 shows a histogram of all relative distances. We note that the
real distances between the receivers were relatively small to shelter the devices from
rain. Outliers are still visible and could be caused by changing temperature and
weather conditions.
4.6.4 Results
In conclusion, the localization precision of the utilized COTS receivers for authentic
signals is within typical standard deviations of σ ≈ 0.5, ..., 3. The correlation
between the position shifts is significantly positive and stabilizes at ρ ≈ 0.4, ..., 0.6 for
long-term measurements. We validated our findings with experiments in changing
environments, at different days, and varying measurement periods.

Figure 4.8: Stabilized distance distributions over a three-day measurement period with n = 4 receivers, with fitted Rician distribution (bin width of 0.5m). Panels: (a) R1 — R2, (b) R1 — R3, (c) R1 — R4, (d) R2 — R3, (e) R2 — R4, (f) R3 — R4. (Axes: Distance [m], Probability Density.)

4.7 Experimental Evaluation of Spoofed Signals
In the previous section, we investigated the localization error for authentic signals.
We now present experimental results on the localization error for spoofed signals,
using the same receivers as in the previous experiments.
4.7.1 Experimental Setup
In our measurement setup, the spoofing attack is realized via a GPS signal sim-
ulator that is capable of generating arbitrary civilian GPS signals (LabSat 3 [93]
from Racelogic). These signals can be composed with attacker-chosen parameters
such as signal power or position solution. With the supplied software tools, we are
able to generate scenarios, which emulate similar conditions as were present during
our measurements for the authentic signals. In particular, the simulator uses the
ephemeris data for that specific place and time period.
Since the satellite simulator aggregates a mix of satellite signals into a signal
that is resolvable to one specific location, we choose the coordinates of one of the
receivers from our initial measurements as the spoofed position. The spoofing signal
was sent wirelessly during limited time periods and all receivers obtained the signal
at approximately the same power levels. In order to imitate the authentic scenario
as closely as possible, we adapted the external antennas' inclination to the new AoAs
due to the ground-level simulator. A sophisticated attacker is assumed to send out
signals from higher positions avoiding the antenna adjustments. During the (indoor)
experiment, the receivers were shielded from real GPS signals in order to acquire a
quick fix to the spoofing signals as well as to prevent signal leakages to the outside.
In less than one minute, the receivers locked onto the spoofing signal and kept tuning
to process all available satellites from the signal. The spoofing attack was performed
with the same GPS time and for the same duration as for the outdoor measurement.

Figure 4.9: The progression of the calculated distances to their respective means reveals a close spatial correlation in the spoofing scenario. (Axes: Measurement Duration [min], Distance from Mean [m].)

4.7.2 Measurement Analysis
The analysis of the recorded measurements reveals the following insights. All re-
ported positions closely reflect the preconfigured location for which the GPS signals
were generated. Within the given precision, the mean of the reported positions is
the same for all receivers, independent of the actual positioning or formation.
In consideration of the reported positions as shown in Figure 4.9, all four traces
exhibit similar patterns and, over the course of the experiment, we can recognize
periods in which the distance to the mean positions concurrently increases or de-
creases. In these periods, we assume that the simulator imitates the changing signal
quality at the chosen location and time by adjusting the impact of system-intrinsic
UREs. The average distance µ from the means varies between approx. 0.47m for R4
and 0.57m for R3, whereas the standard deviation σ ranges from approx. 0.21m
for R4 to 0.29m for R3. In comparison to the outdoor measurements, both quan-
tities are roughly halved. We conclude that the reported positions are less affected
by errors.
In consideration of the relative distances, the resulting distribution is depicted in
Figure 4.10. To increase the resolution, the applied bin width is refined to 0.1m.
As analyzed in Section 4.5.4, the distances follow a Rayleigh distribution, for which
the noncentrality parameter s becomes 0 due to overlapping center points. The
solid (red) curve represents the best fit on the basis of the respective PDF from
Equation (4.6). Note again that, due to correlations between the position errors,
distances tend to be smaller than the distribution suggests. Measurement limitations
prevent a perfect fit with the distribution, see Table 4.3 for the determining scale
factor σ.

Figure 4.10: The distribution of calculated receiver distances under a spoofing attack, with fitted Rayleigh distribution curves (bin width of 0.1m). Panels: (a) R1 — R2, (b) R1 — R3, (c) R1 — R4, (d) R2 — R3, (e) R2 — R4, (f) R3 — R4. (Axes: Distance [m], Probability Density.)

According to Figure 4.10, the relations involving R4 feature less distinct peaks
such that the (red) curve drops slower towards the right side. Taking the CDF of
the Rayleigh distribution from Equation (4.5) into consideration, we can determine
the probability that a certain threshold λ is exceeded. This can be described as
\[ \Pr\{d_{\mathrm{GPS}} > d_{99}\} = e^{-\frac{d_{99}^{2}}{2\sigma^{2}}}, \]
where d99 is expected to be larger than 99% of the distances. In contrast to the
authentic measurements, the role of d99 is swapped representing a threshold towards
the upper limit. For each receiver pair, the value of d99 is stated in Table 4.3.
Due to the very small deviations in the reported position solutions, the calculated
thresholds are less than 1m. Even for the most diversified distance R1 — R4, the
relative distance exceeds approx. 0.66m in only 1% of the cases.
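
The two d99 thresholds discussed in Sections 4.6.2 and 4.7.2 (the Rician lower bound for authentic signals and the Rayleigh upper bound under spoofing) can be recomputed from the fitted parameters in Tables 4.2 and 4.3. The following Python code is an added example, not the dissertation's MATLAB framework; it evaluates 1 − Q1 as a Poisson-weighted series and inverts it by bisection, and all function names are assumptions.

```python
import math

# Fitted parameters copied from Table 4.2: pair -> (s, sigma, d99 stated in the table)
AUTHENTIC = {
    "R1-R2": (8.13, 0.68, 6.58), "R1-R3": (13.32, 0.81, 11.46),
    "R1-R4": (10.80, 0.78, 9.02), "R2-R3": (7.04, 0.80, 5.24),
    "R2-R4": (11.34, 1.13, 8.77), "R3-R4": (9.76, 1.49, 6.42),
}
# Fitted parameters copied from Table 4.3: pair -> (sigma, d99 stated in the table)
SPOOFED = {
    "R1-R2": (0.13, 0.38), "R1-R3": (0.14, 0.42), "R1-R4": (0.22, 0.66),
    "R2-R3": (0.09, 0.28), "R2-R4": (0.16, 0.49), "R3-R4": (0.18, 0.55),
}


def rician_cdf(d, s, sigma):
    """Pr{D <= d} for a Rician distance, i.e. 1 - Q1(s/sigma, d/sigma).

    (D/sigma)^2 is noncentral chi-square with 2 degrees of freedom, so the CDF
    is a Poisson(a)-weighted sum of Erlang CDFs evaluated at b.
    """
    if d <= 0:
        return 0.0
    a = s * s / (2 * sigma * sigma)   # Poisson mean (half the noncentrality)
    b = d * d / (2 * sigma * sigma)   # Erlang argument
    if a == 0:                        # s = 0 collapses to the Rayleigh case
        return 1.0 - math.exp(-b)
    log_w = -a                        # log Poisson weight for k = 0
    log_t = -b                        # log of e^-b * b^j / j! for j = 0
    tail = math.exp(log_t)            # e^-b * sum_{j<=k} b^j / j!
    total = 0.0
    k_max = int(a + 12 * math.sqrt(a) + 50)
    for k in range(1, k_max + 2):
        total += math.exp(log_w) * max(0.0, 1.0 - tail)
        log_w += math.log(a) - math.log(k)
        log_t += math.log(b) - math.log(k)
        tail += math.exp(log_t)
    return total


def d99_authentic(s, sigma, p=0.01):
    """Distance that authentic measurements fall below with probability p."""
    lo, hi = 0.0, s + 10 * sigma
    for _ in range(60):               # bisection on the monotone CDF
        mid = (lo + hi) / 2
        if rician_cdf(mid, s, sigma) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def d99_spoofed(sigma, p=0.01):
    """Distance that spoofed measurements exceed with probability p (Rayleigh)."""
    return sigma * math.sqrt(-2 * math.log(p))


def threshold_gap(pair):
    """Room for a decision threshold between the spoofed and authentic bounds."""
    s, sigma_a, _ = AUTHENTIC[pair]
    sigma_s, _ = SPOOFED[pair]
    return d99_authentic(s, sigma_a) - d99_spoofed(sigma_s)


if __name__ == "__main__":
    for pair in AUTHENTIC:
        s, sigma_a, _ = AUTHENTIC[pair]
        print(pair, round(d99_authentic(s, sigma_a), 2),
              round(d99_spoofed(SPOOFED[pair][0]), 2), round(threshold_gap(pair), 2))
```

Small differences from the table values come from the rounding of s and σ to two decimals in Tables 4.2 and 4.3.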
Finally, we evaluate the correlation between position deviations on the basis of
the correlation coefficient. The calculated coefficients for latitude and longitude
directions are included in Table 4.3. Across all receivers, the values illustrate a
strong positive correlation with a minimal coefficient of ρ ≈ 0.87 for R1 — R4 and a
maximal coefficient of ρ ≈ 0.99 for R2 — R3, both in latitude direction. Compared
to the correlation for the outdoor measurements, the correlation in the spoofing
scenario is constantly higher. Each receiver is faced with the same GPS signals and
thus the same embedded system-intrinsic errors. Receiver-specific errors only take
a minor role, which is reflected by high correlation coefficients close to 1.

Table 4.3: Error Distribution Parameters - Spoofing

Distance    Scale σ    d99 [m]    ρLAT    ρLON
R1 — R2     0.13       0.38       0.97    0.93
R1 — R3     0.14       0.42       0.97    0.92
R1 — R4     0.22       0.66       0.87    0.90
R2 — R3     0.09       0.28       0.99    0.97
R2 — R4     0.16       0.49       0.93    0.96
R3 — R4     0.18       0.55       0.93    0.96

4.7.3 Additional Measurements
We performed additional spoofing experiments to investigate the impact of different
environments. For instance, we varied the antenna inclination to account for the different
AoA of spoofing signals caused by a ground-level satellite simulator. We tried to
establish similar power levels at the receivers to imitate the conditions under normal
operation. In all our experiments, the spoofer was in close vicinity to the receivers.
We obtained the following typical results for the standard deviation and the correla-
tion. For unfavorable environments, the individual position inaccuracy can increase
to σ ≈ 0.88 under spoofing. The correlation coefficients across several measure-
ments maintained a comparably high level of ρ ≈ 0.98 to ρ ≈ 0.46 in scenarios with
stronger multipath effects.
4.7.4 Results
In conclusion, the receivers maintain a position accuracy of σ ≈ 0.2, ..., 1. The
typical correlation coefficient for position shifts is strongly positive in the range of
ρ ≈ 0.5, ..., 1. In comparison to the performance for authentic signals, the position
solutions are more stable and the correlation is higher. Again, we validated our
findings with additional spoofing experiments in changing environments.
4.8 Simulation of the Countermeasure
We now use the noise parameter ranges learned from our real-world experiments in
Section 4.6 and Section 4.7 to instantiate the GPS spoofing detection system and
evaluate its performance through simulations. We developed a simulation framework
using MATLAB in order to calculate the expected performance of different receiver
formations. In addition, the framework finds optimal decision thresholds λ with
respect to corresponding detection probabilities pd and false alarm probabilities pfa.

Table 4.4: Simulation Parameter Sets

Case    σauthentic    ρauthentic    σspoofing    ρspoofing
1       4             0.5           2            0.5
2       2             0.5           1            0.5
3       1             0.5           1            0.5
4       1             0.5           1            0.7
5       1             0.5           0.5          0.9

Within the simulation framework, we pursue two goals: (i) Simulate the coun-
termeasure for n receivers (we focus on n = 4) considering different distribution
parameters including distance, standard deviation, and correlation. (ii) Evaluate
different instantiations of the function f(·), which is the determining function for
the decision mechanism in Equation (4.2). For the analysis with n = 4 receivers, we
chose a normalized majority voting, where longer distances (diagonal in a square)
are more significant. The reasoning behind the selection is given in Section 4.10.1.
4.8.1 Simulated Parameter Sets
Based on real-world measurements, we consider five different error models repre-
senting different scenarios and measurement environments, see Table 4.4. The first
scenario considers high noise from our worst case measurements (Case 1). On the
other hand, the fifth scenario includes the most stable position solutions that we
measured (Case 5). The other scenarios are intermediate steps between these two
extremes (Cases 2, 3, 4). Notably, the third scenario represents an error model for
which authentic and spoofing signals suffer from the same extent of errors.
The simulation covers varying receiver distances given as the radius r of the virtual
circle, gradually increased from 0m to 15m with a step size of 0.01m. The number of
generated measurements is 10,000,000 for each receiver position and each simulation
run. The error modeling is realized by adding Gaussian noise with the corresponding
distribution parameters that also maintain correlations between generated datasets.

Figure 4.11: The resulting EER for n = 4 receivers equidistantly positioned on a virtual circle with different radii r and distinct error parameter sets. (Axes: r [m], EER; curves: Case 1 to Case 5.)

4.8.2 Performance Metric
As the first measure of performance, we consider Equal Error Rates (EERs), i. e.,
\[ 1 - p_d \overset{!}{=} p_{fa}. \tag{4.8} \]
In other words, our decision threshold λ is chosen in such a way that the probability
of a false alarm pfa is equal to the probability of a missed detection 1 − pd. However,
we notice that the occurrence of spoofing and non-spoofing scenarios is not equally
distributed. In most cases, the receivers operate with authentic signals, whereas an
actual attack is very unlikely. False alarms are generally more likely to occur than
false detections and thus would need to be weighted more than missed detections.
The usage of the EER gives us a worst case estimation with a stronger focus on reli-
able detection; the distance between receivers may be decreased further if we allow
poorer detection probabilities. At the same time, missed detections typically incur
a larger security risk than false detections. To account for these considerations, we
later additionally report results individually for the probabilities of false alarms pfa
and missed detection pd.
4.8.3 Detection Performance
We examine the detection performance of our detection mechanism for n = 4 re-
ceivers. The results under consideration of the error scenarios from Table 4.4 are
depicted in Figure 4.11. The required receiver distances differ substantially for each
of the simulated cases. For example, a radius of approx. 11m is needed for an
EER of 10⁻⁶ in the worst measured scenario (Case 1). An EER of 10⁻⁶ equals
only one triggered alarm on a sample size of 1,000,000 measurements under normal
operation, whereas only one instance of spoofing remains undetected. For our best
error model the required radius is reduced to approx. 2m (Case 5). The radii for
the other scenarios vary from approx. 6m (Case 2), and approx. 4m (Case 3), to
approx. 3.5m (Case 4).

Figure 4.12: Detection performance when introducing our improved error models on correlation and behavior under spoofing for n = 4 receivers. Panels: (a) Without Improvements, (b) With Correlation, (c) With Lower Spoofing Errors, (d) Combination of Both. (Axes: r [m], Pfa; curves: Pd = 0.999, Pd = 0.99, Pd = 0.9.)

To integrate our results with theoretic prior work [125–127], we take σ = 4
(assumed by Swaszek et al. [126]) as a starting point to show the effect of our
measurement-based improvements. Note that the official performance standard [130]
only gives typical ranges for the standard deviation from σ ≈ 1 to σ ≈ 8. Figure 4.12
shows the performance improvements as we introduce our assumptions. The curves
in Figure 4.12a are generated with a standard deviation of σ = 4 and a correlation
of ρ = 0.5 between position changes for both normal operation and spoofing. In
Figure 4.12b, we introduce the effect of higher correlation during a spoofing attack
by adjusting ρspoofing = 0.9. A more realistic assumption on the standard deviation
is introduced in Figure 4.12c, where we keep σauthentic = 4 and change σspoofing = 1
emulating the reduced position shifts under spoofing. Figure 4.12d combines both
effects, i. e., σauthentic = 4, σspoofing = 1, ρauthentic = 0.5, and ρspoofing = 0.9.
In particular, the (red) dashed line in Figure 4.12 represents the resulting false
alarm rate as a function of the radius by fixing the detection probability to pd = 0.99.
Without considering reduced error characteristics under spoofing, we obtain pfa =
10⁻⁵ for a radius of approx. 12.31m. Using our derived parameter set, the required
radius is reduced to approx. 3.63m for the same false alarm rate. When relating to
the required space to deploy all receivers, the resulting square has edges of length
approx. 5.13m.
4.8.4 Results
We conclude that our proposed improvements greatly reduce the required area
for the countermeasure from 200m² as suggested by Swaszek et al. [126] to
approx. (5.13m)² ≈ 26.32m², which is almost an order of magnitude smaller (square
area). For this comparison, we picked the same UERE values as Swaszek et al. [126].
If we use the UERE we measured in our experiments instead, the performance would
increase even further.
4.9 Prototype Implementation
To demonstrate the applicability of our proposed multi-receiver spoofing detection
mechanism, we develop a prototype implementation. We incorporate the results of
our simulation with regard to suitable receiver distances.
4.9.1 Deployment
We deploy an experimental setup with n = 4 receivers positioned in a square with
edge length d = 5.00m, which is equivalent to a circle with r ≈ 3.54m. Two
receivers are placed in close vicinity to a metal wall introducing signal shielding and
additional multipath components. Figure 4.13 shows the measurement environment
(the metallic wall is close to the right hand side).
We tested this formation in two different environments: (i) We recorded mea-
surements under authentic conditions, see Figure 4.13. (ii) We targeted the same
formation with an indoor spoofing attack. Notably, we used the indoor setup to
prevent—in particular illegal—interference with surrounding devices. We captured
data for spoofing and normal operation for close to three hours. For this specific
setup we utilized the normalized majority voting approach for the receiver distance
analysis.
4.9.2 Results
Within the entire measurement period, we encountered no false alarms. While under
spoofing, our countermeasure detected the spoofing attack reliably as depicted in
Figure 4.14. More than 80,000 GPS measurements were recorded during the exper-
iments. The threshold, which is represented by the horizontal line, is an estimation
that optimizes both the detection and the false alarm probability. The normalized
majority distance for the authentic measurements is constantly above the threshold,
whereas in the spoofing case it is always below. If any of the measurements
cross the threshold line, either a false alarm or a missed spoofing would occur. A
sliding-window approach could compensate single threshold under- or overcuts.

Figure 4.13: The outdoor deployment of our GPS spoofing detection prototype with n = 4 receivers in a distance of d = 5.00m (metallic wall to the right).

With our prototype implementation we have demonstrated that the detection
mechanism is applicable to n = 4 receivers positioned in a square formation of
edge length d = 5.00m or a circle with radius r ≈ 3.54m. For the duration of the
experiment we encountered no false alarms and no missed spoofing events.
4.10 Discussion
We now discuss further aspects of the developed multi-receiver GPS spoofing de-
tection system. We first analyze different instantiations of function f(·) and their
impact on the decision making process. We then reason about the resilience of our
countermeasure even against multi-antenna attackers and finally outline directions
for future research.
4.10.1 Selection of Function f(·)
To find an optimized function f(·) for the implementation in Equation 4.2, we consider
four different instantiations, which represent a minimal, maximal, majority,
and normalized approach. The minimal and maximal functions only consider the
minimal, respectively the maximal, measured distance from the set of all distances.
The majority approach performs a voting mechanism which decides for spoofing
when the majority of distances, i. e., four out of six, fall below the decision threshold.
The normalized approach further makes distances more significant depending on
their relative length compared to others, e. g., the diagonal in a square is √2 times
longer than the edges.

Figure 4.14: The normalized majority distance for authentic GPS signals (top) and under spoofing (bottom). The line represents the decision threshold λ. (Axes: Measurement Duration [min], Normalized Majority [m].)

Figure 4.15: EER for different radii considering four different instantiations of function f(·) with n = 4 receivers and same error distributions (Case 3). (Axes: r [m], EER.)

For instance, we consider n = 4 receivers resulting in six distances in total. Ex-
emplarily, we present results considering the error model with the same error dis-
tributions for spoofing and non-spoofing conditions (Case 3) from Table 4.4. We
are able to identify the best choice for the function f(·) for this specific model and
give hints towards the impact of changing error models. Figure 4.15 compares
performance values for the instantiations of function f(·), i. e., minimal, maximal, majority,
and normalized. As one can see, the choice of minimal offers the worst performance
from the analyzed set. The other three types, namely maximal, majority,
and normalized, all perform similarly, with normalized as the narrow winner.

Table 4.5: Function f(·) Performance (Lower is Better)

Function f(·)    Relation 1    Relation 2    Relation 3
Minimal          ≥ 7           ≥ 9           ≥ 10
Maximal          1.00          1.20          1.23
Majority         0.85          1.00          1.02
Normalized       0.83          0.98          1.00

In order to quantitatively compare the performances, we compute the relative
difference in EER over all radii and average it by means of normalizing the results.
Results are given in Table 4.5. We can state that the normalized approach performs
approx. 2% better than the (non-normalized) majority voting and approx. 17%
better than the maximal function. The majority function has an approx. 15% bet-
ter average performance than the maximal function. In conclusion, the normalized
approach is the best choice for the selected error model.
We also conducted simulations for other error models with similar results. For
the scenarios with more stable and more correlated signals, we notice that the
differences of maximal, majority, and normalized functions are decreasing and
eventually the maximal distance performs almost as well as the others within negligible
margins. The usage of the maximal function is beneficial for setups with restricted
computational resources since this function requires fewer comparisons. Nevertheless,
(normalized) majority voting is the optimal choice for all considered error models.
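
The comparison of the four instantiations of f(·) can be reproduced at a single radius with a small Monte Carlo run. The following Python code is an added example and not the dissertation's MATLAB framework. It assumes that the majority vote is read as the fourth-smallest of the six distances, that "normalized" rescales each pair to the shortest nominal length, and that correlated errors are a shared plus an individual Gaussian component; all names are hypothetical.

```python
import math
import random
from bisect import bisect_left

PAIRS = [(i, j) for i in range(4) for j in range(i + 1, 4)]  # six receiver pairs
KINDS = ("minimal", "maximal", "majority", "normalized")


def square_on_circle(r):
    """Four receivers placed equidistantly on a virtual circle of radius r [m]."""
    return [(r * math.cos(k * math.pi / 2), r * math.sin(k * math.pi / 2))
            for k in range(4)]


def reported(true_pos, sigma, rho, rng):
    """Reported positions: per-axis Gaussian error with std sigma whose
    correlation between any two receivers is rho (shared + individual part)."""
    shared = (rng.gauss(0, sigma), rng.gauss(0, sigma))
    a, b = math.sqrt(rho), math.sqrt(1 - rho)
    return [(x + a * shared[0] + b * rng.gauss(0, sigma),
             y + a * shared[1] + b * rng.gauss(0, sigma)) for x, y in true_pos]


def pair_distances(pos):
    return [math.hypot(pos[i][0] - pos[j][0], pos[i][1] - pos[j][1])
            for i, j in PAIRS]


def statistic(dists, kind, nominal):
    """Scalar compared with the threshold; spoofing is declared if it is < lambda."""
    if kind == "minimal":
        return min(dists)
    if kind == "maximal":
        return max(dists)
    if kind == "normalized":   # assumption: scale every pair to the shortest nominal length
        shortest = min(nominal)
        dists = [d * shortest / n for d, n in zip(dists, nominal)]
    elif kind != "majority":
        raise ValueError(kind)
    # Fourth-smallest of six: below lambda exactly when at least four distances are.
    return sorted(dists)[3]


def equal_error_rate(auth, spoof, step=0.01):
    """Sweep lambda and return (EER, lambda) where false alarms and misses meet."""
    auth, spoof = sorted(auth), sorted(spoof)
    best = (2.0, 1.0, 0.0)
    for k in range(int(max(auth[-1], spoof[-1]) / step) + 2):
        lam = k * step
        p_fa = bisect_left(auth, lam) / len(auth)            # authentic below lambda
        p_miss = 1 - bisect_left(spoof, lam) / len(spoof)    # spoofed at or above lambda
        if abs(p_fa - p_miss) < best[0]:
            best = (abs(p_fa - p_miss), (p_fa + p_miss) / 2, lam)
    return best[1], best[2]


def compare_functions(r=2.0, n=5000, seed=1,
                      sig_a=1.0, rho_a=0.5, sig_s=1.0, rho_s=0.5):
    """EER per instantiation of f; the defaults are Case 3 of Table 4.4."""
    rng = random.Random(seed)
    layout = square_on_circle(r)
    nominal = pair_distances(layout)
    spoofed = [layout[0]] * 4   # every receiver resolves the one spoofed position
    auth_d = [pair_distances(reported(layout, sig_a, rho_a, rng)) for _ in range(n)]
    spoof_d = [pair_distances(reported(spoofed, sig_s, rho_s, rng)) for _ in range(n)]
    return {kind: equal_error_rate([statistic(d, kind, nominal) for d in auth_d],
                                   [statistic(d, kind, nominal) for d in spoof_d])[0]
            for kind in KINDS}


if __name__ == "__main__":
    for kind, eer in compare_functions().items():
        print(f"{kind:<10} EER ~ {eer:.4f}")
```

With a few thousand samples only error rates down to roughly 10⁻³ are resolvable, so the radius is kept small here; the much lower EERs in Figure 4.15 need far larger sample counts.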
4.10.2 Multi-Antenna Attacker Resilience
With respect to the resilience of our GPS spoofing countermeasure against the multi-
antenna attacker, we can state the following. While the countermeasure has been
designed with single-antenna attackers in mind, the deployment with multiple, dis-
tributed receivers also exhibits effective protection against the more powerful multi-
antenna attacker. In particular, for settings with n ≥ 4 receivers, a multi-antenna
attack (with the attacker trying to adjust the TDoAs) cannot preserve relative dis-
tances of all receivers as reasoned by Tippenhauer et al. [128]. As a result, our
proposed spoofing countermeasure with four receivers is expected to be resilient
against multi-antenna attacks by design.
With our limited multi-antenna attacker implementation from Section 3.3.2, we
tried to fool the spoofing detection with a distance-preserving multi-antenna attack—
with very limited success. We were only able to spoof single receivers, and even our
basic countermeasure with n = 2 is already complicating the attack significantly.
4.10.3 Outlook on Future Work
Our investigations leave promising avenues for future work. Before the countermea-
sure is deployed on a larger scale, more investigations regarding the stability of GPS
errors and their correlation for different locations, environmental conditions, and
time intervals are desirable. We are interested in further reductions of the required
distance between receivers (e. g., in scenarios with rather stable signals due to di-
rect LoS or due to receiver dynamics). Recently, Pesyna et al. [82] presented the
potentiality of centimeter positioning, which would greatly improve our detection
performance. Our investigations provide an evaluation framework that facilitates
extended measurements and evaluations. We leave the evaluation of overlapping
legitimate and spoofing signals for future work.
4.11 Summary
We thoroughly investigated a multi-receiver GPS spoofing detection technique and
performed its first practical implementation. We started by revising the error model
assumptions of previous work and claimed that there exists a spatial correlation
between errors at co-located receiver positions. We experimentally validated that
the predicted error correlation is present in authentic signal scenarios, as well as
under spoofing attacks. By leveraging the correlated noise of co-located receivers,
we were able to lower the false alarm rate of the countermeasure, while preserving
the sensitivity to attacks.
A multi-receiver formation of at least four receivers can detect attacks even con-
sidering an attacker utilizing multiple antennas, whereas two receivers can already
detect single-antenna attacks. As a result, a formation covering an area of 26m² is
sufficient (for a detection rate of 99% and a false alarm rate of approx. 10⁻⁵), in
contrast to the previously proposed 200m² [126] or even larger areas [37]. We
realized the first multi-receiver-based GPS spoofing detection system based on low-cost
COTS devices. Using this implementation, we were able to validate our theoreti-
cal findings through a range of experiments using single-antenna and multi-antenna
attackers. For an experiment over the course of roughly 3 h, we observed no false
alarms or missed detections.
Data is like garbage. You’d better know what you
are going to do with it before you collect it.
— Mark Twain
5 Crowdsourced GPS Spoofing Detection and Spoofer Localization
Contents
5.1 Introduction
5.1.1 Problem Statement
5.1.2 Contribution
5.2 Related Work
5.3 System Model
5.4 Attacker Model
5.4.1 Threat Model
5.4.2 Validation of Assumptions
5.5 Crowd-GPS-Sec
5.6 Multilateration (MLAT)
5.7 GPS Spoofing Detection
5.7.1 Time Alignment of Transmissions
5.7.2 Test 1 (Cross-Checks with Multilateration (MLAT))
5.7.3 Test 2 (Multiple Aircraft Comparison)
5.7.4 Complementary Design
5.8 GPS Spoofer Localization
5.8.1 Localization Model
5.8.2 Error Minimization
5.8.3 Improved Filtering
5.9 Evaluation
5.9.1 Spoofing Detection Performance
5.9.2 Spoofer Localization Performance
5.9.3 Impact of GPS Accuracy
5.9.4 Impact of MLAT Accuracy
5.9.5 Impact of Spoofed Track Velocity
5.10 Discussion
5.10.1 Combined Error Effects
5.10.2 Localizing Spoofers of Stationary Targets
5.10.3 Applicability to Other Networks
5.11 Summary
5.1 Introduction
While Global Navigation Satellite Systems (GNSSs) have become the de facto stan-
dard means of navigation and tracking services in outdoor environments on the
Earth’s surface, their services also play an important role for aerial applications.
With its ubiquitous coverage, Global Positioning System (GPS) is often a mission
critical factor for aircraft navigation as well as for Unmanned Aerial Vehicles (UAVs),
ranging from consumer-class mini or micro drones to tactical and strategic UAVs.
5.1.1 Problem Statement
Although GPS is commonly used in aviation, the system is not secure, i. e., civilian
(public) GPS signals sent by the satellites are neither authenticated nor encrypted.
As a consequence, aircraft and UAVs are vulnerable to GPS signal spoofing attacks,
where a malicious transmitter emits signals similar to those from the satellites but
at a higher power and, potentially, at slightly different time delays. The aircraft’s
GPS receiver will likely lock on to the spoofed signal as it arrives with a higher
signal strength than the authentic signals. By selectively varying the time offsets of
the spoofed satellite signals, attackers are able to mimic arbitrary positions. These
kinds of spoofing attacks are well-known [40, 43, 52, 86, 128] and have been shown
to be feasible in the real world [9, 40]. In fact, GPS spoofing has allegedly been
used to hijack a CIA stealth drone (RQ-170) in Iran in 2011 [103] or to lure ships
off their course [9, 86]. Moreover, GPS spoofing has been used as a defense against
GPS-controlled UAVs flying in the vicinity of the Kremlin in Russia [73, 100, 113]. In
particular, in 2017, a mass GPS spoofing incident occurred in the Black Sea
[13, 30, 31, 53, 64], an attack executed by an unknown spoofer from an unknown position.
Over the years, the price to perform GPS spoofing attacks has dramatically
dropped as detailed in Section 3.3. Mobile Commercial Off-the-Shelf (COTS) GPS
spoofing devices are available for less than $1,000 [86] and publicly available soft-
ware tools [76] allow the generation of arbitrary GPS signals. The price fall and
low-expertise requirements raise the risk for applications relying on GPS for safety-
or security-critical decisions and processes. The democratization of GPS spoofing
technologies has triggered the development of various countermeasures, which can
be coarsely categorized into three classes: (i) data bit level, (ii) signal processing
level, and (iii) navigation and position solution level [45]. Since the majority of
countermeasure proposals require far-reaching modifications of either the GPS
infrastructure or the receiving devices, they are unlikely to be implemented in the
near future.
Research Question. We state the following research question: How can we detect
(and potentially localize) GPS spoofing attacks without requiring any modifications on
the currently available satellite and receiver infrastructure? Moreover, the solution
should be suitable for a geographically distributed sensor network via crowdsourcing
collaboration.
5.1.2 Contribution
Driven by the increasing threat and the lack of realistic short-term solutions, we
propose Crowd-GPS-Sec, a system that detects and localizes GPS spoofing attacks
on aerial vehicles without the need to update either the satellites’ signals or the
logic of the airborne GPS receivers. Crowd-GPS-Sec leverages crowdsourcing to
monitor the position advertisements derived from GPS that aircraft and UAVs
periodically broadcast for air traffic surveillance. Using those advertisements, we devise a
GPS spoofing detection and localization solution that analyzes the contents and the
Time Difference of Arrivals (TDoAs) of these surveillance messages as received by
distributed sensors on the ground.
We evaluate Crowd-GPS-Sec with simulations and real-world data from the Open-
Sky Network [74,107], a crowdsourcing initiative which maintains a network of more
than 850 air traffic communication sensors around the world. Our implementation
of Crowd-GPS-Sec is able to globally detect GPS spoofing attacks in less than two
seconds and to localize the attacker up to an accuracy of 150 meters after 15 minutes
of monitoring time.
While the problem addressed in this work is related to spoofing detection and
localization in classical direction finding [20,63,68] and multilateration systems [69],
there is one fundamental difference and unique advantage. Instead of trying to de-
tect and localize the GPS spoofer through direct measurements of its own signals, we
rely on indirect measurements from position advertisements that aircraft are broad-
casting. This approach enables us to detect and localize the spoofer even when there
is no direct Line of Sight (LoS) between a sensor and a spoofer. Maintaining a LoS
to an aircraft is much simpler and thus more effective since aircraft are in the sky
and use high transmission power levels which render the signals receivable from the
ground up to several hundred kilometers away. Another major advantage is that
Crowd-GPS-Sec relies on data from air traffic monitoring sensors that are already
widely deployed around the world. Thus, our solution does not require a dedicated
GPS signal acquisition infrastructure for spoofing detection and localization. To the
best of our knowledge, this work is the first to propose a GPS spoofing
countermeasure which takes advantage of considering indirect GPS-inferred data rather than
raw GPS signals.
Summary. In summary, our work makes the following contributions:
• We propose Crowd-GPS-Sec and elaborate on the idea to provide security via
an existing infrastructure of crowdsourcing sensors.
• We present algorithms for the detection of GPS spoofing attacks on airborne
targets by using aircraft reports and multilateration.
• We provide a novel technique for the localization of GPS spoofers based on
position differences between pairs of spoofed aircraft.
• We report on experiments with aircraft transponders and assess the perfor-
mance of Crowd-GPS-Sec analyzing real-world air traffic control data.
The contributions of this work resulted from a collaboration with Matthias Schäfer,
Daniel Moser, Vincent Lenders, Christina Pöpper, and Jens Schmitt.
5.2 Related Work
As GPS is known to be vulnerable to spoofing attacks [40, 42, 45, 52, 135], several
works demonstrated their feasibility [9, 43, 57, 86]. Attacks can target different do-
mains such as vehicle navigation systems [9, 57, 86, 115, 145] or critical infrastruc-
tures [144]. Tippenhauer et al. [128] analyzed the requirements for successful GPS
spoofing attacks. It is worth noting that GPS spoofing has also been proposed as
a countermeasure, e. g., to defend against hostile UAVs [42, 57, 73, 113] by means of
hijacking or misguidance.
A rich body of countermeasures specific to GPS exists in the literature which
can be categorized into prevention and detection measures. In order to prevent
spoofing of GPS signals, several works propose the use of cryptographic techniques
to authenticate satellite signals [35,36,41,59,112,141]. This is similar to how military
GPS signals are protected. However, cryptographic techniques require profound
modifications of the GPS infrastructure as well as a key distribution system which
is challenging to implement for applications with disconnected receivers. Further,
the use of encryption alone does not protect against signal replaying attacks [77,78].
The detection of GPS spoofing attacks also received considerable attention in the
literature providing a broad overview [33,34,45,54,87,111,138] on different detection
techniques.
A different class of detection approaches deploys multiple receiving antennas. Tip-
penhauer et al. [49, 128] and Swaszek et al. [125–127] use multiple co-located GPS
receivers whose calculated positions and times are compared; coinciding locations
indicate an attack. A dual antenna receiver setup to determine the Angle of Arrival
(AoA) of incoming signals is proposed by Montgomery et al. [68] and extended by
Psiaki et al. [88, 89] to include differential carrier phase measurements. Magiera
and Katulski [63] even suggest the use of arrays of antennas showing that antenna
diversity is effective at detecting single antenna spoofers without knowledge of the
target’s position. Although these detection approaches do not require changes to
the GPS infrastructure, they assume more sophisticated GPS receivers which would
significantly increase the complexity, size, costs, and power requirements. This,
however, is contradictory to the objectives of GPS.
On the other hand, techniques for localizing the source of wireless spoofing attacks
also exist in the literature. Chen et al. [15] proposed a localization approach for wire-
less attacks (not specific to GPS satellite signals) based on Received Signal Strength
(RSS) readings from different locations to locate the spoofer. They evaluated their
scheme in 802.11 and 802.15.4 networks. Later, Yang et al. [142, 143] extended
the scheme to deal with attackers which vary their transmission power. Rather
than using direct RSS values, they consider RSS differences at multiple locations.
Bhatti et al. [10] localize GNSS spoofers by comparing TDoAs from a synchronized
array of sensor nodes. A UAV-mounted jammer localization system is implemented
by Perkins et al. [80,81] and they dynamically measure RSS and AoA information to
narrow down possible spoofer positions. It is worth noting that, in principle, almost
any passive localization technique (such as multilateration) could be used to locate
GPS spoofers. However, in contrast to our approach, these methods assume a direct
LoS between the localization system and the attacker. As a consequence, this would
require a dedicated infrastructure which covers all potential attacker positions.
Other works specifically consider spoofing detection and localization with re-
spect to aircraft broadcast signals via Automatic Dependent Surveillance-Broadcast
(ADS-B). Schäfer et al. [105,106] and Strohmeier et al. [119,123] present techniques
to verify position claims using a distributed sensor network. While Baker et al. [5]
design a verification and localization system with a mobile receiver, Moser et al. [69]
devise a multi-receiver spoofing detection system and even evaluate it against a
distributed and coordinated attack. However, the threat model in these works is
different to ours as they consider spoofed ADS-B signals and not spoofed GPS sig-
nals. These techniques are therefore not capable of localizing GPS spoofers in the
same way as in Crowd-GPS-Sec.
Figure 5.1: Schematic overview of currently deployed technologies used to monitor air traffic including GPS, RADAR, and ADS-B/Flarm. (Diagram labels: GPS, RADAR, ADS-B/Flarm, Satellite-to-Aircraft, Aircraft-to-Ground.)
5.3 System Model
While in the past, Radio Detection and Ranging (RADAR) and inertial systems
used to be the two main localization technologies in aviation, GPS is today often
the preferred solution due to its superior accuracy. Modern airliners, smaller aircraft,
gliders, helicopters, or UAVs are almost all equipped with GPS receivers. GPS is
typically used by pilots or UAVs for self-localization but the technology is also used
for remote air-traffic surveillance and collision-avoidance applications. In the latter
cases, aerial vehicles are required to periodically broadcast position and velocity
advertisements to inform neighboring aircraft and ground controllers about their
presence. Larger aerial vehicles generally transmit those messages over the ADS-B
system while smaller and slower vehicles rely on the Flarm [25] system. Irrespective
of the used system, these advertisements contain a position $p^{GPS}$ that is directly
derived from airborne GPS receivers as depicted in Figure 5.1.
In this work, we propose to leverage the position advertisement messages of ADS-B
and Flarm in order to detect and localize GPS spoofers. While ADS-B and Flarm
rely on different radio frequencies and message formats, the underlying concept is
the same. At regular random intervals at transmission time $t_{TX}$ (around twice per
second), aircraft $A_i$ broadcast their current position $p_i^{GPS}$ together with their unique
identifiers. Neighboring aerial vehicles and ground stations receive these messages
to generate a recognized air picture. The advertisement messages can be received
over long distances. In ADS-B, messages can be received up to distances of 700 km
when there is a direct LoS between the transmitter and the receiver [110]. In Flarm,
the range is smaller but reception ranges of up to 100 km are possible.
5.4 Attacker Model
GPS spoofing attacks exploit the lack of encryption and authentication of civil-
ian GPS signals by imitating the legitimate signals with the purpose of modifying
the localization or time result of a victim [43, 52, 57, 128, 135]. Technically, spoof-
ing attacks are based on fake GPS signals manipulating the TDoAs of signals that
otherwise use the same payload as real signals. In the past, incidents were re-
ported [9,73,86,100,103,113] where spoofers successfully interfered with the integrity
of GPS-dependent systems, thus rendering the spoofing threat far from being only
of theoretical nature. As a result, currently marketed drones, aircraft, helicopters,
or any kind of vehicles that rely on GPS are prone to spoofing attacks and lack
effective countermeasures.
Based on common assumptions on attacker capabilities and recent incidents, we
assess the resulting threat model. First, we clarify our considered adversary model.
Second, we reason about key assumptions that Crowd-GPS-Sec is based on to de-
tect and localize spoofing attacks. We focus on the common assumption that the
attacker uses a single antenna for transmitting the spoofing signals, but the pro-
posed technique could also be extended to multi-antenna attackers representing an
emerging threat [46].
5.4.1 Threat Model
The attacker’s motivation to interfere with air safety by injecting false positioning
information into UAVs or aircraft can be manifold. An attacker may consider
hijacking the targeted victim for the attacker’s own benefit, such as acquiring goods
or circumventing flying bans. Even more severe, an attacker may participate in terrorist attacks
by manipulating the air-traffic control or the collision-avoidance systems, e. g., by
spoofing fake position information to fool the safety logic of these systems.
In our adversary model, the attacker is able to transmit specially crafted signals
identical to those broadcasted by GPS satellites but can achieve a higher power at
the target location. The attacker aims at spoofing a moving aircraft or a UAV from
a position on the ground. In order to conduct a stealthy and unnoticed attack, the
spoofer may use a directional antenna oriented towards the victim in the sky. How-
ever, due to the target’s movement, the attacker needs to transmit signals from a
considerable distance, hundreds of meters to kilometers away. We note that typical
operating altitudes of UAVs range from 60 m to 20,000 m and their mission radii
vary from 5 km to 200 km and beyond [50]. Hence, if the route taken by the victim
is not predictable, the attacker will be forced to use antennas with wide-beam
propagation patterns. This forces the attacker to transmit signals of such a strength
and propagation that the spoofing signals most likely will not only be received at a
particular primary target location but also over a wider area, affecting other aircraft
and UAVs in the neighborhood. Since the spoofer is targeting moving vehicles, we
further assume that the spoofer is emulating a moving track such as a straight line
or a curve with some potential acceleration.
5.4.2 Validation of Assumptions
Crowd-GPS-Sec relies on two key assumptions which we validate in this section. The
first assumption is that whenever a GPS receiver locks on to the spoofed signals,
the position advertisements of the aircraft and UAVs will contain the spoofed GPS
positions. While commercial GPS receivers are known to be vulnerable to spoofing
attacks [9,40,42,43,52,57], aviation transponders could have additional plausibility
checks to prevent spoofed GPS positions propagating to the broadcasted position
advertisements. The second assumption is that the spoofed signals will not only
affect the target victim of the spoofer but also neighboring aircraft and UAVs. We
validate these two assumptions with controlled lab experiments and simulations with
real-world air traffic data from the OpenSky Network [74].
Spoofing Experiments
We perform GPS spoofing experiments with two Flarm [25] transponders that are
widely deployed. As we could not get formal approval from the national office of com-
munications in Switzerland to perform GPS spoofing experiments in the wild with
real aircraft, we rely on an isolated experimental setup inside a shielded lab environ-
ment. The goal of these experiments is to demonstrate that existing transponders do
not perform any checks on the derived GPS position and that spoofers can precisely
control the position and speed of victim receivers.
Our experimental setup consists of two newest-generation Flarm transponders
from Flarm Technology: a PowerFLARM Core and a PowerFLARM Portable both
with an integrated GPS receiver from u-blox, see Figure 5.2. Worldwide, more than
30,000 manned aircraft, helicopters, and UAVs are equipped with these transponders
[25]. As the GPS spoofer, we rely on a Universal Software Radio Peripheral
(USRP) B200 [23] from Ettus Research and the software-defined GPS signal simulator
gps-sdr-sim [76]. To monitor the reported Flarm position advertisements from
the transponders, we use a Raspberry Pi [97] with an RTL-Software Defined Radio
(SDR) dongle [101] and the flare [92] open-source Flarm decoder. All devices are
equipped with omnidirectional antennas.
Figure 5.2: Two newest-generation Flarm transponder models, (a) PowerFLARM Core and (b) PowerFLARM Portable. Both transponders have an integrated GPS receiver but do not provide any protection against GPS spoofing and advertise false positions when spoofed.
We put all devices in the vicinity of each other and spoof tracks with speeds of 0 km/h,
6 km/h, 30 km/h, 100 km/h, 300 km/h, and 1,000 km/h. The difference between the
fake target positions emitted by the spoofer and the reported positions in the Flarm
advertisements is plotted in Figure 5.3. While the deviation becomes larger with
increasing speed, our experiments confirm that an attacker can exactly control the
derived position and speed at the Flarm devices. Even for speeds up to 1,000 km/h,
the deviation of both spoofed devices is always smaller than 160 m, and thus
significantly smaller than the mandated separation minima in aviation [133]. These
experiments also confirm that such commercial transponders as deployed in aerial
vehicles do not perform plausibility checks on the GPS signal input and simply
report the spoofed GPS data in the advertisement messages. This result is in line with
air traffic communications not being protected against wireless attacks [122].
Spoofing Coverage Estimation
To validate the assumption that a GPS spoofer will affect the GPS receivers of
multiple aerial vehicles at the same time, we evaluate the reception range of a spoofer
using the free-space path loss model and a typical airspace density model as observed
by the OpenSky Network in the European airspace.
Figure 5.3: Cumulative Distribution Function (CDF) of the deviation between spoofed and reported positions of the PowerFLARM Core transponder. (Plot axes: deviation [m], 0 to 160, against CDF, 0 to 1; one curve per spoofed speed of 0, 6, 30, 100, 300, and 1000 km/h.)
Since the power of GPS signals when they arrive at the Earth’s surface is very
low and below the noise floor (approx. −160 dBW [130]), the necessary power
to create adequate spoofing signals is accordingly low. We assume an attacker
with standard equipment, who can reasonably achieve a generated signal power
of 15 dBm (USRP N210 [24]) coupled with an exemplary antenna gain of 12 dBi in
the main lobe. We also consider an additional signal attenuation of approx. 30 dB
due to the fuselage and the downward direction. Based on these estimations, we can
calculate the reception range with regard to the free-space path loss [1]:
$$L_{fs}(d_{km}) = 32.45 + 20 \log_{10}(d_{km}) + 20 \log_{10}(f_{MHz}), \tag{5.1}$$
where $d_{km}$ is the distance between the source of the signal and the receiver in
kilometers and $f_{MHz}$ is the signal frequency given in megahertz; the constant 32.45 depends
on the utilized units. The resulting reception range is based on the signal power
impaired by all attenuation sources and the distance $d_{km}$ from Equation (5.1):
$$\text{Power} - L_{fs}(d_{km}) - \text{Attenuation} \geq -160\ [\text{dBW}],$$
which results in a distance $d_{km}$ of approx. 34 km. Considering our parameter
estimations, all aircraft within the main lobe closer than 34 km will receive the spoofing
signal with at least −160 dBW.
Naturally, an attacker will be interested in exceeding these power levels to en-
sure the takeover of the GPS lock at the intended target(s). However, to remain
as stealthy as possible, the attacker is likely to use an attack setup with directional
antennas to avoid a wide signal broadcast detectable by, e. g., ground-based signal
power sensors. A directional antenna setup is characterized by its beamwidth influ-
encing the signal spread and the inclination angle determining how the main lobe
of the signal beam is targeted. Notably, an attack on moving targets requires
increasing the beamwidth and using higher inclination angles, resulting in a certain
proliferation of the affected area.
Figure 5.4: The number of affected aircraft depends on the beamwidth of the directional antenna and the inclination angle. The figure uses a realistic airspace density sampled from OpenSky Network data. (Plot axes: inclination [°], 20 to 50, against average affected aircraft, 1 to 5; one curve per beamwidth of 0°, 10°, 20°, 30°, 40°, and 50°.)
Based on data from an exemplary day (February 13th, 2017) sampled from the
OpenSky Network, we perform a conservative estimation of the average number
of aircraft possibly affected by a spoofing attack. The results in Figure 5.4 con-
sider randomly selected en-route aircraft in the European airspace. The baseline
(0° beamwidth) represents an attacker that can perfectly pinpoint a victim, thus
avoiding secondary targets. Such a small beamwidth is however impossible to achieve
in practice and would further be very sensitive to small orientation errors. As one
can see, small beamwidths and inclination angles already span enough space to af-
fect several aircraft around the intended target, making it highly likely to hit several
additional aircraft. The assumption that our work relies on is therefore realistic for
dense airspaces such as found in Europe.
5.5 Crowd-GPS-Sec
We propose Crowd-GPS-Sec as an independent system infrastructure on the ground
that continuously analyzes the content and the Time of Arrival (ToA) of Flarm
and ADS-B position advertisements. As its name suggests, Crowd-GPS-Sec re-
lies on crowdsourcing to monitor those messages at global scale. The sensors used
for Crowd-GPS-Sec are part of the growing OpenSky Network [74, 107–110, 120], a
crowdsourcing initiative with the purpose to make air traffic communication data
available for research.
Figure 5.5: Worldwide coverage of Crowd-GPS-Sec as of December 2017.
The vast majority of the sensors are installed and operated by aviation enthusiasts
and volunteers who support the cause of the network. As of December 2017, it
collects more than 200,000 messages per second at peak times from over 700 sensors
which are distributed all over the world as shown in Figure 5.5. Europe and the
American continent exhibit a particularly high density of sensors such that individual
position advertisements are most likely being received by more than four sensors.
The goals of Crowd-GPS-Sec are to detect GPS spoofing attacks on aerial vehicles
as quickly as possible and to localize the position of the spoofer(s). To achieve these
goals, Crowd-GPS-Sec has three modules which continuously process all position
advertisements that are received by the OpenSky Network, as shown in Figure 5.6.
The Multilateration (MLAT) module estimates the location of the aircraft based
on the TDoAs of position advertisements between different sensors. This module
is fundamental to Crowd-GPS-Sec as it allows us to determine the true position of
the aircraft independently of the content of the advertised messages. The spoofing
detection module checks for inconsistencies between multilaterated positions and
GPS-derived positions in the advertisement messages as well as for inconsistencies
between position advertisements from different aircraft (e. g., when two aircraft ad-
vertise the same position at the same time). The spoofer localization module, finally,
is triggered only when the spoofing detection module has detected a GPS spoofer. It
then estimates the position of the spoofer by analyzing differences in position adver-
tisements from affected aircraft in consideration of the true positions as estimated
by MLAT. We describe the modules in the next three sections.
Figure 5.6: The system overview of Crowd-GPS-Sec: A spoofer transmits fake GPS signals received by aircraft that periodically broadcast ADS-B/Flarm position reports. Ground-based sensors record these reports, which are then processed for spoofing detection and spoofer localization.
5.6 Multilateration (MLAT)
The implementation of MLAT as an independent aircraft localization scheme will serve as
an auxiliary component for one of the spoofing detection tests and the subsequent
spoofer localization. To implement such a system, we make use of the fact that in
regions with high sensor density position advertisement messages are received by
multiple geographically distributed sensors. Each message is timestamped at the
receiver and can be represented as a simplified tuple of the reported position and
the ToA:
$$m := (p_i^{GPS}, t_R), \tag{5.2}$$
where $p_i^{GPS}$ denotes the reported position of aircraft $i$ as derived by GPS and $t_R$ is
the timestamp as generated by receiving sensor $R$.
Since the sensors are geographically distributed, the propagation distances of the
transmitted signals differ. Hence, the same broadcasted message is potentially times-
tamped differently at diverse sensors. If the sensors are synchronized to the same
global clock, e. g., by GPS time synchronization, and are deployed at known posi-
tions, we can formulate relations between the propagation distances and the TDoA:
$$\text{dist}(A, R_i) - \text{dist}(A, R_j) = \Delta t_{i,j} \cdot c, \tag{5.3}$$
where $R_i$ and $R_j$ denote the position of sensor $i$ and the position of sensor $j$,
respectively. The TDoA of the same message from a reference aircraft $A$ between these
sensors is $\Delta t_{i,j} = t_i - t_j$, and $c$ is the speed of light.
Equation (5.3) is fulfilled for all points that have the same distance difference to
both considered sensors determined by the TDoA. By constructing at least four
relations of this type, we perform multilateration to approximate the position of
the targeted aircraft. Geometrically, each relation describes a hyperbola in 2D and
a hyperboloid in 3D. The intersecting point of all relations indicates the aircraft
position. Figure 5.7 provides a visual interpretation of this multilateration process.
Figure 5.7: Implementation of an independent aircraft localization scheme based on multilateration considering the TDoAs of ADS-B/Flarm messages.
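The relations of Equation (5.3) can be intersected numerically. The following added example (not code from the thesis or from the OpenSky Network) estimates an aircraft position from message timestamps with a Gauss-Newton least-squares solver and a backtracking step, a solver choice made here for illustration. The sensor layout, the aircraft position, the initial guess, the noise-free timestamps, and all function names are constructed assumptions in a local Cartesian frame.

```python
import math

C = 299_792_458.0  # speed of light [m/s]

# Constructed sensor positions [m] in a local east/north/up frame (not real sites).
SENSORS = [(0.0, 0.0, 400.0), (60000.0, 5000.0, 500.0), (-40000.0, 45000.0, 1500.0),
           (-30000.0, -50000.0, 350.0), (35000.0, -40000.0, 900.0),
           (10000.0, 60000.0, 450.0)]
TRUE_POS = (12000.0, -8000.0, 10500.0)  # constructed aircraft position [m]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def simulate_toas(aircraft, sensors, t_tx=1000.0):
    """Constructed, noise-free timestamps t_R of one message sent at t_tx."""
    return [t_tx + dist(aircraft, s) / C for s in sensors]

def residuals(p, sensors, toas):
    """Eq. (5.3) against reference sensor 0: dist(A,Ri) - dist(A,R0) - dt_i0 * c."""
    d0 = dist(p, sensors[0])
    return [dist(p, s) - d0 - (t - toas[0]) * C
            for s, t in zip(sensors[1:], toas[1:])]

def jacobian(p, sensors):
    """Gradient of each residual: unit vector from Ri to A minus the one from R0."""
    d0 = dist(p, sensors[0])
    u0 = [(p[k] - sensors[0][k]) / d0 for k in range(3)]
    rows = []
    for s in sensors[1:]:
        d = dist(p, s)
        rows.append([(p[k] - s[k]) / d - u0[k] for k in range(3)])
    return rows

def solve3(a, b):
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, 3):
            f = m[r][col] / m[col][col]
            for k in range(col, 4):
                m[r][k] -= f * m[col][k]
    x = [0.0, 0.0, 0.0]
    for r in (2, 1, 0):
        x[r] = (m[r][3] - sum(m[r][k] * x[k] for k in range(r + 1, 3))) / m[r][r]
    return x

def multilaterate(sensors, toas, guess, iterations=50):
    """Least-squares intersection of the hyperboloids defined by Eq. (5.3)."""
    p = list(guess)
    cost = sum(r * r for r in residuals(p, sensors, toas))
    for _ in range(iterations):
        res = residuals(p, sensors, toas)
        jac = jacobian(p, sensors)
        jtj = [[sum(row[a] * row[b] for row in jac) for b in range(3)]
               for a in range(3)]
        jtr = [-sum(row[a] * ri for row, ri in zip(jac, res)) for a in range(3)]
        step = solve3(jtj, jtr)
        scale = 1.0
        while scale > 1e-6:  # backtracking: accept only steps that lower the cost
            cand = [p[k] + scale * step[k] for k in range(3)]
            new_cost = sum(r * r for r in residuals(cand, sensors, toas))
            if new_cost < cost:
                p, cost = cand, new_cost
                break
            scale /= 2
        else:
            break            # no improving step left: converged
        if scale * math.sqrt(sum(s * s for s in step)) < 1e-4:
            break
    return tuple(p)

def demo():
    toas = simulate_toas(TRUE_POS, SENSORS)
    n = len(SENSORS)
    # Assumed start: horizontal centroid of the sensors at a cruise-like altitude.
    guess = (sum(s[0] for s in SENSORS) / n, sum(s[1] for s in SENSORS) / n, 10000.0)
    return multilaterate(SENSORS, toas, guess)

if __name__ == "__main__":
    est = demo()
    print("estimate:", est, "error [m]:", dist(est, TRUE_POS))
```

The estimate uses only sensor positions and timestamps, never the position reported inside the message, which is what makes it usable as an independent reference.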
5.7 GPS Spoofing Detection
Spoofing detection is the first step in a mitigation strategy to counter GPS spoofing
attacks. The idea of Crowd-GPS-Sec to detect GPS spoofing attacks is based on the
broadcasted ADS-B/Flarm reports containing potentially spoofed positioning infor-
mation. We propose a verification process consisting of a preceding time alignment
process and two complementary checks.
5.7.1 Time Alignment of Transmissions
Since ADS-B/Flarm messages are broadcasted at variable transmission times, we
need to time-align those reports in order to make them comparable. This is achieved
by incorporating the results from the MLAT computation. To align the position
reports to a reference global time, two steps are performed subsequently.
The first step yields the transmission time $t_{TX}$ at which the aircraft started the
broadcast of the ADS-B/Flarm message:
$$t_{TX} = t_R - \frac{\text{dist}(A, R)}{c}, \tag{5.4}$$
with $t_R$ being the time at which sensor $R$ has timestamped the message, $\text{dist}(A, R)$
representing the Euclidean distance between the considered sensor and aircraft, and
$c$ being the speed of light.
The second step is an interpolation to approximate the aircraft position $p_{REF}$ at
a global reference time $t_{REF}$. We need to consider the following three cases:
$$p_{REF} = \begin{cases}
\dfrac{p_{TX} \cdot (t_{TX+1} - t_{REF}) + p_{TX+1} \cdot (t_{REF} - t_{TX})}{t_{TX+1} - t_{TX}} & t_{TX} < t_{REF} \\
p_{TX} & t_{TX} = t_{REF} \\
\dfrac{p_{TX} \cdot (t_{REF} - t_{TX-1}) + p_{TX-1} \cdot (t_{TX} - t_{REF})}{t_{TX} - t_{TX-1}} & t_{TX} > t_{REF}
\end{cases} \tag{5.5}$$
with $p_{TX} = a$ denoting the aircraft position at transmission time, $TX-1$, $TX$, and
$TX+1$ being the previous, current, and next transmission event, respectively. After
this interpolation, all reported positions are time-aligned and can be compared with
respect to the same reference time basis. In the remainder of this work, we assume
time-aligned positions.
5.7.2 Test 1 (Cross-Checks with MLAT)
We propose the implementation of two complementary tests. The first test performs
a cross-check between the reported positions and the estimated real positions from
the previously described MLAT approach. We check for each incoming position
report whether
$$\text{dist}(p_i^{MLAT}, p_i^{GPS}) \overset{?}{<} T_1 \tag{5.6}$$
holds, where $p_i^{MLAT}$ is the real position of aircraft $A_i$ determined by MLAT, $p_i^{GPS}$
is the position reported by aircraft $A_i$ using ADS-B/Flarm, dist() is the Euclidean
distance function, and $T_1$ denotes a predefined threshold which tolerates measurement
errors in $p_i^{MLAT}$ and $p_i^{GPS}$. Choosing the right threshold $T_1$ depends on the
accuracy of the underlying secondary localization method (here MLAT). Smaller values
of $T_1$ lead to higher false positive rates, while larger values create more room for
undetected manipulations.
Complexity
Let n be the number of aircraft. Equation (5.6) needs to be checked once for
each aircraft, i. e., n times, resulting in a complexity of O(n). For each sampling
time, we require the positioning information from ADS-B/Flarm and MLAT. The
comparisons of both positioning sources can be parallelized, since the checks for
each aircraft are independent of all other aircraft. As a result, the first test of GPS
spoofing detection scales linearly with the number of simultaneously tracked aircraft.
5.7.3 Test 2 (Multiple Aircraft Comparison)
The second test makes use of the information provided by other aircraft. In particu-
lar, we perform a comparison between reported positions of multiple aircraft. When
multiple aircraft receive the signals from the same spoofer device, they will appear
at the same location [49,128] since the time differences between individual satellites
are emulated on the radio of the spoofer prior transmission. Due to mandatory sep-
aration minima [133], i. e., minimum required distances between en-route aircraft,
similar positions are critical and are caused either by a serious incident, e. g., near-
collision, or a GPS spoofing attack. Eventually, the multiple aircraft comparison
test is defined as:
$$\mathrm{dist}(p_i^{\mathrm{GPS}}, p_j^{\mathrm{GPS}}) = d_{i,j} \overset{?}{>} T_2, \qquad (5.7)$$
where i and j denote two different aircraft, $p_i^{\mathrm{GPS}}$ and $p_j^{\mathrm{GPS}}$ are the GPS-derived
positions of aircraft i and aircraft j, respectively. Moreover, dist() is the Euclidean
distance function, where $d_{i,j}$ is its result, and $T_2$ is a threshold tolerating the GPS
positioning noise. Choosing an appropriate $T_2$ depends on the mandated separation
minima in the considered airspace and the accuracy of the GPS information provided
via position reports. However, as accuracy is one of the design goals of ADS-B and
Flarm and the separation minima are usually in the order of kilometers, a threshold
as small as a few hundreds of meters is appropriate.
Complexity
Let n be the number of aircraft. Since Equation (5.7) considers pairs of aircraft,
a naive implementation would require $\binom{n}{2} = \frac{n^2 - n}{2}$ comparisons, resulting in a
complexity of $O(n^2)$. However, since Test 2 considers spatial data only, the complexity
can be reduced by implementing nearest neighbor searches based on k-d trees and
cover trees. In fact, since Test 2 fails if there is any neighbor closer than $T_2$,
solving the 1-nearest neighbor (1-NN) problem for each aircraft is sufficient. Using
the aforementioned data structures, this can be accomplished at a complexity
of $O(\log n)$ for each aircraft [8], resulting in a global complexity of $O(n \cdot \log n)$.

Table 5.1: Spoofing Detection Tests Comparison

| Test | Equation | Complexity | Requirement | Advantages |
|---|---|---|---|---|
| 1 | $\mathrm{dist}(p_i^{\mathrm{MLAT}}, p_i^{\mathrm{GPS}}) \overset{?}{<} T_1$ | $O(n)$ | MLAT | Low Complexity, Single Detection |
| 2 | $\mathrm{dist}(p_i^{\mathrm{GPS}}, p_j^{\mathrm{GPS}}) \overset{?}{>} T_2$ | $O(n \cdot \log n)$ | Neighbors | MLAT Independence, Attack Separation |

5.7.4 Complementary Design
We propose a complementary design consisting of both tests in parallel. Table 5.1
contains a comparison of the spoofing detection tests. While the first test based on
the cross-check of Equation (5.6) is independent of other flights, the second test based
on the comparison of multiple aircraft of Equation (5.7) is independent of the MLAT
positioning and can thus tolerate bad MLAT performance (e. g., when sensors have
a bad geometric distribution leading to high dilution of precision). Furthermore, the
second test is able to separate multiple spoofing attacks occurring at the same time
as there will be independent sets of coinciding aircraft. The combination of both
tests can overcome the pitfalls of the other and we can achieve a more versatile and
robust spoofing detection.
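
Both tests of Equations (5.6) and (5.7), run side by side and followed by the grouping of coinciding aircraft into separate attacks, as an added example (not code from the thesis or the OpenSky Network). The function names, the threshold T1 = 500 m, the aircraft ids, the local metric coordinates and all report values are constructed assumptions; the pure-Python k-d tree stands in for any 1-NN index.

```python
import math

def dist(p, q):
    """Euclidean distance between two coordinate tuples (metres)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

def cross_check_mlat(p_mlat, p_gps, t1):
    """Test 1, Eq. (5.6): ids whose report is not within T1 of the MLAT fix.
    Aircraft without an MLAT fix cannot be checked and are skipped."""
    return {a for a, p in p_gps.items()
            if a in p_mlat and not dist(p_mlat[a], p) < t1}

def build_kdtree(items, depth=0):
    """items: list of (id, point). Node layout: (item, axis, left, right)."""
    if not items:
        return None
    axis = depth % len(items[0][1])
    items = sorted(items, key=lambda it: it[1][axis])
    mid = len(items) // 2
    return (items[mid], axis,
            build_kdtree(items[:mid], depth + 1),
            build_kdtree(items[mid + 1:], depth + 1))

def nearest_other(node, ident, point, best=(math.inf, None)):
    """1-NN query that ignores the querying aircraft. Returns (distance, id)."""
    if node is None:
        return best
    (nid, npt), axis, left, right = node
    if nid != ident:
        d = dist(point, npt)
        if d < best[0]:
            best = (d, nid)
    delta = point[axis] - npt[axis]
    near, far = (left, right) if delta < 0 else (right, left)
    best = nearest_other(near, ident, point, best)
    if abs(delta) < best[0]:          # the other half-space may hold a closer point
        best = nearest_other(far, ident, point, best)
    return best

def multi_aircraft_check(p_gps, t2):
    """Test 2, Eq. (5.7): ids that have any other aircraft not farther than T2."""
    tree = build_kdtree(list(p_gps.items()))
    return {a for a, p in p_gps.items()
            if not nearest_other(tree, a, p)[0] > t2}

def attack_groups(p_gps, flagged, t2):
    """Group Test 2 hits into independent sets of coinciding aircraft
    (single linkage over the flagged aircraft only; a choice of this example)."""
    groups = []
    for a in sorted(flagged):
        linked = [g for g in groups
                  if any(not dist(p_gps[a], p_gps[b]) > t2 for b in g)]
        merged = {a}.union(*linked)
        groups = [g for g in groups if g not in linked] + [merged]
    return sorted(sorted(g) for g in groups)

# Constructed sample data in a local metric frame (x, y, altitude), all in metres.
T1 = 500.0   # assumption: tolerance for MLAT and GPS measurement errors
T2 = 300.0   # "a few hundreds of meters", well below separation minima
P_MLAT = {
    "A1": (0.0, 0.0, 10000.0),
    "A2": (20000.0, 5000.0, 11000.0),
    "A3": (60000.0, 0.0, 10500.0),
    "A4": (75000.0, 8000.0, 11000.0),
    "A5": (-90000.0, 40000.0, 9500.0),
    # A6 has no MLAT fix (e.g. poor sensor geometry)
    "A7": (-40000.0, 30000.0, 9000.0),
}
P_GPS = {
    "A1": (30.0, -20.0, 10010.0),            # genuine
    "A2": (20040.0, 5010.0, 11000.0),        # genuine
    "A3": (200000.00, 200000.0, 9000.0),     # spoofer X
    "A4": (200000.08, 200000.0, 9000.0),     # spoofer X
    "A5": (-150000.00, 90000.00, 3000.0),    # spoofer Y
    "A6": (-150000.05, 90000.02, 3000.0),    # spoofer Y, no MLAT fix
    "A7": (-50000.0, -120000.0, 8000.0),     # spoofed alone, no neighbor
}

def detect():
    hits1 = cross_check_mlat(P_MLAT, P_GPS, T1)
    hits2 = multi_aircraft_check(P_GPS, T2)
    return {"test1": hits1, "test2": hits2, "alert": hits1 | hits2,
            "attacks": attack_groups(P_GPS, hits2, T2)}

if __name__ == "__main__":
    for key, value in detect().items():
        print(key, sorted(value))
```

A7 is caught only by Test 1 and A6 only by Test 2, which is the complementary behavior summarized in Table 5.1.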
5.8 GPS Spoofer Localization
After spoofing detection, Crowd-GPS-Sec aims at localizing spoofer devices. This is
the next step in tracing an attacker in order to take appropriate action for shutting
down an attack. We present a novel localization approach to remotely pinpoint such
devices using already available ADS-B/Flarm reports broadcast by aircraft. We
start by describing the high-level idea and then detail the functionality of our
localization system based on crowdsourcing.
5.8.1 Localization Model
When a malicious device emits GPS spoofing signals, aircraft within the effective
range will broadcast spoofed positions as contained in their ADS-B/Flarm reports.
All aircraft that receive the same fake GPS signals will report positions on the same
track, but shifted in time as a result of the propagation delay caused by different
distances to the spoofing source [128]. In particular, at the same global time, the
aircraft have different synchronizations on the spoofing signals based on how long
it takes for the signals to arrive at the aircraft’s GPS receivers, i. e., aircraft that
receive the fake signals earlier are ahead on the spoofed track, whereas aircraft that
are further away from the spoofer receive the signals at a later point in time and are
thus behind on the track. We extract the position differences from the ADS-B/Flarm
reports and backtrace these deviations to the location of the spoofing device.
Our starting point is the identification of the currently spoofed aircraft, which is
the outcome of the GPS spoofing detection module. For those identified aircraft,
we forward relevant information to the spoofer localization module. We further
require the actual aircraft positions $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$ from MLAT and the mutual
distance $d_{i,j}$ between the GPS-derived position reports $p_i^{\mathrm{GPS}}$ and $p_j^{\mathrm{GPS}}$ with $A_i$, $A_j$
being aircraft affected by the same spoofing signals.
As a next step, we put the distance between the reported aircraft positions into
relation with the propagation distances and the rate of position change, i. e., the
spoofed track velocity. We can formulate this as follows:
$$\mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) = d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}, \qquad (5.8)$$
where $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$ indicate the actual position of aircraft $A_i$ and $A_j$ as given
by MLAT, SP is the unknown spoofer location, $d_{i,j}$ the distance of the reported
positions, and $v_{\mathrm{track}}$ the velocity of the spoofed GPS track. The factor $\frac{c}{v_{\mathrm{track}}}$ relates
the position change rate to the signal propagation speed (close to the speed of light).
We note that we need to assure $v_{\mathrm{track}} \neq 0$ and hence require a track of changing
positions. Having related the reported positions to the spoofer location, we solve
each equation towards this location. In particular, each equation describes all points
that have the same mutual distance differences.
Geometric Interpretation
Considering the solutions of one relation of the type given by Equation (5.8), all
potential solutions geometrically describe a hyperbola in two-dimensional space and
a hyperboloid in three-dimensional space with foci $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$ and distance
difference $d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}$. With two different relations, the possible solutions describe a
curve, which is the intersection between the hyperboloids. Eventually, three hyperboloids
intersect in at most two points, whereas four or more hyperboloids narrow
down the location of the spoofer to a single point. The general functionality of this
approach is depicted in Figure 5.8 as a two-dimensional projection.

Figure 5.8: Each relation forms a hyperboloid representing all points with the same distance differences. For the shown two-dimensional projection, we can construct three distinct relations considering three different aircraft.

Requirements
In order to obtain at least four different relations, we need to fulfill one of the
cases shown in Table 5.2. In particular, we either require four or more different
reference aircraft or, in the case we have less, we need to gather reports from the
same reference aircraft but from different locations. In other words, reports sent by
only two aircraft but from four different positions are already sufficient to perform
spoofer localization. Since we consider moving targets, the transmission origins will
naturally change likewise. Hence, we are able to trade the number of spoofed aircraft
with the required observation time, which we can formulate as follows:
$$\binom{m}{2} \cdot t_p \geq 4, \qquad (5.9)$$
where m is the number of spoofed aircraft and $t_p$ denotes the number of observed
samples from different aircraft positions. The binomial coefficient provides the number
of possible relations. Equation (5.9) defines the minimum requirement for our
spoofer localization. If fulfilled, we can construct at least four relations and eventually
determine a distinct solution for the spoofer location.

Table 5.2: Localization Requirements

| Affected Aircraft | Possibility of Localization |
|---|---|
| 1 | Localization not possible |
| 2 | At least 4 different locations |
| 3 | At least 2 different locations |
| 4+ | Localization possible |

Comparison with MLAT
The described localization approach exhibits similarities to the MLAT process of
Section 5.6 but is characterized by decisive differences as compared in Table 5.3.
Our approach uses the position information included in the ADS-B/Flarm reports,
whereas MLAT is based on the TDoAs at multiple sensors. We want to highlight
that it is not possible to trace the location of spoofing devices with MLAT. In our
approach, we thus exploit a characteristic that is attacker-controlled such as the
spoofed positions in the advertisements. As a result, we obtain a multilateration
with switched roles, i. e., the references are moving aircraft as compared to the
stationary ADS-B/Flarm sensors. Since the considered measure is shifted from time
to positioning information, we need to adjust the scaling factor with the velocity
of the spoofed track. As a beneficial side effect, this diminishes the factor with
which the uncertainties in the GPS-derived positions are multiplied and consequently
reduces the noise impact on the localization accuracy.
5.8.2 Error Minimization
In contrast to a definite analytic solution considering relations based on Equa-
tion (5.8), real-world signal reception and measurements suffer from several error
sources and hence prevent a distinct solution for the spoofer position. Both the
positions from MLAT as well as the reported spoofed GPS positions are affected by
noise. Notably, the interpolation process for time-alignment induces even more noise
into the system. Consequently, compared to the theoretical analysis, the constructed
hyperboloids do not intersect in a distinct point but rather mark an area.

Table 5.3: Localization Scenario Comparison

| Approach | MLAT | Spoofer Localization |
|---|---|---|
| Scenario | (figure) | (figure) |
| Equation | $\mathrm{dist}(A, R_i) - \mathrm{dist}(A, R_j) = \Delta t_{i,j} \cdot c$ | $\mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) = d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}$ |
| References | Sensors | Aircraft |
| Target | Aircraft | Spoofer |
| Measure | Time | Position |
| Scaling Factor | $c$ | $\frac{c}{v_{\mathrm{track}}}$ |

In order to find the optimal solution for the spoofer position SP, we formulate the
following error function Et(·):
$$E_t(SP, i, j) = \mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) - d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}, \qquad (5.10)$$
where $d_{i,j}$ is the distance in the reported ADS-B/Flarm positions and t is the current
sample time. The real aircraft positions are denoted by $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$, and c is
the speed of light.
All resulting errors add up to the overall error, which we try to minimize by
computing the Root Mean Square Error (RMSE). Eventually, our algorithm outputs
the most likely spoofer position:
$$\underset{SP}{\arg\min} \sqrt{\frac{\sum_{t=1}^{\infty} \sum_{i=1}^{m} \sum_{j=1}^{i-1} E_t(SP, i, j)^2}{t \cdot \left(\frac{m^2 - m}{2}\right)}}, \qquad (5.11)$$
with t indicating the sample time corresponding to Equation (5.10). The inner
two sums aggregate the errors of the relations between all spoofed aircraft, whereas
the outer sum aggregates the errors over all sample times. The argument with the
minimum error is calculated to be the best approximation of the spoofer position.
When time progresses, the total number of relations considering different refer-
ences increases. This also affects the error minimization process by expanding the
system of equations that are simultaneously evaluated. However, the complexity
increase is only linear and, as we will show, this process stabilizes quickly. As
all measurements are affected by noise, more relations are beneficial to reduce the
system-intrinsic errors and the localization is predicted to gain precision.
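
The error minimization of Equations (5.10) and (5.11), restricted to two dimensions, as an added example that is not the MATLAB implementation used in the thesis. It assumes noise-free constructed reports, takes $d_{i,j}$ as the signed along-track difference $s_j - s_i$ so that the sign of Equation (5.8) is preserved, and substitutes a coarse-to-fine grid search for the unspecified numerical solver; all names and values are hypothetical.

```python
import math
from itertools import combinations

C = 299_792_458.0                 # signal propagation speed [m/s]
V_TRACK = 1_000 / 3.6             # spoofed track velocity: 1,000 km/h in m/s
SP_TRUE = (35_250.0, -61_730.0)   # constructed spoofer position [m]
# Constructed MLAT positions [m] of four spoofed aircraft at two sample times [s].
FLIGHTS = [
    (0.0,  {"A": (80_000.0, -20_000.0), "B": (-30_000.0, -50_000.0),
            "C": (50_000.0, -140_000.0), "D": (10_000.0, 10_000.0)}),
    (60.0, {"A": (67_000.0, -16_000.0), "B": (-18_000.0, -46_000.0),
            "C": (50_000.0, -126_000.0), "D": (22_000.0, 4_000.0)}),
]

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def enough_relations(m, tp):
    """Eq. (5.9): m spoofed aircraft observed at tp positions give >= 4 relations."""
    return math.comb(m, 2) * tp >= 4

def simulate(sp, flights, v_track):
    """Constructed reports: each aircraft's along-track position s lags by its
    propagation delay, so aircraft farther from the spoofer are behind."""
    return [{a: (p, v_track * (t - dist(sp, p) / C)) for a, p in pos.items()}
            for t, pos in flights]

def relations(samples, v_track):
    """One (p_i, p_j, d_ij * c / v_track) tuple per aircraft pair and sample time.
    Assumption of this example: d_ij = s_j - s_i (signed, along the track)."""
    if v_track == 0:
        raise ValueError("Eq. (5.8) requires v_track != 0")
    rel = []
    for reports in samples:
        for i, j in combinations(sorted(reports), 2):
            (p_i, s_i), (p_j, s_j) = reports[i], reports[j]
            rel.append((p_i, p_j, (s_j - s_i) * C / v_track))
    return rel

def rmse(sp, rel):
    """Root mean square of E_t(SP, i, j), Eq. (5.10), over all relations."""
    return math.sqrt(sum((dist(sp, p_i) - dist(sp, p_j) - rhs) ** 2
                         for p_i, p_j, rhs in rel) / len(rel))

def locate(rel, center, half_width, levels=8, n=20):
    """argmin over SP of Eq. (5.11) by grid search: evaluate a (2n+1)^2 grid,
    recentre on the best cell, shrink the window to +/- 3 cells, repeat."""
    cx, cy = center
    for _ in range(levels):
        step = half_width / n
        cx, cy = min(((cx + a * step, cy + b * step)
                      for a in range(-n, n + 1) for b in range(-n, n + 1)),
                     key=lambda sp: rmse(sp, rel))
        half_width = 3 * step
    return cx, cy

def run():
    rel = relations(simulate(SP_TRUE, FLIGHTS, V_TRACK), V_TRACK)
    est = locate(rel, (0.0, 0.0), 200_000.0)   # search the (400 km)^2 area
    return est, dist(est, SP_TRUE), rmse(est, rel)

if __name__ == "__main__":
    est, err, residual = run()
    print(f"estimate={est}, error={err:.3f} m, residual RMSE={residual:.3e} m")
```

At 1,000 km/h the along-track differences between these aircraft are only a few centimetres, which is why noise in the reported positions is multiplied by roughly a million before it enters the error function.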
5.8.3 Improved Filtering
For GPS spoofing attacks targeting multiple aircraft, we identify an additional op-
timization technique that helps to lower the impact of uncertainty in the reported
positions even further. As all affected aircraft receive the same spoofing signals,
they report positions on the same track irrespective of timing information. This allows
us to better predict the underlying track by incorporating all available reports.
Consequently, we can apply a subsequent filtering of the spoofed aircraft positions.
In particular, we apply a projection of the reported positions on the combined
estimated track. Notably, with this projection we cannot correct timing inaccuracies,
but we can better estimate the most likely position at the current measurement time.
The (orthogonal) projection provides the least error with respect to the estimated
track and can be described as:
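$$\left(p_i^{\mathrm{GPS}} - p_i^{\mathrm{GPS}\prime}\right) \perp \mathrm{track}, \qquad (5.12)$$
where $p_i^{\mathrm{GPS}}$ is the noisy GPS position and $p_i^{\mathrm{GPS}\prime}$ is the projected point with
$p_i^{\mathrm{GPS}} - p_i^{\mathrm{GPS}\prime}$ being orthogonal to the estimated track. Moreover, we do not necessarily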
require a continuous straight line but the track can also contain separated segments,
which are then evaluated separately to apply the projection.
5.9 Evaluation
To evaluate the applicability of Crowd-GPS-Sec to real-world air traffic, we assess its
performance in terms of spoofing detection and accuracy of the spoofer localization.
In particular, we have implemented Crowd-GPS-Sec and applied it to real-world
data from the OpenSky Network. Moreover, we have built a simulation framework
to generate results with respect to spoofing scenarios.
5.9.1 Spoofing Detection Performance
We compare our two spoofing detection tests with regard to their coverage, detection
delay, and detection rate. The tests are applied to air traffic data of Central Europe
as received by the OpenSky Network over a period of one hour. The dataset contains
141,693 unique positions of 142 aircraft.

Figure 5.9: Detection rates and coverage of Test 1 and Test 2 in the considered OpenSky Network dataset depending on the attacker’s range. [Plot: Detection Rate over Attacker Range [km]; series: Test 1 only, Test 1 and 2, Test 2 only.]

Coverage
We define the coverage of a test as the percentage of aircraft positions that is pro-
tected by a test. Protection means that a test indicates a spoofing attack if the
aircraft is indeed spoofed. For simplicity, we assume that the attacker is using an
omnidirectional antenna and is positioned right underneath the target using exactly
the required transmission power to have the target aircraft lock on the spoofer. This
results in an attack range in the form of a sphere with a radius of the altitude of
the aircraft. Note that this setup models an unrealistically optimal attacker since in
reality, the attacker may not be able to stay exactly underneath the target aircraft as
the aircraft is moving and it may use higher transmission powers than the minimal
required power.
Since both tests rely on different features, the sets of positions covered by one
test are different from the sets covered by the other test, but there are overlaps.
We therefore analyze how many aircraft in our dataset are covered by which test.
Figure 5.9 shows the fractions of aircraft in the dataset covered by Test 1 (Cross-
Checks with MLAT), Test 2 (Multiple Aircraft Comparison), or both depending
on the target’s altitude. While 61.2% of the aircraft are covered by Test 1 alone,
only 2.9% are covered solely by Test 2. Further, 8.9% are covered by both tests at
the same time. Hence, Test 1 clearly outperforms Test 2 with respect to coverage.
This result is not surprising since the receiver density of the OpenSky Network is
high (which benefits Test 1), while the aircraft density (which Test 2 relies on) is
limited due to separation minima. In total, we can summarize that if the spoofer’s
target is at an altitude above 11 km and the spoofer is directly underneath the
target, the detection rate is about 75% using either of the two tests. If the spoofer
uses higher transmission powers or if it is not directly underneath the target, the
detection rate increases quickly towards 100%.

Figure 5.10: Comparison of the detection rates of Test 1 and Test 2 in the OpenSky Network dataset depending on the target’s altitude. [Plot: CDF over Altitude [km]; series: Test 2, All, Test 1.]

By design, Test 1 directly depends on multilateration coverage and should there-
fore work better at high altitudes where aircraft are tracked by more sensors. In
contrast, Test 2 benefits from dense airspaces since close aircraft protect one another
from a security viewpoint. To further investigate this effect, we considered the cu-
mulative distribution of the altitudes of all aircraft and compared it to those of the
aircraft protected by either of the tests. The results are shown in Figure 5.10. As
expected, Test 2 has a distribution similar to all altitudes. The steep inclines in its
distribution confirm that it is most effective at the common altitudes above 10 km
(en-route flights) and at around 1 km (approach areas). Most aircraft detected by
Test 1, on the other hand, were higher than 10 km which also complies with the
above hypothesis.
Detection Delay
We define the detection delay as the delay between the point in time when an attack
takes effect, i. e., when the aircraft’s GPS sensor locks on to the spoofed signal,
and the point in time when the detection test indicates the attack. As for Test 1, this corresponds to the
delay between receiving the ADS-B position and the MLAT position updates. To
evaluate this, we used the open-source MLAT implementation [55] with the Open-
Sky Network’s real-time data stream and measured the time between the reception
of an ADS-B position and the emission of the respective position by the MLAT
implementation. As for Test 2, the delay can be reduced to the inter-arrival times
between spoofed position reports. Figure 5.11 shows the distributions for the delays
of the two tests. The delay of Test 1 is a result of the delay of the relatively long
MLAT calculations. Test 2, on the other hand, can detect an attack as soon as a
false position report is received from two different aircraft. Note that the position
broadcast interval of ADS-B is random within an interval of 0.4 s to 0.6 s, explaining
the average detection delay close to 0.5 s.

Figure 5.11: Comparison of the detection times of Test 1 and Test 2 in the OpenSky Network dataset. [Plot: CDF over Time [s]; series: Test 2, Test 1.]

Conclusion
The results of our evaluation show that with realistic air traffic and implementation
characteristics, the two tests can reach a detection rate of up to 75% when the
attacker is directly underneath the target. While Test 1 performs much better
in terms of coverage and detection rate, the detection delay is much smaller for
Test 2. These results encourage a complementary implementation as proposed in
Section 5.7.4.
5.9.2 Spoofer Localization Performance
To evaluate Crowd-GPS-Sec in terms of GPS spoofer localization accuracy, we have
built a simulation framework in MATrix LABoratory (MATLAB), which allows us
to analyze spoofing scenarios in a controlled environment without having to spoof
real aircraft. In particular, we assess the impact of noise in the GPS-derived position
reports, MLAT positioning noise, and spoofed track velocity.
Simulation Framework
While we are interested in results from varying parameter sets, we otherwise incor-
porate realistic data observed by the sensor infrastructure of the OpenSky Network.

Table 5.4: Simulation Framework Parameters

| Class | Parameter | Parameter Range | Default |
|---|---|---|---|
| Environment | Sensor Density | 10 ... 100 [1/(100 km)^2] | OpenSky |
| Environment | Airspace Density | 10 ... 100 [1/(100 km)^2] | OpenSky |
| Aircraft | Flightpath | random | OpenSky |
| Aircraft | Flight Altitude | 0 ... 10,000 [m] | OpenSky |
| Aircraft | Airspeed | 0 ... 1,000 [km/h] | OpenSky |
| Spoofer | Spoofer Position | random | random |
| Spoofer | Spoofing Range | 10 ... 200 [km] | 100 km |
| Spoofer | Spoofed Track Velocity | 0 ... 10,000 [km/h] | 1,000 km/h |
| Errors | GPS Noise (std) | 0.01 ... 4 [m] | 4 m |
| Errors | MLAT Noise (std) | 1 ... 100 [m] | 10 m |

Table 5.4 contains an overview of the utilized simulation parameters. In the default
case, our simulation samples aircraft from the OpenSky Network including reported
positions, altitudes, airspeeds, and headings. The spoofer is randomly positioned
in an exemplary area of $(400\,\mathrm{km})^2$ and its range is set to 100 km spoofing a track
of 1,000 km/h. By selectively modifying these default settings, we are able to sim-
ulate different airspace constellations, attacker configurations, and noise impacts of
MLAT and GPS. In particular, we consider standard assumptions taken from speci-
fications [130] and technical reports [71] as well as more optimistic assumptions that
could be achieved with more sophisticated equipment.
To simulate the impact of GPS spoofing on aircraft, we imitate position reports
from already spoofed aircraft by incorporating the attacker-controlled positions and
adding Gaussian noise according to the considered noise model. Subsequently, we
apply standard noise correction techniques based on a Kalman filter [56]. For the
error minimization considering distance relations, we implement a numerical solver.
To cope with an increasing number of equations, we only evaluate the relations
at discrete time intervals which are defined as the time that has elapsed since the
spoofing attack was launched, ranging from a few seconds up to 15 minutes.
Metrics
In order to quantify our results we define two metrics. First, we consider the distance
between the actual spoofer position and our estimation. Second, we construct a
circle around our estimated position with a radius equal to the distance to the
actual spoofer. We consider this to be the search space to find the attacker and we
compare it to the observed area of $(400\,\mathrm{km})^2$, on which the spoofer was randomly
positioned. For each of the analyzed parameter sets, we performed 200 randomized
simulation runs and averaged the results.

Figure 5.12: The impact of GPS noise ranging from $\sigma_{\mathrm{GPS}} = 4$ m to 0.01 m on the spoofer localization, depicted including standard deviation errorbars. The MLAT positioning accuracy is fixed to $\sigma_{\mathrm{MLAT}} = 10$ m. [Plot: Distance to Spoofer [m] (logarithmic) over Elapsed Time after Spoofing Attack [min]; curves labelled 4, 2, 1, 0.5, 0.1, 0.01.]

5.9.3 Impact of GPS Accuracy
Figure 5.12 depicts the impact of high GPS noise ($\sigma_{\mathrm{GPS}} = 4$ m) to low GPS noise
($\sigma_{\mathrm{GPS}} = 0.01$ m) applied to the latitude and longitude direction. We do not require
altitude information for spoofer localization and can therefore neglect altitude inaccuracies.
We conclude that the extent of noise in the reported GPS positions is a
dominating factor that can make the difference between a few kilometers and merely
tens of meters in spoofer localization. In particular, we achieve an average localization
accuracy of approx. 8.2 km for $\sigma_{\mathrm{GPS}} = 4$ m, approx. 1.7 km for $\sigma_{\mathrm{GPS}} = 1$ m, and
approx. 149 m for $\sigma_{\mathrm{GPS}} = 0.1$ m, each after 15 minutes.
Considering the search space, we need to scan approx. 0.13% for $\sigma_{\mathrm{GPS}} = 4$ m,
approx. $5.8 \times 10^{-5}$ for $\sigma_{\mathrm{GPS}} = 1$ m, and approx. $4.4 \times 10^{-7}$ for $\sigma_{\mathrm{GPS}} = 0.1$ m, again
after 15 minutes. Furthermore, we observe that the localization accuracy increases
rapidly within the first few minutes, whereas after 5 min the accuracy only improves
slowly. From 5 min to 15 min, the distance roughly halves. As a result, we can
already give a good spoofer position estimation in a timely manner after the spoofing
attack is launched and narrow it down to a more exact position after a few minutes.

Figure 5.13: The considered MLAT positioning noise in the range of $\sigma_{\mathrm{MLAT}} = 100$ m to 1 m does not show any significant impact on the localization accuracy. The results are based on a high GPS noise of $\sigma_{\mathrm{GPS}} = 4$ m. [Plot: Distance to Spoofer [m] (logarithmic) over Elapsed Time after Spoofing Attack [min]; curves labelled 100, 50, 10, 5, 1.]

5.9.4 Impact of MLAT Accuracy
Another uncertainty of our localization approach is the accuracy of the MLAT po-
sitioning that we require to determine the actual (unspoofed) aircraft positions. We
choose to vary the MLAT accuracy between high noise ($\sigma_{\mathrm{MLAT}} = 100$ m) and lower
noise levels ($\sigma_{\mathrm{MLAT}} = 1$ m), each representing the standard deviation in latitude,
longitude, and altitude. Figure 5.13 contains the impact on the localization of dif-
ferent MLAT noise levels. In contrast to the strong dependence on the GPS noise in
the spoofed measurements, the MLAT noise has little impact on the accuracy of the
spoofer localization. As a result, our localization approach does not rely on highly
accurate MLAT measurements of the actual aircraft position and can still perform
decently on relatively noisy data.
5.9.5 Impact of Spoofed Track Velocity
As the spoofed track velocity $v_{\mathrm{track}}$ is part of the scaling factor in the distance
relations in Equation (5.8), we identify it to be another important parameter. The
results for varying spoofed track velocities are depicted in Figure 5.14. For a spoofed
track velocity of $v_{\mathrm{track}} = 300$ km/h, the accuracy decreases by nearly one fourth. The
accuracy decreases further for a track velocity of $v_{\mathrm{track}} = 100$ km/h. Eventually, for
track speeds lower than $v_{\mathrm{track}} = 30$ km/h, the spoofer localization fails to narrow
down a useful search radius. However, considering less GPS noise, we expect to see
better results even for lower track velocities. The strong dependence on the track
velocity is due to the scaling factor, which relates the observed distances to the
spoofed track velocity and the speed of light. Hence, low velocities result in smaller
distance differences among the spoofed aircraft and are relatively more affected by
system-intrinsic noise.

Figure 5.14: The spoofed track velocity is analyzed between $v_{\mathrm{track}} = 6$ km/h and 1,000 km/h. The results consider a GPS noise level of $\sigma_{\mathrm{GPS}} = 1$ m and an MLAT positioning accuracy error of $\sigma_{\mathrm{MLAT}} = 10$ m. [Plot: Distance to Spoofer [m] (logarithmic) over Elapsed Time after Spoofing Attack [min]; curves labelled 6, 30, 100, 300, 1000.]

5.10 Discussion
The evaluation of Crowd-GPS-Sec revealed the localization performance considering
different external as well as attacker-controlled parameters. We now discuss selected
topics and elaborate on combined error effects, the possibility to locate spoofers of
stationary targets, and the applicability to other sensor networks.
5.10.1 Combined Error Effects
The spoofer localization accuracy of Crowd-GPS-Sec depends on the GPS error,
the MLAT error, and the spoofed track velocity. These three parameters are all
components of the relations defined in Equation (5.8) and thus impact the accuracy
of the solution. While the MLAT noise is less decisive, the GPS noise and the
spoofed track velocity are significantly affecting the achievable accuracy. This is
due to the small differences in spoofed aircraft positions with respect to the speed
of light divided by the spoofed track velocity. In general, we expose the following
relationship between the localization error E, the GPS noise $\sigma_{\mathrm{GPS}}$, and the spoofed
track velocity $v_{\mathrm{track}}$:
$$E \propto \frac{\sqrt{2} \cdot \sigma_{\mathrm{GPS}}}{v_{\mathrm{track}}}, \qquad (5.13)$$
with $\sigma_{\mathrm{GPS}}$ being scaled with $\sqrt{2}$ due to the Euclidean distance based on two normally
distributed points in space. Hence, we can expect to see similar results for low track
velocities with low GPS noise and high track velocities with high GPS noise.
5.10.2 Localizing Spoofers of Stationary Targets
The attacker model considered in this work assumes that the spoofer’s target is a
moving object. If instead the target is stationary, the attacker could also spoof con-
stant positions. While spoofing detection would still work, the spoofer localization
would fail since the differences in propagation delays between spoofer and aircraft
would not be reflected in the reported position differences (compare di,j in Equa-
tion (5.10)). One way to cope with such attackers is to additionally propagate GPS
time synchronization information to the ground infrastructure. As time is evolving,
the spoofer would have to imitate a progressing GPS time to remain undetected by
the target. Having information about the time synchronization of affected aircraft
would allow performing a localization by analogy. More specifically, if t denotes
the real reference time and $t_i^{\mathrm{GPS}}$ the reported time of aircraft i, the relation from
Equation (5.8) can be rewritten to:
$$\mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) = (t_i^{\mathrm{GPS}} - t_j^{\mathrm{GPS}}) \cdot c\delta, \qquad (5.14)$$
where $\delta$ denotes a factor representing the spoofed GPS clock’s speed. Equation (5.14)
is independent from the spoofed position and therefore allows localizing spoofers,
even if the target is stationary.
5.10.3 Applicability to Other Networks
The underlying idea of Crowd-GPS-Sec does not only apply to aircraft but can
also be relevant to GPS spoofing attacks on cars, trucks, ships, or other vehicles on
ground. Similar to the broadcasting of avionic position reports via ADS-B or Flarm,
vehicular systems could also report state information to, e. g., roadside units. The
combined reports can then be used to run our spoofing detection and localization
scheme. Even though the speeds of vehicles are comparably low, the density of
affected targets is much higher and the GPS filtering is expected to be more con-
ditioned. Eventually, we envision the merging of information provided by different
networks. In particular, each spoofed system, such as aircraft, vehicles, vessels, etc.,
can collaborate by sharing their information in a crowdsourcing manner.
5.11 Summary
In this work, we presented Crowd-GPS-Sec, an independent system to detect and
localize GPS spoofing attacks targeted at aircraft and UAVs. Crowd-GPS-Sec is
lightweight and leverages existing wireless air traffic broadcast infrastructures, the
ADS-B and Flarm systems, to identify spoofing attacks from a remote location—
possibly far from where the attack is happening. We have shown that our approach
is effective at localizing spoofing devices by using differences in reported positions
by multiple aircraft. Using simulations based on real-world input from the OpenSky
Network, we have demonstrated that Crowd-GPS-Sec achieves attack detection de-
lays below two seconds and an attacker localization accuracy of around 150 meters
after 15 minutes of monitoring time.
Alone we can do so little; together we can do so much.
— Helen Keller
6Trust Establishment for Aircraft
Broadcast Signals
Contents
6.1 Introduction
6.1.1 Problem Statement
6.1.2 Contribution
6.2 Related Work
6.3 System Model
6.4 Attacker Model
6.5 Design of an ADS-B Trust System
6.6 ADS-B Message Trust
6.6.1 Sanity Check
6.6.2 Differential Check
6.6.3 Dependency Check
6.6.4 Cross Check
6.7 Attack Analysis
6.7.1 Type of Attack
6.7.2 Affected Sensors
6.8 Simulation
6.8.1 GPS Spoofing
6.8.2 ADS-B Spoofing
6.8.3 Sensor Control/Sybil Attack
6.9 Evaluation
6.9.1 Attack Detection Performance
6.9.2 Attack Analysis: Type of Attack
6.9.3 Attack Analysis: Affected Sensors
6.9.4 Impact: Grid Resolution
6.10 Discussion
6.10.1 Implicit Data Source Trust
6.10.2 Attacker’s Knowledge
6.10.3 False Alarm Events
6.10.4 Current Attack Resilience
6.10.5 Optimizing Sensor Deployment
6.10.6 Extensions
6.11 Summary
6.1 Introduction
The monitoring of air traffic has evolved from an analog Radio Detection and Rang-
ing (RADAR)-based system to a digitally-aided surveillance infrastructure. By 2020,
all aircraft are required to be equipped with transmitters to periodically broadcast
status reports that inform others about identification, position, movement, and
additional status codes [132]. Protocols such as the Automatic Dependent
Surveillance-Broadcast (ADS-B) will become mandatory to access most of the world’s
airspace and already constitute the de facto standard for air traffic monitoring.
6.1.1 Problem Statement
While the aviation industry is characterized by very long development cycles—up
to several decades—, applications that mandate high safety guarantees are usually
lagging behind advancements on the security side. As such, ADS-B reports are
neither encrypted nor authenticated. At the same time, the open specification of
ADS-B promotes the collection and free usage of aircraft reports. Simple sensors
can decode aircraft reports and gain a real-time view of their surrounding airspace.
A network that combines more than 850 user-operated ground-based sensors in a
crowdsourcing manner is the OpenSky Network [74, 107–110, 120]. This network
collects and stores air traffic data from around the world and makes them available
for research.
Since ADS-B lacks fundamental security practices, the risk potential of attacks
targeting air traffic has long been discussed [18, 48, 66, 104, 118, 121]. These works
demonstrate how attackers can interfere with aircraft sensors and how fake aircraft
messages can be injected into air traffic monitoring systems [18]. For instance, ad-
versaries with affordable Commercial Off-the-Shelf (COTS) hardware and moderate
knowledge can generate ADS-B messages containing arbitrary data encapsulated in
valid reports trying to remain unnoticed by protection schemes [118,121]. The con-
sequences of such attacks range from flight controller distractions up to violations
of mandatory safety separations, and eventually increasing the possibility of aircraft
collisions. Since these attacks are far from being only of academic nature, security
solutions are urgently needed to protect the integrity of air traffic surveillance [17].
In fact, trust establishment is an open and central problem in the aviation industry
and emerging concerns have already reached the public [17, 32, 40, 42, 146]. Sim-
ilar shortcomings exist for the Global Positioning System (GPS), whose location
information is embedded in ADS-B reports.
Research Question. We state the following research question: How can we es-
tablish self-contained trust in ADS-B aircraft reports without external channels or
modifications only using the already implemented infrastructure? In particular, the
solution should be able to distinguish between normal operation and attack patterns.
6.1.2 Contribution
To answer the demands for more security in the safety-driven aviation industry,
we propose a data-centric [98] trust evaluation system with the goal of assessing the
trustworthiness of ADS-B reports using data that is already collected at a wide scale.
We refer to trust in the sense that messages are trustworthy when they originate from
functional, non-malicious sources. In contrast, error-prone or attacker-controlled
messages trying to harm the system should be detected and potentially filtered out.
Furthermore, we explore the identification of the attack type and the traceability of
malicious sensors.
The development of such a system faces several challenges imposed by the strongly
regulated aviation industry. Viable solutions need to be lightweight in the sense that
they do not require any modifications on the deployed hardware or software pro-
tocols. In particular, security systems should not interfere or interact with other
systems already in place to avoid lengthy (re)certification processes [17]. Preferably,
applicable solutions are augmentation systems that operate autonomously with sen-
sor input already available. We develop our system to fulfill all these challenges.
At the core of our system, we make use of the crowdsourcing nature of a sensor
network in which user-collected data cross-validates the data provided by other users.
This allows forming a network of trusted sensors based on mutual auditing and
wireless witnessing. Wireless witnessing is the collaborative process of observing the
status of a distributed wireless system. We apply it in the security context to assess
and validate the trustworthiness of ADS-B messages based on reception events. In
particular, we implement a Machine Learning (ML)-based verification test that is
trained on typical message reception patterns. In fact, the collaboration of sensors
characterizes the expected reception behavior of aircraft reports transmitted from
certain airspace segments while automatically factoring in natural message loss.
Our system can reliably differentiate between normal air traffic broadcasts and
suspicious messages diverging from expected patterns. Furthermore, our system can
recognize the type of attack, e. g., GPS spoofing, ADS-B spoofing, and even Sybil
attacks to trace malicious sensors. We achieve high detection rates and identify the
sensor redundancy as an important factor. To further harden the network against
attacks, new sensors can be integrated by providing consistent snapshots of their
airspaces. Since our system is solely based on an already existing infrastructure and
does not require any modifications on aviation systems, it is lightweight and could be
implemented today easing very long certification processes. In contrast to existing
solutions for air traffic verification [105,106], we do not require the measurement of
time or frequency shifts, but only use discrete sensor events.
Summary. In summary, the contributions of this work are:
• We propose and detail the first comprehensive approach to evaluate the trust-
worthiness of ADS-B aircraft reports based on an existing infrastructure of
crowdsourcing sensors.
• We demonstrate the applicability of our approach by incorporating real-world
flight data already collected by geographically distributed sensors at a large
scale.
• We simulate prominent attacks on GPS and ADS-B, detect their presence via
validation in our trust system, and draw conclusions about their type and
origin.
• We elaborate on network expansion and optimized sensor deployment to fur-
ther harden the network against attacks in the future.
The contributions of this work resulted from a collaboration with William Sey-
mour, Christina Pöpper, and Ivan Martinovic.
6.2 Related Work
The foundation of this work is partly based on the work by Raya et al. [98] who were
the first to propose a framework for data-centric trust establishment with a focus
on short-lived associations in volatile environments. While our proposal for trust
establishment specifically targets ADS-B based air traffic surveillance, similar trust
requirements exist for Vehicular Ad Hoc Networks (VANETs) or industrial wireless
sensor networks. While Petit et al. [83] discuss detection systems for VANETs based
on dynamic thresholds, Ruj et al. [102] focus on validating message consistency to
identify misbehavior. While Sun et al. [124] present a trust framework for VANETs
to detect faulty data, Hundman et al. [44] apply similar data verification schemes for
spacecraft. Wang et al. [134] analyze the feasibility of false data filtering in general
sensor networks and Henningsen et al. [38] especially focus on industrial networks. In
comparison, our system is tailored towards a network of geographically distributed
sensors.
While ADS-B is still vulnerable in practice, its insecurity has long been highlighted
from an academic perspective. Purton et al. [91] analyzed critical information flows
and focused primarily on technical solutions. They applied a qualitative
assessment method [137] that identified potential shortcomings. In contrast, McCal-
lie et al. [66] applied a risk analysis to assess the impact of different attack vectors
and recommended solutions to be incorporated into the ADS-B implementation plan.
Moreover, Strohmeier et al. [118,121] provide an overview of system-inherent prob-
lems and illustrate the security challenges of ADS-B in future air traffic monitoring.
There are several open attack vectors that, from a scientific perspective, would al-
low attacking ADS-B on different levels. Nevertheless, we must always consider the
necessary effort for an attack and its feasibility in a real-world scenario.
Moser et al. [69] take a perspective on the feasibility of attacking ADS-B commu-
nication and consider an attacker using a multi-device setup. Recent work showed
that such strong adversaries become increasingly realistic [46]. Furthermore, Costin
and Aurélien [18] demonstrated that the step from a scientific attack concept to a
real attack is not necessarily too wide and managed to inject fake aircraft messages
into live surveillance monitors. Later, Schäfer et al. [104] experimentally analyzed
the practicability of known threats revealing startling results. Besides these pro-
posals, which all focus on aviation applications, Balduzzi et al. [6] proved that also
maritime traffic via Automatic Identification System (AIS) broadcast messages can
be the target of successful attacks. While the physical constraints of vehicles differ
a lot, the similarity of communication channels helps to map well-known attacks to
this new context.
Besides the large body of offensive work, defensive proposals exist in recent re-
search. Schäfer et al. [105, 106] propose the usage of timing or Doppler shift char-
acteristics to detect attacks on ADS-B. While this cannot protect from attacks, it
still helps to identify malicious or inaccurate messages. Other location verification
schemes and anomaly detection methods are based on RADAR observations [85] or
statistical tests [119]. First results based on cross-referencing within a distributed
sensor network are illustrated by Strohmeier et al. [123]. Wesson et al. [139] discuss
solutions based on cryptography. Our system, on the other hand, requires no addi-
tional measurement information different from already collected data and can thus
be implemented without any modifications.
Aside from ADS-B and AIS, the insecurity of GPS has been repeatedly demonstrated.
Humphreys et al. [43] were the first to publish an attack on GPS, in which they
managed to spoof GPS signals. Tippenhauer et al. [128] later analyzed the
requirements of successful GPS spoofing attacks and reasoned about possible attacker
positions when facing a specific sensor deployment. Considering multiple sensors,
countermeasures exist for the detection of GPS spoofing attacks [49, 125–127, 144]
and also for spoofer localization [47, 48, 144]. However, these countermeasures de-
pend on ground-based sensors and do not exploit the network volatility. This limits
the impact and consequences to a fraction of real-world use cases.
Overall, we experience a gap between theoretically proposed defenses and deployed
countermeasures. Hence, protecting ADS-B is an open challenge that demands
scientific advances to consider the requirements and limitations of the real world.
6.3 System Model
In recent years, traditional analog RADAR-based systems for air traffic monitoring
have been augmented with digital means for active wireless communication. To
communicate with ground stations and other aerial vehicles, aircraft are mandated
to be equipped with ADS-B transponders that periodically broadcast status mes-
sages [132]. Additionally, an aircraft identification, information on speed, track, and
acceleration along with further observation data is transmitted. The positioning
information is derived via GPS, which is the preferred method for self-localization.
A set of geographically distributed sensors receives these reports and their data
is shared with others in a crowdsourcing manner. A central server processes the
forwarded reports and makes the collected data accessible. Overall, we are faced with
the high mobility of aircraft on the one hand, while on the other hand, the receiving
sensors are stationary and are less likely to move significantly. Figure 6.1 depicts
an overview of our system model that we consider to assess the trustworthiness of
ADS-B aircraft reports.
We define trust in our system as the certainty of an ADS-B message to be the result
of normal behavior and not disrupted by malfunctioning or active manipulation. To
this end, a trusted message represents valid data transmitted by genuine sources.
On the other hand, an untrustworthy message is identified as erroneous or fake
data that should be discarded from further processing. While the traditional notion
of trust had been entity-centric and rigid, today’s fast-changing ad hoc networks
necessitate the adjustment of trust models. Hence, we seek to establish a data-centric
trust model in consideration of short-lived associations in volatile environments as
introduced by Raya et al. [98]. In particular, we design a trust system that is
driven by data reported by distributed sensors that share their observations within
a network. The combination of redundant views enables the system to cross-validate
reported data and eventually establishes a form of wireless witnessing.
Figure 6.1: Our considered system model of GPS satellites, aircraft, ADS-B sensors, and the processing central server.
6.4 Attacker Model
Since the ADS-B protocol is openly specified, the modulation and data frame patterns
are known. ADS-B operates at a frequency of 1,090 MHz and the reception range can
reach up to 700 km, making the signals decodable on simple COTS hardware such as
Universal Software Radio Peripherals (USRPs) [23,24], or even cheaper
Software Defined Radios (SDRs) like RTL-SDR dongles [101], which are available
for as low as $20. The availability of SDRs not only allows passive eavesdropping
but also led to software tools for active ADS-B transmission [19] or the generation of
fake GPS signals [76]. Surprisingly, the ADS-B protocol lacks fundamental security
measures, and neither applies encryption nor authentication.
Our adversary model comprises several prominent attack vectors, which we cat-
egorize according to their intended target and their scope. Table 6.1 shows an
overview. We evaluate our proposed system against these attacks. Moreover, we
argue in Section 6.10.2 that attackers with complete knowledge about our verifica-
tion scheme cannot bypass our implementation of wireless witnessing and can be
detected as well.
GPS Spoofing. The airborne (self)-positioning sensors process received GPS sig-
nals from multiple satellites to embed the results in the broadcasted ADS-B reports.
One attack scenario considers the spoofing of GPS signals where an attacker sends
out specially crafted signals at a considerable signal strength [43, 128]. As a re-
sult, an attacker can inject false positioning or timing information into the aircraft
systems inducing the processing of fake attacker-controlled data [48].
Table 6.1: Attack Vectors
Target          Attack           Scope     Effort
Aircraft        GPS Spoofing     -         Moderate
ADS-B Sensor    ADS-B Spoofing   Single    Moderate
ADS-B Sensor    ADS-B Spoofing   Multiple  High
Central Server  Sensor Control   Single    Low
Central Server  Sybil Attack     Multiple  High
ADS-B Spoofing (Single). An attacker capable of generating fake ADS-B mes-
sages can transmit arbitrary reports with full control over their contents. These
bogus messages may represent, e. g., any aircraft identifier, positioning solution,
or movement information [18, 66, 104]. Receivers of such messages will decode the
message contents and forward the sensed information to the central server. We dif-
ferentiate this attack according to the number of affected sensors. An attacker that
is limited in its effective range is likely to only affect single sensors due to their broad
spatial distribution.
ADS-B Spoofing (Multiple). A large-scale attacker may also be capable of targeting
multiple geographically distributed sensors at the same time. This attacker,
however, requires multiple antennas or a highly elevated, high-power antenna. The
attack is conducted in a broadcast fashion and is expected to affect all sensors within
its predetermined area. As a result, more than one sensor would receive the same
fake report and forward it to the central server.
Sensor Control. Due to the open nature of the surveillance network, attackers
can operate their own sensors and become part of the crowdsourcing infrastructure.
Having full control over a sensor, an attacker is able to inject arbitrary data en-
capsulated in genuine ADS-B reports [104]. This attack can be performed without
broadcasting false sensor inputs and can be directly conducted on the network level.
Sybil Attack. A large-scale attacker operating multiple sensors to capture the
network’s protection systems can perform a Sybil attack [21]. An attacker deploys a
significant number of sensors at potentially different locations to decisively influence
the system’s behavior. As a result, a Sybil attacker may completely take over the
system’s mechanics while remaining unnoticed by the protection systems. This
constitutes one of the most powerful attacks against sensor networks.
6.5 Design of an ADS-B Trust System
We propose a system to establish a dynamic verification of ADS-B messages for air
traffic surveillance. We first describe the specifics of our considered data and state
general network statistics. We then define (i) verification tests checking the contents
of a message and (ii) an ML classifier evaluating the metadata of a message.
As the source of our considered data, we utilize real-world air traffic data from
the OpenSky Network [74,107–110,120]. The sensors are installed and operated by
volunteers, who can either remain anonymous or register themselves by providing
personal data. Over 850 sensors promote the coverage of the network that exhibits
a particularly high sensor density in Europe and on the American continent. The
network relies on user-provided data, processes the data on centralized servers, and
offers access to the collected data of around 20 billion messages per day. Notably,
nodes in the network are not equipped with any cryptographic means or certificates,
which would hinder the growth of the sensor network and contradict the easy access
to the crowdsourcing platform. While other air traffic sensor networks exist, we
make use of the research-friendly data sharing of this network.
For the sake of simplification, we initially restrict the considered data to the Euro-
pean airspace where the OpenSky Network sensor density is the highest. To further
reduce complexity, we divide this space into non-overlapping clusters C and assign
each cluster a latitude and longitude index as the coordinates of its center. Hence,
the considered environment becomes the union of all clusters $C_{LAT,LON}$. We
implement the size of each cluster as a trade-off between sensitivity and generalization.
In order to get a better understanding of the data provided by the OpenSky Net-
work, we present basic statistics including sensor coverages and the total number of
processed ADS-B messages with respect to their spatial distribution. These evalu-
ations are based on data collected from an entire day (July 2nd, 2018) resulting in
a total of 182,824,762 messages broadcasted by real aircraft. Figure 6.2a depicts a
heat map of the spatial distribution of all recorded ADS-B reports on the exemplary
day. As one can see, most reports originated from a few cluster areas close to central
European airports. Notably, the database only contains messages that reached at
least one contributing sensor.
The overall coverage of the network is the combination of all participating sensors.
Since the individual sensor coverages can significantly overlap with each other, the
redundancy of the coverage is higher in areas with more sensors as compared to
rural areas. Figure 6.2b shows the aggregated sensor coverage of the OpenSky
Network as of July 2nd, 2018. The heatmap depicts the number of sensors that
simultaneously cover an indicated area. A total of 613 different sensors reported data
for the exemplary day and the considered airspace. We notice a strong dominance
in Central Europe, where most participating sensors are operated.
Figure 6.2: Spatial distribution of captured reports and sensor coverage of the OpenSky Network in Europe for the exemplary day (July 2nd, 2018). Panels: (a) Total Messages, (b) Sensor Coverage.
For the remainder of this work, we use the following notations. The network is
formed by a set of ground-based sensors $R$, where each sensor is referred to as $R_i \in R$.
Each ADS-B message $m$ can be received by an arbitrary number $\geq 1$ of sensors $R_i$,
hence the link $(m, R_i)$ exists. Due to noise effects and message collisions, message
loss can naturally occur and we denote the probability that sensor $R_i$ receives a
message transmitted from cluster $C_j$ as $P_{rec}(R_i, C_j)$. Moreover, the messages are
timestamped by the receiving sensors, where t is the issued timestamp. When a
message is not picked up by any sensor, it is consequently not in the considered
database.
6.6 ADS-B Message Trust
In order to assess the trustworthiness of ADS-B messages, we design an evalua-
tion process consisting of four verification tests, namely (i) sanity, (ii) differential,
(iii) dependency, and (iv) cross check. While the former three tests are stated for
the sake of completeness, we focus on the cross check that is tailored towards the
existing sensor infrastructure to implement wireless witnessing. The system overview
is depicted in Figure 6.3 and is developed in the following.
Figure 6.3: The process of ADS-B trust evaluation including four different verification tests, their utilized data, and conditional branching to the subsequent attack analysis.
[Diagram: the sanity check (defined value range), differential check (maximal change), and dependency check (physical restrictions) operate on the message content, the cross check (sensor coverage) on the metadata; a FAILED test branches to the attack analysis (type of attack, affected sensors).]
Table 6.2: Sanity Check
Category        Parameter        Range
Position        Latitude         −90° to 90°
Position        Longitude        −180° to 180°
Position        Altitude         −3 m to 20,000 m
Movement        Velocity         0 km/h to 1,200 km/h
Movement        True Track       0° to 360°
Movement        Vertical Rate    −50 m/s to 50 m/s
Identification  ICAO Identifier  Registered Aircraft
Identification  Call Sign        Assigned Call Signs
6.6.1 Sanity Check
The sanity check represents a message content verification with respect to defined
value ranges. Where values are not restricted by definition, we apply physical pos-
sibility bounds. Sanity checks are specific to the message content, i. e., the reported
aircraft status. Table 6.2 provides an overview of the implemented sanity check.
Position. The reported position contains information about the latitude, longitude,
and altitude. The latitude is only defined in the range of −90° to 90°, whereas the
longitude is defined over −180° to 180°. The altitude is not bounded by its definition
but by physical restrictions ranging from approximately −3 m, which is the altitude
of the lowest European airport, Amsterdam Airport Schiphol. For the maximum
altitude, we use a bound of 20,000 m, which is hardly reachable for casual air traffic.
Movement. While airborne, the velocity is expected to be positive and bounded by
the maximum speed of the specific aircraft type, usually less than approx. 1,200 km/h.
The direction of movement, referred to as the true track, is defined by the angle
aligned with the True North in the range of 0° to 360°. Moreover, the vertical rate
is also aircraft-dependent and is expected to not exceed ±50 m/s.
Table 6.3: Differential Check
Parameter            Maximal Change per Second
Horizontal Position  500 m
Altitude             100 m
True Track           10°
Velocity             25 km/h
Vertical Rate        10 m/s
Identification. Each aircraft is assigned a unique identification, the International
Civil Aviation Organization (ICAO) 24-bit registration identity. This identifier can
be checked against databases that contain currently assigned ICAO registrations.
In addition, each aircraft is assigned a volatile call sign, which can also be verified.
6.6.2 Differential Check
The differential check considers changes between succeeding ADS-B messages from
the same aircraft. These checks, therefore, require the assignment of messages to
tracks based on the included identifier. In consideration of the message update rate
and broadcast frequency, we identify reasonable maximal changes per second that
conform to the inertia and aircraft capabilities and are covered by observations of
real flight data. Table 6.3 contains the implemented tolerable parameter changes.
In cases where we receive updated ADS-B reports after a prolonged loss of commu-
nication, e. g., due to missing sensor coverage, we incorporate the lack of data by
scaling the tolerable maximal change with the missed time period.
6.6.3 Dependency Check
The dependency check verifies relationships between physically-dependent parame-
ters by considering subsequent reports from the same aircraft. In total, we formulate
three different tests. Based on the current position, velocity, and true track, we com-
pare predicted positions with the actually reported coordinates in the subsequent
message. We perform this check for both horizontal as well as vertical movements
and allow for a deviation up to 100m, which we have empirically derived from the
available dataset. A further dependency exists between the reported altitude and
the aircraft indicating to be on ground. We coarsely perform this check against the
elevation of the highest European airport (1,707 m), Samedan Airport of Switzerland.
Notably, more fine-grained information about the geographical topology would
benefit the test validity. Table 6.4 shows the implemented dependency checks.
Table 6.4: Dependency Check
Relationship                                  Tolerance
Horizontal Position ↔ Velocity + True Track   100 m
Altitude ↔ Vertical Rate                      100 m
Altitude ↔ Aircraft on Ground                 1,707 m
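The three content checks of Sections 6.6.1 to 6.6.3 with the thresholds of Tables 6.2 to 6.4, as an added Python example (not code from the thesis). The Report field names, the flat-earth position prediction, the one-second minimum interval, and the constructed sample track are assumptions; the identification check is left out because it needs external ICAO and call-sign databases.

```python
import math
from dataclasses import dataclass

R_EARTH = 6371000.0  # mean Earth radius in metres (assumption for the distance maths)


@dataclass
class Report:  # field names are assumptions, not taken from the thesis
    t: float          # receiver timestamp [s]
    lat: float        # latitude [deg]
    lon: float        # longitude [deg]
    alt: float        # altitude [m]
    velocity: float   # ground speed [km/h]
    track: float      # true track [deg from True North]
    vrate: float      # vertical rate [m/s]
    on_ground: bool = False


# Table 6.2: defined value ranges and physical bounds
SANITY = {"lat": (-90, 90), "lon": (-180, 180), "alt": (-3, 20000),
          "velocity": (0, 1200), "track": (0, 360), "vrate": (-50, 50)}
# Table 6.3: maximal change per second
MAX_CHANGE = {"horizontal": 500, "alt": 100, "track": 10, "velocity": 25, "vrate": 10}
DEP_TOL_M = 100          # Table 6.4: tolerated prediction error
GROUND_MAX_ALT_M = 1707  # Table 6.4: elevation of the highest European airport


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * R_EARTH * math.asin(math.sqrt(a))


def predict(r, dt):
    """Dead-reckon (lat, lon, alt) dt seconds after r; flat-earth step, fine for short dt."""
    d = r.velocity / 3.6 * dt
    trk = math.radians(r.track)
    lat = r.lat + math.degrees(d * math.cos(trk) / R_EARTH)
    lon = r.lon + math.degrees(d * math.sin(trk) / (R_EARTH * math.cos(math.radians(r.lat))))
    return lat, lon, r.alt + r.vrate * dt


def sanity_check(r):
    """Names of fields outside their Table 6.2 range (NaN is flagged as well)."""
    return [k for k, (lo, hi) in SANITY.items() if not lo <= getattr(r, k) <= hi]


def differential_check(prev, cur):
    """Names of parameters that changed faster than Table 6.3 allows."""
    dt = max(cur.t - prev.t, 1.0)  # scale the tolerance with the missed time period
    trk = abs(cur.track - prev.track) % 360
    change = {"horizontal": distance_m(prev.lat, prev.lon, cur.lat, cur.lon),
              "alt": abs(cur.alt - prev.alt),
              "track": min(trk, 360 - trk),  # 359 deg -> 1 deg is a 2 deg turn
              "velocity": abs(cur.velocity - prev.velocity),
              "vrate": abs(cur.vrate - prev.vrate)}
    return [k for k, v in change.items() if v > MAX_CHANGE[k] * dt]


def dependency_check(prev, cur):
    """Violated relationships of Table 6.4 between two subsequent reports."""
    lat, lon, alt = predict(prev, cur.t - prev.t)
    failed = []
    if distance_m(lat, lon, cur.lat, cur.lon) > DEP_TOL_M:
        failed.append("position")   # position vs. velocity + true track
    if abs(alt - cur.alt) > DEP_TOL_M:
        failed.append("altitude")   # altitude vs. vertical rate
    if cur.on_ground and cur.alt > GROUND_MAX_ALT_M:
        failed.append("on_ground")  # altitude vs. on-ground flag
    return failed


def constructed_track():
    """Constructed sample: two consistent reports, then a position jump of about 2.2 km."""
    a = Report(0.0, 50.0, 8.0, 10000.0, 900.0, 90.0, 0.0)
    b = Report(1.0, *predict(a, 1.0), 900.0, 90.0, 0.0)
    lat, lon, alt = predict(b, 1.0)
    c = Report(2.0, lat + 0.02, lon, alt, 900.0, 90.0, 0.0)  # movement fields unchanged
    return a, b, c


if __name__ == "__main__":
    a, b, c = constructed_track()
    for prev, cur in ((a, b), (b, c)):
        print(sanity_check(cur), differential_check(prev, cur), dependency_check(prev, cur))
```

The jump in the third report passes the sanity check but fails both the differential and the dependency check, which is the behavior the text expects for a position that moves while the movement fields stay unchanged.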
6.6.4 Cross Check
The cross check utilizes the spatial redundancy of the surveillance network in a col-
laborating manner. Participating sensors are widely distributed and their coverages
overlap significantly, as shown in Figure 6.2b. Even though the sensor locations
are unknown, we can estimate which sensors observe which airspace via inspecting
the reported positions embedded in their received ADS-B reports. Hence, in our
grid-based approach, each cluster $C_j$ can be dedicated to covering sensors $R_i$ such
that the following equation holds:
$P_{rec}(R_i, C_j) > 0.$ (6.1)
If for an indicated cluster $C_j$ multiple sensors $R_i$ cover the same area such that
$P_{rec}(R_i, C_j) > 0$, we can countercheck the received message information by consulting
all designated sensors. In areas observed by none or a single sensor, a cross check
cannot be applied. For each sensor covering the reported position, we distinguish
two discrete events: the sensor has received the message or the sensor has not received
the message:
$X_{m,R_i} = \begin{cases} 0 & \nexists\,(m, R_i) \\ 1 & \exists\,(m, R_i). \end{cases}$
Due to noise effects and signal collisions, sensors naturally experience a message
loss in the range of 10% to 75% depending on the distance to the origin, obstacles
in view, or the airspace density [107]. Hence, the case of missing a report does not
causally imply unusual behavior or the existence of attacks and needs to be factored
in accordingly. We refer to the combination of events $X_{m,R_i}$, $R_i \in R$, as the observed
message reception pattern for a report broadcasted from the claimed position. Each
sensed message is therefore mapped to a vector representing the reception events for
every sensor:
$\vec{X}_m = [X_{m,R_1}, X_{m,R_2}, \cdots, X_{m,R_{n-1}}, X_{m,R_n}],$ (6.2)
where n is the total number of sensors in the network. For our considered scenario,
we obtain a vector with 613 entries, which represents the message reception pattern.
These patterns exhibit a certain variance and cannot be translated into fixed rules
due to the non-deterministic sensor reception. Hence, we choose an ML approach
to handle the huge amount of available data and simultaneously consider unknown
external effects.
In particular, for each of the 182,824,762 recorded ADS-B reports, we determine
which of the 613 sensors reported that specific message. In combination with the
embedded positioning information, we learn typical reception patterns for the entire
day and label the data to be the result of normal operating air traffic and sensors.
After processing all reports, each cluster Cj is assigned with actually observed mes-
sage reception patterns and we assume these patterns to represent normal behavior.
We discuss this assumption in Section 6.10.1 and reason about its validity.
Algorithm Choice. In general, we use a binary classification to distinguish be-
tween normally observed reception patterns and patterns resulting from erroneous
or malicious behavior. In particular, we chose to use an ensemble algorithm with
bagged decision trees, i. e. random forests. In essence, this creates many different
trees that independently make a decision on a given input pattern. This approach
is more robust and prevents overfitting as compared to simple decision trees. For
more information on ML algorithms, and especially on random forests, we refer to
an article by Leo Breiman [11].
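The cross check as an added Python example (not the thesis implementation): it builds the reception vectors of Eq. 6.2 per cluster, estimates P_rec from traffic assumed to be normal, and scores a pattern with an independent per-sensor Bernoulli likelihood, which is a simpler stand-in for the random forest named above. The grid size, the sensor names, the smoothing, the threshold rule, and the constructed history are assumptions.

```python
import math

GRID_DEG = 1.0  # assumption: cluster edge length in degrees


def cluster_of(lat, lon):
    """Grid cluster C_j (latitude index, longitude index) of a claimed position."""
    return (math.floor(lat / GRID_DEG), math.floor(lon / GRID_DEG))


def reception_vector(receivers, sensors):
    """Eq. 6.2: X_m with entry 1 if the link (m, R_i) exists, else 0."""
    return [1 if s in receivers else 0 for s in sensors]


class CrossCheck:
    def __init__(self, sensors):
        self.sensors = list(sensors)
        self.hits = {}    # cluster -> per-sensor reception counts
        self.total = {}   # cluster -> number of recorded messages
        self.floor = {}   # cluster -> lowest score observed in normal traffic

    def fit(self, history):
        """history: (lat, lon, receiving sensors) per message, assumed to be normal."""
        history = list(history)
        for lat, lon, rx in history:
            c = cluster_of(lat, lon)
            counts = self.hits.setdefault(c, [0] * len(self.sensors))
            self.total[c] = self.total.get(c, 0) + 1
            for i, x in enumerate(reception_vector(rx, self.sensors)):
                counts[i] += x
        # Threshold rule (assumption): every pattern seen in training counts as normal.
        for lat, lon, rx in history:
            c = cluster_of(lat, lon)
            s = self.score(c, rx)
            self.floor[c] = min(s, self.floor.get(c, s))
        return self

    def p_rec(self, c):
        """Laplace-smoothed estimate of P_rec(R_i, C_j) for every sensor R_i."""
        n = self.total[c]
        return [(k + 1) / (n + 2) for k in self.hits[c]]

    def score(self, c, receivers):
        """Log-likelihood of a reception pattern, sensors treated as independent."""
        x = reception_vector(receivers, self.sensors)
        return sum(math.log(p if xi else 1 - p) for xi, p in zip(x, self.p_rec(c)))

    def verdict(self, lat, lon, receivers):
        c = cluster_of(lat, lon)
        # Eq. 6.1: a sensor covers C_j if it ever received a message from there.
        covering = sum(1 for k in self.hits.get(c, []) if k > 0)
        if covering < 2:
            return "not applicable"  # none or a single sensor: no witness to consult
        return "trusted" if self.score(c, receivers) >= self.floor[c] else "suspicious"


def constructed_history():
    """Constructed sample data: 100 messages from a well-covered cluster with
    natural message loss, plus 10 from a remote cluster seen by one sensor."""
    busy = [("ABCD", 40), ("ABC", 20), ("ABD", 15), ("BCD", 10), ("AC", 10), ("AB", 5)]
    rows = [(50.5, 8.5, set(p)) for p, n in busy for _ in range(n)]
    rows += [(60.2, 20.3, {"E"})] * 10
    return rows


SENSORS = ["A", "B", "C", "D", "E"]  # hypothetical sensor identifiers
MODEL = CrossCheck(SENSORS).fit(constructed_history())

if __name__ == "__main__":
    cases = {"normal loss (A, B, C)": {"A", "B", "C"},
             "only one of four covering sensors": {"D"},
             "only a sensor that never covers this cluster": {"E"}}
    for name, rx in cases.items():
        print(name, "->", MODEL.verdict(50.5, 8.5, rx))
    print("single-sensor cluster ->", MODEL.verdict(60.2, 20.3, {"E"}))
```

The verdict is only as strong as the number of independent witnesses per cluster, which is why clusters with fewer than two covering sensors return "not applicable".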
6.7 Attack Analysis
In case one of our four verification tests indicates unusual behavior, an attack
analysis is triggered that tries to further reason about (i) the type of attack and
(ii) the affected sensors. Depending on which test triggered the attack analysis,
different conclusions can be drawn about the cause of an alarm.
6.7.1 Type of Attack
We notice that our three attack classes, i. e., GPS spoofing, ADS-B spoofing, and
sensor control/Sybil attack, can be characterized by the type of manipulation they
cause on the message, respectively on the network. This can either be on the content
of the ADS-B messages directly, or more subtly on the metadata of the message
reception. While the sanity, differential, and dependency checks can verify the
message payload, the cross check evaluates the message metadata. For each attack
vector, we identify which verification test may be indicative and provide an overview
in Table 6.5.
Table 6.5: Sensitivity to Attacks
Attack Vector              Sanity          Differential  Dependency   Cross
GPS Spoofing               not indicative  potentially   always       always
ADS-B Spoofing (Single)    potentially     potentially   potentially  always
ADS-B Spoofing (Multiple)  potentially     potentially   potentially  network dependent
Sensor Control             potentially     potentially   potentially  always
Sybil Attack               potentially     potentially   potentially  network dependent
Legend: not indicative, potentially indicative, always indicative, network dependent.
Sanity Check. A sanity check detects defined value range violations. These can
occur when a report is not originating from a genuine airborne ADS-B transmitter.
However, specifically crafted messages during an ADS-B spoofing attack on ground-
based sensors may also contain data outside their definition ranges. If a sensor is
entirely under the control of an attacker, the forwarded reports may also contain
bogus data.
Differential Check. A differential check is indicative of unusual jumps in the data.
A GPS spoofing attack may hence be detectable if the position exhibits a sudden
jump. All other attacks can also trigger an alarm for this test depending on the
variance in the generated fake data.
Dependency Check. A dependency check detects inconsistencies between de-
pendable data from independent sensors within the aircraft. Since a successful GPS
spoofing attack only affects the GPS-related sensors, other information on the move-
ment or on the heading will likely result in a violation. Again, the other attacks can
also fail this test if the fake reports do not satisfy parameter dependencies.
Cross Check. A cross check tries to decide if the message reception pattern is
the result of normal behavior or is due to some kind of attack. A message from
an aircraft affected by a GPS spoofing attack indicates a wrong position and the
reception pattern will likely differ from the actual reception pattern from the real
location. For the other attacks, the validity of the cross check depends upon the
number of sensors that observe the claimed aircraft position. The more sensors si-
multaneously cover an area, the less likely it will be that only a specific number of
sensors, e. g., affected by an ADS-B spoofing attack, receive that specific message.
Similar considerations apply for attackers adding sensors to the network by con-
trolling their behavior. Nevertheless, the unaffected sensors will not report injected
messages which is eventually reflected in an unusual reception pattern. For both
attack classes, message reception patterns are easier to decide the more sensors are
participating.
6.7.2 Affected Sensors
If we successfully detected unusual behavior and potentially identified the type of
attack, we also try to reason about the affected ADS-B sensors. We generally
distinguish between passively and actively participating sensors during an attack.
While we can tag all sensors that reported an untrustworthy message as potentially
malicious, we are interested in which sensors are indeed attacker-controlled. These
compromised sensors are actively trying to disrupt the network. We, therefore,
identify all sensors that reported messages clearly assigned to a sensor control/Sybil
attack as malicious. Their identification allows their disconnection from the network
to restore the network’s integrity.
On the other hand, sensors that are victim to an attack themselves may only be
temporarily disconnected from the network. Sensors that are recognized in such
a way can later be reactivated. The tracing of affected sensors also allows for a
coarse localization of an attack. Even though sensor locations are unknown, coverages
of the sensors can be estimated and consequently a rough attacker position could
be narrowed down.
6.8 Simulation
While the characteristics of normally operating air traffic can be learned from the
actually sensed broadcasted ADS-B messages, attack scenarios need to be emulated
based on realistic assumptions and experience. Assuming that no apparent attacks
are present on the exemplary day (July 2nd, 2018), we use all messages to map
trustworthy reports and typical message reception patterns. In the following, we
describe how we simulated the three considered attack classes, i. e., GPS spoofing,
ADS-B spoofing, and sensor control/Sybil attack. For each attack scenario, we
generate 1,000,000 different fake reports representing the respective attack.
6.8.1 GPS Spoofing
To emulate a successful GPS spoofing attack, we manipulate the reported GPS-
derived positioning information embedded in ADS-B reports. In particular, we ran-
domly sample 1,000,000 real aircraft messages from the OpenSky Network database
and exchange the GPS position while all other data fields and the sensors that re-
ceived the message remain the same. The embedded position is exchanged with a
random position within the coverage of the sensor network. We label the messages
as resulting from a GPS spoofing attack and feed them to our ML classifier.
6.8.2 ADS-B Spoofing
To realistically emulate an ADS-B spoofing attack, we are faced with the problem
of unknown sensor locations. This prevents us from declaring a specific area where
such an attack would affect all situated sensors. As a solution, we consider all
sensors observing a specific area as potential victims of an ADS-B spoofing attack.
Nevertheless, an attacker would face the same problem and cannot directly target
sensors but would need to blindly affect larger regions to reach multiple sensors. We
differentiate the attack according to how many sensors are the victim of the attack,
i. e., a single sensor, half of the sensors, or all sensors.
We again generate 1,000,000 messages for each scenario by randomized sampling
from real-world aircraft reports, but adjust the receiving sensors depending on the
considered coverage and how many sensors are affected by the attack. We use real
aircraft reports to represent an attacker trying to inject authentic ghost aircraft into
the network by sending those messages to the scenario-dependent number of sensors.
6.8.3 Sensor Control/Sybil Attack
In a sensor control/Sybil attack, an attacker adds sensors to the network that are
under the attacker’s synchronized control. We assume that the attacker’s sensors
initially behave normally to remain unnoticed prior to any fake message injection.
When an attack is launched, all controlled sensors mutually try to report the same
fake message. We again differentiate between the number of controlled sensors with
regard to the number of benign sensors, i. e., a single sensor, half of the benign
sensors, or equality between attacker sensors and other sensors.
Again, we sample 1,000,000 messages to obtain real-world ADS-B reports and then
try to inject each message from the attacker-controlled sensors. Notably, the other
sensors that cover the same cluster do not report the reception of such messages. We
assume that the attacker utilizes all controlled sensors to inject the same message.
6.9 Evaluation
We split the evaluation of our developed ADS-B trust system into (i) performance
of detecting each considered attack, (ii) distinguishing between the attack vectors,
(iii) identifying the affected sensors, and (iv) analyzing the impact of different grid
resolutions.
6.9.1 Attack Detection Performance
For our three attack classes, i. e., GPS spoofing, ADS-B spoofing, and sensor
control/Sybil attack, we briefly describe which message content triggered an alarm and
then focus on the ML supported cross check. We train our binary random forest
classifier with an equal number of messages from normal operation and all simulated
attack scenarios. We then separately test the same trained classifier against each
specific attack scenario using messages separated from the training phase. Moreover,
we analyze the detection performance within areas of different sensor coverages, i. e.,
3, 5, 10, 20, 50 sensors that are simultaneously observing the same airspace. For our
prototype implementation, we initially consider a grid resolution of roughly 7 km.
GPS Spoofing
While a smooth position deviation may actually pass the differential test, our depen-
dency test consistently triggered alarms indicating mismatches between predicted
positions and the current aircraft movement. Even though we account for a specific
uncertainty threshold, at a certain point the attack exceeds this threshold. For our
prototype implementation and for the cross check to apply, we assume a deviation
of at least the considered grid resolution. Smaller GPS position deviations would
be mapped to the same cluster and consequently the same reception pattern at re-
ceiving sensors. Notably, higher resolutions may drastically increase the sensitivity
to the attack.
Our detection performance of GPS spoofing attacks is stated in Table 6.6. The
measure used to compare the performance is the True Positive Rate (TPR), which
represents the probability that a message from a certain class is labeled correctly.
Notably, all detection rates were obtained with respect to a single message and are
further improved when considering multiple consecutive reports (from different grid
clusters), as discussed in Section 6.10.3.
Results. While the dependency check is generally effective in detecting GPS spoof-
ing attacks, in cases where additional information might be missing, the cross check
is sufficient to detect such attacks with a high probability. In clusters with higher
sensor coverages, our classifier better predicts from which scenario the message
resulted. With increasing sensor coverage, the uncertainty diminishes and therefore
the decision gains more validity. As a result, we can identify GPS spoofing attacks
with a probability of approx. 94% to 96%. Notably, the cross check is limited to
detecting attacks that manipulate the positioning information far enough that the
message reception pattern differs from that of the real location. In other words,
false positions that still remain within the same grid cluster cannot be detected
using the reception patterns alone.
Table 6.6: GPS Spoofing Detection Performance (TPR [%])
Sensor Coverage               3      5     10     20      50
Normal Operation          86.37  89.10  94.42  97.08   98.65
GPS Spoofing              96.38  94.36  94.62  95.02   96.03
Table 6.7: ADS-B Spoofing Detection Performance (TPR [%])
Sensor Coverage               3      5     10     20      50
Normal Operation          86.37  89.10  94.42  97.08   98.65
ADS-B Spoofing (single)   41.75  44.23  75.19  94.83   95.20
ADS-B Spoofing (half)     57.19  61.30  73.31  78.92   97.37
ADS-B Spoofing (all)      76.47  83.18  88.10  96.81   99.96
ADS-B Spoofing
For the evaluation of the ADS-B spoofing detection performance, we focus on the
outcome of the cross check. Since an attacker is able to generate arbitrary reports,
we assume that an attacker successfully passes all tests on the message contents to
remain undetectable by the sanity, differential, and dependency test. We analyze our
detection performance according to different numbers of affected victims and within
regions of different sensor coverages. The results are given as TPRs in Table 6.7.
We evaluate each scenario according to the number of affected sensors, i. e., a single
sensor, half of the sensors, or all sensors, separately.
Results. Our ML-based cross check is able to effectively detect ADS-B spoofing
attacks. The sensor coverage is a crucial parameter of the detection performance.
The values stated in Table 6.7 represent the mean over all regions with the stated
coverage. In general, the higher the sensor coverage, the more likely it is that the
attack is indeed detected. With respect to the natural message loss, too many
or too few sensors reporting the same message is an unusual observation. As a
consequence, an optimized attacker strategy would try to emulate typical reception
patterns and only affect a specific number of sensors. However, since sensors are
geographically distributed at unknown positions, an attacker cannot systematically
control which and how many sensors receive the fake reports. Eventually, an attacker
may broadcast from a location close to the designated position to emulate realistic
message reception. However, the attack would then become a legitimate broadcast
of ADS-B reports from the advertised position.
Table 6.8: Sensor Control/Sybil Attack Detection Performance (TPR [%])
Sensor Coverage               3      5     10     20      50
Normal Operation          86.37  89.10  94.42  97.08   98.65
Sensor Control            41.71  46.36  79.60  94.33   99.66
Sybil Attack (half)       14.29  75.95  80.64  95.87   99.95
Sybil Attack (same)       98.91  99.69  99.90  99.97  100.00
Sensor Control/Sybil Attack
To evaluate our detection performance of sensor control/Sybil attacks, we again fo-
cus on the outcome of the cross check. Our simulated attack messages are crafted in
a way that all pass the message content verification and need to be detected by their
metadata. For the analysis, we consider different sensor coverage regions in which
the attacker adds different numbers of compromised sensors, i. e., a single sensor,
half of the sensors, or the same number of sensors already observing that specific
airspace. Notably, the attackers’ sensors initially participate normally and are al-
ready considered when deciding message reception patterns. Table 6.8 separately
compares TPRs for correctly classifying normal and attack messages.
Results. We successfully distinguish between messages resulting from sensor con-
trol/Sybil attacks and reports from normal operation. However, in regions of low
sensor coverage, the attack is hardly detected. As a result, the validity of the cross
check requires a certain number of sensors to effectively detect Sybil attacks. We
even recognize a slightly better detection performance as compared to ADS-B spoof-
ing messages. The reasoning behind this is based on the fact that other sensors in the
same area will not report the reception of the fake message that is directly injected
by compromised sensors. This represents a very unlikely case of a high number of
sensors missing on the same message. The higher the coverage of the sensors is, the
more unlikely these events become. Moreover, an attacker cannot emulate realistic
reception patterns by direct message injection considering that sensors are deployed
at unknown locations.
Figure 6.4: The confusion matrix of our ML classifier deciding the type of attack
when confronted with random messages resulting from: Normal Operation, GPS
Spoofing, ADS-B Spoofing, or Sybil Attack.
[Confusion matrix plot; axes: True Class, Predicted Class; with TPR and TNR.]
6.9.2 Attack Analysis: Type of Attack
If one of our verification tests issues an alarm and an attack is detected, we further
try to identify the type of attack. In order to evaluate the ability to differentiate
between attacks, we consider the results of the cross check verification. In par-
ticular, we train our classifier with messages from all the analyzed attacks, i. e.,
GPS spoofing, ADS-B spoofing, and sensor control/Sybil attack. We then test the
classifier against messages randomly sampled from messages identified as malicious.
Figure 6.4 depicts a confusion matrix while considering an exemplary coverage of
ten sensors. Furthermore, for the ADS-B spoofing attack and the Sybil attack, we
consider an attacker affecting half of the monitoring sensors. Aside from the TPR,
we provide the complementary True Negative Rate (TNR).
Results. The messages resulting from a simulated GPS spoofing attack are assigned
to the matching class in 99% of the cases. While only 89% of ADS-B attack reports
are correctly detected, a huge proportion of 11% of those messages are falsely
decided to reflect a Sybil attack. In particular, we simulated this attack with a very
beneficial attacker setup replicating typical reception patterns by simultaneously
affecting multiple sensors. This constitutes the most stealthy attack with respect
to our classifier. In comparison, Sybil attacks are correctly classified with a prob-
ability of 98% and only 2% are decided to result from ADS-B spoofing. Notably,
all of the shown results are based on a single message classification. To further re-
duce the probability of false alarms, we discuss the requirements of successive false
classifications in Section 6.10.3.
6.9.3 Attack Analysis: Affected Sensors
We generally differentiate between sensors that are victims themselves, misused as
passive attack actors, and sensors that are actively collaborating and causing the
attack. For instance, in GPS spoofing attacks and ADS-B spoofing attacks, sensors
may be faced with bogus input data. While their input data may be bogus, passive
victim sensors are still functioning correctly and otherwise conform to their
intended behavior. While for GPS spoofing attacks the sensor reception patterns
reflect normal behavior but for a different message origin, the reception patterns
for ADS-B spoofing attacks are altered. If our attack analysis reveals the type of
attack being of the latter case, the reporting sensors may be disconnected from the
network and excluded from the cross checking procedure of other messages. These
sensors are directly affected by the attacker and their sensing of messages cannot
be trusted. However, after the attack is concluded, the identified sensors may be
reactivated and again contribute to the network.
In contrast, if the attack analysis reveals a sensor control/Sybil attack, we are
faced with compromised sensors actively launching attacks on the network. All
sensors that reported the reception of identified attack messages are considered a
part of an attacker-controlled sensor union. Any shared messages from such sensors
cannot be considered trustworthy. Their participation in the crowdsourcing network
is shut down and their forwarded messages are filtered out accordingly to recover
the integrity of the network.
6.9.4 Impact: Grid Resolution
The resolution of our considered underlying grid determines the clustering process
of assigning messages and sensors to the same cluster Cj. The higher the grid reso-
lution, the finer is the differentiation between regions and eventually their reception
patterns. However, increasing the grid resolution not only increases the computa-
tional load but can also lead to overfitting areas to the monitoring sensors. For
instance, since we do not know the exact locations of sensors, we need to learn them
from their reported ADS-B messages. The chance that a sensor reported no message
from a specific area increases with smaller sizes even though the sensor might
actually observe that airspace. We evaluated the impact of the grid resolution for
edge lengths of 70 km, 35 km, 14 km, and 7 km and gained the following insights.
The greater the proliferation of a cluster is, the more sensors are potentially
observing at least parts of the area. As a consequence, the reception patterns feature
more active sensors and have a higher variance. However, this also makes it harder
to have a clear distinction between normal operation and malicious patterns. On the
other hand, a too small cluster area actually prevents a generalized estimation and
thus also decreases the validity. For our analysis, we achieve a reasonable trade-off
for a grid size of 7 km, with which all the presented results were gathered.
6.10 Discussion
We discuss important parameters of our developed system, e. g., (i) implicit trust in
the data source, (ii) attacker’s knowledge, (iii) false alarm events, (iv) the current
attack resilience, (v) optimized sensor deployment, and (vi) further extensions.
6.10.1 Implicit Data Source Trust
We base the evaluation of our trust system on data provided by the OpenSky Net-
work, which records real-world air traffic reports. However, we take the data “as is”
and consider it to represent normal behavior. We cannot exclude the existence of
erroneous data or even reports that resulted from some kind of attack. Nevertheless,
we thoroughly analyzed the messages of our considered exemplary day (July 2nd,
2018) without any findings. While our system is designed to analyze live data, our
system can also be used to find unusual data retrospectively and potential attacks
in the recorded air traffic messages of arbitrary days.
6.10.2 Attacker’s Knowledge
In our performance analysis of detecting different attacks, we considered attackers
controlling a certain number of sensors. However, an attacker with full awareness of
our detection scheme might try to optimize the pursued attack strategy and imitate
authentic reception patterns. For both ADS-B spoofing and Sybil attacks, it can
only be achieved to a certain degree and cannot overcome the detection in regions
with enough sensor redundancy. Even a fully aware attacker does not know the
locations of other sensors, and hence it is not possible to manipulate them in a
targeted manner (e. g., through ADS-B spoofing). Moreover, an attacker cannot
access the unprocessed readings of other sensors in an effort to localize them. In the
case of ADS-B spoofing, where an attacker affects multiple sensors, victims cannot
separately be targeted. A Sybil attacker, however, could try to emulate realistic
reception patterns via compromised sensors, but cannot do so with the sound user-
controlled sensors. We, therefore, argue that even an attacker, fully aware of our
detection scheme, cannot overcome it due to the concealed locations of other sensors.
Table 6.9: False Alarm Probability [%]
Consecutive Messages       1      2      3      4      5
Coverage  3            13.63   1.86   0.25   0.03  <0.01
Coverage  5            10.90   1.19   0.13   0.01  <0.01
Coverage 10             5.58   0.34   0.02  <0.01  <0.01
Coverage 20             2.92   0.09  <0.01  <0.01  <0.01
Coverage 50             1.35   0.02  <0.01  <0.01  <0.01
6.10.3 False Alarm Events
Even though our ML-based cross check exhibits a high detection performance, the
probability of false alarm events is non-negligible. A false alarm is triggered when an
ADS-B message is incorrectly labeled as the result of an attack while originating from
normal operation. Depending on the sensor coverage of the considered airspace, the
false alarm rate can reach approx. 14%, which is unacceptably high for a production
system. However, we want to highlight again that all results in Tables 6.6 to 6.8
refer to a single, separate message. By requiring multiple, consecutive reports
that are detected as malicious, the false alarm rate can be lowered drastically.
The chances of false alarms when requiring several false classifications in succession
are stated in Table 6.9. Notably, for this evaluation, we assume that the successive
aircraft reports are sent from different grid areas with distinct message reception
patterns. This is naturally satisfied as aircraft are moving constantly when en-route.
By increasing the number of consecutive messages, the false alarm probability can
be brought down to reasonable levels even for low-density regions.
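The cross check of Section 6.9.1 and the consecutive-message rule described above can be illustrated together with the following added example, which is not code from the dissertation: it replaces the random forest with a plain likelihood threshold on the reception pattern. The per-sensor reception probabilities, the independence of sensors and of successive messages, and all function names are assumptions made for the illustration.

```python
"""Added example: likelihood-based stand-in for the ML cross check (constructed data)."""
import math
import random


def reception_probs(n):
    """Constructed per-sensor reception probabilities for one grid cluster (assumption)."""
    return [(0.7, 0.8, 0.9)[i % 3] for i in range(n)]


def log_likelihood(pattern, probs):
    """Log-probability of a 0/1 reception pattern, assuming independent sensors."""
    return sum(math.log(p if r else 1.0 - p) for r, p in zip(pattern, probs))


def normal_pattern(probs, rng):
    """Genuine broadcast: every covering sensor receives it with its own probability."""
    return [1 if rng.random() < p else 0 for p in probs]


def injected_pattern(n, k, rng):
    """Fake report seen by exactly k affected or attacker-controlled sensors only."""
    reporting = set(rng.sample(range(n), k))
    return [1 if i in reporting else 0 for i in range(n)]


def calibrate(probs, rng, target_fa=0.05, samples=5000):
    """Threshold = empirical target_fa quantile of normal-traffic log-likelihoods."""
    scores = sorted(log_likelihood(normal_pattern(probs, rng), probs)
                    for _ in range(samples))
    return scores[int(target_fa * samples)]


def is_suspicious(pattern, probs, threshold):
    """Flag reception patterns that are less likely than almost all normal ones."""
    return log_likelihood(pattern, probs) < threshold


def evaluate(n, rng, trials=2000):
    """Return (detection rate, false-alarm rate) when half of n sensors report a fake."""
    probs = reception_probs(n)
    threshold = calibrate(probs, rng)
    k = max(1, n // 2)
    hits = sum(is_suspicious(injected_pattern(n, k, rng), probs, threshold)
               for _ in range(trials))
    false_alarms = sum(is_suspicious(normal_pattern(probs, rng), probs, threshold)
                       for _ in range(trials))
    return hits / trials, false_alarms / trials


def consecutive_false_alarm(n, needed, rng, flights=20000):
    """False-alarm rate when `needed` successive benign messages must all be flagged.

    Each message is drawn independently, standing in for reports sent from
    different grid clusters with the same coverage (assumption).
    """
    probs = reception_probs(n)
    threshold = calibrate(probs, rng)
    alarms = 0
    for _ in range(flights):
        if all(is_suspicious(normal_pattern(probs, rng), probs, threshold)
               for _ in range(needed)):
            alarms += 1
    return alarms / flights


if __name__ == "__main__":
    rng = random.Random(2018)
    for coverage in (3, 5, 10, 20, 50):
        tpr, fpr = evaluate(coverage, rng)
        print(f"coverage {coverage:2d}: detection {tpr:.2%}, false alarms {fpr:.2%}")
    for needed in (1, 2, 3):
        rate = consecutive_false_alarm(3, needed, rng)
        print(f"coverage 3, {needed} consecutive: false alarms {rate:.3%}")
```

With only three covering sensors, an injected pattern is often indistinguishable from ordinary message loss, while with fifty sensors the silence of the unaffected half is practically impossible under normal operation.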
6.10.4 Current Attack Resilience
The crowdsourcing sensors are at the core of our trust system and their distribution
and density are of utmost importance for the detection of attacks. The validity of the
cross check, i. e., wireless witnessing, increases with the number of sensors covering
a certain air segment. Thus, the higher the redundancy is, the better malicious
attacks and sensors can be detected. We analyzed the current resilience of the
OpenSky Network by considering regions related to the evaluated coverages, i. e., 3,
5, 10, 20, and 50 sensors. Figure 6.5a depicts areas that already provide at least the
indicated number of sensor redundancy. Further, Table 6.10 states the breakdown of
the total covered area and relates it to the total surface of the European continent.
Figure 6.5: The resilience measured in sensor redundancy and identified regions that
would benefit the most by optimized sensor deployment, both considering the
currently deployed infrastructure as of July 2nd, 2018. Panels: (a) Resilience,
(b) Optimized Deployment.
Table 6.10: Coverage Regions
Coverage          ≥ 3      ≥ 5     ≥ 10     ≥ 20    ≥ 50
Area [km²]    705,649  568,859  379,556  253,595  93,032
Total [%]       69.32    55.88    37.28    24.91    9.14
6.10.5 Optimizing Sensor Deployment
To further develop the security of the network, we encourage the deployment of
new sensors in less covered areas or optimize the current geographical distribution.
While the latter is not a viable solution since sensors are naturally deployed in the
vicinity of the operating user and cannot be freely moved around, we follow the first
approach of optimized network expansion. From the coverage information of existing
sensors in the network (see Figure 6.5a), we can learn how to optimize the placement
of new sensors with the goal of filling blind spots. Our optimization target is an
overall coverage increase and therefore a hardening against attacks.
To provide an overview of areas that would benefit the most from the deployment
of new sensors, we weight the need for better coverage according to the sensor
redundancy of the network. The lower the current coverage is, the higher is the
demand for new sensors. We restrict possible locations to be on land. We further
assume an average reception range of 400 km and simplify the observable airspace to
be a circle around the sensor. Figure 6.5b depicts areas according to their coverage
increase for the entire network. While in Central Europe the deployment of new
sensors does not significantly impact the overall resilience against attacks, especially
sensor setups close to the coastlines can heavily increase the attack resilience.
6.10.6 Extensions
We discuss three extensions of our trust system with the goal of better reflecting
real-world characteristics as well as introducing a sensor reputation to weight the
impact on the trust assessment process. Further, dynamic learning strategies can
keep attack detection strategies updated.
Time Dependence. Since ADS-B broadcasts use the wireless medium, message
collisions can occur when the frequency band is saturated. The resulting rate of
message loss is dependent on the airspace density which in turn changes over time
based on the operating hours of airports. The more aircraft share the same medium,
the higher the chances are of messages being lost. While our current system esti-
mates reception probabilities based on averaged observations, a future extension of
our trust system may account for time-dependent message losses.
Sensor Reputation. In the currently deployed crowdsourcing network, we con-
sider each sensor as equivalent to any other sensor. However, a portion of the sensors
are operated by personal contacts or registered users. Those sensors are expected
to be less likely to participate in active attacks and we could link the reputation of
the operator to its possessed sensors. To further refine the sensor reputation, the
hardware implementation could also be taken into account, where some implemen-
tations are more robust to faults than others. By incorporating sensor reputation,
the validity of telling normal behavior and attack scenarios apart could be further
improved.
Dynamic Learning. Finally, we envision the implementation of dynamic learning
techniques. A dynamic learning approach could constantly be updated to incorpo-
rate shifts in the message reception patterns which can occur when, e. g., sensors
are joining or leaving the network, the reception range of sensors changes, or trans-
mission ranges are altered. Moreover, new attack vectors may arise in the future. A
(re-)training of our classifier with updated attack vector definitions ensures that the
trust evaluation process keeps its validity while facing currently unknown attacks.
6.11 Summary
This work approached a trust evaluation system for ADS-B based air traffic
surveillance using an already existing infrastructure of crowdsourcing sensors. We
demonstrated how our solution leverages sensor redundancy to establish wireless
witnessing to protect an otherwise unsecured open system. To this end, we tested our
system against prominent attack vectors showing that we can not only detect them but
also draw conclusions about their type and the participating sensors. The validity of
our trust evaluation process depends on the redundancy of sensors observing the
same airspace segments. Moreover, we outlined considerations for future sensor
deployment hardening the network’s security by optimized expansion.
The finish line is just the beginning of a whole new
race.
— Unknown
7 Conclusion
Contents
7.1 Key Results
7.2 Directions for Future Work
7.3 Concluding Remarks
7.1 Key Results
Based on the insight that today’s adversaries are progressively advancing in their
available tools, we identified the need for new security approaches to harden satellite-
based navigation systems against updated attacker models. In addition, proposals
need to fulfill restrictions imposed by safety-critical domains to ease the process
of implementation and certification. As a result, we developed lightweight security
solutions that do not require any modifications to the already existing infrastructure.
In the following, we sum up the key results of this dissertation.
Starting with a thorough review of the state of the art concerning attacks on
satellite-based navigation systems and existing countermeasures, we recognized an
increasing gap between the attacker side and the models against which countermea-
sures are evaluated. With the currently available tools and assuming a moderate
knowledge of signal processing, we were able to implement a simple multi-antenna
attacker that is often deemed as too complex or too expensive. This type of attacker
could successfully circumvent countermeasures that neglect the advancements in at-
tacker capabilities.
To this end, we proposed the deployment of four receivers in a predefined forma-
tion to detect Global Positioning System (GPS) spoofing attacks—even considering
the presence of multi-antenna attackers. To demonstrate the viability of our ap-
proach, we implemented a prototype and analyzed its detection performance both
under normal operation and under spoofing attacks. An in-depth error analysis and
the insight that GPS errors are spatially correlated allowed us to significantly reduce
the required distances to 5 m and an area of 26 m². Hence, the countermeasure can
be instantiated on smaller vehicles while maintaining reliable attack detection and
negligible false alarm rates.
Taking GPS spoofing detection one step further, we proposed Crowd-GPS-Sec as
a crowdsourcing system to detect and localize the signal source of spoofing attack-
ers. The developed scheme uses GPS-inferred Automatic Dependent Surveillance-
Broadcast (ADS-B) aircraft status reports and does not need to be the attacker’s
target itself but can work remotely from where the attack is happening. We designed
Crowd-GPS-Sec without modifications of the existing infrastructure and only con-
sidering already collected reports gathered by the OpenSky Network. As a prereq-
uisite, we implement Multilateration (MLAT) based on Time Difference of Arrival
(TDoA) measurements to independently localize aircraft within a few hundred me-
ters. Further, we formulate two different spoofing detection tests and analyze their
combined detection rate to be approx. 75% and approaching 100% for attackers
with increased range. Eventually, we analyzed the spoofer localization performance
of Crowd-GPS-Sec using extensive simulations and a prototype implementation
processing real-world aircraft reports. Depending on the considered error model, we
achieved a localization accuracy of approx. 150 m after 15 min of monitoring time.
To additionally detect attacks on the ADS-B protocol, we pursued a form of
wireless witnessing to assess the trustworthiness of aircraft reports. In particular,
we designed a set of verification tests with a focus on a Machine Learning (ML)
supported cross check making use of the geographical distribution of sensors and
discrete reception events. Again, our system is lightweight in the sense that it
does not require any modifications to the existing infrastructure. Using real-world
air traffic data and simulated attack scenarios, we successfully classified ADS-B
reports as resulting from normal operation or one of our considered attacks, i. e., GPS
spoofing, ADS-B spoofing, or a Sybil attack. The differentiation gains validity with
an increase in sensor redundancy. Further, we identified the type of attack and
revealed malicious sensors with a high chance of 89% to 99%. Concluding, we
elaborated on optimized sensor deployment and identified the most beneficial regions
for new sensors to further harden the system against attacks.
7.2 Directions for Future Work
To further promote the security of GPS-dependent systems, we point out promising
directions for future work. In particular, we want to highlight the following five
aspects that have emerged during our work.
Implementation and Analysis of Multi-Antenna Attacks
While we presented initial results from a basic multi-antenna implementation, a
thorough evaluation could reveal more insights on how countermeasures behave in
the presence of this type of attack. For instance, a proper attack setup may serve
as a tool to test the protection of concrete countermeasure implementations. Such
a tool can help to substantiate the theoretical resistance of our multi-receiver GPS
spoofing detection. Furthermore, the implementation of a multi-antenna attacker
could help to assess the validity of Crowd-GPS-Sec and its spoofing detection tests
concerning this attacker. Overall, the multi-antenna attacker may have a significant
impact on how we design countermeasures in the future.
Consideration of Mobile Receivers
In its current form, our multi-receiver spoofing detection is instantiated with
four stationary receivers. The consideration of mobile receivers allows dynamic
adjustments of the formation and affects the error characteristics of mutual
distances. Moreover, the countermeasure may be ported to Unmanned Aerial
Vehicle (UAV) formations, vehicle convoys, or general ad hoc networks to unite
against GPS spoofing attacks.
Cross-Network Information Exchange
Our crowdsourcing-based proposals consider multiple data sources, e. g., the
ADS-B sensors of the OpenSky Network. However, the gathered information
originates from the same network limited to the currently participating
sensors. To broaden the available information base, we envision a cross-network
information exchange. Similar to the air traffic surveillance infrastructure,
sensor networks exist for marine traffic or road traffic based on roadside
units. Cooperation between these networks can provide more data for
Crowd-GPS-Sec to better detect and localize spoofing attacks.
Spoofer Localization of Known GPS Spoofing Incidents
While we evaluated the localization performance of Crowd-GPS-Sec based on
simulated attack scenarios, the localization of an unknown real-world attacker
remains an open task. For instance, the spoofer that caused the Black Sea GPS
spoofing incident has never been exposed. Notably, the targeted area was not
covered by the OpenSky Network at the time of the incident.
Heuristic Anomaly Detection for ADS-B Reports
Our designed verification system for ADS-B aircraft reports is comparable to the
functioning of Intrusion Detection Systems (IDSs). In essence, we estimate the prob-
ability that a message originated from normal operation or deliberate manipulation
and, hence, we perform anomaly detection. This topic is well-researched in the net-
work security community. Our verification system could adapt known techniques,
e. g., implement a heuristic approach similar to how antivirus software determines
whether files are sound or malicious.
7.3 Concluding Remarks
The technical advancements of recent years have significantly extended the avail-
able attacker tools to threaten applications that rely on satellite-based navigation
systems. The pervasive dependency on the integrity of positioning and time
information necessitates strong security requirements. However, we observe a
striking
mismatch between the feasibility of attacks and the implemented countermeasures.
Even more aggravating, regulators impose restrictions on possible modifications and
therefore demand lightweight security solutions.
To this end, we addressed the challenge of retrofitting security into GPS-dependent
systems. Our proposals demonstrate that these challenges can indeed be approached
and effective countermeasures are available. We are—still—in the position to im-
prove the current security systems and act proactively, rather than to react after
the damage is already done. All that is left is taking our ideas from prototype to
production.
List of Figures
1.1 Schematic Overview of Contributions
2.1 Reception of GPS Satellite Signals
2.2 Positioning via Trilateration
2.3 Aircraft Broadcast Reports
3.1 Single Antenna Attacker
3.2 Multi-Antenna Attacker
4.1 Multi-Receiver Deployment
4.2 Attack on Multiple Receivers
4.3 Multi-Receiver Formations
4.4 Hardware and Experimental Setup
4.5 Reported Receiver Positions
4.6 Deviations from Mean Position - Authentic
4.7 Distance Distributions - Authentic
4.8 Additional Measurements
4.9 Deviations from Mean Position - Spoofing
4.10 Distance Distributions - Spoofing
4.11 Evaluation of Different Radii
4.12 Detection Performance
4.13 Prototype Deployment
4.14 Deciding Authentic and Spoofing Scenarios
4.15 Analysis of Different Functions f(·)
5.1 Overview of Air Traffic Monitoring Techniques
5.2 Experimental Hardware
5.3 Reported Spoofed Positions
5.4 Number of Affected Aircraft
5.5 Coverage of Crowd-GPS-Sec
5.6 System Overview of Crowd-GPS-Sec
5.7 Aircraft Localization via Multilateration
5.8 Spoofer Localization
5.9 Detection Rates and Coverage
5.10 Comparison of the Detection Rates
5.11 Comparison of the Detection Times
5.12 Impact of GPS Noise
5.13 Impact of MLAT Noise
5.14 Impact of Spoofed Track Velocity
6.1 System Model for ADS-B Trust Establishment
6.2 Distribution of Messages and Sensor Coverage
6.3 ADS-B Trust Evaluation Process
6.4 Type of Attack - Confusion Matrix
6.5 Resilience and Optimized Deployment
List of Tables
2.1 GPS L1 C/A Error Sources and UERE [39,79]
3.1 Related Work Considering Multi-Antenna Attacks
3.2 Selected Publications Providing Multi-Antenna Results
4.1 Receiver Placement and Relative Distances
4.2 Error Distribution Parameters - Authentic
4.3 Error Distribution Parameters - Spoofing
4.4 Simulation Parameter Sets
4.5 Function f(·) Performance (Lower is Better)
5.1 Spoofing Detection Tests Comparison
5.2 Localization Requirements
5.3 Localization Scenario Comparison
5.4 Simulation Framework Parameters
6.1 Attack Vectors
6.2 Sanity Check
6.3 Differential Check
6.4 Dependency Check
6.5 Sensitivity to Attacks
6.6 GPS Spoofing Detection Performance (TPR [%])
6.7 ADS-B Spoofing Detection Performance (TPR [%])
6.8 Sensor Control/Sybil Attack Detection Performance (TPR [%])
6.9 False Alarm Probability [%]
6.10 Coverage Regions
List of Abbreviations
ADS-B: Automatic Dependent Surveillance-Broadcast
AIS: Automatic Identification System
AoA: Angle of Arrival
C/A: Coarse/Acquisition
CDF: Cumulative Distribution Function
CDMA: Code Division Multiple Access
COTS: Commercial Off-the-Shelf
CPS: Cyber-Physical System
EER: Equal Error Rate
FAA: Federal Aviation Administration
GLONASS: Global Navigation Satellite System
GNSS: Global Navigation Satellite System
GPS: Global Positioning System
ICAO: International Civil Aviation Organization
IDS: Intrusion Detection System
IoT: Internet of Things
LoS: Line of Sight
MATLAB: MATrix LABoratory
ML: Machine Learning
MLAT: Multilateration
NAVSTAR: Navigation System with Timing and Ranging
NMEA: National Marine Electronics Association
PDF: Probability Density Function
PRN: Pseudorandom Noise
PVT: Position, Velocity and Time
RADAR: Radio Detection and Ranging
RMSE: Root Mean Square Error
RSS: Received Signal Strength
SA: Selective Availability
SDR: Software Defined Radio
SNR: Signal-to-Noise Ratio
TDoA: Time Difference of Arrival
TNR: True Negative Rate
ToA: Time of Arrival
TPR: True Positive Rate
UAV: Unmanned Aerial Vehicle
UEE: User Equipment Error
UERE: User Equivalent Range Error
URE: User Range Error
USRP: Universal Software Radio Peripheral
VANET: Vehicular Ad Hoc Network
Bibliography
[1] D. L. Adamy, EW 101: A First Course in Electronic Warfare, 1st ed. Artech
House, 2001.
[2] I. Akkaya, E. A. Lee, and P. Derler, “Model-Based Evaluation of GPS Spoofing
Attacks on Power Grid Sensors,” in Workshop on Modeling and Simulation of
Cyber-Physical Energy Systems (MSCPES ’13). Berkeley, CA, USA: IEEE,
May 2013.
[3] D. M. Akos, “Who’s Afraid of the Spoofer? GPS/GNSS Spoofing Detection
via Automatic Gain Control (AGC),” NAVIGATION, Journal of the Institute
of Navigation, vol. 59, no. 4, pp. 281–290, Dec. 2012.
[4] Arduino. Arduino Uno Rev3. [Online]. Available:
https://www.arduino.cc/en/Main/ArduinoBoardUno
[5] R. Baker and I. Martinovic, “Secure Location Verification with a Mobile Re-
ceiver,” in ACM Workshop on Cyber-Physical Systems Security & Privacy
(CPS-SPC ’16). Vienna, Austria: ACM, Oct. 2016, pp. 35–46.
[6] M. Balduzzi, A. Pasta, and K. Wilhoit, “A Security Evaluation of AIS Au-
tomated Identification System,” in Annual Computer Security Applications
Conference (ACSAC ’14). New Orleans, LA, USA: ACM, Dec. 2014, pp.
436–445.
[7] M. Bartolucci, J. A. del Peral-Rosado, R. Estatuet-Castillo, J. A. García-
Molina, M. Crisci, and G. E. Corazza, “Synchronisation of Low-Cost Open
Source SDRs for Navigation Applications,” in ESA Workshop on Satellite
Navigation Technologies and European Workshop on GNSS Signals and Signal
Processing (NAVITEC ’16). Noordwijk, Netherlands: IEEE, Dec. 2016.
[8] A. Beygelzimer, S. Kakade, and J. Langford, “Cover Trees for Nearest Neigh-
bor,” in International Conference on Machine Learning (ICML ’06). Pitts-
burgh, PA, USA: ACM, Jun. 2006, pp. 97–104.
[9] J. A. Bhatti and T. E. Humphreys, “Hostile Control of Ships via False GPS
Signals: Demonstration and Detection,” NAVIGATION, Journal of the Insti-
tute of Navigation, vol. 64, no. 1, pp. 51–66, May 2017.
[10] J. A. Bhatti, T. E. Humphreys, and B. M. Ledvina, “Development and Demon-
stration of a TDOA-Based GNSS Interference Signal Localization System,”
in IEEE/ION Position, Location and Navigation Symposium (PLANS ’12).
Myrtle Beach, SC, USA: IEEE, Apr. 2012, pp. 455–469.
[11] L. Breiman, “Random Forests,” Machine Learning, vol. 45, no. 1, pp. 5–32,
Oct. 2001.
[12] A. Broumandan, A. Jafarnia-Jahromi, V. Dehghanian, J. Nielsen, and
G. Lachapelle, “GNSS Spoofing Detection in Handheld Receivers based on
Signal Spatial Correlation,” in IEEE/ION Position, Location and Navigation
Symposium (PLANS ’12). Myrtle Beach, SC, USA: IEEE, Apr. 2012, pp.
479–487.
[13] M. Burgess. (2017, Sep.) When a tanker vanishes, all the evidence points to
Russia. WIRED. [Online]. Available:
https://www.wired.co.uk/article/black-sea-ship-hacking-russia
[14] A. Cavaleri, B. Motella, M. Pini, and M. Fantino, “Detection of Spoofed GPS
Signals at Code and Carrier Tracking Level,” in ESA Workshop on Satellite
Navigation Technologies and European Workshop on GNSS Signals and Signal
Processing (NAVITEC ’10). Noordwijk, Netherlands: IEEE, Dec. 2010.
[15] Y. Chen, W. Trappe, and R. P. Martin, “Detecting and Localizing Wireless
Spoofing Attacks,” in Annual IEEE Communications Society Conference on
Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’07). San
Diego, CA, USA: IEEE, Jun. 2007, pp. 193–202.
[16] Committee on the Future of the Global Positioning System; Commission on
Engineering and Technical Systems; National Research Council, The Global
Positioning System: A Shared National Asset - Recommendations for Techni-
cal Improvements and Enhancements. National Academy Press, 1995.
[17] P. Cooper, “Aviation Cybersecurity–Finding Lift, Minimizing Drag,” Atlantic
Council, Tech. Rep., Nov. 2017, underwritten by Thales.
[18] A. Costin and A. Francillon, “Ghost in the Air(Traffic): On insecurity of ADS-
B protocol and practical attacks on ADS-B devices,” Black Hat USA, Tech.
Rep., Jul. 2012.
[19] crescentvenus. (2018) WALB (Wireless Attack Launch Box). GitHub
Repository. [Online]. Available: https://github.com/crescentvenus/WALB
[20] S. Daneshmand, A. Jafarnia-Jahromi, A. Broumandan, and G. Lachapelle, “A
Low-Complexity GPS Anti-Spoofing Method Using a Multi-Antenna Array,”
in International Technical Meeting of The Satellite Division of the Institute of
Navigation (ION GNSS ’12), Nashville, TN, USA, Sep. 2012, pp. 1233–1243.
[21] J. R. Douceur, “The Sybil Attack,” in Revised Papers from the First Inter-
national Workshop on Peer-to-Peer Systems (IPTPS ’01). Cambridge, MA,
USA: Springer, Jan. 2002, pp. 251–260.
[22] R. D. Easton and E. F. Frazier, GPS Declassified: From Smart Bombs to
Smartphones. Potomac Books, 2013.
[23] Ettus Research. USRP B200. [Online]. Available:
https://www.ettus.com/product/details/UB200-KIT
[24] Ettus Research. USRP N210. [Online]. Available:
https://www.ettus.com/product/details/UN210-KIT
[25] Flarm Technology, “System Design and Compatibility,” Tech. Rep., Aug. 2015.
[26] G. S. Gadgets. HackRF One. [Online]. Available:
https://greatscottgadgets.com/hackrf/
[27] G. Gibbons. (2013, Aug.) FCC Fines Operator of GPS Jammer
That Affected Newark Airport GBAS. Inside GNSS. [Online]. Available:
http://www.insidegnss.com/node/3676
[28] Centre Tecnológic de Telecomunicacions de Catalunya (CTTC). GNSS-SDR -
An open source Global Navigation Satellite Systems software-defined receiver.
[Online]. Available: https://gnss-sdr.org
[29] The GNU Radio Foundation. GNU Radio - The Free & Open Software Radio
Ecosystem. [Online]. Available: https://www.gnuradio.org
[30] S. Goff. (2017, Jul.) Reports of Mass GPS Spoofing Attack in the Black
Sea Strengthen Calls for PNT Backup. Inside GNSS. [Online]. Available:
http://www.insidegnss.com/node/5555
[31] D. Goward. (2017, Jul.) Mass GPS Spoofing Attack in Black Sea?
The Maritime Executive. [Online]. Available:
https://www.maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea
[32] A. Greenberg. (2012, Jul.) Next-Gen Air Traffic Control Vulnerable
To Hackers Spoofing Planes Out Of Thin Air. Forbes. [Online]. Available:
https://www.forbes.com/sites/andygreenberg/2012/07/25/next-gen-air-traffic-control-vulnerable-to-hackers-spoofing-planes-out-of-thin-air
[33] C. Günther, “A Survey of Spoofing and Counter-Measures,” NAVIGATION,
Journal of the Institute of Navigation, vol. 61, no. 3, pp. 159–177, Sep. 2014.
[34] Z. Haider and S. Khalid, “Survey on Effective GPS Spoofing Countermea-
sures,” in International Conference on Innovative Computing Technology (IN-
TECH ’16). Dublin, Ireland: IEEE, Aug. 2016, pp. 573–577.
[35] G. W. Hein, F. Kneissl, J.-Á. Ávila-Rodríguez, and S. Wallner, “Authen-
ticating GNSS: Proofs against Spoofs, Part 1,” Inside GNSS, vol. 2, no. 5
(July/August), pp. 58–63, Jul. 2007.
[36] G. W. Hein, F. Kneissl, J.-Á. Ávila-Rodríguez, and S. Wallner, “Authen-
ticating GNSS: Proofs against Spoofs, Part 2,” Inside GNSS, vol. 2, no. 6
(September/October), pp. 71–78, Sep. 2007.
[37] L. Heng, J. J. Makela, A. D. Domínguez-García, R. B. Bobba, W. H. Sanders,
and G. X. Gao, “Reliable GPS-Based Timing for Power Systems: A Multi-
Layered Multi-Receiver Architecture,” in Power and Energy Conference at
Illinois (PECI ’14). Champaign, IL, USA: IEEE, Feb. 2014, pp. 196–202.
[38] S. Henningsen, S. Dietzel, and B. Scheuermann, “Misbehavior Detection in
Industrial Wireless Networks: Challenges and Directions,” Mobile Networks
and Applications, vol. 23, no. 5, pp. 1330–1336, Oct. 2018.
[39] B. Hofmann-Wellenhof, H. Lichtenegger, and J. Collins, Global Positioning
System: Theory and Practice, 5th ed. Springer, 2001.
[40] T. E. Humphreys, “Statement on the Vulnerability of Civil Unmanned Aerial
Vehicles and Other Systems to Civil GPS Spoofing,” University of Texas at
Austin, Tech. Rep., Jul. 2012, Submitted to the Subcommittee on Oversight,
Investigations, and Management of the House Committee on Homeland Secu-
rity.
[41] T. E. Humphreys, “Detection Strategy for Cryptographic GNSS Anti-
Spoofing,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49,
no. 2, pp. 1073–1090, Apr. 2013.
[42] T. E. Humphreys, “Statement on the Security Threat Posed By Unmanned
Aerial Systems and Possible Countermeasures,” University of Texas at Austin,
Tech. Rep., Mar. 2015, Submitted to the Subcommittee on Oversight and
Management Efficiency of the House Committee on Homeland Security.
[43] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M.
Kintner, Jr., “Assessing the Spoofing Threat: Development of a Portable GPS
Civilian Spoofer,” in International Technical Meeting of The Satellite Division
of the Institute of Navigation (ION GNSS ’08), Savannah, GA, USA, Sep.
2008, pp. 2314–2325.
[44] K. Hundman, V. Constantinou, C. Laporte, I. Colwell, and T. Soderstrom,
“Detecting Spacecraft Anomalies Using LSTMs and Nonparametric Dynamic
Thresholding,” in ACM SIGKDD International Conference on Knowledge Dis-
covery and Data Mining (KDD ’18). London, United Kingdom: ACM, Aug.
2018, pp. 387–395.
[45] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle, “GPS
Vulnerability to Spoofing Threats and a Review of Antispoofing Techniques,”
International Journal of Navigation and Observation, vol. 2012, May 2012,
Article ID 127072.
[46] K. Jansen and C. Pöpper, “Opinion: Advancing Attacker Models of Satellite-
based Localization Systems—The Case of Multi-device Attackers,” in ACM
Conference on Security and Privacy in Wireless and Mobile Networks
(WiSec ’17). Boston, MA, USA: ACM, Jul. 2017, pp. 156–159.
[47] K. Jansen, M. Schäfer, V. Lenders, C. Pöpper, and J. Schmitt, “POSTER:
Localization of Spoofing Devices using a Large-scale Air Traffic Surveillance
System,” in ACM Asia Conference on Computer and Communications Secu-
rity (ASIACCS ’17). Abu Dhabi, United Arab Emirates: ACM, Apr. 2017,
pp. 914–916.
[48] K. Jansen, M. Schäfer, D. Moser, V. Lenders, C. Pöpper, and J. Schmitt,
“Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS
Spoofing Attacks,” in IEEE Symposium on Security and Privacy (SP ’18).
San Francisco, CA, USA: IEEE, May 2018, pp. 1018–1031.
[49] K. Jansen, N. O. Tippenhauer, and C. Pöpper, “Multi-Receiver GPS Spoof-
ing Detection: Error Models and Realization,” in Annual Computer Security
Applications Conference (ACSAC ’16). Los Angeles, CA, USA: ACM, Dec.
2016, pp. 237–250.
[50] The Executive Director of the Joint Air Power Competence Centre (JAPCC),
“Strategic Concept of Employment for Unmanned Aircraft Systems in NATO,”
Joint Air Power Competence Centre (JAPCC), Tech. Rep. UAS CONEMP
Report, Jan. 2010.
[51] X. Jiang, J. Zhang, B. J. Harding, J. J. Makela, and A. D. Domínguez-García,
“Spoofing GPS Receiver Clock Offset of Phasor Measurement Units,” IEEE
Transactions on Power Systems, vol. 28, no. 3, pp. 3253–3262, Feb. 2013.
[52] John A. Volpe National Transportation Systems Center, “Vulnerability Assess-
ment of the Transportation Infrastructure Relying on the Global Positioning
System,” United States Department of Transportation, Tech. Rep., Aug. 2001.
[53] M. Jones. (2017, Oct.) Spoofing in the Black Sea: What really happened?
GPS World. [Online]. Available:
http://gpsworld.com/spoofing-in-the-black-sea-what-really-happened/
[54] A. Jovanovic, C. Botteron, and P.-A. Fariné, “Multi-test Detection and Protec-
tion Algorithm Against Spoofing Attacks on GNSS Receivers,” in IEEE/ION
Position, Location and Navigation Symposium (PLANS ’14). Monterey, CA,
USA: IEEE, May 2014, pp. 1258–1271.
[55] O. Jowett. (2016) mlat-server. GitHub Repository. [Online]. Available:
https://github.com/mutability/mlat-server
[56] R. E. Kalman, “A New Approach to Linear Filtering and Prediction Prob-
lems,” Transactions of the ASME–Journal of Basic Engineering, vol. 82, no.
Series D, pp. 35–45, 1960.
[57] A. J. Kerns, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys, “Unmanned
Aircraft Capture and Control Via GPS Spoofing,” Journal of Field Robotics,
vol. 31, no. 4, pp. 617–636, Apr. 2014.
[58] K. Kohls, K. Jansen, D. Rupprecht, T. Holz, and C. Pöpper, “On the Chal-
lenges of Geographical Avoidance for Tor,” in Network and Distributed System
Security Symposium (NDSS ’19). San Diego, CA, USA: Internet Society,
Feb. 2019.
[59] M. G. Kuhn, “An Asymmetric Security Mechanism for Navigation Signals,”
in International Workshop on Information Hiding (IH ’04). Toronto, ON,
Canada: Springer, May 2004, pp. 239–252.
[60] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An In-Line Anti-
Spoofing Device for Legacy Civil GPS Receivers,” in International Technical
Meeting of The Institute of Navigation (ION ’10), San Diego, CA, USA, Jan.
2010, pp. 698–712.
[61] I. Leveson, “GPS Civilian Economic Value to the U.S., Interim Report,” ASRC
Federal Research and Technology Solutions, Inc., Tech. Rep., Aug. 2015,
Prepared for the National Executive Committee for Space-Based Positioning,
Navigation and Timing.
[62] M. Lichtman, J. D. Poston, S. Amuru, C. Shahriar, T. C. Clancy, R. M.
Buehrer, and J. H. Reed, “A Communications Jamming Taxonomy,” IEEE
Security & Privacy, vol. 14, no. 1, pp. 47–54, Feb. 2016.
[63] J. Magiera and R. J. Katulski, “Detection and Mitigation of GPS Spoofing
Based on Antenna Array Processing,” Journal of Applied Research and Tech-
nology, vol. 13, no. 1, pp. 45–57, Feb. 2015.
[64] Maritime Administration, “2017-005A-GPS Interference-Black Sea,” United
States Department of Transportation, Tech. Rep. 2017-005A, Jul. 2017.
[65] “MATLAB and Statistics and Machine Learning Toolbox Release 2018a,” The
MathWorks, Inc., Natick, MA, USA.
[66] D. McCallie, J. Butts, and R. Mills, “Security analysis of the ADS-B imple-
mentation in the next generation air transportation system,” International
Journal of Critical Infrastructure Protection, vol. 4, no. 2, pp. 78–87, Aug.
2011.
[67] J. R. van der Merwe, X. Zubizarreta, I. Lukčin, A. Rügamer, and W. Felber,
“Classification of Spoofing Attack Types,” in European Navigation Conference
(ENC ’18). Gothenburg, Sweden: IEEE, May 2018, pp. 91–99.
[68] P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, “Receiver-
Autonomous Spoofing Detection: Experimental Results of a Multi-antenna
Receiver Defense Against a Portable Civil GPS Spoofer,” in International
Technical Meeting of The Institute of Navigation (ION ’09), Anaheim, CA,
USA, Jan. 2009, pp. 124–130.
[69] D. Moser, P. Leu, V. Lenders, A. Ranganathan, F. Ricciato, and S. Čapkun,
“Investigation of Multi-device Location Spoofing Attacks on Air Traffic Con-
trol and Possible Countermeasures,” in Annual International Conference on
Mobile Computing and Networking (MobiCom ’16). New York, USA: ACM,
Oct. 2016, pp. 375–386.
[70] National Marine Electronics Association, NMEA 0183, The Standard for In-
terfacing Marine Electronics, National Marine Electronics Association Std.,
Rev. Version 4.10, Jun. 2012.
[71] W. H. L. Neven, T. J. Quilter, R. Weedon, and R. A. Hogendoorn, “Wide Area
Multilateration,” National Aerospace Laboratory (NLR), Tech. Rep. NLR-CR-
2004-472, Aug. 2015.
[72] T. Nighswander, B. M. Ledvina, J. Diamond, R. Brumley, and D. Brumley,
“GPS Software Attacks,” in ACM Conference on Computer and Communica-
tions Security (CCS ’12). Raleigh, NC, USA: ACM, Oct. 2012, pp. 450–461.
[73] R. Oliphant. (2016, Oct.) Is Kremlin cyber warfare behind Moscow GPS
quirk sending Uber cars and Pokemon Go players to strange destinations?
The Telegraph. [Online]. Available:
http://www.telegraph.co.uk/news/2016/10/21/is-kremlin-cyber-warfare-behind-moscow-gps-quirk-sending-uber-ca/
[74] The OpenSky Network. Open Air Traffic Data for Research. [Online].
Available: https://opensky-network.org/
[75] J. I. Øren and T. A. Jensen, “Norway Communications Authority Report GPS
Jamming,” National Communications Authority, Tech. Rep., Sep. 2017.
[76] OSQZSS. (2018) Software-Defined GPS Signal Simulator. GitHub Repository.
[Online]. Available: https://github.com/osqzss/gps-sdr-sim
[77] P. Papadimitratos and A. Jovanovic, “GNSS-based Positioning: Attacks
and Countermeasures,” in IEEE Military Communications Conference (MIL-
COM ’08). San Diego, CA, USA: IEEE, Nov. 2008.
[78] P. Papadimitratos and A. Jovanovic, “Protection and Fundamental Vulnera-
bility of GNSS,” in IEEE International Workshop on Satellite and Space Com-
munications (IWSSC ’08). Toulouse, France: IEEE, Oct. 2008, pp. 167–171.
[79] B. W. Parkinson, J. J. Spilker Jr., P. Axelrad, and P. Enge, Global Positioning
System: Theory and Applications. American Institute of Aeronautics and
Astronautics, 1996, vol. I.
[80] A. Perkins, L. Dressel, S. Lo, and P. Enge, “Antenna Characterization for
UAV Based GPS Jammer Detection,” in International Technical Meeting of
The Satellite Division of the Institute of Navigation (ION GNSS+ ’15), Tampa,
FL, USA, Sep. 2015, pp. 1684–1695.
[81] A. Perkins, L. Dressel, S. Lo, T. Reid, K. Gunning, and P. Enge, “Demon-
stration of UAV-Based GPS Jammer Localization During a Live Interference
Exercise,” in International Technical Meeting of The Satellite Division of the
Institute of Navigation (ION GNSS+ ’16), Portland, OR, USA, Sep. 2016, pp.
3094–3106.
[82] K. M. Pesyna, Jr., R. W. Heath, Jr., and T. E. Humphreys, “Centimeter Po-
sitioning with a Smartphone-Quality GNSS Antenna,” in International Tech-
nical Meeting of The Satellite Division of the Institute of Navigation (ION
GNSS+ ’14), Tampa, FL, USA, Sep. 2014, pp. 1568–1577.
[83] J. Petit, M. Feiri, and F. Kargl, “Spoofed Data Detection in VANETs using
Dynamic Thresholds,” in IEEE Vehicular Networking Conference (VNC ’11).
Amsterdam, Netherlands: IEEE, Nov. 2011, pp. 25–32.
[84] C. Pöpper, M. Strasser, and S. Čapkun, “Jamming-resistant Broadcast
Communication without Shared Keys,” in USENIX Security Symposium
(USENIX ’09). Montreal, QC, Canada: USENIX, Aug. 2009, pp. 231–248.
[85] K. Pourvoyeur and R. Heidger, “Secure ADS-B usage in ATC tracking,” in
Tyrrhenian International Workshop on Digital Communications - Enhanced
Surveillance of Aircraft and Vehicles (TIWDC/ESAV ’14). Rome, Italy:
IEEE, Sep. 2014, pp. 35–40.
[86] M. L. Psiaki and T. E. Humphreys, “Attackers can spoof navigation signals
without our knowledge. Here’s how to fight back GPS lies,” IEEE Spectrum,
vol. 53, no. 8, pp. 26–32; 52–53, Aug. 2016.
[87] M. L. Psiaki and T. E. Humphreys, “GNSS Spoofing and Detection,” Proceed-
ings of the IEEE, vol. 104, no. 6, pp. 1258–1270, Jun. 2016.
[88] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, D. P. Shepard, and T. E.
Humphreys, “Civilian GPS Spoofing Detection based on Dual-Receiver Corre-
lation of Military Signals,” in International Technical Meeting of The Satellite
Division of the Institute of Navigation (ION GNSS ’11), Portland, OR, USA,
Sep. 2011, pp. 2619–2645.
[89] M. L. Psiaki, B. W. O’Hanlon, S. P. Powell, J. A. Bhatti, K. D. Wesson, T. E.
Humphreys, and A. Schofield, “GNSS Spoofing Detection using Two-Antenna
Differential Carrier Phase,” in International Technical Meeting of The Satellite
Division of the Institute of Navigation (ION GNSS+ ’14), Tampa, FL, USA,
Sep. 2014, pp. 2776–2800.
[90] M. L. Psiaki, S. P. Powell, and B. W. O’Hanlon, “GNSS Spoofing Detection
Using High-Frequency Antenna Motion and Carrier-Phase Data,” in Interna-
tional Technical Meeting of The Satellite Division of the Institute of Navigation
(ION GNSS+ ’13), Nashville, TN, USA, Sep. 2013, pp. 2949–2991.
[91] L. Purton, H. Abbass, and S. Alam, “Identification of ADS-B System Vulnera-
bilities and Threats,” in Australasian Transport Research Forum (ATRF ’10),
Canberra, Australia, Sep. 2010.
[92] S. Pusep. (2017) nRF905 demodulator/FLARM decoder. GitHub Repository.
[Online]. Available: https://github.com/creaktive/flare
[93] Racelogic. LabSat 3 GPS Simulator. [Online]. Available:
https://www.labsat.co.uk/index.php/en/products/labsat-3
[94] D. S. Radin, “GPS Spoofing Detection Using Multiple Antennas and Individ-
ual Space Vehicle Pseudoranges,” Master’s Thesis, University of Rhode Island,
2015.
[95] D. S. Radin, P. F. Swaszek, K. C. Seals, and R. J. Hartnett, “GNSS Spoof De-
tection Based Upon Pseudoranges from Multiple Receivers,” in International
Technical Meeting of The Institute of Navigation (ION ’15), Dana Point, CA,
USA, Jan. 2015, pp. 657–671.
[96] A. Ranganathan, H. Ólafsdóttir, and S. Čapkun, “SPREE: A Spoofing Resis-
tant GPS Receiver,” in Annual International Conference on Mobile Computing
and Networking (MobiCom ’16). New York, USA: ACM, Oct. 2016, pp. 348–
360.
[97] Raspberry Pi Foundation. Raspberry Pi. [Online]. Available:
https://www.raspberrypi.org
[98] M. Raya, P. Papadimitratos, V. D. Gligor, and J.-P. Hubaux, “On Data-
Centric Trust Establishment in Ephemeral Ad Hoc Networks,” in IEEE Con-
ference on Computer Communications (INFOCOM ’08). Phoenix, AZ, USA:
IEEE, Apr. 2008, pp. 1912–1920.
Bibliography 141
[99] B. A. Renfro, A. Terry, and N. Boeker, “An Analysis of Global Positioning Sys-
tem (GPS) Standard Positioning System (SPS) Performance for 2016,” Space
and Geophysics Laboratory - Applied Research Laboratories - The University
of Texas at Austin, Tech. Rep. TR-SGL-17-06, May 2017.
[100] K. Rothrock. (2016, Oct.) The Kremlin Eats GPS for Breakfast -
Why geolocation in central Moscow has become a real headache. The
Moscow Times. [Online]. Available: https://themoscowtimes.com/articles/
the-kremlin-eats-gps-for-breakfast-55823
[101] RTL-SDR.COM. RTL-SDR (RTL2832U) and software defined radio news
and projects. Also featuring Airspy, HackRF, FCD, SDRplay and more.
[Online]. Available: https://www.rtl-sdr.com
[102] S. Ruj, M. A. Cavenaghi, Z. Huang, A. Nayak, and I. Stojmenovic, “On Data-
Centric Misbehavior Detection in VANETs,” in IEEE Vehicular Technology
Conference (VNC Fall ’11). San Francisco, CA, USA: IEEE, Sep. 2011.
[103] M.-A. Russon. (2015, May) Wondering how to hack a military drone? It’s all
on Google. International Business Times. [Online]. Available: https://www.
ibtimes.co.uk/wondering-how-hack-military-drone-its-all-google-1500326
[104] M. Schäfer, V. Lenders, and I. Martinovic, “Experimental Analysis of Attacks
on Next Generation Air Traffic Communication,” in International Conference
on Applied Cryptography and Network Security (ACNS ’13). Banff, AB,
Canada: Springer, Jun. 2013, pp. 253–271.
[105] M. Schäfer, V. Lenders, and J. Schmitt, “Secure Track Verification,” in IEEE
Symposium on Security and Privacy (SP ’15). San Jose, CA, USA: IEEE,
May 2015, pp. 199–213.
[106] M. Schäfer, P. Leu, V. Lenders, and J. Schmitt, “Secure Motion Verification
using the Doppler Effect,” in ACM Conference on Security and Privacy in
Wireless and Mobile Networks (WiSec ’16). Darmstadt, Germany: ACM,
Jul. 2016, pp. 135–145.
[107] M. Schäfer, M. Strohmeier, V. Lenders, I. Martinovic, and M. Wilhelm,
“Bringing up OpenSky: A Large-scale ADS-B Sensor Network for Research,”
in International Symposium on Information Processing in Sensor Networks
(IPSN ’14). Berlin, Germany: IEEE, Apr. 2014, pp. 83–94.
142 Bibliography
[108] M. Schäfer, M. Strohmeier, M. Smith, M. Fuchs, V. Lenders, M. Liechti, and
I. Martinovic, “OpenSky Report 2017: Mode S and ADS-B Usage of Military
and other State Aircraft,” in IEEE/AIAA Digital Avionics Systems Conference
(DASC ’17). St. Petersburg, FL, USA: IEEE, Sep. 2017.
[109] M. Schäfer, M. Strohmeier, M. Smith, M. Fuchs, V. Lenders, and I. Marti-
novic, “OpenSky Report 2018: Assessing the Integrity of Crowdsourced Mode
S and ADS-B Data,” in IEEE/AIAA Digital Avionics Systems Conference
(DASC ’18). London, United Kingdom: IEEE, Sep. 2018.
[110] M. Schäfer, M. Strohmeier, M. Smith, M. Fuchs, R. Pinheiro, V. Lenders,
and I. Martinovic, “OpenSky Report 2016: Facts and Figures on SSR Mode
S and ADS-B Usage,” in IEEE/AIAA Digital Avionics Systems Conference
(DASC ’16). Sacramento, CA, USA: IEEE, Sep. 2016.
[111] D. Schmidt, K. Radke, S. Camtepe, E. Foo, and M. Ren, “A Survey and Anal-
ysis of the GNSS Spoofing Threat and Countermeasures,” ACM Computing
Surveys, vol. 48, no. 4, May 2016.
[112] L. Scott, “Anti-Spoofing & Authenticated Signal Architectures for Civil Nav-
igation Systems,” in International Technical Meeting of The Satellite Division
of the Institute of Navigation (ION GPS/GNSS ’03), Portland, OR, USA,
Sep. 2003, pp. 1543–1552.
[113] C. Sebastian. (2016, Dec.) Getting lost near the Kremlin? Russia could
be ’GPS spoofing’. CNNMoney. [Online]. Available: http://money.cnn.com/
2016/12/02/technology/kremlin-gps-signals/index.html
[114] G. Seeber, Satellite Geodesy: Foundations, Methods, and Applications, 2nd ed.
de Gruyter, 2003.
[115] S.-H. Seo, B.-H. Lee, S.-H. Im, and G.-I. Jee, “Effect of Spoofing on Unmanned
Aerial Vehicle using Counterfeited GPS Signal,” Journal of Positioning, Nav-
igation, and Timing, vol. 4, no. 2, pp. 57–65, Jun. 2015.
[116] D. P. Shepard, T. E. Humphreys, and A. A. Fansler, “Evaluation of the Vul-
nerability of Phasor Measurement Units to GPS Spoofing Attacks,” in Annual
IFIP WG 11.10 International Conference on Critical Infrastructure Protection
(ICCIP ’12), Washington, D.C., USA, Mar. 2012.
[117] D. Steinmetzer, M. Schulz, and M. Hollick, “Lockpicking Physical Layer Key
Exchange: Weak Adversary Models Invite the Thief,” in ACM Conference on
Bibliography 143
Security and Privacy in Wireless and Mobile Networks (WiSec ’15). New
York City, USA: ACM, Jun. 2015.
[118] M. Strohmeier, V. Lenders, and I. Martinovic, “On the Security of the Au-
tomatic Dependent Surveillance-Broadcast Protocol,” IEEE Communications
Surveys & Tutorials, vol. 17, no. 2, pp. 1066–1087, Oct. 2014.
[119] M. Strohmeier, V. Lenders, and I. Martinovic, “Lightweight Location Verifi-
cation in Air Traffic Surveillance Networks,” in ACM Cyber-Physical System
Security Workshop (CPSS ’15). Singapore, Republic of Singapore: ACM,
Apr. 2015, pp. 49–60.
[120] M. Strohmeier, M. Schäfer, M. Fuchs, V. Lenders, and I. Martinovic, “Open-
Sky: A Swiss Army Knife for Air Traffic Security Research,” in IEEE/AIAA
Digital Avionics Systems Conference (DASC ’15). Prague, Czech Republic:
IEEE, Sep. 2015.
[121] M. Strohmeier, M. Schäfer, V. Lenders, and I. Martinovic, “Realities and
Challenges of NextGen Air Traffic Management: The Case of ADS-B,” IEEE
Communications Magazine, vol. 52, no. 5, pp. 111–118, May 2014.
[122] M. Strohmeier, M. Schäfer, R. Pinheiro, V. Lenders, and I. Martinovic, “On
Perception and Reality in Wireless Air Traffic Communication Security,” IEEE
Transactions on Intelligent Transportation Systems, vol. 18, no. 6, pp. 1338–
1357, Jun. 2017.
[123] M. Strohmeier, M. Smith, M. Schäfer, V. Lenders, and I. Martinovic, “Crowd-
sourcing Security for Wireless Air Traffic Communications,” in International
Conference on Cyber Conflict (CyCon ’17). Tallinn, Estonia: IEEE, May
2017.
[124] M. Sun, M. Li, and R. Gerdes, “A Data Trust Framework for VANETs En-
abling False Data Detection and Secure Vehicle Tracking,” in IEEE Conference
on Communications and Network Security (CNS ’17). Las Vegas, NV, USA:
IEEE, Oct. 2017.
[125] P. F. Swaszek and R. J. Hartnett, “Spoof Detection Using Multiple COTS
Receivers in Safety Critical Applications,” in International Technical Meeting
of The Satellite Division of the Institute of Navigation (ION GNSS+ ’13),
Nashville, TN, USA, Sep. 2013, pp. 2921–2930.
144 Bibliography
[126] P. F. Swaszek and R. J. Hartnett, “A Multiple COTS Receiver GNSS Spoof
Detector – Extensions,” in International Technical Meeting of The Institute of
Navigation (ION ’14), San Diego, CA, USA, Jan. 2014, pp. 316–326.
[127] P. F. Swaszek, R. J. Hartnett, M. V. Kempe, and G. W. Johnson, “Analysis
of a Simple, Multi-Receiver GPS Spoof Detector,” in International Technical
Meeting of The Institute of Navigation (ION ’13), San Diego, CA, USA, Jan.
2013, pp. 884–892.
[128] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Čapkun, “On the
Requirements for Successful GPS Spoofing Attacks,” in ACM Conference on
Computer and Communications Security (CCS ’11). Chicago, IL, USA: ACM,
Oct. 2011, pp. 75–86.
[129] J. B.-Y. Tsui, Fundamentals of Global Positioning System Receivers: A Soft-
ware Approach, 2nd ed. John Wiley & Sons, 2005.
[130] United States Department of Defense, Global Positioning System Standard
Positioning Service Performance Standard, United States Government Std.,
Rev. 4th Edition, Sep. 2008.
[131] United States Department of Homeland Security. Critical Infrastructure Sec-
tors. [Online]. Available: https://www.dhs.gov/cisa/critical-infrastructure-
sectors
[132] United States Department of Transportation, Automatic Dependent
Surveillance-Broadcast (ADS-B) Out Performance Requirements To Support
Air Traffic Control (ATC) Service; Final Rule, Federal Aviation Administra-
tion, May 2010.
[133] United States Department of Transportation, Air Traffic Control - JO
7110.65X, Federal Aviation Administration, Sep. 2017.
[134] J. Wang, Z. Liu, S. Zhang, and X. Zhang, “Defending collaborative false data
injection attacks in wireless sensor networks,” Information Sciences, vol. 254,
pp. 39–53, Jan. 2014.
[135] J. S. Warner and R. G. Johnston, “A Simple Demonstration that the Global
Positioning System (GPS) is Vulnerable to Spoofing,” The Journal of Security
Administration, vol. 25, no. 2, pp. 19–28, 2002.
[136] J. S. Warner and R. G. Johnston, “GPS Spoofing Countermeasures,” Home-
land Security Journal, Dec. 2003.
Bibliography 145
[137] H. Weihrich, “The TOWS Matrix—A Tool for Situational Analysis,” Long
Range Planning, vol. 15, no. 2, pp. 54–66, Apr. 1982.
[138] H. Wen, P. Y.-R. Huang, J. Dyer, A. Archinal, and J. Fagan, “Countermea-
sures for GPS Signal Spoofing,” in International Technical Meeting of The
Satellite Division of the Institute of Navigation (ION GNSS ’05), Long Beach,
CA, USA, Sep. 2005, pp. 1285–1290.
[139] K. D. Wesson, T. E. Humphreys, and B. L. Evans, “Can Cryptography Secure
Next Generation Air Traffic Surveillance?” The University of Texas at Austin,
Tech. Rep., Mar. 2014.
[140] K. D. Wesson, M. Rothlisberger, and T. E. Humphreys, “Practical Cryp-
tographic Civil GPS Signal Authentication,” NAVIGATION, Journal of the
Institute of Navigation, vol. 59, no. 3, pp. 177–193, Sep. 2012.
[141] K. D. Wesson, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys, “An Evalu-
ation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing,” in Interna-
tional Technical Meeting of The Satellite Division of the Institute of Navigation
(ION GNSS ’11), Portland, OR, USA, Sep. 2011, pp. 2646–2656.
[142] J. Yang, Y. Chen, and W. Trappe, “Detecting Spoofing Attacks in Mobile
Wireless Environments,” in Annual IEEE Communications Society Conference
on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09).
Rome, Italy: IEEE, Jun. 2009, pp. 189–197.
[143] J. Yang, Y. Chen, W. Trappe, and J. Cheng, “Detection and Localization
of Multiple Spoofing Attackers in Wireless Networks,” IEEE Transactions on
Parallel and Distributed Systems, vol. 24, no. 1, pp. 44–58, Apr. 2013.
[144] D.-Y. Yu, A. Ranganathan, T. Locher, S. Čapkun, and D. Basin, “Short Paper:
Detection of GPS Spoofing Attacks in Power Grids,” in ACM Conference on
Security and Privacy in Wireless and Mobile Networks (WiSec ’14). Oxford,
United Kingdom: ACM, Jul. 2014, pp. 99–104.
[145] K. C. Zeng, S. Liu, Y. Shu, D. Wang, H. Li, Y. Dou, G. Wang, and Y. Yang,
“All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road
Navigation Systems,” in USENIX Security Symposium (USENIX ’18). Bal-
timore, MD, USA: USENIX, Aug. 2018, pp. 1527–1544.