Detection and localization of attacks on satellite-based ...

Detection and Localization of

Attacks on Satellite-Based

Navigation Systems

Dissertation

zur Erlangung des Grades eines Doktor-Ingenieurs

der Fakultät für Elektrotechnik und Informationstechnik

an der Ruhr-Universität Bochum

vorgelegt von

Kai Jansen

geboren in Iserlohn

Bochum, Dezember 2018

ii

Dissertation eingereicht am: 11. Dezember 2018

Tag der mündlichen Prüfung: 6. März 2019

Gutachter:

Prof. Dr. Aydin Sezgin, Ruhr-Universität Bochum

Zweitgutachterin:

Prof. Dr. Christina Pöpper, New York University Abu Dhabi

Drittgutachter:

Prof. Dr. Ivan Martinovic, University of Oxford

Abstract

The worldwide coverage of satellite-based navigation systems, such as the Global

Positioning System (GPS), facilitates self-localization and time synchronization in

outdoor environments. Location and time awareness are integral components of a

wide field of applications including, but not limited to, emergency localization, au-

tonomous vehicles, and aviation. However, the strong dependence on the integrity of

GPS makes systems susceptible to signal outage, or even more severe, to deliberate

manipulation. The latter is referred to as spoofing attacks, a powerful attack class

against GPS-dependent systems and challenging to protect against. In addition, the

tools available to attackers get increasingly more sophisticated and affordable. As a

consequence, we perceive a discrepancy between how critical systems are protected

and the feasibility of attacks.

In order to overcome this discrepancy, we propose countermeasures to harden

GPS-dependent systems against spoofing attacks. Moreover, our targeted domains,

in particular aviation, impose strict requirements on possible modifications to avoid

prolonged (re)certification processes. We address demanding real-world require-

ments and design lightweight countermeasures that can be realized with commercial

hardware or can even be implemented with the already existing infrastructure. For

instance, we develop effective mechanisms for the detection of GPS spoofing attacks.

Further, we tackle the challenge of spoofer localization and propose Crowd-GPS-Sec

as a system for pinpointing an attacker via Automatic Dependent Surveillance-

Broadcast (ADS-B) aircraft messages. Furthermore, we design a verification scheme

based on wireless witnessing to assess the trustworthiness of ADS-B aircraft reports.

In conclusion, we evaluate and implement different security solutions for the de-

tection and localization of attacks on satellite-based navigation systems. We theo-

retically analyze the viability of our proposals and develop prototypes demonstrating

their effectiveness. These solutions can be implemented today to improve the secu-

rity of GPS-dependent systems immediately.

iii

Kurzfassung

Die weltweite Abdeckung durch satellitengestützte Navigationssysteme, wie bei-

spielsweise das Global Positioning System (GPS), ermöglicht die Lokalisierung und

zeitliche Synchronisation. Orts- und Zeitbewusstsein sind wesentliche Bestandteile

vieler Anwendungsbereiche, einschließlich Katastrophenschutz, autonomes Fahren

und Luftfahrt. Die starke Abhängigkeit von GPS macht solche Anwendungen anfäl-

lig für Signalausfälle oder für eine vorsätzliche Manipulation. Letzteres beinhaltet

sogenannte Spoofing-Angriffe, eine mächtige Angriffsklasse gegen GPS-abhängige

Systeme, gegen die man sich nur schwer schützen kann. Darüber hinaus werden die

für Angreifer verfügbaren Werkzeuge immer erschwinglicher und bieten mehr Funk-

tionalität. Als Konsequenz sehen wir eine Diskrepanz zwischen den vorhandenen

Schutzmaßnahmen kritischer Systeme und der Durchführbarkeit von Angriffen.

Um diese Diskrepanz zu überwinden, stellen wir Gegenmaßnahmen vor, um GPS-

abhängige Systeme gegen Spoofing-Angriffe besser abzusichern. Dabei sind die stren-

gen Anforderungen der relevanten Anwendungsbereiche, insbesondere der Luftfahrt,

zu beachten, um längere (Re-)Zertifizierungsprozesse zu verhindern. Wir erfüllen die

gegebenen Anforderungen, indem wir unsere Gegenmaßnahmen auf eine Realisier-

barkeit mit kommerzieller Hardware oder der bereits vorhandenen Infrastruktur be-

schränken. Wir entwickeln beispielsweise effektive Gegenmaßnahmen zur Erkennung

von Spoofing Angriffen. Darüber hinaus gehen wir auf das Problem der Spoofer Loka-

lisierung ein und stellen Crowd-GPS-Sec als ein System zur Eingrenzung möglicher

Angreiferpositionen durch Automatic Dependent Surveillance-Broadcast (ADS-B)

vor. Weiterhin entwerfen wir ein Verifikationsschema basierend auf „Wireless Wit-

nessing“, um die Glaubwürdigkeit von ADS-B Flugzeugnachrichten zu verifizieren.

Zusammenfassend evaluieren und implementieren wir unterschiedliche Sicherheits-

lösungen zur Detektion und Lokalisierung von Angriffen auf satellitengestützte Na-

vigationssysteme. Wir analysieren die theoretische Realisierbarkeit unserer Ansätze

und entwickeln Prototypen, die deren Wirksamkeit demonstrieren. Die von uns vor-

gestellten Lösungsansätze können zeitnah implementiert werden, um die Sicherheit

von GPS-abhängigen Systemen zu verbessern.

v

Acknowledgements

First of all, I want to thank my supervisor Prof. Christina Pöpper for her encour-

aging support and helpful advice. She created a unique working environment both

comfortable and efficient. Furthermore, I wish to thank her for helping to establish

connections to other researchers resulting in many fruitful exchanges of ideas.

Moreover, I am grateful to my co-examiners Prof. Aydin Sezgin and Prof. Ivan Mar-

tinovic for devoting their time to review and evaluate my dissertation thesis. In

particular, I thank Prof. Ivan Martinovic for making it possible to have experienced

a memorable research visit at the University of Oxford.

I also give special thanks to my co-authors and collaborators Dr. Nils Ole Tippen-

hauer, Dr. Vincent Lenders, Dr. Matthias Schäfer, Prof. Jens Schmitt, and Dr. Mar-

tin Strohmeier for their valuable contribution to my research providing new insights

and perspectives.

Most of all, I want to thank my longtime colleagues with whom I had the opportu-

nity to spend so many precious days: Max “Maxi” Golla for the strive for the perfect

bibliography style; Lea “Lea” Schönherr for sound assistance on machine learning

techniques; Theodor “Theo” Schnitzler for pointing out the right moments to take

working holidays; Florian “Fabi” Farke for ways to approach CEOs of major com-

panies; Philipp “Freddy” Markert for how to exploit reimbursements for survey par-

ticipation at large-scale; Nicolai “Nico” Wilkop for advice on the next professional

gaming career; Jan “Janni” Wiele for raising the coffee standards; David “Dave”

Rupprecht for handling all the complicated wireless stuff; and especially Katharina

“Katha” Kohls for Choosing to spread her enthusiasm and for sharing a Gallery of

memories. This awesome group makes it so hard to leave.

Last but not least, I want to thank my parents Heike and Jonathan Jansen for their

love and endless support which provided the foundation for a successful dissertation.

vii

Contents

1 Introduction 1

1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Challenges in Satellite-Based Navigation Systems . . . . . . . . . . . 3

1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.4 List of Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.5 Overview and Structure . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Preliminaries 9

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.2 Global Navigation Satellite Systems . . . . . . . . . . . . . . . . . . . 10

2.3 Aircraft Broadcast Signals . . . . . . . . . . . . . . . . . . . . . . . . 15

3 Attacks on Satellite-Based Navigation Systems 17

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.2 Attack Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.3 Advancing Attacker Models . . . . . . . . . . . . . . . . . . . . . . . 19

3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Multi-Receiver GPS Spoofing Detection 27

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.4 Attacker Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.5 Theoretical Multi-Receiver Spoofing Detection . . . . . . . . . . . . . 35

4.6 Experimental Evaluation of Authentic Signals . . . . . . . . . . . . . 41

4.7 Experimental Evaluation of Spoofed Signals . . . . . . . . . . . . . . 46

4.8 Simulation of the Countermeasure . . . . . . . . . . . . . . . . . . . . 49

4.9 Prototype Implementation . . . . . . . . . . . . . . . . . . . . . . . . 53

4.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

5 Crowdsourced GPS Spoofing Detection and Spoofer Localization 59

5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

5.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

5.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

5.4 Attacker Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

ix

x Contents

5.5 Crowd-GPS-Sec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

5.6 Multilateration (MLAT) . . . . . . . . . . . . . . . . . . . . . . . . . 72

5.7 GPS Spoofing Detection . . . . . . . . . . . . . . . . . . . . . . . . . 73

5.8 GPS Spoofer Localization . . . . . . . . . . . . . . . . . . . . . . . . 76

5.9 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

5.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

5.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

6 Trust Establishment for Aircraft Broadcast Signals 91

6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

6.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

6.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

6.4 Attacker Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

6.5 Design of an ADS-B Trust System . . . . . . . . . . . . . . . . . . . . 100

6.6 ADS-B Message Trust . . . . . . . . . . . . . . . . . . . . . . . . . . 101

6.7 Attack Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

6.8 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

6.9 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

6.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

6.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

7 Conclusion 119

7.1 Key Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

7.2 Directions for Future Work . . . . . . . . . . . . . . . . . . . . . . . . 121

7.3 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

List of Figures 126

List of Tables 127

List of Abbreviations 129

Bibliography 131

There are times when you run a marathon and you

wonder, Why am I doing this? But you take a drink

of water, and around the next bend, you get your

wind back, remember the finish line, and keep going.

— Steve Jobs

1Introduction

Contents

1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Challenges in Satellite-Based Navigation Systems . . . 3

1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . 4

1.4 List of Publications . . . . . . . . . . . . . . . . . . . . . 6

1.5 Overview and Structure . . . . . . . . . . . . . . . . . . 7

1

2 Chapter 1 Introduction

1.1 Motivation

In modern times, accurate positioning information and precise time synchroniza-

tion are essential for a myriad of applications to provide users with their designated

services. Global Navigation Satellite Systems (GNSSs), such as the Global Posi-

tioning System (GPS) or the Global Navigation Satellite System (GLONASS), are

today’s means of localization in outdoor environments. In particular, GPS has

become the de facto positioning standard when the U.S. government discontinued

Selective Availability (SA)—an intentional degradation of public GPS signals—on

May 2, 2000.

Since then, GPS has found its place in various, more sophisticated devices such as

navigation units, mobile phones, activity trackers, industrial control systems, trading

platforms, agricultural machinery, cars, trains, ships, and aircraft as a ubiquitous

source of location and time information. Furthermore, with the growing popularity

of drones and other Unmanned Aerial Vehicles (UAVs), GPS is expected to maintain

a pervasive role in the near future making it an integral component of personal

applications as well as critical infrastructure. With virtually global coverage via

broadcast transmissions, GPS can provide its service to users all around the world.

Since the awareness of position and time is often an essential requirement to provide

additional functionality, the implementing systems highly depend on the viability

and integrity of the processed information. For instance, next-generation air traffic

monitoring systems mandate the embedding of GPS information into Automatic

Dependent Surveillance-Broadcast (ADS-B) aircraft reports. As a consequence, the

strong reliance on satellite-based navigation systems renders them a worthwhile

target for malicious actors.

The open nature of civilian GPS signals and low complexity makes them vul-

nerable to a wide range of attacks. While jamming attacks aim at disrupting the

communication by overshadowing the signals to prevent any useful decoding, spoof-

ing attacks, on the other hand, are geared towards injecting false positioning or

timing information into the system’s processing logic. Spoofing attacks exploit the

fact that non-military applications use public, unprotected GPS signals, which lack

basic security properties and are neither encrypted nor authenticated.

While in the past the requirements to successfully emulate realistic GPS signals

were considered too challenging, in the last couple of years a shift in attacker ca-

pabilities can be perceived. Recent advancements in both hardware and software

tools have facilitated the deployment of effective attack setups. As a result, the fre-

quency of reported GPS jamming and spoofing incidents has increased. Prominent

examples include the hijacking of a CIA stealth drone (RQ-170) allegedly via GPS

1.2 Challenges in Satellite-Based Navigation Systems 3

spoofing [103] in 2011, unintentional jamming close to Newark Airport [27] in 2012,

devices displaying false positions around the Moscow Kremlin [73,100,113] in 2016,

GPS jamming signals targeted at Norwegian airspace [75], and a mass GPS spoof-

ing attack in the Black Sea [13, 30, 31, 53, 64], both in 2017. Besides these publicly

known events, GPS also serves military purposes and is considered a mission-critical

national asset [16]. Its control and potential manipulation is likewise a matter of

military concern.

In response to these threats, the development of practical security solutions has

gained increasing attention—which has long been neglected. While proposals for a

wide range of countermeasures against jamming as well as spoofing attacks exist in

the wild, their implementations often lag in time, if ever considered. As a conse-

quence, attackers are progressively favored against the present protection systems.

This fact further intensifies the need for operational solutions that are ready to be

implemented today.

This thesis pursues the goal of designing and implementing secure positioning

solutions to harden satellite-based navigation systems against location spoofing at-

tacks. The results and findings specifically contribute to the demand for practical

solutions to counteract the current threat situation.

1.2 Challenges in Satellite-Based Navigation

Systems

While satellite-based navigation systems have been developed to mainly serve mili-

tary purposes with built-in security features designed to withstand powerful nation-

state attackers, the civilian counterpart is commonly left unprotected. With the

lack of suitable hardware and software tools to emulate satellite signals, the system

had been implicitly protected. However, technical advancements and the widespread

availability of Software Defined Radios (SDRs) created new security challenges.

The rigid composition of visible satellites, receiver implementations on the ground,

as well as the protocol specifications, is characterized by very long development

cycles. With the receiver design being the most flexible out of these three, it is the

primary focus of security research. Accepting that satellite and protocol specifics

will not change in the near future, new security proposals need to be lightweight in

the sense that the currently deployed infrastructure remains unaltered. Hence, the

overall challenge is retrofitting security into systems/protocols that were initially

developed based on attacker models that are considered obsolete today.


Multi-Receiver GPS

Spoofing Detection

Crowdsourced GPS

Spoofing Detection and

Spoofer Localization

Crowdsourced

Verification of ADS-B

Aircraft Reports

Satellites

Aircraft

Receivers

Figure 1.1: A schematic overview of the three main technical contributions accordingto the involved segments.

Moreover, safety-critical domains such as the transportation sector—in particular

aviation—are further conditioned to meet legal obligations and to undergo lengthy

certification procedures. The implementation of new components or any modifica-

tion of existing hardware would trigger the whole certification process anew. This

work acknowledges these requirements by designing security solutions restricted to

non-specialized Commercial Off-the-Shelf (COTS) hardware and logically separated

non-invasive functionality. This effort minimizes interference with production sys-

tems, and hence eases certification processes.

1.3 Contributions

In this dissertation, we make the following four contributions with respect to attacks

on satellite-based navigation systems: (i) We investigate how technical advance-

ments have impacted the validity of attacker models, (ii) we analyze and implement

a GPS spoofing detection system using multiple COTS receivers, (iii) we present

Crowd-GPS-Sec to detect and localize GPS spoofing attacks, and (iv) we propose a

verification scheme for ADS-B aircraft reports. Figure 1.1 depicts the scopes of the

three main technical contributions (ii - iv) and puts them into relation.

1.3 Contributions 5

(i) Technical Advancements and Validity of Attacker Models

The progressive technical advancements of adversaries led to the observation that

the currently prevalent attacker models need to be considered outdated. The results

have been presented at the 10th ACM Conference on Security and Privacy in Wire-

less and Mobile Networks (WiSec ’17) in Opinion: Advancing Attacker Models

of Satellite-based Localization Systems—The Case of Multi-device At-

tackers. The paper further approaches the deployment of multi-antenna attacks.

(ii) Multi-Receiver GPS Spoofing Detection

Based on the insight that today’s security solutions must resist more advanced at-

tackers, we developed a multi-receiver GPS spoofing detection scheme. We elab-

orate on the underlying error models and propose possible realizations in Multi-

Receiver GPS Spoofing Detection: Error Models and Realization pub-

lished in 32nd Annual Computer Security Applications Conference (ACSAC ’16).

Moreover, the countermeasure can be proven secure against multi-antenna attacks.

(iii) Crowdsourced GPS Spoofing Detection and Spoofer Localization

Going one step further, we tackle the problem of localizing the signal source when

successfully detecting ongoing spoofing attacks. We propose Crowd-GPS-Sec as a

scheme to detect spoofing attacks and localize spoofers by utilizing GPS-inferred

ADS-B aircraft reports. The system has been presented at the 39th IEEE Sympo-

sium on Security and Privacy (SP ’18) in Crowd-GPS-Sec: Leveraging Crowd-

sourcing to Detect and Localize GPS Spoofing Attacks. The evaluations are

based on real-world flight data provided by the OpenSky Network, and the system

could be implemented today without modifications on the existing infrastructure.

The paper received the 1st Place Cyber Award 2017 for outstanding research con-

tribution from armasuisse.

(iv) Crowdsourced Verification of ADS-B Aircraft Reports

Similar to the need for lightweight countermeasures to harden GNSS-dependent

systems, air traffic surveillance based on ADS-B has been proven vulnerable to

spoofing attacks and also puts strong requirements on security solutions. We design

a verification scheme to assess the trustworthiness of sensed ADS-B reports. We

present our results in Trust the Crowd: Wireless Witnessing for Attack

Detection in ADS-B Based Air Traffic Surveillance which is currently under

review as of writing of this dissertation.


1.4 List of Publications

The following list contains peer-reviewed publications on which this thesis is based

on. The list is in descending chronological order:

1. K. Kohls, K. Jansen, D. Rupprecht, T. Holz, and C. Pöpper, “On the Chal-

lenges of Geographical Avoidance for Tor,” in Network and Distributed System

Security Symposium (NDSS ’19). San Diego, CA, USA: Internet Society,

Feb. 2019.

2. K. Jansen, M. Schäfer, D. Moser, V. Lenders, C. Pöpper, and J. Schmitt,

“Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS

Spoofing Attacks,” in IEEE Symposium on Security and Privacy (SP ’18).

San Francisco, CA, USA: IEEE, May 2018, pp. 1018–1031.

3. K. Jansen and C. Pöpper, “Opinion: Advancing Attacker Models of Satellite-

based Localization Systems—The Case of Multi-device Attackers,” in ACM

Conference on Security and Privacy in Wireless and Mobile Networks

(WiSec ’17). Boston, MA, USA: ACM, Jul. 2017, pp. 156–159.

4. K. Jansen, M. Schäfer, V. Lenders, C. Pöpper, and J. Schmitt, “POSTER:

Localization of Spoofing Devices using a Large-scale Air Traffic Surveillance

System,” in ACM Asia Conference on Computer and Communications Secu-

rity (ASIACCS ’17). Abu Dhabi, United Arab Emirates: ACM, Apr. 2017,

pp. 914–916.

5. K. Jansen, N. O. Tippenhauer, and C. Pöpper, “Multi-Receiver GPS Spoofing

Detection: Error Models and Realization,” in Annual Computer Security Ap-

plications Conference (ACSAC ’16). Los Angeles, CA, USA: ACM, Dec. 2016,

pp. 237–250.

6. D. Rupprecht, K. Jansen, and C. Pöpper, “Putting LTE Security Func-

tions to the Test: A Framework to Evaluate Implementation Correctness,”

in USENIX Workshop on Offensive Technologies (WOOT ’16). Austin, TX,

USA: USENIX, Aug. 2016.

7. K. Jansen, “GPS Security,” in 10th Joint Workshop of the German Research

Training Groups in Computer Science. Dagstuhl, Germany: Universitätsver-

lag Chemnitz, May 2016, p. 105.

1.5 Overview and Structure 7

Additionally, the following works are in submission or already under review:

8. K. Jansen, W. Seymour, C. Pöpper, and I. Martinovic, “Trust the Crowd:

Wireless Witnessing for Attack Detection in ADS-B Based Air Traffic Surveil-

lance,” under review.

9. K. Jansen, D. Rupprecht, D. Yu, and C. Pöpper, “This is my Jam! DSSS

Jamming with Partially Disclosed Knowledge,” in submission.

1.5 Overview and Structure

The remainder of this dissertation is structured as follows:

• Chapter 2 provides the technical background on GNSSs with a focus on

how receivers calculate their positions while simultaneously processing multi-

ple satellite signals. Moreover, we introduce the basics of aircraft broadcast

signals.

• Chapter 3 investigates attacks on satellite-based navigation systems. In par-

ticular, we scrutinize prevalent attacker models and expose them to be insuf-

ficient in consideration of recent advancements both in hardware and software

tools.

• Chapter 4 proposes a GPS spoofing detection system using multiple receivers.

We demonstrate how a deployment of four standard receivers in a predefined

formation reliably distinguishes between normal operation and spoofing at-

tacks, even in the presence of powerful multi-antenna attackers.

• Chapter 5 explores means of detecting and localizing GPS spoofing attacks

only utilizing aircraft broadcasts containing attacker-influenced information.

Further, we implement an independent aircraft localization scheme, two dif-

ferent spoofing detection tests, and a spoofer localization estimation based on

data collected by a distributed sensor network.

• Chapter 6 addresses the lack of means for trust assessment of ADS-B aircraft

reports. We propose a verification scheme based on geographically distributed

sensors and Machine Learning (ML) techniques. In addition, we show that we

can also distinguish between several prominent attack vectors.

• Chapter 7 concludes this dissertation by summarizing key results and pro-

viding directions for future work.

Any sufficiently advanced technology is indistin-

guishable from magic.

— Arthur C. Clarke

2Preliminaries

Contents

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.2 Global Navigation Satellite Systems . . . . . . . . . . . 10

2.2.1 GPS Signal Transmission . . . . . . . . . . . . . . . . 10

2.2.2 GPS Signal Reception . . . . . . . . . . . . . . . . . . 11

2.2.3 GPS Positioning and Time Solution . . . . . . . . . . . 12

2.2.4 GPS Error Sources . . . . . . . . . . . . . . . . . . . 13

2.2.5 Application Areas . . . . . . . . . . . . . . . . . . . . 14

2.3 Aircraft Broadcast Signals . . . . . . . . . . . . . . . . . 15

9

10 Chapter 2 Preliminaries

2.1 Introduction

In order to make the technical contributions of this dissertation more comprehensi-

ble, we introduce the necessary background on the functionality of Global Navigation

Satellite Systems (GNSSs). We detail on signal acquisition, measurement of observ-

ables, and how one’s position is estimated. Further, we provide a breakdown of the

error sources with regard to localization accuracy and mention typical application

areas. Subsequently, we give a basic overview of air traffic communication.

2.2 Global Navigation Satellite Systems

The launch of Sputnik characterized the start of the Space Age in late 1957. This

event triggered the promotion of space technology including space exploration and

satellite technology. In the following years, the idea of tracking satellites based on

distance measurements with receivers on Earth became conceivable [22]. Initially ex-

pedited by military interests for strategic reconnaissance and secure communication,

the first Navigation System with Timing and Ranging (NAVSTAR) test satellites

were launched in 1974. The system that is known as the Global Positioning System

(GPS) reached a fully operational status with a total of 24 satellites orbiting the

Earth in 1993.

The breakthrough and commercial success of GPS started with the shutdown of

Selective Availability (SA) on May 2, 2000. Once implemented to degrade the service

for military adversaries, its discontinuation improved the achievable localization

accuracy to a few meters [130]. Apart from GPS operated by the United States,

the Russian Global Navigation Satellite System (GLONASS), the European Galileo,

and the Chinese Beidou are considerable satellite-based navigation systems providing

worldwide service. In the remainder of this dissertation, we specifically refer to GPS

as the most prominent instance. However, the developed solutions can likewise be

applied to other GNSSs.

2.2.1 GPS Signal Transmission

GPS provides two different types of signals: (i) public signals that can be received by

everyone with suitable equipment, and (ii) military signals protected by (at least)

secret spreading codes. While we consider civilian signals throughout this work,

the acquired results may also be adapted to other signals. In the original design,

civilian GPS signals use the L1 frequency band operated at 1575.42MHz, and the

military signals are additionally transmitted on the L2 frequency band operated

2.2 Global Navigation Satellite Systems 11

S1

S2 S

3S4

Receiver

Figure 2.1: Multiple satellites located in medium Earth orbit broadcast GPS signalswhich in turn are processed by ground-based receivers.

at 1227.60MHz. Since several satellites share the same frequency band, they use

different ranging codes identified by a unique Pseudorandom Noise (PRN) number

to apply Code Division Multiple Access (CDMA). These codes are referred to as

Coarse/Acquisition (C/A) codes and are highly orthogonal to each other.

In addition, civilian GPS signals carry a low bit rate navigation message. This

message contains, among other data, information on satellite clock correction pa-

rameters, the ephemeris data representing a satellite’s position in space, ionospheric

model parameters for error correction, and almanac data mapping the constellation

of all satellites. The navigation message and the C/A code is modulated on the

L1 carrier signal. As a result, each satellite broadcasts a different signal depending

on its PRN code. The transmission is directed at the Earth, and the signals travel

an approximate distance of 20,200 km from medium Earth orbit to the Earth’s sur-

face, where they arrive with very low signal power below the noise level. Figure 2.1

depicts the general situation.

2.2.2 GPS Signal Reception

On the receiver side, a GPS antenna receives all satellite signals as a superimposed

signal that needs to be amplified to raise the signal power above the noise level and

filtered to suppress other frequencies components. When demodulated, each satellite

signal must be acquired separately. Signal acquisition is the step of identifying the

signal in the mix. In particular, the acquisition is a two-dimensional search in the

code-phase to align with the C/A code chips and the frequency space to detect


frequency variations due to the Doppler effect. To this end, the receiver creates

multiple local replicas of the signal and correlates them against the received signal.

A high correlation yields matching parameters and the receiver can now keep track

of the signals.

The constant tracking of a GPS signal allows identifying the start of the embedded

navigation message. In consideration of the satellite’s ephemeris data, the frame

start time, and the local receiver time, the transit time from the satellite to the

receiver can be calculated. This time is put into relation with the speed of light to

obtain a pseudorange. A pseudorange represents the calculated distance from the

receiver to the tracked satellite, potentially affected by a local clock offset. Based

on multiple pseudoranges to different satellites, we are now able to calculate the

receiver’s position and the time solution to synchronize to the global GPS time. For

a more detailed overview of GPS signal generation, transmission, and reception, we

refer to the respective literature [39, 79,114,129].

2.2.3 GPS Positioning and Time Solution

Conceptionally, the positioning estimation and time synchronization is based on the

Time of Arrivals (ToAs) of four or more satellite signals. Each pseudorange ρSito

satellite Si can be represented as:

ρSi=

√

(xSi− xR)2 + (ySi

− yR)2 + (zSi− zR)2 +∆R · c, (2.1)

where xSi, xR, ySi

, yR, zSi, zR are the three-dimensional coordinates of the satellite

and the receiver, respectively. The local clock offset is denoted with ∆R and c

is the speed of light. This equation contains four unknown parameters, namely

the receiver position and the local clock offset. In consideration of four or more

equations, a receiver can numerically approximate a solution for the four unknown

values using a least squares error optimization process.

In essence, the receiver is located at positions that have a distance to the tracked

satellite according to the calculated pseudorange. As a geometric interpretation, a

sphere around the satellite with the pseudorange as radius marks all possible po-

sitions. Without further information on, e. g., the direction of the transmission, a

specific solution cannot be determined with a single pseudorange. By considering

four or more satellites, the spheres intersect each other and narrow down possible

locations. Figure 2.2 depicts this trilateration procedure. It is applicable when

multiple reference measurements are available, similar to server localization on the

2.2 Global Navigation Satellite Systems 13

S1

S2

S3

Receiver

Figure 2.2: Individual distances to multiple reference points such as satellites allowthe positioning of receivers via trilateration.

Internet by distributed response time measurements [58]. Specific to GPS, the cal-

culated ranges suffer under different error sources, which prevent a distinct solution.

2.2.4 GPS Error Sources

As GPS errors take a critical role for applications requiring a high positioning ac-

curacy, we discuss them in more detail. The standard GPS localization accuracy

is sufficient to estimate a position with an error of only a few meters. On closer

inspection, the error budget can be split up into different error sources. Due to the

signal generation in space and a travel distance of more than 20,000 km, the channel

from the satellites to the user is comparably unstable. We categorize the various

error sources into three groups: satellite, propagation medium, and receiver errors

(see Table 2.1).

Satellite Errors. Errors can arise from the satellite itself concerning clock bi-

ases and orbital drifts. For error mitigation, each satellite periodically embeds an

estimation of the error characteristics in the adjustable ephemeris data.

Signal Propagation Errors. Environmental effects such as ionospheric or tro-

pospheric refractions are dependent on the physical conditions on the propagation

path. When GPS signals reach the Earth’s surface, they are potentially reflected

at obstacles leading to multipath effects that further decrease the Signal-to-Noise

Ratio (SNR).

Receiver Errors. In addition to normal receiver noise (e. g., thermal noise in

components), the receiver can suffer under clock biases and center phase variations.


Table 2.1: GPS L1 C/A Error Sources and UERE [39,79]

1σ Error [m]

Type Error Source Bias Random Total

SatelliteEphemerides data 2.1 0.0 2.1Satellite clock 2.0 0.7 2.1

ChannelIonosphere 4.0 0.5 4.0Troposphere 0.5 0.5 0.7Multipath 1.0 1.0 1.4

Receiver Measurement 0.5 0.2 0.5

UERE 5.1 1.4 5.3

The combined error of all presented sources is summarized in the User Equivalent

Range Error (UERE). A quantifying analysis is conducted by Parkinson et al. [79].

The results in terms of bias, random, and total errors are given in Table 2.1. The

given values are based on a 1σ-probability level relating to the deviation in meter.

By applying suitable filtering to the random component of the error, the UERE can

be reduced from 5.3m down to 5.1m [79]. These errors represent guarantees, and

the experienced error is often far below that benchmark. An annual report analyzes

the current standing of GPS performance and measured an average 95th percentile

error of 1.28m for the year 2016 [99]. To be clear, the UERE is not the localization

accuracy. The achievable localization accuracy further depends on a combination of

satellite geometry, signal blockage, and the quality of the receiver design.

2.2.5 Application Areas

The free and open nature of GPS has driven the development of countless appli-

cations that use GPS as a source of location and time information. The uncondi-

tional, worldwide availability of GPS is perceived as a given fact. Hence, GPS is

omnipresent and an essential building block to enable further designated services. As

a result, GPS is not just another navigation system but is essential for most critical

infrastructure sectors. Specifically, GPS is used in the chemical, communications,

critical manufacturing, defense, emergency services, energy, financial services, food

and agriculture, information technology, nuclear, and the transportation systems

sector [61,131].

The total economic benefit of GPS can hardly be estimated. Only a few reports

exist that assess the economic value of GPS. For instance, the direct benefits for

the industry in the United States is estimated to range from $37.1 to $74.5 billion

2.3 Aircraft Broadcast Signals 15

for 2013 and is expected to have increased significantly since then [61]. However,

the indirect benefits cannot be put into numbers as GPS is inseparable from the

implementing applications. As a noteworthy example, the Federal Aviation Admin-

istration (FAA) predicted at least $200 million in efficiency benefits in 2011, without

factoring in the enormous improvements in aviation safety and the protection of hu-

man lives [61].

2.3 Aircraft Broadcast Signals

In aviation, satellite-based navigation systems are an important support for nav-

igation and autopilot applications. Notably, GPS is used in all phases of flight

including departure, waypoint-based route planning, airport approach, and even

navigation on the airport surface. Moreover, modern air traffic surveillance consid-

ers Automatic Dependent Surveillance-Broadcast (ADS-B) aircraft status reports

which embed GPS-derived positioning information. Digitally-aided monitoring of

airspaces is a key technology to assure safety and mandatory separation regulations

in increasingly dense flight spaces. By 2020, the implementation of ADS-B will be

mandatory for aircraft to access most of the world’s airspace [132].

In particular, ADS-B is a protocol that, in its basic form, defines two services. On

the one hand, ADS-B Out is a broadcast signal transmitted by aircraft transponders.

On the other hand, ADS-B In is the receiver part and allows the interpretation of

ADS-B messages. In the remainder of this dissertation, we use ADS-B when refer-

ring to ADS-B Out. These broadcasts are periodic aircraft status reports containing

an identification, information on speed, track, and acceleration, a GPS-derived po-

sition along with additional status information. ADS-B operates on a frequency of

1090MHz, and the signals can be received by ground-based sensors as illustrated

in Figure 2.3. Based on empirical measurements, the signals are received over a

distance up to 700 km [110].

The open specification of ADS-B promotes the free collection and usage of aircraft

reports. Simple, Commercial Off-the-Shelf (COTS) receivers can sense and decode

ADS-B messages to gain a real-time view of the close-by airspace. Even though the

message loss can reach up to 75% at individual sensors, the collaboration of sensors

can compensate missed reports and simultaneously increase covered air traffic. A

network of widely-distributed sensors is thus able to visualize large portions of the

world’s air traffic. One such network is the OpenSky Network [74,107–110,120] with

over 850 sensors that also makes the collected data available for research.


R1

R2

R3

Aircraft

Figure 2.3: Aircraft periodically transmit ADS-B status reports that can be sensedby receivers on the ground.

Similar periodic broadcast signals exist in other domains, e. g., for marine traffic.

In particular, vessels are mandated to use Automatic Identification System (AIS) to

inform others about their presence. In the same way, vessels are equipped with GPS

receivers and embed the derived positioning information in AIS status reports. From

a security point of view, both ADS-B and AIS lack fundamental security practices

making them vulnerable to various attack vectors.

You want weapons? We’re in a library! Books! Best

weapons in the world! This room’s the greatest ar-

senal we could have. Arm yourself!

— The Doctor

3Attacks on Satellite-Based

Navigation Systems

Contents

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.2 Attack Classification . . . . . . . . . . . . . . . . . . . . 18

3.2.1 Jamming Attacks . . . . . . . . . . . . . . . . . . . . 18

3.2.2 Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . 19

3.3 Advancing Attacker Models . . . . . . . . . . . . . . . . 19

3.3.1 Attack Advancements . . . . . . . . . . . . . . . . . . 20

3.3.2 Multi-Antenna Attacker . . . . . . . . . . . . . . . . . 21

3.3.3 Related Work and Impact . . . . . . . . . . . . . . . . 23

3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

17

18 Chapter 3 Attacks on Satellite-Based Navigation Systems

3.1 Introduction

While the integrity of the service provided by Global Navigation Satellite Systems

(GNSSs) is crucial for applications that depend on accurate positioning or timing

information, the civilian signals of Global Positioning System (GPS) are neither

encrypted nor authenticated. As a consequence, GPS has been shown to be vulner-

able to attacks with the goal of disrupting the service or injecting deliberate false

information. We differentiate between jamming attacks and spoofing attacks and

point out how these attacks affect targeted victims. We specifically analyze the

progression of attack requirements and demonstrate that the currently considered

attacker models need to be taken one step further.

3.2 Attack Classification

Attacks on satellite-based navigation systems can be classified into two categories,

namely (i) jamming attacks and (ii) spoofing attacks. While both are active attacks

on the signal level, they serve different purposes. The following attack classification

is based on the communications jamming taxonomy by Lichtman et al. [62].

3.2.1 Jamming Attacks

Since GPS signals reach the Earth’s surface at a very low signal power—even below

the noise level, they need to be filtered and amplified significantly. Hence, they

are susceptible to even slight sources of disturbance. We distinguish between unin-

tentional interference, which we do not consider here, and deliberate jamming. In

jamming attacks, an attacker transmits a signal with the purpose of disrupting the

communication. This can be achieved, e. g., via high-power noise-like signals to raise

the noise floor to prevent any useful decoding. Due to the low signal power of GPS

signals, a jammer can easily exceed such power levels. As a result, a receiver cannot

track the authentic satellite signals, and any localization or time-synchronization

service is blocked.

Although strictly illegal in the United States, a wide range of Commercial Off-

the-Shelf (COTS) GPS jamming devices are available for purchase on the Internet.

One such device caused a significant outage of a GPS assisted augmentation system

at Newark Liberty International Airport [27] in 2012. It was later identified to be a

“personal privacy device” intended to block the GPS-based vehicle tracking system.

The jamming of GPS signals can also be used as a tool to deny the service in a

targeted manner, for instance, GPS jamming directed at Norwegian airspace [75]

3.3 Advancing Attacker Models 19

denied GPS reception for aircraft. However, due to the usual increase in the signal

power, jamming attacks can be detected by analyzing the Received Signal Strength

(RSS) and can even be localized [81] by considering the Angle of Arrival (AoA).

3.2.2 Spoofing Attacks

In contrast to jamming attacks, a spoofing attack tries to mimic authentic signals,

i. e., a GPS spoofing attack emulates satellite signals. With full control over the

transmitted signals, an arbitrary constellation with respect to the Time Difference

of Arrival (TDoA) can be generated. The requirements are elaborated by Tippen-

hauer et al. [128]. A receiver processes such signals and calculates its position and

synchronize its internal clock accordingly. This constitutes a higher-layer attack

with the purpose of injecting false attacker-controlled information. The detection

of spoofing attacks can be troublesome depending on how signals are disguised. A

classification of different spoofing techniques is provided by van der Merwe et al. [67].

In the remainder of this dissertation, we consider spoofing attacks that inject false

positioning information.

Successful spoofing attacks on GPS-depending systems can directly interfere with

the Position, Velocity and Time (PVT) solution. Their applicability has been

demonstrated targeting COTS receivers [43], Unmanned Aerial Vehicles (UAVs) [57],

and even modern ships [9]. Apart from academic research, spoofing attacks can be

perceived in the real world as well. For instance, it is used as a defense against

GPS-controlled UAVs around the Kremlin in Russia [73, 100, 113] or impairs the

navigation of ships in the Black Sea [13, 30, 31, 53, 64]. These works and incidents

have highlighted the threat of GPS spoofing and identified the lack of suitable coun-

termeasures. To counter this threat, our objective is the design of effective, ready-

to-use countermeasures.

3.3 Advancing Attacker Models

Generally speaking, distance-based localization systems are challenging to protect

and are usually prone to spoofing attacks, e. g., fake GPS signals can be specifically

generated to confuse the localization procedure of a targeted receiver to inject false

position or time information. When the first affordable GPS spoofing systems be-

came available, the research community was compelled to react to this new threat.

The proposed countermeasures were designed to defend against attackers that use

one spoofing system to generate a mixture of false signals transmitted over a single

antenna (see Figure 3.1). This constraint stands in contrast to the normal operation


Attacker Receiver

Receiver ts1s2 s

3s4

Figure 3.1: An attacker with a single antenna needs to transmit a signal mixture ofmultiple satellite signals, which determines the TDoA at the receiver.

scenario, where each signal is emitted by a different satellite located at distributed

positions (compare Figure 2.1).

The proposed countermeasures against these attackers are mainly based on signal

characteristics that cannot be correctly emulated by single-antenna systems such

as geometric features [49, 94, 95, 125–127], signal correlations [12, 37, 60, 88], relative

carrier phases [14,63,68,90], Doppler effects [106], or signal arrival times [105]. The

common assumption is that an attacker can only utilize single-antenna spoofing

systems and that using multiple devices is deemed too complex or too expensive.

With regard to technical advancements and significant cost reductions to deploy

several spoofing devices simultaneously, these assumptions need to be considered

outdated. However, today’s security solutions are still based on the single-antenna

attacker model and neglect the fact that the multi-device attacker has become a

reality [69]. As a result, systems with this outdated attacker model need to be

considered potentially insecure.

As an exemplary case, a multi-device attacker may successfully attack systems

based on distributed sensor infrastructures such as two proposals to secure air traf-

fic from Schäfer et al. [105, 106]. While the former system is based on unspoofable

time offsets [105], the latter builds on the integrity of Doppler shifts [106]. Nev-

ertheless, a multi-device attacker can adjust both properties at different locations

accordingly, e. g., to inject fake aircraft remaining undetectable by the respective

system. Furthermore, anti-spoofing systems based on signal characteristics such as

the AoA [60] or spatial correlation [12] may be circumvented by deploying multiple

antennas transmitting from different directions. Such systems could also emulate

realistic multipath propagation.

3.3.1 Attack Advancements

The GPS spoofing threat was first brought to the wider attention of the public by

the Volpe report [52] in 2001. The report states that malicious parties could be able

to deploy attacks against systems relying on GPS concerning the system’s inherent

lack of confidentiality and authentication. The spoofing threat became a reality


in 2008 when Humphreys et al. [43] presented a custom-built, portable GPS spoofer

to generate false satellite signals with which they demonstrated the vulnerability of

GPS-dependent systems to spoofing attacks.

In the meantime, GPS satellite simulators—mainly designed for developing and

testing purposes—dropped significantly in cost from approx. $100,000 [60] to a few

thousand dollars. These devices can be turned into spoofing systems, limited only by

the accompanying software tools. Eventually, at DEFCON 2015, a Software Defined

Radio (SDR) GPS spoofer was presented [76] that is fully customizable and only

requires off-the-shelf SDRs such as a HackRF [26] or a Universal Software Radio

Peripheral (USRP) [23, 24], which lowers the costs for a single spoofing system to

a few hundred dollars. Several systems of this type can be utilized to transmit

different signals realizing a multi-antenna attacker with COTS hardware.

As a result, we conclude that, during the last decade, the cost and complexity

to build a GPS spoofing system lowered significantly. While the threat of facing

a multi-antenna attacker could be considered minimal ten years ago, nowadays we

need to factor the deployment of such an attacker into our attacker models as it has

become well feasible, thus changing our security assumptions and raising the risk for

applications relying on GPS for safety- or security-critical decisions and processes.

3.3.2 Multi-Antenna Attacker

The multi-antenna attacker utilizes (at least) four antennas each sending out a

different satellite signal. These signals arrive at the receivers as individual signals

with specific attacker-chosen time offsets. If chosen appropriately, the signals can be

resolved to a position that is determined by the actual satellite positions included

in the ephemeris data and the corresponding Time of Arrival (ToA). With one

satellite signal per antenna, the attacker can adjust the ToAs by repositioning the

corresponding antenna or inducing signal delays. Note that this is different from

the standard attacker setup, where a mixture of satellite signals is emitted from the

same source [12, 14, 43, 49, 60, 68, 90, 94–96, 128]. We want to stress that such an

attacker was only theoretically proposed in [128], but no practical implementations

are known.

Implementation of a Multi-Antenna Attacker

To illustrate advancements in attacker capabilities, we deploy a simple yet effective

setup to generate multiple separated spoofing signals (see Figure 3.2). The imple-


Attacker

gnuradio

USRP 2

USRP 4USRP 3

USRP 1

Victim

gnss-sdr

GPS Receiver

Figure 3.2: An experimental multi-antenna attacker setup consisting of four synchro-nized USRPs operated by gnuradio targeting a victim’s GPS receiver.

mentation of a multi-antenna attacker allows us to be more flexible and to attack

systems that assume an attacker cannot leverage these many degrees of freedom.

In particular, we deploy a setup of four USRPs N210 [24] from Ettus Research,

each transmitting a different satellite signal. These signals are generated by the

software tool gps-sdr-sim [76] for four satellites randomly selected from all visible

satellites at the spoofed position and time. All USRPs are connected via a network

switch and a standard laptop running gnuradio [29] positioned equidistantly around

the targeted receiver. A gnuradio block was designed that synchronously provides

the USRPs with the necessary precomputed data samples. The USRPs are coupled

with passive GPS antennas. The targeted GPS receiver is another USRP N210

device connected to a second laptop running gnss-sdr [28] to analyze the capability

of the multi-antenna attacker. We performed this experiment in a shielded indoor

environment to minimize potential signal leakages to the outside.

Insights

With this simple test setup, we gathered the following three insights. (i) We were

able to spoof the receiver with four spoofing devices each emitting a different satellite

signal. By placing the spoofer’s antennas equidistant to the receiver and a time

synchronization via gnuradio, we achieved a stable position lock on the spoofing

signals. (ii) The targeted receiver acquired a lock on the spoofing signals after

approx. 50 s, which is in the range of the duration of a normal warm start. (iii) The

achieved position accuracy was within an error of approx. 20 km.


Implementation Challenges

Notably, the time synchronization between the spoofing signals is a crucial require-

ment for a stable lock and eventually injecting the desired position. For instance,

a time offset of 1ms causes an offset in the pseudorange of approx. 300 km. This

offset can lead to unstable calculations and high position errors. Despite the high

dependency on the time synchronization, we were able to achieve comparably good

accuracy with the help of error correction procedures in the targeted receiver. More-

over, all results have been gathered in a non-laboratory environment, and are ex-

pected to increase in accuracy and stability by implementing an external time pulse

reference [7].

Results

As a result, we were able to successfully spoof the targeted receiver with a setup

that uses four antennas that each emit a different satellite signal. This setup allows

us to dynamically adjust single satellite signals separately from each other. Hence,

we obtain the complete freedom of how to manipulate the target, i. e., we can change

individual pseudoranges, signal amplitudes, Doppler frequencies, AoAs, or ToAs to

emulate the desired behavior. This can either be achieved by changing the geometric

setup or delaying signals. Eventually, we can attack systems that are based on

the assumption that signals are transmitted as a mixture and cannot be changed

individually.

It is noteworthy that the costs of the deployed attacking setup are moderate

and can be further decreased by using cheaper SDRs such as a HackRF One [26],

which is expected to perform equally good. The required knowledge can also be

considered low as most software is freely available online and the gnuradio block can

be generated by automated tools. This setup implements a fully customizable multi-

antenna attacker that can be used to target present secure localization systems.

3.3.3 Related Work and Impact

While there exists a multitude of related work on how to protect localization systems,

the attacker model assumptions differ significantly. For instance, several counter-

measure proposals only consider a single-antenna attacker and state that a multi-

antenna attacker is too complex, too costly, or too impractical [12, 14, 37, 43, 45, 60,

68, 90, 94, 95, 125–127]. The presented solutions are shown to be secure against the

single-antenna attacker model, but considering a more realistic attacker, they need

to be re-evaluated. Table 3.1 contains an overview of related work on localization


Table 3.1: Related Work Considering Multi-Antenna Attacks

Reference YearMulti-Antenna Attacker Potentially AttackDeemed Too Complex Vulnerable Resistant

[43] 2008 ✓ —1 —1

[68] 2009 ✓ ✓ ✗

[60] 2010 ✓ ✓ ✗

[14] 2010 ✓ ✓ ✗

[128] 2011 ✗ —1 ✓2

[12] 2012 ✓ ✓ ✗

[45] 2012 ✓ ✓ ✗

[90] 2013 ✓ ✓ ✗

[125–127] 2013/14 ✓ ✓3 ✓4

[37] 2014 ✓ ✓ ✗

[144] 2014 ✗ ✗ ✓

[94, 95] 2015 ✓ ✓3 ✓4

[117] 2015 ✗ —1 —1

[105,106] 2015/16 ✗ ✓ ✗

[69] 2016 ✗ —1 —1

[96] 2016 ✗ ✗5 ✓5

[49] 2016 ✗ ✗ ✓

1focus on attacks rather than countermeasures2provide a proof for the security of four and more receivers3with three or less receivers4with four or more receivers5secure according to the authors, but we argue that using more antennas as available

channels in the receiver may also circumvent this countermeasure

systems that consider the multi-antenna attacker model and the resistance of the

proposed solutions to such attacks.

Moreover, countermeasure solutions assuming the outdated single-antenna at-

tacker model [12, 14, 37, 45, 60, 68, 90, 105, 106] may be deemed vulnerable against a

stronger attacker. In particular, we need to consider those works as potentially inse-

cure and to fall victim to more sophisticated attackers. On the other hand, solutions

based on multiple receivers monitoring satellite pseudoranges [94,95,125–127] can be

shown to be secure using four or more receivers according to Tippenhauer et al. [128].

As a consequence, countermeasures that were already designed with an extended

attacker model in mind exhibit better security against the multi-antenna attacker [49,

96, 144]. Notably, while Ranganathan et al. [96] state that their system is secure

against any currently known attacker, the countermeasure makes use of a limited

number of channels. Raising the number of attacking devices above the number of

channels, the countermeasure could potentially be circumvented.

3.4 Summary 25

Table 3.2: Selected Publications Providing Multi-Antenna Results

Domain Reference Theory Simulation Experiment

Localization

[43] ✓ ✗ ✗

[128] ✓ ✗ ✗

[96] ✓ ✗ ✗

[49] ✓ ✗ ✗

Power Grid [144] ✓ ✗ ✗

Physical Layer[117] ✓ ✓ ✓

Key Establishment

Air Traffic Control [69] ✓ ✓ ✓

Recently, the first works that specifically put the focus on a multi-device attacker

model have been published. These publications do not necessarily analyze localiza-

tion systems but evaluate the capabilities of multi-device attackers on, e. g., sensor

systems or physical-layer key exchange. For instance, Moser et al. [69] presented

insights on how to attack an air traffic control sensor system by using a multi-device

attacker. Furthermore, Steinmetzer et al. [117] outlined an attack using a multi-

antenna setup to eavesdrop on a physical-layer key exchange. This attacker can

successfully reconstruct the secret key, which was deemed impossible considering

the outdated single-antenna attacker. We want to highlight that these publications

are an exception to the standard security models as of writing of this dissertation.

Table 3.2 shows related work—not limited to localization systems—that already

consider multi-device attackers and present either theoretical, simulation, or experi-

mental results. As a summary, only a few works currently exist that analyze stronger

attacker models and the minority performed simulations or experiments.

3.4 Summary

We conclude that the majority of existing security solutions for satellite-based local-

ization systems are based on an outdated single-antenna attacker model. Our simple

yet effective multi-antenna setup demonstrates that today’s adversaries have access

to affordable and moderately complex tools to deploy multiple-device spoofing sys-

tems. These systems can be used to attack localization systems that were considered

secure in the single-antenna adversary model. Even more critical, the systems are

falsely advertised to be secure without factoring in that stronger attackers already

became a reality and may ultimately break the security.


Considering these insights, we advocate a better understanding of advancing at-

tacker models, i. e., the multi-antenna attacker. In general, proposals for counter-

measures should be based on the most recent advancements in attacker capabilities

and should faster react on future progressions of available tools. We want to high-

light again that the multi-device attacker—often deemed as too complex—needs to

be considered a feasible attack vector and security solutions need to be developed

accordingly.

For the future, we demand system designs that are resistant against the multi-

antenna attacker to guarantee their integrity. First works already considered stronger

adversary models, however, this is still an exception. Following this approach, we

develop our proposed GPS spoofing countermeasures with strong but realistic at-

tackers in mind.

If you think cryptography is the answer to your prob-

lem, then you don’t know what your problem is.

— Peter G. Neumann

4Multi-Receiver GPS Spoofing

Detection

Contents

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.1.1 Problem Statement . . . . . . . . . . . . . . . . . . . 29

4.1.2 Contribution . . . . . . . . . . . . . . . . . . . . . . . 30

4.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . 31

4.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . 33

4.4 Attacker Model . . . . . . . . . . . . . . . . . . . . . . . 33

4.5 Theoretical Multi-Receiver Spoofing Detection . . . . . 35

4.5.1 Detection Mechanism . . . . . . . . . . . . . . . . . . 35

4.5.2 Countermeasure Formation . . . . . . . . . . . . . . . 37

4.5.3 Leveraging Environmental Errors . . . . . . . . . . . . 38

4.5.4 Error Modeling and Distribution . . . . . . . . . . . . 39

4.6 Experimental Evaluation of Authentic Signals . . . . . 41

4.6.1 Experimental Setup . . . . . . . . . . . . . . . . . . . 41

4.6.2 Measurement Analysis . . . . . . . . . . . . . . . . . . 42

4.6.3 Additional Measurements . . . . . . . . . . . . . . . . 45

4.6.4 Results . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4.7 Experimental Evaluation of Spoofed Signals . . . . . . 46

4.7.1 Experimental Setup . . . . . . . . . . . . . . . . . . . 46

4.7.2 Measurement Analysis . . . . . . . . . . . . . . . . . . 47

27

28 Chapter 4 Multi-Receiver GPS Spoofing Detection

4.7.3 Additional Measurements . . . . . . . . . . . . . . . . 49

4.7.4 Results . . . . . . . . . . . . . . . . . . . . . . . . . . 49

4.8 Simulation of the Countermeasure . . . . . . . . . . . . 49

4.8.1 Simulated Parameter Sets . . . . . . . . . . . . . . . . 50

4.8.2 Performance Metric . . . . . . . . . . . . . . . . . . . 51

4.8.3 Detection Performance . . . . . . . . . . . . . . . . . . 51

4.8.4 Results . . . . . . . . . . . . . . . . . . . . . . . . . . 53

4.9 Prototype Implementation . . . . . . . . . . . . . . . . . 53

4.9.1 Deployment . . . . . . . . . . . . . . . . . . . . . . . 53

4.9.2 Results . . . . . . . . . . . . . . . . . . . . . . . . . . 53

4.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.10.1 Selection of Function f(·) . . . . . . . . . . . . . . . . 54

4.10.2 Multi-Antenna Attacker Resilience . . . . . . . . . . . 56

4.10.3 Outlook on Future Work . . . . . . . . . . . . . . . . 57

4.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.1 Introduction 29

4.1 Introduction

With the growing reliance on the viability of Global Navigation Satellite Systems

(GNSSs) as a ubiquitous source of location, time, and navigation information, the

systems’ protection has become a matter of great importance. The integrity of

the service is an integral component of various applications ranging from mobile

phones, navigation units, industrial control systems, financial trading platforms,

trains, ships, to ankle bracelets for criminals. Moreover, GNSS-based localization

services such as Global Positioning System (GPS) are also expected to play an impor-

tant role in the context of the upcoming Internet of Things (IoT) and Cyber-Physical

Systems (CPSs) as they often involve mobile or time-dependent components, e. g.,

for autonomous driving.

4.1.1 Problem Statement

Unfortunately, GNSSs are susceptible to spoofing attacks, in which a malicious trans-

mitter emits manipulated signals imitating real satellites. A spoofing attack can

cause a victim’s GNSS receiver to compute a wrong location and/or time solution.

As a result, an attacker may remotely inject fake data into security- and safety-

relevant systems. In response to this threat, increasingly sophisticated methods for

spoofing detection have been developed and were analyzed to enable the real-time

identification of ongoing spoofing attacks [33, 45, 54, 87, 111, 138]. Countermeasures

can be coarsely categorized as data bit level, signal processing level, or navigation

and position solution level detection techniques [45]. These countermeasures pre-

dominately require custom receivers with elaborate signal processing techniques and

enhanced hardware.

Furthermore, the attacker model used in many of these countermeasures considers

single-antenna attackers that may not make use of elaborate signal processing and

mixing techniques. We argue that an attacker with, e. g., an adaptable GPS simula-

tor, can generate spoofing signals with arbitrary precision in data, signal, or position

solution characteristics such as the imitation of satellite constellations, transmission

power, and other physical-layer characteristics. In addition, public GPS data is not

protected by signatures, so an equipped attacker can also spoof the data content

of the navigation messages. We therefore advocate the use of a detection measure

that leverages signal properties which are impossible to spoof correctly for nearby

or terrestrial attackers.

Research Question. We state the following research question: How can we reliably

detect GPS spoofing attacks in consideration of the most powerful multi-antenna


attacker and only using Commercial Off-the-Shelf (COTS) receivers? Further, we

are interested in strong security properties and compact solutions to broaden the

applicability of our proposed countermeasure.

4.1.2 Contribution

In this work, we focus on multi(ple)-receiver GPS spoofing detection as proposed by

Tippenhauer et al. [128] and perform its first practical evaluation. The detection is

based on the location reported by two or more COTS receivers mounted in a fixed

formation. During an attack, a single-antenna attacker would spoof receivers to the

exact same position solution, which can be used to detect the attack. It has been

shown that—from a certain number of receivers onwards—even a multi-antenna

attacker cannot succeed in maintaining a fixed formation, respectively the relative

distances, during an attack [128]. This leads to the fact that this detection technique

is principally unspoofable as long as the attacker signals are received at all devices

(which is hard to prevent if the receivers are positioned close enough together).

A benefit of the multi-receiver detection mechanism is that it can be realized with

COTS receivers without changes to the GPS infrastructure. The performance of the

countermeasure is expected to depend on the chosen distances between the receivers,

as in practice the location is influenced by noise. Based on a rough estimation of

required distances, Tippenhauer et al. [128] suggested application settings such as

cargo ships or trucks. Following theoretic investigations [37, 125–127], performance

values for distances between 10m to 50m were derived analytically. As a result,

the countermeasure does not seem suitable for most moving vehicles, but is only

applicable in large stationary installations. To the best of our knowledge, the multi-

receiver countermeasure has not been practically investigated and validated against

real spoofing setups.

In this work, we analyze the models used by Heng et al. [37] and Swaszek et al. [125–

127] and show that (i) adjacent GPS receivers have correlated noise on their location

estimates, (ii) previous error models overestimate the location error in the attack

case, and (iii) considering correlated errors can drastically reduces the expected false

detection rate of the countermeasure while preserving the sensitivity to attacks. As

a result, a distance of 3m to 5m can be expected to be sufficient (in contrast to 10m

to 50m) as we show by simulations and experiments (for the same performance cri-

teria). This broadens the number of possible application scenarios. We validate

our theoretical predictions using a prototype implementation with several receivers

and a GPS satellite signal generator as spoofer, and we provide in-depth insights on

parameters and setups for a reliable operation of the countermeasure.

4.2 Related Work 31

Our investigations and results demonstrate the applicability of the countermeasure

and will help users and engineers to set it up accordingly. The countermeasure may

be used in static setups, e. g., in factories to prevent time spoofing, as well as in

mobile settings, e. g., on vehicles such as trucks or airplanes to prevent location and

navigation spoofing. As an extension, we also envisage its use for highly mobile

setups such as drone formations. The evaluation framework can serve as baseline

for further investigations.

Summary. In summary, our work contains the following contributions:

• We extend previous theoretical work on multi-receiver spoofing countermea-

sures by modeling distance-related errors with the goal to differentiate between

error distributions during normal operation and under attack.

• We experimentally provide estimates of practical localization noise in normal

operation as well as in spoofing scenarios showing that the noise is spatially

correlated.

• We leverage these insights to show that the multi-receiver spoofing counter-

measures can be used reliably in formations which are almost an order of

magnitude smaller than previously proposed (area of formation).

• We experimentally demonstrate that our countermeasure prototype can reli-

ably detect real spoofing signals utilizing four receivers in a mutual distance

of 5m.

The contributions of this work resulted from a collaboration with Nils Ole Tip-

penhauer and Christina Pöpper.

4.2 Related Work

The vulnerability of GPS-dependent infrastructures to malicious disruption by GPS

spoofing attacks was assessed by the Volpe report [52]. First experimental work

on the topic of GPS spoofing was published by Warner et al. [135, 136]. The au-

thors demonstrated that spoofing attacks were feasible using a GPS satellite simu-

lator. They proposed countermeasures mostly based on signal strength differences

for spoofed signals.

On the basis of these initial insights, a rich set of related work on GPS spoofing

attacks has emerged. For instance, Humphreys et al. [43] constructed a spoofer that

uses legitimate GPS signals to obtain correct GPS data, and then re-transmit sig-

nals with selectively applied time offsets, causing a victim’s receiver to compute a


wrong location. Kerns et al. [57] conducted a practical attack against on-board GPS

receivers in unmanned aerial vehicles. Attacks targeting the software of receivers are

pointed out by Nighswander et al. [72]. Other recent works consider GPS spoofing

attacks on the time and phase synchronization in smart power grids [2,51,116,144].

In particular, Yu et al. [144] propose to use multiple static GPS receivers to deter-

mine the time of arrival of spoofed signals at different locations. The requirements

for successful spoofing attacks are elaborated by Tippenhauer et al. [128].

On the other hand, diverse countermeasures against spoofing attacks have been

proposed. One class of countermeasures is based on physical-layer signal character-

istics (e. g., Angle of Arrival (AoA), signal power, etc.). Different approaches are

compared by Papadimitratos and Jovanovic [77, 78]. Montgomery et al. [68] devel-

oped a detection technique of spoofing attacks differentiating phase shifts between

two antennas. Several signal quality monitoring techniques are proposed by Ledv-

ina et al. [60], Cavaleri et al. [14], and Wesson et al. [141]. While Akos [3] detects

spoofing signals based on the receiver’s automatic gain control, Psiaki et al. [88]

additionally compare correlations of military GPS signals. This countermeasure re-

quired a custom two-antenna receiver setup [43]. A receiver that performs auxiliary

peak tracking to detect spoofing signals is developed by Ranganathan et al. [96].

A different branch of research pursues the implementation of authentication mech-

anisms to secure GPS signals. Scott [112] proposed changes to the GPS signals

to introduce data-level authentication based on a public key infrastructure. An-

other authentication scheme based on short-term information hiding was proposed

by Kuhn [59]. To increase jamming resistance, Pöpper et al. [84] propose changes

in the modulation scheme without requiring pre-shared keys. Hein et al. [35, 36]

and Wesson et al. [140] pursue practical civilian GPS signal authentication. Later,

Humphreys [41] define detection strategies for attacks on cryptographically-secured

GPS signals.

Other countermeasure proposals are designed with customized antenna setups.

For instance, the spatial correlations of authentic and spoofing signals under random

antenna movements are analyzed by Broumandan et al. [12] and Psiaki et al. [90].

While Daneshmand et al. [20] analyze similar signal signatures with a multi-antenna

array, Psiaki et al. [89], Magiera, and Katulski [63] compare the phase of the carrier

signal between separated antennas. Moreover, Baker and Martinovic [5] propose to

compare the Time Difference of Arrivals (TDoAs) at a mobile node with a fixed

reference. In contrast to these detection schemes focusing on physical-layer char-

acteristics, we focus on the navigation message information itself. In other words,

4.3 System Model 33

instead of using pseudoranges [94, 95] we use the position solution for our counter-

measure, which is easy to obtain, process, and store on a high abstraction level.

Countermeasures based on multi-receiver architectures have been analyzed the-

oretically [37, 125–127]. Heng et al. [37] derived performance values for mutual

distances of 20m achieving a false rejection rate of less than 0.1 and a false detec-

tion rate of 0.01 (location noise σ = 5m). Therefore, the countermeasure seems

hardly applicable to most moving vehicles, but instead only suited toward large sta-

tionary installations. Swaszek et al. theoretically investigated the countermeasure

using statistical models [125,127] extended by bias in the two-dimensional noise dis-

tribution of the localization result [126]. For a four-receiver countermeasure, they

suggest that a square setup with 14m edge distance would achieve a false acceptance

rate of approx. 10−5 and a detection rate of approx. 0.99 (location noise σ = 4m).

However, such a formation would require an area of 200m2.

Comparative overviews and surveys on known and effective GPS spoofing counter-

measures are available in the respective literature [33, 34, 45, 54, 87, 111,138]. These

works offer a good foundation on investigated detection and protection techniques

and also provide directions for future work.

4.3 System Model

Conceptually, a multi-receiver spoofing countermeasure detects GPS spoofing at-

tacks based on the location reported by two (or more) COTS receivers Ri at fixed

known positions pi. In particular, we consider a multi-device deployment of GPS

receivers where the devices are distributed with physical distances d. Figure 4.1

depicts an exemplary setup of four receivers and at least four GPS satellites Si to

allow successful self-positioning.

Without loss of generality, we consider receivers located at approximately the same

height such that we can neglect the low-precision GPS altitude. The receivers peri-

odically compare their mutual distances of the calculated two-dimensional locations,

e. g., using wired connections. As our countermeasure only uses the localization re-

sult, a beneficial property is that it does not require any modification of standard

COTS receivers or on the GPS infrastructure.

4.4 Attacker Model

In accordance with the attacker models introduced in Section 3.3, we consider the

following attacker. The goal of the attacker is to change the localization or time


S1

S2 S

3S4

R2

R1

d

d

d d

R4

R3

Figure 4.1: Our system model consists of a multi-device deployment of GPS receiversat fixed positions. The receivers are interconnected to share calculatedGPS positions given that at least four satellite signals are available.

result of one or more victims. The attacker is capable of generating fake GPS

signals with the same signal characteristics as authentic GPS signals. We distinguish

between two scenarios for the attacker antennas: (i) a single-antenna attacker and

(ii) a multi-antenna attacker. In the first case, the attacker is restricted to a single-

antenna setup, where all spoofing signals are sent from the same source. In the

second case, the attacker can utilize multiple antennas gaining more freedom for the

transmission of signals to send potentially different signals from various locations.

We assume that all receivers obtain signals from the same sources, i. e., receivers

are not shielded from the reception of signals seen by other receivers. As shown in

related work [128, 135], a single-antenna attacker can successfully spoof individual

victims to an arbitrary location and time by sending spoofing signals that have

constant TDoAs with respect to each other, independently of the location of the

receiver. As a result, multiple receivers in range of the attacker would all compute

the same localization result (with minor time differences due to their respective

distances to the attacker). This scenario is depicted in Figure 4.2.

For the multi-antenna adversary model, spoofing individual position solutions

for less than four receivers becomes theoretically possible as shown by Tippen-

hauer et al. [128]. By selectively positioning antennas, an attacker may succeed

in satisfying expected relative TDoAs as long as the number of receiving antennas

does not exceed a certain threshold. We discuss the resilience of our countermeasure

against a multi-antenna attack in Section 4.10.2.

4.5 Theoretical Multi-Receiver Spoofing Detection 35

R2

R1

R3

R4

d d

d

d

Attacker

R1

ts1s2 s

3s4

R2

ts1s2 s

3s4

R3

ts1s2 s

3s4

R4

ts1s2 s

3s4

Figure 4.2: A single antenna attacker targets the formation of multiple GPS re-ceivers. As a results, all TDoAs are the same at all receivers.

The problem of taking over an established lock, i. e., the problem of taking over a

victim’s fix to authentic GPS signals, is out of scope of this work. In order to induce

a new fix onto the spoofed signals (i. e., to replace authentic signals), an attacker

needs to force a lock loss of the establish fix, e. g., by prior jamming or high spoofing

power [52]. Since our countermeasure is based on positioning information, we can

give the attacker the power to overcome prominent signal-based countermeasures.

4.5 Theoretical Multi-Receiver Spoofing Detection

We first introduce our detection mechanism and then argue that its performance

depends on (i) the physical formation of the receivers, and (ii) on the GPS noise

experienced by the receivers. We discuss both factors in more detail and predict

that authentic signals and attacker signals have different noise characteristics. By

incorporating insights on the error models, we are able to improve the performance

of the countermeasure.

4.5.1 Detection Mechanism

We assume that two (or more) GPS receivers are set up in a known static formation.

All receivers are continuously obtaining their location via GPS to use the calculated

locations to detect spoofing cases. Basically, our detection mechanism compares the

reported receiver locations in order to perform a binary classification into authen-

tic/spoofed situations. This decision is probabilistic and considers the predefined

receiver formation, its fixed relative distances, and the noise characteristics of the

receivers. The detection model is based on work by Swaszek et al. [125–127]; it


distinguishes between two potential detection outcomes based on the presence of an

attack. The considered hypotheses H0 and H1 are:

H0: No spoofing occurred.

H1: Spoofing is performed.

The decision making is based on the preservation of known receiver distances. In

case of authentic GPS signals, the computed distances are expected to be rather

stable and close to the physical distances of the given formation. In case of an

attack, the computed distances will shrink to values close to zero, as the receivers

would report the same location during a (single-antenna) spoofing attack. If the

system detects significant anomalies, the test should indicate a spoofing attack. In

contrast to the mean positions considered by Swaszek et al. [125–127], our detection

is based on relative distances between all pairs of receivers. The mechanism is

a function of the reported position information pGPSi and a comparison against a

decision threshold λ to be defined. The adapted test can be formally expressed as:

f(

pGPS1 , . . . , pGPS

n

)H0

≷H1

λ, (4.1)

where n denotes the number of receivers each reporting positions pGPSi , i ∈ {1, . . . , n}

and f(·) is a function merging the information to a single value. Each position pGPSi

consists of a latitude and a longitude component while we neglect the height informa-

tion here due to the low precision of GPS altitude. To simplify the discussion, we as-

sume that for our countermeasure all receivers are placed at approximately the same

height. We analyze possible functions (i. e., minimal, maximal, and weight-based ap-

proaches) and their effects on attack detection in more detail in Section 4.10.1.

Since our countermeasure is based on the relative distances between receivers, we

refine Equation (4.1) to directly take the set of GPS-derived distances dGPSi,j as input:

f(dGPSi,j ) := f

(

{

dGPSi,j

}1≤i,j≤n

i<j

)

H0

≷H1

λ. (4.2)

If the result of function f(·) on the GPS distances between the receivers falls

below the threshold λ, the test indicates a spoofing attack (H1). However, if the

result is above the threshold λ, the test decides for no spoofing (H0). Notably, since

the absolute positions contained in Equation (4.1) are not decisive for our spoofing

detection, there is no information loss from Equation (4.1) to Equation (4.2). Hence,


we can safely use Equation (4.2), which contains all distances clearly defining the

underlying formation.

On the basis of Equation (4.2), we can define two important probabilities in regard

to the detection and the false alarm ratio. The probability of detection Pd describes

the chance that an actual spoofing attack is indeed detected. Thus, the result of

f(·) needs to be below the threshold λ when under a spoofing attack :

Pd = Pr{f(

dGPSi,j

)

< λ | H1},

with 1 ≤ i < j ≤ n. On the other hand, the false alarm probability Pfa describes

the chance of triggered alarms when no spoofing occurs. The result of f(·) needs to

be below the threshold λ when no spoofing is performed :

Pfa = Pr{f(

dGPSi,j

)

< λ | H0}.

Considering both equations, we need to optimize λ with the purpose of achieving

high detection rates while maintaining a low probability of false alarms. If the re-

ceivers were to obtain their position solution without any error, they could perfectly

detect spoofing attacks even if their mutual distances are very small (e. g., a few

centimeters). Unfortunately, GPS receivers have a non-negligible position-solution

error in practice (as discussed in Section 2.2.4).

4.5.2 Countermeasure Formation

The generalized receiver formation for our countermeasure considers a virtual center

around which the receivers are placed. In particular, receivers are placed equidis-

tantly on the edge of a virtual circle with the aforementioned center. With this

constellation, a multi-receiver setup can be realized in a compact way and the setup

is extendable while keeping the same radius of the circle.

We denote the number of receivers as n and the radius of the circle is defined

as r, while the resulting distance between neighbors is d. For instance, for n = 2

each receiver is placed on the opposing side of the circle. As a result, for a given

radius r the distance becomes d = 2r. For n = 3 we obtain a triangle and for n = 4

the formation becomes a square with equal edge lengths. Figure 4.3 depicts possible

countermeasure formations equally distributed on a virtual circle. The relationship

between n, r, and d can be formulated as:

d = 2r · sin(

2π

2n

)

.


R2

R1

rd

(a) n = 2

R2

R1

r

R3

d

(b) n = 3

R2

R1

R4

R3

r

d

d

d d

(c) n = 4

Figure 4.3: The multi-receiver spoofing detection countermeasure can be instanti-ated with different number of receivers distributed on a virtual circle.

Notably, the more receivers we use, the more different distances between all pos-

sible receiver pairs are obtained according and are used by the function f(·). While

for n = 2 we only have one single distance, for n = 4 we already have six (par-

tially dependent) distances. The number of connections can be calculated according

to(

2n

)

. For the actual detection system, we mostly consider a setup with n = 4

receivers. That is the least amount of receivers required while protecting against

the multiple-antenna attacker [128] as discussed in Section 4.10.2.

4.5.3 Leveraging Environmental Errors

The noise of the position solution experienced by receivers is a determining factor

for the performance of our countermeasure. We introduced general GPS errors in

Section 2.2.4, and we now apply the error model to our spoofing detection approach.

In prior work [125,126], the User Equivalent Range Error (UERE) as introduced in

Section 2.2.4 was modeled to be identical for authentic and spoofing signals. We now

argue that this is not the case in practice, and a more realistic model can improve

the countermeasure performance. On closer inspection, the UERE is a composition

of two components. The satellite system-intrinsic User Range Error (URE) includes

environmental errors, whereas the User Equipment Error (UEE) is caused by the

receiver design [130]. This is particularly relevant for two reasons:

(a) We claim that the environmental errors are to a certain degree location-

specific—i. e., several receivers at the same location will experience correlated en-

vironmental errors. The intuition is that this will make our countermeasure more

reliable in normal operating conditions, as position shifts are partially correlated.


(b) During a location spoofing attack, an attacker has potentially large influence

on the environmental error, but this error will be roughly the same for multiple

victims. In particular, the attacker has control over the ephemerides data and

satellite clock offsets in the spoofing signals. In addition, the attacker is comparably

close to the receivers, so that multipath effects are greatly reduced. As a result, our

intuition is that in an attack scenario, the location differences of several victims are

less noisy than under normal operation (i. e., their UEREs are expected to develop

a stronger correlation).

In order to get a better understanding of the impact of correlation, we take a look

at the calculation of a (noised) one-dimensional distance:

dGPSi,j = dist(pGPS

i + ni, pGPSj + nj) = dist(pGPS

i , pGPSj ) + (ni − nj),

where ni and nj is the noise for pGPSi and pGPS

j , respectively. The actual distance

dist(pGPSi , pGPS

j ) is impacted by the combined noise ni − nj. If both noise sources

are independent, there is no tendency on how the calculated (noised) distance will

behave. However, when the sources are correlated they will compensate each other

to a certain degree, which can be calculated by:

σdist =√

σ2i + σ2

j − 2ρi,jσiσj

σi=σj

=√2σ ·

√

1− ρi,j,

where σdist is the standard deviation of the distance, σi and σj the standard deviation

of pGPSi and pGPS

j (assumed to be roughly equal), and ρ is the Pearson correlation

coefficient given as:

ρX,Y =cov(X, Y )

σXσY

, (4.3)

with X and Y being two datasets of the same length. In particular, the correlation

coefficient is a measure of linear dependence between these two datasets. A value

of 0 indicates no correlation, whereas +1 and -1 represent total positive correla-

tion, respectively total negative correlation. As a result, the stronger the correlation

between the experienced noise, the less noisy are the mutual distances. Similar con-

siderations apply to the cases of two-dimensional latitude and longitude components

as well as multidimensional points.

4.5.4 Error Modeling and Distribution

In addition to our model of the receiver formation and the general error sources,

we require a more detailed model to describe the error distribution. Based on

those models, we can perform simulations to determine suitable distances between


the receivers and optimal decision thresholds. According to the GPS performance

standard [130], we assume that the receiver’s position errors are Gaussian distributed

in latitude and longitude. If the mean and the standard deviation for each direction

are known, we can compute probability functions and make predictions for the error

distribution.

However, our scheme is based on relative distances and thus combines both di-

rections. Following [125, 126], we assume that distance-related errors are Gaussian

distributed with approximately the same standard deviation in latitude and lon-

gitude. We also assume that the correlation between changes in each direction

exhibits similar characteristics. By making these simplifications, the error distribu-

tion of the Euclidean distance of two two-dimensional Gaussian distributed points

can be formulated in a closed form. Notably, we use the distance projected on a

two-dimensional plane neglecting the curvature of the earth for small distances.

The resulting mathematical model, which describes the distribution of the dis-

tances between one two-dimensional Gaussian distributed point and a fixed point,

is a Rician distribution. We extend the model by replacing the fixed point with a

second two-dimensional Gaussian distributed point. If the standard deviation and

the correlation are the same, the adjusted distribution maintains its Rician property.

The Probability Density Function (PDF) for a Rician distribution is given by:

f(x) =

xσ2 e

−x2+s2

2σ2 I0(

xsσ2

)

, x > 0,

0, x ≤ 0,(4.4)

with noncentrality parameter s reflecting the distance to the center and scale param-

eter σ as the standard deviation of the Gaussian distribution. Further, I0 denotes

the zero-order modified Bessel function of the first kind.

The corresponding Cumulative Distribution Function (CDF) is defined as:

F (x) =

1−Q1

(

sσ, xσ

)

, x > 0,

0, x ≤ 0,(4.5)

where Q1 is the first order Marcum Q-function.

Due to our adaptions and the addition of a second Gaussian distributed point, the

noncentrality parameter s and the scale parameter σ of the resulting distribution

are not equivalent to the distance nor the standard deviation, respectively (but are

very close to the actual scales).

4.6 Experimental Evaluation of Authentic Signals 41

For the special case of two two-dimensional Gaussian distributed points with the

same center, s becomes 0. As a result, a Rayleigh distribution is obtained, which is

only dependent on the scale parameter σ.

Thus, the PDF simplifies as follows:

f(x) =

xσ2 e

− x2

2σ2 , x > 0,

0, x ≤ 0.(4.6)

The corresponding Rayleigh CDF is:

F (x) =

1− e−x2

2σ2 , x > 0,

0, x ≤ 0.(4.7)

In order to evaluate the CDFs, we first need to determine the parameters s and σ.

However, the parameter estimation for both distributions is a non-trivial problem

in mathematical analysis. Therefore, we use the numeric solution calculated by

the distribution fitting function fitdist provided by MATrix LABoratory (MAT-

LAB) [65]. Note that these error models are not taking correlations into consider-

ation. We therefore expect distances to be more dense around the means and that

our model is only a pessimistic approximation.

4.6 Experimental Evaluation of Authentic Signals

We present a series of experiments conducted to obtain real-world GPS localization

errors. The experiments were executed with a set of co-located receivers, which

allows us to determine temporal and spatial correlations between the localization

errors. As a result, we were able to identify suitable parameters for our spoofing

detection mechanism.

4.6.1 Experimental Setup

For our experimental setup, we deployed four standalone Arduino UNOs, rev. 3 [4].

Each Arduino is extended with a GPS logger shield including a GPS module in order

to process incoming GPS signals. Furthermore, an external active antenna with an

additional 28 dB gain is coupled with each GPS shield. The external antenna not

only provides more stable solutions but also increases the flexibility of the setup due

to an additional 5m cable length. The combination of these components is hereafter

referred to as a receiver (see Figure 4.4a).


(a) Arduino UNO GPS Receiver (b) Experimental Setup

Figure 4.4: In the experimental setup, four Arduino UNO GPS receivers are posi-tioned on a wooden bench (circles) connected to a central laptop.

Table 4.1: Receiver Placement and Relative Distances

Receiver Side dC [m] dR1[m] dR2

[m] dR3[m] dR4

[m]

R1 East 7.00 - 8.06 13.00 9.90R2 South 4.00 8.06 - 7.21 11.00R3 West 6.00 13.00 7.21 - 9.22R4 North 7.00 9.90 11.00 9.22 -

In the initial measurements, four receivers were arranged in a cross-like formation

with side lengths of approx. 4m to 7m as depicted in Figure 4.4b. Each receiver

generates National Marine Electronics Association (NMEA) 0183 [70] data sentences

while processing the received signals. The data is constantly stored on a controlling

laptop connected via USB, which also powers the receivers. With a total of four

receivers, we obtain six distinct distances matching each device with each other. For

the specific relative distances we refer to Table 4.1, in which dC is the distance to

the center (as measured by hand), and dRiis the calculated distance to the other

receivers. The overall formation is aligned to the cardinal directions North, South,

East, and West, which was set up for approx. 2.5 h at a place with clear Line of

Sight (LoS) to the sky.

4.6.2 Measurement Analysis

We next evaluate the recorded data and derive suitable parameters for the sub-

sequent simulations. The position map in Figure 4.5 indicates that the reported

positions are scattered around four points, which in our case closely reflect the ac-

tual receiver placement. However, the deviation from the interim positions to the

actual placement can reach several meters. Figure 4.6 shows the development of

these distances over the course of the experiment. While the average distance er-

ror µ ranges from approx. 0.79m for R4 to 1.61m for R3, the standard deviation σ


13.615 13.620 13.625 13.630

Longitude E 7° [']

30.424

30.426

30.428

30.430

30.432

30.434

Latitu

de N

51°

[']

Figure 4.5: Illustration of the receiver placements on the wooden bench (dashedlines) including reported positions, where “X” indicates the mean posi-tions over the measurement duration.

0 20 40 60 80 100 120 140

Measurement Duration [min]

0

1

2

3

4

Dis

tan

ce

fro

m M

ea

n [

m]

Figure 4.6: The calculated distances between the reported positions and their re-spective means (close to the actual positions).

varies between approx. 0.41m for R4 and 0.87m for R3. In comparison to the values

reported in Table 2.1, the positions measured during the experiment are very stable.

Since our spoofing detection mechanism takes the relative distances into account,

we calculate the distances between the reported positions. The results are depicted

in Figure 4.7. The histogram uses a bin width of 0.5m. The average distances are

all within 1m from the actual distances noted in Table 4.1. In Section 4.5.4, we

concluded that the underlying distribution is Rician. We try to align the respec-

tive PDF from Equation (4.4) with the measurements. The solid line represents a

normalized best fit based on a Rician distribution. The gap between the theoretical

distribution and the recorded data is due to correlations of position errors (distances

tend to be smaller) and limitations of the measurement setup. The parameters of

the distributions are included in Table 4.2. In particular, the noncentrality param-


0 5 10 15

Distance [m]

0

0.5

1

Pro

babili

ty D

ensity

(a) R1 — R2

0 5 10 15

Distance [m]

0

0.5

1

Pro

ba

bili

ty D

en

sity

(b) R1 — R3

0 5 10 15

Distance [m]

0

0.5

1

Pro

ba

bili

ty D

en

sity

(c) R1 — R4

0 5 10 15

Distance [m]

0

0.5

1

Pro

ba

bili

ty D

en

sity

(d) R2 — R3

0 5 10 15

Distance [m]

0

0.5

1

Pro

ba

bili

ty D

en

sity

(e) R2 — R4

0 5 10 15

Distance [m]

0

0.5

1

Pro

ba

bili

ty D

en

sity

(f) R3 — R4

Figure 4.7: The distribution of calculated distances between each pair of receivers,with fitted Rician distribution curves (bin width of 0.5m).

Table 4.2: Error Distribution Parameters - Authentic

Distance Noncentrality s Scale σ d99 [m] ρLAT ρLON

R1 — R2 8.13 0.68 6.58 0.05 0.40R1 — R3 13.32 0.81 11.46 0.49 0.78R1 — R4 10.80 0.78 9.02 0.51 0.47R2 — R3 7.04 0.80 5.24 0.72 0.65R2 — R4 11.34 1.13 8.77 0.51 0.47R3 — R4 9.76 1.49 6.42 0.35 0.72

eter s closely reflects the average distance µ, whereas the scale parameter σ reflects

the standard deviation of the dataset.

As an illustrative example, we focus on a single distance. Considering the CDF of

the Rician distribution from Equation (4.5), we are able to calculate the probability

that a certain threshold λ is exceeded. In particular, we can determine the point

at which 1% of the distribution is accumulated. According to the CDF, we expect

that 99% of the distances exceed this fix point such that

Pr{dGPS ≤ d99} = 1−Q1

(

s

σ,d99σ

)

,

where d99 represents the distance that is shorter than 99% of all distances. With

this equation we can calculate thresholds that belong to different probabilities. The

distances corresponding to the 99% threshold for each pair of co-located receivers

are shown in Table 4.2. For instance, the distance R3 — R4 (µ = 9.87m) is expected

to be below 6.42m in only 1% of the cases and is calculated to be maintained 99%

of the times, which is approx. 3.4m less than the actual distance based on the initial

measurements.


A further aspect of our measurement analysis is how position changes correlate

spatially. We expect a correlation between the position deviations of co-located re-

ceivers since the system-intrinsic URE is an environment-dependent error. To iden-

tify its extent, we compute Pearson’s correlation coefficient ρ from Equation (4.3)

between the reported positions. The results of our measurements are listed in Ta-

ble 4.2. For better clarity, ρ is partitioned in a latitude and a longitude component.

We recognize a consistent positive correlation. Even though the extent of correlation

differs between the receivers due to noise effects (ρLAT for R1 — R2 is an outlier),

the correlation is considerable and throughout positive.

4.6.3 Additional Measurements

We conducted further measurements to confirm our error modeling approach in

different environments, e. g., receivers were placed close to metallic walls. Over

different time periods (up to three days non-stop) measurements were collected to

assess the effects of signal reflections and changing meteorological conditions. For

the sake of clarity, we only present resulting parameters for the standard deviation

and the correlation here.

For receivers with clear LoS, but under multipath effects, we experienced a typical

position noise in the range of σ ≈ 0.75 to σ ≈ 3.06, where the latter occurred close

to a reflecting metallic wall. Similar degradations were observed for the correlation

between position changes. Additional noise sources can impair the correlation to ρ ≈0.27 for direct wall reflections. However, correlations of ρ ≈ 0.82 were still perceived

for receivers affected by multipath signal components but with clear LoS.

3-day Experiment

This experiment was run over the course of three days non-stop with n = 4 receivers

and changing weather conditions. Over 1,200,000 data points for each receiver were

recorded. Figure 4.8 shows a histogram of all relative distances. We note that the

real distances between the receivers were relatively small to shelter the devices from

rain. Outliers are still visible and could be caused by changing temperature and

weather conditions.

4.6.4 Results

In conclusion, the localization precision of the utilized COTS receivers for authentic

signals is within typical standard deviations of σ ≈ 0.5, . . . , 3. The correlation be-

tween the position shifts is significantly positive and stabilizes at ρ ≈ 0.4, . . . , 0.6 for


0 5 10 15

Distance [m]

0

0.1

0.2

0.3

Pro

babili

ty D

ensity

(a) R1 — R2

0 5 10 15

Distance [m]

0

0.1

0.2

0.3

Pro

babili

ty D

ensity

(b) R1 — R3

0 5 10 15

Distance [m]

0

0.1

0.2

0.3

Pro

babili

ty D

ensity

(c) R1 — R4

0 5 10 15

Distance [m]

0

0.1

0.2

0.3

Pro

babili

ty D

ensity

(d) R2 — R3

0 5 10 15

Distance [m]

0

0.1

0.2

0.3

Pro

babili

ty D

ensity

(e) R2 — R4

0 5 10 15

Distance [m]

0

0.1

0.2

0.3

Pro

babili

ty D

ensity

(f) R3 — R4

Figure 4.8: Stabilized distance distributions over a three-day measurement periodwith n = 4 receivers, with fitted Rician distribution (bin width of 0.5m).

long-term measurements. We validated our findings with experiments in changing

environments, at different days, and varying measurement periods.

4.7 Experimental Evaluation of Spoofed Signals

In the previous section, we investigated the localization error for authentic signals.

We now present experimental results on the localization error for spoofed signals,

using the same receivers as in the previous experiments.

4.7.1 Experimental Setup

In our measurement setup, the spoofing attack is realized via a GPS signal sim-

ulator that is capable of generating arbitrary civilian GPS signals (LabSat 3 [93]

from Racelogic). These signals can be composed with attacker-chosen parameters

such as signal power or position solution. With the supplied software tools, we are

able to generate scenarios, which emulate similar conditions as were present during

our measurements for the authentic signals. In particular, the simulator uses the

ephemeris data for that specific place and time period.

Since the satellite simulator aggregates a mix of satellite signals into a signal

that is resolvable to one specific location, we choose the coordinates of one of the

receivers from our initial measurements as the spoofed position. The spoofing signal

was sent wirelessly during limited time periods and all receivers obtained the signal

at approximately the same power levels. In order to imitate the authentic scenario

as closely as possible, we adapted the external antennas inclination to the new AoAs

due to the ground-level simulator. A sophisticated attacker is assumed to send out

signals from higher positions avoiding the antenna adjustments. During the (indoor)

4.7 Experimental Evaluation of Spoofed Signals 47

0 20 40 60 80 100 120 140


0

0.5

1

1.5

Dis

tance fro

m M

ean [m

]

Figure 4.9: The progression of the calculated distances to their respective meansreveals a close spatial correlation in the spoofing scenario.

experiment, the receivers were shielded from real GPS signals in order to acquire a

quick fix to the spoofing signals as well as to prevent signal leakages to the outside.

In less than one minute, the receivers locked onto the spoofing signal and kept tuning

to process all available satellites from the signal. The spoofing attack was performed

with the same GPS time and for the same duration as for the outdoor measurement.

4.7.2 Measurement Analysis

The analysis of the recorded measurements reveals the following insights. All re-

ported positions closely reflect the preconfigured location for which the GPS signals

were generated. Within the given precision, the mean of the reported positions is

the same for all receivers, independent of the actual positioning or formation.

In consideration of the reported positions as shown in Figure 4.9, all four traces

exhibit similar patterns and, over the course of the experiment, we can recognize

periods in which the distance to the mean positions concurrently increases or de-

creases. In these periods, we assume that the simulator imitates the changing signal

quality at the chosen location and time by adjusting the impact of system-intrinsic

UREs. The average distance µ from the means varies between approx. 0.47m for R4

and 0.57m for R3, whereas the standard deviation σ ranges from approx. 0.21m

for R4 to 0.29m for R3. In comparison to the outdoor measurements, both quan-

tities are roughly halved. We conclude that the reported positions are less affected

by errors.

In consideration of the relative distances, the resulting distribution is depicted in

Figure 4.10. To increase the resolution, the applied bin width is refined to 0.1m.

As analyzed in Section 4.5.4, the distances follow a Rayleigh distribution, for which


0 0.2 0.4 0.6 0.8 1

Distance [m]

0

2

4

6

8

Pro

babili

ty D

ensity

(a) R1 — R2

0 0.2 0.4 0.6 0.8 1

Distance [m]

0

2

4

6

8

Pro

babili

ty D

ensity

(b) R1 — R3

0 0.2 0.4 0.6 0.8 1

Distance [m]

0

2

4

6

8

Pro

babili

ty D

ensity

(c) R1 — R4

0 0.2 0.4 0.6 0.8 1

Distance [m]

0

2

4

6

8

Pro

babili

ty D

ensity

(d) R2 — R3

0 0.2 0.4 0.6 0.8 1

Distance [m]

0

2

4

6

8

Pro

babili

ty D

ensity

(e) R2 — R4

0 0.2 0.4 0.6 0.8 1

Distance [m]

0

2

4

6

8

Pro

ba

bili

ty D

en

sity

(f) R3 — R4

Figure 4.10: The distribution of calculated receiver distances under a spoofing at-tack, with fitted Rayleigh distribution curves (bin width of 0.1m).

the noncentrality parameter s becomes 0 due to overlapping center points. The

solid (red) curve represents the best fit on the basis of the respective PDF from

Equation (4.6). Note again that, due to correlations between the position errors,

distances tend to be smaller than the distribution suggests. Measurement limitations

prevent a perfect fit with the distribution, see Table 4.3 for the determining scale

factor σ.

According to Figure 4.10, the relations involving R4 feature less distinct peaks

such that the (red) curve drops slower towards the right side. Taking the CDF of

the Rayleigh distribution from Equation (4.5) into consideration, we can determine

the probability that a certain threshold λ is exceeded. This can be described as

Pr{dGPS > d99} = e−d99

2

2σ2 ,

where d99 is expected to be larger than 99% of the distances. In contrast to the

authentic measurements, the role of d99 is swapped representing a threshold towards

the upper limit. For each receiver pair, the value of d99 is stated in Table 4.3.

Due to the very small deviations in the reported position solutions, the calculated

thresholds are less than 1m. Even for the most diversified distance R1 — R4, the

relative distance exceeds approx. 0.66m in only 1% of the cases.

Finally, we evaluate the correlation between position deviations on the basis of

the correlation coefficient. The calculated coefficients for latitude and longitude

directions are included in Table 4.3. Across all receivers, the values illustrate a

strong positive correlation with a minimal coefficient of ρ ≈ 0.87 for R1 — R4 and a

maximal coefficient of ρ ≈ 0.99 for R2 — R3, both in latitude direction. Compared

to the correlation for the outdoor measurements, the correlation in the spoofing

scenario is constantly higher. Each receiver is faced with the same GPS signals and

4.8 Simulation of the Countermeasure 49

Table 4.3: Error Distribution Parameters - Spoofing

Distance Scale σ d99 [m] ρLAT ρLON

R1 — R2 0.13 0.38 0.97 0.93R1 — R3 0.14 0.42 0.97 0.92R1 — R4 0.22 0.66 0.87 0.90R2 — R3 0.09 0.28 0.99 0.97R2 — R4 0.16 0.49 0.93 0.96R3 — R4 0.18 0.55 0.93 0.96

thus the same embedded system-intrinsic errors. Receiver-specific errors only take

a minor role, which is reflected by high correlation coefficients close to 1.

4.7.3 Additional Measurements

We performed additional spoofing experiments to investigate the impact of different

environments. For instance, we varied the antenna inclination due to the different

AoA of spoofing signals due to a ground-level satellite simulator. We tried to es-

tablish similar power levels at the receivers to imitate the conditions under normal

operation. In all our experiments, the spoofer was in close vicinity to the receivers.

We obtained the following typical results for the standard deviation and the correla-

tion. For unfavorable environments, the individual position inaccuracy can increase

to σ ≈ 0.88 under spoofing. The correlation coefficients across several measure-

ments maintained a comparably high level of ρ ≈ 0.98 to ρ ≈ 0.46 in scenarios with

stronger multipath effects.

4.7.4 Results

In conclusion, the receivers maintain a position accuracy of σ ≈ 0.2, . . . , 1. The

typical correlation coefficient for position shifts is strong positive in the range of

ρ ≈ 0.5, . . . , 1. In comparison to the performance for authentic signals, the position

solutions are more stable and the correlation is higher. Again, we validated our

findings with additional spoofing experiments in changing environments.

4.8 Simulation of the Countermeasure

We now use the noise parameter ranges learned from our real-world experiments in

Section 4.6 and Section 4.7 to instantiate the GPS spoofing detection system and

evaluate its performance through simulations. We developed a simulation framework


Table 4.4: Simulation Parameter Sets

Case σauthentic ρauthentic σspoofing ρspoofing

1 4 0.5 2 0.52 2 0.5 1 0.53 1 0.5 1 0.54 1 0.5 1 0.75 1 0.5 0.5 0.9

using MATLAB in order to calculate the expected performance of different receiver

formations. In addition, the framework finds optimal decision thresholds λ with

respect to corresponding detection probabilities pd and false alarm probabilities pfa.

Within the simulation framework, we pursue two goals: (i) Simulate the coun-

termeasure for n receivers (we focus on n = 4) considering different distribution

parameters including distance, standard deviation, and correlation. (ii) Evaluate

different instantiations of the function f(·), which is the determining function for

the decision mechanism in Equation (4.2). For the analysis with n = 4 receivers, we

chose a normalized majority voting, where longer distances (diagonal in a square)

are more significant. The reasoning behind the selection is given in Section 4.10.1.

4.8.1 Simulated Parameter Sets

Based on real-world measurements, we consider five different error models repre-

senting different scenarios and measurement environments, see Table 4.4. The first

scenario considers high noise from our worst case measurements (Case 1). On the

other hand, the fifth scenario includes the most stable position solutions that we

measured (Case 5). The other scenarios are intermediate steps between these two

extremes (Cases 2, 3, 4). Notably, the third scenario represents an error model for

which authentic and spoofing signals suffer from the same extent of errors.

The simulation covers varying receiver distances given as the radius r of the virtual

circle, gradually increased from 0m to 15m with a step size of 0.01m. The number of

generated measurements is 10,000,000 for each receiver position and each simulation

run. The error modeling is realized by adding Gaussian noise with the corresponding

distribution parameters that also maintain correlations between generated datasets.

4.8 Simulation of the Countermeasure 51

1 2 3 4 5 10 15

r [m]

10-6

10-4

10-2

100

EE

R

Case 1

Case 2

Case 3

Case 4

Case 5

Figure 4.11: The resulting EER for n = 4 receivers equidistantly positioned on avirtual circle with different radii r and distinct error parameter sets.

4.8.2 Performance Metric

As the first measure of performance, we consider Equal Error Rates (EERs), i. e.,

1− pd!= pfa. (4.8)

In other words, our decision threshold λ is chosen in such a way that the probabil-

ity of a false alarm pfa is equal to the probability of a missed detection pd. However,

we notice that the occurrence of spoofing and non-spoofing scenarios is not equally

distributed. In most cases, the receivers operate with authentic signals, whereas an

actual attack is very unlikely. False alarms are generally more likely to occur than

false detections and thus would need to be weighted more than missed detections.

The usage of the EER gives us a worst case estimation with a stronger focus on reli-

able detection; the distance between receivers may be decreased further if we allow

poorer detection probabilities. At the same time, missed detections typically incur

a larger security risk than false detections. To account for these considerations, we

later additionally report results individually for the probabilities of false alarms pfa

and missed detection pd.

4.8.3 Detection Performance

We examine the detection performance of our detection mechanism for n = 4 re-

ceivers. The results under consideration of the error scenarios from Table 4.4 are

depicted in Figure 4.11. The required receiver distances differ substantially for each

of the simulated cases. For example, a radius of approx. 11m is needed for an

EER of 10−6 in the worst measured scenario (Case 1). An EER of 10−6 equals


0 5 10 15

r [m]

10 -6

10 -4

10 -2

10 0P

fa Pd = 0.999

Pd = 0.99

Pd = 0.9

(a) Without Improvements

0 5 10 15

r [m]

10 -6

10 -4

10 -2

10 0

Pfa

Pd = 0.999

Pd = 0.99

Pd = 0.9

(b) With Correlation

0 5 10 15

r [m]

10 -6

10 -4

10 -2

10 0

Pfa

Pd = 0.999

Pd = 0.99

Pd = 0.9

(c) With Lower Spoofing Errors

0 5 10 15

r [m]

10 -6

10 -4

10 -2

10 0

Pfa

Pd = 0.999

Pd = 0.99

Pd = 0.9

(d) Combination of Both

Figure 4.12: Detection performance when introducing our improved error models oncorrelation and behavior under spoofing for n = 4 receivers.

only one triggered alarm on a sample size of 1,000,000 measurements under normal

operation, whereas only one instance of spoofing remains undetected. For our best

error model the required radius is reduced to approx. 2m (Case 5). The radii for

the other scenarios vary from approx. 6m (Case 2), and approx. 4m (Case 3), to

approx. 3.5m (Case 4).

To integrate our results with theoretic prior work [125–127], we take σ = 4

(assumed by Swaszek et al. [126]) as a starting point to show the effect of our

measurement-based improvements. Note that the official performance standard [130]

only gives typical ranges for the standard deviation from σ ≈ 1 to σ ≈ 8. Figure 4.12

shows the performance improvements as we introduce our assumptions. The curves

in Figure 4.12a are generated with a standard deviation of σ = 4 and a correlation

of ρ = 0.5 between position changes for both normal operation and spoofing. In

Figure 4.12b, we introduce the effect of higher correlation during a spoofing attack

by adjusting ρspoofing = 0.9. A more realistic assumption on the standard deviation

is introduced in Figure 4.12c, where we keep σauthentic = 4 and change σspoofing = 1

emulating the reduced position shifts under spoofing. Figure 4.12d combines both

effects, i. e., σauthentic = 4, σspoofing = 1, ρauthentic = 0.5, and ρspoofing = 0.9.

In particular, the (red) dashed line in Figure 4.12 represents the resulting false

alarm rate as a function of the radius by fixing the detection probability to pd = 0.99.

Without considering reduced error characteristics under spoofing, we obtain pfa =

10−5 for a radius of approx. 12.31m. Using our derived parameter set, the required

radius is reduced to approx. 3.63m for the same false alarm rate. When relating to

4.9 Prototype Implementation 53

the required space to deploy all receivers, the resulting square has edges of length

approx. 5.13m.

4.8.4 Results

We conclude that our proposed improvements greatly reduce the required area

for the countermeasure from 200m2 as suggested by Swaszek et al. [126] to ap-

prox. (5.13m)2 ≈ 26.32m2, which is almost an order of magnitude smaller (square

area). For this comparison, we picked the same UERE values as Swaszek et al. [126].

If we use the UERE we measured in our experiments instead, the performance would

increase even further.

4.9 Prototype Implementation

To demonstrate the applicability of our proposed multi-receiver spoofing detection

mechanism, we develop a prototype implementation. We incorporate the results of

our simulation with regard to suitable receiver distances.

4.9.1 Deployment

We deploy an experimental setup with n = 4 receivers positioned in a square with

edge length d = 5.00m, which is equivalent to a circle with r ≈ 3.54m. Two

receivers are placed in close vicinity to a metal wall introducing signal shielding and

additional multipath components. Figure 4.13 shows the measurement environment

(the metallic wall is close to the right hand side).

We tested this formation in two different environments: (i) We recorded mea-

surements under authentic conditions, see Figure 4.13. (ii) We targeted the same

formation with an indoor spoofing attack. Notably, we used the indoor setup to

prevent—in particular illegal—interference with surrounding devices. We captured

data for spoofing and normal operation for close to three hours. For this specific

setup we utilized the normalized majority voting approach for the receiver distance

analysis.

4.9.2 Results

Within the entire measurement period, we encountered no false alarms. While under

spoofing, our countermeasure detected the spoofing attack reliably as depicted in

Figure 4.14. More than 80,000 GPS measurements were recorded during the exper-

iments. The threshold, which is represented by the horizontal line, is an estimation


Figure 4.13: The outdoor deployment of our GPS spoofing detection prototype withn = 4 receivers in a distance of d = 5.00m (metallic wall to the right).

that optimizes both the detection and the false alarm probability. The normalized

majority distance for the authentic measurements is constantly above the thresh-

old, whereas in the spoofing case it is always below. If any of the measurements

cross the threshold line, either a false alarm or a missed spoofing would occur. A

sliding-window approach could compensate single threshold under- or overcuts.

With our prototype implementation we have demonstrated that the detection

mechanism is applicable to n = 4 receivers positioned in a square formation of

edge length d = 5.00m or a circle with radius r ≈ 3.54m. For the duration of the

experiment we encountered no false alarms and no missed spoofing events.

4.10 Discussion

We now discuss further aspects of the developed multi-receiver GPS spoofing de-

tection system. We first analyze different instantiations of function f(·) and their

impact on the decision making process. We then reason about the resilience of our

countermeasure even against multi-antenna attackers and finally outline directions

for future research.

4.10.1 Selection of Function f(·)To find an optimized function f(·) for the implementation in Equation 4.2, we con-

sider four different instantiations, which represent a minimal, maximal, majority,

4.10 Discussion 55

0 20 40 60 80 100 120 140 160


0

2

4

6

8

No

rma

lize

d M

ajo

rity

[m

]

Authentic

Spoofing

Figure 4.14: The normalized majority distance for authentic GPS signals (top) andunder spoofing (bottom). The line represents the decision threshold λ.

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

r [m]

10-6

10-4

10-2

100

EE

R

Figure 4.15: EER for different radii considering four different instantiations of func-tion f(·) with n = 4 receivers and same error distributions (Case 3).

and normalized approach. The minimal and maximal functions only consider the

minimal, respectively the maximal, measured distance from the set of all distances.

The majority approach performs a voting mechanism which decides for spoofing

when the majority of distances, i. e., four out of six, fall below the decision threshold.

The normalized approach further makes distances more significant depending on

their relative length compared to others, e. g., the diagonal in a square is√2-times

longer than the edges.

For instance, we consider n = 4 receivers resulting in six distances in total. Ex-

emplarily, we present results considering the error model with the same error dis-

tributions for spoofing and non-spoofing conditions (Case 3) from Table 4.4. We

are able to identify the best choice for the function f(·) for this specific model and

give hints towards the impact of changing error models. Figure 4.15 compares per-


Table 4.5: Function f(·) Performance (Lower is Better)

Function f(·) Relation 1 Relation 2 Relation 3

Minimal ≥ 7 ≥ 9 ≥ 10Maximal 1.00 1.20 1.23

Majority 0.85 1.00 1.02Normalized 0.83 0.98 1.00

formance values for the functions function f(·), i. e., minimal, maximal, majority,

and normalized. As one can see, the choice of minimal offers the worst perfor-

mance from the analyzed set. The other three types, namely maximal, majority,

and normalized, all perform pretty similar with normalized as a close call winner.

In order to quantitatively compare the performances, we compute the relative

difference in EER over all radii and average it by means of normalizing the results.

Results are given in Table 4.5. We can state that the normalized approach performs

approx. 2% better than the (non-normalized) majority voting and approx. 17%

better than the maximal function. The majority function has an approx. 15% bet-

ter average performance than the maximal function. In conclusion, the normalized

approach is the best choice for the selected error model.

We also conducted simulations for other error models with similar results. For

the scenarios with more stable and more correlated signals, we notice that the dif-

ferences of maximal, majority, and normalized functions are decreasing and even-

tually the maximal distance performs almost as good as the others within negligible

margins. The usage of the maximal function is beneficial for setups with restricted

computational resources since this function requires less comparisons. Nevertheless,

(normalized) majority voting is the optimal choice for all considered error models.

4.10.2 Multi-Antenna Attacker Resilience

With respect to the resilience of our GPS spoofing countermeasure against the multi-

antenna attacker, we can state the following. While the countermeasure has been

designed with single-antenna attackers in mind, the deployment with multiple, dis-

tributed receivers also exhibits effective protection against the more powerful multi-

antenna attacker. In particular, for settings with n ≥ 4 receivers, a multi-antenna

attack (with the attacker trying to adjust the TDoAs) cannot preserve relative dis-

tances of all receivers as reasoned by Tippenhauer et al. [128]. As a result, our

proposed spoofing countermeasure with four receivers is expected to be resilient

against multi-antenna attacks by design.

4.11 Summary 57

With our limited multi-antenna attacker implementation from Section 3.3.2, we

tried to fool the spoofing detection with a distance-preserving multi-antenna attack—

with very limited success. We were only able to spoof single receivers, and even our

basic countermeasure with n = 2 is already complicating the attack significantly.

4.10.3 Outlook on Future Work

Our investigations leave promising avenues for future work. Before the countermea-

sure is deployed on a larger scale, more investigations regarding the stability of GPS

errors and their correlation for different locations, environmental conditions, and

time intervals are desirable. We are interested in further reductions of the required

distance between receivers (e. g., in scenarios with rather stable signals due to di-

rect LoS or due to receiver dynamics). Recently, Pesyna et al. [82] presented the

potentiality of centimeter positioning, which would greatly improve our detection

performance. Our investigations provide an evaluation framework that facilitates

extended measurements and evaluations. We leave the evaluation of overlapping

legitimate and spoofing signals for future work.

4.11 Summary

We thoroughly investigated a multi-receiver GPS spoofing detection technique and

performed its first practical implementation. We started by revising the error model

assumptions of previous work and claimed that there exists a spatial correlation

between errors at co-located receiver positions. We experimentally validated that

the predicted error correlation is present in authentic signal scenarios, as well as

under spoofing attacks. By leveraging the correlated noise of co-located receivers,

we were able to lower the false alarm rate of the countermeasure, while preserving

the sensitivity to attacks.

A multi-receiver formation of at least four receivers can detect attacks even con-

sidering an attacker utilizing multiple antennas, whereas two receivers can already

detect single-antenna attacks. As a result, a formation covering an area of 26m2 is

sufficient (for a detection rate of 99% and a false alarm rate of approx. 10−5), in

contrast to the previously proposed 200m2 [126] or even larger areas [37]. We real-

ized the first multi-receiver-based GPS spoofing detection system based on low-cost

COTS devices. Using this implementation, we were able to validate our theoreti-

cal findings through a range of experiments using single-antenna and multi-antenna

attackers. For an experiment over the course of roughly 3 h, we observed no false

alarms or missed detections.

Data is like garbage. You’d better know what you

are going to do with it before you collect it.

— Mark Twain

5Crowdsourced GPS Spoofing

Detection and Spoofer

Localization

Contents

5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 61


5.1.2 Contribution . . . . . . . . . . . . . . . . . . . . . . . 62

5.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . 63

5.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . 65

5.4 Attacker Model . . . . . . . . . . . . . . . . . . . . . . . 66

5.4.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . 66

5.4.2 Validation of Assumptions . . . . . . . . . . . . . . . . 67

5.5 Crowd-GPS-Sec . . . . . . . . . . . . . . . . . . . . . . . 70

5.6 Multilateration (MLAT) . . . . . . . . . . . . . . . . . . 72

5.7 GPS Spoofing Detection . . . . . . . . . . . . . . . . . . 73

5.7.1 Time Alignment of Transmissions . . . . . . . . . . . . 74

5.7.2 Test 1 (Cross-Checks with Multilateration (MLAT)) . . 74

5.7.3 Test 2 (Multiple Aircraft Comparison) . . . . . . . . . 75

5.7.4 Complementary Design . . . . . . . . . . . . . . . . . 76

5.8 GPS Spoofer Localization . . . . . . . . . . . . . . . . . 76

5.8.1 Localization Model . . . . . . . . . . . . . . . . . . . 77

59

60 Chapter 5 Crowdsourced GPS Spoofing Detection and Spoofer Localization

5.8.2 Error Minimization . . . . . . . . . . . . . . . . . . . 79

5.8.3 Improved Filtering . . . . . . . . . . . . . . . . . . . . 81

5.9 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 81

5.9.1 Spoofing Detection Performance . . . . . . . . . . . . . 81

5.9.2 Spoofer Localization Performance . . . . . . . . . . . . 84

5.9.3 Impact of GPS Accuracy . . . . . . . . . . . . . . . . 86

5.9.4 Impact of MLAT Accuracy . . . . . . . . . . . . . . . 87

5.9.5 Impact of Spoofed Track Velocity . . . . . . . . . . . . 87

5.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 88

5.10.1 Combined Error Effects . . . . . . . . . . . . . . . . . 88

5.10.2 Localizing Spoofers of Stationary Targets . . . . . . . . 89

5.10.3 Applicability to Other Networks . . . . . . . . . . . . . 89

5.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

5.1 Introduction 61

5.1 Introduction

While Global Navigation Satellite Systems (GNSSs) have become the de facto stan-

dard means of navigation and tracking services in outdoor environments on the

Earth’s surface, their services also play an important role for aerial applications.

With its ubiquitous coverage, Global Positioning System (GPS) is often a mission

critical factor for aircraft navigation as well as for Unmanned Aerial Vehicles (UAVs),

ranging from consumer-class mini or micro drones to tactical and strategic UAVs.


Although GPS is commonly used in aviation, the system is not secure, i. e., civilian

(public) GPS signals sent by the satellites are neither authenticated nor encrypted.

As a consequence, aircraft and UAVs are vulnerable to GPS signal spoofing attacks,

where a malicious transmitter emits signals similar to those from the satellites but

at a higher power and, potentially, at slightly different time delays. The aircraft’s

GPS receiver will likely lock on to the spoofed signal as it arrives with a higher

signal strength than the authentic signals. By selectively varying the time offsets of

the spoofed satellite signals, attackers are able to mimic arbitrary positions. These

kinds of spoofing attacks are well-known [40, 43, 52, 86, 128] and have been shown

to be feasible in the real-world [9, 40]. In fact, GPS spoofing has allegedly been

used to hijack a CIA stealth drone (RQ-170) in Iran in 2011 [103] or luring ships

off their course [9, 86]. Moreover, GPS spoofing has been used as a defense against

GPS-controlled UAVs flying in the vicinity of the Kremlin in Russia [73,100,113]. In

particular, in 2017, a mass GPS spoofing incident occurred in the Black Sea [13,30,

31,53,64]—an attack executed by an unknown spoofer from an unknown position.

Over the years, the price to perform GPS spoofing attacks has dramatically

dropped as detailed in Section 3.3. Mobile Commercial Off-the-Shelf (COTS) GPS

spoofing devices are available for less than $1,000 [86] and publicly available soft-

ware tools [76] allow the generation of arbitrary GPS signals. The price fall and

low-expertise requirements raise the risk for applications relying on GPS for safety-

or security-critical decisions and processes. The democratization of GPS spoofing

technologies has triggered the development of various countermeasures, which can

be coarsely categorized into three classes: (i) data bit level, (ii) signal processing

level, and (iii) navigation and position solution level [45]. Since the majority of

countermeasures proposals require far-reaching modifications of either the GPS in-

frastructure or the receiving devices, they are unlikely to be implemented in the

near future.


Research Question. We state the following research question: How can we detect

(and potentially localize) GPS spoofing attacks without requiring any modifications on

the currently available satellite and receiver infrastructure? Moreover, the solution

should be suitable for a geographically distributed sensor network via crowdsourcing

collaboration.

5.1.2 Contribution

Driven by the increasing threat and the lack of realistic short-term solutions, we

propose Crowd-GPS-Sec, a system that detects and localizes GPS spoofing attacks

on aerial vehicles without the need to update the satellites’ signals nor the logic

of the airborne GPS receivers. Crowd-GPS-Sec leverages crowdsourcing to moni-

tor the position advertisements derived from GPS that aircraft and UAVs periodi-

cally broadcast for air traffic surveillance. Using those advertisements, we devise a

GPS spoofing detection and localization solution that analyzes the contents and the

Time Difference of Arrivals (TDoAs) of these surveillance messages as received by

distributed sensors on the ground.

We evaluate Crowd-GPS-Sec with simulations and real-world data from the Open-

Sky Network [74,107], a crowdsourcing initiative which maintains a network of more

than 850 air traffic communication sensors around the world. Our implementation

of Crowd-GPS-Sec is able to globally detect GPS spoofing attacks in less than two

seconds and to localize the attacker up to an accuracy of 150 meters after 15 minutes

of monitoring time.

While the problem addressed in this work is related to spoofing detection and

localization in classical direction finding [20,63,68] and multilateration systems [69],

there is one fundamental difference and unique advantage. Instead of trying to de-

tect and localize the GPS spoofer through direct measurements of its own signals, we

rely on indirect measurements from position advertisements that aircraft are broad-

casting. This approach enables us to detect and localize the spoofer even when there

is no direct Line of Sight (LoS) between a sensor and a spoofer. Maintaining a LoS

to an aircraft is much simpler and thus more effective since aircraft are in the sky

and use high transmission power levels which render the signals receivable from the

ground up to several hundred kilometers away. Another major advantage is that

Crowd-GPS-Sec relies on data from air traffic monitoring sensors that are already

widely deployed around the world. Thus, our solution does not require a dedicated

GPS signal acquisition infrastructure for spoofing detection and localization. To the

best of our knowledge, this work is the first to propose a GPS spoofing countermea-

5.2 Related Work 63

sure which takes advantage of considering indirect GPS-inferred data rather than

raw GPS signals.

Summary. In summary, our work makes the following contributions:

• We propose Crowd-GPS-Sec and elaborate on the idea to provide security via

an existing infrastructure of crowdsourcing sensors.

• We present algorithms for the detection of GPS spoofing attacks on airborne

targets by using aircraft reports and multilateration.

• We provide a novel technique for the localization of GPS spoofers based on

position differences between pairs of spoofed aircraft.

• We report on experiments with aircraft transponders and assess the perfor-

mance of Crowd-GPS-Sec analyzing real-world air traffic control data.

The contributions of this work resulted from a collaboration with Matthias Schäfer,

Daniel Moser, Vincent Lenders, Christina Pöpper, and Jens Schmitt.

5.2 Related Work

As GPS is known to be vulnerable to spoofing attacks [40, 42, 45, 52, 135], several

works demonstrated their feasibility [9, 43, 57, 86]. Attacks can target different do-

mains such as vehicle navigation systems [9, 57, 86, 115, 145] or critical infrastruc-

tures [144]. Tippenhauer et al. [128] analyzed the requirements for successful GPS

spoofing attacks. It is worth noting that GPS spoofing has also been proposed as

a countermeasure, e. g., to defend against hostile UAVs [42, 57, 73, 113] by means of

hijacking or misguidance.

A rich body of countermeasures specific to GPS exists in the literature which

can be categorized into prevention and detection measures. In order to prevent

spoofing of GPS signals, several works propose the use of cryptographic techniques

to authenticate satellite signals [35,36,41,59,112,141]. This is similar to how military

GPS signals are protected. However, cryptographic techniques require profound

modifications of the GPS infrastructure as well as a key distribution system which

is challenging to implement for applications with disconnected receivers. Further,

the use of encryption alone does not protect against signal replaying attacks [77,78].

The detection of GPS spoofing attacks also received considerable attention in the

literature providing a broad overview [33,34,45,54,87,111,138] on different detection

techniques.


A different class of detection approaches deploys multiple receiving antennas. Tip-

penhauer et al. [49, 128] and Swaszek et al. [125–127] use multiple co-located GPS

receivers whose calculated positions and times are compared; coinciding locations

indicate an attack. A dual antenna receiver setup to determine the Angle of Arrival

(AoA) of incoming signals is proposed by Montgomery et al. [68] and extended by

Psiaki et al. [88, 89] to include differential carrier phase measurements. Magiera

and Katulski [63] even suggest the use of arrays of antennas showing that antenna

diversity is effective at detecting single antenna spoofers without knowledge of the

target’s position. Although these detection approaches do not require changes to

the GPS infrastructure, they assume more sophisticated GPS receivers which would

significantly increase the complexity, size, costs, and power requirements. This,

however, is contradictory to the objectives of GPS.

On the other hand, techniques for localizing the source of wireless spoofing attacks

also exist in the literature. Chen et al. [15] proposed a localization approach for wire-

less attacks (not specific to GPS satellite signals) based on Received Signal Strength

(RSS) readings from different locations to locate the spoofer. They evaluated their

scheme in 802.11 and 802.15.4 networks. Later, Yang et al. [142, 143] extended

the scheme to deal with attackers which vary their transmission power. Rather

than using direct RSS values, they consider RSS differences at multiple locations.

Bhatti et al. [10] localize GNSS spoofers by comparing TDoAs from a synchronized

array of sensor nodes. A UAV-mounted jammer localization system is implemented

by Perkins et al. [80,81] and they dynamically measure RSS and AoA information to

narrow down possible spoofer positions. It is worth noting that, in principle, almost

any passive localization technique (such as multilateration) could be used to locate

GPS spoofers. However, in contrast to our approach, these methods assume a direct

LoS between the localization system and the attacker. As a consequence, this would

require a dedicated infrastructure which covers all potential attacker positions.

Other works specifically consider spoofing detection and localization with re-

spect to aircraft broadcast signals via Automatic Dependent Surveillance-Broadcast

(ADS-B). Schäfer et al. [105,106] and Strohmeier et al. [119,123] present techniques

to verify position claims using a distributed sensor network. While Baker et al. [5]

design a verification and localization system with a mobile receiver, Moser et al. [69]

devise a multi-receiver spoofing detection system and even evaluate it against a

distributed and coordinated attack. However, the threat model in these works is

different to ours as they consider spoofed ADS-B signals and not spoofed GPS sig-

nals. These techniques are therefore not capable of localizing GPS spoofers in the

same way as in Crowd-GPS-Sec.

5.3 System Model 65

RADAR ADS-B/Flarm

GPS

Satellite-to-Aircraft

Aircraft-to-Ground

Figure 5.1: Schematic overview of currently deployed technologies used to monitorair traffic including GPS, RADAR, and ADS-B/Flarm.

5.3 System Model

While in the past, Radio Detection and Ranging (RADAR) and inertial systems

used to be the two main localization technologies in aviation, GPS is today often

the preferred solution due to its superior accuracy. Modern airliners, smaller aircraft,

gliders, helicopters, or UAVs are almost all equipped with GPS receivers. GPS is

typically used by pilots or UAVs for self-localization but the technology is also used

for remote air-traffic surveillance and collision-avoidance applications. In the latter

cases, aerial vehicles are required to periodically broadcast position and velocity

advertisements to inform neighboring aircraft and ground controllers about their

presence. Larger aerial vehicles generally transmit those messages over the ADS-B

system while smaller and slower vehicles rely on the Flarm [25] system. Irrespective

of the used system, these advertisements contain a position pGPS that is directly

derived from airborne GPS receivers as depicted in Figure 5.1.

In this work, we propose to leverage the position advertisement messages of ADS-

B and Flarm in order to detect and localize GPS spoofers. While ADS-B and Flarm

rely on different radio frequencies and message formats, the underlying concept is

the same. On regular random intervals at transmission time tTX (around twice per

second), aircraft Ai broadcast their current position pGPSi together with their unique

identifiers. Neighboring aerial vehicles and ground stations receive these messages

to generate a recognized air picture. The advertisement messages can be received

over long distances. In ADS-B, messages can be received up to distances of 700 km


when there is a direct LoS between the transmitter and the receiver [110]. In Flarm,

the range is smaller but reception ranges of up to 100 km are possible.

5.4 Attacker Model

GPS spoofing attacks exploit the lack of encryption and authentication of civil-

ian GPS signals by imitating the legitimate signals with the purpose of modifying

the localization or time result of a victim [43, 52, 57, 128, 135]. Technically, spoof-

ing attacks are based on fake GPS signals manipulating the TDoAs of signals that

otherwise use the same payload as real signals. In the past, incidents were re-

ported [9,73,86,100,103,113] where spoofers successfully interfered with the integrity

of GPS-dependent systems, thus rendering the spoofing threat far from being only

of theoretical nature. As a result, currently marketed drones, aircraft, helicopters,

or any kind of vehicles that rely on GPS are prone to spoofing attacks and lack

effective countermeasures.

Based on common assumptions on attacker capabilities and recent incidents, we

assess the resulting threat model. First, we clarify our considered adversary model.

Second, we reason about key assumptions that Crowd-GPS-Sec is based on to de-

tect and localize spoofing attacks. We focus on the common assumption that the

attacker uses a single antenna for transmitting the spoofing signals, but the pro-

posed technique could also be extended to multi-antenna attackers representing an

emerging threat [46].

5.4.1 Threat Model

The attacker’s motivation to interfere with the air safety by injecting false position-

ing information into UAVs or aircraft can be manifold. An attacker may consider

hijacking the targeted victim for an own benefit of acquiring goods or circumvent-

ing flying bans. Even more severe, an attacker may participate in terrorist attacks

by manipulating the air-traffic control or the collision-avoidance systems, e. g., by

spoofing fake position information to fool the safety logic of these systems.

In our adversary model, the attacker is able to transmit specially crafted signals

identical to those broadcasted by GPS satellites but can achieve a higher power at

the target location. The attacker aims at spoofing a moving aircraft or a UAV from

a position on the ground. In order to conduct a stealthy and unnoticed attack, the

spoofer may use a directional antenna oriented towards the victim in the sky. How-

ever, due to the target’s movement, the attacker needs to transmit signals from a

considerable distance, hundreds of meters to kilometers away. We note that typical

5.4 Attacker Model 67

operating altitudes of UAVs range from 60m to 20,000m and their mission radii

vary from 5 km to 200 km and beyond [50]. Hence, if the route taken by the vic-

tim is not predictable, the attacker will be forced to use antennas with wide-beam

propagation patterns. This forces the attacker to transmit signals of such a strength

and propagation that the spoofing signals most likely will not only be received at a

particular primary target location but also over a wider area, affecting other aircraft

and UAVs in the neighborhood. Since the spoofer is targeting moving vehicles, we

further assume that the spoofer is emulating a moving track such as a straight line

or a curve with some potential acceleration.

5.4.2 Validation of Assumptions

Crowd-GPS-Sec relies on two key assumptions which we validate in this section. The

first assumption is that whenever a GPS receiver locks on to the spoofed signals,

the position advertisements of the aircraft and UAVs will contain the spoofed GPS

positions. While commercial GPS receivers are known to be vulnerable to spoofing

attacks [9,40,42,43,52,57], aviation transponders could have additional plausibility

checks to prevent spoofed GPS positions propagating to the broadcasted position

advertisements. The second assumption is that the spoofed signals will not only

affect the target victim of the spoofer but also neighboring aircraft and UAVs. We

validate these two assumptions with controlled lab experiments and simulations with

real-world air traffic data from the OpenSky Network [74].

Spoofing Experiments

We perform GPS spoofing experiments with two Flarm [25] transponders that are

widely deployed. As we could not get formal approval from the national office of com-

munications in Switzerland to perform GPS spoofing experiments in the wild with

real aircraft, we rely on an isolated experimental setup inside a shielded lab environ-

ment. The goal of these experiments is to demonstrate that existing transponders do

not perform any checks on the derived GPS position and that spoofers can precisely

control the position and speed of victim receivers.

Our experimental setup consists of two newest-generation Flarm transponders

from Flarm Technology: a PowerFLARM Core and a PowerFLARM Portable both

with an integrated GPS receiver from u-blox, see Figure 5.2. Worldwide, more than

30,000 manned aircraft, helicopters, and UAVs are equipped with these transpon-

ders [25]. As GPS spoofer, we rely on a Universal Software Radio Peripheral

(USRP) B200 [23] from Ettus Research and the software-defined GPS signal simula-


(a) PowerFLARM Core (b) PowerFLARM Portable

Figure 5.2: Two newest-generation Flarm transponder models. Both transpondershave an integrated GPS receiver but do not provide any protection toGPS spoofing and advertise false positions when spoofed.

tor gps-sdr-sim [76]. To monitor the reported Flarm position advertisements from

the transponders, we use a Raspberry Pi [97] with an RTL-Software Defined Radio

(SDR) dongle [101] and the flare [92] open-source Flarm decoder. All devices are

equipped with omnidirectional antennas.

We put all devices in vicinity of each other and spoof tracks with speeds of 0 km/h,

6 km/h, 30 km/h, 100 km/h, 300 km/h, and 1,000 km/h. The difference between the

fake target positions emitted by the spoofer and the reported positions in the Flarm

advertisements is plotted in Figure 5.3. While the deviation becomes larger with

increasing speed, our experiments confirm that an attacker can exactly control the

derived position and speed at the Flarm devices. Even for speeds up to 1,000 km/h,

the deviation of both spoofed devices is always smaller than 160m, and thus sig-

nificantly smaller than the mandated separation minima in aviation [133]. These

experiments also confirm that such commercial transponders as deployed in aerial

vehicles do not perform plausibility checks on the GPS signal input and simply re-

port the spoofed GPS data in the advertisement messages. This result is inline with

air traffic communications not being protected against wireless attacks [122].

Spoofing Coverage Estimation

To validate the assumption that a GPS spoofer will affect the GPS receivers of

multiple aerial vehicles at the same time, we evaluate the reception range of a spoofer

using the free-space path loss model and a typical airspace density model as observed

by the OpenSky Network in the European airspace.

Since the power of GPS signals when they arrive at the Earth’s surface is very

low and below the noise floor (approx. −160 dBW [130]), the necessary power

to create adequate spoofing signals is accordingly low. We assume an attacker


0 20 40 60 80 100 120 140 160

Deviation [m]

0

0.2

0.4

0.6

0.8

1

CD

F

0

6

30

100

300

1000

Speed [km/h]

Figure 5.3: Cumulative Distribution Function (CDF) of the deviation betweenspoofed and reported positions of the PowerFLARM Core transponder.

with standard equipment, who can reasonably achieve a generated signal power

of 15 dBm (USRP N210 [24]) coupled with an exemplary antenna gain of 12 dBi in

the main lobe. We also consider an additional signal attenuation of approx. 30 dB

due to the fuselage and the downward direction. Based on these estimations, we can

calculate the reception range with regard to the free-space path loss [1]:

Lfs(dkm) = 32.45 + 20 log10(dkm) + 20 log10(fMHz), (5.1)

where dkm is the distance between the source of the signal and the receiver in kilome-

ters and fMHz is the signal frequency given in megahertz; the constant 32.45 depends

on the utilized units. The resulting reception range is based on the signal power

impaired by all attenuation sources and the distance dkm from Equation (5.1):

Power− Lfs(dkm)− Attenuation ≥ −160 [dBW],

which results in a distance dkm of approx. 34 km. Considering our parameter esti-

mations, all aircraft within the main lobe closer than 34 km will receive the spoofing

signal with at least −160 dBW.

Naturally, an attacker will be interested in exceeding these power levels to en-

sure the takeover of the GPS lock at the intended target(s). However, to remain

as stealthy as possible, the attacker is likely to use an attack setup with directional

antennas to avoid a wide signal broadcast detectable by, e. g., ground-based signal

power sensors. A directional antenna setup is characterized by its beamwidth influ-

encing the signal spread and the inclination angle determining how the main lobe

of the signal beam is targeted. Notably, an attack on moving targets requires to


20 25 30 35 40 45 50

Inclination [°]

1

2

3

4

5

Ave

rag

e A

ffe

cte

d A

ircra

ft 50

40

30

20

10

0

Beamwidth [°]

Figure 5.4: The number of affected aircraft depends on the beamwidth of the di-rectional antenna and the inclination angle. The figure uses a realisticairspace density sampled from OpenSky Network data.

increase the beamwidth and to use higher inclination angles, resulting in a certain

proliferation of the affected area.

Based on data from an exemplary day (February 13th, 2017) sampled from the

OpenSky Network, we perform a conservative estimation of the average number

of aircraft possibly affected by a spoofing attack. The results in Figure 5.4 con-

sider randomly selected en-route aircraft in the European airspace. The baseline

(0◦ beamwidth) represents an attacker that can perfectly pinpoint a victim, thus

avoiding secondary targets. Such a small beamwidth is however impossible to achieve

in practice and would further be very sensitive to small orientation errors. As one

can see, small beamwidths and inclination angles already span enough space to af-

fect several aircraft around the intended target, making it highly likely to hit several

additional aircraft. The assumption that our work relies on is therefore realistic for

dense airspaces such as found in Europe.

5.5 Crowd-GPS-Sec

We propose Crowd-GPS-Sec as an independent system infrastructure on the ground

that continuously analyzes the content and the Time of Arrival (ToA) of Flarm

and ADS-B position advertisements. As its name suggests, Crowd-GPS-Sec re-

lies on crowdsourcing to monitor those messages at global scale. The sensors used

for Crowd-GPS-Sec are part of the growing OpenSky Network [74, 107–110, 120], a

crowdsourcing initiative with the purpose to make air traffic communication data

available for research.

5.5 Crowd-GPS-Sec 71

Figure 5.5: Worldwide coverage of Crowd-GPS-Sec as of December 2017.

The vast majority of the sensors are installed and operated by aviation enthusiasts

and volunteers which support the cause of the network. As of December 2017, it

collects more than 200,000 messages per second at peak times from over 700 sensors

which are distributed all over the world as shown in Figure 5.5. Europe and the

American continent exhibit a particular high density of sensors such that individual

position advertisements are most likely being received by more than four sensors.

The goals of Crowd-GPS-Sec are to detect GPS spoofing attacks on aerial vehicles

as quickly as possible and to localize the position of the spoofer(s). To achieve these

goals, Crowd-GPS-Sec has three modules which continuously process all position

advertisements that are received by the OpenSky Network, as shown in Figure 5.6.

The Multilateration (MLAT) module estimates the location of the aircraft based

on the TDoAs of position advertisements between different sensors. This module

is fundamental to Crowd-GPS-Sec as it allows us to determine the true position of

the aircraft independently of the content of the advertised messages. The spoofing

detection module checks for inconsistencies between multilaterated positions and

GPS-derived positions in the advertisement messages as well as for inconsistencies

between position advertisements from different aircraft (e. g., when two aircraft ad-

vertise the same position at the same time). The spoofer localization module, finally,

is triggered only when the spoofing detection module has detected a GPS spoofer. It

then estimates the position of the spoofer by analyzing differences in position adver-

tisements from affected aircraft in consideration of the true positions as estimated

by MLAT. We describe the modules in the next three sections.


Figure 5.6: The system overview of Crowd-GPS-Sec: A spoofer transmits fake GPSsignals received by aircraft that periodically broadcast ADS-B/Flarmposition reports. Ground-based sensors record these reports, which arethen processed for spoofing detection and spoofer localization.

5.6 Multilateration (MLAT)

The implementation of MLAT as an independent aircraft localization will serve as

an auxiliary component for one of the spoofing detection tests and the subsequent

spoofer localization. To implement such a system, we make use of the fact that in

regions with high sensor density position advertisement messages are received by

multiple geographically distributed sensors. Each message is timestamped at the

receiver and can be represented as a simplified tuple of the reported position and

the ToA:

m := (pGPSi , tR), (5.2)

where pGPSi denotes the reported position of aircraft i as derived by GPS and tR is

the timestamp as generated by receiving sensor R.

Since the sensors are geographically distributed, the propagation distances of the

transmitted signals differ. Hence, the same broadcasted message is potentially times-

tamped differently at diverse sensors. If the sensors are synchronized to the same

global clock, e. g., by GPS time synchronization, and are deployed at known posi-

tions, we can formulate relations between the propagation distances and the TDoA:

dist(A,Ri)− dist(A,Rj) = ∆ti,j · c, (5.3)

5.7 GPS Spoofing Detection 73

Figure 5.7: Implementation of an independent aircraft localization scheme based onmultilateration considering the TDoAs of ADS-B/Flarm messages.

where Ri and Rj denote the position of sensor i and the position of sensor j, respec-

tively. The TDoA of the same message from a reference aircraft A between these

sensors is ∆ti,j = ti − tj, and c is the speed of light.

Equation (5.3) is fulfilled for all points that have the same distance difference to

both considered sensors determined by the TDoA. By construction of at least four

relations of this type, we perform multilateration to approximate the position of

the targeted aircraft. Geometrically, each relation describes a hyperbola in 2D and

a hyperboloid in 3D. The intersecting point of all relations indicates the aircraft

position. Figure 5.7 provides a visual interpretation of this multilateration process.

5.7 GPS Spoofing Detection

Spoofing detection is the first step in a mitigation strategy to counter GPS spoofing

attacks. The idea of Crowd-GPS-Sec to detect GPS spoofing attacks is based on the

broadcasted ADS-B/Flarm reports containing potentially spoofed positioning infor-

mation. We propose a verification process consisting of a preceding time alignment

process and two complementary checks.


5.7.1 Time Alignment of Transmissions

Since ADS-B/Flarm messages are broadcasted at variable transmission times, we

need to time-align those reports in order to make them comparable. This is achieved

by incorporating the results from the MLAT computation. To align the position

reports to a reference global time, two steps are performed subsequently.

The first step yields the transmission time tTX at which the aircraft started the

broadcast of the ADS-B/Flarm message:

tTX = tR − dist(A,R)

c, (5.4)

with tR being the time at which sensor R has timestamped the message, dist(A,R)

representing the Euclidean distance between the considered sensor and aircraft, and

c being the speed of light.

The second step is an interpolation to approximate the aircraft position pREF at

a global reference time tREF. We need to consider the following three cases:

pREF =

pTX · (tTX+1 − tREF) + pTX+1 · (tREF − tTX)

tTX+1 − tTX

tTX < tREF

pTX tTX = tREF

pTX · (tREF − tTX−1) + pTX−1 · (tTX − tREF)

tTX − tTX−1

tTX > tREF

(5.5)

with pTX = a denoting the aircraft position at transmission time, TX− 1, TX, and

TX+1 being the previous, current, and next transmission event, respectively. After

this interpolation, all reported positions are time-aligned and can be compared with

respect to the same reference time basis. In the remainder of this work, we assume

time-aligned positions.

5.7.2 Test 1 (Cross-Checks with MLAT)

We propose the implementation of two complementary tests. The first test performs

a cross-check between the reported positions and the estimated real positions from

the previously described MLAT approach. We check for each incoming position

report whether

dist(pMLATi , pGPS

i )?< T1 (5.6)

holds, where pMLATi is the real position of aircraft Ai determined by MLAT, pGPS

i

is the position reported by aircraft Ai using ADS-B/Flarm, dist() is the Euclidean

distance function, and T1 denotes a predefined threshold which tolerates measure-

5.7 GPS Spoofing Detection 75

ment errors in pMLATi and pGPS

i . Choosing the right threshold T1 depends on the

accuracy of the underlying secondary localization method (here MLAT). Smaller T1

lead to higher false positive rates, while larger T1 create more room for undetected

manipulations.

Complexity

Let n be the number of aircraft. Equation (5.6) needs to be checked once for

each aircraft, i. e., n times, resulting in a complexity of O(n). For each sampling

time, we require the positioning information from ADS-B/Flarm and MLAT. The

comparisons of both positioning sources can be parallelized, since the checks for

each aircraft are independent of all other aircraft. As a result, the first test of GPS

spoofing detection scales linearly with the number of simultaneously tracked aircraft.

5.7.3 Test 2 (Multiple Aircraft Comparison)

The second test makes use of the information provided by other aircraft. In particu-

lar, we perform a comparison between reported positions of multiple aircraft. When

multiple aircraft receive the signals from the same spoofer device, they will appear

at the same location [49,128] since the time differences between individual satellites

are emulated on the radio of the spoofer prior transmission. Due to mandatory sep-

aration minima [133], i. e., minimum required distances between en-route aircraft,

similar positions are critical and are caused either by a serious incident, e. g., near-

collision, or a GPS spoofing attack. Eventually, the multiple aircraft comparison

test is defined as:

dist(pGPSi , pGPS

j ) = di,j?> T2, (5.7)

where i and j denote two different aircraft, pGPSi and pGPS

j are the GPS-derived

positions of aircraft i and aircraft j, respectively. Moreover, dist() is the Euclidean

distance function, where di,j is its result, and T2 is a threshold tolerating the GPS

positioning noise. Choosing an appropriate T2 depends on the mandated separation

minima in the considered airspace and the accuracy of the GPS information provided

via position reports. However, as accuracy is one of the design goals of ADS-B and

Flarm and the separation minima are usually in the order of kilometers, a threshold

as small as a few hundreds of meters is appropriate.

Complexity

Let n be the number of aircraft. Since Equation (5.7) considers pairs of aircraft,

a naive implementation would require(

n

2

)

= n2−n2

comparisons resulting in a com-


Table 5.1: Spoofing Detection Tests Comparison

Test Equation Complexity Requirement Advantages

1 dist(pMLATi , pGPS

i )?< T1

O(n) MLATLow ComplexitySingle Detection

2 dist(pGPSi , pGPS

j )?> T2

O(n · log n) NeighborsMLAT IndependenceAttack Separation

plexity of O(n2). However, since Test 2 considers spatial data only, the complexity

can be reduced by implementing nearest neighbor searches based on k-d trees and

cover trees. In fact, since Test 2 fails if there is any neighbor closer than T2,

solving the 1-nearest neighbor (1-NN) problem for each aircraft is sufficient. Us-

ing the aforementioned data structures, this can be accomplished at a complexity

of O(log n) for each aircraft [8], resulting in a global complexity of O(n · log n).

5.7.4 Complementary Design

We propose a complementary design consisting of both tests in parallel. Table 5.1

contains a comparison of the spoofing detection tests. While the first test based on

the cross-check of Equation (5.6) is independent of other flights, the second test based

on the comparison of multiple aircraft of Equation (5.7) is independent of the MLAT

positioning and can thus tolerate bad MLAT performance (e. g., when sensors have

a bad geometric distribution leading to high dilution of precision). Furthermore, the

second test is able to separate multiple spoofing attacks occurring at the same time

as there will be independent sets of coinciding aircraft. The combination of both

tests can overcome the pitfalls of the other and we can achieve a more versatile and

robust spoofing detection.

5.8 GPS Spoofer Localization

After spoofing detection, Crowd-GPS-Sec aims at localizing spoofer devices. This is

the next step in tracing an attacker in order to take appropriate action for shutting

down an attack. We present a novel localization approach to remotely pinpoint such

devices using already available ADS-B/Flarm reports broadcasted by aircraft. We

start by describing the high-level idea and then detail on the functionality of our

localization system based on crowdsourcing.

5.8 GPS Spoofer Localization 77

5.8.1 Localization Model

When a malicious device emits GPS spoofing signals, aircraft within the effective

range will broadcast spoofed positions as contained in their ADS-B/Flarm reports.

All aircraft that receive the same fake GPS signals will report positions on the same

track but timely shifted as a result of the propagation delay caused by different

distances to the spoofing source [128]. In particular, at the same global time, the

aircraft have different synchronizations on the spoofing signals based on how long

it takes for the signals to arrive at the aircraft’s GPS receivers, i. e., aircraft that

receive the fake signals earlier are ahead on the spoofed track, whereas aircraft that

are further away from the spoofer receive the signals at a later point in time and are

thus behind on the track. We extract the position differences from the ADS-B/Flarm

reports and backtrace these deviations to the location of the spoofing device.

Our starting point is the identification of the currently spoofed aircraft, which is

the outcome of the GPS spoofing detection module. For those identified aircraft,

we forward relevant information to the spoofer localization module. We further

require the actual aircraft positions pMLATi and pMLAT

j from MLAT and the mutual

distance di,j between the GPS-derived position reports pGPSi and pGPS

j with Ai, Aj

being aircraft affected by the same spoofing signals.

As a next step, we put the distance between the reported aircraft positions into

relation with the propagation distances and the rate of position change, i. e., the

spoofed track velocity. We can formulate this as follows:

dist(SP, pMLATi )− dist(SP, pMLAT

j ) = di,j ·c

vtrack

, (5.8)

where pMLATi and pMLAT

j indicate the actual position of aircraft Ai and Aj as given

by MLAT, SP is the unknown spoofer location, di,j the distance of the reported

positions, and vtrack the velocity of the spoofed GPS track. The factor cvtrack

relates

the position change rate to the signal propagation speed (close to the speed of light).

We note that we need to assure vtrack 6= 0 and hence require a track of changing

positions. Having related the reported positions to the spoofer location, we solve

each equation towards this location. In particular, each equation describes all points

that have the same mutual distance differences.

Geometric Interpretation

Considering the solutions of one relation of the type given by Equation (5.8), all

potential solutions geometrically describe a hyperbola in two-dimensional space and

a hyperboloid in three-dimensional space with foci pMLATi and pMLAT

j and distance


Figure 5.8: Each relation forms a hyperboloid representing all points with the samedistance differences. For the shown two-dimensional projection, we canconstruct three distinct relations considering three different aircraft.

difference di,j · cvtrack

. With two different relations, the possible solutions describe a

curve, which is the intersection between the hyperboloids. Eventually, three hyper-

boloids intersect in at most two points, whereas four or more hyperboloids narrow

down the location of the spoofer to a single point. The general functionality of this

approach is depicted in Figure 5.8 as a two-dimensional projection.

Requirements

In order to obtain at least four different relations, we need to fulfill one of the

cases shown in Table 5.2. In particular, we either require four or more different

reference aircraft or, in the case we have less, we need to gather reports from the

same reference aircraft but from different locations. In other words, reports sent by

only two aircraft but from four different positions are already sufficient to perform

spoofer localization. Since we consider moving targets, the transmission origins will

naturally change likewise. Hence, we are able to trade the number of spoofed aircraft

with the required observation time, which we can formulate as follows:

(

m

2

)

· tp ≥ 4, (5.9)

where m is the number of spoofed aircraft and tp denotes the number of observed

samples from different aircraft positions. The binomial coefficient provides the num-

5.8 GPS Spoofer Localization 79

Table 5.2: Localization Requirements

Affected Aircraft Possibility of Localization

1 Localization not possible2 At least 4 different locations3 At least 2 different locations4+ Localization possible

ber of possible relations. Equation (5.9) defines the minimum requirement for our

spoofer localization. If fulfilled, we can construct at least four relations and eventu-

ally determine a distinct solution for the spoofer location.

Comparison with MLAT

The described localization approach exhibits similarities to the MLAT process of

Section 5.6 but is characterized by decisive differences as compared in Table 5.3.

Our approach uses the position information included in the ADS-B/Flarm reports,

whereas MLAT is based on the TDoAs at multiple sensors. We want to highlight

that it is not possible to trace the location of spoofing devices with MLAT. In our

approach, we thus exploit a characteristic that is attacker-controlled such as the

spoofed positions in the advertisements. As a result, we obtain a multilateration

with switched roles, i. e., the references are moving aircraft as compared to the

stationary ADS-B/Flarm sensors. Since the considered measure is shifted from time

to positioning information, we need to adjust the scaling factor with the velocity

of the spoofed track. As a beneficial side effect, this diminishes the factor with

which the uncertainties in the GPS-derived positions are multiplied and consequently

reduces the noise impact on the localization accuracy.

5.8.2 Error Minimization

In contrast to a definite analytic solution considering relations based on Equa-

tion (5.8), real-world signal reception and measurements suffer from several error

sources and hence prevent a distinct solution for the spoofer position. Both the

positions from MLAT as well as the reported spoofed GPS positions are affected by

noise. Notably, the interpolation process for time-alignment induces even more noise

into the system. Consequently, compared to the theoretical analysis, the constructed

hyperboloids do not intersect in a distinct point but rather mark an area.


Table 5.3: Localization Scenario Comparison

Approach MLAT Spoofer Localization

Scenario

Equationdist(A,Ri)−dist(A,Rj) =

∆ti,j · cdist(SP, pMLAT

i )−dist(SP, pMLATj ) =

di,j · cvtrack

References Sensors Aircraft

Target Aircraft Spoofer

Measure Time Position

Scaling Factor cc

vtrack

In order to find the optimal solution for the spoofer position SP, we formulate the

following error function Et(·):

Et(SP, i, j) = dist(SP, pMLATi )− dist(SP, pMLAT

j )− di,j ·c

vtrack

, (5.10)

where di,j is the distance in the reported ADS-B/Flarm positions and t is the current

sample time. The real aircraft positions are denoted by pMLATi and pMLAT

j , and c is

the speed of light.

All resulting errors add up to the overall error, which we try to minimize by

computing the Root Mean Square Error (RMSE). Eventually, our algorithm outputs

the most likely spoofer position:

argminSP

√

√

√

√

∑∞

t=1

∑m

i=1

∑i−1j=1 Et(SP, i, j)2

t ·(

m2

2−m

) , (5.11)

with t indicating the sample time corresponding to Equation (5.10). The inner

two sums aggregate the errors of the relations between all spoofed aircraft, whereas

the outer sum aggregates the errors over all sample times. The argument with the

minimum error is calculated to be the best approximation of the spoofer position.

When time progresses, the total number of relations considering different refer-

ences increases. This also affects the error minimization process by expanding the

system of equations that are simultaneously evaluated. However, the complexity

increase is only linear and, as we will show, this process stabilizes quickly. As

5.9 Evaluation 81

all measurements are affected by noise, more relations are beneficial to reduce the

system-intrinsic errors and the localization is predicted to gain precision.

5.8.3 Improved Filtering

For GPS spoofing attacks targeting multiple aircraft, we identify an additional op-

timization technique that helps to lower the impact of uncertainty in the reported

positions even further. As all affected aircraft receive the same spoofing signals,

they report positions on the same track irrelevant of timing information. This al-

lows to better predict the underlying track by incorporating all available reports.

Consequently, we can apply a subsequent filtering of the spoofed aircraft positions.

In particular, we apply a projection of the reported positions on the combined

estimated track. Notably, with this projection we cannot correct timing inaccuracies,

but we can better estimate the most likely position at the current measurement time.

The (orthogonal) projection provides the least error with respect to the estimated

track and can be described as:

pGPSi − pGPS

i

′ ⊥ track, (5.12)

where pGPSi is the noisy GPS position and pGPS

i

′ is the projected point with pGPSi −

pGPSi

′ being orthogonal on the estimated track. Moreover, we do not necessarily

require a continuous straight line but the track can also contain separated segments,

which are then evaluated separately to apply the projection.

5.9 Evaluation

To evaluate the applicability of Crowd-GPS-Sec to real-world air traffic, we assess its

performance in terms of spoofing detection and accuracy of the spoofer localization.

In particular, we have implemented Crowd-GPS-Sec and applied it to real-world

data from the OpenSky Network. Moreover, we have built a simulation framework

to generate results with respect to spoofing scenarios.

5.9.1 Spoofing Detection Performance

We compare our two spoofing detection tests with regard to their coverage, detection

delay, and detection rate. The tests are applied to air traffic data of Central Europe

as received by the OpenSky Network over a period of one hour. The dataset contains

141,693 unique positions of 142 aircraft.


1 2 3 4 5 6 7 8 9 10 11 12

Attacker Range [km]

0

0.2

0.4

0.6

0.8

Dete

ction R

ate

Test 1 only

Test 1 and 2

Test 2 only

Figure 5.9: Detection rates and coverage of Test 1 and Test 2 in the consideredOpenSky Network dataset depending on the attacker’s range.

Coverage

We define the coverage of a test as the percentage of aircraft positions that is pro-

tected by a test. Protection means that a test indicates a spoofing attack if the

aircraft is indeed spoofed. For simplicity, we assume that the attacker is using an

omnidirectional antenna and is positioned right underneath the target using exactly

the required transmission power to have the target aircraft lock on the spoofer. This

results in an attack range in the form of a sphere with a radius of the altitude of

the aircraft. Note that this setup models an unrealistically optimal attacker since in

reality, the attacker may not be able to stay exactly underneath the target aircraft as

the aircraft is moving and it may use higher transmission powers than the minimal

required power.

Since both tests rely on different features, the sets of positions covered by one

test are different from the sets covered by the other test, but there are overlaps.

We therefore analyze how many aircraft in our dataset are covered by which test.

Figure 5.9 shows the fractions of aircraft in the dataset covered by Test 1 (Cross-

Checks with MLAT), Test 2 (Multiple Aircraft Comparison), or both depending

on the target’s altitude. While 61.2% of the aircraft are covered by Test 1 alone,

only 2.9% are covered solely by Test 2. Further, 8.9% are covered by both tests at

the same time. Hence, Test 1 clearly outperforms Test 2 with respect to coverage.

This result is not surprising since the receiver density of the OpenSky Network is

high (which benefits Test 1), while the aircraft density (which Test 2 relies on) is

limited due to separation minima. In total, we can summarize that if the spoofer’s

target is at an altitude above 11 km and the spoofer is directly underneath the

target, the detection rate is about 75% using either of the two tests. If the spoofer

5.9 Evaluation 83

0 2 4 6 8 10 12

Altitude [km]

0

0.2

0.4

0.6

0.8

1

CD

F

Test 2

All

Test 1

Figure 5.10: Comparison of the detection rates of Test 1 and Test 2 in the OpenSkyNetwork dataset depending on the target’s altitude.

uses higher transmission powers or if it is not directly underneath the target, the

detection rate increases quickly towards 100%.

By design, Test 1 directly depends on multilateration coverage and should there-

fore work better at high altitudes where aircraft are tracked by more sensors. In

contrast, Test 2 benefits from dense airspaces since close aircraft protect one another

from a security viewpoint. To further investigate this effect, we considered the cu-

mulative distribution of the altitudes of all aircraft and compared it to those of the

aircraft protected by either of the tests. The results are shown in Figure 5.10. As

expected, Test 2 has a distribution similar to all altitudes. The steep inclines in its

distribution confirm that it is most effective at the common altitudes above 10 km

(en-route flights) and at around 1 km (approach areas). Most aircraft detected by

Test 1, on the other hand, were higher than 10 km which also complies with the

above hypothesis.

Detection Delay

We define the detection delay as the delay between the point in time when an at-

tack takes effect, i. e., when the aircraft’s GPS sensor locks on to the spoofed signal

until the detection test indicates the attack. As for Test 1, this corresponds to the

delay between receiving the ADS-B position and the MLAT position updates. To

evaluate this, we used the open-source MLAT implementation [55] with the Open-

Sky Network’s real-time data stream and measured the time between the reception

of an ADS-B position and the emission of the respective position by the MLAT

implementation. As for Test 2, the delay can be reduced to the inter-arrival times

between spoofed position reports. Figure 5.11 shows the distributions for the delays


0 5 10 15 20 25 30

Time [s]

0

0.2

0.4

0.6

0.8

1

CD

F

Test 2

Test 1

Figure 5.11: Comparison of the detection times of Test 1 and Test 2 in the OpenSkyNetwork dataset.

of the two tests. The delay of Test 1 is a result of the delay of the relatively long

MLAT calculations. Test 2, on the other hand, can detect an attack as soon as a

false position report is received from two different aircraft. Note that the position

broadcast interval of ADS-B is random within an interval of 0.4 s to 0.6 s, explaining

the average detection delay close to 0.5 s.

Conclusion

The results of our evaluation show that with realistic air traffic and implementation

characteristics, the two tests can reach a detection rate of up to 75% when the

attacker is directly underneath the target. While Test 1 performs much better

in terms of coverage and detection rate, the detection delay is much smaller for

Test 2. These results encourage a complementary implementation as proposed in

Section 5.7.4.

5.9.2 Spoofer Localization Performance

To evaluate Crowd-GPS-Sec in terms of GPS spoofer localization accuracy, we have

built a simulation framework in MATrix LABoratory (MATLAB), which allows us

to analyze spoofing scenarios in a controlled environment without having to spoof

real aircraft. In particular, we assess the impact of noise in the GPS-derived position

reports, MLAT positioning noise, and spoofed track velocity.

Simulation Framework

While we are interested in results from varying parameter sets, we otherwise incor-

porate realistic data observed by the sensor infrastructure of the OpenSky Network.

5.9 Evaluation 85

Table 5.4: Simulation Framework Parameters

Class Parameter Parameter Range Default

EnvironmentSensor Density 10 . . . 100

[

1(100 km)2

]

OpenSky

Airspace Density 10 . . . 100[

1(100 km)2

]

OpenSky

AircraftFlightpath random OpenSkyFlight Altitude 0 . . . 10,000 [m] OpenSkyAirspeed 0 . . . 1,000 [km/h] OpenSky

SpooferSpoofer Position random randomSpoofing Range 10 . . . 200 [km] 100 kmSpoofed Track Velocity 0 . . . 10,000 [km/h] 1,000 km/h

ErrorsGPS Noise (std) 0.01 . . . 4 [m] 4mMLAT Noise (std) 1 . . . 100 [m] 10m

Table 5.4 contains an overview of the utilized simulation parameters. In the default

case, our simulation samples aircraft from the OpenSky Network including reported

positions, altitudes, airspeeds, and headings. The spoofer is randomly positioned

in an exemplary area of (400 km)2 and its range is set to 100 km spoofing a track

of 1,000 km/h. By selectively modifying these default settings, we are able to sim-

ulate different airspace constellations, attacker configurations, and noise impacts of

MLAT and GPS. In particular, we consider standard assumptions taken from speci-

fications [130] and technical reports [71] as well as more optimistic assumptions that

could be achieved with more sophisticated equipment.

To simulate the impact of GPS spoofing on aircraft, we imitate position reports

from already spoofed aircraft by incorporating the attacker-controlled positions and

adding Gaussian noise according to the considered noise model. Subsequently, we

apply standard noise correction techniques based on a Kalman filter [56]. For the

error minimization considering distance relations, we implement a numerical solver.

To cope with an increasing number of equations, we only evaluate the relations

at discrete time intervals which are defined as the time that has elapsed since the

spoofing attack was launched, ranging from a few seconds up to 15 minutes.

Metrics

In order to quantify our results we define two metrics. First, we consider the distance

between the actual spoofer position and our estimation. Second, we construct a

circle around our estimated position with a radius equal to the distance to the

actual spoofer. We consider this to be the search space to find the attacker and we


0 5 10 15

Elapsed Time after Spoofing Attack [min]

101

102

103

104

105

106

Dis

tance to S

poofe

r [m

]4 2 1 0.5 0.1 0.01

Figure 5.12: The impact of GPS noise ranging from σGPS = 4m to 0.01m on thespoofer localization, depicted including standard deviation errorbars.The MLAT positioning accuracy is fixed to σMLAT = 10m.

compare it to the observed area of (400 km)2, on which the spoofer was randomly

positioned. For each of the analyzed parameter sets, we performed 200 randomized

simulation runs and averaged the results.

5.9.3 Impact of GPS Accuracy

Figure 5.12 depicts the impact of high GPS noise (σGPS = 4m) to low GPS noise

(σGPS = 0.01m) applied to the latitude and longitude direction. We do not require

altitude information for spoofer localization and can therefore neglect altitude inac-

curacies. We conclude that the extent of noise in the reported GPS positions is a

dominating factor that can make the difference between a few kilometers and merely

tens of meters in spoofer localization. In particular, we achieve an average localiza-

tion accuracy of approx. 8.2 km for σGPS = 4m, approx. 1.7 km for σGPS = 1m, and

approx. 149m for σGPS = 0.1m, each after 15 minutes.

Considering the search space, we need to scan approx. 0.13% for σGPS = 4m,

approx. 5.8× 10−5 for σGPS = 1m, and approx. 4.4× 10−7 for σGPS = 0.1m, again

after 15 minutes. Furthermore, we observe that the localization accuracy increases

rapidly within the first few minutes, whereas after 5min the accuracy only improves

slowly. From 5min to 15min, the distance roughly halves. As a result, we can

already give a good spoofer position estimation in a timely manner after the spoofing

attack is launched and narrow it down to a more exact position after a few minutes.

5.9 Evaluation 87

0 5 10 15


103

104

105

106

Dis

tance to S

poofe

r [m

]

100 50 10 5 1

Figure 5.13: The considered MLAT positioning noise in the range of σMLAT = 100mto 1m do not show any significant impact on the localization accuracy.The results are based on a high GPS noise of σGPS = 4m.

5.9.4 Impact of MLAT Accuracy

Another uncertainty of our localization approach is the accuracy of the MLAT po-

sitioning that we require to determine the actual (unspoofed) aircraft positions. We

choose to vary the MLAT accuracy between high noise (σMLAT = 100m) and lower

noise levels (σMLAT = 1m), each representing the standard deviation in latitude,

longitude, and altitude. Figure 5.13 contains the impact on the localization of dif-

ferent MLAT noise levels. In contrast to the strong dependence on the GPS noise in

the spoofed measurements, the MLAT noise has little impact on the accuracy of the

spoofer localization. As a result, our localization approach does not rely on highly

accurate MLAT measurements of the actual aircraft position and can still perform

decently on relatively noisy data.

5.9.5 Impact of Spoofed Track Velocity

As the spoofed track velocity vtrack is part of the scaling factor in the distance

relations in Equation (5.8), we identify it to be another important parameter. The

results for varying spoofed track velocities are depicted in Figure 5.14. For a spoofed

track velocity of vtrack = 300 km/h, the accuracy decreases by nearly one fourth. The

accuracy decreases further for a track velocity of vtrack = 100 km/h. Eventually, for

track speeds lower than vtrack = 30 km/h, the spoofer localization fails to narrow

down a useful search radius. However, considering less GPS noise, we expect to see

better results even for lower track velocities. The strong dependence on the track

velocity is due to the scaling factor, which relates the observed distances to the

spoofed track velocity and the speed of light. Hence, low velocities result in smaller


0 5 10 15


103

104

105

106

Dis

tance to S

poofe

r [m

]6 30 100 300 1000

Figure 5.14: The spoofed track velocity is analyzed between vtrack = 6km/h to1,000 km/h. The results consider a GPS noise level of σGPS = 1mand an MLAT positioning accuracy error of σMLAT = 10m.

distance differences among the spoofed aircraft and are relatively more affected by

system-intrinsic noise.

5.10 Discussion

The evaluation of Crowd-GPS-Sec revealed the localization performance considering

different external as well as attacker-controlled parameters. We now discuss selected

topics and elaborate on combined error effects, the possibility to locate spoofers of

stationary targets, and the applicability to other sensor networks.

5.10.1 Combined Error Effects

The spoofer localization accuracy of Crowd-GPS-Sec depends on the GPS error,

the MLAT error, and the spoofed track velocity. These three parameters are all

components of the relations defined in Equation (5.8) and thus impact the accuracy

of the solution. While the MLAT noise is less decisive, the GPS noise and the

spoofed track velocity are significantly affecting the achievable accuracy. This is

due to the small differences in spoofed aircraft positions with respect to the speed

of light divided by the spoofed track velocity. In general, we expose the following

relationship between the localization error E, the GPS noise σGPS, and the spoofed

track velocity vtrack:

E ∝√2 · σGPS

vtrack, (5.13)

5.10 Discussion 89

with σGPS being scaled with√2 due to the Euclidean distance based on two normally

distributed points in space. Hence, we can expect to see similar results for low track

velocities with low GPS noise and high track velocities with high GPS noise.

5.10.2 Localizing Spoofers of Stationary Targets

The attacker model considered in this work assumes that the spoofer’s target is a

moving object. If instead the target is stationary, the attacker could also spoof con-

stant positions. While spoofing detection would still work, the spoofer localization

would fail since the differences in propagation delays between spoofer and aircraft

would not be reflected in the reported position differences (compare di,j in Equa-

tion (5.10)). One way to cope with such attackers is to additionally propagate GPS

time synchronization information to the ground infrastructure. As time is evolving,

the spoofer would have to imitate a progressing GPS time to remain undetected by

the target. Having information about the time synchronization of affected aircraft

would allow performing a localization by analogy. More specifically, if t denotes

the real reference time and tGPSi the reported time of aircraft i, the relation from

Equation (5.8) can be rewritten to:

dist(SP, pMLATi )− dist(SP, pMLAT

j ) = (tGPSi − tGPS

j ) · cδ, (5.14)

where δ denotes a factor representing the spoofed GPS clock’s speed. Equation (5.14)

is independent from the spoofed position and therefore allows localizing spoofers,

even if the target is stationary.

5.10.3 Applicability to Other Networks

The underlying idea of Crowd-GPS-Sec does not only apply to aircraft but can

also be relevant to GPS spoofing attacks on cars, trucks, ships, or other vehicles on

ground. Similar to the broadcasting of avionic position reports via ADS-B or Flarm,

vehicular systems could also report state information to, e. g., roadside units. The

combined reports can then be used to run our spoofing detection and localization

scheme. Even though the speeds of vehicles are comparably low, the density of

affected targets is much higher and the GPS filtering is expected to be more con-

ditioned. Eventually, we envision the merging of information provided by different

networks. In particular, each spoofed system, such as aircraft, vehicles, vessels, etc.,

can collaborate by sharing their information in a crowdsourcing manner.


5.11 Summary

In this work, we presented Crowd-GPS-Sec, an independent system to detect and

localize GPS spoofing attacks targeted at aircraft and UAVs. Crowd-GPS-Sec is

lightweight and leverages existing wireless air traffic broadcast infrastructures, the

ADS-B and Flarm systems, to identify spoofing attacks from a remote location—

possibly far from where the attack is happening. We have shown that our approach

is effective at localizing spoofing devices by using differences in reported positions

by multiple aircraft. Using simulations based on real-world input from the OpenSky

Network, we have demonstrated that Crowd-GPS-Sec achieves attack detection de-

lays below two seconds and an attacker localization accuracy of around 150 meters

after 15 minutes of monitoring time.

Alone we can do so little; together we can do so much.

— Helen Keller

6Trust Establishment for Aircraft

Broadcast Signals

Contents

6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 93


6.1.2 Contribution . . . . . . . . . . . . . . . . . . . . . . . 94

6.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . 95

6.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . 97

6.4 Attacker Model . . . . . . . . . . . . . . . . . . . . . . . 98

6.5 Design of an ADS-B Trust System . . . . . . . . . . . . 100

6.6 ADS-B Message Trust . . . . . . . . . . . . . . . . . . . 101

6.6.1 Sanity Check . . . . . . . . . . . . . . . . . . . . . . 102

6.6.2 Differential Check . . . . . . . . . . . . . . . . . . . . 103

6.6.3 Dependency Check . . . . . . . . . . . . . . . . . . . 103

6.6.4 Cross Check . . . . . . . . . . . . . . . . . . . . . . . 104

6.7 Attack Analysis . . . . . . . . . . . . . . . . . . . . . . . 105

6.7.1 Type of Attack . . . . . . . . . . . . . . . . . . . . . 105

6.7.2 Affected Sensors . . . . . . . . . . . . . . . . . . . . . 107

6.8 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . 107

6.8.1 GPS Spoofing . . . . . . . . . . . . . . . . . . . . . . 108

6.8.2 ADS-B Spoofing . . . . . . . . . . . . . . . . . . . . . 108

91

92 Chapter 6 Trust Establishment for Aircraft Broadcast Signals

6.8.3 Sensor Control/Sybil Attack . . . . . . . . . . . . . . . 108

6.9 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 109

6.9.1 Attack Detection Performance . . . . . . . . . . . . . . 109

6.9.2 Attack Analysis: Type of Attack . . . . . . . . . . . . 112

6.9.3 Attack Analysis: Affected Sensors . . . . . . . . . . . . 113

6.9.4 Impact: Grid Resolution . . . . . . . . . . . . . . . . . 113

6.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 114

6.10.1 Implicit Data Source Trust . . . . . . . . . . . . . . . 114

6.10.2 Attacker’s Knowledge . . . . . . . . . . . . . . . . . . 114

6.10.3 False Alarm Events . . . . . . . . . . . . . . . . . . . 115

6.10.4 Current Attack Resilience . . . . . . . . . . . . . . . . 115

6.10.5 Optimizing Sensor Deployment . . . . . . . . . . . . . 116

6.10.6 Extensions . . . . . . . . . . . . . . . . . . . . . . . . 117

6.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

6.1 Introduction 93

6.1 Introduction

The monitoring of air traffic has evolved from an analog Radio Detection and Rang-

ing (RADAR)-based system to a digitally-aided surveillance infrastructure. By 2020,

all aircraft are required to be equipped with transmitters to periodically broadcast

status reports that inform others about identification, position, movement, and addi-

tional status codes [132]. Protocols such as the Automatic Dependent Surveillance-

Broadcast (ADS-B) will become mandatory to access most of the world’s airspace

and already constitutes the de facto standard for air traffic monitoring.


While the aviation industry is characterized by very long development cycles—up

to several decades—, applications that mandate high safety guarantees are usually

lagging behind advancements on the security side. As such, ADS-B reports are

neither encrypted nor authenticated. At the same time, the open specification of

ADS-B promotes the collection and free usage of aircraft reports. Simple sensors

can decode aircraft reports and gain a real-time view of their surrounding airspace.

A network that combines more than 850 user-operated ground-based sensors in a

crowdsourcing manner is the OpenSky Network [74, 107–110, 120]. This network

collects and stores air traffic data from around the world and makes them available

for research.

Since ADS-B lacks fundamental security practices, the risk potential of attacks

targeting air traffic has long been discussed [18, 48, 66, 104, 118, 121]. These works

demonstrate how attackers can interfere with aircraft sensors and how fake aircraft

messages can be injected into air traffic monitoring systems [18]. For instance, ad-

versaries with affordable Commercial Off-the-Shelf (COTS) hardware and moderate

knowledge can generate ADS-B messages containing arbitrary data encapsulated in

valid reports trying to remain unnoticed by protection schemes [118,121]. The con-

sequences of such attacks range from flight controller distractions up to violations

of mandatory safety separations, and eventually increasing the possibility of aircraft

collisions. Since these attacks are far from being only of academic nature, security

solutions are urgently needed to protect the integrity of air traffic surveillance [17].

In fact, trust establishment is an open and central problem in the aviation industry

and emerging concerns have already reached the public [17, 32, 40, 42, 146]. Sim-

ilar shortcomings exist for the Global Positioning System (GPS), whose location

information is embedded in ADS-B reports.


Research Question. We state the following research question: How can we es-

tablish self-contained trust in ADS-B aircraft reports without external channels or

modifications only using the already implemented infrastructure? In particular, the

solution should be able to distinguish between normal operation and attack patterns.

6.1.2 Contribution

To answer the demands for more security in the safety-driven aviation industry,

we propose a data-centric [98] trust evaluation system with the goal of assessing the

trustworthiness of ADS-B reports using data that is already collected at a wide scale.

We refer to trust in the sense that messages are trustworthy when they originate from

functional, non-malicious sources. In contrast, error-prone or attacker-controlled

messages trying to harm the system should be detected and potentially filtered out.

Furthermore, we explore the identification of the attack type and the traceability of

malicious sensors.

The development of such a system faces several challenges imposed by the strongly

regulated aviation industry. Viable solutions need to be lightweight in the sense that

they do not require any modifications on the deployed hardware or software pro-

tocols. In particular, security systems should not interfere or interact with other

systems already in place to avoid lengthy (re)certification processes [17]. Preferably,

applicable solutions are augmentation systems that operate autonomously with sen-

sor input already available. We develop our system to fulfill all these challenges.

At the core of our system, we make use of the crowdsourcing nature of a sensor

network in which user-collected data cross-validates the data provided by other users.

This allows forming a network of trusted sensors based on mutual auditing and

wireless witnessing. Wireless witnessing is the collaborative process of observing the

status of a distributed wireless system. We apply it in the security context to assess

and validate the trustworthiness of ADS-B messages based on reception events. In

particular, we implement a Machine Learning (ML)-based verification test that is

trained on typical message reception patterns. In fact, the collaboration of sensors

characterizes the expected reception behavior of aircraft reports transmitted from

certain airspace segments while automatically factoring in natural message loss.

Our system can reliably differentiate between normal air traffic broadcasts and

suspicious messages diverging from expected patterns. Furthermore, our system can

recognize the type of attack, e. g., GPS spoofing, ADS-B spoofing, and even Sybil

attacks to trace malicious sensors. We achieve high detection rates and identify the

sensor redundancy as an important factor. To further harden the network against

attacks, new sensors can be integrated by providing consistent snapshots of their

6.2 Related Work 95

airspaces. Since our system is solely based on an already existing infrastructure and

does not require any modifications on aviation systems, it is lightweight and could be

implemented today easing very long certification processes. In contrast to existing

solutions for air traffic verification [105,106], we do not require the measurement of

time or frequency shifts, but only use discrete sensor events.

Summary. In summary, the contributions of this work are:

• We propose and detail the first comprehensive approach to evaluate the trust-

worthiness of ADS-B aircraft reports based on an existing infrastructure of

crowdsourcing sensors.

• We demonstrate the applicability of our approach by incorporating real-world

flight data already collected by geographically distributed sensors at a large

scale.

• We simulate prominent attacks on GPS and ADS-B, detect their presence via

validation in our trust system, and draw conclusions about their type and

origin.

• We elaborate on network expansion and optimized sensor deployment to fur-

ther harden the network against attacks in the future.

The contributions of this work resulted from a collaboration with William Sey-

mour, Christina Pöpper, and Ivan Martinovic.

6.2 Related Work

The foundation of this work is partly based on the work by Raya et al. [98] who were

the first to propose a framework for data-centric trust establishment with a focus

on short-lived associations in volatile environments. While our proposal for trust

establishment specifically targets ADS-B based air traffic surveillance, similar trust

requirements exist for Vehicular Ad Hoc Networks (VANETs) or industrial wireless

sensor networks. While Petit et al. [83] discuss detection systems for VANETs based

on dynamic thresholds, Ruj et al. [102] focus on validating message consistency to

identify misbehavior. While Sun et al. [124] present a trust framework for VANETs

to detect faulty data, Hundman et al. [44] apply similar data verification schemes for

spacecraft. Wang et al. [134] analyze the feasibility of false data filtering in general

sensor networks and Henningsen et al. [38] especially focus on industrial networks. In

comparison, our system is tailored towards a network of geographically distributed

sensors.


While in practice still vulnerable, the insecurity of ADS-B has long been high-

lighted from an academic perspective. Purton et al. [91] analyzed critical informa-

tion flows and focused primarily on technical solutions. They applied a qualitative

assessment method [137] that identified potential shortcomings. In contrast, McCal-

lie et al. [66] applied a risk analysis to assess the impact of different attack vectors

and recommended solutions to be incorporated into the ADS-B implementation plan.

Moreover, Strohmeier et al. [118,121] provide an overview of system-inherent prob-

lems and illustrate the security challenges of ADS-B in future air traffic monitoring.

There are several open attack vectors that, from a scientific perspective, would al-

low attacking ADS-B on different levels. Nevertheless, we must always consider the

necessary effort for an attack and its feasibility in a real-world scenario.

Moser et al. [69] take a perspective on the feasibility of attacking ADS-B commu-

nication and consider an attacker using a multi-device setup. Recent work showed

that such strong adversaries become increasingly realistic [46]. Furthermore, Costin

and Aurélien [18] demonstrated that the step from a scientific attack concept to a

real attack is not necessarily too wide and managed to inject fake aircraft messages

into live surveillance monitors. Later, Schäfer et al. [104] experimentally analyzed

the practicability of known threats revealing startling results. Besides these pro-

posals, which all focus on aviation applications, Balduzzi et al. [6] proved that also

maritime traffic via Automatic Identification System (AIS) broadcast messages can

be the target of successful attacks. While the physical constraints of vehicles differ

a lot, the similarity of communication channels helps to map well-known attacks to

this new context.

Besides the large body of offensive work, defensive proposals exist in recent re-

search. Schäfer et al. [105, 106] propose the usage of timing or Doppler shift char-

acteristics to detect attacks on ADS-B. While this cannot protect from attacks, it

still helps to identify malicious or inaccurate messages. Other location verification

schemes and anomaly detection methods are based on RADAR observations [85] or

statistical tests [119]. First results based on cross-referencing within a distributed

sensor network are illustrated by Strohmeier et al. [123]. Wesson et al. [139] discuss

solutions based on cryptography. Our system, on the other hand, requires no addi-

tional measurement information different from already collected data and can thus

be implemented without any modifications.

Aside from ADS-B and AIS, the insecurity of GPS has been repeatedly demon-

strated, while Humphreys et al. [43] were the first to publish an attack on GPS, where

they managed to spoof GPS signals. Tippenhauer et al. [128] later analyzed the re-

quirements of successful GPS spoofing attacks and reasoned about possible attacker

6.3 System Model 97

positions when facing a specific sensor deployment. Considering multiple sensors,

countermeasures exist for the detection of GPS spoofing attacks [49, 125–127, 144]

and also for spoofer localization [47, 48, 144]. However, these countermeasures de-

pend on ground-based sensors and do not exploit the network volatility. This limits

the impact and consequences to a fraction of real-world use cases.

Overall, we experience a gap between theoretically proposed defenses and deployed

countermeasures. Hence, protecting ADS-B is an open challenge that demands

scientific advances to consider the requirements and limitations of the real world.

6.3 System Model

In recent years, traditional analog RADAR-based systems for air traffic monitoring

have been augmented with digital means for active wireless communication. To

communicate with ground stations and other aerial vehicles, aircraft are mandated

to be equipped with ADS-B transponders that periodically broadcast status mes-

sages [132]. Additionally, an aircraft identification, information on speed, track, and

acceleration along with further observation data is transmitted. The positioning

information is derived via GPS, which is the preferred method for self-localization.

A set of geographically distributed sensors receives these reports and their data

is shared with others in a crowdsourcing manner. A central server processes the

forwarded reports and makes the collected data accessible. Overall, we are faced with

the high mobility of aircraft on the one hand, while on the other hand, the receiving

sensors are stationary and are less likely to move significantly. Figure 6.1 depicts

an overview of our system model that we consider to assess the trustworthiness of

ADS-B aircraft reports.

We define trust in our system as the certainty of an ADS-B message to be the result

of normal behavior and not disrupted by malfunctioning or active manipulation. To

this end, a trusted message represents valid data transmitted by genuine sources.

On the other hand, an untrustworthy message is identified as erroneous or fake

data that should be discarded from further processing. While the traditional notion

of trust had been entity-centric and rigid, today’s fast-changing ad hoc networks

necessitate the adjustment of trust models. Hence, we seek to establish a data-centric

trust model in consideration of short-lived associations in volatile environments as

introduced by Raya et al. [98]. In particular, we design a trust system that is

driven by data reported by distributed sensors that share their observations within

a network. The combination of redundant views enables the system to cross-validate

reported data and eventually establishes a form of wireless witnessing.


Aircraft

ADS-B Sensors

Satellites

GPS

ADS-B

Broadcast

Central

Server

Figure 6.1: Our considered system model of GPS satellites, aircraft, ADS-B sensors,and the processing central server.

6.4 Attacker Model

Since the ADS-B protocol is openly specified, the modulation and data frame pat-

terns are known. ADS-B operates at a frequency of 1,090MHz and the reception

range can reach up to 700 km making the signals decodable on simple COTS hard-

ware such as Universal Software Radio Peripherals (USRPs) [23,24], or even cheaper

Software Defined Radios (SDRs) like RTL-SDR dongles [101], which are available

for as low as $20. The availability of SDRs not only allows passive eavesdropping

but also led to software tools for active ADS-B transmission [19] or the generation of

fake GPS signals [76]. Surprisingly, the ADS-B protocol lacks fundamental security

measures, and neither applies encryption nor authentication.

Our adversary model comprises several prominent attack vectors, which we cat-

egorize according to their intended target and their scope. Table 6.1 shows an

overview. We evaluate our proposed system against these attacks. Moreover, we

argue in Section 6.10.2 that attackers with complete knowledge about our verifica-

tion scheme cannot bypass our implementation of wireless witnessing and can be

detected as well.

GPS Spoofing. The airborne (self)-positioning sensors process received GPS sig-

nals from multiple satellites to embed the results in the broadcasted ADS-B reports.

One attack scenario considers the spoofing of GPS signals where an attacker sends

out specially crafted signals at a considerable signal strength [43, 128]. As a re-

sult, an attacker can inject false positioning or timing information into the aircraft

systems inducing the processing of fake attacker-controlled data [48].


Table 6.1: Attack Vectors

Target Attack Scope Effort

Aircraft GPS Spoofing - Moderate

ADS-B Sensor ADS-B SpoofingSingle ModerateMultiple High

Central ServerSensor Control Single LowSybil Attack Multiple High

ADS-B Spoofing (Single). An attacker capable of generating fake ADS-B mes-

sages can transmit arbitrary reports with full control over their contents. These

bogus messages may represent, e. g., any aircraft identifier, positioning solution,

or movement information [18, 66, 104]. Receivers of such messages will decode the

message contents and forward the sensed information to the central server. We dif-

ferentiate this attack according to the number of affected sensors. An attacker that

is limited in its effective range is likely to only affect single sensors due to their broad

spatial distribution.

ADS-B Spoofing (Multiple). A large-scale attacker may also be capable of tar-

geting multiple geographically distributed sensors at the same time. This attacker,

however, requires multiple antennas or a high elevated, high power antenna. The

attack is conducted in a broadcast fashion and is expected to affect all sensors within

its predetermined area. As a result, more than one sensor would receive the same

fake report and forward it to the central server.

Sensor Control. Due to the open nature of the surveillance network, attackers

can operate their own sensors and become part of the crowdsourcing infrastructure.

Having full control over a sensor, an attacker is able to inject arbitrary data en-

capsulated in genuine ADS-B reports [104]. This attack can be performed without

broadcasting false sensor inputs and can be directly conducted on the network level.

Sybil Attack. A large-scale attacker operating multiple sensors to capture the

network’s protection systems can perform a Sybil attack [21]. An attacker deploys a

significant number of sensors at potentially different locations to decisively influence

the system’s behavior. As a result, a Sybil attacker may completely overtake the

system’s mechanics while remaining unnoticed by the protection systems. This

constitutes one of the most powerful attacks against sensor networks.


6.5 Design of an ADS-B Trust System

We propose a system to establish a dynamic verification of ADS-B messages for air

traffic surveillance. We first describe the specifics of our considered data and state

general network statistics. We then define (i) verification tests checking the contents

of a message and (ii) an ML classifier evaluating the metadata of a message.

As the source of our considered data, we utilize real-world air traffic data from

the OpenSky Network [74,107–110,120]. The sensors are installed and operated by

volunteers, which can either remain anonymous or register themselves by providing

personal data. Over 850 sensors promote the coverage of the network that exhibits

a particular high sensor density in Europe and on the American continent. The

network relies on user-provided data, processes the data on centralized servers, and

offers access to the collected data of around 20 billion messages per day. Notably,

nodes in the network are not equipped with any cryptographic means or certificates,

which would hinder the growth of the sensor network and contradict the easy access

to the crowdsourcing platform. While other air traffic sensor networks exist, we

make use of the research-friendly data sharing of this network.

For the sake of simplification, we initially restrict the considered data to the Euro-

pean airspace where the OpenSky Network sensor density is the highest. To further

reduce complexity, we divide this space into non-overlapping clusters C and assign

each cluster a latitude and longitude index as the coordinates of its center. Hence,

the considered environment becomes the union of all clusters CLAT,LON. We imple-

ment the size of each cluster as a trade-off between sensitivity and generalization.

In order to get a better understanding of the data provided by the OpenSky Net-

work, we present basic statistics including sensor coverages and the total number of

processed ADS-B messages with respect to their spatial distribution. These evalu-

ations are based on data collected from an entire day (July 2nd, 2018) resulting in

a total of 182,824,762 messages broadcasted by real aircraft. Figure 6.2a depicts a

heat map of the spatial distribution of all recorded ADS-B reports on the exemplary

day. As one can see, most reports originated from a few cluster areas close to central

European airports. Notably, the database only contains messages that reached at

least one contributing sensor.

The overall coverage of the network is the combination of all participating sensors.

Since the individual sensor coverages can significantly overlap with each other, the

redundancy of the coverage is higher in areas with more sensors as compared to

rural areas. Figure 6.2b shows the aggregated sensor coverage of the OpenSky

Network as of July 2nd, 2018. The heatmap depicts the number of sensors that

simultaneously cover an indicated area. A total of 613 different sensors reported data

6.6 ADS-B Message Trust 101

(a) Total Messages (b) Sensor Coverage

Figure 6.2: Spatial distribution of captured reports and sensor coverage of the Open-Sky Network in Europe for the exemplary day (July 2nd, 2018).

for the exemplary day and the considered airspace. We notice a strong dominance

in Central Europe, where the most participating sensors are operated.

For the remainder of this work, we use the following notations. The network is

formed by a set of ground-based sensors R, where each sensor is referred to as Ri ∈ R.

Each ADS-B message m can be received by an arbitrary number ≥ 1 of sensors Ri,

hence the link (m,Ri) exists. Due to noise effects and message collisions, message

loss can naturally occur and we denote the probability that sensor Ri receives a

message transmitted from cluster Cj as Prec(Ri, Cj). Moreover, the messages are

timestamped by the receiving sensors, where t is the issued timestamp. When a

message is not picked up by any sensor, it is consequently not in the considered

database.

6.6 ADS-B Message Trust

In order to assess the trustworthiness of ADS-B messages, we design an evalua-

tion process consisting of four verification tests, namely (i) sanity, (ii) differential,

(iii) dependency, and (iv) cross check. While the former three tests are stated for

the sake of completion, we focus on the cross check that is tailored towards the ex-

isting sensor infrastructure to implement wireless witnessing. The system overview

is depicted in Figure 6.3 and is developed in the following.


DIFFERENTIAL

CHECK

DEPENDENCY

CHECK

CROSS

CHECK

SANITY

CHECK

Defined Value

Range

Maximal

Change

Physical

Restrictions

Sensor

Coverage

OK OK

Content Metadata

ATTACK ANALYSIS

Type of Attack Affected Sensors

FAILED

OK OK

FAILED FAILED FAILED

Figure 6.3: The process of ADS-B trust evaluation including four different verifica-tion tests, their utilized data, and conditional branching to the subse-quent attack analysis.

Table 6.2: Sanity Check

Category Parameter Range

PositionLatitude −90◦ to 90◦

Longitude −180◦ to 180◦

Altitude −3m to 20,000m

MovementVelocity 0 km/h to 1,200 km/hTrue Track 0◦ to 360◦

Vertical Rate −50m/s to 50m/s

IdentificationICAO Identifier Registered AircraftCall Sign Assigned Call Signs

6.6.1 Sanity Check

The sanity check represents a message content verification with respect to defined

value ranges. Where values are not restricted by definition, we apply physical pos-

sibility bounds. Sanity checks are specific to the message content, i. e., the reported

aircraft status. Table 6.2 provides an overview of the implemented sanity check.

Position. The reported position contains information about the latitude, longitude,

and altitude. The latitude is only defined in the range of −90◦ to 90◦, whereas the

longitude is defined over −180◦ to 180◦. The altitude is not bounded by its definition

but by physical restrictions ranging from approximately −3m, which is the altitude

of the lowest European airport, Amsterdam Airport Schiphol. For the maximum

altitude, we use a bound of 20,000m, which is hardly reachable for casual air traffic.

Movement. While airborne, the velocity is expected to be positive and bounded by

the maximum speed of the specific aircraft type, usually less than approx. 1,200 km/h.

The direction of movement, referred to as the true track, is defined by the angle

6.6 ADS-B Message Trust 103

Table 6.3: Differential Check

Parameter Maximal Change per Second

Horizontal Position 500mAltitude 100mTrue Track 10◦

Velocity 25 km/hVertical Rate 10m/s

aligned with the True North in the range of 0◦ to 360◦. Moreover, the vertical rate

is also aircraft-dependent and is expected to not exceed ±50m/s.

Identification. Each aircraft is assigned a unique identification, the International

Civil Aviation Organization (ICAO) 24-bit registration identity. This identifier can

be checked against databases that contain currently assigned ICAO registrations.

In addition, each aircraft is assigned a volatile call sign, which can also be verified.

6.6.2 Differential Check

The differential check considers changes between succeeding ADS-B messages from

the same aircraft. These checks, therefore, require the assignment of messages to

tracks based on the included identifier. In consideration of the message update rate

and broadcast frequency, we identify reasonable maximal changes per second that

conform to the inertia and aircraft capabilities as well as covered by observations of

real flight data. Table 6.3 contains the implemented tolerable parameter changes.

In cases where we receive updated ADS-B reports after a prolonged loss of commu-

nication, e. g., due to missing sensor coverage, we incorporate the lack of data by

scaling the tolerable maximal change with the missed time period.

6.6.3 Dependency Check

The dependency check verifies relationships between physically-dependent parame-

ters by considering subsequent reports from the same aircraft. In total, we formulate

three different tests. Based on the current position, velocity, and true track, we com-

pare predicted positions with the actually reported coordinates in the subsequent

message. We perform this check for both horizontal as well as vertical movements

and allow for a deviation up to 100m, which we have empirically derived from the

available dataset. A further dependency exists between the reported altitude and

the aircraft indicating to be on ground. We coarsely perform this check against the


Table 6.4: Dependency Check

Relationship Tolerance

Horizontal Position ↔ Velocity + True Track 100mAltitude ↔ Vertical Rate 100mAltitude ↔ Aircraft on Ground 1,707m

elevation of the highest European airport (1,707m), Samedan Airport of Switzer-

land. Notably, more fine-grained information about the geographical topology would

benefit the test validity. Table 6.4 shows the implemented dependency checks.

6.6.4 Cross Check

The cross check utilizes the spatial redundancy of the surveillance network in a col-

laborating manner. Participating sensors are widely distributed and their coverages

overlap significantly, as shown in Figure 6.2b. Even though the sensor locations

are unknown, we can estimate which sensors observe which airspace via inspecting

the reported positions embedded in their received ADS-B reports. Hence, in our

grid-based approach, each cluster Cj can be dedicated to covering sensors Ri such

that the following equation holds:

Prec(Ri, C) > 0. (6.1)

If for an indicated cluster Cj multiple sensors Ri cover the same area such that

Prec(Ri, C) > 0, we can countercheck the received message information by consulting

all designated sensors. In areas observed by none or a single sensor, a cross check

cannot be applied. For each sensor covering the reported position, we distinguish

two discrete events: the sensor has received the message or the sensor has not receive

the message:

Xm,Ri=

0 ∄(m,Ri)

1 ∃(m,Ri).

Due to noise effects and signal collisions, sensors naturally experience a message

loss in the range of 10% to 75% depending on the distance to the origin, obstacles

in view, or the airspace density [107]. Hence, the case of missing a report does not

causally imply unusual behavior or the existence of attacks and needs to be factored

in accordingly. We refer to the combination of events Xm,Ri, Ri ∈ R as the observed

message reception pattern for a report broadcasted from the claimed position. Each

6.7 Attack Analysis 105

sensed message is therefore mapped to a vector representing the reception events for

every sensor:~Xm =

[

Xm,R1, Xm,R2

, · · · , Xm,Rn−1, Xm,Rn

]

, (6.2)

where n is the total number of sensors in the network. For our considered scenario,

we obtain a vector with 613 entries, which represents the message reception pattern.

These patterns exhibit a certain variance and cannot be translated into fixed rules

due to the non-deterministic sensor reception. Hence, we choose a ML approach

to handle the huge amount of available data and simultaneously consider unknown

external effects.

In particular, for each of the 182,824,762 recorded ADS-B reports, we determine

which of the 613 sensors reported that specific message. In combination with the

embedded positioning information, we learn typical reception patterns for the entire

day and label the data to be the result of normal operating air traffic and sensors.

After processing all reports, each cluster Cj is assigned with actually observed mes-

sage reception patterns and we assume these patterns to represent normal behavior.

We discuss this assumption in Section 6.10.1 and reason about its validity.

Algorithm Choice. In general, we use a binary classification to distinguish be-

tween normally observed reception patterns and patterns resulting from erroneous

or malicious behavior. In particular, we chose to use an ensemble algorithm with

bagged decision trees, i. e. random forests. In essence, this creates many different

trees that independently make a decision on a given input pattern. This approach

is more robust and prevents overfitting as compared to simple decision trees. For

more information on ML algorithms, and especially on random forests, we refer to

an article by Leo Breimann [11].

6.7 Attack Analysis

In the case one of our four verification tests indicates unusual behavior, an attack

analysis is triggered that tries to further reason about (i) the type of attack and

(ii) the affected sensors. Depending on which test triggered the attack analysis,

different conclusions can be drawn on the causing of an alarm.

6.7.1 Type of Attack

We notice that our three attack classes, i. e., GPS spoofing, ADS-B spoofing, and

sensor control/Sybil attack, can be characterized by the type of manipulation they

cause on the message, respectively on the network. This can either be on the content


Table 6.5: Sensitivity to Attacks

Attack Vector Sanity

Differen

tial

Dep

ende

ncy

Cross

GPS Spoofing # G#

ADS-B Spoofing (Single) G# G# G#

ADS-B Spoofing (Multiple) G# G# G# H#

Sensor Control G# G# G#

Sybil Attack G# G# G# H#

# not indicative, G# potentially indicative always indicative, H# network dependent

of the ADS-B messages directly, or more subtle on the metadata of the message

reception. While the sanity, differential, and dependency checks can verify the

message payload, the cross check evaluates the message metadata. For each attack

vector, we identify which verification test may be indicative and provide an overview

in Table 6.5.

Sanity Check. A sanity check detects defined value range violations. These can

occur when a report is not originating from a genuine airborne ADS-B transmitter.

However, specifically crafted messages during an ADS-B spoofing attack on ground-

based sensors may also contain data outside their definition ranges. If a sensor is

entirely under the control of an attacker, the forwarded reports may also contain

bogus data.

Differential Check. A differential check is indicative to unusual jumps in the data.

A GPS spoofing attack may hence be detectable if the position exhibits a sudden

jump. All other attacks can also trigger an alarm for this test depending on the

variance in the generated fake data.

Dependency Check. A dependency check detects inconsistencies between de-

pendable data from independent sensors within the aircraft. Since a successful GPS

spoofing attack only affects the GPS-related sensors, other information on the move-

ment or on the heading will likely result in a violation. Again, the other attacks can

also fail this test if the fake reports do not satisfy parameter dependencies.

Cross Check. A cross check tries to decide if the message reception pattern is

the result of normal behavior or is due to some kind of attack. A message from

an aircraft affected by a GPS spoofing attack indicates a wrong position and the

reception pattern will likely differ from the actual reception pattern from the real

6.8 Simulation 107

location. For the other attacks, the validity of the cross check depends upon the

number of sensors that observe the claimed aircraft position. The more sensors si-

multaneously cover an area, the less likely it will be that only a specific number of

sensors, e. g., affected by an ADS-B spoofing attack, receive that specific message.

Similar considerations apply for attackers adding sensors to the network by con-

trolling their behavior. Nevertheless, the unaffected sensors will not report injected

messages which is eventually reflected in an unusual reception pattern. For both

attack classes, message reception patterns are easier to decide the more sensors are

participating.

6.7.2 Affected Sensors

If we successfully detect unusual behavior and potentially identified the type of at-

tack, we try to also reason about the affected ADS-B sensors. We generally distin-

guish between passively and actively participating sensors during an attack. While

we can tag all sensors that reported an untrustworthy message as potentially mali-

cious, we are interested which sensors are indeed attacker-controlled. These compro-

mised sensors are actively trying to disrupt the network. We, therefore, identify all

sensors that reported messages clearly assigned to a sensor control/Sybil attack as

malicious. Their identification allows the disconnection from the network to restore

the network’s integrity.

On the other hand, sensors that are victim to an attack themselves may only be

temporarily disconnected from the network. Sensors that are recognized in such

a way can later be reactivated. The tracing of affected sensors also allows for a

coarse localization an attack. Even though sensor locations are unknown, coverages

of the sensors can be estimated and consequently a rough attacker position could

be narrowed down.

6.8 Simulation

While the characteristics of normally operating air traffic can be learned from the

actually sensed broadcasted ADS-B messages, attack scenarios need to be emulated

based on realistic assumptions and experience. Assuming that no apparent attacks

are present on the exemplary day (July 2nd, 2018), we use all messages to map

trustworthy reports and typical message reception patterns. In the following, we

describe how we simulated the three considered attack classes, i. e., GPS spoofing,

ADS-B spoofing, and sensor control/Sybil attack. For each attack scenario, we

generate 1,000,000 different fake reports representing the respective attack.


6.8.1 GPS Spoofing

To emulate a successful GPS spoofing attack, we manipulate the reported GPS-

derived positioning information embedded in ADS-B reports. In particular, we ran-

domly sample 1,000,000 real aircraft messages from the OpenSky Network database

and exchange the GPS position while all other data fields and the sensors that re-

ceived the message remain the same. The embedded position is exchanged with a

random position within the coverage of the sensor network. We label the messages

as resulting from a GPS spoofing attack and feed them to our ML classifier.

6.8.2 ADS-B Spoofing

To realistically emulate an ADS-B spoofing attack, we are faced with the problem

of unknown sensor locations. This prevents us from declaring a specific area where

such an attack would affect all situated sensors. As a solution, we consider all

sensors observing a specific area as potential victims of an ADS-B spoofing attack.

Nevertheless, an attacker would face the same problem and cannot directly target

sensors but would need to blindly affect larger regions to reach multiple sensors. We

differentiate the attack according to how many sensors are the victim of the attack,

i. e., a single sensor, half of the sensors, or all sensors.

We again generate 1,000,000 messages for each scenario by randomized sampling

from real-world aircraft reports, but adjust the receiving sensors depending on the

considered coverage and how many sensors are affected by the attack. We use real

aircraft reports to represent an attacker trying to inject authentic ghost aircraft into

the network by sending those messages to the scenario-dependent number of sensors.

6.8.3 Sensor Control/Sybil Attack

In a sensor control/Sybil attack, an attacker adds sensors to the network that are

under the attacker’s synchronized control. We assume that the attacker’s sensors

initially behave normally to remain unnoticed prior to any fake message injection.

When an attack is launched, all controlled sensors mutually try to report the same

fake message. We again differentiate between the number of controlled sensors with

regard to the number of benign sensors, i. e., a single sensor, half of the benign

sensors, or equality between attacker sensors and other sensors.

Again, we sample 1,000,000 messages to obtain real-world ADS-B reports and then

try to inject each message from the attacker-controlled sensors. Notably, the other

sensors that cover the same cluster do not report the reception of such messages. We

assume that the attacker utilizes all controlled sensors to inject the same message.

6.9 Evaluation 109

6.9 Evaluation

We split the evaluation of our developed ADS-B trust system into (i) performance

of detecting each considered attack, (ii) distinguishing between the attack vectors,

(iii) identifying the affected sensors, and (iv) analyzing the impact of different grid

resolutions.

6.9.1 Attack Detection Performance

For our three attack classes, i. e., GPS spoofing, ADS-B spoofing, and sensor con-

trol/Sybil attack, we shortly describe which message content triggered an alarm and

then focus on the ML supported cross check. We train our binary random forest

classifier with an equal number of messages from normal operation and all simulated

attack scenarios. We then separately test the same trained classifier against each

specific attack scenario using messages separated from the training phase. Moreover,

we analyze the detection performance within areas of different sensor coverages, i. e.,

3, 5, 10, 20, 50 sensors that are simultaneously observing the same airspace. For our

prototype implementation, we initially consider a grid resolution of roughly 7 km.

GPS Spoofing

While a smooth position deviation may actually pass the differential test, our depen-

dency test consistently triggered alarms indicating mismatches between predicted

positions and the current aircraft movement. Even though we account for a specific

uncertainty threshold, at a certain point the attack exceeds this threshold. For our

prototype implementation and for the cross check to apply, we assume a deviation

of at least the considered grid resolution. Smaller GPS position deviations would

be mapped to the same cluster and consequently the same reception pattern at re-

ceiving sensors. Notably, higher resolutions may drastically increase the sensitivity

to the attack.

Our detection performance of GPS spoofing attacks is stated in Table 6.6. The

measure used to compare the performance is the True Positive Rate (TPR), which

represents the probability that a message from a certain class is labeled correctly.

Notably, all detection rates were obtained with respect to a single message and are

further improved when considering multiple consecutive reports (from different grid

clusters), as discussed in Section 6.10.3.

Results. While the dependency check is generally effective in detecting GPS spoof-

ing attacks, in cases where additional information might be missing, the cross check

is sufficient to detect such attacks with a high probability. In clusters with higher


Table 6.6: GPS Spoofing Detection Performance (TPR [%])

Sensor Coverage 3 5 10 20 50

Normal Operation 86.37 89.10 94.42 97.08 98.65GPS Spoofing 96.38 94.36 94.62 95.02 96.03

Table 6.7: ADS-B Spoofing Detection Performance (TPR [%])


Normal Operation 86.37 89.10 94.42 97.08 98.65ADS-B Spoofing (single) 41.75 44.23 75.19 94.83 95.20ADS-B Spoofing (half) 57.19 61.30 73.31 78.92 97.37ADS-B Spoofing (all) 76.47 83.18 88.10 96.81 99.96

sensor coverages, our classifier better predicts from which scenario the message re-

sulted. With increasing sensor coverage, the uncertainty diminishes and therefore

the decision gains more validity. As a result, we can identify GPS spoofing attacks

with a probability of approx. 94% to 96%. Notably, the cross check is limited to de-

tecting attacks that manipulate positioning information by at least that much such

that the message reception pattern differs from the real location. In other words,

false positions that still remain within the same grid cluster cannot be detected

using the reception patterns alone.

ADS-B Spoofing

For the evaluation of the ADS-B spoofing detection performance, we focus on the

outcome of the cross check. Since an attacker is able to generate arbitrary reports,

we assume that an attacker successfully passes all tests on the message contents to

remain undetectable by the sanity, differential, and dependency test. We analyze our

detection performance according to different number of affected victims and within

regions of different sensor coverages. The results are given as TPRs in Table 6.7.

We evaluate each scenario according to the number of affected sensors, i. e., a single

sensor, half of the sensors, or all sensors, separately.

Results. Our ML-based cross check is able to effectively detect ADS-B spoofing

attacks. The sensor coverage is a crucial parameter of the detection performance.

The values stated in Table 6.7 represent the mean over all regions with the stated

coverage. In general, the higher the sensor coverage, the more likely it is that the

attack is indeed detected. With respect to the natural message loss, too many

or too few sensors reporting the same message is an unusual observation. As a

6.9 Evaluation 111

Table 6.8: Sensor Control/Sybil Attack Detection Performance (TPR [%])


Normal Operation 86.37 89.10 94.42 97.08 98.65Sensor Control 41.71 46.36 79.60 94.33 99.66Sybil Attack (half) 14.29 75.95 80.64 95.87 99.95Sybil Attack (same) 98.91 99.69 99.90 99.97 100.00

consequence, an optimized attacker strategy would try to emulate typical reception

patterns and only affect a specific number of sensors. However, since sensors are

geographically distributed at unknown positions, an attacker cannot systematically

control which and how many sensors receive the fake reports. Eventually, an attacker

may broadcast from a location close to the designated position to emulate realistic

message reception. However, the attack would then become a legitimate broadcast

of ADS-B reports from the advertised position.

Sensor Control/Sybil Attack

To evaluate our detection performance of sensor control/Sybil attacks, we again fo-

cus on the outcome of the cross check. Our simulated attack messages are crafted in

a way that all pass the message content verification and need to be detected by their

metadata. For the analysis, we consider different sensor coverage regions in which

the attacker adds different numbers of compromised sensors, i. e., a single sensor,

half of the sensors, or the same number of sensors already observing that specific

airspace. Notably, the attackers’ sensors initially participate normally and are al-

ready considered when deciding message reception patterns. Table 6.8 separately

compares TPRs for correctly classifying normal and attack messages.

Results. We successfully distinguish between messages resulting from sensor con-

trol/Sybil attacks and reports from normal operation. However, in regions of low

sensor coverage, the attack is hardly detected. As a result, the validity of the cross

check requires a certain number of sensors to effectively detect Sybil attacks. We

even recognize a slightly better detection performance as compared to ADS-B spoof-

ing messages. The reasoning behind this is based on the fact that other sensors in the

same area will not report the reception of the fake message that is directly injected

by compromised sensors. This represents a very unlikely case of a high number of

sensors missing on the same message. The higher the coverage of the sensors is, the

more unlikely these events become. Moreover, an attacker cannot emulate realistic

reception patterns by direct message injection considering that sensors are deployed

at unknown locations.


ADS-B

Spoofing

GPS

Spoofing

Sybil

AttackTPR TNR

Sybil

Attack<1% 2% 98%

Predicted Class

2%98%

Tr

ue

Cla

ss

ADS-B

Spoofing<1% 89% 11% 11%89%

GPS

Spoofing99% <1% <1% 1%99%

Figure 6.4: The confusion matrix of our ML classifier deciding the type of attackwhen confronted with random messages resulting from: Normal Opera-tion, GPS Spoofing, ADS-B Spoofing, or Sybil Attack.

6.9.2 Attack Analysis: Type of Attack

If one of our verification tests issues an alarm and an attack is detected, we further

try to identify the type of attack. In order to evaluate the ability to differentiate

between attacks, we consider the results of the cross check verification. In par-

ticular, we train our classifier with messages from all the analyzed attacks, i. e.,

GPS spoofing, ADS-B spoofing, and sensor control/Sybil attack. We then test the

classifier against messages randomly sampled from messages identified as malicious.

Figure 6.4 depicts a confusion matrix while considering an exemplary coverage of

ten sensors. Furthermore, for the ADS-B spoofing attack and the Sybil attack, we

consider an attacker affecting half of the monitoring sensors. Aside from the TPR,

we provide the complementary True Negative Rate (TNR).

Results. The messages resulting from a simulated GPS spoofing attack are assigned

to the matching class in 99% of the cases. While, only 89% of ADS-B attack re-

ports are correctly detected, a huge proportion of 11% of those messages are falsely

decided to reflect a Sybil attack. In particular, we simulated this attack with a very

beneficial attacker setup replicating typical reception patterns by simultaneously

affecting multiple sensors. This constitutes the most stealthy attack with respect

to our classifier. In comparison, Sybil attacks are correctly classified with a prob-

ability of 98% and only 2% are decided to result from ADS-B spoofing. Notably,

all of the shown results are based on a single message classification. To further re-

duce the probability of false alarms, we discuss the requirements of successive false

classifications in Section 6.10.3.

6.9 Evaluation 113

6.9.3 Attack Analysis: Affected Sensors

We generally differentiate between sensors that are victims themselves misused as

passive attack actors and sensors that are actively collaborating and causing the

attack. For instance, in GPS spoofing attacks and ADS-B spoofing attacks, sensors

may be faced with bogus input data. While their input data may be bogus, passive

victim sensors are still functioning correctly and are otherwise conform with their

intended behavior. While for GPS spoofing attacks the sensor reception patterns

reflect normal behavior but for a different message origin, the reception patterns

for ADS-B spoofing attacks are altered. If our attack analysis reveals the type of

attack being of the latter case, the reporting sensors may be disconnected from the

network and excluded from the cross checking procedure of other messages. These

sensors are directly affected by the attacker and their sensing of messages cannot

be trusted. However, after the attack is concluded, the identified sensors may be

reactivated and again contribute to the network.

In contrast, if the attack analysis reveals a sensor control/Sybil attack, we are

faced with compromised sensors actively launching attacks on the network. All

sensors that reported the reception of identified attack messages are considered a

part of an attacker-controlled sensor union. Any shared messages from such sensors

cannot be considered trustworthy. Their participating in the crowdsourcing network

is shut down and their forwarded messages are filtered out accordingly to recover

the integrity of the network.

6.9.4 Impact: Grid Resolution

The resolution of our considered underlying grid determines the clustering process

of assigning messages and sensors to the same cluster Cj. The higher the grid reso-

lution, the finer is the differentiation between regions and eventually their reception

patterns. However, increasing the grid resolution not only increases the computa-

tional load but can also lead to overfitting areas to the monitoring sensors. For

instance, since we do not know the exact locations of sensors, we need to learn them

from their reported ADS-B messages. The chances that a sensor reported no mes-

sage from a specific area increases with smaller sizes even though the sensor might

actually observe that airspace. We evaluated the impact of the grid resolution for

edge lengths of 70 km, 35 km, 14 km, and 7 km and gained the following insights.

The greater the proliferation of a cluster is, the more sensors are potentially

observing at least parts of the area. As a consequence, the reception patterns feature

more active sensors and have a higher variance. However, this also makes it harder


to have a clear distinction between normal operation and malicious patterns. On the

other hand, a too small cluster area actually prevents a generalized estimation and

thus also decreases the validity. For our analysis, we achieve a reasonable trade-off

for a grid size of 7 km, with which all the presented results were gathered.

6.10 Discussion

We discuss important parameters of our developed system, e. g., (i) implicit trust in

the data source, (ii) attacker’s knowledge, (iii) false alarm events, (iv) the current

attack resilience, (v) optimized sensor deployment, and (vi) further extensions.

6.10.1 Implicit Data Source Trust

We base the evaluation of our trust system on data provided by the OpenSky Net-

work, which records real-world air traffic reports. However, we take the data “as is”

and consider it to represent normal behavior. We cannot exclude the existence of

erroneous data or even reports that resulted from some kind of attack. Nevertheless,

we thoroughly analyzed the messages of our considered exemplary day (July 2nd,

2018) without any findings. While our system is designed to analyze live data, our

system can also be used to find unusual data retrospectively and potential attacks

in the recorded air traffic messages of arbitrary days.

6.10.2 Attacker’s Knowledge

In our performance analysis of detecting different attacks, we considered attackers

controlling a certain number of sensors. However, an attacker with full awareness of

our detection scheme might try to optimize the pursued attack strategy and imitate

authentic reception patterns. For both ADS-B spoofing and Sybil attacks, it can

only be achieved to a certain degree and cannot overcome the detection in regions

with enough sensor redundancy. Even a fully aware attacker does not know the

locations of other sensors, and hence it is not possible to manipulate them in a

targeted manner (e. g., through ADS-B spoofing). Moreover, an attacker cannot

access the unprocessed readings of other sensors in an effort to localize them. In the

case of ADS-B spoofing, where an attacker affects multiple sensors, victims cannot

separately be targeted. A Sybil attacker, however, could try to emulate realistic

reception patterns via compromised sensors, but cannot do so with the sound user-

controlled sensors. We, therefore, argue that even an attacker, fully aware of our

detection scheme, cannot overcome it due to the concealed locations of other sensors.

6.10 Discussion 115

Table 6.9: False Alarm Probability [%]

Consecutive Messages 1 2 3 4 5

3 13.63 1.86 0.25 0.03 <0.015 10.90 1.19 0.13 0.01 <0.01

Coverage 10 5.58 0.34 0.02 <0.01 <0.0120 2.92 0.09 <0.01 <0.01 <0.0150 1.35 0.02 <0.01 <0.01 <0.01

6.10.3 False Alarm Events

Even though our ML-based cross check exhibits a high detection performance, the

probability of false alarm events is non-negligible. A false alarm is triggered when an

ADS-B message is incorrectly labeled as the result of an attack while originating from

normal operation. Depending on the sensor coverage of the considered airspace, the

false alarm rate can reach approx. 14%, which is unacceptably high for a productive

system. However, we want to highlight again that all results in Tables 6.6 - 6.8 are

referred to a single, separated message. By requiring multiple, consecutive reports

that are detected as malicious, the false alarm rate can be lowered drastically.

The chances of false alarms by requiring several false classifications in succession

is stated in Table 6.9. Notably, for this evaluation, we assume that the successive

aircraft reports are sent from different grid areas with distinct message reception

patterns. This is naturally satisfied as aircraft are moving constantly when en-route.

By increasing the number of consecutive messages, the false alarm probability can

be brought down to reasonable levels even for low-density regions.

6.10.4 Current Attack Resilience

The crowdsourcing sensors are at the core of our trust system and their distribution

and density are of utter importance for the detection of attacks. The validity of the

cross check, i. e., wireless witnessing, increases with the number of sensors covering

a certain air segment. Thus, the higher the redundancy is, the better malicious

attacks and sensors can be detected. We analyzed the current resilience of the

OpenSky Network by considering regions related to the evaluated coverages, i. e., 3,

5, 10, 20, and 50 sensors. Figure 6.5a depicts areas that already provide at least the

indicated number of sensor redundancy. Further, Table 6.10 states the breakdown of

the total covered area and relates it to the total surface of the European continent.


(a) Resilience (b) Optimized Deployment

Figure 6.5: The resilience measured in sensor redundancy and identified regions thatwould benefit the most by optimized sensor deployment, both consider-ing the currently deployed infrastructure as of July 2nd, 2018.

Table 6.10: Coverage Regions

Coverage ≥ 3 ≥ 5 ≥ 10 ≥ 20 ≥ 50

Area [km2] 705,649 568,859 379,556 253,595 93,032Total [%] 69.32 55.88 37.28 24.91 9.14

6.10.5 Optimizing Sensor Deployment

To further develop the security of the network, we encourage the deployment of

new sensors in less covered areas or optimize the current geographical distribution.

While the latter is not a viable solution since sensors are naturally deployed in the

vicinity of the operating user and cannot be freely moved around, we follow the first

approach of optimized network expansion. From the coverage information of existing

sensors in the network (see Figure 6.5a), we can learn how to optimize the placement

of new sensors with the goal of filling blind spots. Our optimization target is an

overall coverage increase and therefore a hardening against attacks.

To provide an overview of areas that would benefit the most from the deployment

of new sensors, we weight the need for better coverage according to the sensor

redundancy of the network. The lower the current coverage is, the higher is the

demand for new sensors. We restrict possible locations to be on land. We further

assume an average reception range of 400 km and simplify the observable airspace to

be a circle around the sensor. Figure 6.5b depicts areas according to their coverage

increase for the entire network. While in Central Europe the deployment of new

6.11 Summary 117

sensors does not significantly impact the overall resilience against attacks, especially

sensor setups close to the coastlines can heavily increase the attack resilience.

6.10.6 Extensions

We discuss three extensions of our trust system with the goal of better reflecting

real-world characteristics as well as introducing a sensor reputation to weight the

impact on the trust assessment process. Further, dynamic learning strategies can

keep attack detection strategies updated.

Time Dependence. Since ADS-B broadcasts use the wireless medium, message

collisions can occur when the frequency band is saturated. The resulting rate of

message loss is dependent on the airspace density which in turn changes over time

based on the operating hours of airports. The more aircraft share the same medium,

the higher the chances are of messages being lost. While our current system esti-

mates reception probabilities based on averaged observations, a future extension of

our trust system may account for time-dependent message losses.

Sensor Reputation. In the currently deployed crowdsourcing network, we con-

sider each sensor as equivalent to any other sensor. However, a portion of the sensors

are operated by personal contacts or registered users. Those sensors are expected

to be less likely to participate in active attacks and we could link the reputation of

the operator to its possessed sensors. To further refine the sensor reputation, the

hardware implementation could also be taken into account, where some implemen-

tations are more robust to faults than others. By incorporating sensor reputation,

the validity of telling normal behavior and attack scenarios apart could be further

improved.

Dynamic Learning. Finally, we envision the implementation of dynamic learning

techniques. A dynamic learning approach could constantly be updated to incorpo-

rate shifts in the message reception patterns which can occur when, e. g., sensors

are joining or leaving the network, the reception range of sensors changes, or trans-

mission ranges are altered. Moreover, new attack vectors may arise in the future. A

(re-)training of our classifier with updated attack vector definitions ensures that the

trust evaluation process keeps its validity while facing currently unknown attacks.

6.11 Summary

This work approached a trust evaluation system for ADS-B based air traffic surveil-

lance using an already existing infrastructure of crowdsourcing sensors. We demon-


strated how our solution leverages sensor redundancy to establish wireless witnessing

to protect an otherwise unsecured open system. To this end, we tested our system

against prominent attack vectors showing that we cannot only detect them but also

draw conclusions about their type and the participating sensors. The validity of

our trust evaluation process depends on the redundancy of sensors observing the

same airspace segments. Moreover, we outlined considerations for future sensor

deployment hardening the network’s security by optimized expansion.

The finish line is just the beginning of a whole new

race.

— Unknown

7Conclusion

Contents

7.1 Key Results . . . . . . . . . . . . . . . . . . . . . . . . . 120

7.2 Directions for Future Work . . . . . . . . . . . . . . . . 121

7.3 Concluding Remarks . . . . . . . . . . . . . . . . . . . . 122

119

120 Chapter 7 Conclusion

7.1 Key Results

Based on the insight that today’s adversaries are progressively advancing in their

available tools, we identified the need for new security approaches to harden satellite-

based navigation systems against updated attacker models. In addition, proposals

need to fulfill restrictions imposed by safety-critical domains to ease the process

of implementation and certification. As a result, we developed lightweight security

solutions that do not require any modifications to the already existing infrastructure.

In the following, we sum up the key results of this dissertation.

Starting with a thorough review of the state of the art concerning attacks on

satellite-based navigation systems and existing countermeasures, we recognized an

increasing gap between the attacker side and the models against which countermea-

sures are evaluated. With the currently available tools and assuming a moderate

knowledge of signal processing, we were able to implement a simple multi-antenna

attacker that is often deemed as too complex or too expensive. This type of attacker

could successfully circumvent countermeasures that neglect the advancements in at-

tacker capabilities.

To this end, we proposed the deployment of four receivers in a predefined forma-

tion to detect Global Positioning System (GPS) spoofing attacks—even considering

the presence of multi-antenna attackers. To demonstrate the viability of our ap-

proach, we implemented a prototype and analyzed its detection performance both

under normal operation and under spoofing attacks. An in-depth error analysis and

the insight that GPS errors are spatially correlated allowed to significantly reduce

the required distances to 5m and an area of 26m2. Hence, the countermeasure can

be instantiated on smaller vehicles while maintaining reliable attack detection and

negligible false alarm rates.

Taking GPS spoofing detection one step further, we proposed Crowd-GPS-Sec as

a crowdsourcing system to detect and localize the signal source of spoofing attack-

ers. The developed scheme uses GPS-inferred Automatic Dependent Surveillance-

Broadcast (ADS-B) aircraft status reports and does not require to be the attacker’s

target itself but can work remotely from where the attack is happening. We designed

Crowd-GPS-Sec without modifications of the existing infrastructure and only con-

sidering already collected reports gathered by the OpenSky Network. As a prereq-

uisite, we implement Multilateration (MLAT) based on Time Difference of Arrival

(TDoA) measurements to independently localize aircraft within a few hundred me-

ters. Further, we formulate two different spoofing detection tests and analyze their

combined detection rate to be approx. 75% and approaching 100% for attackers

with increased range. Eventually, we analyzed the spoofer localization performance

7.2 Directions for Future Work 121

of Crowd-GPS-Sec using extensive simulations and a prototype implementation pro-

cessing real-world aircraft reports. Depending on the considered error model, we

achieved a localization accuracy of approx. 150m after 15min of monitoring time.

To additionally detect attacks on the ADS-B protocol, we pursued a form of

wireless witnessing to assess the trustworthiness of aircraft reports. In particular,

we designed a set of verification tests with a focus on a Machine Learning (ML)

supported cross check making use of the geographical distribution of sensors and

discrete reception events. Again, our system is lightweight in the sense that it

does not require any modifications to the existing infrastructure. Using real-world

air traffic data and simulated attack scenarios, we successfully classified ADS-B

reports to result from normal operation or one of our considered attacks, i. e., GPS

spoofing, ADS-B spoofing, or a Sybil attack. The differentiation gains validity with

an increase in sensor redundancy. Further, we identified the type of attack and

revealed malicious sensors with a high chance of 89% to 99%. Concluding, we

elaborated on optimized sensor deployment and identified the most beneficial regions

for new sensors to further harden the system against attacks.

7.2 Directions for Future Work

To further promote the security of GPS-dependent systems, we point out promising

directions for future work. In particular, we want to highlight the following five

aspects that have emerged during our work.

Implementation and Analysis of Multi-Antenna Attacks

While we presented initial results from a basic multi-antenna implementation, a

thorough evaluation could reveal more insights on how countermeasures behave in

the presence of this type of attack. For instance, a proper attack setup may serve

as a tool to test the protection of concrete countermeasure implementations. Such

a tool can help to substantiate the theoretical resistance of our multi-receiver GPS

spoofing detection. Furthermore, the implementation of a multi-antenna attacker

could help to assess the validity of Crowd-GPS-Sec and its spoofing detection tests

concerning this attacker. Overall, the multi-antenna attacker may have a significant

impact on how we design countermeasures in the future.

Consideration of Mobile Receivers

In its current form, our multi-receiver spoofing detection is instantiated with four

stationary receivers. The consideration of mobile receivers allows dynamical adjust-

122 Chapter 7 Conclusion

ments of the formation as well as affect the error characteristics of mutual distances.

Moreover, the countermeasure may be ported to Unmanned Aerial Vehicle (UAV)

formations, vehicle convoys, or general ad hoc networks to unite against GPS spoof-

ing attacks.

Cross-Network Information Exchange

Our crowdsourcing-based proposals consider multiple data sources, e. g., the ADS-

B sensors of the OpenSky Network. However, the gathered information originates

from the same network limited to the currently participating sensors. To broaden

the available information base, we envision a cross-network information exchange.

Similar to the air traffic surveillance infrastructure, sensor networks exist for marine

traffic or road traffic based on roadside units. Cooperation between these networks

can provide more data for Crowd-GPS-Sec to better detected and localize spoofing

attacks.

Spoofer Localization of Known GPS Spoofing Incidents

While we evaluated the localization performance of Crowd-GPS-Sec based on sim-

ulated attack scenarios, the localization of an unknown real-world attacker remains

an open task. For instance, the spoofer that caused the Black Sea GPS spoofing

incident has never been exposed. Notably, the targeted area was not covered by the

OpenSky Network at the time of happening.

Heuristic Anomaly Detection for ADS-B Reports

Our designed verification system for ADS-B aircraft reports is comparable to the

functioning of Intrusion Detection Systems (IDSs). In essence, we estimate the prob-

ability that a message originated from normal operation or deliberate manipulation

and, hence, we perform anomaly detection. This topic is well-researched in the net-

work security community. Our verification system could adapt known techniques,

e. g., implement a heuristic approach similar to how antivirus software determines

whether files are sound or malicious.

7.3 Concluding Remarks

The technical advancements of recent years have significantly extended the avail-

able attacker tools to threaten applications that rely on satellite-based navigation

systems. The pervasive dependency on the integrity of positioning and time infor-

7.3 Concluding Remarks 123

mation necessitates strong security requirements. However, we observe a striking

mismatch between the feasibility of attacks and the implemented countermeasures.

Even more aggravating, regulators impose restrictions on possible modifications and

therefore demand lightweight security solutions.

To this end, we addressed the challenge of retrofitting security into GPS-dependent

systems. Our proposals demonstrate that these challenges can indeed be approached

and effective countermeasures are available. We are—still—in the position to im-

prove the current security systems and act proactively, rather than to react after

the damage is already done. All that is left is taking our ideas from prototype to

production.

List of Figures

1.1 Schematic Overview of Contributions . . . . . . . . . . . . . . . . . . 4

2.1 Reception of GPS Satellite Signals . . . . . . . . . . . . . . . . . . . . 11

2.2 Positioning via Trilateration . . . . . . . . . . . . . . . . . . . . . . . 13

2.3 Aircraft Broadcast Reports . . . . . . . . . . . . . . . . . . . . . . . . 16

3.1 Single Antenna Attacker . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.2 Multi-Antenna Attacker . . . . . . . . . . . . . . . . . . . . . . . . . 22

4.1 Multi-Receiver Deployment . . . . . . . . . . . . . . . . . . . . . . . 34

4.2 Attack on Multiple Receivers . . . . . . . . . . . . . . . . . . . . . . 35

4.3 Multi-Receiver Formations . . . . . . . . . . . . . . . . . . . . . . . . 38

4.4 Hardware and Experimental Setup . . . . . . . . . . . . . . . . . . . 42

4.5 Reported Receiver Positions . . . . . . . . . . . . . . . . . . . . . . . 43

4.6 Deviations from Mean Position - Authentic . . . . . . . . . . . . . . . 43

4.7 Distance Distributions - Authentic . . . . . . . . . . . . . . . . . . . 44

4.8 Additional Measurements . . . . . . . . . . . . . . . . . . . . . . . . . 46

4.9 Deviations from Mean Position - Spoofing . . . . . . . . . . . . . . . 47

4.10 Distance Distributions - Spoofing . . . . . . . . . . . . . . . . . . . . 48

4.11 Evaluation of Different Radii . . . . . . . . . . . . . . . . . . . . . . . 51

4.12 Detection Performance . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4.13 Prototype Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.14 Deciding Authentic and Spoofing Scenarios . . . . . . . . . . . . . . . 55

4.15 Analysis of Different Functions f(·) . . . . . . . . . . . . . . . . . . . 55

5.1 Overview of Air Traffic Monitoring Techniques . . . . . . . . . . . . . 65

5.2 Experimental Hardware . . . . . . . . . . . . . . . . . . . . . . . . . 68

5.3 Reported Spoofed Positions . . . . . . . . . . . . . . . . . . . . . . . 69

5.4 Number of Affected Aircraft . . . . . . . . . . . . . . . . . . . . . . . 70

5.5 Coverage of Crowd-GPS-Sec . . . . . . . . . . . . . . . . . . . . . . . 71

5.6 System Overview of Crowd-GPS-Sec . . . . . . . . . . . . . . . . . . 72

5.7 Aircraft Localization via Multilateration . . . . . . . . . . . . . . . . 73

5.8 Spoofer Localization . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

5.9 Detection Rates and Coverage . . . . . . . . . . . . . . . . . . . . . . 82

5.10 Comparison of the Detection Rates . . . . . . . . . . . . . . . . . . . 83

5.11 Comparison of the Detection Times . . . . . . . . . . . . . . . . . . . 84

125

126 List of Figures

5.12 Impact of GPS Noise . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.13 Impact of MLAT Noise . . . . . . . . . . . . . . . . . . . . . . . . . . 87

5.14 Impact of Spoofed Track Velocity . . . . . . . . . . . . . . . . . . . . 88

6.1 System Model for ADS-B Trust Establishment . . . . . . . . . . . . . 98

6.2 Distribution of Messages and Sensor Coverage . . . . . . . . . . . . . 101

6.3 ADS-B Trust Evaluation Process . . . . . . . . . . . . . . . . . . . . 102

6.4 Type of Attack - Confusion Matrix . . . . . . . . . . . . . . . . . . . 112

6.5 Resilience and Optimized Deployment . . . . . . . . . . . . . . . . . . 116

List of Tables

2.1 GPS L1 C/A Error Sources and UERE [39,79] . . . . . . . . . . . . . 14

3.1 Related Work Considering Multi-Antenna Attacks . . . . . . . . . . . 24

3.2 Selected Publications Providing Multi-Antenna Results . . . . . . . . 25

4.1 Receiver Placement and Relative Distances . . . . . . . . . . . . . . . 42

4.2 Error Distribution Parameters - Authentic . . . . . . . . . . . . . . . 44

4.3 Error Distribution Parameters - Spoofing . . . . . . . . . . . . . . . . 49

4.4 Simulation Parameter Sets . . . . . . . . . . . . . . . . . . . . . . . . 50

4.5 Function f(·) Performance (Lower is Better) . . . . . . . . . . . . . . 56

5.1 Spoofing Detection Tests Comparison . . . . . . . . . . . . . . . . . . 76

5.2 Localization Requirements . . . . . . . . . . . . . . . . . . . . . . . . 79

5.3 Localization Scenario Comparison . . . . . . . . . . . . . . . . . . . . 80

5.4 Simulation Framework Parameters . . . . . . . . . . . . . . . . . . . 85

6.1 Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6.2 Sanity Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

6.3 Differential Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

6.4 Dependency Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

6.5 Sensitivity to Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

6.6 GPS Spoofing Detection Performance (TPR [%]) . . . . . . . . . . . 110

6.7 ADS-B Spoofing Detection Performance (TPR [%]) . . . . . . . . . . 110

6.8 Sensor Control/Sybil Attack Detection Performance (TPR [%]) . . . 111

6.9 False Alarm Probability [%] . . . . . . . . . . . . . . . . . . . . . . . 115

6.10 Coverage Regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

127

List of Abbreviations

ADS-B . . . . . Automatic Dependent Surveillance-Broadcast

AIS . . . . . . . Automatic Identification System

AoA . . . . . . . Angle of Arrival

C/A . . . . . . . Coarse/Acquisition

CDF . . . . . . Cumulative Distribution Function

CDMA . . . . . Code Division Multiple Access

COTS . . . . . . Commercial Off-the-Shelf

CPS . . . . . . . Cyber-Physical System

EER . . . . . . . Equal Error Rate

FAA . . . . . . . Federal Aviation Administration

GLONASS . . . Global Navigation Satellite System

GNSS . . . . . . Global Navigation Satellite System

GPS . . . . . . . Global Positioning System

ICAO . . . . . . International Civil Aviation Organization

IDS . . . . . . . Intrusion Detection System

IoT . . . . . . . Internet of Things

LoS . . . . . . . Line of Sight

MATLAB . . . MATrix LABoratory

ML . . . . . . . Machine Learning

MLAT . . . . . Multilateration

NAVSTAR . . . Navigation System with Timing and Ranging

NMEA . . . . . National Marine Electronics Association

PDF . . . . . . . Probability Density Function

129

130 List of Abbreviations

PRN . . . . . . Pseudorandom Noise

PVT . . . . . . Position, Velocity and Time

RADAR . . . . Radio Detection and Ranging

RMSE . . . . . Root Mean Square Error

RSS . . . . . . . Received Signal Strength

SA . . . . . . . . Selective Availability

SDR . . . . . . . Software Defined Radio

SNR . . . . . . . Signal-to-Noise Ratio

TDoA . . . . . . Time Difference of Arrival

TNR . . . . . . True Negative Rate

ToA . . . . . . . Time of Arrival

TPR . . . . . . True Positive Rate

UAV . . . . . . Unmanned Aerial Vehicle

UEE . . . . . . User Equipment Error

UERE . . . . . User Equivalent Range Error

URE . . . . . . User Range Error

USRP . . . . . . Universal Software Radio Peripheral

VANET . . . . Vehicular Ad Hoc Network

Bibliography

[1] D. L. Adamy, EW 101: A First Course in Electronic Warfare, 1st ed. Artech

House, 2001.

[2] I. Akkaya, E. A. Lee, and P. Derler, “Model-Based Evaluation of GPS Spoofing

Attacks on Power Grid Sensors,” in Workshop on Modeling and Simulation of

Cyber-Physical Energy Systems (MSCPES ’13). Berkeley, CA, USA: IEEE,

May 2013.

[3] D. M. Akos, “Who’s Afraid of the Spoofer? GPS/GNSS Spoofing Detection

via Automatic Gain Control (AGC),” NAVIGATION, Journal of the Institute

of Navigation, vol. 59, no. 4, pp. 281–290, Dec. 2012.

[4] Arduino. Arduino Uno Rev3. [Online]. Available: https://www.arduino.cc/

en/Main/ArduinoBoardUno

[5] R. Baker and I. Martinovic, “Secure Location Verification with a Mobile Re-

ceiver,” in ACM Workshop on Cyber-Physical Systems Security & Privacy

(CPS-SPC ’16). Vienna, Austria: ACM, Oct. 2016, pp. 35–46.

[6] M. Balduzzi, A. Pasta, and K. Wilhoit, “A Security Evaluation of AIS Au-

tomated Identification System,” in Annual Computer Security Applications

Conference (ACSAC ’14). New Orleans, LA, USA: ACM, Dec. 2014, pp.

436–445.

[7] M. Bartolucci, J. A. del Peral-Rosado, R. Estatuet-Castillo, J. A. García-

Molina, M. Crisci, and G. E. Corazza, “Synchronisation of Low-Cost Open

Source SDRs for Navigation Applications,” in ESA Workshop on Satellite

Navigation Technologies and European Workshop on GNSS Signals and Signal

Processing (NAVITEC ’16). Noordwijk, Netherlands: IEEE, Dec. 2016.

[8] A. Beygelzimer, S. Kakade, and J. Langford, “Cover Trees for Nearest Neigh-

bor,” in International Conference on Machine Learning (ICML ’06). Pitts-

burgh, PA, USA: ACM, Jun. 2006, pp. 97–104.

[9] J. A. Bhatti and T. E. Humphreys, “Hostile Control of Ships via False GPS

Signals: Demonstration and Detection,” NAVIGATION, Journal of the Insti-

tute of Navigation, vol. 64, no. 1, pp. 51–66, May 2017.

131

132 Bibliography

[10] J. A. Bhatti, T. E. Humphreys, and B. M. Ledvina, “Development and Demon-

stration of a TDOA-Based GNSS Interference Signal Localization System,”

in IEEE/ION Position, Location and Navigation Symposium (PLANS ’12).

Myrtle Beach, SC, USA: IEEE, Apr. 2012, pp. 455–469.

[11] L. Breiman, “Random Forests,” Machine Learning, vol. 45, no. 1, pp. 5–32,

Oct. 2001.

[12] A. Broumandan, A. Jafarnia-Jahromi, V. Dehghanian, J. Nielsen, and

G. Lachapelle, “GNSS Spoofing Detection in Handheld Receivers based on

Signal Spatial Correlation,” in IEEE/ION Position, Location and Navigation

Symposium (PLANS ’12). Myrtle Beach, SC, USA: IEEE, Apr. 2012, pp.

479–487.

[13] M. Burgess. (2017, Sep.) When a tanker vanishes, all the evidence points to

Russia. WIRED. [Online]. Available: https://www.wired.co.uk/article/black-

sea-ship-hacking-russia

[14] A. Cavaleri, B. Motella, M. Pini, and M. Fantino, “Detection of Spoofed GPS

Signals at Code and Carrier Tracking Level,” in ESA Workshop on Satellite

Navigation Technologies and European Workshop on GNSS Signals and Signal

Processing (NAVITEC ’10). Noordwijk, Netherlands: IEEE, Dec. 2010.

[15] Y. Chen, W. Trappe, and R. P. Martin, “Detecting and Localizing Wireless

Spoofing Attacks,” in Annual IEEE Communications Society Conference on

Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’07). San

Diego, CA, USA: IEEE, Jun. 2007, pp. 193–202.

[16] Committee on the Future of the Global Positioning System; Commission on

Engineering and Technical Systems; National Research Council, The Global

Positioning System: A Shared National Asset - Recommendations for Techni-

cal Improvements and Enhancements. National Academy Press, 1995.

[17] P. Cooper, “Aviation Cybersecurity–Finding Lift, Minimizing Drag,” Atlantic

Council, Tech. Rep., Nov. 2017, underwritten by Thales.

[18] A. Costin and A. Francillon, “Ghost in the Air(Traffic): On insecurity of ADS-

B protocol and practical attacks on ADS-B devices,” Black Hat USA, Tech.

Rep., Jul. 2012.

[19] crescentvenus. (2018) WALB (Wireless Attack Launch Box). GitHub

Repository. [Online]. Available: https://github.com/crescentvenus/WALB

Bibliography 133

[20] S. Daneshmand, A. Jafarnia-Jahromi, A. Broumandan, and G. Lachapelle, “A

Low-Complexity GPS Anti-Spoofing Method Using a Multi-Antenna Array,”

in International Technical Meeting of The Satellite Division of the Institute of

Navigation (ION GNSS ’12), Nashville, TN, USA, Sep. 2012, pp. 1233–1243.

[21] J. R. Douceur, “The Sybil Attack,” in Revised Papers from the First Inter-

national Workshop on Peer-to-Peer Systems (IPTPS ’01). Cambridge, MA,

USA: Springer, Jan. 2002, pp. 251–260.

[22] R. D. Easton and E. F. Frazier, GPS Declassified: From Smart Bombs to

Smartphones. Potomac Books, 2013.

[23] Ettus Research. USRP B200. [Online]. Available: https://www.ettus.com/

product/details/UB200-KIT

[24] Ettus Research. USRP N210. [Online]. Available: https://www.ettus.com/

product/details/UN210-KIT

[25] Flarm Technology, “System Design and Compatibility,” Tech. Rep., Aug. 2015.

[26] G. S. Gadgets. HackRF One. [Online]. Available: https://greatscottgadgets.

com/hackrf/

[27] G. Gibbons. (2013, Aug.) FCC Fines Operator of GPS Jammer

That Affected Newark Airport GBAS. Inside GNSS. [Online]. Available:

http://www.insidegnss.com/node/3676

[28] Centre Tecnológic de Telecomunicacions de Catalunya (CTTC). GNSS-SDR -

An open source Global Navigation Satellite Systems software-defined receiver.

[Online]. Available: https://gnss-sdr.org

[29] The GNU Radio Foundation. GNU Radio - The Free & Open Software Radio

Ecosystem. [Online]. Available: https://www.gnuradio.org

[30] S. Goff. (2017, Jul.) Reports of Mass GPS Spoofing Attack in the Black

Sea Strengthen Calls for PNT Backup. Inside GNSS. [Online]. Available:

http://www.insidegnss.com/node/5555

[31] D. Goward. (2017, Jul.) Mass GPS Spoofing Attack in Black Sea?

The Maritime Executive. [Online]. Available: https://www.maritime-

executive.com/editorials/mass-gps-spoofing-attack-in-black-sea

134 Bibliography

[32] A. Greenberg. (2012, Jul.) Next-Gen Air Traffic Control Vulnerable

To Hackers Spoofing Planes Out Of Thin Air. Forbes. [Online]. Avail-

able: https://www.forbes.com/sites/andygreenberg/2012/07/25/next-gen-

air-traffic-control-vulnerable-to-hackers-spoofing-planes-out-of-thin-air

[33] C. Günther, “A Survey of Spoofing and Counter-Measures,” NAVIGATION,

Journal of the Institute of Navigation, vol. 61, no. 3, pp. 159–177, Sep. 2014.

[34] Z. Haider and S. Khalid, “Survey on Effective GPS Spoofing Countermea-

sures,” in International Conference on Innovative Computing Technology (IN-

TECH ’16). Dublin, Ireland: IEEE, Aug. 2016, pp. 573–577.

[35] G. W. Hein, F. Kneissl, J.-Á. Ávila-Rodríguez, and S. Wallner, “Authen-

ticating GNSS: Proofs against Spoofs, Part 1,” Inside GNSS, vol. 2, no. 5

(July/August), pp. 58–63, Jul. 2007.

[36] G. W. Hein, F. Kneissl, J.-Á. Ávila-Rodríguez, and S. Wallner, “Authen-

ticating GNSS: Proofs against Spoofs, Part 2,” Inside GNSS, vol. 2, no. 6

(September/October), pp. 71–78, Sep. 2007.

[37] L. Heng, J. J. Makela, A. D. Domínguez-García, R. B. Bobba, W. H. Sanders,

and G. X. Gao, “Reliable GPS-Based Timing for Power Systems: A Multi-

Layered Multi-Receiver Architecture,” in Power and Energy Conference at

Illinois (PECI ’14). Champaign, IL, USA: IEEE, Feb. 2014, pp. 196–202.

[38] S. Henningsen, S. Dietzel, and B. Scheuermann, “Misbehavior Detection in

Industrial Wireless Networks: Challenges and Directions,” Mobile Networks

and Applications, vol. 23, no. 5, pp. 1330–1336, Oct. 2018.

[39] B. Hofmann-Wellenhof, H. Lichtenegger, and J. Collins, Global Positioning

System: Theory and Practice, 5th ed. Springer, 2001.

[40] T. E. Humphreys, “Statement on the Vulnerability of Civil Unmanned Aerial

Vehicles and Other Systems to Civil GPS Spoofing,” University of Texas at

Austin, Tech. Rep., Jul. 2012, Submitted to the Subcommittee on Oversight,

Investigations, and Management of the House Committee on Homeland Secu-

rity.

[41] T. E. Humphreys, “Detection Strategy for Cryptographic GNSS Anti-

Spoofing,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49,

no. 2, pp. 1073–1090, Apr. 2013.

Bibliography 135

[42] T. E. Humphreys, “Statement on the Security Threat Posed By Unmanned

Aerial Systems and Possible Countermeasures,” University of Texas at Austin,

Tech. Rep., Mar. 2015, Submitted to the Subcommittee on Oversight and

Management Efficiency of the House Committee on Homeland Security.

[43] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M.

Kintner, Jr., “Assessing the Spoofing Threat: Development of a Portable GPS

Civilian Spoofer,” in International Technical Meeting of The Satellite Division

of the Institute of Navigation (ION GNSS ’08), Savannah, GA, USA, Sep.

2008, pp. 2314–2325.

[44] K. Hundman, V. Constantinou, C. Laporte, I. Colwell, and T. Soderstrom,

“Detecting Spacecraft Anomalies Using LSTMs and Nonparametric Dynamic

Thresholding,” in ACM SIGKDD International Conference on Knowledge Dis-

covery and Data Mining (KDD ’18). London, United Kingdom: ACM, Aug.

2018, pp. 387–395.

[45] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle, “GPS

Vulnerability to Spoofing Threats and a Review of Antispoofing Techniques,”

International Journal of Navigation and Observation, vol. 2012, May 2012,

Article ID 127072.

[46] K. Jansen and C. Pöpper, “Opinion: Advancing Attacker Models of Satellite-

based Localization Systems—The Case of Multi-device Attackers,” in ACM

Conference on Security and Privacy in Wireless and Mobile Networks

(WiSec ’17). Boston, MA, USA: ACM, Jul. 2017, pp. 156–159.

[47] K. Jansen, M. Schäfer, V. Lenders, C. Pöpper, and J. Schmitt, “POSTER:

Localization of Spoofing Devices using a Large-scale Air Traffic Surveillance

System,” in ACM Asia Conference on Computer and Communications Secu-

rity (ASIACCS ’17). Abu Dhabi, United Arab Emirates: ACM, Apr. 2017,

pp. 914–916.

[48] K. Jansen, M. Schäfer, D. Moser, V. Lenders, C. Pöpper, and J. Schmitt,

“Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS

Spoofing Attacks,” in IEEE Symposium on Security and Privacy (SP ’18).

San Francisco, CA, USA: IEEE, May 2018, pp. 1018–1031.

[49] K. Jansen, N. O. Tippenhauer, and C. Pöpper, “Multi-Receiver GPS Spoof-

ing Detection: Error Models and Realization,” in Annual Computer Security

136 Bibliography

Applications Conference (ACSAC ’16). Los Angeles, CA, USA: ACM, Dec.

2016, pp. 237–250.

[50] The Executive Director of the Joint Air Power Competence Centre (JAPCC),

“Strategic Concept of Employment for Unmanned Aircraft Systems in NATO,”

Joint Air Power Competence Centre (JAPCC), Tech. Rep. UAS CONEMP

Report, Jan. 2010.

[51] X. Jiang, J. Zhang, B. J. Harding, J. J. Makela, and A. D. Domínguez-García,

“Spoofing GPS Receiver Clock Offset of Phasor Measurement Units,” IEEE

Transactions on Power Systems, vol. 28, no. 3, pp. 3253–3262, Feb. 2013.

[52] John A. Volpe National Transportation Systems Center, “Vulnerability Assess-

ment of the Transportation Infrastructure Relying on the Global Positioning

System,” United States Department of Transportation, Tech. Rep., Aug. 2001.

[53] M. Jones. (2017, Oct.) Spoofing in the Black Sea: What really happened?

GPS World. [Online]. Available: http://gpsworld.com/spoofing-in-the-black-

sea-what-really-happened/

[54] A. Jovanovic, C. Botteron, and P.-A. Fariné, “Multi-test Detection and Protec-

tion Algorithm Against Spoofing Attacks on GNSS Receivers,” in IEEE/ION

Position, Location and Navigation Symposium (PLANS ’14). Monterey, CA,

USA: IEEE, May 2014, pp. 1258–1271.

[55] O. Jowett. (2016) mlat-server. GitHub Repository. [Online]. Available:

https://github.com/mutability/mlat-server

[56] R. E. Kalman, “A New Approach to Linear Filtering and Prediction Prob-

lems,” Transactions of the ASME–Journal of Basic Engineering, vol. 82, no.

Series D, pp. 35–45, 1960.

[57] A. J. Kerns, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys, “Unmanned

Aircraft Capture and Control Via GPS Spoofing,” Journal of Field Robotics,

vol. 31, no. 4, pp. 617–636, Apr. 2014.

[58] K. Kohls, K. Jansen, D. Rupprecht, T. Holz, and C. Pöpper, “On the Chal-

lenges of Geographical Avoidance for Tor,” in Network and Distributed System

Security Symposium (NDSS ’19). San Diego, CA, USA: Internet Society,

Feb. 2019.

Bibliography 137

[59] M. G. Kuhn, “An Asymmetric Security Mechanism for Navigation Signals,”

in International Workshop on Information Hiding (IH ’04). Toronto, ON,

Canada: Springer, May 2004, pp. 239–252.

[60] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An In-Line Anti-

Spoofing Device for Legacy Civil GPS Receivers,” in International Technical

Meeting of The Institute of Navigation (ION ’10), San Diego, CA, USA, Jan.

2010, pp. 698–712.

[61] I. Leveson, “GPS Civilian Economic Value to the U.S., Interim Report,” ASRC

Federal Research and Technology Solutions, Inc., Tech. Rep., Aug. 2015, Pre-

pared for the National Executive Committeefor Space-Based Positioning, Nav-

igation and Timing.

[62] M. Lichtman, J. D. Poston, S. Amuru, C. Shahriar, T. C. Clancy, R. M.

Buehrer, and J. H. Reed, “A Communications Jamming Taxonomy,” IEEE

Security & Privacy, vol. 14, no. 1, pp. 47–54, Feb. 2016.

[63] J. Magiera and R. J. Katulski, “Detection and Mitigation of GPS Spoofing

Based on Antenna Array Processing,” Journal of Applied Research and Tech-

nology, vol. 13, no. 1, pp. 45–57, Feb. 2015.

[64] Maritime Administration, “2017-005A-GPS Interference-Black Sea,” United

States Department of Transportation, Tech. Rep. 2017-005A, Jul. 2017.

[65] “MATLAB and Statistics and Machine Learning Toolbox Release 2018a,” The

MathWorks, Inc., Natick, MA, USA.

[66] D. McCallie, J. Butts, and R. Mills, “Security analysis of the ADS-B imple-

mentation in the next generation air transportation system,” International

Journal of Critical Infrastructure Protection, vol. 4, no. 2, pp. 78–87, Aug.

2011.

[67] J. R. van der Merwe, X. Zubizarreta, I. Lukčin, A. Rügamer, and W. Felber,

“Classification of Spoofing Attack Types,” in European Navigation Conference

(ENC ’18). Gothenburg, Sweden: IEEE, May 2018, pp. 91–99.

[68] P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, “Receiver-

Autonomous Spoofing Detection: Experimental Results of a Multi-antenna

Receiver Defense Against a Portable Civil GPS Spoofer,” in International

Technical Meeting of The Institute of Navigation (ION ’09), Anaheim, CA,

USA, Jan. 2009, pp. 124–130.

138 Bibliography

[69] D. Moser, P. Leu, V. Lenders, A. Ranganathan, F. Ricciato, and S. Čapkun,

“Investigation of Multi-device Location Spoofing Attacks on Air Traffic Con-

trol and Possible Countermeasures,” in Annual International Conference on

Mobile Computing and Networking (MobiCom ’16). New York, USA: ACM,

Oct. 2016, pp. 375–386.

[70] National Marine Electronics Association, NMEA 0183, The Standard for In-

terfacing Marine Electronics, National Marine Electronics Association Std.,

Rev. Version 4.10, Jun. 2012.

[71] W. H. L. Neven, T. J. Quilter, R. Weedon, and R. A. Hogendoorn, “Wide Area

Multilateration,” National Aerospace Laboratory (NLR), Tech. Rep. NLR-CR-

2004-472, Aug. 2015.

[72] T. Nighswander, B. M. Ledvina, J. Diamond, R. Brumley, and D. Brumley,

“GPS Software Attacks,” in ACM Conference on Computer and Communica-

tions Security (CCS ’12). Raleigh, NC, USA: ACM, Oct. 2012, pp. 450–461.

[73] R. Oliphant. (2016, Oct.) Is Kremlin cyber warfare behind Moscow GPS

quirk sending Uber cars and Pokemon Go players to strange destinations?

The Telegraph. [Online]. Available: http://www.telegraph.co.uk/news/2016/

10/21/is-kremlin-cyber-warfare-behind-moscow-gps-quirk-sending-uber-ca/

[74] The OpenSky Network. Open Air Traffic Data for Research. [Online].

Available: https://opensky-network.org/

[75] J. I. Øren and T. A. Jensen, “Norway Communications Authority Report GPS

Jamming,” National Communications Authority, Tech. Rep., Sep. 2017.

[76] OSQZSS. (2018) Software-Defined GPS Signal Simulator. GitHub Repository.

[Online]. Available: https://github.com/osqzss/gps-sdr-sim

[77] P. Papadimitratos and A. Jovanovic, “GNSS-based Positioning: Attacks

and Countermeasures,” in IEEE Military Communications Conference (MIL-

COM ’08). San Diego, CA, USA: IEEE, Nov. 2008.

[78] P. Papadimitratos and A. Jovanovic, “Protection and Fundamental Vulnera-

bility of GNSS,” in IEEE International Workshop on Satellite and Space Com-

munications (IWSSC ’08). Toulouse, France: IEEE, Oct. 2008, pp. 167–171.

[79] B. W. Parkinson, J. J. Spilker Jr., P. Axelrad, and P. Enge, Global Positioning

System: Theory and Applications. American Institute of Aeronautics and

Astronautics, 1996, vol. I.

Bibliography 139

[80] A. Perkins, L. Dressel, S. Lo, and P. Enge, “Antenna Characterization for

UAV Based GPS Jammer Detection,” in International Technical Meeting of

The Satellite Division of the Institute of Navigation (ION GNSS+ ’15), Tampa,

FL, USA, Sep. 2015, pp. 1684–1695.

[81] A. Perkins, L. Dressel, S. Lo, T. Reid, K. Gunning, and P. Enge, “Demon-

stration of UAV-Based GPS Jammer Localization During a Live Interference

Exercise,” in International Technical Meeting of The Satellite Division of the

Institute of Navigation (ION GNSS+ ’16), Portland, OR, USA, Sep. 2016, pp.

3094–3106.

[82] K. M. Pesyna, Jr., R. W. Heath, Jr., and T. E. Humphreys, “Centimeter Po-

sitioning with a Smartphone-Quality GNSS Antenna,” in International Tech-

nical Meeting of The Satellite Division of the Institute of Navigation (ION

GNSS+ ’14), Tampa, FL, USA, Sep. 2014, pp. 1568–1577.

[83] J. Petit, M. Feiri, and F. Kargl, “Spoofed Data Detection in VANETs using

Dynamic Thresholds,” in IEEE Vehicular Networking Conference (VNC ’11).

Amsterdam, Netherlands: IEEE, Nov. 2011, pp. 25–32.

[84] C. Pöpper, M. Strasser, and S. Čapkun, “Jamming-resistant Broadcast

Communication without Shared Keys,” in USENIX Security Symposium

(USENIX ’09). Montreal, QC, Canada: USENIX, Aug. 2009, pp. 231–248.

[85] K. Pourvoyeur and R. Heidger, “Secure ADS-B usage in ATC tracking,” in

Tyrrhenian International Workshop on Digital Communications - Enhanced

Surveillance of Aircraft and Vehicles (TIWDC/ESAV ’14). Rome, Italy:

IEEE, Sep. 2014, pp. 35–40.

[86] M. L. Psiaki and T. E. Humphreys, “Attackers can spoof navigation signals

without our knowledge. Here’s how to fight back GPS lies,” IEEE Spectrum,

vol. 53, no. 8, pp. 26–32; 52–53, Aug. 2016.

[87] M. L. Psiaki and T. E. Humphreys, “GNSS Spoofing and Detection,” Proceed-

ings of the IEEE, vol. 104, no. 6, pp. 1258–1270, Jun. 2016.

[88] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, D. P. Shepard, and T. E.

Humphreys, “Civilian GPS Spoofing Detection based on Dual-Receiver Corre-

lation of Military Signals,” in International Technical Meeting of The Satellite

Division of the Institute of Navigation (ION GNSS ’11), Portland, OR, USA,

Sep. 2011, pp. 2619–2645.

140 Bibliography

[89] M. L. Psiaki, B. W. O’Hanlon, S. P. Powell, J. A. Bhatti, K. D. Wesson, T. E.

Humphreys, and A. Schofield, “GNSS Spoofing Detection using Two-Antenna

Differential Carrier Phase,” in International Technical Meeting of The Satellite

Division of the Institute of Navigation (ION GNSS+ ’14), Tampa, FL, USA,

Sep. 2014, pp. 2776–2800.

[90] M. L. Psiaki, S. P. Powell, and B. W. O’Hanlon, “GNSS Spoofing Detection

Using High-Frequency Antenna Motion and Carrier-Phase Data,” in Interna-

tional Technical Meeting of The Satellite Division of the Institute of Navigation

(ION GNSS+ ’13), Nashville, TN, USA, Sep. 2013, pp. 2949–2991.

[91] L. Purton, H. Abbass, and S. Alam, “Identification of ADS-B System Vulnera-

bilities and Threats,” in Australasian Transport Research Forum (ATRF ’10),

Canberra, Australia, Sep. 2010.

[92] S. Pusep. (2017) nRF905 demodulator/FLARM decoder. GitHub Repository.

[Online]. Available: https://github.com/creaktive/flare

[93] Racelogic. LabSat 3 GPS Simulator. [Online]. Available: https://www.labsat.

co.uk/index.php/en/products/labsat-3

[94] D. S. Radin, “GPS Spoofing Detection Using Multiple Antennas and Individ-

ual Space Vehicle Pseudoranges,” Master’s Thesis, University of Rhode Island,

2015.

[95] D. S. Radin, P. F. Swaszek, K. C. Seals, and R. J. Hartnett, “GNSS Spoof De-

tection Based Upon Pseudoranges from Multiple Receivers,” in International

Technical Meeting of The Institute of Navigation (ION ’15), Dana Point, CA,

USA, Jan. 2015, pp. 657–671.

[96] A. Ranganathan, H. Ólafsdóttir, and S. Čapkun, “SPREE: A Spoofing Resis-

tant GPS Receiver,” in Annual International Conference on Mobile Computing

and Networking (MobiCom ’16). New York, USA: ACM, Oct. 2016, pp. 348–

360.

[97] Raspberry Pi Foundation. Raspberry Pi. [Online]. Available: https:

//www.raspberrypi.org

[98] M. Raya, P. Papadimitratos, V. D. Gligor, and J.-P. Hubaux, “On Data-

Centric Trust Establishment in Ephemeral Ad Hoc Networks,” in IEEE Con-

ference on Computer Communications (INFOCOM ’08). Phoenix, AZ, USA:

IEEE, Apr. 2008, pp. 1912–1920.

Bibliography 141

[99] B. A. Renfro, A. Terry, and N. Boeker, “An Analysis of Global Positioning Sys-

tem (GPS) Standard Positioning System (SPS) Performance for 2016,” Space

and Geophysics Laboratory - Applied Research Laboratories - The University

of Texas at Austin, Tech. Rep. TR-SGL-17-06, May 2017.

[100] K. Rothrock. (2016, Oct.) The Kremlin Eats GPS for Breakfast -

Why geolocation in central Moscow has become a real headache. The

Moscow Times. [Online]. Available: https://themoscowtimes.com/articles/

the-kremlin-eats-gps-for-breakfast-55823

[101] RTL-SDR.COM. RTL-SDR (RTL2832U) and software defined radio news

and projects. Also featuring Airspy, HackRF, FCD, SDRplay and more.

[Online]. Available: https://www.rtl-sdr.com

[102] S. Ruj, M. A. Cavenaghi, Z. Huang, A. Nayak, and I. Stojmenovic, “On Data-

Centric Misbehavior Detection in VANETs,” in IEEE Vehicular Technology

Conference (VNC Fall ’11). San Francisco, CA, USA: IEEE, Sep. 2011.

[103] M.-A. Russon. (2015, May) Wondering how to hack a military drone? It’s all

on Google. International Business Times. [Online]. Available: https://www.

ibtimes.co.uk/wondering-how-hack-military-drone-its-all-google-1500326

[104] M. Schäfer, V. Lenders, and I. Martinovic, “Experimental Analysis of Attacks

on Next Generation Air Traffic Communication,” in International Conference

on Applied Cryptography and Network Security (ACNS ’13). Banff, AB,

Canada: Springer, Jun. 2013, pp. 253–271.

[105] M. Schäfer, V. Lenders, and J. Schmitt, “Secure Track Verification,” in IEEE

Symposium on Security and Privacy (SP ’15). San Jose, CA, USA: IEEE,

May 2015, pp. 199–213.

[106] M. Schäfer, P. Leu, V. Lenders, and J. Schmitt, “Secure Motion Verification

using the Doppler Effect,” in ACM Conference on Security and Privacy in

Wireless and Mobile Networks (WiSec ’16). Darmstadt, Germany: ACM,

Jul. 2016, pp. 135–145.

[107] M. Schäfer, M. Strohmeier, V. Lenders, I. Martinovic, and M. Wilhelm,

“Bringing up OpenSky: A Large-scale ADS-B Sensor Network for Research,”

in International Symposium on Information Processing in Sensor Networks

(IPSN ’14). Berlin, Germany: IEEE, Apr. 2014, pp. 83–94.

142 Bibliography

[108] M. Schäfer, M. Strohmeier, M. Smith, M. Fuchs, V. Lenders, M. Liechti, and

I. Martinovic, “OpenSky Report 2017: Mode S and ADS-B Usage of Military

and other State Aircraft,” in IEEE/AIAA Digital Avionics Systems Conference

(DASC ’17). St. Petersburg, FL, USA: IEEE, Sep. 2017.

[109] M. Schäfer, M. Strohmeier, M. Smith, M. Fuchs, V. Lenders, and I. Marti-

novic, “OpenSky Report 2018: Assessing the Integrity of Crowdsourced Mode

S and ADS-B Data,” in IEEE/AIAA Digital Avionics Systems Conference

(DASC ’18). London, United Kingdom: IEEE, Sep. 2018.

[110] M. Schäfer, M. Strohmeier, M. Smith, M. Fuchs, R. Pinheiro, V. Lenders,

and I. Martinovic, “OpenSky Report 2016: Facts and Figures on SSR Mode

S and ADS-B Usage,” in IEEE/AIAA Digital Avionics Systems Conference

(DASC ’16). Sacramento, CA, USA: IEEE, Sep. 2016.

[111] D. Schmidt, K. Radke, S. Camtepe, E. Foo, and M. Ren, “A Survey and Anal-

ysis of the GNSS Spoofing Threat and Countermeasures,” ACM Computing

Surveys, vol. 48, no. 4, May 2016.

[112] L. Scott, “Anti-Spoofing & Authenticated Signal Architectures for Civil Nav-

igation Systems,” in International Technical Meeting of The Satellite Division

of the Institute of Navigation (ION GPS/GNSS ’03), Portland, OR, USA,

Sep. 2003, pp. 1543–1552.

[113] C. Sebastian. (2016, Dec.) Getting lost near the Kremlin? Russia could

be ’GPS spoofing’. CNNMoney. [Online]. Available: http://money.cnn.com/

2016/12/02/technology/kremlin-gps-signals/index.html

[114] G. Seeber, Satellite Geodesy: Foundations, Methods, and Applications, 2nd ed.

de Gruyter, 2003.

[115] S.-H. Seo, B.-H. Lee, S.-H. Im, and G.-I. Jee, “Effect of Spoofing on Unmanned

Aerial Vehicle using Counterfeited GPS Signal,” Journal of Positioning, Nav-

igation, and Timing, vol. 4, no. 2, pp. 57–65, Jun. 2015.

[116] D. P. Shepard, T. E. Humphreys, and A. A. Fansler, “Evaluation of the Vul-

nerability of Phasor Measurement Units to GPS Spoofing Attacks,” in Annual

IFIP WG 11.10 International Conference on Critical Infrastructure Protection

(ICCIP ’12), Washington, D.C., USA, Mar. 2012.

[117] D. Steinmetzer, M. Schulz, and M. Hollick, “Lockpicking Physical Layer Key

Exchange: Weak Adversary Models Invite the Thief,” in ACM Conference on

Bibliography 143

Security and Privacy in Wireless and Mobile Networks (WiSec ’15). New

York City, USA: ACM, Jun. 2015.

[118] M. Strohmeier, V. Lenders, and I. Martinovic, “On the Security of the Au-

tomatic Dependent Surveillance-Broadcast Protocol,” IEEE Communications

Surveys & Tutorials, vol. 17, no. 2, pp. 1066–1087, Oct. 2014.

[119] M. Strohmeier, V. Lenders, and I. Martinovic, “Lightweight Location Verifi-

cation in Air Traffic Surveillance Networks,” in ACM Cyber-Physical System

Security Workshop (CPSS ’15). Singapore, Republic of Singapore: ACM,

Apr. 2015, pp. 49–60.

[120] M. Strohmeier, M. Schäfer, M. Fuchs, V. Lenders, and I. Martinovic, “Open-

Sky: A Swiss Army Knife for Air Traffic Security Research,” in IEEE/AIAA

Digital Avionics Systems Conference (DASC ’15). Prague, Czech Republic:

IEEE, Sep. 2015.

[121] M. Strohmeier, M. Schäfer, V. Lenders, and I. Martinovic, “Realities and

Challenges of NextGen Air Traffic Management: The Case of ADS-B,” IEEE

Communications Magazine, vol. 52, no. 5, pp. 111–118, May 2014.

[122] M. Strohmeier, M. Schäfer, R. Pinheiro, V. Lenders, and I. Martinovic, “On

Perception and Reality in Wireless Air Traffic Communication Security,” IEEE

Transactions on Intelligent Transportation Systems, vol. 18, no. 6, pp. 1338–

1357, Jun. 2017.

[123] M. Strohmeier, M. Smith, M. Schäfer, V. Lenders, and I. Martinovic, “Crowd-

sourcing Security for Wireless Air Traffic Communications,” in International

Conference on Cyber Conflict (CyCon ’17). Tallinn, Estonia: IEEE, May

2017.

[124] M. Sun, M. Li, and R. Gerdes, “A Data Trust Framework for VANETs En-

abling False Data Detection and Secure Vehicle Tracking,” in IEEE Conference

on Communications and Network Security (CNS ’17). Las Vegas, NV, USA:

IEEE, Oct. 2017.

[125] P. F. Swaszek and R. J. Hartnett, “Spoof Detection Using Multiple COTS

Receivers in Safety Critical Applications,” in International Technical Meeting

of The Satellite Division of the Institute of Navigation (ION GNSS+ ’13),

Nashville, TN, USA, Sep. 2013, pp. 2921–2930.

144 Bibliography

[126] P. F. Swaszek and R. J. Hartnett, “A Multiple COTS Receiver GNSS Spoof

Detector – Extensions,” in International Technical Meeting of The Institute of

Navigation (ION ’14), San Diego, CA, USA, Jan. 2014, pp. 316–326.

[127] P. F. Swaszek, R. J. Hartnett, M. V. Kempe, and G. W. Johnson, “Analysis

of a Simple, Multi-Receiver GPS Spoof Detector,” in International Technical

Meeting of The Institute of Navigation (ION ’13), San Diego, CA, USA, Jan.

2013, pp. 884–892.

[128] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Čapkun, “On the

Requirements for Successful GPS Spoofing Attacks,” in ACM Conference on

Computer and Communications Security (CCS ’11). Chicago, IL, USA: ACM,

Oct. 2011, pp. 75–86.

[129] J. B.-Y. Tsui, Fundamentals of Global Positioning System Receivers: A Soft-

ware Approach, 2nd ed. John Wiley & Sons, 2005.

[130] United States Department of Defense, Global Positioning System Standard

Positioning Service Performance Standard, United States Government Std.,

Rev. 4th Edition, Sep. 2008.

[131] United States Department of Homeland Security. Critical Infrastructure Sec-

tors. [Online]. Available: https://www.dhs.gov/cisa/critical-infrastructure-

sectors

[132] United States Department of Transportation, Automatic Dependent

Surveillance-Broadcast (ADS-B) Out Performance Requirements To Support

Air Traffic Control (ATC) Service; Final Rule, Federal Aviation Administra-

tion, May 2010.

[133] United States Department of Transportation, Air Traffic Control - JO

7110.65X, Federal Aviation Administration, Sep. 2017.

[134] J. Wang, Z. Liu, S. Zhang, and X. Zhang, “Defending collaborative false data

injection attacks in wireless sensor networks,” Information Sciences, vol. 254,

pp. 39–53, Jan. 2014.

[135] J. S. Warner and R. G. Johnston, “A Simple Demonstration that the Global

Positioning System (GPS) is Vulnerable to Spoofing,” The Journal of Security

Administration, vol. 25, no. 2, pp. 19–28, 2002.

[136] J. S. Warner and R. G. Johnston, “GPS Spoofing Countermeasures,” Home-

land Security Journal, Dec. 2003.

Bibliography 145

[137] H. Weihrich, “The TOWS Matrix—A Tool for Situational Analysis,” Long

Range Planning, vol. 15, no. 2, pp. 54–66, Apr. 1982.

[138] H. Wen, P. Y.-R. Huang, J. Dyer, A. Archinal, and J. Fagan, “Countermea-

sures for GPS Signal Spoofing,” in International Technical Meeting of The

Satellite Division of the Institute of Navigation (ION GNSS ’05), Long Beach,

CA, USA, Sep. 2005, pp. 1285–1290.

[139] K. D. Wesson, T. E. Humphreys, and B. L. Evans, “Can Cryptography Secure

Next Generation Air Traffic Surveillance?” The University of Texas at Austin,

Tech. Rep., Mar. 2014.

[140] K. D. Wesson, M. Rothlisberger, and T. E. Humphreys, “Practical Cryp-

tographic Civil GPS Signal Authentication,” NAVIGATION, Journal of the

Institute of Navigation, vol. 59, no. 3, pp. 177–193, Sep. 2012.

[141] K. D. Wesson, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys, “An Evalu-

ation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing,” in Interna-

tional Technical Meeting of The Satellite Division of the Institute of Navigation

(ION GNSS ’11), Portland, OR, USA, Sep. 2011, pp. 2646–2656.

[142] J. Yang, Y. Chen, and W. Trappe, “Detecting Spoofing Attacks in Mobile

Wireless Environments,” in Annual IEEE Communications Society Conference

on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09).

Rome, Italy: IEEE, Jun. 2009, pp. 189–197.

[143] J. Yang, Y. Chen, W. Trappe, and J. Cheng, “Detection and Localization

of Multiple Spoofing Attackers in Wireless Networks,” IEEE Transactions on

Parallel and Distributed Systems, vol. 24, no. 1, pp. 44–58, Apr. 2013.

[144] D.-Y. Yu, A. Ranganathan, T. Locher, S. Čapkun, and D. Basin, “Short Paper:

Detection of GPS Spoofing Attacks in Power Grids,” in ACM Conference on

Security and Privacy in Wireless and Mobile Networks (WiSec ’14). Oxford,

United Kingdom: ACM, Jul. 2014, pp. 99–104.

[145] K. C. Zeng, S. Liu, Y. Shu, D. Wang, H. Li, Y. Dou, G. Wang, and Y. Yang,

“All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road

Navigation Systems,” in USENIX Security Symposium (USENIX ’18). Bal-

timore, MD, USA: USENIX, Aug. 2018, pp. 1527–1544.

146 Bibliography

[146] K. Zetter. (2012, Jul.) Air Traffic Controllers Pick the Wrong Week to Quit

Using Radar. WIRED. [Online]. Available: https://www.wired.com/2012/07/

adsb-spoofing/

Detection and localization of attacks on satellite-based ...

Documents

Transcript of Detection and localization of attacks on satellite-based ...