Enabling High-Integrity Satellite Navigation for Vehicular...

GNSS Laboratory

Smead Aerospace Engineering Sciences - University of Colorado Boulder

Enabling High-Integrity Satellite Navigation for Vehicular Operations

via Automatic Gain Control

13th Annual Position, Navigation, and Time Symposium

October 29, 2019

Charles Puskar, Nathan Levigne, Dennis AkosUniversity of Colorado Boulder

GNSS Laboratory


Presentation Overview• Background• Recent Experiments• AGC Characterization/Standardization• Conclusion

GNSS Laboratory


Presentation Overview• Background

» GNSS Overview» GNSS RFI, Jamming, and Spoofing

» Automatic Gain Control» Problem Statement

• Recent Experiments

• AGC Characterization/Standardization

• Conclusions

GNSS Laboratory


Global Navigation Satellite System(s) Overview• Global Navigation Satellite Systems

(GNSS). Constellation of satellites that are constantly broadcasting an L-band (1-2 GHz) carrier signal that is superimposed with orbital data and a ranging code

• A receiver collects this signal from at least four satellites, calculates its position and time via trilateration

• Active global constellations: Global Positioning System (GPS), GLONASS, Galileo, and Beidou

Source: Wikipedia

Source: GISGeography

GNSS Laboratory


GNSS Radio Frequency Interference • Radio Frequency Interference (RFI) is any sort of signal

which prevents the true GNSS signal from being obtained

• GNSS is highly vulnerable to RFI due to the low received power

• Many forms of RFI:» Jamming» Spoofing

Source: Bastide, et al. (2003)

GNSS Laboratory


Jamming• The deliberate drowning out of GPS signals using

high power signals in the GPS band (illegal)• Simple, inexpensive, and available online• Recent occurrences:

» Newark airport (2013) [1]» Melbourne airport (2014) [2]» New Jersey Turnpike (2011) [3]

[1] https://www.cnet.com/news/truck-driver-has-gps-jammer-accidentally-jams-newark-airport/, [2] https://www.itnews.com.au/news/melbourne-cabbie-fined-over-gps-jammer-369108,[3] https://insidegnss.com/fcc-fines-operator-of-gps-jammer-that-affected-newark-airport-gbas/

https://www.cnet.com/news/truck-driver-has-gps-jammer-accidentally-jams-newark-airport/

https://www.itnews.com.au/news/melbourne-cabbie-fined-over-gps-jammer-369108

https://insidegnss.com/fcc-fines-operator-of-gps-jammer-that-affected-newark-airport-gbas/

GNSS Laboratory


Spoofing• The deliberate emission of false

GPS signals to change victim's position (illegal)

• More difficult than jamming

• Recent occurrences:» Iran–U.S. RQ-170 incident (2011)

[4]» Black Sea incident (2017) [5]» Uber, drivers actively spoofing and

jamming to get higher position in airport queues (2017) [6]

Source: Insinuator

Source: InsideGNSS

[4] https://www.militaryaerospace.com/articles/2016/05/unmanned-cyber-warfare.html,

[5] https://www.gpsworld.com/spoofing-in-the-black-sea-what-really-happened/,

[6] https://rntfnd.org/2018/03/07/gps-spoofing-a-growing-problem-for-uber-solid-driver/

https://www.militaryaerospace.com/articles/2016/05/unmanned-cyber-warfare.html

https://www.gpsworld.com/spoofing-in-the-black-sea-what-really-happened/

https://insidegnss.com/fcc-fines-operator-of-gps-jammer-that-affected-newark-airport-gbas/

https://rntfnd.org/2018/03/07/gps-spoofing-a-growing-problem-for-uber-solid-driver/

GNSS Laboratory


Tesla Spoofing Vulnerability• June 2019, researchers from Regulus Cyber proved Tesla

Model 3 vulnerable to spoofing[7]

» Remotely granted attackers control of vehicle

• According to Yoav Zangvil (Regulus CTO)» For cars, spoofing attack is confusing in best case, a threat to safety

in severe scenarios

» The more GPS data is leveraged in automated driver assistance systems, the stronger and more unpredictable the effects of spoofing become

Source: InsideGNSS

GNSS Laboratory


Geneva Motor Show Spoofing• In March 2019, GPS units of 7 manufacturer's cars reported

locations in England, year of 2036» Impacted included Audi, Peugeot, Renault, Rolls-Royce, Volkswagen,

Daimler-Benz, and BMW

• Address spoofed was that of RaceLogic» Company makes device that simulates

GPS signals» Managing Director denied their

involvement

• Several months later, no info as to who, why, or how

Source: Julian Thomas via Jalopnik

GNSS Laboratory


Enforcement• Interfering with the GPS band is illegal and carries a large

fine, but the law is difficult to enforce due to the following factors:» Scale: offenders could be located at any place and time» Cost: current methods of detection require specialist with complex and

expensive equipment

• Overall there is a demand for methods of detecting and identifying offenders that is effective, economic, and scalable

Source: itnews

GNSS Laboratory


Automatic Gain Control Background• Circuit designed to dynamically

change gain such that input signal is appropriate for front-end components

• Allows for the use of different antenna and pre-amps

• Works on a feed-back loop

Analog Signal

3.0 V = 162.5 V = 15

.

.

.

.

.

.0.5 V = 10 V = 0

Digital Signal

0 - 160 - inf. [V]

ADC

Source: Iulian Rosu

GNSS Laboratory


GNSS Automatic Gain Control• In all multi-bit ADC receivers• An AGC circuit in a GNSS receiver

differs from a typical receiver:» GNSS signals are below the noise

floor meaning noise is dominant» Instead of using the incoming voltage

the AGC drives the ADC output to a gaussian distribution

Source: GNSS by Hofmann-Wellenhof, et al.

GNSS Laboratory


Where to Detect RFI/Spoofing: AGC

To minimize losses the amplitude of the received signal has

to be adjusted to the range of the

ADC

2.046 MHz≈ -130 dBm

IF (MHz) Freq

Power

≈ -111 dBm(2 MHz BW)

-- GPS C/A

-- Noise floor-- RF filter

• AGC measures the noise floor of the

antenna/receiver (signal captured in the ADC)

• Any additional energy (jamming or spoofing) in

the band will result in an AGC change

• Very low computational metric available on any

multibit GPS/GNSS receiver

» When Android added the availability of raw

GNSS measurements, AGC measurements

were also included

GNSS Laboratory


Problem Statement & Proposed Approach

• GNSS signal interference is an issue with increasing frequency and significance of impact

• AGC is a circuit found in most GNSS receivers that adjusts based on the ambient noise environment of the signal

• Both GNSS jamming and spoofing increase the power of the received signal

• Push to leverage & standardize AGC for jamming/spoofing detection

GNSS Laboratory


Presentation Overview• Background• Recent Experiments

» Vehicular GNSS Signal Degradation» AGC Spoofing Detection

• AGC Characterization/Standardization• Conclusions

GNSS Laboratory


Vehicular GNSS Signal Degradation• Can AGC be effectively used in a vehicle environment”?

» Most of the most common use case for GNSS is vehicle navigation but the in-vehicle environment is not “nice” for satellite navigation

» Multiple electronic elements in modern vehicles and “stray” RFI is a consequence of such electronics

» Signal may be blocked, which limits availability» Signal may be attenuated, which limits accuracy

GNSS Laboratory


Equipment Setup

GNSS Laboratory


Testing Procedure• Steps 001-007

» Purpose• To identify the source of tones generated by

the vehicle and its components» Average trace setting

• Tones are generated constantly or periodically, so an average allows for proper identification

» Step 007• Residual interference from vehicle

components

• Steps 008-013» Max hold trace setting

• Concentration of noise or tones is detrimental

» Data recorded for 10 seconds• Where in the bandwidth are components

generating the most instantenous noise?

• Steps 014-016» Testing with antenna from Google G1 cell phone

Resolution BW 30 KHz

Samples 100

GNSS Laboratory


Single Vehicle Analysis• Blue (Control Plot – Step 001)

à Roof / All Off

• Red (Test Plot – Step 006) à Dashboard / All On

Difference plot• Difference between Blue and Red test• Identify tones and comparison metrics

Chrysler Town & CountryAvg.

Noise (dB)

AreaMaximum

(dB)Minimum

(dB)Std. Dev.

2.8854 1820.72 -79.71 -91.71 1.557

GPS main spectral lobe more affected inside the car

GNSS Laboratory


Component Analysis – Tests 001-006• Most tones

» Test 003 – only engine turned on

• Most significant source of interference

Hyundai Santa Fe

GNSS Laboratory


Component Analysis – Tests 008-013

• Significant noise increases once engine turned on in test 010

Hyundai Santa Fe

Detrimental tonal interference in GPS main spectral lobe

GNSS Laboratory


Comparison Metrics• Average Noise

» Computed noise average from difference plot

» How much noise is generated by vehicle’s components?

• Area» Integral of the difference plot» Comparison of the tones to noise» Large tones will increase this metric

• Maximum, Minimum, Standard Deviation

» Establish range and limits of spectrum

VehicleAvg.

Noise (dB)

Area Max (dB)

Min (dB)

Std. Dev.

Armada2.337 1475.6 -83.283 -92.184 0.991

Commander

4.264 2691.1 -71.013 -90.93 1.367Enclave

2.555 1612.7 -83.788 -91.655 0.993Expedition

4.104 2589.9 -79.286 -90.541 1.711Mountaineer

5.018 3166.5 -75.232 -91.495 3.439Outlook

3.409 2151.4 -85.051 -91.212 0.854Prius

6.945 4382.9 -65.322 -88.352 1.986Santa Fe

3.909 2466.9 -79.322 -91.141 1.306Sequoia

2.849 1798.3 -87.778 -91.786 0.67Suburban

2.694 1700.5 -79.965 -90.96 0.998Tahoe

3.624 2287.1 -82.249 -91.309 1.106Town & Country 2.885 1820.7 -79.714 -91.712 1.557Yukon XL

3.258 2055.9 -82.05 -92.001 1.071

• Green cells• ‘better’ values, cleaner spectrum

• Red cells• worse’ values, noisier spectrum

GNSS Laboratory


Visual Comparison – Top 5 Vehicles

• Top 5 Vehicles

» Armada generates tones closer to L1 frequency than the Sequoia

» Enclave has a strong tone in L1 center frequency

» Outlook generates tones farther from L1 frequency, but ranked lower due to higher degree of noise (difference plots between tests 001 and 006)

GNSS Laboratory


Visual Comparison – Bottom 4 Vehicles• Bottom 4 Vehicles

» Large amounts of noise and tones.

» Expedition and Mountaineer both generate large tones near 1.5805 GHz and both manufactured by Ford. May contain similar components.

» Hybrid Prius tested only while battery was being charged. Significant noise and tones.

(difference plots between tests 001 and 006)

GNSS Laboratory


Vehicular Signal Degradation: Discussion

• The ambient noise environment of the GNSS spectrum varies heavily in vehicles» Dependent on vehicle type» Dependent on vehicle operations

• Changing ambient noise environments could make spectrum power monitoring a less effective interference detection metric» Effective could be mitigated by characterization of vehicle and

operational specific noise conditions

• GNSS antenna placement is impactful within vehicles

GNSS Laboratory


Presentation Overview• Background• Recent Experiments

» Vehicular GNSS Signal Degradation» AGC Spoofing Detection

• AGC Characterization/Standardization• Conclusions

GNSS Laboratory


AGC Spoofing Detection• Developed experiment to

assess AGC’s ability to detect spoofing

• Swedish Military Test Range: Robotförsökplats Norrland (RFN)

• Difficult to perform such experiments outside of a laboratory environment

• Utilize a simplistic repeater spoofer (meaconing) in live testing

Red: Flight Restricted area 130x70 km

Green: Test range

GNSS Laboratory


Spoofer Detection Experiment Setup

GNSS Laboratory


GPS AGC & XYZ Position Data – Driving Towards

• AGC 2-sigma threshold flagged well before GPS RX is captured by spoofer

• Other receivers under test showed similar results

1000

2000

Survey Grade Receiver Results : Driving Toward Spoofer

AG

C le

vel

0

100

200

DX

(m)

0

300

600

DY

(m)

0 20 40 60 80 100 120 140 160-100-50

0

Time (s)

DZ

(m)

GNSS Laboratory


GPS AGC & XYZ Position Data – Driving Away

500

1500

2500Survey Grade Receiver Results : Driving Away From Spoofer

AG

C le

vel

0

75

150

DX

(m)

-400

-200

0

DY

(m)

0 20 40 60 80 100 120-10

10

30

DZ

(m)

Time (s)

• AGC 2-sigma threshold exceed when receiver is powered on

• True position only after AGC returns to normal levels

• Other receivers under test showed similar results

GNSS Laboratory


AGC Spoofer Detection: Discussion

• AGC can be used to detect GNSS signal spoofing» Can detect spoofed signal before malicious signal

affects position and timing results» Can indicate when the spectrum environment is

again safe for use• This detection method can work in the

ambient noise environment of a car

GNSS Laboratory


Presentation Overview• Background• Recent Experiments• AGC Characterization/Standardization

» AGC Characterization Overview» Signal Specific Responses» Receiver Specific Responses» Need for Standarization

• Conclusions

GNSS Laboratory


AGC Characterization Overview• AGC response to input power for a variety of

input signals

• Initially explore three COTS receivers:» SiGe (developed by CU and SiGe)

• GPS L1 receiver w/ 2-bit ADC• AGC given as the VGA voltage

» NT1065 (developed by NT Labs)• Multi-band receiver• AGC given as the VGA gain in dBm

» Ublox M8T (developed by Ublox)• Multi-band• AGC given as a percentage

• Have also tested various Novatel RX and Android platforms

GNSS Laboratory


Signal Specific Responses• Inverse AGC/power relationship apparent

GNSS Laboratory


Receiver Specific Response

• Clear inverse relationship» SiGe w/ varying response» NT1065 w/ consistent

response» M8T w/ Consistent response

GNSS Laboratory


AGC Characterization: Discussion• It is possible to characterize the response of a

receiver's AGC metric to incoming signal power

• This response is dependent on a number of variables» Response is varies signal to signal» Receivers with different hardware/integration have

different responses

• On top of response variability, AGC metric varies heavily between different receivers

GNSS Laboratory


Need for Standarization• Variability of AGC metric units can pose issues for future use

» Can make comparison across receiver types more difficult» Reduces clarity of measurements» Standardization to a known unit with physical meaning, such as the

dB, could solve this problem» Coupling AGC with input spectrum can provide more representative

power measurements

• Some receivers do not make the AGC metric available» Prevents future implementation of metric as a tool against interference

detection and other potential uses

GNSS Laboratory


Presentation Overview• Background• Recent Experiments• AGC Characterization/Standardization• Conclusions

GNSS Laboratory


Conclusions

• GNSS jamming and spoofing attacks are occurring with increasing frequency and increasing significance of impact» Future GNSS dependent technology is particularly vulnerable

• AGC is a component found in nearly all GNSS receivers, and can be used as an interference/spoofing detection tool with little to no modification

• Better characterization and standardization of the AGC and its reporting will provide significantly better usability

GNSS Laboratory


Thank you!

Questions?

Enabling High-Integrity Satellite Navigation for Vehicular...

Documents

Transcript of Enabling High-Integrity Satellite Navigation for Vehicular...