GNSS Laboratory
Smead Aerospace Engineering Sciences - University of Colorado Boulder
Enabling High-Integrity Satellite Navigation for Vehicular Operations
via Automatic Gain Control
13th Annual Position, Navigation, and Time Symposium
October 29, 2019
Charles Puskar, Nathan Levigne, Dennis Akos
University of Colorado Boulder
Presentation Overview
• Background
• Recent Experiments
• AGC Characterization/Standardization
• Conclusion
Presentation Overview
• Background
» GNSS Overview
» GNSS RFI, Jamming, and Spoofing
» Automatic Gain Control
» Problem Statement
• Recent Experiments
• AGC Characterization/Standardization
• Conclusions
Global Navigation Satellite System(s) Overview
• Global Navigation Satellite Systems (GNSS): constellations of satellites that constantly broadcast an L-band (1-2 GHz) carrier signal superimposed with orbital data and a ranging code
• A receiver collects this signal from at least four satellites and calculates its position and time via trilateration
• Active global constellations: Global Positioning System (GPS), GLONASS, Galileo, and Beidou
Source: Wikipedia
Source: GISGeography
GNSS Radio Frequency Interference
• Radio Frequency Interference (RFI) is any sort of signal which prevents the true GNSS signal from being obtained
• GNSS is highly vulnerable to RFI due to the low received power
• Many forms of RFI:
» Jamming
» Spoofing
Source: Bastide, et al. (2003)
Jamming
• The deliberate drowning out of GPS signals using high power signals in the GPS band (illegal)
• Simple, inexpensive, and available online
• Recent occurrences:
» Newark airport (2013) [1]
» Melbourne airport (2014) [2]
» New Jersey Turnpike (2011) [3]
[1] https://www.cnet.com/news/truck-driver-has-gps-jammer-accidentally-jams-newark-airport/
[2] https://www.itnews.com.au/news/melbourne-cabbie-fined-over-gps-jammer-369108
[3] https://insidegnss.com/fcc-fines-operator-of-gps-jammer-that-affected-newark-airport-gbas/
Spoofing
• The deliberate emission of false GPS signals to change victim's position (illegal)
• More difficult than jamming
• Recent occurrences:
» Iran–U.S. RQ-170 incident (2011) [4]
» Black Sea incident (2017) [5]
» Uber: drivers actively spoofing and jamming to get higher position in airport queues (2017) [6]
Source: Insinuator
Source: InsideGNSS
[4] https://www.militaryaerospace.com/articles/2016/05/unmanned-cyber-warfare.html
[5] https://www.gpsworld.com/spoofing-in-the-black-sea-what-really-happened/
[6] https://rntfnd.org/2018/03/07/gps-spoofing-a-growing-problem-for-uber-solid-driver/
Tesla Spoofing Vulnerability
• June 2019, researchers from Regulus Cyber proved Tesla Model 3 vulnerable to spoofing [7]
» Remotely granted attackers control of vehicle
• According to Yoav Zangvil (Regulus CTO)
» For cars, spoofing attack is confusing in best case, a threat to safety in severe scenarios
» The more GPS data is leveraged in automated driver assistance systems, the stronger and more unpredictable the effects of spoofing become
Source: InsideGNSS
Geneva Motor Show Spoofing
• In March 2019, GPS units in cars from 7 manufacturers reported locations in England, in the year 2036
» Impacted included Audi, Peugeot, Renault, Rolls-Royce, Volkswagen, Daimler-Benz, and BMW
• Address spoofed was that of RaceLogic
» Company makes a device that simulates GPS signals
» Managing Director denied their involvement
• Several months later, no info as to who, why, or how
Source: Julian Thomas via Jalopnik
Enforcement
• Interfering with the GPS band is illegal and carries a large fine, but the law is difficult to enforce due to the following factors:
» Scale: offenders could be located at any place and time
» Cost: current methods of detection require a specialist with complex and expensive equipment
• Overall there is a demand for methods of detecting and identifying offenders that are effective, economic, and scalable
Source: itnews
Automatic Gain Control Background
• Circuit designed to dynamically change gain such that input signal is appropriate for front-end components
• Allows for the use of different antennas and pre-amps
• Works on a feedback loop
[Figure: analog signal (0 - inf. V) into the ADC, digital signal (0 - 16) out; example mapping 3.0 V = 16, 2.5 V = 15, ..., 0.5 V = 1, 0 V = 0]
Source: Iulian Rosu
GNSS Automatic Gain Control
• In all multi-bit ADC receivers
• An AGC circuit in a GNSS receiver differs from a typical receiver:
» GNSS signals are below the noise floor, meaning noise is dominant
» Instead of using the incoming voltage, the AGC drives the ADC output to a Gaussian distribution
Source: GNSS by Hofmann-Wellenhof, et al.
Where to Detect RFI/Spoofing: AGC
To minimize losses, the amplitude of the received signal has to be adjusted to the range of the ADC
[Figure: power vs. IF frequency (MHz), showing GPS C/A (2.046 MHz, ≈ -130 dBm), noise floor (≈ -111 dBm in 2 MHz BW), and RF filter]
• AGC measures the noise floor of the antenna/receiver (signal captured in the ADC)
• Any additional energy (jamming or spoofing) in the band will result in an AGC change
• Very low computational metric available on any multibit GPS/GNSS receiver
» When Android added the availability of raw GNSS measurements, AGC measurements were also included
Problem Statement & Proposed Approach
• GNSS signal interference is an issue with increasing frequency and significance of impact
• AGC is a circuit found in most GNSS receivers that adjusts based on the ambient noise environment of the signal
• Both GNSS jamming and spoofing increase the power of the received signal
• Push to leverage & standardize AGC for jamming/spoofing detection
Presentation Overview
• Background
• Recent Experiments
» Vehicular GNSS Signal Degradation
» AGC Spoofing Detection
• AGC Characterization/Standardization
• Conclusions
Vehicular GNSS Signal Degradation
• Can AGC be effectively used in a vehicle environment?
» The most common use case for GNSS is vehicle navigation, but the in-vehicle environment is not “nice” for satellite navigation
» Modern vehicles contain multiple electronic elements, and “stray” RFI is a consequence of such electronics
» Signal may be blocked, which limits availability
» Signal may be attenuated, which limits accuracy
Equipment Setup
Testing Procedure
• Steps 001-007
» Purpose
• To identify the source of tones generated by the vehicle and its components
» Average trace setting
• Tones are generated constantly or periodically, so an average allows for proper identification
» Step 007
• Residual interference from vehicle components
• Steps 008-013
» Max hold trace setting
• Concentration of noise or tones is detrimental
» Data recorded for 10 seconds
• Where in the bandwidth are components generating the most instantaneous noise?
• Steps 014-016
» Testing with antenna from Google G1 cell phone
Resolution BW 30 kHz
Samples 100
Single Vehicle Analysis
• Blue (Control Plot – Step 001) → Roof / All Off
• Red (Test Plot – Step 006) → Dashboard / All On
Difference plot
• Difference between Blue and Red test
• Identify tones and comparison metrics
Chrysler Town & Country
Avg. Noise (dB)   Area      Maximum (dB)   Minimum (dB)   Std. Dev.
2.8854            1820.72   -79.71         -91.71         1.557
GPS main spectral lobe more affected inside the car
Component Analysis – Tests 001-006
• Most tones
» Test 003 – only engine turned on
• Most significant source of interference
Hyundai Santa Fe
Component Analysis – Tests 008-013
• Significant noise increases once engine turned on in test 010
Hyundai Santa Fe
Detrimental tonal interference in GPS main spectral lobe
Comparison Metrics
• Average Noise
» Computed noise average from difference plot
» How much noise is generated by vehicle’s components?
• Area
» Integral of the difference plot
» Comparison of the tones to noise
» Large tones will increase this metric
• Maximum, Minimum, Standard Deviation
» Establish range and limits of spectrum
Vehicle          Avg. Noise (dB)   Area     Max (dB)   Min (dB)   Std. Dev.
Armada           2.337             1475.6   -83.283    -92.184    0.991
Commander        4.264             2691.1   -71.013    -90.93     1.367
Enclave          2.555             1612.7   -83.788    -91.655    0.993
Expedition       4.104             2589.9   -79.286    -90.541    1.711
Mountaineer      5.018             3166.5   -75.232    -91.495    3.439
Outlook          3.409             2151.4   -85.051    -91.212    0.854
Prius            6.945             4382.9   -65.322    -88.352    1.986
Santa Fe         3.909             2466.9   -79.322    -91.141    1.306
Sequoia          2.849             1798.3   -87.778    -91.786    0.67
Suburban         2.694             1700.5   -79.965    -90.96     0.998
Tahoe            3.624             2287.1   -82.249    -91.309    1.106
Town & Country   2.885             1820.7   -79.714    -91.712    1.557
Yukon XL         3.258             2055.9   -82.05     -92.001    1.071
• Green cells: ‘better’ values, cleaner spectrum
• Red cells: ‘worse’ values, noisier spectrum
Visual Comparison – Top 5 Vehicles
• Top 5 Vehicles
» Armada generates tones closer to L1 frequency than the Sequoia
» Enclave has a strong tone in L1 center frequency
» Outlook generates tones farther from L1 frequency, but ranked lower due to higher degree of noise
(difference plots between tests 001 and 006)
Visual Comparison – Bottom 4 Vehicles
• Bottom 4 Vehicles
» Large amounts of noise and tones.
» Expedition and Mountaineer both generate large tones near 1.5805 GHz and both manufactured by Ford. May contain similar components.
» Hybrid Prius tested only while battery was being charged. Significant noise and tones.
(difference plots between tests 001 and 006)
Vehicular Signal Degradation: Discussion
• The ambient noise environment of the GNSS spectrum varies heavily in vehicles
» Dependent on vehicle type
» Dependent on vehicle operations
• Changing ambient noise environments could make spectrum power monitoring a less effective interference detection metric
» Effect could be mitigated by characterization of vehicle- and operation-specific noise conditions
• GNSS antenna placement is impactful within vehicles
Presentation Overview
• Background
• Recent Experiments
» Vehicular GNSS Signal Degradation
» AGC Spoofing Detection
• AGC Characterization/Standardization
• Conclusions
AGC Spoofing Detection
• Developed experiment to assess AGC’s ability to detect spoofing
• Swedish Military Test Range: Robotförsökplats Norrland (RFN)
• Difficult to perform such experiments outside of a laboratory environment
• Utilize a simplistic repeater spoofer (meaconing) in live testing
Red: Flight Restricted area 130x70 km
Green: Test range
Spoofer Detection Experiment Setup
GPS AGC & XYZ Position Data – Driving Towards
• AGC 2-sigma threshold flagged well before GPS RX is captured by spoofer
• Other receivers under test showed similar results
[Figure: Survey Grade Receiver Results: Driving Toward Spoofer. Panels: AGC level, DX (m), DY (m), DZ (m) vs. Time (s)]
GPS AGC & XYZ Position Data – Driving Away
[Figure: Survey Grade Receiver Results: Driving Away From Spoofer. Panels: AGC level, DX (m), DY (m), DZ (m) vs. Time (s)]
• AGC 2-sigma threshold exceeded when receiver is powered on
• True position only after AGC returns to normal levels
• Other receivers under test showed similar results
AGC Spoofer Detection: Discussion
• AGC can be used to detect GNSS signal spoofing
» Can detect spoofed signal before malicious signal affects position and timing results
» Can indicate when the spectrum environment is again safe for use
• This detection method can work in the ambient noise environment of a car
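An added example, not from the presentation: a 2-sigma AGC monitor of the kind these results describe, flagging deviation from an interference-free baseline and reporting when readings return to normal. The AGC units, the two-sided test, the `hold` debounce and all sample values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def calibrate(clean_agc):
    """Baseline (mean, sigma) from AGC samples recorded with no interference,
    in the same vehicle and operating state that will be monitored."""
    if len(clean_agc) < 2:
        raise ValueError("need at least two calibration samples")
    return mean(clean_agc), stdev(clean_agc)

def flag_intervals(agc, baseline, k=2.0, hold=3):
    """Return [(start, end)] index ranges where AGC stays more than k*sigma
    from the baseline for at least `hold` consecutive samples (assumed
    debounce). end is exclusive; end == len(agc) means still in alarm."""
    mu, sigma = baseline
    limit = k * max(sigma, 1e-9)  # guard against a perfectly flat baseline
    intervals, run_start = [], None
    for i, value in enumerate(agc):
        # Two-sided test: receivers report AGC in different units and signs.
        if abs(value - mu) > limit:
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= hold:
                intervals.append((run_start, i))
            run_start = None
    if run_start is not None and len(agc) - run_start >= hold:
        intervals.append((run_start, len(agc)))
    return intervals

def usable_fixes(agc, baseline, k=2.0, hold=3):
    """Per-sample trust mask: False while an alarm interval is active."""
    mask = [True] * len(agc)
    for start, end in flag_intervals(agc, baseline, k, hold):
        mask[start:end] = [False] * (end - start)
    return mask

# Constructed sample data (arbitrary AGC units, one sample per second):
# a quiet baseline, then a drive past an interference source and recovery.
CLEAN = [1500, 1504, 1497, 1502, 1499, 1501, 1496, 1503, 1500, 1498]
DRIVE = [1501, 1498, 1512, 1499, 1480, 1440, 1390, 1350, 1410, 1470, 1497, 1502]

if __name__ == "__main__":
    base = calibrate(CLEAN)
    print("baseline mean/sigma:", base)
    print("alarm intervals:", flag_intervals(DRIVE, base))
```

The single outlier at index 2 is suppressed by the debounce, which matters because a bare 2-sigma test on Gaussian noise trips on roughly one sample in twenty.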
Presentation Overview
• Background
• Recent Experiments
• AGC Characterization/Standardization
» AGC Characterization Overview
» Signal Specific Responses
» Receiver Specific Responses
» Need for Standardization
• Conclusions
AGC Characterization Overview
• AGC response to input power for a variety of input signals
• Initially explore three COTS receivers:
» SiGe (developed by CU and SiGe)
• GPS L1 receiver w/ 2-bit ADC
• AGC given as the VGA voltage
» NT1065 (developed by NT Labs)
• Multi-band receiver
• AGC given as the VGA gain in dBm
» Ublox M8T (developed by Ublox)
• Multi-band
• AGC given as a percentage
• Have also tested various Novatel RX and Android platforms
Signal Specific Responses
• Inverse AGC/power relationship apparent
Receiver Specific Response
• Clear inverse relationship
» SiGe w/ varying response
» NT1065 w/ consistent response
» M8T w/ consistent response
AGC Characterization: Discussion
• It is possible to characterize the response of a receiver's AGC metric to incoming signal power
• This response is dependent on a number of variables
» Response varies signal to signal
» Receivers with different hardware/integration have different responses
• On top of response variability, AGC metric varies heavily between different receivers
Need for Standardization
• Variability of AGC metric units can pose issues for future use
» Can make comparison across receiver types more difficult
» Reduces clarity of measurements
» Standardization to a known unit with physical meaning, such as the dB, could solve this problem
» Coupling AGC with input spectrum can provide more representative power measurements
• Some receivers do not make the AGC metric available
» Prevents future implementation of metric as a tool for interference detection and other potential uses
Presentation Overview
• Background
• Recent Experiments
• AGC Characterization/Standardization
• Conclusions
Conclusions
• GNSS jamming and spoofing attacks are occurring with increasing frequency and increasing significance of impact
» Future GNSS dependent technology is particularly vulnerable
• AGC is a component found in nearly all GNSS receivers, and can be used as an interference/spoofing detection tool with little to no modification
• Better characterization and standardization of the AGC and its reporting will provide significantly better usability
Thank you!
Questions?