Appeaed in Homeland Security Journal, December 12, 2003

GPSSpoofingCountermeasures
JonS.Warner,Ph.D.andRogerG.Johnston,Ph.D.,CPP VulnerabilityAssessmentTeam LosAlamosNationalLaboratory LosAlamos,NewMexico,87545

Abstract: CivilianGlobalPositioningSystem(GPS)receiversarevulnerabletoanumberof differentattackssuchasblocking,jamming,andspoofing.Thegoalofsuch attacksiseithertopreventapositionlock(blockingandjamming),ortofeedthe receiverfalseinformationsothatitcomputesanerroneoustimeorlocation (spoofing).GPSreceiversaregenerallyawareofwhenblockingorjammingis occurringbecausetheyhavealossofsignal.Spoofing,however,isa surreptitiousattack.Currently,nocountermeasuresareinusefordetecting spoofingattacks.Webelieve,however,thatitispossibletoimplementsimple, lowcostcountermeasuresthatcanberetrofittedontoexistingGPSreceivers. Thiswould,attheveryleast,greatlycomplicatespoofingattacks. Introduction: ThecivilianGlobalPositioningSystem(GPS)iswidelyusedbybothgovernment andprivateindustryformanyimportantapplications.Someofthese applicationsincludepublicsafetyservicessuchaspolice,fire,rescueand ambulance.Thecargoindustry,buses,taxis,railcars,deliveryvehicles, agriculturalharvesters,privateautomobiles,spacecraft,marineandairborne trafficalsouseGPSsystemsfornavigation.Infact,theFederalAviation Administration(FAA)isintheprocessofdraftinganinstructionrequiringthat allradionavigationsystemsaboardaircraftuseGPS[1].Additionalusesinclude hikingandsurveying,aswellasbeingusedinrobotics,cellphones,animal trackingandevenGPSwristwatches.Utilitycompaniesandtelecommunication companiesuseGPStimingsignalstoregulatethebasefrequencyoftheir distributiongrids.GPStimingsignalsarealsousedbythefinancialindustry,the broadcastindustry,mobiletelecommunicationproviders,theinternational financialindustry,banking(formoneytransfersandtimelocks),andother

distributedcomputernetworkapplications[2,3].Inshort,anyonewhowantsto knowtheirexactlocation,velocity,ortimemightfindGPSuseful. Unfortunately,thecivilianGPSsignalsarenotsecure[1].OnlythemilitaryGPS signalsareencrypted(authenticated),butthesearegenerallyunavailableto civilians,foreigngovernments,andmostoftheU.S.government,includingmost oftheDepartmentofDefense(DoD).Plansareunderwaytoupgradetheexisting GPSsystem,buttheyapparentlydonotincludeaddingencryptionor authenticationtothecivilianGPSsignal[4,5]. TheGPSsignalstrengthmeasuredatthesurfaceoftheEarthisabout160dBw (1x1016Watts),whichisroughlyequivalenttoviewinga25Wattlightbulbfrom adistanceof10,000miles.Thisweaksignalcanbeeasilyblockedbydestroying orshieldingtheGPSreceiversantenna.TheGPSsignalcanalsobeeffectively jammedbyasignalofasimilarfrequency,butgreaterstrength.Blockingand jamming,however,arenotthegreatestsecurityrisk,becausetheGPSreceiver willbefullyawareitisnotreceivingtheGPSsignalsneededtodetermine positionandtime.AmoreperniciousattackinvolvesfeedingtheGPSreceiver fakeGPSsignalssothatitbelievesitislocatedsomewhereinspaceandtimethat itisnot.Thisspoofingattackismoreelegantthanjammingbecauseitis surreptitious. TheVulnerabilityAssessmentTeam(VAT)atLosAlamosNationalLaboratory (LANL)hasrecentlydemonstratedtheeasewithwhichcivilianGPSspoofing attackscanbeimplemented[6].Thisspoofingismosteasilyaccomplishedby usingaGPSsatellitesimulator.SuchGPSsatellitesimulatorsareuncontrolled, andwidelyavailable.Toconductthespoofingattack,anadversarybroadcastsa fakeGPSsignalwithahighersignalstrengththanthetrueGPSsignal.TheGPS receiverbelievesthatthefakesignalisactuallythetrueGPSsignalfromspace, andignoresthetrueGPSsignal.Thereceiverthenproceedstocalculate erroneouspositionortimeinformationbasedonthisfalsesignal. HowDoesGPSwork? TheGPSisoperatedbyDoD.Itconsistsofaconstellationof27satellites(24 activeand3standby)in6separateorbitsandreachedfullofficialoperational capabilitystatusonJuly17,1995[7].GPSusershavetheabilitytoobtaina3D position,velocityandtimefixinalltypesofweather,24hoursaday.GPSusers canlocatetheirpositiontowithin18ftonaverageor6090ftforaworstcase 3Dfix[8]. EachGPSsatellitebroadcaststwosignals,acivilianunencryptedsignalanda

militaryencryptedsignal.ThecivilianGPSsignalwasneverintendedforcritical orsecurityapplications,thoughthatis,unfortunately,howitisnowoftenused. TheDoDreservesthemilitaryencryptedGPSsignalforsensitiveapplications suchassmartweapons. Thispaperwillbefocusingonthecivilian(unencrypted)GPSsignal.Any discussionofcivilianGPSvulnerabilitiesarefullyunclassified[9].Thecarrier wavefortheciviliansignalisthesamefrequency(1575.2MHz)foralloftheGPS satellites.TheC/AcodeprovidestheGPSreceiverontheEarthssurfacewitha uniqueidentificationnumber(a.k.a.PRNorPseudoRandomNoisecode).In thismanner,eachsatellitetransmitsauniqueidentificationnumberthatallows theGPSreceivertoknowwhichsatellitesitisreceivingsignalsfrom.The Nav/SystemdataprovidestheGPSreceiverwithinformationabouttheposition ofallthesatellitesintheconstellationaswellasprecisetimingdatafromthe atomicclocksaboardthesatellites.

GPS Satellite Signals

L1 Carrier 1575.2 MHz
Mixer

L1 Civilian Signal

C/A Code 1.023 MHz

Combiner

Nav/System Data 50 Hz P-Code 10.23 MHz

Combiner

L2 Carrier 1227.6 MHz

Encryption Code
Mixer

L2 Military Signal

Figure 1: GPS signal structure. ThereceivercontinuouslylistensfortheGPSsignalsfromspace.TheGPS receiverlocksontothesignalsfromseveralGPSsatellitessimultaneously.The actualnumberofsatellitesthereceiverlocksontoisdeterminedby:1)the numberofsatellitesinviewofthereceiverand2)themaximumnumberof satellitesthereceiverhardwareisdesignedtoaccommodate.BecauseoftheC/A codeidentification,theGPSreceiverknowsexactlywhichsatellitesitisreceiving datafromatanygiventime. Oncetheidentificationcodesforeachofthereceivedsatellitesignalsare recognized,theGPSreceivergeneratesaninternalcopyofthesatellites

identificationcodes.Eachsatellitetransmitsitsidentificationcodesin1 millisecondintervals.Thereceivercomparesitsinternallygeneratedcode againsttherepeatingC/Acodefromspaceandlooksforanylagfromthe expected1millisecondinterval.Anydeviationfromthe1millisecondintervalis assumedtobethetraveltimeoftheGPSsignalfromspace.Oncethetraveltime ( T)isdetermined,thereceiverthencalculatesthedistancefromitselftoeach satelliteusingthefollowingformula:Distance= TxSpeedofLight.

Figure 2: Example of GPS signal time delay. Oneproblemwiththismethodisthattheclocksonthereceiverarenotas accurateastheatomicclocksonboardthesatellites.Inadditiontothetime correctionfromtheNAV/SYSdatainformationfromthesatellites,theGPS receiverhasaclevermethodofdeterminingitsownclockerror,whichwewill discussinafewmoments. Aspreviouslymentioned,thereceiverreceivesthesignalsfromseveralGPS satellitessimultaneously.Therefore,thedistancetoseveralsatellitesareknown atanygiventime.Figure3givesaconceptualoverviewgiventhedistanceof threeGPSsatellites(denotedbythestarsymbol).NotethatinFigure3thatthe rangestothesatellite,asmeasuredbytheGPSreceiver,donotoverlapata singlepoint.Themeasuredandtruerangesdifferduetotheclockerrorsinthe receivermentionedearlier.Theresultisadistanceerrorseenbythereceiver, whichisrepresentedbythedottedlineinfigure3.

Atthispoint,thereceiverknowsitissomewhereintheareaofoverlapshownby thedottedline(figure3).Thereceivertheninterpolatesthisoverlapareatofind thecenter.Theresultofthisinterpolationgivestwoimportantpiecesof information;1)whatthepositionofthereceiverisand2)theclockerrorofthe receiver.Inessencethereceiverusesthecorrectpositioninformationto determineitsownclockerror. Themoresatellitesinvolved,thesmallertheareaofoverlapandthebetterthe positionfixwillbe.Intheory,threesatellitesareallthatisneededforaposition fix.However,inpractice,fourormoresatellitesareneededtoacquirean Figure 3: 2-D representation of accuratelatitude,longitudeandaltitudefix. finding a position. Notethatonlyonesatelliteisrequiredforatimefix.Thepositionisinitially foundinanX,Y,ZEarthcentered/EarthFixedcoordinateframeandthen convertedtoLatitude,LongitudeandAltitude. Countermeasures: Severalofthecountermeasuresweproposearebasedonsignalstrength,which must(atleastinitially)behigherforthefakesignalthanthetruesignalfrom space.Someoftheothercountermeasuresinvolverecognizingthecharacteristics ofthesatellitesimulatoritself. Many(ifnotall)GPSreceiversdisplaythesignalstrengthandsatellitenumber foreachofthesatellitesitisreceivingdatafrom.Weareunawareofany receiversthatstorethisdataandcomparetheinformationfromonemomentto thenext. OneormoreofthefollowingcountermeasuresshouldallowsuspiciousGPS signalactivitytobedetected: 1)MonitortheabsoluteGPSsignalstrength:Thiscountermeasureinvolves monitoringandrecordingtheaveragesignalstrength.Wewouldcomparethe observedsignalstrengthtotheexpectedsignalstrengthofabout163dBw(5x 1017watts).Iftheabsolutevalueoftheobservedsignalexceedssomepreset threshold,theGPSreceiverwouldalerttheuser.Thiscountermeasureisbased ontheideathatrelativelyunsophisticatedGPSspoofingattackswilltendtouse GPSsatellitesimulators.Suchsimulatorswilltypicallyprovidesignalstrengths

manyordersofmagnitudelargerthananypossiblesatellitesignalattheEarths surface.Thisisanunambiguousindicationofaspoofingattack. 2)MonitortherelativeGPSsignalstrength:Thereceiversoftwarecouldbe modifiedsothattheaveragesignalstrengthcouldberecordedandcompared fromonemomenttothenext.Anextremelylargechangeinrelativesignal strengthwouldbecharacteristicofanadversarystartingtogenerateacounterfeit GPSsignaltooverridethetruesatelliteGPSsignals[6].Ifthesignalincreases beyondsomepresetthreshold,analarmwouldsoundandtheendusercouldbe alerted. 3)Monitorthesignalstrengthofeachreceivedsatellitesignal:This countermeasureisanextensionoftheabovetwotechniques.Here,therelative andabsolutesignalstrengthsaretestedindividuallyforeachoftheincoming satellitesignals.SignalsfromaGPSsatellitesimulatorwilltendtomakethe signalcomingfromeachartificialsatelliteofequalstrength.Realsatellite signals,however,varyfromsatellitetosatelliteandchangeovertime.Theidea hereisthatifthesignalcharacteristicsaretooperfect,thereisprobably somethingwrongandtheusershouldbealerted.Liketheprevioustwo countermeasures,thiscountermeasurecouldbeimplementedbymodifyingthe existingsoftwarecodeoftheGPSreceiver. 4)Monitorsatelliteidentificationcodesandnumberofsatellitesignals received:GPSsatellitesimulatorstransmitsignalsfrommultiplesatellites (typically10)morethanthenumberofrealsatellitesoftendetectedbyaGPS receiverinthefieldatagiventime.ManycommercialGPSreceiversdisplay satelliteidentificationinformation,butdonotrecordthisdataorcompareto previouslyrecordeddata.Keepingtrackofboththenumberofsatellitesignals receivedandthesatelliteidentificationcodesovertimemayprovehelpfulin determiningiffoulplayisoccurring.Thisisespeciallytrueofan unsophisticatedspoofingattackwheretheadversarydoesnotattempttomimic thetruesatelliteconstellationatagiventime. 5)Checkthetimeintervals:WithmostGPSsatellitesimulators,thetime betweentheartificialsignalfromeachsatelliteandthenextisaconstant.Thisis notthecasewithrealsatellites.Inotherwords,thereceivermaypickupthetrue signalfromonesatelliteandthenafewmomentslaterpickupasignalfrom anothersatellite,etc.Withthesatellitesimulator,thereceiverwouldpickup signalsfromallofthesatellitessimultaneously.Thisisanexploitablefeature ofthesatellitesimulatorthatcouldbeusedtotellifthesignalswerecoming fromthetruesourceorafalsesimulatorbasedsource.

6)Doatimecomparison:ManycurrentGPSreceiversdonothaveanaccurate clock.Byusingtimingdatafromanaccurate,continuouslyrunningclockto comparetothetimederivedfromtheGPSsignal,wecancheckontheveracityof thereceivedGPSsignals.Ifthetimedeviatesbeyondsomethreshold,theuser canbealertedtothepossibilityofaspoofingattack.AstheVAThas demonstrated,veryaccurateclockscanbesmallandinexpensive,andoperateon verylowpower. 7)Performasanitycheck:Asmall,solidstateaccelerometerandcompasscan beusedtoindependentlymonitorthephysicaltrajectoryofthereceiver (heading,velocity,etc.),mounted,forexample,onamovingtruck.The informationprovidedbythisapproachcanbeusedtodoublecheckthecurrent positionfixreportedbytheGPSreceiverbasedonapreviouslyreported position.Inasophisticatedspoofingattack,theadversarywouldsendafalse signalreportingthemovingtargetstruepositionandthengraduallywalkthe targettoafalseposition.Thisishowanattackonacargotruckmightoccurfor instance.Theaccelerometerwouldserveasarelative(notabsolute)backup positioningsystem,whichcouldbeusedtocomparetothepositionreportedby theGPSreceiver.Adiscrepancybetweentheaccelerometerandthereceiver wouldraisearedflagandalerttheuser. Allofthestrategies17canbeimplementedbyretrofittingexistingGPS receivers;itisnotnecessarytoredesignthem.Strategies15canbeimplemented primarilythroughsoftwarealone.Strategy6couldbeimplementedthrough software,orelseamoreaccurateclockcouldbefittedontotheexistingGPS receiver.Strategy7wouldrequirebothhardwareandsoftwareimplementation toworkproperly.Webelieveaproofofprincipleforcountermeasures17canbe demonstratedfairlyquickly. Conclusion Althoughthecountermeasuresproposedinthispaperwillnotstopspoofing attacks,theywillalerttheuseroftheGPSreceivertosuspiciousactivity.This willdecreasetheoddsthataspoofingattackcansucceed,andwillalsorequire adversariestodeploymoresophisticatedmethodsthanthesimpleattackwe havepreviouslydemonstrated[6].Webelievethepotentialcountermeasures proposedinthispapercanbeimplementedeasilyandinexpensively,including byretrofittingexistingGPSreceivers. Disclaimer&Acknowledgements Theviewsexpressedinthispaperarethoseoftheauthorsandshouldnot necessarilybeascribedtoLosAlamosNationalLaboratory,ortheUnitedStates

DepartmentofEnergy.AnthonyGarcia,AdamPacheco,RonMartinez,Leon Lopez,andSoniaTrujillocontributedtothiswork. References:

1

JohnA.VolpeNationalTransportationSystemsCenter,Vulnerability AssessmentOfTheTransportationInfrastructureRelyingOnTheGlobal PositioningSystem,FinalReport.,DepartmentofTransportation,2001, http://www.navcen.uscg.gov/archive/2001/Oct/FinalReportv4.6.pdf. S.J.Harding,StudyintotheimpactoncapabilityofU.K.commercialand domesticservicesresultingfromthelossofGPSsignals,Qinetiq,2001, www.radio.gov.uk/topics/research/topics/other/gpsreport/gps report.pdf. L.Brutt,NS/EPImplicationofGPStiming,OfficeofthemanagerNational CommunicationsSystem;TechnicalNotes,TechnologyandStandards Division6(2)(1999), www.ncs.gov/n2/content/technote/tnv6n2/tnv6n2.htm. CommitteeontheFutureoftheGlobalPositioningSystem;National ResearchCouncil;AeronauticsandSpaceEngineeringBoard,TheGlobal PositioningSystem:ASharedNationalAssetRecommendationsforTechnical ImprovementsandEnhancements.(NationalAcademyPress,1995), www.nap.edu/books/0309052831/html/index.html. AirForcerelease,AirForceNAVSTARGlobalPositioningSystemFactSheet, FloridaTodaySpaceOnline(1999), www.floridatoday.com/space/explore/stories/1999b/100399f.htm. J.WarnerandR.Johnston,AsimpledemonstrationthattheGlobalPositioning System(GPS)isvulnerabletospoofing,JournalofSecurityAdministration, 25,19(2002). USCoastGuard,GPSFrequentlyAskedQuestions,2003, http://www.navcen.uscg.gov/faq/gpsfaq.htm. USAirForce,GPSSupportCenter,(2003), https://www.peterson.af.mil/GPS_Support/. HeadquartersAirForceSpaceCommand,NAVSTARGlobalPositioning SystemOperationsProtectGuide,PetersonAirForceBase.