GNSS Jamming and Spoofing – Galileo's Authentication Algorithm Part 3 (2020)
berthub.eu

The OSNMA protocol discussed is based on Timed Efficient Stream Loss-Tolerant Authentication (TESLA):
> This document introduces Timed Efficient Stream Loss-tolerant Authentication (TESLA). TESLA allows all receivers to check the integrity and authenticate the source of each packet in multicast or broadcast data streams. TESLA requires no trust between receivers, uses low-cost operations per packet at both sender and receiver, can tolerate any level of loss without retransmissions, and requires no per-receiver state at the sender. TESLA can protect receivers against denial of service attacks in certain circumstances. Each receiver must be loosely time-synchronized with the source in order to verify messages, but otherwise receivers do not have to send any messages. TESLA alone cannot support non-repudiation of the data source to third parties.
* https://tools.ietf.org/html/rfc4082
* A. Perrig, R. Canetti, J. Tygar and D. Song, “Efficient Authentication and Signing of Multicast Streams over Lossy Channels,” IEEE Symposium on Security and Privacy, pp. 56-73, May 2000.
Part 1 also has a brief explanation of TESLA: https://berthub.eu/articles/posts/galileos-authentication-al...
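The TESLA mechanism quoted above, as a toy end-to-end exchange (an added illustration, not code from the article, RFC 4082 or the OSNMA specification): the sender commits to a one-way hash chain, MACs each message with the key of the current interval, and discloses that key only one interval later. The receiver buffers packets, refuses any packet that arrives once its key may already be public (this is the loose-time-synchronisation requirement), and checks every disclosed key against the chain before using it. The interval length, disclosure lag, clock-error bound and messages are constructed values. It also shows why an attacker who simply waits for the key to be disclosed and then forges a MAC gains nothing: the forged packet is dropped before its MAC is even examined.

```python
"""Toy TESLA sender/receiver with delayed key disclosure (added example)."""
import hashlib
import hmac

INTERVAL = 30.0      # seconds per key interval (constructed value)
LAG = 1              # K_i is disclosed in packets of interval i + LAG
SYNC_BOUND = 2.0     # assumed bound on receiver clock error vs sender, seconds


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def build_chain(seed: bytes, n: int) -> list:
    """K[n] = seed, K[i] = H(K[i+1]). K[0] is the root the receiver obtains
    out of band (OSNMA distributes it under a signature; here it is handed over)."""
    keys = [b""] * (n + 1)
    keys[n] = seed
    for i in range(n - 1, -1, -1):
        keys[i] = H(keys[i + 1])
    return keys


def derive(key: bytes, from_idx: int, to_idx: int) -> bytes:
    """Walk the one-way chain from K_from down to K_to (to_idx <= from_idx)."""
    for _ in range(from_idx - to_idx):
        key = H(key)
    return key


def tag(key: bytes, msg: bytes) -> bytes:
    # Domain-separate the MAC key from the chain key itself.
    return hmac.new(H(b"mac" + key), msg, hashlib.sha256).digest()


def make_packet(keys, i: int, msg: bytes) -> dict:
    j = i - LAG
    return {"i": i, "msg": msg, "tag": tag(keys[i], msg),
            "disclosed": keys[j] if j >= 0 else None}


class Receiver:
    def __init__(self, root: bytes):
        self.latest = (0, root)   # newest chain key verified so far
        self.pending = {}         # interval -> [(msg, tag)] awaiting a key
        self.authenticated = []   # (interval, msg) whose MAC verified
        self.mac_failures = 0

    def receive(self, pkt: dict, arrival: float) -> str:
        i = pkt["i"]
        # TESLA security condition: when the packet arrived, the sender must
        # not yet have reached the interval in which K_i gets disclosed.
        if arrival + SYNC_BOUND >= (i + LAG) * INTERVAL:
            return "rejected: K_%d may already be public" % i
        self.pending.setdefault(i, []).append((pkt["msg"], pkt["tag"]))
        if pkt["disclosed"] is None:
            return "buffered"
        j, (li, lk) = i - LAG, self.latest
        # A disclosed key is trusted only if it hashes down to a known key.
        if j > li:
            ok = derive(pkt["disclosed"], j, li) == lk
        else:
            ok = pkt["disclosed"] == derive(lk, li, j)
        if not ok:
            return "buffered: disclosed key failed chain check"
        if j > li:
            self.latest = (j, pkt["disclosed"])
        # Everything buffered for intervals <= j can now be checked.
        for k in [x for x in self.pending if x <= j]:
            kk = derive(self.latest[1], self.latest[0], k)
            for msg, t in self.pending.pop(k):
                if hmac.compare_digest(tag(kk, msg), t):
                    self.authenticated.append((k, msg))
                else:
                    self.mac_failures += 1
        return "buffered: key accepted"


def run_scenario():
    keys = build_chain(b"constructed seed", 4)
    rx = Receiver(keys[0])
    log = []
    # Interval 1 spans t in [30, 60): a genuine packet arrives at t = 35.
    log.append(rx.receive(make_packet(keys, 1, b"nav 1"), 35.0))
    # Attacker guesses a MAC without K_1: arrives in time, so it is buffered.
    forged = {"i": 1, "msg": b"spoof 1", "tag": b"\x00" * 32, "disclosed": keys[0]}
    log.append(rx.receive(forged, 36.0))
    # Interval 2 discloses K_1; the interval-1 buffer is now verifiable.
    log.append(rx.receive(make_packet(keys, 2, b"nav 2"), 65.0))
    # Attacker now knows K_1 and can MAC anything, but the packet arrives
    # after K_1 became public and is dropped without a MAC check.
    late = {"i": 1, "msg": b"spoof 1 late", "tag": tag(keys[1], b"spoof 1 late"),
            "disclosed": keys[0]}
    log.append(rx.receive(late, 66.0))
    # Interval 3 discloses K_2 and authenticates "nav 2".
    log.append(rx.receive(make_packet(keys, 3, b"nav 3"), 95.0))
    return rx.authenticated, rx.mac_failures, log
```

The chain walk in `derive` is what makes the scheme loss tolerant: a receiver that missed several intervals can still validate a later disclosed key by hashing it down to the last key it trusted. The arrival-time check is the part a real implementation gets wrong most easily; the bound on clock error has to be conservative, because any slack there is exactly the window a spoofer with a copy of the just-disclosed key gets to work in.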
> Military solutions will fall back to inertial, celestial or optical guidance, and people using GPS for navigation will at worst show up where they need to be somewhat later than planned.
The US Navy re-started celestial navigation a few years ago:
* https://www.npr.org/2016/02/22/467210492/u-s-navy-brings-bac...
This (1960s?) US government produced (45m) video gives a pretty good overview:
* https://www.youtube.com/watch?v=UV1V9-nnaAs
For those wanting to invest (substantially) more time, the two videos by "Tippecanoe Boats" are slightly rambling at times, but he does lay things out pretty well by the end of it (second is largely examples):
>> Military solutions will fall back to inertial, celestial or optical guidance, and people using GPS for navigation will at worst show up where they need to be somewhat later than planned.
> The US Navy re-started celestial navigation a few years ago:
Also, the SR-71, B-1, and B-2 and other aircraft have automated celestial navigation systems to provide corrections to their INSs:
https://www.thedrive.com/the-war-zone/17207/sr-71s-r2-d2-cou...
Honestly, for military applications, GPS seems to be mainly useful for bad weather and providing navigation to the smallest units (and I'd think a small unit would be able to fall back to a map and compass).
ICBMs also use celestial navigation systems for same reasons.
This kind of weapon has a backup INS
https://en.wikipedia.org/wiki/Joint_Direct_Attack_Munition
The INS doesn't need to be terribly high performance because it only needs to work for the time it takes a bomb to fall from the sky.
These military instructional videos are so great. They explain a lot of concepts very clearly. Nowadays videos seem to be more casual, with more focus on practice than understanding the theory.
Another question for knowledgeable people here:
Can I not just run two GNSS receivers 10 meters apart (on a ship), and if they report as having the same position, then I know someone is spoofing?
It should be really hard to beamform the spoofing to spoof two different locations, at least from a distance because of the precise angles needed.
Yes, this assumes that my real GNSS signal is good enough that they normally are 10M apart.
The article addresses that scenario, and confirms that using multiple receivers would allow you to reliably detect spoofing. They'd report the same location but a slightly different time.
Yes, but such countermeasures (like the ones mentioned in the article) are about one receiver doing fancy RF tricks. What I'm proposing is something entirely done by two cheap and existing receivers today, by the end user.
There's a patent on that one.
So if I understand this right the signature is 32bits times 24 times 15 per full frame?
After the fact, why exactly can I not precalculate my spoofed data stream?
I just need to spend:
3*2^31*24*15*(spoof_seconds/30) ops (on average)?
(assuming 3 streams for position data)

Sure, not cheap, but hardly hard even for a hobbyist.
So ~2^45 ops to spoof 10 minutes of data? That's doable.
Is my math off?
I have more faith in the direction finding aspects. Here, from the article, is the understatement of the year:
> To beat these simple tricks, a spoofer will need to have multiple transmitters that actually show the same parallax as the actual satellites. However, you can only do this by placing your transmitters next to the satellites - in space. This raises the bar significantly.
The HN formatting is eating your * signs...
Thanks. Fixed.
Some people say that there isn't much open literature on GPS anti-spoofing, but there are many patents filed by the likes of Lockheed-Martin, Boeing, BAE, etc.
I find the multiple antenna answers interesting.
For instance, one of the easier attack scenarios against an airplane is to have a directional antenna on the ground. Because airplanes broadcast their GPS position via ADS-B, you could also know that you'd succeeded.
In a case like that, however, the radio signal from the ground would be stronger than the signal from the sky and it would be obvious what was going on, unless the attacker managed to get the power level just right.
With multiple receivers you also will see very different results with spoofing than with a real signal. For instance if you had a receiver at the front of the airplane and one at the back of the airplane, the time delay for all the fake satellites would be the same (they all come from the same place) whereas the time delays (e.g. position) would be noticeably different from real sats.
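The two-antenna check described in this comment (and in the earlier ship question about two receivers 10 metres apart), worked through as an added example that is not code from the article or from any receiver vendor: for each satellite, the range difference between two antennas is the baseline projected onto that satellite's line of sight, so it differs from satellite to satellite. When every "satellite" is really one transmitter on the ground, that difference is the same for all of them. The baseline, the sky geometry, the spoofer position and the 0.3 m noise level are constructed; a real implementation would take the differences from carrier phase rather than code pseudoranges.

```python
"""Single-source spoofing detection from inter-antenna range differences."""
import math
import random

# Constructed geometry: antenna A at the origin, antenna B 30 m along the
# fuselage or deck, ENU metres.
BASELINE = (30.0, 0.0, 0.0)
NOISE_SIGMA_M = 0.3   # assumed 1-sigma noise on each measured range difference


def los_unit(az_deg, el_deg):
    """Unit vector from the receiver toward a satellite, from azimuth/elevation."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def genuine_deltas(sat_az_el, rng, sigma=NOISE_SIGMA_M):
    """rho_B - rho_A per satellite. Satellites are effectively at infinity, so
    the difference is the baseline projected onto each line of sight."""
    out = []
    for az, el in sat_az_el:
        u = los_unit(az, el)
        proj = sum(b * c for b, c in zip(BASELINE, u))
        out.append(-proj + rng.gauss(0.0, sigma))
    return out


def spoofed_deltas(spoofer_pos, n_sats, rng, sigma=NOISE_SIGMA_M):
    """Every fake satellite signal leaves the same transmitter, so the
    inter-antenna range difference is the same for all of them."""
    d = math.dist(spoofer_pos, BASELINE) - math.dist(spoofer_pos, (0.0, 0.0, 0.0))
    return [d + rng.gauss(0.0, sigma) for _ in range(n_sats)]


def spread(deltas):
    return max(deltas) - min(deltas)


def single_source_detected(deltas, fraction=0.25):
    """Flag spoofing when the per-satellite differences collapse toward one
    value. With satellites spread over the sky the genuine spread is a good
    fraction of the baseline length; the threshold sits well above the noise
    and well below that."""
    return spread(deltas) < fraction * math.hypot(*BASELINE)


def run_demo(seed=1):
    rng = random.Random(seed)
    sky = [(0, 60), (90, 30), (180, 45), (270, 20), (45, 80)]   # constructed az/el
    genuine = genuine_deltas(sky, rng)
    spoofed = spoofed_deltas((3000.0, -1500.0, -1000.0), len(sky), rng)  # ground spoofer
    return {
        "genuine_spread_m": spread(genuine),
        "genuine_flagged": single_source_detected(genuine),
        "spoofed_spread_m": spread(spoofed),
        "spoofed_flagged": single_source_detected(spoofed),
    }
```

The check needs no knowledge of where the satellites should be, only that they are not all in one place; the caveat is that a constellation clustered in one patch of sky also gives a small spread, so a real receiver would gate the test on the geometry it expects.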
If an attacker knows that the plane has two antennas, and their exact locations, he/she can generate the "correct" signals at each plane antenna with two attacker antennas and lots of math.
Getting their exact locations is simplified by the fact the location is being transmitted by ADS-B...
Nice.
That sounds tricky though. You need to be very precise. The attacker needs to provide different received signal to two antennas meters (at most!) apart, at a distance of maybe kilometers, on a moving target. That's a hair thin angle.
The aircraft just needs to TDoA "did it come from above or below?" (assuming an attack from the ground). That's 180 degrees.
Or am I missing something? Unless I am, this doesn't sound feasible to me.
The equipment I have pictured in my mind is one of the two-axis trackers that radio hams use to track satellites with a long but narrow Yagi-Uda antenna. (If that can handle the bandwidth)
These tend to move in jerks and will get in real trouble if you try to move them over the zenith, but they do a great job with LEO satellites and would do OK to uplink one signal to an airplane.
You might be able to hit two receivers if you had a phased array antenna like the Starlink antenna but bigger, but now it isn't a simple hacking project anymore.
BTW, don't try it. There are certain things like aviation and nuclear power that "Posse Comitatus" doesn't apply to and you could find yourself looking down the barrel of an M4 carbine and getting frog-talk from the USMC much quicker than you'd expect.
The gain of a Yagi (even these ridiculously long ones) is, I don't think, anywhere near precise enough. Keep in mind that even a 20dB gain antenna (simplified, since radiation patterns are complicated) only focuses the radiation pattern into 3.6 degrees. That's over 7 times the diameter of the moon in the sky.
I think even at GNSS frequencies you may need Arecibo-sized antennas to get useful directivities. E.g. check this diagram: http://www.coseti.org/9006-013.htm
No, I think a phased array is a better bet, but if it's possible to steer that tightly, you'd need a shitload of antennas. Like, a shitload. E.g. US PAVE PAWS active phased array has 2677 antennas to create a 2.2 degree beam. "Only" ~4.5 moons.
I don't know the maths, but that probably means millions or billions of antennas to beamform this right.
So yeah, I'm staying with "not feasible", probably even for a superpower.
You don't need to make a finely focussed beam... You simply need to be able to put nulls at each of the plane's antennas.
If the attacker has two antennas on the ground, say 1km apart, and the plane is 1km up, then no real precision is required - there exists a phase offset between your two antennas where only one of the plane's antennas picks up your signal, and the other antenna picks up nothing. If the plane were stationary, this could be found by a simple sweep of possible phase offsets.
If the plane is moving, it becomes harder to find and track the necessary offset, but if the plane is flying halfway between the attacker's ground-based antennas, the offset is ~constant, so a sweep again starts to look doable...
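The null-steering idea in this comment, worked through numerically as an added example (not code from the article or from this commenter): two ground transmitters 1 km apart, the aircraft 1 km up, and two aircraft antennas 28 m apart along track. Treating each transmitter as a free-space point source at L1/E1 (1575.42 MHz), the weight on the second transmitter that exactly cancels the first at one aircraft antenna is just minus the ratio of the two complex path gains. The example then shows what the reply below worries about: moving the aircraft by a quarter wavelength (under 5 cm) in the same direction destroys the null. The geometry is constructed, with the antennas placed a little off the midpoint so the two paths are not mirror images.

```python
"""Two-transmitter null steering against a two-antenna receiver (added example)."""
import cmath
import math

C = 299_792_458.0
F_L1 = 1575.42e6             # GPS L1 / Galileo E1 centre frequency, Hz
LAMBDA = C / F_L1            # about 0.19 m
K = 2 * math.pi / LAMBDA     # free-space wavenumber

# Constructed 2-D geometry (x along track, z up), metres.
TX1, TX2 = (0.0, 0.0), (1000.0, 0.0)           # ground transmitters 1 km apart
RX1, RX2 = (400.0, 1000.0), (428.0, 1000.0)    # aircraft antennas at 1 km altitude


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def contribution(tx, rx):
    """Complex field at rx from a unit-amplitude tx: free-space phase and 1/r."""
    d = dist(tx, rx)
    return cmath.exp(-1j * K * d) / d


def null_weight(rx):
    """Complex weight for TX2 that cancels TX1 exactly at rx."""
    return -contribution(TX1, rx) / contribution(TX2, rx)


def field(rx, w):
    return contribution(TX1, rx) + w * contribution(TX2, rx)


def relative_level(rx, w):
    """|combined field| relative to what TX1 alone delivers at rx."""
    return abs(field(rx, w)) / abs(contribution(TX1, rx))


def level_db(rx, w):
    r = relative_level(rx, w)
    return -math.inf if r == 0 else 20 * math.log10(r)


def shifted(rx, dx):
    return (rx[0] + dx, rx[1])


def demo():
    w = null_weight(RX1)   # steer the null onto the nose antenna
    return {
        "null_at_rx1": relative_level(RX1, w),                    # ~0
        "level_at_rx2": relative_level(RX2, w),                   # tail antenna still hears it
        "null_after_quarter_wave_move": relative_level(shifted(RX1, LAMBDA / 4), w),
    }
```

The weight itself is easy to compute once the geometry is known exactly; the hard part is that "exactly" means to a few centimetres at 1 km on a moving target, which is why the quarter-wave shift in `demo` brings the nulled antenna back to roughly the single-transmitter level. ADS-B gives position to metres, not centimetres, so the attacker would have to track the remaining error from the aircraft's own response, which is where the sweep-and-track idea in the comment comes in.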
So TX1 sends data headed for RX1, plus the TX2 signal phase-modulated to cancel out TX2 at RX1?
I don't know how much an aircraft shakes, but if I understand what you're saying then this is possibly even harder. You'd need to predict the positions in fractions of a wavelength, wouldn't you? And atmospheric changes could possibly affect it too.
> If the plane is moving
In the air, they tend to. On the ground accurate positioning is less important to protect.
> Because airplanes broadcast their GPS position via ADS-B, you could also know that you'd succeeded.
If the GPS is integrated with inertial navigation systems, the effect of GPS spoofing on the computation of the position (that could be observed by ADS-B) might prove tricky to anticipate.
Is there any cheap, open source alternative to GPS for navigation? I'm thinking of an electronic sextant (or star tracker) for rough position estimation, with a few km accuracy.
I'm somewhat annoyed at the accelerometer/gyroscopes that are available to the public, it is like they are all gimped to prevent you from building a weapons guidance system.
For instance, the Wiimote doesn't have the dynamic range to handle the highest accelerations you can generate waving your arms, which makes it hard to use that kind of thing for athletic training.
They're not 'gimped' by any sort of conspiracy.
It's just extremely hard to make a pure INS navigation system.
Even if you could measure your acceleration accurate to 0.00001 m/s/s, because it gets integrated twice to give position even that tiny error is going to give you a position that's out by 100m after an hour.
And measuring acceleration precise to 0.00001 m/s/s is a demanding task - like weighing a car so precisely you could count the pages of a book on the back seat.
That level of precision simply isn't available in the affordable MEMS market segment.
> They're not 'gimped' by any sort of conspiracy.
It bothers me when people go around labeling random stuff conspiracies like that's a legit dismissal. If they were 'gimped', they wouldn't be the only hardware. GPS is still gimped and will shut off over a certain height and speed specifically to prevent use in missiles. And the precision used to be regulated, not by expense, but to give the military the superior tool.
Specifically the position was originally deliberately noisy thus reducing its effective precision in the short term†. This was called "Selective Availability" and the US military were supposed to buy military receivers which handled a different channel on which noise was not introduced, thus giving them an advantage over an enemy lacking this feature - but this misunderstands economy of scale. So faced with a situation where your army is much more technically sophisticated and would benefit from GPS precision, but the GPS receivers everybody has in stock are for civilians and so suffer from the noise, the correct US decision was "Turn off Selective Availability" and it has been switched off ever since. Newer GPS birds lack this pointless feature entirely.
†Because it's "just" noisy you can wait, and average out the noise. If you stand in one place patiently recording your apparent position, for long enough, the average is much more accurate. Or, one station which knows exactly where it is uses short range radio to tell moving stations what the error currently is in the signal, improving their accuracy. The latter is known as DGPS and still makes some sense without Selective Availability because the ionospheric conditions will be similar at a short range too, reducing error from those.
The parent poster is not talking about that, he/she is talking about the COCOM limits placed on GPS receivers sold commercially: the GPS would not provide an output when traveling faster than 1900km/h at an altitude over 18km (though some manufacturers used a logical OR instead of an AND). This limit still applies and you need to get a special license if you want to get these limits removed (or you can buy Chinese).
The parent poster wrote:
>And the precision used to be regulated, not by expense, but to give the military the superior tool.
Which was, as I said, referring to Selective Availability, and has nothing to do with the arbitrary limits which are still imposed on US made receivers.
But GPS is irrelevant to PaulHoule's statement about the Wiimote - the wiimote doesn't contain a GPS receiver.
The price difference between a Wiimote and an OxTS RT3000 is because high-precision sensors and super-low-noise electronics are difficult.
ITAR doesn't stop you and me from buying an RT3000 - the thing stopping us is the fact it costs as much as a midrange car.
> It's just extremely hard to make a pure INS navigation system.
But if you go to the ATM machine and pull out enough cash after entering your PIN number, you can pay enough to make it happen.
I've seen lists of "dual use" technologies which are export restricted, and INS is one of those.
> like they are all gimped to prevent you from building a weapons guidance system.
You can buy RLGN off the shelf for a couple thousand bucks. You can buy gyrocompass-capable MEMS off of digi-key for dozens of dollars (Murata). It's just market forces and cost. You don't need super stable IMUs for game controllers.
They are definitely gimped to prevent you from using them in weapons. GPS receivers are the same way. Non-military units won't work outside of certain parameters.
Here's a good map/report on Russian in action GNSS spoofing - https://www.c4reports.org/aboveusonlystars
Our news org did an investigation into this as well, and also demonstrated how a simple HackRF could be used to fool most modern GPS receivers: https://nrkbeta.no/2017/09/18/gps-freaking-out-maybe-youre-t...