Location-independent GNSS Relay Attacks
A Lazy Attacker's Guide to Bypassing Navigation Message Authentication
The lack of message authentication permits the generation of fake satellite signals that can falsify a receiver’s location. To this end, several countermeasures based on cryptographic authentication are being proposed to protect against attackers generating spoofing signals. For example, the recently launched Galileo Open Service Navigation Message Authentication (OSNMA) authenticates the navigation message contents based on the TESLA protocol and one-way hash functions. To modernize next-generation GPS, the United States Department of Defense is also exploring the use of Chips Message Robust Authentication (CHIMERA). These countermeasures aim to protect the integrity of the navigation message contents. Since in GNSS the user’s location is computed from both the navigation message contents and their time of arrival, such localization remains vulnerable to signal relay/replay attacks.
In this work, we demonstrate the possibility of spoofing a GNSS receiver to arbitrary locations without modifying the navigation messages. Due to increasing spoofing threats, Galileo and GPS are evaluating broadcast authentication techniques to validate the integrity of navigation messages. Prior work required an adversary to record the GNSS signals at the intended spoofed location and relay them to the victim receiver. Our attack demonstrates the ability of an adversary to receive signals close to the victim receiver and in real-time generate spoofing signals for an arbitrary location without modifying the navigation message contents.
We exploit the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby potentially rendering any cryptographic authentication useless. We build a proof-of-concept real-time spoofer capable of receiving authenticated GNSS signals and generating spoofing signals for any arbitrary location and motion without requiring any high-speed communication networks or modifying the message contents.
Our evaluations show that it is possible to spoof a victim receiver to locations as far as 4000 km away from the actual location and with any dynamic motion path. This work further highlights the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected.
The attacker receives signals at a fixed location and synthesizes a new signal by applying appropriate delays to the received navigation messages, enabling the attacker to spoof the victim receiver to an arbitrary location (a, b, or c) or a trajectory without any physical movement.
In a signal spoofing attack, an adversary can manipulate position estimation by either modifying the content of the navigation messages or the propagation delay. Since the goal is to keep the message content authenticated, we design our attack strategy to manipulate the reception time estimation method used for the pseudorange estimation. Suppose an adversary records and replays the GNSS signals, i.e., delays all the satellite signals by the same amount. In that case, the victim receiver’s spoofed location is limited to where the adversary recorded the signal. Given a set of satellite signals, our attacker continuously calculates and applies appropriate delays to spoof the victim to a specific location.
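The paragraph above rests on how a receiver turns pseudoranges into a fix: every satellite's measured range carries the same unknown receiver clock offset, so the solver estimates four unknowns (x, y, z and clock bias) and any delay that is common to all signals is absorbed entirely by the clock term. The following Python is an added illustration written for this page, not code from the paper or the authors' spoofer. It uses a constructed constellation and a simplified range model (no ionospheric, tropospheric or satellite-clock terms) to show two things a defender should keep in mind: a plain record-and-forward relay that delays all signals equally leaves the position untouched and only shifts the solved clock bias, and that shift is something a receiver can watch for as a cheap consistency check. The satellite coordinates, receiver position and delay values are sample values chosen for the demonstration.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed satellite positions in ECEF metres (roughly GNSS orbital radius);
# sample values for the demonstration, not live ephemeris data.
SATS = [
    (15_600_000.0, 7_540_000.0, 20_140_000.0),
    (18_760_000.0, 2_750_000.0, 18_610_000.0),
    (17_610_000.0, 14_630_000.0, 13_480_000.0),
    (19_170_000.0, 610_000.0, 18_390_000.0),
    (11_000_000.0, -9_000_000.0, 22_000_000.0),
]
# Constructed true receiver position (ECEF metres, near the Earth's surface)
# and receiver clock bias in seconds.
TRUE_POS = (3_900_000.0, 500_000.0, 4_990_000.0)
TRUE_CLOCK_BIAS_S = 10e-6


def dist(a, b):
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in range(3)))


def pseudoranges(sats, pos, clock_bias_s, extra_delay_s=None):
    """Model each satellite's pseudorange: geometric range plus receiver clock bias,
    plus an optional per-satellite propagation delay (seconds) on the path."""
    extra = extra_delay_s or [0.0] * len(sats)
    return [dist(s, pos) + C * (clock_bias_s + d) for s, d in zip(sats, extra)]


def _solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def _lstsq(h, r):
    """Least-squares solution of H dx = r via the normal equations (H^T H) dx = H^T r."""
    n = len(h[0])
    hth = [[sum(row[i] * row[j] for row in h) for j in range(n)] for i in range(n)]
    htr = [sum(row[i] * ri for row, ri in zip(h, r)) for i in range(n)]
    return _solve_linear(hth, htr)


def solve_fix(sats, rhos, iterations=20):
    """Iterative least-squares position fix. Unknowns: x, y, z (m) and the receiver
    clock bias expressed in metres (c * bias). Returns ((x, y, z), clock_bias_m)."""
    est = [0.0, 0.0, 0.0, 0.0]  # start at the Earth's centre with zero bias
    for _ in range(iterations):
        h, resid = [], []
        for s, rho in zip(sats, rhos):
            d = dist(s, est)
            # Row of the Jacobian: unit vector from satellite to receiver, and 1 for the clock term.
            h.append([(est[k] - s[k]) / d for k in range(3)] + [1.0])
            resid.append(rho - (d + est[3]))
        dx = _lstsq(h, resid)
        est = [e + c for e, c in zip(est, dx)]
        if max(abs(c) for c in dx) < 1e-6:
            break
    return tuple(est[:3]), est[3]


def flag_clock_bias_jumps(bias_series_m, threshold_m):
    """Indices at which the solved clock bias steps by more than threshold_m between
    consecutive fixes. A delay common to all satellites never shows in the position
    but lands entirely here, so a sudden step is a cheap receiver-side consistency check."""
    return [i for i in range(1, len(bias_series_m))
            if abs(bias_series_m[i] - bias_series_m[i - 1]) > threshold_m]


def demo():
    clean = pseudoranges(SATS, TRUE_POS, TRUE_CLOCK_BIAS_S)
    pos_clean, bias_clean = solve_fix(SATS, clean)
    # Every signal delayed by the same 2 µs (a pure record-and-forward relay):
    # the fix stays at TRUE_POS and only the clock bias absorbs the delay.
    relay_delay_s = 2e-6
    relayed = pseudoranges(SATS, TRUE_POS, TRUE_CLOCK_BIAS_S, [relay_delay_s] * len(SATS))
    pos_relayed, bias_relayed = solve_fix(SATS, relayed)
    return {
        "position_shift_m": dist(pos_clean, pos_relayed),
        "bias_shift_m": bias_relayed - bias_clean,
        "expected_bias_shift_m": C * relay_delay_s,
        "jumps": flag_clock_bias_jumps([bias_clean, bias_clean, bias_relayed, bias_relayed], 100.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows a position shift of effectively zero and a clock-bias shift of about 599.6 m, exactly c times the 2 µs relay delay. That is why the paragraph above says a naive replay can only place the victim at the recording location: only satellite-specific differences in arrival time move the fix. It also marks the limit of the clock-jump check as a countermeasure: it needs a trusted prior clock state and catches only the common term, not a geometrically consistent set of per-satellite delays of the kind this work describes.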
The above figure describes the stages of the proposed attack based on manipulating the common reception time: (a) GNSS satellite transmission time, (b) relative time of arrival at the attacker's receiver, (c) relative times at the attacker's TX after the attacker's modifications, and (d) relative time of arrival at the victim's receiver.
Our attack comprises three key components: i) NAVMSG streamer, ii) Delay Estimator, and iii) Spoofing Signal Synthesizer. Authentication mechanisms like OSNMA and CHIMERA enforce timing constraints, meaning navigation messages arriving after key disclosure will be discarded by the receiver. To stay within these constraints, the NAVMSG streamer forwards the navigation messages without decoding their entire content, which is unnecessary because the attack does not manipulate the navigation message data in any way. The delay estimator module calculates the delay required for each visible satellite signal to spoof the victim receiver to a target location. The spoofing signal synthesizer module applies these delays to the satellite signals forwarded by the NAVMSG streamer: it selects the satellite signals to which the delays are applied and combines them into the signal transmitted to the victim receiver.
Commercial receivers, like the u-blox ZED-F9P, which we tested in our experiments, can use SBAS messages to check the integrity of the received GPS data. When SBAS integrity checks are enabled, the navigation engine uses data only from those satellites whose integrity is verified by comparison with the SBAS data. Thus, if a particular satellite doesn’t pass this integrity check, it is ignored, and data from that satellite is not used in PVT calculations. If enough satellites fail the check, the receiver won’t obtain a position fix. To test our attack against such integrity checks, we conducted an experiment in which we first combined our synthesized signal with live SBAS signals and then fed the combined signal to an off-the-shelf u-blox receiver. The receiver tracked the SBAS signals as well as our signals and successfully obtained a 3-dimensional position fix with integrity verified. This confirms that the real-time signals we generate pass the applied integrity checks.
In this work, we designed and developed an attack that allows spoofing a victim receiver's location or motion without modifying the legitimate signal's navigation message contents. Specifically, we demonstrated how an attacker can temporally manipulate legitimate satellite signals received at a victim's true location in real time to generate signals that correspond to arbitrary locations and motions far away from the victim's actual position. This is in contrast to prior work, which required an attacker to be present at, and record legitimate satellite signals from, the location to which they intend to spoof the victim's receiver. We also demonstrated the ability to generate spoofing signals that correspond to any arbitrary dynamic motion, independent of the attacker's or victim receiver's motion. We analyzed the effect of factors like sampling rate, satellite constellation, and orbits on the accuracy of the spoofed location, and discussed the effectiveness of existing spoofing detection and mitigation techniques against the proposed attack.
CISPA Helmholtz Center for Information Security
Please feel free to contact us for more information.