Projects:2020s1-2290 Untrustworthy GNSS Signal Identification and Generation

From Projects
Revision as of 21:41, 20 April 2020 by A1704234 (talk | contribs)
Jump to: navigation, search

Satellite-based navigation has become so ubiquitous that it is becoming increasingly difficult to find essential services such as health, transport all the way through to military and law enforcement that don’t rely upon it. In 2017, an incident occurred in the Baltic Sea where numerous ships had their GNSS locations placed into an incorrect position. This position was 15km inland.

The potential for these sorts of attacks occurring has motivated our team’s research as we believe that being able to detect this kind of attack is vital. Further, due to the generous availability of new android mobile devices that have both sufficient processing power and access to the GNSS data, our question is:

“Can we detect untrustworthy GNSS signals using the capabilities of a mobile phone?"

Introduction

In order to detect untrustworthy signals, it is important to understand what a Global Navigation Satellite System (GNSS) is: GNSS’s provide location and timing services and have become a prominent part of modern society. GNSS today are used for a myriad of applications; including but not limited to; logistics, agriculture and controlling the electricity grid. Currently there are two fully operational global systems, the USA's GPS and Russia's GLONASS. However, there are two developing global systems which are the EU's Galileo and China's BeiDou. (It is important to note that multiple developing regional systems exist. These are India’s IRNSS and Japan’s QZSS that can provide location capabilities to the surrounding nations.) Each GNSS’s constellation has a different architecture however they all work utilising the same underlying principles. GPS will be used as a generalisation to show how GNSS works. GPS works by a process called trilateration, where the distances (pseudorange) between the receiver and the satellite are used to determine the position and time of the receiver. However, for this to work the receiver would have to know where the satellites are and which satellite it is receiving a signal from. GPS satellites emit multiple signals but for the purpose of explanation we will only consider the legacy civilian L1 carrier frequency. The carrier frequency is used to transmit the course/acquisition (C/A) code and navigational data (ephemeris data) which is combined together. The navigational data is used by the receiver to determine satellites location coordinates and their clock timings. The C/A code is used by the receiver to uniquely identify a satellite. Using the information from the navigational data the receiver can produce its internal version of the C/A code. The receiver then calculates the difference in timing between its internal version of the code and the received code from the satellite to determine the distance between the receiver and the satellite.

Project team

Project students

  • Lachlan Page
  • Ian Crossing
  • Bailey Heading
  • Jack Hilliard

Supervisors

  • Dr Matthew Sorell

Objectives

  • Develop spoofing capability
    • Spoof a phone and make a spoofing testbed
  • Test detection methods on real data
    • Real data gathered from the spoofing testbed
  • Implement one or more detection methods in a real-time app
    • Utilise raw parameters from Android API

Background

Motivation

It is estimated that the complete outage of GNSS for a single day would result in a loss of $1 billion USD to many corporations and individuals [x]. And due to its importance and reliance, GNSS is a potential target of malicious actors. Entire business models have been created which use phones and their inbuilt GNSS receivers, once such example is the ride sharing company Uber. Uber has reported that they deal with software spoofing in which GPS spoofing apps are used to report fake trips [x] and earn the drivers additional income. GNSS spoofing is a new generation of attack. Signals designed to imitate those produced from GNSS satellites are created which produce false location or timing data. GNSS spoofing is of a bigger concern today due to technological advancements. Prior to 2010, high end equipment needed to perform the attacks cost in excess of $100K. Now, due to the advancement of software defined radio, the respective equipment can be purchased for only $200. Last year, recent University of Adelaide graduates Liam Shelby-James and Stefan Normal proposed that a cheap USB to VGA dongle could be used to disrupt GPS on the L1 satellite band [x]. As such there is a need for cheap detection equipment or software to counteract the potential threat. In 2017, an incident occurred in the Baltic Sea [X] where numerous ships had their GNSS locations placed into an incorrect position. This position was 15km inland. In a recent update to the Android API, raw parameters from the GNSS chipset have become available. This presents an opportunity to investigate the usefulness of the parameters for spoofing detection.

Current Research in this Space

There is a significant amount of recent research into GNSS spoofing detection however, very little focuses on the use of mobile phones. Back in 2012, the university of Texas created a dataset of GPS attacks of varying complexity In 2018, Stanford University investigated the use of Android Raw GNSS Measurements in combined with other data available to the phone, such as accelerometer and network location. Last year’s honours group (Liam and Stephan) conducted a significant investigation into the exclusive use of Android Raw GNSS Measurements and recommended several spoofing detection techniques, which Jack will outline later. Liam and Stephan were unable to test on real data due to signal containment issues. Recently, commercial entity REGULUS, sell a software based spoofing detection system that relies on sensor fusion


Method

Results

Conclusion

Risk Management

Risk Management Framework

The risk management framework is based on assessing the likelihood and consequence of credible risks. Combining the likelihood and consequence of each risk results in a risk index ranging from LOW to VERY HIGH. Based on the calculated risk index an assessment is made on what further mitigations, if any, are required.

Table 1: Risk likelihood definitions
Rare (A) There is no expectation that the event/incident will occur
Unlikely (B) There is an expectation that an event/incident is doubtful or improbable to occur
Possible (C) This expectation lies somewhere in the midpoint between “could” and “improbable”
Likely (D) There is an expectation that an event/incident could occur but not certain to occur
Almost certain (E) There is an expectation that an event/incident will occur
Table 2: Risk consequence definitions
Consequence Safety Project Legal (EMI)
Negligible (1) Injury requires minor first aid (e.g. bandaid), short term discomfort (e.g. bruise, headache), no medical treatment Minor change to schedule Negligible generation of EMI, no breach of law
Minor (2) Injury requires first aid treatment Minor change to scope or frequent changes to schedule Breach of the radio communications act that results in no harmful interference to any service or device (e.g. unintentional transmission over 3mW in 915Mhz ISM band)
Moderate (3) Injury requires formal medical treatment (e.g. hospital outpatient/doctors visit) Significant change to scope early in the project, multiple minor changes to scope Unintended leakage in a non ISM band that does not result in harmful interference
Major (4) Injury requiring extensive medical treatment (e.g. hospitalisation) or activities could result in a Notifiable occurrence One team member is unable to complete honours in 2020, significant change to scope late in project Breach of radio communications act resulting in harmful interference to a receiver (e.g. affects GNSS receivers other than the DUT)
Severe (5) Injury resulting in death, permanent incapacity All team members are unable to complete honours to a satisfactory standard in 2020 Breach of radio communications act resulting in disruption to national critical infrastructure (e.g. affects timing in 3G/4G base station)
Table 3: Risk index matrix
Likelihood Consequences
Negligible (1) Minor (2) Moderate (3) Major (4) Severe (5)
Almost Certain (E) MEDIUM E1 HIGH E2 VERY HIGH E3 VERY HIGH E4 VERY HIGH E5
Likely (D) MEDIUM D1 MEDIUM D2 HIGH D3 VERY HIGH D4 VERY HIGH D5
Possible (C) LOW C1 MEDIUM C2 HIGH C3 HIGH C4 VERY HIGH C5
Unlikely (B) LOW B1 LOW B2 MEDIUM B3 MEDIUM B4 HIGH B5
Rare (A) LOW A1 LOW A2 LOW A3 MEDIUM A4 MEDIUM A5
Table 4: Risk index action requirements
Risk Index (RI) Action
VERY HIGH Immediate action required. Cease the activity immediately and implement short term controls. Notify Manager
HIGH Implement short term safety controls immediately. Notify Manager
MEDIUM Short term safety controls implemented to minimise risk of injury, corrective Actions within one month. For project risks, this level may be acceptable however, periodic assessment is required.
LOW Acceptable for non-safety risks. For safety risks, corrective Actions within three months (if possible).

Risk Assessments

Table 5: Summary of assessed risks
Risk Pre mitigation risk index Post mitigation risk index
Interference with GNSS receivers HIGH C4 LOW A3
Supply chain or equipment failure VERY HIGH D4 MEDIUM C2
Intra-state travel restrictions & campus shutdown No Credible Risk No Credible Risk
Team Member Becomes Unavailable VERY HIGH D4 MEDIUM D2
Transfer of physical items VERY HIGH D4 MEDIUM A4

Interference with GNSS receivers

Pre mitigation assessment

It is a breach of legislation to cause harmful interference to a GNSS receiver. This includes generating signals that may be detected in mobile phone base stations or mobile phones of people nearby. The power of radios available for transmission is small and the tests will be conducted inside a steel structure however, it is possible the signals will be detected by a GNSS receiver (e.g. in a passing vehicle or low flying aircraft). Therefore, this risk is classified as HIGH C4 (Possible, Major).

Mitigation Strategy

Create and verify the performance of a containment chamber. This will significantly reduce the EIRP of any device inside the chamber. There is a chance that the performance of the chamber will degrade over time or become damaged. Continuous monitoring will be implemented external to the chamber for leakage detection. In the event of leakage, any transmitting devices shall be immediately shut down. The chamber shall be enclosed inside a secondary containment structure to provide additional attenuation and mitigate the consequence of a brief unintended transmission.

Post mitigation assessment

The mitigations outlined reduce both the likelihood and credible legal consequence to LOW A3 (Rare, Moderate). No further action is required to mitigate this risk.


Supply Chain or Equipment Failure

Pre mitigation assessment

The current plan outlined in this document relies on the acquisition of a suitable mobile phone to collect raw GNSS measurements and support application development. Given the current pandemic of COVID-19 and constant change in available services ant travel restrictions it is considered likely the supply chain will be disrupted. The current plan relies on the ability to collect GNSS data from a phone hence, the disruption to supply chain will result in significant change to project scope. Regardless of supply chain, there is also an unlikely risk that a critical piece of equipment becomes unusable due to damage. The consequence of this is a significant change to project scope. This risk is classified as VERY HIGH D4 (Likely, Major)

Mitigation strategy

The likelihood of this disruption can be mitigated by ordering equipment as soon as possible however, disruption to supply chain remains likely. To mitigate the consequence, the project will be pursued on a theoretical basis using simulated results to get started. If the required equipment and be acquired the project will transition to the use of real data. To facilitate real time application development, an already available phone will be used to implement detection methods basic on the basic parameters available. To mitigate the potential for damage to critical equipment, the equipment used in this project will be reserved for the exclusive use of this project

Post mitigation assessment

The shift to assuming the phone will not become available reduces the project consequence to MINOR. The adjusted assessment is MEDIUM D2 (Likely, Minor). As this risk index is above acceptable level, it will be monitored and reviewed on a weekly basis.


Intra-State Travel Restrictions & Campus Shutdown

Pre mitigation assessment

The project to date has been planned to be completed off campus. This includes construction of a homemade RF testing laboratory and use of personal radio equipment. All data generated and collected can be distributed online and all project files are hosted on OneDrive accessible by all team members. In addition, all meetings have transitioned to online formats. The consequence of campus shutdown or increased travel restrictions will have no impact on the project. This risk is assessed as No Credible Risk.

Mitigation strategy

Not required.

Post mitigation assessment

No further mitigations required. The adjusted assessment remains at No Credible Risk.


Team Member Becomes Unavailable

Pre mitigation assessment

It is likely that a team member may become unavailable due to illness or Australian Defence Force requirements. Unmitigated, this will have a major effect on the project, potentially at a late stage. This risk is assessed as VERY HIGH D4 (Likely, Major)

Mitigation strategy

Work shall be allocated so there is sufficient overlap between project members to allow key milestones to be met. Additionally, the project is divided into distinct milestones which will allow the project to be submitted in a degraded, but acceptable, state.

Post mitigation assessment

The mitigations reduce the consequence to minor. The revised assessment is MEDIUM D2 (Likely, Minor). This risk will require periodic review and further mitigations, especially if the


Transfer of physical items

Pre mitigation assessment

Due to the increased threat of virus transmission among community members appropriate procedures must in place for the transfer of physical items. Transmission of COVID-19 can be reduced among group members by following guidelines set by the government. But the risk occurs with the pathogen remaining on the hard surfaces of equipment. Unmitigated, this will have a major effect on the project and safety of all team members. This risk is assessed as VERY HIGH D4 (Likely, Major)

Mitigation strategy

The hard surfaces of equipment should be thoroughly cleaned. If suitable denatured alcohol or bleach may be used. The preferred technique is using isopropyl alcohol, which is recommended for skin contact. A SOP for item transfer is detailed below which mitigates this risk.

Post mitigation assessment

The SOP reduces the likelihood virus transmission to rare. As the consequence of cannot be lowered through mitigation, transfer of equipment shall occur only when necessary and shall be reviewed on a case by case basis. The adjusted risk is assessed as MEDIUM A4 (Rare, Major).

Standard Operating Procedure for Transfer of Items

Purpose

This Standard Operating Procedure will be used throughout the entirety of this project. The purpose will be to provide guidance on how to safely achieve our desired outcomes during the coronavirus (COVID-19) outbreak currently occurring. The document will be reviewed on as required and updated based on information provided by the Government Health Authorities.

Background

Australia is currently in the midst of a pandemic. This pandemic is caused by a respiratory illness that was first located in Wuhan, China. Aptly named COVID-19 this virus belongs to a large family of viruses that can cause a myriad of symptoms with varying lethality. The latest information on COVID-19 can be sourced from the Australian Government Department Of Health or The World Health Organization (WHO). In Australia, the most likely sources of the virus are:

  • Travellers who have recently returned from overseas
  • Close contact with a confirmed COVID-19 case

Equipment Transfer

For scheduled equipment transfer a risk assessment must be completed to rule out potential transmission of COVID-19. Due to the high risk of transmission, a separate assessment is required for each transfer. Assessments should be completed by the relevant group members and assessed by the remaining individuals with final approval from a project supervisor.

Procedure

Option 1

Goods shall only be transferred using this procedure if the following criteria is met:

  • The person in possession of the goods is not a confirmed case of COVID-19
  • Does not have any COVID-19 symptoms listed
  • Not in 14-Day mandatory isolation

If the criteria Is met, then the recommended goods transfer procedure is outlined below:

  1. The person initially in possession will sanitise the item(s) and place in a box or bag which is sealed.
  2. The sealed box will be delivered to a pre-arranged drop point that provides security and does not require the two parties to meet.
  3. On delivery, the deliverer will wipe the handling surfaces of the box with disinfectant.
  4. The deliveree will disinfect the box again on collection from the drop point.
  5. The items inside the box are cleaned again by the person receiving.

Option 2

The goods are sent using Australia Post. Australia post has implemented zero contact delivery, which mitigates the likelihood of transfer. In addition, for extra precaution the sender should disinfect the surfaces prior to sending and similarly the receiver of the goods should disinfect the surfaces immediately upon collection.

References

[1] a, b, c, "Simple page", In Proceedings of the Conference of Simpleness, 2010.

[2] ...

Retrieved from "https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2020s1-2290_Untrustworthy_GNSS_Signal_Identification_and_Generation&oldid=14065"