Secure GPS for Aviation

The Global Position System (GPS) is increasingly being used for crucial safety and security applications such as emergency response services, law enforcement, cargo security, nuclear materials transport, aircraft navigation, and critical time & synchronization standards for utilities, telecommunications, and computer networks. This heavy reliance on GPS may be a mistake. The Department of Transportation (DOT) has warned that the civilian GPS signals-which are the only ones available to most government users and all private users-are not secure. Few GPS users are paying attention.

Countermeasures

Several of the countermeasures proposed are based on signal strength, which must (at least initially) be higher for the fake signal than the true signal from space. Some of the other countermeasures involve recognizing the characteristics of the satellite simulator itself.

Many (if not all) GPS receivers display the signal strength and satellite number for each of the satellites it is receiving data from. It is unknown if any receivers that store this data and compare the information from one moment to the next.

One or more of the following seven countermeasures should allow suspicious GPS signal activity to be detected:

• Monitor the absolute GPS signal strength: This countermeasure involves monitoring and recording the average signal strength. A comparision would be performed on the observed signal strength to the expected signal strength of about -163 dBw (5 x 10-17 watts). If the absolute value of the observed signal exceeds some preset threshold, the GPS receiver would alert the user. This countermeasure is based on the idea that relatively unsophisticated GPS spoofing attacks will tend to use GPS satellite simulators. Such simulators will typically provide signal strengths many orders of magnitude larger than any possible satellite signal at the Earth's surface. This is an unambiguous indication of a spoofing attack.
  
  
• Monitor the relative GPS signal strength: The receiver software could be modified so that the average signal strength could be recorded and compared from one moment to the next. An extremely large change in relative signal strength would be characteristic of an adversary starting to generate a counterfeit GPS signal to override the true satellite GPS signals.11 If the signal increases beyond some preset threshold, an alarm would sound and the end user could be alerted.
  
  
• Monitor the strength of each received satellite signal: This countermeasure is an extension of the above two techniques. Here, the relative and absolute signal strengths are tested individually for each of the incoming satellite signals. Signals from a GPS satellite simulator will tend to make the signal coming from each artificial satellite of equal strength. Real satellite signals, however, vary from satellite to satellite and change over time. The idea here is that if the signal characteristics are too perfect, there is probably something wrong and the user should be alerted. Like the previous two countermeasures, this countermeasure could be implemented by modifying the existing software code of the GPS receiver.
  
  
• Monitor satellite identification codes and the number of satellite signals received: GPS satellite simulators transmit signals from multiple satellites (typically 10)-more than the number of real satellites often detected by a GPS receiver in the field at a given time. Many commercial GPS receivers display satellite identification information but do not record this data or compare it to previously recorded data. Keeping track of both the number of satellite signals received and the satellite identification codes over time may prove helpful in determining whether foul play is occurring. This is especially true of an unsophisticated spoofing attack where the adversary does not attempt to mimic the true satellite constellation at a given time.
  
  
• Check the time intervals: With most GPS satellite simulators, the time between the artificial signal from each satellite and the next is a constant. This is not the case with real satellites. In other words, the receiver may pick up the true signal from one satellite and then a few moments later pick up a signal from another satellite, etc. With the satellite simulator, the receiver would pick up signals from all of the "satellites" simultaneously. This is an exploitable feature of the satellite simulator that could be used to tell whether the signals were coming from the true source or a false simulator-based source.
  
  
• Do a time comparison: Many current GPS receivers do not have an accurate clock. By using timing data from an accurate, continuously running clock to compare with the time derived from the GPS signal, there can be a check on the veracity of the received GPS signals. If the time deviates beyond some threshold, the user can be alerted to the possibility of a spoofing attack. As the Vulnerability Assessment Team has demonstrated, very accurate clocks can be small and inexpensive and operate on very low power.
  
  
• Perform a sanity check: A small, solid-state accelerometer and compass can be used to independently monitor the physical trajectory (heading, velocity, etc.) of the receiver mounted, for example, on a moving truck. The information provided by this approach can be used to double-check the current position fix reported by the GPS receiver based on a previously reported position. In a sophisticated spoofing attack, the adversary would send a false signal reporting the moving target's true position and then gradually walk the target to a false position. This is how an attack on a cargo truck might occur. The accelerometer would serve as a relative (not absolute) backup positioning system, which could be used to compare to the position reported by the GPS receiver. A discrepancy between the accelerometer and the receiver would raise a red flag and alert the user.

All seven strategies can be implemented by retrofitting existing GPS receivers; it is not necessary to redesign them. Strategies one through five can be implemented primarily through software alone. Strategy six could be implemented through software, or else a more accurate clock could be fitted onto the existing GPS receiver. Strategy seven would require both hardware and software implementation to work properly. A proof of principle for countermeasures one through seven could be demonstrated fairly quickly.