NIST Introduces GNSS Threats as New Challenge for Cybersecurity Community

Global Navigation Satellite Systems (GNSS) is a general term describing any satellite constellation that provides positioning, navigation, and timing (PNT) services.

GNSS is not only used in your phone for navigation or for self-driving vehicles. Today, GNSS is the primary source of accurate time for national critical infrastructure:

  1. Banks, Exchanges, High-Frequency Trading must comply with the stringent requirements of time synchronization. A timestamp error disrupts the integrity of bank transactions.
  2. Smart Power Grid Systems require precise synchronization to ensure flawless Network Monitoring and Automatic Protection. Time synchronization distortion can lead to cascading faults and large-scale power blackouts.
  3. 5G requires the highest timing accuracy up to 65 nanoseconds. This is difficult to achieve in a city with tall buildings, GNSS signal reflection, and many sources of radio interference.
  4. Data Centres require sub-millisecond precision timestamping for transactions and distributed data processing, log file accuracy, auditing, and monitoring. GNSS spoofing may cause SSL certificates to fail.
  5. DVB-T/T2 in Single Frequency Networks (SFN) mode requires precise and reliable synchronization. If the accuracy of the PPS phase is low, the service fails.

According to the report of the European GNSS Agency, more than 2.9 million GNSS time servers will be sold in the world by the end of this year. It doesn't seem like a lot. But every unit is a source of synchronization for vital infrastructure.

Screenshot from European GNSS Agency Report on Time & Synchronisation User Needs and Requirements

GNSS Vulnerability

The output power of a GNSS satellite transmitter in an orbit of 20,000 km is as low as 60 W, so on the Earth's surface the GNSS signal power is about minus 155 dBW. That is a hundred times (20..30 dB) lower than the ambient noise level, which is why GNSS signals are so susceptible to RF interference.

[Figure: GNSS vulnerability map]

Deliberate attacks on GNSS and how they can affect the time server:

Jamming is noise generation that blocks GNSS signal reception.

It is relatively safe for time servers, because if the device loses GNSS signals, it goes into holdover and continues to maintain high time accuracy.

Spoofing is the counterfeiting of GNSS signals. This is very dangerous for the time server, because the device can change its time in as little as 15 seconds after spoofing begins. Take a look at this experiment:

https://youtu.be/si7Y5hx_ZA0
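
The jamming and spoofing behaviour described above, as an added example that is not from the original article or from any vendor: a plausibility check a time server could run on 1 Hz receiver data, treating loss of signal as holdover and rejecting a time offset that moves faster than the local oscillator could drift. The thresholds, field names and sample capture are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed limits (not from the article); tune to the receiver and oscillator in use.
MAX_DRIFT_NS_PER_S = 50.0  # worst-case drift of the local holdover oscillator
MIN_SATS = 4               # fewer tracked satellites means no usable fix

@dataclass
class Sample:
    t: int            # seconds since capture start, counted by the local oscillator
    sats: int         # satellites tracked by the receiver
    offset_ns: float  # GNSS time minus local oscillator time

def classify(samples):
    """Label each sample 'ok', 'holdover' (signal lost) or 'spoof_suspected'."""
    states, ref = [], None  # ref = last trusted (t, offset_ns)
    for s in samples:
        if s.sats < MIN_SATS:
            states.append((s.t, "holdover"))  # jamming/outage: coast on the oscillator
            continue
        if ref is None:  # assumption: the first fix is taken in a trusted environment
            ref = (s.t, s.offset_ns)
            states.append((s.t, "ok"))
            continue
        allowed = MAX_DRIFT_NS_PER_S * (s.t - ref[0])
        if abs(s.offset_ns - ref[1]) > allowed:
            # Offset moved faster than the oscillator could drift: reject the fix
            # and keep the old reference so the clock is not steered by it.
            states.append((s.t, "spoof_suspected"))
        else:
            ref = (s.t, s.offset_ns)
            states.append((s.t, "ok"))
    return states

def first_alarm(samples):
    """Seconds into the capture of the first suspected-spoofing sample, or None."""
    return next((t for t, st in classify(samples) if st == "spoof_suspected"), None)

# Constructed 1 Hz capture: outage at t=2..3, 5 ms time step at t=6..7.
CAPTURE = [Sample(0, 9, 12.0), Sample(1, 9, 15.0), Sample(2, 0, 0.0),
           Sample(3, 0, 0.0), Sample(4, 9, 20.0), Sample(5, 10, 25.0),
           Sample(6, 11, 5_000_000.0), Sample(7, 11, 5_000_010.0),
           Sample(8, 9, 30.0)]

if __name__ == "__main__":
    for t, state in classify(CAPTURE):
        print(t, state)
```

This check only catches offset changes faster than the assumed drift bound, so it complements rather than replaces the multi-antenna and RF spectrum analysis the article goes on to describe.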

By some accounts, GNSS spoofing use is increasing logarithmically around the world:

https://www.c4reports.org/aboveusonlystars

https://rntfnd.org/2021/03/15/dangerous-costly-to-airlines-eurocontrol-on-gnss-interference/

https://www.dhirubhai.net/pulse/thousands-gnss-jamming-spoofing-incidents-reported-2020-guy-buesnel/

The fact that GNSS has no authentication and is vulnerable to spoofing has long been known. Why is GNSS spoofing only now receiving so much attention?

Ten years ago, GPS spoofing required considerable technical skill and financial expense. Now it can be done with low-cost commercial hardware (SDRs like HackRF) and software downloaded from GitHub (e.g., osqzss/gps-sdr-sim).

So now, any student can organize a spoofing attack on a bank’s processing centre in 15 minutes.

There are hundreds of instructions on YouTube!

Additionally, GNSS spoofing has become the de facto standard of defence against drones in some countries:

https://twitter.com/gpspatron/status/1352675197002932225

This is an example of GNSS spoofing of an automatic anti-drone station:

Data from GPSPATRON website https://gpspatron.com/blog/

An anti-drone station monitors the RF and detects drone control signals. When detected, it activates the GNSS spoofer and simulates the coordinates of the nearest airport. For drones, this is a no-fly zone and the drone either lands or flies to the take-off point.

In this case, spoofing is short-term, lasting a few minutes. But this is enough to crash the synchronization system.

Regulation

To ensure that the nation’s critical infrastructure is resilient to disruptions in GPS, on Feb. 12, 2020, President Trump signed the Executive Order on Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services.

A year later, NIST published the final NISTIR 8323: Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services.

The goals of this document:

  • identify systems, networks, and assets dependent on PNT services;
  • identify appropriate PNT services;
  • detect the disruption and manipulation of PNT services;
  • manage the associated risks to the systems, networks, and assets dependent on PNT services.

This profile will help organizations make deliberate, risk-informed decisions on their use of PNT services.

We have highlighted the requirements that relate to GNSS spoofing:

  • simulation of GNSS spoofing (and other effects that reduce PNT accuracy) to test the receiver/system
  • detection, classification, logging, and analysis of anomalies in PNT data
  • analysis of PNT accuracy/quality
  • determination of incident statistics
  • analysis of attack method
  • spectrum analysis in GNSS bands
  • spoofing source localization

Obviously, to fulfil all of the above requirements it is necessary to use specialized systems.

Solutions

After researching the limited players in the market, the one company that seems miles ahead of the game is GPSPATRON.

As far as we know, the start-up has been developing a system for analysing the quality of GNSS signals and detecting spoofing for three years, and they have already conducted successful pilots in Russia. When we asked why in Russia, the start-up’s CEO Maxim Borodko explained that Russia has state-of-the-art electronic warfare and permanently utilizes GNSS spoofing in its territory. Therefore, it is the best region to test the system under real spoofing conditions.

What they offer.

The GPSPATRON system consists of two components: the software GP-Cloud and the GNSS probe GP-Probe.

GP-Probe conducts GNSS signal measurements and transmits raw data to the GP-Cloud for real-time processing. GP-Cloud uses AI for anomaly detection and classification. The device itself does not contain any spoofing detection algorithms; it is needed only for streaming data.

GP-Probe has three GNSS receivers and requires three spaced GNSS antennas. This is needed for spatial signal analysis to ensure detection of a coherent spoofing scenario. Check this video to understand different spoofing types: https://youtu.be/5Mw-NKy1BOM

Additionally, the probe has an embedded FPGA-powered RF signal analyser with 60 MHz bandwidth. It’s needed for RF spectrum analysis.

According to Maxim, the combination of three channels and an RF analyser makes the system the most spoof-proof on the market, and even they can't cheat their own system.

The most important part of the system is GP-Cloud with an amazing UI. This is a web application that can be deployed to any server or in the cloud. It is designed for true real-time GNSS signal quality monitoring, logging, and post-analysis. This is a high-load solution since it can process 1-Hz raw GNSS data from thousands of connected probes or RTK base stations!

System’s key features

  • true real-time spoofing detection with latency less than 3 seconds
  • protection against all possible spoofing attack scenarios
  • a single cloud to monitor the entire GNSS-dependent infrastructure

And another interesting fact, the company has developed its own GPS spoofer to test the vulnerability of time servers and regularly posts spoofing reports on its blog.

According to Maxim, GPSPATRON is now looking for stakeholders to conduct pilot projects in the US.

This is a fast-evolving market, and one that seems to be readily ignored by many Governments and institutions around the world.

Is this newly recognised threat the most serious we have faced to date? That I do not know. I can, however, foresee a mad panic by both Government departments and Corporations once regulation is clarified!

I will be focusing on some of the key attack methods and specific vulnerabilities in my next article.

Thanks for taking the time to read it:)

Simon L

Christophe Foulon CISSP, GSLC, MSIT

Accepting vCISO Clients for 2025 | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management

3 years

Chris Roberts thoughts on this topic?

Lou Covey

Cybersecurity Journalist, amateur epistemologist

3 years

Reminds me of an article I wrote a year and a half ago. https://www.eeweb.com/modern-satellites-and-fire-from-the-sky/

Nikhil Sood

Application Security Consultant

3 years

Interesting topic you started. Will keep a keen eye on your next posts related to satellite security. Apparently there are very few articles or video tutorials to learn satellite forensics, Simon Linstead

Ben Brown

I help controllers of sensitive data gain confidence their systems are secure, quickly! No subscription or recurring costs

3 years

Simon Linstead I'll certainly pass it on and let you know what he thinks :)
