assessing the likelihood of gnss spoofing attacks on rpas
play

Assessing the likelihood of GNSS spoofing attacks on RPAS Mike - PowerPoint PPT Presentation

Dec 04, 2022 •336 likes •593 views

Assessing the likelihood of GNSS spoofing attacks on RPAS Mike Maarse UvA/NLR 30-06-2016 Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 1 / 25 Introduction Motivation/relevance Growing number of RPAS in professional use Many system

  1. Assessing the likelihood of GNSS spoofing attacks on RPAS Mike Maarse UvA/NLR 30-06-2016 Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 1 / 25

  2. Introduction Motivation/relevance Growing number of RPAS in professional use ◮ Many system configurations Numerous threats on wireless communications Notable recent ”efforts” ◮ Iran spoofs US Lockheed Martin RQ-170 (2011) ◮ Maldrone: First backdoor for drones (Sasi, 2015) ◮ MiTM attack on RPAS telemetry link (Rodday, 2015) Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 2 / 25

  3. Introduction Motivation/relevance Growing number of RPAS in professional use ◮ Many system configurations Numerous threats on wireless communications Notable recent ”efforts” ◮ Iran spoofs US Lockheed Martin RQ-170 (2011) ◮ Maldrone: First backdoor for drones (Sasi, 2015) ◮ MiTM attack on RPAS telemetry link (Rodday, 2015) Growing number * many * numerous = ”a lot” We need a systematic approach! Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 3 / 25

  4. Introduction Research questions 1. How can we define a systematic approach to study and model attack paths of wireless attacks on an RPAS? 2. How can we apply the defined approach in a practical experiment using a GNSS receiver to establish the likelihood of such an attack? Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 4 / 25

  5. Approach Classify the target (sub-)system 1 Specify a systematic approach 2 Create threat model 3 Establish likelihood of GNSS receiver attacks 4 ◮ ...through practical experimentation Evaluate the risk 5 Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 5 / 25

  6. Remotely Piloted Aircraft Systems Main components Remotely Piloted Aircraft (RPA) Remote Pilot Station (RPS) Command & Control link (C2) Figure 1: Operation within RLOS Figure 2: Long range operation Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 6 / 25

  7. Remotely Piloted Aircraft Systems Example implementations Figure 3: DJI Phantom hardware Figure 4: NASA research Predator Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 7 / 25

  8. Remotely Piloted Aircraft Target system classification Level Sensor type Output I GNSS Latitude, longitude, altitude, time Pitot-static Altitude, airspeed, temperature, pressure II Magnetometer Heading Accelerometer Accelerations Gyroscope Pitch, roll, yaw angles Table 1: Target system’s PNT capabilities Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 8 / 25

  9. Remotely Piloted Aircraft How does it work? Figure 5: Component interaction Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 9 / 25

  10. Attacking the RPAS Remote operation makes the system vulnerable What does the attacker want to achieve? Monitor/eavesdrop communications Influence system behaviour ◮ Gain trajectory control ◮ Permanently disable (part of) the system Proven methods Listening in on unencrypted video feed Attacking the C2/telemetry link Attacking the GNSS receiver Upload malware Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 10 / 25

  11. Threat modelling Attack-Defence Trees Developed by University of Luxembourg ◮ Based on Attack Trees formalism (Schneier, 1999) Breaks down attack scenarios, include countermeasures Figure 6: Top level RPAS attacks Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 11 / 25

  12. SPOOFING TIME! (literally) Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 12 / 25

  13. Staging the attack Goal Control the RPA’s trajectory by altering the perceived position and time. Related work/inspiration GPS-SDR-SIM (Ebinuma, 2015) What do we need to do? Obtain GPS ephemeris data 1 Set target coordinates 2 ◮ Fixed latitude, longitude, altitude ◮ Path in ECEF database ◮ Path in NMEA sentences Generate I/Q samples binary 3 Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 13 / 25

  14. Staging the attack Lab setup Figure 7: Experiment setup Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 14 / 25

  15. Execution Transmitting the samples Figure 8: Equipment in action Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 15 / 25

  16. Execution What just happened? Figure 9: Recorded path and receiver output Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 16 / 25

  17. Execution Observations Binary sample rate should match transmitter sample rate... Potential storage issues ◮ Large binary files (approx. 3GB for 5 min. of traffic) ◮ Underflow errors due to slow disk reads Matching NMEA input to NMEA output Single satellite signal affects receiver clock Timeframe Given the adversary is prepared, the position reported by the GPS receiver can be compromised in less than a minute . Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 17 / 25

  18. Risk evaluation Chance of occurring Relatively easy to execute Less obvious than jamming Hardware is getting cheap Impact Reduced PNT capabilities Consequences depend on many factors Adversary’s profile (e.g. resources, skill) Target system’s PNT capabilities Implemented countermeasures Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 18 / 25

  19. Future work Use results in full risk analysis Security analysis of GNSS augmentation systems More GNSS spoofing! ◮ Perform attack on ”live” RPAS ◮ Multi-constellation GNSS receivers Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 19 / 25

  20. Summary Conclusion It is possible to define a systematic approach... ◮ ...but needs to be kept up-to-date Refining threat models require expert knowledge Experiment shows GPS signal spoofing requires little effort Current GNSS implementations are vulnerable ◮ Use of unauthenticated and unencrypted signals ◮ Signals from space are easily overpowered ◮ Relatively cheap equipment Spoofing attacks are highly likely Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 20 / 25

  21. Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 21 / 25

  22. Appendix I - Target system classification Target system classification Level Sensor type Output I GNSS Latitude, longitude, altitude, time Pitot-static Altitude, airspeed, temperature, pressure II Magnetometer Heading Accelerometer Accelerations Gyroscope Pitch, roll, yaw angles III Radio altimeter Altitude Inertial Measurement Unit Angular rates, forces Attitude Heading Reference System Angular rates, forces, attitude, heading IV Radio navigation equipment Position fix Inertial Navigation System Position, orientation, velocity V RADAR, LiDAR, ground reference Full situational awareness Table 2: PNT capability levels Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 22 / 25

  23. Appendix II - Attack execution How does this affect the RPAS? Figure 10: Compromised state Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 23 / 25

  24. Appendix III - Risk evaluation But wait, there is a model for that! Figure 11: Bow tie model Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 24 / 25

  25. Appendix IV - Spoofing mitigation Available techniques Monitor signal strength Encrypt the signal Monitor (calculated) drift Detect signal geometry Combination of the above Source: M. L. Psiaki and T. E. Humphreys, ”GNSS Spoofing and Detection,” in Proceedings of the IEEE, vol. 104, no. 6, pp. 1258-1270, June 2016. Mike Maarse (UvA/NLR) RP2 Presentation 30-06-2016 25 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such DDoS attacks addressing spoofing attempts to eliminate spoofing, not adopted IETF BCPs 38-84, ISOC MANRS scrubbing centers (eg Akamai,

700 views • 19 slides
BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Jianliang Wu 1 , Yuhong Nan 1 , Vireshwar Kumar 1 , Dave (Jing) Tian 1 , Antonio Bianchi 1 , Mathias Payer 2 , Dongyan Xu 1 1 Purdue University 2 EPFL Motivation Bluetooth

626 views • 18 slides
Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept.,

Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept.,

Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept., Politecnico di Torino, Italy ! !"#$%&''()*++,(-./0121,(3*4*54)*++( Outline ! GNSS vulnerabilities ! Classification of interfering

970 views • 50 slides
European RPAS Roadmap RPAS Activities in SESAR 2020 ICNS 2015 Washington Dulles Airport - April

European RPAS Roadmap RPAS Activities in SESAR 2020 ICNS 2015 Washington Dulles Airport - April

European RPAS Roadmap RPAS Activities in SESAR 2020 ICNS 2015 Washington Dulles Airport - April 22 nd 2015 European Vision for RPAS integration Safe operation into non-segregated airspace: - the regulatory framework - enabling

603 views • 22 slides
International Cooperation on GNSS: A Provider Perspective on the ICG International GNSS (IGNSS)

International Cooperation on GNSS: A Provider Perspective on the ICG International GNSS (IGNSS)

International Cooperation on GNSS: A Provider Perspective on the ICG International GNSS (IGNSS) Conference Sydney, Australia Jeffrey Auerbach Office of Space and Advanced Technology U.S. Department of State 7-9 Febru ruary y 2018 GNSS: A

521 views • 33 slides
European GNSS Applications in H2020 Agenda European GNSS Agency EU-GNSS potential FP7-

European GNSS Applications in H2020 Agenda European GNSS Agency EU-GNSS potential FP7-

European GNSS Applications in H2020 Agenda European GNSS Agency EU-GNSS potential FP7- experience and results H2020 opportunities Agenda European GNSS Agency The European GNSS Agency (GSA) Staff: 100 Headquarters: Prague GSA manages

850 views • 38 slides
Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1 , 3 , Mines-Telecom Annelie Heuser 1 , Olivier Rioul 1 , cois-Xavier Standaert 4 , Yannick Teglia 5 Fran 1 T el ecom-ParisTech, Crypto

1.04k views • 62 slides
Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1

Taylor Expansion of Maximum Likelihood Attacks Institut Nicolas Bruneau 1 , 2 , Sylvain Guilley 1 , 3 , Mines-Telecom Annelie Heuser 1 , Olivier Rioul 1 , cois-Xavier Standaert 4 , Yannick Teglia 2 Fran 1 T el ecom-ParisTech, Crypto

913 views • 60 slides
TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview

TCP/IP: sniffing, ARP attacks, IP fragmentation Network Security Lecture 3 Recap and overview Last time Today TCP/IP Attacks IP Sniffing Ethernet Spoofing ARP Hijacking (ARP) Tools/libraries Libnet,

729 views • 37 slides
Facilitating Industrial GNSS Cooperation Across Continents The GNSS.asia team EUROPE Rainer

Facilitating Industrial GNSS Cooperation Across Continents The GNSS.asia team EUROPE Rainer

Facilitating Industrial GNSS Cooperation Across Continents The GNSS.asia team EUROPE Rainer Horn Lukas Lanneau Daniel Ludwig Global Coordinator Project Manager Asia Expert STP STP DLC Fabrizio Mura Hyemi Hwang Davof Xu GNSS.asia

314 views • 29 slides
Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017 www.lookingglasscyber.com PRESENTER: Allan Thomson, CTO Dr Jamison Day, Principal Data Scientist 2017 LookingGlass Cyber Solutions Inc. 1 What threats are

344 views • 21 slides
The Spoofer Project Rob Beverly <rbeverly@mit.edu> MIT CSAIL March 30, 2005 Spoofer

The Spoofer Project Rob Beverly <rbeverly@mit.edu> MIT CSAIL March 30, 2005 Spoofer

The Spoofer Project Rob Beverly <rbeverly@mit.edu> MIT CSAIL March 30, 2005 Spoofer Project Background High-profile spoofing-based DDoS attacks in 2000, 2001 Does spoofing really matter in 2005? All ISP filter, right?

346 views • 10 slides
AN OVERVIEW OF THE CARGO TRANSPORT RPAS RESEARCH AND DEVELOPMENT PROJECT Avv. Donatello Gianni

AN OVERVIEW OF THE CARGO TRANSPORT RPAS RESEARCH AND DEVELOPMENT PROJECT Avv. Donatello Gianni

REMOTELY PILOTED AIRCRAFT SYSTEMS (RPAS) AN OVERVIEW OF THE CARGO TRANSPORT RPAS RESEARCH AND DEVELOPMENT PROJECT Avv. Donatello Gianni 1 U-Avitalia is a company duly incorporated in italy that promotes, projects, organizes and coordinates

341 views • 14 slides
U.S. International GNSS Activities International GNSS (IGNSS) Conference Sydney, Australia

U.S. International GNSS Activities International GNSS (IGNSS) Conference Sydney, Australia

GPS Civil Service Update & U.S. International GNSS Activities International GNSS (IGNSS) Conference Sydney, Australia Jeffrey Auerbach Office of Space and Advanced Technology U.S. Department of State 06 December 2016 Overview Policy

373 views • 26 slides
GNSS Market Access Jason Y. Kim U.S. Department of Commerce 9th Meeting of the International

GNSS Market Access Jason Y. Kim U.S. Department of Commerce 9th Meeting of the International

GNSS Market Access Jason Y. Kim U.S. Department of Commerce 9th Meeting of the International Committee on GNSS Prague, Czech Republic -- November 2014 U.S. National Space Policy The United States shall engage with foreign GNSS providers to:

351 views • 8 slides
Speaker Verification Haizhou Li Acknowledgement: Zhizheng Wu, Tomi Kinnunen, Nicholas Evans,

Speaker Verification Haizhou Li Acknowledgement: Zhizheng Wu, Tomi Kinnunen, Nicholas Evans,

Voice Conversion and Anti-spoofing of Speaker Verification Haizhou Li Acknowledgement: Zhizheng Wu, Tomi Kinnunen, Nicholas Evans, Junichi Yamagishi, Xiaohai Tian 1 Agenda Spoofing Attacks Voice Conversion Artifacts ASVspoof

915 views • 53 slides
Purpose Our intent is to discuss proposed new capabilities of DTCP which have been referred

Purpose Our intent is to discuss proposed new capabilities of DTCP which have been referred

DTCP+ For discussion with 3S April 14, 2010 1 Purpose Our intent is to discuss proposed new capabilities of DTCP which have been referred to as DTCP+ We have had two previous reviews and have prepared a near-final draft

673 views • 29 slides
Spurring IT Innovation Are You Ready for Independence? Presenters: Kelsie Page, Executive

Spurring IT Innovation Are You Ready for Independence? Presenters: Kelsie Page, Executive

Spurring IT Innovation Are You Ready for Independence? Presenters: Kelsie Page, Executive Director, Charleston Research Institute Mary Thornton, Director of Data Integrity, Palo Alto Veterans Institute for Research 1 Spurring IT

444 views • 32 slides
ModernBiz $ # Agenda Part 1: Introduction Part 2: Solutions Part 3: Next steps Technology as

ModernBiz $ # Agenda Part 1: Introduction Part 2: Solutions Part 3: Next steps Technology as

ModernBiz $ # Agenda Part 1: Introduction Part 2: Solutions Part 3: Next steps Technology as a differentiator Grow efficiently Why Microsoft? ModernBiz Business anywhere Get started Solutions for your business Safeguard your business

1k views • 59 slides
Flexy 205 Remote Machine Data Remote Access Jacob Hinsch jgh@wexoe.dk Obstacles for Industry

Flexy 205 Remote Machine Data Remote Access Jacob Hinsch jgh@wexoe.dk Obstacles for Industry

Flexy 205 Remote Machine Data Remote Access Jacob Hinsch jgh@wexoe.dk Obstacles for Industry 4.0 in your factory Unique and proprietary protocols, sometimes on legacy machines Machines not providing valuable data IT involvement has

801 views • 39 slides
The Connected Car Study Telematics systems available for 3 rd Parties in comparison to OEMs

The Connected Car Study Telematics systems available for 3 rd Parties in comparison to OEMs

The Connected Car Study Telematics systems available for 3 rd Parties in comparison to OEMs telematics systems Status quo, future trends Study Report based on practical field tests and Internet Research Dr. Christian Knobloch, Knobloch

753 views • 30 slides
Mercury: Enabling Remote Procedure Call for High-Performance Computing J. Soumagne, D. Kimpe , J.

Mercury: Enabling Remote Procedure Call for High-Performance Computing J. Soumagne, D. Kimpe , J.

Mercury: Enabling Remote Procedure Call for High-Performance Computing J. Soumagne, D. Kimpe , J. Zounmevo, M. Chaarawi, Q. Koziol, A. Afsahi, and R. Ross The HDF Group, Argonne National Laboratory , Queens University November 26, 2013 RPC

850 views • 62 slides
Investor Presentation April 2018 1 Safe Harbor During the course of this presentation the

Investor Presentation April 2018 1 Safe Harbor During the course of this presentation the

Investor Presentation April 2018 1 Safe Harbor During the course of this presentation the Company will be making forward-looking statements (as such term is defined in the Private Securities Litigation Reform Act of 1995) that are based on our

563 views • 38 slides
Distribution & Services Analyst Day 2018 Joe Reniers President, Distribution &

Distribution & Services Analyst Day 2018 Joe Reniers President, Distribution &

Distribution & Services Analyst Day 2018 Joe Reniers President, Distribution & Services Cautionary Statement Statements contained in this presentation with respect to the future are forward-looking statements. These statements reflect

496 views • 36 slides

More recommend