Detection and Localization of Attacks on Satellite-Based Navigation Systems
Dissertation submitted for the degree of Doktor-Ingenieur to the Faculty of Electrical Engineering and Information Technology at Ruhr-Universität Bochum by Kai Jansen, born in Iserlohn
Bochum, December 2018
Dissertation submitted on: 11 December 2018
Date of the oral examination: 6 March 2019
Reviewer:
Prof. Dr. Aydin Sezgin, Ruhr-Universität Bochum
Second reviewer:
Prof. Dr. Christina Pöpper, New York University Abu Dhabi
Third reviewer:
Prof. Dr. Ivan Martinovic, University of Oxford
Abstract
The worldwide coverage of satellite-based navigation systems, such as the Global
Positioning System (GPS), facilitates self-localization and time synchronization in
outdoor environments. Location and time awareness are integral components of a
wide field of applications including, but not limited to, emergency localization,
autonomous vehicles, and aviation. However, the strong dependence on the integrity of
GPS makes systems susceptible to signal outage, or even more severe, to deliberate
manipulation. The latter is referred to as spoofing attacks, a powerful attack class
against GPS-dependent systems that is challenging to protect against. In addition, the
tools available to attackers are becoming increasingly sophisticated and affordable. As a
consequence, we perceive a discrepancy between how critical systems are protected
and the feasibility of attacks.
In order to overcome this discrepancy, we propose countermeasures to harden
GPS-dependent systems against spoofing attacks. Moreover, our targeted domains,
in particular aviation, impose strict requirements on possible modifications to avoid
prolonged (re)certification processes. We address demanding real-world requirements
and design lightweight countermeasures that can be realized with commercial
hardware or can even be implemented with the already existing infrastructure. For
instance, we develop effective mechanisms for the detection of GPS spoofing attacks.
Further, we tackle the challenge of spoofer localization and propose Crowd-GPS-Sec
as a system for pinpointing an attacker via Automatic Dependent Surveillance-Broadcast
(ADS-B) aircraft messages. Furthermore, we design a verification scheme
based on wireless witnessing to assess the trustworthiness of ADS-B aircraft reports.
In conclusion, we evaluate and implement different security solutions for the
detection and localization of attacks on satellite-based navigation systems. We
theoretically analyze the viability of our proposals and develop prototypes demonstrating
their effectiveness. These solutions can be implemented today to improve the
security of GPS-dependent systems immediately.
Summary
The worldwide coverage provided by satellite-based navigation systems, such as the
Global Positioning System (GPS), enables localization and time synchronization.
Location and time awareness are essential components
and even modern ships [9]. Apart from academic research, spoofing attacks can be
perceived in the real world as well. For instance, spoofing is used as a defense against
GPS-controlled UAVs around the Kremlin in Russia [73, 100, 113] or impairs the
navigation of ships in the Black Sea [13, 30, 31, 53, 64]. These works and incidents
have highlighted the threat of GPS spoofing and identified the lack of suitable
countermeasures. To counter this threat, our objective is the design of effective,
ready-to-use countermeasures.
3.3 Advancing Attacker Models
Generally speaking, distance-based localization systems are challenging to protect
and are usually prone to spoofing attacks, e. g., fake GPS signals can be specifically
generated to confuse the localization procedure of a targeted receiver to inject false
position or time information. When the first affordable GPS spoofing systems became
available, the research community was compelled to react to this new threat.
The proposed countermeasures were designed to defend against attackers that use
one spoofing system to generate a mixture of false signals transmitted over a single
antenna (see Figure 3.1). This constraint stands in contrast to the normal operation
scenario, where each signal is emitted by a different satellite located at distributed
positions (compare Figure 2.1).
20 Chapter 3 Attacks on Satellite-Based Navigation Systems
Figure 3.1: An attacker with a single antenna needs to transmit a signal mixture of multiple satellite signals, which determines the TDoA at the receiver.
The proposed countermeasures against these attackers are mainly based on signal
characteristics that cannot be correctly emulated by single-antenna systems such
as geometric features [49, 94, 95, 125–127], signal correlations [12, 37, 60, 88], relative
carrier phases [14, 63, 68, 90], Doppler effects [106], or signal arrival times [105]. The
common assumption is that an attacker can only utilize single-antenna spoofing
systems and that using multiple devices is deemed too complex or too expensive.
With regard to technical advancements and significant cost reductions to deploy
several spoofing devices simultaneously, these assumptions need to be considered
outdated. However, today’s security solutions are still based on the single-antenna
attacker model and neglect the fact that the multi-device attacker has become a
reality [69]. As a result, systems with this outdated attacker model need to be
considered potentially insecure.
As an exemplary case, a multi-device attacker may successfully attack systems
based on distributed sensor infrastructures such as two proposals to secure air traffic
from Schäfer et al. [105, 106]. While the former system is based on unspoofable
time offsets [105], the latter builds on the integrity of Doppler shifts [106].
Nevertheless, a multi-device attacker can adjust both properties at different locations
accordingly, e. g., to inject fake aircraft that remain undetected by the respective
system. Furthermore, anti-spoofing systems based on signal characteristics such as
the AoA [60] or spatial correlation [12] may be circumvented by deploying multiple
antennas transmitting from different directions. Such systems could also emulate
realistic multipath propagation.
3.3.1 Attack Advancements
The GPS spoofing threat was first brought to the wider attention of the public by
the Volpe report [52] in 2001. The report states that malicious parties could be able
to deploy attacks against systems relying on GPS because of the system’s inherent
lack of confidentiality and authentication. The spoofing threat became a reality
in 2008 when Humphreys et al. [43] presented a custom-built, portable GPS spoofer
to generate false satellite signals with which they demonstrated the vulnerability of
GPS-dependent systems to spoofing attacks.
In the meantime, GPS satellite simulators—mainly designed for developing and
testing purposes—dropped significantly in cost from approx. $100,000 [60] to a few
thousand dollars. These devices can be turned into spoofing systems, limited only by
the accompanying software tools. Eventually, at DEFCON 2015, a Software Defined
Radio (SDR) GPS spoofer was presented [76] that is fully customizable and only
requires off-the-shelf SDRs such as a HackRF [26] or a Universal Software Radio
Peripheral (USRP) [23, 24], which lowers the costs for a single spoofing system to
a few hundred dollars. Several systems of this type can be utilized to transmit
different signals realizing a multi-antenna attacker with COTS hardware.
As a result, we conclude that, during the last decade, the cost and complexity
to build a GPS spoofing system lowered significantly. While the threat of facing
a multi-antenna attacker could be considered minimal ten years ago, nowadays we
need to factor the deployment of such an attacker into our attacker models as it has
become well feasible, thus changing our security assumptions and raising the risk for
applications relying on GPS for safety- or security-critical decisions and processes.
3.3.2 Multi-Antenna Attacker
The multi-antenna attacker utilizes (at least) four antennas each sending out a
different satellite signal. These signals arrive at the receivers as individual signals
with specific attacker-chosen time offsets. If chosen appropriately, the signals can be
resolved to a position that is determined by the actual satellite positions included
in the ephemeris data and the corresponding Time of Arrival (ToA). With one
satellite signal per antenna, the attacker can adjust the ToAs by repositioning the
corresponding antenna or inducing signal delays. Note that this is different from
the standard attacker setup, where a mixture of satellite signals is emitted from the
same source [12, 14, 43, 49, 60, 68, 90, 94–96, 128]. We want to stress that such an
attacker was only theoretically proposed in [128], but no practical implementations
are known.
Implementation of a Multi-Antenna Attacker
To illustrate advancements in attacker capabilities, we deploy a simple yet effective
setup to generate multiple separated spoofing signals (see Figure 3.2). The
implementation of a multi-antenna attacker allows us to be more flexible and to attack
systems that assume an attacker cannot leverage this many degrees of freedom.
In particular, we deploy a setup of four USRP N210 devices [24] from Ettus Research,
each transmitting a different satellite signal. These signals are generated by the
software tool gps-sdr-sim [76] for four satellites randomly selected from all visible
satellites at the spoofed position and time. All USRPs are connected via a network
switch and a standard laptop running gnuradio [29] positioned equidistantly around
the targeted receiver. A gnuradio block was designed that synchronously provides
the USRPs with the necessary precomputed data samples. The USRPs are coupled
with passive GPS antennas. The targeted GPS receiver is another USRP N210
device connected to a second laptop running gnss-sdr [28] to analyze the capability
of the multi-antenna attacker. We performed this experiment in a shielded indoor
environment to minimize potential signal leakages to the outside.
Figure 3.2: An experimental multi-antenna attacker setup consisting of four synchronized USRPs operated by gnuradio targeting a victim’s GPS receiver.
Insights
With this simple test setup, we gathered the following three insights. (i) We were
able to spoof the receiver with four spoofing devices each emitting a different satellite
signal. By placing the spoofer’s antennas equidistant to the receiver and a time
synchronization via gnuradio, we achieved a stable position lock on the spoofing
signals. (ii) The targeted receiver acquired a lock on the spoofing signals after
approx. 50 s, which is in the range of the duration of a normal warm start. (iii) The
achieved position accuracy was within an error of approx. 20 km.
Implementation Challenges
Notably, the time synchronization between the spoofing signals is a crucial requirement
for a stable lock and eventually injecting the desired position. For instance,
a time offset of 1 ms causes an offset in the pseudorange of approx. 300 km. This
offset can lead to unstable calculations and high position errors. Despite the high
dependency on the time synchronization, we were able to achieve comparably good
accuracy with the help of error correction procedures in the targeted receiver.
Moreover, all results have been gathered in a non-laboratory environment, and are
expected to increase in accuracy and stability by implementing an external time pulse
reference [7].
Results
As a result, we were able to successfully spoof the targeted receiver with a setup
that uses four antennas that each emit a different satellite signal. This setup allows
us to dynamically adjust single satellite signals separately from each other. Hence,
we obtain the complete freedom of how to manipulate the target, i. e., we can change
individual pseudoranges, signal amplitudes, Doppler frequencies, AoAs, or ToAs to
emulate the desired behavior. This can either be achieved by changing the geometric
setup or delaying signals. Eventually, we can attack systems that are based on
the assumption that signals are transmitted as a mixture and cannot be changed
individually.
It is noteworthy that the costs of the deployed attacking setup are moderate
and can be further decreased by using cheaper SDRs such as a HackRF One [26],
which is expected to perform equally well. The required knowledge can also be
considered low as most software is freely available online and the gnuradio block can
be generated by automated tools. This setup implements a fully customizable
multi-antenna attacker that can be used to target present secure localization systems.
3.3.3 Related Work and Impact
While there exists a multitude of related work on how to protect localization systems,
the attacker model assumptions differ significantly. For instance, several
countermeasure proposals only consider a single-antenna attacker and state that a
multi-antenna attacker is too complex, too costly, or too impractical [12, 14, 37, 43, 45, 60,
68, 90, 94, 95, 125–127]. The presented solutions are shown to be secure against the
single-antenna attacker model, but considering a more realistic attacker, they need
to be re-evaluated. Table 3.1 contains an overview of related work on localization
systems that consider the multi-antenna attacker model and the resistance of the
proposed solutions to such attacks.

Table 3.1: Related Work Considering Multi-Antenna Attacks

Reference    Year      Multi-Antenna Attacker    Potentially    Attack
                       Deemed Too Complex        Vulnerable     Resistant
[43]         2008      ✓                         — (1)          — (1)
[68]         2009      ✓                         ✓              ✗
[60]         2010      ✓                         ✓              ✗
[14]         2010      ✓                         ✓              ✗
[128]        2011      ✗                         — (1)          ✓ (2)
[12]         2012      ✓                         ✓              ✗
[45]         2012      ✓                         ✓              ✗
[90]         2013      ✓                         ✓              ✗
[125–127]    2013/14   ✓                         ✓ (3)          ✓ (4)
[37]         2014      ✓                         ✓              ✗
[144]        2014      ✗                         ✗              ✓
[94, 95]     2015      ✓                         ✓ (3)          ✓ (4)
[117]        2015      ✗                         — (1)          — (1)
[105, 106]   2015/16   ✗                         ✓              ✗
[69]         2016      ✗                         — (1)          — (1)
[96]         2016      ✗                         ✗ (5)          ✓ (5)
[49]         2016      ✗                         ✗              ✓

(1) focus on attacks rather than countermeasures
(2) provide a proof for the security of four and more receivers
(3) with three or less receivers
(4) with four or more receivers
(5) secure according to the authors, but we argue that using more antennas than available
    channels in the receiver may also circumvent this countermeasure
Moreover, countermeasure solutions assuming the outdated single-antenna attacker
model [12, 14, 37, 45, 60, 68, 90, 105, 106] may be deemed vulnerable against a
stronger attacker. In particular, we need to consider those works as potentially
insecure and liable to fall victim to more sophisticated attackers. On the other hand, solutions
based on multiple receivers monitoring satellite pseudoranges [94, 95, 125–127] can be
shown to be secure using four or more receivers according to Tippenhauer et al. [128].
As a consequence, countermeasures that were already designed with an extended
attacker model in mind exhibit better security against the multi-antenna attacker [49,
96, 144]. Notably, while Ranganathan et al. [96] state that their system is secure
against any currently known attacker, the countermeasure makes use of a limited
number of channels. By raising the number of attacking devices above the number of
channels, the countermeasure could potentially be circumvented.
Figure 4.1: Our system model consists of a multi-device deployment of GPS receivers at fixed positions. The receivers are interconnected to share calculated GPS positions given that at least four satellite signals are available.
result of one or more victims. The attacker is capable of generating fake GPS
signals with the same signal characteristics as authentic GPS signals. We distinguish
between two scenarios for the attacker antennas: (i) a single-antenna attacker and
(ii) a multi-antenna attacker. In the first case, the attacker is restricted to a
single-antenna setup, where all spoofing signals are sent from the same source. In the
second case, the attacker can utilize multiple antennas gaining more freedom for the
transmission of signals to send potentially different signals from various locations.
We assume that all receivers obtain signals from the same sources, i. e., receivers
are not shielded from the reception of signals seen by other receivers. As shown in
related work [128, 135], a single-antenna attacker can successfully spoof individual
victims to an arbitrary location and time by sending spoofing signals that have
constant TDoAs with respect to each other, independently of the location of the
receiver. As a result, multiple receivers in range of the attacker would all compute
the same localization result (with minor time differences due to their respective
distances to the attacker). This scenario is depicted in Figure 4.2.
For the multi-antenna adversary model, spoofing individual position solutions
for less than four receivers becomes theoretically possible as shown by
Tippenhauer et al. [128]. By selectively positioning antennas, an attacker may succeed
in satisfying expected relative TDoAs as long as the number of receiving antennas
does not exceed a certain threshold. We discuss the resilience of our countermeasure
Figure 4.3: The multi-receiver spoofing detection countermeasure can be instantiated with different numbers of receivers distributed on a virtual circle.
Notably, the more receivers we use, the more different distances between all possible
receiver pairs are obtained and used by the function f(·). While
for n = 2 we only have one single distance, for n = 4 we already have six (partially
dependent) distances. The number of connections can be calculated according
to $\binom{n}{2}$. For the actual detection system, we mostly consider a setup with n = 4
receivers. That is the smallest number of receivers required while protecting against
the multiple-antenna attacker [128] as discussed in Section 4.10.2.
4.5.3 Leveraging Environmental Errors
The noise of the position solution experienced by receivers is a determining factor
for the performance of our countermeasure. We introduced general GPS errors in
Section 2.2.4, and we now apply the error model to our spoofing detection approach.
In prior work [125, 126], the User Equivalent Range Error (UERE) as introduced in
Section 2.2.4 was modeled to be identical for authentic and spoofing signals. We now
argue that this is not the case in practice, and a more realistic model can improve
the countermeasure performance. On closer inspection, the UERE is a composition
of two components. The satellite system-intrinsic User Range Error (URE) includes
environmental errors, whereas the User Equipment Error (UEE) is caused by the
receiver design [130]. This is particularly relevant for two reasons:
(a) We claim that the environmental errors are to a certain degree
location-specific—i. e., several receivers at the same location will experience correlated
environmental errors. The intuition is that this will make our countermeasure more
reliable in normal operating conditions, as position shifts are partially correlated.
Figure 4.4: In the experimental setup, four Arduino UNO GPS receivers are positioned on a wooden bench (circles) connected to a central laptop. Panels: (a) Arduino UNO GPS Receiver, (b) Experimental Setup.

Table 4.1: Receiver Placement and Relative Distances

Receiver   Side    dC [m]   dR1 [m]   dR2 [m]   dR3 [m]   dR4 [m]
R1         East    7.00     -         8.06      13.00     9.90
R2         South   4.00     8.06      -         7.21      11.00
R3         West    6.00     13.00     7.21      -         9.22
R4         North   7.00     9.90      11.00     9.22      -
In the initial measurements, four receivers were arranged in a cross-like formation
with side lengths of approx. 4 m to 7 m as depicted in Figure 4.4b. Each receiver
generates National Marine Electronics Association (NMEA) 0183 [70] data sentences
while processing the received signals. The data is constantly stored on a controlling
laptop connected via USB, which also powers the receivers. With a total of four
receivers, we obtain six distinct distances matching each device with each other. For
the specific relative distances we refer to Table 4.1, in which dC is the distance to
the center (as measured by hand), and dRi is the calculated distance to the other
receivers. The overall formation is aligned to the cardinal directions North, South,
East, and West, which was set up for approx. 2.5 h at a place with clear Line of
Sight (LoS) to the sky.
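The following added example (not code from the dissertation) rebuilds the six pairwise distances of Table 4.1 from the placement data and uses them to flag an epoch in which the reported positions collapse onto one point. The threshold rule (half the known distance), the distance-weighted majority vote standing in for f(·), the projection constants and both sample epochs are assumptions constructed for illustration.

```python
import math
from itertools import combinations

# Table 4.1: bench side and hand-measured distance to the center d_C [m].
FORMATION = {"R1": ("East", 7.00), "R2": ("South", 4.00),
             "R3": ("West", 6.00), "R4": ("North", 7.00)}
UNIT = {"East": (1, 0), "South": (0, -1), "West": (-1, 0), "North": (0, 1)}
M_PER_DEG = 111_320.0  # assumed metres per degree of latitude (approximation)
# Constructed reference point inside the axis range of Figure 4.5.
CENTER = (51.0 + 30.429 / 60, 7.0 + 13.622 / 60)


def layout(formation=FORMATION):
    """Local east/north coordinates [m] of every receiver."""
    return {r: (UNIT[s][0] * d, UNIT[s][1] * d) for r, (s, d) in formation.items()}


def known_distances(formation=FORMATION):
    """Pairwise distances of the fixed deployment: n(n-1)/2 pairs."""
    xy = layout(formation)
    return {p: math.dist(xy[p[0]], xy[p[1]]) for p in combinations(sorted(xy), 2)}


def to_local(fix, center=CENTER):
    """Equirectangular projection of (lat, lon) in degrees to metres."""
    lat, lon = fix
    east = (lon - center[1]) * M_PER_DEG * math.cos(math.radians(center[0]))
    north = (lat - center[0]) * M_PER_DEG
    return east, north


def to_fix(east, north, center=CENTER):
    """Inverse of to_local; only used to construct the sample epochs."""
    lat = center[0] + north / M_PER_DEG
    lon = center[1] + east / (M_PER_DEG * math.cos(math.radians(center[0])))
    return lat, lon


def spoofing_score(fixes, known, fraction=0.5):
    """Distance-weighted share of receiver pairs whose distance collapsed.

    fixes maps receiver -> (lat, lon), or None when it has no position.
    A pair votes "spoofed" when its reported distance is below
    fraction * known distance (assumed threshold rule); longer known
    distances carry more weight. Returns None with fewer than two fixes.
    """
    xy = {r: to_local(f) for r, f in fixes.items() if f is not None}
    pairs = [p for p in known if p[0] in xy and p[1] in xy]
    if not pairs:
        return None
    total = sum(known[p] for p in pairs)
    collapsed = sum(known[p] for p in pairs
                    if math.dist(xy[p[0]], xy[p[1]]) < fraction * known[p])
    return collapsed / total


def is_spoofed(fixes, known, fraction=0.5, majority=0.5):
    """Raise an alarm when the weighted vote exceeds the majority level."""
    score = spoofing_score(fixes, known, fraction)
    return score is not None and score > majority


# Constructed per-receiver position errors [m] (east, north).
NOISE = {"R1": (0.8, -0.5), "R2": (-0.6, 0.9), "R3": (1.0, 0.4), "R4": (-0.3, -0.7)}
XY = layout()
# Authentic epoch: every receiver reports its own position plus its error.
AUTHENTIC = {r: to_fix(XY[r][0] + e, XY[r][1] + n) for r, (e, n) in NOISE.items()}
# Spoofed epoch: every receiver resolves to R1's coordinates, with half the error.
SPOOFED = {r: to_fix(XY["R1"][0] + 0.5 * e, XY["R1"][1] + 0.5 * n)
           for r, (e, n) in NOISE.items()}

if __name__ == "__main__":
    known = known_distances()
    for name, epoch in (("authentic", AUTHENTIC), ("spoofed", SPOOFED)):
        print(name, spoofing_score(epoch, known), is_spoofed(epoch, known))
```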
4.6.2 Measurement Analysis
We next evaluate the recorded data and derive suitable parameters for the subsequent
simulations. The position map in Figure 4.5 indicates that the reported
positions are scattered around four points, which in our case closely reflect the actual
receiver placement. However, the deviation from the interim positions to the
actual placement can reach several meters. Figure 4.6 shows the development of
these distances over the course of the experiment. While the average distance error µ
ranges from approx. 0.79 m for R4 to 1.61 m for R3, the standard deviation σ
varies between approx. 0.41 m for R4 and 0.87 m for R3. In comparison to the values
reported in Table 2.1, the positions measured during the experiment are very stable.
4.6 Experimental Evaluation of Authentic Signals 43
Figure 4.5: Illustration of the receiver placements on the wooden bench (dashed lines) including reported positions, where “X” indicates the mean positions over the measurement duration. (Axes: Longitude E 7° ['], Latitude N 51° ['].)
Figure 4.6: The calculated distances between the reported positions and their respective means (close to the actual positions). (Axes: Measurement Duration [min], Distance from Mean [m].)
Since our spoofing detection mechanism takes the relative distances into account,
we calculate the distances between the reported positions. The results are depicted
in Figure 4.7. The histogram uses a bin width of 0.5 m. The average distances are
all within 1 m from the actual distances noted in Table 4.1. In Section 4.5.4, we
concluded that the underlying distribution is Rician. We try to align the respective
PDF from Equation (4.4) with the measurements. The solid line represents a
normalized best fit based on a Rician distribution. The gap between the theoretical
distribution and the recorded data is due to correlations of position errors (distances
tend to be smaller) and limitations of the measurement setup. The parameters of
the distributions are included in Table 4.2. In particular, the noncentrality
parameter s closely reflects the average distance µ, whereas the scale parameter σ reflects
the standard deviation of the dataset.
As an illustrative example, we focus on a single distance. Considering the CDF of
the Rician distribution from Equation (4.5), we are able to calculate the probability
that a certain threshold λ is exceeded. In particular, we can determine the point
at which 1% of the distribution is accumulated. According to the CDF, we expect
that 99% of the distances exceed this fixed point such that
$$\Pr\{d_{GPS} \le d_{99}\} = 1 - Q_1\left(\frac{s}{\sigma}, \frac{d_{99}}{\sigma}\right),$$
where d99 represents the distance that is shorter than 99% of all distances. With
this equation we can calculate thresholds that belong to different probabilities. The
distances corresponding to the 99% threshold for each pair of co-located receivers
are shown in Table 4.2. For instance, the distance R3 — R4 (µ = 9.87 m) is expected
to be below 6.42 m in only 1% of the cases and is calculated to be maintained 99%
of the times, which is approx. 3.4 m less than the actual distance based on the initial
measurements.
A further aspect of our measurement analysis is how position changes correlate
spatially. We expect a correlation between the position deviations of co-located
receivers since the system-intrinsic URE is an environment-dependent error. To
identify its extent, we compute Pearson’s correlation coefficient ρ from Equation (4.3)
between the reported positions. The results of our measurements are listed in
Table 4.2. For better clarity, ρ is partitioned into a latitude and a longitude component.
We recognize a consistent positive correlation. Even though the extent of correlation
differs between the receivers due to noise effects (ρLAT for R1 — R2 is an outlier),
the correlation is considerable and positive throughout.
4.6.3 Additional Measurements
We conducted further measurements to confirm our error modeling approach in
different environments, e. g., receivers were placed close to metallic walls. Over
different time periods (up to three days non-stop) measurements were collected to
assess the effects of signal reflections and changing meteorological conditions. For
the sake of clarity, we only present resulting parameters for the standard deviation
and the correlation here.
For receivers with clear LoS, but under multipath effects, we experienced a typical
position noise in the range of σ ≈ 0.75 to σ ≈ 3.06, where the latter occurred close
to a reflecting metallic wall. Similar degradations were observed for the correlation
between position changes. Additional noise sources can impair the correlation to
ρ ≈ 0.27 for direct wall reflections. However, correlations of ρ ≈ 0.82 were still perceived
for receivers affected by multipath signal components but with clear LoS.
3-day Experiment
This experiment was run over the course of three days non-stop with n = 4 receivers
and changing weather conditions. Over 1,200,000 data points for each receiver were
recorded. Figure 4.8 shows a histogram of all relative distances. We note that the
real distances between the receivers were relatively small to shelter the devices from
rain. Outliers are still visible and could be caused by changing temperature and
weather conditions.
4.6.4 Results
In conclusion, the localization precision of the utilized COTS receivers for authentic
signals is within typical standard deviations of σ ≈ 0.5, …, 3. The correlation between
the position shifts is significantly positive and stabilizes at ρ ≈ 0.4, …, 0.6 for
long-term measurements. We validated our findings with experiments in changing
environments, at different days, and varying measurement periods.
Figure 4.8: Stabilized distance distributions over a three-day measurement period with n = 4 receivers, with fitted Rician distribution (bin width of 0.5 m).
4.7 Experimental Evaluation of Spoofed Signals
In the previous section, we investigated the localization error for authentic signals.
We now present experimental results on the localization error for spoofed signals,
using the same receivers as in the previous experiments.
4.7.1 Experimental Setup
In our measurement setup, the spoofing attack is realized via a GPS signal simulator
that is capable of generating arbitrary civilian GPS signals (LabSat 3 [93]
from Racelogic). These signals can be composed with attacker-chosen parameters
such as signal power or position solution. With the supplied software tools, we are
able to generate scenarios, which emulate similar conditions as were present during
our measurements for the authentic signals. In particular, the simulator uses the
ephemeris data for that specific place and time period.
Since the satellite simulator aggregates a mix of satellite signals into a signal
that is resolvable to one specific location, we choose the coordinates of one of the
receivers from our initial measurements as the spoofed position. The spoofing signal
was sent wirelessly during limited time periods and all receivers obtained the signal
at approximately the same power levels. In order to imitate the authentic scenario
as closely as possible, we adapted the external antennas’ inclination to the new AoAs
due to the ground-level simulator. A sophisticated attacker is assumed to send out
signals from higher positions avoiding the antenna adjustments. During the (indoor)
experiment, the receivers were shielded from real GPS signals in order to acquire a
quick fix to the spoofing signals as well as to prevent signal leakages to the outside.
In less than one minute, the receivers locked onto the spoofing signal and kept tuning
to process all available satellites from the signal. The spoofing attack was performed
with the same GPS time and for the same duration as for the outdoor measurement.
Figure 4.9: The progression of the calculated distances to their respective means reveals a close spatial correlation in the spoofing scenario. (Axes: Measurement Duration [min], Distance from Mean [m].)
4.7.2 Measurement Analysis
The analysis of the recorded measurements reveals the following insights. All reported
positions closely reflect the preconfigured location for which the GPS signals
were generated. Within the given precision, the mean of the reported positions is
the same for all receivers, independent of the actual positioning or formation.
In consideration of the reported positions as shown in Figure 4.9, all four traces
exhibit similar patterns and, over the course of the experiment, we can recognize
periods in which the distance to the mean positions concurrently increases or decreases.
In these periods, we assume that the simulator imitates the changing signal
quality at the chosen location and time by adjusting the impact of system-intrinsic
UREs. The average distance µ from the means varies between approx. 0.47 m for R4
and 0.57 m for R3, whereas the standard deviation σ ranges from approx. 0.21 m
for R4 to 0.29 m for R3. In comparison to the outdoor measurements, both quantities
are roughly halved. We conclude that the reported positions are less affected
by errors.
In consideration of the relative distances, the resulting distribution is depicted in
Figure 4.10. To increase the resolution, the applied bin width is refined to 0.1 m.
As analyzed in Section 4.5.4, the distances follow a Rayleigh distribution, for which
using MATLAB in order to calculate the expected performance of different receiver
formations. In addition, the framework finds optimal decision thresholds λ with
respect to corresponding detection probabilities pd and false alarm probabilities pfa.
Within the simulation framework, we pursue two goals: (i) Simulate the countermeasure
for n receivers (we focus on n = 4) considering different distribution
parameters including distance, standard deviation, and correlation. (ii) Evaluate
different instantiations of the function f(·), which is the determining function for
the decision mechanism in Equation (4.2). For the analysis with n = 4 receivers, we
chose a normalized majority voting, where longer distances (diagonal in a square)
are more significant. The reasoning behind the selection is given in Section 4.10.1.
4.8.1 Simulated Parameter Sets
Based on real-world measurements, we consider five different error models representing
different scenarios and measurement environments, see Table 4.4. The first
scenario considers high noise from our worst case measurements (Case 1). On the
other hand, the fifth scenario includes the most stable position solutions that we
measured (Case 5). The other scenarios are intermediate steps between these two
extremes (Cases 2, 3, 4). Notably, the third scenario represents an error model for
which authentic and spoofing signals suffer from the same extent of errors.
The simulation covers varying receiver distances given as the radius r of the virtual
circle, gradually increased from 0 m to 15 m with a step size of 0.01 m. The number of
generated measurements is 10,000,000 for each receiver position and each simulation
run. The error modeling is realized by adding Gaussian noise with the corresponding
distribution parameters that also maintain correlations between generated datasets.
4.8 Simulation of the Countermeasure 51
Figure 4.11: The resulting EER for n = 4 receivers equidistantly positioned on a virtual circle with different radii r and distinct error parameter sets. (Axes: radius r [m] against EER on a logarithmic scale; one curve each for Case 1 to Case 5.)
4.8.2 Performance Metric
As the first measure of performance, we consider Equal Error Rates (EERs), i. e.,
$$1 - p_d \overset{!}{=} p_{fa}. \tag{4.8}$$
In other words, our decision threshold λ is chosen in such a way that the probabil-
ity of a false alarm pfa is equal to the probability of a missed detection 1 − pd. However,
we notice that the occurrence of spoofing and non-spoofing scenarios is not equally
distributed. In most cases, the receivers operate with authentic signals, whereas an
actual attack is very unlikely. False alarms are generally more likely to occur than
false detections and thus would need to be weighted more than missed detections.
The usage of the EER gives us a worst case estimation with a stronger focus on reli-
able detection; the distance between receivers may be decreased further if we allow
poorer detection probabilities. At the same time, missed detections typically incur
a larger security risk than false detections. To account for these considerations, we
later additionally report results individually for the probabilities of false alarms pfa
and missed detection pd.
4.8.3 Detection Performance
We examine the detection performance of our detection mechanism for n = 4 re-
ceivers. The results under consideration of the error scenarios from Table 4.4 are
depicted in Figure 4.11. The required receiver distances differ substantially for each
of the simulated cases. For example, a radius of approx. 11 m is needed for an
EER of $10^{-6}$ in the worst measured scenario (Case 1). An EER of $10^{-6}$ equals
Figure 4.13: The outdoor deployment of our GPS spoofing detection prototype with n = 4 receivers in a distance of d = 5.00 m (metallic wall to the right).
that optimizes both the detection and the false alarm probability. The normalized
majority distance for the authentic measurements is constantly above the thresh-
old, whereas in the spoofing case it is always below. If any of the measurements
cross the threshold line, either a false alarm or a missed spoofing would occur. A
sliding-window approach could compensate single threshold under- or overcuts.
With our prototype implementation we have demonstrated that the detection
mechanism is applicable to n = 4 receivers positioned in a square formation of
edge length d = 5.00m or a circle with radius r ≈ 3.54m. For the duration of the
experiment we encountered no false alarms and no missed spoofing events.
4.10 Discussion
We now discuss further aspects of the developed multi-receiver GPS spoofing de-
tection system. We first analyze different instantiations of function f(·) and their
impact on the decision making process. We then reason about the resilience of our
countermeasure even against multi-antenna attackers and finally outline directions
for future research.
Figure 4.14: The normalized majority distance for authentic GPS signals (top) and under spoofing (bottom). The line represents the decision threshold λ. (Axes: measurement duration [min] against normalized majority [m]; curves: Authentic, Spoofing.)
Figure 4.15: EER for different radii considering four different instantiations of function f(·) with n = 4 receivers and same error distributions (Case 3). (Axes: radius r [m] against EER on a logarithmic scale.)
4.10.1 Selection of Function f(·)
To find an optimized function f(·) for the implementation in Equation 4.2, we con-
sider four different instantiations, which represent a minimal, maximal, majority,
and normalized approach. The minimal and maximal functions only consider the
minimal, respectively the maximal, measured distance from the set of all distances.
The majority approach performs a voting mechanism which decides for spoofing
when the majority of distances, i. e., four out of six, fall below the decision threshold.
The normalized approach further makes distances more significant depending on
their relative length compared to others, e. g., the diagonal in a square is √2 times
longer than the edges.
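The four instantiations and the EER criterion of Section 4.8.2 can be compared on synthetic data; the following is an added example, not the dissertation's MATLAB framework. It assumes independent Gaussian position errors with a constructed σ = 0.5 m for both conditions, that all receivers report one common position under spoofing, and that the detector decides "spoofing" when f(·) falls below λ (Equation 4.2 itself is not reproduced on this page).

```python
import bisect
import math
import random

# Nominal relative length of the six pairwise distances for receivers placed at
# 0, 90, 180 and 270 degrees on the circle: pairs (0,1) (0,2) (0,3) (1,2) (1,3) (2,3).
SQRT2 = math.sqrt(2)
WEIGHTS = [1, SQRT2, 1, 1, SQRT2, 1]


def reported_distances(radius, sigma, spoofed, rng):
    """Pairwise distances between the positions reported by the four receivers."""
    points = []
    for k in range(4):
        angle = k * math.pi / 2
        # Assumption: under spoofing every receiver computes the same position.
        true = (0.0, 0.0) if spoofed else (radius * math.cos(angle), radius * math.sin(angle))
        points.append((true[0] + rng.gauss(0, sigma), true[1] + rng.gauss(0, sigma)))
    return [math.dist(points[i], points[j]) for i in range(4) for j in range(i + 1, 4)]


# Candidate instantiations of f(.), each mapping six distances to one score.
F = {
    "minimal": min,
    "maximal": max,
    # "at least four of six distances below lambda" <=> 4th smallest below lambda
    "majority": lambda d: sorted(d)[3],
    # same vote after dividing each distance by its nominal relative length
    "normalized": lambda d: sorted(x / w for x, w in zip(d, WEIGHTS))[3],
}


def equal_error_rate(authentic, spoofed):
    """Sweep lambda over all observed scores; return (lambda, EER) where
    the false alarm rate and the missed detection rate are closest."""
    authentic, spoofed = sorted(authentic), sorted(spoofed)
    best = (math.inf, None, None)
    for lam in authentic + spoofed:
        p_fa = bisect.bisect_left(authentic, lam) / len(authentic)    # authentic below lambda
        p_miss = 1 - bisect.bisect_left(spoofed, lam) / len(spoofed)  # spoofed not below lambda
        gap = abs(p_fa - p_miss)
        if gap < best[0]:
            best = (gap, lam, (p_fa + p_miss) / 2)
    return best[1], best[2]


def evaluate(radius, sigma=0.5, samples=3000, seed=1):
    """EER threshold and EER for every instantiation at one circle radius."""
    rng = random.Random(seed)
    auth = [reported_distances(radius, sigma, False, rng) for _ in range(samples)]
    spoof = [reported_distances(radius, sigma, True, rng) for _ in range(samples)]
    return {name: equal_error_rate([f(d) for d in auth], [f(d) for d in spoof])
            for name, f in F.items()}


if __name__ == "__main__":
    for r in (0.5, 1.0, 2.0, 4.0):
        row = ", ".join(f"{name}: EER={eer:.4f} (lambda={lam:.2f} m)"
                        for name, (lam, eer) in evaluate(r).items())
        print(f"r = {r:3.1f} m -> {row}")
```

With only a few thousand samples per condition the sweep cannot resolve error rates near 10^-6; the sample count has to grow accordingly for that regime.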
For instance, we consider n = 4 receivers resulting in six distances in total. Ex-
emplarily, we present results considering the error model with the same error dis-
tributions for spoofing and non-spoofing conditions (Case 3) from Table 4.4. We
are able to identify the best choice for the function f(·) for this specific model and
give hints towards the impact of changing error models. Figure 4.15 compares per-
While Global Navigation Satellite Systems (GNSSs) have become the de facto stan-
dard means of navigation and tracking services in outdoor environments on the
Earth’s surface, their services also play an important role for aerial applications.
With its ubiquitous coverage, Global Positioning System (GPS) is often a mission
critical factor for aircraft navigation as well as for Unmanned Aerial Vehicles (UAVs),
ranging from consumer-class mini or micro drones to tactical and strategic UAVs.
5.1.1 Problem Statement
Although GPS is commonly used in aviation, the system is not secure, i. e., civilian
(public) GPS signals sent by the satellites are neither authenticated nor encrypted.
As a consequence, aircraft and UAVs are vulnerable to GPS signal spoofing attacks,
where a malicious transmitter emits signals similar to those from the satellites but
at a higher power and, potentially, at slightly different time delays. The aircraft’s
GPS receiver will likely lock on to the spoofed signal as it arrives with a higher
signal strength than the authentic signals. By selectively varying the time offsets of
the spoofed satellite signals, attackers are able to mimic arbitrary positions. These
kinds of spoofing attacks are well-known [40, 43, 52, 86, 128] and have been shown
to be feasible in the real-world [9, 40]. In fact, GPS spoofing has allegedly been
used to hijack a CIA stealth drone (RQ-170) in Iran in 2011 [103] or to lure ships
off their course [9, 86]. Moreover, GPS spoofing has been used as a defense against
GPS-controlled UAVs flying in the vicinity of the Kremlin in Russia [73,100,113]. In
particular, in 2017, a mass GPS spoofing incident occurred in the Black Sea [13,30,
31,53,64]—an attack executed by an unknown spoofer from an unknown position.
Over the years, the price to perform GPS spoofing attacks has dramatically
dropped as detailed in Section 3.3. Mobile Commercial Off-the-Shelf (COTS) GPS
spoofing devices are available for less than $1,000 [86] and publicly available soft-
ware tools [76] allow the generation of arbitrary GPS signals. The price fall and
low-expertise requirements raise the risk for applications relying on GPS for safety-
or security-critical decisions and processes. The democratization of GPS spoofing
technologies has triggered the development of various countermeasures, which can
be coarsely categorized into three classes: (i) data bit level, (ii) signal processing
level, and (iii) navigation and position solution level [45]. Since the majority of
countermeasure proposals require far-reaching modifications of either the GPS in-
frastructure or the receiving devices, they are unlikely to be implemented in the
near future.
62 Chapter 5 Crowdsourced GPS Spoofing Detection and Spoofer Localization
Research Question. We state the following research question: How can we detect
(and potentially localize) GPS spoofing attacks without requiring any modifications on
the currently available satellite and receiver infrastructure? Moreover, the solution
should be suitable for a geographically distributed sensor network via crowdsourcing
collaboration.
5.1.2 Contribution
Driven by the increasing threat and the lack of realistic short-term solutions, we
propose Crowd-GPS-Sec, a system that detects and localizes GPS spoofing attacks
on aerial vehicles without the need to update either the satellites’ signals or the logic
of the airborne GPS receivers. Crowd-GPS-Sec leverages crowdsourcing to moni-
tor the position advertisements derived from GPS that aircraft and UAVs periodi-
cally broadcast for air traffic surveillance. Using those advertisements, we devise a
GPS spoofing detection and localization solution that analyzes the contents and the
Time Difference of Arrivals (TDoAs) of these surveillance messages as received by
distributed sensors on the ground.
We evaluate Crowd-GPS-Sec with simulations and real-world data from the Open-
Sky Network [74,107], a crowdsourcing initiative which maintains a network of more
than 850 air traffic communication sensors around the world. Our implementation
of Crowd-GPS-Sec is able to globally detect GPS spoofing attacks in less than two
seconds and to localize the attacker up to an accuracy of 150 meters after 15 minutes
of monitoring time.
While the problem addressed in this work is related to spoofing detection and
localization in classical direction finding [20,63,68] and multilateration systems [69],
there is one fundamental difference and unique advantage. Instead of trying to de-
tect and localize the GPS spoofer through direct measurements of its own signals, we
rely on indirect measurements from position advertisements that aircraft are broad-
casting. This approach enables us to detect and localize the spoofer even when there
is no direct Line of Sight (LoS) between a sensor and a spoofer. Maintaining a LoS
to an aircraft is much simpler and thus more effective since aircraft are in the sky
and use high transmission power levels which render the signals receivable from the
ground up to several hundred kilometers away. Another major advantage is that
Crowd-GPS-Sec relies on data from air traffic monitoring sensors that are already
widely deployed around the world. Thus, our solution does not require a dedicated
GPS signal acquisition infrastructure for spoofing detection and localization. To the
best of our knowledge, this work is the first to propose a GPS spoofing countermea-
sure which takes advantage of considering indirect GPS-inferred data rather than
raw GPS signals.
Summary. In summary, our work makes the following contributions:
• We propose Crowd-GPS-Sec and elaborate on the idea to provide security via
an existing infrastructure of crowdsourcing sensors.
• We present algorithms for the detection of GPS spoofing attacks on airborne
targets by using aircraft reports and multilateration.
• We provide a novel technique for the localization of GPS spoofers based on
position differences between pairs of spoofed aircraft.
• We report on experiments with aircraft transponders and assess the perfor-
mance of Crowd-GPS-Sec analyzing real-world air traffic control data.
The contributions of this work resulted from a collaboration with Matthias Schäfer,
Daniel Moser, Vincent Lenders, Christina Pöpper, and Jens Schmitt.
5.2 Related Work
As GPS is known to be vulnerable to spoofing attacks [40, 42, 45, 52, 135], several
works demonstrated their feasibility [9, 43, 57, 86]. Attacks can target different do-
mains such as vehicle navigation systems [9, 57, 86, 115, 145] or critical infrastruc-
tures [144]. Tippenhauer et al. [128] analyzed the requirements for successful GPS
spoofing attacks. It is worth noting that GPS spoofing has also been proposed as
a countermeasure, e. g., to defend against hostile UAVs [42, 57, 73, 113] by means of
hijacking or misguidance.
A rich body of countermeasures specific to GPS exists in the literature which
can be categorized into prevention and detection measures. In order to prevent
spoofing of GPS signals, several works propose the use of cryptographic techniques
to authenticate satellite signals [35,36,41,59,112,141]. This is similar to how military
GPS signals are protected. However, cryptographic techniques require profound
modifications of the GPS infrastructure as well as a key distribution system which
is challenging to implement for applications with disconnected receivers. Further,
the use of encryption alone does not protect against signal replaying attacks [77,78].
The detection of GPS spoofing attacks also received considerable attention in the
literature providing a broad overview [33,34,45,54,87,111,138] on different detection
techniques.
A different class of detection approaches deploys multiple receiving antennas. Tip-
penhauer et al. [49, 128] and Swaszek et al. [125–127] use multiple co-located GPS
receivers whose calculated positions and times are compared; coinciding locations
indicate an attack. A dual antenna receiver setup to determine the Angle of Arrival
(AoA) of incoming signals is proposed by Montgomery et al. [68] and extended by
Psiaki et al. [88, 89] to include differential carrier phase measurements. Magiera
and Katulski [63] even suggest the use of arrays of antennas showing that antenna
diversity is effective at detecting single antenna spoofers without knowledge of the
target’s position. Although these detection approaches do not require changes to
the GPS infrastructure, they assume more sophisticated GPS receivers which would
significantly increase the complexity, size, costs, and power requirements. This,
however, is contradictory to the objectives of GPS.
On the other hand, techniques for localizing the source of wireless spoofing attacks
also exist in the literature. Chen et al. [15] proposed a localization approach for wire-
less attacks (not specific to GPS satellite signals) based on Received Signal Strength
(RSS) readings from different locations to locate the spoofer. They evaluated their
scheme in 802.11 and 802.15.4 networks. Later, Yang et al. [142, 143] extended
the scheme to deal with attackers which vary their transmission power. Rather
than using direct RSS values, they consider RSS differences at multiple locations.
Bhatti et al. [10] localize GNSS spoofers by comparing TDoAs from a synchronized
array of sensor nodes. A UAV-mounted jammer localization system is implemented
by Perkins et al. [80,81] and they dynamically measure RSS and AoA information to
narrow down possible spoofer positions. It is worth noting that, in principle, almost
any passive localization technique (such as multilateration) could be used to locate
GPS spoofers. However, in contrast to our approach, these methods assume a direct
LoS between the localization system and the attacker. As a consequence, this would
require a dedicated infrastructure which covers all potential attacker positions.
Other works specifically consider spoofing detection and localization with re-
spect to aircraft broadcast signals via Automatic Dependent Surveillance-Broadcast
(ADS-B). Schäfer et al. [105,106] and Strohmeier et al. [119,123] present techniques
to verify position claims using a distributed sensor network. While Baker et al. [5]
design a verification and localization system with a mobile receiver, Moser et al. [69]
devise a multi-receiver spoofing detection system and even evaluate it against a
distributed and coordinated attack. However, the threat model in these works is
different to ours as they consider spoofed ADS-B signals and not spoofed GPS sig-
nals. These techniques are therefore not capable of localizing GPS spoofers in the
same way as in Crowd-GPS-Sec.
Figure 5.1: Schematic overview of currently deployed technologies used to monitor air traffic including GPS, RADAR, and ADS-B/Flarm. (Links shown: Satellite-to-Aircraft and Aircraft-to-Ground.)
5.3 System Model
While in the past, Radio Detection and Ranging (RADAR) and inertial systems
used to be the two main localization technologies in aviation, GPS is today often
the preferred solution due to its superior accuracy. Modern airliners, smaller aircraft,
gliders, helicopters, or UAVs are almost all equipped with GPS receivers. GPS is
typically used by pilots or UAVs for self-localization but the technology is also used
for remote air-traffic surveillance and collision-avoidance applications. In the latter
cases, aerial vehicles are required to periodically broadcast position and velocity
advertisements to inform neighboring aircraft and ground controllers about their
presence. Larger aerial vehicles generally transmit those messages over the ADS-B
system while smaller and slower vehicles rely on the Flarm [25] system. Irrespective
of the used system, these advertisements contain a position $p^{GPS}$ that is directly
derived from airborne GPS receivers as depicted in Figure 5.1.
In this work, we propose to leverage the position advertisement messages of ADS-
B and Flarm in order to detect and localize GPS spoofers. While ADS-B and Flarm
rely on different radio frequencies and message formats, the underlying concept is
the same. On regular random intervals at transmission time $t_{TX}$ (around twice per
second), aircraft $A_i$ broadcast their current position $p_i^{GPS}$ together with their unique
identifiers. Neighboring aerial vehicles and ground stations receive these messages
to generate a recognized air picture. The advertisement messages can be received
over long distances. In ADS-B, messages can be received up to distances of 700 km
when there is a direct LoS between the transmitter and the receiver [110]. In Flarm,
the range is smaller but reception ranges of up to 100 km are possible.
5.4 Attacker Model
GPS spoofing attacks exploit the lack of encryption and authentication of civil-
ian GPS signals by imitating the legitimate signals with the purpose of modifying
the localization or time result of a victim [43, 52, 57, 128, 135]. Technically, spoof-
ing attacks are based on fake GPS signals manipulating the TDoAs of signals that
otherwise use the same payload as real signals. In the past, incidents were re-
ported [9,73,86,100,103,113] where spoofers successfully interfered with the integrity
of GPS-dependent systems, thus rendering the spoofing threat far from being only
of theoretical nature. As a result, currently marketed drones, aircraft, helicopters,
or any kind of vehicles that rely on GPS are prone to spoofing attacks and lack
effective countermeasures.
Based on common assumptions on attacker capabilities and recent incidents, we
assess the resulting threat model. First, we clarify our considered adversary model.
Second, we reason about key assumptions that Crowd-GPS-Sec is based on to de-
tect and localize spoofing attacks. We focus on the common assumption that the
attacker uses a single antenna for transmitting the spoofing signals, but the pro-
posed technique could also be extended to multi-antenna attackers representing an
emerging threat [46].
5.4.1 Threat Model
The attacker’s motivation to interfere with the air safety by injecting false position-
ing information into UAVs or aircraft can be manifold. An attacker may consider
hijacking the targeted victim for their own benefit, such as acquiring goods or circumvent-
ing flying bans. Even more severe, an attacker may participate in terrorist attacks
by manipulating the air-traffic control or the collision-avoidance systems, e. g., by
spoofing fake position information to fool the safety logic of these systems.
In our adversary model, the attacker is able to transmit specially crafted signals
identical to those broadcasted by GPS satellites but can achieve a higher power at
the target location. The attacker aims at spoofing a moving aircraft or a UAV from
a position on the ground. In order to conduct a stealthy and unnoticed attack, the
spoofer may use a directional antenna oriented towards the victim in the sky. How-
ever, due to the target’s movement, the attacker needs to transmit signals from a
considerable distance, hundreds of meters to kilometers away. We note that typical
operating altitudes of UAVs range from 60m to 20,000m and their mission radii
vary from 5 km to 200 km and beyond [50]. Hence, if the route taken by the vic-
tim is not predictable, the attacker will be forced to use antennas with wide-beam
propagation patterns. This forces the attacker to transmit signals of such a strength
and propagation that the spoofing signals most likely will not only be received at a
particular primary target location but also over a wider area, affecting other aircraft
and UAVs in the neighborhood. Since the spoofer is targeting moving vehicles, we
further assume that the spoofer is emulating a moving track such as a straight line
or a curve with some potential acceleration.
5.4.2 Validation of Assumptions
Crowd-GPS-Sec relies on two key assumptions which we validate in this section. The
first assumption is that whenever a GPS receiver locks on to the spoofed signals,
the position advertisements of the aircraft and UAVs will contain the spoofed GPS
positions. While commercial GPS receivers are known to be vulnerable to spoofing
attacks [9,40,42,43,52,57], aviation transponders could have additional plausibility
checks to prevent spoofed GPS positions propagating to the broadcasted position
advertisements. The second assumption is that the spoofed signals will not only
affect the target victim of the spoofer but also neighboring aircraft and UAVs. We
validate these two assumptions with controlled lab experiments and simulations with
real-world air traffic data from the OpenSky Network [74].
Spoofing Experiments
We perform GPS spoofing experiments with two Flarm [25] transponders that are
widely deployed. As we could not get formal approval from the national office of com-
munications in Switzerland to perform GPS spoofing experiments in the wild with
real aircraft, we rely on an isolated experimental setup inside a shielded lab environ-
ment. The goal of these experiments is to demonstrate that existing transponders do
not perform any checks on the derived GPS position and that spoofers can precisely
control the position and speed of victim receivers.
Our experimental setup consists of two newest-generation Flarm transponders
from Flarm Technology: a PowerFLARM Core and a PowerFLARM Portable both
with an integrated GPS receiver from u-blox, see Figure 5.2. Worldwide, more than
30,000 manned aircraft, helicopters, and UAVs are equipped with these transpon-
ders [25]. As GPS spoofer, we rely on a Universal Software Radio Peripheral
(USRP) B200 [23] from Ettus Research and the software-defined GPS signal simulator
gps-sdr-sim [76]. To monitor the reported Flarm position advertisements from
the transponders, we use a Raspberry Pi [97] with an RTL-Software Defined Radio
(SDR) dongle [101] and the flare [92] open-source Flarm decoder. All devices are
equipped with omnidirectional antennas.
Figure 5.2: Two newest-generation Flarm transponder models, (a) PowerFLARM Core and (b) PowerFLARM Portable. Both transponders have an integrated GPS receiver but do not provide any protection to GPS spoofing and advertise false positions when spoofed.
We put all devices in the vicinity of each other and spoof tracks with speeds of 0 km/h,
6 km/h, 30 km/h, 100 km/h, 300 km/h, and 1,000 km/h. The difference between the
fake target positions emitted by the spoofer and the reported positions in the Flarm
advertisements is plotted in Figure 5.3. While the deviation becomes larger with
increasing speed, our experiments confirm that an attacker can exactly control the
derived position and speed at the Flarm devices. Even for speeds up to 1,000 km/h,
the deviation of both spoofed devices is always smaller than 160m, and thus sig-
nificantly smaller than the mandated separation minima in aviation [133]. These
experiments also confirm that such commercial transponders as deployed in aerial
vehicles do not perform plausibility checks on the GPS signal input and simply re-
port the spoofed GPS data in the advertisement messages. This result is in line with
air traffic communications not being protected against wireless attacks [122].
Spoofing Coverage Estimation
To validate the assumption that a GPS spoofer will affect the GPS receivers of
multiple aerial vehicles at the same time, we evaluate the reception range of a spoofer
using the free-space path loss model and a typical airspace density model as observed
by the OpenSky Network in the European airspace.
Figure 5.3: Cumulative Distribution Function (CDF) of the deviation between spoofed and reported positions of the PowerFLARM Core transponder. (Axes: deviation [m] against CDF; one curve per spoofed speed of 0, 6, 30, 100, 300, and 1,000 km/h.)
Since the power of GPS signals when they arrive at the Earth’s surface is very
low and below the noise floor (approx. −160 dBW [130]), the necessary power
to create adequate spoofing signals is accordingly low. We assume an attacker
with standard equipment, who can reasonably achieve a generated signal power
of 15 dBm (USRP N210 [24]) coupled with an exemplary antenna gain of 12 dBi in
the main lobe. We also consider an additional signal attenuation of approx. 30 dB
due to the fuselage and the downward direction. Based on these estimations, we can
calculate the reception range with regard to the free-space path loss [1]:
where $d_{km}$ is the distance between the source of the signal and the receiver in kilome-
ters and $f_{MHz}$ is the signal frequency given in megahertz; the constant 32.45 depends
on the utilized units. The resulting reception range is based on the signal power
impaired by all attenuation sources and the distance $d_{km}$ from Equation (5.1):
$$\text{Power} - L_{fs}(d_{km}) - \text{Attenuation} \geq -160\ \text{[dBW]},$$
which results in a distance $d_{km}$ of approx. 34 km. Considering our parameter esti-
mations, all aircraft within the main lobe closer than 34 km will receive the spoofing
signal with at least −160 dBW.
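The range calculation above, carried through step by step as an added worked example that is not part of the original text. It assumes the standard free-space path loss form in the units the text names, the GPS L1 carrier frequency of 1575.42 MHz for $f_{MHz}$, and that Power is the 15 dBm generator output plus the 12 dBi antenna gain.

$$
\begin{aligned}
\text{Power} &= 15\,\text{dBm} + 12\,\text{dBi} = 27\,\text{dBm} = -3\,\text{dBW} \\
L_{fs}(d_{km}) &= 20\log_{10}(d_{km}) + 20\log_{10}(f_{MHz}) + 32.45 \\
-3 - L_{fs}(d_{km}) - 30 \geq -160 \;&\Rightarrow\; L_{fs}(d_{km}) \leq 127\,\text{dB} \\
20\log_{10}(d_{km}) &\leq 127 - 32.45 - 20\log_{10}(1575.42) \approx 127 - 32.45 - 63.95 = 30.60 \\
d_{km} &\leq 10^{30.60/20} \approx 33.9
\end{aligned}
$$

Under these assumptions the bound rounds to the approx. 34 km stated in the text.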
Naturally, an attacker will be interested in exceeding these power levels to en-
sure the takeover of the GPS lock at the intended target(s). However, to remain
as stealthy as possible, the attacker is likely to use an attack setup with directional
antennas to avoid a wide signal broadcast detectable by, e. g., ground-based signal
power sensors. A directional antenna setup is characterized by its beamwidth influ-
encing the signal spread and the inclination angle determining how the main lobe
of the signal beam is targeted. Notably, an attack on moving targets requires
increasing the beamwidth and using higher inclination angles, resulting in a certain
proliferation of the affected area.
Figure 5.4: The number of affected aircraft depends on the beamwidth of the directional antenna and the inclination angle. The figure uses a realistic airspace density sampled from OpenSky Network data. (Axes: inclination [°] against average affected aircraft; one curve per beamwidth from 0° to 50°.)
Based on data from an exemplary day (February 13th, 2017) sampled from the
OpenSky Network, we perform a conservative estimation of the average number
of aircraft possibly affected by a spoofing attack. The results in Figure 5.4 con-
sider randomly selected en-route aircraft in the European airspace. The baseline
(0° beamwidth) represents an attacker that can perfectly pinpoint a victim, thus
avoiding secondary targets. Such a small beamwidth is however impossible to achieve
in practice and would further be very sensitive to small orientation errors. As one
can see, small beamwidths and inclination angles already span enough space to af-
fect several aircraft around the intended target, making it highly likely to hit several
additional aircraft. The assumption that our work relies on is therefore realistic for
dense airspaces such as found in Europe.
5.5 Crowd-GPS-Sec
We propose Crowd-GPS-Sec as an independent system infrastructure on the ground
that continuously analyzes the content and the Time of Arrival (ToA) of Flarm
and ADS-B position advertisements. As its name suggests, Crowd-GPS-Sec re-
lies on crowdsourcing to monitor those messages at global scale. The sensors used
for Crowd-GPS-Sec are part of the growing OpenSky Network [74, 107–110, 120], a
crowdsourcing initiative with the purpose to make air traffic communication data
available for research.
Figure 5.5: Worldwide coverage of Crowd-GPS-Sec as of December 2017.
The vast majority of the sensors are installed and operated by aviation enthusiasts
and volunteers which support the cause of the network. As of December 2017, it
collects more than 200,000 messages per second at peak times from over 700 sensors
which are distributed all over the world as shown in Figure 5.5. Europe and the
American continent exhibit a particularly high density of sensors such that individual
position advertisements are most likely being received by more than four sensors.
The goals of Crowd-GPS-Sec are to detect GPS spoofing attacks on aerial vehicles
as quickly as possible and to localize the position of the spoofer(s). To achieve these
goals, Crowd-GPS-Sec has three modules which continuously process all position
advertisements that are received by the OpenSky Network, as shown in Figure 5.6.
The Multilateration (MLAT) module estimates the location of the aircraft based
on the TDoAs of position advertisements between different sensors. This module
is fundamental to Crowd-GPS-Sec as it allows us to determine the true position of
the aircraft independently of the content of the advertised messages. The spoofing
detection module checks for inconsistencies between multilaterated positions and
GPS-derived positions in the advertisement messages as well as for inconsistencies
between position advertisements from different aircraft (e. g., when two aircraft ad-
vertise the same position at the same time). The spoofer localization module, finally,
is triggered only when the spoofing detection module has detected a GPS spoofer. It
then estimates the position of the spoofer by analyzing differences in position adver-
tisements from affected aircraft in consideration of the true positions as estimated
by MLAT. We describe the modules in the next three sections.
Figure 5.6: The system overview of Crowd-GPS-Sec: A spoofer transmits fake GPS signals received by aircraft that periodically broadcast ADS-B/Flarm position reports. Ground-based sensors record these reports, which are then processed for spoofing detection and spoofer localization.
5.6 Multilateration (MLAT)
The implementation of MLAT as an independent aircraft localization will serve as
an auxiliary component for one of the spoofing detection tests and the subsequent
spoofer localization. To implement such a system, we make use of the fact that in
regions with high sensor density position advertisement messages are received by
multiple geographically distributed sensors. Each message is timestamped at the
receiver and can be represented as a simplified tuple of the reported position and
the ToA:
$$m := (p_i^{GPS}, t_R), \tag{5.2}$$
where $p_i^{GPS}$ denotes the reported position of aircraft $i$ as derived by GPS and $t_R$ is
the timestamp as generated by receiving sensor $R$.
Since the sensors are geographically distributed, the propagation distances of the
transmitted signals differ. Hence, the same broadcasted message is potentially times-
tamped differently at diverse sensors. If the sensors are synchronized to the same
global clock, e. g., by GPS time synchronization, and are deployed at known posi-
tions, we can formulate relations between the propagation distances and the TDoA:
$$\mathrm{dist}(A, R_i) - \mathrm{dist}(A, R_j) = \Delta t_{i,j} \cdot c, \tag{5.3}$$
where $R_i$ and $R_j$ denote the position of sensor $i$ and the position of sensor $j$, respectively.
The TDoA of the same message from a reference aircraft $A$ between these
sensors is $\Delta t_{i,j} = t_i - t_j$, and $c$ is the speed of light.
Figure 5.7: Implementation of an independent aircraft localization scheme based on multilateration considering the TDoAs of ADS-B/Flarm messages.
Equation (5.3) is fulfilled for all points that have the same distance difference to
both considered sensors determined by the TDoA. By construction of at least four
relations of this type, we perform multilateration to approximate the position of
the targeted aircraft. Geometrically, each relation describes a hyperbola in 2D and
a hyperboloid in 3D. The intersecting point of all relations indicates the aircraft
position. Figure 5.7 provides a visual interpretation of this multilateration process.
5.7 GPS Spoofing Detection
Spoofing detection is the first step in a mitigation strategy to counter GPS spoofing
attacks. The idea of Crowd-GPS-Sec to detect GPS spoofing attacks is based on the
plexity of $O(n^2)$. However, since Test 2 considers spatial data only, the complexity
can be reduced by implementing nearest neighbor searches based on k-d trees and
cover trees. In fact, since Test 2 fails if there is any neighbor closer than T2,
solving the 1-nearest neighbor (1-NN) problem for each aircraft is sufficient. Us-
ing the aforementioned data structures, this can be accomplished at a complexity
of O(log n) for each aircraft [8], resulting in a global complexity of O(n · log n).
5.7.4 Complementary Design
We propose a complementary design consisting of both tests in parallel. Table 5.1
contains a comparison of the spoofing detection tests. While the first test based on
the cross-check of Equation (5.6) is independent of other flights, the second test based
on the comparison of multiple aircraft of Equation (5.7) is independent of the MLAT
positioning and can thus tolerate bad MLAT performance (e. g., when sensors have
a bad geometric distribution leading to high dilution of precision). Furthermore, the
second test is able to separate multiple spoofing attacks occurring at the same time
as there will be independent sets of coinciding aircraft. The combination of both
tests can overcome the pitfalls of the other and we can achieve a more versatile and
robust spoofing detection.
5.8 GPS Spoofer Localization
After spoofing detection, Crowd-GPS-Sec aims at localizing spoofer devices. This is
the next step in tracing an attacker in order to take appropriate action for shutting
down an attack. We present a novel localization approach to remotely pinpoint such
devices using already available ADS-B/Flarm reports broadcasted by aircraft. We
start by describing the high-level idea and then detail the functionality of our
localization system based on crowdsourcing.
5.8.1 Localization Model
When a malicious device emits GPS spoofing signals, aircraft within the effective
range will broadcast spoofed positions as contained in their ADS-B/Flarm reports.
All aircraft that receive the same fake GPS signals will report positions on the same
track but shifted in time as a result of the propagation delay caused by different
distances to the spoofing source [128]. In particular, at the same global time, the
aircraft have different synchronizations on the spoofing signals based on how long
it takes for the signals to arrive at the aircraft’s GPS receivers, i. e., aircraft that
receive the fake signals earlier are ahead on the spoofed track, whereas aircraft that
are further away from the spoofer receive the signals at a later point in time and are
thus behind on the track. We extract the position differences from the ADS-B/Flarm
reports and backtrace these deviations to the location of the spoofing device.
Our starting point is the identification of the currently spoofed aircraft, which is
the outcome of the GPS spoofing detection module. For those identified aircraft,
we forward relevant information to the spoofer localization module. We further
require the actual aircraft positions $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$ from MLAT and the mutual
distance $d_{i,j}$ between the GPS-derived position reports $p_i^{\mathrm{GPS}}$ and $p_j^{\mathrm{GPS}}$, with $A_i$, $A_j$
being aircraft affected by the same spoofing signals.
As a next step, we put the distance between the reported aircraft positions into
relation with the propagation distances and the rate of position change, i. e., the
spoofed track velocity. We can formulate this as follows:
$$\mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) = d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}, \tag{5.8}$$
where $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$ indicate the actual position of aircraft $A_i$ and $A_j$ as given
by MLAT, $SP$ is the unknown spoofer location, $d_{i,j}$ the distance of the reported
positions, and $v_{\mathrm{track}}$ the velocity of the spoofed GPS track. The factor $\frac{c}{v_{\mathrm{track}}}$ relates
the position change rate to the signal propagation speed (close to the speed of light).
We note that we need to ensure $v_{\mathrm{track}} \neq 0$ and hence require a track of changing
positions. Having related the reported positions to the spoofer location, we solve
each equation towards this location. In particular, each equation describes all points
that have the same mutual distance differences.
Geometric Interpretation
Considering the solutions of one relation of the type given by Equation (5.8), all
potential solutions geometrically describe a hyperbola in two-dimensional space and
a hyperboloid in three-dimensional space with foci $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$ and distance
difference $d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}$. With two different relations, the possible solutions describe a
curve, which is the intersection between the hyperboloids. Eventually, three hyperboloids
intersect in at most two points, whereas four or more hyperboloids narrow
down the location of the spoofer to a single point. The general functionality of this
approach is depicted in Figure 5.8 as a two-dimensional projection.
Figure 5.8: Each relation forms a hyperboloid representing all points with the same distance differences. For the shown two-dimensional projection, we can construct three distinct relations considering three different aircraft.
Requirements
In order to obtain at least four different relations, we need to fulfill one of the
cases shown in Table 5.2. In particular, we either require four or more different
reference aircraft or, in the case we have less, we need to gather reports from the
same reference aircraft but from different locations. In other words, reports sent by
only two aircraft but from four different positions are already sufficient to perform
spoofer localization. Since we consider moving targets, the transmission origins will
naturally change likewise. Hence, we are able to trade the number of spoofed aircraft
with the required observation time, which we can formulate as follows:
$$\binom{m}{2} \cdot t_p \geq 4, \tag{5.9}$$
where $m$ is the number of spoofed aircraft and $t_p$ denotes the number of observed
samples from different aircraft positions. The binomial coefficient provides the number
of possible relations. Equation (5.9) defines the minimum requirement for our
spoofer localization. If fulfilled, we can construct at least four relations and eventually
determine a distinct solution for the spoofer location.

Table 5.2: Localization Requirements

| Affected Aircraft | Possibility of Localization |
|---|---|
| 1 | Localization not possible |
| 2 | At least 4 different locations |
| 3 | At least 2 different locations |
| 4+ | Localization possible |
Comparison with MLAT
The described localization approach exhibits similarities to the MLAT process of
Section 5.6 but is characterized by decisive differences as compared in Table 5.3.
Our approach uses the position information included in the ADS-B/Flarm reports,
whereas MLAT is based on the TDoAs at multiple sensors. We want to highlight
that it is not possible to trace the location of spoofing devices with MLAT. In our
approach, we thus exploit a characteristic that is attacker-controlled such as the
spoofed positions in the advertisements. As a result, we obtain a multilateration
with switched roles, i. e., the references are moving aircraft as compared to the
stationary ADS-B/Flarm sensors. Since the considered measure is shifted from time
to positioning information, we need to adjust the scaling factor with the velocity
of the spoofed track. As a beneficial side effect, this diminishes the factor with
which the uncertainties in the GPS-derived positions are multiplied and consequently
reduces the noise impact on the localization accuracy.
5.8.2 Error Minimization
In contrast to a definite analytic solution considering relations based on Equa-
tion (5.8), real-world signal reception and measurements suffer from several error
sources and hence prevent a distinct solution for the spoofer position. Both the
positions from MLAT as well as the reported spoofed GPS positions are affected by
noise. Notably, the interpolation process for time-alignment induces even more noise
into the system. Consequently, compared to the theoretical analysis, the constructed
hyperboloids do not intersect in a distinct point but rather mark an area.
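Table 5.3: Localization Scenario Comparison

| Approach | MLAT | Spoofer Localization |
|---|---|---|
| Scenario | [illustration] | [illustration] |
| Equation | $\mathrm{dist}(A, R_i) - \mathrm{dist}(A, R_j) = \Delta t_{i,j} \cdot c$ | $\mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) = d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}$ |
| References | Sensors | Aircraft |
| Target | Aircraft | Spoofer |
| Measure | Time | Position |
| Scaling Factor | $c$ | $\frac{c}{v_{\mathrm{track}}}$ |
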
In order to find the optimal solution for the spoofer position $SP$, we formulate the
following error function $E_t(\cdot)$:
$$E_t(SP, i, j) = \mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) - d_{i,j} \cdot \frac{c}{v_{\mathrm{track}}}, \tag{5.10}$$
where $d_{i,j}$ is the distance in the reported ADS-B/Flarm positions and $t$ is the current
sample time. The real aircraft positions are denoted by $p_i^{\mathrm{MLAT}}$ and $p_j^{\mathrm{MLAT}}$, and $c$ is
the speed of light.
All resulting errors add up to the overall error, which we try to minimize by
computing the Root Mean Square Error (RMSE). Eventually, our algorithm outputs
the most likely spoofer position:
$$\underset{SP}{\arg\min} \sqrt{\frac{\sum_{t=1}^{\infty} \sum_{i=1}^{m} \sum_{j=1}^{i-1} E_t(SP, i, j)^2}{t \cdot \left(\frac{m^2 - m}{2}\right)}}, \tag{5.11}$$
with t indicating the sample time corresponding to Equation (5.10). The inner
two sums aggregate the errors of the relations between all spoofed aircraft, whereas
the outer sum aggregates the errors over all sample times. The argument with the
minimum error is calculated to be the best approximation of the spoofer position.
When time progresses, the total number of relations considering different refer-
ences increases. This also affects the error minimization process by expanding the
system of equations that are simultaneously evaluated. However, the complexity
increase is only linear and, as we will show, this process stabilizes quickly. As
all measurements are affected by noise, more relations are beneficial to reduce the
system-intrinsic errors and the localization is predicted to gain precision.
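Equations (5.3) and (5.8) share one form, a range difference between two foci, so a single least-squares solver can serve both the MLAT step and the error minimization of Equation (5.11). The Python code below is an added example, not the dissertation's MATLAB implementation. Assumptions: a flat 2D plane in metres, a coarse grid search followed by Gauss-Newton as the numerical solver, $d_{i,j}$ taken as the signed along-track lead of aircraft $j$ over aircraft $i$, a known track direction and velocity, and a scenario whose sensor, aircraft and spoofer coordinates are all constructed.

```python
import math
from itertools import combinations

C = 299_792_458.0  # propagation speed of the radio signals [m/s]

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def rmse(x, relations):
    """Cost of Eq. (5.11): RMS of dist(x, f1) - dist(x, f2) - delta over all relations."""
    return math.sqrt(sum((dist(x, f1) - dist(x, f2) - delta) ** 2
                         for f1, f2, delta in relations) / len(relations))

def solve(relations, size=400_000.0, grid=80, iters=30):
    """argmin of rmse over a size x size area: coarse grid search, then Gauss-Newton."""
    step = size / grid
    x = min(((i * step, j * step) for i in range(grid + 1) for j in range(grid + 1)),
            key=lambda p: rmse(p, relations))
    for _ in range(iters):
        a11 = a12 = a22 = g1 = g2 = 0.0
        for f1, f2, delta in relations:
            r1, r2 = dist(x, f1), dist(x, f2)
            if r1 == 0.0 or r2 == 0.0:
                continue  # gradient is undefined exactly on a focus
            jx = (x[0] - f1[0]) / r1 - (x[0] - f2[0]) / r2
            jy = (x[1] - f1[1]) / r1 - (x[1] - f2[1]) / r2
            res = r1 - r2 - delta
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            g1 += jx * res; g2 += jy * res
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break  # degenerate geometry: relations do not pin down a point
        x = (x[0] - (a22 * g1 - a12 * g2) / det,
             x[1] - (a11 * g2 - a12 * g1) / det)
    return x

def mlat_relations(sensors, toas):
    """Eq. (5.3): foci are the sensors R_i, R_j; delta = (t_i - t_j) * c."""
    return [(sensors[i], sensors[j], (toas[i] - toas[j]) * C)
            for i, j in combinations(range(len(sensors)), 2)]

def spoofer_relations(p_mlat, p_gps, track_dir, v_track):
    """Eq. (5.8): foci are the true aircraft positions; delta = d_ij * c / v_track.
    Assumption: d_ij is signed, the along-track lead of aircraft j over aircraft i."""
    if v_track <= 0:
        raise ValueError("v_track must be non-zero (a track of changing positions)")
    rel = []
    for i, j in combinations(range(len(p_mlat)), 2):
        d_ij = ((p_gps[j][0] - p_gps[i][0]) * track_dir[0]
                + (p_gps[j][1] - p_gps[i][1]) * track_dir[1])
        rel.append((p_mlat[i], p_mlat[j], d_ij * C / v_track))
    return rel

# ---- Constructed scenario (2D, metres); every value below is made up for this example ----
SENSORS = [(50e3, 60e3), (350e3, 40e3), (340e3, 330e3), (60e3, 350e3), (200e3, 210e3)]
AIRCRAFT = [(123e3, 98e3), (304e3, 152e3), (247e3, 305e3), (88e3, 262e3)]  # true positions
SPOOFER = (213_400.0, 168_900.0)
TRACK_START, TRACK_DIR, V_TRACK = (10e3, 20e3), (0.6, 0.8), 1000 / 3.6  # 1,000 km/h
T_NOW = 100.0  # global time of the observed broadcast [s]

def simulate():
    """Return the sensor ToAs per aircraft and the spoofed GPS positions they broadcast."""
    toas = [[T_NOW + dist(a, s) / C for s in SENSORS] for a in AIRCRAFT]
    gps = []
    for a in AIRCRAFT:
        s = V_TRACK * (T_NOW - dist(SPOOFER, a) / C)  # farther aircraft lag on the track
        gps.append((TRACK_START[0] + s * TRACK_DIR[0], TRACK_START[1] + s * TRACK_DIR[1]))
    return toas, gps

def localize():
    """MLAT each aircraft from its ToAs, then localize the spoofer from the reports."""
    toas, gps = simulate()
    p_mlat = [solve(mlat_relations(SENSORS, t)) for t in toas]
    estimate = solve(spoofer_relations(p_mlat, gps, TRACK_DIR, V_TRACK))
    return p_mlat, estimate

if __name__ == "__main__":
    p_mlat, est = localize()
    print("MLAT positions:", [(round(x), round(y)) for x, y in p_mlat])
    print("spoofer estimate:", est, "error [m]:", dist(est, SPOOFER))
```

Relations collected at further sample times are simply appended to the same list before calling `solve`, which is how fewer aircraft can be traded for a longer observation time as stated in Equation (5.9).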
5.8.3 Improved Filtering
For GPS spoofing attacks targeting multiple aircraft, we identify an additional op-
timization technique that helps to lower the impact of uncertainty in the reported
positions even further. As all affected aircraft receive the same spoofing signals,
they report positions on the same track irrespective of timing information. This allows us
to better predict the underlying track by incorporating all available reports.
Consequently, we can apply a subsequent filtering of the spoofed aircraft positions.
In particular, we apply a projection of the reported positions on the combined
estimated track. Notably, with this projection we cannot correct timing inaccuracies,
but we can better estimate the most likely position at the current measurement time.
The (orthogonal) projection provides the least error with respect to the estimated
track and can be described as:
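$$p_i^{\mathrm{GPS}} - {p_i^{\mathrm{GPS}}}' \perp \mathrm{track}, \tag{5.12}$$
where $p_i^{\mathrm{GPS}}$ is the noisy GPS position and ${p_i^{\mathrm{GPS}}}'$ is the projected point with $p_i^{\mathrm{GPS}} - {p_i^{\mathrm{GPS}}}'$
being orthogonal to the estimated track. Moreover, we do not necessarily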
require a continuous straight line but the track can also contain separated segments,
which are then evaluated separately to apply the projection.
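One way to implement the projection of Equation (5.12), as an added example that is not the dissertation's code: the reports of all spoofed aircraft are pooled, one track is fitted, and each report is replaced by its orthogonal projection. Assumptions: a single straight track segment in flat 2D coordinates (metres), a total-least-squares line fit standing in for the track estimation (the text does not specify the estimator), and constructed aircraft labels and cross-track offsets.

```python
import math

def fit_track(points):
    """Total-least-squares line through the pooled reports: (centroid, unit direction)."""
    n = len(points)
    cx = sum(p[0] for p in points) / n
    cy = sum(p[1] for p in points) / n
    sxx = sum((p[0] - cx) ** 2 for p in points)
    syy = sum((p[1] - cy) ** 2 for p in points)
    sxy = sum((p[0] - cx) * (p[1] - cy) for p in points)
    if sxx + syy == 0.0:
        raise ValueError("all reports coincide: no track direction can be estimated")
    theta = 0.5 * math.atan2(2.0 * sxy, sxx - syy)  # major axis of the scatter matrix
    return (cx, cy), (math.cos(theta), math.sin(theta))

def project(p, centroid, direction):
    """Eq. (5.12): point p' on the track such that p - p' is orthogonal to the track."""
    s = (p[0] - centroid[0]) * direction[0] + (p[1] - centroid[1]) * direction[1]
    return (centroid[0] + s * direction[0], centroid[1] + s * direction[1])

def filter_reports(reports):
    """Pool the reports of all spoofed aircraft, fit one track, project every report."""
    pooled = [p for pts in reports.values() for p in pts]
    centroid, direction = fit_track(pooled)
    return {ac: [project(p, centroid, direction) for p in pts]
            for ac, pts in reports.items()}

# Constructed sample: two aircraft on the same spoofed track, AC2 lagging by 0.03 m.
START, U, N = (10_000.0, 20_000.0), (0.6, 0.8), (-0.8, 0.6)  # start, direction, normal

def make_reports():
    """Return (noisy, clean) reports; the cross-track offsets [m] are constructed."""
    spec = {"AC1": (0.00, [2.0, -2.0, -2.0, 2.0]),   # (along-track lag [m], offsets [m])
            "AC2": (0.03, [-3.0, 3.0, 3.0, -3.0])}
    noisy, clean = {}, {}
    for ac, (lag, offsets) in spec.items():
        clean[ac] = [(START[0] + (100.0 * k + lag) * U[0],
                      START[1] + (100.0 * k + lag) * U[1]) for k in range(4)]
        noisy[ac] = [(c[0] + o * N[0], c[1] + o * N[1])
                     for c, o in zip(clean[ac], offsets)]
    return noisy, clean

if __name__ == "__main__":
    noisy, clean = make_reports()
    for ac, pts in filter_reports(noisy).items():
        print(ac, [(round(x, 3), round(y, 3)) for x, y in pts])
```

The projection removes only the cross-track component of the noise; an error along the track, such as a timing inaccuracy, passes through unchanged.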
5.9 Evaluation
To evaluate the applicability of Crowd-GPS-Sec to real-world air traffic, we assess its
performance in terms of spoofing detection and accuracy of the spoofer localization.
In particular, we have implemented Crowd-GPS-Sec and applied it to real-world
data from the OpenSky Network. Moreover, we have built a simulation framework
to generate results with respect to spoofing scenarios.
5.9.1 Spoofing Detection Performance
We compare our two spoofing detection tests with regard to their coverage, detection
delay, and detection rate. The tests are applied to air traffic data of Central Europe
as received by the OpenSky Network over a period of one hour. The dataset contains
141,693 unique positions of 142 aircraft.
Figure 5.9: Detection rates and coverage of Test 1 and Test 2 in the considered OpenSky Network dataset depending on the attacker’s range. [Plot: Detection Rate over Attacker Range [km]; series: Test 1 only, Test 1 and 2, Test 2 only.]
Coverage
We define the coverage of a test as the percentage of aircraft positions that is pro-
tected by a test. Protection means that a test indicates a spoofing attack if the
aircraft is indeed spoofed. For simplicity, we assume that the attacker is using an
omnidirectional antenna and is positioned right underneath the target using exactly
the required transmission power to have the target aircraft lock on the spoofer. This
results in an attack range in the form of a sphere with a radius of the altitude of
the aircraft. Note that this setup models an unrealistically optimal attacker since in
reality, the attacker may not be able to stay exactly underneath the target aircraft as
the aircraft is moving and it may use higher transmission powers than the minimal
required power.
Since both tests rely on different features, the sets of positions covered by one
test are different from the sets covered by the other test, but there are overlaps.
We therefore analyze how many aircraft in our dataset are covered by which test.
Figure 5.9 shows the fractions of aircraft in the dataset covered by Test 1 (Cross-
Checks with MLAT), Test 2 (Multiple Aircraft Comparison), or both depending
on the target’s altitude. While 61.2% of the aircraft are covered by Test 1 alone,
only 2.9% are covered solely by Test 2. Further, 8.9% are covered by both tests at
the same time. Hence, Test 1 clearly outperforms Test 2 with respect to coverage.
This result is not surprising since the receiver density of the OpenSky Network is
high (which benefits Test 1), while the aircraft density (which Test 2 relies on) is
limited due to separation minima. In total, we can summarize that if the spoofer’s
target is at an altitude above 11 km and the spoofer is directly underneath the
target, the detection rate is about 75% using either of the two tests. If the spoofer
uses higher transmission powers or if it is not directly underneath the target, the
detection rate increases quickly towards 100%.
Figure 5.10: Comparison of the detection rates of Test 1 and Test 2 in the OpenSky Network dataset depending on the target’s altitude. [Plot: CDF over Altitude [km]; series: Test 2, All, Test 1.]
By design, Test 1 directly depends on multilateration coverage and should there-
fore work better at high altitudes where aircraft are tracked by more sensors. In
contrast, Test 2 benefits from dense airspaces since close aircraft protect one another
from a security viewpoint. To further investigate this effect, we considered the cu-
mulative distribution of the altitudes of all aircraft and compared it to those of the
aircraft protected by either of the tests. The results are shown in Figure 5.10. As
expected, Test 2 has a distribution similar to all altitudes. The steep inclines in its
distribution confirm that it is most effective at the common altitudes above 10 km
(en-route flights) and at around 1 km (approach areas). Most aircraft detected by
Test 1, on the other hand, were higher than 10 km which also complies with the
above hypothesis.
Detection Delay
We define the detection delay as the delay between the point in time when an at-
tack takes effect, i. e., when the aircraft’s GPS sensor locks on to the spoofed signal
until the detection test indicates the attack. As for Test 1, this corresponds to the
delay between receiving the ADS-B position and the MLAT position updates. To
evaluate this, we used the open-source MLAT implementation [55] with the Open-
Sky Network’s real-time data stream and measured the time between the reception
of an ADS-B position and the emission of the respective position by the MLAT
implementation. As for Test 2, the delay can be reduced to the inter-arrival times
between spoofed position reports. Figure 5.11 shows the distributions for the delays
of the two tests. The delay of Test 1 is a result of the delay of the relatively long
MLAT calculations. Test 2, on the other hand, can detect an attack as soon as a
false position report is received from two different aircraft. Note that the position
broadcast interval of ADS-B is random within an interval of 0.4 s to 0.6 s, explaining
the average detection delay close to 0.5 s.
Figure 5.11: Comparison of the detection times of Test 1 and Test 2 in the OpenSky Network dataset. [Plot: CDF over Time [s]; series: Test 2, Test 1.]
Conclusion
The results of our evaluation show that with realistic air traffic and implementation
characteristics, the two tests can reach a detection rate of up to 75% when the
attacker is directly underneath the target. While Test 1 performs much better
in terms of coverage and detection rate, the detection delay is much smaller for
Test 2. These results encourage a complementary implementation as proposed in
Section 5.7.4.
5.9.2 Spoofer Localization Performance
To evaluate Crowd-GPS-Sec in terms of GPS spoofer localization accuracy, we have
built a simulation framework in MATrix LABoratory (MATLAB), which allows us
to analyze spoofing scenarios in a controlled environment without having to spoof
real aircraft. In particular, we assess the impact of noise in the GPS-derived position
reports, MLAT positioning noise, and spoofed track velocity.
Simulation Framework
While we are interested in results from varying parameter sets, we otherwise incor-
porate realistic data observed by the sensor infrastructure of the OpenSky Network.
Table 5.4 contains an overview of the utilized simulation parameters. In the default
case, our simulation samples aircraft from the OpenSky Network including reported
positions, altitudes, airspeeds, and headings. The spoofer is randomly positioned
in an exemplary area of $(400\,\mathrm{km})^2$ and its range is set to 100 km spoofing a track
of 1,000 km/h. By selectively modifying these default settings, we are able to sim-
ulate different airspace constellations, attacker configurations, and noise impacts of
MLAT and GPS. In particular, we consider standard assumptions taken from speci-
fications [130] and technical reports [71] as well as more optimistic assumptions that
could be achieved with more sophisticated equipment.
To simulate the impact of GPS spoofing on aircraft, we imitate position reports
from already spoofed aircraft by incorporating the attacker-controlled positions and
adding Gaussian noise according to the considered noise model. Subsequently, we
apply standard noise correction techniques based on a Kalman filter [56]. For the
error minimization considering distance relations, we implement a numerical solver.
To cope with an increasing number of equations, we only evaluate the relations
at discrete time intervals which are defined as the time that has elapsed since the
spoofing attack was launched, ranging from a few seconds up to 15 minutes.
Metrics
In order to quantify our results we define two metrics. First, we consider the distance
between the actual spoofer position and our estimation. Second, we construct a
circle around our estimated position with a radius equal to the distance to the
actual spoofer. We consider this to be the search space to find the attacker and we
compare it to the observed area of $(400\,\mathrm{km})^2$, on which the spoofer was randomly
positioned. For each of the analyzed parameter sets, we performed 200 randomized
simulation runs and averaged the results.
Figure 5.12: The impact of GPS noise ranging from $\sigma_{\mathrm{GPS}} = 4$ m to 0.01 m on the spoofer localization, depicted including standard deviation error bars. The MLAT positioning accuracy is fixed to $\sigma_{\mathrm{MLAT}} = 10$ m. [Plot: Distance to Spoofer [m] (logarithmic) over Elapsed Time after Spoofing Attack [min]; curves labelled 4, 2, 1, 0.5, 0.1, 0.01.]
5.9.3 Impact of GPS Accuracy
Figure 5.12 depicts the impact of high GPS noise ($\sigma_{\mathrm{GPS}} = 4$ m) to low GPS noise
($\sigma_{\mathrm{GPS}} = 0.01$ m) applied to the latitude and longitude direction. We do not require
altitude information for spoofer localization and can therefore neglect altitude inaccuracies.
We conclude that the extent of noise in the reported GPS positions is a
dominating factor that can make the difference between a few kilometers and merely
tens of meters in spoofer localization. In particular, we achieve an average localization
accuracy of approx. 8.2 km for $\sigma_{\mathrm{GPS}} = 4$ m, approx. 1.7 km for $\sigma_{\mathrm{GPS}} = 1$ m, and
approx. 149 m for $\sigma_{\mathrm{GPS}} = 0.1$ m, each after 15 minutes.
Considering the search space, we need to scan approx. 0.13% for $\sigma_{\mathrm{GPS}} = 4$ m,
approx. $5.8 \times 10^{-5}$ for $\sigma_{\mathrm{GPS}} = 1$ m, and approx. $4.4 \times 10^{-7}$ for $\sigma_{\mathrm{GPS}} = 0.1$ m, again
after 15 minutes. Furthermore, we observe that the localization accuracy increases
rapidly within the first few minutes, whereas after 5 min the accuracy only improves
slowly. From 5 min to 15 min, the distance roughly halves. As a result, we can
already give a good spoofer position estimation in a timely manner after the spoofing
attack is launched and narrow it down to a more exact position after a few minutes.
Figure 5.13: The considered MLAT positioning noise in the range of $\sigma_{\mathrm{MLAT}} = 100$ m to 1 m does not show any significant impact on the localization accuracy. The results are based on a high GPS noise of $\sigma_{\mathrm{GPS}} = 4$ m. [Plot: Distance to Spoofer [m] (logarithmic) over Elapsed Time after Spoofing Attack [min]; curves labelled 100, 50, 10, 5, 1.]
5.9.4 Impact of MLAT Accuracy
Another uncertainty of our localization approach is the accuracy of the MLAT po-
sitioning that we require to determine the actual (unspoofed) aircraft positions. We
choose to vary the MLAT accuracy between high noise ($\sigma_{\mathrm{MLAT}} = 100$ m) and lower
noise levels ($\sigma_{\mathrm{MLAT}} = 1$ m), each representing the standard deviation in latitude,
longitude, and altitude. Figure 5.13 contains the impact on the localization of dif-
ferent MLAT noise levels. In contrast to the strong dependence on the GPS noise in
the spoofed measurements, the MLAT noise has little impact on the accuracy of the
spoofer localization. As a result, our localization approach does not rely on highly
accurate MLAT measurements of the actual aircraft position and can still perform
decently on relatively noisy data.
5.9.5 Impact of Spoofed Track Velocity
As the spoofed track velocity $v_{\mathrm{track}}$ is part of the scaling factor in the distance
relations in Equation (5.8), we identify it to be another important parameter. The
results for varying spoofed track velocities are depicted in Figure 5.14. For a spoofed
track velocity of $v_{\mathrm{track}} = 300$ km/h, the accuracy decreases by nearly one fourth. The
accuracy decreases further for a track velocity of $v_{\mathrm{track}} = 100$ km/h. Eventually, for
track speeds lower than $v_{\mathrm{track}} = 30$ km/h, the spoofer localization fails to narrow
down a useful search radius. However, considering less GPS noise, we expect to see
better results even for lower track velocities. The strong dependence on the track
velocity is due to the scaling factor, which relates the observed distances to the
spoofed track velocity and the speed of light. Hence, low velocities result in smaller
distance differences among the spoofed aircraft and are relatively more affected by
system-intrinsic noise.
Figure 5.14: The spoofed track velocity is analyzed between $v_{\mathrm{track}} = 6$ km/h to 1,000 km/h. The results consider a GPS noise level of $\sigma_{\mathrm{GPS}} = 1$ m and an MLAT positioning accuracy error of $\sigma_{\mathrm{MLAT}} = 10$ m. [Plot: Distance to Spoofer [m] (logarithmic) over Elapsed Time after Spoofing Attack [min]; curves labelled 6, 30, 100, 300, 1000.]
5.10 Discussion
The evaluation of Crowd-GPS-Sec revealed the localization performance considering
different external as well as attacker-controlled parameters. We now discuss selected
topics and elaborate on combined error effects, the possibility to locate spoofers of
stationary targets, and the applicability to other sensor networks.
5.10.1 Combined Error Effects
The spoofer localization accuracy of Crowd-GPS-Sec depends on the GPS error,
the MLAT error, and the spoofed track velocity. These three parameters are all
components of the relations defined in Equation (5.8) and thus impact the accuracy
of the solution. While the MLAT noise is less decisive, the GPS noise and the
spoofed track velocity are significantly affecting the achievable accuracy. This is
due to the small differences in spoofed aircraft positions with respect to the speed
of light divided by the spoofed track velocity. In general, we expose the following
relationship between the localization error $E$, the GPS noise $\sigma_{\mathrm{GPS}}$, and the spoofed
track velocity $v_{\mathrm{track}}$:
$$E \propto \frac{\sqrt{2} \cdot \sigma_{\mathrm{GPS}}}{v_{\mathrm{track}}}, \tag{5.13}$$
with $\sigma_{\mathrm{GPS}}$ being scaled with $\sqrt{2}$ due to the Euclidean distance based on two normally
distributed points in space. Hence, we can expect to see similar results for low track
velocities with low GPS noise and high track velocities with high GPS noise.
5.10.2 Localizing Spoofers of Stationary Targets
The attacker model considered in this work assumes that the spoofer’s target is a
moving object. If instead the target is stationary, the attacker could also spoof con-
stant positions. While spoofing detection would still work, the spoofer localization
would fail since the differences in propagation delays between spoofer and aircraft
would not be reflected in the reported position differences (compare $d_{i,j}$ in Equation (5.10)).
One way to cope with such attackers is to additionally propagate GPS
time synchronization information to the ground infrastructure. As time is evolving,
the spoofer would have to imitate a progressing GPS time to remain undetected by
the target. Having information about the time synchronization of affected aircraft
would allow performing a localization by analogy. More specifically, if t denotes
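the real reference time and $t_i^{\mathrm{GPS}}$ the reported time of aircraft $i$, the relation from
Equation (5.8) can be rewritten to:
$$\mathrm{dist}(SP, p_i^{\mathrm{MLAT}}) - \mathrm{dist}(SP, p_j^{\mathrm{MLAT}}) = (t_i^{\mathrm{GPS}} - t_j^{\mathrm{GPS}}) \cdot c\delta, \tag{5.14}$$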
where δ denotes a factor representing the spoofed GPS clock’s speed. Equation (5.14)
is independent from the spoofed position and therefore allows localizing spoofers,
even if the target is stationary.
5.10.3 Applicability to Other Networks
The underlying idea of Crowd-GPS-Sec does not only apply to aircraft but can
also be relevant to GPS spoofing attacks on cars, trucks, ships, or other vehicles on
ground. Similar to the broadcasting of avionic position reports via ADS-B or Flarm,
vehicular systems could also report state information to, e. g., roadside units. The
combined reports can then be used to run our spoofing detection and localization
scheme. Even though the speeds of vehicles are comparably low, the density of
affected targets is much higher and the GPS filtering is expected to be more con-
ditioned. Eventually, we envision the merging of information provided by different
networks. In particular, each spoofed system, such as aircraft, vehicles, vessels, etc.,
can collaborate by sharing their information in a crowdsourcing manner.
5.11 Summary
In this work, we presented Crowd-GPS-Sec, an independent system to detect and
localize GPS spoofing attacks targeted at aircraft and UAVs. Crowd-GPS-Sec is
lightweight and leverages existing wireless air traffic broadcast infrastructures, the
ADS-B and Flarm systems, to identify spoofing attacks from a remote location—
possibly far from where the attack is happening. We have shown that our approach
is effective at localizing spoofing devices by using differences in reported positions
by multiple aircraft. Using simulations based on real-world input from the OpenSky
Network, we have demonstrated that Crowd-GPS-Sec achieves attack detection de-
lays below two seconds and an attacker localization accuracy of around 150 meters
after 15 minutes of monitoring time.
Alone we can do so little; together we can do so much.
The monitoring of air traffic has evolved from an analog Radio Detection and Rang-
ing (RADAR)-based system to a digitally-aided surveillance infrastructure. By 2020,
all aircraft are required to be equipped with transmitters to periodically broadcast
status reports that inform others about identification, position, movement, and addi-
tional status codes [132]. Protocols such as the Automatic Dependent Surveillance-
Broadcast (ADS-B) will become mandatory to access most of the world’s airspace
and already constitute the de facto standard for air traffic monitoring.
6.1.1 Problem Statement
While the aviation industry is characterized by very long development cycles—up
to several decades—, applications that mandate high safety guarantees are usually
lagging behind advancements on the security side. As such, ADS-B reports are
neither encrypted nor authenticated. At the same time, the open specification of
ADS-B promotes the collection and free usage of aircraft reports. Simple sensors
can decode aircraft reports and gain a real-time view of their surrounding airspace.
A network that combines more than 850 user-operated ground-based sensors in a
crowdsourcing manner is the OpenSky Network [74, 107–110, 120]. This network
collects and stores air traffic data from around the world and makes them available
for research.
Since ADS-B lacks fundamental security practices, the risk potential of attacks
targeting air traffic has long been discussed [18, 48, 66, 104, 118, 121]. These works
demonstrate how attackers can interfere with aircraft sensors and how fake aircraft
messages can be injected into air traffic monitoring systems [18]. For instance, ad-
versaries with affordable Commercial Off-the-Shelf (COTS) hardware and moderate
knowledge can generate ADS-B messages containing arbitrary data encapsulated in
valid reports trying to remain unnoticed by protection schemes [118,121]. The con-
sequences of such attacks range from flight controller distractions up to violations
of mandatory safety separations, and eventually increasing the possibility of aircraft
collisions. Since these attacks are far from being only of academic nature, security
solutions are urgently needed to protect the integrity of air traffic surveillance [17].
In fact, trust establishment is an open and central problem in the aviation industry
and emerging concerns have already reached the public [17, 32, 40, 42, 146]. Sim-
ilar shortcomings exist for the Global Positioning System (GPS), whose location
information is embedded in ADS-B reports.
Research Question. We state the following research question: How can we establish
self-contained trust in ADS-B aircraft reports without external channels or
modifications, using only the already implemented infrastructure? In particular, the
solution should be able to distinguish between normal operation and attack patterns.
6.1.2 Contribution
To answer the demands for more security in the safety-driven aviation industry,
we propose a data-centric [98] trust evaluation system with the goal of assessing the
trustworthiness of ADS-B reports using data that is already collected at a wide scale.
We refer to trust in the sense that messages are trustworthy when they originate from
functional, non-malicious sources. In contrast, error-prone or attacker-controlled
messages trying to harm the system should be detected and potentially filtered out.
Furthermore, we explore the identification of the attack type and the traceability of
malicious sensors.
The development of such a system faces several challenges imposed by the strongly
regulated aviation industry. Viable solutions need to be lightweight in the sense that
they do not require any modifications on the deployed hardware or software pro-
tocols. In particular, security systems should not interfere or interact with other
systems already in place to avoid lengthy (re)certification processes [17]. Preferably,
applicable solutions are augmentation systems that operate autonomously with sen-
sor input already available. We develop our system to fulfill all these challenges.
At the core of our system, we make use of the crowdsourcing nature of a sensor
network in which user-collected data cross-validates the data provided by other users.
This allows forming a network of trusted sensors based on mutual auditing and
wireless witnessing. Wireless witnessing is the collaborative process of observing the
status of a distributed wireless system. We apply it in the security context to assess
and validate the trustworthiness of ADS-B messages based on reception events. In
particular, we implement a Machine Learning (ML)-based verification test that is
trained on typical message reception patterns. In fact, the collaboration of sensors
characterizes the expected reception behavior of aircraft reports transmitted from
certain airspace segments while automatically factoring in natural message loss.
Our system can reliably differentiate between normal air traffic broadcasts and
suspicious messages diverging from expected patterns. Furthermore, our system can
recognize the type of attack, e. g., GPS spoofing, ADS-B spoofing, and even Sybil
attacks to trace malicious sensors. We achieve high detection rates and identify the
sensor redundancy as an important factor. To further harden the network against
attacks, new sensors can be integrated by providing consistent snapshots of their
airspaces. Since our system is solely based on an already existing infrastructure and
does not require any modifications to aviation systems, it is lightweight and could be
implemented today, easing very long certification processes. In contrast to existing
solutions for air traffic verification [105,106], we do not require the measurement of
time or frequency shifts, but only use discrete sensor events.
Summary. In summary, the contributions of this work are:
• We propose and detail the first comprehensive approach to evaluate the trust-
worthiness of ADS-B aircraft reports based on an existing infrastructure of
crowdsourcing sensors.
• We demonstrate the applicability of our approach by incorporating real-world
flight data already collected by geographically distributed sensors at a large
scale.
• We simulate prominent attacks on GPS and ADS-B, detect their presence via
validation in our trust system, and draw conclusions about their type and
origin.
• We elaborate on network expansion and optimized sensor deployment to fur-
ther harden the network against attacks in the future.
The contributions of this work resulted from a collaboration with William Sey-
mour, Christina Pöpper, and Ivan Martinovic.
6.2 Related Work
The foundation of this work is partly based on the work by Raya et al. [98] who were
the first to propose a framework for data-centric trust establishment with a focus
on short-lived associations in volatile environments. While our proposal for trust
establishment specifically targets ADS-B based air traffic surveillance, similar trust
requirements exist for Vehicular Ad Hoc Networks (VANETs) or industrial wireless
sensor networks. While Petit et al. [83] discuss detection systems for VANETs based
on dynamic thresholds, Ruj et al. [102] focus on validating message consistency to
identify misbehavior. While Sun et al. [124] present a trust framework for VANETs
to detect faulty data, Hundman et al. [44] apply similar data verification schemes for
spacecraft. Wang et al. [134] analyze the feasibility of false data filtering in general
sensor networks and Henningsen et al. [38] especially focus on industrial networks. In
comparison, our system is tailored towards a network of geographically distributed
sensors.
While ADS-B is still vulnerable in practice, its insecurity has long been highlighted
from an academic perspective. Purton et al. [91] analyzed critical information
flows and focused primarily on technical solutions. They applied a qualitative
assessment method [137] that identified potential shortcomings. In contrast, McCal-
lie et al. [66] applied a risk analysis to assess the impact of different attack vectors
and recommended solutions to be incorporated into the ADS-B implementation plan.
Moreover, Strohmeier et al. [118,121] provide an overview of system-inherent prob-
lems and illustrate the security challenges of ADS-B in future air traffic monitoring.
There are several open attack vectors that, from a scientific perspective, would al-
low attacking ADS-B on different levels. Nevertheless, we must always consider the
necessary effort for an attack and its feasibility in a real-world scenario.
Moser et al. [69] take a perspective on the feasibility of attacking ADS-B commu-
nication and consider an attacker using a multi-device setup. Recent work showed
that such strong adversaries become increasingly realistic [46]. Furthermore, Costin
and Aurélien [18] demonstrated that the step from a scientific attack concept to a
real attack is not necessarily too wide and managed to inject fake aircraft messages
into live surveillance monitors. Later, Schäfer et al. [104] experimentally analyzed
the practicability of known threats revealing startling results. Besides these pro-
posals, which all focus on aviation applications, Balduzzi et al. [6] proved that also
maritime traffic via Automatic Identification System (AIS) broadcast messages can
be the target of successful attacks. While the physical constraints of vehicles differ
a lot, the similarity of communication channels helps to map well-known attacks to
this new context.
Besides the large body of offensive work, defensive proposals exist in recent re-
search. Schäfer et al. [105, 106] propose the usage of timing or Doppler shift char-
acteristics to detect attacks on ADS-B. While this cannot protect from attacks, it
still helps to identify malicious or inaccurate messages. Other location verification
schemes and anomaly detection methods are based on RADAR observations [85] or
statistical tests [119]. First results based on cross-referencing within a distributed
sensor network are illustrated by Strohmeier et al. [123]. Wesson et al. [139] discuss
solutions based on cryptography. Our system, on the other hand, requires no addi-
tional measurement information different from already collected data and can thus
be implemented without any modifications.
Aside from ADS-B and AIS, the insecurity of GPS has been repeatedly demonstrated.
Humphreys et al. [43] were the first to publish an attack on GPS, in which
they managed to spoof GPS signals. Tippenhauer et al. [128] later analyzed the
requirements of successful GPS spoofing attacks and reasoned about possible attacker
positions when facing a specific sensor deployment. Considering multiple sensors,
countermeasures exist for the detection of GPS spoofing attacks [49, 125–127, 144]
and also for spoofer localization [47, 48, 144]. However, these countermeasures de-
pend on ground-based sensors and do not exploit the network volatility. This limits
the impact and consequences to a fraction of real-world use cases.
Overall, we experience a gap between theoretically proposed defenses and deployed
countermeasures. Hence, protecting ADS-B is an open challenge that demands
scientific advances to consider the requirements and limitations of the real world.
6.3 System Model
In recent years, traditional analog RADAR-based systems for air traffic monitoring
have been augmented with digital means for active wireless communication. To
communicate with ground stations and other aerial vehicles, aircraft are mandated
to be equipped with ADS-B transponders that periodically broadcast status mes-
sages [132]. Additionally, an aircraft identification, information on speed, track, and
acceleration along with further observation data is transmitted. The positioning
information is derived via GPS, which is the preferred method for self-localization.
A set of geographically distributed sensors receives these reports and their data
is shared with others in a crowdsourcing manner. A central server processes the
forwarded reports and makes the collected data accessible. Overall, we are faced with
the high mobility of aircraft on the one hand, while on the other hand, the receiving
sensors are stationary and are less likely to move significantly. Figure 6.1 depicts
an overview of our system model that we consider to assess the trustworthiness of
ADS-B aircraft reports.
We define trust in our system as the certainty of an ADS-B message to be the result
of normal behavior and not disrupted by malfunctioning or active manipulation. To
this end, a trusted message represents valid data transmitted by genuine sources.
On the other hand, an untrustworthy message is identified as erroneous or fake
data that should be discarded from further processing. While the traditional notion
of trust had been entity-centric and rigid, today’s fast-changing ad hoc networks
necessitate the adjustment of trust models. Hence, we seek to establish a data-centric
trust model in consideration of short-lived associations in volatile environments as
introduced by Raya et al. [98]. In particular, we design a trust system that is
driven by data reported by distributed sensors that share their observations within
a network. The combination of redundant views enables the system to cross-validate
reported data and eventually establishes a form of wireless witnessing.
Figure 6.1: Our considered system model of GPS satellites, aircraft, ADS-B sensors, and the processing central server.
[Diagram labels: Satellites (GPS), Aircraft (ADS-B Broadcast), ADS-B Sensors, Central Server.]
6.4 Attacker Model
Since the ADS-B protocol is openly specified, the modulation and data frame patterns
are known. ADS-B operates at a frequency of 1,090 MHz and the reception
range can reach up to 700 km making the signals decodable on simple COTS hard-
ware such as Universal Software Radio Peripherals (USRPs) [23,24], or even cheaper
Software Defined Radios (SDRs) like RTL-SDR dongles [101], which are available
for as low as $20. The availability of SDRs not only allows passive eavesdropping
but also led to software tools for active ADS-B transmission [19] or the generation of
fake GPS signals [76]. Surprisingly, the ADS-B protocol lacks fundamental security
measures, and neither applies encryption nor authentication.
Our adversary model comprises several prominent attack vectors, which we cat-
egorize according to their intended target and their scope. Table 6.1 shows an
overview. We evaluate our proposed system against these attacks. Moreover, we
argue in Section 6.10.2 that attackers with complete knowledge about our verifica-
tion scheme cannot bypass our implementation of wireless witnessing and can be
detected as well.
GPS Spoofing. The airborne (self)-positioning sensors process received GPS sig-
nals from multiple satellites to embed the results in the broadcasted ADS-B reports.
One attack scenario considers the spoofing of GPS signals where an attacker sends
out specially crafted signals at a considerable signal strength [43, 128]. As a re-
sult, an attacker can inject false positioning or timing information into the aircraft
systems inducing the processing of fake attacker-controlled data [48].
Table 6.1: Attack Vectors
Target | Attack | Scope | Effort
Aircraft | GPS Spoofing | - | Moderate
ADS-B Sensor | ADS-B Spoofing | Single | Moderate
ADS-B Sensor | ADS-B Spoofing | Multiple | High
Central Server | Sensor Control | Single | Low
Central Server | Sybil Attack | Multiple | High
ADS-B Spoofing (Single). An attacker capable of generating fake ADS-B mes-
sages can transmit arbitrary reports with full control over their contents. These
bogus messages may represent, e. g., any aircraft identifier, positioning solution,
or movement information [18, 66, 104]. Receivers of such messages will decode the
message contents and forward the sensed information to the central server. We dif-
ferentiate this attack according to the number of affected sensors. An attacker that
is limited in its effective range is likely to only affect single sensors due to their broad
spatial distribution.
ADS-B Spoofing (Multiple). A large-scale attacker may also be capable of targeting
multiple geographically distributed sensors at the same time. This attacker,
however, requires multiple antennas or a highly elevated, high-power antenna. The
attack is conducted in a broadcast fashion and is expected to affect all sensors within
its predetermined area. As a result, more than one sensor would receive the same
fake report and forward it to the central server.
Sensor Control. Due to the open nature of the surveillance network, attackers
can operate their own sensors and become part of the crowdsourcing infrastructure.
Having full control over a sensor, an attacker is able to inject arbitrary data en-
capsulated in genuine ADS-B reports [104]. This attack can be performed without
broadcasting false sensor inputs and can be directly conducted on the network level.
Sybil Attack. A large-scale attacker operating multiple sensors to capture the
network’s protection systems can perform a Sybil attack [21]. An attacker deploys a
significant number of sensors at potentially different locations to decisively influence
the system’s behavior. As a result, a Sybil attacker may completely overtake the
system’s mechanics while remaining unnoticed by the protection systems. This
constitutes one of the most powerful attacks against sensor networks.
6.5 Design of an ADS-B Trust System
We propose a system to establish a dynamic verification of ADS-B messages for air
traffic surveillance. We first describe the specifics of our considered data and state
general network statistics. We then define (i) verification tests checking the contents
of a message and (ii) an ML classifier evaluating the metadata of a message.
As the source of our considered data, we utilize real-world air traffic data from
the OpenSky Network [74,107–110,120]. The sensors are installed and operated by
volunteers, who can either remain anonymous or register themselves by providing
personal data. Over 850 sensors promote the coverage of the network that exhibits
a particularly high sensor density in Europe and on the American continent. The
network relies on user-provided data, processes the data on centralized servers, and
offers access to the collected data of around 20 billion messages per day. Notably,
nodes in the network are not equipped with any cryptographic means or certificates,
which would hinder the growth of the sensor network and contradict the easy access
to the crowdsourcing platform. While other air traffic sensor networks exist, we
make use of the research-friendly data sharing of this network.
For the sake of simplification, we initially restrict the considered data to the Euro-
pean airspace where the OpenSky Network sensor density is the highest. To further
reduce complexity, we divide this space into non-overlapping clusters C and assign
each cluster a latitude and longitude index as the coordinates of its center. Hence,
the considered environment becomes the union of all clusters $C_{LAT,LON}$. We implement
the size of each cluster as a trade-off between sensitivity and generalization.
In order to get a better understanding of the data provided by the OpenSky Net-
work, we present basic statistics including sensor coverages and the total number of
processed ADS-B messages with respect to their spatial distribution. These evalu-
ations are based on data collected from an entire day (July 2nd, 2018) resulting in
a total of 182,824,762 messages broadcasted by real aircraft. Figure 6.2a depicts a
heat map of the spatial distribution of all recorded ADS-B reports on the exemplary
day. As one can see, most reports originated from a few cluster areas close to central
European airports. Notably, the database only contains messages that reached at
least one contributing sensor.
The overall coverage of the network is the combination of all participating sensors.
Since the individual sensor coverages can significantly overlap with each other, the
redundancy of the coverage is higher in areas with more sensors as compared to
rural areas. Figure 6.2b shows the aggregated sensor coverage of the OpenSky
Network as of July 2nd, 2018. The heatmap depicts the number of sensors that
simultaneously cover an indicated area. A total of 613 different sensors reported data
for the exemplary day and the considered airspace. We notice a strong dominance
in Central Europe, where most of the participating sensors are operated.
Figure 6.2: Spatial distribution of captured reports and sensor coverage of the OpenSky Network in Europe for the exemplary day (July 2nd, 2018). Panels: (a) Total Messages, (b) Sensor Coverage.
For the remainder of this work, we use the following notations. The network is
formed by a set of ground-based sensors $R$, where each sensor is referred to as $R_i \in R$.
Each ADS-B message $m$ can be received by an arbitrary number $\geq 1$ of sensors $R_i$,
hence the link $(m, R_i)$ exists. Due to noise effects and message collisions, message
loss can naturally occur and we denote the probability that sensor $R_i$ receives a
message transmitted from cluster $C_j$ as $P_{rec}(R_i, C_j)$. Moreover, the messages are
timestamped by the receiving sensors, where t is the issued timestamp. When a
message is not picked up by any sensor, it is consequently not in the considered
database.
6.6 ADS-B Message Trust
In order to assess the trustworthiness of ADS-B messages, we design an evalua-
tion process consisting of four verification tests, namely (i) sanity, (ii) differential,
(iii) dependency, and (iv) cross check. While the former three tests are stated for
the sake of completion, we focus on the cross check that is tailored towards the ex-
isting sensor infrastructure to implement wireless witnessing. The system overview
is depicted in Figure 6.3 and is developed in the following.
Figure 6.3: The process of ADS-B trust evaluation including four different verification tests, their utilized data, and conditional branching to the subsequent attack analysis.
[Diagram labels: Sanity Check (Defined Value Range), Differential Check (Maximal Change), Dependency Check (Physical Restrictions), Cross Check (Sensor Coverage); Content and Metadata inputs; OK/FAILED branches leading to Attack Analysis (Type of Attack, Affected Sensors).]
Table 6.2: Sanity Check
Category | Parameter | Range
Position | Latitude | −90° to 90°
Position | Longitude | −180° to 180°
Position | Altitude | −3 m to 20,000 m
Movement | Velocity | 0 km/h to 1,200 km/h
Movement | True Track | 0° to 360°
consequence, an optimized attacker strategy would try to emulate typical reception
patterns and only affect a specific number of sensors. However, since sensors are
geographically distributed at unknown positions, an attacker cannot systematically
control which and how many sensors receive the fake reports. Eventually, an attacker
may broadcast from a location close to the designated position to emulate realistic
message reception. However, the attack would then become a legitimate broadcast
of ADS-B reports from the advertised position.
Sensor Control/Sybil Attack
To evaluate our detection performance of sensor control/Sybil attacks, we again fo-
cus on the outcome of the cross check. Our simulated attack messages are crafted in
a way that all pass the message content verification and need to be detected by their
metadata. For the analysis, we consider different sensor coverage regions in which
the attacker adds different numbers of compromised sensors, i. e., a single sensor,
half of the sensors, or the same number of sensors already observing that specific
airspace. Notably, the attackers’ sensors initially participate normally and are al-
ready considered when deciding message reception patterns. Table 6.8 separately
compares TPRs for correctly classifying normal and attack messages.
Results. We successfully distinguish between messages resulting from sensor con-
trol/Sybil attacks and reports from normal operation. However, in regions of low
sensor coverage, the attack is hardly detected. As a result, the validity of the cross
check requires a certain number of sensors to effectively detect Sybil attacks. We
even recognize a slightly better detection performance as compared to ADS-B spoof-
ing messages. The reasoning behind this is based on the fact that other sensors in the
same area will not report the reception of the fake message that is directly injected
by compromised sensors. This represents a very unlikely case of a high number of
sensors missing the same message. The higher the coverage of the sensors is, the
more unlikely these events become. Moreover, an attacker cannot emulate realistic
reception patterns by direct message injection considering that sensors are deployed
at unknown locations.
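The reasoning above can be reproduced with a small likelihood model. This is an added example, not the thesis's ML classifier: it estimates $P_{rec}(R_i, C_j)$ from past reception events and scores a reception pattern under an independence assumption; the sensor names, the cluster label, the 0.9 reception probability and the 1% threshold quantile are constructed assumptions.

```python
import math
import random
from collections import defaultdict


def estimate_prec(history, sensors, alpha=1.0):
    """Estimate P_rec(R_i, C_j) from (cluster, receivers) reception events.

    Laplace smoothing (alpha) keeps every estimate strictly inside (0, 1).
    """
    seen = defaultdict(int)   # messages recorded per cluster
    hits = defaultdict(int)   # (sensor, cluster) -> number of receptions
    for cluster, receivers in history:
        seen[cluster] += 1
        for s in receivers:
            hits[(s, cluster)] += 1
    return {(s, c): (hits[(s, c)] + alpha) / (n + 2 * alpha)
            for c, n in seen.items() for s in sensors}


def pattern_loglik(prec, sensors, cluster, receivers):
    """Log-likelihood of one reception pattern, treating sensors as independent."""
    ll = 0.0
    for s in sensors:
        p = prec[(s, cluster)]
        ll += math.log(p if s in receivers else 1.0 - p)
    return ll


def fit_thresholds(prec, sensors, history, quantile=0.01):
    """Per-cluster threshold: the given quantile of log-likelihoods of normal traffic."""
    per_cluster = defaultdict(list)
    for cluster, receivers in history:
        per_cluster[cluster].append(pattern_loglik(prec, sensors, cluster, receivers))
    thresholds = {}
    for c, values in per_cluster.items():
        values.sort()
        thresholds[c] = values[int(quantile * (len(values) - 1))]
    return thresholds


def cross_check(prec, thresholds, sensors, cluster, receivers):
    """True if the pattern is at least as plausible as the learned threshold."""
    return pattern_loglik(prec, sensors, cluster, receivers) >= thresholds[cluster]


def simulate_history(sensors, cluster, p_true, n, rng):
    """Constructed normal traffic: each sensor hears a message with probability p_true.

    Messages heard by no sensor never reach the database, so they are dropped.
    """
    history = []
    while len(history) < n:
        receivers = frozenset(s for s in sensors if rng.random() < p_true)
        if receivers:
            history.append((cluster, receivers))
    return history


def run_region(n_sensors, n_attacker, seed=7):
    """Train on normal traffic, then score a directly injected (Sybil) message."""
    rng = random.Random(seed)
    sensors = [f"R{i}" for i in range(n_sensors)]   # constructed sensor names
    cluster = "C_48_11"                             # constructed cluster label
    history = simulate_history(sensors, cluster, 0.9, 2000, rng)
    prec = estimate_prec(history, sensors)
    thresholds = fit_thresholds(prec, sensors, history)
    # Compromised sensors took part normally during training; for the injected
    # message only they report a reception, all honest sensors stay silent.
    attacker = set(sensors[:n_attacker])
    return {
        "normal_trusted": cross_check(prec, thresholds, sensors, cluster, set(sensors)),
        "injected_trusted": cross_check(prec, thresholds, sensors, cluster, attacker),
        "injected_loglik": pattern_loglik(prec, sensors, cluster, attacker),
        "threshold": thresholds[cluster],
    }


if __name__ == "__main__":
    print("coverage 10, attacker holds 5:", run_region(10, 5))
    print("coverage 2, attacker holds 1:", run_region(2, 1))
```

With ten sensors the injected message falls below the threshold because five honest sensors would all have to miss it; with two sensors the same pattern also occurs in normal traffic and passes, which matches the low-coverage limitation stated above.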
Figure 6.4: The confusion matrix of our ML classifier deciding the type of attack when confronted with random messages resulting from: Normal Operation, GPS Spoofing, ADS-B Spoofing, or Sybil Attack.
True Class \ Predicted Class | GPS Spoofing | ADS-B Spoofing | Sybil Attack
GPS Spoofing | 99% | <1% | <1%
ADS-B Spoofing | <1% | 89% | 11%
Sybil Attack | <1% | 2% | 98%
The figure additionally reports TPR and TNR per true class.
6.9.2 Attack Analysis: Type of Attack
If one of our verification tests issues an alarm and an attack is detected, we further
try to identify the type of attack. In order to evaluate the ability to differentiate
between attacks, we consider the results of the cross check verification. In par-
ticular, we train our classifier with messages from all the analyzed attacks, i. e.,
GPS spoofing, ADS-B spoofing, and sensor control/Sybil attack. We then test the
classifier against messages randomly sampled from messages identified as malicious.
Figure 6.4 depicts a confusion matrix while considering an exemplary coverage of
ten sensors. Furthermore, for the ADS-B spoofing attack and the Sybil attack, we
consider an attacker affecting half of the monitoring sensors. Aside from the TPR,
we provide the complementary True Negative Rate (TNR).
Results. The messages resulting from a simulated GPS spoofing attack are assigned
to the matching class in 99% of the cases. However, only 89% of ADS-B attack reports
are correctly detected, and a large proportion of 11% of those messages is falsely
decided to reflect a Sybil attack. In particular, we simulated this attack with a very
beneficial attacker setup replicating typical reception patterns by simultaneously
affecting multiple sensors. This constitutes the most stealthy attack with respect
to our classifier. In comparison, Sybil attacks are correctly classified with a prob-
ability of 98% and only 2% are decided to result from ADS-B spoofing. Notably,
all of the shown results are based on a single message classification. To further re-
duce the probability of false alarms, we discuss the requirements of successive false
classifications in Section 6.10.3.
6.9.3 Attack Analysis: Affected Sensors
We generally differentiate between sensors that are themselves victims, misused as
passive attack actors, and sensors that actively collaborate in and cause the
attack. For instance, in GPS spoofing attacks and ADS-B spoofing attacks, sensors
may be faced with bogus input data. While their input data may be bogus, passive
victim sensors are still functioning correctly and otherwise conform to their
intended behavior. While for GPS spoofing attacks the sensor reception patterns
reflect normal behavior but for a different message origin, the reception patterns
for ADS-B spoofing attacks are altered. If our attack analysis reveals the type of
attack being of the latter case, the reporting sensors may be disconnected from the
network and excluded from the cross checking procedure of other messages. These
sensors are directly affected by the attacker and their sensing of messages cannot
be trusted. However, after the attack is concluded, the identified sensors may be
reactivated and again contribute to the network.
In contrast, if the attack analysis reveals a sensor control/Sybil attack, we are
faced with compromised sensors actively launching attacks on the network. All
sensors that reported the reception of identified attack messages are considered a
part of an attacker-controlled sensor union. Any shared messages from such sensors
cannot be considered trustworthy. Their participation in the crowdsourcing network
is shut down and their forwarded messages are filtered out accordingly to recover
the integrity of the network.
6.9.4 Impact: Grid Resolution
The resolution of our considered underlying grid determines the clustering process
of assigning messages and sensors to the same cluster $C_j$. The higher the grid resolution,
the finer the differentiation between regions and eventually their reception
patterns. However, increasing the grid resolution not only increases the computa-
tional load but can also lead to overfitting areas to the monitoring sensors. For
instance, since we do not know the exact locations of sensors, we need to learn them
from their reported ADS-B messages. The chance that a sensor reported no message
from a specific area increases with smaller cluster sizes even though the sensor might
actually observe that airspace. We evaluated the impact of the grid resolution for
edge lengths of 70 km, 35 km, 14 km, and 7 km and gained the following insights.
The greater the extent of a cluster is, the more sensors are potentially
observing at least parts of the area. As a consequence, the reception patterns feature
more active sensors and have a higher variance. However, this also makes it harder
to have a clear distinction between normal operation and malicious patterns. On the
other hand, a too small cluster area actually prevents a generalized estimation and
thus also decreases the validity. For our analysis, we achieve a reasonable trade-off
for a grid size of 7 km, with which all the presented results were gathered.
6.10 Discussion
We discuss important parameters of our developed system, e. g., (i) implicit trust in
the data source, (ii) attacker’s knowledge, (iii) false alarm events, (iv) the current
attack resilience, (v) optimized sensor deployment, and (vi) further extensions.
6.10.1 Implicit Data Source Trust
We base the evaluation of our trust system on data provided by the OpenSky Net-
work, which records real-world air traffic reports. However, we take the data “as is”
and consider it to represent normal behavior. We cannot exclude the existence of
erroneous data or even reports that resulted from some kind of attack. Nevertheless,
we thoroughly analyzed the messages of our considered exemplary day (July 2nd,
2018) without any findings. While our system is designed to analyze live data, our
system can also be used to find unusual data retrospectively and potential attacks
in the recorded air traffic messages of arbitrary days.
6.10.2 Attacker’s Knowledge
In our performance analysis of detecting different attacks, we considered attackers
controlling a certain number of sensors. However, an attacker with full awareness of
our detection scheme might try to optimize the pursued attack strategy and imitate
authentic reception patterns. For both ADS-B spoofing and Sybil attacks, this can
only be achieved to a certain degree and cannot overcome the detection in regions
with enough sensor redundancy. Even a fully aware attacker does not know the
locations of other sensors, and hence it is not possible to manipulate them in a
targeted manner (e. g., through ADS-B spoofing). Moreover, an attacker cannot
access the unprocessed readings of other sensors in an effort to localize them. In the
case of ADS-B spoofing, where an attacker affects multiple sensors, victims cannot
separately be targeted. A Sybil attacker, however, could try to emulate realistic
reception patterns via compromised sensors, but cannot do so with the sound user-
controlled sensors. We, therefore, argue that even an attacker, fully aware of our
detection scheme, cannot overcome it due to the concealed locations of other sensors.
Even though our ML-based cross check exhibits a high detection performance, the
probability of false alarm events is non-negligible. A false alarm is triggered when an
ADS-B message is incorrectly labeled as the result of an attack while originating from
normal operation. Depending on the sensor coverage of the considered airspace, the
false alarm rate can reach approx. 14%, which is unacceptably high for a production
system. However, we want to highlight again that all results in Tables 6.6 - 6.8
refer to a single, isolated message. By requiring multiple, consecutive reports
that are detected as malicious, the false alarm rate can be lowered drastically.
The chance of false alarms when requiring several false classifications in succession
is stated in Table 6.9. Notably, for this evaluation, we assume that the successive
aircraft reports are sent from different grid areas with distinct message reception
patterns. This is naturally satisfied as aircraft are moving constantly when en-route.
By increasing the number of consecutive messages, the false alarm probability can
be brought down to reasonable levels even for low-density regions.
6.10.4 Current Attack Resilience
The crowdsourcing sensors are at the core of our trust system and their distribution
and density are of utmost importance for the detection of attacks. The validity of the
cross check, i. e., wireless witnessing, increases with the number of sensors covering
a certain air segment. Thus, the higher the redundancy is, the better malicious
attacks and sensors can be detected. We analyzed the current resilience of the
OpenSky Network by considering regions related to the evaluated coverages, i. e., 3,
5, 10, 20, and 50 sensors. Figure 6.5a depicts areas that already provide at least the
indicated sensor redundancy. Further, Table 6.10 states the breakdown of
the total covered area and relates it to the total surface of the European continent.
Figure 6.5: The resilience measured in sensor redundancy and identified regions that would benefit the most by optimized sensor deployment, both considering the currently deployed infrastructure as of July 2nd, 2018. Panels: (a) Resilience, (b) Optimized Deployment.