Reducing GNSS receiver vulnerabilities
The objective is to raise the bar enough that successful attacks causing significant consequences are difficult to carry out
Reports of problems with GPS appear with increasing frequency. As two of many examples:
▪ USA Today, on October 3, 2017, reported a “Mysterious GPS glitch telling ships they’re parked at an airport…”, apparently due to intentional broadcast of spoofing signals.
▪ Some mobile devices in the exhibition hall at the September 2017 ION GNSS+ conference began reporting time in the year 2014, and locations in Europe. Because of the date change, these devices suffered secondary problems with email and text messaging. The problem was caused when the devices received signals leaking from a GPS constellation simulator.
All satellite-based navigation and timing (satnav) systems in the Global Navigation Satellite System (GNSS) consist of three segments: space segment (the constellation of satellites), ground segment (which monitors and controls the satellites and their signals), and user segment (the antennas, antenna electronics, and receivers), as well as the signals broadcast from the satellites to the user equipment.
In many cases, the reported problems are either caused by, or at least could be mitigated by, satnav user equipment. Yet, like the USA Today headline quoted above, often the problem is blamed on the satnav system, leaving the mistaken impression that there has been a flaw in the space or ground segment, or in the signals.
In these examples and many other cases, the space and ground segment and signals are correct, but imperfect user equipment is the vulnerability. For example:
▪ Regardless of what their inputs are, should maritime receivers on large maritime vessels report position changes of tens of kilometers in a few seconds, altitude under water, and location on an airport runway?
▪ Should mobile devices report “time travel” from 2017 to 2014 and moving thousands of kilometers in a few seconds or minutes?
Sometimes a satnav system’s ground segment or space segment does malfunction, causing signals to provide flawed or erroneous information. GPS experienced this situation in January 2016, when some satellites broadcast an incorrect offset between system time and Universal Coordinated Time. This error did not affect calculation of position or velocity, but did affect some timing receivers. Even in this case, however, since the erroneous broadcast did not conform to the GPS signal interface specification, receivers could have detected and rejected the erroneous information. Yet some receivers were affected by it.
When computer viruses and other malware appeared in the 1980s and 1990s, users did not discard their IBM PCs and Apple Macintoshes, reverting to typewriters and calculators or slide rules. Instead, virus detection, firewalls, and other defenses were introduced. Software assurance practices reduced the presence of exploitable bugs and other vulnerabilities. Users adopted smarter practices in dealing with emails and using the Internet, while more diligently maintaining their software and hardware to address newly found bugs and vulnerabilities. While threats have continued to evolve, so have defenses, allowing personal computers to become an integral part of today’s society.
Modern GNSS receivers are actually computers with specialized inputs and interfaces. Yet in many cases they have been specified, developed, and tested as if they are mere radio receivers. Software assurance practices common in development and maintenance of other types of computers may not be rigorously employed in development of GNSS receivers. Techniques that protect computers from malicious or faulty inputs may be lacking in GNSS receivers, and handling of valid but rare conditions (such as GPS week rollovers or insertion of leap seconds) may not be adequately implemented or tested. Absent are algorithms that apply simple common sense to preclude many of the problems that are experienced, like those in the Black Sea and at ION GNSS+ 2017. Signals from multiple satnav systems are available, but not consistently used to crosscheck each other. Although low cost, low power, inertial sensors and precision clocks exist, they may not be used to crosscheck computations and provide fallback capability. Users may not be thorough or current in installing and maintaining hardware and software, and in practicing the same kind of “cyber hygiene” (such as updating passwords and blocking back doors) that they practice with routers and firewalls.
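The "simple common sense" checks described above can be expressed in a few lines. The following sketch is an added example, not code from the original article or from any receiver vendor: it rejects fixes whose time precedes the firmware build date, whose time does not advance, whose altitude is outside platform limits, or whose implied speed is impossible for the platform. The names Fix and PlausibilityMonitor, the thresholds, and the sample fixes are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Fix:
    t: float      # receiver-reported UTC, seconds since the Unix epoch
    lat: float    # degrees
    lon: float    # degrees
    alt_m: float  # metres above mean sea level

def distance_m(a, b):
    """Great-circle (haversine) distance between two fixes, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))

class PlausibilityMonitor:
    """Compares each fix with platform limits and the last accepted fix."""
    def __init__(self, max_speed_mps, min_alt_m, max_alt_m, build_time):
        self.max_speed_mps = max_speed_mps
        self.min_alt_m, self.max_alt_m = min_alt_m, max_alt_m
        self.build_time = build_time  # true time cannot precede the firmware build
        self.last = None

    def check(self, fix):
        """Return reasons to distrust the fix; an empty list means accepted."""
        reasons = []
        if fix.t < self.build_time:
            reasons.append("time_before_firmware_build")
        if not self.min_alt_m <= fix.alt_m <= self.max_alt_m:
            reasons.append("altitude_out_of_range")
        if self.last is not None:
            dt = fix.t - self.last.t
            if dt <= 0:
                reasons.append("time_not_advancing")
            elif distance_m(self.last, fix) / dt > self.max_speed_mps:
                reasons.append("implied_speed_too_high")
        if not reasons:
            self.last = fix  # only accepted fixes become the reference
        return reasons

def demo():
    """Constructed fixes for a hypothetical ship (limits are assumptions)."""
    t0 = 1_506_470_400.0  # 2017-09-27 00:00:00 UTC
    mon = PlausibilityMonitor(30.0, -50.0, 100.0, build_time=1_483_228_800.0)
    fixes = [Fix(t0, 44.6000, 37.900, 5.0), Fix(t0 + 5, 44.6001, 37.900, 5.0),
             Fix(t0 + 10, 45.0000, 37.350, 5.0),           # ~60 km jump in 5 s
             Fix(1_388_534_400.0, 48.0, 11.0, 500.0)]      # clock back in 2014
    return [mon.check(f) for f in fixes]
```

A receiver that flags a fix this way can hold its last accepted solution, or fall back to inertial sensors or a second constellation, rather than reporting the implausible one.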
It’s time for users to demand competent GNSS user equipment that is specified, developed, and tested to exhibit common sense, with receivers that respond appropriately (maintaining operation when possible, failing gracefully when necessary) to attacks, rare events, and even erroneous inputs. It’s time for manufacturers of GNSS chips and receivers to adopt practices and implement capabilities that enable user equipment to operate appropriately in imperfect and threatened environments, rather than implicitly trusting all inputs as valid and correct. It’s time to apply the standards and compliance requirements used for computers and computer software to GNSS receivers and their software. Perhaps it’s time for an organization to perform independent testing, evaluation, and rating of GNSS user equipment against various attacks and challenging conditions, just as the Insurance Institute for Highway Safety does for automobile crashworthiness in the United States.
Cybersecurity for personal computers is never perfect, and defenses need to evolve to defend against new attacks. Similarly, more competent and robust GNSS user equipment will never be perfect, and there will need to be secure ways to upgrade user equipment as improvements become available. There will be challenges in developing and sustaining competent GNSS user equipment, with new opportunities for organizations that can do this well. Even then, the result may not be perfect. But perfect may be the enemy of good enough. Every technology we use has vulnerabilities that can be successfully attacked, given sufficient resources and skill. The objective is to raise the bar enough that successful attacks causing significant consequences are difficult to carry out, and would expose the attacker to enough risk that most attacks are dissuaded.
Let’s work together so that competent GNSS user equipment is developed, employed, and maintained to address the challenges of today and tomorrow.
Approved by MITRE for Public Release; Distribution Unlimited. Case Number 18-2925.
©2018 The MITRE Corporation. All rights reserved.