Daniel P. Shepard

Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks

Abstract Results of Global Positioning System (GPS) spoofing tests against phasor measurement units (PMUs) are presented, which demonstrate that PMUs are vulnerable to spoofing attacks. A GPS spoofer can manipulate PMU time stamps by injecting a counterfeit ensemble of GPS signals into the antenna of the PMUs time reference receiver. A spoofer-induced timing error of only a few tens of microseconds causes a PMU to violate the maximum phase error allowed by the applicable standard. These and other larger errors can give automated or human power grid controllers a false perception of the state of the grid, leading to unnecessary, and possibly destabilizing, remedial control actions. To emphasize this threat, this paper shows that a particular PMU-based automatic control scheme currently implemented in Mexico whose control architecture and setpoints have been published in the open literature could be induced by a GPS spoofing attack to trip a primary generator.

Unmanned Aircraft Capture and Control Via GPS Spoofing

The theory and practice of unmanned aerial vehicle UAV capture and control via Global Positioning System GPS signal spoofing are analyzed and demonstrated. The goal of this work is to explore UAV vulnerability to deceptive GPS signals. Specifically, this paper 1 establishes the necessary conditions for UAV capture via GPS spoofing, and 2 explores the spoofers range of possible post-capture control over the UAV. A UAV is considered captured when a spoofer gains the ability to eventually specify the UAVs position and velocity estimates. During post-capture control, the spoofer manipulates the true state of the UAV, potentially resulting in the UAV flying far from its flight plan without raising alarms. Both overt and covert spoofing strategies are considered, as distinguished by the spoofers attempts to evade detection by the target GPS receiver and by the target navigation systems state estimator, which is presumed to have access to non-GPS navigation sensor data. GPS receiver tracking loops are analyzed and tested to assess the spoofers capability for covert capture of a mobile target. The coupled dynamics of a UAV and spoofer are analyzed and simulated to explore practical post-capture control scenarios. A field test demonstrates capture and rudimentary control of a rotorcraft UAV, which results in unrecoverable navigation errors that cause the UAV to crash.

GPS Spoofing Detection via Dual-Receiver Correlation of Military Signals

Cross-correlation of unknown encrypted signals between two Global Navigation Satellite System (GNSS) receivers is used for spoofing detection of publicly-known signals. This detection technique is one of the strongest known defenses against sophisticated spoofing attacks if the defended receiver has only one antenna. The attack strategy of concern overlays false GNSS radio-navigation signals on top of the true signals. The false signals increase in power, lift the receiver tracking loops off of the true signals, and drag the loops and the navigation solution to erroneous but consistent results. Hypothesis testing theory is used to develop a codeless cross-correlation detection method for use in inexpensive, narrowband civilian GNSS receivers. The detection method is instantiated by using the encrypted military Global Positioning System (GPS) P(Y) code on the L1 frequency in order to defend the publicly-known civilian GPS C/A code. Successful detection of spoofing attacks is demonstrated by off-line processing of recorded RF data from narrowband 2.5 MHz RF front-ends, which attenuate the wideband P(Y) code by 5.5 dB. The new technique can detect attacks using correlation intervals of 1.2 s or less.

Evaluation of Smart Grid and Civilian UAV Vulnerability to GPS Spoofing Attacks

Todd E. Humphreys is an assistant professor in the department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin, and Director of the UT Radionavigation Laboratory. He received a B.S. and M.S. in Electrical and Computer Engineering from Utah State University and a Ph.D. in Aerospace Engineering from Cornell University. He specializes in applying optimal estimation and signal processing techniques to problems in radionavigation. His recent focus is on radionavigation robustness and security.

An Evaluation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing

A receiver-autonomous non-cryptographic civil GPS antispoofing technique called the vestigial signal defense (VSD) is defined and evaluated. This technique monitors distortions in the complex correlation domain to detect spoofing attacks. Multipath and spoofing interference models are developed to illustrate the challenge of distinguishing the two phenomena in the VSD. A campaign to collect spoofing and multipath data is described, which specific candidate VSD techniques can be tested against. Test results indicate that the presence of multipath complicated the setting of an appropriate spoofing detection threshold.

Civilian GPS Spoofing Detection based on Dual- Receiver Correlation of Military Signals

Cross-correlations of unknown encrypted signals between two civilian GNSS receivers are used to detect spoofing of known open-source signals. This type of detection algorithm is the strongest known defense against sophisticated spoofing attacks if the defended receiver has only one antenna. The attack strategy of concern starts by overlaying false GNSS radio-navigation signals exactly on top of the true signals. The false signals increase in power, lift the receiver tracking loops off of the true signals, and then drag the tracking loops and the navigation solution to erroneous, but consistent results. This paper develops codeless and semi-codeless spoofing detection methods for use in inexpensive, narrow-band civilian GNSS receivers. Detailed algorithms and analyses are developed that use the encrypted military P(Y) code on the L1 GPS frequency in order to defend the open-source civilian C/A code. The new detection techniques are similar to methods used in civilian dualfrequency GPS receivers to track the P(Y) code on L2 by cross-correlating it with P(Y) on L1. Successful detection of actual spoofing attacks is demonstrated by off-line processing of digitally recorded RF data. The codeless technique can detect attacks using 1.2 sec of correlation, and the semi-codeless technique requires correlation intervals of 0.2 sec or less. This technique has been demonstrated in a narrow-band receiver with a 2.5 MHz bandwidth RF front-end that attenuates the P(Y) code by 5.5 dB.

Characterization of Receiver Response to Spoofing Attacks

THESIS Presented to the Faculty of the Undergraduate School of The University of Texas at Austin in Partial Fulfillment of the Requirements for the Degree of BACHELOR OF SCIENCE IN AEROSPACE ENGINEERING

The Texas Spoofing Test Battery: Toward a Standard for Evaluating GPS Signal Authentication Techniques

A battery of recorded spoofing scenarios has been compiled for evaluating civil Global Positioning System (GPS) signal authentication techniques. The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for commercial GPS receivers. The setup used to record the scenarios is described. A detailed description of each scenario reveals readily detectable anomalies that spoofing detectors could target to improve GPS security.

High-precision globally-referenced position and attitude via a fusion of visual SLAM, carrier-phase-based GPS, and inertial measurements

A novel navigation system for obtaining high-precision globally-referenced position and attitude is presented and analyzed. The system is centered on a bundle-adjustment-based visual simultaneous localization and mapping (SLAM) algorithm which incorporates carrier-phase differential GPS (CDGPS) position measurements into the bundle adjustment in addition to measurements of point features identified in a subset of the camera images, referred to as keyframes. To track the motion of the camera in real-time, a navigation filter is employed which utilizes the point feature measurements from all non-keyframes, the point feature positions estimated by bundle adjustment, and inertial measurements. Simulations have shown that the system obtains centimeter-level or better absolute positioning accuracy and sub-degree-level absolute attitude accuracy in open outdoor areas. Moreover, the position and attitude solution only drifts slightly with the distance traveled when the system transitions to a GPS-denied environment (e.g., when the navigation system is carried indoors). A novel technique for initializing the globally-referenced bundle adjustment algorithm is also presented which solves the problem of relating the coordinate systems for position estimates based on two disparate sensors while accounting for the distance between the sensors. Simulation results are presented for the globally-referenced bundle adjustment algorithm which demonstrate its performance in the challenging scenario of walking through a hallway where GPS signals are unavailable.

Precise Augmented Reality Enabled by Carrier-Phase Differential GPS

A prototype precise augmented reality (PAR) system that uses carrier phase differential GPS (CDGPS) and an inertial measurement unit (IMU) to obtain sub-centimeter level accurate positioning and degree level accurate attitude is presented. Several current augmented reality systems and applications are discussed and distinguished from a PAR system. The distinction centers around the PAR system’s highly accurate position estimate, which enables tight registration, or alignment of the virtual renderings and the real world. Results from static and dynamic tests of the PAR system are given. These tests demonstrate the positioning and orientation accuracy obtained by the system and how this accuracy translates to remarkably low registration errors, even at short distances from the virtual objects. A list of areas for improvement necessary to create a fully capable PAR system is presented.