Todd E. Humphreys

Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer

A portable civilian GPS spoofer is implemented on a digital signal processor and used to characterize spoofing effects and develop defenses against civilian spoofing. This work is intended to equip GNSS users and receiver manufacturers with authentication methods that are effective against unsophisticated spoofing attacks. The work also serves to refine the civilian spoofing threat assessment by demonstrating the challenges involved in mounting a spoofing attack.

Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks

Abstract Results of Global Positioning System (GPS) spoofing tests against phasor measurement units (PMUs) are presented, which demonstrate that PMUs are vulnerable to spoofing attacks. A GPS spoofer can manipulate PMU time stamps by injecting a counterfeit ensemble of GPS signals into the antenna of the PMUs time reference receiver. A spoofer-induced timing error of only a few tens of microseconds causes a PMU to violate the maximum phase error allowed by the applicable standard. These and other larger errors can give automated or human power grid controllers a false perception of the state of the grid, leading to unnecessary, and possibly destabilizing, remedial control actions. To emphasize this threat, this paper shows that a particular PMU-based automatic control scheme currently implemented in Mexico whose control architecture and setpoints have been published in the open literature could be induced by a GPS spoofing attack to trip a primary generator.

Unmanned Aircraft Capture and Control Via GPS Spoofing

The theory and practice of unmanned aerial vehicle UAV capture and control via Global Positioning System GPS signal spoofing are analyzed and demonstrated. The goal of this work is to explore UAV vulnerability to deceptive GPS signals. Specifically, this paper 1 establishes the necessary conditions for UAV capture via GPS spoofing, and 2 explores the spoofers range of possible post-capture control over the UAV. A UAV is considered captured when a spoofer gains the ability to eventually specify the UAVs position and velocity estimates. During post-capture control, the spoofer manipulates the true state of the UAV, potentially resulting in the UAV flying far from its flight plan without raising alarms. Both overt and covert spoofing strategies are considered, as distinguished by the spoofers attempts to evade detection by the target GPS receiver and by the target navigation systems state estimator, which is presumed to have access to non-GPS navigation sensor data. GPS receiver tracking loops are analyzed and tested to assess the spoofers capability for covert capture of a mobile target. The coupled dynamics of a UAV and spoofer are analyzed and simulated to explore practical post-capture control scenarios. A field test demonstrates capture and rudimentary control of a rotorcraft UAV, which results in unrecoverable navigation errors that cause the UAV to crash.

Modeling the Effects of Ionospheric Scintillation on GPS Carrier Phase Tracking

A characterization is given for the behavior of Global Positioning System phase tracking loops in the presence of severe equatorial ionospheric scintillation. The purpose of this work is to develop a simple, general, and realistic scintillation effects model that can be used to improve the scintillation performance of phase tracking loops. The new characterization of scintillation effects proposed herein employs a differentially detected bit error model to predict cycle slipping rates that approximately agree with data-driven simulation tests.

Simulating Ionosphere-Induced Scintillation for Testing GPS Receiver Phase Tracking Loops

A simple model is proposed for simulating equatorial transionospheric radio wave scintillation. The model can be used to test Global Positioning System phase tracking loops for scintillation robustness because it captures the scintillation properties that affect such loops. In the model, scintillation amplitude is assumed to follow a Rice distribution, and the spectrum of the rapidly-varying component of complex scintillation is assumed to follow that of a low-pass second-order Butterworth filter. These assumptions are justified, and the model validated, by comparison with phase-screen-generated and empirical scintillation data in realistic tracking loop tests. The model can be mechanized as a scintillation simulator that expects only two input parameters: the scintillation index S 4 and the decorrelation time tau0. Hardware-in-the-loop tests show how the model can be used to test the scintillation robustness of any compatible GPS receiver.

Data-Driven Testbed for Evaluating GPS Carrier Tracking Loops in Ionospheric Scintillation

A large set of equatorial ionospheric scintillation data has been compiled, used to characterize features of severe scintillation that impact Global Positioning System phase tracking, and used to develop a scintillation testbed for evaluating tracking loops. The data-driven testbed provides researchers a tool for studying, and the receiver developers a tool for testing, the behavior of carrier tracking loops under realistic scintillation conditions. It is known that severe equatorial scintillation causes cycle slipping and, in the worst cases, complete loss of carrier lock. Testbed results indicate that cycle slips are primarily caused by the abrupt, near half-cycle phase changes that occur during the deep power fades of severe equatorial scintillation. For a class of standard tracking loops, parameter values that minimize scintillation-induced cycle slipping are identified.

Signal Characteristics of Civil GPS Jammers

This paper surveys the signal properties of 18 commercially available GPS jammers based on experimental data. The paper is divided into two distinct tests. The first characterizes the jamming signals, and the second test determines the effective range of 4 of the jammers. The first test uses power spectra from discrete Fourier transforms (DFTs) of the time series data to show that all the jammers employ approximately Copyright ©2011 by Ryan H. Mitch, Ryan C. Dougherty, Mark L. Psiaki, Steven P. Powell, and Brady W. O’Hanlon, Jahshan A. Bhatti and Todd E. Humphreys. All rights reserved. Preprint from ION GNSS 2011 the same jamming method, i.e. linear frequency modulation of a single tone. The spectra also show that there are significant jammer-to-jammer variations, including between jammers of the same model, and that a given jammer’s signal may vary over time. The first test also includes measurements of signal power within frequency bands centered at the L1 and L2 frequencies, along with the sweep periods and the sweep range at both frequencies. The second test presents measurements of the attenuation of the jamming signal necessary to allow a commercially available GPS receiver to acquire and track signals from a GPS simulator. From the attenuation levels and some assumptions about the antennas used, upper limits on the effective jamming ranges are calculated for 4 of the jammers, with a resulting maximum range of 6–9 km.

GPS Carrier Tracking Loop Performance in the presence of Ionospheric Scintillations

The performance of several GPS carrier tracking loops is evaluated using wideband GPS data recorded during strong ionospheric scintillations. The aim of this study is to determine the loop structures and parameters that enable good phase tracking during the power fades and phase dynamics induced by scintillations. Constant-bandwidth and variable-bandwidth loops are studied using theoretical models, simulation, and tests with actual GPS signals. Constant-bandwidth loops with loop bandwidths near 15 Hz are shown to lose phase lock during scintillations. Use of the decision-directed discriminator reduces the carrier lock threshold by »1 dB relative to the arctangent and conventional Costas discriminators. A proposed variablebandwidth loop based on a Kalman filter reduces the carrier lock threshold by more than 7 dB compared to a 15-Hz constant-bandwidth loop. The Kalman filter-based strategy employs a soft-decision discriminator, explicitly models the eects of receiver clock noise, and optimally adapts the loop bandwidth to the carrier-to-noise ratio. In extensive simulation and in tests using actual wideband GPS data, the Kalman filter PLL demonstrates improved cycle slip immunity relative to constant bandwidth PLLs.

Detection Strategy for Cryptographic GNSS Anti-Spoofing

A strategy is presented for detecting spoofing attacks against cryptographically-secured Global Navigation Satellite System (GNSS) signals. The strategy is applicable both to military Global Positioning System (GPS) signals and to proposed security-enhanced civil GNSS signals, whose trustworthiness is increasingly an issue of national security. The detection strategy takes the form of a hypothesis test that accounts for the statistical profile of a replay-type spoofing attack. A performance and robustness evaluation demonstrates that the detection test is both powerful and tolerant of some uncertainty in the threat model. The test is validated by experiments conducted on a spoofing testbed.

GPS Spoofing Detection via Dual-Receiver Correlation of Military Signals

Cross-correlation of unknown encrypted signals between two Global Navigation Satellite System (GNSS) receivers is used for spoofing detection of publicly-known signals. This detection technique is one of the strongest known defenses against sophisticated spoofing attacks if the defended receiver has only one antenna. The attack strategy of concern overlays false GNSS radio-navigation signals on top of the true signals. The false signals increase in power, lift the receiver tracking loops off of the true signals, and drag the loops and the navigation solution to erroneous but consistent results. Hypothesis testing theory is used to develop a codeless cross-correlation detection method for use in inexpensive, narrowband civilian GNSS receivers. The detection method is instantiated by using the encrypted military Global Positioning System (GPS) P(Y) code on the L1 frequency in order to defend the publicly-known civilian GPS C/A code. Successful detection of spoofing attacks is demonstrated by off-line processing of recorded RF data from narrowband 2.5 MHz RF front-ends, which attenuate the wideband P(Y) code by 5.5 dB. The new technique can detect attacks using correlation intervals of 1.2 s or less.