Threat Development Parallels Information/Communication Technology
By Oscar Pozzobon
The GNSS interference session at this year's ION-GNSS conference in Nashville was one of the most crowded, confirming the need across all sectors of the community to understand the threats to GNSS and how they can be mitigated. In that context I received one of the most challenging questions of my career: "Can we predict the future of GNSS security?" What is the status of civil and commercial GNSS security today? What are the threats and risks, and how are they mitigated? Where are we going, and what should we expect from the future?
I decided to tackle this topic carefully, using as a basis and inspiration the history of information and communication technology (ICT) security: from the first threats and attacks of the 1980s to a glance at what technology offers today.
Second, to obtain different perspectives (and to shift the blame to someone else if one day these predictions should prove wrong), I solicited the opinions of three other experts and colleagues in the domain of GNSS and security: Logan Scott, Todd Humphreys, and David Last.
Snapshots from History
The Internet was officially born in 1969 when the U.S. Defense Advanced Research Projects Agency (DARPA) created the Advanced Research Projects Agency Network (ARPANET). Little more than a decade later, the 414 Gang, a computer-hacking group (the term hacking had been coined at the Massachusetts Institute of Technology as early as the 1960s), performed one of the first publicized attacks and frauds against computer systems. In 1983 the first computer virus was discovered. Some readers may recall the 1983 movie War Games, which found Hollywood hard at work on cyber-attacks, denial, and deception against computer systems at a time when we had only six GPS satellites in orbit. In 1988 the Computer Emergency Response Team (CERT) was created to report and disseminate information on threats, and AT&T Bell Labs developed the first concept of a firewall. In 1989, Steven M. Bellovin published a paper on the possibility of a transmission control protocol/internet protocol (TCP/IP) spoofing attack.
Six years after that paper, in 1995, the Computer Incident Advisory Capability (CIAC) reported the first TCP/IP spoofing attack against a live system. Four years after that, the first distributed denial of service (DDoS) attacks on computer networks were reported by CERT. A DoS attack floods the target with unsolicited requests, from one machine or, in the distributed variant, from many compromised machines at once, saturating network and computing resources. In its objective it is the ICT counterpart of jamming in GNSS: service is denied by overwhelming the receiver rather than by deceiving it.
Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time intrusion detection system (IDS). The prototype was a rule-based expert system that flagged known patterns of malicious activity. I like to think of it as the counterpart of today's jamming detection and localization systems.
In the 1990s, the need for guidelines providing both general outlines and specific techniques for implementing security became pressing for all organizations. The first such standard, BS 7799, was published by the British Standards Institution (BSI) in 1995 and was later adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as the basis of the ISO/IEC 27000 series.
Information technology today can be security-evaluated against the Common Criteria (CC) standard (ISO/IEC 15408), which allows computer systems to be certified. CC is a framework in which the users of a computer system specify their security functional and assurance requirements, and an evaluator tests whether the product meets them. The Federal Information Processing Standard (FIPS) 140, published by the U.S. National Institute of Standards and Technology (NIST), is the corresponding standard for cryptographic modules.
The Nessus Project, started by Renaud Deraison in 1998, set out to provide an open-source vulnerability-assessment tool. Since 2000, Nessus has become one of the most popular tools for computer-network security and vulnerability assessment, used by more than 75,000 organizations worldwide.
ICT security today is managed as a lifecycle: CERTs handle threat notification, ISO/IEC 27000 governs the processes, CC and FIPS 140 define the security requirements for the system, and vulnerability-assessment tools verify its robustness.
Now, Where Are We in GNSS?
Radio-frequency interference (RFI) and jamming incidents are hard to track, because they are difficult to detect and have a long history in the military domain. Recent incidents such as the one at Newark International Airport show that the threat is growing and that mitigation strategies are needed. Signal falsification, or spoofing, has so far produced no documented cases in the civil domain.
The Volpe Report of September 10, 2001 is one of the first public government announcements of GNSS threats, including jamming and spoofing. More than 10 years later, the unmanned aerial vehicle (UAV) experiment coordinated by Todd Humphreys at the University of Texas proved that such attacks are feasible.
In GNSS, jamming detection (and sometimes mitigation) is nowadays a commercial option on some professional and mass-market receivers. Spoofing detection has been available in commercial prototype receivers since 2008 (among others, the Trusted GNSS Receiver (TIGER) funded by the European GNSS Agency). In 2012 we saw the presentation of the first civil GNSS security testbeds: the University of Texas TEXBAT initiative, which Todd Humphreys describes later in this article, and the GNSS Authentication and User Protection System Simulator (GAUPSS) project, which developed software and algorithms that were integrated and tested in the radio navigation laboratory of the European Space Agency/European Space Research and Technology Centre (ESA/ESTEC) in Noordwijk, the Netherlands.
I will make the assertion that, compared to ICT security, civil GNSS security seems to be reliving the early 1980s: first publication of attack concepts, first publicly known attacks, no standards, and only prototype mitigation strategies. With a gap of almost 30 years, at least four medium Earth orbit GNSS systems becoming operational in the next few years, and an annual 10 percent growth rate in GNSS applications, the era of civil GNSS security begins now.
The Question Why
Logan Scott is a consultant specializing in radio-frequency signal processing and waveform design for communications, navigation, radar, and emitter location. His opinion on the future threat leaves no doubt:
"In assessing security threats, an important starting question is 'Why would someone do that?' If there is no motivation, chances are, there won't be an attack. Over the last five years or so, the combination of ubiquitous, low-cost communications systems and satellite navigation has moved civil GNSS positioning and timing into use domains where there are stronger motivations for an attack. Specifically, widespread use in asset monitoring and tracking encourages jamming attacks and so, we are seeing more such attacks. As GNSS becomes more deeply embedded into societal infrastructure, we can expect to see more attacks of increasing sophistication. Motivation will be there."
David Last is a consultant engineer and expert witness specializing in radio-navigation and communications systems. He operates in the domain of covert tracking and law enforcement, an area where interference can be tempting. As an expert in the field, and to the best of his knowledge, he believes that "although there are some cases of jamming, we have seen no events of spoofing — so far. To date, all we have seen from criminals are crude jamming attacks. Attacks by technically sophisticated aggressors who understand GNSS vulnerability have yet to start. They will be much more serious.
"Furthermore, when the receiver stops receiving data in a court case, we can't say it's jamming: we can mention that it is one of the things that stops the signal. Law enforcement is now beginning to use receivers that can perform jamming detection."
David Last’s opinion on the issue of potential low-cost spoofers appearing in the near future was also provocative: “Criminals don’t buy things, they steal them.”
The Time is Right, Now
The first ICT security standard arrived roughly 10 years after the first publications and case reports of attacks. Is now the right time to consider security certification of GNSS receivers?
Logan Scott's opinion is that receivers should be certified so that they provide awareness of attacks:
“Today, essentially all houses and buildings have smoke alarms. Smoke alarms don’t put out fires but they do alert the occupants to the probability that there is a problem. Similarly, GNSS receiver situation awareness regarding jamming and spoofing is a first step towards militating against attacks on GNSS components. As civil receivers stand today, many don’t discriminate between loss of lock due to signal attenuation and loss of lock due to jamming. This needs to change.
“Fairly simple algorithms can detect most types of jamming and spoofing. Jammers and simple spoofers almost invariably affect automatic gain control gain settings. They are easy to detect. More sophisticated spoofers have difficulty covering apparent direction of arrival and can be detected using some simple antenna techniques.
“The problem for the user community at large is in knowing whether or not a receiver maintains adequate situational awareness. This is where test-based receiver certification can play a role.”
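To make the situational-awareness logic Logan Scott describes concrete, here is an added example (not code from the article, nor from any receiver or testbed it mentions) that classifies receiver telemetry by combining the front-end automatic gain control (AGC) gain with the mean carrier-to-noise density ratio (C/N0). The physical argument it encodes is that civil GNSS signals sit below the thermal noise floor, so the AGC is driven by noise plus any interferer rather than by the satellites: shadowing leaves the AGC alone and only lowers C/N0, a jammer forces the AGC to back off while C/N0 collapses, and a power-advantaged spoofer forces the AGC to back off while C/N0 implausibly improves. The `Epoch` record, the AGC sign convention (higher value = more amplification), the thresholds, and the sample log are all assumptions constructed for this example.

```python
"""AGC-plus-C/N0 interference classifier (added example; assumptions noted).

Assumed telemetry per epoch:
  agc_db    front-end AGC gain in dB, higher = more amplification, so a rise
            in received in-band power DRIVES THIS DOWN (assumed sign
            convention; some receivers report the inverse).
  cn0_dbhz  mean carrier-to-noise density ratio over tracked channels.
Thresholds are illustrative, not values from the article.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Epoch:
    t: float         # seconds since start of the log
    agc_db: float    # front-end AGC gain, dB
    cn0_dbhz: float  # mean C/N0 over tracked channels, dB-Hz


# Assumed thresholds (dB). Tune per front end from quiet-sky recordings.
AGC_DROP_DB = 3.0   # AGC gain fall that counts as "more RF power than usual"
CN0_DROP_DB = 6.0   # C/N0 fall that counts as degraded tracking
CN0_RISE_DB = 3.0   # C/N0 rise that is implausible for authentic signals


def quiet_baseline(epochs: List[Epoch], n_quiet: int) -> Tuple[float, float]:
    """Median AGC and C/N0 over the first n_quiet epochs, assumed interference-free."""
    quiet = epochs[:n_quiet]
    if len(quiet) < n_quiet:
        raise ValueError("not enough epochs for a quiet baseline")
    return (median(e.agc_db for e in quiet), median(e.cn0_dbhz for e in quiet))


def classify(e: Epoch, agc_ref: float, cn0_ref: float) -> str:
    """Label one epoch by how AGC and C/N0 moved relative to the quiet baseline.

    Civil GNSS signals are below the thermal noise floor, so the AGC reacts to
    noise plus any interferer, not to the satellites themselves:
      - more power seen by AGC, C/N0 down  -> wideband jammer
      - more power seen by AGC, C/N0 up    -> power-advantaged spoofer (suspect)
      - AGC unchanged, C/N0 down           -> attenuation/blockage, not an attack
    """
    d_agc = e.agc_db - agc_ref   # negative when the front end is seeing more power
    d_cn0 = e.cn0_dbhz - cn0_ref
    more_power = d_agc <= -AGC_DROP_DB
    if more_power and d_cn0 <= -CN0_DROP_DB:
        return "JAMMING"
    if more_power and d_cn0 >= CN0_RISE_DB:
        return "SPOOFING_SUSPECT"
    if not more_power and d_cn0 <= -CN0_DROP_DB:
        return "ATTENUATION"
    return "NOMINAL"


def assess(epochs: List[Epoch], n_quiet: int = 5) -> List[Tuple[float, str]]:
    """Baseline on the first n_quiet epochs, then label every epoch in the log."""
    agc_ref, cn0_ref = quiet_baseline(epochs, n_quiet)
    return [(e.t, classify(e, agc_ref, cn0_ref)) for e in epochs]


def summarize(labels: List[Tuple[float, str]]) -> Dict[str, int]:
    """Count epochs per label, the figure a receiver would expose to the application."""
    counts: Dict[str, int] = {}
    for _, label in labels:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample log (not a real recording): five quiet epochs, then
# blockage, a wideband jammer, a power-advantaged spoofer, then recovery.
SAMPLE_LOG: List[Epoch] = [
    Epoch(0, 40.0, 44.0), Epoch(1, 40.2, 43.8), Epoch(2, 39.8, 44.2),
    Epoch(3, 40.1, 44.1), Epoch(4, 39.9, 43.9),
    Epoch(5, 40.3, 31.0),   # antenna shadowed: noise floor unchanged, C/N0 collapses
    Epoch(6, 27.5, 30.0),   # jammer: front end backs off 12.5 dB, C/N0 collapses
    Epoch(7, 34.0, 49.0),   # spoofer: more power, yet better C/N0 than the sky can give
    Epoch(8, 40.0, 44.0),   # back to nominal
]

if __name__ == "__main__":
    for t, label in assess(SAMPLE_LOG):
        print(f"t={t:4.0f}s  {label}")
    print(summarize(assess(SAMPLE_LOG)))
```

The point of the example is the discrimination Scott asks for: a receiver that only watches C/N0 reports epochs 5 and 6 identically, whereas the AGC tells blockage and jamming apart. Its limit is the one he also names: a spoofer that matches the authentic power level does not move the AGC at all and is invisible here, which is why the more sophisticated cases fall to direction-of-arrival or other antenna-based checks. The baseline must come from a genuinely quiet period, and the thresholds need to be set per front-end design rather than copied from this listing.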
Awareness is indeed needed: the receiver must report its security and authentication state to the application. Authentication built into the GNSS system itself still lies far off.
Not only is it challenging to implement authentication without compromising user cost and simplicity, but the impact on the GNSS ground and space segments of maintaining compatibility with legacy signals is also considerable.
We believe that receiver-side (user-based) authentication will be the Plan B for the next 5–10 years. This requires the development of receiver techniques and the use of security testbeds as the baseline for vulnerability assessment, in the same way the Nessus tool has been used for computer-network assessment since the late 1990s.
On the test approach, Logan Scott stresses that "using a series of canned scenarios, GNSS receivers can be tested to determine how well they maintain situational awareness. Do well enough, and the receiver can be stamped as certified, much like an Underwriters Laboratories (UL) label. The test process can be automated and conducted by an independent third party, similar to the way cellular equipment is certified.
“Additional certifications might include cyber security aspects such as accepting only digitally-signed software updates and maps, providing attestation capabilities, and use of authenticatable GNSS signals.
“The benefit for the non-expert user community is that they have a basis for selecting GNSS receivers, secure in the knowledge that they meet minimum performance standards.”
Turning to my third fellow expert, I asked Todd Humphreys, assistant professor in the Department of Aerospace Engineering at the University of Texas at Austin, for his opinion regarding the future of GNSS security testing.
"A testbed capable of simulating realistic spoofing attacks is needed so that the efficacy of proposed civil GPS signal authentication techniques can be experimentally evaluated. A generic testbed capable of evaluating all known authentication techniques would be prohibitively expensive; for example, it would require a large anechoic chamber for evaluating receiver-autonomous antenna-oriented techniques. But if the scope of evaluation is limited to receiver-autonomous signal-processing-oriented techniques and networked techniques, then it is possible not only to develop an inexpensive testbed but to share the testbed's data component so that the tests can be replicated in laboratories across the globe.
"In October, we released the Texas Spoofing Test Battery (TEXBAT), a set of six high-fidelity digital recordings of live static and dynamic GPS L1 C/A spoofing tests conducted by the Radionavigation Laboratory of the University of Texas at Austin. National Instruments is hosting TEXBAT on cloud servers so that anyone can download it.
"The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for civil GPS receivers. According to this standard, successful detection of or imperviousness to all spoofing attacks in TEXBAT, or a future version thereof, could be considered sufficient to certify a civil GPS receiver as spoof-resistant.
“This is a spoofing-specific version of the ‘not stupid’ certification that Logan Scott has suggested for GNSS receivers. In my July congressional testimony, I advocated requiring a ‘spoof resistance’ certification for GNSS devices that are used in critical infrastructure.”
Looking into the Future
Now I turn to the final question: can we predict the future of civil GNSS security?
I believe we can predict that, unfortunately, attacks will increase and new attacks will be discovered. For example, we have been talking about deception jammers (also known as intelligent, PRN, or Gold code jammers) only in the last few years, as an emerging threat. We will see certification and standards for security in GNSS, and we expect them within the next five years. Tools for GNSS security testing are already available commercially, for example the Qascom GNSS Security Testbed (GST). Just as ICT has CERT for threat notification, we will also see the rise of a GNSS emergency response team, possibly called a GERT.
In conclusion, whether my predictions turn out to be correct or not, the good news is that GNSS security also has a history in Hollywood's annals: the 1997 James Bond movie Tomorrow Never Dies depicts a spoofing attack on the GPS navigation system of a submarine, performed with a GPS encoder that alters the timing.
Again, 007 anticipated the future, and he did it 15 years before a handful of world-renowned GNSS security experts.
I have not yet seen the 2012 James Bond film Skyfall. I wonder what it portends?
Oscar Pozzobon is the director and co-founder of Qascom S.r.l., based in Bassano del Grappa, Italy. He received a master's degree in telecommunication engineering from the University of Queensland, Australia, and is the Italian contact for the Civil Global Positioning System Service Interface Committee (CGSIC).