Relay/replay attacks on GNSS signals

Lenhart, Malte; Spanghero, Marco; Papadimitratos, Panagiotis

doi:10.1145/3448300.3468256

Cited by 11 publications

(8 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, cryptographic signatures prevent the attacker from generating navigation messages, limiting its spoofing capabilities. Prior work [30] showed the feasibility of relaying signals over long distances and spoofing the victim's location to where the signals were originally received. First, we evaluate the furthest distance an adversary can spoof a victim, assuming proximity between the attacker and the victim receiver.…”

Section: Evaluation Resultsmentioning

confidence: 99%

“…Several researchers in the past have demonstrated the ineffectiveness of cryptographic solutions. The works that comes closest to our proposed attack are [27,30]. [30] demonstrated the feasibility of the relay attack on large distances.…”

Section: Related Workmentioning

confidence: 98%

“…The works that comes closest to our proposed attack are [27,30]. [30] demonstrated the feasibility of the relay attack on large distances. In [27], the authors introduced the spreading code estimation replay (SCER) attacks where they statistically estimate the current bit at the time of transmission based on the previously received samples.…”

Section: Related Workmentioning

confidence: 98%

See 2 more Smart Citations

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Motallebighomi¹,

Sathaye²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

Civilian-GNSS is vulnerable to signal spoofing attacks, and countermeasures based on cryptographic authentication are being proposed to protect against these attacks. Both Galileo and GPS are currently testing broadcast authentication techniques based on the delayed key disclosure to validate the integrity of navigation messages. These authentication mechanisms have proven secure against record now and replay later attacks, as navigation messages become invalid after keys are released. This work analyzes the security guarantees of cryptographically protected GNSS signals and shows the possibility of spoofing a receiver to an arbitrary location without breaking any cryptographic operation. In contrast to prior work, we demonstrate the ability of an attacker to receive signals close to the victim receiver and generate spoofing signals for a different target location without modifying the navigation message contents. Our strategy exploits the essential common reception and transmission time method used to estimate pseudorange in GNSS receivers, thereby rendering any cryptographic authentication useless. We evaluate our attack on a commercial receiver (ublox M9N) and a software-defined GNSS receiver (GNSS-SDR) using a combination of open-source tools, commercial GNSS signal generators, and software-defined radio hardware platforms. Our results show that it is possible to spoof a victim receiver to locations around 4000 km away from the true location without requiring any high-speed communication networks or modifying the message contents. Through this work, we further highlight the fundamental limitations in securing a broadcast signaling-based localization system even if all communications are cryptographically protected.

show abstract

Section: Evaluation Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 98%

Section: Related Workmentioning

confidence: 98%

See 1 more Smart Citation

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Motallebighomi¹,

Sathaye²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Sampling frequencies as low as 1 MS/s, however, suffice for successful Record-and-Replay attacks, when combined with brief jamming intervals [21]. Also, storage requirements can be lifted if the recordings are streamed and replayed in real-time between inter-networked attacker nodes [21]. Such a setup can be used to replay GNSS signals over long distances, but is in practice limited by the available network bandwidth.…”

Section: Related Workmentioning

confidence: 99%

Distributed and Mobile Message Level Relaying/Replaying of GNSS Signals

Lenhart¹,

Spanghero²,

Papadimitratos³

2022

The International Technical Meeting of the the Institute of Navigation

Self Cite

View full text Add to dashboard Cite

show abstract

“…This means that it is indeed possible for the attacker to ignore the legitimate signals and use a so-called signal generation attacks, generating new GNSS signals with correct modulation formats and spreading code but fake phase and frequency. Additionally, several works have reported successful attacks even using off-the-shelf hardware [6], [7].…”

Section: Introductionmentioning

confidence: 99%

On Mixing Authenticated and Non-Authenticated Signals Against GNSS Spoofing

Ardizzon,

Crosara,

Tomasin

et al. 2024

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Anti-spoofing techniques for current global navigation satellite systems (GNSS) authenticate signals on a single band and from a single system. However, nowadays commercial GNSS receivers commonly calculate the position, velocity, and time (PVT) solution by simultaneously utilizing signals from multiple constellations and bands, with a substantial enhancement in both accuracy and availability. Therefore, anti-spoofing techniques have recently been proposed that mix authenticated and nonauthenticated signals to increase performance without sacrificing security.In this paper, we formalize the models of such signal mixturebased authentication checks. We propose a spoofing attack generating a fake signal that leads the victim to a target PVT solution, undetected. We analytically relate the degrees of freedom of the attacker in manipulating the victim's solution to both the employed security checks and the number of open nonauthenticated signals that can be tampered with by the attacker. The performance of the considered attack strategies are tested on an experimental dataset. Finally, we assess the limits of PVTbased GNSS authentication checks where both authenticated and non-authenticated signals are used.

show abstract

Relay/replay attacks on GNSS signals

Cited by 11 publications

References 6 publications

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Cryptography Is Not Enough: Relay Attacks on Authenticated GNSS Signals

Distributed and Mobile Message Level Relaying/Replaying of GNSS Signals

On Mixing Authenticated and Non-Authenticated Signals Against GNSS Spoofing

Contact Info

Product

Resources

About