Summer School on Network and Information Security 2009
Wireless System Security
Panos Papadimitratos
Wireless Networked Systems
• Wireless local area networks (WLANs)
Illustration: wireless access point providing the link to the Internet
Wireless Networked Systems (cont’d)
• WLANs, Personal Area Networks (PANs), Ad hoc Networks
Illustration: Ericsson, ca. 2000
Wireless Networked Systems (cont’d)
• Radio Frequency Identification (RFID)
Illustration: the reader sends a reading signal to the tagged object, which returns its ID; the ID is looked up in a back-end database to obtain detailed object information
• Wi-Fi and Bluetooth enabled devices
Wireless Networked Systems (cont’d)
• Sensor networks
Node photos: XBow
Wireless Networked Systems (cont’d)
• Tactical ad hoc networks
– Military
– Search-and-rescue
Wireless Networked Systems (cont’d)
• Vehicular ad hoc networks (VANETs)
Illustration: C2C-CC
Wireless Networked Systems (cont’d)
• Ad hoc networks
– Limited wireless communication range
– Collaborative support of the network operation
– Peer-to-peer interactions
– Transient associations
– Openness
Illustration: nodes and links of an ad hoc network
Wireless Networked Systems (cont’d)
• Security challenges
– Easy eavesdropping and message injection
– Each and every node can disrupt the network operation
– No monitoring facility
– Resource constraints
– Error-prone communication
– Hostile environments
– Nodes and applications tightly coupled to the user and her physical environment
Outline
• Secure Neighbor Discovery
• Secure Route Discovery
• Secure Data Communication
• Secure Localization
Secure Neighbor Discovery
© 2009 P. Papadimitratos
Neighbor Discovery (ND)
Illustration: nodes A, B, C, D within and beyond each other’s communication range
• Neighbor Discovery (ND)
– A node discovers other nodes it can directly communicate with
Neighbor Discovery (ND) (cont’d)
Illustration: nodes A and B with transmission ranges RA and RB
• B is neighbor of A if and only if it can receive directly from A
• Link (A,B) is up ⇔ A is neighbor of B
• RA ≠ RB, i.e., (A,B) may be up while (B,A) is down
Neighbor Discovery (ND) (cont’d)
Illustration: A broadcasts “Hello, I’m A”; B concludes “A is my neighbor” and “A is added in my Neighbor List”
• Simple, widely used solution, but not secure
• Easy to attack
– Mislead B that A is its neighbor, when this is not the case
Attacking ND
Illustration: a single node M broadcasts “Hello, I’m A”, “Hello, I’m C”, …, “Hello, I’m Z”; B: Neighbor List = {A, C, …, Z}
• Single adversary appears as multiple neighbors
Securing ND
(1) B → A: nB, B
(2) A → B: A, nA, nB, B, SigA(A, nA, nB, B), CertCA(KA, A)
• An attempt
– Message authenticity and replay protection
• nA, nB are nonces
– Bob essentially ‘challenges’ Alice to provide a ‘hello’ message
Attacking ND (cont’d)
• “Relay” or “Wormhole” attack
– Simply relay any message, without any modification
Illustration: B broadcasts “B: Anyone there?”; M relays it to A and relays A’s reply “Hello, I’m A” back to B; B: Neighbor List = {A}
Attacking ND (cont’d)
• Long-range relay / wormhole
– The attacker relays messages across large distances
Illustration: A broadcasts “Hello, I’m A”; M1 forwards it to M2 over an out-of-band or private channel, and M2 replays “Hello, I’m A” to B; B: Neighbor List = {A}
Attacking ND: Implications
• Routing in multihop ad hoc networks
Attacking ND: Implications (cont’d)
• RFID-based access control
• Attacker close to the access-granting RFID tag
– Relays signals from and to her accomplice, who obtains access
Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contact-less smartcard,” SECURECOMM ’05
Securing Two-Party ND
• Basic ideas
– Authentication
– Node-to-node distance estimation
Illustration: access point AP with ND range R; A at distance x, B at distance y from AP
– x > R ⇒ A: AP not neighbor
– y < R ⇒ B: AP neighbor
Securing Two-Party ND (cont’d)
• Use message time-of-flight to measure distance
– Distance Bounding [1]
– Temporal Packet Leashes [2]
– SECTOR [3]
• Use node location to measure distance
– Geographical Packet Leashes [2]
[1] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT ’93
[2] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet leashes: A defense against wormhole attacks in wireless networks,” INFOCOM ’03
[3] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” SASN ’03
Securing Two-Party ND (cont’d)
• Are these protocols [1,2,3] achieving secure ND?
• Can any protocol, including and similar to [1,2,3], which can measure time, solve the secure ND problem?
• Is there any provably secure ND protocol?
• Note: Measurements can be *very* accurate
None of the above protocols secures ND.
No (secure) ND protocol that relies on time measurements does.
Traces and Events
• Trace is a set of events
Illustration: events of nodes A, B, C over time
Feasible Traces
• System execution: feasible trace
• Traces feasible with respect to:
– Setting S: ΘS
– Protocol P: ΘS,P
– Adversary A: ΘS,P,A
Illustration: ΘS,P,A, ΘS,P and ΘS as nested subsets of the set of all traces Θ
Setting S
Illustration: a set of nodes { A, B, C, D, E, F, G, H } and their positions
Trace θ Feasible wrt Setting S
• Causal and timely message exchange
Illustration: message exchange between A and B
v – signal propagation speed
Local Trace
Protocol P
• Local view
• Protocol
• Actions
Trace θ Feasible wrt Protocol
• Correct nodes follow the protocol
Trace θ Feasible wrt Adversary
• Adversarial nodes can only relay messages with minimum delay
• Denote the adversary as:
Neighbor Discovery Specification
Protocol P solves Neighbor Discovery for adversary A if
1) Discovered neighbors are actual neighbors
2) It is possible to discover neighbors
Neighbor Discovery Specification (cont’d)
Protocol P solves Two-Party Neighbor Discovery for adversary A if
1) Discovered neighbors are actual neighbors
2) It is possible to discover neighbors in the ND range R
…
T-protocol Impossibility
Theorem: No T-protocol can solve Neighbor Discovery for adversary if .
Proof (sketch):
Any T-protocol P that satisfies ND2 cannot satisfy ND1
Observation: Physical proximity does not necessarily imply correct nodes are able to communicate directly
Results
• T-protocol ND impossibility (general case)
• T-protocol solving ND (restricted case)
• TL-protocol solving ND (general case)
M. Poturalski, P. P., and J.-P. Hubaux, “Secure Neighbor Discovery in Wireless Networks: A Formal Investigation of Possibility,” ASIACCS 2008
M. Poturalski, P. P., and J.-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007
Protocol PCR/TL
• Challenge-Response/Time-and-Location
Illustration: three messages between the two nodes: challenge message, response message, authenticator message
ND Properties – Revisited (cont’d)
• Correctness:
• Availability:
TP – protocol specific duration
Protocol PCR/TL (cont’d)
Theorem: Protocol PCR/TL satisfies the Neighbor Discovery Specification:
• Correctness (ND1)
• Availability (ND2CR/TL)
Under the assumptions:
i. Any processing delay Δrelay > 0
ii. Equality of maximum information propagation speed and wireless channel propagation speed, vadv = v
M. Poturalski, P. P., and J.-P. Hubaux, “Towards provable secure neighbor discovery in wireless networks,” CCS FMSE 2008
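The difference between a time-only (T) check and a time-and-location (TL) check, and why assumptions (i) and (ii) matter, can be seen in a small simulation. This is an added toy model, not the protocol from the paper: the node positions, the range R, the relay delay Δrelay, the tolerance and the use of an HMAC with a pre-shared key in place of SigA and CertCA are all assumptions made for the example.

```python
"""Toy model: time-only (T) vs. time-and-location (TL) neighbor verification.
Constructed example; positions, keys, delays and tolerance are assumptions."""
import hashlib
import hmac
import math
import os

V = 3.0e8            # propagation speed v [m/s]; the adversary relays at v_adv = v (assumption ii)
R = 100.0            # neighbor discovery range R [m]
DELTA_RELAY = 20e-9  # adversary's minimum relay delay Δrelay > 0 [s] (assumption i); 6 m at v
TOL = 1.0            # verifier's ranging tolerance [m]; clocks are assumed very accurate


class Node:
    def __init__(self, name, pos, key):
        self.name, self.pos, self.key = name, pos, key

    def respond(self, challenge):
        """Message (2): A, nA, nB, authenticator. An HMAC under a pre-shared key
        stands in for SigA(...) and CertCA (assumption of this toy model)."""
        body = self.name.encode() + os.urandom(8) + challenge
        return body, hmac.new(self.key, body, hashlib.sha256).digest()


def simulate_rtt(verifier, prover, relay_hops=()):
    """Round-trip time of the (1)/(2) exchange over the physical path taken.
    Adversaries at relay_hops forward both messages unmodified. By the triangle
    inequality the relayed path is never shorter than the direct one, and each
    hop adds Δrelay, so a relay always costs time that v_adv = v cannot recover."""
    path = [verifier.pos, *relay_hops, prover.pos]
    one_way = sum(math.dist(p, q) for p, q in zip(path, path[1:])) / V
    one_way += len(relay_hops) * DELTA_RELAY
    return 2 * one_way


def authenticate(key, challenge, body, tag):
    """Replay protection (nB echoed) and origin authentication of message (2)."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body.endswith(challenge) and hmac.compare_digest(expected, tag)


def t_protocol_accepts(verifier, prover, rtt, challenge, body, tag):
    """T-protocol: authenticated reply whose time-of-flight bounds the distance by R."""
    return authenticate(prover.key, challenge, body, tag) and rtt * V / 2 <= R


def tl_protocol_accepts(verifier, prover, rtt, challenge, body, tag):
    """TL-protocol: the time-of-flight must also match the distance between the
    two (authenticated) positions; any relay exceeds it by at least Δrelay * v."""
    d = math.dist(verifier.pos, prover.pos)  # prover.pos stands for the authenticated location
    return (authenticate(prover.key, challenge, body, tag)
            and d <= R and abs(rtt * V / 2 - d) <= TOL)


def run_scenario(verifier, prover, relay_hops=()):
    challenge = os.urandom(8)                   # (1) nB
    body, tag = prover.respond(challenge)       # (2) A, nA, nB, ..., authenticator
    rtt = simulate_rtt(verifier, prover, relay_hops)
    return {"T": t_protocol_accepts(verifier, prover, rtt, challenge, body, tag),
            "TL": tl_protocol_accepts(verifier, prover, rtt, challenge, body, tag)}


def run_all():
    key = b"constructed shared key"
    b = Node("B", (0.0, 0.0), key)              # verifier
    return {
        # 1. A is 40 m away with a direct link: both protocols correctly accept
        "honest_neighbors": run_scenario(b, Node("A", (40.0, 0.0), key)),
        # 2. A is 500 m away; M at 250 m relays (long-range wormhole): both reject
        "long_range_relay": run_scenario(b, Node("A", (500.0, 0.0), key), [(250.0, 0.0)]),
        # 3. A is 40 m away but an obstacle blocks the direct link; M relays around it.
        #    The relayed time still bounds the distance by 56 m <= R, so the T-protocol
        #    wrongly accepts (ND1 violated); the TL-protocol sees 56 m != 40 m and rejects.
        "obstructed_relay": run_scenario(b, Node("A", (40.0, 0.0), key), [(20.0, 15.0)]),
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:18s} T accepts: {verdict['T']!s:5s} TL accepts: {verdict['TL']}")
```

Scenario 3 is the proof sketch of the impossibility theorem in miniature: a protocol that only measures time cannot tell a relayed exchange between two nearby, obstructed nodes from a direct one.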
Summary
• Secure Neighbor Discovery
– Prerequisite for secure networking protocols and various applications, and system security
– Hard problem
– Proven secure solutions
– Implementation is not easy in practice
Additional Readings
• Overview
P. P., M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J.-P. Hubaux, “Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking,” IEEE Communications Magazine, February 2008
• Implementation
R. Shokri, M. Poturalski, G. Ravot, P. P., and J.-P. Hubaux, “A Low-Cost Secure Neighbor Verification Protocol for Wireless Sensor Networks,” ACM WiSec, Zurich, Switzerland, March 2009
• Beyond relay attacks: Early Detect / Late Commit
J. Clulow, G.P. Hancke, M.G. Kuhn, and T. Moore, “So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks,” ESAS, Hamburg, Germany, September 2006
Secure Route Discovery
Route Discovery
Illustration: source node A, intermediate nodes (B, C, D, F, G, H), destination node E
• Route: sequence of nodes (and edges); for simplicity: (A, G, E)
• Stage 0: Neighbor discovery
• Stage 1: Route discovery
Attacking Route Discovery
Illustration: A broadcasts RREQ: “A is looking for H”; an attacking node answers with RREP: “I am H”
• Impersonation of the destination, for example, in any reactive routing protocol
Attacking Route Discovery (cont’d)
Illustration: A broadcasts RREQ: “A is looking for H”; the legitimate RREP carries “Hop count = 3”, while the attacker returns RREP: “Hop count = 2”
• Disrupting distance vector routing (for example, in AODV)
Attacking Route Discovery (cont’d)
• Caution: None of these protocols (DSR, AODV) was designed with security in mind
• Many possible ways to attack the route discovery
• Outcome of attacks
– Control communication
• Become part of utilized routes
• Monopolize resources
– Disrupt communication
• Degrade or deny
Requirements
• We are interested in protocols that discover routes with the following two properties:
(1) Loop-freedom: an (S,T)-route is loop-free when it has no repetitions of nodes
(2) Freshness: an (S,T)-route is fresh with respect to a (t1,t2) interval if each of the route’s constituent links is up at some point during (t1,t2)
• Loop-freedom and freshness are relevant for both explicit and implicit route discovery
P. P., Z.J. Haas, and J.-P. Hubaux, “How to Specify and How to Prove Correctness of Secure Routing Protocols for MANET,” BroadNets ’06
Secure Routing Protocol (SRP)
• Explicit basic route discovery
• Observation
– It is hard to ‘know’ all nodes in the network, i.e., establish associations with all of them
– Often infeasible and very costly
– Especially in ‘open’ networks
• SRP assumptions
– Secure neighbor discovery
– Hop-by-hop authentication of all control traffic
– End nodes (source, destination) ‘know’ each other
• Can set up security associations
P. P. and Z.J. Haas, “Secure Routing for Mobile Ad Hoc Networks,” CNDS 2002
SRP (cont’d)
Illustration: S → V1 → V2 → V3 → T, steps 1 to 4
Route Request (RREQ):
S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID)
1. S broadcasts RREQ;
2. V1 broadcasts RREQ, {V1};
3. V2 broadcasts RREQ, {V1, V2};
4. V3 broadcasts RREQ, {V1, V2, V3};
SRP (cont’d)
Illustration: T → V3 → V2 → V1 → S, steps 5 to 8
Route Reply (RREP):
QID, {T, V3, V2, V1, S}, MAC(KS,T, QID, QSEQ, T, V3, V2, V1, S)
5. T → V3 : RREP;
6. V3 → V2 : RREP;
7. V2 → V1 : RREP;
8. V1 → S : RREP;
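The RREQ/RREP exchange above, as an added Python model (this is example code written for these notes, not SRP’s implementation): the end nodes share KS,T, intermediate nodes only accumulate their identifiers, and the destination’s MAC lets S verify the returned route. The QID derivation, the field encoding and the node names are assumptions of the example.

```python
"""Toy model of the SRP route request / route reply exchange.
Constructed example: encoding, QID derivation and names are assumptions."""
import hashlib
import hmac


def mac(key, *fields):
    """MAC over length-prefixed fields, so different field splits cannot collide."""
    data = b""
    for f in fields:
        enc = str(f).encode()
        data += len(enc).to_bytes(2, "big") + enc
    return hmac.new(key, data, hashlib.sha256).digest()


class Source:
    def __init__(self, name, dst, key):
        self.name, self.dst, self.key = name, dst, key
        self.qseq = 0        # QSEQ: monotonically increasing per (S, T) pair
        self.pending = {}    # QID -> QSEQ of queries still awaiting replies

    def rreq(self):
        """RREQ = S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID); path starts empty."""
        self.qseq += 1
        qid = hashlib.sha256(f"{self.name}|{self.qseq}".encode()).hexdigest()[:8]
        self.pending[qid] = self.qseq
        return {"S": self.name, "T": self.dst, "QSEQ": self.qseq, "QID": qid,
                "MAC": mac(self.key, self.name, self.dst, self.qseq, qid), "path": []}

    def accept(self, rrep):
        """Accept a RREP only if it answers an outstanding QID, runs T ... S, and
        carries T's MAC over (QID, QSEQ, route) under KS,T."""
        qseq = self.pending.get(rrep["QID"])
        route = rrep["route"]
        if qseq is None or route[0] != self.dst or route[-1] != self.name:
            return False
        return hmac.compare_digest(rrep["MAC"], mac(self.key, rrep["QID"], qseq, *route))


def forward(node, rreq):
    """Intermediate node: rebroadcast the RREQ with itself appended to the path.
    Secure ND and hop-by-hop authentication are assumed (SRP preconditions)."""
    return {**rreq, "path": rreq["path"] + [node]}


class Destination:
    def __init__(self, name, src, key):
        self.name, self.src, self.key = name, src, key
        self.last_qseq = 0

    def rrep(self, rreq):
        """Verify the query MAC and QSEQ freshness, then reply along the reversed path."""
        expected = mac(self.key, rreq["S"], rreq["T"], rreq["QSEQ"], rreq["QID"])
        if rreq["T"] != self.name or not hmac.compare_digest(rreq["MAC"], expected):
            return None
        if rreq["QSEQ"] <= self.last_qseq:
            return None                          # replayed or stale query
        self.last_qseq = rreq["QSEQ"]
        route = [self.name, *reversed(rreq["path"]), self.src]
        return {"QID": rreq["QID"], "route": route,
                "MAC": mac(self.key, rreq["QID"], rreq["QSEQ"], *route)}


def run_all():
    k_st = b"constructed K_S,T"
    s, t = Source("S", "T", k_st), Destination("T", "S", k_st)
    # 1. Honest discovery S -> V1 -> V2 -> V3 -> T and back along the reverse path
    q = s.rreq()
    for v in ("V1", "V2", "V3"):
        q = forward(v, q)
    reply = t.rrep(q)
    honest = s.accept(reply) and reply["route"] == ["T", "V3", "V2", "V1", "S"]
    # 2. Destination impersonation: M answers "I am T" but does not hold KS,T
    q2 = s.rreq()
    forged = {"QID": q2["QID"], "route": ["T", "M", "S"],
              "MAC": mac(b"M's guess", q2["QID"], q2["QSEQ"], "T", "M", "S")}
    # 3. The first query is replayed to T: QSEQ is not fresh, no reply is produced
    replayed = t.rrep(q)
    return {"honest": bool(honest), "impersonation": s.accept(forged),
            "replay_answered": replayed is not None}
```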
Additional Readings
• Secure Explicit Routing
– Link State Routing
P. P. and Z.J. Haas, “Secure Link State Routing for Mobile Ad Hoc Networks,” IEEE WSAAN, Orlando, Florida, January 2003
– Reactive Route Discovery
– Ariadne
Y.-C. Hu, A. Perrig, and D. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” Wireless Networks, 2005
– EndAir
G. Acs, L. Buttyan, and I. Vajda, “Provably secure on-demand source routing in mobile ad hoc networks,” TMC, 2006
Additional Readings (cont’d)
• Secure Implicit Routing
K. Sanzgiri, D. LaFlamme, B. Dahill, B.N. Levine, C. Shields, and E. M. Belding-Royer, “Authenticated routing for ad hoc networks,” JSAC 2005
Y.-C. Hu, D.B. Johnson, and A. Perrig, “Secure efficient distance vector routing in mobile wireless ad hoc networks,” IEEE WMCSA 2002
P. P. and Z.J. Haas, “Secure On-Demand Distance Vector Route Discovery in Ad Hoc Networks,” IEEE Sarnoff Symposium, 2005
• Secure Augmented Routing
– QoS-aware routing
P. P. and Z.J. Haas, “Secure Route Discovery for QoS-Aware Routing in Ad Hoc Networks,” IEEE Sarnoff Symposium, 2005
• Overview
Chapter 7, L. Buttyan and J.-P. Hubaux, “Security and Cooperation in Wireless Networks,” Cambridge Press, 2008
Attacking Routing – Revisited
• Tunneling Attack
– Two colluding attackers: M1, M2
– M1 encapsulates control traffic and forwards to M2 and vice versa
– Attackers seemingly follow the protocol with respect to their neighbors
Illustration: S and T at the ends of a route that passes through M1 and M2
P. P. and Z.J. Haas, “Secure Routing for Mobile Ad Hoc Networks,” CNDS 2002
Attacking Routing – Revisited (cont’d)
• Multiple Colluding Attackers
– M1 and M3 are seemingly correct to their neighbors, but they ‘omit’ protocol functionality when handling packets from M2
– Example: M2 relays RREQ and RREP packets without appearing in the route discovery
Illustration: S → V → M1 → M2 → M3 → V’ → T
Summary
• Route discovery is vulnerable
• Secure route discovery specification
– Loop freedom, Freshness
– Accuracy
• Secure basic and augmented route discovery in open, dynamic networks
• Protocols rely on different trust assumptions
• Colluding adversarial nodes can subvert any route discovery protocol; ‘tunneling attack’
Secure Data Communication
Data Communication
Illustration: A sends a message for E across the multihop network (nodes B, C, D, F, G, H)
Secure Data Communication
• Goal:
– Reliable and low-delay data delivery in the presence of attackers that disrupt the data communication
• Solution:
– Detect and avoid compromised and failing routes
– Tolerate malicious and benign faults
• In general, hard to distinguish in highly dynamic networking environments
Data Communication (cont’d)
• What is the impact of the adversary that ‘lies low’ and disrupts only the data communication?
Plot: reliability vs. attacker strength; message delivery falls from 100% to 35% with 50% of the network nodes attacking
Securing Data Communication
• Use multiple routes
Illustration: three routes (Route 1, Route 2, Route 3) from A to E through the network
Securing Data Communication (cont’d)
• Disperse data
– Introduce redundancy to the original message: the original message, in pieces 1, 2, …, m, is encoded into n pieces 1, 2, …, n
– Reconstruct the message if any m-out-of-n pieces are intact
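An added example of the m-out-of-n dispersion described above, with a per-piece integrity tag so that the receiver can tell intact pieces from corrupted ones (the feedback the later slides mention). This is constructed example code, not SMT’s implementation: the polynomial coding over GF(257) and the HMAC tags are assumptions standing in for the paper’s information dispersal and authentication mechanisms.

```python
"""m-out-of-n data dispersion with per-piece integrity tags (constructed toy).
Polynomial coding over GF(257) and HMAC tags are assumptions, not SMT's design."""
import hashlib
import hmac

P = 257  # smallest prime above 255: every byte is a field element


def _tag(key, index, values):
    data = bytes([index]) + b"".join(v.to_bytes(2, "big") for v in values)
    return hmac.new(key, data, hashlib.sha256).digest()


def disperse(msg, m, n, key):
    """Encode msg into n pieces such that any m of them reconstruct it.
    Each block of m bytes is the coefficient vector of a polynomial f over GF(P);
    piece i carries f(i) for every block, plus an integrity tag."""
    padded = msg + b"\x00" * (-len(msg) % m)
    pieces = {}
    for i in range(1, n + 1):
        values = []
        for k in range(0, len(padded), m):
            y = 0
            for c in reversed(padded[k:k + m]):   # Horner: f(i) mod P
                y = (y * i + c) % P
            values.append(y)
        pieces[i] = (values, _tag(key, i, values))
    return pieces


def _solve(rows):
    """Gauss-Jordan elimination over GF(P) on an augmented m x (m+1) matrix."""
    m = len(rows)
    for col in range(m):
        piv = next(r for r in range(col, m) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], P - 2, P)
        rows[col] = [v * inv % P for v in rows[col]]
        for r in range(m):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [row[m] for row in rows]


def receive(pieces, m, length, key):
    """Destination side: keep only pieces whose tag verifies, reconstruct if at
    least m are intact, and return the feedback (intact indices) for the source."""
    intact = {i: vals for i, (vals, tag) in pieces.items()
              if hmac.compare_digest(tag, _tag(key, i, vals))}
    if len(intact) < m:
        return None, sorted(intact)
    idx = sorted(intact)[:m]
    out = bytearray()
    for k in range(len(intact[idx[0]])):
        # Vandermonde system: sum_j c_j * i^j = f(i) for the m chosen indices i
        rows = [[pow(i, j, P) for j in range(m)] + [intact[i][k]] for i in idx]
        out.extend(_solve(rows))
    return bytes(out[:length]), sorted(intact)


def demo():
    key = b"constructed K_A,E"
    msg = b"message for E"
    sent = disperse(msg, m=2, n=3, key=key)   # as on the slide: n = 3 sent, E needs m = 2
    # An adversary on route 2 corrupts its piece; routes 1 and 3 deliver intact pieces
    vals, tag = sent[2]
    delivered = {1: sent[1], 2: ([(v + 1) % P for v in vals], tag), 3: sent[3]}
    recovered, intact = receive(delivered, 2, len(msg), key)
    return recovered, intact
```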
Securing Data Communication (cont’d)
• Transmit simultaneously across the routes
Illustration: A sends n = 3 pieces over three routes; E needs m = 2 and has received m pieces
Securing Data Communication (cont’d)
• Get feedback
Illustration: E tells A, over Route 1, Route 2, Route 3, which pieces were intact
Securing Data Communication (cont’d)
• Secure Message Transmission (SMT) protocol
– Dispersion of the transmitted data
– Simultaneous usage of multiple node-disjoint routes
– Data integrity and origin authentication
– End-to-end secure and robust feedback
– Adaptation to the network conditions
• Secure Single Path (SSP) protocol
– Discovery and utilization of a single route
– End-to-end security and feedback
P. P. and Z.J. Haas, “Secure Data Communication in Mobile Ad Hoc Networks,” IEEE JSAC, 2006
P. P. and Z.J. Haas, “Secure Message Transmission in Mobile Ad Hoc Networks,” ACM WiSe, 2003
P. P. and Z.J. Haas, “Secure Message Transmission in Mobile Ad Hoc Networks,” Ad Hoc Networks, 2003
Securing Data Communication (cont’d)
Simulation setup:
Nodes: 50
Fraction of adversaries: 10%, 20%, 30%, 40%, or 50% of the network nodes
Measurements: 50 randomly seeded runs for each point
Security bindings: single destination per source
Simulated time: 300 sec
Mobility: random waypoint; pause times: 0, 20, 40, 60, 100, 150, 200, 250 seconds
Load: 3, 7, 15, 20 CBR flows; data payload: 512 bytes; rates: 4, 10, 15, 20, 25, and 30 packets/sec
Coverage area: 1000m-by-1000m
PHY/MAC: IEEE 802.11, DCF, 2 and 5.5 Mbps, 300m
Transport: UDP / TCP
Tool: OPNET
Securing Data Communication (cont’d)
• Secure Message Transmission (SMT) protocol
• Secure Single Path (SSP) protocol
• Secure route discovery for both protocols
– Explicit, basic
• Reactive, Proactive
• SRP, SLSP
• Attack pattern
– Full compliance with the route discovery
– Discard in-transit data packets
Securing Data Communication (cont’d)
• Reliable and Real-Time Communication in Hostile Environments
Plot: reliability vs. attacker strength, with 50% of the network nodes attacking: Secure Routing Only gives 35% message delivery; Secure Routing + Secure Data Communication gives 93% message delivery without retransmissions
Securing Data Communication (cont’d)
Plots: Bandwidth for Security. Delay: average delay for 100% message delivery (1.2 s and 0.4 s) vs. redundancy (1 to 3.5); Reliability: message delivery without retransmissions (93% and 82%) vs. redundancy (1 to 3.5)
Performance Evaluation (cont’d)
Plots: Throughput – no flow control; Throughput – SMT-RRD with TCP (impact of load and SMT-TCP interaction)
Performance Evaluation (cont’d)
Plots: Message delay – no flow control; Message delay – SMT-RRD with TCP (impact of load and SMT-TCP interaction)
Summary
• Secure data communication is critical
– Secure routing protocols are vulnerable
– As long as attackers can place themselves on utilized routes, they can degrade or deny communication
– The only answer is to assess whether data are delivered, and avoid non-operational routes
• Secure data communication is practical
– Low-delay, low-jitter, and highly reliable; essentially, real-time
– Flexible
– Low overhead
– End-to-end
– Effective against any data-dropping pattern
Additional Readings
• Secure Data Communication
J.-P. Hubaux and P. P., ACM MobiCom 2007 tutorial, slides
• CASTOR (Continuously Adapting Secure Topology-Oblivious Routing)
– Integration of route discovery and communication
– Localized routing decisions
– Outcome: Scalability and resilience
W. Galuba, P. P., M. Poturalski, K. Aberer, Z. Despotovic, and W. Kellerer, “Castor: Scalable Secure Routing for Ad hoc Networks,” EPFL Technical Report, LSIR-REPORT-2009-002, 2009
Secure Localization
Localization
• Mobile computing is becoming increasingly location-based
– Location-aware devices
– Location-based services
• Two main problems
– Determine own location
• With the help of own equipment or some infrastructure
– Determine the location of another device
• Could be as simple as asking a location-aware device to report its location
• Often, some infrastructure performs the task
Localization (cont’d)
Illustration (graphics by Nokia): Global Navigation Satellite Systems and their uses: navigation, sensing, context awareness, fleet and cargo management
Localization (cont’d)
• Global Navigation Satellite Systems
Illustration: GPS receiver V and four satellites at pseudoranges ρ1, ρ2, ρ3, ρ4
1. Receive NAVi from satellite Si at position si
2. Estimate the NAVi propagation delays, and thus the V-Si distances (pseudoranges), ρi
3. Solve a system of equations:
4. Obtain own position, locV, and clock correction, tV
Attacking Localization
• (For this talk) Mislead devices, and their users, about their location
– Compromise the device
• Can be hard
– Interfere with the wireless communication
• Jam ⇒ Outage
• Overwrite legitimate transmissions with synthesized ones ⇒ Control locV and tV
Attacking Localization (cont’d)
• Attacker: Record and replay, or forge, GPS signals, overwriting the legitimate GPS signals
• System: GPS receiver locks on spoofed signals
• Consequence: User is provided with a false, attacker-controlled location
Attacking Localization (cont’d)
• GPS Jammers and Simulators
• Meaconing (record and re-broadcast, a.k.a. replay)
Illustration: low-power jammer (1 W); it can affect a 35 km radius
T.E. Humphreys, B.M. Ledvina, M.L. Psiaki, B.W. O’Hanlon, and P. M. Kintner, Jr., “Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer,” ION GNSS Conf., 2008
Securing Localization
• Authenticate navigation messages (NAV)
– Public key crypto: one private-public key pair per satellite
– Symmetric key authentication; single system key
• Need tamper-resistant storage at receivers
• Public key authentication delays can be significant
• Low NAV transmission rate; ~ 40 sec for a signature
• Caution: Need to maintain the relative NAV arrival timings
Securing Localization (cont’d)
• Public key authentication / “Hidden markers”
– Si transmit unpredictable sequences below noise; they release an authenticated spreading code with a delay ρ
– V record the entire bandwidth and “detect” the hidden marker a posteriori, to calculate the NAV arrival times (thus the pseudo-ranges)
M. Kuhn, “An Asymmetric Security Mechanism for Navigation Signals,” 6th Information Hiding Workshop, 2004
Attacking Localization (cont’d)
• Replay attacks can be effective even against future systems with authentication (e.g., Galileo)
P. P. and A. Jovanovic, “Protection and Fundamental Vulnerability of Global Navigation Satellite Systems (GNSS),” IEEE IWSSC, Toulouse, France, October 2008
Attacking Localization (cont’d)
1. Jam ⇒ Receiver loses its “lock” on the satellites
2. Replay ⇒ Receiver locks on the spoofed signal
• One ms of replay translates into ~300m of position error
Attacking Localization (cont’d)
Plots: (a) time offset [ms] vs. attack duration [s]; (b) distance offset [m] vs. attack duration [s]
• Record NAV messages after the detection of the preamble, at least the first bit
– Minimum replay delay tmin = 20 ms
– Replay after any tmin + treplay
Securing Localization (cont’d)
• Assumption: the adversary covers part of the system: Receivers can operate in an unaffected area before entering an area under attack
• Objective: Receivers detect the attack onset
– No additional complex equipment
– No system reconfiguration
– Resilience to sophisticated adversaries
• Approach: Rely on own (receiver) measurements
– Predict future values from available ones that are deemed correct
– Discrepancy between measurements and predicted values ⇒ Attack
Securing Localization (cont’d)
1. Normal mode:
Collect [Vk, Vk-1, Vk-2, …, Vk-W]
Predict [PVk+p, …, PVk+2, PVk+1] = f (Vk, Vk-1, Vk-2, …, Vk-W)
2. Alert mode:
Collect [Vk+p, …, Vk+2, Vk+1] and compare with [PVk+p, …, PVk+2, PVk+1]
3. Attack mode:
If |g([Vk+j]) – h([PVk+i])| > ε, detect attack
Illustration: state diagram cycling between Normal mode and Alert mode, entering Attack mode on a detected discrepancy
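The normal/alert/attack-mode detector above, run on a constructed receiver clock-offset series (the Clock Offset Test of the following slides; the same detector applies to a Doppler shift series). This is added example code, not the authors’ implementation: the window W, horizon p, threshold ε, the least-squares line used as f, the identity for g and h, the sampling period and the drift, jitter and 20 ms replay step of the constructed series are all assumptions.

```python
"""Prediction-based attack-onset detector (normal / alert / attack mode) on a
constructed clock-offset series. W, p, ε, f, g, h and the series are assumptions."""
import random


def fit_line(values):
    """Least-squares line through equally spaced samples; returns (slope, intercept)."""
    n = len(values)
    xs = range(n)
    mx, my = (n - 1) / 2, sum(values) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (v - my) for x, v in zip(xs, values))
    slope = sxy / sxx
    return slope, my - slope * mx


def predict(window, p):
    """Normal mode, f: extrapolate the fitted drift line p steps past the window."""
    slope, intercept = fit_line(window)
    n = len(window)
    return [intercept + slope * (n - 1 + j) for j in range(1, p + 1)]


def detect(series, W, p, eps):
    """Slide the detector over the measurements V_k; return the index of the first
    sample flagged as attack, or None. g and h are the identity here: each measured
    V_{k+j} is compared with its prediction PV_{k+j}. The window only advances over
    samples that were found consistent, i.e. deemed correct."""
    k = W                                      # first index with a full window V_{k-W..k}
    while k + p < len(series):
        window = series[k - W:k + 1]           # normal mode: collect
        pv = predict(window, p)                # predict PV_{k+1..k+p}
        for j in range(1, p + 1):              # alert mode: compare
            if abs(series[k + j] - pv[j - 1]) > eps:
                return k + j                   # attack mode
        k += p                                 # all consistent: advance the window
    return None


def constructed_clock_offsets(onset, n=60, drift=0.5e-3, jump=20e-3):
    """Receiver clock offset t_V [s], one sample every 30 s (constructed data).
    A commodity clock drifting 0.5 ms per sample with small jitter; if `onset` is
    set, a replay attack starting there shifts the offset by t_min = 20 ms."""
    rng = random.Random(1)
    out = []
    for k in range(n):
        v = drift * k + rng.uniform(-0.1e-3, 0.1e-3)
        if onset is not None and k >= onset:
            v += jump
        out.append(v)
    return out


def run_all():
    W, p, eps = 10, 3, 2e-3                    # ε well above drift-fit error, below t_min
    return {"clean": detect(constructed_clock_offsets(None), W, p, eps),
            "replay_at_30": detect(constructed_clock_offsets(30), W, p, eps)}


if __name__ == "__main__":
    print(run_all())
```

The choice of ε is the practical crux: the later slides show that a fast-drifting commodity clock forces a wide tolerance after a jamming period, which is exactly what lets a 20-30 ms replay offset pass unnoticed.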
Securing Localization (cont’d)
• Inertial sensors
– Location Inertial Test
• Accurate and stable clocks
– Clock Offset Test
• Doppler shift
– Doppler Shift Test
P. P. and A. Jovanovic, “GNSS positioning: Attacks and Countermeasures,” IEEE MILCOM, San Diego, CA, USA, November 2008
Securing Localization (cont’d)
• Setup
– Observation and navigation data; RINEX format
– GPS functionality implemented in Matlab
– Receiver movement over 300s
– Adversary
• Static
• Mobile with velocities less than 250 km/h
• Without or with control over the transmission frequency
• Multiple radios
Securing Localization (cont’d)
• Location Inertial Test
Plots: inertial navigation error [m] vs. GNSS unavailability period [s]; attacker-induced trajectory vs. actual trajectory (X and Y coordinates [m])
• Fast increasing inaccuracy of the inertial measurement unit
– To succeed with replay attack: Jam for < 1 min
Securing Localization (cont’d)
• Clock Offset Test
Plots: time offset [s] vs. time [30s step]; (b) time offset [ms] vs. attack duration [s]
• Commodity receivers: clocks drift fast (see left figure)
– To succeed with replay attack: Jam for 2 min, to make tV ~20-30 ms acceptable
• Improve clock; e.g., micro-second accuracy for 6 min
– To succeed with replay attack: Jam for hours
Securing Localization (cont’d)
• Doppler Shift Test
Plot: Doppler shift variation, SV-04, time period t = 300s: measured Doppler shift [Hz] vs. time [s], linear approximation, and prediction bounds of the linear approximation
• Doppler Shift (DS) at the receiver depends primarily on the relative velocity of transmitter and receiver
– Satellite velocity, ~ 3km/s, dominant; Smooth DS changes
– Easy to detect a simple attacker
– Sophisticated attackers need to predict the mobility of the receiver, thus predict the DS, and adjust their transmission frequency accordingly
Securing Localization (cont’d)
• Doppler Shift Test
Plots: frequency offset [Hz] vs. time [s] for SV-1, SV-4, SV-7, SV-13, SV-20, SV-24, SV-25
– Simple attacker: striking difference between measured and expected DS
Securing Localization (cont’d)
• Doppler Shift Test
Plots: frequency offset [Hz] vs. time [s] for SV-1, SV-7, SV-9, SV-13, SV-21, SV-25, SV-29
– Sophisticated attacker: some uncertainty about the receiver’s mobility; detectable DS differences ~ 300 Hz
Summary
• Vulnerability of GNSS: Long known issue, could become a major problem
• Upcoming systems are to enhance availability (against unintentional interference) and offer security features
• Attacks at the physical layer (e.g., replay attacks) are possible even when cryptographic protection is available
• Simple non-cryptographic solutions can be very effective and raise the bar even for sophisticated adversaries
Additional Readings
J.A. Volpe, “Vulnerability Assessment of the Transportation Infrastructure Relying on GPS,” NTSC, NAVCEN draft report, 2001
L. Scott, “Anti-Spoofing and Authenticated Signal Architectures for Civil Navigation Signals,” ION GNSS, Portland, Oregon, 2003
B. O’Hanlon, B. Ledvina, M.L. Psiaki, P.M. Kintner Jr., and T. E. Humphreys, “Assessing the GPS Spoofing Threat,” GPS World, January 2009 (*)
T.K. Adams, “GPS Vulnerabilities,” Military Review, 2001
(*) Source for the jammer graphic on slide 83 (GPS Jammers and Simulators)
panos.papadimitratos@epfl.ch
http://people.epfl.ch/panos.papadimitratos