GNSS spoofing via SDR (Criptored Talks 2024)

JavierJunqueraSnchez 266 views 32 slides Jun 16, 2024
Slide 1
Slide 1 of 32
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32

About This Presentation

In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weakn...

Size: 5.26 MB
Language: en
Added: Jun 16, 2024
Slides: 32 pages

Slide Content

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
Javier JUNQUERA SÁNCHEZ
<[email protected]>
GNSS spoofing vía SDR
Criptored Talks 2024

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
2 / 32
whoami
Formación
●BSc Computer Sciences @ UAH
●MSc Information Security @ UEM
●PhD Informatics Engineering @ UAH
Experiencia
●InfoSec @ SSC INTA
●Director técnico @ Cátedra ISDEFE-UAH
Javier JUNQUERA SÁNCHEZ
<[email protected]> | /in/junquera

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
3 / 32
GNSS
v = d / t → d = v * t
v = c ~ 3 * 10
8
m/s
Trilateration (Source: Gong, Pu & Chen, et al. (2022). 10.3390/network2010007)
PVT

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
4 / 32
Galileo (EU GNSS)
●Operational since 2016
●100M supported devices
●Unique PVT services
○OS/NMA
○HAS
○PRS
●Open reference documents
○https://gsc-europa.eu

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
5 / 32
GNSS attacks
●Jamming
●Meaconing
●Spoofing
○Pseudorange
○Nav message
○Doppler
https://www.washingtonpost.c
om/world/2024/05/24/russia-j
amming-us-weapons-ukraine/
https://gpsjam.org/

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
6 / 32
Why do we need
GAL-SDR-SIM?
Testing receivers following an
offensive security approach:
●Analyzing protocols
○Finding issues
■Fixing them
https://github.com/osqzss/gps-sdr-sim

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
7 / 32
→ https://www.gsc-europa.eu/sites/default/files/sites/all/files/Galileo_OS_SIS_ICD_v2.1.pdf
Galileo OS SIS ICD

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
8 / 32
Galileo OS I/NAV
Almanac
Status Time Ephemeris

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
9 / 32
Galileo OS I/NAV

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
10 / 32
Galileo OS SiS
Source: GALILEO OPEN SERVICE SIGNAL-IN-SPACE
INTERFACE CONTROL DOCUMENT (OS SIS ICD)
Issue 2.1 | November 2023

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
11 / 32
Galileo OS SiS
# Carrier frequency (Hz)
f = {
"E1": 1575.42e6
}

# Receiver reference bandwidth (Hz)
bw = {
"E1": 24.552e6
}
# Sub-carrier rate (Hz)
R_S = {
"E1": {
# CBOC, in-phase
"B": {
"a": 1.023e6,
"b": 6.138e6
},
# CBOC, anti-phase
"C": {
"a": 1.023e6,
"b": 6.138e6
}
}
}
# Ranging code chip rate (cps,
chips-per-second)
R_C = {
"E1": {
"B": 1.023e6,
"C": 1.023e6
}
}

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
12 / 32
Galileo OS SiS

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
13 / 32
Galileo OS SiS - Modulation

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
14 / 32
CDMA
Accesos Múltiples - FDMA/TDMA/CDMA/OFDMA - Fundamentos de 4G (LTE).
https://www.youtube.com/watch?v=oYRMYSIVj1o
PRN

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
15 / 32
CBOC
Subcarrier
Resilient modulation. See https://gssc.esa.int/navipedia/index.php/Composite_BOC_(CBOC)

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
16 / 32
Galileo OS SiS - C
E1-B
(aka PRN)
def c_E1_B(sat):

sat_primary_code = codes.primary_codes["E1"]["B"][sat]

primary_code_bytes = bytes.fromhex(sat_primary_code + '0')

pc_buffer = np.frombuffer(primary_code_bytes, dtype = 'uint8')
pclength = codes.prn_rep_characteristics[ "E1"]["C"]["primary_code_length" ]

c_E1_B = np.unpackbits(pc_buffer)[:pclength].astype( 'int')

return c_E1_B

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
17 / 32
Galileo OS SiS - e
E1-B
def e_E1_B(D, sat="01"):

c_E1_B = gen_c_E1_B(sat=sat)

return l2s(c_E1_B) * l2s(D)

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
18 / 32
Galileo OS SiS - sc
E1-B

def get_subcarrier_B_at(t, time_step, samples=1):

time_marks= np.arange(samples)*time_step + t

sin_sample_B_a = np.sin(2*PI*gm.R_S["E1"]["B"]["a"]*time_marks)
sin_sample_B_b = np.sin(2*PI*gm.R_S["E1"]["B"]["b"]*time_marks)

subcarrier_B_a = sgn(sin_sample_B_a)
subcarrier_B_b = sgn(sin_sample_B_b)

return (subcarrier_B_a, subcarrier_B_b)
@np.vectorize
def sgn(i):
if i > 0:
return 1
elif i < 0:
return -1
else:
return 0

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
19 / 32
Galileo OS SiS - CBOC ✅

def get_s_E1_B_at(t, D, time_step, samples=1, sat="01"):

PRN_B = get_e_E1_B_at(t, D, time_step, samples, sat=sat)

subcarrier_a, subcarrier_b = get_subcarrier_B_at(t, time_step, samples)

s_E1_B = PRN_B * (gm.alpha*subcarrier_a + gm.beta*subcarrier_b)

return s_E1_B


def get_s_E1_at(t, D, time_step, samples=1, sat="01"):

s_E1_B = get_s_E1_B_at(t, D, time_step=time_step, samples=samples, sat=sat)
s_E1_C = get_s_E1_C_at(t, time_step=time_step, samples=samples, sat=sat)

s_E1 = (1/np.sqrt(2)) * (s_E1_B - s_E1_C)

return s_E1

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
20 / 32
Modulation + SDR
●Sampling
○IQ
●SW
●HW
def get_E1_carrier_at(t, time_step, samples=1):

time_marks = np.arange(samples)*time_step + t

return np.cos(tau * gm.f["E1"] * time_marks)


def get_E1_at(t, D, time_step, samples=1, sat="01"):

e1_carrier = get_E1_carrier_at(t, time_step, samples)
s_E1 = get_s_E1_at(t, D, time_step, samples=samples, sat=sat)

# 2.3 Eq. 1 @ OS-ICD-2.0
return 2 * ( e1_carrier * s_E1 )

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
21 / 32
Source: https://visual-dsp.switchb.org/
Source: https://pysdr.org

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
22 / 32

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
23 / 32

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
24 / 32

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
25 / 32
Issues
●Sampling
Different sampling rates per discrete stream
Fit 1.6 GHZ in my 20 MHz SDR? (Niquist et al.)
●Read Interpret TFM
rect(), CBOC chirps formulas, etc.

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
26 / 32
And… Navigation data?
●Genuine navigation data
○Shifted respect to PRN
→ Pseudorange attack
○Shifted carrier frequency
→ Doppler attack
●Crafted navigation data

SDR Software Demo
https://gnss-sdr.org/

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
28 / 32

SDR Hardware Demo

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
30 / 32

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
GNSS spoofing vía SDR - Criptored Talks 2024
PUBLIC RELEASE
31 / 32
Countermeasures
●Signal authentication
○OSNMA
○Chimera
●Power and direction
○CRPA antennas

Spanish Ministry of Defence
National Institute for Aerospace Technology (INTA)
Space Security Centre (SSC)
Thanks!
Javier JUNQUERA SÁNCHEZ – Space Security Centre
<[email protected]>| /in/junquera
Tags
galileo cybersecurity information security radio cryptography gps critical infrastructures space europe jamming hacking
Categories
Technology
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 266
  • Slides 32
  • Age 532 days
Related Slideshows
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx 11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx 10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
44 views
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx 13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx 11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
Know for Certain 21
Know for Certain
DaveSinNM
19 views
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx 17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views
View More in This Category