Litcius/Paper detail

Distributed and Mobile Message Level Relaying/Replaying of GNSS Signals

Malte Lenhart, Marco Spanghero, Panos Papadimitratos

2022Proceedings of the Institute of Navigation ... International Technical Meeting/Proceedings of the ... International Technical Meeting of The Institute of Navigation18 citationsDOIOpen Access PDF

Abstract

With the introduction of Navigation Message Authentication (NMA), future Global Navigation Satellite Systems (GNSSs) prevent spoofing by simulation, i.e., the generation of forged satellite signals based on publicly known information. However, authentication does not prevent record-and-replay attacks, commonly termed as meaconing. Meaconing attacks are less powerful in terms of adversarial control over the victim receiver location and time, but by acting at the signal level, they are not thwarted by NMA. This makes replaying/relaying attacks a significant threat for current and future GNSS. While there are numerous investigations on meaconing attacks, the vast majority does not rely on actual implementation and experimental evaluation in real-world settings. In this work, we contribute to the improvement of the experimental understanding of meaconing attacks. We design and implement a system capable of real-time, distributed, and mobile meaconing, built with off-the-shelf hardware. We extend from basic distributed meaconing attacks, with signals from different locations relayed over the Internet and replayed within range of the victim receiver(s). This basic attack form has high bandwidth requirements and thus depends on the quality of service of the available network to work. To overcome this limitation, we propose to replay on message level, i.e., to demodulate and re-generate signals before and after the transmission respectively (including the authentication part of the payload). The resultant reduced bandwidth enables the attacker to operate in mobile scenarios, as well as to replay signals from multiple GNSS constellations and/or bands simultaneously. Additionally, the attacker can delay individually selected satellite signals to potentially influence the victim position and time solution in a more fine-grained manner. Our versatile test-bench, enabling different types of replaying/relaying attacks, facilitates testing realistic scenarios towards new and improved replaying/relaying-focused countermeasures in GNSS receivers.

Topics & Concepts

Computer scienceGNSS applicationsReplay attackSpoofing attackAuthentication (law)Bandwidth (computing)Computer networkPayload (computing)Transmission (telecommunications)Satellite systemReal-time computingComputer securityGlobal Positioning SystemTelecommunicationsNetwork packetCryptographic Implementations and SecurityAdvanced Authentication Protocols SecurityMobile Agent-Based Network Management
Distributed and Mobile Message Level Relaying/Replaying of GNSS Signals | Litcius