Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Time-based GNSS attack detection

Marco Spanghero, Panos Papadimitratos

TL;DR

This paper tackles the vulnerability of GNSS time solutions to spoofing and network-based time manipulation by introducing a multi-layer time validation framework. It fuses onboard clock data with diverse external time references, notably Google Roughtime and NTP/NTS, and uses hypothesis testing and a Marzullo-style fusion approach to determine trust in GNSS time. The approach is implemented on an FPGA-based testbed with live spoofing and network manipulation, and evaluated across coarse and synchronized attacks, network latency scenarios, and adaptive sampling strategies. The results show reliable detection in all tested cases and demonstrate that time-based cross-checks can be deployed without modifying GNSS receivers, offering substantial practical impact for securing PNT in connected devices.

Abstract

To safeguard Civilian Global Navigation Satellite Systems (GNSS) external information available to the platform encompassing the GNSS receiver can be used to detect attacks. Cross-checking the GNSS-provided time against alternative multiple trusted time sources can lead to attack detection aiming at controlling the GNSS receiver time. Leveraging external, network-connected secure time providers and onboard clock references, we achieve detection even under fine-grained time attacks. We provide an extensive evaluation of our multi-layered defense against adversaries mounting attacks against the GNSS receiver along with controlling the network link. We implement adversaries spanning from simplistic spoofers to advanced ones synchronized with the GNSS constellation. We demonstrate attack detection is possible in all tested cases (sharp discontinuity, smooth take-over, and coordinated network manipulation) without changes to the structure of the GNSS receiver. Leveraging the diversity of the reference time sources, detection of take-over time push as low as 150us is possible. Smooth take-overs forcing variations as low as 30ns are also detected based on on-board precision oscillators. The method (and thus the evaluation) is largely agnostic to the satellite constellation and the attacker type, making time-based data validation of GNSS information compatible with existing receivers and readily deployable.

Time-based GNSS attack detection

TL;DR

This paper tackles the vulnerability of GNSS time solutions to spoofing and network-based time manipulation by introducing a multi-layer time validation framework. It fuses onboard clock data with diverse external time references, notably Google Roughtime and NTP/NTS, and uses hypothesis testing and a Marzullo-style fusion approach to determine trust in GNSS time. The approach is implemented on an FPGA-based testbed with live spoofing and network manipulation, and evaluated across coarse and synchronized attacks, network latency scenarios, and adaptive sampling strategies. The results show reliable detection in all tested cases and demonstrate that time-based cross-checks can be deployed without modifying GNSS receivers, offering substantial practical impact for securing PNT in connected devices.

Abstract

To safeguard Civilian Global Navigation Satellite Systems (GNSS) external information available to the platform encompassing the GNSS receiver can be used to detect attacks. Cross-checking the GNSS-provided time against alternative multiple trusted time sources can lead to attack detection aiming at controlling the GNSS receiver time. Leveraging external, network-connected secure time providers and onboard clock references, we achieve detection even under fine-grained time attacks. We provide an extensive evaluation of our multi-layered defense against adversaries mounting attacks against the GNSS receiver along with controlling the network link. We implement adversaries spanning from simplistic spoofers to advanced ones synchronized with the GNSS constellation. We demonstrate attack detection is possible in all tested cases (sharp discontinuity, smooth take-over, and coordinated network manipulation) without changes to the structure of the GNSS receiver. Leveraging the diversity of the reference time sources, detection of take-over time push as low as 150us is possible. Smooth take-overs forcing variations as low as 30ns are also detected based on on-board precision oscillators. The method (and thus the evaluation) is largely agnostic to the satellite constellation and the attacker type, making time-based data validation of GNSS information compatible with existing receivers and readily deployable.

Paper Structure

This paper contains 17 sections, 11 equations, 19 figures.

Table of Contents

  1. Introduction
  2. Related Work
  3. System and Adversary model
  4. Methodology
  5. External time reference providers
  6. Internal time reference providers
  7. Extracting remote clock properties using Allan variance
  8. Solution testing based on multiple references
  9. Implementation
  10. Results and Analysis
  11. Remote time providers classification and performance
  12. Performance under simplistic attack
  13. Performance under synchronous attack
  14. Latency attacks on the network link
  15. Adaptive sampling of remote time sources
  16. ...and 2 more sections

Figures (19)

  • Figure 1: An adversary capable of targeting the GNSS receiver and the network-based time reference.
  • Figure 2: Logical test progression
  • Figure 3: Solution testing based on multiple references.
  • Figure 4: Experimental testbed for time-based GNSS validation.
  • Figure 5: Spoofing system with live sky synchronization.
  • ...and 14 more figures