Stars Can Tell
A Robust Method to Defend against GPS Spoofing Attacks using Off-the-shelf Chipset
Shinan Liu*, Xiang Cheng*, Hanchao Yang, Yuanchao Shu, Xiaoran Weng, Ping Guo, Kexiong (Curtis) Zeng, Gang Wang, Yaling Yang
Paper accepted at USENIX Security'21
Spoofing GPS signals is easy, cheap, and dangerous
It is possible to spoof a GPS receiver to an arbitrary location and time.
Existing works have demonstrated GPS spoofing attacks in various applications, including diverting a luxury yacht from Monaco to Greece, attacking the road navigation system (also check our previous work published at USENIX Security'18!), and manipulating self-driving cars.
An example of a low-cost GPS spoofer
(cheapest can be as low as $40 in total!)
Here, GPS receiver = smartphone, blockage = human body
NonSpoofing VS Spoofing
(Signals spread, angles different VS Signals align, angles same)
GPS Receiver + Blockage + Rotation = Spoofing Detector!
Our novel anti-spoofing techniques aim to achieve both high robustness and low cost.
The key idea is to measure and analyze GPS signals to derive the angle-of-arrival (AoA), because attackers cannot (easily) emulate the physical AoA of GPS signals from tens of GPS satellites around Earth simultaneously.
Unlike traditional methods that require expensive hardware such as large antenna arrays (thousands of dollars), our idea is to place a signal-blocking shield on one side of the GPS receiver while rotating the GPS receiver with the shield.
In this way, we are able to get AoA by synthesizing a directional antenna-array using omnidirectional antennas on commercial devices like smartphones.
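The blockage-and-rotation idea above can be sketched as follows. This is an added illustration, not the authors' code and not one of the paper's five methods. It assumes a simple model in which a satellite's C/N0 dips by 10 dB when the shield faces its direction of arrival; the satellite IDs, azimuths, noise level and the 0.9 threshold are constructed values.

```python
import math
import random

def blocked_azimuth(headings_deg, cn0_dbhz):
    """Heading (deg) at which C/N0 dips, from the first circular harmonic."""
    mean = sum(cn0_dbhz) / len(cn0_dbhz)
    c = sum((v - mean) * math.cos(math.radians(h)) for h, v in zip(headings_deg, cn0_dbhz))
    s = sum((v - mean) * math.sin(math.radians(h)) for h, v in zip(headings_deg, cn0_dbhz))
    # The harmonic points at the C/N0 maximum; the shield-induced dip is opposite.
    return math.degrees(math.atan2(-s, -c)) % 360

def aoa_concentration(azimuths_deg):
    """Mean resultant length: ~1 if all angles agree, ~0 if spread around the sky."""
    c = sum(math.cos(math.radians(a)) for a in azimuths_deg)
    s = sum(math.sin(math.radians(a)) for a in azimuths_deg)
    return math.hypot(c, s) / len(azimuths_deg)

def looks_spoofed(tracks, headings_deg, threshold=0.9):
    """tracks: {satellite_id: [C/N0 per heading]}. The threshold is an assumed value."""
    dips = [blocked_azimuth(headings_deg, cn0) for cn0 in tracks.values()]
    return aoa_concentration(dips) > threshold

def simulate(source_azimuths, headings_deg, seed=1):
    """Constructed data: 10 dB dip when the shield faces the source, 1 dB noise."""
    rng = random.Random(seed)
    return {
        sat: [40 - 10 * max(0.0, math.cos(math.radians(h - az))) + rng.gauss(0, 1)
              for h in headings_deg]
        for sat, az in source_azimuths.items()
    }

HEADINGS = list(range(0, 360, 10))  # one full rotation, sampled every 10 degrees
# Authentic sky: each satellite arrives from its own azimuth (constructed values).
AUTHENTIC = simulate({"G02": 20, "G05": 95, "G13": 170, "G21": 250, "G30": 320}, HEADINGS)
# Single spoofer at azimuth 140: every "satellite" arrives from the same direction.
SPOOFED = simulate({s: 140 for s in ("G02", "G05", "G13", "G21", "G30")}, HEADINGS)

if __name__ == "__main__":
    print("authentic flagged:", looks_spoofed(AUTHENTIC, HEADINGS))
    print("spoofed flagged:  ", looks_spoofed(SPOOFED, HEADINGS))
```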
FIVE different algorithms
on TWO attacker models
We propose five software-based methods (check our paper for technical details!) to detect spoofing attacks that work for off-the-shelf GPS chipsets.
We evaluate our defense against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%~100%) in 5 seconds.
Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method. We study this adaptive attack and use enhancement methods (taking the rotation speed as the "secret key") to fortify the defense.
ROC curve for different methods on spoofing and adaptive spoofing attacks
Yes, we Open Sourced the analysis pipeline!
MATLAB Analysis pipeline
We implemented 5 defense methods and the whole analysis pipeline (including plots and metrics). Please contact the authors for code.
It also contains 10 NonSpoofing data samples as a motivating example.
GNSS Logger
We customized the GNSS Logger from Google to better support the logging process.
Future development is also planned, which might support real-time analysis and defense.
Click here to download the released apk.
Dataset
To facilitate further investigation, we also open source the collected dataset (using blockage and rotation) in various settings: open air / urban canyon, human body / metal blockage.
Click here to download the dataset.
BIBTEX
@inproceedings{liu2021stars,
  title = {Stars Can Tell: A Robust Method to Defend against GPS Spoofing using Off-the-shelf Chipset},
  author = {Liu, Shinan and Cheng, Xiang and Yang, Hanchao and Shu, Yuanchao and Weng, Xiaoran and Guo, Ping and Zeng, Kexiong (Curtis) and Wang, Gang and Yang, Yaling},
  booktitle = {Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)},
  year = {2021}
}