On the Limits of Cross-Authentication Checks for GNSS Signals

TL;DR

This paper analyzes the effectiveness and limitations of cross-authentication checks in GNSS signals, demonstrating how attackers can manipulate PVT solutions and highlighting the inherent vulnerabilities when combining authenticated and non-authenticated signals.

Contribution

It formalizes models for cross-authentication checks, introduces spoofing attack strategies, and evaluates their impact on the security of multi-band GNSS PVT solutions.

Findings

Attacker's manipulation degrees depend on security checks and open signals.

Spoofing attacks can deceive PVT solutions without detection.

Limits of cross-authentication checks are identified when using both authenticated and non-authenticated signals.

Abstract

Global navigation satellite systems (GNSSs) are implementing security mechanisms: examples are Galileo open service navigation message authentication (OS-NMA) and GPS chips-message robust authentication (CHIMERA). Each of these mechanisms operates in a single band. However, nowadays, even commercial GNSS receivers typically compute the position, velocity, and time (PVT) solution using multiple constellations and signals from multiple bands at once, significantly improving both accuracy and availability. Hence, cross-authentication checks have been proposed, based on the PVT obtained from the mixture of authenticated and non-authenticated signals. In this paper, first, we formalize the models for the cross-authentication checks. Next, we describe, for each check, a spoofing attack to generate a fake signal leading the victim to a target PVT without notice. We analytically relate the degrees of the freedom of the attacker in manipulating the victim's solution to both the employed security checks and the number of open signals that can be tampered with by the attacker. We test the performance of the considered attack strategies on an experimental dataset. Lastly, we show the limits of the PVT-based GNSS cross-authentication checks, where both authenticated and non-authenticated signals are used.