Time-based GNSS attack detection

TL;DR

This paper presents a multi-layered, time-based detection method for GNSS attacks that cross-checks GNSS time with external trusted sources, effectively identifying various sophisticated attack types without modifying existing receivers.

Contribution

It introduces a novel, largely agnostic approach leveraging multiple external time sources for real-time GNSS attack detection, capable of identifying fine-grained and sophisticated attacks.

Findings

Detection of attack take-over as low as 150 microseconds

Detection of smooth time manipulations as low as 30 nanoseconds

Method is effective against diverse adversaries and compatible with existing GNSS receivers

Abstract

To safeguard Civilian Global Navigation Satellite Systems (GNSS) external information available to the platform encompassing the GNSS receiver can be used to detect attacks. Cross-checking the GNSS-provided time against alternative multiple trusted time sources can lead to attack detection aiming at controlling the GNSS receiver time. Leveraging external, network-connected secure time providers and onboard clock references, we achieve detection even under fine-grained time attacks. We provide an extensive evaluation of our multi-layered defense against adversaries mounting attacks against the GNSS receiver along with controlling the network link. We implement adversaries spanning from simplistic spoofers to advanced ones synchronized with the GNSS constellation. We demonstrate attack detection is possible in all tested cases (sharp discontinuity, smooth take-over, and coordinated network manipulation) without changes to the structure of the GNSS receiver. Leveraging the diversity of the reference time sources, detection of take-over time push as low as 150us is possible. Smooth take-overs forcing variations as low as 30ns are also detected based on on-board precision oscillators. The method (and thus the evaluation) is largely agnostic to the satellite constellation and the attacker type, making time-based data validation of GNSS information compatible with existing receivers and readily deployable.