Secure Navigation and Timing for Autonomous Systems
The next few decades will see pervasive autonomous control systems become critical to the world economy---from autonomous cars and aircraft to smart homes, smart cities, and vast energy, communication, and financial networks controlled at multiple scales. Protecting these systems from malicious attacks is a matter of urgent societal interest. The study of secure control has made important advances over the past few years, but these constitute not solutions so much as problem framing and an emerging consensus that traditional fault detection and mitigation fails when confronted with a deliberate attacker: outlaws are different from outliers; fraud is different from faults. Moreover, the vast majority of this early literature focuses only on cyber attacks---infiltration of the communications networks over which sensor measurements y and control commands u are conveyed.
Our work on secure navigation and timing focuses on a new category of attack models that has not been previously treated in the secure control literature. Like cyber attacks, these attacks are hard to detect and can be executed from a distance, but unlike cyber attacks, they are effective even against control systems whose communications networks are secure, and so can be considered a more menacing long-term threat. Moreover, this category is subject to realistic physical (as opposed to questionable artificial) constraints on how sensor measurements can be manipulated, which offers hope for substantial theoretical progress toward effective attack detection and survival. These are field attacks: attacks on the physical fields---electromagnetic, acoustic, pressure, etc.---measured by system sensors. We emphasize field attacks against control systems performing precise navigation and timing functions, as these are of special importance to the rise of autonomous vehicles.
Self-driving cars, self-flying aircraft, self-piloting marine craft---these are all insatiable consumers of ever-more-precise geolocation and time whose failure poses serious safety and economic risks. Our work has demonstrated the surprising potency of a field attack targeting the GPS sensor of an autonomous helicopter: in a live demonstration the target helicopter became remotely controllable almost as if caught in a tractor beam. More recently, we launched a field attack against the semi-autonomous navigation system of an $80M superyacht, driving it several kilometers off course without raising alarms. A similar coordinated field attack against the GPS and acoustic sensors of a dynamically-positioned deepwater oil rig could lead to economic and ecological disaster. So far as we are aware, no modern autonomous vehicles are safe from field attacks against their GPS, radar, acoustic, lidar, or magnetic field sensors.
Microsecond-accurate timing underpins smooth operation of the smart grid, communications networks, and global high-frequency trading. But very few technologies can deliver this accuracy, among which the most popular---GPS, CDMA cellular, and two-way satellite time transfer---are susceptible to field attacks. Our research exposed an alarming smart grid phasor measurement vulnerability to a field attack.
Fixing the Problem
Practical anti-spoofing is more challenging than one might expect. Current and proposed techniques are far from foolproof. In the WNCG Radionavigation Laboratory, we design techniques to counter field attacks at the sensor level and at the estimator level, employing a mix of cryptographic and non-cryptographic defenses.
A collection of media reports on the Radionavigation Lab's navigation security experiments can be found here and here.
A Game Changers episode featuring Todd Humphreys and the WNCG Radionavigation Laboratory students.
An explanation of the hacking attack on the White Rose of Drachs superyacht.
An explanation of the hacking attack at White Sands against a drone.
Secure perception for autonomous systems.
A.J. Kerns, K.D. Wesson, and T.E. Humphreys, "A Blueprint for Civil GPS Navigation Message Authentication," IEEE/ION PLANS, Monterey, CA, May 2014.
A.J. Kerns, D.P. Shepard, J.A. Bhatti, T.E. Humphreys, "Unmanned Aircraft Capture and Control via GPS Spoofing," Journal of Field Robotics, to be published.
K. Wesson and T. Humphreys, "Unhackable Drones: The Challenges of Securely Integrating Unmanned Aircraft into the National Airspace," April 2013, Scientific American.
B.W. O'Hanlon, M.L. Psiaki, J.A. Bhatti, D.P. Shepard, T.E. Humphreys, "Real-Time GPS Spoofing Detection via Correlation of Encrypted Signals," NAVIGATION, Vol 60, Issue 4, 267-278, 2013.
K. Wesson, B. L. Evans, and T. Humphreys, "A Combined Symmetric Difference and Power Monitoring GNSS Anti-Spoofing Technique," 1st IEEE Global Conference on Signal and Information Processing, Austin, TX, 2013.
K. Wesson, B.L. Evans, and T. Humphreys, "A Probabilistic Framework for Global Navigation Satellite System Signal Timing Assurance," Preprint of paper submitted to Asilomar Conference on Signals, Systems, and Computers.
Psiaki, M.L., B.W. O'Hanlon, J.A. Bhatti, D.P. Shepard, and T.E. Humphreys, "GPS Spoofing Detection via Dual-Receiver Correlation of Military Signals," IEEE Transactions on Aerospace and Electronic Systems.
Wesson, K., M. Rothlisberger, and T. E. Humphreys, “Practical cryptographic civil GPS signal authentication,” NAVIGATION, Journal of the Institute of Navigation, Vol 59, Num 3, 2012, pp 177-193
Humphreys, T.E, "Detection Strategy for Cryptographic GNSS Anti-Spoofing," IEEE Transactions on Aerospace and Electronic Systems, 49(2):1073-1090, 2013.