Smartphone Behaviour under Sophisticated Time Synchronized and Record and Replay Spoofing Attacks

Abstract

With more than 70 percent of the world population being the Smartphone user and 77 percent of the smartphone users still rely on the Smartphone positioning for navigation [1], there is no doubt that the Smartphones are amongst the largest Global Navigation Satellite System (GNSS) receiver installed device in the GNSS market, 90 percent of the GNSS receivers in the price segment of less than 5 € are used for smartphones and wearables, which is set to be almost 1.8 billion Smartphones by 2029 [2]. With such a high share in the GNSS market, the threat of GNSS spoofing is no longer limited to the critical infrastructure only. Till date GNSS chip inside the smartphone is a black box providing positioning solution with no access to the baseband processing technique. But, with the availability of GNSS raw measurements through Android API [3], the researcher get access to wide range of measurements, which not only are important for the development of improved positioning algorithms but can also be vital for integrity check. The vulnerability of smartphones to the spoofing attack and the usage of GNSS raw measurements to counter such attack has been presented in [4] [5]. But, with the availability of newer generation smartphone supporting dual frequency and multi-constellation, it is extremely important to analyze their behaviour under such attack. In this work it was tested if an additional L5 frequency protects against an GPS L1 and Galileo E1 attack. Other GNSS raw measurements like the Carrier to Noise ratio (C/N0) are also a good candidates to examine the influence of a spoofing attack. In this work we present the results of over the air smartphone spoofing experiments with a repeater in a shielded box. The experiment was conducted with the wide range of smartphones with different manufactures, Operating Systems and different GNSS chipsets to examine their behaviour under the attack. We tested the behaviour under two different types of spoofing, the Record and Replay attack and the more sophisticated approach of a time synchronized signal generator attack. Record and Replay is just the recording of a Global Navigation Satellite System (GNSS) file with a certain bandwidth and retransmitting the recorded file later on with a high power. Signal generator spoofing is the generation and emission of artificial authentic GNSS-signals with a signal generator, which tries to imitate the real satellite signals in terms of code phase, Doppler and navigation bit as good as possible to induce a wrong time and/or position output on the victim receiver. The artificial signals should have ideally a slightly higher amplitude at the target position than the authentic signals in order to get tracked from the receiver. We investigated synchronized attacks with a purchasable Jamming and Spoofing generator from [6], which is able to perform a synchronized spoofing attack to real satellite signals and by now Galileo E1B/C and GPS L1 C/A signals are generated from the spoofing device. Beside the position, the C/N0 was analyzed, which changed for all satellite signals when the spoofing attack started. This parameter was also analyzed for common receivers and proposed as anti-spoofing parameter in [7]. For the sophisticated attack, all smartphones could be spoofed, meaning the position could be shifted kilometres away from the starting position, which was also the case when the internet was set on in the smartphones. Some smartphones were also set to track L1 and L5 signals, but could still be spoofed, which was unexpected since the spoofing signal only included GPS L1 and Galileo E1 signals. The Record and Replay attack, which is relatively easy to perform and the equipment is also relatively cheap, lead in the most smartphones to a jamming behaviour, meaning that the authentic signals were just overpowered and the spoofing signals were not tracked. But still some could be spoofed as well. The analysis showed that even in the presence of A-GPS (Wi-Fi), it was possible to spoof the smartphones. Also the fact that the spoofer did not need to include L5 signals for a successful spoofing, showed the severe vulnerability against spoofing.