All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems

Mobile navigation services are used by billions of users around globe today. While GPS spoofing is a known threat, it is not yet clear if spoofing attacks can truly manipulate road navigation systems. Existing works primarily focus on simple attacks by randomly setting user locations, which can easily trigger a routing instruction that contradicts with the physical road condition (i.e., easily noticeable). In this paper, we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed. Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions. To demonstrate the feasibility, we first perform controlled measurements by implementing a portable GPS spoofer and testing on real cars. Then, we design a searching algorithm to compute the GPS shift and the victim routes in real time. We perform extensive evaluations using a trace-driven simulation (600 taxi traces in Manhattan and Boston), and then validate the complete attack via real-world driving tests (attacking our own car). Finally, we conduct deceptive user studies using a driving simulator in both the US and China. We show that 95% of the participants follow the navigation to the wrong destination without recognizing the attack. We use the results to discuss countermeasures moving forward.

[1]  W. Janes On the Measurement of Angles , 1947 .

[2]  David Chaum,et al.  Distance-Bounding Protocols (Extended Abstract) , 1994, EUROCRYPT.

[3]  John Weston,et al.  Strapdown Inertial Navigation Technology , 1997 .

[4]  J. Farrell,et al.  The global positioning system and inertial navigation , 1999 .

[5]  J. A. Volpe Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning Syst , 2001 .

[6]  J. S. Warner,et al.  GPS Spoofing Countermeasures , 2003 .

[7]  David Evans,et al.  Using Directional Antennas to Prevent Wormhole Attacks , 2004, NDSS.

[8]  James R. Bergen,et al.  Visual odometry , 2004, Proceedings of the 2004 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2004. CVPR 2004..

[9]  Markus G. Kuhn,et al.  An Asymmetric Security Mechanism for Navigation Signals , 2004, Information Hiding.

[10]  Srdjan Capkun,et al.  ROPE: robust position estimation in wireless sensor networks , 2005, IPSN 2005. Fourth International Symposium on Information Processing in Sensor Networks, 2005..

[11]  Bernhard Hofmann-Wellenhof,et al.  GNSS - Global Navigation Satellite Systems: GPS, GLONASS, Galileo, and more , 2007 .

[12]  T. Humphreys,et al.  Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer , 2008 .

[13]  Alessandra Lumini,et al.  Fake fingertip generation from a minutiae template , 2008, 2008 19th International Conference on Pattern Recognition.

[14]  Paul A. Zandbergen,et al.  Accuracy of iPhone Locations: A Comparison of Assisted GPS, WiFi and Cellular Positioning , 2009 .

[15]  Nguyen Minh Duc Your face is NOT your password Face Authentication ByPassing Lenovo – Asus – Toshiba , 2009 .

[16]  Srdjan Capkun,et al.  Attacks on public WLAN-based positioning systems , 2009, MobiSys '09.

[17]  Todd E. Humphreys,et al.  Receiver-Autonomous Spoofing Detection: Experimental Results of a Multi-Antenna Receiver Defense against a Portable Civil GPS Spoofer , 2009 .

[18]  Cédric Lauradoux,et al.  Distance Bounding Protocols on TH-UWB Radios , 2010, 2010 IEEE Global Telecommunications Conference GLOBECOM 2010.

[19]  Srdjan Capkun,et al.  Realization of RF Distance Bounding , 2010, USENIX Security Symposium.

[20]  Brent M. Ledvina,et al.  An In-Line Anti-Spoofing Device for Legacy Civil GPS Receivers , 2010 .

[21]  Mubarak Shah,et al.  Accurate Image Localization Based on Google Maps Street View , 2010, ECCV.

[22]  B. Motella,et al.  Performance assessment of low cost GPS receivers under civilian spoofing attacks , 2010, 2010 5th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC).

[23]  Srdjan Capkun,et al.  On the requirements for successful GPS spoofing attacks , 2011, CCS '11.

[24]  Gérard Lachapelle,et al.  GNSS Spoofing Detection for Single Antenna Handheld Receivers , 2011 .

[25]  Todd E. Humphreys,et al.  Practical cryptographic civil GPS signal authentication , 2011 .

[26]  Todd E. Humphreys,et al.  An Evaluation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing , 2011 .

[27]  Lijun Qian,et al.  Quickest detection of GPS spoofing attack , 2012, MILCOM 2012 - 2012 IEEE Military Communications Conference.

[28]  J. S. Warner,et al.  A Simple Demonstration that the Global Positioning System ( GPS ) is Vulnerable to Spoofing , 2012 .

[29]  Xiang-Yang Li,et al.  SmartLoc: push the limit of the inertial sensor based metropolitan localization using smartphone , 2013, MobiCom.

[30]  Andreas Geiger,et al.  Lost! Leveraging the Crowd for Probabilistic Visual Self-Localization , 2013, 2013 IEEE Conference on Computer Vision and Pattern Recognition.

[31]  Mark L. Psiaki,et al.  GNSS Spoofing Detection using High-Frequency Antenna Motion and Carrier-Phase Data , 2013 .

[32]  Paulo Tabuada,et al.  Non-invasive Spoofing Attacks for Anti-lock Braking Systems , 2013, CHES.

[33]  Wenyuan Xu,et al.  Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors , 2013, 2013 IEEE Symposium on Security and Privacy.

[34]  Todd E. Humphreys,et al.  Unmanned Aircraft Capture and Control Via GPS Spoofing , 2014, J. Field Robotics.

[35]  Luke Deshotels,et al.  Inaudible Sound as a Covert Channel in Mobile Devices , 2014, WOOT.

[36]  Gabi Nakibly,et al.  Gyrophone: Recognizing Speech from Gyroscope Signals , 2014, USENIX Security Symposium.

[37]  Yongdae Kim,et al.  Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors , 2015, USENIX Security Symposium.

[38]  Bolun Wang Defending against Sybil Devices in Crowdsourced Mapping Services , 2015 .

[39]  Jens B. Schmitt,et al.  Secure Track Verification , 2015, 2015 IEEE Symposium on Security and Privacy.

[40]  Kang Wang Time and Position Spoofing with Open Source Projects , 2015 .

[41]  F. Dovis GNSS Interference Threats and Countermeasures , 2015 .

[42]  Hao Wu,et al.  Controlling UAVs with Sensor Input Spoofing Attacks , 2016, WOOT.

[43]  Yossef Oren,et al.  How to Phone Home with Someone Else's Phone: Information Exfiltration Using Intentional Sound Noise on Gyroscopic Sensors , 2016, WOOT.

[44]  Yanjun Qi,et al.  Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers , 2016, NDSS.

[45]  Chen Yan Can You Trust Autonomous Vehicles : Contactless Attacks against Sensors of Self-driving Vehicle , 2016 .

[46]  Todd E. Humphreys,et al.  Attackers can spoof navigation signals without our knowledge. Here's how to fight back GPS lies , 2016, IEEE Spectrum.

[47]  Srdjan Capkun,et al.  SPREE: a spoofing resistant GPS receiver , 2016, MobiCom.

[48]  Yongdae Kim,et al.  This Ain't Your Dose: Sensor Spoofing Attack on Medical Infusion Pump , 2016, WOOT.

[49]  Srdjan Capkun,et al.  Investigation of multi-device location spoofing attacks on air traffic control and possible countermeasures , 2016, MobiCom.

[50]  Triet Vo Huu,et al.  Inferring User Routes and Locations Using Zero-Permission Mobile Sensors , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[51]  Yongdae Kim,et al.  Sampling Race: Bypassing Timing-Based Analog Active Sensor Spoofing Detection on Analog-Digital Systems , 2016, WOOT.

[52]  Yuanchao Shu,et al.  A Practical GPS Location Spoofing Attack in Road Navigation Scenario , 2017, HotMobile.

[53]  Wenyuan Xu,et al.  WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[54]  Atul Prakash,et al.  Robust Physical-World Attacks on Machine Learning Models , 2017, ArXiv.

[55]  Wenyuan Xu,et al.  DolphinAttack: Inaudible Voice Commands , 2017, CCS.

[56]  Yongdae Kim,et al.  Illusion and Dazzle: Adversarial Optical Channel Exploits Against Lidars for Automotive Applications , 2017, CHES.

[57]  Dawn Xiaodong Song,et al.  Adversarial Example Defenses: Ensembles of Weak Defenses are not Strong , 2017, ArXiv.

[58]  Dawn Song,et al.  Robust Physical-World Attacks on Deep Learning Models , 2017, 1707.08945.

[59]  Aleksander Madry,et al.  Towards Deep Learning Models Resistant to Adversarial Attacks , 2017, ICLR.

[60]  Yanjun Qi,et al.  Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks , 2017, NDSS.

[61]  Jens B. Schmitt,et al.  Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS Spoofing Attacks , 2018, 2018 IEEE Symposium on Security and Privacy (SP).