Investigation of multi-device location spoofing attacks on air traffic control and possible countermeasures

Multilateration techniques have been proposed to verify the integrity of unprotected location claims in wireless localization systems. A common assumption is that the adversary is equipped with only a single device from which it transmits location spoofing signals. In this paper, we consider a more advanced model where the attacker is equipped with multiple devices and performs a geographically distributed coordinated attack on the multilateration system. The feasibility of a distributed multi-device attack is demonstrated experimentally with a self-developed attack implementation based on multiple COTS software-defined radio (SDR) devices. We launch an attack against the OpenSky Network, an air traffic surveillance system that implements a time-difference-of-arrival (TDoA) multi-lateration method for aircraft localization based on ADS-B signals. Our experiments show that the timing errors for distributed spoofed signals are indistinguishable from the multilateration errors of legitimate aircraft signals, indicating that the threat of multi-device spoofing attacks is real in this and other similar systems. In the second part of this work, we investigate physical-layer features that could be used to detect multi-device attacks. We show that the frequency offset and transient phase noise of the attacker's radio devices can be exploited to discriminate between a received signal that has been transmitted by a single (legitimate) transponder or by multiple (malicious) spoofing sources. Based on that, we devise a multi-device spoofing detection system that achieves zero false positives and a false negative rate below 1%.

[1]  Srdjan Capkun,et al.  On the requirements for successful GPS spoofing attacks , 2011, CCS '11.

[2]  Robert F. Mills,et al.  Using Spectral Fingerprints to Improve Wireless Network Security , 2008, IEEE GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference.

[3]  N. Serinken,et al.  Characteristics of radio transmitter fingerprints , 2001 .

[4]  Todd E. Humphreys,et al.  Can Cryptography Secure Next Generation Air Traffic Surveillance? , 2014 .

[5]  Vaibhav Joshi,et al.  Detection and Localization of Multiple Spoofing Attackers , 2014 .

[6]  SrivastavaMani,et al.  Secure Location Verification with Hidden and Mobile Base Stations , 2008 .

[7]  Duminda Wijesekera,et al.  Detecting malicious ADS-B broadcasts using wide area multilateration , 2015, 2015 IEEE/AIAA 34th Digital Avionics Systems Conference (DASC).

[8]  Duminda Wijesekera,et al.  Integrity and authenticity of ADS-B broadcasts , 2015, 2015 IEEE Aerospace Conference.

[9]  Peng Ning,et al.  LAD: localization anomaly detection for wireless sensor networks , 2005, 19th IEEE International Parallel and Distributed Processing Symposium.

[10]  Jens B. Schmitt,et al.  Secure Track Verification , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Richard P. Martin,et al.  Attack Detection in Wireless Localization , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[12]  Andrei Costin,et al.  Ghost in the Air(Traffic): On insecurity of ADS-B protocol and practical attacks on ADS-B devices , 2012 .

[13]  Witold Kinsner,et al.  A radio transmitter fingerprinting system ODO-1 , 1996, Proceedings of 1996 Canadian Conference on Electrical and Computer Engineering.

[14]  Witold Kinsner,et al.  Transient analysis and genetic algorithms for classification , 1995, IEEE WESCANEX 95. Communications, Power, and Computing. Conference Proceedings.

[15]  R. Schmidt A New Approach to Geometry of Range Difference Location , 1972, IEEE Transactions on Aerospace and Electronic Systems.

[16]  Brian M. Sadler,et al.  Wireless physical layer authentication via fingerprint embedding , 2015, IEEE Communications Magazine.

[17]  Krishna Sampigethaya,et al.  Visualization & assessment of ADS-B security for green ATM , 2010, 29th Digital Avionics Systems Conference.

[18]  Jie Xiong,et al.  SecureAngle: improving wireless security using angle-of-arrival information , 2010, Hotnets-IX.

[19]  J. Sobana,et al.  Detection and Localization of Multiple Spoofing Attackers in Wireless Networks , 2014 .

[20]  Tim Leinmüller,et al.  POSITION VERIFICATION APPROACHES FOR VEHICULAR AD HOC NETWORKS , 2006, IEEE Wireless Communications.

[21]  Markus Breitenbach,et al.  The Directional Attack on Wireless Localization -or- How to Spoof Your Location with a Tin Can , 2009, GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference.

[22]  Ting Wang,et al.  Analysis on perfect location spoofing attacks using beamforming , 2013, 2013 Proceedings IEEE INFOCOM.

[23]  Srdjan Capkun,et al.  Secure Location Verification with Hidden and Mobile Base Stations , 2008, IEEE Transactions on Mobile Computing.

[24]  Michel Barbeau,et al.  DETECTION OF TRANSIENT IN RADIO FREQUENCY FINGERPRINTING USING SIGNAL PHASE , 2003 .

[25]  Marco Gruteser,et al.  Wireless device identification with radiometric signatures , 2008, MobiCom '08.

[26]  Rui Pinheiro,et al.  On Perception and Reality in Wireless Air Traffic Communication Security , 2016, IEEE Transactions on Intelligent Transportation Systems.

[27]  Srdjan Capkun,et al.  Secure positioning of wireless devices with application to sensor networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[28]  Thomas Kunz,et al.  Secure Authentication in Wireless Sensor Networks Using RF Fingerprints , 2008, 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing.

[29]  Andrei Costin,et al.  Ghost is in the Air(Traffic) , 2012 .

[30]  Srdjan Capkun,et al.  Attacks on physical-layer identification , 2010, WiSec '10.

[31]  Ivan Martinovic,et al.  Bringing up OpenSky: A large-scale ADS-B sensor network for research , 2014, IPSN-14 Proceedings of the 13th International Symposium on Information Processing in Sensor Networks.

[32]  Ralf Heidger,et al.  Secure ADS-B usage in ATC tracking , 2014, 2014 Tyrrhenian International Workshop on Digital Communications - Enhanced Surveillance of Aircraft and Vehicles (TIWDC/ESAV).

[33]  Michel Barbeau,et al.  Enhancing intrusion detection in wireless networks using radio frequency fingerprinting , 2004, Communications, Internet, and Information Technology.

[34]  Ivan Martinovic,et al.  Realities and challenges of nextgen air traffic management: the case of ADS-B , 2014, IEEE Communications Magazine.

[35]  Jihyuk Choi,et al.  Secure Location Verification Using Simultaneous Multilateration , 2012, IEEE Transactions on Wireless Communications.

[36]  Wenyuan Xu,et al.  Securing wireless systems via lower layer enforcements , 2006, WiSe '06.

[37]  Ivan Martinovic,et al.  Experimental Analysis of Attacks on Next Generation Air Traffic Communication , 2013, ACNS.

[38]  Srdjan Capkun,et al.  Physical-Layer Identification of Wireless Devices , 2011 .

[39]  Mantilla Gaviria,et al.  New Strategies to Improve Multilateration Systems in the Air Traffic Control , 2013 .

[40]  S.R. Bussolari,et al.  Mode S data link applications for general aviation , 1995, Proceedings of 14th Digital Avionics Systems Conference.

[41]  Sneha Kumar Kasera,et al.  Robust location distinction using temporal link signatures , 2007, MobiCom '07.