TADA! MITRE Puts Spoofing Attacks Back in the Hat with the Time Anomaly Detection Appliqué
July 2014
Topics: Geographic Information Systems, Information Security Risk Management, Information Security Technologies, Remote Sensing
Navigational systems haywire, airplanes are grounded nationwide. Buying and selling orders hopelessly jumbled, the stock market is shut down. Circuit breakers stumbling over themselves, the power grid flickers, freezes, and goes dark.
Although this sounds like a scene from a Hollywood disaster movie, it's a real possibility. Some modern infrastructure systems rely on an accurate time source for their operations—as do most of our modern defense systems. Experts predict that should that timing source be compromised, the systems that allow us all to communicate, conduct business, and protect the nation may fail.
All in the Timing
These days, infrastructure and defense systems may rely on the Global Positioning System (GPS), a space-based satellite navigation system, as their source of accurate time. GPS is best known for providing the location data that serves as the backbone of mapping and navigation systems. It is also the source of a highly accurate and encrypted position, navigation, and time (PNT) signal that is reserved for the use of the U.S. military.
However, GPS also broadcasts an unencrypted PNT signal, accurate to about 14 nanoseconds, that's used by civilian and some military systems. Should our adversaries puzzle out a method for degrading the accuracy of the GPS signal, they might be able to throw a wrench into the workings of our nation's infrastructure and other activities around the world.
For years, MITRE has been raising awareness concerning GPS threats and assisting its sponsors in developing and acquiring more robust and accurate timing solutions. As an example, MITRE recently designed and prototyped a system to detect and, for certain users, mitigate a class of GPS threats: the Time Anomaly Detection Appliqué (TADA).
"Almost every system has a need for precise and accurate time," says Darrow Leibner, the MITRE TADA Project Lead. "Because GPS is accurate and ubiquitous, users have gotten away from implementing other time-keeping methods. That's where the potential vulnerability comes in."
Sniffing Out a Spoofing Attack
Recently, industry and academic experts have demonstrated an attack technique that adversaries could use to fool a civilian GPS receiver into latching onto a false signal. This attack, known as a "spoofing attack," is simple and cheap to launch, but difficult to detect. Until this demonstration, GPS spoofing attacks and spoofing detection had been a relatively abstract topic, discussion of which was limited to academic and industry white papers. Now protecting timing systems has become a high-priority concern for MITRE's sponsors.
Leibner explains why GPS time signal spoofing has emerged as a security concern. "Five to ten years ago, it was difficult to obtain the equipment that you'd need to cheaply and effectively launch a spoofing attack, even if you had the requisite technical skill to do so. But with software-defined radios and GPS simulation software now more widely available for lower costs, spoofing attacks can be carried out even by adversaries without advanced technical knowledge."
Certain spoofing attacks work by producing and broadcasting a falsified version of the GPS signal, but at a slightly greater power, which tricks a GPS receiver into locking onto the spoofed signal. Once the receiver has locked onto the spoofed signal, the false signal gradually phases out of sync with the GPS signal, causing the GPS receiver to report a false PNT, one dictated by the spoofer. The incremental phase out makes the spoofing attack very difficult to detect.
"GPS receivers are not dumb," says Leibner. "They will raise an alarm when they see a signal that's significantly off from what they expect. The insidious nature of GPS spoofing is that it can manipulate the GPS signal without causing the GPS receiver to alarm."
TADA is designed to provide a cost-effective, reliable, and easy-to-use method for protecting GPS receivers against spoofing attacks. The system defends against spoofing by continuously comparing a trusted input, such as a known frequency or location, with those provided by the GPS receiver. When a difference between these two inputs is detected, TADA alerts the user to the suspected PNT anomaly.
Trusted Time, Dependable Distance
For a trusted input, TADA uses an atomic clock frequency. In simple terms, for each second measured by the incoming GPS timing signal, TADA counts the number of frequency cycles generated by a cesium clock. If the incoming GPS signal is valid, TADA will count exactly the expected number of cesium frequency cycles. But if TADA measures a higher or lower number of timing signals than expected, it will display the difference. A difference outside the acceptable margin of error will prompt TADA to alert its users that the GPS timing signal is possibly being spoofed.
In the same way it uses a trusted time source, TADA can also use a known location to detect a spoofing attack. To do this, the user inputs the location of a GPS receiver antenna into TADA. TADA monitors the reported position for any changes. Any reported change of the stationary location would most likely be due to a spoofing attack and would prompt an alert to the user. Once alerted by TADA to a spoofing attack, users can quickly switch to existing backup systems.
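The two checks described above, sketched as an added example that is not MITRE's code or TADA's actual logic: it compares cycle counts per GPS second against a trusted reference and compares reported fixes against a surveyed antenna position. The 10 MHz reference, every tolerance, the function names and all sample data are assumptions constructed for illustration, and the cumulative check goes beyond what the article describes.

```python
import math

# All constants and sample data are constructed assumptions, not TADA's values.
NOMINAL_CYCLES = 10_000_000   # assumed 10 MHz reference: cycles expected per GPS second
PER_SECOND_TOL = 2            # assumed margin of error, cycles per second
CUMULATIVE_TOL = 4            # assumed margin on the running sum of deviations
POSITION_TOL_M = 15.0         # assumed allowed scatter of a fixed antenna, metres

def per_second_alarms(counts):
    """Seconds whose cycle count differs from nominal by more than the margin."""
    return [(i, c - NOMINAL_CYCLES) for i, c in enumerate(counts)
            if abs(c - NOMINAL_CYCLES) > PER_SECOND_TOL]

def first_cumulative_alarm(counts):
    """Index where the accumulated deviation first exceeds the margin, else None.
    Extension beyond the article: catches a drift too slow to trip any one second."""
    total = 0
    for i, c in enumerate(counts):
        total += c - NOMINAL_CYCLES
        if abs(total) > CUMULATIVE_TOL:
            return i
    return None

def distance_m(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

def position_alarms(surveyed, fixes):
    """Reported fixes that lie farther from the surveyed antenna than the margin."""
    return [(i, round(distance_m(surveyed, f), 1)) for i, f in enumerate(fixes)
            if distance_m(surveyed, f) > POSITION_TOL_M]

# Constructed cycle counts: five clean seconds, then a slow drift.
COUNTS = [10_000_000, 10_000_001, 9_999_999, 10_000_000, 10_000_001,
          10_000_001, 10_000_001, 10_000_002, 10_000_003, 10_000_004]
# Constructed receiver fixes for an antenna surveyed at SURVEYED.
SURVEYED = (38.0, -77.0)
FIXES = [(38.0, -77.0), (38.00001, -77.0), (38.0005, -77.0)]

if __name__ == "__main__":
    print("per-second alarms:", per_second_alarms(COUNTS))
    print("cumulative alarm at second:", first_cumulative_alarm(COUNTS))
    print("position alarms:", position_alarms(SURVEYED, FIXES))
```

On the constructed data the running sum crosses its margin one second before any single second does, which is the case a gradual drift is built to exploit.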
Simple and Effective
"This is not the invention of the light bulb," Leibner explains. "Rather it's a clever use of existing technologies packaged in such a way that users obtain a greatly increased level of protection for a minimum of investment. None of the TADA components on their own are brilliant. But as one manufacturer said after seeing a detailed description of TADA, 'It's brilliantly simplistic.'"
The next stage in TADA's development is to provide it with the capability not only to detect spoofing attacks, but also to mitigate their effects and pinpoint their origin. With this capability, our sponsors and many other organizations can seamlessly switch from detecting spoofing attacks to responding to them. MITRE will also continue to advocate that, to bolster the nation's infrastructure defenses against spoofing, TADA-like monitoring techniques be included within commercial product design.
—by Christopher Lockheardt