All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems
Curtis Zeng¹, Shinan Liu², Yuanchao Shu³, Dong Wang¹, Haoyu Li¹, Yanzhi Dou¹, Gang Wang¹, Yaling Yang¹
¹Virginia Tech; ²UESTC; ³Microsoft Research
GPS Navigation: Billion Users
• GPS navigation is widely used around the world
• Self-driving cars use GPS for navigation & critical on-road decisions
GPS malfunction can really lead to real-world consequences
Known Threat: GPS Spoofing
[Figure labels: True location, False location]
• Civilian GPS is vulnerable to spoofing attacks due to the lack of authentication mechanisms
GPS Spoofing in Free Space
In 2012, a drone was diverted in White Sands, New Mexico
In 2013, a yacht was diverted on the way from Monaco to Greece
Successfully diverted in open air/on open water
Spoofing Road Navi: Challenging
[Figure panels: Real world, Navigation map]
“Turn left” - physically impossible instruction!
Challenges
• Random/naïve manipulations do not work
– Cannot cope with road constraints, e.g., road shape, speed limit
– Create physically impossible routes
• Human driver in the loop
– Need to avoid alerting human drivers (stealthy)
First to explore the feasibility of such an attack
What is the stealthy attack?
Stealthy Attack
[Figure panels: Real world, Navigation map]
Navigation instructions lead to attacker’s pre-defined location
Concepts & Core Idea
[Figure panels: Real world, Navigation map. Labels: Ghost location, Original destination, Actual location, Ghost route, Victim route, Original route]
Assumption: know rough destination area or checkpoint
Goal: find ghost route to mimic the shape of victim route
Route Searching Algorithm
[Diagram: Map → Directed Graph → Exhaustive BFS → Iterative searching. Annotations: Segment length matching, Turn pattern matching, Concatenate victim routes]
Search ends whenever the attack goal is met
Goal: find ghost route to mimic the shape of victim route
Attack Consequences
• Deviating: detour the victim with no specific target destination
• Targeted deviating: divert the victim to bypass a pre-defined location
• Endangering: divert the victim to dangerous situations like wrong-way driving on a highway
Trace-driven Simulation Results
• 600 real-world trips randomly selected from New York City and Boston taxi datasets
– Run basic attack and iterative attack (two iterations)
• Deviating: on average, 335 and 3507 qualified victim routes per trip
• Endangering: 599 out of 600 (99.8%) contain wrong-way road segments
A wide range of attack opportunities & real danger
Targeted Deviating Results
• Evaluation metric: hit rate
– How likely a pre-defined location is feasible
– # diverted / # candidate
• Results: 70% median hit rate with 500 m radius in Manhattan
[Figure labels: Original route, Diverted grid, Candidate grid, Sweeping radius r]
Even random pre-defined locations are highly reachable
Is the attack feasible in the real world?
Low-cost Portable GPS Spoofer ($223)
Open-source hardware & software
Legal Permission & Ethics
• Experiments exclusively done in China with temporary legal permission from local authority and local IRB approval (#17-936)
• Controlled measurements at outdoor parking lot
– After midnight with no one around
– Spoofing signals do not affect outside
• Real-world driving
– After midnight with minimum traffic
– Min tx power (-40 dBm) + attenuators (-30 dBm) + car body shielding (-15 dBm) + two-meter propagation loss (-42.41 dBm) = not affected (-127.41 dBm)
Controlled Measurements
• Average takeover time: around 40 seconds
• Takeover distance: 40-50 meters
• Consistent signal lock-on while driving
[Figure captions: Hide spoofer on the victim car; Carry spoofer and tailgate the victim car]
Real-world Driving
• Attack setup: same-car (no real users involved)
– One author drives a Ford Escape and strictly follows navigation instructions from Google Maps
– The other author attacks from the backseat
Trigger instructions in time and divert to 2.1 & 2.5 km away
Can a human user detect it?
User Study with Driving Simulator
• Let users drive in a simulator
– They play truck drivers to “deliver packages” from location A to B
– See if they can be diverted without noticing the attack
– Users think this is for software usability testing
• Use software to spoof locations in real time
– End it whenever the user recognizes the attack
• Complementary survey & interview to know why they can/cannot detect the attack
– Tell our real purpose and obtain their consent
Realistic driving scenario
[Figure panels: Experiment setup, Simulator view, Google Street View]
More details and demo video link in the paper
Key Results
• Attack success rate: 95% (38 out of 40)
– Two users detect it by cross-checking surrounding environment and navigation map to find inconsistency
  • Highway vs. local way
• Users are more likely to use GPS in unfamiliar areas
– Not enough pre-knowledge/time to check the inconsistency
• Most users experienced GPS malfunction in real life
– Unstable GPS signal does not alert users
Discussions
• We explore the feasibility of stealthy manipulation of road navigation systems in three steps
– Route searching algorithm, capability measurements & real-world driving, human-in-the-loop user study
• A potential defense inspired by the user study results
– Using sensor fusion for cross-checking
– Encryption, ground infrastructures, modifications for GPS receiver hardware/software have much higher cost and longer deployment cycle
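Added example (not from the talk or the paper): one way to realise the sensor-fusion cross-check named on this slide, comparing each GPS fix with a position dead-reckoned from wheel speed and heading. The function names, tolerances and sample trace are assumptions constructed for illustration.

```python
import math

EARTH_R = 6_371_000.0  # mean Earth radius in metres

def to_local_xy(lat, lon, lat0, lon0):
    """Project a fix to metres east/north of (lat0, lon0); fine over a few km."""
    x = math.radians(lon - lon0) * EARTH_R * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * EARTH_R
    return x, y

def cross_check(samples, base_tol_m=15.0, drift_m_per_s=0.5):
    """Return indices of GPS fixes that disagree with dead reckoning.

    samples: (t_s, lat, lon, speed_mps, heading_deg) tuples. Speed is assumed
    to come from wheel odometry and heading (clockwise from north) from a
    compass/gyro, i.e. sensors independent of the GPS receiver.
    The tolerances are assumed values, not taken from the talk.
    """
    t0, lat0, lon0, speed, heading = samples[0]
    dr_x = dr_y = 0.0  # dead-reckoned position, metres from the first fix
    prev_t, alerts = t0, []
    for i, (t, lat, lon, next_speed, next_heading) in enumerate(samples[1:], 1):
        dt, h = t - prev_t, math.radians(heading)
        dr_x += speed * dt * math.sin(h)
        dr_y += speed * dt * math.cos(h)
        gx, gy = to_local_xy(lat, lon, lat0, lon0)
        # Allow a fixed GPS error plus sensor drift that grows with time.
        if math.hypot(gx - dr_x, gy - dr_y) > base_tol_m + drift_m_per_s * (t - t0):
            alerts.append(i)
        prev_t, speed, heading = t, next_speed, next_heading
    return alerts

def constructed_trace(offset_from=None, offset_east_m=200.0):
    """Constructed data: 10 s driving north at 10 m/s with 1 Hz fixes.
    From sample `offset_from` on, the reported fix is displaced east while
    odometry and heading stay unchanged."""
    lat0, lon0 = 40.0, -74.0  # arbitrary origin
    trace = []
    for i in range(10):
        x = offset_east_m if offset_from is not None and i >= offset_from else 0.0
        lat = lat0 + math.degrees(10.0 * i / EARTH_R)
        lon = lon0 + math.degrees(x / (EARTH_R * math.cos(math.radians(lat0))))
        trace.append((float(i), lat, lon, 10.0, 0.0))
    return trace

if __name__ == "__main__":
    print(cross_check(constructed_trace()))               # consistent trace
    print(cross_check(constructed_trace(offset_from=6)))  # displaced fixes
```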
Questions