Practical Spoofing Attacks on Galileo Open Service Navigation Message Authentication
- URL: http://arxiv.org/abs/2501.09246v1
- Date: Thu, 16 Jan 2025 02:16:53 GMT
- Title: Practical Spoofing Attacks on Galileo Open Service Navigation Message Authentication
- Authors: Haiyang Wang, Yuanyu Zhang, Xinghui Zhu, Ji He, Shuangrui Zhao, Yulong Shen, Xiaohong Jiang
- Abstract summary: This paper examines the Galileo Open Service Navigation Message Authentication (OSNMA). It discovers two critical vulnerabilities, namely artificially-manipulated time synchronization (ATS) and interruptible message authentication (IMA).
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: This paper examines the Galileo Open Service Navigation Message Authentication (OSNMA) and, for the first time, discovers two critical vulnerabilities, namely artificially-manipulated time synchronization (ATS) and interruptible message authentication (IMA). ATS allows attackers to falsify a receiver's signals and/or local reference time (LRT) while still fulfilling the time synchronization (TS) requirement. IMA allows temporary interruption of the navigation data authentication process due to the reception of a broken message (probably caused by spoofing attacks) and restores the authentication later. By exploiting the ATS vulnerability, we propose a TS-comply replay (TSR) attack with two variants (real-time and non-real-time), where attackers replay signals to a victim receiver while strictly complying with the TS rule. We further propose a TS-comply forgery (TSF) attack, where attackers first use a previously-disclosed key to forge a message based on the OSNMA protocol, then tamper with the victim receiver's LRT correspondingly to comply with the TS rule and finally transmit the forged message to the receiver. Finally, we propose a concatenating replay (CR) attack based on the IMA vulnerability, where attackers concatenate replayed signals to the victim receiver's signals in a way that still enables correct verification of the navigation data in the replayed signals. To validate the effectiveness of the proposed attacks, we conduct real-world experiments with a commercial Galileo receiver manufactured by Septentrio, two software-defined radio (SDR) devices, open-source Galileo-SDR-SIM and OSNMAlib software. The results showed that all the attacks can successfully pass the OSNMA scheme and the TSF attack can spoof receivers to arbitrary locations.
Related papers
- Open Sky, Open Threats: Replay Attacks in Space Launch and Re-entry Phases [1.4911092205861824]
We study the effects of replay attacks on the integrity of uplink and downlink communications during critical phases of spacecraft communication. Under replay attacks, the attacker's signal can overpower legitimate transmissions, leading to a Signal to Noise Ratio (SNR) difference of up to -7.8 dB during reentry and -6.5 dB during launch. We propose a more secure receiver design incorporating a phase-coherency-dependent decision-directed equalizer with a narrowed phase-locked loop (PLL) bandwidth.
arXiv Detail & Related papers (2025-06-20T19:27:16Z)
- SATversary: Adversarial Attacks on Satellite Fingerprinting [14.683336638975762]
Transmitter fingerprinting provides mechanisms by which communication can be authenticated. We show that an optimized jamming signal can cause a 50% error rate with attacker-to-victim ratios as low as -30dB. We also present a data poisoning attack, enabling persistent message spoofing by altering the data used to authenticate incoming messages to include the attacker's transmitter.
arXiv Detail & Related papers (2025-06-06T14:27:19Z)
- Accountable, Scalable and DoS-resilient Secure Vehicular Communication [0.27624021966289597]
Broadcasted Cooperative Awareness Messages (CAMs) and Decentralized Environmental Notification Messages (DENMs) are pseudonymous authenticated for security and privacy protection. This creates an asymmetry that can be easily exploited by external adversaries to launch a clogging Denial of Service (DoS) attack. We propose efficient cryptographic constructs, which we term message verification facilitators, to prioritize processing resources for verification of potentially valid messages.
arXiv Detail & Related papers (2025-05-28T09:25:34Z)
- CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
arXiv Detail & Related papers (2025-05-14T13:37:07Z)
- CAIBA: Multicast Source Authentication for CAN Through Reactive Bit Flipping [5.997426999817119]
Controller Area Networks (CANs) are the backbone for reliable intra-vehicular communication.
Recent cyberattacks have exposed the weaknesses of CAN, which was designed without any security considerations in the 1980s.
We present CAIBA, a novel multicast source authentication scheme specifically designed for communication buses like CAN.
arXiv Detail & Related papers (2025-04-23T13:27:30Z)
- Securing 5G Bootstrapping: A Two-Layer IBS Authentication Protocol [4.087348638056961]
Lack of authentication during the initial bootstrapping phase between cellular devices and base stations allows attackers to send malicious messages to the devices.
We propose E2IBS, a novel and efficient two-layer identity-based signature scheme for seamless integration with existing cellular protocols.
Compared to the state-of-the-art Schnorr-HIBS, E2IBS reduces attack surfaces, enables fine-grained lawful interception, and achieves 2x speed in verification.
arXiv Detail & Related papers (2025-02-07T13:32:48Z)
- Secure Semantic Communication via Paired Adversarial Residual Networks [59.468221305630784]
This letter explores the positive side of the adversarial attack for the security-aware semantic communication system.
A pair of matching pluggable modules is installed: one after the semantic transmitter and the other before the semantic receiver.
The proposed scheme is capable of fooling the eavesdropper while maintaining the high-quality semantic communication.
arXiv Detail & Related papers (2024-07-02T08:32:20Z)
- Physical Layer Deception with Non-Orthogonal Multiplexing [52.11755709248891]
We propose a novel framework of physical layer deception (PLD) to actively counteract wiretapping attempts.
PLD combines PLS with deception technologies to actively counteract wiretapping attempts.
We prove the validity of the PLD framework with in-depth analyses and demonstrate its superiority over conventional PLS approaches.
arXiv Detail & Related papers (2024-06-30T16:17:39Z)
- The Model Inversion Eavesdropping Attack in Semantic Communication Systems [19.385375706864334]
We introduce the model inversion eavesdropping attack (MIEA) to reveal the risk of privacy leaks in the semantic communication system.
MIEA reconstructs the raw message, where both the white-box and black-box settings are considered.
We propose a defense method based on random permutation and substitution to defend against MIEA.
arXiv Detail & Related papers (2023-08-08T14:50:05Z)
- Vulnerabilities of Deep Learning-Driven Semantic Communications to Backdoor (Trojan) Attacks [70.51799606279883]
This paper highlights vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks.
Backdoor attack can effectively change the semantic information transferred for poisoned input samples to a target meaning.
Design guidelines are presented to preserve the meaning of transferred information in the presence of backdoor attacks.
arXiv Detail & Related papers (2022-12-21T17:22:27Z)
- Is Semantic Communications Secure? A Tale of Multi-Domain Adversarial Attacks [70.51799606279883]
We introduce test-time adversarial attacks on deep neural networks (DNNs) for semantic communications.
We show that it is possible to change the semantics of the transferred information even when the reconstruction loss remains low.
arXiv Detail & Related papers (2022-12-20T17:13:22Z)
- Task-Oriented Communications for NextG: End-to-End Deep Learning and AI Security Aspects [78.84264189471936]
NextG communication systems are beginning to explore shifting this design paradigm to reliably executing a given task such as in task-oriented communications.
Wireless signal classification is considered as the task for the NextG Radio Access Network (RAN), where edge devices collect wireless signals for spectrum awareness and communicate with the NextG base station (gNodeB) that needs to identify the signal label.
Task-oriented communications is considered by jointly training the transmitter, receiver and classifier functionalities as an encoder-decoder pair for the edge device and the gNodeB.
arXiv Detail & Related papers (2022-12-19T17:54:36Z)
- Spoofing Attack Detection in the Physical Layer with Commutative Neural Networks [21.6399273864521]
In a spoofing attack, an attacker impersonates a legitimate user to access or tamper with data intended for or produced by the legitimate user.
Existing schemes rely on long-term estimates, which makes it difficult to distinguish spoofing from movement of a legitimate user.
This limitation is here addressed by means of a deep neural network that implicitly learns the distribution of pairs of short-term RSS vector estimates.
arXiv Detail & Related papers (2022-11-08T14:20:58Z)
- Early Detection of Network Attacks Using Deep Learning [0.0]
A network intrusion detection system (IDS) is a tool used for identifying unauthorized and malicious behavior by observing the network traffic.
We propose an end-to-end early intrusion detection system to prevent network attacks before they could cause any more damage to the system under attack.
arXiv Detail & Related papers (2022-01-27T16:35:37Z)
- Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contact tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
arXiv Detail & Related papers (2020-06-10T16:05:05Z)
- Over-the-Air Adversarial Attacks on Deep Learning Based Modulation Classifier over Wireless Channels [43.156901821548935]
We consider a wireless communication system that consists of a transmitter, a receiver, and an adversary.
In the meantime, the adversary makes over-the-air transmissions that are received as superimposed with the transmitter's signals.
We present how to launch a realistic evasion attack by considering channels from the adversary to the receiver.
arXiv Detail & Related papers (2020-02-05T18:45:43Z)
This list is automatically generated from the titles and abstracts of the papers in this site.