Secure Perception for
Autonomous Vehicles
Todd Humphreys, Aerospace Engineering
CTR Symposium, April 23, 2014
Autonomous Control System Security
The general secure control problem envisions arbitrary
manipulation of y and u (e.g, de...
Example: Autonomous Ground Vehicles
(1) V2V and V2I security is fairly good, but CRL may be stale
(2) Navigation and timin...
Example: Autonomous Aircraft
Wesson and Humphreys, Scientific American, Nov. 2013
Example: Autonomous Aircraft
Shepard, Bhatti, Humphreys, Fansler, “Evaluation of smart grid and civilian UAV vulnerability to GPS spoofing attacks,” Pr...
Covert post-capture UAV control is possible provided the
spoofer can learn the target’s flight pattern
Covert Post-Capture...
Result of GPS hacking attack
V2V and V2I Security
(1) How will unauthenticated messages be handled?
(2) How to deal with latency in certificate revocat...
Cautionary Tale: FAA’s ADS-B is Insecure
It may be too late for ADS-B, but V2V and V2I still have a
chance to get security...
radionavlab.ae.utexas.edu
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Secure Communications for Autonomous Vehicles
Upcoming SlideShare
Loading in …5
×

Secure Communications for Autonomous Vehicles

965 views

Published on

Todd Humphreys recently presented at the CTR Symposium on the vulnerabilities of wireless communications, and the future of how it applies to autonomous vehicles.

Published in: Engineering, Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
965
On SlideShare
0
From Embeds
0
Number of Embeds
397
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • The general secure control problem, in which we wish to detect and survive an attack that can arbitrarily manipulate y and u is insoluble: under these conditions, it’s game over. To see why, consider just half the problem – that of secure state estimation ...
  • By contrast to the so-called proximity spoofing attacks treated in (Humphreys et al., 2008) and (Shepard
    et al., 2012b), where the spoofer is effectively co-located with the target receiver, the current presentation considers
    spoofing from a distance, as illustrated in Fig. 1. Through its receive antenna, marked RX, the spoofer receives authentic signals from all visible GPS satellites. The vectors rTX and rt represent, respectively,
    the 3-dimensional coordinates of the spoofer’s transmit antenna, marked TX, and the target aircraft’s GPS
    antenna relative to the spoofer’s receive antenna. The spoofer and target antennas are assumed to be located
    at respective distances rsi and rti from the ith GPS satellite.

    The spoofer generates a counterfeit signal for each authentic signal received. In the case of an initially-aligned
    attack, the spoofer’s counterfeit signal ensemble arrives at the target antenna in such a way that each signal
    is approximately spreading-code-phase aligned (within a few meters) with its authentic counterpart. After
    capture of the target receiver’s carrier- and code-phase tracking loops, the spoofer adjusts the relative code
    phases of its spoofing signals to induce the target receiver to report the simulated (false) location r relative
    to its true location; the target receiver’s apparent time offset from true time can also be adjusted by a common
    displacement of the counterfeit code phases.

    An aligned attack is only possible if the spoofer (1) measures all relevant system delays to within a few
    nanoseconds, and (2) compensates for these delays by generating a slightly advanced (predicted) version of
    the signals it receives. For civil GPS signals, reliable prediction is trivial because the spreading codes are
    unencrypted and openly documented, the satellites follow regular orbits, and the modulating navigation data
    follow regular patterns. Military GPS signals, by contrast, enjoy strong encryption of the spreading code;
    indeed spreading code unpredictability is the very basis of their security.
    For the ith GPS satellite, the total distance-equivalent system delay that must be compensated is given by the equation above.
  • By contrast to the so-called proximity spoofing attacks treated in (Humphreys et al., 2008) and (Shepard
    et al., 2012b), where the spoofer is effectively co-located with the target receiver, the current presentation considers
    spoofing from a distance, as illustrated in Fig. 1. Through its receive antenna, marked RX, the spoofer receives authentic signals from all visible GPS satellites. The vectors rTX and rt represent, respectively,
    the 3-dimensional coordinates of the spoofer’s transmit antenna, marked TX, and the target aircraft’s GPS
    antenna relative to the spoofer’s receive antenna. The spoofer and target antennas are assumed to be located
    at respective distances rsi and rti from the ith GPS satellite.

    The spoofer generates a counterfeit signal for each authentic signal received. In the case of an initially-aligned
    attack, the spoofer’s counterfeit signal ensemble arrives at the target antenna in such a way that each signal
    is approximately spreading-code-phase aligned (within a few meters) with its authentic counterpart. After
    capture of the target receiver’s carrier- and code-phase tracking loops, the spoofer adjusts the relative code
    phases of its spoofing signals to induce the target receiver to report the simulated (false) location r relative
    to its true location; the target receiver’s apparent time offset from true time can also be adjusted by a common
    displacement of the counterfeit code phases.

    An aligned attack is only possible if the spoofer (1) measures all relevant system delays to within a few
    nanoseconds, and (2) compensates for these delays by generating a slightly advanced (predicted) version of
    the signals it receives. For civil GPS signals, reliable prediction is trivial because the spreading codes are
    unencrypted and openly documented, the satellites follow regular orbits, and the modulating navigation data
    follow regular patterns. Military GPS signals, by contrast, enjoy strong encryption of the spreading code;
    indeed spreading code unpredictability is the very basis of their security.
    For the ith GPS satellite, the total distance-equivalent system delay that must be compensated is given by the equation above.
  • The 213-foot, $80M White Rose of Drachs motoryacht.
  • WROD experiment team (from left): Kenneth Himschoot, Master Andrew Schofield, Prof. Todd Humphreys, graduate studen Jahshan Bhatti.
  • WROD navigation and surveillance equipment: 2 independent GPS units, magnetic compass, 2 independent gyrocompasses, dual-band radar, down-facing sonar, Doppler speed log, electronic chart display
  • Secure Communications for Autonomous Vehicles

    1. 1. Secure Perception for Autonomous Vehicles Todd Humphreys, Aerospace Engineering CTR Symposium, April 23, 2014
    2. 2. Autonomous Control System Security The general secure control problem envisions arbitrary manipulation of y and u (e.g, deception and DoS attacks) 2008
    3. 3. Example: Autonomous Ground Vehicles (1) V2V and V2I security is fairly good, but CRL may be stale (2) Navigation and timing security is poor due to GPS vulnerability (3) High-level “autonomy protocol” may be fragile, hackable
    4. 4. Example: Autonomous Aircraft Wesson and Humphreys, Scientific American, Nov. 2013
    5. 5. Example: Autonomous Aircraft
    6. 6. Shepard, Bhatti, Humphreys, Fansler, “Evaluation of smart grid and civilian UAV vulnerability to GPS spoofing attacks,” Proc. ION GNSS, Nashville, TN, 2012
    7. 7. Covert post-capture UAV control is possible provided the spoofer can learn the target’s flight pattern Covert Post-Capture UAV Control A.J. Kerns, D.P. Shepard, J.A. Bhatti, T.E. Humphreys, "Unmanned Aircraft Capture and Control via GPS Spoofing,“ Journal of Field Robotics, 2014.
    8. 8. Result of GPS hacking attack
    9. 9. V2V and V2I Security (1) How will unauthenticated messages be handled? (2) How to deal with latency in certificate revocation? (3) Are proposed local ad-hoc cross-checks good enough? (4) Should we give up on privacy?
    10. 10. Cautionary Tale: FAA’s ADS-B is Insecure It may be too late for ADS-B, but V2V and V2I still have a chance to get security right
    11. 11. radionavlab.ae.utexas.edu

    ×