Radio communication systems generally provide two-way voice and data communication between remote locations. Examples of such systems are cellular and personal communication system (“PCS”) radio systems, trunked radio systems, dispatch radio networks, and global mobile personal communication systems (“GMPCS”) such as satellite-based systems. Communication in these systems is conducted according to a pre-defined standard. Mobile devices or stations, also known as handsets, portables or radiotelephones, conform to the system standard to communicate with one or more fixed base stations. It is important to determine the location of such a device capable of radio communication especially in an emergency situation. In addition, in 2001 the United States Federal Communications Commission (“FCC”) required that cellular handsets must be geographically locatable. This capability is desirable for emergency systems such as Enhanced 911 (“E-911”). The FCC requires stringent accuracy and availability performance objectives and demands that cellular handsets be locatable within 100 meters 67% of the time for network based solutions and within 50 meters 67% of the time for handset based solutions.
Current generations of radio communication generally possess limited mobile device location determination capability. In one technique, the position of the mobile device is determined by monitoring mobile device transmissions at several base stations. From time of arrival or comparable measurements, the mobile device's position may be calculated. However, the precision of this technique may be limited and, at times, may be insufficient to meet FCC requirements. In another technique, a mobile device may be equipped with a receiver suitable for use with a Global Navigation Satellite System (“GNSS”) such as the Global Positioning System (“GPS”). GPS is a radio positioning system providing subscribers with highly accurate position, velocity, and time (“PVT”) information.
FIG. 1 is a schematic representation of a constellation 100 of GPS satellites 101. With reference to FIG. 1, GPS may include a constellation of GPS satellites 101 in non-geosynchronous orbits around the earth. The GPS satellites 101 travel in six orbital planes 102 with four of the GPS satellites 101 in each plane. Of course, a multitude of on-orbit spare satellites may also exist. Each orbital plane has an inclination of 55 degrees relative to the equator. In addition, each orbital plane has an altitude of approximately 20,200 km (10,900 miles). The time required to travel the entire orbit is just under 12 hours. Thus, at any given location on the surface of the earth with clear view of the sky, at least five GPS satellites are generally visible at any given time.
With GPS, signals from the satellites arrive at a GPS receiver and are conventionally utilized to determine the position of the receiver. GPS position determination is made based on the time of arrival (“TOA”) of various satellite signals. Each of the orbiting GPS satellites 101 broadcasts spread spectrum microwave signals encoded with satellite ephemeris information and other information that allows a position to be calculated by the receiver. Presently, two types of GPS measurements corresponding to each correlator channel with a locked GPS satellite signal are available for GPS receivers. The two carrier signals, L1 and L2, possess frequencies of 1.5754 GHz and 1.2276 GHz, or wavelengths of 0.1903 m and 0.2442 m, respectively. The L1 frequency carries the navigation data as well as the standard positioning code, while the L2 frequency carries the P code and is used for precision positioning code for military applications. The signals are modulated using bi-phase shift keying techniques. The signals are broadcast at precisely known times and at precisely known intervals and each signal is encoded with its precise transmission time. There is also an L2C signal being transmitted by several satellites. The LC2C signal is a second civilian frequency transmitted by GPS satellites. L1 transmits the Coarse Acquisition (“C/A”) code. L2C transmits L2CM (civil-moderate) and L2CL (civil long) codes. These codes allow a device to differentiate between satellites that are all transmitting on the same frequency. The C/A code is 1 milliseconds long, the L2CM is 20 milliseconds long and the L2CL is 1.5 seconds long. The L2C codes provide a more robust cross-correlation performance so that reception of weak GPS signals is less affected by simultaneously received strong GPS signals. The civil navigation message (“CNAV”) is the broadcast model that can be transmitted on the L2C and provides a more accurate and frequent message than the legacy navigation message.
GPS receivers measure and analyze signals from the satellites, and estimate the corresponding coordinates of the receiver position, as well as the instantaneous receiver clock bias. GPS receivers may also measure the velocity of the receiver. The quality of these estimates depends upon the number and the geometry of satellites in view, measurement error and residual biases. Residual biases generally include satellite ephemeris bias, satellite and receiver clock errors, and ionospheric and tropospheric delays. If receiver clocks were perfectly synchronized with the satellite clocks, only three range measurements would be needed to allow a user to compute a three-dimensional position. This process is known as multilateration. However, given the engineering difficulties and the expense of providing a receiver clock whose time is exactly synchronized, conventional systems generally account for the amount by which the receiver clock time differs from the satellite clock time when computing a receiver's position. This clock bias is determined by computing a measurement from a fourth satellite using a processor in the receiver that correlates the ranges measured from each satellite. This process requires four or more satellites from which four or more measurements can be obtained to estimate four unknowns x, y, z, b. The unknowns are latitude, longitude, altitude and receiver clock offset. The amount b, by which the processor has added or subtracted time, is the instantaneous bias between the receiver clock and the satellite clock. It is possible to calculate a location with only three satellites when additional information is available. For example, if the altitude of the handset or mobile device is well known, then an arbitrary satellite measurement may be included that is centered at the center of the earth and possesses a range defined as the distance from the center of the earth to the known altitude of the handset or mobile device. The altitude of the handset may be known from another sensor or from information from the cell location in the case where the handset is in a cellular network.
Downloading broadcasted ephemeris information from one or more of the satellites is slow (i.e., no faster than 18 seconds given that a respective GPS satellite-navigation message is 900 bits in length and broadcast in a 50 bps data stream). When in environments in which GPS signals possess low signal strengths, downloading ephemeris information is frequently difficult and sometimes impossible. Responsive to these obstacles, some prior and current GPS implementations make use of a terrestrial wireless or wired communication medium for transmitting ephemeris information to a GPS. These GPS implementations are commonly known as “Assisted-GPS” or, simply, A-GPS and/or A-GNSS.
A-GPS has gained significant popularity recently in light of stringent time to first fix (“TTFF”), i.e., first position determination and sensitivity, requirements of the FCC E-911 regulations. In A-GPS, a communications network and associated infrastructure may be utilized to assist the mobile GPS receiver, either as a standalone device or integrated with a mobile station or device. The general concept of A-GPS is to establish a GPS reference network (and/or a wide-area D-GPS network or a wide area reference network (“WARN”)) including receivers with clear views of the sky that may operate continuously. This reference network may also be connected with the cellular infrastructure, may continuously monitor the real-time constellation status, and may provide data for each satellite at a particular epoch time. For example, the reference network may provide ephemeris information, UTC model information, ionosphere model information, and other broadcast information to the cellular infrastructure. As one skilled in the art would recognize, the GPS reference receiver and its server (or position determining entity) may be located at any surveyed location with an open view of the sky. Typical A-GPS information may include data for determining a GPS receiver's approximate position, time synchronization mark, satellite ephemerides, various model information and satellite dopplers. Different A-GPS services may omit some of these parameters; however, another component of the supplied information is the identification of the satellites for which a device or GPS receiver should search. From such assistance data, a mobile device will attempt to search for and acquire satellite signals for the satellites included in the assistance data. If, however, satellites are included in the assistance data that are not measurable by the mobile device (e.g., the satellite is no longer visible, etc.), then the mobile device will waste time and considerable power attempting to acquire measurements for the satellite.
Civilian GPS signals are vulnerable to attacks such as blocking, jamming and spoofing. The goal of such attacks generally is to prevent a position lock (e.g., blocking and jamming) or to feed a receiver false information so that the receiver computes an erroneous time or location (e.g., spoofing). GPS receivers are generally aware when blocking or jamming is occurring because the receivers encounter a loss of signal. Spoofing, however, is a surreptitious attack. Currently, no countermeasures are in use for detecting spoofing attacks.
Civilian GPS signals are widely used by government and private industries for important applications, including, but not limited to, public safety services, navigation, geolocation, hiking, surveying, robotics, tracking, etc. Unfortunately, civilian GPS signals are not secure. Since GPS signal strength, measured at the Earth's surface at about −160 dBw (1×10−16 watts), is roughly equivalent to viewing a 25 watt light bulb from a distance of 10,000 miles, GPS signals may be blocked by destroying or shielding a receiver's antenna and may be jammed by a signal of a similar frequency but greater strength. As stated above, however, blocking and jamming are not the greatest security risk. A more pernicious attack involves feeding the receiver fake or forged satellite signals so that the receiver believes it is located somewhere in space and time that it is not. Spoofing may be accomplished by utilizing a GPS satellite simulator. Such simulators are uncontrolled and widely available. To conduct the spoofing attack, an adversary may broadcast a forged satellite signal with a higher signal strength than the true signal, and the GPS receiver believes that the forged signal is actually a true GPS signal. The receiver may then proceed to calculate erroneous position or time information based on this forged signal.
It is also possible for an unscrupulous user or intermediary to alter the software in a wireless device to manipulate satellite measurements thereby causing a location determining system to calculate an incorrect location. This method of spoofing is generally termed as location spoofing. Generally, if satellite measurements are manipulated in a wireless device randomly, it is likely that a resulting position calculation will fail because the position of the respective satellites will be too far away from the actual code phase indicated location; however, a skillful user may calculate code phases that are required to result in the calculation of a spoofed or false location by the location determining system.
When acquiring GNSS measurements for A-GNSS positioning, conventional devices do not utilize information available in the navigation data message provided by satellite signals. The navigation data message, however, contains elements that are dynamic and thus difficult to predict and spoof. Unfortunately, the navigation data message is modulated on the coarse acquisition signal at a rate of 50 bps. GPS uses 1500 bits in each frame, and thus it takes 30 seconds to receive an entire frame, much longer than the typical time allowed for A-GNSS positioning.
Accordingly, there is a need for a method and system for protecting against spoofed A-GNSS measurements that would overcome the deficiencies of the prior art. Therefore, an embodiment of the present subject matter provides a method for detecting one or more forged satellite measurements transmitted from a wireless device. The method may comprise sending information to a wireless device, the information including a request that the wireless device provide a portion of a navigation data message from one or more satellites to a location determining system. One or more satellite measurements and the portion of the navigation data message may be received from the wireless device. The navigation data message may be determined from the one or more satellites as a function of information from a reference network. The determined navigation data message may then be compared with the received navigation data message to thereby determine whether any of the one or more satellite measurements transmitted by the device have been forged.
Another embodiment of the present subject matter provides a method for determining whether a wireless device transmitted a forged satellite measurement. The method may comprise receiving at the wireless device signals from a plurality of satellites and transmitting to a location determining system signals representing measurements from the plurality of satellites, the measurements including one or more portions of a navigation data message. A navigation data message may be determined from the plurality of satellites as a function of information from a reference network, and then the determined navigation data message compared with the received navigation data message portions from the device to thereby determine whether one or more of the received satellite measurements have been forged.
A further embodiment of the present subject matter may provide a method for determining the estimated location of a wireless device when the device transmits one or more forged satellite measurements to a location determining system. The method may include sending a request to a wireless device to provide a portion of a navigation data message from one or more satellites to a location determining system. The one or more satellite measurements and the portion of the navigation data message from the wireless device may be received by a location determining system. The received navigation data message may then be compared to an assembled navigation data message to thereby determine whether any of the one or more satellite measurements have been forged. An estimated location of the wireless device may then be determined without the one or more forged satellite measurements.
One embodiment of the present subject matter provides a system for detecting one or more forged satellite measurements transmitted from a wireless device. The system may include a transmitter for sending information to a wireless device, the information including a request that the wireless device provide a portion of a navigation data message from one or more satellites. The system may further include a receiver for receiving one or more satellite measurements and the portion of the navigation data message from the wireless device, and circuitry for determining the navigation data message from the one or more satellites as a function of information from a reference network. The system may also include circuitry for comparing the determined navigation data message with the received navigation data message to thereby determine whether any of the one or more satellite measurements have been forged.
These embodiments and many other objects and advantages thereof will be readily apparent to one skilled in the art to which the invention pertains from a perusal of the claims, the appended drawings, and the following detailed description of the embodiments.