PREVENTION OF LOCATION-SPOOFING

A Survey on Different Methods to Prevent the Manipulation

of Locating-Technologies

Michael Decker

Institute AIFB, University of Karlsruhe (TH), Kaiserstr. 89, 76 128 Karlsruhe, Germany

Keywords:

Location-based Services (LBS), Location-Spooﬁng, Mobile Computing Security, Positioning.

Abstract:

There are many different locating technologies to determine a mobile device’s current position. Examples

for such technologies are the satellite-based Global Positioning System (GPS), the cell-ID method in mobile

phone networks or WLAN-based approaches. These technologies are the enabler of so called Location-based

Services (LBS): LBS are services to be used with mobile handheld-computers like PDAs or smartphones that

evaluate a mobile user’s position. When locating-technologies are discussed in the LBS community, the focus

is often on the accuracy of the calculated location whereas the resistance to manipulation attempts by the

possessor of the mobile device or by third-parties is almost never considered. But there are examples of LBS

where users or external attackers might have an incentive to manipulate the locating system. This is termed

as location spooﬁng. This article presents a survey of different technical approaches to prevent or at least to

detect location spooﬁng.

1 INTRODUCTION

Location-based Services (LBS) are services for mo-

bile handheld-computers which evaluate the loca-

tion of at least one mobile device during execution.

The standard example for LBS is that of a Point-of-

Interest-Finder (POI-Finder): such a service guides a

user to certain type of facility (e.g. restaurants, petrol

stations, ATM) in his nearer surrounding.

LBS are enabled by the possibility to determine

the location of a mobile device. This is called locat-

ing. Nowadays many descriptions for locating meth-

ods can be found in literature, see Küpper (2007) for

an overview. While in the common considered sce-

narios for LBS like the above mentioned POI-ﬁnder

it seems to be quite unlikely that someone has an in-

centive to manipulate the employed locating system

there are several evident examples of LBS for which

this isn’t the case, e.g. location-aware access control,

navigation of military vehicles, location-based billing

or geo-fencing.

The term location spooﬁng in literature can re-

fer to the manipulation of a locating system by the

possessor of the device

(internal attack, e.g. Mundt

the possessor of the device isn’t necessarily the legal

owner, e.g. if the device was stolen or lost

(2005)) or by an third-party attacker, who is tech-

nically not involved in the provisioning of the LBS

(external attack, e.g. Warner & Johnston (2003)).

In the domain of computer science the term spoof-

ing usually refers to faking ones identity, e.g. DNS-

or IP-spooﬁng. Spooﬁng doesn’t include the case of

a denial-of-service-attack where the determination of

the location is just inhibited or jammed; such attacks

are noticed by the mobile user or the LBS provider

as failure of the locating system. During a spooﬁng

attack the mobile user or service provider obtains a

faked location statement but isn’t aware that the lo-

cation was faked, so spooﬁng is more dangerous than

just jamming.

The purpose of this article is to give a system-

atic overview of various approaches to prevent lo-

cation spooﬁng that are described in literature. De-

spite extensive literature research we couldn’t ﬁnd a

survey article which covers anti-spooﬁng techniques

from the viewpoint of LBS. To facilitate this presenta-

tion of all the anti-spooﬁng-approaches we developed

an appropriate classiﬁcation scheme.

The remainder of the article at hand is organized

as follows: Section 2 is devoted to an explanation

of basic terms and the introduction of a classiﬁca-

tion scheme for anti-spooﬁng-methods. According to

this scheme — we call it the Anti-Spooﬁng-Tree —

109

Decker M. (2009).

PREVENTION OF LOCATION-SPOOFING - A Survey on Different Methods to Prevent the Manipulation of Locating-Technologies.

In Proceedings of the International Conference on e-Business, pages 109-114

DOI: 10.5220/0002232601090114

 SciTePress

the discussion of the identiﬁed basic methods to pre-

vent spooﬁng from section 3 to section 7 is organized.

Since GPS is the most popular used locating system

we devote section 8 to discuss how GPS is secured

against spooﬁng. The article ends with the obligatory

summary and outlook in section 9.

2 CLASSIFICATION SCHEME

AND BASICS TERMS

During our literature research we identiﬁed ﬁve basic

methods for the preventionof location spooﬁng which

can be found at the second level of the classiﬁcation

tree depicted in ﬁgure 1: Plausibility checks, tam-

perproof hardware, location keys, request-response-

protocols and radio technology methods. The further

subclassiﬁcations shown in the ﬁgure are covered in

the corresponding sections in this paper.

One kind of attack that is relevant for several lo-

cating systems is the so called rerouting attack (also

called wormhole attack): the principle is that a signal

or message is received at a particular location and then

transmitted (maybe using another medium) to another

location, where it is emitted. A perfect rerouting at-

tack can only be detected by the latency (time lag)

it induces. Another similar attack is the replay at-

tack: for such an attack the signal is recorded and re-

played (maybe several times) with a deliberate time

lag, maybe at a different location.

3 PLAUSIBILITY CHECKS

When performing a plausibility check on the level of

the raw messages (e.g. radio signals) of the locating

system we have the possibility to check the absolute

or the relative signal strength (Warner and Johnston,

2003). The signals emitted by the GPS satellites reach

the earth’s surface with a strength of just −160dBW.

An obvious way to perform an external spooﬁng at-

tack is to employ earthbound artiﬁcial satellites (so

called pseudolites) which broadcast faked GPS sig-

nals with a much higher signal level and thus over-

cast the genuine signals from the satellites. This at-

tacks can be detected by checking the absolute signal

strength of the received signals. More sophisticated

attacks can only be detected by paying attention to rel-

atively weak increase of the received signal strength.

There is another plausibility check method based on

the speciﬁc features of GPS: for GPS the approximate

trajectories of the satellites for the next few months

are published in advance over the internet (so called

almanac). So the GPS receiver should check if the

satellites he currently receives at his alleged location

conforms to those listed in the almanac.

A plausibility check can also be performed when

the locating system already calculated the position of

the mobile device based on the received raw mes-

sages: In many scenarios there will be several lo-

cation determinations at different time points so it

can be checked if the mobile device moves with a

reasonable velocity. The route of the mobile device

should also be plausible, e.g. there should be no

alleged movements through obstacles like walls or

buildings. If available the measurements of appro-

priate sensors designed for dead reckoning (e.g. ac-

celerometer, odometer, barometer, (gyro)compass or

speedometer) can be evaluated and checked for con-

cordance with the alleged movement pattern as re-

ported by the primary locating system.

Plausibility checks at the level of the raw mes-

sages are primarily applicable for scenarios where the

plausibility check should be performed on the mobile

device since the raw signals are usually not forwarded

to the backend. Checks of the calculated position can

be done on the device and on the backend.

It is also possible to have dedicated stations in a lo-

cating system for performing plausibility checks, so

called reference stations. Reference stations are an

optional extension of the locating system. For GPS

there are several stations all over the world (e.g. in

Colorado Springs (USA) or on Ascension Island).

These stations know their own position and calculate

their location according to the received locating sig-

nals. If a signiﬁcant deviation is detected, this implies

a malfunction of the locating system or a spooﬁng at-

tack. In this case the operator of the locating system

and/or the mobile user have to be warned.

However, an external attacker could emit his

spooﬁng signals in a way that they only affect the mo-

bile device but not the reference station. Therefore in

literature the suggestion of hidden reference stations

can be found (Capkun et al., 2006), i.e. the locations

of the reference stations are kept secret. Since the se-

cret concerning the location of the reference stations

might be revealed sooner or later there is further the

idea to have mobile reference stations, e.g. motor ve-

hicles equipped with the necessary technical equip-

ment.

4 TAMPERPROOF HARDWARE

From the domain of location-aware digital rights

management (DRM) comes the requirement that an

end user device should only be able to playback mul-

ICE-B 2009 - International Conference on E-business

110

Anti-Location-Spoofing-Methods

Tamperproof

Hardware

Location

Keys

Request-

Response-

Protocols

Plausibility

Checks

On Device

On Backend

Raw

Signals

Calcuated

Location

Reference Stations

HiddenKnown

Moving

Reference

Monitor

on Device

Reference

Monitor

on Backend

Artificial

Natural

Multiple

Singular

Runtime

Proximity

Symmetric

Asymmetric

Methods

Based on

Radio

Technology

Dedicated Non-dedicated

Stationary

Figure 1: “Anti-Spooﬁng-Tree”: Classiﬁcation scheme for Anti-Spooﬁng-Methods.

timedia content (e.g. movies) at particular places

(Mundt, 2005). For set-top-boxes for television sets

there is even the requirementthat the decryption of the

broadcasted content should only be possible within

the subscriber’s private residence but not at public

places like restaurants (Gabber and Wool, 1998). In

this case the owner of the mobile device is also the

potential attacker, so this requires methods for the

prevention of internal attacks. This can only be im-

plemented by using a special hardware module that

is secured against physical manipulation attempts, so

called tamperproof hardware. The tamperproof hard-

ware module has to encapsulate the functionalities for

locating, for making the decision if at the current lo-

cation the content should be playbacked or not (the so

called reference monitor) and the function to decrypt

the content.

The system described by Mundt (2005) is based

on GPS and also includes a clock that is implemented

as tamperproof hardware. He assumes that the signals

emitted by the satellites have a time stamp and are

digitally signed so the locating module would be able

to detect rerouting attacks since rerouting of radio

waves leads to an unavoidable time lag. But to detect

the time lag caused by rerouting a highly precise clock

is necessary, because radio waves travel with light

speed so even rerouting over large distances causes

a time lag in the order of several milliseconds (e.g.

100 km in ≈ 0,3 milliseconds). Such highly precise

time measurements can only be provided by atomic

clocks, but they are too heavy and too expensive so

they cannot be integrated into mobile consumer de-

vices. Mundt’s system therefore uses a quartz clock

that is synchronized with an external time source ev-

ery couple of hours so it isn’t necessary to have a per-

manent internet connection. For this time synchro-

nization a special cryptographic protocol is used.

For the case that the location information is cal-

culated on the mobile device and then forwarded to

the stationary backend of a service provider it can be

reasonable to employ tamperproof hardware on the

mobile client, too: the tamperproof module in this

case not only performs the calculation of the location

but also signs the determined location with a private

key. With the corresponding public key the service

provider then is able to verify the authenticity of the

received location information. The private key has to

be stored inside the tamperproof module because if an

attacker would be able to obtain it he could generate

faked location messages with a valid digital signature.

5 LOCATION KEYS

As location key we regard information that is only

available at particular locations. The mobile user has

to forward this information to some backend system

as proof that he is actually at the location where he

claims to be. This principle is especially suited for

cases where the mobile device calculates its location

and provides this to the LBS provider but the provider

wants to be sure that this calculation wasn’t faked.

We distinguish at the ﬁrst level whether a location

key is of either natural or artiﬁcial origin. “Natural”

means that the key isn’t emitted as result of human

activity. For artiﬁcial keys we can further distinguish

if it is a dedicated or a non-dedicate key: dedicated

keys are generated only for the purpose of the preven-

tion of spooﬁng while non-dedicated keys are emitted

for other purposes and their employment as mean to

prevent spooﬁng is a spin-off effect.

One anti-spooﬁng system that works with non-

dedicated location keys is the so called CyberLoca-

tor (Denning and MacDoran, 1996). The system was

designed to supplement GPS. Using this system the

mobile device is equipped with a GPS receiver and

thus can determine the position by itself, but it has

also to forward the raw signals (radio ﬁngerprint) re-

ceived from the GPS satellites at the backend. It is

not possible to predict the pattern of the raw signals

PREVENTION OF LOCATION-SPOOFING - A Survey on Different Methods to Prevent the Manipulation of

Locating-Technologies

111

receivedat a particular spot on earth’s surface at a par-

ticular time instant because the signals are affected by

many different inﬂuences, e.g. by the ionosphere or

the weather conditions. The trajectory of the satel-

lites is deﬁned in advance and this information is pub-

lished in the GPS signals in form of the so called

ephemeris and almanac data; however, the actual tra-

jectory of the satellites isn’t exactly the one deﬁned

in advance and subject to random inﬂuences. At the

backend the raw signal reported from the mobile de-

vice will be compared to those reported by trusted

reference stations in the proximity of the alleged lo-

cation of the mobile device. The authors of the Cy-

berLocator paper state that the distance between ref-

erence station and mobile device shouldn’t be larger

than 3.000 kilometres; unfortunately the authors of

CyberLocator don’t explain how they calculated this

maximum distance between mobile device and refer-

ence station. Also rerouting attacks (see section 2) are

considered, i.e. a colluding user that actually stays

at the alleged location forwards the received raw sig-

nals to the attacker. However, for the CyberLoca-

tor system it is demanded that the radio ﬁngerprint

is forwarded within 5 milliseconds because it is as-

sumed that rerouting would cause additional latency

beyond that threshold. It seems quite demanding to

meet the maximum latency time of 5 ms even when

not performinga rerouting attack, since UMTS-HSPA

causes a latency of 150 ms, and even wire-bound in-

ternet connections over DSL have a latency of at least

20 ms.

Another system to prevent spooﬁng is called Lo-

cation Aware Access Control (LAAC) and was de-

vised by Cho and colleagues (2006) . Unlike the Cy-

berLocator this system is based on dedicated location

keys that are emitted by the base stations of a wire-

less local area network (WLAN). The location keys

are randomlychosen bit sequences which are renewed

periodically (e.g. every ﬁve seconds). These location

keys are reported to the backend system. The mobile

device has to combine all the location keys it receives

from different base stations within a given timeframe

and combine them by using the XOR-function. Af-

terwards the result of this calculation is then the input

for a hash function whose output is the actual location

key that has to be transmitted to the backend. Since

the backend knows all the current location keys used

by the base stations it is able to calculate the hash val-

ues like the mobile device to verify the correctness of

the received location keys. A further feature of the

system is that the radiation angle of the base stations

can be controlled by using special antennas. If we

have two base stations with a radiation angle of 90° it

is possible to arrange these base stations in a way so

that the area where the waves of both stations can be

received has a rectangular shape. This is an interest-

ing feature to obtain regions that cover the premises

of a business like a restaurant, a hotel or a theme park

where the currently present customers should be able

to access a particular wireless service (e.g. free in-

ternet access, special information services). The au-

thors of LAACs don’t describe arrangements to pre-

vent rerouting attacks but this has to be interpreted by

considering the application scenario that is primarily

addressed, namely to restrict free wireless internet ac-

cess to users staying in a particular area. For rerouting

the colluding attackers usually need a fast data trans-

mission connection; however, if this connection is al-

ready available there is no need to perform a spooﬁng

attack to gain internet access.

Malaney (2007) proposes a system based for in-

door WLANs. The aim of this system is that mobile

devices should be able to prove that they are within

a building. It is assumed that only authorized people

can enter the building (e.g. because there is a gate-

keeper) and should have access to the WLAN. The

mobile devices have to calculate their position (e.g.

based on GPS or a special indoor locating-system)

and measure the signal strength of all the WLAN ac-

cess points they can receive at the current location.

These values have to be reported to a central server

that makes the decision if the mobile device should

get access or not: it is checked if the reported position

lies within the building and then if the reported signal

strength pattern matches the signal strength pattern

for that location. In this scenario the signal strength

pattern of the WLAN access points at a particular lo-

cation can be considered as non-dedicated location

key because unauthorized people cannot get into the

building to measure the signal strength. There are

simulation models to calculate an estimation of a sig-

nal strength pattern at a given location; however, to

work with these models it is necessary to know the

building plan, the locations of the access points and

the speciﬁc attenuation characteristics of the walls

and furniture in the building.

In literature so far no anti-spooﬁng-approach can

be found that is based on natural location keys. How-

ever, the cosmic background radiation could act as

one because it is receivable at each point of the earth’s

surface for a given time instant with a speciﬁc pat-

tern. A further dimension for the discrimination of

location-key methods would be to differentiate be-

tween singular and multiple keys. For singular keys

(e.g. CyberLocator) each location key stands for one

area while for multiple keys (e.g. Malaney’s system)

the location keys may overlap for some regions.

ICE-B 2009 - International Conference on E-business

112

6 REQUEST-RESPONSE-

PROTOCOLS

The basic principle of request-response-protocols is

as follows: the mobile device (prover) receives a re-

quest message from a trusted base station (veriﬁer);

the message contains a non-predictablerandom bit se-

quence (called nonce) and the prover has to send a

response message that is based on this bit sequence.

We distinguish two cases: In runtime-based proto-

cols the prover’s response message won’t arrive in

time at the veriﬁer’s position if the prover is further

away from the prover than alleged because longer

distances lead to longer runtimes. If request and re-

sponse are sent over radio waves it isn’t possible to

sent a message over a larger distance in the same pe-

riod of time because radio waves travel at the speed of

light (≈ 3× 10

m/s), which constitutes the maximum

speed that is possible according to today’s knowledge.

However, measuring the runtime of radio waves re-

quires extreme precise clocks because the travel time

of radio waves for typical application scenarios of

locating technologies are very short. In proximity-

based protocols a prover too far away won’t be able

to receive the veriﬁer’s message because of signal at-

tenuation.

A nice example for a anti-spooﬁng-system em-

ploying a runtime-based request-response-protocol is

the one described by Sastry & colleagues (2003): The

prover can start the protocol by sending a radio mes-

sage with his alleged location to the veriﬁer. If the

veriﬁer receives this messages and deems itself as re-

sponsible for the alleged location he generates a nonce

and sends a request message containing this nonce

over radio back to the prover; the veriﬁer also starts

a precise clock at the time instants he begins to send

the request message. When the prover receives the

request message he sends back the nonce as response

as soon as possible; however, for this way back ul-

trasonic waves are used instead of radio waves. The

veriﬁer will stop the clock when he received the com-

plete response. He veriﬁes that the response indeed

contains the nonce and tests if the calculated runtime

is small enough for the distance between his location

and the alleged location of the prover. The special fea-

ture of this protocol is that it uses two different kinds

of waves for the transmission of the messages, namely

radio waves and ultrasonic waves. This stems from

the requirement that the protocol should be robust

with regard to particular measurement errors of the

messages’ roundtrip time, especially the processing

time required by the prover to produce the response

message. If all the messages would be transmitted

over radio these measurement errors would lead to

distance inaccuracies that would render the protocol

useless for the purpose of prevention location spoof-

ing. That’s why ultrasonic waves are used for the

transmission of the response message. Ultrasonic

waves travel at a velocity that is six orders of magni-

tude smaller than lightspeed (331m/s), so a measure-

ment error of 0.1 seconds results only in a distance er-

ror of ≈ 33 meters, while for radio waves the distance

error would be ≈ 30.000 km for the same time span.

A distance error of 33 meters should be acceptable

even for most indoor locating scenarios. Since the

speed of ultrasonic waves is relatively low the return

way of the nonce is prone to a rerouting attack with

an out-of-band-transmission over radio waves; this is

why the authors of this protocol opted to use the ultra-

sonic waves for the response message and not for the

request message because in their opinion it requires

much more effort to perform a rerouting attack for the

response message than for the request message.

Waters & Felten (2003) describe another request-

response-protocol for the prevention of location

spooﬁng that is based on runtime measurements.

However, in their protocol radio waves are used for

all message exchanges. To discern protocols that use

one kind of wireless waves from protocols that use

different kind of waves we further introduce two fur-

ther sub-classes of request-response protocols that are

mutual exclusive, namely symmetric respective asym-

metric protocols.

An example of a request-response-protocol based

on proximity (i.e. without measuring the runtime of

signals) can be found in Vora et al. (2006). In their

system several veriﬁers are installed within a partic-

ular target region. The system’s purpose is to detect

mobile clients who falsely claim they are within that

target region. To make the system more secure there

are so called rejection veriﬁers outside the target re-

gion; if one of them receives a signal from a prover

the veriﬁer is considered as spoofer.

7 RADIO TECHNOLOGY

There are special approaches concerning the radio

technology employed for locating systems that can

help to prevent spooﬁng attacks:

Spreading of Frequence Spectrum. The basic prin-

ciple of spread spectrum techniques is to transform

a narrow-banded signal into a signal with a broader

bandwidth. It requires more effort to jam or forward a

broadbanded radio signal than a narrow-banded one.

Examples for spread spectrum methods are Frequence

Hopping Spread Spectrum (FHSS) and Direct Se-

PREVENTION OF LOCATION-SPOOFING - A Survey on Different Methods to Prevent the Manipulation of

Locating-Technologies

113

quence Spread Spectrum (DSSS). A simple form to

spread signals is to assign a different frequency to

each sender like for GLONASS: in this system each

satellite broadcasts on his own frequency.

Manchester-Coding. For an attacker it is usually

harder to eliminate a set bit in a radio message than

to set an unset bit. Therefore the idea of the so called

Manchester-Coding is to replace each bit of the origi-

nal message by two bits. This coding is done in a way

that also unset bits are mapped to codewords with set

bits, so an attacker who cannot “delete” bits isn’t able

to alter the navigation message in a consistent way.

Another approach in this class is to use multiple

antennas at a station or device to detect if signals are

arriving from the wrong direction.

8 ANTI-SPOOFING FOR GPS

All of the nominal 24 satellites of the GPS-system

emit signals carrying navigation messages on the

same two radio frequencies called L1 and L2. The

navigation messages contain amongst other things the

identiﬁcation number of the satellite that produced the

message and parameters to describe the trajectories of

the individual satellites. The code division multiple

access (CDMA) method is used to encode the mes-

sages so a receiver is able to obtain the message of a

single receiver. For CDMA the messages are encoded

using a spread code sequence. The GPS has two types

of such code sequences (Küpper, 2007): The Coarse

Acquisition Code (C/A-code) is for the Standard Po-

sitioning Service (SPS), which can be used by civilian

users; it is only broadcasted on the L1 frequency. The

Precise Code (P-code) is for the Precise Positioning

Service (PPS) that should only be accessible by mili-

tary users. It is possible to use a secret Y-key to obtain

the P(Y)-code. The P-code is broadcasted on both fre-

quencies and can be considered as symmetric key be-

cause for encryption and decryption the same key is

used. If someone wants to perform a GPS-spooﬁng-

attack including the PPS he has to know the secret Y-

key. This means that the secret key has to be stored in

all military GPS receivers that are intended to use the

PPS. If only one of this receivers is compromised (e.g.

gets lost or is stolen) the whole systems gets prone to

spooﬁng attacks. To prevent this the Y-key is replaced

every 24 hours (rekeying). Nowadays techniques are

available to beneﬁt from the higher locating accuracy

provided by the PPS messages even if the secret Y is

not known, e.g. so called kinematic or codeless re-

ceivers.

9 CONCLUSIONS: SUMMARY

AND OUTLOOK

In the article we gave a survey on different meth-

ods to prevent the manipulation of location-methods

which was based on a classiﬁcation schema. Since

there is a large variety of different attack methods

as well as anti-spooﬁng-methods it is not possible to

recommend a single approach for the prevention of

location-spooﬁng; rather the decision for one or more

spooﬁng-prevention-techniques has to be made after

an analysis of the respective application scenario and

its speciﬁc security threats and requirements.

REFERENCES

Capkun, S., Cagalj, M., and Srivastava, M. (2006). Secure

localization with hidden and mobile base stations. In

Proceedings of IEEE INFOCOM 2006, pages 1–10.

Cho, Y., Bao, L., and Goodrich, M. T. (2006). LAAC: A

Location-Aware Access Control Protocol. In Mobile

and Ubiquitous Systems, pages 1–7.

Denning, D. E. and MacDoran, P. F. (1996). Location-

Based Authentication. Computer Fraud & Security,

1996(2):12–16.

Gabber, E. and Wool, A. (1998). How to prove where you

are. In ACM Conference on Computer and Communi-

cations Security, pages 142–149.

Küpper, A. (2007). Location-based Services. John Wiley &

Sons, Chichester, U.K.

Malaney, R. A. (2007). Securing Wi-Fi Networks with Po-

sition Veriﬁcation (Extended Version). International

Journal of Security Networks, 2(1-2):27–36.

Mundt, T. (2005). Location Dependent Digital Rights Man-

agement. In ISCC 2005, pages 617–622.

Sastry, N., Shankar, U., and Wagner, D. (2003). Secure Ver-

iﬁcation of Location Claims. In 2nd ACM Workshop

on Wireless Security, pages 1–10, San Diego, USA.

Vora, A. and Nesterenko, M. (2006). Secure Location Veri-

ﬁcation using Radio Broadcast. IEEE Transactions on

Dependable and Secure Computing, 3(4):377–385.

Warner, J. S. and Johnston, R. G. (2003). GPS Spooﬁng

Countermeasures. Technical Report LAUR-03-6163,

Los Alamos National Laboratory (USA).

Waters, B. R. and Felten, E. W. (2003). Secure, pri-

vate proofs of location. Technical Report TR-667-03,

Princeton University.

ICE-B 2009 - International Conference on E-business

114