Localization Techniques for Urban Sensing

1
Localization Techniques for Urban Sensing

• Anil Kapur, Rafael Laufer, Thomas Schmid, Ian Yap
• CS219 Urban Sensing
• Prof. Deborah Estrin

2
Trilateration

• Relative positions of objects using the geometry
  of triangles
• Known locations of two or more reference points
• Measured distance between the subject and
  reference points

3
Trilateration

• Distance can be measured by different means
• Time of Arrival (ToA)
• Delay between the sender and receiver
• One-way time requires synchronization
• No synchronization for round-trip time
• GPS, usual radars or sonars
• Received Signal Strength Indication (RSSI)
• Map of signal distribution
• Model or measurements
• RADAR, Ad hoc Positioning System (APS)

4
Multilateration

• Measures Time Difference Of Arrival (TDOA)
• Signal from the object to the receivers
• Signal from the synchronized transmitters to the
  object

(t1 - t2)
5
Triangulation

• Relative positions of objects using the geometry
  of triangles
• Known distance between two or more reference
  points
• Measured angles between the subject and reference
  points
• Law of sines and cosines

6
Triangulation

• Angles can be measured by the Angle of Arrival
  (AoA)
• Direction of propagation of a RF wave incident on
  an antenna array
• Phase shift at individual elements of the array

?
2
7
Global Positioning System

• A worldwide radio-navigation system
• Every square meter has a unique address
• A constellation of 24 satellites and their ground
  stations
• 6 orbital planes, 12-hour orbits at approximately
  20,000 km

8
How does GPS work?

• aa

9
How does GPS work?

• Trilateration from the satellites
• Satellites as references points for all locations
  on Earth
• Distance measured using the travel time of radio
  signals
• Very accurate timing
• Location of satellites in space
• Error corrections

10
Trilateration from the Satellites
11
Measuring Distance

• Receivers measure the travel time of signals from
  the satellites
• Satellite and receivers have synchronized clocks
• Transmitted signal is well-known
• Satellites and receivers generate the signal
  simultaneously
• Measurement of how late the signal arrives
• Travel time multiplied by the speed of light
  equals distance

12
Pseudo-Random Code

• Sequence of digits which can be easily replicated
• Receiver knows the bit pattern to expect
• Each satellite has its own unique pseudo-random
  code
• Satellites and receiver simultaneously generate
  the code
• Receivers shifts its own code to match the
  satellites one

receiver
satellite
?t
13
Perfect Timing

• Satellites have atomic clocks
• Receivers cannot afford them
• Correction factors are applied

14
Location of Satellites

• High orbits used (? 11,000 miles)
• Atmosphere does not interfere
• Satellites orbit according to simple math
• Receivers have an almanac of satellites
  positions
• Ground stations (namely DoD) control GPS
  satellites
• Precise radars to check satellites altitude,
  position, and speed
• Correction of errors
• Gravitational pulls from the moon and sun
• Pressure of solar radiation

15
Location of Satellites

• Accurate position relayed to the satellites
• Corrected position included in satellites signal

16
Error Correction

• Speed of light only constant in vacuum
• Charged particles of ionosphere
• Water vapor in troposphere
• Multi-path error
• Temporary errors
• Solutions
• Modeling
• Dual frequency
• Rejection techniques

Ionosphere
Troposphere
17
Error Correction

• Selective Availability
• Intentional signal degradation
• Enemies cannot use GPS to make accurate weapons
• Noise introduced into the satellites clock data
• Military receivers use a special decoder
• Turned off in 1996
• Make GPS more responsive to civil and commercial
  use
• Differential GPS could be used to improve
  accuracy anyway

18
Error Correction

• Summary of GPS Error Sources (from Trimble)

Typical Error (m) Standard GPS Differential GPS
Satellite Clocks 1.5 0.0
Orbit Errors 2.5 0.0
Ionosphere 5.0 0.4
Troposphere 0.5 0.2
Receiver Noise 0.3 0.3
Multipath 0.6 0.6
19
Assisted GPS (A-GPS) and Cellular

• What is A-GPS?
• Utilize terrestrial wireless systems to augment
  GPS
• Reduces convergence time and increases precision
  sometimes
• Enhanced 911 (E911) mandate required wireless
  carriers to pinpoint the location of callers by
  October 2001
• Phase 1 required reporting of phone number and
  antennae location
• Phase 2 required phone number and 50 to 300 meter
  precision
• Two main providers of cellular location services
• Snaptrack and Global Locate
• Focus on Snaptrack
• Technology deployed in all Sprint and Verizon
  cell phones
• IS-801 Standard Position Determination Service
  for Dual Mode Spread Spectrum Systems

20
How Snaptracks WorksSystem Overview
21
How Snaptracks WorksSequence of Events

• Phone (ms) sends server (through IP) the base
  station ids(BSSID)
• Server returns satellites overhead based upon
  BSSID.
• Phone switches radio to GPS mode and searches for
  satellites (also keeps data connection up)
• Measures distances to satellites and either
• Reports values to server for calculation(network
  based)
• Calculates location on MS (MS-based)

22
Snaptracks Notes

• Hybrid mode
• Uses cell towers to coarsely locate
• Uses a combination of cell towers and values from
  lt 3 satellites to determine location (heuristics)
• Cant use the phone while youre doing a location
  fix
• High-rate position fixes can drain the battery
  quickly.

23
What is Galileo?

• European Global Navigation Satellite System
  (GNSS)
• 30 satellites 27 sats and 3 spares
• Guaranteed service to civilians (GPS has no
  guarantee)
• Various levels of service
• Interoperable with US
• EGNOS differential corrections
• Even spacing of satellites (unlike GPS)

24
Why Galileo?GPS Shortfalls

• Political statement by Europe, etc signaling
  independence
• Funded by China, Israel, India, etc.
• Brings jobs and to Europe
• Independence from unreliable US military system
• Better performance
• Poorer performance at extreme latitudes
  (airplanes)
• Better coverage in cities (more satellites with
  even spacing)
• Better reliability
• 2.5 GNSS systems
• GPS has no service commitments
• Integrity (Health warnings are quick)

25
Five Levels of Service

• Open Access
• This will be free to air and for use by the
  mass market Simple timing and positioning down
  to 1 meter.
• Commercial
• Encrypted High accuracy at the 1 cm scale
  Guaranteed service for which providers will
  charge a fee
• Safety of Life
• Open Service Applications where guaranteed
  service required Integrity messages warn of
  errors
• Public Regulated
• Encrypted Always available Government users
• Search and Rescue
• System will pick up distress beacons

http//news.bbc.co.uk/1/hi/sci/tech/4555276.stm
26
EGNOSEuropean Navigation Overlay Service

• 34 reference stations on the ground to monitor
  satellites
• 4 Mission control centers process reference
  station information
• Satellite uplinks send corrections to 3
  geostationary satellites which then send signals
  to terrestrial EGNOS receivers
• Receivers also get info from internet or radio
• Failures reported in 6 secs

27
EGNOS Performance
28
Galileo Interoperability

• Shares some of the same frequencies with Galileo
• E2-L1-E1 and L5
• Use different signaling structures and code
  sequences
• Interference between systems less than
  Intrasystem
• Does not share 1227.6 MHz frequency which is a
  US military frequency
• Data sent contains
• Ranging messages
• Satellite clock
• Ephemeris
• Space Vehicle Identity
• Status Flag
• Constellation Almanac
• Accuracy
• Integrity Information (gathered from ground)

29
GPS vs GPS/Galileo Precision

• GPS alone HDOP is 2.5 meters while GPS/Galileo
  HDOP is 1.5 meters.
• Incremental but significant improvement
• Also showed faster time to first fix numbers

http//www.gpsworld.com/gpsworld/article/articleDe
tail.jsp?id30689pageID2
30
GPS Inaccuracies
Ionospheric effects /- 5 meters
Shifts in the satellites in orbit /- 2.5 meters
Clock errors of the satellites clock /- 2 meters
Multipath effect /- 1 meter
Tropospheric effects /- 0.5 meters
Calculation rounding errors /- 1 meter
Total Error /- 15 meters
http//www.kowoma.de/en/gps/errors.htm
31
Why SA Was Turned Off

• US military relies on commercial devices
• C/A provides good enough accuracy for missiles
• Improve SCUDs by 20-25 (according to RAND)
• DGPS(WAAS) already solves for discrepancy within
  the US

http//www.afa.org/magazine/April1996/0496gpsin.as
p
32
A survey on some Security Issues in Localization

• Three Types of positioning systems
• How these systems can be attacked
• How to fight the attacks for each system
• Special Case Study Verifiable Multilateration

33
Two major types of positioning

• Node-centric
• The node figures out is own position by observing
  signals received from public base-stations with
  known locations.
• Infrastructure-centric
• A node needs to figure out its position based on
  mutual communications with other nodes and also
  based on what other nodes think its location is.

34
Types of attacks

• Two basic forms of attacks
• Internal attacks
• One of the nodes in your network is or becomes
  dishonest and cheats on everyone else about its
  position. This is easy to implement on
  node-centric positioning systems.
• External attacks
• An external malicious machine manages to convey
  false info on an honest nodes position to the
  network

35
Attacks in specific areas

• GPS (Global Positioning System)
• US Positioning (Ultrasound)
• RF Positioning (Radio Frequency)

36
Attacks in specific areas

• GPS (Global Positioning System)
• US Positioning (Ultrasound)
• RF Positioning (Radio Frequency)

37
Screwing with GPS

• Satellite signals inherently not encrypted
• Your GPS satellite broadcasts two types of
  signals the civilian unencrypted signal and the
  military(coded) signal
• All private companies and most of the federal
  government use the civilian signals
• Military signals are reserved for, well, military
  uses only

38
Screwing with GPS

• A typical GPS radio signal has a strength of
  about 0.0000000000000001 (1x10-16) Watts at the
  Earths surface
• Easily jammed or blocked by attackers (
  Instructions available for free online )
• A worse kind of attack is using a GPS Satellite
  Simulator to spoof positions. Each one costs only
  10k to 50k or can be rented for 1k per month
  like your apartment
• Your typical GPS device by default will happily
  accept these fake stronger signals than the real
  ones coming from outer space
• Coming up, algorithm for stealing cargo based on
  a real experiment by Los Alamos National Labs

39
Cargo-Stealing 101

• Tactical Scenario 1
• Knock the driver and any passengers out so they
  dont start yelling, steal truck
• Put fake GPS satellite simulators on truck
• Drive off the authorized route while pretending
  to still be on-course thanks to the simulators
• When authorities find out, it is too late

Courtesy of Los Alamos National Labs Report 2003
40
Cargo-Stealing 101

• Tactical Scenario 2
• Sneakily, first feed the GPS tracking system of
  the authorities with fake data of where the truck
  is with your trusty simulator.
• Knock the driver and any passengers out so they
  dont start yelling, steal truck
• Authorities will descend upon the wrong location
  to find the truck and be very disappointed

Courtesy of Los Alamos National Labs Report 2003
41
Dealing with GPS issues

• Military GPS protected from position spoofing by
  codes unbreakable by attackers
• Not true for civilian GPS systems
• Your typical GPS device by default will happily
  accept these fake stronger signals than the real
  ones coming from outer space
• It is important to at least phase out crude form
  of GPS signal spoofing attacks
• This can be done by software modifications
• More often than not, your GPS device is also
  vulnerable to physical attacks

42
Attacks in specific areas

• GPS (Global Positioning System)
• US Positioning (Ultrasound)
• RF Positioning (Radio Frequency)

43
Screwing with Ultrasound

• Mainly used for indoors tracking
• Distance between nodes measured by time of
  propagation of sound signals ( i.e. ToF Time of
  Flight )
• Vulnerable to distance reduction or enlargement
• This is because you can go slower/faster than the
  speed of sound

44
Dealing with Ultrasound issues

• The Echo protocol by Sastry from Berkeley
  proposes an Ultrasound distance bounding
  technique that can prevent distance reduction
  from internal attacks
• The protocol requires that all verifiers must be
  inside the region of interest and basically
  focuses on whether an internal node is lying
  about is position
• External attackers can still screw with the system

45
Attacks in specific areas

• GPS (Global Positioning System)
• US Positioning (Ultrasound)
• RF Positioning (Radio Frequency)

46
Screwing with Radio Frequency

• Problems with using RSS for distance measurements
• Distance calculation based on transmitting a
  signal and measuring the received signal
  strength(RSS).
• Internal attacker can report a false power level
  to an honest node to cheat on its position
• External attackers can jam nodes mutual
  communication and replay the messages with higher
  or lower strength

47
Screwing with Radio Frequency

• RF Time-of-flight measurement is more accurate,
  because the signal is sent at the speed of light
• This means external attackers can only increase
  the distance measured and not ever decrease it
• However, internal attackers can still lie about
  the distance

48
Dealing with Radio Frequency issues

• Brands and Chaum described a more secure
  distance-bounding protocol that can prevent an
  internal attacker from reducing the measured
  distance
• This is because the nodes can set lower bounds on
  the measured distance
• Originally a protocol to deal with Mafia fraud
  attacks

49
Special TopicVerifiable Multilateration(VM)

• Proposed by Srdjan Capkun
• Position verification algorithm/protocol using RF
  distance-bounding
• Designed for cases when positioning of untrusted
  devices has to be done in the vicinity of
  external attackers
• Basic idea is that a point in this scenario can
  securely measure its position by measuring its
  distances to three other trusted nodes(called
  verifiers) in 2-D space(triangle), or 4 others in
  3-D space(pyramid)

50
Special TopicVerifiable Multilateration(VM)

• The point you are measuring from needs to be
  entirely enclosed by at least three
  verifiers(trusted nodes) in a triangle

51
Guarantees of Verifiable Multilateration(VM) with
distance-bounding

• 1. A node located at a certain position within a
  triangle/pyramid formed by verifiers cannot prove
  to be in another position within the same
  triangle/pyramid
• 2. A node outside the triangle/pyramid cannot
  prove to be inside the triangle/pyramid
• 3. An external attacker performing
  distance-enlargement attack cannot trick
  verifiers into believing that a device located
  inside the triangle/pyramid is outside of the
  triangle/pyramid. Same for vice versa.

52
Threats to VM (device cloning)

• Cloned devices seem the same to the base stations
  (they have the same authentication material).
• Attacks
• An attacker can show to be at any position at
  which it placed a cloned device
• An attacker can place one cloned device next to
  each of the base stations and pretend to be at
  any position by enlarging the distances

BS2
BS3
MN
MN

• Possible solutions
• making parts of the devices tamper-resistant
• device fingerprinting

MN
BS1
53
Differential GPS

• Main error sources
• Ionosphere 4m
• Clock 2.1m
• Ephemeris 2.1m
• Troposphere 0.7m
• Receiver 0.5m
• Multipath 1.0m
• Total 10.4m
• Why inaccuracy of 80-100m? Selective Availability

54
DGPS with Beacon

• At known locations collect satellite errors
• Send errors to mobile receivers
• Accuracy 1-5 meters
• This lead the US military to turn off SA
  (selective availability), i.e., the error
  introduced into the timing of GPS signals

55
WAAS, EGNOS, MTSAT

• WAAS Wide Area Augmentation System (US)
• EGNOS European WAAS
• MTSAT Japanese WAAS
• They are all compatible and called WADGPS (Wide
  Area Differential GPS)

56
WADGPS

• Specific locations measure inaccuracy
• Master control compiles the data and uploads to
  satellite
• New satellites with IDs gt 32 send WADGPS data to
  GPS receivers
• All new Garmin and Magellan support WADGPS

57
Some Details on WADGPS

• Clock errors change every minute
• Ephemeris and ionosphere errors change every 2min
  (considered valid up to 6 times)
• Ionosphere error depends on location
• Ephemeris and clock depend on satellite
• Country divided into grid for location data
• More details at http//www.gpsinformation.org/dal
  e/dgps.htm

58
Future Work

• Radio Interferometric Positioning
• Distributed Localization of Networked Cameras

59
Radio Interferometric Ranging

• Transmitter send on slightly different
  frequencies (100-800Hz difference)
• Equation system for multiple carrier frequencies

fCD (dAD-dBDdBC-dAC) mod ?
60
Performance

• Without multipath, 35m average distance 4cm
  average, 12cm max
• With moderate multipath, 9m neighbor distance
  average 5cm, 68 lt 10cm

61
Distributed Localization of Networked Cameras

• Area of networked cameras
• A lot of work to exactly localize each camera (x,
  y, z, orientation)
• Cameras can collaborate and probabilistically
  reason on which camera positions are consistent
  with the observed images
• Only minimal camera overlap is necessary

62
(No Transcript)
63
(No Transcript)