
First Operational, Secured and Trusted galilEo Receiver for ITS

Periodic Reporting for period 2 - FOSTER ITS (First Operational, Secured and Trusted galilEo Receiver for ITS)

Reporting period: 2016-07-01 to 2018-07-31

Increasing trust in positioning and timing (P&T) information is gaining importance, in particular with the advent of connected, self-driving vehicles as well as for applications relying on GNSS to charge users. The recent evolution of Software Defined Radio (SDR) technologies and the availability of low-cost SDR boards provide easy and affordable ways to counterfeit GNSS signals in real time. Detecting and mitigating GNSS attacks is therefore required to limit and control the impact of forged GNSS information in many applications.

The FP7 TACOT project, supported by EC/GSA and coordinated by FDC, demonstrated, in the frame of a Proof of Concept, the capacity to use GNSS data as a secure and trustworthy source of Position, Velocity and Time (PVT) information for one of the most stringent ITS applications: a Digital Tachograph. Building on this momentum, FDC, STMicroelectronics, Novacom Services and Navcert started the H2020 FOSTER-ITS project in 2015 with the aim of developing the first secure GNSS module, resilient to jamming and spoofing attempts, with the clear intention to commercialise the solution after the end of the project.
The project activities gave birth to a fully integrated and secure Multi-GNSS module, able to detect GNSS signal spoofing, jamming attempts and interference, protected against cyber-attacks and delivering authenticated information to the application. When an inconsistency or anomaly is detected, the application is warned and the module switches to dead reckoning navigation, providing an estimate of the true position. It also provides ciphered or digitally signed output, ensuring the authenticity and integrity of the delivered information.

The module integrates in a single casing a multi-constellation GNSS chipset (TESEO III from STMicroelectronics), a secure MCU (ST33 from STMicroelectronics) and several motion sensors. It offers a set of interfaces, such as CAN bus, to take advantage of external information depending on the application context.

Module key features include:
- GNSS spoofing, jamming/interference detection,
- GNSS anti-replay protection,
- PVT Level of Confidence (LOC) indicator,
- Estimate of true position under attack (dead reckoning support),
- Firmware and hardware integrity control,
- Secure memory for sensitive data,
- Secure firmware upgrade and module configuration,
- Secure NMEA stream data (digitally signed),
- Fully compliant with Smart DT ISO7816-4 protocol.

The development started with the specification, design and development of a breadboard, representative of the final module but freed from the hardware integration constraints. The breadboard was used to test competing technologies, validate the module design and easily test and debug the hardware on a large board. It was also used to start the firmware development early. 8 breadboards were manufactured in 3 batches, each implementing corrections and/or evolutions according to technology and architecture trade-offs and selection.

Based on the experience gained with the breadboard, the module was specified, designed and developed. 25 module samples were manufactured in 2 generations.

In parallel, a dedicated standalone evaluation board (EVB) was developed. It offers several serial communication interfaces and is designed to ease vehicle field tests. 7 EVBs were manufactured in 2 generations, supporting respectively the first and second generation of the module.

The specification, design and development of the firmware (FW) and software (SW) progressed in parallel with the hardware. The module FW includes the GNSS part and the Secure part. The GNSS part manages the detection and characterization of attack attempts, the computation of the PVT Level of Confidence (LOC) and the provision of an estimate of the true position under attack. The Secure part manages in particular the boot sequence, FW integrity protection, crypto operations and the interface with the application. In addition, several SW test tools were developed to test the module's performance, covering jamming and spoofing generation, record and replay of GNSS and CAN data, and display of specific module information.

The final development step consisted of merging the validated SW and FW on the module hardware and performing validation and qualification activities. In addition to laboratory tests, a car was equipped with a module and several thousand km of road field tests were performed in France and Italy. The test results were used to validate, calibrate and tune the FW algorithms. The module was also tested in collaboration with the EC JRC EMSL in Ispra in February 2017. All attacks launched on the module were detected, even high grade attacks. In addition, Navcert successfully performed Radio Equipment Directive and UNECE Advanced Emergency Call System Regulation type-approval pre-testing activities.

Last but not least, the module was integrated into a geo-location on-board unit (OBU) adapted to Novacom’s business solutions in order to be tested in the field for:
- transport of critical dangerous goods, increasingly worried about potential threats (terrorism, theft) in which G

The FOSTER-ITS module integrates, for the first time in a single casing, advanced secure MCU technologies, a GNSS chipset and MEMS sensors. It follows state-of-the-art electronic implementation and provides innovative features such as LOC in the GNSS data, digital signature of the computed PVT, and an advanced dead reckoning function. The module aims to become a design reference for secure GNSS Rx, able to respond to the spoofing / jamming threats but also to secure the whole chain from the PVT computation to the operational usage.
FOSTER-ITS module Evaluation Kit
FOSTER-ITS Module Showcase Event at ITS World Congress 2018