DetectingGNSSAttackson Smartphones

(1)

Detecting GNSS Attacks on Smartphones

A method for detecting attack on GPS signals in Android phones

JALIL SHOKOUH

Master’s Degree Project Stockholm, Sweden July 2013

XR-EE-LCN 2013:013

(2)

(3)

A B S T R A C T

There has been a significant growth in Location-Based Services (LBS) on mobile applications. These applications provide service to users based on their geographical locations. Emergency services, tracking, navigation, advertising and social networking are examples of them. As the majority of today’s mobile phones are equipped with GPS receivers, GPS positioning has become one of the primary methods for obtaining users’ location. Moreover, GPS provides accurate time service and many applications specially for time synchronization are relying on GPS. Despite the good accuracy it provides, security is not considered from scratch in civilian GPS and its signals are weak, vulnerable to spoofing and prone to jamming. As it has become a more and more valuable resource, malicious agents have also become keener to identify and abuse the weaknesses in order to interrupt users or commit fraud. That is why there have been continuous alerts about insecurity in civilian GPS in scholarly and academic publications. A considerable amount of research has been conducted to tackle the problem of insecurity in GPS, but proposed solutions need either fundamental changes in GPS signal structure or more sophisticated types of receivers. As changes in GPS signal structure need time, money and political will, this work works on a method to detect spoofing of GPS signals based on the current GPS signal structure and receivers on mobile phones. We cross- check positioning and time information by comparing it with other sources of information. GPS positioning data are compared with the user’s position derived from Wi-Fi positioning and cell positioning and the distance between those is shown to the user. The system also keeps the recent distances and if those positions are moving away from each other, it notifies the user about this suspicious behaviour. Regarding verification of the GPS time, it is compared with a time server on the internet. An Android application was designed and developed to implement this method. Then experimental evaluations were performed in the urban area of the city of Stockholm. Results show that the system can perform positioning with mean value of 50 meter accuracy and detect simulated spoofing attack. Moreover, it detects the suspicious behaviour if the calculated position and GPS position are gradually moving away from each other.

Keywords: GNSS, GPS security, Wi-Fi positioning, Cell positioning, Android

i

(4)

(5)

A C K N O W L E D G E M E N T S

This is a master’s thesis work that has been conducted in the period of autumn 2012 till spring of 2013 under the supervision of professor Panos Papadimitratos in Lab of Communication Networks at KTH, school of Electrical Engineering. I want to thank my supervisor for all his support during all the phases of this work from the very beginning until the conclusion of the project.

iii

(6)

C O N T E N T S

1 Introduction 1

1.1 Problem Definition . . . 2

1.2 Contribution . . . 3

1.3 Method . . . 3

1.3.1 Research strategy . . . 4

1.4 Equipment . . . 4

1.5 Limitations . . . 5

1.6 Thesis Outline . . . 5

2 Background 7 2.1 History of positioning . . . 7

2.2 Global Navigation Satellite System (GNSS) . . . 7

2.3 Global Positioning System (GPS) . . . 10

2.4 Differential GPS (DGPS) . . . 11

2.5 Assisted GPS (AGPS) . . . 11

3 Related work 13 3.1 GPS security . . . 13

3.2 Positioning . . . 14

4 Implementation 17 4.1 Overview of android applications . . . 17

4.1.1 Android platform . . . 17

4.1.2 Android Application Architecture . . . 19

4.1.3 Preparing development environment . . . 20

4.1.4 Database in Android . . . 21

4.2 System components . . . 21

4.2.1 Positioning resource . . . 22

4.2.2 LocationAPI . . . 22

4.2.3 Positioning Manager . . . 27

4.3 Perform Positioning . . . 27

4.4 Reporting to the user . . . 32

4.5 Checking GPS time . . . 35

4.6 Preparing for test and evaluation . . . 36

iv

(7)

5 Evaluation 37

5.1 Evaluation Methodology . . . 37

5.2 Positioning subsystem evaluation . . . 38

5.2.1 Offline provider . . . 38

5.2.2 OpenCellID . . . 40

5.2.3 Combain . . . 41

5.2.4 Combination of providers . . . 41

5.3 GPS position verification subsystem . . . 43

5.4 GPS time check subsystem . . . 46

6 Conclusion and Discussion 51 6.1 Future Work . . . 51

Bibliography 53

A Appendix 57

B Appendix 61

C Appendix 63

v

(8)

L I S T O F F I G U R E S

2.1 Galileo infrastructure. Illustration from [33] . . . 9

4.1 Android software stack. Picture from android.com . . . 18

4.2 “com.secureGPS.providers.LocationProviders” package . . . 22

4.3 “cellPositions” table . . . 24

4.4 Application in learning mode . . . 25

4.5 “WifiMeasure” table . . . 25

4.6 “CellMeasure” table . . . 26

4.7 Detecting measures by the system . . . 26

4.8 classes in “come.secureGPS.database” package . . . 27

4.9 System architecture . . . 28

4.10 Main activity (UI) . . . 29

4.11 Positioning process for one round . . . 30

4.12 Google map activity . . . 31

4.13 Scatter plot and correlation value . . . 33

4.14 Validating the GPS time . . . 36

5.1 Distances to GPS position for offline provider . . . 39

5.2 Distances to GPS position for OpenCellID provider . . . 40

5.3 Distances to GPS position for combain provider . . . 41

5.4 Distances to GPS position for offline and combain providers . . . 42

5.5 Correlation coefficient value calculated by system and MATLAB 44 5.6 Least Square Regression Line before detecting deviation . . . 46

5.7 Least Square Regression Line in time of detecting deviation . . . 47

5.8 Least Square Regression Line when the system returns to normal state . . . 48

5.9 Difference between GPS time and server time . . . 49

C.1 The path that the experiment was carried out . . . 64

C.2 Positioning elements for every 15 cycles of checking . . . 65

C.3 System positioning near T-Centralen metro station. . . 66

C.4 System positioning near Bantorget park, Stockholm . . . 67

C.5 System positioning near Odenplan T-bana, Stockholm . . . 67

C.6 System positioning near Vasaparken, Stockholm . . . 68

vi

(9)

L I S T O F T A B L E S

5.1 Evaluation of location providers . . . 43

vii

(10)

(11)

A C R O N Y M S

GPS Global Positioning System . . . .1

LBS Location-Based Service . . . .1

VC Vehicular Communication . . . .1

DoT Department of Transportation . . . .1

NMA Navigation Message Authentication . . . .2

CNAV Civil Navigation . . . .2

AP Access Point . . . .3

IS Information Systems . . . .3

SDK Software Development Kit . . . .4

ADT Android Development Tool . . . .4

IDE Integerated Development Environment . . . .4

GNSS Global Navigation Satellite Systems . . . .5

DoD Department of Defense . . . .7

QZSS Quasi-Zenith Satellite System . . . .9

IRNSS Indian Regional Navigational Satellite System .9 GEO Geostationary Earth Orbit . . . .9

ToT Time of Transmission . . . .10

DGPS Differential GPS . . . .11

SPS Standard Positioning Service . . . .10

PPS Precise Positioning Service . . . .10

C/A Coarse Acquisition . . . .10

SA Selective Availability . . . .10

SD Selective Denial . . . .10

TTFF Time to First Fix . . . .11

AGPS Assisted GPS . . . .11

VSD Vestigial Signal Defence . . . .13

TDoA Time Difference of Arrival . . . .14

ToA Time of Arrival . . . .14 ix

(12)

AoA Angle of Arrival . . . .14

GUI Graphical User Interface . . . 19

ANR Application Not Responding . . . .19

MNC Mobile Network Code . . . .24

MCC Mobile Country Code . . . .24

LAC Location Area Code . . . .24

MNC Mobile Network Code . . . .24

SSID Service Set Identification . . . .25

BSSID Basic Service Set Identification . . . .25

RSSI Received Signal Strength Indicator . . . .25

DAO Data Access Object . . . .27

IQR Interquartile Range . . . .29

NTP Network Time Protocol . . . .35

x

(13)

1

1 I N T R O D U C T I O N

There has been a significant growth in using mobile applications in recent years [31,32]. Some of them use Location-Based Service (LBS) as a basis for their functionality to provide service to the user based on mobile phone geographical location. Emergency services, advertising, fleet management systems and social networking are examples of such applications. Moreover, mobile embedded units in Vehicular Communication (VC) systems provide service to the users based on positioning information. Global Positioning System (GPS) is one of the methods to acquire location of mobile device. Receiver on the mobile phone receives data from the GPS satellites and it finds the current position of the user.

The GPS signals provide a positioning service with relatively good accuracy, but security is not considered from scratch in civilian GPS [20]. As we have the experience of personal computers and the internet, at the beginning of such technologies the majority of users were not concerned about security. PCs were used without antivirus and firewall and internet communications were mostly in plain text format. As the computers and internet have become inseparable from everyday life, having antivirus and firewall on computers and using secure forms of communications over the internet is no longer an option but a necessity. Similarly, nowadays, many activities ranging from leisure and cultural activities to businesses and telecommunications, particularly in terms of time synchronization, are becoming profoundly dependent on GPS. We have seen from the internet experience, the more valuable a resource becomes for people, the keener the malicious agents will be to identify and abuse the weaknesses of that resource, aiming to interrupt users or commit fraud. Having a look at the research in the field of GPS security, one can recognize the continuous alerts about insecurity in civilian GPS. The report published by US Department of Transportation (DoT) in 2001 confirms the weaknesses of civil GPS and its vulnerability to spoofing [40,42]. Much research has been conducted to address this vulnerability. While some of them need changes in GPS signals structure, there are some methods that strive to do so without need for such changes[25–

27]. Nevertheless, GNSSs still do not provide a ready to use civilian protection service. Therefore, finding the vulnerabilities of GPS and mitigating them is a must. It goes without saying that secure positioning is one of the challenges in mobile applications as people increasingly rely on it.

(14)

2 PROBLEM DEFINITION 1.1

1.1 PROBLEM DEFINITION

Due to the long distance of GPS satellites to the earth and the system design, GPS signals have low power when they reach the receivers. They are weak, vulnerable to spoofing and prone to jamming [25,27, 40]. Abusing these weaknesses by adversaries can impact on the functionality of the systems that use positioning data. For example, in VC systems or fleet management systems such attacks can have negative impact on efficiency and safety of the transportation systems [24, 28, 29]. To address the spoofing vulnerability, researchers have taken cryptographic and non-cryptographic approaches and have devised some mitigation techniques [14,42]. Multi antenna receiver is considered to be the strongest non-cryptographic technique. In this method, GPS receiver utilizes more than one antenna to capture GPS signals. But it has two basic shortcomings. Firstly, such receivers are larger, heavier and more expensive than one antenna receivers. Secondly, this method is still vulnerable to coordinated attack [11, 42]. With respect to cryptographic approaches, much research has been conducted to find a cryptographic solution for spoofing of GPS signals. Implementing some of those solutions need time, money and political will since significant changes in GPS space segment and its signal architecture are necessary. Among the cryptographic solutions, Navigation Message Authentication (NMA) has been recommended by most research as a foundation for addressing civilian GPS vulnerabilities [7, 21,35,42]. It can be implemented using the capabilities of modern GPS Civil Navigation (CNAV) and does not need such basic changes [10]. The basic idea in NMA is that the GPS’s control segment¹ encrypts or signs the navigation message it generates. In this way the receivers can verify the authenticity of navigation message [30,42]. This method has also been suggested for Galileo and may be implemented [30, 44]. NMA can verify that the navigation message in generated by GPS control segment, but it cannot verify that the GPS signals come from satellite or a simulator. Therefore, it is vulnerable to re-play attack [7, 27, 35]. The method that is proposed in [25] and is patented in [26] does not require such changes in the GPS signal architecture or using more sophisticated types of receivers and can be used as complimentary method to the cryptographic approaches. This method also can be used in the other GNSSs. The idea in this method is to predict GNSS’s location and time data and compare it with the actual data it receives from GNSS. Moreover, it predicts the GNSS signal Doppler shift and compare it with the actual one and based on this comparison determine whether the the GNSS signal is under attack or not. This idea has not implemented in the realm of smart phones and as the number of smart phone users and location-based

1 The ground-based segment of Global Positioning System that is responsible for sending com- mands and data, monitoring and analysis of satellites in space.

(15)

1.2 CONTRIBUTION 3

applications are increasing, this gap has to be bridged.

1.2 CONTRIBUTION

This work is going to work out a method to detect attacks on GPS signals, without any change in GPS signal structure or GPS receiver on mobile phones, based on the works of [25,27]. GPS signals are mainly used for two purposes.

Firstly, to determine the location of user, and secondly, to obtain the current time. One way to verify the correctness of positioning and time information is to compare it with other sources of information. In mobile phones, positioning data can be compared to the location of the nearby base stations and Wi-Fi Access Point (AP). Based on the location of base stations and Wi-Fi APs, it is possible to perform positioning and calculate the user’s location. Then, the user can verify the correctness of GPS positioning data by comparing this calculated position and the GPS position. The other issue is verifying GPS time data. To address this issue, time servers on the internet is utilized to obtain precise time. Comparing it with the time received from the GPS signals, one can verify the correctness of time information. This work is going to determine the feasibility of this method, and also, develop an android application to perform this verification. This platform was chosen because of its popularity as it has 50% of market share [15].

1.3 METHOD

This is a study in the realm of Information Systems (IS) and undertakes to develop a method to detect spoofing attack on GPS signals in a mobile phone.

With respect to research paradigms in this field, this work follows the design- science paradigm. Most of the research that follows this paradigm is going to meet people’s needs and expand their capabilities by developing a new artefact [8,13]. It is a problem solving approach that firstly identifies the problem and then develops and evaluates an artefact to solve this problem [8]. As mentioned in section 1.1 the problem here is that the proposed methods for addressing GPS signals vulnerabilities are not applicable to current GPS signals structure.

Moreover, if the required changes applied to GPS signal architecture and GPS receivers; those methods are still vulnerable to other forms of attacks. Therefore, the current methods do not solve the problem of insecurity in GPS.

(16)

4 EQUIPMENT 1.4

1.3.1 Research strategy

Johannesson and Perjons in their book A Design Science Primer propose a five-step method to accomplish design science projects. The first step is to explicate the problem be able to precisely understand it. The next step is to outline artefact and define its requirements based on the understanding achieved in the previous step. The artefact in this work is a system that detects spoofing attack on GPS signals received on mobile phone. Regarding the requirements, it has to calculate user’s position based on nearby base stations and Wi-Fi access points and compute the distance between user’s position and GPS position.

Moreover, it has to detect if this distance gradually increases in the recent movements of the user. Checking the authenticity of GPS time is another requirement. The third step is to design and develop the artefact. In this step based on the defined requirements, the system is designed and implemented as an Android application. Part of the system design has a mathematical basis.

This type of system design facilitates performing quantitative analysis in the evaluation part [8]. Chapter 4provides detailed explanation of the design and implementation of the system. Artefact demonstration is the forth step in this method. Having the system designed and developed, the author prepared a stable version of system and demonstrated it to the supervisor. The fifth and last step is evaluating the artefact. There are several methodologies available for evaluating the artefact, namely: observational, analytical, experimental, testing and descriptive [8]. Among them, experimental evaluation suits this research.

In this methodology the artefact is evaluated in a controlled environment or using simulation with artificial data [8]. The author conducts several real-world experiments which were designed based on the requirements defined in step 2. The artefact was evaluated with respect to base-station positioning and Wi-Fi positioning, detecting suspicious behaviour and checking the authenticity of GPS time. During these experiments the system states are logged. Then quantitative analysis was performed on the gathered data. The positioning part is evaluated in terms of functionality and accuracy. In addition, functionality of other two requirements is evaluated.

1.4 EQUIPMENT

The application was developed for Android platform and Android Software Development Kit (SDK) for Android 4.0.x was used. Regarding the development environment Juno version of Eclipse Integerated Development Environment (IDE) in combination with Eclipse Android Development Tool (ADT) plug in was utilized. In addition, to accomplish this work some online resources were used.

Combain and OpenCellID databases of base stations position and Wi-Fi access

(17)

1.5 LIMITATIONS 5

points were used since this application needs the position of base stations and Wi-Fi AP that the mobile phone connects to. Moreover, to accomplish this work some hardware were utilized including a GPS-enabled HTC Desire S smart phone for testing and evaluating the application.

1.5 LIMITATIONS

As this work sought to detect spoofing attacks, there is a need to perform this attack in the test and evaluation phase. This needs GPS spoofing hardware and software, but such device is not available for test and evaluation.The outcome of spoofing attack is that the GPS receiver returns a position that is not the actual position of user. Therefore, turning off GPS receiver on the mobile phone was the method I chose to emulate spoofing attack. In this way, it shows the last position it calculated before turning off the GPS which is different from the actual position if the user moves. The other limitation is processing power and memory capacity of smart phones. In this way, the performance of the design and algorithms must be taken into account in system design and implementation.

1.6 THESIS OUTLINE

The rest of this paper comes as following. The background chapter provides the history of positioning systems. Then evolution of Global Navigation Satellite Systems (GNSS) will be reviewed. Since this work focus on security in GPS, a detail review of GPS architecture and security issues will come. Then, in separate chapters, the implementation of the system and evaluation of it will come. At the end, conclusion and discussion will be provided.

(18)

(19)

7

2 B A C K G R O U N D 2.1 HISTORY OF POSITIONING

From the dawn of civilization people have been trying to somehow determine their geographical position. The pioneer surveyors in ancient cultures were astronomers. The stars’ placement was used by them as the foundation for position calculations. Growth in knowledge of mathematics had a significant contribution to surveying and triangulation technique became one of most crucial means of finding coordinates in distances of thousands of kilometres [9].

Progress in technology and launching satellites to the space in mid-twentieth century was a turning point in surveying. The idea of satellite navigation emerged as a result of these developments. This method of navigation is obtaining position and velocity which are the required parameters for navigation from the signals broadcasted by satellites [17]. Guier and Weiffenbachstate in their article [6] explain the evolution of Transit navigation system which was the foundation of current navigation systems. This system consisted of multiple polar orbiting satellites that propagate signals in two ultra-stable frequencies.

These signals carry the orbit parameters of the satellite, and a receiver decodes these parameters and calculates the position [6].

2.2 GLOBAL NAVIGATION SATELLITE SYSTEM (GNSS)

GNSS is a navigation satellite system that globally gives navigation service to its users. In general these systems are composed of three segments. The first one is the space segment which is a constellation of satellites in the space that transmit radio-signals to earth. The difference among navigation systems is the number of signals that they transmit and the frequency of those signals. The second segment is ground control center which is responsible for management and maintaining satellites in space, and the third one is the user segment which uses a receiver to receive the signal and determine his location [17].

There are only two operational GNSSs in the world which are GPS and GLONASS. Both systems provide round the clock service to infinite number of users everywhere in the world [17]. GPS is a US own satellite navigation system, and the US Department of Defense (DoD) in cooperation with some

(20)

8 GLOBAL NAVIGATION SATELLITE SYSTEM (GNSS) 2.2

other state entities are responsible for its maintenance. The space segment was launched in 1980s and it became operational in 1990s [37]. More information about the GPS is coming in section 2.3. GLONASS is the Russian version of global navigation satellite system. The project is from the Soviet era but collapse of Soviet Union on the one hand and economic problems of Russian federation on the other hand postponed the full operation of the project. Finally, it became fully operational with the orbital constellation of 24 satellites in 2011.

Regarding the type of signals they transmit, GPS uses only one pair of signals for all satellites and therefore the signal frequencies that all satellites radiate are identical, but in GLONASS system each satellite transmits one pair of signals with frequencies that are unique to that satellite. Therefore, the satellite separation principle is different. In GPS case each satellite is assigned with a unique code while in GLONASS the signal sender is identified using signal frequency. As a result the, the signal receiving section in GLONASS receivers is more complicated than GPS one [17]. Primarily, both systems were developed for military purposes, but both governments opened part of the signals with lower accuracy for civilian and commercial applications.

Apart from these operational systems, there are other ongoing attempts for developing and implementing other GNSSs despite the availability of service for unlimited number of users around the globe. Part of the reason is dependency on foreign nations’ military infrastructure [18]. Therefore European Union decided to develop its own GNSS for only civilian applications. The project is named Galileo and it consists of four phases. Definition and development phases have been done and it is in the beginning of deployment phase. Based on the information on European Commission official website, until the time of writing this article, four satellites have been launched [34]. The exploitation phase is planned to be accomplished by 2020 [33]. Galileo is going to provide better precision and availability to its users due to higher number of satellites in view (six to eight in most places) compared to GPS. Moreover, it is going to provide better coverage of northern Europe and in general in higher latitude due to satellites’ placement and inclination [33]. As shown in figure 2.1, the whole system will consist of a constellation of 30 satellites, 30-40 sensor station, three ground control centers, nine mission uplink station and five telemetry, tracking and command (TT&C) stations [34].

The Chinese have also planned to enter the realm of Global Navigation Satellite Systems and build their own GNSS. The project is called COMPASS and it is expansion of former Chinese regional navigation system, BeiDou [39].

The project is in phase II and covering the area of Asia-Pacific and expected to have global coverage at the end of phase III in 2020 [2, 38]. COMPASS is not only a navigation system, but it also provides communication and timing service to its users [23]. The system is designed to provide both open service and authorized service. Open service includes free positioning, timing and velocity

(21)

2.2 GLOBAL NAVIGATION SATELLITE SYSTEM (GNSS) 9

Figure 2.1: Galileo infrastructure. Illustration from [33]

service to users, and the authorized service includes wide-area differential service with the accuracy of better than 1 meter and short message service with size of 120 Chinese characters per message [2]. Its space segment in contrast with other versions of GNSS, consists of 5 Geostationary Earth Orbit (GEO)¹ satellites in addition to 30 Non-GEO satellites [2, 38]. Japan and India also have their own regional satellite navigation systems which are respectively named Quasi-Zenith Satellite System (QZSS) and Indian Regional Navigational Satellite System (IRNSS).

As we have seen there are several global navigation satellite systems that are fully or partially operating. As a result, tens of navigations satellites with different frequencies are operating now and their number will be increased in future. According to [45], taking advantage of this multi-constellation and multi frequency signals significantly improves availability, robustness, reliability and accuracy in positioning, navigation and timing services. So far the most popular navigation system is GPS and majority of available receivers are designed for it.

1 The orbit in the distance of 35,786 kilometers from the earth. The orbital period of the satellites in this orbit is equal to earth rotation period. As a result, the satellite has a is fixed position to viewer in the earth.

(22)

10 GLOBAL POSITIONING SYSTEM (GPS) 2.3

The next section provides a brief overview of GPS.

2.3 GLOBAL POSITIONING SYSTEM (GPS)

As mentioned in previous section, GPS is owned by the United States and initially designed and developed for military use. In early 1960s the idea of having an accurate navigation system with pinpoint accuracy emerged. Before that, the US Navy had designed and developed transit system for submarine and ship navigation but the system was very slow. US Air force has also designed its own navigation system which was faster and more accurate and able to determine altitude in addition to latitude and longitude. To decrease the military spending, US Department of Defense decided to concentrate on design and development of a navigation system for all military branches. The result of these efforts was NAVSTAR Global Positioning System which then named GPS. The system uses atomic clock that provides very good time accuracy to the users. Launch of constellation of GPS satellites was finished in 1989 [37]. A year later, there was a real test for GPS in Persian Gulf War and it showed the capabilities and performance of the system[23].

Each GPS signal has a Time of Transmission (ToT) from GPS satellite to GPS receiver. The receiver measures this time and then calculates its distance from the satellite since the signals propagates in speed of light. GPS satellites encode navigation data such as orbital parameters, time stamp, correction data and other related information into signals which is decoded by the receiver using mathematical algorithms [16,20]. GPS signals are encoded in two types of codes namely Standard Positioning Service (SPS) code and Precise Positioning Service (PPS) or P code. The first type is also known as Coarse Acquisition (C/A) code which is available signal for GPS civilian use [9,17]. Having this information in combination with distance from at least three satellites, GPS receiver can determine two-dimensional position [17]. Moreover, signal from four satellites is required for three-dimensional position determination [17]. GPS had the feature of Selective Availability (SA) which artificially reduces the accuracy of C/A signals for civilian users [9,23]. The accuracy can be increased to 5-10 meters if this feature is turned off. In May 2000, the US government announced turning off the SA, and from the day after civilian GPS users have had access to signal without artificial accuracy degrading. The US military started to use Selective Denial (SD) instead. This option restricts the GPS availability for unauthorized access in a specific region using ground jammers [9].

In the current design, GPS satellites orbit around the earth in 6 orbital planes with 4 satellites in each plane. Therefore, GPS has a constellation of 24 satellites in space. In addition, there are some spare satellites that can be activated in

(23)

2.4 DIFFERENTIAL GPS (DGPS) 11

case of operational satellite failure. There are underway programs for launching new generations of satellites that provide one more civilian signal in addition to current signals [23].

2.4 DIFFERENTIAL GPS (DGPS)

Degrading of GPS accuracy using SA resulted in development of Differential GPS (DGPS) solutions to improve positioning accuracy. Despite the SA turning off in early 2000, evolution of such systems continued to eliminate GPS inherent errors and consequently achieve a better positioning and navigation accuracy.

The principles of DGPS are based on utilizing more than one receiver. The system consists of four components. First component is a set of one or more fixed reference receiver(s) with their accurate position(s) being known. The second one is the rover receiver whose position is going to be calculated accurately. The third component is monitoring and control system, and the fourth one is the dedicated data link between the control system and the rover receiver. Each reference receiver has a GPS receiver and calculates its position using GPS signals and sends it to monitoring and control system. Control system receives the calculated position from reference receivers and compares them with the known positions of reference receivers. Based on this comparison, it determines the correction vector. Then depending on the system architecture, it either sends the correction vector to the rover receiver through dedicated data link or receives calculated position from the rover receiver. In the first scenario, the position correction is done by the rover receiver itself while in the second scenario, monitoring and control system does that. There are several methods for differential position correction, but their explanation is beyond the scope of this work.

2.5 ASSISTED GPS (AGPS)

Assisted GPS (AGPS) is one of the technologies that improves GPS usability especially in the realm of mobile phone networks [46]. AGPS helps receivers to find the accurate position faster by using the data received from mobile network. Providing ephemeris data to the phone by base stations is one of the techniques in this method since the mobile network link is faster than the satellite link. Using this information, AGPS no longer performs the signal search space section of positioning procedures. In this way the number of frequencies that the GPS receiver must search to determine the satellites in view is reduced.

Therefore, this method results in a shorter Time to First Fix (TTFF).There is a

(24)

12 ASSISTED GPS (AGPS) 2.5

closer integration between mobile phones and some CDMA networks since time reference is obtained from GPS in their wireless communications. There are two types of positioning in these networks. The first type is called mobile station based positioning since the final position is calculated on the mobile device while in the second type, the mobile station sends data to a server on the network and this server calculates the final positions and sends back the final position to mobile station. The second type is called mobile station assisted positioning [46]. Another benefit of using AGPS is positional accuracy. Users who use stand-alone GPS can determine the position with errors up to several meters even under open sky conditions [12]. On the other hand, AGPS provides an accuracy of less than one meter.

(25)

13

3 R E L A T E D W O R K

There has been research in the field of detecting spoofing attack on GPS signals.

These works can be classified in two categories: cryptographic methods and non-cryptographic ones. Moreover, as performing positioning is the basis for this method, part of the related works falls into these areas. In this chapter positioning techniques using Wi-Fi, mobile base stations and other wireless signals such as Bluetooth and Infrared will be briefly reviewed.

3.1 GPS SECURITY

With regard to non-cryptographic approach several methods have been proposed. Vestigial Signal Defence (VSD) is one of the methods for detecting spoofing attack with a non-cryptographic approach. In each spoofing attempt the authentic GPS signal must be somehow suppressed by the spoofing device.

In this technique a software program tries to distinguish the authentic GPS signal from the spoofed one and in this way detect the spoofing attack [43].

Another non-cryptographic method is multi antenna receivers. In this method, GPS receiver uses several antennas to capture GPS signals from different direc- tions since spoofing devices sends signals normally in one direction. While it is considered to be the strongest non-cryptographic approach, it has two major shortcomings. Firstly, such receivers are large, heavy and relatively expensive, and secondly, this technique is vulnerable to coordinated spoofing attacks [11, 42].

While non-cryptographic solutions mostly focus on the receiver’s side, cryptographic solutions focus on the satellite’s side. One of those is Spread Spectrum Security Codes [35] which is going to be deployed on GPS Block III satellites, but since the design has been adapting GPS Block III satellites this technique takes several years [43]. Another method isNMA. Signing the navigation message by the control segment is the basis for this technique. In this way the receiver can verify that this message is generated by the Control segment. The drawback of this technique is that the receiver cannot determine whether the signal comes from the satellite or the spoofing device. Therefore, it is vulnerable to replay attack [7, 35].

There is a complimentary method to the cryptographic methods. It is

(26)

14 POSITIONING 3.2

proposed in [25] and [26]. In this method, the term normal mode is defined as the period of time in which there is no attack on GNSS signals. The receiver gathers specific data in this normal mode, and then, it predicts the value of the data in the future. These values are location information, receiver’s clock and Doppler shift of received GNSS signals. Detecting attack on GNSS signals is achieved by comparing the predicted values and the values received from GNSS. If the difference is greater than a threshold then the GNSS signal is under attack.

Predicting the location is done using Kalman filtering as well as inertial sensors like altimeters, speedometer and odometer. This location is independent from the location obtained from GNSS. Regarding the clock reading, it is obtained from receiver device internal clock. It should be note that the clock is not resynchronized with any other external sources like GNSS signals. In this way, the predicted time based on this clock is compared to the time received from GNSS. With respect to the Doppler shift, as the GNSS satellites are moving in the space in their orbital plane, they have a relative motion to the receiver. It is the source of GNSS signal Doppler shift. The frequency of receiving signals changes depends on the movement direction of the satellite. As the receiver can calculates the satellite’s velocity and it has the orbital model, the receiving frequency can be calculated. It is done using Doppler equation. Similar to the two other parameter, the predicted Doppler shift and the receiving one is compared and if the difference exceeds a threshold, the receiving signal counted as a fake signal.

3.2 POSITIONING

Much research has been conducted aiming to utilize wireless signals for positioning purposes. The Active Badge was one of the earliest systems of this category using Infrared signals. It provides service for indoor areas. Individuals carried a badge that sends IR signals periodically every 10 seconds. Receivers installed in known locations in the building receive this signal, and in this way, the system locates the person who has this badge [41]. RADAR is another effort aiming at indoor positioning by installing access points in defined locations in a building [1]. While these methods provide indoor positioning services, several methods have been proposed for outdoor positioning.

While an indoor positioning system includes installing some access points in predefined locations, the outdoor one utilizes the access points that were installed by others. It includes Wi-Fi access points and mobile base stations.

Therefore, more accurate positioning can be achieved in urban areas that have a higher density of those access points. Proposed methods in these fields use different techniques; for base station based localization, Angle of Arrival (AoA),

(27)

3.2 POSITIONING 15

Time of Arrival (ToA) and Time Difference of Arrival (TDoA). Moreover, having known the position of neighbouring base stations, one can perform triangulation or trilateration (or multilateration) to calculate the position of the mobile phone.

While triangulation requires installing directional antennas to determine the angle between North and the line that connects the locations of mobile phone and the base station, trilateration seems to be a more feasible technique since it does not need that kind of antennas [3]. For Wi-Fi positioning, if the location of Wi-Fi access points is not available, saving the fingerprints of nearby Wi-Fi access points is one of the techniques that can be used. This fingerprint includes the available APs and their signal strength in given position [3]. The number of saved fingerprints and its structure depends on the level of accuracy that is going to be achieved.

(28)

(29)

17

4 I M P L E M E N T A T I O N

Our implemention is an Android application. Android is an operating system for mobile devices and its design is based on Linux operating system [19].

4.1 OVERVIEW OF ANDROID APPLICATIONS

Since the last decade applications on mobile platform have emerged and became ubiquitous. In 2010 the number of smartphones that were purchased exceeded the number of PCs [32]. Some factors have contributed to this popularity. One of those is improvement in network coverage and bandwidth services by telecom companies. Another contributing factor is the emergence of new generation mobile platforms. Among these platforms, Android has become widely popular and has 50% of market share [15]. As a result, a large number of application developers working on developing Android applications and have developed nearly five million applications [15]. This section gives an understanding of the Android platform in general as well as the features that were used in this project in detail.

4.1.1 Android platform

Android is an operating system based on Linux kernel for mobile devices such as smartphones, tablets, E-reader devices, etc. [19]. Android was the entry of Google in the realm of mobile devices. This operating system was not developed from scratch by Google, but it was firstly owned by Android Inc. a company in the US. Google bought Android Inc. and it took two years until the first stable version of Android released in 2008. The operating system is open source and was released under Apache License [19]. Its source code is freely available and every one can download it. Hence, vendors can customize it and add some features. But regardless of these customizations, developers develop their own applications for Android and it runs on all Android devices. That is one of the main advantages of Android.

Android utilizes a Linux kernel as the base of the operating system. Its architecture is in the form of a software stack in which different layers together provide functionality for the mobile device. Figure4.1 shows this stack and

(30)

18 OVERVIEW OF ANDROID APPLICATIONS 4.1

Figure 4.1: Android software stack. Picture from android.com

the different layers inside it. As shown in this figure, Linux kernel is located at the very bottom of this stack. This layer is in contact with the device hardware.

In this way any access to hardware components such as GPS, camera, Blue- tooth, etc. is handled through this layer. Above the Linux kernel, Middleware layers are located which include Libraries, Android Runtime and Application Framework. These layers provide the main features of Android. Ordinary An- droid applications are mostly written in Java programming language and run on a specialized virtual machine. Android Runtime contains the components needed for running these applications. It comprises core Java libraries that is used in time of running the applications. Moreover, the specialized virtual machine which is called Dalvik is included in Android Runtime. This virtual machine has a special design to be used in Android OS and runs the apps with consideration of mobile devices’ limitations such as low CPU and Memory capability. In addition to Java core libraries, Android provides a set of libraries that is used in application development. For example, SQLite library helps developers to implement applications that utilize relational databases. Storing and retrieving the data from the database is one of the features of this project and this library was used for the implementation of this part. There is a layer

(31)

4.1 OVERVIEW OF ANDROID APPLICATIONS 19

on top of these libraries that consists of some higher level components aiming to expose Androids’ features to programmers. This layer is called Application Framework. The applications layer is located on top of this layer and includes user installed applications as well as some pre-installed applications on the device such as the browser, contacts, voice dial, etc. Developers use the components in middleware layers to develop their applications. The next two sections provides an explanation of an Android application’s architecture as well as preparing development environment for developing Android applications.

4.1.2 Android Application Architecture

Each Android application consists of several components that together form an application. These components are activity, service, content providers and broadcast receivers. Depending on the requirements, developers use some or all of these components in their applications. As with many applications in other operations systems, Android applications have to have a user interface to interact with users. The application’s Graphical User Interface (GUI) in Android is called Activity. The responsibility of an activity is to show the system status to the user as well as getting input data from him. An application can have one or more activities. An example of an activity in Android OS is the contact page that shows contacts’ information to the user or allows the user to edit a specific contact.

It is possible that part of an application does not need interaction with the user. Android provides the capability for developers to use a component which is called service and to run that part of application as a service. Services also give developers the ability to provide functionality for other applications. Each service is run on the application’s main process. In every application there may be some time-consuming operations. This happens as result of I/O or network communications or performing the tasks that need huge computations. The Android platform prevents running the applications that are not adequately responsive. In such cases Android stops the application and shows Application Not Responding (ANR) dialog. To avoid such situations, developers can use Android services but they have to spawn a new thread and run the service on this newly created thread. Android provides a fruitful solution using AsyncTask class which not only runs the task in a separate thread but it also provides easy access to the application’s main thread for performing any UI update as the background thread finishes its work. Moreover, Android also provides a more sophisticated mechanism for background processes called IntentService. Depending on the system design that such a service is going to serve one activity or multiple activities or even other applications, developers choose between these solutions. Developers also can utilize Java concurrent

(32)

20 OVERVIEW OF ANDROID APPLICATIONS 4.1

programming facilities and run those time-consuming tasks on separate threads using Java Thread class and Runnable interface, but Android recommends using its solutions.

As an operation system, Android has to notify running applications about important changes in system status. These conditions can be a change in the time zone or entering a low-battery state. To do that, it uses a broadcasting mechanism and propagates this message in the system. Applications have to register broadcast receiver components to be able to receive such messages.

Moreover, this mechanism can be used by developers to broadcast messages and communicate with other applications. User defined services also can send messages and light weight results of their operations to other applications or the activities in the application using this mechanism. Despite fruitfulness of broadcasting mechanism, there are some efficiency and security concerns regarding this capability. Firstly, managing broadcast operations puts overhead on the system especially if the number of them increases. Secondly, the ability of receiving other applications’ broadcasts may raise security issues. To improve the efficiency and alleviate security concerns, Android has defined a type of broadcast that is only reachable within the application.

Content provider is the standard way of providing and transmitting data from one process or application to other processes or applications. The data can be on file system or can be retrieved from SQLite database. Each content provider acts like a server, encapsulates the data and sends it to receiving requests. Developers are able to have security in the data using the mechanisms that content providers provide. The receiving application acts as a client and opens the data to use it. A good example of content providers in Android is contacts’ information. Other applications can request the contacts stored on the phone and show them to the user. Voice over IP applications use this feature to load the contact from the phone to the application.

It is necessary for every Android application to declare the components it uses in a manifestation file called AndroidManifest.xml. This information is necessary for Android OS to be able to run the application and Developers declare this information in XML format. In addition to the components, application declares the required permissions for running the application. Some of the APIs that Android provides is protected and needs permission for access. Examples of those API are system storages, network connections, Internet access, etc. This information tells the user that which kinds of actions this application may do prior to installing. Users based on these permissions and the application vendor decides whether to install the application or not.

(33)

4.1 OVERVIEW OF ANDROID APPLICATIONS 21

4.1.3 Preparing development environment

For the implementation part, Eclipse IDE together with Android SDK under Ubuntu, Linux platform was used. The easiest way to make the development environment ready is to download Android ADT bundle and extract it to a custom location. This bundle is an Eclipse IDE integrated with Android SDK. After that all the necessary packages can be installed using Android SDK manager. This work uses Android 4.2 and Google API (API 17) as the base library for development. The applications run on a physical HTC phone instead of an emulator since testing the application needs scanning neighbouring base stations and wireless access points. In order to do that in the Android manifest file the application is declared as “debuggable”. Moreover, USB debugging on the phone is enabled.

The next step is to make the phone detectable on Eclipse. In order to make it so, USB configuration rules for HTC phones are added to the file 51-android.rules in the /etc/udev/rules.d path. This rule for HTC device is:

SUBSYSTEM=="usb", ATTRidVendor=="0bb4", MODE="0666", GROUP="plugdev"

As we can see "0bb4" is the vendor ID for HTC devices, the MODE value designates permissions in accessing the device. In the end, permission for this file is changed using the command below:

chmod a+r /etc/udev/rules.d/51-android.rules

Now, the development environment is ready to start the implementation.

4.1.4 Database in Android

As discussed in section 4.1.1, Android provides a set of libraries in its software stack that can be used in application development. One of those libraries is SQLite. Developers enjoy the full support of this database by Android and use it to implement applications that interact with relational databases [36]. Simplicity is the main goal of this database and that is why it suits mobile platforms like Android. SQLite do not have a server like other database engines and store all of its data in a file on the disk [4]. Storing and retrieving data from the database is part of this project and SQLite database was utilized for that part. Detailed information about that can be found in section4.2.2.

(34)

22 SYSTEM COMPONENTS 4.2

4.2 SYSTEM COMPONENTS

To accomplish the implementation part, several lower level components were designed and implemented. Prior to the explanation of system design, a description of lower level components is needed. This section provides description of these components.

4.2.1 Positioning resource

As discussed earlier, the basic idea in this work is to check the GPS data with other sources of information. In this work, these sources are called positioning resource which is an entity that helps us to perform positioning. As it is an abstract concept it was defined as a Java interface. In this project there are two implementations for this interface: base stations and Wi-Fi access points. The class Cell represents a base station and the class Wifi represents a Wi-Fi access point and both of them implement the positioning resource interface. The source code of these entities can be found in AppendixA.

4.2.2 LocationAPI

The objects of Cell and Wifi classes are used to perform positioning. The location of each positioning resource object is found using another component. This component in this work is called LocationAPI. As it is an abstract concept it is defined as a Java interface (See AppendixA). Every implementation of this interface returns the position of a given positioning resource. In this interface, getLocation method receives a positioning resource as the argument and returns the location of that. Every implementation of this interface acts as a positioning provider. Three different implementations for this interface have been done namely Combain, OpenCellID and the offline database. Each of them may support both types of positioning resources or just one of them. For each positioning resource which can be a Wi-Fi AP or a mobile base station, the system sends it to the LocationAPI and receives its location. If the API does not support the type of positioning resource or does not have its location in its database, it sends back null as return value. All the classes that are related to the LocationAPI are located in the package com.secureGPS.providers.LocationProviders (figure4.2).

The user can enable/disable providers and work only with preferred ones.

The class LocationAPIManager is responsible for keeping information about available providers, their keys and enabling/disabling them. The following is the description of the location providers I used in this project.

(35)

4.2 SYSTEM COMPONENTS 23

Figure 4.2: “com.secureGPS.providers.LocationProviders” package

Combain

Combain is a Swedish company based in Lund and provides positioning service to customers. The company has a rich database of base stations and Wi-Fi APs locations, but since it is a commercial database, using the service is not free of charge. As it supports both base stations and Wi-Fi APs, I asked them if I can use their database for this research project and they accepted to give me access to their database with limited number of queries and one query per second.

The LocationAPI interface for this provider is implemented as a Java class named Combain which includes all the required methods to send a request and retrieve the results as well as the methods that must be overridden as it implements the LocationAPI interface. More information about the company and its services can be found on their web site http://www.combain.com.

OpencellID

It is an open source project aiming to create a comprehensive database of base stations’ locations around the world. People can use the database for free and also contribute to it. OpencellID supports only base stations and its database is not as rich as Combain’s. It is also online and the system interacts with them using internet connection. Moreover, OpencellID releases its database with the latest update every day in the form of a text file. These data are used in the next location provider. The LocationAPI interface for this provider is implemented as a Java class named OpencellID. All the necessary methods to send a request and retrieve the results as well as the methods that must be overridden as it implements LocationAPI interface are defined in this class. More information about OpenCellId and its services can be found on the project web site http://www.opencellid.org.

(36)

Offline provider

Both the location providers that have been described so far are online. This system also utilizes an offline provider using a database that is stored on the mobile device. This provider has the capability of detecting and storing new positioning resources and their positions in the database. As mentioned earlier, OpencellID releases its database in the form of a text file. This information is used in the offline provider. Since the size of the file is too large, the base stations that are located in Sweden were extracted from it. Then, to improve the performance and ease the access to the data, the necessary fields for positioning in the file was converted to a Sqlite database and kept in a table called cellPositions. Figure 4.3 shows the table fields. In this table, the identifications of the base station together with the position of that are recorded. The identifications are Mobile Country Code (MCC), Mobile Network Code (MNC), Location Area Code (LAC) and cellID. The position is inserted in the data base in the form of latitude and longitude.

Figure 4.3: “cellPositions” table

In addition to this table, the offline provider utilizes a method that enables it to expand its database and provide positioning service in places that it could not provide before. It has a learning capability in the way that can detect nearby base stations and Wi-Fi access points and store their location in the database if there are available and trusted GPS signals. Users can enjoy this capability by setting the application to work in the learning mode from the option menu.

Figure4.4shows the application view in the learning mode. In this mode, it shows current GPS position as well as statistics about the collected data. When the user pushes the starts capture button, information about nearby base-stations and Wi-Fi access points is captured and added to database. This information is shown at the bottom of the page. This procedure is repeated periodically in the time intervals that can be set in system setting menu. This mode also provides the capability for the user to contribute to OpenCellID database by uploading the gathered cell data.

(37)

Figure 4.4: Application in learning mode

For each positioning resource that the system detects, a record comprising its identification as well as its position will be created. The position is in the form of latitude and longitude. I term this record measure. Wi-Fi measures and base- stations measures are stored in two different tables in the database respectively WifiMeasure and CellMeasure. The figures 4.5and4.6 are those tables. The fields CellMeasure table is similar to the CellPositions table. The latitude and longitude fields here is the latitude and longitude of the position that the measured is captured. In the WifiMeasure table the identifications of the Wi-Fi AP together with the latitude and longitude of the position that the measured is captured are recirded. The identifications are Service Set Identification (SSID), Basic Service Set Identification (BSSID) and Received Signal Strength Indicator (RSSI).

Figure 4.5: “WifiMeasure” table

(38)

Figure 4.6: “CellMeasure” table

The signals of these positioning resources propagate in an area and available in all the locations in that area. As a result, for each positioning resource several measures can be inserted to the database. The location of a base-station or access point is derived from all the available measures for that positioning resource. When offline provider receives a request of positioning for a positioning resource, it retrieves all the available measures for that positioning resource and calculates the mean value of their latitudes as well as their longitudes.

These mean values become the latitude and longitude of calculated position for that positioning resource. Offline provider returns back to this position as its response to the request. Figures4.7shows how the system detects the measures related to one positioning resource and calculates its position based on those measures. It goes without saying that the more measures the user captures for

Figure 4.7: Detecting measures by the system

a positioning resource, the better positioning service the offline provider can provide. But, unlimited number of measures for a positioning resource results in a bigger database. This will consequently impact the system performance.

Therefore, finding an optimal solution helps to have a good positioning with

(39)

lower load on the database. Since the range of Wi-Fi signals is limited, its position can be identified with few measures. This fact helps to have a policy for storing Wi-Fi measures in database and prevent the size of the database from becoming too large. The system stores maximum three measures for a Wi-Fi AP and with a minimum distance of 20 meters from each other. The minimum distance policy prevents the system from storing redundant measures. With respect to base stations, as their signal range is up to several hundred meters there is no limitation for the number of measures but they cannot be closer than 50 meters.

Figure 4.8: classes in “come.secureGPS.database” package

The offline provider is implemented using Sqlite database which is widely used in Android applications that use the database. Moreover, it uses Data Access Object (DAO) to access the data in the database. The location of API for this provider is implemented as a Java class named OfflineLocationProvider which includes all the required methods for retrieving data from the database as well as the methods that must be overridden as it implements the LocationAPI interface.

In addition, the classes that are used in creating, storing and retrieving data are located in com.secureGPS.database package (Figure4.8). The offline provider uses these classes to perform its tasks.

4.2.3 Positioning Manager

Major positioning tasks are done by this component. After extracting positions from the location providers, the positioning manager takes the responsibility of aggregating these positions, removing outliers and calculating the position.

This component is defined as a Java interface and an implementation for that is provided. Each implementation of the positioning manager has to implement algorithms for aggregating the positions, removing outliers and position calcu- lation based on positioning resources’ positions. The algorithms for performing

(40)

28 PERFORM POSITIONING 4.3

these tasks will be explained in upcoming sections.

4.3 PERFORM POSITIONING

Having known the system components and their functionalities, it is time to understand how the system checks the authenticity of GPS signals. The system architecture is shown in figure4.9. When the user runs the application, the main activity appears in the screen (Figure4.10). The user starts the system operation by clicking the Start checking button. At this time a timer starts and periodically triggers the checking process. The system by default runs this service every 10 seconds and this time can be changed by user in the system settings. The checking process is implemented as an Android IntentService which runs in a separated thread than the application main thread.

Figure 4.9: System architecture

(41)

4.3 PERFORM POSITIONING 29

Figure 4.10: Main activity (UI)

This implementation makes the application UI responsive. This service is implemented in SpoofCheckService class which extends the IntentService class.

In this way each time that timer triggers a cycle of checking, an instance of SpoofCheckService is created and run, and when its operation finishes its thread dies. After the execution, it broadcasts the result of positioning. To use the results of this service, a receiver in the main application UI is registered to receive this data and report it to the user. Therefore, in each cycle a chain of operations is launched. Figure4.11depicts one round of positioning process in the IntentService.

Upon triggering the service, it gathers the data about the nearby base stations and Wi-Fi APs using Android built in APIs. As they are positioning resources, the system extracts their positions from location APIs. The user can select involving location provider(s) in the system setting menu. Since each location of the API may return a different location for a given positioning resource the system keeps the data for each positioning resource in a table and then aggregates them. These tables are shown in red in figure 4.11. Aggregating those positions is the positioning manager’s task. To aggregate the locations, the positioning manager calculates the average of the latitude and longitude of all available locations for a given positioning resource and fixes the location for that positioning resource. The fixed position is kept in another list. Each type of positioning resource has its own list of fixed positions. As the system utilizes two kinds of positioning resources, there are two separate lists of Wi-Fi locations and cells locations. These lists are shown in green in figure4.11.

(42)

30 PERFORM POSITIONING 4.3

Location API API 1 API 2 API 3 Coordinates for Cell 4

Positioning resource ---

Cell 1 Cell 2 Cell 3 Cell 4

….

Positioning resource --- Wi-Fi 1 Wi-Fi 2 Wi-Fi 3 Wi-Fi 4

….

Coordinates for Cell 3 Coordinates for Cell 2

Coordinates for Wi-Fi 4 Coordinates for Wi-Fi 3 Coordinates for Wi-Fi 2 Coordinates for Cells

--- Cell 1: Lat Lon --- Cell 2 : Lat Lon --- Cell 3 : Lat Lon --- Cell 4 : Lat Lon

Coordinate for APs --- Wi-Fi 1 : Lat Lon --- Wi-Fi 2 : Lat Lon --- Wi-Fi 3 : Lat Lon --- Wi-Fi 4 : Lat Lon

Positioning Manager

Remove outlier Aggregate locations

Calculate position

Coordinates for Wi-Fi 1 ---

Lat1 Lon1 ---

Lat2 Lon2 ---

Lat3 Lon3 Positioning for Cells

--- Lat Lon

Positioning for APs --- Lat Lon

Coordinates for Cell 1 --- Lat1 Lon1 ---

Lat2 Lon2 ---

Lat3 Lon3

Figure 4.11: Positioning process for one round

It is possible that a location API returns a wrong position for a given positioning resource. Depending on its distance to other positions, this wrong position can have catastrophic impacts on the result of the positioning because it drags the mean value toward itself. This wrong position is considered to be an outlier. To prevent these outliers’ impact on the positioning results, they have to be removed before performing positioning. There are several methods for eliminating the outliers. In this work, removing the outliers has been implemented using the Interquartile Range (IQR) technique. In this technique, the data set is sorted and is then divided into 4 equal groups. To do this, the sorted data set is divided to two groups by calculating the median of the data set and then the median values of those two groups are calculated. In this way, three median values Q1, Q2 and Q3 have been calculated. While Q2 is the median of the whole data set, Q1 is the median of the lower half and Q3 is the median of the upper half of the data set. IQR is calculated by subtracting Q1 from Q3 (Equation4.1).

(43)

4.3 PERFORM POSITIONING 31

IQR = Q3 − Q1 (4.1)

To determine the outliers an upper bound and a lower bound are set using the interquartile range (Equations4.2 and4.3).

Lowerbound = Q1 − 1.5∗ (IQR) (4.2)

Upperbound = Q3 + 1.5∗ (IQR) (4.3)

For each positioning resource, separate bounds for latitudes and longitudes were calculated and positions that their latitude or longitude or both of them are outside these boundary values were considered to be outlier and removed.

At this stage, two lists of positions that their outliers have been removed are available, one for Wi-Fi APs and one for mobile base-stations. Positioning algorithm applies to these lists.

Wi-Fi access point

Base station

Wi-Fi positioning

Base station positioning

Figure 4.12: Google map activity

Positioning manager performs positioning for each set of the positioning resources and calculates two separate positions for Wi-Fi access points and