Security Analysis of a Software-Defined Radar

Designers frequently select Software-Defined Radios (SDRs) as their platform to implement their Radio Frequency (RF) systems. SDRs combine the flexible nature of software along with reconfigurable RF hardware to offer designers an expanded toolbox in which to develop, evaluate, and deploy their systems in a rapidly evolving spectral landscape. As is often the case, having a flexible system introduces possible security flaws. These security flaws become relevant when SDRs are embedded into real systems. Software-defined radars have been developed by defense contractors and may be poised to become the standard in a wide array of applications related to autonomous land, water, and air vehicles. However, no current work explores the security of a software-defined radar architecture. In this work, we examine example cyber attacks on small scale software-defined radar. The radar is composed of GNU Radio, a Linux framework for interacting with SDR hardware, and the Universal Software Radio Peripheral (USRP) N210, a reconfigurable RF frontend developed by Ettus Research. First we describe the operation of system from the GNU Radio software down to the packet format. This system analysis reveals that the communication channel within the radar is vulnerable to cyber attack. Specifically, it is possible to conduct Man-In-the-Middle (MITM) attacks between GNU Radio and the USRP to alter the operation of the radar. The MITM attacks alter the hardware configuration and data used by the USRP, creating measurable effects in the distance estimates produced by the radar. We quantify these attacks by comparing the radar position estimates before and during an attack. The first MITM attack modifies hardware settings on the USRP. We observe up to a 76% error in the distance estimate by modifying the hardware configuration commands. We then create a targeted attack by modifying the RF data packets GNU Radio sends to the USRP. We show that intelligently altering the RF packet data introduces a targeted arbitrary distance offset into the radar range estimation with less than 10% error. We conclude with suggestions on how to secure a software-defined radar system assuming a similar structure to the test bed architecture.