Home >> November 2019 Edition >> What is Spoofing? How to ensure GPS security
What is Spoofing? How to ensure GPS security
By Maria Simsky and Jan Grauwen, Septentrio

 

As technological advances make GPS/GNSS* devices more affordable, our lives are becoming increasingly dependent on precise positioning and timing. Industries such as survey, construction and logistics rely on precise positioning for automation, efficiency and safety. GNSS time provides the pulsating heartbeat for the backbone of our industry by synchronizing telecom networks, banks and the power grid.

A single day of GNSS outage alone is estimated to cost $1 billion [1]. GNSS is a reliable system, and to keep it that way, professional GNSS receivers need to guard against every vulnerability that could be exploited. Using GNSS receivers that are robust against jamming and spoofing is key to secure PNT (Positioning, Navigation and Time).

*GNSS refers to the constellations of satellites broadcasting signals from space that transmit positioning and timing information to GNSS receivers on Earth. The receivers then use this information to determine their location. These systems include the American GPS, European Galileo, Russian GLONASS, Chinese BeiDou, Japanese QZSS (Michibiki) and the Indian NAVIC system.

What is GPS/GNSS Spoofing?
Radio interference can overpower weak GNSS signals, causing loss of the satellite signal and potentially loss of positioning. Spoofing is an intelligent form of interference that makes the receiver believe it is at a false location. During a spoofing attack, a radio transmitter located nearby sends fake GPS signals into the target receiver. For example, a cheap SDR (Software Defined Radio) can make a smartphone believe it’s on Mount Everest.

Why GPS Spoofing?
Imagine a combat situation. Clearly, the side which uses GPS/GNSS technology would have an advantage over the side which does not possess the technology.

However, what if one side could manipulate the GPS receivers of their adversary? This could mean taking over control of autonomous vehicles and robotic devices that rely on GPS positioning. For example, in October of 2018, Russia accused the U.S. of spoofing a drone and redirecting it to attack a Russian air base in Syria [2].

In the last three years, more than 600 incidents of spoofing have been recorded in the seas near the Russian border. The affected ships appeared to be “transported” to nearby airports [3]. This type of spoofing might have been introduced as a defense mechanism to ground spy drones. Most semi-professional drones on the market have a built-in geo-fencing mechanism that lands them automatically if they come close to airports or other restricted areas [4].

Some of the most enthusiastic spoofers are Pokémon GO fans who use cheap SDRs to spoof their GPS position and catch elusive pokémon without having to leave their room.

Types of Spoofing
Spoofers overpower relatively weak GNSS signals with radio signals carrying false positioning information. There are two ways of spoofing:


• Rebroadcasting GNSS signals recorded at another place or time (so-called meaconing)
• Generating and transmitting modified satellite signals

Figure 1. A cheap SDR can overpower GNSS signals and spoof a single-frequency smartphone GPS into believing it is on Mount Everest.

Spoof-Proofing
In order to combat spoofing, GNSS receivers need to detect spoofed signals out of a mix of authentic and spoofed signals. Once a satellite signal is flagged as spoofed, it can be excluded from positioning calculation.

There are various levels of spoofing protection that a receiver can offer. Let’s compare it to a house intrusion detection system. You can have a simple entry alarm system or a more complex movement detection system. For added security you might install video image recognition, breaking-glass sound detection or a combination of the above.

Similar to a house with an open door, an unprotected GNSS receiver is vulnerable to even the simplest forms of spoofing. Secured receivers, on the other hand, can detect spoofing by looking for signal anomalies, or by using signals designed to prevent spoofing, such as Galileo OS-NMA and E6 or the GPS military code.

Advanced interference mitigation technologies, such as the Septentrio AIM+, use signal-processing algorithms to flag spoofing by detecting various anomalies in the signal. For example, a spoofed signal is usually more powerful than an authentic GNSS signal.
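
As an added illustration (not Septentrio's AIM+ algorithm and not code from the original article), the power anomaly described above can be checked against the C/N0 values a receiver reports in NMEA GSV sentences, with flagged satellites excluded from the fix. The thresholds, function names and sample sentences are assumptions constructed for this example.

```python
from functools import reduce
from statistics import median

ABS_MAX_DBHZ = 52  # assumed ceiling for an authentic open-sky C/N0
MARGIN_DB = 8      # assumed allowed excess over the median C/N0

def checksum(body):
    """NMEA checksum: XOR of every character between '$' and '*'."""
    return f"{reduce(lambda a, ch: a ^ ord(ch), body, 0):02X}"

def parse_gsv(sentence):
    """Return {PRN: C/N0 in dB-Hz} from one GSV sentence."""
    body, sep, given = sentence.strip().lstrip("$").partition("*")
    if not sep or given.upper() != checksum(body):
        raise ValueError("bad NMEA checksum")
    f = body.split(",")
    if not f[0].endswith("GSV"):
        raise ValueError("not a GSV sentence")
    sats = {}
    for i in range(4, len(f) - 3, 4):   # blocks of PRN, elevation, azimuth, C/N0
        prn, cn0 = f[i], f[i + 3]
        if prn and cn0:                 # an empty C/N0 means "not tracked"
            sats[int(prn)] = int(cn0)
    return sats

def flag_spoofed(sats):
    """Flag satellites that are implausibly strong, absolutely or vs. the rest."""
    if not sats:
        return set()
    mid = median(sats.values())
    return {prn for prn, cn0 in sats.items()
            if cn0 > ABS_MAX_DBHZ or cn0 - mid > MARGIN_DB}

def usable(sats):
    """Satellites left for the position calculation after exclusion."""
    bad = flag_spoofed(sats)
    return sorted(prn for prn in sats if prn not in bad)

def observe(bodies):
    """Add checksums to constructed sentence bodies and merge the parsed result."""
    sats = {}
    for b in bodies:
        sats.update(parse_gsv(f"${b}*{checksum(b)}"))
    return sats

# Constructed sample: PRN 21 and PRN 30 are far stronger than the others.
SAMPLE = ["GPGSV,2,1,07,02,45,120,40,05,60,200,42,07,30,050,38,13,72,310,43",
          "GPGSV,2,2,07,15,25,270,37,21,35,090,54,30,18,150,51"]
print(usable(observe(SAMPLE)))
```

The median comparison only helps while most tracked signals are authentic; if every signal is spoofed at a similar level, only the absolute ceiling can trip, which is one reason a single power check is not sufficient on its own.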


Figure 2. GNSS spoofing could be used to manipulate movement of aerial drones.

AIM+ won’t even be fooled by an advanced GNSS signal generator, the Spirent GSS9000. Even when the generated signal has realistic power levels and carries actual navigation data, AIM+ can identify it as a “non-authentic” signal.

Other advanced anti-spoofing techniques, such as using a dual-polarized antenna, are being researched today. Read more about this method at www.septentrio.com/en/advanced-interference-monitoring-mitigation-aim.

Satellite Navigation Data Authentication
Various countries invest in spoofing resilience by building security directly into their GNSS satellites. With OS-NMA (Open Service Navigation Message Authentication), Galileo is the first satellite system to introduce an anti-spoofing service directly on a civil GNSS signal.


Figure 3. European Galileo satellites provide an open authentication service on the E1 signal and a commercial authentication service on the E6 signal. Picture courtesy of the European Space Agency.

OS-NMA is a free service on the Galileo E1 frequency. It enables authentication of the navigation data on Galileo and even GPS satellites. Such navigation data carries information about satellite location and, if altered, results in a wrong receiver position computation. While currently in development, OS-NMA is planned to become publicly available in the near future. GPS is also experimenting with satellite-based anti-spoofing for civil users through its recent Chimera authentication system.

Recently, within the scope of the FANTASTIC project led by GSA, OS-NMA anti-spoofing protection was implemented on a Septentrio receiver.

The Strongest Shield
The Galileo system will offer a Commercial Authentication Service (CAS) on the E6 signal, with the highest level of security, for safety-critical applications such as autonomous vehicles. The signal-level encryption will be based on techniques similar to those of the military GPS signals. Only receivers that have the secret key are able to track such encrypted signals. The secret key is also needed to generate the signal, making it impossible to fake. CAS authentication techniques are currently being prototyped at Septentrio in collaboration with the European Space Agency.

Spoof-resilient GNSS means reliable precise positioning and timing, and peace of mind for everyone touched by this indispensable technology.
www.septentrio.com

References
[1] arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day
[2] rntfnd.org/2018/10/26/russia-claims-us-spoofed-drones-to-attack-base/
[3] gps.gov/governance/advisory/meetings/2018-12/goward.pdf
[4] gpsworld.com/spoofing-in-the-black-sea-what-really-happened/
[5] Technical paper by Septentrio, "Authentication by polarization: a powerful anti-spoofing method": https://septentrio-my.sharepoint.com/:b:/p/marketing/EU99N82bWyZPsvd4Dp9g5lwBEwqQLgeT8i7wtW64TEk-tw?e=S0fGFD
[6] https://insidegnss.com/new-report-details-gnss-spoofing-including-denial-of-service-attacks/

Maria Simsky is a Technical Writer at Septentrio, with a degree in engineering and several years of experience working in the high-precision GNSS industry. Maria works closely with GNSS experts at Septentrio to create her articles.