Global Navigation Satellite System GNSS Spoofing
GNSS Spoofing represents a serious threat due to the pervasive use of GNSS information for diverse applications.
In fact, GNSS chips are almost ubiquitous being mounted in many devices starting from common smartphones up to sophisticated avionic receivers and space systems.
It is possible to conceive different methodologies (characterized by different levels of sophistication, hardware/software complexity, and required prior knowledge) to realize a spoofing attack to a GNSS network [1].
Among them, the following are the most well-known:
- Break lock technique.
During a first phase, a jamming signal is radiated in order to “break the lock” within the GNSS receiver which, as a response, demands for a new acquisition procedure.
Then, the fake signal is produced via specific signal simulators exploiting knowledge of almanacs, ephemerides, and PRN codes and is transmitted toward the victim receiver.
The final goal is to determine a new lock of the receiver on the fake navigation signal instead of on the true one. - Drag-off strategy.
An artificial replica of the navigation signal is superimposed to the actual one and progressive misalignments are introduced between the fake and true navigation waveform.
The final goal is to capture the tracking loops and to determine a gradual deviation from the actual position to the false one.
This technique resembles what in the Electronic Attack (EA) literature is known as Range Gate Pull-Off (RGPO) [5] and which is used to jam radar systems for range tracking.
It calls for the availability of a system capable of receiving the signal whose parameters (as for instance delay and power) undergo manipulations, and then retransmitting it toward the GNSS victim receiver.
This technique is more sophisticated than that in a) and is potentially more subtle in that it avoids being detected by the tracking loops as they continue to maintain lock during all the duration of the attack. - Nulling technique.
For each spoofed signal, nulling requires the transmission of two waveforms.
The former is aimed at cancelling a specific satellite signal whereas the latter is the fake component which, together with the other fakes, has to deceive the receiver inducing the desired wrong PVT.
This attack is quite difficult to realize in practice due to the strong synchronization and prior knowledge which is necessary in the cancellation process.
While code-phase alignment between the true signal and the cancellation replica is achievable, the exact carrier phase and amplitude matching are very difficult to accomplish. - Meaconing strategy.
It is based on the interception and rebroadcast of the actual navigation signals with a sufficient gain so to cover up the true signal at the victim receiver.
This could be the preferred choice when the spoofer is not able to synthetize the spreading sequences (for instance encrypted military codes and/or some advanced civilian codes).
Single-antenna and multi-antenna meaconers can be conceived.
In the last case, each antenna can be steered on a different satellite and independent delays can be superimposed on the corresponding signals increasing the degrees of freedom which are available to force false positions.
Spoofing Detection and Mitigation.
A substantial bulk of spoofing detection and mitigation techniques have been proposed in open literature along the years [1],[6],[7],[8],[9]. A brief overview is here provided:
- Techniques based on Power Monitoring.
When a spoofer is active on a GPS receiver, the received carrier to noise ratio (C/N0) may undergo an abrupt change which is indeed and indicator of the spoofer presence.
Otherwise stated, an anti-spoofing logic can measure with continuity the C/N0 level and detect unusual/anomalous variations (for instance via change detection logics, possibly Constant False Alarm Rate (CFAR), exploiting the temporal sequence of C/N0 values for each satellite). Besides, the movement of the receiver relative to the spoofer antenna can determine a considerable change in the C/N0 corresponding to the counterfeit signals.
These sudden variations do not arise with reference to an actual satellite transmission in a weak multipath environment. - Power Level Comparison between L1/L2.
Low-complexity spoofers can only mimic the L1 waveform.
An anti-spoofing logic can continuously monitor the power difference between L1 and L2 carriers; a large difference or the possible absence of the L2 component can indicate a spoofing attack. - Data Bit Latency.
Conventional spoofers, before generating their signals, demand GPS signals acquisition to correctly produce navigation data bits.
This implies the existence of a delay between the spoofing data bit stream and that of the underlying authentic signal.
The receiver can continuously monitor bit lock and can indicate a spoofing attack if a large offset appears suddenly. - L1/L2 Signals Relative Delays.
The L1 and L2 signals produced by a GPS satellite are received with an approximately known relative delay due to the different ionosphere responses.
Therefore, if the spoofer is not capable of generating the appropriate signals also on the L2 carrier, a dual frequency GPS receiver can determine a spoofing attack assessing the correlation between the L1 and L2 waveforms. - Signal Quality Monitoring.
Like multipath impairments, spoofing signals distort the correlator output shape when the receiver in tracking-mode.
Hence, appropriate metrics can be computed to measure the quality of GNSS correlation peaks and thus to establish the presence of anomalous asymmetries and/or flatness that reveal a spoofing attack.
This is a powerful approach for receivers operating in line-of-sight conditions. - Distribution Analysis of the Correlator Output.
Leveraging knowledge on the nominal statistical distribution of GPS receiver outputs, statistical procedures can be implemented to determine deviations from the expected behaviour.
In particular, the correlator output power for a receiver operating in tracking-mode and in line of-of-sight conditions can be approximatively modelled as a Chi-squared random variable. However, the presence of spoofing signals induces abnormal amplitude fluctuations that significantly modify the measured distribution, which represents a valuable feature to detect spoofing signals.
Once again, this strategy proves effective in the absence of multipath. - Code and Phase Rates Consistency Check.
Low-complexity spoofers can generate signals exhibiting inconsistencies between Doppler frequency and code delay rate.
Assessing the outputs of the Phase Locked Loop (PLL) and Delay Locked Loop (DLL) filters allows a GPS receiver to monitor the lack of the expected consistency and to declare a spoofing attack.
Similar strategies are also used in in tracking radar to detect RGPO and Range Gate Pull-In (RGPI) attacks. - Authentication or Cryptographic techniques.
They rely on a specific encryption (either symmetric or asymmetric) applied at the spreading code level or to the bits of the navigation message.
They could involve the introduction of features which preclude the local reproduction of the spreading codes by the attacker.
Alternatively, they could require satellite authentication comparing the outputs of multiple receivers and/or matching signals at different frequencies.
Last but not least the restricted-access GNSS signals such as the P(Y) code in the military GPS can be employed. - Integration of the GNSS measurements with an autonomous Inertial Navigation System (INS).
The idea [8] is to fuse at different levels, characterized by different degrees of coupling and complexity, the information gathered by the GNSS and the INS (velocity and position fusion: loosely coupled GNSS/INS; pseudo-range and pseudo-range rate fusion: tightly coupled GNSS/INS).
The identification of inconsistencies in the observations, via joint monitoring/processing of GNSS and INS data, allows the detection of the spoofing attack.
In this last situation, the system can in principle continue to provide position based on INS measurements only. - Receiver Autonomous Integrity Monitoring (RAIM).
This technique [6] is aimed at excluding fake pseudo-ranges from the receiver measurements via an outlier recognition procedure.
The excised measurements could for instance not be consistent with the others in the fixing process and could eventually lead to unreasonable values (lack of integrity) for the estimated PVT. RAIM is effective when the fake measurements represent only a subset of those available at the receiver; otherwise, the excision procedure could in principle exclude the authentic observations instead of those counterfeits. - Array Processing Countermeasures.
A GNSS receiver equipped with multiple antennas can implement adaptive beam shaping techniques [7], [9], [10] (in GNSS community also referred to as Controlled Reception Pattern Antennas (CRPAs) [7]) so as to minimize the receive gain in correspondence of the jamming directions (ideally forcing a null in the beam pattern).
Spatial processing can be also coupled with temporal filtering yielding Space-Time Adaptive Processing (STAP) [11] which exhibits additional degrees of freedom very useful for interference mitigation and to suppress multipath replicas.
However, there are some practical factors that can limit the performance of the spatial processing and STAP: gain/phase/bandwidth mismatches, calibration issues, and last but not least computational complexity.
Some CRPAs available on the market act as an ant jamming “applique” so as to keep the antenna architecture and the spatial processing independent of the receiver design.