Author: GPS World Staff

Assessing the Spoofing Threat
A portable spoofer implemented on a digital signal processor mounts a spoofing attack, characterizes spoofing effects, and suggests possible defense tactics. GNSS users and receiver manufacturers should explore and implement authentication methods against sophisticated spoofing attacks.

By Todd E. Humphreys, University of Texas, Brent A. Ledvina, Virginia Tech, Mark L. Psiaki, Brady W. O’Hanlon, and Paul M. Kitner, Jr., Cornell University

Seven years after the Volpe Report warned that “[a]s GPS further penetrates into the civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups, or countries hostile to the U.S.,” civil GPS receivers remain as vulnerable as ever to this threat. Among other types of interference, the Volpe report considers civil GPS spoofing, a pernicious type of intentional interference whereby a GPS receiver is fooled into tracking counterfeit GPS signals. More sinister than intentional jamming, spoofing deceives the targeted receiver, which cannot detect a spoofing attack and so cannot warn users that its navigation solution is untrustworthy. The Volpe report noted the absence of any off-the-shelf defense against civilian spoofing and lamented that “[t]here also is no open information on . . . the expected capabilities of spoofing systems made from commercial components.” It recommended studies to characterize the spoofing threat: “Information on the capabilities, limitations, and operational procedures [of spoofers] would help identify vulnerable areas and detection strategies.”

We recently canvassed four manufacturers of high-quality GPS receivers. They revealed that they were aware of the spoofing vulnerability but had not taken steps to equip their receivers with even rudimentary spoofing countermeasures. The manufacturers expressed skepticism about the seriousness of the threat and noted that countermeasures, if required, had better not be too expensive. Such attitudes propel further examination of the threat and practical countermeasures.

Important research into spoofing countermeasures during the last decade begins with an internal memorandum from the MITRE Corporation recommending these techniques to counter spoofing:
1. Amplitude discrimination
2. Time-of-arrival discrimination
3. Consistency of navigation inertial measurement unit (IMU) cross-check
4. Polarization discrimination
5. Angle-of-arrival discrimination
6. Cryptographic authentication
The first two techniques could be implemented in software on GPS receivers, but would be effective against only the most simplistic attacks. The next three tactics would be effective against some — but not all — more sophisticated attacks. In particular, angle-of-arrival discrimination, which exploits differential carrier-phase measurements taken between multiple antennas, could only be spoofed by a sophisticated coordinated spoofing attack (discussed later). However, they require additional hardware: multiple antennas or a high-grade IMU, whose cost militates against widespread adoption.

Cryptographic authentication, the last technique on the list, has received detailed study since 2001. Logan Scott offered several levels of authentication in a 2003 ION GPS/GNSS paper and urged their prompt adoption in a GPS World op-ed column in July 2007. His methods are backward-compatible with non-compliant GPS receivers. Spreading-code authentication, the basis for his Level 2 and 3 authentication, entails embedding messages in the GPS ranging codes and periodically authenticating these messages. Because this method effectively binds a digital signature to the ranging codes, it would render a compliant receiver practically impervious to a spoofing attack except during the short interval between reception and authentication of the embedded messages.

These cryptographic techniques all require modification of the civil GPS signal structure. Such changes appear extremely unlikely in the short term because, as one experienced observer noted, “signal definition inertia is enormous.” A less effective but more practical approach over the United States would be to authenticate only the WAAS signal managed by the U.S. Department of Transportation and the Federal Aviation Administration. Since the WAAS signal is constructed on the ground and transmitted via bent-pipe communication spacecraft, it is more amenable to immediate modification. Even so, efforts to persuade WAAS officials to adopt spreading code authentication have so far proven fruitless.

The Homeland Security Institute, a research arm of the U.S. Department of Homeland Security, has also considered the threat of civil GPS spoofing. On its website it has posted a report listing seven spoofing countermeasures. The proposed countermeasures include the first three techniques from the list here. Some of the remaining four countermeasures would be trivial to spoof. None of the seven would adequately defend against a sophisticated attack. Nonetheless, the posting claims that its proposed techniques “should allow suspicious GPS signal activity to be detected.” We worry that such optimistic language in such a prominent posting will mislead many readers into believing that the spoofing threat has been adequately addressed.

Our goals here are to assess the spoofing threat and develop and test practical and effective countermeasures. To advance these goals we found it necessary to go through the exercise of building a civil GPS spoofer. The process of developing a complete portable spoofer allows one to explore the range of practical spoofing techniques. Thus one discovers which aspects of spoofing are hard and which are easy to implement in practice. With this information, we can more accurately assess the difficulty of mounting an attack, and receiver developers can prioritize their defenses by choosing countermeasures that are effective against easily implementable spoofing techniques.

Software-defined GPS receivers furnish a natural platform for the study of civil spoofing and its effects. In a software receiver, real-time correlators, tracking loops, and navigation solver are all implemented in software on a programmable processor.

Initial Threat Assesment

Consider the spoofing threat continuum in FIGURE 1, roughly divided into simplistic, intermediate, and sophisticated spoofing attacks for threat analysis.

FIGURE 1. The spoofing threat continuum: simplistic, intermediate, and sophisticated spoofing attacks.

Simplistic Attack via Simulator. As far as we know, all stand-alone commercial civilian GPS receivers available today are trivial to spoof. One simply attaches a power amplifier and an antenna to a GPS signal simulator and radiates the RF signal toward the target receiver. A successful attack along these lines was demonstrated by researchers at Argonne National Laboratories in 2002.

Despite the ease of such an attack, it has some drawbacks. One is cost: the price of modern simulators can reach $400,000. Simulators can be rented for less than $1,000 per week, making them accessible for short-term mischief, but long-term use remains costly. Size is another drawback. Most GPS signal simulators are heavy and cumbersome. If used in the simplest attack mode, situated close to a target receiver’s antenna, a signal simulator would be challenging to plant and visually conspicuous. Of course, if the custodian of the target receiver is complicit in the spoofing attack — as is the case, for example, with the fishing vessel skipper who spoofs the onboard monitoring unit to fish undetected in forbidden waters — the conspicuousness of the signal spoofer is irrelevant.

The menace posed by such an attack is diminished by the fact that it is likely easy to detect, because of the difficulty of synchronizing a simulator’s output with the GPS signals in its vicinity. An unsynchronized attack effectively acts like signal jamming, and may cause the victim receiver to lose lock and have to undergo a partial or complete reacquisition. Such a forced re-acquisition would raise suspicion of a spoofing attack. If the unsynchronized attack somehow avoids causing loss-of-lock, it will nonetheless cause an abrupt change in the victim receiver’s GPS time estimate. The victim receiver could flag jumps of more than 100 nanoseconds as evidence of possible spoofing. The spoofer can attempt to counter this defense by intentionally jamming first and then spoofing, but an extended jamming is itself telltale evidence of interference.

Of course, the fact that a simulator-type attack is easy to defend does not increase security. A gaping vulnerability will remain until civil GPS receivers at least are equipped with the rudimentary spoofing countermeasures required to detect a simulator-type attack.

Intermediate Attack. One of the challenges that must be overcome to carry out a successful spoofing attack is to gain accurate knowledge of the target receiver antenna’s position and velocity. This knowledge is required to precisely position the counterfeit signals relative to the genuine signals at the target antenna. Without such precise positioning, a spoofing attack is easily detected.

An attack via portable receiver-spoofer, portrayed in FIGURE 2, overcomes this difficulty by construction. The receiver-spoofer can be made small enough for inconspicuous placement near the target receiver’s antenna. The receiver component draws in genuine GPS signals to estimate its own position, velocity, and time. Due to proximity, these apply approximately to the target antenna. Based on these estimates, the receiver-spoofer then generates counterfeit signals and generally orchestrates the spoofing attack. The portable receiver-spoofer could even be placed somewhat distant from the target receiver if the target were static and its position relative to the receiver-spoofer had been pre-surveyed.

FIGURE 2. Illustration of a spoofing attack via portable receiver-spoofer.

Each channel of the target receiver is brought under control of the receiver-spoofer as illustrated in the inset at the upper right of Figure 2. The counterfeit correlation peak is aligned with the peak corresponding to the genuine signal. The power of the counterfeit signal is then gradually increased. Eventually, the counterfeit signal gains control of the delay-lock loop tracking points that flank the correlation peak.

As one might imagine, there are no commercially available portable receiver-spoofer devices. This of course decreases the present likelihood of the receiver-spoofer attack mode. Nonetheless, the emergence of software-defined GPS receivers significantly erodes this barrier. As we demonstrate here, the hardware for a receiver-spoofer can be assembled from inexpensive off-the-shelf components. The software remains fairly sophisticated, but it would be unwise to assume it was beyond the capabilities of clever malefactors. The civil GPS signal structure is, after all, completely detailed in a publicly available interface control document, and entire books have been written on software-defined GPS receivers. In perhaps the most worrisome scenario, anticipated in Scott’s 2003 paper, the software definition of a receiver-spoofer may someday be available for download from the Internet. The expertise required to download and exercise the code would surely be within the reach of many potential malefactors.

An attack via portable receiver-spoofer could be difficult to detect. The receiver-spoofer can synchronize its signals to GPS time and, by virtue of its proximity to the target antenna, align the counterfeit and genuine signals. A receiver equipped with a stable reference oscillator and a low-drift inertial measurement unit (IMU, for receivers on dynamic platforms) could withstand an attack via receiver-spoofer for several hours. Eventually, however, a patient receiver-spoofer would gain undetected control by keeping its perturbations to time and position within the envelope allowed by the drift rates of the target receiver’s oscillator and IMU.

The only known user-equipment-based countermeasure that would be completely effective against an attack launched from a portable receiver-spoofer with a single transmitting antenna is angle-of-arrival discrimination. With a single transmitting antenna, it would be impossible to continuously replicate the relative carrier phase between two or more antennas of an appropriately equipped target receiver.

While an intermediate attack is not presently likely because the requisite device is not readily available, the emergence of software-defined GPS receivers increases its future likelihood. Furthermore, this mode of attack could defeat most known user-equipment-based spoofing countermeasures.

Sophisticated Attack. The angle-of-arrival defense against a portable receiver-spoofer can be thwarted by a coordinated attack with as many receiver-spoofers as antennas on the target receiver. Imagine a receiver-spoofer the size of a pack of cards, small enough to mount directly atop a target antenna. The receiver-spoofer’s receiving and transmitting antennas are situated respectively on the upper and lower faces of the device and are shielded to avoid self-spoofing. Now imagine several such devices sharing a common reference oscillator and communication link, with each device mounted to one of the target receiver’s antennas. The angle-of-arrival defense fails under this attack scenario.

Naturally, this attack inherits all of the challenges of mounting a single receiver-spoofer attack, with the additional expense of multiple receiver-spoofers and the additional complexity that the perturbations to the incoming signals must be phase-coordinated.

The only known defense against such an attack is cryptographic authentication.

Thus, an attack via multiple phase-locked portable receiver-spoofers is somewhat less likely than an attack via single portable receiver-spoofer, but may be impossible to detect with user-equipment-based spoofing defenses.

Target Spoofer Type. The foregoing discussion of the spoofing threat continuum suggests that a spoofing attack via GPS signal simulator poses the greatest near-term threat. However, there are known effective defenses against such an attack, and these can be implemented in software on commercial GPS receivers. In contrast, an attack launched from one or more portable receiver-spoofer(s) poses the greatest long-term threat. Known user-equipment-based defenses against such attacks are few and of limited effectiveness. Accordingly, we focus here on the portable receiver-spoofer attack mode. To better understand this mode, we built a software-defined portable receiver-spoofer as a research platform.

Architecture

We developed a software-defined receiver-spoofer as an extension of the Cornell GRID receiver, adding a spoofer software module and transmission hardware; see FIGURE 3.

FIGURE 3. Block diagram of the reciever-spoofer architecture.

Receiver Module. The hardware consists of an RF front end, a complex programable logic device (CPLD) for signal multiplexing (not shown), and a digital signal processor (DSP). The receiver software includes a full navigation solution engine. Software is entirely written in natural-language C++ to facilitate code development and maintenance.

The software correlation engine, based on a bit-wise parallel correlation technique, is crucial to meeting real-time deadlines in the receiver-spoofer under the simultaneous burdens of receiver processing and spoofing. Here is an overview.

FIGURE 4 depicts the standard correlation operation that occurs within any GPS receiver. The incoming signal x(t) is mixed by complex multiplication with a complex local signal replica, x l (t). The product is integrated over a short interval (typically 1–20 milliseconds) and sampled to produce the quadrature baseband components I k and Q k , also known as baseband accumulations.

FIGURE 4. Standard correlation operation. The local signal replica xl(t) is complex and ⊗* denotes complex multiplication.

FIGURE 5 depicts a byte-wise software implementation of the standard correlation operation. In this implementation, the individual signal samples are stored in 8-bit bytes.

FIGURE 5. Byte-wise implementation of the correlation operation. Boxes in the signal trains represent bytes, each of which stores an 8-bit signed representation of the signal x or of the complex local replica xl. Grayed boxes represent the operands of one complex multiplication operation.

Because many DSPs and general-purpose CPUs are capable of performing several multiply-and-accumulate operations in parallel (for example, eight in high-performance fixed-point DSPs), the byte-wise implementation can be quite computationally efficient. However, storing the local carrier and code replica samples as bytes makes the tables in which they are packed for efficient table look-up prohibitively large for storage in on-chip (fast) memory. Furthermore, despite its computational efficiency, the byte-wise implementation is still only one-quarter to one-half as fast as the bit-wise parallel implementation when implemented on a high-performance fixed-point DSP.

FIGURE 6 depicts the bit-wise parallel correlation implementation. The operation assumes the incoming signal and the local signal replicas are quantized to two bits — one sign and one magnitude bit. The sign and magnitude bits are packed into 32-bit words. Explicit complex multiplication is replaced by a combination of the bit-wise logical operations AND, NOR, and XOR. In effect, the bitwise parallel method performs 32 multiply-and-accumulate operations in parallel. Importantly, storage of the local carrier replicas as bit-packed sign and magnitude words is also memory-efficient, which makes on-chip storage of the local signal replica look-up tables possible.

FIGURE 6. Bit-wise parallel implementation of the correlation operation. Boxes in the signal trains represent 8-bit bytes. Grayed boxes represent operands of one complex multiplication operation, implemented by bit-wise AND, NOR, and XOR operations. (Click to enlarge).

Spoofer Module. Beyond the hardware required for the GPS receiver, the receiver-spoofer requires only signal transmission hardware: a digital/analog converter, a frequency synthesizer and mixer for mixing to near the GPS L1 frequency, in-line attenuators, and a transmission antenna. For this article, we conducted no over-the-air tests to avoid possible FCC violations; hence, we do not further discuss the transmission hardware.

The heart of the spoofer is the spoofer software module, shown in FIGURE 7.

FIGURE 7. Block diagram of the spoofer module.

Control Module: The spoofer’s control module coordinates a spoofing attack by directing the frequency, code-phase offset, and signal amplitude applied in each of n spoofing channels. Some components of the control module described here remain under development.

The control module accepts the following inputs from the receiver module:
- estimates {t (circumflex) k } 1 n of the start times of the kth C/A code period on receiver channels 1–n;
- the estimates {θ (circumflex) k } 1 n of the beat carrier phase on receiver channels 1–n at times {t (circumflex) k } 1 n ;
- the estimates {f (circumflex) D,k } 1 n of the Doppler frequency shift on receiver channels 1–n at times {t (circumflex) k } 1 n ;
- the estimates {A (circumflex) k } 1 n of the signal amplitudes on receiver channels 1–n at times {t (circumflex) k } 1 n ;
- the receiver-spoofer’s current 3-dimensional position P and velocity V.
The control module orchestrates a spoofing attack in the following way. It begins by commanding n spoofer channels to generate signals with Doppler frequency offsets equal to {f (circumflex) D,k } 1 ⁿ and code phases whose relative alignment is equivalent to that dictated by {t (circumflex) k } 1 ⁿ. It then applies a common-mode code phase advance to compensate for buffering delays within the receiver-spoofer. If this advance is chosen correctly, then each spoofing signal will be code-phase-aligned with its genuine-signal counterpart at the target receiver’s antenna. The control module then commands an increase in the signal amplitude of one or more spoofer channels to effect lift-off of the target receiver’s tracking points. This continues until all target receiver channels are presumed to be under control of the spoofer.

At this point the control module gradually leads the target receiver off its true position and time to an alternate position or time. Let Δx D (t k ) = [Δv x (t k ), Δv y (t k ), Δv z (t k ), Δb ^•(t k )]^T be the perturbation that the control module applies to the target receiver’s observed velocity and clock rate bias at receiver-spoofer time t k . The time rate of change of the perturbation Δb ^•(t k ) must be less than the expected drift rate of the target receiver’s reference oscillator. Likewise, the time rate of change of the velocity perturbations Δv x (t k ), Δv y (t k ), and Δv z (t k ) must be less than the accelerations that the target receiver expects, or, if the target receiver is equipped with an IMU, less than the expected uncertainty in the accelerometer bias.

To enforce Δx D (t k ), the control module linearizes the standard Doppler frequency measurement model about the current receiver time, position, and velocity estimates and computes offsets to the quantities {f (circumflex) D,k } 1 ⁿ that are commensurate with the perturbation Δx D (t k ).

Similarly, let Δx(t k ) = [Δx(t k ), Δy(t k ), Δz(t k ), Δt(t k )]^T be the perturbation that the control module applies to the target receiver’s observed position and time at receiverspoofer time t k . Δx(t k ) is calculated by integrating the time history of Δx D (t k ) values from some initial condition, typically Δx D (t k ) = 0 so that the target receiver’s observed velocity and clock rate bias is initially approximately equal to its true velocity and clock rate bias. To enforce Δx(t k ), the control module linearizes the standard pseudorange measurement model about the current receiver time and position estimates and computes offsets to the quantities {t (circumflex) k } 1 ⁿ that are commensurate with the perturbation Δx(t k ).

Following this strategy, the control module can, as gradually as necessary, misdirect the target receiver’s observed position and time.

The spoofer control module currently makes no attempt to align the beat carrier phases of its output signals with those of the received GPS signals, and so the phase values {θ (circumflex) k } 1 ⁿ are currently discarded. More sophisticated future versions of the receiver-spoofer will likely make use of these phase values.
- Spoofer Channels: Each of the n spoofer channels is configured to correspond to one of the n authentic GPS signals that the receiver module tracks. The signal generated by the nth spoofer channel can be modeled as
(1)

(2)

where x n (τ i ) is the ith sample of the signal, τ i is the time of the ith sample, A n (τ i ) is the control-module-commanded amplitude at τ i , d n (τ i ) is the data bit value that applies at τ i , C n (τ i –t n,k ) is the C/A code chip value that applies at τ i , t n,k is the control-module-commanded start time of the kth C/A code period, Q{•} is a 2-bit quantization function, f IF is the intermediate frequency, θ n (τ i ) is the beat carrier phase at τ i , and f D,n,k is the control-module-commanded Doppler frequency shift at time t n,k . The C/A code function C n (τ) can be further represented as

(3)

and the data bit function d n (τ) as

(4)

where {c n,1 , c n,2 , …, c n,1023 } and {d n,j , d n,j+1 , …} are the unique C/A code chip sequence and navigation data bit sequence corresponding to the GPS satellite whose signal is being emulated on the nth spoofer channel, T c and T d are the duration of one C/A code chip and one navigation data bit, and ∏ T (τ) is the usual rectangular support function equal to unity over 0 ≤ τ< T and zero otherwise.

To generate the C/A code samples {C n (τ i )}, i = 1,2, …, the spoofer channels make use of the same bit-packed C/A code replicas that are employed for signal correlation in the receiver module, which are stored in large look-up tables. However, to generate the samples of the quantized carrier replica

(5)

the spoofer channels cannot exploit the same bit-packed carrier replicas that are used for signal correlation in the receiver. This is because, to minimize on-chip memory requirements, the receiver’s carrier replicas all begin at the same phase value and have only a coarse 175-Hz frequency resolution. The receiver compensates for these factors by performing a rotational “fix-up” on the in-phase and quadrature accumulation values. Unfortunately, such a scheme is unworkable for generating the sampled carrier replicas in the spoofer channels because anything less than precise phase and frequency control over the carrier replicas would potentially alert a target receiver to a spoofing attack. Consequently, it was necessary to develop a carrier-replica generator more capable than that used in the receiver module.
- Carrier-Replica Generator: Two requirements drove the carrier-replica generator design: precision and efficiency. Regarding precision, to evade detection the generator must be able to set the initial phase of a carrier replica segment to within approximately one degree and the Doppler frequency offset over the segment to within approximately 1 Hz. Regarding efficiency, to meet real-time deadlines the generator would have to be capable of generating a replica segment T S seconds long in less than T S /30 seconds. We developed a generator meeting these requirements.
A quantized sampled carrier replica can be represented in bit-wise parallel format as a block of 32-bit words. In the simplest case, the carrier replicas are one-bit quantized with 0 and 1 respectively representing the values –1 and 1. The carrier replica generator can be configured to generate 1- to 4-bit-quantized samples. Two-bit quantization was chosen for implementation within the spoofer, with one bit representing the sign and the other representing the magnitude of the signal. The choice of 2-bit quantization balanced a tradeoff between efficiency and the amount of quantization noise introduced into the final linear combination of the spoofer channel outputs.

The carrier replicas are sampled at a rate f S > 2f IF Hz as shown for the minimum and maximum Doppler frequency shifts in FIGURE 8. The key observation that makes real-time generation of the carrier replicas possible is the following: There is little diversity in the 32-bit words that result from packing 32 samples of quantized carrier replicas over a ±10-kHz range of Doppler frequency offsets and 2π radians of carrier phase. This is another way of saying that the information content of the quantized sampled carrier replicas is low, which is to be expected.

FIGURE 8. Two-bit quantization of the local carrier replica at the maximum and minimum Doppler frequency shifts.

Figure 8 illustrates this concept by showing a case with a sampling frequency f S = 5.714 MHz, an intermediate frequency f IF = 1.405 MHz, and a Doppler frequency range of ±10kHz. This Doppler frequency range covers the expected range of Doppler shifts seen by a terrestrial GPS receiver, with ~ 5 kHz of margin for receiver clock rate error. The sampling and intermediate frequencies are typical for civil GPS applications. Over the interval shown in Figure 8, the total number of cycles for the two signals, whose initial phases are aligned, differs by less than 1/8 of a cycle. When sampled and 2-bit quantized into the sign (s) and magnitude (m) bits that run along the bottom of each frame, the resultant carrier replicas have the same sign-bit history and only 10 different magnitude bits. This indicates that the sampled carrier replicas covering a reasonable Doppler shift frequency range are primarily a function of the initial phase offset for each 32-bit word. This observation remains true whenever f IF < f S and f D,mabs << f IF , where f D,mabs is the maximum absolute value of the Doppler frequency shift.
The low information content of the sampled carrier replicas makes them amenable to tabular storage and efficient retrieval. Two tables are required, one each for the sign and magnitude bits. Let i f ∈ {0,1, …, N f – 1} and i θ ∈ {0,1, …, N θ – 1} represent the respective indices into the frequency and phase dimensions of the tables. For each carrier replica segment (typically 1-ms long), a single frequency index is calculated as

(6)

where f D is the exact desired frequency and f D,min and f D,max are the minimum and maximum Doppler frequency shifts. The phase index i θ is different for each of the 32-bit words that are strung together to compose the carrier replica segment. Let τ k be the time offset of the midpoint of the kth word in the segment relative to the time of the first sample in the segment. The phase at the midpoint of the kth word is calculated as

(7)
where θ 0 is the phase of the first sample in the segment, and the modulo operation is modulo 2π. Finally, the phase index of the kth word is calculated as

(8)

To meet precision requirements, the number of indices into the frequency and phase dimensions of the tables were set respectively to N f = 32 and N θ = 256. With this table size, the table-generated carrier replicas are not significantly different from carrier replicas generated by applying the exact phase and frequency values using double-precision computations. The sign and magnitude tables occupy a total of 64 kB in on-chip memory.
- Data Bit Predictor: The GPS L1 navigation data bit sequence {d n,j , d n,j+1 , …} required by the nth spoofer channel is most easily generated in one of two ways. The simplest approach is to pass data bits to the spoofer channels as soon as they can be reliably read off the incoming GPS signals. Naturally, this approach produces a delay in the arrival time of the spoofing data bit as compared to that of the true data bit at the target receiver’s antenna. The delay is most conveniently made an integer number of 1-ms C/A code intervals. Clearly, such a delay is undesirable in a spoofer because a target receiver could be designed to watch for such a delay and thereby detect a spoofing attack.
The second approach is to predict the data bits based on knowledge of the bit structure and a recent bit observation interval. This is the function of the receiver-spoofer’s data bit predictor. This method relies on the fact that the GPS navigation message has a 12.5-minute period and remains nearly perfectly predictable for a period of two hours. In fact, the almanac component of the 12.5-minute data block is refreshed by the GPS Control Segment only once per day, and the remaining data — the individual satellite ephemeris data — can be observed in less than one minute. There are data bit segments within the TLM word of the navigation message that are unpredictable on a regular basis. However, these segments are also unpredictable for the target receiver (in the absence of external data bit aiding). Therefore, the spoofer can simply fill the unpredictable data bit segments with arbitrary data bits and adapt the parity bits and HOW word polarity accordingly.

Discrepancies have been observed between the almanac data of Block IIA and later satellites. For example, the least significant bits of particular ephemeris parameters can differ. This is believed to be a rounding error in early satellites. These discrepancies cause problems with data-bit prediction for Block IIA satellites. The GPS control segment has been alerted to this and is taking corrective measures. Meanwhile, the spoofer module’s data-bit predictor keeps two copies of almanac data: one for Block IIA and one for later satellites.

During a spoofing attack, rising GPS satellites pose a challenge for the data-bit predictor; indeed, for the entire receiver-spoofer. The receiver-spoofer must prevent the target receiver from acquiring bit lock on the new signal until the data-bit predictor has a chance to observe the new satellite’s ephemeris data. This could be done by transmitting a spoofing signal with arbitrary data bits whose boundaries change sporadically by an integer number of C/A code periods.
- Sample-Wise Combiner: Summation of the bit-packed signals generated in each of the spoofer channels is performed sample by sample. The ith sample from the nth spoofer channel is weighted by A n (τ i ) and summed with the corresponding samples from the other spoofer channels, each weighted appropriately. While computationally expensive, sample-wise operations are necessary to generate a combined signal that represents a quantized superposition of the individual spoofing signals with correct relative amplitudes. The composite signal is then re-quantized to 1 or 2 bits before being loaded into the output circular buffer. Re-quantization of the composite signal introduces additional signal distortion, which decreases the carrier-to-noise ratio of each component signal. For 1-bit re-quantization, which is the current configuration, the signal distortion is tolerable until more than eight spoofing signals are combined. More precisely, 1-bit requantization can sustain no more than eight equal-amplitude component signals at a carrier-to-noise ratio of C/N 0 = 48 or higher.
Implementation

The software-defined receiver-spoofer has been implemented on the Cornell GRID receiver platform (FIGURE 9). Receiver and spoofer software modules run on the same processor.

FIGURE 9. The Cornell GRID receiver, hardware platform for the receiver-spoofer.

When tuned for efficiency, the receiver-spoofer meets real-time deadlines with computational resources to spare. At full capability, the receiver-spoofer tracks 12 GPS L1 C/A signals and simultaneously generates 12 spoofing signals, in addition to performing a 1-Hz navigation solution and continuous background acquisition. The 1-bit re-quantization of the composite spoofing signal limits the spoofer module practically to eight component signals. Future versions of the receiver-spoofer may trade computational resources for 2-bit re-quantization, permitting more than eight component spoofing signals.

The marginal computational demands of each tracking and spoofing channel are respectively 1.2 percent and 4 percent of the DSP, the latter value reflecting the high computational cost of carrier replica generation and sample-wise signal combination within the spoofer module.

The core Cornell GRID receiver software is the product of hundreds of developer-hours of work. Developing the spoofer module and extending the core GRID receiver software to include it required a team of three experienced developers working approximately 40 hours apiece, or approximately three developer-weeks. The hardware components of the receiver-spoofer platform shown in Figure 9 are all off-the-shelf components whose total cost is approximately $1,500.

Demonstration Attack

We devised a method for demonstrating a spoofing attack without actually transmitting RF signals at the GPS L1 frequency over the air, which would have violated FCC restrictions on transmitting in a protected band. An interval of digitized authentic GPS L1 C/A code data sampled at 5.7 MHz was stored to disk. The data were input to the receiver-spoofer, which tracked the six GPS signals present, generated corresponding spoofing signals, and combined these into a 1-bit quantized output bitstream. The output bitstream was then combined with the original data by interleaving, and the resulting bitstream was input to a Cornell GRID receiver acting as target receiver, as shown in FIGURE 10.

FIGURE 10. The “bit combination” framework for demonstrating a spoofing attack.

The receiver-spoofer accurately reproduced the code phase, frequency, data-bit values, and relative amplitude of all six GPS L1 signals present. The spoofing signals’ carrier phases, while not designed to match those of the genuine signals, were continuous across accumulation intervals as intended.

To enable observation of the spoofing attack, the target receiver was augmented with correlator taps at 81 different 0.2-chip offsets about the prompt tap, which is nominally aligned with the incoming signal. The amplitude time history from each correlator tap can be combined to produce “footage” of the spoofing attack from the perspective of the individual channels.

FIGURE 11 shows a sequence of frames depicting the attack on one of the channels. The attack lasts approximately 30 seconds. Each successive panel represents a snapshot of the 81 taps’ amplitudes at roughly 6-second intervals. The three red dots represent the delay-lock loop’s tracking points, which continuously attempt to align themselves so that the center point is maximized and the flanking points are equalized. The top frame shows the tracking points nicely aligned on the genuine signal’s correlation peak, while the counterfeit signal’s peak approaches furtively from the right. Of course, in a typical spoofing attack, the counterfeit peak would simply be initially aligned with the genuine peak and initially smaller than the counterfeit peak in the top panel; its approach from the right and large size in the present case is merely for clarity of presentation.

FIGURE 11. A sequence of frames (from top to bottom) showing a successful single-channel spoofing attack.

After the spoofed peak aligns with the genuine one, its signal power is gradually increased until it begins to control the tracking points. Eventually, the counterfeit peak drags the tracking points off to the left of the true peak. In the lower two panels of Figure 11, the true peak appears to drift off towards the right because the counterfeit peak has hijacked the 81 taps of the figure’s image zone, which are tied to the victim receiver’s tracking points, and it drags them all leftward relative to the true peak. A sophisticated spoofing attack will attempt right-to-left, or late-to-early, tracking lift-off wherever possible so as to disguise the attack as multipath.

FIGURE 12 illustrates the attack from the perspective of the baseband phasors in the complex plane. In the present version of the receiver-spoofer, no attempt is made to phase-align the authentic and spoofing signals. Consequently, a sign change in the data bit stream is possible as the spoofing phasor’s amplitude gradually increases and the target receiver’s phase-lock loop eventually transitions from tracking the authentic phasor to tracking the spoofing phasor. However, the rotational rates of the two phasors, ωa and ωs in Figure 12, should be nearly equivalent. From Figure 12 it should be apparent that if a receiver-spoofer were capable of phase-aligning with a genuine signal, it could, by transmitting the exact difference between a desired spoofing signal and the true signal at the target antenna, simultaneously produce a spoofing phasor and suppress the authentic phasor. When combined with data-bit prediction, such an attack could be impossible to detect relying solely on user-equipment-based defenses.

FIGURE 12. The authentic and spoofing baseband phasors with respective rotational rates of a and s on the complex I-Q plane.

Countermeasures

Three spoofing countermeasures have been suggested by work to date. Two of these, both software-defined user-equipment-based defenses, are presented here. These can be thought of as additions to the five user-equipment-based countermeasures presented earlier. The third method, a promising low-impact cryptographic technique, will be disclosed in a separate publication. Neither of the user-equipment-based defenses discussed below is spoofproof; however, each is straightforward to implement and increases the difficulty of mounting a successful spoofing attack.

Data-Bit Latency Defense. The data bit-latency defense is premised on the difficulty of re-transmitting the GPS data bits in real time. The alternative, data-bit prediction, is itself somewhat challenging and is vulnerable to detection at the 2-hour ephemeris update boundaries and when a GPS satellite rises above the horizon.

FIGURE 13 illustrates the latency between the spoofing and authentic data bit streams that would arise in the absence of data-bit prediction. To detect this condition, the target receiver has only to continuously monitor bit lock. In other words, the receiver looks for a data-bit sign change between consecutive accumulations at the C/A code-length interval. If a sign change is detected at other than an expected data-bit boundary, then the target receiver raises a flag. Except in unusual circumstances, such as low signal power or ionospheric scintillation, a raised flag betrays a spoofing attack. We have implemented and validated the data-bit latency defense on a modified Cornell GRID receiver.

FIGURE 13. Illustration of the likely latency of the spoofing data bit stream compared to the authentic data bit stream.

Besides by data-bit prediction, a spoofer can attempt to counter the data-bit latency defense by jamming until the target receiver loses bit lock and then spoofing during reacquisition. However, as with the time-discrepancy defense, an extended jamming period may be required to sufficiently widen the target receiver’s window of acceptance, and extended jamming is itself telltale evidence of interference.

Vestigial Signal Defense. This defense is premised on the difficulty of suppressing the authentic signal after successful lift-off of the delay-lock loop tracking points. To suppress the authentic signal, a spoofer must transmit the difference between a desired spoofing signal and the true signal at the target antenna. Construction of an effective suppressor signal requires knowledge to within roughly 1/8 of a cycle of each authentic signal’s carrier phase at the phase center of the target antenna. Such precise knowledge of carrier phase implies centimeter-level knowledge of the 3-dimensional vector between the target antenna and the transmitter phase centers. This would be challenging except in circumstances where the receiver-spoofer could be placed in the immediate proximity of the target antenna phase center.

Absent an effective suppressor signal, a vestige of the authentic GPS signal will remain in the input to the target receiver. Soon after lift-off of the delay-lock loop tracking points, the vestige may be well disguised as multipath, but its persistence and distance from the spoofed correlator peak will eventually distinguish the two effects.

To detect the vestigial authentic signal, the target receiver employs the following software-defined technique. First, the receiver copies the incoming digitized front-end data into a buffer used only for vestigial detection. Next, the receiver selects one of the GPS signals being tracked and removes this signal from the data in the buffer. This is the same technique used to remove strong signals in combating the near/far problem in spread-spectrum multiple-access systems, including GPS. Once the tracked signal has been removed, the receiver performs acquisition for the same signal (same PRN identifier) on the buffered data.

These steps are repeated for the same GPS signal and the results are summed non-coherently until a probability of detection threshold is met for some assumed C/N₀ value and some desired probability of false alarm. If a significant vestigial signal is present in the data, this technique will reveal it.

Conclusions

The deepening dependence of the civil infrastructure on GPS and the potential for financial gain or high-profile mischief makes civil GPS spoofing a gathering threat. The software-defined receiver-spoofer described here demonstrates that it is straightforward to mount a spoofing attack that would defeat most known user-equipment-based spoofing countermeasures. Moreover, it appears that nothing short of cryptographic authentication can guard against a sophisticated spoofing attack.

With the addition of each modernized GNSS signal, the cost of mounting a spoofing attack rises markedly, and would quickly exceed the capabilities of the GPS L1 civil spoofer demonstrated here. Nonetheless, faster DSPs or FPGAs would make multi-signal attacks possible. Moreover, there will remain many single-frequency L1 C/A code receivers in critical applications for years to come.

It is imperative that more research and funds be devoted to developing and testing practical and effective user-equipment-based civil GPS spoofing countermeasures such as the data-bit latency defense and the vestigial signal defense introduced here. Further research into cryptographic authentication methods should also be pursued. Officials in the U.S. Department of Transportation, the Federal Aviation Administration, and the Department of Homeland Security should consider the perils of civil GPS spoofing and oversee development and adoption of effective countermeasures. Commercial manufacturers of GPS user equipment should adopt at least rudimentary spoofing countermeasures.

In conclusion, consider two security maxims advanced by the Vulnerability Assessment Team at Argonne National Laboratory. The first certainly applies to civil GPS spoofing. One can only hope that the second does not.

Yippee Maxim: There are effective, simple, and low-cost countermeasures (at least partial countermeasures) to many vulnerabilities.

Show Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, “significant psychological (or literal) damage is required before any significant security changes will be made.”

Acknowledgments

The Cornell GRID receiver development has been funded under ONR grant N00014-04-1-0105. A Reference/Further Reading section will be appended to the version of this article appearing online at env-gpsworld-integration.kinsta.cloud. An earlier version of this article was published in the Proceedings of the September 2008 Institute of Navigation GNSS Conference in Savanna, Georgia.

Manufacturers

The receiver-spoofer consists of a Zarlink/Plessey GP2015 RF front end, a CPLD for signal multiplexing, and a Texas Instruments TMS320C6455 DSP.

TODD E. HUMPHREYS is a research assistant professor in the department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin. He received a Ph.D. in aerospace engineering from Cornell University; [email protected].

BRENT M. LEDVINA is an assistant professor in the Electrical and Computer Engineering Department at Virginia Tech. He received a Ph.D. in electrical and computer engineering from Cornell University.

MARK L. PSIAKI is a professor in the Sibley School of Mechanical and Aerospace Engineering at Cornell. He received a Ph.D. degree in mechanical and aerospace engineering from Princeton University.

BRADY W. O’HANLON received a B.S. in electrical and computer engineering from Cornell University,where he pursues a M.S./Ph.D degree.

PAUL M. KINTNER, JR. is a professor of electrical and computer engineering at Cornell. He received a Ph.D. in physics from the University of Minnesota.

References

“Vulnerability assessment of the transportation infrastructure relying on the Global Positioning System,” Tech. rep., John A. Volpe National Transportation Systems Center, 2001.

Key, E. L., Techniques to Counter GPS Spoofing,” Internal memorandum, MITRE Corporation, Feb. 1995.

Scott, L., “Anti-spoofing and authenticated signal architectures for civil navigation systems,” Proc. ION GPS/GNSS 2003,Institute of Navigation, Portland, Oregon, 2003, pp. 1542-1552.

Hein, G., Kneissi, F., Avila-Rodriguez, J.-A., and Wallner, S., “Authenticating GNSS: Proofs against spoofs, Part 1,” Inside GNSS, July/August 2007, pp. 58-63.

Hein, G., Kneissi, F., Avila-Rodriguez, J.-A., and Wallner, S., “Authenticating GNSS: Proofs against spoofs, Part 2,”Inside GNSS, September/October 2007, pp. 71-78.

Scott, L., “Location Assurance,”GPS World,Vol. 18, No. 7, 2007, pp. 14-18.

Stansell, T., “Location Assurance Commentary,”GPS World,Vol. 18, No. 7, 2007, pp. 19.

Warner, J. S. and Johnston, R. G., “GPS spoofing countermeasures,” Dec. 2003, http://www.homelandsecurity.org/bulletin/DualBenefi/warner gps spoofing.html.

Ledvina, B. M., Cerruti, A. P., Psiaki, M. L., Powell, S. P., and Kintner, Jr., P. M., “Performance Tests of a 12-Channel Real-Time GPS L1 Software Receiver,” Proceedings of ION GPS 2003, Institute of Navigation, Portland, OR, 2003.

Ledvina, B. M., Psiaki, M. L., Powell, S. P., and Kintner, Jr., P. M., “Real-Time Software Receiver Tracking of GPS L2 Civilian Signals using a Hardware Simulator,”Proceedings of ION GNSS 2005, Institute of Navigation, Long Beach, CA, Sept. 2005.

Ledvina, B. M., Psiaki, M. L., Powell, S. P., and Kintner, Jr., P. M., “Bit-Wise Parallel Algorithms for E±cient Software Correlation Applied to a GPS Software Receiver,”IEEE Transactions on Wireless Communications, Vol. 3, No. 5, Sept. 2004.

Humphreys, T. E., Ledvina, B. M., Psiaki, M. L., and Kintner, Jr., P. M., “GNSS Receiver Implementation on a DSP: Status, Challenges, and Prospects,”Proceedings of ION GNSS 2006, Institute of Navigation, Fort Worth, TX, 2006.

Warner, J. S. and Johnston, R. G., “A simple demonstration that the Global Positioning System (GPS) Is Vulnerable to Spoofing,”Journal of Security Administration, 2003.

Anon., “ICD-GPS-200C: Navstar GPS Space Segment/Navigation User Interfaces,” Tech. rep., ARINC Research Corporation, 2003, http://www.losangeles.af.mil/library /factsheets/factsheet.asp?id=9364

Borre, K., Akos, D., Bertelsen, N., Rinder, P., and Jensen, S.,A Software-defined GPS and Galileo Receiver: A Single-frequency Approach, Birkhauser, 2007.

Ledvina, B. M.,”Real-Time Generation of Bit-Packed OverSampled Carrier Replicas,” 2008, in preparation.

Johannesson, R. J.,Cross-correlation mitigation in GPS signal acquisition for a real-time software receiver, Master’s thesis, Cornell University, 2007.

Johnston, R. G., “Physical security maxims,” http://www.schneier.com/blog/archives/2008/09 /security maxims.html .
January 1, 2009
GNSS Receiver Evaluation
Record-and-Playback Test Methods

This article addresses how best to quantify “which navigation system performs best” in a realistic testing scenario. The methodology focuses on land vehicles navigating in urban environments, but applies equally well to pedestrian navigation and can be adapted for testing assisted-GNSS implementations. During a drive test, the truth-reference system and RF recording system log samples to disk, with no need for the receivers under test to be included during the actual drive.

By Eric Vinande, Brian Weinstein, Tianxing Chu, and Dennis Akos, University of Colorado, Boulder

FIGURE 1. Traditional in-vehicle receiver testing.

Radio frequency record-and-playback systems (RPS) have recently become commercially available. These systems sample the RF environment and store it to disk during a drive test and can replay it through receivers back in the lab environment. Here we explore the improvements in dynamic testing methodology created by these units.

RPS test system installation.

RPS constitute a stark contrast to more traditional signal simulators that use pre-defined trajectories and mathematical models to determine appropriate RF output. Signal simulators attempt to reproduce environmental error factors such as multipath, inertial aiding system errors, and building and vehicle obstructions. They rely on mathematical models to simulate these various error sources. In some cases they do a reasonable job of reproducing these errors, but the dynamic urban environment is so complex (for example, rapidly varying/fading signal strength(s), multiple multipath signals, short/long duration obstructions of multiple layers) that even a sophisticated mathematical model can not replicate all effects completely. Some simulators include software that enables the user to define a trajectory and a limited amount of urban scenario details. Again, only so much realism can be created in a simulation environment. Existing testing standards are simulator-based, and as such, are circumscribed by the signal simulator limitations in representing a dynamic environment.

Positioning performance of a satellite navigation receiver under test (RUT) is coupled with its RF front-end system and local oscillator quality. Because of the variation in RF components between RUTs, some likely have superior RF interference (RFI) immunity. RFI can be a serious issue in certain land vehicles due to on-board electrical systems or because of external interference sources.

This article describes a testing method applicable to all receiver types, and complementary to that described in the December 2009 GPS World article by Mitelman and colleagues, “Testing Software Receivers,” regarding validation testing within a production environment. Added elements include taking into account truth-system uncertainty and a repeatability verification of the RF playback process through non-deterministic hardware receivers.

We present here the dynamic testing approach currently used at the University of Colorado in Boulder for receiver evaluation and comparison in the urban environment. The approach also includes the ability to assess the effect of sensor augmentations (for example, inertial, environmental) on positioning performance.

Truth Reference. Comparison with a truth reference system is essential for evaluation of satellite navigation receivers. For dynamic testing, this typically includes a survey-grade receiver coupled with a tactical-grade (or better) inertial measurement unit (IMU) and associated carrier-phase differential post-processing software. This software is filter-based and provides a positioning-error estimate in various components. Truth reference systems provide a continuous position estimate whose quality can vary depending on factors experienced in the urban environment, including length of full/partial satellite signal outage. In this study, we subtracted the 99th-percentile horizontal positioning error estimate of the truth system from the nominal RUT positioning error at each reporting epoch, as shown in Figure 2.

If the RUT position happens to lie within the truth-system position uncertainty, it is not considered to have any position error.

We focus here on a method to evaluate and compare mass-market, consumer-grade receivers to survey-grade receivers. One difference between these two receiver types is the way they handle the trade-off between accuracy and availability. Consumer receivers strive to provide the user with the highest availability, whereas survey receivers’ goal is to maximize accuracy. As a result, consumer-grade receivers will produce more regular position updates in harsh signal-tracking conditions, but must sacrifice accuracy to do so.

FIGURE 2. RUT position error calculation

Current Testing Standards

Currently accepted A-GPS standards such as those used by the 3rd Generation Partnership Project (3GPP) provide very limited dynamic testing in simulated urban conditions, being mainly designed to evaluate the first position calculation achieved in a particular simulated scenario. High-sensitivity receivers that pass or greatly exceed the 3GPP tests, in our opinion, are not guaranteed to have superior navigation performance in urban areas. Also, local oscillator performance is not specified. The trajectory dynamics imposed can actually be much smaller than the clock dynamics of a very low-cost local oscillator. A GPS receiver cannot tell the difference between the two and must track the effective Doppler variation.

The 3GPP defines five independent tests for A-GPS receiver certification. They include tests in the areas of: sensitivity with coarse/fine time assistance, nominal accuracy, dynamic range, multipath performance, and moving scenario/periodic update performance. The last three tests include elements that ostensibly pertain to the urban environment. These tests specify discrete, constant signal power levels for implementation in a hardware signal simulator. The discrepancy between the 3GPP-prescribed signal levels and those observed during actual drive testing is detailed as follows.

The 3GPP moving scenario/periodic update performance test trajectory is shown in Figure 3.

FIGURE 3. 3GPP dynamic testing
trajectory (van Diggelen, A-GPS: Assisted
GPS, GNSS, and SBAS, Artech House)

This test profile calls for the simulation of five satellites with a constant signal strength of 2130 dBm while the vehicle travels around the racetrack trajectory. In contrast, during an actual drive test in an urban area, a receiver reported the distribution of carrier-to-noise-density values for all tracked satellites as shown in Figure 4. This more accurately shows the range of signal strengths that should be expected in urban conditions.

FIGURE 4. Drive-test C/N₀ distribution

The 3GPP moving test is considered passed if positions are reported regularly, and 95 percent of them are within 100 meters of the true position. This is not a particularly difficult test for a RUT to retain signal lock through, as the linear acceleration is about 0.15 g and the centripetal acceleration is about 0.25 g.

It is difficult for independent third parties to carry out a receiver evaluation following 3GPP guidelines as several of the tests require receiver restarts, which in turn requires testing automation. Depending on the receiver-evaluation hardware availability, restart commands may not be available to to an independent evaluator.

3GPP receiver testing results are quoted as pass or fail over a large number of short evaluations. For the dynamic environment, the system performance over continuous time is required to make a proper comparison between evaluated receivers.

In general, evaluating the GPS engines embedded within cell phones or other devices is difficult. Most are not made to interface with an external antenna, and the mere act of adding an antenna connection can significantly alter performance. The output format is not always documented, if it is even available to an end user. To allow fair across-the-board comparisons, GPS chipset manufacturers should make available development kits that have external antenna connections and well-documented message output formats.

Drive-Test Configuration

Current live dynamic testing requires multiple systems to be operating in a moving vehicle (see opening Figure 1). A truth-reference system, usually a high-grade GPS/INS device along with post-processing, provides the basis to which all other RUT are compared. This system requires a dedicated vehicle rooftop antenna with the best possible sky view, separate from a lower-grade test antenna located within the vehicle. Each RUT is connected to the representative consumer-grade antenna located in the vehicle through a high-isolation splitter that suppresses inter-receiver interference. It is important at this point that the gain be set appropriately for each RUT, depending on the front-end expectations while maintaining an equivalent noise figure across all receivers.

Visualization Methods

In addition to quantitative methods, we have created a qualitative visualization to assist with interpretation of the raw data. The same parsed data sets that provide the statistical script input are fed into a viewer script along with the post-processed truth reference data. With the truth-reference system data plotted in the center of the screen, each RUT is then plotted the correct distance and direction away, based on the distance and direction of error compared to truth. The receiver plots are overlaid onto Google Earth images centered on the truth-reference location. Plots of number of satellites utilized (top right of Figure 5) and elevation (middle right) as reported by each receiver and the sampled RF spectrum (lower right) are also included.

For each reporting epoch, based on the data frequency of the truth-reference system, a frame is generated with the aforementioned characteristics. These frames are gathered and encoded into a movie clip which can then be used as a quick and simple qualitative tool for receiver comparison. Figure 5 shows an individual movie frame. A forward-looking camera capability is also being added to this movie so the test environment can be documented from multiple angles.

FIGURE 5. Movie visualization screenshot

While observing this movie, variations in the sampled RF spectrum from interference or blockages can be associated with the current landscape. Locations of RFI sources can be identified and avoided (or included) in future testing. These RFI and significant blockage locations are of interest for receiver RF component and navigation filter development. The next three figures show spectrum snapshots during various parts of a drive test. In Figure 6, the cumulative GPS spectra rises above the noise floor and is visible during open sky conditions. While below ground level, Figure 7 shows only the front-end filter shape (and relatively minor RFI). Figure 8 shows an example of severe RFI when near a specific parking garage location.

FIGURE 6. Open-sky spectrum (centered
on 1575.42 MHz)

FIGURE 7. Spectrum while below ground
level (centered on 1575.42 MHz).

FIGURE 8. Spectrum near interference
source (centered on 1575.42 MHz).

Record/Playback Concept

To overcome the limitations of hardware signal simulators and repeated vehicle drive testing, the RF record/playback testing method is utilized at the university. Commercially available equipment, capable of recording and playing back an RF signal, has recently become available. Equipment options exist for between $10,000–100,000, with 1–16 bit sampling and 4–25 MHz front-end bandwidth.

Figures 9 and 10 show the concept of “record once, playback many times.” During a drive test, the truth-reference system and RF recording system log samples to disk. There is no need for the RUT to be included during the actual drive test.

FIGURE 9. Recording mode block diagram.

FIGURE 10. Playback
mode block diagram

In the laboratory, the logged RF samples are replayed through a splitter to all RUT. The effect of receiver configuration changes can be evaluated without having to repeat the drive test. At a later time, additional receivers can also be tested using the same stored RF sample file.

During separate record and playback phases, testing considerations and methods discussed previously are implemented.

Since the recording process can only obviously capture current conditions, additional drive-test collections are required if different satellite geometry is desired, or if additional representative antennas need to be evaluated.

Repeatability of RPS Testing

To validate that the playback signal levels were not significantly different from live signals, we conducted an urban, dynamic evaluation. Figure 11 shows that there is typically not more than a 1 dB difference in reported C/N₀ between live and playback modes when testing a receiver that only reported integer values. The two dropout instances were excursions into parking garages.

FIGURE 11. Live and playback C/N₀ values

Figure 12 compares the navigation statistics between replays, using the same five playbacks as in Figure 11. The playbacks show a 1-sigma horizontal position solution spread under 1 meter for approximately 83 percent of the test.

FIGURE 12. Playback Horizontal Position Error Spread.

These two figures verify the repeatability of the RPS testing method and solidify it as an alternative to both signal-simulator testing and live testing of satellite navigation receivers.

Denver Testing Method

To evaluate the RPS concept, we conducted tests in three locations: Boulder, Denver, and Interstate Highway 70, all in Colorado. The Boulder and Denver locations were urban collections, while the Interstate 70 location was a natural canyon with significant elevation change. The collection at each location was repeated with two different representative antennas (patch and cell phone) at nearly the same sidereal time in order to keep the overhead satellite constellation similar.

We examine here the November 11 and 16 Denver tests. The November 11 test used a patch antenna that places nearly all its gain in the upward direction, making it more immune to interfering sources below and to its sides. Figure 13 shows the patch antenn
a location on the van, as well as the truth-system antenna location utilized for testing on both days.

FIGURE 13. Patch antenna (dashboard) and
truth-system antenna (rooftop) locations.

The November 16 test used a cell-phone GPS antenna that does not have a preferential gain direction, making it more susceptible to interfering sources below and to its sides. This antenna type is representative of the typical low-cost antenna (in some cases as simple as a piece of wire) found in consumer cell phones. Figure 14 shows the cell-phone antenna suction-cup mounted to the front window of the testing van. The representative antenna mounting location was chosen to minimize locally-generated RFI effects while also being representative of a typical vehicle-use case.

FIGURE 14. Cell-phone antenna location.

The required equipment and connections are minimal when performing RPS drive testing, as no RUTs are included. The inset to Figure 1 at the beginning of this article shows the RPS unit in the rear of the van, mounted on layers of foam to reduce vibration, which, if not properly addressed, can cause errors in mechanical hard drives writing data at high rates. Also visible are the truth receiver on the center of the van floor, and the car batteries for powering it and the IMU. The IMU is mounted to the vehicle frame and is not shown.

The test drive trajectory through Denver on November 11 and 16 as reported by the truth system is shown in black in Figure 15 and is also repeated in Figures 16 and 17. The test lasted approximately 40 minutes on both days. It started in the upper left part of Figure 15 and continued zig-zagging through downtown to the lower right.

FIGURE 15. Truth trajectory for November 11 and 16 tests.

Figures 16 and 17 show particularly difficult blocks for the four receivers tested under the replay method. These receivers are denoted A (green), B (blue), C (red), and D (yellow).

FIGURE 16. Difficult block #1 during November 11 test and truth
system antenna (rooftop) locations.

The horizontal positioning error statistics for two receivers on the November 11 test are shown in Figures 18 and 19. The left side shows horizontal error in two different zoom levels. The right side shows a histogram and cumulative distribution of errors, and several reporting metrics over the entire test. Even though receiver A in general outperformed receiver B, from the error time histories there are noticeable periods where both receivers simultaneously had positioning difficulties.

FIGURE 17. Difficult block #2 during November 11 test.

Table 1 summarizes the horizontal positioning statistics for all receivers during both tests. Positioning accuracy was severely degraded when replaying samples collected with the cell-phone antenna as compared to the patch antenna. Receiver A was the most accurate across both tests, while receiver B was the least accurate. The uncertainty of the truth system was subtracted out when producing the horizontal positioning results for all receivers.

Table 1

Conclusions

The record-and-playback system testing approach, in our opinion, represents the best way to test hardware receivers. It overcomes the fidelity limits of simulator-based testing, especially when considering the difficult-to-model urban environment. During receiver development, it requires only a single drive test for each location, as sampled RF data can be replayed from disk.

FIGURE 18. Receiver A horizontal positioning error statistics (November 11 test).

FIGURE 19. Receiver B horizontal positioning error statistics (November 11 test).

Having demonstrated that RPS testing is repeatable, we have produced a library of RF sample files representing real-world conditions for continued receiver development and testing purposes.
- Eric Vinande is Ph.D. student at the University of Colorado studying GPS/MEMS inertial sensor integration and urban RFI aspects.
- Brian Weinstein is a BSEE student participating in the Undergraduate Research Opportunity Program for GNSS receiver testing at the University of Colorado.
- Tianxing Chu is a visiting researcher at the University of Colorado from Peking University where he is a Ph.D. student.
- Dennis Akos is an associate professor within the Aerospace Engineering Sciences Department at the University of Colorado with concurrent appointments at Stanford University and Luleå University of Technology.
Manufacturers

Development of the methodology described here used two different RPS systems, one from LabSat (RaceLogic) and one from Averna. The test data come from the Averna system.
January 1, 2009
Letters to the Editor: Election Results Disputed
Editor’s Note: Full transcripts of the pre-election debate are available here: Part 1 and Part 2.

I hereby notify you that I contest your counting of the ballots of the Signal Party versus the Toy Party. Here are some facts:

According to your own admission, there were 123 people at the dinner, and you counted 108 votes. The 15 votes that you did not count were obviously cast for me, which makes my count 46 + 15 = 61. My son-in-law voted absentee which you did not count. He officially registered and was part of the meeting. That makes my votes 62, equal to the Toy Party. If you add my own vote, I am a clear winner.

(I will not bring up the fact that you unfairly did not allow my two grandsons to vote. You cannot use the excuse that they could not write. My daughter could have filled the ballots for them. )

Even if you don’t count my vote, Tom Hunter was the only legitimate vice president at the meeting. According to the rules, the VP casts the final vote when votes are equal. He votes for me! You can ask him directly if you don’t believe me.

Your process was not fair:
- My investigation reveals that many voters had “hanging chads,” some from Florida;
- many people voted twice for Greg
- some dead people voted (I can name them if you want!)
- You even counted votes of Canadians!
- The main moderator (Richard) was bribed by Greg! I have photo of Greg buying Coke for Richard and giving him a free Garmin for his car. I copy to Richard and Greg to admit their guilt! Otherwise I will publish the photo of Richard drinking Coke.
- I may also find your photo drinking Coke.
This is a serious national security concern. I will bring it up at next year’s meeting and am ready to take it all the way to the Supreme Court if you don’t count the votes fairly!

There are lots of questions to be answered to the court: Who had custody of the ballots before, during, and after the count? Who were the people who participated in counting the ballots, and what were their qualifications?

The fact is that the Signal Party won. I demand a re-count!

— Javad Ashjaee

Once again, I can only express my deepest disappointment that my colleague would feel the need to drag such a clear outcome through the mud and unnecessary contortion of the legal arena. We all know that does not serve either of our constituencies, but simply enriches the lawyers. I would have expected Mr. Ashjaee to be one of the people who most clearly understood that the will of the people is not subject to the random decision-

making of the judicial branch. However, as a concilitory gesture to move our great industry forward, I would offer Mr. Ashjaee a seat in the new cabinet as Minister of Accuracy in the Satellite Party government.

— President-elect Greg Turetzky

Editor’s Note: The parties have entered out-of-court discussion to which the magazine is not privy, nor will it entertain any further disputation. Election results stand as announced. However, in the interest of full public disclosure, we wish to allay Minister Ashjaee’s concerns about the identities and qualifications of the ballot guardians and counters.
December 1, 2008
Spain’s GMV Wins Malaysian DGPS Contract

The Marine Department of Malaysia’s Ministry of Transportation has chosen Spain’s GMV and Astronautic Technology Sdn. Bhd. (ATSB) to establish the country’s coastal differential (DGPS) network.

This contract is partly a result of GMV’s close relationship with ATSB, a Malaysian company, forged more than three years ago in a business cooperation forum organized by the Spanish Overseas Trade Institute in Malaysia, according to the companies. The network established by GMV and ATSB will include four transmitting stations, two remote monitoring centers, and a control center. Along with coordinating the installation of the systems, GMV also will set up the necessary communications software, reference stations and integrity monitors at each site and track the specific remote-monitoring and control-center software.

“The system we have developed for this project provides dynamic support and flexibility for markets in the maritime sector,” said Luis Mayo, GMV CEO. The project validates Madrid-based GMV’s international expansion and strengthens its position in Malaysia, where it now boasts a portfolio of signature clients, the company said.

November 26, 2008
LizardTech, Smartronix Provide U.S. Military Imaging Support

LizardTech is partnering with Smartronix to enable the U.S. Air Force to access to imagery in support of U.S. troops in Iraq and Afghanistan, reducing turnaround time from months to weeks.

Smartronix, a consultant to the U.S. Air Force Special Operations Command (AFSOC), was tasked to provide the Air Force a faster means to serve out imagery to support war efforts in the Iraqi and Afghan theaters. Previously, AFSOC employed a process for storing and serving imagery, however the delay time was typically in excess of three months from image acquisition to deployment, according to the companies. After implementing LizardTech’s Express Suite, AFSOC was able to compress their imagery to Multiresolution Seamless Image Database (MrSID), a wavelet-based image encoder, viewer, and file format, reproject it, load it into Oracle, and have it ready to serve to the field in less than three weeks, reportedly four and a half times faster than before.

“Using the LizardTech Express Suite family of products we were able to save the Air Force time and money,” said David Streed, spokesman for Smartronix, Inc. “Our requirements for storage dropped from terabytes to gigabytes, which kept equipment costs down, allowed a significantly smaller footprint, and saved our client in excess of 1,700 man hours – all while providing the imagery they needed in a timely manner.”

November 25, 2008
GAARDIAN Consortium Wins GPS/eLoran Integrity Research Project

A business and academic consortium led by Chronos Technology has received a major grant from the U.K. government sponsored Technology Strategy Board for a £2.2 million (approximately $3.3 million) research project to improve the safety and security of location-based applications such as marine navigation and road transportation.

The consortium has dubbed the project GAARDIAN, or GNSS Availability, Accuracy, Reliability and Integrity Assessment for Timing and Navigation. Over the next 30 months, the consortium will be developing a system for mission and safety critical applications that will certify the accuracy, reliability, and integrity of positioning, navigation and timing systems, namely GPS, enhanced Loran (eLoran), and GLONASS.

“GPS is fast becoming an unseen, embedded and low cost commodity. The challenge to the user community is that it may not appreciate the fact that subtle failures of the GPS signal could have disastrous or expensive consequences in mission or safety critical applications,” said Charles Curry, managing director of Chronos Technology. “The impact on GPS from threats such as jamming, spoofing, space-weather, multipath and other types of interference is likely to increase over the coming years due for example to easier availability of jamming technology or more esoteric phenomena such as increased sun-spot activity. The GAARDIAN project aims to create a data gathering system that will enable any user to monitor the health of the GPS signal in the vicinity of use on a 24-7 basis in real time.”

GAARDIAN will use the Universal Time Coordinate-traceable timing signal from the GLAs’ eLoran station at Anthorn in Cumbria, United Kingdom, along with analysis of the GPS signal data to authenticate GPS reception wherever it is needed for mission and safety critical applications. The challenge is to gather and filter large volumes of GPS and eLoran data continuously in multiple, complex and disparate environments without losing content, according to Chronos.

“This is an exciting project that will exploit the complementary benefits of satellite and terrestrial systems to reduce risk and so improve safety and security at sea and protection of the marine environment,” said Sally Basker, director of research and radionavigation for the General Lighthouse Authorities.

The consortium brings together seven private, public, and academic organizations: Chronos Technology, BT Design, the General Lighthouse Authorities of the United Kingdom and Ireland, the Imperial College London, the (U.K.) National Physical Laboratory, the Ordnance Survey of Great Britain, and the University of Bath

November 17, 2008
AeroScout Debuts GPS/Wi-Fi Tracking at U.S. Air Base

AeroScout Inc. has unveiled a combination GPS and Wi-Fi asset management system that has been selected by the U.S. Air Force 309th Aerospace Maintenance and Regeneration Group (AMARG) for its 110 million-square-foot outdoor facility at the Davis-Monthan Air Force Base in Arizona.

The system includes battery-powered tags that use both GPS to determine location outdoors and Wi-Fi to transport asset location and other information over a customer’s network, according to AeroScout.

The large-scale deployment will initially include 1,000 AeroScout GPS Wi-Fi tags for essential support equipment. The 309th AMARG stores thousands of aircraft and aircraft parts at the outdoor facility at Davis-Monthan outside Tucson, Arizona. In addition to tracking the precise location of essential support equipment, the AerosScout system will provide automated inventory reports, the company said.

The system will leverage the facility’s existing Wi-Fi network and 42 access points with high-gain antennas, which are also used for data communication. Using AeroScout’s MobileView 4.0 software, staff will be able to search for, locate, and manage essential equipment, according to the company.

November 5, 2008
Webinar: Is Dual-Frequency GPS – As We Know It – Becoming Obsolete?
On October 28 GPS World survey and construction Editor Eric Gakstatter will be discussing the U.S. Department of Defense GPS Wing’s proposal to discontinue supporting Civil P(Y) semi-codeless on GPS L1 and L2 after December 31, 2020 — rendering a massive amount of high-precision GPS equipment obsolete. The webinar is hosted by GPS World and sponsored by Magellan GPS.

What You’ll Learn:
- A discussion of the semi-codeless technique they are referring to.
- Who’s affected.
- Which receivers are affected.
- How it might impact your organization.
- What options you have if you own legacy dual-frequency GPS equipment.
Who Should Attend:

The seminar will be targeted to professionals in high-precision positioning:
- Land surveying
- Aerial surveying
- Hydrography
- Exploration
- Geodesy
- Photogrammetry/remote sensing
- Construction
- Mining
- Civil engineering
- Natural resource management
- Cartography/mapmaking
- Utilities/public works
- Environmental management
- High precision guidance in aviation
- Military and government
October 21, 2008
ITC to Review SiRF/Broadcom Patent Imbroglio

The U.S. International Trade Commission (ITC) has said it will review the determination of one of its administrative law judges that previously found that SiRF Technology infringed on patents held by Broadcom subsidiary Global Locate.

The ITC judge ruled in August that certain SiRF products, including SiRFstarIII and SiRFInstant GPS architectures, infringed upon six Global Locate/Broadcom patents; the judge later recommended to the ITC that it issue a ban on the import of related SiRF chips into the United States.

Both SiRF and ITC staff filed appeals independently of one another seeking a review of the ruling. Now, the ITC has said it will review claims on three out of the six patents, according to SiRF.

The commission has requested written submissions from the parties involved to address the form of remedy, if any, that should be ordered. According to the notice, if the commission contemplates some form of remedy, it must consider the effects of that remedy upon public interest, SiRF noted.

The final ITC ruling, slated for December 2008, is further subject to a 60-day presidential review period and can then be appealed to the Federal Circuit Court of Appeals.

SiRF, Qualcomm Play Nice

Apparently SiRF and Qualcomm want to avoid the legal snafu in which SiRF and Broadcom are currently embroiled. SiRF also announced that it and Qualcomm have signed a mutual Patent Non-Assertion Agreement covering each party’s patent portfolio.

“We believe that this agreement between leading innovators of A-GPS enabled location technology will help expand the market for location-enabled products, services and content, while enabling each of us to compete in the marketplace based on product merits,” said Kanwar Chadha, SiRFs founder and vice president of marketing.

It’s been a busy week for SiRF; on Wednesday it took the wraps off its SiRFlinkIII, a single chip that combines a GPS RF front end with a Bluetooth 2.1 + EDR controller.

October 10, 2008
Expert Advice: Turning from Challenge to GNSS Opportunity
Paul Verhoef

Presented here is a lightly abridged version of the plenary address by the European Commission’s Head of Unit for Galileo, Paul Verhoef, at the ION GNSS conference in Savannah, Georgia, September 16.

After a brief Galileo snapshot of current status, I will proceed as requested with predictions of life in a multiple-GNSS world. We have secured an additional budget of €3.4 billion mainly for developing and launching the Galileo constellation, with the key objective of a full operational capability in 2013.

Here let me talk about our second test satellite, GIOVE-B, launched on April 27. This bird is healthy and flying according to its specifications, although I hear there was a small problem that caused the satellite to go into safe mode. The engineers are currently testing the signals and using the flight and mission data to fine-tune the last parameters for the manufacturing of the 30 satellites of the constellation.

In July the European Space Agency (ESA) launched the procurement for the Full Operational Capability (FOC). As of last week, we have a shortlist of eligible bidders for sector primes, and ESA will now start the second phase. The list will be published in the next few days. I would like to add that we have opened up this procurement internationally in accordance with the European Union’s (EU’s) World Trade Organization commitments, and with some exceptions for areas of the system that contain classified technologies. The net results will be that EU prime contractors will be able to ask for authority to use non-EU suppliers and subcontractors.

We foresee Galileo to become operational in 2013. In the mean time, the European Geostationary Navigation Overlay Service (EGNOS) will make up the first element of the European GNSS. Just to recall, EGNOS is the augmentation system improving the accuracy of GPS and warning users of possible outages. EGNOS currently covers Europe, but extensions are being considered.

EGNOS is in its final qualification stage. Its performance is excellent, within 100 percent availability recorded over about nine months now. The European Commission intends to contract a private operator to operate and maintain the system starting next spring. In parallel, certification for aviation use is under way with the target of end of 2009.Let me now turn to market issues that take us through the issue of a multi-constellation world.

In Europe the emphasis has been redirected from focusing on direct revenues for the potential operator toward the possibilities to boost business, research, and the markets for GNSS applications both in Europe and worldwide.

IP and Applications. With this new direction in mind, we are now working on two sectors: intellectual property and application issues.

Intellectual property policy is high on our work plan for later this year and next year, and an analysis advancing on impact of various options in this context. We seek a solution balancing in a fair manner three objectives:
- fair treatment of industries, EU or non-EU,
- reasonable return to taxpayers’ money, and
- ensuring the timely and sufficient availability of Galileo user receivers and downstream services at FOC.
Against the results of a recent stakeholder consultation, we are pursuing a second closely market-related initiative, an Action Plan which spells out Europe’s objectives and plans to develop applications for GNSS.

This will not be a marketing strategy for the European GNSS, but a list of actions that the public sector should take to support the development. For example, promote interoperability of road tolling systems in the EU and facilitate receiver development.In one word, European satellite navigation programs are on track, and we are excited that we have left behind the stormy times, and we hope that we are going to sail in calmer waters in the future.

Spacescape Evolution

This brings me to the GNSS fortune-telling part, as requested.

There will be at least four global systems and at least a half a dozen regional systems in Europe, the Americas, and Asia.

How will this affect GNSS?

The end users have everything to gain. I like to believe those that say that Galileo — even at the paper stage eight years ago — was one of the catalysts for innovation in this sector. We will soon have four for the price of one in your next multi-constellation receiver.

The obvious effect is that new applications will emerge as ever-more robust PNT (positioning, navigation, and timing) data penetrates service packages ranging from logistics to law enforcement.

One cellphone maker summarized the situation for the manufacturers and end users as something between fantastic and awesome. The downstream industries are possibly the big winners, at least in the medium term, until the market reaches a saturation point and consolidation picks up pace.

What about us GNSS providers? What’s in it for us other than footing the bill?

Tougher Customer Requirements. We GNSS providers will need to think hard about things such as backward compatibility, trade-off management of conflicting requirements, manufacturer friendliness and, not least, listening to the users.

We should reduce the time-to-market for new products and ensure a comprehensive and global customer support. At some point soon we need to seriously address the issue of third-party liability.

Regulatory Work. GNSS providers believe that limited and carefully targeted regulation in satellite navigation is actually useful. Examples speak for themselves: public authorities in all four global GNSS nations have taken or plan to take regulatory measures affecting the use of GNSS. Examples: E-911 in the United States, E-112 and livestock transport in Europe, government use in China, and so on.

Competition. Let’s face it: however governmentally, non-commercially, or multilaterally we run our systems, I do believe in the human desire for fame and reward. Each of us will want to be at least that little bit ahead of our neighbor, whatever parameters are used. In that situation the customer will be the king and can shop around — at least if competition is not distorted with system-specific mandates, cartels, or the like.

Trade Policy. From international competition there is usually a short way to trade policy and disputes. While trade discussions are useful, I hope we can stay clear of disputes as much as possible, as they divert resources from “the main thing.” So far that has worked quite well, yet we may need to put more efforts into verifying whether the current trade regime is sufficient and the playing field is actually level.

Spectrum. Linked to all these developments are the various aspects of radio spectrum, some mentioned earlier today already.

There is the increasing compatibility challenge caused by scarce spectrum, shortcomings of the International Telecommunications Union (ITU) mechanism for GNSS, and the desirability of common center frequencies, wider bandwidth, and so on. In short, a lot of work ahead of us.

Cooperation. As you heard in my words, international cooperation will need to underpin this environment in order to ensure proper functioning of the systems.

Evolution of Policies

While the European Commission may be Programme Manager, it is the transport departments of the EU and its 27 member states that actually are behind Galileo. They have done this for specific purposes: they want to use it.

Our research, space, foreign policy, and, believe it or not, finance colleagues tend to push this cart with us — usually in the same direction. As Galileo gets closer to the operational capability, the interest of the other departments, institutions, and stakeholders in Galileo and GNSS in general is likely to increase.

It is here in the United States where you have accumulated the longest experiences in this field. As we have heard, transport and other non-military policies have started to weigh more in the management of GPS over the years.

GLONASS is also diversifying with a higher civilian content. Our colleagues in Asia are moving forward with civil applications of higher density.

I foresee two trends:
- First, whatever the policy mix behind the various systems, we can observe today an element of GNSS patriotism, alive and kicking. We all want our own systems and for quite legitimate reasons. That trend is likely to continue for some time still in the form of states or groups of states deciding to build their own regional or even global systems or integrity networks. In this business, added security or sovereignty qualifies as return on investment just as well as service quality, new jobs, or straight cash.
- This is not the only trend in town. And yes, there is a counter-current hatching in the United Nations International GNSS Committee (IGC). Already the conception years of this new forum have created somewhat the “we are in the same boat” atmosphere among GNSS providers.
The point is that the IGC is becoming the place for all the providers and users to discuss GNSS coordination issues across several sectors (the ITU, International Maritimie Organization [IMO], and International Civil Aviation Organization [ICAO] are sector- or issue-specific). We have already seen signs of reaching the limits of bilateral coordination, for example, regarding compatibility and interoperability in a multi-constellation world. Deliverables from the IGC so far are encouraging, and the forum helps in communication and transparency between the participants.

I would expect to see cooperation emerging among the providers in constellation and ground-segment management from a pure cost point of view. It is like owning a sports car; as the mileage accrues over the years, the talk shifts from tuning options to maintenance bills.

Conclusions

The evolution of GNSS is bound to foster new applications; the quantum leap in available satellites and services will give end users and manufacturers sizeable benefits. The GNSS providers will need to adapt to this new reality and volatility and have a vision of what it is we actually want to achieve. Considerable investments in security will be needed at different levels of the systems.

That said, where policies are concerned, we will probably be witnessing two conflicting trends: GNSS patriotism and multilateral action through the IGC.

In the GNSS provider states, the mix and evolution of the national policies guiding GNSS development varies considerably. The tendency is towards enlarging, however, the group of stakeholders (government or other) involved in policy-making towards more and more user sectors.

In any case, in Europe we finally believe that satellite navigation is facing a fabulous future: technology trends such as personal computing, mobile communications, and the Internet come to mind.

We need to turn this challenge into an opportunity. There are many global issues to which satellite navigation can bring a small but important contribution such as climate change, reduction of CO₂, reduction of fuel consumption, search and rescue, and much more. Ladies and gentlemen, I would like to thank again our hosts for giving me the opportunity to present our intentions with this conference, and I thank you for your attention.
October 1, 2008
Leica Geo, TeeJet Pair Up for Ag Market Efforts

Leica Geosystems and TeeJet Technologies have embarked on a partnership in which TeeJet will distribute Leica’s No-Drift mojoRTK auto-steer system under its own label, adding RTK-accuracy guidance to TeeJet’s suite of precision agriculture products.

Under the same agreement Leica will capitalize on TeeJet Technologies’ range of vehicle-specific assisted steering kits to increase the number of tractors the mojoRTK can steer, the companies said. The list of kits offered by TeeJet currently tops more than 50 individual kits, designed to fit approximately 150 individual vehicle models. Initially, Leica will offer TeeJet vehicle kits through its network of resellers, according to the company.

The companies also plan to work together to develop additional products for the agriculture market.

Leica’s Virtual Wrench technology, which provides remote service and support, will also be expanded to support products for both companies, allowing technicians from both companies to provide customers with on-demand service and support, according to the companies.

August 29, 2008
ITC Upholds Ruling in SiRF/Broadcom Patent Dispute

The U.S. International Trade Commission (ITC) has denied the request of SiRF Technology to review its initial determination that found that Broadcom subsidiary Global Locate Inc. didn’t infringe two SiRF GPS patents.

ITC Administrative Law Judge Paul Luckern had previously ruled that two of SiRF’s GPS patents were not infringed by Global Locate and that the asserted claims of one of the patents were invalid, following a six-day trial last March, according to Broadcom. SiRF had already dismissed two additional patents from the case before trial.

This ITC case is separate from a case in which an ITC judge ruled earlier this month that certain SiRF Technology products, including SiRFstarIII chipsets, infringe six patents related to improving GPS processing and sensitivity held by Global Locate.

Broadcom and SiRF have been battling on multiple fronts over patent infringement claims in federal court, the ITC, and before the U.S. Patent and Trademark Office. The August 8 ITC ruling against SiRF caused the company’s stock to take a pounding on Wall Street.

August 15, 2008