Tag: GNSS spoofing

AS CAT STEVENS (yes, he’s back to using his old name) famously sang on “Wild World”:

“… take good care
Hope you make a lot of nice friends out there
But just remember there’s a lot of bad and beware
Beware.”

While he was talking about a girlfriend leaving him, the warning can just as well apply to GNSS users — especially those relying on GNSS for safety-of-life navigation and the maintenance of critical public infrastructure systems.

GNSS signals are relatively weak and they are susceptible to unintentional and intentional jamming that can make reception of the signals difficult or impossible. The jamming of radio signals to hinder reception is nothing new. It’s been used by those wanting to interfere with the use of the radio spectrum ever since radio became an important tool for communication and navigation in the early 20th century. Jamming has been used in hot wars to try to defeat military communication as well as in cold wars to try to prevent a perceived enemy from broadcasting to a particular country’s citizens. Notably, the shortwave radio broadcasts from Western countries were jammed by the former Soviet Union. And even today, broadcasts directed at China, Cuba and some other countries are regularly jammed.

GNSS is also being intentionally jammed on a regular basis in some parts of the world for various purposes including the protection of politicians and civilian infrastructure and to foil GNSS-guided munitions. But while directed at supposed threats, the jamming affects all GNSS receivers in a certain radius of the jammer. Such jamming activities are being reported in the popular press with an increasing frequency.

While GNSS jamming is receiving increased attention in our troubled world, even more pernicious is GNSS spoofing. Spoofing is the attempt to mimic GNSS signals to try to trick a receiver into tracking them and thereby compute a wrong position and/or time at the receiver. This can have disastrous consequences if not detected immediately and the use of GNSS deactivated.

So, how do you detect GNSS signal jamming and spoofing? We have discussed this issue in several columns over the years, but in this month’s column, a team of researchers from Stanford University and the University of Colorado describe how they are using relatively inexpensive equipment and sophisticated software and analyses to detect and warn of GNSS jamming and spoofing. Clearly, they are heeding Cat Stevens’ warning.

---

By Leila Taleghani, Fabian Rothmaier, Yu-Hsuan Chen, Sherman Lo, Todd Walter, Dennis Akos and Benon Granite Gattis

GNSS signals are extremely low power by the time they reach users on Earth and are easily overwhelmed by nearby terrestrial signals. Such signals can interfere with a user’s ability to receive the desired GNSS signals or, even worse, replace them with simulated signals that cause the user to obtain the wrong position or time estimate. Two major types of radio-frequency interference (RFI) threats have been identified: jamming and spoofing. Jamming results from emissions that do not mimic GNSS signals, but interfere with the receiver’s ability to acquire and track GNSS signals. Spoofing is the emission of GNSS-like signals that may be acquired and tracked in combination with, or instead of, the intended signals.

Both threats have been studied at length by researchers, and their presence around the globe has been reported even in the popular press. Some research has been done into the prevalence of spoofing. Even so, there is no well-developed understanding of how widespread these threats are.

Terrestrial interfering signals may be fairly weak and only effective in a limited area. Complex environments with buildings or terrain may further limit their effective area of influence and hinder the ability of external interference detection. To create a better understanding of the presence and characteristics of jamming and even spoofing, we are developing a low-cost RFI detector based on a commercial, off-the-shelf GNSS receiver: the u-blox F9. We are pairing this receiver with a Raspberry Pi computer and are developing custom software to monitor the receiver outputs and store data surrounding interesting events.

We are developing a toolset in MATLAB and C/C++ with the intention of processing and analyzing the u-blox data. The toolset includes functionality to decode selected u-blox messages that contain parameters of interest. These metrics include automatic gain control (AGC), carrier-to-noise-density ratio (C/N₀) and spectral power. They also include raw pseudoranges from multiple constellations and internal u-blox interference metrics. With the volume of data that can be gathered from continuous monitoring, we have begun characterizing nominal performance and developing approaches to spoofing and jamming detection. The publicly available code can be accessed through our Git Repository at https://github.com/stanford-gps-lab/navsu.

With the raw pseudoranges and downloaded broadcast ephemeris data, we compute navigation solutions using different combinations of constellations and frequencies. When the individual and multi-constellation position solutions are compared to each other, discrepancies can be flagged and investigated for possible interference. We have begun characterizing nominal power metrics such as AGC and C/N₀. With the quantity of data that we can get from the RFI monitor, we are working to characterize other receiver-specific parameters such as the u-blox continuous wave (CW) jamming indicator. We leverage data collected under nominal and jammed conditions to understand and identify a threshold for what can be considered interference.

Many different methods have been proposed for GNSS interference detection and mitigation with large-scale data at multiple locations. In this article, we present our data-selection process, our development of thresholds for determining interference, and results from three u-blox receivers set up at different locations in the United States to glean information about nominal (non-spoofed) conditions. We inform our thresholds and analysis tools using datasets from nominal conditions, and then compare their performance to a dataset containing RFI events from a government-sanctioned jamming and spoofing test. Our results display how we leverage simple and powerful metrics informed by a low-cost receiver to understand nominal noise environments and successfully identify jamming and spoofing events.

Data and Metrics

We collect and analyze a variety of data types and metrics to help identify and characterize jamming and spoofing occurrences. The receiver model we started with, u-blox ZED-F9P-02B, can monitor two different RF bands and many signals, including GPS L1C/A, L2C; GLONASS L1OF, L2OF; Galileo E1B/C, E5b; BeiDou B1I, B2I; QZSS L1C/A, L1S, L2C; and SBAS L1C/A. It has 184 channels, which can be configured to sweep through an array of signals to be monitored. We are also developing monitors based on the recently released ZED-F9T-10B, which is capable of L1 and L5 signal reception. TABLE 1 describes which version of the u-blox receivers each dataset comes from.

L1 and L5 are the primary frequencies used for aviation, hence a monitor for these frequencies would be more useful for protecting aviation than the F9P, which is only capable of L1 and L2 reception. The available data includes raw measurements such as code and carrier phase, position estimates, power level estimates including C/N₀, AGC and spectral power. It also has active CW interference detection. These metrics are all necessary for the consistency checks and power monitoring methods we summarize in this article. Consult our conference proceedings paper for details (see Acknowledgments). By examining all of these signals and measurements, we can observe changes in the RF environment and detect inconsistencies in the received signals.

Data Logging. The u-blox receiver logs messages in a specific format. The message types important to log are selected based on the desired data. Due to limited bandwidth, we prioritized messages that efficiently include all desired parameters for the interference detection methods we describe in this article. We have used both the u-blox F9P and the u-blox F9T. 

To characterize nominal noise environments, u-blox receivers were set up at three locations: Stanford University, the University of Colorado (CU) in Boulder, and at the Colorado Springs airport. All measurements from satellites below an elevation angle of 5 degrees were ignored. The results from these locations are summarized below. Results from a jamming/spoofing test sanctioned by the U.S. Department of Homeland Security are presented and labeled with the acronym “GET-CI” (GPS Testing for Critical Infrastructures) in the subsequent discussion. Table 1 describes the parameters of the u-blox receiver at each location.

Positioning Metrics Development. The nominal error of the single- and multi-constellation position solutions is made by noting the difference between the computed position and the known truth. The inter-constellation consistency check is defined as the difference between the positions computed from two constellations, with no reference to a known truth position. To analyze the nominal differences in the north, east and down (NED) directions, we use the position covariance matrix, R, computed in the least-squares solver, to set a covariance-bound threshold. The covariance for each constellation is assumed independent. We present our results using this threshold in our results sections. 

Our results in FIGURE 1 show that the Galileo position solution variance is higher than the dual-constellation and GPS-only solution. This is attributed in part to the fact that Galileo, while operational, has not filled out all planned satellite slots and therefore has fewer satellites and worse geometry than GPS. 

Nominal Noise Results

Here are some of our positioning and power monitoring results under nominal reception conditions.

Positioning. Based on the methods described earlier, we present a selection of our results from the positioning consistency checks. We present several informative visualizations of the error between the computed position solution and the known truth of each u-blox receiver and use the covariance threshold to bound the raw error. The error for dual-constellation, single-constellation and inter-constellation consistency checks are all displayed and compared to one another. The pseudorange residuals and their accompanying chi-squared (χ²) statistic are also evaluated and compared for the GPS and Galileo single-constellation position solutions.

Positioning Consistency Comparison Maps. From the maps in Figure 1, we observe that Galileo has the highest error, followed by GPS, and then the dual-constellation solution. The map also serves as a method to spatially visualize the tails of the error distribution.

NED Time Histories. We compare the time history of the dual-constellation, GPS and Galileo position solution error to the three sigma (3σ) covariance bound computed at each epoch (see FIGURE 2). We also compare the GPS vs. Galileo inter-constellation difference to the 3σ covariance bound. The covariance bound is never crossed, indicating that 3σ threshold is conservative for both the error and the inter-constellation difference between GPS and Galileo.

Pseudorange Residuals and χ² Statistic Threshold. Pseudorange residuals have a long history of being used as a consistency check between range measurements. As an example, the pseudorange residuals for the GPS position solutions are shown in FIGURE 3, and their corresponding χ² statistic is shown in FIGURE 4.

The χ² statistic is computed using the finite pseudorange residuals at each epoch, where the degrees of freedom are n − 4, where n is the number of satellites used at that epoch and 4 is the number of variables solved for (x, y, z, and the receiver time offset) when using a single constellation. A p-value is computed using the cumulative distribution function (CDF) of the χ² statistic, and indicates the probability that the χ² statistic at each epoch would be greater than the observed value. The statistic is compared to a theoretical 10⁻⁹ probability of false alert (P_FA) based on the theoretical χ² and the actual degrees of freedom of each epoch. Very low values for the χ² statistic, such as those obtained with Galileo, are attributed to regions where very few satellites are in view, thus decreasing the degrees of freedom. Any spikes in the pseudorange residuals are also reflected with a higher χ² statistic and low p-value, though those residuals are de-weighted in the position solution and ultimately do not trigger the 10⁻⁹ P_FA threshold or the 3σ threshold, thus indicating that a 10⁻⁹ P_FA is a conservative threshold. 

Power Monitoring. For each nominal location with a u-blox receiver, we analyze results from the power-monitoring metrics mentioned earlier. We also observe results from the internal u-blox jamming indicators in a region where a possible RFI event was observed.

For power monitoring, we analyze spectral power and programmable gain amplifier (PGA) results. 

For the nominal noise environments, the spectral power, PGA and corresponding C/N₀ results indicated no significant anomalies.

Threshold and Metric Validation Results

An examination of thresholds and other metrics are important for characterizing RFI.

GPS Testing for Critical Infrastructure. From a DHS-sanctioned RFI testing event, we identify five regions of interference or spoofing. To identify the interference, we use a combination of the power and positioning metrics as well as the thresholds we developed through the characterization of the nominal noise environments described in the previous sections of this article.

We use the thresholds and tests we’ve developed to identify regions of spoofing and RFI events (labeled C I1–C I5) in the GET-CI dataset. For ease of comparison, all regions are labeled on plots that display the full 5.5 hours of data collection. All details as to the truth location and time of the test have been removed. C I1 is identified through the power metrics. C I2–C I5 are identified as regions that the NED difference between GPS and Galileo clearly crossed the 3σ threshold in all three directions, as visualized in FIGURE 5.

From our pseudorange residuals, it appears as though the most significant interference events happened on the GPS constellation, as indicated by the high pseudorange residuals that fall into the C I2 and C I5 regions. Using the GPS χ² statistic and p-value computations, we determined that the regions that crossed the 10⁻⁹ P_FA threshold line are consistent with the regions of interference identified in Figure 5. The Galileo χ² statistic, p-values and pseudorange residuals all show signs of possible interference. These regions are explored more in the power monitoring discussion below. 

Since the GPS pseudorange residuals and χ² statistic results show more signs of spoofing than the Galileo ones, we explore the Galileo-only position solution. Because the truth position is unknown, we take a point during the non-C I regions and define this as the “truth,” that is, a point in the position solution we believe has not been subject to spoofing. Any references to a truth position are from a position recognized as “truth” through post-processing rather than from a pre-determined and known location.

The p-values dip in each of the C I regions, but are lowest in regions C I5. Combined with the fact that the pseudorange residuals and NED error are the highest in C I5, we identify this as the region that likely experienced a significant spoofing event. We determined from an outlier at the beginning of the C I5 region (see Figure 5) that even the Galileo constellation is not immune to the spoofing in this scenario.

To further check the accuracy of our determination that GPS was spoofed, we evaluated the histograms of the Galileo error. With the biggest outlier in C I5 removed, we saw that the error appears relatively Gaussian, with some outliers and possible multi-modal behavior that were also seen in the nominal locations. The variance was higher than was observed at nominal locations, which could be attributed both to the presence of known RFI events, the fact that the nominal noise environment at the RFI event test has not been characterized (that is, it is possible there is a noisier nominal environment at this location), and that the “truth” position was not a known truth but obtained through post-processing of a dataset with increased RFI. Normalized error indicates that the error does not cross the 3σ threshold in any NED direction, further supporting the assertion that 3σ is a conservative threshold.

Important to note is that the major outlier around T+3.5 hours is visible in the NED plot (Figure 5), but the corresponding histograms do not contain that outlier. This indicates that the covariance also increases at that point. It dictates a need to monitor the covariance bound itself, as well as the positioning error. The NED time history plot and the raw error histograms serve this purpose, since it is clear that if we were to be only looking at the error normalized by 3σ, we would not have found significant evidence of the outlier, since the normalized error barely passes the 3σ threshold. This further supports our methods of combining multiple metrics, thresholds and visualizations rather than relying on a single metric to identify jamming and spoofing.

From the Galileo solution analysis, we increase our confidence that we have identified the regions with interference. We removed those areas and looked at the GPS vs. Galileo inter-constellation consistency difference. The normalized differences were now mostly within the 3σ threshold, and the raw error displayed some Gaussian behavior and is no longer on the order of the 10⁵-meter error we were seeing in Figure 5. While these regions still have a higher error than nominal conditions and thus still display signs of interference, we are able to use our spoofing analysis to identify epochs in which we should not trust the GNSS. Using times outside those regions, we are able to figure out a reasonable truth position within 20 meters rather than 200 kilometers.

Positioning analysis using the inter-constellation consistency check is a powerful tool for determining the reliability of a position solution, even when the truth location is unknown. With the power metrics, we can further corroborate the positioning results, as well as find events indicating interference that the positioning metrics were unable to track. 

Next Steps and Summary

Leveraging the raw data collected by u-blox receivers in multiple locations with different nominal noise environments, we have developed the toolsets to do inter- and intra-constellation consistency checks to monitor for jamming and spoofing. Many further observables usable for RFI detection are being recorded by the u-blox receivers. Several power monitoring metrics have been evaluated in a preliminary analysis. The next step is to further characterize metrics such as C/N₀, AGC and u-blox internal jamming metrics under nominal conditions. 

In summary, the tools we have developed so far show that the u-blox receiver will allow for many different consistency checks on a variety of parameters to be running simultaneously. It would be difficult for a spoofer to interfere with all the dimensions we have covered in our detector. Continuously monitoring a wide variety of parameters will increase the chance that we are able to detect interference, thus lowering the chance that a spoofer is able to evade detection.

Acknowledgments

We gratefully acknowledge the support of both the FAA Satellite Navigation Team and The Aerospace Corporation under their university partnership program. We especially wish to thank Steve Lewis of Aerospace for his support and guidance throughout the development of this project. This article is based on the paper “Low Cost RFI Monitor for Continuous Observation and Characterization of Localized Interference Sources” presented at ION ITM 2022, the 2022 International Technical Meeting of the Institute of Navigation, Jan. 25–27, 2022. 

---

LEILA TALEGHANI recently graduated with her MS degree from Stanford University in aeronautics and astronautics and is now a navigation engineer at Trimble.

FABIAN ROTHMAIER is a navigation research and development engineer at Airbus Defence and Space in Munich, Germany, and a former a Ph.D. student at the Stanford GPS Laboratory. 

YU-HSUAN CHEN is a research associate at the Stanford GPS Laboratory. 

SHERMAN LO is a senior research engineer at the Stanford GPS Laboratory.

TODD WALTER is a research professor in the Department of Aeronautics and Astronautics at Stanford University. 

DENNIS AKOS is a professor with the Aerospace Engineering Sciences Department at the University of Colorado, Boulder.

BENON GRANITE GATTIS is a laboratory assistant and undergraduate student in the Aerospace Engineering Sciences Department at the University of Colorado, Boulder.