Tag: spoofing detection

  • Norway placing more monitoring stations to measure Russian GNSS interference

    For Norway, frequent GNSS jamming and spoofing is affecting a wide range of civilian operations, including air traffic. Interference is increasingly being detected deeper inside Norwegian airspace, reports the Barents Observer.

    Three dedicated monitoring stations for detecting GNSS disturbances have already been established in the region bordering Russia. Now, the Norwegian Communications Authority (Nkom) plans to install two additional stations this year.

    The new sensors will provide improved continuous monitoring, covering key new areas, including large parts of the Varanger Peninsula and the Barents Sea.

  • Precision cards and spoofing mitigation

    1. PRECISION CARD 

    High-accuracy positioning with the mosaic-X5 

    Photo: Gateworks

    The M.2 card GW16160 is the first Septentrio-based product from Gateworks, a U.S.-based manufacturer of single-board computers. The GW16160 provides reliable high-accuracy positioning powered by the mosaic-X5 GNSS module, a high-quality positioning solution for autonomous robots, UAVs and industrial mission-critical applications. The GW16160 allows engineers to integrate high-accuracy GNSS into edge systems without bulky external receivers or complex RF design. This ultra-low power card features an M.2 A/E-Key interface with USB 2.0 connectivity for plug-and-play integration. 

    Gateworks, gateworks.com; Septentrio, septentrio.com

    2. SPOOFING MITIGATION 

    Can protect GPS, BeiDou and Galileo signals

    Photo: Trimble

    The Trimble RTX-NMA (Navigation Message Authentication) mitigates spoofing attacks on GPS and BeiDou signals. RTX-NMA leverages the Trimble RTX correction service and enhances the security and integrity of GNSS navigation messages for all Trimble ProPoint receivers. Used in conjunction with Galileo OSNMA, it gives users three constellations protected from spoofing attacks. Trimble RTX-NMA seeks to detect both fake GNSS signals and faulty ephemeris data through real-time authentication, which checks that the navigation messages received at multiple RTX reference station receivers are genuine and trustworthy. It also encompasses faulty ephemeris detection, preventing unreliable data from being included in the correction stream. Advanced cryptographic techniques, such as AES encryption and stream authentication, take security a step further. Trimble RTX-NMA is compatible with various Trimble GNSS receivers using firmware version 6.40 or greater.

    Trimble, trimble.com 

  • Keeping up with jamming, spoofing threats

    Hexagon | NovAtel's GAJT-710ML installed on a U.S. Army vehicle. Photo: U.S. Army Futures Command

    We asked Dean Kemp, Ph.D., director of Marketing, Aerospace and Defense for Hexagon’s Autonomy & Positioning division, a few questions.

    How do jamming and spoofing threats change?

    Jamming and spoofing methods change as new interference-causing technologies become available. As such, it’s vital for us to continuously evaluate potential sources of threats and provide the highest possible level of resiliency to interference in our solutions.

    Have new threats emerged in the past six weeks in connection with Russia’s invasion of Ukraine?

    Evidence is emerging that electronic-warfare systems capable of high-power jamming and spoofing across wide areas are being used within Ukraine. Fortunately, there have been no known impacts on allied forces. However, knowing that the technology is in place and in use highlights the importance of assured positioning, navigation and timing (APNT) and our contribution to building resiliency in allied forces’ equipment against the potentially destabilizing effects of jamming and spoofing.

    How do you define APNT?

    We use APNT to describe measurements that are always accurate, available and reliable. Our anti-jamming, anti-spoofing and other resilience-building capabilities provide trusted and available PNT information at the level of accuracy requested.

    When did you introduce GPS Anti-Jam Technology (GAJT)? How do you define it?

    GAJT was introduced in 2011 and is our leading APNT solution. GAJT units are utilized worldwide across land, sea and air, with rapid deployment supported by commercial off-the-shelf solutions and short lead times. GAJT provides jamming protection of satellite-based navigation and precise timing receivers from intentional jamming and unintentional interference whatever your application. Product variants provide features to best support anti-jamming capabilities for the warfighter, national infrastructure, low-SWaP platforms and other mission-critical applications.

    What are the key differences between the GAJT-710ML, the GAJT-710MS and the GAJT-410MS?

    The GAJT-710 is designed for land vehicles (ML variant) and marine vessel platforms (MS variant) with up to six simultaneous nulls to protect against jamming signals and interference. The next generation of GAJT-710 includes jammer direction-finding and a silent mode to reduce its thermal signature. The GAJT-410 maintains the high levels of interference-rejection performance in the 710 but in a lower size, weight and power (SWaP) design, with three simultaneous nulls, for both land and marine variants. It also utilizes a single RF cable to provide clean power, data and protected GPS signal. The GAJT-410 enables APNT while also reducing the need for platform modifications or armor penetration.

    The GAJT-AE extends jamming and interference protection to unmanned and autonomous applications. Using an external CRPA antenna, the GAJT-AE offers flexibility of integration into space-constrained platforms.

    Is the GAJT-AE-N Anti-Jam Antenna receiver-agnostic?

    We designed our GAJT product line to be receiver-agnostic and compatible with legacy and modern GNSS receivers. This flexibility results in GAJT being ideal for civil and military applications, including SAASM and M-code systems.

    How does your GNSS Resilience and Integrity Technology (GRIT, launched in November 2020) relate to your GAJT antennas?

    GRIT is a firmware suite for our OEM7 receivers that expands their situational awareness and interference mitigation tools. GRIT includes our Interference Toolkit (ITK) along with spoofing detection to identify when your GNSS signal may be under threat. It also empowers the user to develop interference location algorithms through time-tagged snapshots of data samples to characterize the RF environment around your operations. GRIT, alongside GAJT, forms the foundation of our APNT strategy in providing accurate and always-available PNT.

    Do you have any recent contracts with the U.S. Department of Defense or the militaries of other NATO countries to supply GAJT antennas?

    Our GAJT product portfolio has been sold in large quantities to military and civil organizations for many years, successfully proving itself in the field. In 2020, we achieved a milestone of more than several thousand units shipped worldwide, making it one of Hexagon | NovAtel’s more successful years.

  • U-blox GNSS + dead-reckoning auto module operational up to 105° C

    Continuous accurate navigation in all environments with sensor-based spoofing detection

    Photo: U-blox

    U-blox is introducing a series of automotive-grade positioning modules that are operational up to 105° C (221° F). The NEO-M9L modules and the M9140-KA-DR chip are built on the robust u-blox M9 GNSS platform and use dead-reckoning techniques to provide accurate position data when satellite signals are compromised or unavailable.

    The u-blox NEO-M9L-20A and NEO-M9L-01A modules, as well as the M9140-KA-DR chip, are specially designed for first-mount automotive solutions. The modules and the chip are all automotive-grade, with the NEO-M9L-01A variant offering an extended operational temperature range up to 105 °C, making it suitable for integration on the roof, behind the windscreen, or inside hot electronics control units.

    Applications include integrated navigation systems such as in-vehicle infotainment (IVI) and head units, integrated telematics control units and V2X.

    The modules include new-generation 6-axis inertial measurement units (IMUs) that deliver low-latency 100-Hz raw data output. The modules offer a low-latency 50-Hz position update rate, making them suitable for use in real-time applications. The automotive dead-reckoning (ADR) output combines the GNSS fix with IMU data to deliver accurate positioning output for various scenarios.

    Additional GNSS-only output enables seamless integration into a variety of third-party applications. The receiver also supports wake-on-motion, which enables smart features such as theft protection and power-efficient designs.

    The modules offer innovative sensor-based spoofing detection for advanced security and robustness. The chip offers protection against possible GNSS signal spoofing, which can cause navigation systems to report faulty position data or time.

    “The u-blox M9 sensor-fusion products address the latest automotive market demands for quality, reliability and robustness. Availability and trustworthiness of position output are increased by using concurrent reception of four GNSS constellations,” said Aravinthan Athmanathan, product manager, Product Center Positioning at u-blox. “In addition, the spoofing-detection feature is brought to a new level compared to the predecessor. Paired with low-latency position output, attitude, and sensor data, the u-blox NEO-M9L is ready to meet current and future challenges facing the automotive market.”

    All the module variants are compliant with AEC-Q104, the latest standard for ensuring the reliability of modules used in automotive applications. Engineering samples and evaluation kits will be available by the end of September.

  • Hexagon | NovAtel launches GNSS Resilience and Integrity Technology

    Image: Hexagon | NovAtel

    Hexagon | NovAtel has debuted its GNSS Resilience and Integrity Technology (GRIT), a suite of firmware features enabling situational awareness and interference mitigation tools across applications and environments.

    Available as a firmware option with NovAtel’s latest 7.08.00 release, GRIT combines NovAtel’s successful Interference Toolkit with the power of spoofing detection. Users can also choose an optional functionality enabling time-tagged snapshots of analog to digital samples through GRIT. The time-tagged digitized RF data allows users to characterize the RF environment and develop their own interference location algorithms, Hexagon | NovAtel said.

    Through situational awareness techniques like spoofing detection, time-tagged data and interference mitigation such as anti-jam technology and digital filters, GRIT builds GNSS resiliency and integrity to better protect position, navigation and timing measurements, the company added.

    “We’ve combined our world-class Interference Toolkit with new functionalities like time-tagged snapshots and spoofing detection to provide users with a comprehensive suite of mitigation tools,” said Sandy Kennedy, vice president of innovation at Hexagon’s Autonomy & Positioning Division. “Expanding our protection portfolio through this firmware suite to prioritize situational awareness and mitigation for anti-jam and anti-spoofing techniques makes it easier than ever for users across any industry to achieve assured PNT.”

    GRIT, a non-controlled firmware-only solution, is available as a firmware upgrade for all NovAtel OEM7 receivers.

  • Keeping interference at bay for critical infrastructure

    An international survey and analysis on GNSS interference detection and localization systems reveal the path forward for transportation and other critical infrastructure.

    By José Luis Madrid-Cobos and Ana Bodero-Alonso, ENAIRE
    Ignacio Fernández-Hernández and Eric Châtre, EC
    Andriy Konovaltsev, DLR, and Christopher Hegarty, MITRE

    An ENAIRE GNSS RFI monitor close to the Madrid-Barajas Airport in Madrid, Spain. (Photo: ENAIRE)

    The received power of GPS and Galileo navigation signals at the antenna output of a user receiver is typically extremely small, from approximately –165 up to –150 dBW, which makes them inherently vulnerable to radio-frequency interference (RFI) caused by the emissions of other radio systems. This interference is often unintentional, such as from malfunctioning or spurious emission from a transmitter in the vicinity of the GNSS receiver.

    However, we have seen numerous reports about the deliberate jamming of GNSS signals. The most frequent examples of such interference reports are caused by so-called personal privacy devices (PPDs) — low-power GNSS jammers used to locally disable the operation of GNSS receivers. Although the use of PPDs is illegal, they can be easily acquired on the internet. A $10 jammer with 100 mW of transmitter power is enough to degrade performance or disrupt GNSS receivers in a range of 10–100 meters. In the past decade, more complex and powerful jammers have also become available, along with spoofers — devices that create GNSS-like signals that fool receivers to provide false location or time solutions. A $100 software-defined radio bought online can be used as a spoofer.

    ENAIRE (the Spanish air navigation service provider) conducted an international survey and associated analysis of GNSS RFI detection and localization systems. The survey was part of the EU–U.S. Working Group C Sept. 2017–Sept. 2019 Work Plan, with contributions of the European Commission (DG DEFIS), the German Aerospace Center (DLR), the U.S. Federal Aviation Administration (FAA), Eurocontrol, the MITRE Corporation and Stanford University. Working Group C promotes cooperation between the U.S. and EU on design and development of the next generation of civil satellite-based navigation and timing systems. The survey was conducted within the Resilience Subgroup focused on counteractions required in view of growing concerns over jamming and spoofing threats.

    Manufacturers and Users

    The survey was provided in two versions: one targeted to manufacturers and another to the users of interference detection systems. The two surveys were implemented online July 12–Oct. 26, 2018. There were 23 responses: 11 from manufacturers and 12 from users (see Acknowledgments below for companies that participated). Regarding the manufacturers’ responses, the nine surveyed companies represent about 50% of the market of RFI monitoring products available in 2018.

    RFI Equipment Used

    We present here the aggregated results of the RFI equipment manufactured and used by the participating entities.

    Frequency Bands and Signals. The L1/E1 band is covered by all of the manufacturers’ and users’ surveyed products. L5/E5a and other bands are monitored in only 42% of the cases, or even less. Most RFI systems demodulate or analyze the GPS L1 C/A signal. Only 8% and 17% of users analyze GPS L5 and Galileo E5a, respectively.

    Capabilities. RFI localization is provided by 55% of the surveyed industry products and 25% of the surveyed users’ products, while some type of spoofing detection is provided by 45% of the industry products and only 33% of the users’ products.

    Power and Antenna Gain. Most of the systems achieve a sensitivity better than or equal to –120 dBm, meeting the International Civil Aviation Organization requirement for GPS and SBAS L1 airborne receivers to withstand interference (–120.5 dBm CW, in-band) after steady-state navigation has been established. The gain of antennas used in RFI detection systems ranges from 2 dBi up to 45 dBi.

    Real-Time Bandwidth. The maximum real-time monitored bandwidth of the surveyed products ranges from 16 MHz up to 60 MHz in L1. Most of the products monitor a 20-MHz bandwidth (similar to the GPS L1 C/A reference bandwidth for pre-GPS III satellites, which is 20.46 MHz).

    Spectrum Refresh Time. The time needed by the RFI detector to capture and process a plot of the RF spectrum in a specific band to look for interference signals ranges from 1 microsecond to 2 seconds.

    Jamming Detection Techniques. The most widespread jamming detection technique is RF power monitoring (45% industry, 92% users), followed by digital beamforming (CRPAs), carrier-to-noise-density ratio (C/N0) monitoring and spectral analysis/transforms (see Figure 1). Note that RF power monitoring and automatic gain control (AGC) monitoring are in essence the same detection technique: AGC voltage levels — after calibration with a reference RF generator — can be converted into RF input power levels.

    Figure 1a. Jamming detection techniques used by industry. (Chart: RFI survey)

    Figure 1b. Jamming detection techniques of users. (Chart: RFI survey)

    Spoofing Detection Techniques. The most widespread spoofing detection techniques are PVTF consistency monitoring (industry products, 27%) and correlation peak monitoring (users, 25%), followed by digital beamforming (CRPAs), C/N0 monitoring and spectral analysis/transforms (see Figure 2).

    Figure 2a. Spoofing detection techniques used by industry. (Chart: RFI survey)

    Figure 2b. Spoofing detection techniques of users. (Chart: RFI survey)
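    The two paragraphs above tally the detection techniques in use but do not show how any of them turns receiver measurements into an alert. The following added example (written for this page, not code from the survey or from any surveyed product) implements the most common ones in a few dozen lines: RF power/AGC monitoring and C/N0 monitoring for jamming, and PVT consistency monitoring of position, velocity and clock for spoofing. The epoch format, the constructed 1 Hz track and every threshold are assumptions for illustration; a real deployment calibrates them per site, and, as the survey notes, AGC levels map to RF input power only after calibration against a reference generator.

```python
"""Threshold-based GNSS jamming and spoofing detector over receiver epochs.
Added example: the epoch format, constructed track and thresholds are assumptions."""
from dataclasses import dataclass
from math import hypot
from statistics import mean
from typing import Dict, List


@dataclass
class Epoch:
    """One receiver output epoch (constructed format, not any vendor's)."""
    t: float                 # receiver time, seconds
    agc_db: float            # AGC gain, dB: lower gain means more RF input power
    cn0: Dict[str, float]    # C/N0 per tracked satellite, dB-Hz
    east_m: float            # local east/north position, metres
    north_m: float
    clock_bias_ns: float     # receiver clock bias estimate, nanoseconds


# Thresholds are assumed for this example; a deployment calibrates them per site.
AGC_DROP_DB = 10.0          # AGC gain fall vs. baseline: excess in-band power (jamming)
CN0_DROP_DB = 8.0           # mean C/N0 fall vs. baseline: degraded tracking (jamming)
MAX_SPEED_MPS = 30.0        # fastest plausible motion of the platform (PVT consistency)
MAX_CLOCK_STEP_NS = 500.0   # largest plausible clock-bias change between epochs


def baseline(epochs: List[Epoch], n: int) -> Dict[str, float]:
    """Quiet-sky reference levels from the first n epochs."""
    ref = epochs[:n]
    return {"agc_db": mean(e.agc_db for e in ref),
            "cn0_db": mean(mean(e.cn0.values()) for e in ref)}


def detect(epochs: List[Epoch], baseline_n: int = 3) -> List[dict]:
    """Run four checks on every epoch after the baseline window and return one
    alert per triggered check: {"t", "kind", "technique", "detail"}."""
    if len(epochs) <= baseline_n:
        return []
    ref = baseline(epochs, baseline_n)
    alerts: List[dict] = []
    for prev, cur in zip(epochs[baseline_n - 1:], epochs[baseline_n:]):
        # Jamming, RF power / AGC monitoring: the AGC backs off when in-band power rises.
        agc_drop = ref["agc_db"] - cur.agc_db
        if agc_drop >= AGC_DROP_DB:
            alerts.append({"t": cur.t, "kind": "jamming", "technique": "agc",
                           "detail": f"AGC gain {agc_drop:.1f} dB below baseline"})
        # Jamming, C/N0 monitoring: interference lowers C/N0 on all tracked satellites.
        cn0_drop = ref["cn0_db"] - mean(cur.cn0.values())
        if cn0_drop >= CN0_DROP_DB:
            alerts.append({"t": cur.t, "kind": "jamming", "technique": "cn0",
                           "detail": f"mean C/N0 {cn0_drop:.1f} dB below baseline"})
        dt = cur.t - prev.t
        if dt <= 0:
            continue
        # Spoofing, PVT consistency: the fix implies a speed the platform cannot reach.
        speed = hypot(cur.east_m - prev.east_m, cur.north_m - prev.north_m) / dt
        if speed > MAX_SPEED_MPS:
            alerts.append({"t": cur.t, "kind": "spoofing", "technique": "pvt",
                           "detail": f"implied speed {speed:.0f} m/s"})
        # Spoofing, time consistency: the clock bias steps instead of drifting smoothly.
        clock_step = abs(cur.clock_bias_ns - prev.clock_bias_ns)
        if clock_step > MAX_CLOCK_STEP_NS:
            alerts.append({"t": cur.t, "kind": "spoofing", "technique": "clock",
                           "detail": f"clock bias stepped {clock_step:.0f} ns"})
    return alerts


def sample_epochs() -> List[Epoch]:
    """Constructed 1 Hz track: three quiet epochs, a jamming burst, then two
    spoofing symptoms while the signals themselves look healthy."""
    sats = ["G02", "G05", "G12", "E11", "E19"]

    def quiet(t: float, e: float, n: float, bias: float) -> Epoch:
        return Epoch(t, 40.0, {s: 45.0 for s in sats}, e, n, bias)

    return [
        quiet(0.0, 100.0, 200.0, 1000.0),
        quiet(1.0, 105.0, 201.0, 1010.0),
        quiet(2.0, 110.0, 202.0, 1020.0),
        # t=3: in-band power rises, AGC backs off 15 dB and C/N0 collapses (jamming)
        Epoch(3.0, 25.0, {s: 34.0 for s in sats}, 115.0, 203.0, 1030.0),
        quiet(4.0, 120.0, 204.0, 1040.0),
        # t=5: the fix jumps 500 m in one second (spoofed position)
        quiet(5.0, 620.0, 204.0, 1050.0),
        # t=6: position plausible again, but the clock bias steps by 3 us (spoofed time)
        quiet(6.0, 625.0, 205.0, 4050.0),
    ]


if __name__ == "__main__":
    for alert in detect(sample_epochs()):
        print(alert)
```

    Run as a script, the block prints four alerts: two jamming alerts at t=3 (AGC and C/N0), a PVT alert at t=5 and a clock alert at t=6. The point of keeping the checks separate is the one the survey makes implicitly: a jammer trips the power and C/N0 checks while the fix simply degrades, whereas a spoofer can leave power and C/N0 looking normal and is only caught by the consistency checks on the solution itself.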

    Localization. The most widespread RFI localization technique is direction/angle of arrival (DOA/AOA): 55% in industry products and 25% in users’ systems. AOA techniques used are correlative interferometer (phase-difference), Watson-Watt (amplitude-difference) and array signal processing. The AOA accuracy of surveyed products ranges from ±3° to ±10°.

    Event Recording. For an interference event, most products record the time stamp, received power, central frequency, frequency spectrum, the spectrogram (frequency versus time plot) and the jammer type. Only 8% of surveyed users perform spoofing event recording (see Figure 3). 92% of users record RFI/spoofing events; half also report them to their national spectrum administration. Users have from one to 11 jammer detectors. Only four users reported having spoofing detectors, each with a single unit.

    Figure 3a. RFI events recording/database used by industry. Jammer classifications: Class I — continuous wave signal; Class II — chirp signal with one saw-tooth function; Class III — chirp signal with multi saw-tooth functions; Class IV — chirp signal with frequency bursts. (Chart: RFI survey)

    Figure 3b. RFI events recording/database of users. Jammer classifications: Class I — continuous wave signal; Class II — chirp signal with one saw-tooth function; Class III — chirp signal with multi saw-tooth functions; Class IV — chirp signal with frequency bursts. (Chart: RFI survey)

    Event Sharing. 75% of surveyed users are willing to collaborate in the creation of an international RFI and spoofing events common database, but the remaining 25% explicitly do not want to share their databases.

    Future RFI Monitoring Equipment

    Based on the analysis of the aggregated results from the survey, we identified some recommendations for improving RFI monitoring:

    L5/E5a band. To be ready for introduction of the L5/E5a band into aviation operational use (expected by 2025), it is suggested that aviation organizations increase efforts to monitor and analyze the RFI situation in the L5/E5a band.

    Spoofing detection. National organizations in charge of critical infrastructures should increase their efforts to detect spoofing (at least at the same level as jamming detection). Multi-constellation and dual-frequency spoofing detection should be promoted (not only L1/E1 spoofing).

    GNSS RFI monitoring with enough bandwidth. The maximum real-time monitored bandwidth of the surveyed products ranges from 16 MHz to 60 MHz, while most of the products monitor only a 20-MHz bandwidth. The receiver reference bandwidth for E1 is 24.552 MHz, while for L1 GPS III it is 30.69 MHz. U.S.-EU GNSS RFI detection systems for critical infrastructures should be designed to monitor at least 31 MHz of bandwidth in the L1/E1 band, with 50 MHz recommended to cope with the typical –3 dB bandwidth of the pre-low-noise-amplifier (LNA) GNSS L1/E1 receiver filter. The same rule should be applied to other GNSS bands. Even more monitoring bandwidth could be needed to cope with rare interferers, such as a high-power source, intentional or unintentional, radiating near the L1/E1 band but outside the passband frequencies, which can bypass the rejection of the receiver’s filters and degrade GNSS signal reception.

    Air Navigation

    In the EU, performance-based navigation (PBN) will become the norm in all flight phases, and GNSS (with or without SBAS) will be the main position source, by June 2030. A similar scenario is being developed in the U.S. Conventional procedures and ground-based navigation aids will be used only in contingency situations. GNSS RFI can degrade the current GBAS CAT I (GAST-C) service in airports and could jeopardize safe operation of upcoming GBAS CAT II-III (GAST-D) service. GNSS also is the key enabler for ADS-B.

    Therefore, it is critical for air transportation to improve its capability to detect radio frequency interference to GNSS and mitigate its harmful effects, both on the ground and in the air.

    Ground Detection and Localization. These systems should be installed at and around all airports. ENAIRE has recently deployed an AOA RFI detection and localization system around the Madrid airport called DYLEMA. It consists of nine AOA RFI and spoofing detectors, two spoofing-only detectors, an IP communication network and a GNSS monitoring center operated 24/7. From this center, ENAIRE will report RFI events to the Spanish spectrum agency. Similar systems will be deployed in other large Spanish airports in the next years. In small airports, ENAIRE is deploying single-unit RFI detectors (one detector per airport, currently without the AOA feature). These systems are complemented by handheld and airborne spectrum analyzers equipped with directional antennas and RFI AOA features, used if an RFI event of high power or duration takes place.

    Airborne Detection and Localization. Several initiatives are under study or initial design for airborne detection and localization systems, using current avionics receivers with no hardware modification or new hardware such as additional antennas in the aircraft. Future airborne RFI detection systems should include indoor coverage to detect jammers and spoofers in the airplane itself. EUROCONTROL is leading one of these initiatives using ADS-B. Given a reliable ADS-B data feed with suitable coverage information, a search algorithm could scan for outages. If the data is dense enough, it is possible to locate the source, even if the GNSS airborne antenna is omnidirectional with no AOA features. Another commercial initiative, GATEMAN, uses new GNSS antennas and components to provide AOA detection and localization features.

    UAV-Embedded Detection and Localization. Detection and localization systems embedded in UAVs are not widely commercially available, but they will be useful to complement fixed or ground RFI monitoring systems, especially to detect fast moving mobile jammers and spoofers. A jammer moving at high speed could be found by a fixed detector, trigger the UAV take-off (collocated with the detector or close to it), and start tracking the target. If equipped with a camera, it could identify the vehicle carrying the jammer or spoofer. Such a system has to function in GNSS-denied scenarios, and needs to use sensors other than GNSS. Stanford University has recently developed a prototype of such a system.

    Other Sectors

    Shipping. RFI detection systems should be installed at and around harbors, where positioning requirements are the most stringent. Mobile AOA detectors can be installed in vessels. A DLR experiment integrated its GALANT GNSS RFI detector on a ship sailing from Spain to South Korea and back.

    Railroads. Detection and localization systems should be installed at train stations and main railway junctions or switches. It is possible to install mobile detectors in trains to detect jammers inside the train apart from outdoor coverage to detect jammers outside the train.

    Roads. Most PPD jammers in use are on roadways. Jammers not only jeopardize aviation and timing systems; they can jeopardize the safety of the coming autonomous road vehicles. We strongly recommend that police and road surveillance systems include jammers and spoofers as a daily target, to detect, localize and punish their users.

    Supporting proposals include installing fixed detectors at tollbooths, road gantries or other points near roads; and using mobile detectors — for example, on police vehicles for locating a car that carries a jammer. Public transport services with enough vehicles (such as taxis or buses) could also detect RFI.

    Smartphone Platforms. Initiatives are using smartphone crowdsourcing platforms to detect interference based on C/N0 or AGC measurements. At this time, only prototype apps for Android phones are available. The Apple iOS does not allow access to GNSS raw data. Android applications can include localization capabilities based on Time Difference Of Arrival (TDOA) or Power Difference Of Arrival (PDOA). Having a detection system in a mass-market product would create millions of detectors around the world. Reward programs by national or local administrations would encourage use of the app. User consent to obtain the data will be needed.
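    The Localization paragraph earlier and the smartphone paragraph above name the localization techniques (AOA, TDOA, PDOA) without showing how a set of detector readings becomes a position. The following added example (written for this page, not code from the article, ENAIRE, or any app it mentions) implements PDOA, the technique that needs nothing beyond the received-power measurement that every surveyed product already records: a grid search for the transmitter position whose predicted pairwise power differences best match those measured at four fixed detectors. The detector layout, the log-distance path-loss model with exponent 2, the 20 dBm transmitter and the small per-sensor measurement offsets are all constructed assumptions.

```python
"""PDOA (power difference of arrival) jammer localization by grid search.
Added example; sensor layout, path-loss model and measurements are constructed."""
from itertools import combinations
from math import hypot, log10
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
PATH_LOSS_EXPONENT = 2.0  # assumed log-distance model; free-space-like propagation


def received_power_dbm(p_tx_dbm: float, tx: Point, rx: Point,
                       n: float = PATH_LOSS_EXPONENT) -> float:
    """Received power under the log-distance model (distance clamped to 1 m)."""
    d = max(hypot(tx[0] - rx[0], tx[1] - rx[1]), 1.0)
    return p_tx_dbm - 10.0 * n * log10(d)


def pdoa_locate(sensors: Sequence[Point], powers_dbm: Sequence[float],
                extent: Tuple[int, int, int, int], step: int = 5,
                n: float = PATH_LOSS_EXPONENT) -> Tuple[Point, float]:
    """Return (estimate, cost): the grid point whose predicted pairwise power
    differences best fit the observed ones in the least-squares sense.
    Differencing cancels the unknown transmit power, so only the position
    and the path-loss exponent matter."""
    pairs = list(combinations(range(len(sensors)), 2))
    observed = {(i, j): powers_dbm[i] - powers_dbm[j] for i, j in pairs}
    xmin, xmax, ymin, ymax = extent
    best, best_cost = (float(xmin), float(ymin)), float("inf")
    for x in range(xmin, xmax + 1, step):
        for y in range(ymin, ymax + 1, step):
            logd = [log10(max(hypot(x - sx, y - sy), 1.0)) for sx, sy in sensors]
            # predicted P_i - P_j = -10 n (log d_i - log d_j); residual = observed - predicted
            cost = sum((observed[(i, j)] + 10.0 * n * (logd[i] - logd[j])) ** 2
                       for i, j in pairs)
            if cost < best_cost:
                best, best_cost = (float(x), float(y)), cost
    return best, best_cost


# Constructed scenario: four fixed roadside detectors at the corners of a 1 km
# square, a 20 dBm jammer at (350, 220) m, and small per-sensor measurement offsets.
SENSORS: List[Point] = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]
TRUE_JAMMER: Point = (350.0, 220.0)
MEASUREMENT_OFFSETS_DB = [0.02, -0.02, 0.01, -0.02]
SEARCH_EXTENT = (0, 1000, 0, 1000)


def sample_measurements(offsets_db: Sequence[float] = MEASUREMENT_OFFSETS_DB) -> List[float]:
    """Received power at each detector from the constructed jammer, plus offsets."""
    return [received_power_dbm(20.0, TRUE_JAMMER, s) + off
            for s, off in zip(SENSORS, offsets_db)]


def localization_error_m() -> float:
    """Distance between the PDOA estimate and the constructed true position."""
    est, _ = pdoa_locate(SENSORS, sample_measurements(), SEARCH_EXTENT)
    return hypot(est[0] - TRUE_JAMMER[0], est[1] - TRUE_JAMMER[1])


if __name__ == "__main__":
    est, cost = pdoa_locate(SENSORS, sample_measurements(), SEARCH_EXTENT)
    print(f"estimate {est}, residual cost {cost:.4f}, error {localization_error_m():.1f} m")
```

    With the constructed offsets the estimate lands within one or two grid steps of the true position. The design choice worth noting is that power differences, not absolute powers, are fitted: that removes the transmitter power as an unknown, which is what makes the method usable for an unknown jammer. What it does not remove is the path-loss exponent, which is why the authors' call for calibrated detectors with known antenna gains matters as much for localization as for detection.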

    Space-Based Detection. Space-based detection is feasible to find medium- to high-power jammers and spoofers. Several projects have performed simulations, such as the ground to space threat simulator from Qascom and Spirent Communications. In this project, simulations achieved an error of less than 1.5 km using a medium-Earth-orbit (MEO) satellite as the RFI sensor and a 20-dBm static jammer on Earth, with 15 minutes of observation time. Also, an experimental program from the International Space Station has demonstrated that RFI can be detected from low Earth orbit.

    The main issue with such detection systems is the cost of deploying all the satellites needed for global coverage with a low response time (2 hours or less to detect RFI). A space-based RFI system performs better with a LEO constellation, which, compared with an MEO system, can detect RFI of lower transmitted power. One such system, by HawkEye 360, was deployed in 2019. The company plans to operate a fleet of 30 satellites in LEO, enabling it to gather new signals from any point on the planet within 30 to 45 minutes.

    General Recommendations

    Increased Effort Needed. Public administrations and transport service providers should increase their efforts to deploy GNSS RFI detection and localization systems. In parallel, governments should punish individuals or organizations using jammers or other types of illegal transmitters or emissions. Jamming and spoofing are illegal in the EU and the U.S. An increased RFI monitoring effort should be coordinated at the national or regional level to find synergies and avoid duplications.

    Planned Interference. Government agencies, including national radiofrequency spectrum agencies, should coordinate nationally and internationally with air, rail, road, maritime and other critical infrastructure entities before any planned intentional interference is conducted, such as military exercises or protection of special events from potential terrorist attack. This coordination includes an analysis of the estimated area and airspace volume affected by the RFI, the associated notification to the GNSS users before and during the RFI radiation period (such as a NOTAM, Notice to Airmen), as well as the indication to use established alternative procedures (non-GNSS).

    A Common Database. The creation of an international common database of GNSS RFI events could boost the fight against GNSS RFI. A specific action could define a standard of the RFI data format to be registered and shared in an international database, including a possible RFI classification (also defined and agreed to as part of the standard). One initiative related to the creation of an international GNSS RFI threats database was proposed by the EU-funded STRIKE 3 project in 2017.

    Acknowledgments

    The work presented in this report has been performed under the U.S.-EU Agreement on GPS-Galileo Cooperation, Working Group C, Resiliency Subgroup. The authors thank the participants of the Working Group and the Resiliency Subgroup — in particular, Eurocontrol and the FAA for distribution of the survey in the EU and the U.S., respectively. The authors also thank the organizations that participated in the survey: Spirent Communications, GMV, Centum Solutions, THALES, IDS AirNav, Chronos Technology, Innovationszentrum für Telekommunikationstechnik (IZT), Collins Aerospace, German Aerospace Center (DLR), Netherlands Aerospace Centre (NLR), Deutsche Flugsicherung (DFS), Direction des Services de la Navigation Aérienne (DSNA), Polish Air Navigation Services Agency (PANSA), Belgocontrol, ENAV and ENAIRE.

    José Luis Madrid-Cobos is the technical manager of GNSS interference detection and localization systems at ENAIRE, the Air Navigation Service Provider in Spain. Ana Bodero-Alonso is the head of the Satellite Navigation Department at ENAIRE. Ignacio Fernández-Hernández is responsible for Galileo high accuracy and authentication at the European Commission. Eric Châtre is the head of the GNSS Exploitation and Evolutions Sector at the European Commission. Andriy Konovaltsev is a research assistant at Institute of Communications and Navigation of the German Aerospace Center (DLR). Christopher Hegarty is a technical fellow with The MITRE Corporation.

  • Anti-jam technology gets smaller with NovAtel system

    Photo: NovAtel

    Hexagon | NovAtel launched the GAJT-410ML GPS anti-jam system in 2019. The compact design of the new, smaller version of NovAtel’s GPS Anti-Jam Technology (GAJT) can be rapidly integrated into space-constrained military vehicles (see photo). The system is easy to use while protecting GPS-based navigation and precise timing receivers (including M-code) from intentional jamming and accidental interference, according to NovAtel.

    Spoofing, or the ability to give false data to a receiver, is a different challenge from jamming, with potentially even graver consequences. The GAJT portfolio provides protection from both jamming and spoofing to best defend military systems.

    Spoofing Detection. As a trusted partner for guidance, navigation and control, NovAtel is developing robust spoofing detection technology that will be available in the company’s product portfolio soon. The additional spoofing information empowers users to make informed decisions about the radio frequency environment they are operating in, alerting them if malicious actors are present. This provides actionable intelligence as part of a layered approach to defend against jamming and spoofing.

    NAVWAR Support. NovAtel OEM components and military off-the-shelf items are engineered to deliver precise, assured positioning and timing. Deep GNSS expertise and lean manufacturing capabilities enable the effective delivery of high-performance products in large volumes with minimal production and delivery times. This approach is combined with a high level of support to achieve low product return rates.

  • Orolia enhances Spectracom GPS threat mitigation with Talen-X

    Orolia has taken the next integration steps with its Spectracom line of resilient PNT products, which will enable clients to take full advantage of Talen-X’s BroadShield Interference and Spoofing Detection technology.

    The announcement follows up on news of the recent Talen-X strategic alliance.

    Orolia’s Spectracom and Talen-X have aligned hardware and software development efforts to jointly develop, market and sell an advanced PNT solution. The goal is to combine the strengths of Spectracom’s resilient PNT products with Talen-X’s interference and spoofing detection suite (BroadShield).

    In addition, under the alliance, Orolia will manufacture SecureSync precise time and frequency references with BroadShield integrated for Talen-X in its Rochester, New York, facility.

    Logo: Orolia Spectracom

    Many mission critical defense, government and commercial operations require highly accurate and reliable PNT data but often rely on signals from GPS/GNSS satellites that are increasingly susceptible to interference or jamming. The Talen-X BroadShield technology is a fully integrated software option available within Spectracom SecureSync.

    Working with standard SecureSync GPS/GNSS receivers, BroadShield uses its unique software algorithms to detect anomalies in the GPS signal, including unintentional interference and malicious attacks. Armed with feedback from BroadShield detected anomalies, the integrated solution provides notification, alarming and automatic disabling of GPS/GNSS synchronization.

    At the same time, BroadShield interference and spoofing detection technology enhances the resilient PNT capabilities of the best-selling Spectracom SecureSync line of time and frequency reference systems. BroadShield achieves this by ensuring mission critical applications receive reliable, accurate and precise time and frequency information in a variety of challenging environments.

    In addition, Spectracom SecureSync will take full advantage of Talen-X’s BroadShield algorithms, which are known for meeting the requirements for critical infrastructure published by the U.S. Department of Homeland Security (DHS).

    Beyond complying with DHS best practices, Talen-X has further enhanced the BroadShield algorithms to go beyond detecting threats. With this enhancement, Spectracom SecureSync operators have detailed threat characteristics, real-time situational awareness and recorded data for post-event forensic analysis.

    “This synchronized solution is designed to meet both government and commercial requirements by improving the protection of GPS/GNSS based critical infrastructure systems against emerging GPS/GNSS threats,” said Greg Gerten, Talen-X CEO. “Talen-X’s interference and spoofing detection algorithms have been successfully supporting the U.S. Department of Defense (DoD) in Navigation Warfare (NAVWAR) testing for over six years, and are ready to be leveraged to protect civil communities as well.”

    “Orolia is focused on providing Resilient PNT solutions, combining and layering technology in innovative ways that help our customers meet their mission goals,” said John Fischer, Orolia’s V.P. of Advanced R&D. “This new capability from Talen-X augments our systems with a unique ability to detect and mitigate emerging GPS and GNSS threats more effectively.”

    For more, visit Spectracom.com’s BroadShield information page.

  • GNSS spoofing will attain virus status, warns expert

    Figure 6. Performance of a typical spoofed case with live data: spoofing detection statistic, threshold, and related probability density functions.

    As manufacturers convert machines and appliances into remotely controllable objects (the Internet of Things), the potential for spoofing expands, perhaps exponentially. Hackers could interfere with the data supplied to autonomous cars or trucks, remotely forcing them to crash.

    Although the dangers of GPS spoofing have been pointedly discussed in many technical papers and articles in GPS World since the early 2000s, manufacturers have not devoted much attention to them because there weren’t many devices making use of location-based technologies, according to associate professor Dinesh Manandhar of the University of Tokyo.

    With the proliferation of GPS-capable smartphones and other networked devices, “anyone can become a target of the attack,” Manandhar told the Japan Times in a recent interview.

    “Too many things today use GPS as a reliable source of location information,” Manandhar said. “People trust the location information from GPS satellites like God. When PCs became common for many people, the sudden outbreak of computer viruses became an issue around the world, and anti-virus software became an essential tool for everyone to protect their data,” he added. “The same thing is now happening around GPS. We need a system to fight back against the risk.”

    Manandhar cited some possible examples of spoofing, both by consumers — “You can falsify your smartphone’s information and make it look like you are going back and forth between Tokyo and Hawaii within just three minutes,” — and by sophisticated criminals. “Let’s say I were a top manager of a major bank. I could access all the information while sitting at my desk, but I wouldn’t be able to access it from the room next to it. But people could get access to such information if they disguised the location information received by computer.”

    Manandhar and many other researchers around the world are developing and testing anti-spoofing techniques, but it is a long step from demonstrated results to integration into products reaching market. “The products we are designing today are ones that we will use five years later. So we must assume the possible risks and prepare for the threats that might jeopardize our society in the future.”

    Manandhar co-authored the article “Opening Up Indoors: Japan’s Indoor Messaging System, IMES” in the May 2011 issue of GPS World. The graphic heading this news story is drawn from “GNSS Spoofing Detection: Correlating Carrier Phase with Rapid Antenna Motion,” the Innovation column in the June 2013 issue.

  • GNSS Lies, GNSS Truth

    GNSS Lies, GNSS Truth

    Photo: Mark L. Psiaki, Brady W. O’Hanlon, Steven P. Powell, Jahshan A. Bhatti, Todd E. Humphreys, and Andrew Schofield

    Spoofing Detection with Two-Antenna Differential Carrier Phase

    By Mark L. Psiaki, Brady W. O’Hanlon, Steven P. Powell, Jahshan A. Bhatti, Todd E. Humphreys, and Andrew Schofield

    A new method detects spoofing attacks that are resistant to standard RAIM techniques and can sense an attack in a fraction of a second without external aiding. The signal-in-space properties used to detect spoofing are the relationships of the signal arrival directions to the vector that points from one antenna to the other. A real-time implementation succeeded against live-signal spoofing attacks aboard a superyacht, the White Rose of Drachs shown above, cruising in international waters.

    Read more about “Red Team, White Team, Blue Team” below.

    Concerns about spoofing of open-service GNSS signals inspired early work on simple receiver-autonomous integrity monitoring (RAIM) methods based on the consistency of the navigation solution. Work on new classes of defense techniques began in earnest after the demonstration of a powerful spoofer that is undetectable by simple pseudorange-based RAIM methods. There has been a sense of urgency to solve the spoofing problem since the Iranians captured a classified U.S. drone in 2011 and made unsubstantiated claims to have spoofed its GPS. Two dramatic field demonstrations of the spoofer developed by author Humphreys and colleagues at the University of Texas, Austin, heightened interest in spoofing detection: one involved deception of a small unmanned aerial vehicle (UAV), causing it to dive towards the ground; another sent a superyacht off course without raising any alarms on its bridge.

    One class of spoofing detection methods uses encrypted signals, their known relationships to the open-service signals, and after-the-fact availability of encryption information. Such techniques require a high-bandwidth communication link between the potential victim of a spoofing attack and a trusted source of after-the-fact encryption information, and may involve significant latency between attack and detection.

    Another class of methods uses advanced RAIM-type techniques. Instead of considering only pseudorange consistency, these RAIM techniques examine additional signal characteristics such as absolute power levels, distortion of the PRN code correlation function along the early/late axis, the possible existence of multiple distinct correlation peaks in signal-acquisition-type calculations, and other signal or receiver characteristics. Such methods are relatively simple to implement because they do not require much additional hardware, if any, but some of these strategies can have trouble distinguishing between multipath and spoofing or between jamming and spoofing.

    A third class proposes the addition of Navigation Message Authentication bits: cryptographically authenticated (signed or MAC-protected) portions of the low-rate navigation data message. Such techniques require modification of the navigation data message and can allow long latencies between the onset of a spoofing attack and its detection.

    A fourth class exploits the differing signal-in-space geometry of spoofed signals in comparison to true GNSS signals. All spoofed signals typically arrive from the same direction, but true signals arrive from a multiplicity of directions. Some of these methods use receiver antenna motion to achieve direction-of-arrival sensitivity. Others use an array of two or more receiver antennas. 

    The most powerful of these detection strategies exploit models of the effects on carrier-phase data of antenna motion or antenna-array geometry. This knowledge may be partial because an unknown antenna-array attitude may need to be determined as part of the detection calculation. Their power derives from the high degree of accuracy with which a typical GNSS receiver can measure beat carrier phase.

    Goals. This research follows on moving-antenna/carrier-phase-based spoofing detection work. One of our goals has been to remove the necessity for moving parts by using two antennas and processing their carrier-phase data. 

    A second goal has been to achieve real-time operation. An earlier prototype moving-antenna system (see “GNSS Spoofing Detection,” GPS World, June 2013) used post-processing and completed its spoofing detection calculations days or weeks after the recording of wide-band RF data during live-signal attacks. 

    A third goal has been to test this system against actual live-signal spoofing attacks to prove its real-time capabilities and evaluate its performance during the two phases of an attack: the initial signal capture and the post-capture drag-off to erroneous position and timing fixes.

    Two-Antenna System Architecture

    The system consists of two GNSS patch antennas, GPS receiver hardware and software, and spoofing detection signal-processing hardware and software. Figure 1 shows two versions. The left-hand version connects its two patch antennas to an RF switch. The single analog RF output of the switch is input to a GNSS receiver that is standard in all respects, except for two features. First, it controls the RF switch or, at least, has access to the switching times. Second, it employs a specialized phase-locked loop (PLL) that can track the beat carrier phase of a given signal through the phase jumps that occur at the switching times. The right-hand version connects each antenna to an independent GPS receiver, likely connected to a common reference oscillator.

    Figure 1. Two configurations: the RF-switched-signal/single-receiver configuration (left) and the two-receiver configuration (right).

    The last element of each system is a spoofing detection signal-processing unit. Its inputs are the single-differenced beat carrier phases of all tracked signals, with differences taken between the two antennas. In the switched antenna system, each difference is deduced by the specialized PLL. In the two-receiver system, the single-differences are calculated explicitly from each receiver’s beat carrier-phase observables.

    Except for the final spoofing detection unit, the two-receiver system on the right-hand side of Figure 1 is already available commercially. Typical applications are CDGPS-based attitude/heading determination. Thus, this is the easiest version to implement.

    This system could include more than two antennas. A multi-antenna system could have a dedicated RF front-end and a dedicated set of receiver channels for each antenna, as on the right of Figure 1. Alternatively, a multi-antenna system could include an RF switch between any one of the multiple antennas at the command of the receiver. The latter design would entail a slight modification to the specialized PLL to track multiple independent phase jumps for the independent antenna switches.

    Principles. The principles used to detect spoofing can be understood by considering and comparing the signal-in-space and antenna geometries shown in Figure 2, the two-antenna system and three GNSS satellites for a typical non-spoofed case, and Figure 3, a spoofed case. The salient difference is that the different GNSS signals arrive from different directions for the non-spoofed case, namely r_s1, r_s2 and so on. They all arrive from the same direction, the direction of the spoofer r_sp, for the spoofed case. For detection purposes, the important geometric feature is the projection of each direction of arrival onto the known separation vector between the two antennas, b_BA. This projection has a direct effect on the beat carrier-phase difference between the two antennas. In the non-spoofed case, this effect will vary between the different received signals in ways consistent with the attitude of the b_BA vector. In the spoofed case, all of these carrier-phase differences will be identical. The spoofing detection algorithm decides between two hypotheses about the carrier-phase differences, one conjecturing a diversity consistent with authentic signals and the other conjecturing the sameness that is characteristic of spoofed signals.

    Figure 2. Geometry of two-antenna spoofing detection system and GNSS satellites for non-spoofed case.

    Figure 3. Spoofed-case geometry of two-antenna spoofing detection system and GNSS spoofer.
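    The following is an added example, not code from the article or its authors, that runs the two-hypothesis comparison just described on constructed data. It assumes a level baseline, so the unknown antenna-array attitude reduces to a single compass heading found by grid search; it uses the spoofed-model fit cost minus the authentic-model fit cost as the detection statistic γ in place of the paper’s likelihood-based statistic, with a constructed threshold γ_th. The sign convention of the phase difference, the seven-satellite sky, the spoofer direction, the noise level, the common phase bias and all function names are this example’s own assumptions. Phase differences are handled modulo one cycle, since the 0.14 m baseline is longer than half an L1 wavelength.

```python
import math
import random

L1_WAVELENGTH_M = 299792458.0 / 1575.42e6   # GPS L1 carrier wavelength, about 0.1903 m
BASELINE_M = 0.14                            # antenna A-to-B spacing, as in the prototype


def wrap(angle):
    """Wrap an angle in radians into [-pi, pi)."""
    return (angle + math.pi) % (2 * math.pi) - math.pi


def los_unit_vector(az_deg, el_deg):
    """Unit line-of-sight vector (east, north, up) from the antennas towards a transmitter."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def baseline_vector(heading_deg):
    """b_BA for a level baseline whose A-to-B direction points at the given compass heading."""
    psi = math.radians(heading_deg)
    return (BASELINE_M * math.sin(psi), BASELINE_M * math.cos(psi), 0.0)


def predicted_single_difference(los, baseline):
    """Geometric single difference (phase at B minus phase at A) in radians.
    Sign convention assumed here: (2*pi/lambda) * (r_hat . b_BA)."""
    dot = sum(a * b for a, b in zip(los, baseline))
    return 2.0 * math.pi * dot / L1_WAVELENGTH_M


def circular_mean(angles):
    """Mean direction of a set of angles; absorbs the unknown common phase bias."""
    return math.atan2(sum(math.sin(a) for a in angles), sum(math.cos(a) for a in angles))


def fit_cost(residuals):
    """Sum of squared wrapped residuals after removing one unknown common phase bias."""
    beta = circular_mean(residuals)
    return sum(wrap(r - beta) ** 2 for r in residuals)


def spoofed_model_cost(diffs):
    """H_spoofed: every single difference is the same unknown constant (one arrival direction)."""
    return fit_cost(diffs)


def authentic_model_fit(diffs, los_vectors, step_deg=0.25):
    """H_authentic: differences follow the satellite geometry projected on a level baseline
    of unknown heading; the heading is a 1-D grid search (the general method's attitude
    estimate reduced to one angle). Returns (cost, heading_deg)."""
    best_cost, best_heading = math.inf, None
    for i in range(int(round(360.0 / step_deg))):
        heading = i * step_deg
        b = baseline_vector(heading)
        residuals = [wrap(d - predicted_single_difference(r, b)) for d, r in zip(diffs, los_vectors)]
        cost = fit_cost(residuals)
        if cost < best_cost:
            best_cost, best_heading = cost, heading
    return best_cost, best_heading


def detect(diffs, los_vectors, gamma_th=0.5):
    """gamma = spoofed-model cost minus authentic-model cost: large when signals arrive from
    many directions, at or below the noise floor when they all share one direction.
    gamma_th is a constructed threshold, not the paper's."""
    j_spoofed = spoofed_model_cost(diffs)
    j_authentic, heading = authentic_model_fit(diffs, los_vectors)
    gamma = j_spoofed - j_authentic
    return {"gamma": gamma, "authentic": gamma > gamma_th, "heading_deg": heading}


def simulate_single_differences(los_vectors, heading_deg, spoofer_az_el=None,
                                bias_rad=1.0, sigma_rad=0.03, seed=1):
    """Constructed measurements. With spoofer_az_el every tracked signal arrives from that one
    direction (Figure 3); otherwise each arrives from its own satellite (Figure 2).
    bias_rad stands in for the unknown inter-receiver line/clock phase offset."""
    rng = random.Random(seed)
    b = baseline_vector(heading_deg)
    spoofer = None if spoofer_az_el is None else los_unit_vector(*spoofer_az_el)
    diffs = []
    for los in los_vectors:
        arrival = los if spoofer is None else spoofer
        diffs.append(wrap(predicted_single_difference(arrival, b) + bias_rad
                          + rng.gauss(0.0, sigma_rad)))
    return diffs


# Constructed sky of seven satellites as (azimuth, elevation) in degrees; not real PRN positions.
SKY = [(45, 60), (135, 30), (225, 45), (315, 20), (0, 75), (90, 15), (180, 35)]
LOS = [los_unit_vector(az, el) for az, el in SKY]

if __name__ == "__main__":
    print("authentic:", detect(simulate_single_differences(LOS, 37.0), LOS))
    print("spoofed:  ", detect(simulate_single_differences(LOS, 37.0, spoofer_az_el=(120, 5)), LOS))
```

    With authentic geometry the spoofed model misfits by several rad² while the authentic model fits down to the noise floor, so γ is large and the recovered heading is the true one. When every signal comes from one direction the spoofed model fits to the noise floor and γ cannot exceed that floor whatever the authentic fit does; the heading returned under the authentic hypothesis is then meaningless, which is the jumpy compass reading the article mentions as a secondary indicator.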

    Hypothesis Test

    The PDF paper on which this article is based presents the non-spoofed and spoofed signal models that form the basis of a hypothesis test, develops optimal estimation algorithms that fit the observed differential beat carrier phases to the two models, and shows how these estimates and their associated fit error costs can be used to develop a sensible spoofing detection hypothesis test.

    Offline and Live-Signal Testing

    We tested a prototype version of the two-antenna system as depicted on the righthand side of Figure 1. The antennas connect to two independent RF front-ends that run off of the same reference oscillator. These RF front-ends provide input to two independent receivers that track each signal using a delay-lock loop (DLL) and a PLL. Figures 4 and 5 show system elements: two GPS patch antennas mounted on a single ground plane with a spacing of 0.14 meters, two RF front-ends — universal software radio peripherals (USRPs) — with a common ovenized crystal oscillator. Digital signal-processing functions are implemented in real-time software radio receivers (SWRX) running in parallel on a Linux laptop, written in C++. Spoofing detection calculations are performed on the same laptop using algorithms encoded in Matlab.

    Figure 4. The two antennas of the prototype spoofing detection system mounted on a common ground plane.

    Figure 5. Signal processing hardware of the prototype spoofing detection system.

    A key feature of this architecture is the ability of its real-time software radios’ C++ code to call the spoofing detector’s Matlab tic function and to pass carrier-phase and other relevant data to the tic function. This feature served to shorten the implementation and test cycle for the prototype system by eliminating the need to translate the original Matlab versions of the spoofing detection algorithms into C++. This enabled rapid re-tuning and redesign of the spoofing detection calculations, exploited during the course of live-signal testing.

    The Matlab package displays real-time signal authentication information. Figure 6 shows the version of the display used for this study’s culminating live-signal tests. All displays are updated in real time. The upper left, upper right, and lower left plots scroll along their horizontal time axes to keep the most recent 4.5 minutes of data available. The lower right compass updates each time a new spoofing detection calculation is performed. The green dots in the upper right plot indicate that the time between spoofing detections, Δt_spf, is nominally 1 second, though sometimes the gap is longer due to lack of a sufficient number of validated single-differenced carrier phases to carry out the calculation. Thus, the nominal update time for all of the plots in this display is 1 second. Faster updates are possible with the Matlab software, but Δt_spf was deemed sufficiently fast for this study’s experiments.

    The most important panel in Figure 6 is the upper left spoofing detection statistic time history. The magenta plus signs on the plot show the spoofing detection threshold chosen for this case, γ_th. The computed γ values are plotted as green o’s if they lie above γ_th and as red asterisks if they lie below. If γ is above γ_th, the message “GPS Signals Authenticated” is displayed on the plot; if below, the message switches to the spoofing alert: “GPS SPOOFING ATTACK DETECTED!”

    Figure 6. Spoofing detector real-time display. Clockwise from top left: the spoofing detection statistic time history γ(t); four diagnostic time histories: the number of satellites used for spoofing detection L(t) (blue asterisks), their corresponding GDOP(t) values (magenta o’s), the time increment between spoofing detection tests Δt_spf(t) (green dots), and the compass heading ψ(t) as determined from the two-antenna non-spoofed-case solution (black dots); the compass display; and the time history of GPS PRN number availability.

    The other three panels proved helpful in diagnosing system performance. A low L value (near 4) or a high GDOP value in the upper right panel indicated poorer reliability of the spoofing detection calculations. A correct compass heading in the absence of spoofing provided a check on the system. During spoofing attacks, the compass heading became jumpy, thereby providing another possible indicator of inauthentic signals.

    The vertical scale of the lower left panel lists the possible GPS PRN numbers. The presence of a green or red dot at the level corresponding to a given PRN number indicates that one or both receivers is seeing something from that satellite at the corresponding time. If the dot is red, then the returned data are incomplete or are deemed to be insufficiently validated for use in the spoofing detection calculation. If the dot is green, then the data from that PRN have been used in the detection that has been carried out at that time.

    Another feature of the prototype spoofing detection system is its ability to record the wide-band RF data from its two antennas. For each spoofing scenario, the raw samples from both USRPs were recorded while the real-time software receiver was performing its signal-processing operations and while the real-time spoofing detector was doing its calculations. These recorded data streams will allow off-line analysis and testing of a re-tuned or completely redesigned spoofing detection system.

    Red Team Receiver/Spoofer. The UT Austin spoofer’s attack strategy overlays the spoofed signal on top of the true signals, ramps up the power to capture the receiver tracking loops, and finally drags the pseudorange, beat carrier phase, and carrier Doppler shift off from their true values to spoofed values. Figure 7 shows the pseudorange part of a spoofing attack: cross-correlation of the receiver’s PRN code replica with the total received signal (blue solid curve); the receiver’s early, prompt, and late correlations (red dots); and the spoofer signal (black dash-dotted curve). In the top plot, the spoofer has zero power, and the receiver sees only the true signal. The second and third plots show the spoofer ramping up its power while maintaining its false signal in alignment with the true signal. The spoofer power in the middle/third plot is sufficient to capture control of the three red dots of the receiver’s DLL. In the fourth and fifth plots, the spoofer initiates and continues a pseudorange drag-off, an intentional falsification of the pseudorange as measured by the victim receiver’s DLL.

    Figure 7. Receiver/spoofer attack sequence as viewed from a channel’s code offset cross-correlation function. Spoofer signal: black dash-dotted curve; sum of spoofer and true signals: blue solid curve; receiver early, prompt, and late correlation points: red dots.

    The spoofer performs drag-off simultaneously on all spoofed channels in a vector spoofing attack that maintains consistency of all spoofed pseudoranges. After the initiation of drag-off, the victim receiver computes a wrong position, a wrong true time, or both, but the residual pseudorange errors in its navigation solution remain small. Therefore, this type of attack is not detectable by traditional pseudorange-based RAIM calculations.

    The receiver spoofer hardware consists of a GNSS reception antenna, the receiver spoofer signal-processing unit, and the spoofer transmission antenna (Figure 8). 

    Figure 8a. Receiver/spoofer hardware: GPS reception antenna on ship’s rear upper deck.

    Figure 8b. Receiver/spoofer hardware: directional transmission antenna pointed at the ship’s GPS antenna and the detector antenna pair near the defended ship’s antenna. The orientation of the spoofing transmission antenna, combined with its remote location from the receiver/spoofer’s reception antenna, ensured that the spoofer did not self-spoof.

    Figure 8c. Receiver/spoofer hardware: spoofer electronics, located amidships.

    The receiver/spoofer requires tuning of its transmission power levels. If the power is too high, its spoofing attacks will be too obvious. A very high transmitted power could also saturate the front-end electronics of the intended victim, causing it to jam the system rather than spoof it. If transmitted power is too low, it will not capture the victim’s tracking loops, and its spoofing attack will fail. The proper power level depends on the gain patterns of the spoofer transmission antenna and the victim receiver antenna and on their relative geometry.
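    An added example, not the UT Austin receiver/spoofer or any code from the authors, that plays the overlay, power-ramp and drag-off sequence of Figure 7 against a simplified code-tracking loop. It assumes an idealized triangular code correlation function, a half-chip early-late spacing, a first-order normalized early-minus-late DLL with a gain of 0.5, no noise and no carrier loop; the spoofer’s power advantage is given in dB and converted to an amplitude ratio, and the step counts, drag distance and function names are the example’s own. Going beyond the article’s own scenario, it also runs the two failure modes the power-tuning paragraph above implies: a spoofer weaker than the true signal, and one that never overlays its code phase on the true signal.

```python
def triangle(tau_chips):
    """Idealized PRN-code autocorrelation: unit-height triangle, one chip wide on each side."""
    return max(0.0, 1.0 - abs(tau_chips))


def composite_correlation(tau, true_offset, spoof_offset, a_true, a_spoof):
    """Correlation of the receiver's code replica at offset `tau` (chips) with the sum of the
    true signal (peak at true_offset) and the spoofed signal (peak at spoof_offset).
    Amplitudes are linear, so a_spoof / a_true is the amplitude ratio (the blue curve of Figure 7)."""
    return a_true * triangle(tau - true_offset) + a_spoof * triangle(tau - spoof_offset)


def dll_step(tau_hat, true_offset, spoof_offset, a_true, a_spoof,
             el_spacing_chips=0.5, gain=0.5):
    """One update of a simplified first-order early-minus-late DLL (no loop filter, no noise).
    `tau_hat` is the prompt correlator position, i.e. the receiver's code-phase estimate;
    the early and late correlators sit half the spacing on either side (the red dots of Figure 7)."""
    half = el_spacing_chips / 2.0
    early = composite_correlation(tau_hat - half, true_offset, spoof_offset, a_true, a_spoof)
    late = composite_correlation(tau_hat + half, true_offset, spoof_offset, a_true, a_spoof)
    total = early + late
    if total <= 0.0:
        return tau_hat  # nothing in the correlator window; a real loop would flag loss of lock
    discriminator = (early - late) / total  # normalized early-minus-late
    return tau_hat - gain * discriminator   # late > early means the peak is ahead: move forward


def run_attack(power_advantage_db, initial_misalignment_chips=0.0,
               ramp_steps=200, drag_steps=1000, drag_chips=2.0):
    """Ramp-then-drag-off attack on the DLL. The receiver starts locked on the true signal at
    code offset 0. Returns (tau_hat, final_spoof_offset, true_offset), all in chips."""
    true_offset, a_true = 0.0, 1.0
    a_target = a_true * 10.0 ** (power_advantage_db / 20.0)  # power ratio -> amplitude ratio
    tau_hat = true_offset
    start_offset = true_offset + initial_misalignment_chips
    # Phase 1 (Figure 7, plots 2-3): spoofed code phase held still while its power ramps up.
    for i in range(1, ramp_steps + 1):
        a_spoof = a_target * i / ramp_steps
        tau_hat = dll_step(tau_hat, true_offset, start_offset, a_true, a_spoof)
    # Phase 2 (plots 4-5): slow pseudorange drag-off at full spoofer power.
    spoof_offset = start_offset
    for i in range(1, drag_steps + 1):
        spoof_offset = start_offset + drag_chips * i / drag_steps
        tau_hat = dll_step(tau_hat, true_offset, spoof_offset, a_true, a_target)
    return tau_hat, spoof_offset, true_offset


def captured(power_advantage_db, initial_misalignment_chips=0.0, tolerance_chips=0.05):
    """True when the DLL ends the drag-off following the spoofed peak instead of the true one."""
    tau_hat, spoof_offset, true_offset = run_attack(power_advantage_db, initial_misalignment_chips)
    return (abs(tau_hat - spoof_offset) < tolerance_chips
            and abs(tau_hat - true_offset) > tolerance_chips)


if __name__ == "__main__":
    for db, mis in [(10.0, 0.0), (-3.0, 0.0), (10.0, 1.5)]:
        print(f"advantage {db:+.1f} dB, initial misalignment {mis} chips -> captured: {captured(db, mis)}")
```

    The code-phase estimate follows the spoofed peak only when the spoofer is both stronger and initially aligned. In the weak case the composite correlation keeps its global maximum on the true peak, the loop is pulled toward the spoofed peak only while that peak is inside the correlator window, and it settles back on the true signal once the spoofed peak has moved away. In the misaligned case the spoofed triangle never enters the window, so the loop never sees it at all, which is why the attack has to start by overlaying the true signal.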

    Attack Test Scenarios. Three sets of tests were conducted to develop and evaluate the spoofing detection system. The first tests started by recording wideband RF GPS L1 data using USRPs. These data were post-processed in two software receivers that recorded the outputs of their signal tracking loops. Afterwards, the Matlab spoofing detection calculations were run using the recorded tracking loop data as inputs. These preliminary tests at Cornell and Austin proved the efficacy of the spoofing detection algorithms. They did not, however, test system performance during the transition from non-spoofed to spoofed signals that takes place at the initiation of a spoofing attack.

    The second set of tests was carried out using the first real-time version of the system, after the Matlab spoofing detection calculations were repackaged into a tic function and linked to the C++ real-time software receivers. This set of tests also was unable to probe the system’s performance at the onset of a spoofing attack, before the signal drag-off.

    The final set of tests was conducted aboard the White Rose of Drachs in the Mediterranean’s international waters. 

    The power adjustment tests on June 27 needed a means to decide whether a given attack had captured the tracking loops of the ship’s GPS receiver. The strategy for confirming capture was to perform a noticeable drag-off after the initial attack. We settled on a vertical drag-off as providing the most obvious indication of a successful capture. Successful attacks dragged the receiver’s reported altitude as high as 5,000 meters.

    The tests that evaluated spoofer and spoofing detector antenna placements relative to the ship’s GPS antenna were also important to achieving sensible results. Various placements were tried. The most successful relative geometry is depicted in Figure 8.

    The placement of the detector antennas relative to the defended antenna is atypical of likely real-world detection scenarios. It is expected that a real-world spoofing detector will be integral with the defended GNSS receiver.

    The culminating live-signal attack involved a 50-minute spoofing scenario in which the attacker took the ship — apparently — from the Adriatic to the coast off of Libya. The scenario’s long distance and short duration required a mid-course speed in excess of 900 knots. This spoofing scenario was designed in the simplest possible way, by taking a straight-line course in WGS-84 Cartesian coordinates from the true location to the spoofed location off of Libya. This course took the spoofed yacht position across the Italian and Sicilian land masses and below the Earth’s surface to a maximum depth of more than 23 kilometers.

    Obviously, the White Rose was physically unable to execute this maneuver. Its crew would not have needed spoofing detection to realize that its GPS receiver was returning false readings. The main points of this last test were to dramatize the potential errors that can be caused by a spoofer and to check whether the spoofing detector could continue to function under these drastic conditions.

    Figure 9 highlights this unusual scenario with two displays from the ship’s bridge, photographed during the attack. The GPS display shows the speed, 621 kn (knots), and the altitude, 7376 m. The chart display shows the yacht on (or rather, below) dry land and halfway across the “insole” of Italy’s boot. It also shows a tremendously long velocity vector, extending beyond the chart.

    Figure 9. The ship’s bridge GPS receiver display (9a) and its GPS-driven chart (9b), photographed at two separate times during the Libya spoofing scenario.

    Spoofing Detection Test Results

    Various signal output time histories (Figure 10) illustrate the attack sequence and suggest means to evaluate the spoofing detection system. The upper panel plots the fractional portions of the two-antenna spoofing detector’s single-differenced beat carrier-phase time histories, Δϕ_1^BA, …, Δϕ_L^BA, for the L = 7 tracked PRN numbers 16, 18, 21, 22, 27, 29, and 31. The middle panel plots the amplitude time history of the 100 Hz prompt [I;Q] accumulation vector for PRN 16, as received at Antenna A of the detection system. The bottom panel plots the PRN 16 carrier Doppler shift time history.

    Figure 10. Indicators of initial capture and drag-off during Libya spoofing attack, as measured by the spoofing detection receiver.

    This was a strong attack in which the spoofer power was 10.7 dB higher than the power of the real signal for PRN 16. The other spoofed signals had power advantages over their corresponding true signals that ranged from 3.3 dB to 13.6 dB, and the spoofer’s mean power advantage was 10.4 dB. Therefore, the onset of the spoofing attack at 196.1 sec is clearly indicated by the sudden jump in (I² + Q²)^0.5 on the middle panel. The upper panel shows a corresponding sudden coalescing of the single-differenced beat carrier phases, which implies that the spoofing detection algorithm should have been able to detect this attack.

    The spoofer drag-off started at 321.5 sec, as evidenced by the sudden change in the slope of the carrier Doppler shift time history on the lower panel. The period after the initial attack and before the drag-off is delimited by the vertical magenta and cyan dash-dotted lines. During this interval the spoofer waited to capture the receiver’s tracking loops.

    The single-differenced phase time histories in the upper plot appear somewhat noisier during the interim pre-drag-off period of the attack than after the start of the drag-off at 321.5 sec. The grey dotted curve for PRN 27 is an exception because it becomes noisy again starting at about 450 sec due to decreased signal power. The increased noisiness of the differential phase time histories during the interim period is probably the result of interference between the true and spoofed signals, which are likely beating slowly against each other. The response of the spoofing detection algorithm during this phase is uncertain because this multipath-like beating between the two signals is not modeled.

    Figure 11 demonstrates performance of the spoofing detection algorithm for the Libya attack scenario. The upper panel of the figure is a repeat of the upper panel of the single-differenced beat carrier-phase time histories from Figure 10, except that they are plotted for a longer duration. The lower panel shows the γ(t) spoofing detection statistic time history. It plots the same information that appeared in the upper left panel of Figure 6 during the corresponding real-time detection tests. At 196 sec γ(t) is clearly above the blue dash-dotted spoofing detection threshold γth. At 196.4 sec it is clearly below γth, which indicates a spoofing detection. It remains below γth for the duration of the attack. In this reprocessed version of the detection calculations, γ(t) has been updated at 5 Hz. Therefore, the earliest possible detection point would have been 196.2 sec, which is 0.1 sec after the onset of the attack. This point corresponds to the green dot in the lower panel of Figure 11 that lies slightly above the blue dash-dotted γth line. Theoretically, the system might have detected the attack at this time, but the finite bandwidth of the two receivers’ PLLs caused lags in the transitions of the single-differenced phases in the top plot, which led to the 0.3 sec lag in the detection of the attack. It is encouraging, however, that the spoofing detector worked well during the initial pre-drag-off phase of the attack, from 196.1 to 321.5 sec, despite the added noisiness of the single-differenced carrier phases in the top plot, likely caused by beating between the true and spoofed signals.

    Figure 11. Single-differenced carrier-phase time histories (top plot) and corresponding spoofing detection statistic time history (bottom plot) for Libya spoofing attack scenario.

    Figure 12 plots the same quantities as in Figure 11, but for a different spoofing attack, a little less overt than the Libya attack. The power advantage of the spoofer ranged from 3.0 to 14.0 dB for the different channels, with a mean power advantage of 9.2 dB. It was detected by the system, as evidenced by the convergence of the single-differenced carrier phases at the onset of the attack at 397.5 sec. The spoofing detection statistic in the bottom panel dives near to the γth detection threshold at the onset of the attack and sometimes passes below it, but it does not stay permanently below the threshold until after the time of drag-off, after 531 sec.

    Figure 12. Single-differenced carrier phase time histories (top plot) and spoofing detection statistic time history (bottom plot) for a spoofing attack with a slightly lower power advantage than the Libya attack.

    The large oscillations of the single-differenced carrier phases during the pre-drag-off initial capture interval from 397.5 to 531 seconds are likely due to beating between the true and spoofed signals. The largest variations occur for PRNs 12 and 31, which are the ones with the lowest spoofer power advantages, 3.2 and 3.0 dB, respectively. Apparently these oscillations cause γ(t) sometimes to take on values slightly above γth during the interval 397.5 sec < t < 531 sec. Thus, the spoofing detector can experience problems in the initial phases of an attack.

    Note that the spoofer failed to capture the tracking loops of the ship’s GPS receiver. This is surprising, given the average spoofer power advantage of 9.2 dB above the true signals. We conjecture that the ship’s GPS antenna had lower gain in the low-elevation direction toward the spoofer transmission antenna than did the detector’s antennas. A lower gain would reduce the spoofer power advantage in the ship’s receiver and could explain why the spoofer failed to deceive it.

    Many additional spoofing attacks were carried out aboard the ship. The spoofing detector proved finicky. It took quite some time to get the spoofing detection two-antenna system positioned in a sensible place relative to the ship’s GPS antenna so as to be sensitive to nearly the same spoofing signals. In addition, the spoofing detector’s GPS receiver tended to lose lock at the initiation of an attack, prior to signal drag-off. This was likely caused by the large power swings of the received signals due to beating of the true signals against the spoofed signals. This problem went away at higher spoofer power levels. When lock was lost, the software receiver would attempt to re-acquire the signal. Often a reacquisition would succeed only after signal drag-off by the spoofer. Typically, the spoofing detector immediately detected the attack once it had reacquired the spoofed signals that were no longer beating against the true signals due to having been dragged sufficiently far away from them, as in Figure 7. Re-analysis of the recorded data indicated that poor PLL tuning may have caused the losses of lock during the initial attacks. Spoofing detection calculations carried out on the reprocessed data have proved more reliable when implemented with a better PLL tuning. 

    Two attacks were carried out with only a subset of the visible GPS satellites being spoofed. The first involved spoofing 7 of 9 visible satellites, and the second test spoofed only 4 of 9. The spoofing detection system had trouble maintaining signal lock during the initial part of the first attack. It subsequently reacquired signals and was able to detect the attack successfully after reacquisition. The first attack also succeeded in capturing the ship receiver’s tracking loops, as evidenced by its spoofed position solution showing the yacht climbing off the sea surface. The second attack, with only four spoofed satellites, was not detected by the prototype system, but it succeeded in deceiving the ship’s GPS receiver about its altitude. This latter result indicates a need to modify the detection calculations to allow for the possibility of partial spoofing. In their current form, they assume that all signals are either spoofed or authentic. Of course, in the partial spoofing case it may also be possible to use traditional pseudorange-based RAIM techniques to detect an attack.

    Possible Future Work Directions

    The tests suggest further work on the following topics, which are discussed in more detail in the PDF paper on which this article is based:

    • Improved detection during pre-drag-off initial phase of attack;
    • Detection when only a subset of signals are spoofed;
    • Advanced RAIM techniques;
    • A real-time prototype of the switched-antenna version;
    • Detection of a spoofer that uses multiple transmission antennas;
    • Reacquisition of true signals to recover from a spoofing attack.

    Conclusions

    A new prototype GNSS spoofing detection system has been developed and tested using live-signal spoofing attacks. The system detects spoofing by using differences in signal direction-of-arrival characteristics between the spoofed and non-spoofed cases as sensed by a pair of GNSS antennas. A spoofing detection statistic has been developed that equals the difference between the optimized values of the negative-log-likelihood cost functions for two data-fitting problems. One problem fits the single-differenced beat carrier phases of multiple received signals to a spoofed model in which the fractional parts of these differences are identical (in the absence of receiver noise) because the spoofed signals all arrive from the same direction. The other problem fits the single-differenced carrier phases to a non-spoofed model. This second optimal data-fitting problem is closely related to CDGPS attitude determination. The simple difference of the two optimized cost functions equals a large positive number if there is no spoofing, but it equals a negative number if the signals are being spoofed. Monte Carlo analysis of the probability distributions of this difference under the spoofed and non-spoofed assumptions indicates that it provides a powerful spoofing detection test with a low probability of false alarm.
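The following is an added illustration of the two-model detection statistic described above and in the Figure 10 and 11 discussion; it is not the authors' code and does not reproduce their solver. It assumes a 0.5 m antenna baseline of known length, a 1-sigma phase noise of 0.02 cycles, a constructed 7-satellite sky geometry, brute-force scans in place of the paper's optimizers, and a placeholder threshold γth = 0.

```python
import numpy as np

LAMBDA_L1 = 0.19029  # GPS L1 carrier wavelength, metres
SIGMA = 0.02         # assumed 1-sigma single-differenced phase noise, cycles

def los_unit_vectors(az_el_deg):
    """Line-of-sight unit vectors (east, north, up) from azimuth/elevation in degrees."""
    az = np.radians(az_el_deg[:, 0]); el = np.radians(az_el_deg[:, 1])
    return np.column_stack([np.cos(el) * np.sin(az), np.cos(el) * np.cos(az), np.sin(el)])

def wrap(cycles):
    """Fractional part of a phase in cycles, wrapped to [-0.5, 0.5)."""
    return (cycles + 0.5) % 1.0 - 0.5

def single_differenced_phases(rhat, baseline_m, rng):
    """Constructed measurement: dphi_i^BA = r_i.b/lambda + N_i + noise.  The integer N_i is
    unknown, so only the fractional part carries direction-of-arrival information."""
    geom = rhat @ baseline_m / LAMBDA_L1
    n = rng.integers(-20, 21, size=len(geom))
    return geom + n + rng.normal(0.0, SIGMA, size=len(geom))

def cost_spoofed(dphi):
    """Spoofed model: every fractional part equals one common value beta, because all
    signals share one direction of arrival.  Negative log-likelihood minimised over beta
    by a 1-D scan (assumed stand-in for the paper's optimizer)."""
    betas = np.linspace(-0.5, 0.5, 401)
    resid = wrap(dphi[None, :] - betas[:, None])
    return np.min(np.sum(resid**2, axis=1)) / (2 * SIGMA**2)

def cost_nonspoofed(dphi, rhat, baseline_len_m):
    """Non-spoofed model: fractional parts follow r_i.b/lambda for a baseline b of known
    length (the CDGPS-attitude-like fit).  Minimised by a brute-force scan over baseline
    direction in 2-degree steps (assumed stand-in for the paper's solver)."""
    az, el = np.meshgrid(np.arange(0, 360, 2.0), np.arange(-90, 91, 2.0))
    dirs = los_unit_vectors(np.column_stack([az.ravel(), el.ravel()]))   # (M, 3)
    pred = dirs @ rhat.T * baseline_len_m / LAMBDA_L1                    # (M, L) cycles
    resid = wrap(dphi[None, :] - pred)
    return np.min(np.sum(resid**2, axis=1)) / (2 * SIGMA**2)

def gamma_statistic(dphi, rhat, baseline_len_m):
    """gamma = J_spoofed - J_nonspoofed: large positive when authentic, negative when spoofed."""
    return cost_spoofed(dphi) - cost_nonspoofed(dphi, rhat, baseline_len_m)

def simulate(seed=0, gamma_th=0.0):
    """Constructed scenario: 7 tracked satellites, authentic, then the same 7 all arriving
    from a single spoofer antenna.  gamma_th = 0 is a placeholder, not the paper's threshold."""
    rng = np.random.default_rng(seed)
    # constructed sky geometry (az, el in degrees), one row per tracked PRN
    sky = np.array([[45, 60], [120, 35], [200, 25], [280, 50],
                    [330, 70], [10, 15], [160, 80]], float)
    rhat = los_unit_vectors(sky)
    # true antenna baseline: 0.5 m pointing az 40 deg, el 0 deg (a point of the search grid)
    b_true = 0.5 * los_unit_vectors(np.array([[40.0, 0.0]]))[0]
    dphi_auth = single_differenced_phases(rhat, b_true, rng)
    # spoofed: every signal now arrives from the spoofer's antenna at az 250 deg, el 5 deg
    r_spoof = los_unit_vectors(np.array([[250.0, 5.0]]))[0]
    dphi_spoof = single_differenced_phases(np.tile(r_spoof, (len(sky), 1)), b_true, rng)
    g_auth = gamma_statistic(dphi_auth, rhat, 0.5)
    g_spoof = gamma_statistic(dphi_spoof, rhat, 0.5)
    return {"gamma_authentic": g_auth, "gamma_spoofed": g_spoof,
            "alarm_authentic": bool(g_auth < gamma_th), "alarm_spoofed": bool(g_spoof < gamma_th)}

if __name__ == "__main__":
    print(simulate())
```

The authentic case leaves the spoofed model with fractional parts spread over many tenths of a cycle, so γ is large and positive; once every signal shares the spoofer's direction, the spoofed model fits to noise level while no baseline direction can explain identical fractions for seven distinct satellite geometries, so γ turns negative.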

    A real-time version of this system has been implemented using USRPs and real-time software radio receivers, and it has been tested against live-signal spoofing attacks aboard a yacht that was cruising around Italy. Successful detections have been achieved in many spoofing attack scenarios, and detections can occur in as little as 0.4 seconds. One scenario spoofed the yacht’s GPS receiver into believing that it had veered off a northwesterly course towards Venice in the Adriatic to a southwesterly course towards the coast of Libya, and at the incredible speed of 900 knots. The spoofing detector, however, warned the crew on the bridge about the attack before the yacht’s spoofed position was 50 meters away from its true position.

    The live-signal tests revealed some challenges for this spoofing detection strategy. They occur primarily during the initial attack phase, before the spoofer has dragged the victim receiver to a wrong position or timing fix. If the spoofer power is not much larger than that of the true signals, then beating occurs between the spoofed and true signals during this initial period. This beating can cause difficulties for the receiver tracking loops, making single-differenced carrier phase unavailable. Even when single-differenced phase is available, both the spoofed and non-spoofed models of this quantity can be inadequate for purposes of designing a reliable spoofing detection test.

    This article’s new two-antenna spoofing detection system has generated promising real-time results against live-signal spoofing attacks, but further developments are needed to produce a sufficiently reliable detection system for all anticipated attack scenarios. The best defense will likely employ a multi-layered approach that uses the techniques described in this paper along with advanced RAIM techniques that detect additional signal anomalies that are characteristic of spoofing.

    Acknowledgments

    The authors (brief bios given in online version) thank the owner of the White Rose of Drachs for the loan of his vessel to conduct the live-signal GNSS spoofing detection tests reported here. The crew of the White Rose aided and supported this project in many ways.


    Red Team, White Team, Blue Team

    Background

    Before March 2013, members of the UT Radionavigation Lab and the Cornell GPS Lab didn’t know about gold-plated sinks and spiral staircases at sea. They did know something about spoofing navigation systems and detecting spoofer attacks. The UT group had hacked a helicopter drone at White Sands Missile Range in June 2012, coaxing it to dive towards the ground. The Cornell group had developed a prototype system that could reliably detect all UT Austin attacks, but it was clumsy, having an oscillating antenna and requiring hours of post-processing. 

    Andrew Schofield, master of the White Rose of Drachs, attended Todd Humphreys’ 2013 South-by-Southwest conference talk on the drone hack and challenged him to go big — bigger than a 1.3-meter drone helicopter. How about a 65-meter superyacht? The result: a summer 2013 Mediterranean cruise that produced intriguing, provocative results.

    The UT team had implemented a feedback controller for their spoofer, but they were unable to control the spoofed drone in a smooth, reliable manner. The White Rose cruise offered a chance to test a next level of sophistication: a controlled sequence of lies leading the victim on a precise course selected by the spoofer, different from the one intended by the captain.

    The UT team was able to induce inadvertent turns while the ship’s bridge thought it was steering a straight course. They could nudge the yacht onto a wrong course paralleling the desired course. The crew remained unaware of the yacht’s true course because its GPS receiver and GPS-driven charts indicated that she was on her intended route. 

    The Push for Protection

    Andrew Schofield quickly began advocating for a follow-up experiment: a UT Red Team attack against the White Rose GPS and a simultaneous Cornell Blue Team demonstration of real-time spoofing detection. 

    The Cornell Team, however, faced challenges in transitioning from its initial prototype to a more sophisticated system, one that eliminated the moving parts and that operated in real time. Team members thought they could produce the next system, but had never been quite sure they could make good on their boast. 

    Development of a second prototype system began with implementation of a new Cornell detection algorithm in Matlab. The first tests of this algorithm involved UT recording and pre-processing of transmissions in an RF chamber that housed the two antennas of Cornell’s second prototype. Cornell applied its new Matlab algorithm to these data and demonstrated off-line spoofing detection. 

    The remaining hurdle was real-time operation. The original development plan called for translation of the Matlab algorithm to C++ followed by integration with a UT Austin/Cornell real-time software radio. It would be understatement to say that this was an ambitious task for the two-month window that remained until the White Rose cruise.

    UT Ph.D. student Jahshan Bhatti steered the team around this hurdle by proposing the direct use of Cornell’s Matlab code in the real-time system. Prior to this, no one had realized that it could be practical to call Matlab from C++ in real time. Mark Psiaki packaged the Matlab spoofing detection software into a single tic function, Jahshan coded the calling C++/Matlab interface, and the team was on track to test spoofing detection in late June 2014.

    Spoofer, Detector Clash at Sea

    The White Rose would sail from southern France on June 26, setting a course around Italy to Venice. The Cornell Blue Team would have three full days in international waters to demonstrate and evaluate their real-time spoofing detection system. A Ph.D. graduate from UT’s Radionavigation Laboratory would operate the Red Team spoofer, aka the Texas Lying Machine.

    In preparation for the voyage, the two teams converged in the White Rose’s home port of Cap-d’Ail. They performed initial shake-down tests of their systems in port. They could not do full live-signal tests in Cap-d’Ail because they were still in French territorial waters. Transmission of live spoofing signals in the GPS L1 band is permitted only in international waters, and only if conducted for scientific purposes.

    The spoofing and detection tests started in earnest on the morning of June 27 off the southern coast of Italy. The White Rose had passed through the Strait of Messina between Italy and Sicily earlier that day. The initial tests were concerned with antenna geometries and spoofer power levels. Later tests concentrated on serious deception of the White Rose regarding its true course and location.

    During the tests, the UT Red Team and its spoofer were situated on the White Rose Sun Deck, above and behind the bridge. The Cornell Blue Team and its electronics were on the bridge with its two antennas on the roof. A walkie-talkie link between the teams provided coordination of detector operation with spoofing attacks along with feedback about spoofer and detector performance.

    Hijacked to Libya!

    For the final day of tests, Andrew Schofield suggested sending the spoofed White Rose to Libya as she cruised the Adriatic from Montenegro to Venice — a difference of 600 nautical miles. The target trip time of 50 minutes necessitated a peak speed over 900 knots (1,667 kilometers/hour) after factoring the need to limit initial acceleration and final deceleration; if too large, they might cause the victim receiver’s tracking loops to lose lock and, therefore, the spoofed signals.

    The Cornell and UT Austin teams programmed the spoofer for a trip to Libya, and they initiated the attack. The White Rose bridge soon became a scene of excitement. The ship started veering sharply to port, and its velocity vector lengthened until it literally went off the charts. The GPS receiver showed the ship hurrying towards Libya on a collision course with the back of Italy’s boot. The bridge’s GPS receiver displayed speeds that increased through 100 knots, 200 knots, 300 knots — for a yacht with a speed capability of about 15 knots.

    The Cornell detector issued a spoofing alert at the onset of the attack, long before the White Rose veered off course. After a few minutes, the detector’s continued successful operation became boring. Of course, boring success is better than exciting failure.

    The Cornell system had not been as successful during some of the preceding attacks, and the results from the June voyage suggested avenues for improvement. If new live-signal tests become necessary to evaluate planned improvements, the Red and Blue teams stand ready for a future superyacht cruise.

    See http://blogs.cornell.edu/yachtspoof for further details.


    Mark L. Psiaki is a Professor of Mechanical and Aerospace Engineering. He received a B.A. in Physics and M.A. and Ph.D. degrees in Mechanical and Aerospace Engineering from Princeton University. His research interests are in the areas of GNSS technology and applications, spacecraft attitude and orbit determination, and general estimation, filtering, and detection.

    Brady W. O’Hanlon is a graduate student in the School of Electrical and Computer Engineering. He received a B.S. in Electrical and Computer Engineering from Cornell University. His interests are in the areas of GNSS technology and applications, GNSS security, and space weather.

    Steven P. Powell is a Senior Engineer with the GPS and Ionospheric Studies Research Group in the Department of Electrical and Computer Engineering at Cornell University. He has M.S. and B.S. degrees in Electrical Engineering from Cornell University. He has been involved with the design, fabrication, testing, and launch activities of many scientific experiments that have flown on high altitude balloons, sounding rockets, and small satellites. He has designed ground-based and space-based custom GPS receiving systems primarily for scientific applications.

    Jahshan A. Bhatti is pursuing a Ph.D. in the Department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin, where he also received his M.S. and B.S. He is a member of the UT Radionavigation Laboratory. His research interests are in the development of small satellites, software-defined radio applications, space weather, and GNSS security and integrity.

    Todd E. Humphreys is an assistant professor in the Department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin, and Director of the UT Radionavigation Laboratory. He received a B.S. and M.S. in Electrical and Computer Engineering from Utah State University and a Ph.D. in Aerospace Engineering from Cornell University. He specializes in applying optimal estimation and signal processing techniques to problems in radionavigation. His recent focus is on radionavigation robustness and security.

    Andrew Schofield is a career Yacht Captain. After completing his degree in Applied Biology and working in the bio-science industry for a year, he left all that behind in 1991 and found a deck hand’s job on a sailing yacht in the Caribbean. Since then he has worked on various yachts in various locations. He has been Captain of the White Rose of Drachs since launch in June 2004. He is President of the Professional Yachting Association, the large yacht professional body, and focuses on the training and certification of crew. In his time at sea GPS has transformed navigation. He feels that the relevance of the work done to detect GPS spoofing cannot be overstated with regard to the safety of life at sea, and he is delighted to have facilitated the voyage during which spoofing detection was proven.