Tag: spoofing

  • Spoofing in the Black Sea: What really happened?

    We’ve heard a lot in the news recently about GPS spoofing, mostly centred on the story of ship spoofing in the Black Sea. Between June 22-24, a number of ships in the Black Sea reported anomalies with their GPS-derived position, and found themselves apparently located at an airport.

    What happened is open to educated conjecture. In this column, I’ll briefly cover the history of spoofing, its basic techniques, some spoofing tests that we conducted, and then return to the infamous Black Sea incident.

    As part of my day-to-day work in navigation warfare, I do a fair amount of work in defensive anti-spoofing. Naturally, in order to test anti-spoof technology, it is necessary to also perform spoofing. It’s a delicate subject and, as with any topic involving defense or national security or critical infrastructure, there’s a balance to strike between responsible disclosure, how much information is released into the public domain, and so on.

    In this article, I will stick firmly to information available in the public domain, lest I be accused of proliferating the threat, but this still gives us enough material to tiptoe around the subject for the benefit of our readers. I could have included more details about the spoofing attacks, but was advised to hold some back — it makes governments nervous. You can read some of the background in an excellent article by Norwegian broadcaster NRK and a Resilient Navigation and Timing Foundation press release. Similar GPS anomalies still continue to occur at various locations.

    Let’s start with basic spoofing background, and we’ll return to the Black Sea incident at the end of the article.

    A brief history of spoofing

    Spoofing isn’t a new threat — it’s been around for decades. But only in recent years has it received so much public attention. As with jamming and anti-jamming technology, and most other topics in the GPS domain, spoofing finds its roots back in the days of Cold War radar. In those times, it was often known as “deception jamming,” where you would transmit fake radar returns to paint an incorrect picture on your adversary’s radar screen.

    When GPS came along, it was understood at the time that the C/A code would be vulnerable to spoofing. It’s an open code, so anyone is free to reproduce it. That is, after all, what a GPS simulator is: a GPS spoofer. We legitimately test our GPS receivers by fooling them with fake signals from a GPS simulator.

    Of course, this is precisely why legacy GPS satellites also transmit the military P(Y)-code, and continue to do so. The P-code offers improved accuracy, and some other benefits, but more importantly, it is modulated with the W encryption sequence to give us the encrypted P(Y)-code. Ever since the anti-spoofing module was set to the “on” state, unless you have the key, you are unable to directly spoof the P(Y)-code. (You can still perform a meaconing attack, though, where you simply record the transmitted satellite signals and retransmit them again. Although this kind of attack can’t be used to impose a particular scenario on a GPS receiver, it might still cause havoc in unwary receivers).

    So, in the early days it can be argued that the spoofing threat was solved. It wasn’t until GPS became ubiquitous in the commercial and civilian domain that spoofing really raised its head again. The fact that the vast majority of GPS receivers in the world relied solely on the unencrypted C/A code became a cause for concern — especially where those GPS receivers were essential to critical infrastructure.

    The threat of GPS spoofing was discussed at many conferences and behind many closed doors and, although most people agreed that spoofing was a theoretical threat, some people argued that in reality it was “simply too hard” to conduct a realistic spoofing attack. And therefore we should not worry ourselves about it.

    It wasn’t until a couple of high-profile demonstrations were carried out by the University of Texas Radionavigation Laboratory that spoofing became front-page news once again. In 2012, the lab staff carried out an exercise at White Sands Missile Range where a GPS-guided drone was spoofed from a distance. The drone was fooled into thinking its altitude was increasing, causing it to compensate by dropping straight down. Then in 2013, the same team demonstrated how an $80 million yacht could be steered off course by means of a spoofing attack.

    These exercises publicly demonstrated that spoofing was indeed a real threat, and could be done. But many people still believed that it was very hard to build the complex equipment necessary to perform the attack, and thus spoofing was out of reach for most potential criminals or terrorists.

    Fast forward another two or three years, to when a new mobile phone game appeared. Pokemon GO became the game craze of the moment, where players would travel around the country with their phones, getting points by collecting creatures in an augmented reality world. It didn’t take long for people to dream up new ways of earning points in the game, without having to go to the effort of traveling around the world.

    What if you could make your phone think it was somewhere else, without ever having to leave your bedroom? And thus, bizarrely, it was a mobile phone game that brought GPS spoofing into the mainstream.

    The rise of the low-cost software-defined radio (SDR) has enabled “spoofing for everyone.” Today, the tool of choice for the casual user is often the HackRF or bladeRF. Couple small SDRs that cost around $200 with open-source GPS simulation software, and you have a basic spoofer. Plenty of websites detail how to perform basic spoofing, and at hacker gatherings, people can present how they spoofed a drone. These may not be the most sophisticated setups, but they’re good enough to do the job in many cases. With a better setup, which I won’t describe here, it’s possible to achieve a much more realistic attack, which will fool even the most shrewd and wary GPS receivers.

    Spoofing basics

    Let’s take a quick look at what it means to spoof GPS. A receiver searches for a satellite over a two-dimensional surface to find a correlation peak, and it must examine a range of Doppler frequencies and code offsets. An example is shown in Figure 1. Once the receiver finds the peak, the satellite is acquired, and it will then track the satellite as it moves and can demodulate the navigation data message.

    When a spoofer comes along, it tries to recreate this peak. By doing so, and usually with little more power than the real satellites, the receiver will begin to track the spoofed signal. Once the spoofed signal is being tracked, the spoofer can begin to manipulate reality by slowly modifying the properties of the signal.

    Figure 1. GPS correlation surface. (Image: Michael Jones)

    A poor spoofer doesn’t always align itself very well with reality, which essentially creates a second peak on the correlation surface. But a gullible receiver can still be fooled by this, and may lock on to false peaks.

    The reality of spoofing and anti-spoofing

    To understand the reality of spoofing and anti-spoofing, we carried out outdoor experiments at one of the Roke Manor trials areas (thanks go to my colleague Mike Wells for letting me use some of his results here).

    In the first experiment (Figure 2), we spoof a commercially available mass-market receiver. The receiver is outside, reporting its correct location at Roke Manor. When we commence the spoofing attack, we are able to take control of the receiver. Once captured, we can then make the receiver appear to follow an arbitrary course. Here we make it wander off into the forest, spelling the word “roke” as it goes.

    Figure 2. Spoofed GPS receiver appears to follow a course, whilst in reality being stationary. (Image: Michael Jones)

    In the next experiment (Figure 3), we place a conventional anti-jam antenna (a CRPA) on the receiver. What we observe, as you might expect, is that the basic CRPA offers no protection against the spoofing attack.

    Figure 3. A GPS receiver is still successfully spoofed when protected by a conventional CRPA. (Image: Michael Jones)

    Now let’s make the experiment more interesting. We’ll move away from the basic commercial receiver, and replace it with a unit that contains not only a GPS receiver, but also a 3-axis accelerometer, 3-axis gyro, 3-axis magnetometer and a barometric sensor. An Extended Kalman Filter (EKF) performs an optimal fusion of the various sensors to yield the position solution.

    The result, when we again try our spoofing attack, is shown in Figure 4. In short, the receiver is still successfully spoofed, despite the additional sensor inputs it offers.

    Figure 4. A GPS receiver with integrated inertial sensors is still spoofed. (Image: Michael Jones)

    Before everyone gets too depressed by the ease with which GNSS, and even GNSS fused with other sensors, can be spoofed, there are answers to this problem. Some decent, modern GNSS receivers contain a whole host of algorithms for detecting and ignoring spoof signals. The issue is that many legacy receivers are still in the field, and these can be extremely vulnerable indeed.

    Another option is to use a more advanced CRPA, which offers anti-spoof capabilities. These adaptive antennas are able to correlate on the spoof signals, and then remove them based on direction of arrival. So, in our final experiment here, we use our commercial mass-market receiver again, and protect it with an anti-spoofing CRPA.

    The result is shown in Figure 5. You can see that the receiver is briefly spoofed, and starts to wander off course. When the anti-spoof is enabled and kicks in, the position quickly drifts back to the true location and stays there. Good job.

    Figure 5. With an anti-spoof CRPA, the GPS receiver detects the spoofer and quickly returns to its true location. (Image: Michael Jones)

    Back to the Black Sea

    Let’s finish by returning to the hot topic of the day. Did spoofing occur in the Black Sea back in June? Or was it a different form of interference? Could it have been a low-level jamming incident, causing the GPS receivers to report misleading information?

    Without resorting to SIGINT (signals intelligence) data, and basing this discussion solely on public domain information and anecdotal evidence, I would say this was almost certainly a spoofing incident. A number of factors lead to this conclusion, and I’ll share some of them.

    • Firstly, it didn’t happen to one ship – it happened to over 20 separate vessels. So it wasn’t a malfunctioning GPS unit; it was an external incident of some kind.
    • Secondly, a large number of ships in the area reported identical or very close locations. This is a symptom of a large-scale spoofing attack. If it was a low-level jamming attack, then any misleading positions reported by vessels would typically have some randomness to them.
    • Thirdly, ships reported that their positions would periodically “jump” from the true location to the incorrect location. Again, this is very typical behavior in some spoofing experiments: For various reasons, GPS receivers may temporarily lose lock on a spoof set of satellites, and then reacquire the real ones, and vice versa. This causes the characteristic random flipping between two well-defined locations.
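    The second and third indicators above can be checked mechanically over a feed of vessel position reports. The following is an added example, not code from the column or its author: the report format, vessel IDs, coordinates, speed limit and cluster radius are all constructed assumptions.

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0
KNOT_KMH = 1.852

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two fixes, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

# Constructed sample reports: (vessel id, seconds since start, lat, lon).
# A, B and C intermittently report the same constructed false fix near
# (44.5000, 38.2000); D is unaffected.
REPORTS = [
    ("A", 0, 44.2333, 37.7183), ("A", 60, 44.2335, 37.7190),
    ("A", 120, 44.5000, 38.2000), ("A", 180, 44.5000, 38.2000),
    ("A", 240, 44.2340, 37.7205),
    ("B", 0, 44.3000, 37.6000), ("B", 60, 44.3003, 37.6006),
    ("B", 120, 44.5001, 38.2001), ("B", 180, 44.5001, 38.2001),
    ("C", 0, 44.1500, 37.8500), ("C", 60, 44.5000, 38.1999),
    ("C", 120, 44.1504, 37.8507), ("C", 180, 44.5000, 38.1999),
    ("D", 0, 44.0000, 37.0000), ("D", 60, 44.0003, 37.0005),
    ("D", 120, 44.0006, 37.0010),
]

def find_jumps(reports, max_speed_kn=40.0):
    """Flag consecutive fixes whose implied speed is impossible for a ship."""
    by_vessel = defaultdict(list)
    for vessel, t, lat, lon in reports:
        by_vessel[vessel].append((t, lat, lon))
    jumps = []
    for vessel in sorted(by_vessel):
        track = sorted(by_vessel[vessel])
        for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
            if t1 <= t0:
                continue  # duplicate or out-of-order timestamp
            hours = (t1 - t0) / 3600.0
            speed_kn = haversine_km(la0, lo0, la1, lo1) / hours / KNOT_KMH
            if speed_kn > max_speed_kn:
                jumps.append({"vessel": vessel, "t": t1, "lat": la1,
                              "lon": lo1, "speed_kn": speed_kn})
    return jumps

def shared_jump_targets(jumps, radius_km=0.5, min_vessels=3):
    """Group jump destinations; several ships landing on one spot is the
    'identical or very close locations' symptom. Jumps back to each ship's
    own true position do not cluster, so they drop out here."""
    clusters = []
    for j in jumps:
        for c in clusters:
            if haversine_km(c["lat"], c["lon"], j["lat"], j["lon"]) <= radius_km:
                c["vessels"].add(j["vessel"])
                break
        else:
            clusters.append({"lat": j["lat"], "lon": j["lon"],
                             "vessels": {j["vessel"]}})
    return [{"lat": c["lat"], "lon": c["lon"], "vessels": sorted(c["vessels"])}
            for c in clusters if len(c["vessels"]) >= min_vessels]

def assess(reports):
    """Summarise both indicators for an analyst."""
    jumps = find_jumps(reports)
    per_vessel = defaultdict(int)
    for j in jumps:
        per_vessel[j["vessel"]] += 1
    return {
        "shared_false_fixes": shared_jump_targets(jumps),
        # two or more jumps means the fix flipped away and back at least once
        "flipping_vessels": sorted(v for v, n in per_vessel.items() if n >= 2),
    }

if __name__ == "__main__":
    print(assess(REPORTS))
```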

    If we accept that a GPS spoofing attack did occur, it brings us to the million-dollar question.

    Who did the spoofing, and why?

    What I’ll do here is a bit of a lightweight analysis exercise using public information and basic physics, and you can formulate your own conclusions.

    Let’s start by placing a ship, located in the Black Sea at 44°14.0’N 037°43.1’E, which is the actual position of one of the reported spoofed vessels. For this example, I have placed a representative GPS antenna on the ship’s mast, with its antenna pattern shown.

    Figure 6. Victim ship in the Black Sea, with GPS antenna pattern shown. (Image: Michael Jones)

    To get a rough handle on the scenario, consider the possible propagation of the spoofing signal. As a first-order approximation, let’s assume a standard 4/3 Earth refraction model, with obstruction by terrain. That’s a reasonable assumption at this frequency: Any obscuration by terrain will block the spoof signal. Let’s also initially assume that our GPS antenna on the ship is mounted 38 meters above sea level, and our spoofing equipment is mounted on a mast 20 meters above ground. From this information, we can plot a map of possible spoofer locations for this particular incident (Figure 7).

    Figure 7. Possible spoofing source locations. (Image: Michael Jones)

    The first thing we might conclude from this is that the spoofing indeed originates from Russian territory, close to the Black Sea coast. To spoof the ship from further afield would require a much higher antenna, or even an airborne antenna. Which, of course, is possible, but then we would also expect vessels over a much wider area to report interference.
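    The line-of-sight reasoning above can be reproduced with the 4/3 Earth model and the two antenna heights given in the text, which is how an investigator bounds the search area for an interference source. This is an added example, not the author's tool: it assumes the mast stands at sea level, uses the parabolic Earth-bulge approximation, and the path profiles (including the 150 m ridge) are constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius
K_FACTOR = 4.0 / 3.0           # standard 4/3 effective-Earth refraction model
TWO_KR = 2.0 * K_FACTOR * EARTH_RADIUS_M

SHIP_ANT_M = 38.0   # receiver antenna height from the text
MAST_ANT_M = 20.0   # mast height from the text; base assumed at sea level

def horizon_km(height_m):
    """Distance to the radio horizon for an antenna height_m above sea level."""
    return math.sqrt(TWO_KR * height_m) / 1000.0

def max_los_range_km(rx_height_m, tx_height_m):
    """Longest smooth-Earth path on which both antennas still see each other."""
    return horizon_km(rx_height_m) + horizon_km(tx_height_m)

def min_tx_height_m(range_km, rx_height_m):
    """Source height needed to reach a receiver range_km away over open sea."""
    beyond_m = (range_km - horizon_km(rx_height_m)) * 1000.0
    return 0.0 if beyond_m <= 0 else beyond_m ** 2 / TWO_KR

def los_clearance_m(path_km, rx_height_m, tx_height_m, profile):
    """Worst-case clearance of the direct ray over a path profile.

    profile is a list of (distance from receiver in km, terrain height in m).
    The effective-Earth bulge is added to the terrain at each point; a
    negative result means the path is obstructed.
    """
    worst = math.inf
    for d_km, terrain_m in profile:
        ray_m = rx_height_m + (tx_height_m - rx_height_m) * d_km / path_km
        bulge_m = (d_km * 1000.0) * ((path_km - d_km) * 1000.0) / TWO_KR
        worst = min(worst, ray_m - (terrain_m + bulge_m))
    return worst

def sea_profile(path_km, step_km=1.0):
    """Constructed open-water profile: sea level sampled every step_km."""
    return [(i * step_km, 0.0) for i in range(1, int(path_km / step_km))]

def demo():
    # Constructed variant of the 40 km path with a 150 m ridge at 35 km.
    ridge = [(d, 150.0 if d == 35.0 else h) for d, h in sea_profile(40.0)]
    return {
        "max_range_km": max_los_range_km(SHIP_ANT_M, MAST_ANT_M),
        "height_for_100_km_m": min_tx_height_m(100.0, SHIP_ANT_M),
        "height_for_200_km_m": min_tx_height_m(200.0, SHIP_ANT_M),
        "sea_40_km_clearance_m": los_clearance_m(
            40.0, SHIP_ANT_M, MAST_ANT_M, sea_profile(40.0)),
        "ridge_40_km_clearance_m": los_clearance_m(
            40.0, SHIP_ANT_M, MAST_ANT_M, ridge),
        "sea_60_km_clearance_m": los_clearance_m(
            60.0, SHIP_ANT_M, MAST_ANT_M, sea_profile(60.0)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.1f}")
```

    With these heights the smooth-Earth limit is roughly 44 km, and the required source height grows with the square of the extra distance, which is why a source much further away implies a very tall or airborne antenna.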

    To me, it’s fairly conclusive that spoof GPS signals are being transmitted from this area, to make GPS receivers in the area think they are at an airport. The final question is: “Why would someone do this?” To answer this question, we must resort to educated speculation. Why would you want to spoof GPS receivers into thinking they are at an airport?

    There’s one explanation that fits very nicely: drone defense. Many drones, especially those operated by casual users, have geofencing rules that prevent flights over airports and other restricted areas. So, if you were trying to perform aerial surveillance of the Russian border, your drone may suddenly think it was over an airport, and take action accordingly. The action taken depends, of course, on how the drone is programmed, but often includes “land immediately” or “return to launch point.” Certainly some of the drones we operate will immediately attempt to land if they find themselves in restricted airspace.

    So if your drones are falling into the sea, you now have one idea why.

  • Microsemi’s BlueSky GPS Firewall protects critical infrastructure

    Microsemi Corporation, a provider of semiconductor solutions, today announced its new approach to protecting critical infrastructure against GPS spoofing and jamming threats.

    The BlueSky GPS Firewall is designed to provide security protection for GPS-delivered position, navigation and timing (PNT) data. It can be deployed in-line between any standard GPS antenna and stationary GPS receiver to provide protection against GPS signal incidents, whether intentional or accidental, before they enter a GPS receiver system.

    Microsemi is making BlueSky GPS Firewall Evaluation kits available in advance of its full production release, both in response to the growing number of GPS incidents and their potential threat to critical infrastructure, and to assist customers in rapid adoption.

    BlueSky GPS Firewall filters the GPS signal in real time, removing anomalies before the signal is consumed by the downstream GPS receiver. This creates an intelligent and secure barrier against jamming and spoofing, and prevents the GPS receiver from being impacted by such incidents.

    Deployment of the BlueSky GPS Firewall does not require any new cabling or alteration of the pre-existing antenna installation and is interoperable with standard GPS receivers. Additionally, the BlueSky GPS Firewall incorporates an Ethernet interface for remote management and monitoring and includes a secure web interface that any browser can use for configuration and set-up of the device.

    The BlueSky GPS Firewall includes a broad range of data validation rules based on real, live-sky GPS threats, both intentional and unintentional. Similar to network security threats, new GPS vulnerabilities are on the rise and Microsemi is continuously tracking GPS signal manipulation including spoofing threats, jamming attacks, multipath signal interference, atmospheric activity and many other issues that can create GPS signal anomalies, disruptions and outages.

    These advancements are incorporated into the software platform of the BlueSky GPS Firewall, which can be updated remotely using Microsemi’s TimePictra management system.

    GPS Dependency

    The dependency on PNT is increasingly important to critical infrastructure sectors such as telecommunications, energy, transportation, emergency services, financial services and enterprise infrastructure, and is mainly provided through GPS.

    “Worldwide critical infrastructure dependency on unprotected GPS receivers is a serious security risk. These receivers are susceptible to jamming and spoofing incidents and the industry recognizes this as an increasing threat,” said Randy Brudzinski, vice president and business unit manager of Microsemi’s Frequency and Time division. “The vast number of GPS systems already in operation means a significant investment would be required if every system was to be replaced. Microsemi’s BlueSky GPS Firewall is a cost-effective and easy-to-deploy solution to protect GPS without requiring replacement of deployed GPS systems.”

    Published best-practice documents by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) describe steps that can be taken to mitigate outages and disruptions with GPS reception. In alignment with these documents, Microsemi’s new BlueSky GPS Firewall provides critical infrastructure sectors with a first line of defense against GPS threats to help build out a secure, robust and resilient PNT platform for their infrastructures.

    According to the 2017 GNSS Market Report, Issue 5, by the European GNSS Agency, professional market segments such as maritime, rail, telecom/utility/enterprise, surveying, aviation, agriculture and drones which use GNSS devices to operate their infrastructures, enable billions of people globally to benefit from them on a day-to-day basis—whether by enjoying the produce of sustainable and cost-effective agriculture, by using efficiently coordinated transport networks, or by leveraging on GNSS-synchronized telecommunications networks. The total installed base of GNSS devices in these professional segments was estimated at 14.4 million units in 2015 and is expected to grow to 97.8 million units by 2025.

  • Expert Opinion: Spoofing attack reveals GPS vulnerability

    Dana Goward
    President, Resilient Navigation and Timing (RNT) Foundation

    An apparent mass GPS spoofing attack in June involved more than 20 vessels in the Black Sea and suggests that Russia may be aggressively experimenting with signal disruption and spurious substitution.

    On June 22, a vessel reported to the U.S. Coast Guard Navigation Center:

    “GPS equipment unable to obtain GPS signal intermittently since nearing coast of Novorossiysk, Russia. Now displays HDOP 0.8 accuracy within 100m, but given location is actually 25 nautical miles off…”

    Subsequent dialog with the ship’s master and examination of various documents and screen grabs he furnished enabled navigation experts to conclude this was a fairly clear case of spoofing: sending false signals to cause a receiver to provide false information. Other vessels in the vicinity experienced the same problem.

    The RNT Foundation has received numerous anecdotal reports of maritime problems with the automatic identification system (AIS), a tracking system used for collision avoidance on ships, and with GPS in Russian waters, though this is the first well-documented public account.

    Russia has very advanced capabilities to disrupt GPS. More than 250,000 cell towers in Russia have been equipped with GPS jamming devices as a defense against attack by U.S. missiles. And there have been press reports of Russian GPS jamming in both Moscow and the Ukraine. In fact, Russia has boasted that its capabilities “make aircraft carriers useless.”

    The U.S. director of National Intelligence issued a report on May 11 that states that Russia and other actors are focusing on improving their capability to jam U.S. satellite systems.

    Assuming Russia is behind this, why would they do such a thing? Possibly to encourage use of GLONASS or their terrestrial loran system, Chayka, instead of GPS. Possibly for some security reason known only to them.

    Whatever the reason, it reminds us of the vulnerability of GPS signals, and of the plethora of motives that “bad actors” — governmental or private criminal interests — may have to disrupt and deceive GNSS users.

    And of the U.S. Coast Guard’s advice about GPS and all satnav: “Trust But Verify.”


    Dana Goward is president of the Resilient Navigation and Timing Foundation. He is the proprietor at Maritime Governance LLC. In August 2013, he retired from the federal Senior Executive Service, having served as the maritime navigation authority for the United States. As director of Marine Transportation Systems for the U.S. Coast Guard, he led 12 different navigation-related business lines budgeted at more than $1.3 billion per year. He has represented the U.S. at IMO, IALA, the UN anti-piracy working group and other international forums. A licensed helicopter and fixed-wing pilot, he has also served as a navigator at sea and is a retired Coast Guard Captain.

  • Spirent helps civil aviation industry respond to GNSS interference threats

    Spirent Communications plc is offering a solution that enables the civil aviation industry to evaluate the growing threat of GNSS interference, jamming and spoofing.

    The new GSS200D Interference Detector was developed as part of Spirent’s partnership with Nottingham Scientific Limited.

    Spirent’s GSS200D interference detector.

    As skies and airports become more congested, there is increasing pressure on airports to be safely accessible at all times — which cannot be achieved by relying solely on non-precision approaches with high minimums or on today’s expensive and rigid ground-based infrastructure such as ILS (Instrument Landing Systems).

    Ground-Based Augmentation System (GBAS) and instrument approach procedures based on Satellite Based Augmentation Systems (SBAS), such as Localizer Performance with Vertical Guidance (LPV) and Required Navigation Performance (RNP), provide Air Traffic Management with flexible, cost-effective alternatives while providing equivalent operational performance.

    For example, the European Geostationary Navigation Overlay Service (EGNOS) launched the LPV-200 service in Europe that enables aircraft approaches without the need for visual contact with the ground until a height of only 200ft. above the runway.

    With this service, accessibility, sustainability, efficiency and safety of the landing are greatly improved, especially in bad weather conditions.

    Spirent’s new GSS200D solution monitors the radio bands used by EGNOS, as well as other GNSS augmentation systems such as the Wide Area Augmentation System (WAAS) or the GPS Aided Geo Augmented Navigation system (GAGAN), to ensure awareness of interference that could compromise positioning information.

    Since local interference near the runway in the GNSS bands could degrade position accuracy or lead to a total loss of the navigation service, it is critical to continuously monitor and understand the RF environment and level of interference around airports.

    The GSS200D collects quantitative data on interference allowing assessment of the risks, so that robust mitigation plans can be created. The new Spirent solution has been trialed at a number of European airports, and has collected numerous interference signatures from both unintentional man-made interference and intentional jamming.

    “As more airports begin to use GNSS-based instrument approach procedures, they need to know what could be affecting their GNSS signals,” said Martin Foulger, general manager of Spirent’s positioning business. “With this latest solution we can detect interference in the key radio bands, based on levels defined by the United Nations International Civil Aviation Organization and European Organisation for Civil Aviation Equipment. This enables the aviation industry to gain a much better understanding of the electronic environment, helping to avoid dangerous situations going forward.”

    For more information on Spirent’s GNSS testing solutions, visit the website. To learn how to test receivers of GPS, Galileo and other GNSS, download Spirent’s latest eBook.

  • Continental Electronics patents new eLoran transmit method, system

    Photo: Continental Electronics

    Texas company Continental Electronics has patented a transmitter system and method for construction of low-frequency antenna towers significantly lower in height than previously needed for identical coverage.

    “One obstacle to deploying eLoran systems has been the sheer height needed for the transmission towers, each of which requires significant acreage,” said Mike Rosso, vice president of Dallas-based Continental Electronics. “Tower height and land required not only represent serious financial costs, but in some cases adequate space is simply not available. Our technology can reduce tower height and real-estate requirements. With this, reducing antenna tower height by half would reduce required land area to one quarter.”

    The method uses digital adaptive correction, solid-state amplifiers, envelope modulation and a wideband matching network. Any linear distortions within usable bandwidth are removed by digital adaptive correction, according to the company. Envelope modulation is required to achieve linearization for any signal type including Loran. A wideband matching network tunes out capacitive reactance from electrically short antennas, transforms impedance to a value suitable for the transmitter, increases usable bandwidth and suppresses harmonics and out-of-band emissions.

    “We hope this will aid moving forward eLoran deployments around the world,” Rosso added. “Widely used satellite-based navigation and timing services are vulnerable to jamming, spoofing and other forms of interference. The world needs a more resilient solution as afforded by ground-based solutions such as eLoran.”

  • Friday is deadline for GPS OEMs to join live-sky spoofing event

    Friday is the deadline for GPS manufacturers to apply to test their equipment at a special event with live-sky test scenarios focused on spoofed GPS signals.

    The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) is offering an opportunity for manufacturers of GPS equipment used in critical infrastructure to test their products against GPS jamming and spoofing.

    The GPS Testing for Critical Infrastructure (GET-CI) event, set for April 17-21 at the Muscatatuck Urban Training Center in Butlerville, Indiana, is the first in a series of test opportunities.

    “Accurate and precise position, navigation, and timing (PNT) information is vital to the nation’s critical infrastructure,” said Robert Griffin, acting DHS under secretary for Science and Technology. “S&T has established this program to assess GPS vulnerabilities, advance research and development, and to enhance outreach and engagement with industry. The objective is to improve the security and resiliency of critical infrastructure.”

    The GET-CI events provide industry an opportunity to test GPS equipment in unique live-sky environments. For the April event, DHS S&T will be creating live-sky test scenarios focused on spoofed GPS signals.

    DHS S&T invites manufacturers of commercial GPS receivers and equipment used in critical infrastructure to submit applications for participation. For submission instructions and further information, see the Request for Information for Participation (RFIP) announcement on FedBizOpps.

    Interested organizations should submit their applications for participation by March 3.

    Email [email protected] with questions about the event and how to participate.

  • Research Online: Narrowband interference mitigation, spoofing interference classification

    Spectrum of the Adaptive Notch Filter output signal for various interference levels

    Limits of narrowband interference mitigation using adaptive notch filters

    By J. Wendel, Frank M. Schubert, Airbus DS GmbH, and A. Rügamer and S. Taschke, Fraunhofer IIS.
    Presented at ION GNSS+, September 2016.

    The robustness of a GNSS receiver against interferences can be increased significantly by using an adaptive notch filter, which estimates the instantaneous frequency of the interfering signal and suppresses it. In this paper, the foundations of adaptive notch filtering are described. Then, experiments are performed with an arbitrary waveform generator for jamming signal generation combined with a space segment simulator for GNSS signal generation. The resulting signals are recorded and post-processed in a software GNSS receiver, which implements an adaptive notch filter for interference mitigation. This setup is used to demonstrate mechanisms that limit the interference mitigation capabilities of adaptive notch filters.

    Spoofing, jamming and multipath interference classification using a maximum-likelihood multi-tap multipath estimator

    By Jason N. Gross, West Virginia University and Todd E. Humphreys, University of Texas at Austin.
    Presented at ION ITM, January 2017.

    This paper experimentally evaluates the application of existing multipath mitigation technology in conjunction with in-band power monitoring for the purpose of GNSS interference classification. Interference detection and classification metrics derived from the output of a multiple-correlation tap, maximum-likelihood multipath estimator are jointly used for alarming the presence of GNSS spoofing, jamming or multipath. This approach is evaluated against a dozen sets of deep urban multipath recordings, several recordings of wideband jammers at several different power levels, and clean static data recordings. Two detection approaches are proposed, and one is shown to be better at discriminating between spoofing and jamming attacks.

  • PNT Roundup: Iridium constellation provides low-Earth orbit satnav service

    Iridium satellite. (Image: Iridium)

    A strategic alliance announced on Dec. 15 between Orolia and Satelles includes product development and go-to-market activities of positioning, navigation and timing (PNT) solutions provided by the Iridium satellite constellation, independent of GPS/GNSS signals. The companies intend to provide PNT solutions to military, defense, government and commercial customers worldwide.

    Orolia, the parent of GNSS-active companies Spectracom and Spectratime, among others, has formed a strategic alliance, including an equity investment, with Satelles Inc. to develop, market and sell PNT solutions based on Satelles’ satellite time and location (STL) signal technology.

    STL is a unique space-based PNT technology that provides location and timing data independent from traditional GPS and other GNSS satellite signals. By using STL, Orolia’s Spectracom and McMurdo solutions will, according to the company, be less susceptible to vulnerabilities such as spoofing, interference and jamming that are associated with GPS/GNSS.

    Based on the low-Earth orbit (LEO) Iridium satellite constellation, STL signals are up to 1,000 times stronger than GPS/GNSS; this signal strength, due in part to the constellation’s closer proximity to users, helps to prevent jamming and enables signal reach into buildings and other difficult locations. STL’s additional cryptographic security also ensures performance, productivity and security.

    For further background on Iridium, see GPS World’s June 2016 Defense PNT column, “Iridium and GPS revisited: A new PNT solution on the horizon?” Projected applications and use cases include energy/utility grids, enterprise data networks including financial systems, maritime/aviation navigation, fleet/asset tracking management, search and rescue, and data center management.

    Many highly sensitive military, defense, government and commercial applications and operations require accurate and reliable PNT data. Today, these applications rely on signals from GPS/GNSS satellites. There are instances, however, where GPS/GNSS signal strength and security are not sufficient and prone to signal disruption. For these cases, the companies jointly state, STL can be used as a secure signal of opportunity to complement GPS/GNSS, making the applications more accurate and secure, and less prone to interference and attack.

    “There is a growing need for precise and robust positioning, navigation and timing information especially in business-critical, high-risk and life-saving operations,” said Jean-Yves Courtois, Orolia CEO. “By augmenting Orolia’s GPS/GNSS-based solutions with Satelles’ STL technology, we will have the industry’s first essentially fail-safe, resilient PNT solution. This breakthrough offering will be ideal for mission-critical applications in which the smallest discrepancy in PNT data accuracy, availability and stability can produce a network outage, a system crash or a loss of life.”

    Signal strength, availability

    The technical advantages provided by adding ranging satellites in low-Earth orbit (LEO) to the GNSS satellites in medium-Earth orbit (MEO) were explored in a 2012 Institute of Navigation paper by Per Enge, Bert Ferrell, David Whelan, Greg Gutt and David Lawrence. GPS World plans to publish an updated version of that paper, with key new material on current STL performance statistics, in an upcoming issue.

    Briefly, the paper concluded that “Due to their proximity, signals received from LEO are approximately 30 dB stronger than the signals from MEO. Indeed, we show data collected inside an industrial-strength metal storage container. The power of a LEO signal received inside the container is approximately equal to the power of a GPS signal received under the open sky. On the other hand, LEO proximity also dictates that only a few Iridium satellites are in view of the ground-based user. We show typical examples where six to 11 GPS satellites are joined by one or two LEO satellites.”

    The authors then examine the effect of the swift mean motion of LEO satellites, analyzing the ability to whiten multipath based on the rapid motion of the line-of-sight vectors from the user to the LEO satellites. In sharp contrast to MEO, the LEO satellites attenuate errors due to multipath solely based on satellite motion, and do not require user motion. They also analyze Doppler-based positioning using the rapid mean motion of the LEO satellites. The Doppler shift projects onto the line-of-sight vectors from the user to the LEO satellites. Over 100 or 200 seconds, this projection is a sharp function of the user location, and this connection enables Doppler-based positioning similar to the Transit satellite system. The authors’ analysis shows that position accuracies of 5 meters can be based on noncoherent code tracking of the LEO plus GPS signals.

    This paper also discusses the broadcast of UTC time to sites with known locations, describing experimental results with absolute time accuracies of one microsecond. The broadcast of high-accuracy frequency from LEO would enable a high-accuracy hot clock to replace the relatively low-quality oscillator in GNSS receivers, allowing longer coherent and non-coherent averaging times and improving the sensitivity of GNSS receivers by several decibels. Many other navigation applications would benefit from one LEO satellite in view, the authors assert.

    Market view from operator’s CEO

    “We are a manufacturer and integrator of timing equipment,” Orolia CEO Jean-Yves Courtois told GPS World. Orolia is the parent company of GPS/GNSS product and service providers Spectracom, McMurdo and Spectratime. “This new STL service is not fully commercialized yet, but it’s operational and it can be tested. Receivers are available and can be integrated into our equipment.

    “The timing signal is very accurate and close enough to GPS for most timing applications, although the positioning accuracy is lower than what GPS users are accustomed to. It is an augmentation for timing primarily, and secondarily for positioning,” Courtois continued.

    “In terms of timing accuracy, it provides on the order of tenths of microseconds in accuracy, and this covers a lot of timing applications. This is an ideal timing backup or augmentation of GPS. In positioning it’s closer to 50 meters or more, much better for fixed objects than for mobile objects. The faster the vehicle, the lower the positioning accuracy. It’s not directly usable for GPS applications that require a few meters’ accuracy, but it can be associated with inertial navigation for much better results.

    “The STL signal penetrates buildings well, it has unique features, and it performs at a high level. The signal is encrypted, so you have to subscribe to a service to receive a key, allowing access to the signal. Applications are developing based on equipment that will be STL-enabled. For the user it will be transparent. The user will have a different antenna.

    “We are also active in tracking and emergency location devices, where this is also of interest. It has some authentication capability, to guarantee that the person who accesses the signal is in the location that he pretends to be.

    “For customers to be able to use this service, there is some integration work to be done, some dedicated STL receivers to integrate into our current hardware set up, and software modifications. We are ready to work with government and defense organizations and other new clients. Our basic interest is to add some robustness to our equipment for our current customers, and then of course to develop new customers worldwide.”


    Grab It’n’Go Drive-By Shopping

    Four years ago, retail giant Amazon, a leader in the elimination of human interaction, started to explore what shopping would look like if you could walk into a store, grab what you want, and leave. In early December, the company rolled out its new vision: Amazon Go.

    Currently in private beta testing in Seattle and scheduled to open to the public in early 2017, the system employs a fusion of sensor technologies including RFID to detect when a shopper takes an item from the shelf, sync the data to the shopper’s handheld device, sense when the shopper leaves the store area, then charge all collected items to the shopper’s Amazon account. No muss, no fuss.

    The company is keeping a tight lid on exactly how its system works, but earlier patent filings give some description of the confluence of sensor data.

    “In some implementations, data from other input devices may be used to assist in determining the identity of items picked and/or placed in inventory locations. For example, if it is determined that an item is placed into an inventory location, in addition to image analysis, a weight of the item may be determined based on data received from a scale, pressure sensor, load cell, etc., located at the inventory location. … By combining multiple inputs, a higher confidence score can be generated increasing the probability that the identified item matches the item actually picked from the inventory location and/or placed at the inventory location.”

  • GNSS spoofing will attain virus status, warns expert

    Figure 6. Performance of a typical spoofed case with live data: spoofing detection statistic, threshold, and related probability density functions.

    As manufacturers convert machines and appliances into remotely controllable objects (the Internet of Things), the potential for spoofing expands, perhaps exponentially. Hackers could interfere with the data supplied to autonomous cars or trucks, remotely forcing them to crash.

    Although the dangers of GPS spoofing have been pointedly discussed in many technical papers and articles in GPS World since the early 2000s, manufacturers have not devoted much attention to them because there weren’t many devices making use of location-based technologies, according to associate professor Dinesh Manandhar of the University of Tokyo.

    With the proliferation of GPS-capable smartphones and other networked devices, “anyone can become a target of the attack,” Manandhar told the Japan Times in a recent interview.

    “Too many things today use GPS as a reliable source of location information,” Manandhar said. “People trust the location information from GPS satellites like God. When PCs became common for many people, the sudden outbreak of computer viruses became an issue around the world, and anti-virus software became an essential tool for everyone to protect their data,” he added. “The same thing is now happening around GPS. We need a system to fight back against the risk.”

    Manandhar cited some possible examples of spoofing, both by consumers — “You can falsify your smartphone’s information and make it look like you are going back and forth between Tokyo and Hawaii within just three minutes,” and by sophisticated criminals. “Let’s say I were a top manager of a major bank. I could access all the information while sitting at my desk, but I wouldn’t be able to access it from the room next to it. But people could get access to such information if they disguised the location information received by computer.”

    Manandhar and many other researchers around the world are developing and testing anti-spoofing techniques, but it is a long step from demonstrated results to integration into products reaching market. “The products we are designing today are ones that we will use five years later. So we must assume the possible risks and prepare for the threats that might jeopardize our society in the future.”

    Manandhar co-authored the article “Opening Up Indoors: Japan’s Indoor Messaging System, IMES” in the May 2011 issue of GPS World. The graphic heading this news story is drawn from “GNSS Spoofing Detection: Correlating Carrier Phase with Rapid Antenna Motion,” the Innovation column in the June 2013 issue.

  • Poll: Experiences with jamming, spoofing and RF interference

    Not with Purple Haze, but with signal interference — although, come to think of it, the two may be not unalike, phenomenologically.

    The October reader’s poll asked “Have you directly experienced any of the following? Check all that apply.”

    • GPS/GNSS jamming.
    • GPS/GNSS spoofing.
    • Unintentional RF interference.
    • RF interference from unknown source; unknown whether intentional or not.
    • None of the above.
    • Other, please specify.

    The answers rather stunned me in their magnitude. To be sure, respondents were self-selected and thus not totally representative of the electorate (you) out there. People who have undergone jamming or spoofing would be much more likely to step forward and say “Yeah, here,” than those who had not would be to fill out an online form, however brief, simply to say “Nah, not me.”

    At any rate, the answers came back:

    • Jamming: 70 percent (70 percent!)
    • Spoofing: 25 percent
    • Unintentional RF interference: 55 percent
    • Unknown RF interference: 65 percent
    • None of the above: 5 percent

    Among the “other” answers we received were these:

    I’ve participated in official test activities; Incidents caused by GPS booster (low-cost repeater); We regularly see our vehicle tracking systems jammed or providing incorrect positions believed to be via organised theft using sophisticated jammers; Every time I drive past Newark, NJ on I-95; Badly installed GPS antennas, RF interference from old GPS antennas.

    Scanning the affiliations of those answering, the names of organizations actively involved in monitoring or countering jamming and spoofing rise to the top. Still, to get such overwhelming response — only one in 20 was not experienced in this realm — suggests time and energy invested in protections and countermeasures should be doubled, quadrupled or more. Disasters of many kinds loom.

    Speaking of disasters, and of our fondness for placing our finger on the pulse of the GNSS/PNT community, we held a mock presidential plebiscite at ION GNSS+ in September. “Who will be the best GPS president?” That is, who would be the best president for GPS, in terms of funding and support? The answers: Clinton 60 percent, Trump 34 percent. The real results may already be known by the time you read this. And, to paraphrase Gerald Ford (something I never thought I’d find myself doing), our long national nightmare may be over.

    Is it tomorrow, or just the end of time?

  • Expert Opinions: Testing and simulating against GNSS jamming, spoofing

    Q: What special considerations should be taken into account for testing and simulating against GNSS jamming and spoofing?

     

    Lou Pelosi, VP, Customer Support, Cast Navigation

    A: Current integrations of GPS include a controlled reception pattern antenna (CRPA). Testing with a standard interference or jamming source will not provide accurate results. Wavefront generator simulators are capable of outputting signals that correctly stimulate the GPS receiver’s antenna electronics. All of the signals are correctly displaced according to the antenna’s reception pattern with a jamming source that is coherent.


    Said Jackson, President, Jackson Labs Technologies

    A: Testing GNSS receiver spoofing and jamming resilience under real-life scenarios requires mixing live-sky GNSS signals with synthesized spoofed signals. This requires the spoofing signal generator to be time- and position-locked to the live-sky signal to within nanoseconds. GNSS simulators that allow nanosecond-level synchronization to live-sky signals can enable such testing. Low-cost simulators can enable testing with multiple simultaneous spoofers/jammers.


    Iurie Ilie, CTO & Co-Founder, Skydel

    A: With the sophistication of GNSS threats, simulators should be able to generate a variety of interferences and jammers that users can easily control. Also, the jammers’ characteristics (Doppler, power level, and so on) should reflect the dynamic of the vehicle and jammers. Such characteristics are almost impossible to simulate when the jamming source is not integrated with the simulator.


    Lisa Perdue, Applications Engineer, Spectracom

    A: For jamming, test for multi-frequency/constellation, accurately controlling jamming-to-signal ratios and strength levels, and simulate several types of jammers: carrier-wave, sweep, noise, FM chirp and so on. For spoofing, two synchronized simulators are best: one for the live sky and one for the spoofer. Tightly control the sync accuracy, the relative power between the two signals, and the spoofer’s estimation accuracy of the target’s position.


    Paul Crampton, Senior Systems Engineer, Spirent Federal

    A: Antenna technology, directionality and filtering have a large part to play in mitigating the impact of jamming and spoofing. Conventional laboratory receiver testing often overlooks the effect of the antenna. New approaches need to be developed to allow antenna effects to be incorporated into testing either by including the antenna to be part of the test setup or by accurately simulating the directionality/filtering capability of the antenna.


    Cyrille Gernot, GNSS Expert, Syntony GNSS

    A: Most jamming occurs due to RFI used to keep positioning unavailable. As such, typical jammers are CW or sweep-CW. Testing is then mostly a matter of proper jamming-to-signal simulation. On the contrary, spoofing aims at luring the receiver from its true position. Simulations are difficult as slowly power increasing spoofing signals must be synchronized with true received signals to take over the locked tracking loops.

  • Make it real: Developing a test framework for PNT systems and devices

    Tests of the robustness of commercial GNSS devices against threats show that different receivers behave differently in the presence of the same threat vectors. A risk-assessment framework for PNT systems can gauge real-world threat vectors, then the most appropriate and cost-effective mitigation can be selected.

    Vulnerabilities of GNSS positioning, navigation and timing are a consequence of the signals’ very low received power. These vulnerabilities include RF interference, atmospheric effects, jamming and spoofing. All cases should be tested for all GNSS equipment, not solely those whose applications or cargoes might draw criminal or terrorist attention, because jamming or spoofing directed at another target can still affect any receiver in the vicinity.

    GNSS Jamming. Potential severe disruptions can be encountered by critical infrastructure in many scenarios, highlighting the need to understand the behavior of multiple systems that rely on positioning, and/or timing aspects of GNSS systems, when subject to real-world GNSS threat vectors.

    GNSS Spoofing. This can no longer be regarded as difficult to conduct or requiring a high degree of expertise and GNSS knowledge. In 2015, two engineers with no expertise in GNSS found it easy to construct a low-cost signal emulator using commercial off-the-shelf software-defined radio and RF transmission equipment, successfully spoofing a car’s built-in GPS receiver, two well-known brands of smartphone and a drone so that it would fly in a restricted area.

    In December 2015 the Department of Homeland Security revealed that drug traffickers have been attempting to spoof (as well as jam) border drones. This demonstrates that GNSS spoofing is now accessible enough that it should begin to be considered seriously as a valid attack vector in any GNSS vulnerability risk assessment.

    More recently, the release of the Pokémon Go game triggered a rapid development of spoofing techniques. This has led to spoofing at the application layer: jailbreaking the smartphone and installing an application designed to feed faked location information to other applications. It has also led to the use of spoofers at the RF level (record and playback or “meaconing”) and even the use of a programmed SDR to generate replica GPS signals — and all of this was accomplished in a matter of weeks.

    GNSS Segment Errors. Whilst not common, GNSS segment errors can create severe problems for users. Events affecting GLONASS during April 2014 are well known: corrupted ephemeris information was uploaded to the satellite vehicles and caused problems to many worldwide GLONASS users for almost 12 hours. Recently GPS was affected. On January 26, 2016, a glitch in the GPS ground software led to the wrong UTC correction value being broadcast. This bug started to cause problems when satellite SVN23 was withdrawn from service. A number of GPS satellites, while declaring themselves “healthy,” broadcast a wrong UTC correction parameter.

    Atmospheric Effects. Single frequency PNT systems generally compensate for the normal behavior of the ionosphere through the implementation of a model such as the Klobuchar Ionospheric Model.

    Space weather disturbs the ionosphere to an extent where the model no longer works and large pseudorange errors, which can affect position and timing, are generated. This typically happens when a severe solar storm causes the Total Electron Content (TEC) to increase to significantly higher than normal levels.

    Dual-frequency GNSS receivers can provide much higher levels of mitigation against solar weather effects. However, this is not always the case; during scintillation events dual frequency diversity is more likely to only partially mitigate the effects of scintillation.

    Solar weather events occur on an 11-year cycle; the sun has just peaked at solar maximum, so we will find solar activity decreasing to a minimum during the next 5 years of the cycle. However, that does not mean that the effects of solar weather on PNT systems should be ignored for the next few years where safety or critical infrastructure systems are involved.

    TEST FRAMEWORK

    Characterization of receiver performance against specific segments of the real world can either save development time and cost or prevent poor performance in real deployments. Figure 1 shows the concept of a robust PNT test framework that uses real-world threat vectors to test GNSS-dependent systems and devices.

    We have deployed detectors — some on a permanent basis, some temporary — and have collected extensive information on real-world RFI that affects GNSS receivers, systems and applications.

    For example, all of the detected interference waveforms in Figure 2 have potential to cause unexpected behavior of any receiver that was picking up the repeated signal. A spectrogram is included with the first detected waveform for reference as it is quite an unusual looking waveform, which is most likely to have originated from a badly tuned, cheap jammer. The events in the figure, captured at the same European sports event, are thought to have been caused by a GPS repeater or a deliberate jammer. A repeater may be used to rebroadcast GPS signals inside an enclosure to allow testing of a GPS system located indoors where it does not have a view of the sky.

    The greatest problem with GPS repeaters is that the signal can “spill” outside of the test location and interfere with another receiver. This could cause the receiver to report the static position of the repeater, rather than its true position. The problem is how to reliably and repeatedly assess the resilience of GPS equipment to these kinds of interference waveforms. The key to this is the design of test cases, or scenarios, that are able to extract benchmark information from equipment. To complement the benchmarking test scenarios, it is also advisable to set up application specific scenarios to assess the likely impact of interference in specific environmental settings and use cases.

    TEST METHODOLOGY

    A benchmarking scenario was set up in the laboratory using a simulator to generate L1 GPS signals against some generic interference waveforms with the objective of developing a candidate benchmark scenario that could form part of a standard methodology for the assessment of receiver performance when subject to interference.

    Considering the requirements for a benchmark test, it was decided to implement a scenario where a GPS receiver tracking GPS L1 signals is moved slowly toward a fixed interference source as shown in Figure 3.

    The simulation is first run for 60 seconds with the “vehicle” static, and the receiver is cold started at the same time to let the receiver initialise properly. The static position is 1000m south of where the jammer will be. At t = 60s the “vehicle” starts driving due north at 5 m/s. At the same time a jamming source is turned on, located at 0.00 N 0.00 E. The “vehicle” drives straight through the jamming source, and then continues 1000m north of 0.00 N 0.00 E, for a total distance covered of 2000m. This method is used for all tests except the interference type comparison, where there is no initialization period: the vehicle starts moving north as the receiver is turned on.

    The advantages of this simple and very repeatable scenario are that it shows how close a receiver could approach a fixed jammer without any ill effects, and measures the receiver’s recovery time after it has passed the interference source. We have anonymized the receivers used in the study, but they are representative user receivers that are in wide use today across a variety of applications. Isotropic antenna patterns were used for receivers and jammers in the test. The test system automatically models the power level changes as the vehicle moves relative to the jammer, based on a free-space path loss model.
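The drive-through scenario above can be reproduced numerically. The following Python sketch is an added example, not the authors' test system: it models the jamming-to-signal ratio (J/S) along the track with free-space path loss and shows how a 10 dB change in jammer power moves the zone in which a receiver would be denied. The received GPS power, the jammer EIRP and the 40 dB J/S limit are assumptions chosen for illustration.

```python
import math

C = 299_792_458.0      # speed of light, m/s
F_L1_HZ = 1575.42e6    # GPS L1 carrier frequency

# Scenario geometry and timing, as described in the article.
START_NORTH_M = -1000.0   # vehicle starts 1000 m south of the jammer
STATIC_S = 60.0           # static initialisation period, jammer off
SPEED_MPS = 5.0           # then the vehicle drives due north at 5 m/s
TRACK_M = 2000.0          # total distance covered

# Assumptions for illustration only (not values from the article).
GPS_RX_DBM = -128.5       # nominal received L1 C/A power, isotropic antenna
JAMMER_EIRP_DBM = -10.0   # constructed jammer power
JS_LIMIT_DB = 40.0        # hypothetical J/S at which a receiver loses lock
MIN_RANGE_M = 1.0         # clamp so the pass over the jammer stays finite

END_S = STATIC_S + TRACK_M / SPEED_MPS


def north_offset_m(t):
    """Vehicle position relative to the jammer (negative = south)."""
    if t <= STATIC_S:
        return START_NORTH_M
    return min(START_NORTH_M + SPEED_MPS * (t - STATIC_S),
               START_NORTH_M + TRACK_M)


def fspl_db(distance_m, freq_hz=F_L1_HZ):
    """Free-space path loss between isotropic antennas."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C)


def js_db(t, eirp_dbm=JAMMER_EIRP_DBM):
    """J/S at the receiver in dB; None while the jammer is still off."""
    if t < STATIC_S:
        return None
    d = max(abs(north_offset_m(t)), MIN_RANGE_M)
    return eirp_dbm - fspl_db(d) - GPS_RX_DBM


def denial_radius_m(eirp_dbm=JAMMER_EIRP_DBM, limit_db=JS_LIMIT_DB):
    """Distance at which J/S equals the limit (inverse of fspl_db)."""
    loss_db = eirp_dbm - GPS_RX_DBM - limit_db
    return C / (4.0 * math.pi * F_L1_HZ) * 10.0 ** (loss_db / 20.0)


def denial_window_s(eirp_dbm=JAMMER_EIRP_DBM, limit_db=JS_LIMIT_DB):
    """(enter, exit) times of the zone where J/S >= limit, clipped to the run."""
    r = denial_radius_m(eirp_dbm, limit_db)
    t_in = STATIC_S + (-r - START_NORTH_M) / SPEED_MPS
    t_out = STATIC_S + (r - START_NORTH_M) / SPEED_MPS
    return max(t_in, STATIC_S), min(t_out, END_S)


def run(step_s=1.0, eirp_dbm=JAMMER_EIRP_DBM):
    """Sample the scenario as a list of (time, north offset, J/S)."""
    n = int(END_S / step_s) + 1
    return [(i * step_s, north_offset_m(i * step_s), js_db(i * step_s, eirp_dbm))
            for i in range(n)]


if __name__ == "__main__":
    # Baseline jammer and the same jammer with 10 dB more power.
    for eirp in (JAMMER_EIRP_DBM, JAMMER_EIRP_DBM + 10.0):
        t_in, t_out = denial_window_s(eirp)
        print(f"EIRP {eirp:+.0f} dBm: J/S >= {JS_LIMIT_DB:.0f} dB within "
              f"{denial_radius_m(eirp):.0f} m, t = {t_in:.1f}..{t_out:.1f} s")
```

Because path loss grows with the square of distance, a 10 dB power increase widens the denial radius by a factor of about 3.16, which is why a modest change in jammer power shifts the loss-of-lock point so far along the track.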

    RESULTS

    Figure 4 shows a comparison of GPS receiver accuracy performance when subject to L1 CHIRP interference. This is representative of many PPD (personal protection device)-type jammers.

    Figure 5 shows the relative performance of Receiver A when subject to different jammer types — in this case AM, coherent CW and swept CW.

    Finally, in Figure 6, the accuracy performance of Receiver A is tested to examine the change that a 10dB increase in signal power could make to the behavior of the receiver against jamming — a swept CW signal was used in this instance.

    Discussion. In the first set of results (the comparison of receivers against L1 CHIRP interference), it is interesting to note that all receivers tested lost lock at a very similar distance away from this particular interference source but all exhibited different recovery performance.

    The second test focused on the performance of Receiver A against various types of jammers — the aim of this experiment was to determine how much the receiver response against interference could be expected to vary with jammer type. It can be seen that for Receiver A there were marked differences in response to jammer type. Finally, the third test concentrated on determining how much a 10dB alteration in jammer power might change receiver responses. Receiver A was used again and a swept CW signal was used as the interferer. It can be seen that the increase of 10dB in the signal power does have the noticeable effect one would expect to see on the receiver response in this scenario with this receiver.

    Having developed a benchmark test bed for the evaluation of GNSS interference on receiver behavior, there is a great deal of opportunity to conduct further experimental work to assess the behavior of GNSS receivers subject to interference. Examples of areas for further work include:

    • Evaluation of other performance metrics important for assessing resilience to interference
    • Automation of test scenarios used for benchmarking
    • Evaluation of the effectiveness of different mitigation approaches, including improved antenna performance, RAIM, multi-frequency, multi-constellation
    • Performance of systems that include GNSS plus augmentation systems such as inertial, SBAS, GBAS

    CONCLUSIONS

    A simple candidate benchmark test for assessing receiver accuracy when subjected to RF interference has been presented by the authors.

    Different receivers perform quite differently when subjected to the same GNSS + RFI test conditions. Understanding how a receiver performs, and how this performance affects the PNT system or application performance, is an important element in system design and should be considered as part of a GNSS robustness risk assessment.

    Other GNSS threats are also important to consider: solar weather, scintillation, spoofing and segment errors.

    One of the biggest advantages of the automated test bench set-up used here is that it allows a system or device response to be tested against a wide range of real-world GNSS threats in a matter of hours, whereas previously it could have taken many weeks or months (or not even been possible) to test against such a wide range of threats.

    Whilst there is (rightly) a lot of material in which the potential impacts of GNSS threat vectors are debated, it should also be remembered that there are many mitigation actions that can be taken today which enable protection against current and some predictable future scenarios.

    Carrying out risk assessments including testing against the latest real-world threat baseline is the first vital step towards improving the security of GNSS dependent systems and devices.

    ACKNOWLEDGMENTS

    The authors would like to thank all of the staff at Spirent Communications, Nottingham Scientific Ltd and Qascom who have contributed to this paper. In particular, thanks are due to Kimon Voutsis and Joshua Stubbs from Spirent’s Professional Services team for their expert contributions to the interference benchmark tests.

    MANUFACTURERS

    The benchmarking scenario described here was set up in the laboratory using a Spirent GSS6700 GNSS simulator.