Tag: Todd Humphreys

  • Todd Humphreys: Russian satellites a cause of GNSS jamming across Europe


    Russian satellites have caused GPS outages of as long as 10 seconds across Europe, according to a new research paper, authored in part by GNSS expert Todd Humphreys.

    Humphreys is head of the Radionavigation Laboratory at the University of Texas at Austin. Separate research by Richard Bowden at Spanish company GMV supports the findings, according to The New York Times.

    In at least three of 75 instances identified since 2019, the interference originated from as many as three Russian satellites. The other cases implicate the same Russian early-warning network; though data is insufficient to pinpoint the source, the same type of signal was identified.

    Whether Russia knows of the interference — and its motives — is unknown, but the signals disrupt GPS, Galileo and BeiDou, and not Russia’s own GLONASS. The press office for the Russian Embassy in Washington, D.C. told The Times it had no comment.

    The paper, “Chasing Lightning: Detecting, Characterizing, and Identifying a Powerful Space-Based GNSS Interference Source” by Zachary L. Clements, Argyris Kriezis and Todd E. Humphreys, can be accessed here.

    The paper provides a comprehensive analysis of the GNSS interference phenomenon: wide-area transient interference from a space-based source causing up to 10-dB GNSS degradation across Europe since 2019 in the L1 band. The interference’s spatial, temporal and spectral properties are detailed. The researchers designed a framework to detect events using 1-Hz carrier-to-noise ratio observables from a network of 165 reference stations.

    The three satellites implicated in the interference are part of Russia’s Edinaya Kosmicheskaya Sistema (EKS) constellation, which detects missile launches and nuclear explosions around the world. The first instance of this widespread jamming was recorded in October 2019, a month after the first EKS satellite was launched.

    These cases are among the first known examples of GPS interference originating from space. Two historic cases of satellite interference were caused by technical glitches.

  • Starlink signals can be reverse-engineered to work like GPS


    Photo: Official SpaceX Photos

    A team of researchers from the University of Texas Austin (UTA) have shown the Starlink broadband constellation’s potential to serve as a backup for GPS.


    The researchers, led by Todd Humphreys and funded by the U.S. Army, examined the downlink signal structure of the SpaceX Starlink constellation of ultrafast broadband satellites in low-Earth-orbit (LEO), reported MIT Technology Review. The team showed that Starlink could serve as a useful backup to GPS.

    For the past two years, Humphreys’ team at UT Austin’s Radionavigation Lab has been reverse-engineering signals sent from thousands of Starlink internet satellites to ground-based receivers. Humphreys told the review that regular beacon signals from the constellation, designed to help receivers connect with the satellites, could form the basis of a useful navigation system.

    SpaceX opted not to participate in the research.

    Read the research paper here.

    Title: Signal Structure of the Starlink Ku-Band Downlink

    Authors: Todd E. Humphreys, Peter A. Iannucci, Zacharias Komodromos, Andrew M. Graff

    Abstract: We develop a technique for blind signal identification of the Starlink downlink signal in the 10.7 to 12.7 GHz band and present a detailed picture of the signal’s structure. Importantly, the signal characterization offered herein includes the exact values of synchronization sequences embedded in the signal that can be exploited to produce pseudorange measurements. Such an understanding of the signal is essential to emerging efforts that seek to dual-purpose Starlink signals for positioning, navigation, and timing, despite their being designed solely for broadband internet provision.

  • GPS circle spoofing discovered in Iran


    In March, the U.S. government received an unusual inquiry about GPS disruptions. It was from a user in Iran reporting what appeared to be “circle spoofing” — a phenomenon that had only previously been observed in China.

    “Some GPS devices received a fake signal and show a fake valid location. Yesterday I tested a device; it could get a signal and give a real position. After 10 minutes the device showed itself moving around a big circle in Tehran at 35 km/h. I can’t fix this problem by restarting the device.

    “The GPS module time is correct but the location is not. I attach an Excel file of the data and a map of the track. I can’t get any response from the Communications Regulatory Authority (CRA) of the I.R. of Iran. Do you know about this?”

    Here is one of the images provided by the reporting source:

    GPS spoofing device in operation at Iran’s Army Command and Staff College. (Screenshot courtesy of Dana Goward)

    A little internet research showed that the spoofing was taking place at or near Iran’s “AJA University of Command and Staff,” formerly called the “War University.” It is the staff college for Iran’s Army.

    Reports to the U.S. government about GPS disruption are normally listed on the U.S. Coast Guard’s Navigation Center website. This one has not been posted. Coast Guard officials said that it is because the report was received by another agency and did not contain sufficient information. Attempts by Coast Guard personnel to contact the reporting source for more information to enable the report to be posted were unsuccessful.

    GPS spoofing is often easiest to detect in maritime areas. Ship automatic identification system (AIS) transmissions include location data and are detected by satellite. The data is then aggregated and used by various companies for a number of applications. Viewing ship location reports over time has revealed thousands of ship receivers spoofed to airports in Russia, and hundreds spoofed into circles (presumably around the spoofing device) in China.

    Clearly, though, any system that aggregates and displays GPS location data can help detect wide area spoofing activity.

    Strava is a mobile app for runners and cyclists. The company aggregates location data and displays it on a heat map to highlight athletes’ favorite routes.

    The Strava heat map for Tehran shows that circle spoofing has also been employed in at least one other location. The below screenshot shows GPS-enabled fitness trackers circling a government complex that houses offices for several defense and technology-related organizations.

    This heat map shows GPS spoofing at a government complex in Tehran, which houses the Ministry of Defense, Communication Regulatory Authority, Telecommunications Infrastructure Company, and Ministry of Telecommunications and Technology. (Screenshot courtesy of Dana Goward)

    Iran was the first nation to publicly announce it had the ability to spoof GPS signals and seems to have used it to great advantage.

    In 2011, a CIA drone that had been operating across the border in Afghanistan landed at an Iranian airfield. Iran’s government claimed that its forces had sent false signals to the drone’s GPS receiver in order to capture it.

    At first, U.S. government officials said that this kind of spoofing was not possible. Several months later, Prof. Todd Humphreys demonstrated how it could be done to a drone at the University of Texas football stadium.

    U.S. officials then admitted that spoofing was possible, but said it wasn’t what happened to the CIA drone. At the same time, they offered no alternate explanation of how the drone was captured.

    In 2016 Iranian forces captured two U.S. Navy boats that had strayed into Iran’s territorial waters. This was just after President Obama had succeeded in pressing that nation to give up nuclear weapons research, and was on the same day as Obama’s last State of the Union address. There was little reason for the U.S. Navy boats to have veered so far off course, and it was clear that the Iranian Navy was waiting for them.

    Many speculated that Iran had spoofed GPS signals to lure the U.S. Navy boats into Iranian waters. U.S. officials have denied that this was the cause of the incident, but have not publicly offered an alternate explanation other than “mis-navigation.”

    During heightened tensions in the Persian Gulf in 2019, Iran shot down a U.S. surveillance drone and President Trump seemed ready to launch a retaliatory strike. This was called off at the last minute. According to some reports, the strike was canceled because of the likelihood the drone was in Iranian airspace at the time.

    At about the same time British intelligence was warning merchant vessels in the area that Iran was attempting to use GPS spoofing to lure them into Iranian waters as a pretext for seizing the ships.

    While the Middle East has been a hotbed of jamming and conventional spoofing for years, these recent circle-spoofing incidents are the first of the kind we know of in the region. It may well be that Iranian forces have recently received equipment from China and are experimenting with it. They could also be using it to deter GPS guided drones and disrupt other surveillance systems in the vicinity of sensitive government facilities.


    Dana A. Goward is president of the Resilient Navigation and Timing Foundation. The non-profits C4ADS and Skytruth contributed to this article.

  • Chinese GPS spoofing circles could hide Iran oil shipments


    “GPS spoofing circles” have been discovered at 20 locations along the Chinese coast, according to the non-profit environmental group Skytruth. Of the locations observed, 16 were oil terminals; the others were corporate and government offices.

    GPS spoofing in Shanghai that resulted in reported positions from ships, fitness trackers and other GPS-enabled devices forming circles some distance from the shore was first observed by the non-profit C4ADS. Subsequently, Professor Todd Humphreys briefed the phenomenon at an Institute of Navigation conference in September. The MIT Technology Review published an article about it in November.

    This caught the interest of an analyst at the environmental non-profit Skytruth.

    Evaluating a larger data set of ship AIS (Automatic Identification System) data, analyst Bjorn Bergman discovered at least 20 locations near the Chinese coast where similar spoofing had taken place in the last two years.

    Sixteen of these “spoofing circle” locations were oil terminals. The most frequent occurrences by far were at the port of Dalian in northern China, close to the border with North Korea. Based upon the timing of the spoofing, imposition of sanctions on purchase of Iranian oil by the United States, and observations by others of Iranian oil being received by China, Bergman suggests that much of the spoofing is designed to help conceal these transactions.

    Of the four locations not associated with oil terminals, three were government offices and one was the headquarters of the Qingjian industrial group, a huge engineering and construction conglomerate. These infrequent and irregular events may be related to visits by important government officials. A C4ADS report earlier this year demonstrated Russia uses GPS spoofing extensively for government VIP protection.

    Bergman suggests that the actual spoofing device is located at the center of each of the rings formed by false GPS reports. He has also observed that not all AIS/GPS receivers in the impacted area are affected, the spoofing circles tend to be about 200 meters in diameter, many false vessel positions orbit the circle counterclockwise at 21 knots or 31 knots, and some receivers are spoofed to locations other than the circle.
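The ring geometry and speed signature described in the previous paragraph can be turned into a check. The following is an added example (not code from the article, Skytruth or C4ADS): it fits a circle to a run of AIS position reports in a local metric frame and flags tracks that orbit a ring of about 200 m diameter at a near-constant 21 or 31 knots, reporting the sense of rotation as well; the thresholds and the constructed sample track are assumptions.

```python
"""Flag the 'spoofing circle' signature in a run of AIS position reports.
Added example, not code from the article or from Skytruth/C4ADS.  It encodes
the properties the article reports: false positions orbit a ring of roughly
200 m diameter at a near-constant 21 or 31 knots, usually counterclockwise.
Thresholds and the constructed sample track are assumptions.
"""
import math
from dataclasses import dataclass

EARTH_R = 6_371_000.0    # mean Earth radius, metres
KNOT = 1852.0 / 3600.0   # one knot in metres per second
DEG = math.pi / 180.0

@dataclass
class Report:
    t: float     # seconds since the start of the track
    lat: float   # degrees
    lon: float   # degrees

def to_local_xy(reports, lat0, lon0):
    """Equirectangular east/north metres about (lat0, lon0); fine over a ring."""
    return [((r.lon - lon0) * DEG * EARTH_R * math.cos(lat0 * DEG),
             (r.lat - lat0) * DEG * EARTH_R) for r in reports]

def _det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))

def _solve3(m, rhs):
    """Cramer's rule; None when near-singular, as for a straight-line track."""
    d = _det3(m)
    scale = max(abs(v) for row in m for v in row) ** 3 or 1.0
    if abs(d) < 1e-12 * scale:
        return None
    sol = []
    for col in range(3):
        mc = [row[:] for row in m]
        for r in range(3):
            mc[r][col] = rhs[r]
        sol.append(_det3(mc) / d)
    return sol

def fit_circle(xy):
    """Kasa least-squares fit of x^2 + y^2 + a x + b y + c = 0 -> (cx, cy, r) or None."""
    n = float(len(xy))
    z = [x * x + y * y for x, y in xy]
    sx, sy = sum(x for x, _ in xy), sum(y for _, y in xy)
    m = [[sum(x * x for x, _ in xy), sum(x * y for x, y in xy), sx],
         [sum(x * y for x, y in xy), sum(y * y for _, y in xy), sy],
         [sx, sy, n]]
    rhs = [-sum(x * zi for (x, _), zi in zip(xy, z)),
           -sum(y * zi for (_, y), zi in zip(xy, z)), -sum(z)]
    sol = _solve3(m, rhs)
    if sol is None:
        return None
    a, b, c = sol
    cx, cy = -a / 2.0, -b / 2.0
    rr = cx * cx + cy * cy - c
    return (cx, cy, math.sqrt(rr)) if rr > 0 else None

def classify_track(reports, radius_m=(50.0, 150.0), ring_speeds_kn=(21.0, 31.0),
                   speed_tol_kn=2.0, rms_tol_m=10.0, min_arc_rad=math.pi / 2):
    """Return the verdict plus the fitted ring radius, speed and sense of rotation."""
    n = len(reports)
    if n < 6:
        return {"circle_spoofing": False, "reason": "too few reports"}
    lat0, lon0 = sum(r.lat for r in reports) / n, sum(r.lon for r in reports) / n
    xy = to_local_xy(reports, lat0, lon0)
    fit = fit_circle(xy)
    if fit is None:
        return {"circle_spoofing": False, "reason": "no circle fits the track"}
    cx, cy, r = fit
    rms = math.sqrt(sum((math.hypot(x - cx, y - cy) - r) ** 2 for x, y in xy) / n)
    # Angular progression about the fitted centre gives the speed along the ring
    # and the sense of rotation (east/north frame: a positive turn is CCW).
    ang = [math.atan2(y - cy, x - cx) for x, y in xy]
    turns, speeds = [], []
    for i in range(1, n):
        d = (ang[i] - ang[i - 1] + math.pi) % (2 * math.pi) - math.pi
        turns.append(d)
        speeds.append(abs(d) * r / (reports[i].t - reports[i - 1].t) / KNOT)
    total_turn, mean_kn = sum(turns), sum(speeds) / len(speeds)
    checks = {
        "radius_ok": radius_m[0] <= r <= radius_m[1],
        "fit_ok": rms <= rms_tol_m,
        "speed_ok": (max(speeds) - min(speeds) <= speed_tol_kn
                     and any(abs(mean_kn - s) <= speed_tol_kn for s in ring_speeds_kn)),
        "arc_ok": abs(total_turn) >= min_arc_rad,
    }
    return {"circle_spoofing": all(checks.values()), "radius_m": r, "rms_m": rms,
            "mean_speed_kn": mean_kn, "counterclockwise": total_turn > 0, "checks": checks}

def synth_ring_track(lat_c, lon_c, radius_m, speed_kn, n, dt_s, ccw=True):
    """Constructed track of a receiver spoofed to orbit (lat_c, lon_c) on a ring."""
    omega = speed_kn * KNOT / radius_m * (1.0 if ccw else -1.0)
    k_lon = EARTH_R * math.cos(lat_c * DEG) * DEG
    return [Report(i * dt_s, lat_c + radius_m * math.sin(omega * i * dt_s) / (EARTH_R * DEG),
                   lon_c + radius_m * math.cos(omega * i * dt_s) / k_lon) for i in range(n)]
```

`classify_track(synth_ring_track(38.92, 121.65, 100.0, 21.0, 12, 5.0))` (constructed coordinates, roughly near Dalian) returns a flagged verdict with a 100 m radius, 21 kn and counterclockwise rotation, while a straight transit built from `Report` objects is not flagged.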

    Mass GPS spoofing is most easily detected and analyzed in coastal areas because of the availability of large data sets from AIS transmissions. AIS is a maritime safety system that uses GPS for location and movement information. This data is broadcast to other ships and shore stations to help prevent collisions and improve traffic management.

    The U.S. Coast Guard first experimented with receiving AIS signals by satellite in 2008. Since that time, numerous governments and commercial entities have established AIS data services using both space-based and terrestrial receivers.

    It is likely that the kinds of disruptions seen in Russian and Chinese maritime regions are occurring elsewhere. The lack of easily accessible data from non-maritime areas, though, makes this more difficult to detect.

    Confounding this problem is an apparent reluctance of many users to report disruptions. The U.S. Coast Guard Navigation Center has had only one official report of a GPS problem from a user in Russian waters and one from Chinese waters, for example. Yet it is clear that thousands of vessels have been impacted in ways that must have been quite evident to their captains and crews.

    Image: Skytruth

  • U.S. Army partners with UT Austin, Texas A&M System for advanced PNT

    This month, the University of Texas at Austin became a major research hub for the U.S. Army Futures Command.

    On Oct. 12, the Futures Command broke ground on a $130 million research facility at the Texas A&M University System’s RELLIS Campus in Bryan, Texas. Efforts at both locations will include research on advanced and assured positioning, navigation and timing (PNT) systems.

    The Army Futures Command was established in Austin during the summer of 2018. It has been working to build long-standing partnerships with University of Texas at Austin, Texas A&M University System and others in central Texas.

    Groundbreaking ceremony for the Bush Combat Development Complex at the Texas A&M University System RELLIS Campus, named in honor of former President George H.W. Bush. (Photo: Texas A&M University)

    “The Army designated UT Austin as a strategic partner,” said Professor Todd Humphreys, faculty lead for the Radionavigation Laboratory at the University of Texas, Austin. “UT will focus on two key areas: assured PNT and robotics.” Humphreys has a background in both.

    Humphreys says his organization is eager to begin working with the Army. The main focus of his PNT efforts will be “… leveraging the tens of thousands of communications satellites projected to be in low earth orbit in the next few years for PNT services,” he said. “We are working with a major provider and already have some interesting results we can share.”

    A member of Humphreys’s team is expected to discuss this work at a meeting of the National PNT Advisory Board next month.

    A secondary focus for Humphreys’s lab will be development of integrated sensing equipment with GNSS, low-earth-orbit PNT, radar, vision, inertial, and communications that can deliver assured PNT for the Army’s mounted platforms.

    “Assured PNT is one of the principal platforms we are working on,” said Greg Winfree, agency director of the Texas A&M Transportation Institute, a state agency and member of the A&M System. Winfree is also a board member for the RNT Foundation. “Our efforts will be complementary and collaborative with UT’s lead role.”

    Winfree sees new PNT sources and their intersection with automated vehicle technologies, drones and robotics as an ideal area for his organization’s contributions. “Our core themes include four application areas that the A&M System could credibly bring forward: RF testing and analysis, vehicle communications and connectivity, unmanned aerial systems, and precision agriculture.”

    This could generate a number of spinoffs for civilian agriculture. “Precision Agriculture is a key consideration since reliance upon GPS is a core technological underpinning. Texas A&M has the premier agricultural science program in the country.”

    He sees specific areas ripe for investigation by A&M as including:

    • Creating software defined chips/modules and developing miniaturized antennae for new signal sources
    • Addressing the potential for degraded sensitivity posed by antenna miniaturization
    • Developing multi-frequency radios and sensors to allow automated vehicles, drones and robotics to seamlessly utilize GPS along with signals from sources such as ELoran, DSRC, C-V2X, and 5G
    • Developing AI equipped aerial and underwater drones to test functionality and reliability of signals in challenging environments.

    The A&M System has a strong team to bring to bear on such issues, according to Winfree. It includes Dr. Stephen Cambone, associate vice chancellor for research security for the A&M System and the first DoD undersecretary for cybersecurity, and Dr. Byul Hur, assistant professor of engineering technology and industrial distribution and head of the A&M Radio Frequency Test Group.


    Dana A. Goward is the president of the Resilient Navigation and Timing Foundation.

  • Russia practices widespread spoofing


    Analysis of Satellite Data Exposes Threats to Civil Aviation

    The Russian Federation is growing and actively nurturing a comparative advantage in the targeted use and development of GNSS spoofing capabilities to achieve tactical and strategic objectives at home and abroad.

    Cover: C4ADS

    A new report titled “Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria,” presents findings from a year-long investigation ending in November 2018 on an emerging subset of electronic warfare (EW) activity: the ability to mimic, or spoof, legitimate GNSS signals to manipulate PNT data.

    Using publicly available data and commercial technologies, the authors detect and analyze patterns of GNSS spoofing in the Russian Federation, Crimea and Syria. They profile different use cases of current Russian state activity to trace the activity back to basing locations and systems in use.

    The report is issued by C4ADS, a Washington, D.C.-based nonprofit organization dedicated to providing data-driven analysis and evidence-based reporting on global conflict and transnational security issues. Its website, c4ads.org, lists transnational organized crime, proliferation networks (rogue nations and non-state actors), threat finance and supply-chain security as areas of focus.

    Pinpointing interference. Todd Humphreys, a University of Texas at Austin associate professor and head of the university’s Radionavigation Laboratory, collaborated on the research underpinning the report.

    Humphreys stated that, as far as he knew, the study constitutes the first characterization of GNSS interference from space, and cited “some interesting findings:

    “Using Automatic Identification System (AIS) data captured by overhead satellites, we monitored spoofing in the Black Sea, around St. Petersburg, Archangelsk, etc., and built a picture of interference activity that spans two years. All such activities occur near Russian coastal waters.

    “Correlating this activity with the travel schedule of the Russian head of state, we have strong evidence that the spoofing is a protective measure used to thwart drone attacks on Vladimir Putin.

    “By exploiting a software-defined GNSS receiver my lab is operating on the International Space Station, we were able to pinpoint a powerful source of interference, which we found to be coming from the northwest quadrant of a Russian-operated airbase in Syria. This explains the many reports of GNSS interference in the eastern Mediterranean during the past year.”

    Global Threat. The tools and methodologies for perpetrating GNSS interference are proliferating at a rapid rate, and the frequency of such incidents around the world increases steadily. GNSS attacks, and GPS attacks specifically, now constitute an active, present, disruptive strategic threat in every theater of operation.

    The C4ADS website, in announcing the report, states that “The Russian Federation has a comparative advantage in the targeted use and development of GNSS spoofing capabilities. However, the low cost, commercial availability and ease of deployment of these technologies will empower not only states, but also insurgents, terrorists and criminals in a wide range of destabilizing state-sponsored and non-state illicit networks. GNSS spoofing activities endanger everything from global navigational safety to civilian finance, logistics and communication systems.”

    Examining GNSS spoofing events across the entire Russian Federation, its occupied territories and overseas military facilities, the report identifies 9,883 suspected instances across 10 locations that affected 1,311 civilian vessel navigation systems since February 2016. It demonstrates that these activities are much larger in scope, more diverse in geography, and longer in duration than any public reporting suggests to date.

    C4ADS believes the Russian Federal Protective Service (FSO) operates mobile systems to support this activity. It chronicles the use of GPS spoofing in active Russian combat zones, particularly Syria, for airspace-denial purposes. This capability is scarcely reported in the public domain. C4ADS identified ongoing activity that poses significant threats to civilian airline GPS systems in the region.

    The 66-page interactive report can be viewed at www.c4reports.org/aboveusonlystars, or downloaded as a PDF.

  • How worried are you hackers will discover our locations?

    For consumer navigation and location-based services, how worried should we be about hackers discovering or corrupting our locations?

    Three industry experts gave their opinions on this issue — now it’s your turn!

    Go to env-gpsworld-integration.kinsta.cloud/july poll and register your vote. Do so by July 20 and you’ll be entered into a drawing for a $50 Visa gift card.

    For the record, here’s how the experts weighed in.


    Janice Partyka, Contributing editor, GPS World; Principal, JGP Services

    A: Very worried. Just about any connected device can be hacked, including iPhones or Android phones, regardless of fingerprint recognition technology or complex passwords. Hackers can listen to conversations or access the location positioning via flaws in a portion of mobile networks called Signaling System 7. Hackers using common software-defined radio tools have discovered a cheap way to make a GPS emulator to falsify the GPS location of smartphones and in-car navigation systems.


    Paul McBurney, Founder, CEO, Gopherhush Corp.

    A: Mobile phone users will share location-based information of business travel mileage, driving behavior for usage-based car insurance, toll-road usage, or even time cards. The best way for the receiving party to protect against location hacking or even errant fix data is to require cross-checking of the location data with multiple location sources based on GNSS, OS network location, Wi-Fi and Bluetooth reference points, and even the phone’s sensors. It’s RAIM against hacking.
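The cross-checking McBurney describes, as an added example that is not the commentator's or GPS World's code: each source's fix is fused with the others by weighted least squares, a chi-square test on the residuals detects a fix that disagrees with the rest beyond the sources' claimed accuracies, and single-source exclusion identifies which one, in the manner of RAIM fault detection and exclusion. Source names, accuracies, thresholds and the sample fixes are constructed assumptions.

```python
"""Cross-check a phone's position fixes from several sources, RAIM-style.

Added example, not code from GPS World or any of the commentators.  Each source
reports a fix with its own claimed 1-sigma horizontal accuracy; the fixes are
fused by weighted least squares, a chi-square test on the residuals detects
disagreement, and single-source exclusion identifies the fix that does not
belong.  Source names, thresholds and the sample fixes are constructed.
"""
import math
from dataclasses import dataclass

EARTH_R = 6_371_000.0
DEG = math.pi / 180.0
# 99th-percentile chi-square values by degrees of freedom (2 per redundant fix).
CHI2_99 = {2: 9.210, 4: 13.277, 6: 16.812, 8: 20.090, 10: 23.209}

@dataclass
class Fix:
    source: str
    lat: float
    lon: float
    sigma_m: float   # 1-sigma horizontal accuracy the source claims

def _local_xy(fixes, lat0, lon0):
    return [((f.lon - lon0) * DEG * EARTH_R * math.cos(lat0 * DEG),
             (f.lat - lat0) * DEG * EARTH_R) for f in fixes]

def _wls(fixes):
    """Weighted least-squares fuse; returns (lat, lon, test statistic, dof)."""
    lat0 = sum(f.lat for f in fixes) / len(fixes)
    lon0 = sum(f.lon for f in fixes) / len(fixes)
    xy = _local_xy(fixes, lat0, lon0)
    w = [1.0 / f.sigma_m ** 2 for f in fixes]
    xh = sum(wi * x for wi, (x, _) in zip(w, xy)) / sum(w)
    yh = sum(wi * y for wi, (_, y) in zip(w, xy)) / sum(w)
    # Sum of squared normalised residuals: chi-square with 2(n-1) degrees of
    # freedom when the fixes agree to within their claimed accuracies.
    stat = sum(wi * ((x - xh) ** 2 + (y - yh) ** 2) for wi, (x, y) in zip(w, xy))
    lat = lat0 + yh / (EARTH_R * DEG)
    lon = lon0 + xh / (EARTH_R * math.cos(lat0 * DEG) * DEG)
    return lat, lon, stat, 2 * (len(fixes) - 1)

def _consistent(stat, dof):
    if dof == 0:
        return True
    if dof not in CHI2_99:
        raise ValueError("add the chi-square quantile for dof=%d" % dof)
    return stat <= CHI2_99[dof]

def cross_check(fixes):
    """Fuse the fixes; detect disagreement; exclude one inconsistent source.

    As in RAIM, three sources are needed to detect a bad fix and four to say
    which it is.  Greedily dropping the largest residual would not do: a spoofed
    GNSS fix claiming 5 m accuracy pulls the weighted mean toward itself and
    makes the honest sources look like the outliers, so each source is left out
    in turn and only a unique self-consistent subset is accepted."""
    lat, lon, stat, dof = _wls(fixes)
    if _consistent(stat, dof):
        return {"lat": lat, "lon": lon, "excluded": None, "consistent": True}
    if len(fixes) < 4:
        return {"lat": None, "lon": None, "excluded": None, "consistent": False}
    survivors = []
    for i, f in enumerate(fixes):
        r_lat, r_lon, r_stat, r_dof = _wls(fixes[:i] + fixes[i + 1:])
        if _consistent(r_stat, r_dof):
            survivors.append((f.source, r_lat, r_lon))
    if len(survivors) != 1:
        return {"lat": None, "lon": None, "excluded": None, "consistent": False}
    src, lat, lon = survivors[0]
    return {"lat": lat, "lon": lon, "excluded": src, "consistent": True}

def distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance in metres; fine for the short ranges used here."""
    x = (lon2 - lon1) * DEG * EARTH_R * math.cos(lat1 * DEG)
    return math.hypot(x, (lat2 - lat1) * DEG * EARTH_R)

def offset(source, lat, lon, east_m, north_m, sigma_m):
    """Constructed fix displaced from (lat, lon) by the given metres."""
    return Fix(source, lat + north_m / (EARTH_R * DEG),
               lon + east_m / (EARTH_R * math.cos(lat * DEG) * DEG), sigma_m)

# Constructed scenario: a true location and four reported fixes, with the GNSS
# fix falsified by 1.5 km east and 0.4 km north while claiming 5 m accuracy.
TRUE_LAT, TRUE_LON = 30.2862, -97.7394
SPOOFED = [offset("gnss", TRUE_LAT, TRUE_LON, 1500.0, 400.0, 5.0),
           offset("network", TRUE_LAT, TRUE_LON, -120.0, 60.0, 400.0),
           offset("wifi", TRUE_LAT, TRUE_LON, 8.0, -6.0, 25.0),
           offset("bluetooth", TRUE_LAT, TRUE_LON, -4.0, 3.0, 12.0)]

if __name__ == "__main__":
    print(cross_check(SPOOFED))   # expect the gnss fix excluded
```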


    Todd Humphreys, Professor, Director, Radionavigation Lab, University of Texas

    A: We usually don’t mind some people knowing our position some of the time, but it’s uncomfortable to think that a hacker or a government could accurately track our position whenever they want. Your credit card number is a lot more valuable to the average hacker than your location, so the danger of location theft is low, unless you’re the special target of someone’s profiling or blackmail scheme. As for a hacker corrupting a location, this is a serious problem that needs addressing if connected cars are ever to trust one another’s data.

  • ION Announces 2015 Award Winners, Fellows


    The Institute of Navigation (ION) presented its Annual Awards during the ION International Technical Meeting in Dana Point, Calif., Jan. 26-28. The annual awards recognize individuals making significant contributions or demonstrating outstanding performance relating to the art and science of navigation. ION also announced its elected Fellow members.

    Award Winners

    • Mathieu Joerger received the Early Achievement Award for outstanding contributions to the integrity of multi-constellation and multi-sensor navigation systems. The award is presented in recognition of outstanding contributions made early in one’s career.
    • Captain Samantha Ekwall received the Superior Achievement Award for her heroic actions as the lead navigator for a five-ship formation during the refueling of the battle damaged CV-22 Ospreys during a U.S. embassy evacuation attempt in South Sudan. The Superior Achievement Award is presented to an individual demonstrating outstanding accomplishments as a practicing navigator.
    • Hamid Mokhtarzadeh and Demoz Gebre-Egziabher received the Dr. Samuel M. Burka Award for their paper “Cooperative Inertial Navigation” published in the Summer 2014 issue of NAVIGATION: Journal of the Institute of Navigation, Vol. 61, No. 2, pp. 77-94. The award recognizes outstanding achievement in the preparation of a paper contributing to the advancement of the art and science of positioning, navigation and timing.
    • Patricia Doherty received the Captain P. V. H. Weems Award for her contributions to the management and encouragement of advanced navigation research and for her service to ION. The award is presented to individuals for continuing contributions to the art and science of navigation.
    • Bruce Haines received the Tycho Brahe Award for notable achievements in astrodynamics-navigation, precise orbit determination and satellite applications to geophysics and oceanography. The Tycho Brahe Award is presented to recognize outstanding contributions to the science of space navigation, guidance and control.
    • Neeraj Pujara received the Norman P. Hays Award for his inspired leadership, outstanding encouragement, inspiration and dedicated support contributing to the advancement of navigation. The award is given in recognition of outstanding encouragement, inspiration and support contributing to the advancement of navigation.
    • Todd Humphreys received the Thomas L. Thurlow Award for contributions that enhance radionavigation security and robustness in the face of intentional spoofing and natural interference. The award recognizes outstanding contributions to the science of navigation. Humphreys has written several articles for GPS World, the latest being the February cover story, “Accuracy in the Palm of Your Hand.”
    • Patricia Doherty received the Distinguished Service Award, presented for extraordinary service to ION.

    ION’s new Fellows: (from left) Attila Komjathy, Yu (Jade) Morton, and Frank van Diggelen.

    Fellows

    ION also announced recipients of 2015 Fellow memberships. Election to Fellow membership recognizes the distinguished contributions of ION members to the advancement of the technology, management, practice and teaching the arts and science of navigation; and/or lifetime contributions to ION.

    • Attila Komjathy has been elected for contributions to remote sensing of Earth’s ionosphere using GNSS signals.
    • Yu (Jade) Morton has been elected for contributions to GNSS software receivers and the development of a worldwide network of space weather monitoring stations.
    • Frank van Diggelen has been elected for contributions to satellite-based navigation for consumer applications, especially mobile handheld devices. van Diggelen joined the GPS World Advisory Board in 2014.


  • Accuracy in the Palm of Your Hand


    Centimeter Positioning with a Smartphone-Quality GNSS Antenna

    By Kenneth M. Pesyna, Jr., Robert W. Heath, Jr. and Todd E. Humphreys, the University of Texas at Austin

    The smartphone antenna’s poor multipath suppression and irregular gain pattern result in large time-correlated phase errors that significantly increase the time to integer ambiguity resolution as compared to even a low-quality stand-alone patch antenna. The time to integer resolution — and to a centimeter-accurate fix — is significantly reduced when more GNSS signals are tracked or when the smartphone experiences gentle wavelength-scale random motion.

    GNSS chipsets are now ubiquitous in smartphones and tablets. Yet the underlying positioning accuracy of these consumer-grade GNSS receivers has stagnated over the past decade. The latest clock, orbit, and atmospheric models have improved ranging accuracy to a meter or so, leaving receiver-dependent multipath and front-end-noise-induced variations as the dominant sources of error in current consumer devices. Under good multipath conditions, 2-to-3-meter-accurate positioning is typical; under adverse multipath, accuracy degrades to 10 meters or worse.

    Yet outside the mainstream of consumer GNSS receivers, centimeter — even millimeter — accurate GNSS receivers can be found. These high-precision receivers are used routinely in geodesy, agriculture, and surveying. Their exquisite accuracy results from replacing standard code-phase positioning techniques with carrier phase differential GNSS (CDGNSS) techniques. Currently, the primary impediment to performing CDGNSS positioning on smartphones lies not in the commodity GNSS chipset, which actually outperforms survey-grade chipsets in some respects, but in the antenna, whose chief failing is its poor multipath suppression. Multipath, caused by direct signals reflecting off the ground and nearby objects, induces centimeter-level phase measurement errors, which, for static receivers, have decorrelation times of hundreds of seconds. The large size and strong time correlation of these errors significantly increases the initialization period — the so-called time-to-ambiguity-resolution (TAR) — of GNSS receivers employing CDGNSS to obtain centimeter-level positioning accuracy.

    Prior work on centimeter-accurate positioning with low-cost mobile devices has focused on external devices, or “pucks,” which contain a GNSS antenna and chipset. These devices interface with the smartphone via Bluetooth or a wired connection. Such solutions, which enjoy the better sensitivity and multipath suppression offered by their comparatively large, high-quality GNSS antennas, do not provide insight into the feasibility of CDGNSS on a stand-alone smartphone platform.

    This article demonstrates that centimeter-accurate CDGNSS positioning is indeed possible based on data sampled from a smartphone-quality GNSS antenna. This result has far-reaching significance for precise mass-market positioning. We offer an empirical analysis of the average gain and carrier phase multipath error susceptibility of smartphone-grade GNSS antennas. We also demonstrate that, for low-quality GNSS antennas such as those in smartphones, wavelength-scale random antenna motion substantially improves the time to integer ambiguity resolution.

    This article focuses on single-frequency CDGNSS rather than multiple-frequency CDGNSS or other carrier-phase-based techniques, such as precise-point positioning (PPP), for three reasons. First, virtually all smartphones are equipped with single-frequency GNSS antennas tuned to the L1 band centered at 1575.42 MHz, and single-frequency CDGNSS will likely forever remain the cheapest option. Second, as compared to PPP, CDGNSS converges much faster to centimeter accuracy, which will be important for impatient smartphone users.

    Finally, as centimeter-accurate GNSS moves into the mass market, GNSS reference stations will proliferate so that the vast majority of users can expect to be within a few kilometers of one. In this so-called short baseline regime, the differential ionospheric delay between the reference and mobile receivers becomes insignificant, obviating differential delay estimation via multi-frequency measurements. Of course, the additional signal measurements produced by multiple-frequency receivers would lead to faster convergence times and improved robustness, but for many applications, single-frequency measurements will be adequate.

    Test Architecture

    We used the test architecture shown in Figure 1 to collect data from a smartphone-grade antenna and higher quality antennas, process these data through a software-defined GNSS receiver, and compute a CDGNSS solution on the basis of the carrier phase measurements output by the GNSS receiver.

    Figure 1. Test architecture designed for an in-situ study of a smartphone-grade GNSS antenna. The analog GNSS signal is tapped off after the phone’s internal bandpass filter and low-noise amplifier and is directed to a dedicated RF front-end for downconversion and digitization. Data are stored to file for subsequent post-processing by a software GNSS receiver and CDGNSS filter.

    The architecture has been designed such that the antenna is left undisturbed within the phone; data are collected by tapping off the analog signal immediately after the phone’s internal bandpass filter and low-noise amplifier. This analog signal is directed to an external radio frequency (RF) front-end and GNSS receiver. Use of an external receiver permits well-defined GNSS signal processing unencumbered by the limitations of the phone’s internal chipset and clock.

    The clock attached to the external front-end was an oven-controlled crystal oscillator (OCXO), which has much greater stability than the low-cost oscillators used to drive GNSS signal sampling within smartphones. However, it was found that reliable cycle-slip-free GNSS carrier tracking only required a 40-ms coherent integration (pre-detection) interval, which is within the coherence time of a low-cost temperature-compensated crystal oscillator (TCXO) at the GPS L1 frequency.

    Although only a single model of smartphone was tested using this architecture — a popular mass-market phone — the results are assumed representative of all smartphones from the same manufacturer.

    Using this architecture, many hours of raw high-rate (6 MHz) digitized intermediate frequency samples were collected and stored to disk for post processing. Also stored to disk were high-rate data from a survey-grade antenna, which served as the reference antenna for CDGNSS processing. An in-house software-defined GNSS receiver, known as GRID, was used to generate, from these samples, high-quality carrier phase measurements. GRID is a flexible receiver that can be easily adapted to maintain carrier lock despite severe fading. Complex baseband accumulations output from GRID allowed detailed analysis of the signal and tracking loop behavior to ensure that no cycle slips occurred. The generated carrier phase measurements were subsequently passed to a CDGNSS filter, a model for which is described in the next section.

    CDGNSS Processing

    The CDGNSS filter described in this section ingests double-differenced carrier phase measurements output from GRID and processes them to produce (1) the centimeter-accurate trajectory estimate of the mobile antenna, (2) a time history of phase residuals, (3) carrier phase integer ambiguity estimates, (4) theoretical integer ambiguity resolution success bounds, and (5) empirical integer ambiguity resolution success rates. These outputs are used to analyze the performance of the smartphone-grade antenna and compare its performance to higher-quality antennas.

    CDGNSS Filter Model. The filter’s state has a real-valued component xk that models the mobile antenna’s relative center of motion, its instantaneous offset from this center of motion, and its velocity at each time epoch k:

    Eq_1. (1)

    The filter’s state also has an integer-valued component that models the CDGNSS phase ambiguities:

    Eq_2(2)

    where NSV is the total number of satellites tracked. Such integer ambiguities are inherent to carrier phase differential positioning techniques; their resolution has been the topic of much past research and is required to produce a CDGNSS positioning solution.

    Dynamics and Measurement Models. The real-valued state component xk is assumed to evolve as a mean-reverting second-order Gauss-Markov process. This process models the time-correlated and mean-reverting motion a smartphone experiences when held or moved gently in the extended hand of an otherwise stationary user. The integer-valued state component nk is modeled as constant, since the phase ambiguities remain fixed so long as the receiver retains phase lock on each signal.

    The filter ingests measurement vectors yk for k = 1, …, K, each populated with a single epoch of double-differenced carrier phase measurements Eq-5 for i = 1, 2, …, NSV–1. The filter’s measurement model relates yk to the real- and integer-valued state components through the following linearized GNSS carrier phase measurement model:

    Eq_3a (3)

    where rxk is a vector of double-differenced modeled ranges based on the filter’s real-valued state prior Eq-6, Hxk and Hn are the measurement sensitivity matrices for the real- and integer-valued state components, and vk is the double-differenced measurement noise vector, all at time k.

    Phase Residuals. After processing data through the CDGNSS filter, the filter outputs, in addition to a time history of centimeter-accurate position estimates, a time history of phase residuals Eq-7, which can be thought of as departures of each double-differenced phase measurement from phase alignment at the phase center of the antenna. These residuals can be modeled as

    Eq_4a (4)

    where rxk is now based on the filter’s real-valued state estimate Eq-8 at time k and Eq-9 represents the filter’s estimate of the integer ambiguities at time K.
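    As an added worked example (not the article’s CDGNSS filter or the GRID receiver’s code), the following Python forms double-differenced L1 carrier phase measurements from constructed undifferenced observations and evaluates the residuals of Eq. (4) in their simplest form, residual = y − r(x) − n, with the modeled ranges evaluated directly at a position estimate rather than through the linearization of Eq. (3). The satellite positions, receiver positions, clock biases, integer ambiguities and choice of reference satellite are all constructed values; the wavelength is the GPS L1 wavelength derived from the 1575.42 MHz carrier frequency quoted earlier.

```python
"""Double-differenced carrier phase measurements and phase residuals.

Added worked example for the measurement model and residuals described in the
article; it is not the article's CDGNSS filter or GRID code. Geometry, clock
biases, integer ambiguities and the reference satellite are constructed.
"""
import math
from typing import Dict, Tuple

Vec = Tuple[float, float, float]
SPEED_OF_LIGHT_M_S = 299792458.0
L1_FREQ_HZ = 1575.42e6
L1_WAVELENGTH_M = SPEED_OF_LIGHT_M_S / L1_FREQ_HZ  # about 0.1903 m (the ~19 cm the article cites)


def distance(a: Vec, b: Vec) -> float:
    """Euclidean distance between two ECEF-style points (metres)."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def undifferenced_phase(sat_pos: Dict[str, Vec], rx_pos: Vec, rx_clock_cycles: float,
                        sat_clock_cycles: Dict[str, float], ambiguities: Dict[str, int]
                        ) -> Dict[str, float]:
    """Carrier phase (cycles) seen by one receiver: geometric range in cycles plus
    receiver clock, minus satellite clock, plus the integer ambiguity.
    Ionosphere and troposphere are omitted: over the short baselines the article
    assumes they cancel in the double difference anyway."""
    return {s: distance(sat_pos[s], rx_pos) / L1_WAVELENGTH_M + rx_clock_cycles
               - sat_clock_cycles[s] + ambiguities[s]
            for s in sat_pos}


def double_difference(ref_obs: Dict[str, float], mob_obs: Dict[str, float],
                      ref_sat: str) -> Dict[str, float]:
    """y^i = (mob^i - ref^i) - (mob^r - ref^r) for every satellite i != r.
    Receiver and satellite clock terms cancel exactly; works on phases and on
    integer ambiguities alike."""
    base = mob_obs[ref_sat] - ref_obs[ref_sat]
    return {s: (mob_obs[s] - ref_obs[s]) - base for s in mob_obs if s != ref_sat}


def modeled_dd_ranges_cycles(sat_pos: Dict[str, Vec], ref_rx: Vec, mob_est: Vec,
                             ref_sat: str) -> Dict[str, float]:
    """r(x): double-differenced geometric ranges, in cycles, at a mobile position estimate."""
    def dd_range(s: str) -> float:
        return ((distance(sat_pos[s], mob_est) - distance(sat_pos[s], ref_rx))
                - (distance(sat_pos[ref_sat], mob_est) - distance(sat_pos[ref_sat], ref_rx)))
    return {s: dd_range(s) / L1_WAVELENGTH_M for s in sat_pos if s != ref_sat}


def phase_residuals_mm(dd_phase: Dict[str, float], sat_pos: Dict[str, Vec], ref_rx: Vec,
                       mob_est: Vec, ref_sat: str, n_hat: Dict[str, int]) -> Dict[str, float]:
    """Residual per satellite pair, in millimetres: y - r(x_hat) - n_hat."""
    model = modeled_dd_ranges_cycles(sat_pos, ref_rx, mob_est, ref_sat)
    return {s: (dd_phase[s] - model[s] - n_hat[s]) * L1_WAVELENGTH_M * 1000.0 for s in dd_phase}


# Constructed scenario: four satellites, reference antenna at the origin,
# mobile antenna about 1.3 m away (a short baseline).
SAT_POS: Dict[str, Vec] = {
    "G01": (15.0e6, 10.0e6, 18.0e6), "G07": (-12.0e6, 14.0e6, 16.0e6),
    "G12": (5.0e6, -17.0e6, 15.0e6), "G19": (-8.0e6, -9.0e6, 20.0e6),
}
REF_RX: Vec = (0.0, 0.0, 0.0)
MOB_RX: Vec = (1.20, -0.45, 0.10)
REF_SAT = "G19"


def demo():
    """Return residuals (a) with the true position and true integers and
    (b) with the G07 pair's integer wrong by one cycle."""
    ref_clock, mob_clock = 1234.567, -987.321  # receiver clock biases, cycles (constructed)
    sat_clock = {"G01": 3.2, "G07": -1.7, "G12": 0.4, "G19": 2.9}
    ref_amb = {"G01": 10483, "G07": -2211, "G12": 7, "G19": 55901}
    mob_amb = {"G01": -3390, "G07": 8822, "G12": -104, "G19": 1260}
    ref_obs = undifferenced_phase(SAT_POS, REF_RX, ref_clock, sat_clock, ref_amb)
    mob_obs = undifferenced_phase(SAT_POS, MOB_RX, mob_clock, sat_clock, mob_amb)
    y = double_difference(ref_obs, mob_obs, REF_SAT)
    n_true = double_difference(ref_amb, mob_amb, REF_SAT)
    good = phase_residuals_mm(y, SAT_POS, REF_RX, MOB_RX, REF_SAT, n_true)
    n_wrong = dict(n_true)
    n_wrong["G07"] += 1
    bad = phase_residuals_mm(y, SAT_POS, REF_RX, MOB_RX, REF_SAT, n_wrong)
    return good, bad


if __name__ == "__main__":
    ok, off_by_one = demo()
    for pair in ok:
        print(f"{pair}: correct integers {ok[pair]:+.4f} mm, G07 off by one {off_by_one[pair]:+.2f} mm")
```

    Running demo() shows the two facts the text relies on: receiver and satellite clock terms cancel exactly in the double difference, so with the correct position and integers the residuals sit at floating-point noise, and a single integer error on one satellite pair appears as a residual of one full wavelength, about 190 mm, on that pair alone. That is the scale against which the millimetre-level residual standard deviations reported in the next section should be read.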

    Phase residuals have been produced for batches of data collected from four different grades of antennas, as described next. These residuals will be used to analyze the suitability of each antenna for CDGNSS positioning.

    Antenna Performance Analysis

    This section describes four antennas from which data were captured and processed using the test architecture and CDGNSS filter described previously. It also quantifies the characteristics that make low-quality smartphone-grade antennas poorly suited to CDGNSS.

    Table 1 describes a range of antenna grades of decreasing quality, noting properties relevant to CDGNSS. The loss numbers in the far-right column represent the average loss in gain relative to a survey-grade antenna, where the average is taken over elevation angles above 15 degrees.

    Table 1. Antenna properties.

    Survey-grade antennas, whose properties are described in the first row of Table 1, have a uniform quasi-hemispherical gain pattern, right-hand circular polarization, a stable phase center, and a low axial ratio. These are all desirable properties for CDGNSS. Unfortunately, these properties inhere in the antennas’ large size; the laws of physics dictate that smaller antennas will typically be worse in each property.

    The last row of Table 1 lists the properties for a smartphone-grade antenna. As shown subsequently, this antenna loses between 5 and 15 dB in sensitivity as compared to the survey-grade antenna. Such a loss makes it difficult to retain lock on GNSS signals. In addition, this antenna’s linear polarization leads to extremely poor multipath suppression.

    Antenna Gain Analysis. Figure 2 quantifies one of the obvious drawbacks of a smartphone-grade antenna, namely, its low gain.

    Figure 2. Drop in carrier-to-noise ratio, from 2 hours of data and 9 tracked satellites. Antennas remained stationary.

    The rightmost histogram, in green, shows that the decrease in carrier-to-noise ratio as compared to a survey-grade antenna is on average 11 dB, such that the smartphone-grade antenna captures only approximately 8 percent of the signal power of its survey-grade counterpart. For comparison, shown on the left, in blue, is a histogram of the decrease in carrier-to-noise ratio for the low-quality patch antenna. This antenna suffers only about a 0.6-dB drop in power on average relative to the survey-grade antenna. Each histogram was generated from 2 hours of data with nine tracked satellites ranging in elevation from 15 to 90 degrees. The antennas remained stationary. The variation in signal power around the means is due to multipath-induced power variations in the signal as well as to the differing gain patterns of each antenna relative to the survey-grade antenna.

    Phase Residual Analysis. Shown in Figures 3, 4, and 5 are 2,000-second segments of double-differenced phase residual time histories for data collected from a survey-grade, a low-quality patch, and a smartphone-grade antenna, respectively.

    Figure 3. Survey-grade antenna. Each trace represents a residual for a different satellite pair. Ensemble average standard deviation 3.4 millimeters.

    Figure 4. Low-quality patch antenna. Ensemble average deviation 5.5 mm.

    Figure 5. Smartphone-grade antenna. Ensemble average deviation 11.4 mm.

    To produce these residuals, the antenna position was locked to its estimated value within the CDGNSS filter. The residuals represent departures of the carrier phase measurements from perfect alignment at the average phase center of the antenna. Each different colored trace corresponds to a different satellite pair. While the data segments were not captured at the same time of day, they were captured at the same location, and thus the multipath environment was similar.

    The ensemble average residual standard deviations increase with decreasing antenna quality. The residuals for the survey-grade, low-quality patch, and smartphone-grade antennas have ensemble average standard deviations of 3.4, 5.5 and 11.4 millimeters, respectively. This increase is due to the lower gain and less effective multipath suppression of the lower quality antennas.

    Figure 5 shows the presence of outlier residuals in the data collected from the smartphone-grade antenna. These outliers, one of which persists for over 1,000 seconds, are likely caused by either large and irregular azimuth- and elevation-dependent antenna phase center variations or a combination of poor antenna gain in the direction of the non-reference satellite coupled with ample gain in the direction of a multipath signal such that the multipath signal is received with more power than the direct-path signal. Obvious outliers such as these can be automatically excluded by the CDGNSS filter via an innovations test. However, the standard deviation of the remaining residuals still remains large compared to that of the other antennas; the ensemble average standard deviation decreases from 11.4 to 8.6 millimeters upon exclusion of the two large outliers.

    For antennas with a large ensemble average standard deviation in their double-differenced phase errors, the time correlation in the phase errors becomes more important. This time correlation, which persists for 100–200 seconds, is a well-studied phenomenon caused by slowly varying carrier phase multipath. While correlation is present in the residuals of all antenna types, and manifests approximately the same decorrelation time, its effect is more of a problem for low-quality antennas because the phase errors are larger. Such correlation, coupled with a large deviation, ultimately leads to a longer time to ambiguity resolution, shown later.

    Given a smartphone antenna’s extremely poor gain and multipath suppression as compared to even a low-quality stand-alone patch antenna, one might question the wisdom of attempting a CDGNSS solution using such an antenna. However, the next section reveals that it is indeed possible to achieve a centimeter-accurate positioning solution using a smartphone GNSS antenna despite its poor properties.

    CDGNSS with Smartphone Antenna

    Figure 6 shows the result of an attempt to compute a CDGNSS solution using data collected from the GNSS antenna of a smartphone. The cluster of red near the top of the phone represents 400 CDGNSS position estimates over a 5-minute interval, superimposed on the photo and properly scaled. This cluster is referenced to a marker immediately under the phone whose position was surveyed to approximately 1-centimeter accuracy using a high-quality patch antenna. The mean of the cluster’s horizontal coordinates is approximately 2 centimeters from the phone’s internal GNSS antenna. Figure 6 thus shows that the absolute horizontal accuracy of a CDGNSS solution through the smartphone’s antenna is approximately 2 centimeters.

    Figure 6. Successful CDGNSS solution using data collected from smartphone antenna. The red cluster represents 400 CDGNSS solutions over 5 minutes, superimposed and properly scaled.

    The data in Figure 6 were collected with a large conductive backplane below the smartphone. However, the backplane is unnecessary. The opening photo shows the result of a CDGNSS positioning solution computed using data collected from the smartphone antenna while the device was held in the extended hand of the author. The cluster of red represents the computed 3-dimensional position of the phone over a 300-second interval, superimposed on the photo and properly scaled. The author’s hand moved slightly during the interval, as reflected in the figure.

    The opening photo also shows the residuals corresponding to the handheld CDGNSS solution. This shows how the residuals look in practice for a scenario in which the phone is held by a user. The residuals look fairly clean, that is, they have a small variance and their mean is approximately zero. It is not uncommon for the residuals to look this good; however, cases do arise in which the residuals are considerably worse due to a combination of poor antenna gain in the direction of the non-reference satellite, coupled with ample gain in the direction of a multipath signal.

    The possibility of CDGNSS-enabled centimeter positioning using a smartphone antenna has been previously conjectured, but — to our knowledge — Figure 6 and the opening photo represent the first published demonstrations that this is indeed possible. This significant result portends a vast expansion of centimeter-accurate positioning into the mass market. However, serious challenges must be overcome before mass-market CDGNSS can become practical. Some of these challenges will be studied in the next few sections.

    Static Scenario. Figure 7 shows the empirical probability of successful ambiguity resolution for data collected from four antennas, one of each of the different grades discussed earlier. For each antenna, seven satellites were tracked at approximately the same location and time of day. Each trace was computed from 12 batches of double-differenced carrier phase data.

    Each trace represents an empirically-derived success rate computed from 12 batches of phase data as follows:

    • For a given batch, at each epoch the filter outputs its best estimate of the integer ambiguities on the basis of the data ingested thus far.
    • The estimate from step 1 is compared against the true set of integer ambiguities which were acquired in advance by processing a much longer batch of data. If correct, a flag is set at that epoch to “1”; if incorrect, the flag is set to 0.
    • For each epoch, the flags produced in step 2 are averaged across all 12 batches to generate each trace.
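    The following Python, an added illustration rather than code from the article, carries the three steps above through on constructed data. The CDGNSS filter is replaced by a stand-in that rounds the running mean of float-valued ambiguity observations (the true integers plus a first-order Gauss-Markov error, standing in for slowly varying multipath); the integer set, the batch count, the noise level and the per-epoch correlation are constructed values, and the 90 percent TAR is read off the resulting trace the way the text does.

```python
"""Empirical ambiguity-resolution success rate and time-to-ambiguity-resolution (TAR).

Added illustration of the three-step procedure in the article; not code from the
article or from the GRID receiver. The CDGNSS filter is a stand-in (see
estimate_ambiguities), and all data below are constructed.
"""
import math
import random
from typing import List, Optional, Sequence


def estimate_ambiguities(batch: Sequence[Sequence[float]], epoch: int) -> List[int]:
    """Step 1 stand-in: the integer estimate after ingesting epochs 0..epoch is the
    rounded running mean of each ambiguity's float observations so far."""
    count = epoch + 1
    n_amb = len(batch[0])
    return [int(round(sum(batch[k][i] for k in range(count)) / count)) for i in range(n_amb)]


def success_rate_trace(batches: Sequence[Sequence[Sequence[float]]],
                       truth: Sequence[int]) -> List[float]:
    """Steps 2 and 3: flag each (batch, epoch) estimate 1 if it equals the true
    integers and 0 otherwise, then average the flags across batches per epoch."""
    n_epochs = len(batches[0])
    truth = list(truth)
    trace = []
    for k in range(n_epochs):
        hits = sum(1 for b in batches if estimate_ambiguities(b, k) == truth)
        trace.append(hits / len(batches))
    return trace


def time_to_ambiguity_resolution(trace: Sequence[float], target: float = 0.9,
                                 epoch_period_s: float = 1.0) -> Optional[float]:
    """TAR at the given success rate: time of the first epoch whose success rate
    reaches `target`, or None if the trace never gets there."""
    for k, p in enumerate(trace):
        if p >= target:
            return k * epoch_period_s
    return None


def make_batches(truth: Sequence[int], n_batches: int, n_epochs: int,
                 sigma_cycles: float, corr: float, seed: int = 1):
    """Constructed float ambiguity observations: truth plus a first-order
    Gauss-Markov error with per-epoch correlation `corr` and steady-state
    standard deviation `sigma_cycles` (a stand-in for slowly varying multipath)."""
    rng = random.Random(seed)
    drive = math.sqrt(1.0 - corr * corr)
    batches = []
    for _ in range(n_batches):
        err = [rng.gauss(0.0, sigma_cycles) for _ in truth]
        batch = []
        for _ in range(n_epochs):
            err = [corr * e + drive * rng.gauss(0.0, sigma_cycles) for e in err]
            batch.append([t + e for t, e in zip(truth, err)])
        batches.append(batch)
    return batches


TRUE_N = [3, -7, 12, 0, 25, -2]  # constructed double-differenced integers (7 SVs -> 6 pairs)


def demo(sigma_cycles: float = 0.6, corr: float = 0.95):
    """Return the success-rate trace over 300 epochs from 12 batches and the 90% TAR."""
    batches = make_batches(TRUE_N, n_batches=12, n_epochs=300,
                           sigma_cycles=sigma_cycles, corr=corr)
    trace = success_rate_trace(batches, TRUE_N)
    return trace, time_to_ambiguity_resolution(trace, target=0.9)


if __name__ == "__main__":
    trace, tar = demo()
    print("success rate at epochs 0, 60, 120, 299:", [round(trace[k], 2) for k in (0, 60, 120, 299)])
    print("90% TAR (s):", tar)
```

    demo() returns the trace and the 90 percent TAR. Raising the correlation parameter toward 1 lengthens the error correlation time, so the running mean converges more slowly, the trace climbs later and the TAR grows; lowering it has the opposite effect, which is the mechanism the static and dynamic results later in the article turn on.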

    Figure 7. Residuals for CDGNSS solution depicted in the opening photo.

    As shown by the green trace in Figure 7, the smartphone-grade antenna required 400 seconds to achieve a 90% ambiguity resolution success rate; in other words, it manifested a 400-second TAR at 90%. This would surely exceed the patience of most smartphone users. Also shown are traces for the other three antenna grades. The higher-quality antennas yield shorter TARs for a given success rate, primarily due to their superior multipath suppression.

    Note that the loss in received signal power due to the smartphone antenna’s poor gain turns out to be tolerable — the signals arriving from the smartphone-grade antenna can be tracked without cycle slipping. Therefore, the outstanding challenge preventing fast ambiguity resolution for data collected from smartphone-grade antennas is the severe time-correlated multipath errors in the double-differenced carrier phase data.

    Decreasing TAR via More Signals. There are ways to mitigate the impact of multipath on the CDGNSS TAR, even the severe multipath experienced by low-quality antennas. It has been shown that the volume of the integer ambiguity search space, and thus TAR, decreases as a function of the number of double-differenced phase time histories available, which, for single-frequency CDGNSS, is one less than the number of satellites tracked. Consequently, an acceptable TAR can always be achieved with enough satellites tracked.

    Figure 8 shows the reduction in TAR for an increasing number of satellites. Each trace was computed from 720 non-overlapping 2-minute batches of data taken from a survey-grade antenna over a 24-hour interval. A decreasing elevation mask angle was used to allow an increasing number of SVs to participate in the CDGNSS solution. For a given 2-minute batch of data, an elevation mask was first applied to all but the highest five satellites. Double-difference phase data from these satellites were then processed by the CDGNSS filter to compute an empirical probability of successful integer ambiguity resolution. Next, the elevation mask was reduced until one additional satellite was in view, and the process repeated to produce all traces shown.

    Figure 8 makes clear that each additional double-differenced phase time history, although corrupted by its own multipath-induced phase errors, significantly decreases the overall TAR. Note that although Figure 8 was produced from data collected via a survey-grade antenna, a similar trend would apply for the smartphone-grade antenna. One implication of Figure 8 is that smartphone-based CDGNSS would benefit greatly from the additional double-differenced measurements that a multi-frequency GNSS receiver could provide. For example, at the time of writing there are 14 operational GPS satellites broadcasting unencrypted civil signals at the GPS L2 frequency (1227.6 MHz), and 7 broadcasting civil signals at the GPS L5 frequency (1176.45 MHz). With some modification of the smartphone GNSS antenna and chipset, these modernized GPS signals could be exploited to reduce TAR. However, the narrow profit margins on mass-market GNSS antennas and chipsets militate against multi-frequency architectures.

    Figure 8. Probability of successful ambiguity resolution vs. time as a function of the number of satellite vehicles (SVs) tracked.

    Decreasing TAR via Random Motion. There is a second way to reduce TAR under severe multipath conditions. Unlike TAR reduction via additional signals, the theory and practice of this second technique have not been previously treated in the literature. Moreover, the technique is well-suited for smartphones, which are typically hand-held and mobile. This simple technique consists of gently moving the smartphone in a quasi-random manner within a wavelength-scale volume. The key to this technique’s effectiveness is that, whereas multipath-induced phase measurement errors are typically time-correlated on the order of hundreds of seconds for a static receiving antenna, their spatial correlation is on the order of one wavelength, or approximately 19 centimeters at the GPS L1 frequency. As a result, random wavelength-scale antenna motion transforms the phase residuals from slowly-varying when the antenna is static, as shown in Figure 9, to quickly-varying when the antenna is dynamic, as shown in Figure 10.

    Figure 9. Residuals for data captured from smartphone-grade antenna while static.

    Figure 10. Data from smartphone-grade antenna as it experienced wavelength-scale random motion, 2–5 cm/second.

    Put another way, autocorrelation time of the phase residuals decreases from hundreds of seconds when the antenna is static, as shown in Figure 11, to less than a second when the antenna is moved even slowly (a few centimeters per second), as shown in Figure 12. More vigorous antenna motion would be possible if the phone’s inertial devices were used to aid the phase tracking loops.

    Figure 11. Autocorrelation functions corresponding to the phase residuals in Figure 9.

    Figure 12. Autocorrelation functions corresponding to phase residuals in Figure 10.

    The shorter phase error decorrelation time resulting from random antenna motion effectively increases the information content per unit time that each double-differenced phase measurement provides to the CDGNSS filter, thus decreasing the time to ambiguity resolution.
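    To make the decorrelation argument concrete, here is an added Python example (not the article’s code) that computes the sample autocorrelation of two constructed residual series: a first-order Gauss-Markov process with a 150-second correlation time standing in for the static-antenna multipath error, and one with a 0.5-second correlation time standing in for the antenna under wavelength-scale random motion. It also counts the effectively independent samples a batch of correlated residuals contributes, which is the “information content per unit time” of the preceding paragraph. The 1/e decorrelation criterion, the series lengths, the two correlation times and the 11.4 mm standard deviation (taken from the static smartphone-grade figure earlier) are assumptions of this example.

```python
"""Phase-residual autocorrelation: static versus moving antenna.

Added illustration of the decorrelation-time argument in the article; not the
article's code. Both residual series are constructed first-order Gauss-Markov
processes: 150 s correlation time (static antenna stand-in) and 0.5 s (moving).
"""
import math
import random
from typing import List, Optional


def autocorrelation(x: List[float], max_lag: int) -> List[float]:
    """Normalized sample autocorrelation r(tau), tau = 0..max_lag, of a 1-Hz series."""
    n = len(x)
    mean = sum(x) / n
    d = [v - mean for v in x]
    var = sum(v * v for v in d) / n
    if var == 0.0:
        return [1.0] + [0.0] * max_lag
    return [sum(d[i] * d[i + lag] for i in range(n - lag)) / n / var
            for lag in range(max_lag + 1)]


def decorrelation_time(acf: List[float], dt_s: float = 1.0) -> Optional[float]:
    """Lag (seconds) at which r(tau) first drops below 1/e; None if that does not
    happen within the computed window."""
    for lag, r in enumerate(acf):
        if r < 1.0 / math.e:
            return lag * dt_s
    return None


def gauss_markov_series(n: int, tau_s: float, sigma_mm: float,
                        dt_s: float = 1.0, seed: int = 7) -> List[float]:
    """First-order Gauss-Markov (AR(1)) residual series whose theoretical
    autocorrelation is exp(-tau / tau_s) and whose standard deviation is sigma_mm."""
    rng = random.Random(seed)
    phi = math.exp(-dt_s / tau_s)
    x = [rng.gauss(0.0, sigma_mm)]
    for _ in range(n - 1):
        x.append(phi * x[-1] + math.sqrt(1.0 - phi * phi) * rng.gauss(0.0, sigma_mm))
    return x


def effective_independent_samples(n: int, tau_s: float, dt_s: float = 1.0) -> float:
    """Information a batch of n correlated epochs carries, expressed as the
    equivalent number of independent samples: n * (1 - phi) / (1 + phi) for an
    AR(1) error with per-epoch correlation phi = exp(-dt / tau)."""
    phi = math.exp(-dt_s / tau_s)
    return n * (1.0 - phi) / (1.0 + phi)


def demo(n: int = 2000, sigma_mm: float = 11.4):
    """Return (static decorrelation time, moving decorrelation time,
    effective samples static, effective samples moving) for n 1-Hz epochs."""
    static = gauss_markov_series(n, tau_s=150.0, sigma_mm=sigma_mm, seed=7)
    moving = gauss_markov_series(n, tau_s=0.5, sigma_mm=sigma_mm, seed=8)
    t_static = decorrelation_time(autocorrelation(static, max_lag=600))
    t_moving = decorrelation_time(autocorrelation(moving, max_lag=20))
    return (t_static, t_moving,
            effective_independent_samples(n, 150.0),
            effective_independent_samples(n, 0.5))


if __name__ == "__main__":
    t_static, t_moving, eff_static, eff_moving = demo()
    print(f"static antenna: decorrelation time {t_static} s, "
          f"~{eff_static:.1f} independent samples in 2000 s")
    print(f"moving antenna: decorrelation time {t_moving} s, "
          f"~{eff_moving:.0f} independent samples in 2000 s")
```

    The effective-sample count is the point of the exercise: 2000 one-second epochs of residuals with a 150-second correlation time are worth only a handful of independent measurements to the filter, whereas the same 2000 epochs with a sub-second correlation time are worth well over a thousand. Sample autocorrelation estimates from a single 2000-second record are themselves noisy for a 150-second process, which is why the article reports ensemble behaviour rather than a single batch.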

    Figure 13 compares empirical success rates for three different antennas under static and dynamic scenarios. As expected, motion reduces the time-to-ambiguity resolution for the smartphone-grade and low-quality patch antenna. But, somewhat counterintuitively, motion increases the TAR for the survey-grade antenna. This discrepancy reflects a tradeoff within the CDGNSS filter. While it is true that the phase measurement errors decorrelate much faster when the antenna is moving — increasing the per-epoch information provided to the filter — it is also the case that the filter can no longer employ a hard motion constraint. For the high-quality antennas, the increased information per epoch due to faster phase error decorrelation is completely counteracted by a loss in information per epoch due to uncertainty (lack of constraint) in the motion model. Also, for the high-quality antennas, multipath in the reference antenna’s phase measurements is not insignificant compared to multipath in the mobile antenna, and this reference multipath exhibits the usual 100–200 second correlation time for a static antenna. On the other hand, phase error decorrelation via random antenna motion offers the lower-quality antennas a larger net information gain because their multipath-induced phase errors are so large. Consequently, for the smartphone-grade antenna, motion substantially reduces the 90 percent success TAR, which drops from 400 to 215 seconds.

    Figure 13. Probability of successful ambiguity resolution versus time for three different antennas under static and dynamic scenarios.

    Conclusions and Future Work

    Centimeter-accurate positioning was demonstrated based on data sampled from a smartphone-quality GNSS antenna. An empirical analysis revealed that the extremely poor multipath suppression of these antennas is the primary impediment to fast resolution of the integer ambiguities that arise in the carrier phase differential processing used to obtain centimeter accuracy. It was shown that, for low-quality smartphone-grade GNSS antennas, wavelength-scale random antenna motion substantially reduces the ambiguity resolution time.

    Future work will study the effectiveness of combining antenna motion with a motion trajectory estimate derived from non-GNSS smartphone sensors to further reduce the integer ambiguity resolution time. This technique, which is a type of synthetic aperture processing applied to the double-differenced GNSS phase measurements, effectively points antenna gain enhancements in the direction of the overhead GNSS satellites, thereby suppressing multipath arriving from other directions. Preliminary results show that this technique offers modest benefit beyond the unaided random motion technique discussed herein.

    Acknowledgment

    The material in this article was first presented at ION GNSS+ 2014 in the paper “Centimeter Positioning with a Smartphone-Quality GNSS Antenna.”


    Kenneth M. Pesyna, Jr. is a Ph.D. candidate in the Department of Electrical and Computer Engineering at the University of Texas at Austin. He is a member of the University of Texas Radionavigation Laboratory and the Wireless Networking and Communications Group.

    Robert W. Heath, Jr. is a Cullen Trust Endowed Professor in Electrical and Computer Engineering at UT-Austin, and director of the Wireless Networking and Communications Group. He received his Ph.D. in electrical engineering from Stanford.

    Todd E. Humphreys is an assistant professor in the department of Aerospace Engineering and Engineering Mechanics at UT-Austin, and director of the UT Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.

  • Directions 2013: The Future of GNSS Security

    Threat Development Parallels Information/Communication Technology

    By Oscar Pozzobon

    The GNSS interference session this year at the ION-GNSS conference in Nashville was one of the most crowded, confirming the need of all sectors of the community to understand the threats to GNSS and how they can be mitigated. In that context I received one of the most challenging questions of my career: “Can we predict the future of GNSS security?” What is the status of civil and commercial GNSS security today? What are the threats and risks, and how are they mitigated? Where are we going, and what should we expect from the future?

    I decided to tackle this topic carefully, using as a basis and inspiration the history of information and communication technology (ICT) security: from the first threats and attacks of the 1980s to a glance at what technology offers today.

    Secondly, to obtain different perspectives — and shift the blame to someone else if one day these predictions should prove to be wrong — I solicited the opinions of three other experts and colleagues in the domain of GNSS and security: Logan Scott, Todd Humphreys, and David Last.

    Snapshots from History

    The Internet was officially born in 1969 when the U.S. Defense Advanced Research Projects Agency (DARPA) created the Advanced Research Projects Agency Network (ARPANET). A short 11 years later, the 414 Gang, a computer-hacking organization (the term hacking was coined at the Massachusetts Institute of Technology as early as the 1960s), performed one of the first attacks and frauds upon computer systems. In 1983 the first computer virus was discovered. In 1988 the Computer Emergency Response Team (CERT) was created to report and disseminate information on the threats, and AT&T Bell Labs created the first concept of firewalls. Some readers may recall the 1983 movie War Games, which found Hollywood hard at work on cyber-attacks, denial, and deception against computer systems at a time when we had only six GPS satellites in orbit. One year later, Steven M. Bellovin published a paper on the possibility of performing a transmission control protocol/internet protocol (TCP/IP) spoofing attack.

    Six years after that paper, in 1995, the Computer Incident Advisory Committee (CIAC) reported the first TCP/IP spoofing attack to a system. In another four years, the first denial of service (DoS) attack to computer networks was reported by the CERT. A DoS attack consists of several computer systems sending unsolicited requests to the target, causing a saturation of network and computer resources. In terms of objectives, it could be compared to what jamming causes in GNSS systems.

    Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time intrusion detection system (IDS). This prototype was initially a rule-based expert system trained to detect known malicious activity. I like to think that this could be compared to today’s jamming detection and localization systems.

    In the 1990s, the need for guidelines providing general outlines as well as specific techniques for implementing security became pressing for all organizations. The first such standard, BS 7799, originally published by the British Standards Institution (BSI) in 1995, was later adopted by the International Organization for Standardization (ISO) as the ISO/International Electrotechnical Commission (IEC) 27000 series.

    Information technology today can be security-evaluated via the Common Criteria (CC) standard (ISO/IEC 15408), which allows the certification of computer systems. CC is a framework in which computer-system users can specify their security functional and assurance requirements. The Federal Information Processing Standard (FIPS) 140 is an alternative standard, specific to cryptographic modules, issued under the U.S. Federal Information Processing Standards program.

    The Nessus Project, started by Renaud Deraison in 1998, set as its objective the provision of an open-source vulnerability-assessment tool. Since 2000, Nessus has become one of most popular tools for computer-network security and vulnerability assessment, used by more than 75,000 organizations worldwide.

    ICT security today is assured in a lifecycle composed of CERTs managing threat notifications, ISO/IEC 27000 managing the processes, CC/FIPS 140 defining the security requirements for the system, and vulnerability-assessment tools certifying its robustness.

    Now, Where Are We in GNSS?

    Radio-frequency interference (RFI) or jamming cases can hardly be tracked, as they are difficult to detect and have a long history in the military domain. Recent incidents such as the one at Newark International Airport show that the threat is increasing and demonstrate the need for mitigation strategies. GNSS signal falsification frauds, or spoofing, seem as yet to have no evident cases in the civil domain.

    The Volpe Report of September 10, 2001 is one of the first government public announcements of GNSS threats, including jamming and spoofing. More than 10 years later, the unmanned aerial vehicle (UAV) experiment coordinated by Todd Humphreys at the University of Texas proved that such attacks are feasible.

    In GNSS, jamming detection (and sometimes mitigation) is nowadays a commercial option for some professional and mass-market GNSS receivers. Spoofing detection has been available in commercial prototype receivers since 2008 (among others, the Trusted GNSS Receiver (TIGER) funded by the European GNSS Agency). In 2012 we have seen the presentation of the first civil GNSS security testbeds. For examples of the latter, see the University of Texas TEXBAT initiative, mentioned on page 37, and the GNSS Authentication and User Protection System Simulator (GAUPSS) project, which involved the development of software and algorithms that were integrated and tested in the radio navigation laboratory of the European Space Agency/European Space Research and Technology Centre (ESA/ESTEC) in Noordwijk, the Netherlands.

    I will make the assertion that compared to ICT security, civil GNSS security seems to be reliving the early days of the 1980s: first publication of attack concepts, first publicly known attacks, no standards, and only prototype mitigation strategies. With a gap of almost 30 years, at least four mid-Earth orbit GNSS systems becoming operational in the next few years, and an annual 10 percent growth rate of GNSS applications, the era of civil GNSS security begins now.

    The Question Why

    Logan Scott is a consultant specializing in radio-frequency signal processing and waveform design for communications, navigation, radar, and emitter location. His opinion on the future threat leaves no doubts:

    “In assessing security threats, an important starting question is ‘Why would someone do that?’ If there is no motivation, chances are, there won’t be an attack. Over the last five years or so, the combination of ubiquitous, low-cost communications systems and satellite navigation has moved civil GNSS positioning and timing into use domains where there are stronger motivations for an attack. Specifically, widespread use in asset monitoring and tracking encourages jamming attacks and so, we are seeing more such attacks. As GNSS becomes more deeply embedded into societal infrastructure, we can expect to see more attacks of increasing sophistication. Motivation will be there.”

    David Last is a consultant engineer and expert witness specializing in radio-navigation and communications systems. He operates in the domain of covert tracking and law enforcement, an area where interference can be tempting. As an expert in the field, and to the best of his knowledge, he believes that “although there are some cases of jamming, we have seen no events of spoofing — so far. To date, all we have seen from criminals are crude jamming attacks. Attacks by technically sophisticated aggressors who understand GNSS vulnerability have yet to start. They will be much more serious.

    “Furthermore, when the receiver stops receiving data in a court case, we can’t say it’s jamming: we can mention that it is one of the things that stops the signal. Law enforcement is now beginning to use receivers that can perform jamming detection.”

    David Last’s opinion on the issue of potential low-cost spoofers appearing in the near future was also provocative: “Criminals don’t buy things, they steal them.”

    The Time is Right, Now

    An ICT security standard arrived about 10 years after the first publication and case reports of attacks. Are we at the right time, now, to consider security certification of GNSS receivers?

    Logan Scott’s opinion is that receivers should be certified in order to provide awareness of the attacks:

    “Today, essentially all houses and buildings have smoke alarms. Smoke alarms don’t put out fires but they do alert the occupants to the probability that there is a problem. Similarly, GNSS receiver situation awareness regarding jamming and spoofing is a first step towards militating against attacks on GNSS components. As civil receivers stand today, many don’t discriminate between loss of lock due to signal attenuation and loss of lock due to jamming. This needs to change.

    “Fairly simple algorithms can detect most types of jamming and spoofing. Jammers and simple spoofers almost invariably affect automatic gain control gain settings. They are easy to detect. More sophisticated spoofers have difficulty covering apparent direction of arrival and can be detected using some simple antenna techniques.

    “The problem for the user community at large is in knowing whether or not a receiver maintains adequate situational awareness. This is where test-based receiver certification can play a role.”
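    Scott’s discriminator, an AGC gain that backs off under interference while plain attenuation leaves it alone, can be turned into a small receiver-side situational-awareness check. The block below is an added example written for this page, not code from the original article or from any receiver vendor: the telemetry layout (per-epoch AGC gain in dB and per-channel C/N0 in dB-Hz), the 6 dB thresholds and the five-epoch calibration window are assumptions, and the sample epochs are constructed.

```python
from statistics import mean, median

# Assumed thresholds: a 6 dB swing in either observable is treated as significant.
AGC_DROP_DB = 6.0   # AGC gain reduction that indicates excess in-band power
CN0_DROP_DB = 6.0   # mean C/N0 reduction that indicates weaker usable signal
CALIB_EPOCHS = 5    # leading epochs assumed clean, used to learn the baseline


def mean_cn0(cn0_dbhz):
    """Mean C/N0 across tracked channels; 0 dB-Hz when every channel lost lock."""
    return mean(cn0_dbhz) if cn0_dbhz else 0.0


def classify_epoch(agc_gain_db, cn0_dbhz, agc_base_db, cn0_base_dbhz):
    """Label one epoch from AGC gain and C/N0 relative to a clean baseline.

    Interference adds in-band power, so the AGC turns its gain DOWN;
    attenuation (foliage, a building) weakens the signal but leaves the
    noise floor, so the AGC gain stays put while C/N0 falls.
    """
    agc_drop = agc_base_db - agc_gain_db
    cn0_drop = cn0_base_dbhz - mean_cn0(cn0_dbhz)
    if agc_drop >= AGC_DROP_DB:
        # Excess power with weaker tracking: broadband jamming.
        # Excess power with tracking as good or better: counterfeit signals.
        return "jamming" if cn0_drop >= CN0_DROP_DB else "spoofing-suspect"
    if cn0_drop >= CN0_DROP_DB:
        return "attenuation"
    return "nominal"


def classify_stream(epochs):
    """epochs: list of (timestamp, agc_gain_db, [cn0_dbhz per tracked channel])."""
    if len(epochs) < CALIB_EPOCHS:
        raise ValueError("not enough epochs to learn a baseline")
    calib = epochs[:CALIB_EPOCHS]
    agc_base = median(e[1] for e in calib)
    cn0_base = median(mean_cn0(e[2]) for e in calib)
    return [(t, classify_epoch(agc, cn0, agc_base, cn0_base)) for t, agc, cn0 in epochs]


# Constructed telemetry (not a real capture): five clean epochs, then one
# epoch each of attenuation, jamming, a spoofing-like power rise, total loss
# of lock with and without an AGC drop, and recovery.
SAMPLE_EPOCHS = [
    ("t00", 40.0, [45.0, 44.0, 46.0, 43.0]),
    ("t01", 40.2, [45.0, 44.0, 46.0, 43.0]),
    ("t02", 39.8, [45.0, 44.0, 46.0, 43.0]),
    ("t03", 40.0, [45.0, 44.0, 46.0, 43.0]),
    ("t04", 40.1, [45.0, 44.0, 46.0, 43.0]),
    ("t05", 41.0, [36.0, 35.0, 37.0, 34.0]),   # under a canopy: C/N0 down, AGC steady
    ("t06", 28.0, [30.0, 29.0, 31.0, 28.0]),   # jammer: AGC backs off, C/N0 collapses
    ("t07", 30.0, [47.0, 46.0, 48.0, 45.0]),   # power up yet C/N0 up: not a jammer
    ("t08", 27.0, []),                         # all channels lost while AGC is down
    ("t09", 40.0, []),                         # all channels lost, AGC untouched
    ("t10", 40.0, [45.0, 44.0, 46.0, 43.0]),
]

if __name__ == "__main__":
    for stamp, label in classify_stream(SAMPLE_EPOCHS):
        print(stamp, label)
```

    The two loss-of-lock epochs are the case Scott calls out: without the AGC observable both look identical (no channels), and only the gain reading separates a receiver under a canopy from one beside a jammer.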

    Awareness is indeed needed to notify the application of the security and authentication state. GNSS authentication integrated in the system still lies far off.

    Not only is implementing authentication without compromising user cost and simplicity challenging, but the impact on the GNSS ground and space segments of maintaining legacy signal compatibility is also considerable.

    We believe that user-based authentication will be the Plan B for the next 5–10 years. This requires the development of receiver techniques and the use of security testbeds as the baseline for vulnerability assessment, in the same way the Nessus tool was used in the 1990s for computer-network assessment.

    On the test approach, Logan Scott stresses that “Using a series of canned scenarios, GNSS receivers can be tested to determine how well they maintain situational awareness. Do well enough, and the receiver can be stamped as certified, much like an Underwriters Laboratory (UL) label. The test process can be automated and conducted by an independent third party, similar to the way cellular equipment is certified.

    “Additional certifications might include cyber security aspects such as accepting only digitally-signed software updates and maps, providing attestation capabilities, and use of authenticatable GNSS signals.

    “The benefit for the non-expert user community is that they have a basis for selecting GNSS receivers, secure in the knowledge that they meet minimum performance standards.”

    Testing, Testing

    Ringing in my third fellow expert, I asked Todd Humphreys, assistant professor in the Department of Aerospace Engineering at the University of Texas at Austin, for his opinion regarding the future of GNSS security testing.

    “A testbed capable of simulating realistic spoofing attacks is needed so that the efficacy of proposed civil GPS signal authentication techniques can be experimentally evaluated. A generic testbed capable of evaluating all known authentication techniques would be prohibitively expensive; for example, it would require a large anechoic chamber for evaluating receiver-autonomous antenna-oriented techniques. But if the scope of evaluation is limited to receiver-autonomous signal-processing-oriented techniques and networked techniques, then it is possible not only to develop an inexpensive testbed but to share the testbed’s data component so that the tests can be replicated in laboratories across the globe.

    “In October, we released the Texas Spoofing Test Battery (TEXBAT), a set of six high-fidelity digital recordings of live static and dynamic GPS L1 C/A spoofing tests conducted by the Radionavigation Laboratory of the University of Texas at Austin. National Instruments is hosting TEXBAT on cloud servers so that anyone can download it.

    “The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for civil GPS receivers. According to this standard, successful detection of or imperviousness to all spoofing attacks in TEXBAT, or a future version thereof, could be considered sufficient to certify a civil GPS receiver as spoof-resistant.

    “This is a spoofing-specific version of the ‘not stupid’ certification that Logan Scott has suggested for GNSS receivers. In my July congressional testimony, I advocated requiring a ‘spoof resistance’ certification for GNSS devices that are used in critical infrastructure.”

    Looking into the Future

    Now I turn and attempt to answer the final question: Can we predict the future of civil GNSS security?

    I believe that we can predict that, unfortunately, attacks will increase, and new attacks will be discovered. For example, we have been talking about deception jammers (also known as intelligent, PRN, or Gold code jammers) only in the last few years, as an emerging threat. We will see certification and standards for security in GNSS, and we expect them to come in the next five years. Tools for GNSS security testing are already available commercially, for example the Qascom GNSS Security testbed (GST). As ICT has CERT for notification of threats, we will also see the rise of a GNSS emergency response team — possibly called a GERT.

    In conclusion, whether my predictions turn out to be correct or not, the good news is that GNSS security also has a history in Hollywood’s annals: the 1997 James Bond movie Tomorrow Never Dies narrates a spoofing attack on the GPS navigation system of a submarine, performed via a GPS encoder that modifies the time.

    Again, 007 anticipated the future, and he did it 15 years before a handful of world-renowned GNSS security experts.

    I have not yet seen the 2012 James Bond film Skyfall. I wonder what it portends?


    Oscar Pozzobon is the director and co-founder of Qascom S.r.l., based in Bassano del Grappa, Italy. He received a Masters degree in telecommunication engineering from the University of Queensland, Australia, and is the Italian contact for the Civil Global Positioning System Service Interface Committee (CGSIC).

  • Future Visions from the GNSS Oscar Winners

    Headshot: Alan Cameron

    At the magazine’s annual Leadership Dinner, held during the ION-GNSS Conference, we gave the first GNSS Leadership Awards to four individuals for their respective work in the four fields of satellites, signals, services, and products. We asked each recipient to give us a vision of the future: upcoming work, whether that’s something they plan to undertake or they think someone else should get going on, new directions for the industry, and so on. I asked them to ruminate as speculatively and as far into the future as they wished to go. Here’s what they told us.

    These are not lifetime or career achievement awards, but recognition of significant contribution in the last year or two. Think of them as the Oscars, the Academy Awards of GNSS, if you will, for significant recent achievement.

    Several people were nominated in each category by a small group, then voted on by a larger group of about 40, including the magazine’s Editorial Advisory Board, the contributing editors, and a dozen industry executives.

    Here are the award recipients, followed by their remarks to an audience of 200 GNSS international VIPs attending the GPS World dinner.

    In the Satellites category: Martin Unwin and the Surrey Satellite Technology Team
    Principal engineer, SSTL.
    For work on the GIOVE-A and Galileo IOV satellites, and on space-borne receivers

    In the Signals category: Todd Humphreys
    Director, Radionavigation Laboratory, and assistant professor, University of Texas at Austin.
    Leader of several seminal studies on spoofing and jamming; testified this summer before Congress on the subject.

    In the Services category: Waldemar Kunysz
    Senior staff engineer, NextNav LLC.
    For work on Wide Area Positioning System (WAPS) design and implementation in the continental United States.

    In the Products category: Robert Lutwak
    Chief scientist, Symmetricom.
    For practical advances to overcome the intrinsic physical barriers to affordable chip-scale atomic clocks, enabling precision time and time transfer in mobile GNSS and communications systems. 

    Now, their remarks.


    Headshot: Martin Unwin
    Martin Unwin, honoree in the Satellites category.

    Martin Unwin
    Principal Engineer, Surrey Satellite Technology Team

    “I feel privileged and honoured to receive this award from GPS World.

    “With respect to the achievements in GIOVE-A and Galileo, I cannot claim this award on behalf of myself, but I will claim it on behalf of the people in SSTL who made the projects possible, and to those in the team here who have been working tirelessly to make the payloads and satellites happen. We are of course partnered with others in Europe that have been labouring equally hard, so it has been a true team effort.

    “With respect to the spaceborne GPS and GNSS activities, my achievements have only been possible thanks to the top class staff we have in the receivers team, and thanks are also due to the support we have had from the rest of SSTL.

    “In the 20 years I have been in the company, Surrey Satellite Technology Ltd has grown from a small University-based department to a major player in the international space scene, and I am immensely proud to have been part of this story.

    “A few words for the future:

    “Whilst it cannot quite match the early heady days of GPS, I still think nevertheless we are entering an exciting time in the GNSS world. We have two operational systems, and within a few years, we will be seeing two more reaching operational capability. Dual-, even triple-frequency civil signals will soon become operationally available, and some very wide bandwidth signals will be sent down, in particular, by Galileo. There is bound to be a steep learning curve in understanding how to exploit these new signals, with a few crevasses to be negotiated during the climb. But these new signals are bound to lead to an expanded vista of increased accuracy and robustness, and undoubtedly some unexpected destinations.

    “Taking perhaps the highest perspective, spaceborne remote sensing is a good example that has surprising relevance to the rest of us still on the ground. In this case, GNSS satellites are used as radar sources, and all that is required on a low Earth orbiting satellite to change the world is a GNSS receiver. GPS Radio-Occultation measurements from low Earth orbit are now already the third most important data source for our global weather forecasts, thanks to the likes of the COSMIC and MetOp satellites. Furthermore, a new constellation of satellites called CYGNSS has recently been announced by NASA that will be using ocean-reflected GPS signals to probe inside hurricanes and typhoons, and for the first time will enable the sensing of wide-scale ocean roughness, leading to improved global wind and wave knowledge.

    “By adding to this spaceborne receiver the ability to accommodate signals from Glonass, Galileo and Compass, plus any other available GNSS-type signals, the number of measurements is instantly quadrupled, and a new capability in sensing the atmosphere, waves and even ice and land is likely to be seen. Meteorologists already view GPS as an emerging utility for weather and climate sensing, but I think this new role for GNSS will be reinforced and expanded into yet another area where GNSS incontrovertibly, if indirectly, makes such a significant difference to our daily lives.

    “As with many other applications where GNSS has become important or even critical to our modern world, this is, at the same time, both a blessing and a matter for some caution.”

    Todd Humphreys, honoree in the Signals category. (credit: Mark Cowart)

    Todd Humphreys
    Director, Radionavigation Laboratory,
    and Assistant Professor, University of Texas at Austin

    “It’s a genuine honor to receive this award. I’d like to thank Alan Cameron and all the contributors to GPS World. GPS World plays an essential role in building our GNSS community and keeping it together, providing GNSS news, instruction, and, indispensably, gossip!

    “I’d also like to thank my students at the University of Texas Radionavigation Lab. Much of the credit for this award goes to them.

    “The futurist Ray Kurzweil spoke at a conference I attended back in 2001. Maybe some of you have heard of Ray. He’s regarded variously as a prophet, or a crackpot. He’s taking hundreds of vitamins every day to keep himself alive until the singularity arrives, at which point he’ll download himself onto a robot and live forever, or at least he’ll have his head cryogenically frozen so that he can be downloaded and live forever later on.

    “In that 2001 talk Ray made some bold predictions. One, in particular, I remember well.  “Within the decade,” Ray assured us, “we’ll all be wearing special contact lenses that give us a permanent Internet feed directly to our eyeballs.” Nonsense, I thought, and indeed it was nonsense.  Here we are in 2012 and no such contact lenses exist, never mind their being in widespread use.

    “I resolved back then that if I were ever called on to peer into the future and tell what I see, as Alan has asked me to do tonight, I’d be more modest about it.

    “So tonight I’m going to make a modest prediction, and only one of them. I predict that by the GPS World dinner in 2020 carrier-phase differential GNSS, or, if you prefer an adjective for what should be a noun, Real-Time Kinematic, will be cheap and pervasive. We’ll have it on our cell phones and our tablets. There will be app families devoted to decimeter- and centimeter-level accuracy. The consequences will be fantastic.  And this will be enormously disruptive to the current precision navigation industry. This will be the commoditization of centimeter-level GNSS.

    “Now you may very well object to this prediction. You might point out that integer ambiguities will be difficult to resolve in the face of the near-field effects around and poor placement of the GNSS antenna in handheld units. You might also argue that the increased power requirements of carrier-phase techniques will be a dealbreaker for mobile devices. That’s all fine.  I agree that those are hard problems. My students and I are looking into them, trying to overcome them.

    “But please don’t make as one of your objections the one that I’ve heard so many times: “Why would anyone ever want cm-accurate positioning in their cell phone?” Because I’ll object that your objection lacks imagination.

    “To see one example of what could be done with commoditized centimeter-accurate GNSS, I invite you all to a presentation by my students Daniel Shepard, Ken Pesyna, and Jahshan Bhatti tomorrow in the F5 Session (Millimeter-accurate Augmented Reality Enabled by Carrier-Phase Differential GPS). They’ll show off a crude box that we’ve built, through which, if you peer, you can see a sandcastle that’s not really there.  And you can walk around the sandcastle and see it from all sides with centimeter accuracy.

    “Imagine when this technology is in our tablets! Or, better yet, when it’s in our glasses — or, I suppose, our contact lenses. Not that I’m making any predictions about contact lenses…”

    Waldemar Kunysz, honoree in the Services category. (credit: Mark Cowart)

    Waldemar Kunysz
    Senior Staff Engineer, NextNav LLC

    “Ladies and gentlemen: I am much honored to receive this award and recognition. It means a lot to me.

    “I would like to thank the people who made a difference in my career; without them it would not have been possible to be here.

    “First I am grateful to Dr. Maurice Meyer, former MIT professor. He taught me the black magic of antenna engineering.

    “I am quite sure that his spirit guided me when I invented the GPS/GNSS “Pinwheel” antenna while working at Novatel, for which I received 6 patents. I also would like to thank Prof. Gerard Lachappelle and Dr. AJ Van Dierendock for teaching me GPS technology, and Dr. Phillip Ward for providing very useful insight into the subject of interference. That knowledge saved me countless hours when troubleshooting some system-level issues while designing current and past GPS/GNSS products.

    “Currently I am working at, LLC developing a new terrestrial-based Wide Area Positioning System (WAPS). NextNav is a start-up company based in Silicon Valley that already, in its short life, has designed a new system that is being deployed in 40 major urban cities in the continental USA. This system will allow receiving a GPS-like signal in areas where the coverage is weak or non-existent, like indoors and dense urban developments (i.e. downtowns, urban canyons, etc.). We already have over 50 beacons installed in the San Francisco area that allow indoor and outdoor positioning anywhere from San Francisco to San Jose.

    “As we know, all major terrestrial systems have been shut down in the past several years, such as Loran, Omega, Decca, etc. We became very dependent on satellite-based services such as GPS and Glonass without any terrestrially based back-up. Any major solar storm in the future could be very disruptive to this service, so having a terrestrial-based system that is in sync with the satellite-based system will fill that void.

    “The future looks very bright for the positioning service industry. In my opinion, by 2020 it will become another utility such as phone or power. I’d like to agree with my fellow awardee and predict that in 2020 we will be able to have carrier-based positioning accuracy anywhere and anytime, available from any device including handheld units. You will know where all your assets are and you won’t need to post a question to your wife: “Honey, did you see where my tie is?”; your personal digital assistant will locate it for you.

    “Thanks again everyone for being here.”

    Robert Lutwak, honoree in the Products category. (credit: Mark Cowart)

    Robert Lutwak
    Chief Scientist, Symmetricom

    “Thank you, Alan, for the introduction. Thank you also to the awards committee and especially to the individual who nominated me.

    “Alan requested, repeatedly and forcefully, that we keep the sentimentality to a minimum, but I would be remiss if anyone left here with the impression that the development of the Chip-Scale Atomic Clock was in any way a solo effort.

    “On the contrary, while I have had the privilege of being the “front man,” the success of this program can be attributed entirely to the fantastic collaboration between three highly disparate groups, from very different industries and cultures, including our Research Group at Symmetricom’s Technology Realization, in Beverly, Massachusetts, the MEMS group at The Charles Stark Draper Laboratory, led by Mark Mescher and Matt Varghese, and the optoelectronics group at Sandia National Laboratories, led by Darwin Serkland. If any of these groups and people had been anything less than extraordinary, both technically and personally, I would not be standing here this evening.

    “With this introduction I can say, with little loss of humility, that the Chip-Scale Atomic Clock is a really cool device. Depending on where you’re coming from, it’s either 100X lower size, weight, and power (SWAP) than traditional atomic clocks or it’s 100X more accurate than quartz oscillators with comparable SWAP. Regardless of your perspective, it clearly represents a disruptive technology and paradigm shift for portable battery-powered navigation, communication, and timing applications. For comparison, the CSAC can run for a day on a full cellphone battery charge whereas the next lowest power clock of comparable performance will run down a car battery in an hour. The CSAC is not an evolutionary improvement in SWAP, it is revolutionary in that it enables previously untenable system architectures, mission scenarios, and network topologies.

    “Since Symmetricom introduced the first commercial CSAC, roughly 2 years ago, the market response has been overwhelming. Despite having done our due diligence to predict the market demand and despite having nearly doubled our manufacturing output every quarter, our shipment backlog remains strong and I am frequently surprised by innovative customer applications that we had not envisioned at the product launch. We have to date shipped many thousands of CSACs to over a hundred different customers, representing vastly different markets and applications. While many of the novel applications are still in the early stages of prototype development and evaluation, it is clear that CSACs will be ubiquitous across diverse applications within the decade.

    “I am fortunate, in my position, to interact directly with the technical integrators of the CSAC and learn the details of many of the applications. My general impression is that the timing and frequency stability performance of the CSAC is adequate for most of the emerging applications. The most common requests that I hear from customers are for reduced cost, power consumption, and size, in that order. It is not surprising that size is at the bottom of the list — in most applications, the batteries are still larger and heavier than the CSAC, so small improvements in power consumption are generally more valuable to reducing system SWAP than size reduction of the CSAC itself. As in any new technology, the cost will come down naturally with increased volume and improved manufacturing efficiencies, both at Symmetricom and at our vendors. While it is unlikely that you will get a CSAC in your next free cellphone, I do expect that the cost will progressively decrease over the next several years and the technology will become cost-viable to an exponentially increasing spectrum of applications. Similarly, we continue to evolve our electronics and algorithms for improved power consumption, aided by external advancements in microwave and microprocessor electronics driven by the smart-phone industry. It is my expectation that a factor of 2X improvement in power consumption is likely within the next three to five years.

    “To date, most of the commercial products that have emerged, based on CSAC technology, have been in the timing and frequency calibration space. It is not surprising to me that the time and frequency community was the first to adopt and exploit the technology as many of them have been closely monitoring the development program and had the internal expertise and experience to rapidly exploit it.

    “I admit, though, that I am a bit disappointed to see that there are no papers with “CSAC” in their titles at the 2012 ION-GNSS, but I am confident that this will change in the years to come. Adoption of CSAC by the navigation community has lagged behind the timing community in large part, I believe, because the technology has caught the community somewhat off-guard and the benefits of the CSAC to INS and GNSS are just now beginning to be realized.

    “The most obvious and straightforward application of CSAC to GNSS is rapid P(Y) acquisition and we have demonstrated 15s time-to-subsequent-fix (TTSF) after two hours of GPS denial. This was a fairly simple demonstration that simply consisted of jamming time into an unmodified GPS receiver, but I believe that this is just the tip of the iceberg. With access to the core navigation algorithms within the receiver, precise knowledge of time could improve the receiver performance and reliability on other levels, including (at least):

    1. Improved uncertainty of the navigation solution
    2. Navigation with less than four (or less than three) satellites
    3. Anti-spoof and anti-jam detection
    4. Seamless co-integration of GNSS and INS systems

    “Another navigation area that I believe is ripe to benefit from CSAC technology is in self-assembling navigation systems, e.g. a local ad hoc GNSS-like network which self-assembles from handheld timing beacons/receivers. Such a system would have value for safety-of-life applications in GPS-denied environments, such as indoor firefighting and mine safety.

    “Thank you again for the recognition and opportunity of this award.”
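    Two of the points in Lutwak’s list (navigation with fewer than four satellites, and anti-spoof/anti-jam detection) follow from one fact about the pseudorange equations: the receiver clock bias is the fourth unknown, and a clock trusted through holdover removes it. The block below is an added worked example written for this page, not code from Symmetricom or from the awardee; the satellite positions, receiver position and clock bias are constructed, the 300 m consistency tolerance is an assumption, and the solver is a plain Gauss-Newton fix rather than any particular receiver’s algorithm.

```python
import math

# Constructed example geometry (metres, Earth-centred frame): not real ephemeris.
SATS = [
    (15.0e6, 5.0e6, 20.0e6),
    (-12.0e6, 10.0e6, 19.0e6),
    (2.0e6, -18.0e6, 18.0e6),
    (-5.0e6, -8.0e6, 24.0e6),
]
TRUE_POS = (0.0, 0.0, 6.371e6)
TRUE_BIAS_M = 150.0   # receiver clock bias expressed in metres (about 0.5 us)


def norm(v):
    return math.sqrt(sum(c * c for c in v))


def make_pseudoranges(sats, pos, bias_m):
    """rho_i = |s_i - x| + B: geometric range plus the common clock term."""
    return [norm([s - p for s, p in zip(sat, pos)]) + bias_m for sat in sats]


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for the small normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("degenerate satellite geometry")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def solve_position(sats, pseudoranges, clock_bias_m=None, max_iter=20):
    """Gauss-Newton pseudorange fix.

    With clock_bias_m supplied (e.g. from an atomic-clock holdover) only x, y, z
    are unknown and three satellites suffice; otherwise the bias is a fourth
    unknown and four satellites are needed. Returns (position, bias_m).
    """
    known = clock_bias_m is not None
    n_unk = 3 if known else 4
    if len(sats) < n_unk:
        raise ValueError(f"need {n_unk} satellites, have {len(sats)}")
    x = [0.0, 0.0, 0.0]                      # start at Earth centre
    bias = clock_bias_m if known else 0.0
    for _ in range(max_iter):
        h, r = [], []
        for sat, rho in zip(sats, pseudoranges):
            d = [s - xi for s, xi in zip(sat, x)]
            rng = norm(d)
            row = [-di / rng for di in d]    # d(range)/dx = -unit line-of-sight
            if not known:
                row.append(1.0)              # d(rho)/dB = 1
            h.append(row)
            r.append(rho - (rng + bias))
        hth = [[sum(h[k][i] * h[k][j] for k in range(len(h))) for j in range(n_unk)]
               for i in range(n_unk)]
        htr = [sum(h[k][i] * r[k] for k in range(len(h))) for i in range(n_unk)]
        dx = solve_linear(hth, htr)
        x = [xi + di for xi, di in zip(x, dx[:3])]
        if not known:
            bias += dx[3]
        if norm(dx) < 1e-6:
            break
    return x, bias


def time_consistent(sats, pseudoranges, holdover_bias_m, tol_m=300.0):
    """Anti-spoof/anti-jam check: the bias a four-satellite fix solves for must
    agree with what the receiver's own clock predicts. A common-mode shift of
    every pseudorange is invisible to a free-running quartz clock, which simply
    absorbs it into B, but not to an atomic-clock holdover. tol_m is assumed."""
    _, solved_bias = solve_position(sats, pseudoranges)
    return abs(solved_bias - holdover_bias_m) <= tol_m


if __name__ == "__main__":
    pr = make_pseudoranges(SATS, TRUE_POS, TRUE_BIAS_M)
    print("3 sats + known clock:", solve_position(SATS[:3], pr[:3], TRUE_BIAS_M)[0])
    print("4 sats, clock unknown:", solve_position(SATS, pr))
    print("shifted pseudoranges consistent with clock?",
          time_consistent(SATS, [p + 2000.0 for p in pr], TRUE_BIAS_M))
```

    The same solver serves both cases: passing the holdover bias drops a column from the Jacobian, so three satellites give a determined system, and keeping the bias as an unknown but comparing the solved value against the holdover gives the consistency check; a quartz-clock receiver has nothing to compare against.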

  • Drone Hack: Spoofing Attack Demonstration on a Civilian Unmanned Aerial Vehicle

    By Daniel Shepard, Jahshan A. Bhatti, and Todd E. Humphreys

    Unmanned aerial vehicle (UAV) used in the spoofing tests; owned by the University of Texas.

    A radio signal sent from a half-mile away deceived the GPS receiver of a UAV into thinking that it was rising straight up. In this way, the UAV’s dependence on civil GPS allowed the spoofer operator to force the UAV vertically downward in dramatic fashion as part of multiple capture demonstrations.

    In December 2011, Iran captured a U.S. Central Intelligence Agency (CIA) surveillance drone with only minor damage to the undercarriage of the drone, likely due to a rough landing when captured. An Iranian engineer claimed in an interview that “Iran managed to jam the drone’s communication links to American operators” causing the drone to shift into an autopilot mode that relies solely on GPS to guide itself back to its home base in Afghanistan. With the drone in this state, the Iranian engineer claimed that “Iran spoofed the drone’s GPS system with false coordinates, fooling it into thinking it was close to home and landing into Iran’s clutches.”

    Although the Iranian claims are highly questionable, this incident left many unanswered questions as to the security of GPS systems on unmanned aerial vehicles (UAVs). The CIA drone should have been guiding itself based on the encrypted military GPS signals, which would be incredibly difficult to spoof. However, some experts have conjectured that simultaneous jamming of the military signals and spoofing of the civilian signals might have worked if the drone had been programmed to fall back on the civilian GPS signals in the event that the military signals were jammed. This raises the question: How difficult would it be to spoof a UAV guiding itself based on civilian GPS signals?

    FAA Modernization Act

    In February of this year, Congress passed the FAA Modernization and Reform Act of 2012. According to the Library of Congress summary, this act “requires the Secretary [of Transportation] to develop a plan to accelerate safely the integration by September 30, 2015, of civil unmanned aircraft systems (UASes, or drones) into the national airspace system … [and] determine if certain drones may operate safely in the national airspace system before completion of the plan.”

    Such civilian UAVs would be primarily guided by civil GPS, which has been shown to be readily spoofable in the lab. This would create a significant potential hazard in the national airspace if the problem of civil GPS spoofing is not fixed. Thousands of civilian UAVs (operated by postal services, police departments, research institutions, and others) could populate the skies in only a few years while still being vulnerable to remote hijacking via GPS spoofing. The passing of the FAA Modernization Act further emphasizes the need to examine the vulnerability of UAVs to GPS spoofing.

    Test

    On invitation of the Department of Homeland Security (DHS), unclassified spoofing tests against a UAV were performed at White Sands Missile Range (WSMR) on June 19, 2012 during the DHS GYPSY test exercise. These tests demonstrated the capability of a spoofer, built by the University of Texas (UT) Radionavigation Lab, to commandeer a civilian UAV by influencing the position-velocity-time (PVT) solution of the UAV’s GPS receiver.

    The Spoofer. The civil GPS spoofer used for these tests is an advanced version of the spoofer reported in “Assessing the Spoofing Threat,” GPS World, January 2009. A schematic representation of the spoofer is shown in Figure 1. It is the only spoofer reported in open literature to date that is capable of precisely aligning the spreading codes and navigation data of its counterfeit signals with those of the authentic GPS signals. Such alignment capability allows the spoofer to carry out a sophisticated spoofing attack in which no obvious clues remain to suggest that an attack is underway.


    Figure 1. This spoofer is capable of precisely aligning the spreading code and navigation data of its counterfeit signals with those of the authentic GPS signals.

    The spoofer is implemented on a portable software-defined radio platform with a digital signal processor (DSP) at its core. This platform comprises:

    • A radio frequency (RF) front-end that down-mixes and digitizes GPS L1 and L2 frequencies.
    • A DSP board that performs acquisition and tracking of GPS L1 C/A, calculates a navigation solution, predicts the L1 C/A databits, and produces a consistent set of up to 14 spoofed GPS L1 C/A signals with a user-controlled fictitious implied navigation and timing solution.
    • An RF back-end with a digital attenuator that converts the digital samples of the spoofed signals from the DSP to analog output at the GPS L1 frequency with a user-controlled broadcast power.
    • A single-board computer that handles communication between the spoofer and a remote computer over the Internet.

    The spoofer works by first acquiring and tracking GPS L1 C/A and L2C signals to obtain a navigation solution. It then enters its “feedback” mode, in which it produces a counterfeit, data-free feedback GPS signal that is summed with its own antenna input. The feedback signal is tracked by the spoofer and used to calibrate the delay between production of the digitized spoofed signal and output of the analog spoofed signal. This is necessary because the delay is non-deterministic on start-up of the receiver, although it stays constant thereafter.

    After feedback calibration is complete and enough time has elapsed to build up a navigation data bit library, the spoofer is ready to begin an attack. Initially, it produces signals that are aligned to within a few meters with the authentic signals at the location of the target antenna but have low enough power that they remain far below the target receiver’s noise floor. The spoofer then raises the power of the spoofed signals slightly above that of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it. The target receiver can be considered completely captured when either of the following is true:

    • each spoofed signal has shifted by 2 µs relative to the authentic signals, or
    • each spoofed signal is at least 10 dB more powerful than the corresponding authentic signal.

    The latter option ensures that there is no significant interaction between authentic and spoofed signals by simultaneously jamming and spoofing.

    The UT spoofer and attack strategy have been tested against a wide variety of civil GPS receivers and have always been successful in commandeering the target receiver.

    Test UAV. The spoofing tests targeted a University-of-Texas-owned Hornet Mini UAV supplied by Adaptive Flight, which is shown in the opening photo. The Hornet Mini is roughly five feet long and weighs about 10 pounds when fully loaded. The Mini’s sophisticated avionics package loosely couples an altimeter, magnetometer, and a MEMS IMU package to a GPS receiver via an extended Kalman filter.

    The Hornet Mini is representative of UAVs used by law enforcement. Thus, the results of the spoofing tests with the Mini also apply to other similarly-designed UAVs, including those used in most civil applications, whose navigation systems are centered on civil GPS. It should be noted that no special alterations were made to the Hornet Mini for this test – it was in its “as sold” or “stock” configuration.

    Setup. A schematic of the setup used for the spoofing tests against the civil UAV at WSMR appears in Figure 2. The spoofer was located on a hilltop with the receive antenna on the far side of the hilltop from the transmit antenna as shown in Figure 3. The UAV site was located in a sandy basin approximately 620 meters from the transmit antenna.


    Figure 2. Schematic of the test setup.


    Figure 3. Aerial view of the test site showing the spoofer location on a hilltop and the UAV site 0.62 kilometers away.

    Procedure. The UAV was commanded by its ground controller to hover approximately 60 feet above ground level at the UAV site. After the initial ground control command was sent, the UAV maintained its hovering position automatically based on the navigation solution of its extended Kalman filter, which is based in part on GPS. At this point in the test procedure, the spoofed signals were not being broadcast: the UAV was only under the influence of the authentic GPS signals.

    The spoofer was then commanded to begin transmitting spoofed signals. To ensure seamless capture of the UAV’s GPS unit, the code phases of the spoofed signals were aligned to within meters of the authentic signals at the location of the UAV’s GPS antenna. The spoofed signals overpowered their authentic counterparts and instantly captured the tracking loops within the UAV’s GPS receiver.

    Immediately after capture, the spoofer induced a false velocity and corresponding position change in the UAV’s GPS receiver, drawing the position reported by the UAV’s extended Kalman filter away from the UAV’s commanded hover position. To compensate, the UAV’s flight controller responded by moving in the opposite direction. A safety pilot was on hand to prevent the UAV from drifting out of control. This was necessary because by commandeering the UAV’s GPS receiver, the spoofer operator effectively breaks the UAV autopilot’s feedback control loop. The spoofer operator must now act as an operator-in-the-loop, which requires real-time, meter-level knowledge of the UAV’s true location.

    Results. Between the tests at WSMR and at UT, the spoofer demonstrated short-term 3-dimensional control of the UAV. Thus, we conclude that it is indeed possible to hijack a civil UAV — in this case, a fairly sophisticated one — by civil GPS spoofing.

    Interestingly, the Hornet Mini relies only on its altimeter for direct measurements of its vertical position; the GPS-measured vertical position is ignored. This can be done with reasonable accuracy because of the Hornet Mini’s short flight endurance (~20 minutes). However, the GPS vertical velocity does affect the extended Kalman filter’s vertical coordinate estimate because the filter propagates GPS velocity measurements through a UAV dynamics model to form an a priori vertical estimate that gets updated with the altimeter measurements. This dependence on GPS velocity allowed the spoofer operator to force the UAV vertically downward in dramatic fashion in the final three capture demonstrations.
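    The coupling just described, as an added example that is not part of the original article and not the Hornet Mini’s avionics code: a scalar altitude filter in which the GPS-reported vertical velocity drives the prediction and the altimeter corrects it (the article’s description of the Mini’s filter reduced to one axis). The 20 m hover, the noise variances, the injected velocity error and the monitor threshold are all constructed values. Alongside the filter it runs the check a spoof-resistant navigation system could add cheaply: a windowed normalized-innovation monitor that flags when the altimeter keeps disagreeing with the GPS-propagated prediction, which is exactly the signature a false GPS velocity leaves behind.

```python
import random


def run_vertical_filter(n_steps=300, dt=0.1, spoof_start=None, false_vz=-4.0,
                        r_alt=1.0, r_vz=0.25, q_model=0.01,
                        window=50, nis_threshold=3.0, seed=3):
    """Scalar altitude filter: GPS vertical velocity propagates the estimate,
    the altimeter updates it. Truth is a steady hover at 20 m (constructed).
    After spoof_start the GPS velocity input carries false_vz (m/s) instead of
    the true value. Returns the final estimate, its bias from truth, and the
    step at which the innovation monitor first flagged an inconsistency."""
    rng = random.Random(seed)
    true_alt, true_vz = 20.0, 0.0
    x, P = true_alt, 1.0            # altitude estimate (m) and its variance (m^2)
    nis_hist, flagged_at = [], None
    for k in range(n_steps):
        spoofed = spoof_start is not None and k >= spoof_start
        vz_input = false_vz if spoofed else true_vz
        vz_gps = vz_input + rng.gauss(0.0, r_vz ** 0.5)   # GPS vertical velocity as reported
        # Prediction: a priori altitude from the GPS-reported vertical velocity
        x_pred = x + vz_gps * dt
        P_pred = P + r_vz * dt * dt + q_model
        # Update: altimeter measurement of altitude (the only direct vertical measurement)
        z = true_alt + rng.gauss(0.0, r_alt ** 0.5)
        innov = z - x_pred
        S = P_pred + r_alt
        K = P_pred / S
        x = x_pred + K * innov
        P = (1.0 - K) * P_pred
        # Integrity monitor: for a consistent filter the normalized innovation squared
        # averages about 1; a persistent GPS-velocity error drives its window mean up
        nis_hist.append(innov * innov / S)
        if flagged_at is None and len(nis_hist) >= window:
            if sum(nis_hist[-window:]) / window > nis_threshold:
                flagged_at = k
    return {"estimate": x, "bias": x - true_alt, "flagged_at": flagged_at}


if __name__ == "__main__":
    print("nominal:", run_vertical_filter())
    print("false GPS velocity from step 100:", run_vertical_filter(spoof_start=100))
```

    With the constructed values, the false velocity drags the a priori estimate down every step and the altimeter pulls it back, so the estimate settles a few meters below truth; the monitor sees the resulting innovation bias within a few tens of steps. The point for a defender is that the altimeter already carries the information needed to detect the inconsistency; the filter simply has to be asked to look at it.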

    Developing a full spoofer-based control system for a UAV is a difficult problem that, in addition to the requirement for real-time true position feedback, requires the spoofer to model the UAV’s feedback control behavior and to estimate the UAV’s desired path. Causing a UAV to spin out of control and crash is not difficult with a spoofer, but fine-grained control certainly is.

    Implications

    These tests have demonstrated that civilian UAVs will be vulnerable to malefactors equipped with a civil GPS spoofer who seek to hijack or crash these UAVs unless their vulnerability to GPS spoofing is addressed. There are several reasons why someone may want to spoof a drone, including fear over drones invading people’s privacy. This poses a significant safety concern that could result in mid-air collisions with other aerial vehicles or buildings, not to mention loss of property.

    Constructing from scratch a sophisticated GPS spoofer like the one developed by UT is not easy, nor is it within the capability of the average anonymous hacker. It is orders of magnitude harder than developing a GNSS jammer. Nonetheless, the trend toward software-defined GNSS receivers for research and development, where receiver functionality is defined entirely in software downstream of the A/D converter, has significantly lowered the bar to spoofer development in recent years.

    As a point of reference, we estimate that there are more than 100 researchers in universities around the globe who are well-enough versed in software-defined GPS that they could develop a sophisticated spoofer from scratch with a year of dedicated effort. More worrisome is the fact that one does not have to build a sophisticated spoofer like ours, capable of aligning its signals precisely with authentic signals at the location of a chosen target, to spoof a civil GPS receiver. A low-cost off-the-shelf GPS signal simulator would not permit the kind of seamless attack we carried out, but would be adequate to confuse and disrupt the navigation system of a commercial UAV.

    Fixing the Problem

    There is no quick, easy, and cheap fix for the civil GPS spoofing problem. Moreover, not even the most effective GPS spoofing defenses are foolproof. Nonetheless, there are many possible remedies to the spoofing problem that, while not foolproof, would vastly improve civil GPS security. These defenses can be broken up into two categories: cryptographic and non-cryptographic defenses.

    Cryptographic defenses come primarily in two forms, spread-spectrum security codes (SSSC) and navigation message authentication (NMA), depending on whether the unpredictable digital signature is placed on the spread-spectrum code or the navigation data. These cryptographic signatures could be placed on WAAS signals or existing or future GPS signals to provide authentication of the source of the WAAS or GPS signals. A cryptographic defense implemented with appropriate checks to protect against certain variants of spoofing attacks, described in “Straight Talk on Anti-Spoofing,” GPS World, January 2012, would significantly raise the bar for a would-be spoofer. Several proposals for cryptographic methods are currently on the table including a proposal by Logan Scott to place SSSC signatures on GPS L1C signals that will be broadcast by GPS Block III satellites. However, the current proposals for civil GPS cryptographic authentication schemes are still at least several years away from implementation and have a 5-minute window between authentications of each individual GPS signal. These proposals have currently gained no ground in being implemented because of a lack of dedicated funds for development and implementation.

    There are also a number of promising non-cryptographic techniques for civil GPS spoofing detection that include jamming-to-noise power detectors (J/N meters), correlation profile anomaly defenses, and antenna-based defenses. J/N meters are simple and easily implementable and would prevent a spoofer from simultaneously jamming and spoofing. However, a J/N sensor will not typically detect a spoofing attack in which the spoofed signals are only slightly more powerful than their authentic counterparts. The inclusion of a J/N meter does ensure that the authentic signals will also be visible as a corruption to the correlation curve during a spoofing attack, due to the difficulty of nulling out the authentic signal. This allows correlation profile anomaly defenses to be viable. However, these methods suffer from the difficulty of distinguishing multipath effects from a spoofing attack, particularly in mobile receivers. Antenna-based defenses also present an attractive option for anti-spoofing, but most of these methods require additional hardware (multiple antennas) and cost. One promising new antenna-based defense is currently under development at Cornell University that does not require multiple antennas. This defense involves an extension of the signal spatial correlation technique developed by the University of Calgary PLAN group. However, this technique is still under development, and receivers implementing this technique would likely be several times more expensive than current receivers.
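    The first two detector families above, as an added example that is neither the article’s nor any receiver manufacturer’s code. It uses a constructed ±1 sequence of 1023 chips at four samples per chip (not a real C/A Gold code), builds a baseband snapshot from one or two delayed copies of that code plus noise, and applies (a) a J/N-style received-power step check and (b) a correlation-profile check that compares the measured profile around the tracked peak with the ideal single-signal triangle. The amplitudes, the one-chip offset of the second component and the thresholds are assumptions chosen to make the output readable. As the paragraph notes, a second component at nearly the same code phase and only slightly higher power would pass both checks, and a multipath reflection would distort the profile in the same way; the example shows what the checks do see, not that they are sufficient.

```python
import math
import random

CHIPS = 1023   # chips per code period (constructed +/-1 sequence, not a real C/A Gold code)
SPC = 4        # samples per chip
N = CHIPS * SPC


def make_code(seed=1):
    """Constructed +/-1 spreading code with rectangular chips, SPC samples each."""
    rng = random.Random(seed)
    chips = [rng.choice((-1, 1)) for _ in range(CHIPS)]
    return [c for c in chips for _ in range(SPC)]


def shifted(seq, delay_samples):
    """Circular delay by an integer number of samples (one code period is cyclic)."""
    d = delay_samples % N
    return seq[-d:] + seq[:-d] if d else list(seq)


def make_scene(code, components, noise_sigma=0.05, seed=2):
    """Baseband snapshot: sum of delayed, scaled copies of the code plus Gaussian noise.
    components: list of (delay_in_chips, amplitude). Constructed test input."""
    rng = random.Random(seed)
    out = [rng.gauss(0.0, noise_sigma) for _ in range(N)]
    for delay_chips, amp in components:
        for i, v in enumerate(shifted(code, round(delay_chips * SPC))):
            out[i] += amp * v
    return out


def power_db(samples):
    """Mean received in-band power in dB; a J/N meter tracks this over time."""
    return 10.0 * math.log10(sum(s * s for s in samples) / len(samples))


def power_step_alarm(baseline_db, current_db, margin_db=3.0):
    """J/N-style check: alarm when in-band power jumps well above its baseline."""
    return current_db - baseline_db > margin_db


def correlation_profile(samples, code, span_chips=2.0):
    """Normalized correlation against local replicas at quarter-chip lags."""
    half = int(span_chips * SPC)
    prof = {}
    for lag in range(-half, half + 1):
        rep = shifted(code, lag)
        prof[lag / SPC] = sum(s * r for s, r in zip(samples, rep)) / N
    return prof


def profile_anomaly(prof, threshold=0.15):
    """Compare the profile around the tracked (strongest) peak with the ideal
    triangle of a single clean signal; a second component distorts the shape.
    Returns (flag, worst_residual, tracked_peak_lag_in_chips)."""
    peak_lag = max(prof, key=prof.get)
    peak = prof[peak_lag]
    worst = 0.0
    for lag, val in prof.items():
        ideal = max(0.0, 1.0 - abs(lag - peak_lag))
        worst = max(worst, abs(val / peak - ideal))
    return worst > threshold, worst, peak_lag


if __name__ == "__main__":
    code = make_code()
    clean = make_scene(code, [(0.0, 1.0)])                  # one authentic component
    mixed = make_scene(code, [(0.0, 1.0), (1.0, 2.0)])      # plus a stronger copy one chip late
    print("power step alarm:", power_step_alarm(power_db(clean), power_db(mixed)))
    print("clean profile:", profile_anomaly(correlation_profile(clean, code)))
    print("mixed profile:", profile_anomaly(correlation_profile(mixed, code)))
```

    The profile check tracks the strongest peak, as a receiver’s delay-lock loop would, and then reports how far the rest of the curve departs from the triangle a single signal produces; the residual near the weaker component’s code phase is what gives the two-component case away.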

    For details on potential spoofing defenses, see Todd Humphreys’s congressional testimony in “The System.”

    Recommendations

    We recommend that for non-recreational operation in the national airspace, civil UAVs exceeding 18 pounds be required to employ navigation systems that are spoof-resistant. Spoof resistance will be defined through a series of four canned attack scenarios that can be recreated in a laboratory setting. A navigation system is declared spoof-resistant if, for each attack scenario, the system is either unaffected by or able to detect the spoofing attack. Spoofing detection combined with an appropriate GPS-denied mode for the UAV to fall back on will significantly increase the difficulty of mounting a successful spoofing attack.

    Additionally, civil GPS receivers in many critical infrastructures (communications networks, financial trade centers, and the power grid) are also vulnerable to civil GPS spoofing. These critical infrastructures primarily rely on GPS for timing, which is also susceptible to manipulation with varying consequences depending on the application. A discussion of power grid vulnerabilities to GPS spoofing is given in “Going Up Against Time” in this issue of the magazine on page 34. We also recommend that GPS-based timing or navigation systems having a non-trivial role in systems designated by DHS as national critical infrastructure be required to be spoof-resistant.

    Finally, we recommend that funding be committed for development and implementation of a cryptographic authentication signature in one of the existing or forthcoming civil GPS signals. The signature should at minimum take the form of a digital signature interleaved into the navigation message stream of the WAAS signals. A better plan would be to interleave the signature into the CNAV or CNAV2 GPS navigation message stream. The best plan for implementing a cryptographic authentication signature would be to implement the signature as an SSSC interleaved into the spreading code of the L1C data channel. Inclusion of a cryptographic signature would greatly aid manufacturers in developing receivers that are spoof-resistant.
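    To make the authentication recommendation concrete, here is an added example that is not the article’s proposal and not a real GPS or WAAS message format: a delayed-key-disclosure message authentication scheme of the TESLA family, in which each navigation frame carries a MAC under a key from a one-way hash chain, the key is disclosed D intervals later, and the receiver accepts a frame only if it arrived before that key could have been broadcast. It is a MAC-based stand-in for the digital signature the text describes (delayed-key-disclosure authentication is the approach Galileo’s OSNMA later adopted); the disclosure lag D, the chain length, the seed and the frame contents are constructed values, and a real deployment would sign the chain’s anchor key with a digital signature.

```python
import hashlib
import hmac

D = 2  # intervals between a frame's MAC and the disclosure of its key (constructed; real proposals use minutes)


def h(b):
    return hashlib.sha256(b).digest()


def build_key_chain(seed, n):
    """One-way chain K_0 .. K_n with h(K_i) == K_(i-1). K_0 is the public anchor
    every receiver is provisioned with; the broadcaster keeps the rest secret."""
    keys = [h(seed)]
    for _ in range(n):
        keys.append(h(keys[-1]))
    keys.reverse()
    return keys


def frame_mac(key, interval, nav):
    """Truncated HMAC over the interval number and the navigation bits."""
    return hmac.new(key, interval.to_bytes(4, "big") + nav, hashlib.sha256).digest()[:16]


class Broadcaster:
    def __init__(self, seed, n_intervals):
        self.keys = build_key_chain(seed, n_intervals)

    def anchor(self):
        return self.keys[0]

    def frame(self, i, nav):
        """Frame for interval i: nav bits, MAC under K_i, and the key of interval i-D."""
        j = i - D
        return {"i": i, "nav": nav, "mac": frame_mac(self.keys[i], i, nav),
                "key_i": j, "key": self.keys[j] if j >= 1 else None}


class Receiver:
    def __init__(self, anchor):
        self.trusted_key, self.trusted_i = anchor, 0
        self.pending = {}          # interval -> [(nav, mac), ...] awaiting key disclosure
        self.authenticated = []    # (interval, nav) whose MAC verified
        self.rejected = []         # (interval, reason)

    def on_frame(self, fr, local_time):
        i = fr["i"]
        # Security condition: the frame must arrive before K_i can have been broadcast.
        # A frame arriving later could carry a MAC made with an already-public key.
        if local_time >= i + D:
            self.rejected.append((i, "late"))
        else:
            self.pending.setdefault(i, []).append((fr["nav"], fr["mac"]))
        if fr["key"] is not None:
            self._on_key(fr["key_i"], fr["key"])

    def _on_key(self, j, key):
        # A disclosed key is trusted only if hashing it forward reaches the last trusted key.
        if j <= self.trusted_i:
            return
        k = key
        for _ in range(j - self.trusted_i):
            k = h(k)
        if k != self.trusted_key:
            self.rejected.append((j, "bad key"))
            return
        self.trusted_key, self.trusted_i = key, j
        for nav, tag in self.pending.pop(j, []):
            if hmac.compare_digest(tag, frame_mac(key, j, nav)):
                self.authenticated.append((j, nav))
            else:
                self.rejected.append((j, "bad mac"))


def demo():
    """Constructed run: six honest frames, one frame with altered navigation bits,
    and one old frame re-received after its key has already been disclosed."""
    bc = Broadcaster(b"constructed seed, not a real key", n_intervals=12)
    rx = Receiver(bc.anchor())
    for i in range(1, 5):
        rx.on_frame(bc.frame(i, b"nav-%d" % i), local_time=i)
    altered = bc.frame(5, b"nav-5")
    altered["nav"] = b"nav-5-altered"            # navigation bits changed, MAC and key left intact
    rx.on_frame(altered, local_time=5)
    for i in range(6, 9):
        rx.on_frame(bc.frame(i, b"nav-%d" % i), local_time=i)
    rx.on_frame(bc.frame(2, b"nav-2"), local_time=9)   # old frame, K_2 already public
    return rx


if __name__ == "__main__":
    rx = demo()
    print("authenticated intervals:", [i for i, _ in rx.authenticated])
    print("rejected:", rx.rejected)
```

    Two properties carry the security argument: the chain lets a receiver verify any disclosed key against the single anchor it trusts, and the arrival-time rule means a counterfeit frame cannot be accepted even after the key it would need becomes public. The lag D is the analogue of the authentication window the text mentions; a shorter lag limits how long a receiver flies on unverified data, at the cost of tighter clock-synchronization requirements.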

    Manufacturers

    The Hornet Mini UAV carries a µ-blox GPS receiver.


    Daniel P. Shepard is pursuing M.S. and Ph.D. degrees in aerospace engineering at the University of Texas (UT) at Austin. He is a member of the Radionavigation Laboratory.

    Jahshan A. Bhatti is pursuing a Ph.D. in aerospace engineering and engineering mechanics at UT and is a member of the Radionavigation Laboratory.

    Todd E. Humphreys is an assistant professor of aerospace engineering and engineering mechanics at UT and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.