Author : F.Filippi, M.Hunter, G.Buesnel, Spirent Communications
During 2019 and 2020 there was a significant increase in the number of real-world disruptive events affecting GNSS receivers and systems. Whilst a great many of the disruptive events involved RF interference, several occurrences of spoofing or meaconing have been observed such as in the Black Sea, and during 2020 in the region of Shanghai. It was observed that GNSS equipment and systems that were not obviously intended targets of the spoofing were also affected and output false location data which was seen via print outs and displays of AIS (automatic information system). Also, in 2020 a group of researchers working for an organisation active in developing Resilient GNSS products, demonstrated the impact of a spoofing impact on a highly automated motor vehicle’s GNSS equipment.
This paper investigates how susceptible commercial GNSS receivers are to GNSS spoofing events of the kind that have been widely reported in the public domain by conducting simulated spoofing attacks on a number of receivers under laboratory conditions and monitoring a number of performance parameters throughout the testing. A review of some of the recent real-world spoofing events and demonstrations is presented, highlighting the impacts where receivers were known to have been spoofed. From the observed impacts the likely behaviour of the receiver is assessed. A discussion of the likely effects of replica GNSS signals on receivers is included – it is often possible for GNSS receivers to behave in a confusing manner or even to cease working altogether in the presence of counterfeit constellation signals, even though the receiver is not fully spoofed by the signals.
The authors carried out some laboratory tests to further understanding of how commercially available receivers respond to meaconing and spoofing, with the objective of developing useful test methodologies and metrics that can be used to assess the robustness and resilience of receivers to real-world spoofing threats. The tests were undertaken in two major parts – in the first part of the testing, three commercially available receivers (A, B and C) were presented with a very simple meaconing/replay example with a scenario very similar to the event that occurred at Hanover Airport, Germany during 2010.
In the second part of the tests, the three receivers were subject to GPS spoofing at ranges of 10m, 50m and 100m. During the spoofing attacks, the power of the replica (counterfeit) GPS signals was gradually raised and then lowered. During the simulated GPS spoofing scenarios, the Horizontal Position Error (HPE) and Root Mean Square (RMS) of the residuals were closely monitored for each of the receivers. The results from each of the GNSS Receivers (A, B and C) are discussed and the differences in behaviour – at different spoofer ranges and the variability of behaviour based on receiver model – are discussed as are the implications for impact in the real world of similar events.
The terms “resilience” and “robustness” are discussed in detail and the authors argue that the definitions that are widely used in the field of protection of Critical Infrastructure can be applied to GNSS spoofing where a system’s robustness to spoofing attacks is not necessarily equivalent to the resilience of the system. Furthermore, defining these terms separately can lead to some advantages in defining meaningful test metrics. Some examples are shown to illustrate this. The authors then go on to present a generalised approach to defining meaningful, comparable test metrics that can be used to evaluate the performance of GNSS devices to spoofing – A sample set of measurement results obtained with a Spirent benchmarking scheme is presented. The need for responsible and full disclosure of commercial incidents is also highlighted– there is a clear need to understand and mitigate known vulnerabilities in a timely manner in the commercial sector to prevent so called “zero-day exploits”. Finally, the authors discuss how their proposed spoofing test frameworks could be expanded and used to drive significant improvements in the assessment of safety or liability critical systems performance.
GPS Spoofing used to be thought of as an esoteric, largely theoretical GNSS threat that would be exceptionally difficult to carry out in practice. This was due to the cost of equipment needed to transmit replica GPS signals – as well as the level of expertise required to mount an attack. However the cost of the equipment needed to carry out a spoofing attack has fallen significantly over the past few years and new technology – programmable software defined radios – have also become available. The expertise required to carry out a spoofing attack has also decreased with much of the code required to programme a software defined radio to act as a GNSS signal transmitter becoming widely available on the internet.
Nation states have also acquainted themselves with the application of GNSS spoofing – incidents of GPS spoofing have occurred around the world and several high profile incidents have been reported, namely the spoofing of commercial shipping in the Black Sea  and the “circular” spoofing of shipping near the port of Beijing . One of the striking things about the recent high profile spoofing events is the number of users affected collaterally by the spoofing – it is evident that under many of the spoofing threat scenarios it is not just the targeted receiver that is affected by the attack. Whilst we have seen much in the way of anecdotal data on the impact of spoofing on commercial receivers – including many anecdotes from the Institute of Navigation’s GNSS+ 2017 conference in Portland where a significant number of mobile phones were spoofed by signals leaking from a signal generator that was situated in the exhibition hall – quantitative data relating to the impact of spoofing on commercial GNSS receivers is not widely available and as the chances of encountering a spoofing signal are increasing there is a need to understand how receivers will respond to the types of threat they will typically encounter.
Figure 2 is a schematic of an example GNSS spoofing attack on a receiver with the goal of forcing it into generating a false position report. If the target receiver has no protection against spoofing attacks and if the attacker initially manages to align the replica signals accurately with the position of the target receiver, the receiver will lock on to the fake signals and can then be steered by the attacker to appear as if it were in a false position. As well as determining the position of the target receiver, the attacker has to ensure that the transmitted signals will arrive at the target receiver with a reasonable power level. A spoofing attack could also be mounted to disrupt timing services too (without moving the position of the target receiver) so quantitively understanding the impacts of spoofing attacks on commercial receivers with and without protection becomes essential. For this series of tests the spoofed (false) position corresponds with that of the spoofing source.
- Spirent GSS7000 Radio Frequency Constellation Simulator (RFCS)
- Rx under test – three representative commercial GNSS receivers that are widely in use today – they have been anonymised for this study and are named as Receiver A, Receiver B and Receiver C.
- Receiver user interfaces to monitor Receiver response and log NMEA messages
For all “Simulated Spoofing” scenarios the RFCS is used to generate simulated Live Sky GNSS signals as well as the spoofing signal. In “Live Sky” scenarios, the RFCS provides the spoofing signal and authentic Live sky signals from a roof-mounted antenna are combined with the spoofer signals from the RFCS. All testing was carried out as conducted tests in a closed laboratory environment.
The three sample GPS Receivers under test were subject to the following spoofing scenario which simulated a GNSS repeater (Meaconer) at a distance of 10m, 50m and 100m from the truth position.
Figure 3- Test Scenario
The spoofing signal is subject to a power ramp throughout the scenario. For the first 15 minutes the meaconer is not active. This allows the Receiver under test to acquire and track satellites and to settle into a stable operating regime. When the spoofing signal is activated it is slowly increased by 1dB every minute until it reaches a maximum power level of -118.5dBm.There is a 5 minute period with power levels of the spoofer set to maximum. The power level is then reduced back to the starting conditions gradually. Following this the receiver is allowed to settle again for a period of 15 minutes with no spoofing signal before being subject to a second spoofing attack with power ramped up by 1dB every minute up to the same -118.5dBm level – The scenario description is shown in table 1 below.
Table 1 Lab Spoofing Scenario
Timestamps are in hours:minutes:seconds format
GPS authentic level = – 128.5dBm
Figures 4-9 show results for the first spoofing attack – (first power ramp and power reduction). The plots show Horizontal Positioning Error and also the RMS residuals for all three receivers. Data recorded from the second ramp up of spoofer power levels is not included in this paper for reasons of space – the data is in fact very similar to the data recorded from the initial power ramp in the scenario and there is no additional value to be gained from displaying these results.
The main aim of this paper is to examine the suitability of this type of scenario as a benchmarking test, rather than to provide insights into the behaviour of the receivers under test. However it can be seen that even when subject to a simple and non-dynamic spoofing scenario used here, the three sample, representative receivers exhibited markedly different behaviour. It is also worth noting that the test results from this scenario show that the degree to which a receiver can withstand an attack does not necessarily correspond to the degree which a receiver recovers to its original operating state following an attack. Receiver C struggled with the scenarios- often quickly lost lock on the authentic signals and started to report erratic HPE data – also often failed to recover completely on ramp down – not locking onto any transmitted signals regardless of their authenticity.
The two other receivers show correlation between the point at which the HPE transitions from minimum to maximum as the spoofer power is ramped up, or vice-versa when the spoofer power is ramped down.
The peak in RMS residual appears to flag the point where the solution begins to be dominated by spoofing signal.. Note that Receiver B performs significantly better than Receivers A and C at all ranges when it comes to RMS residuals with much lower values consistently although small peaks in the RMS values can be observed on the 50 and 100m distance runs. Also note that when the power of the spoofer is ramped down a peak in RMS residuals is also observed at the point where the truth signal again becomes dominant. Also striking is that at least one of the receivers in these scenarios appear to exhibit hysteresis-like behaviour. Figure 8 shows the HPE response of Receiver B when subject to the ramp up and ramp down in power level of the spoofing signal. Hysteresis is often defined as the dependence of the state of a system on its history e.g., and so this is perhaps suggestive of a software-dependent issue to do with output (position) noise reduction. The lack of any similar evidence of hysteresis in the RMS residual plots probably back that up. Receiver B exhibits similar hysteresis in the scenario at both of the other distances (10m and 50m).
These particular scenarios were performed under ideal benchmarking conditions –– the alignment of simulated “live sky” and spoofed signals is almost perfect and there are no environmental variables to consider – with the spoofer and receiver in fixed locations, for a scenario designed to evaluate the degree of robustness and resilience of a selection of receivers against a spoofing attack, there is much to recommend this approach and some insights into receiver behaviour can also be gained, even though the scenario is not typical of real world conditions where alignment of spoofer signals with the authentic live sky signals in the target receiver correlators does not always occur – and if the spoofing episode is a malicious attack, the attacker will generally find it more difficult to conduct an attack with a high probability of success, especially if there is relative motion between the spoofing source and target system. However it is still important to assess the robustness/resilience of systems against the effects of spoofing, and to understand and document any unexpected system behaviour.
Observing the RMS Residuals of a receiver during a spoofing attack can provide a good indication as to whether a receiver is spoofed or not. All of the three commercial receivers tested here showed consistently that a peak in RMS residuals occurs when the power of the spoofer reaches the point at which the receiver cannot differentiate between authentic and replica signals – if the power of the spoofer is increased still further the RMS residual values are seen to decrease to normal values , but this is a consequence of the receiver tracking the spoofed signals. The monitoring of RMS residual values could be a promising means of detecting spoofing attacks in a receiver.
The scenario used in these tests was a very simple example of meaconing – with spoofer and receiver under test static, zero time delay added to the meaconer, and both the “Live Sky” and spoofer signals generated by a single GNSS Simulator. Three ranges, 10, 50, and 100m were simulated and the power level of the spoofing signal was ramped up and then down. However the responses of the receivers to this scenario shows that very small variations in the parameters of a spoofing attack can induce a large response in the target receiver – the results may be used to help evaluate the robustness and resilience of receivers to a spoofing attack
It is often much harder to spoof a GNSS receiver in real life than it is when carrying out simulated testing- this is due to spoofing signal alignment and other environmental variables such as multipath aid the defender in this regard. These tests evaluated the performance of receivers against a perfectly aligned spoofing attack – a “worst case” attack for the receiver. Whilst this is irrelevant from the point of view of developing a spoofing benchmark test for commercial receivers, more work needs to be undertaken on the spoofing of commercial receivers receiving authentic live sky GNSS signals in order to understand the factors that affect successful spoofing of receivers in real world conditions.
Resilience and Robustness are terms that are often used interchangeably in the PNT community – sometimes with definitions that overlap. The initial studies into spoofing undertaken in this paper highlights that a receiver’s resilience to spoofing may not equate to its robustness – and further work needs to carried out to look at whether there are significant differences and whether a test framework for GNSS receivers should incorporate separate assessments of the resistance to a spoofing scenario and the ability of a receiver to recover to its original state, having been subjected to a successful spoofing scenario.
This work highlights that it is essential that any discovered attacks are reported in the commercial sector so that effective mitigation can be put in place. Responsible disclosure of major vulnerabilities can only help the PNT community to protect users
 M.Jones, Spoofing in the Black Sea: What really happened?, GPS World, 11 Oct 2017
 Sinister Spoofing in Shanghai, Inside GNSS, 10 Dec 2019
 Wikepedia, https://en.wikipedia.org/wiki/Hysteresis
Mark Hunter (BSc(Hons) After gaining his honours degree in ’94 in Electrical and Electronic Engineering from Brunel University, Mark travelled far and wide as a contractor working in several Network Operation Centres and commissioning the fibre optic backbone of the internet.. After cutting his GNSS teeth in the UK as an Applications Engineer, he then relocated to the USA supporting this region. In 2016 the opportunity then arose to return to the UK and head up the new formed Professional Services team a role that he has relished ever since.
Francesca Filippi Full-time student in Electrical and Electronic Engineering (MEng) at Cardiff University. Francesca worked for Spirent Communication as Professional Services Staff member during her university placement year (2019/2020).
Guy Buesnel (BSc(Hons), MSc(Eng), CPhys, FRIN) Awarded MSc (Eng) in Communications Engineering from the University of Birmingham, BSc (Hons) in Physics with Atmospheric Physics from the University of Wales Aberytstwyth.Guy is a Chartered Physicist, a Member of the Institute of Physics, a Fellow of the Royal Institute of Navigation and is a member of the Interntational Advisory Council of the Rseilient Navigation and Timing Foundation. Guy is employed by Spirent Communications as PNT Security Technologist, Robust Position, Navigation and Timing and his research interest is in Positioning Navigation and Timing Systems cyber-security.