Let’s begin by saying we think the ZED-F9P is a fantastic device. We’re starting to see more and more multiband multi-constellation receivers such as the ZED-F9P. u-blox is a global provider of leading positioning and wireless communication technologies for the automotive, industrial, and consumer markets. However, what we want is to discuss and demonstrate how the “unjammable” u-blox F9P is, in-fact, subject to jamming from off-the-shelf handheld jammers if you know what to jam and how this jamming attack could be countered by infiniDome’s comprehensive anti-jamming detection and mitigation technologies.
Unmanned Arial Services (UAS) dependency on GPS
Through GPS satellite signals, highly accurate position, navigation, and timing (PNT) information is distributed globally for use by, among others, the UAS market. Here, GPS is considered to be a ubiquitous utility supporting military and law enforcement activities as well as multiple civil and commercial trades such as perimeter security, border patrol, police surveillance, convoy protection, aerial imagery, agricultural to surveying activities and so many more. Unmanned Aerial System use GPS data not only to get from point A to point B on their own; but require GPS for lifting off the ground and for all their autonomous or semi- autonomous modes. Critical Pixhawk modes like “Position”, “Altitude”, “Hold” and “Mission” don’t work. When GPS is denied, drones abort their mission, they drift away in seconds, not able to maintain stable altitude and with their “Return Home” mode disabled, they crash to the ground at some point (which is exactly what happened to a UK construction drone in August 2020).
Multi-Constellation Multi-Band is the New Golden Standard
The U.S. owned GPS constellation is the world’s most utilized satellite navigation system. But most critical applications nowadays do not want to put “all their eggs in the same basket” and rightfully so. Therefore, we see most systems adopt receivers which support not only different constellations like GLONASS, Galileo and Beidou but also different bands beside the 1575MHz L1 band like the 1227MHz L2C band and even the 1176MHz L5 band. Undoubtedly, this makes their systems much more robust to any types of attacks as they have very diverse sources for their PNT data.
The Vulnerability of GNSS is Well-known
Orbiting at 20,000km, the GNSS satellites emit a signal which is incredibly weak when received by GNSS receivers (~-125dBm). Jamming this signal is simply a matter of overpowering it. This can be done with an inexpensive jammer bought online for as low as $30 which floods its signal with white noise and simply creates the easiest to perform Denial Of Service attack on the drone’s GPS.
Implications of Jamming
Criminals, terrorists, and other adversaries create havoc and mayhem by jamming GNSS signals. Overcoming interference and ensuring continued operations during jamming disruptions is critical to multiple industries. Both Europe and the United States have undertaken initiatives to collect information of these invisible potentially catastrophic attacks and try to assess their damage. The EU’s program, Strike3 had found more than 50,000 high- powered GPS attacks across the EU in 2018 and the problem is only getting worse. A recent study by the UK Space Agency and the Royal Institute of Navigation shows that a 5 day outage of GNSS in the UK will result in a whopping $5B loss to the UK economy.
u-blox F9P
One of the most popular and relied upon GNSS receivers in the market is the u-blox series 8. The all new ZED-F9P is a significant improvement over the 8 series harnessing the multi- constellation multi-band approach with integrated RTK (Real Time Kinematics) capabilities for centimeter-level accuracy, also known as carrier-phase enhancement. The module enables precise navigation and was built to enable autonomous applications by providing unmatched positioning and timing accuracy while boasting advanced jamming and spoofing detection technologies.
Setting up the Test Bed
To test the actual resiliency of the ZED-F9P module, we will test how susceptible a ZED-F9P module connected directly to a standard GNSS Taoglas antenna is compared to a ZED-F9P, protected by our GPSdome 1.03 with two of the same standard GNSS Taoglas antennas. Immediately after connecting the u-blox, we can see in the u-center (u-blox’s great UI which allows for full insights of the data received and processed by the u-blox) the great multi constellation multi band capabilities of both modules – receiving GPS, GLONASS, Galileo and even BeiDou satellites while receiving both L1CA and L2C bands.
Jamming the Unprotected F9P
Now let’s begin to talk about jamming the unprotected u-blox F9P receiver. As we mentioned earlier, this is a fantastic device but, it can be jammed if you know what to jam. To begin, with we started with a tiny little device simply tuned to jam GLONASS G1 center frequency (1602MHz). Although this small signal generator that we have set its power to the maximum is not strong in its emitted power, it is close enough in proximity to our antenna to impact our reception – specifically the GLONASS G1 band. Immediately after turning it on we see a sudden dip in all satellites signals but all other signals bounce immediately back, except for the G1 satellites which are very attenuated and even lost. However, GPS L1, L2C, Galileo and BeiDou are still strongly received.
Now, we turn to jamming the L1 + L2 signals.
Basically, we bundled two jammers* together. The first one transmits a very wide signal, essentially killing the other L1 signals (GPS L1 + Galileo E1 and BeiDou B1); and the second one is a jammer that kills precisely the L1 and L2 GPS transmissions (making sure the L2 is affected as well). *note: These jammers are commercial, off- the-shelf, devices that can be easily purchased online for $30 – $40.
Immediately, after turning all jammers on, the SNR, the (Signal-to-Noise Ratio), also sometimes called the C-to-N (Carrier-to-Noise Ratio), drops drastically. Because u-blox’s processing gain and algorithms are fantastic, the receiver is able to maintain lock for almost 1 full minute, , but finally, even it surrenders to the attack and loses its lock, stopping to transmit all positioning and timing information.
Introducing the infiniDome GPSdome
Now, with a small change to our system, we are going to try to protect this receiver from such a jamming attack. To counteract the jamming signals, we installed one of infiniDome’s GPS protection solutions, the new generation GPSdome 1.03 which protects GPS L1 but passes through both GLONASS G1 and GPS L2. Instead of using a single GPS antenna, GPSdome uses a pair of exactly the same commercial off-the-shelf antennas. The rest of our test environment remained exactly the same.
GPSdome 1.03, like all infiniDome products, offers resilient GNSS data through our proprietary interference detection and mitigation technologies that both protect GNSS transmissions and alert of when the interference is detected. When triggered, an alert is either outputted directly from a wire output from the device that could be integrated into a customer system (GPIO) or it could be optionally sent via infiniDome’s CommModule over a cellular data link to the secure infiniCloud monitoring system (infiniDome’s GPS Security Cloud) which is accessible only to registered users.
While keeping all of the jammers still active (both the GLONASS jammer and the coupled wide + narrow GPS L1 + GPS L2 jammers), after adding the GPSdome’s protection to the receiver, we see more and more satellites being received with constantly improving SNR until position fix and a 3D fix is reestablished. And this, is exactly what we wanted to show, a protected system, start up in a hostile jammed environment, being able to overcome the interference and lock well to the very weak GNSS signal. This demonstrates how infiniDome’s solutions make every GNSS receiver, whether it be a u-blox or any other manufacturer, about 50 times more robust than an unprotected system.
For more details, please visit www.infinidome.com
