Ronny Blum, Nikolas Dütsch, Institute of Space Technology and Space Applications, Universität der Bundeswehr München, Germany; Carsten Stoeber, Rohde & Schwarz GmbH & Co. KG, Germany; Jürgen Dampf, Thomas Pany, Institute of Space Technology and Space Applications, Universität der Bundeswehr München, Germany

View Abstract Sign in for premium content


In this work we present the behavior of new and existing Signal Quality Monitoring (SQM) metrics under the influence of signal generator spoofing. Signal generator spoofing is the generation and emission of artificial authentic GNSS-signals, which tries to imitate the real satellite signals as good as possible to induce a wrong time and/or position output. The artificial signals must have a higher amplitude at the target position than the authentic signals to be tracked from the receiver. One at our institute investigated field of application, is GNSS based mobile networks, which are vulnerable to spoofing [1]. SQM metrics generally investigate the shape change of the correlation function (CF), which can occur due to multipath, spoofing or satellite payload hardware errors. We investigated synchronized attacks with the purchasable LOKI- Jamming and Spoofing generator from IGASPIN GmbH [2] and with MATLAB based simulations. Synchronized means that the spoofing signal synchronizes the code phase, the Doppler and the navigation data to the real satellite signal, fitting the incoming authentic signal at the target receiver location. The location of the target has to be estimated as good as possible to get the best results. Since synchronized attacks nowadays cannot be detected or mitigated by typical COTS (commercial of the shelf) receivers and many but not all receivers also acquire and track unsynchronized spoofing signals, spoofing protection in the receiver is needed. One way is to look for anti-spoofing-parameters in the receiver, including SQM-methods. The LOKI-Spoofer is able to perform a synchronized spoofing attack to real satellite signals and by now Galileo E1B/C and GPS L1 C/A signals can be spoofed. We implemented a new metric for spoofing detection for Galileo E1B and GPS L1 C/A signals in our software receiver MuSNAT [3], which we call Threshold Fluctuation Metric (TFM). It is a slight modification of the fluctuation metric in [4]. We compared the results of the proposed metric with the results for the well-known metrics Single Sided Ratio metric, the Double-Delta metric and the Delta metric and tested the metrics against the signal generator attacks and MATLAB based simulated spoofing attacks. Furthermore, the paper presents also a fully synchronized position spoofing attack with three well known receiver. For the simulations the TFM showed better results when the C/N0 was changing significantly. In this case the Double-Delta, the Single Sided Ratio and the Delta metric gave false alarms. Also during the spoofing attack, the new metric showed a more continuous detection rate and can therefore be considered as more reliable and stable. For a certain speed range with low speeds and a not too high spoofer gain the TFM could also detect the movement of the spoofer without a start delay to the target. We therefore recommend to use the TFM instead of the other investigated metrics. The LOKI spoofer experiments were made over cable. Since the delay can only be set in 100 ns steps, we could not test a perfect alignment of the code phase from the spoofer signal to the authentic signal. The smallest achievable code delay was about 15 m, where the TFM and the Single Sided Ratio metric could detect the attack in contrary to the Delta and Double-Delta metric. The position could be successfully shifted away for all investigated receivers (Septentrio PolaRx5TR, U-Blox M8T and IFEN SX3). Even with RAIM (Receiver Autonomous Integrity Monitoring) mode on, the Septentrio PolaRx5TR receiver could be spoofed. The anti-spoofing flag of the U-Blox M8T did not detect the spoofing attack. In order to distinguish a spoofing attack from normal multipath for the TFM we analyzed the results of many satellites, since multipath in contrast to spoofing transmission from one spot generally does not affect all satellites in the same way. This paper also shows how multipath affects the TFM on real signals captured with a roof antenna. The TFM can also be used for multipath detection. At the beginning of the LOKI spoofing attack, the TFM of all satellites were affected at the same time, which lead to a spoofing alert in our receiver.