Register    Attendee Sign In Sign in to access papers, presentations, photos and videos
Previous Abstract Return to Session A3a Next Abstract

Session A3a: GNSS Security: Interference, Jamming, and Spoofing 2

Consumer INS Coupled with Carrier Phase Measurements for GNSS Spoofing Detection
Tore Johansson, Marco Spanghero, and Panos Papadimitratos, KTH Royal Institute of Technology
Location: Beacon A

Global Navigation Satellite Systems (GNSS) enable precise localization and timing ubiquitously for a wide gamut of applications. Recent developments and several incidents make it clear that GNSS is vulnerable to a range of attacks. While solutions such as cryptographic protection of GNSS messages/signals emerge, legacy implementations provide only limited support.
Modern tools such as software-defined radios (SDRs) enable GNSS attacks, notably spoofing or meaconing i.e., crafting adversarial signals/messages or relaying/replaying GNSS to control the victim location/time. More so, sophisticated attacks can be subtle, not requiring jamming the victim receivers to cause a loss of lock on the actual satellites, but forge multiple satellites synchronized and code-phase aligned with the legitimate constellation and gradually lifting-off the receiver's solution. A key observation is that such sophisticated attacks are mounted with one transmitting SDR; the complexity of operating multiple synchronized transmitters in the field is high, especially in a highly distributed setting.
For this reason, we take these as basic realistic assumptions in this work, considering a sophisticated, powerful yet not omnipotent adversary: the attacker transmits all adversarial signals from a single antenna, and it is limited in its ability to track the victim. The latter means it is unfeasible to achieve centimeter-level resolution of the position of the target (victim), needed to achieve carrier phase lock, when the target is moving rapidly and unpredictably.
Inertial Measurement Units (IMU) have been successfully used in augmenting the accuracy and robustness of the GNSS PVT solution by, for example, detecting discrepancies between the GNSS-provided and the IMU-predicted positions, On the other hand, effective navigation based on inertial techniques in denied contexts requires high-end sensors, several orders of magnitude more expensive than mass-market consumer-grade, lower end IMUs usually embedded in mobile devices.
We build on previous work [1] that only considers the carrier phase measurements from a single high-frequency moving antenna and [2] that combines carrier and IMU measurements within a differential GNSS setup, requiring multiple receivers. We extend and augment the antenna displacement measurement by coupling the INS measurements with the carrier phase information, in a single antenna receiver. We demonstrate that this is possible to do even in commercially available GNSS receivers providing RAW measurements, even with the limitation imposed by the unknown structure of the tracking loops and the relatively limited carrier phase sampling rate.
This approach leverages short-time tracking of the GNSS antenna displacement with an inertial platform, to correlate the high-frequency movement at the receiver with the variation in the carrier phase; and this way, to identify legitimate transmitters based on their geometrical diversity. A statistical test based on the coupled measurements is then used to distinguish which time window is affected by the spoofer. By forcing specific movement patterns (predictable oscillations in the antenna) that can be excluded from a navigation perspective, we raise the bar for the attacker and make our detection method stronger.
While low grade IMUs are not suitable for long time integration, they perform extremely well in the short periods of time, allowing for fast integration to correlate the local displacement of the receiving antenna and in turn correlate it with the carrier phase measurements. For this reason we, we exploit carrier phase-based observations coupled with a low-end inertial sensor to identify spoofing and meaconing.
We implement a platform designed to effectively compare different tiers of INS platforms and GNSS receivers, based on commercial consumer devices. By characterizing the different sensors, we show that simple MEMS INS perform as well as high end industrial grade sensors, showing that sensors that are traditionally considered unsuited for navigation purposes offer great performance at the short integration times used in the presented method. Results from benign and adversarial control cases, in a controlled environment and through field testing (Jammertest 2024) show that the detector achieves a best-case scenario of 90% accuracy in correctly identifying spoofing, without any modification to the receiver structure with mass-production grade INS commonly used in mobile phones.

[1] Psiaki, Mark L., Steven P. Powell, and Brady W. O'Hanlon. "GNSS spoofing detection using high-frequency antenna motion and carrier-phase data." proceedings of the 26th international technical meeting of the satellite division of the Institute of Navigation (ION GNSS+ 2013). 2013.
[2] Clements, Zachary, James E. Yoder, and Todd E. Humphreys. "Carrier-phase and IMU based GNSS spoofing detection for ground vehicles." Proceedings of the ION International Technical Meeting, Long Beach, CA. 2022.



Previous Abstract Return to Session A3a Next Abstract