Title: Spoofing Threats: Reality Check, Impact and Cure
Author(s): Wim De Wilde, Jan Van Hees, Gert Cuypers, Jan Dumon, Jean-Marie Sleewaegen, Bruno Bougard
Published in: Proceedings of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017)
September 25 - 29, 2017
Oregon Convention Center
Portland, Oregon
Pages: 1289 - 1327
Cite this article: De Wilde, Wim, Van Hees, Jan, Cuypers, Gert, Dumon, Jan, Sleewaegen, Jean-Marie, Bougard, Bruno, "Spoofing Threats: Reality Check, Impact and Cure," Proceedings of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), Portland, Oregon, September 2017, pp. 1289-1327.
Abstract: Over the last decade, GPS was introduced into numerous applications for tracking persons, vehicles and goods. This came along with the commercial availability of jamming devices. The chirp signals generated by these basic devices could affect GPS reception in large areas. In the last few years, many publications have described effective methods to mitigate chirp jammers, and commercial receivers that are resilient against this type of interference have become available. While jammers simply block positioning, GPS spoofers attempt to take control of the positioning output, deceiving the end user. This is accomplished by sending counterfeit GPS signals into the GPS antenna. Spoofers can alter the tracks recorded by vehicle monitors and break geofences, which are commonly applied to restrict the area in which devices or people can operate. One example of this is the electronic monitoring of criminals. Spoofers also pose a risk to critical infrastructure, including power plants, telecommunication networks and transportation systems, as these rely on GPS for precise timing. Counterfeiting GPS signals is a rather complex task. It involves the generation of multiple CDMA-modulated radio signals, which are delayed and Doppler shifted to represent the signal at the desired (artificial) user position. Until just a few years ago, GPS signal simulators were expensive devices designed for rack mounting. Hence, the use of spoofers by individuals or criminal organisations was not a realistic threat. This changed with the advent of compact software-defined radios (SDRs), which build on the latest advancements in RF semiconductor technology. These affordable credit-card-sized radios generate fully configurable RF signals. They receive digital samples from a laptop over a high-speed USB connection. Many SDR developments are driven by the open source community and, since 2015, open source software for generating digital GPS signals can be downloaded from the internet.
The software repository includes instructions for using it with the most common SDRs, and its compilation is a trivial task for anyone with some programming background. We were able to set up the system in a short time, spoofing the location reported by cell phones. The paper will first analyse the GPS signal produced by a common SDR. This includes power measurements and range predictions as well as clock stability and consistency of the imitated code and phase ranges. Subsequently, the paper describes the impact of these readily accessible spoofers on various receiver types. We tested the spoofer on cell phones, on automotive-grade receiver modules and on several high-accuracy receivers. The PolaRx5 receiver participating in the test offers a wide variety of signal quality outputs and a graphical user interface to display them in real time or during post-processing. This provides full visibility into the spoofer’s behaviour. The tests cover a number of spoofing scenarios. In many vehicle tracking and geofencing attacks, the user has access to the GPS antenna. Authentic GNSS signals can be blocked and replaced with imitated signals. This is the first scenario in which receiver behaviour will be analysed, along with the impact of power levels and time offsets. If the antenna cannot be accessed, the spoofing signal needs to be superimposed on the genuine GNSS signal. As a first, crude approach, this can be achieved by simply connecting a transmit antenna to an SDR and overpowering the signal from space, with only coarse time synchronization. Note that, in principle, this attack could be detected by observing an unusual antenna-referenced power spectral density. After analysing the receiver behaviour when affected by this basic spoofing approach, we will study a more sophisticated spoofing attack, in which the spoofer synchronises to GPS and gradually pulls the tracking channels away from the authentic signal.
Once a receiver is tracking the spoofer signal, the transmit power could be lowered, making the spoofer almost undetectable. This attack will be simulated using a commercial RF constellation simulator, which is capable of simulating this form of spoofing. The spoofing robustness of receivers depends on their ability to discriminate between an authentic signal and a counterfeit signal. This in turn depends on the quality of the counterfeiting. It will be pointed out that the cost and complexity of a spoofer rapidly increase with the number of signal features it is able to simulate. Septentrio receiver modules monitor many parameters, which could be used for authenticity assessment of the signal. They have insight into multiple components of the signal broadcast by the satellite, into clock behaviour and into signal propagation effects like multipath and ionospheric delay. In addition, they can detect and mitigate complementary jammers. This enables the construction of a spoofing indication flag, which reacts correctly to any spoofing scenario of the earlier tests, including the sophisticated scenario.