Time Synchronized Signal Generator GNSS Spoofing Attacks against COTS Receivers in over the Air Tests

Ronny Blum, Nikolas Dütsch, Jürgen Dampf, Thomas Pany

Peer Reviewed

Abstract: In this work we present the results of over-the-air spoofing experiments with common Commercial Off-The-Shelf (COTS) receivers. In the literature, only very few over-the-air transmissions of spoofing signals have been treated, most likely because of missing transmission permission. This paper therefore analyses some successful spoofing experiments with over-the-air transmission. Signal generator spoofing is the generation and emission of artificial but authentic-looking Global Navigation Satellite System (GNSS) signals with a signal generator, which tries to imitate the real satellite signals as closely as possible in order to induce a wrong time and/or position output on the victim receiver. The artificial signals must have a higher amplitude at the target position than the authentic signals in order to be tracked by the receiver. We investigated synchronized attacks with a purchasable jamming and spoofing generator from [14], which is able to perform a spoofing attack synchronized to the real satellite signals; at present, Galileo E1B/C and GPS L1 C/A signals can be spoofed. The spoofing device estimates the navigation bits and code phase in real time. The position could be shifted kilometres away from the initial position. The behaviour of several anti-spoofing parameters under the spoofing attack was analyzed, among them tracking parameters such as the Code Minus Carrier (CMC), Code Rate of the Replica (CRR), Doppler, discriminator values, In-Phase (I) and Quadrature (Q) channel power and C/N0. Additionally, several Signal Quality Monitoring (SQM) parameters were tested: the Single Sided Ratio Metric (SRM), Ratio Metric (RM), Delta Metric (DM), Double Delta Metric (DDM), Moving Variance of Delta Metric (MV) and the Threshold Fluctuation Metric (TFM), presented in [9]. For this specific spoofing experiment, all considered anti-spoofing parameters and metrics showed a significant deviation when the spoofing started, which allows for threshold-based detection methods.
One receiver could be spoofed with Galileo E1B/C and GPS L1 C/A signals even though it tracked authentic Beidou and GLONASS satellites on the L1 band in parallel. This illustrates that a spoofer does not necessarily need to spoof all GNSSs supported by the receiver in order to perform a successful spoofing attack. The position shift of the receivers was in the kilometer range.
Published in: Proceedings of the 2021 International Technical Meeting of The Institute of Navigation
January 25 - 28, 2021
Pages: 125 - 148
Cite this article: Blum, Ronny, Dütsch, Nikolas, Dampf, Jürgen, Pany, Thomas, "Time Synchronized Signal Generator GNSS Spoofing Attacks against COTS Receivers in over the Air Tests," Proceedings of the 2021 International Technical Meeting of The Institute of Navigation, January 2021, pp. 125-148.
https://doi.org/10.33012/2021.17814