Stealth Spoofing of the CSSR Open Standard: A First Demonstration with QZSS CLAS

Hayato Shiono, Nobuaki Kubo

Peer Reviewed

Abstract:	High-precision GNSS services utilizing the Compact State Space Representation (CSSR) format, such as QZSS CLAS, have become a de facto standard for scalable augmentation. However, the openness of these correction streams introduces significant security vulnerabilities. This study presents a comprehensive vulnerability analysis of CSSR against stealthy data-layer spoofing attacks. We classify potential attack vectors and evaluate their impact using both post-processing analysis and Hardware-in-the-Loop (HILS) experiments targeting a commercial u-blox ZED-F9P receiver. Our results reveal a critical dichotomy in receiver response: while scalar-based manipulations (clock, phase bias) are largely absorbed by the Kalman filter’s floating ambiguities, exhibiting intrinsic resilience, vector-based attacks (orbit, troposphere) successfully induce controlled position drifts without triggering integrity alarms. HILS validation confirmed that a 1-meter horizontal displacement was achieved while maintaining Fix solution quality, demonstrating the real-world feasibility of these attacks. We conclude that algorithmic defenses alone are insufficient, underscoring the necessity of cryptographic countermeasures such as Navigation Message Authentication (NMA) to secure the open high-precision GNSS ecosystem.
Published in:	Proceedings of the ION 2026 Pacific PNT Meeting April 13 - 16, 2026 Hilton Waikiki Beach Honolulu, Hawaii
Pages:	772 - 785
Cite this article:	Shiono, Hayato, Kubo, Nobuaki, "Stealth Spoofing of the CSSR Open Standard: A First Demonstration with QZSS CLAS," Proceedings of the ION 2026 Pacific PNT Meeting, Honolulu, Hawaii, April 2026, pp. 772-785. https://doi.org/10.33012/2026.20610
Full Paper:	ION Members/Non-Members: 1 Download Credit Sign In