Spoofing and jamming over GNSS
Position and time variables are increasingly used in processes and systems that require automation, real-time execution, asset tracking, synchronisation of operations or remote control. Their precision and accuracy are not enough on their own: their integrity, availability and, in certain cases, confidentiality must also be guaranteed.
These needs have driven the evolution of global navigation satellite systems (GNSS, Global Navigation Satellite System) alongside the Internet of Things (IoT), the Industrial Internet of Things (IIoT) and 5G technology; hybrid projects combining satellite, mobile-phone and Internet networks are under way, such as the GINTO5G (GNSS + 5G) project or the NTRIP (GNSS + Internet) system.
Wi-Fi networks or GSM (Global System for Mobile communications) towers are technologies that can also be used for geolocation and time measurement. However, the technology par excellence is GNSS, with worldwide coverage; the best-known systems are Galileo (European), GLONASS (Russian), BeiDou (Chinese) and GPS (American).
The GNSS system and its signal
Each GNSS works with a characteristic set of frequency bands over which its information is broadcast. Each RF (Radio Frequency) signal, carrying that information, travels from the space segment to the user segment. These two segments, together with a control segment, make up the segmentation common to all GNSS:
- Space segment: the constellation of satellites of each system, which generates the data to be processed by the receivers.
- Control segment: a network of ground stations responsible for monitoring and correcting the data transmitted by the space segment.
- User segment: made up of the receiving devices in charge of calculating the position and time variables from the received data. It is the segment that makes compatibility between the different GNSS possible.
BeiDou, GPS, Galileo and GLONASS frequency bands. Source: Rohde&Schwarz.
The GNSS signal, which the receiving device’s hardware or software must process, consists of:
- A carrier: an analogue signal in the UHF (Ultra High Frequency) band, to which the receiver must be tuned and synchronised in order to receive and process the data correctly.
- A digital PRN (PseudoRandom Noise) code, which identifies each satellite and determines whether the positioning service is for civilian or military use. This is the case of the GPS C/A (civil) and P (military) codes.
- A digital navigation message, which contains two types of data packets, known as the almanac and the ephemeris. The almanac includes, among other things, orbital parameters and the instant at which the satellite sends the signal; the ephemeris contains data on the precise position of the satellite.
Both the sending of the signals by the satellites and their acquisition by active receivers take place periodically. Synchronisation of the transmission relies on the design of the clocks in satellites and receivers. When the receiver tunes the signal, it measures the time the wave took to arrive and, knowing the speed of propagation in a vacuum, calculates its distance to the satellite. The receiver then obtains its 3D position (latitude, longitude and altitude) by trilateration with the data from four satellites.
GNSS trilateration. Source: O'Reilly.
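The trilateration step described above, written out as an added example (not code from the original article): four pseudoranges, each the true range plus the receiver's own clock offset, are solved for position and clock bias by iterative least squares. The satellite positions, receiver position and clock bias are constructed values.

```python
# Added example, not from the article: recovering a receiver's position and clock
# bias from four pseudoranges by iterative least squares (Gauss-Newton).
# Satellite positions, receiver position and clock bias below are constructed.
import math

C = 299_792_458.0  # speed of light in vacuum, m/s

def gauss_solve(A, b):
    """Solve the square system A x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]

def pseudoranges(sats, pos, clock_bias_s):
    """What the receiver measures: geometric distance plus c times its own clock offset."""
    return [math.dist(s, pos) + C * clock_bias_s for s in sats]

def solve_position(sats, rho, iters=20, tol=1e-6):
    """Return (x, y, z, clock bias in s) from >= 4 satellite positions and pseudoranges."""
    x, y, z, b = 0.0, 0.0, 0.0, 0.0   # start at Earth's centre; b is c * clock bias, in metres
    for _ in range(iters):
        H, resid = [], []
        for (sx, sy, sz), r in zip(sats, rho):
            d = math.dist((sx, sy, sz), (x, y, z))
            H.append([(x - sx) / d, (y - sy) / d, (z - sz) / d, 1.0])  # linearised range
            resid.append(r - (d + b))
        n = len(H)
        HtH = [[sum(H[k][i] * H[k][j] for k in range(n)) for j in range(4)] for i in range(4)]
        Htr = [sum(H[k][i] * resid[k] for k in range(n)) for i in range(4)]
        dx, dy, dz, db = gauss_solve(HtH, Htr)   # normal equations of the least-squares step
        x, y, z, b = x + dx, y + dy, z + dz, b + db
        if max(abs(dx), abs(dy), abs(dz), abs(db)) < tol:
            break
    return x, y, z, b / C

# Constructed scenario: four satellites at roughly GPS orbit radius (about 26,560 km),
# a receiver on the Earth's surface and a 1 ms receiver clock offset.
SATS = [(26560e3, 0.0, 0.0), (20000e3, 15000e3, 5000e3),
        (20000e3, -12000e3, 10000e3), (18000e3, 3000e3, -18000e3)]
TRUE_POS, TRUE_BIAS = (6371e3, 0.0, 0.0), 1e-3

if __name__ == "__main__":
    print(solve_position(SATS, pseudoranges(SATS, TRUE_POS, TRUE_BIAS)))
```

The fourth unknown is the reason four satellites are needed: three ranges would fix a point only if the receiver's clock were already synchronised to the satellites.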
GNSS vulnerabilities and threats
All signals transmitted by a GNSS satellite are inherently vulnerable, since they are RF waves, and they arrive attenuated at the Earth’s surface, which exposes them to multiple threats, whether intentional or unintentional, such as:
- Environmental conditions: the composition of the atmosphere, refraction and reflection phenomena, multipath propagation or obstruction of the line of sight between satellite and receiver. All of these affect the direction and propagation time of the RF wave and its characteristics, preventing the receiver from tuning the signal correctly.
- Emitting system errors: they are related to faults in the clocks on the satellites or sending incorrect data.
- Receiving system errors: they may be due to a malfunction or the poor quality of the machine’s hardware, which introduces noise in the signal to be processed. It can also be due to a clock fault, which causes poor synchronisation.
- Human factor: dependence on a single GNSS, lack of training in its use and failure to recognise a malfunction also lead to processing incorrect information.
- Interferences: this term covers all unwanted RF transmissions whose frequency band overlaps a GNSS band. Ultra-Wideband (UWB) wireless communications, Mobile Satellite Service (MSS) or even other GNSS may be considered unintentional interference; jamming and spoofing are intentional techniques.
Jamming is an intentional interference technique consisting of emitting RF signals with specific properties and higher power than the target signal, in order to totally or partially block the reception of the latter.
There is also a form of jamming called meaconing, which only requires tuning into the real GNSS signals, recording them and retransmitting them after a certain delay and with more power to confuse the receiver. The attacker has no control over the time and position variables the receiver calculates, although there is a certain chance of the opposite happening, as will be seen in the spoofing section.
It should be noted that the inhibitor device, or jammer, does not act selectively and has side effects on other systems, such as air traffic control (ATC). Their use is forbidden unless authorised, yet they are sold in a wide variety of prices and sizes.
Jammers below 100 W are the most dangerous, because they are difficult to detect: a small, cheap 1 W inhibitor can cover 20 km². Examples are PPDs (Personal Privacy Devices) or SDR (Software Defined Radio) transmitters.
Block diagram for jamming and spoofing operations using SDR blocks as Front-End.
Spoofing is another intentional interference technique, in which a device transmits a signal analogous to the satellite signal, but which has higher power, in such a way that the GNSS receiver tunes the false signal instead of the real one, and thus calculates an incorrect position or an erroneous time variable.
Like a jammer, a spoofer (the device that impersonates authentic GNSS signals) is illegal to use. There are several techniques to achieve the aim of this cyberattack:
- Simulate a GNSS signal. To do this, online databases of almanacs, ephemerides and PRN codes are used to build the false GNSS signal in simulator software. This technique works if the false signal is the first one the target receiver tunes to after starting its acquisition period. Otherwise, it may be ignored, so jamming is sometimes used as a preliminary step.
- Generate an analogous GNSS signal synchronised with the real one. This consists of a process of gradual alignment and misalignment between the real and the false signal in time, shape and power; that is, the false information is not imposed directly as in the previous case. To do this, the shape of the real signal must be known, so the spoofer needs both reception and emission capabilities.
- Nulling. In this technique, the spoofer emits two signals for each real GNSS signal to be supplanted. One is the real signal shifted 180° in phase, which cancels the one emitted by the satellite; the other is the more powerful false signal.
- Meaconing. As mentioned in the jamming section, there is a certain likelihood that when meaconing the signal is processed correctly by the receiver, even if it is military-type, and the receiver thus calculates a false position.
Against both threats it is common to boost the real signal with repeaters so that it arrives stronger; however, this alone does not suffice.
As solutions to jamming the following are proposed:
- Jamming detectors: they are devices that detect a nearby active jammer using signal-processing algorithms, which identify alterations in the received wave, such as frequency peaks.
- Anti-jamming antennae: known as CRPA (Controlled Reception Pattern Antennae), these are essentially arrays of receiving antennae able to modify their reception pattern so as to reduce gain in the direction from which the interference arrives, creating a null to avoid jamming. This also makes it possible to detect the direction of the interference source and to provide additional reception gain for the real signals.
- Inertial devices: This solution consists of coupling an inertial IMU (Inertial Measurement Unit) to a GNSS receiver. Thus, in the event of signal loss, the receiver will make its calculations based on the latest calculated data and those provided by the IMU.
- Notch filters or adaptive band-rejection filters to eliminate the region of the frequency spectrum affected by the interference. They must be implemented before the receiver’s ADC (Analogue-to-Digital Converter).
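A minimal jamming detector of the kind described in the first point above, as an added example (not code from the article or any product): it computes the spectrum of a block of digitised front-end samples and flags bins that stand far above the noise floor. The sample block is constructed: white noise stands in for the spread GNSS signal, which lies below the noise floor, and a single tone models a narrowband jammer.

```python
# Added example, not from the article: narrowband jamming detection by looking for
# spectral peaks well above the noise floor in a block of front-end samples.
import cmath, math, random

def dft_magnitudes(samples):
    """Magnitude spectrum by direct DFT (fine for the short blocks used here)."""
    N = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * n / N) for n, x in enumerate(samples)))
            for k in range(N // 2 + 1)]   # real input: keep non-negative frequencies only

def detect_jamming(samples, margin_db=15.0):
    """Return the spectral bins exceeding the median magnitude by more than margin_db."""
    mags = dft_magnitudes(samples)
    floor = sorted(mags)[len(mags) // 2]   # median: a robust estimate of the noise floor
    return [k for k, m in enumerate(mags)
            if m > 0 and 20 * math.log10(m / floor) > margin_db]

def front_end_samples(n=256, sigma=1.0, jammer_amp=0.0, jammer_bin=40, seed=3):
    """Constructed sample block: Gaussian noise plus an optional CW tone on one bin."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, sigma) + jammer_amp * math.cos(2 * math.pi * jammer_bin * i / n)
            for i in range(n)]

if __name__ == "__main__":
    print("clean:", detect_jamming(front_end_samples()))
    print("jammed:", detect_jamming(front_end_samples(jammer_amp=1.0)))
```

The tone is below the per-sample noise power, yet the DFT's processing gain over 256 samples makes it stand out clearly; a real detector would run this continuously and alarm on persistent peaks.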
Solutions to spoofing include:
- Signal-processing algorithms: they look for sudden changes in the characteristics of the received signal, such as amplitude, phase or power, or they also check its autocorrelation function. With this technique it is only possible to detect spoofing at the time of the initial attack: after that, it is useless.
- Radio spectrum monitoring: to detect duplicate signals.
- Array of receiving antennae: it detects the false signal from its angle of arrival.
- Encryption: this solution is used for military services or under authorisation and is forbidden for civilian use. The encryption can be symmetric or asymmetric and may be applied at the signal level or at the data level. The encryption codes and algorithms used are secret, and without them it is impossible to spoof. Moreover, receivers compatible with this solution must include the classified algorithms, hold the relevant key repository and be certified for military use.
  - At the signal level, only the PRN code is encrypted. This is the case of the GPS P(Y) code, which results from encrypting the P code with the W code.
  - At the data level, only the message is encrypted, not the PRN. The receiver is thus able to track the signal, but never knows what the message says and therefore does not calculate a falsified position. This is the case of Galileo’s OS-NMA.
- Using a PRN data server: the transmission is verified against stored historical PRN data, without the receiver having to hold them in its internal memory, which gives simple receivers a degree of protection.
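An added example (not code from the article) that combines two of the spoofing cues listed above: a second correlation peak for the same PRN, which is what a duplicate signal looks like to the receiver, and a sudden jump in received power. A 127-chip m-sequence stands in for a real PRN code; amplitudes, code phases and noise are constructed values.

```python
# Added example, not from the article: spoofing check based on duplicate correlation
# peaks and a sudden rise in received power, using a short m-sequence as the PRN.
import math, random

def prn_code(length=127):
    """Maximal-length LFSR sequence for x^7 + x^3 + 1, chips mapped to +1/-1."""
    state = [1] * 7
    chips = []
    for _ in range(length):
        chips.append(1 if state[6] else -1)
        state = [state[6] ^ state[2]] + state[:6]   # feedback from stages 7 and 3
    return chips

def circular_correlation(rx, code):
    """Normalised correlation of rx with the local replica at every code phase."""
    L = len(code)
    return [sum(rx[n] * code[(n - lag) % L] for n in range(L)) / L for lag in range(L)]

def received(code, amp, phase, noise_std, seed=1):
    """Constructed one-period capture: the code at a given phase plus Gaussian noise."""
    rng = random.Random(seed)
    L = len(code)
    return [amp * code[(n - phase) % L] + rng.gauss(0.0, noise_std) for n in range(L)]

def mix(*signals):
    """Superpose several captures sample by sample (genuine signal plus a duplicate)."""
    return [sum(s) for s in zip(*signals)]

def check_spoofing(rx, code, prev_power=None, peak_ratio=0.5, jump_db=3.0):
    """Flag more than one correlation peak, or a power rise above jump_db since last check."""
    corr = circular_correlation(rx, code)
    top = max(abs(c) for c in corr)
    peaks = [lag for lag, c in enumerate(corr) if abs(c) >= peak_ratio * top]
    power = sum(s * s for s in rx) / len(rx)
    jump = prev_power is not None and 10 * math.log10(power / prev_power) > jump_db
    return {"peaks": peaks, "power": power, "power_jump": jump,
            "suspect": len(peaks) > 1 or jump}

if __name__ == "__main__":
    code = prn_code()
    genuine = received(code, 1.0, 20, 0.3)
    first = check_spoofing(genuine, code)
    duplicate = mix(genuine, received(code, 1.5, 50, 0.0))   # stronger copy, other phase
    print(first, check_spoofing(duplicate, code, prev_power=first["power"]))
```

As the article notes, this kind of check is most useful at the moment the second signal appears; once the receiver has locked onto the stronger copy and the original has been pulled away or drowned out, a single peak is all it sees again.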
The use of GNSS receivers has become widespread, and jamming and spoofing techniques, like the technology itself, pose an ever-evolving threat: low-cost, small-size equipment with extensive attack capabilities and increasingly sophisticated strategies.
This is compounded by the fact that, to date, GNSS transmissions for civilian use lack the anti-jamming and anti-spoofing protection that military transmissions have; and for those that require authorisation to use, there is not yet a regulatory policy.
Jamming and spoofing techniques, depending on the purpose of the person using them, can be used as attack techniques or as defensive techniques, such as in the protection of restricted airspace against drones.
New strategies are currently being developed to address these cyber threats and to make GNSS less vulnerable; they include: the new generations of systems, such as GPS III; the use of complementary systems, such as Augmentation Systems (SBAS), or the development of new receivers, such as GUARD (GNSS Universal Anti-spoofing Receiver Design).