
Blog Editor’s Note: GPSPatron wants to help protect you from GNSS spoofing.

But many folks are still skeptical. They think spoofing must be pretty difficult and/or expensive. Not something they need to be concerned about.

Kinda like ransomware. Not really a problem. Until it is.

Thanks to GPSPatron for an interesting set of tutorials describing the low cost and ease of different spoofing equipment and attacks. 

A great resource for technologists, and a wake-up call for policy makers.

 

GNSS Spoofing Scenarios with SDRs

In the previous article, we described some of the existing open-source projects for GPS signal simulation. In this article, we explain possible attack scenarios with an SDR, how a time server responds to spoofing, and how to detect spoofing and mitigate its effects. We are not using expensive GNSS signal simulators (Spirent, Orolia, Rohde & Schwarz) or electronic warfare equipment. We are reviewing what attack scenarios can be run with just $1,000!

GPS Spoofing with HackRF One


This setup generates GPS signals only. If your receiver supports GLONASS and BeiDou, such spoofing is not a problem. Galileo signal reception will not save you, because Galileo and GPS share the same radio band and a fake GPS signal will block reception of Galileo signals.

But sometimes the fake GPS signal power is so high that it overloads the input channel of the GNSS receiver, and it can no longer receive GLONASS and BeiDou.

Attack cost: Depends on the SDR being used:

Attack time: From 15 seconds to 5 minutes.

This depends on the receiver's embedded LO (local oscillator) tuning algorithms. We have repeatedly observed cases where an LO was realigned to a fake GPS signal just 15 seconds after an attack started.

Check out this video: https://youtu.be/si7Y5hx_ZA0.

Time server behavior: If the spoofer signal is strong enough, the time server's GNSS receiver loses the original signals, stops providing a navigation solution, and goes into search mode. The time server indicates an error and goes into holdover mode. In about 10-30 seconds, the GNSS receiver finds the fake signals and reports the erroneous data. The time server then aligns its built-in reference oscillator to the fake GNSS signals.

Attack distance: 50 meters (approximate figure).

It strongly depends on signal propagation conditions.

The HackRF One's RMS output power level for GNSS signals is about -10 dBm. This is enough to overpower the real signals within a radius of 5 km in line of sight.

So why did we specify only 50 meters?

In this scenario, the SDR generates an asynchronous signal, which the GNSS receiver perceives as noise/interference because the receiver is locked only to the real signals. The high spoofer power is needed here to completely block reception of the original signals and force the receiver into search mode. At a distance of 50 meters, the spoofer signal power is 40 dB higher than the original signals. This overloads the first preamplifier of the GNSS receiver, so the genuine signals are lost.

Therefore, high power is needed only in the first seconds of the attack.

Protection: Protecting a time server is easy. You can use any modern GNSS receiver that supports GLONASS, Galileo, and BeiDou. The GNSS receiver will automatically exclude false GPS signals from the calculation of the navigation solution because of their large pseudorange/Doppler errors compared to the other systems.
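
A detection check for the time server behavior described above, added here as an example (it is not code from GPSPatron's article): it flags a relock after a loss of lock when GNSS time disagrees with the holdover oscillator by more than drift could explain. The Sample fields, the drift and noise thresholds, and the log values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: float          # seconds since start of capture
    locked: bool      # receiver is providing a navigation solution
    offset_ns: float  # GNSS time minus local reference oscillator (valid when locked)

# Assumed values for illustration; tune to the oscillator actually fitted.
DRIFT_NS_PER_S = 1.0  # worst-case holdover drift of the reference oscillator
NOISE_NS = 100.0      # measurement noise allowed on the offset

def find_suspect_reacquisitions(samples):
    """Return (loss_t, relock_t, jump_ns) for every outage after which the
    GNSS-vs-oscillator offset moved further than holdover drift allows."""
    alerts = []
    last_locked = None  # last sample taken while the receiver was locked
    loss_t = None       # time the current outage began, if any
    for s in samples:
        if not s.locked:
            if loss_t is None:
                loss_t = s.t
            continue
        if loss_t is not None and last_locked is not None:
            gap = s.t - last_locked.t
            jump = s.offset_ns - last_locked.offset_ns
            # The oscillator can only have wandered this far during the gap.
            if abs(jump) > NOISE_NS + DRIFT_NS_PER_S * gap:
                alerts.append((loss_t, s.t, jump))
        loss_t = None
        last_locked = s
    return alerts

# Constructed status log: one benign outage, then one spoof-like relock.
SAMPLES = [
    Sample(0, True, 20.0),
    Sample(10, False, 0.0), Sample(20, False, 0.0),
    Sample(30, True, 35.0),         # 15 ns shift after 30 s: within budget
    Sample(100, True, 30.0),
    Sample(105, False, 0.0), Sample(115, False, 0.0),
    Sample(125, True, 250030.0),    # 250 us shift after 25 s: not drift
    Sample(135, True, 250031.0),
]

if __name__ == "__main__":
    for loss_t, relock_t, jump in find_suspect_reacquisitions(SAMPLES):
        print(f"lock lost at {loss_t}s, relock at {relock_t}s, jump {jump:.0f} ns")
```

A time server that raises this alert can remain in holdover instead of steering its reference oscillator to the newly acquired signals.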