A Multi-Antenna Defense: Receiver-Autonomous GPS Spoofing Detection
Although GNSS spoofing — transmitting spurious signals to fool a receiver — has not yet emerged as a major problem for civil users, it represents a growing risk. Certainly the capability exists and, with ever more security-related applications coming online, the motivation for spoofing is increasing, too. In this article, researchers discuss a variety of countermeasures and demonstrate one successful method to detect GPS spoofing with a multiple antenna array.
The issue of intentional or inadvertent interference to GNSS signals is a matter of growing concern throughout the world.
In a study released the day before the terrorist attacks on the Pentagon and the New York World Trade Center in September 2001, the U.S. Department of Transportation assessed the national transportation infrastructure’s vulnerability to civil GPS disruption.
The agency’s investigation and subsequent recommendations, known as the Volpe report, warned that “as GPS further penetrates into civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups or countries hostile to the U.S.”
A few years later, in a 2004 National Security Presidential Directive on space-based positioning, navigation, and timing (PNT), former U.S. President Bush gave the Department of Homeland Security (DHS) responsibility for leading development of a plan to address concerns about interference to GPS.
DHS issued a preliminary interference detection and mitigation (IDM) plan last year.
To date, most actual incidents involving GPS interference — whether intentional or unintentional — have involved in-band or out-of-band harmonic RF transmissions that masked the weak GPS spread spectrum signals.
A good deal of anxiety has been expressed in recent years about inexpensive GPS jammers that, at power levels as low as one watt, could cause wide areas of disruption to GPS service.
Among other types of intentional interference, the Volpe report and the IDM plan mention civil GPS spoofing, a technique by which a GPS receiver is fooled into tracking counterfeit GPS signals.
Spoofing is more sinister than intentional jamming because it is surreptitious: the targeted receiver cannot detect the attack and, consequently, can be fooled into generating erroneous data that may even be hazardously misleading.
Previous work into civil spoofing countermeasures begins with an important internal memorandum from the MITRE Corporation in which the author, Edwin L. Key, appears to have examined spoofing and spoofing countermeasures in detail. (For details, see the “Additional Resources” section near the end of this article.)
The memorandum recommends the following techniques for spoofing detection:
1. amplitude discrimination
Of the proposed techniques, angle-of-arrival discrimination coupled with physical security of the antennas provides significant protection and is relatively easy to implement with inexpensive single-frequency receiver technology.
In this article we demonstrate the use of a dual-antenna receiver that employs a receiver-autonomous angle-of-arrival spoofing countermeasure — essentially an implementation of Key’s fifth technique.
It is based on observation of L1 carrier differences between multiple antennas referenced to a common oscillator. We believe that this defense could be effective against all but the most sophisticated spoofing attempts.
Static Scenario. The target receiver of a static spoofing scenario could be, for example, a timing receiver deployed to synchronize the electrical power grid, global trading, or a communications network.
In all such timing applications, the GPS antenna is situated with a clear view of the sky, typically on top of a building or a communications tower. A receiver-generated pulse per second (PPS) is used as the time reference for synchronization.
. . .
Dynamic Scenario. Since January 2005, in fishing waters controlled by the European Union (EU), Commission Regulation No. 2244/2003 has required that operators of fishing vessels more than 15 meters in length carry a satellite-
. . .
One can envisage a scenario where the spoofer knows the approximate location of the targeted receiver antenna. Spoofer hardware and a directional antenna could be used to mount an attack at a distance of hundred meters or more.
. . .
GPS signal generator. Spoofers in this category are GPS signal generators readily available from several vendors. For use as a spoofer, the signal generator’s RF output is amplified and transmitted, possibly using a directional antenna.
. . .
GPS Receiver Spoofer. Spoofers in this category are coupled to a GPS receiver. The GPS receiver tracks satellite signals at a location and decodes the navigation data.
. . .
Sophisticated GPS Receiver–Based Spoofer. This kind of design is similar to the equipment described in the previous category but employs multiple transmit antennas. Furthermore, the spoofer is able to vary the carrier phase outputs that are transmitted by each antenna to control the relative carrier phases among these transmit antennas. Creating such a spoofer is possible but technically difficult.
Setting Up the Experiment
. . .
Methodology for Detecting a Spoofing Attack
. . .
Identifying a Spoofed Signal
. . .
. . .
In general, an additional spoofer transmitter is required for each additional GPS antenna. Furthermore, a spoofer would have to locate each transmit antenna in close physical proximity to the appropriate GPS antenna in the array.
If the GPS antennas of static or dynamic installations are further protected by physical security, it is possible to create a robust defense against even a sophisticated spoofing attack. In the case of a complicit user, the presence of multiple antennas makes it difficult to intentionally defeat the system by direct injection of an artificial GPS signal.
In the spoofing defense implemented here, a one-time survey of a fixed antenna array was sufficient to enable receiver autonomous spoofing detection. A practical but slightly less robust defense that does not depend on knowledge of the attitude of the multi-antenna array can also be implemented.
The technology to enable multi-antenna spoofing detection is readily available using any of the numerous GPS receivers that produce L1 carrier phase observables.
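The following is an added illustration, not the authors' code or the receiver's software, of the two checks described above: comparing measured antenna-to-antenna L1 carrier phase differences against a surveyed baseline, and an attitude-free test for all signals arriving from one direction. The baseline, satellite directions, phase values, and thresholds are constructed assumptions, and cable (line) bias is assumed to have been calibrated out during the survey.

```python
import math

L1_WAVELENGTH_M = 299_792_458.0 / 1575.42e6  # GPS L1 carrier, about 0.19 m

def predicted_sd(baseline_enu, az_deg, el_deg):
    """Fractional cycles of antenna-to-antenna L1 phase difference expected
    for a signal arriving from (azimuth, elevation); baseline in metres, ENU."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    los = (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))
    path_m = sum(b * u for b, u in zip(baseline_enu, los))
    return (path_m / L1_WAVELENGTH_M) % 1.0

def wrap(cycles):
    """Wrap a phase difference to [-0.5, 0.5) cycles (integer ambiguity removed)."""
    return (cycles + 0.5) % 1.0 - 0.5

def geometry_mismatches(baseline_enu, obs, tol=0.1):
    """Surveyed-array check: PRNs whose measured difference disagrees with the
    difference predicted from the direction the navigation data claims."""
    return sorted(prn for prn, (az, el, meas) in obs.items()
                  if abs(wrap(meas - predicted_sd(baseline_enu, az, el))) > tol)

def single_source(obs, tol=0.05):
    """Attitude-free check: True when every PRN shows the same phase
    difference, i.e. all signals arrive from one direction."""
    phases = [meas for _, _, meas in obs.values()]
    return len(phases) >= 3 and all(abs(wrap(p - phases[0])) <= tol for p in phases)

# Constructed inputs (assumptions, not data from the article).
BASELINE_ENU = (1.0, 0.0, 0.0)                      # 1 m east-pointing baseline
SKY = {5: (90, 30), 12: (200, 60), 19: (310, 45)}   # prn -> (az, el) in degrees

def authentic_obs(noise=0.02):
    """Measurements consistent with the sky geometry plus a small error."""
    return {p: (az, el, (predicted_sd(BASELINE_ENU, az, el) + noise) % 1.0)
            for p, (az, el) in SKY.items()}

def spoofed_obs(common_phase=0.85):
    """One transmitter: every PRN carries the same antenna-to-antenna phase."""
    return {p: (az, el, common_phase) for p, (az, el) in SKY.items()}

if __name__ == "__main__":
    for name, obs in (("authentic", authentic_obs()), ("spoofed", spoofed_obs())):
        print(name, geometry_mismatches(BASELINE_ENU, obs), single_source(obs))
```

The surveyed check needs the array's baseline in a known frame; the single-source check needs only the measured differences, which is why it still works when the array's attitude is unknown.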
The authors would like to thank Novariant for the use of the AutoFarm roof array used for the experiment. Special thanks to Dennis Connor of Novariant for supporting this work. Additional thanks to William J. Bencze for RF hardware development support.
Manufacturers
The dual-antenna array used in the experiments described in this article was the AutoFarm antenna from Novariant, Inc., Fremont, California, USA. The array’s internal GPS receiver is based on the GP2015/GP2021 chipset, Zarlink Semiconductor Inc., Ottawa, Ontario, Canada, and uses Novariant proprietary software. The spoofed handheld receivers were the eTrex from Garmin International, Olathe, Kansas, USA, and the iPhone from Apple Inc., Cupertino, California, USA.
Copyright © 2017 Gibbons Media & Research LLC, all rights reserved.