Inside GNSS: Engineering Solutions from the Global Navigation Satellite System Community

The GPS Assimilator

Upgrading Receivers via Benign Spoofing

Interference, jamming, and spoofing are increasing the GNSS user community’s concerns about the security and reliability of their receivers. Although solutions are being proposed for future equipment designs that can process multiple signals from multiple GNSS systems, this article introduces a method for upgrading existing GPS user equipment to improve accuracy, robustness, and resistance to spoofing.


For the complete story, including figures, graphs, and images, please download the PDF of the article, above.

What will GNSS receivers look like five years from now? 

The answer, of course, depends on the application. Mass-market receivers used in applications that do not require precision positioning and timing (hand-held units for hikers, for example) will likely remain simple, single-frequency L1 C/A-code–based GPS devices.

On the other hand, a growing segment of military and civilian GNSS users will demand greater accuracy and reliability from their receivers than can be offered by single-frequency GPS. They will want multi-frequency GNSS devices to combat ranging errors due to ionospheric delay, and multi-system receivers to improve satellite availability and robustness against signal interference.

Major commercial GNSS receiver manufacturers already have product roadmaps in place that anticipate these demands. Manufacturers realize that they will be at a competitive disadvantage relative to their peers if they only offer a subset of available GNSS signals to sophisticated users. “Why should I have to choose between signals?” their customers will complain, “I’d like all of them!”

Then there is the issue of GNSS security. At one time, perhaps 20 years ago or more, computer users were largely unconcerned with the security of their personal computers. That time has passed. As any victim of a computer virus knows, firewalls, anti-virus software, and protocols for secure data transfer are no longer optional, but required.

Likewise, the deepening dependence of the civil infrastructure on GNSS — especially for timing synchronization — and the potential for financial gain or causing high-profile mischief make civil GNSS jamming and spoofing a gathering threat. Since the publication of the U.S. Department of Transportation’s Volpe Report on GPS dependence nearly a decade ago, GNSS security researchers have repeatedly warned that civil GPS is not yet secure, and that users trust its signals at their peril.

As Professor David Last commented at a recent conference on GNSS security, “Navigation is no longer about how to measure where you are accurately. That’s easy. Now it’s how to do so reliably, safely, robustly.”

Secure positioning, navigation, and timing (PNT) will require use of all available means: inertial navigation systems, stable frequency sources, multiple antennas, and cryptographic authentication. Product designers and system integrators will also want to exploit all radio frequency signals from which PNT information can be extracted — including non-GNSS signals and signals never intended to be used for PNT.

In short, PNT devices in critical applications five years from now will likely be remarkably capable and secure devices that adhere to an all-signals-in-view, all-available-means philosophy.

Meanwhile, however, the overwhelming majority of GNSS receivers — even those in critical applications — are simple L1 C/A-based devices that fail when signals are blocked or jammed, complaining, “Need clear view of sky.” Moreover, no commercially available civil GNSS receiver, as far as we are aware, incorporates even rudimentary defenses against spoofing.

Will these receivers be considered obsolete in the near future as new equipment that incorporates multiple signals, GNSS systems, and security measures reaches the market? Perhaps. And perhaps the prudent course of action is to replace them with secure and reliable modern devices.

A decision to replace existing receivers, however, cannot be made lightly. The millions of deployed GNSS receivers in operation around the globe today represent an enormous investment in equipment and training. Moreover, in many cases the GNSS receiver is only an embedded subcomponent of a larger PNT-reliant system. It may be inconvenient, unsafe, or expensive to replace these embedded devices with modern counterparts.

Nonetheless, the vulnerability of existing receivers, embedded and otherwise, to signal obstruction, jamming, and spoofing, and their inability to make use of modernized GNSS signals and other signals of opportunity, leaves much to be desired.

As an alternative to replacement of existing equipment, we propose augmentation. We have developed a technique for upgrading existing GNSS user equipment to address its shortcomings without requiring hardware or software modifications to the equipment.

This technique re-purposes a portable civil GPS spoofer to generate “friendly” spoofing signals whose implied navigation solution is derived from a fusion of GPS and other observables. The spoofer is described in a paper by T. E. Humphreys et alia (2008) listed in Additional Resources near the end of this article.

Our benign spoofing technique is embodied in a device, called the GPS Assimilator, whose output is injected directly into the radio frequency (RF) input of existing GPS equipment to immediately “robustify” the equipment against GPS outages and interference. This article describes the GPS Assimilator’s design and operation and reports the preliminary performance results of a prototype model.

Documenting the Need
Consider three examples of existing devices for which Assimilator augmentation is potentially preferable to replacement.

Time Reference Receivers. These devices, which typically cost several thousand dollars apiece, couple a GPS receiver to a stable oven-controlled crystal oscillator (OCXO) or atomic frequency reference. Timing receivers are used extensively in telecom networks; in particular, the IS-95 CDMA-based digital cellular standard and its progeny require each base station to be synchronized with a GPS receiver so that the timing of transmissions can be controlled to better than 10 microseconds.

. . .

Phasor Measurement Units (PMUs). Also known as synchrophasors, these devices couple a GPS receiver to power measurement equipment in order to simultaneously obtain the phasor values of voltages and currents at particular instants of time. Although now used primarily for monitoring, these devices are expected to see widespread future application in closed-loop control systems designed to increase the carrying capacity of the power distribution grid.

. . .

Embedded Military GPS Receivers. Unsurprisingly, GPS receivers find widespread use in armed forces worldwide. Several hundred thousand devices have been procured by the U.S. Department of Defense and foreign military sales customers over the last five years — a substantial collective investment. A large fraction of military-grade GPS receivers are used as embedded receivers, being coupled to targeting, tracking, and communications equipment via well-defined and field-tested interfaces.

. . .

Conceptual Assimilator
The Assimilator concept is based on the principle that from virtually any modern environment one can extract a wealth of navigation and timing-related information. Thus, the Assimilator behaves opportunistically, scanning ambient radio waves for PNT information while also accepting baseband data from an inertial navigation system (INS), an external time source, or directly from the user.

. . .

Assimilator Components

. . .

Front-End Bank. A bank of RF front ends digitizes segments of the RF spectrum containing signals that potentially bear PNT information.

. . .

Multi-System Receiver Module. The digitized data exiting the RF front-end bank are routed to a software-defined multi-system receiver module implemented on a digital signal processor (DSP). Here, each target signal is tracked, either independently or as part of a vector tracking loop.

. . .

Navigation and Timing Fusion Module. The observables are sent to a central navigation and timing fusion module, which also accepts baseband PNT inputs.

. . .

Anti-Spoofing Module. Both the multi-system receiver module and the navigation and timing fusion module are equipped with anti-spoofing software. Module A, which resides within the multi-system receiver module, continuously scans the RF data streams entering the Assimilator for spoofing signatures. Module B, which resides within the navigation and timing fusion module, watches for inconsistencies between observables in the centralized solution.

. . .

Embedded GPS Signal Simulator. The output of the navigation and timing fusion module feeds an embedded GPS signal simulator . . .

Several options are possible for signal simulation:
Impaired GPS L1 C/A . . .
Unimpaired GPS L1 C/A . . .

. . .

Inside the Signal Simulator

. . .

Control Module. The control module coordinates generation of the synthesized GPS signals by directing the carrier phase, carrier frequency, and code phase in each of n simulator channels.

. . .

Simulator Channels. Each of the n simulator channels can be configured to generate a unique GPS C/A signal…

. . .

Local Replica Generator. . . . A command and data bus conveys phase and frequency information from the simulator channels to the local replica generator, and returns local carrier and code replicas from the local replica generator to the simulator channels.

Navigation Data Generator. The navigation data bit sequence $\{d_{n,j}, d_{n,j+1}, \ldots\}$ required by the $n$th simulator channel is generated in one of two ways. When GPS L1 C/A signals are available, a steady stream of navigation data bits is taken from the GPS L1 C/A channels of the multi-system receiver module. Data bits extracted from the authentic signals are fed to the navigation data generator and compiled into a signal-specific data bit library.

. . .

Sample-wise Combiner. Combination of the signals generated in each of the simulator channels is performed digitally sample-by-sample in the sample-wise combiner. For typical Assimilator operation, all output signals are weighted equally so that the target GNSS receiver sees a set of received signals with equal carrier-to-noise (C/N0) ratios.

. . .

RF Upconversion Module. The output bitstream of the sample-wise combiner is routed to an RF upconversion module comprising a digital-to-analog converter, frequency mixers, filters, and a signal attenuator. The upconversion module converts the digital signal into a set of synthesized GPS signals at RF. The reference oscillator that drives the RF upconversion module must be the same oscillator that drives the Assimilator’s RF front-end bank.

Capabilities and Limitations
As with any system’s functionality, the Assimilator has capabilities with finite limits. In this section, we describe these in terms of accuracy, robustness, and security.

Accuracy. For maximum compatibility with legacy GNSS receivers, the Assimilator outputs only GPS L1 C/A signals. The narrow bandwidth (~2 MHz) of the C/A ranging code limits the accuracy of the pseudorange-based position and time solution that the Assimilator can deliver to the target receiver. The Assimilator compensates for this limitation by generating synthetic signals with high C/N0 and by selecting a constellation geometry that minimizes the geometric dilution of precision (GDOP).

. . .

Robustness. The Assimilator’s PNT solution is, by virtue of the diverse navigation and timing data that feed it, inherently robust against GNSS signal obstruction and jamming. Signals from cell phone base stations, Iridium satellites, and LORAN transmitters are tens of decibels stronger than those from GNSS satellites. Thus, not only is the Assimilator robust to GNSS outages, it can also withstand substantial blockage, jamming, or other interference in the cell phone (1.9 GHz), Iridium (1.6 GHz), and LORAN (100 kHz) frequency bands.

. . .

Security. As with robustness, the Assimilator is inherently more secure against signal spoofing than legacy civil GNSS receivers because of the diverse data from which its PNT solution is derived.

. . .

Prototype Assimilator
We have built a prototype Assimilator to prove the basic feasibility of the conceptual Assimilator introduced previously. The prototype is an extension of the GRID software-defined GNSS receiver introduced in the papers by T. E. Humphreys et alia (2006) and B. W. O’Hanlon and of the GPS spoofer discussed earlier.

The following sections will describe the prototype and offer initial experimental results.

The prototype Assimilator is a dual-frequency device with a rudimentary spoofing defense. Its embedded signal simulator generates output signals in the code-aligned, unimpaired GPS L1 C/A simulation mode. The device receives L1 C/A and L2C GPS signals and outputs L1 C/A signals with code phases corrected for ionospheric delay.

. . .

Multi-System Receiver Module. Though it currently only tracks GPS L1 C/A and L2C signals, the prototype Assimilator’s multi-system receiver module is designed for expansion. Written in object-oriented C++, the module’s principal feature is an extensible array of so-called Bank objects, each of which acts as an independent software receiver. Class polymorphism is exploited so that all Bank objects share a common structure.

. . .

Navigation and Timing Fusion Module. The prototype Assimilator fuses dual-frequency GPS measurements into a single-frequency simulated GPS RF output by re-generating clean versions of the C/A signals that it tracks and by compensating for ionospheric delay on each of the simulated signals.
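
The ionospheric compensation described above can be computed with the standard first-order dual-frequency correction; the following is an added worked example, not the prototype's code. It assumes L1 C/A and L2C code pseudoranges in meters with inter-frequency biases already removed; the function names, plausibility bounds, and sample observations are constructed for illustration.

```python
# Added example: first-order dual-frequency ionospheric correction.
# Not the prototype's code; names, bounds and sample values are constructed.
C = 299_792_458.0             # speed of light, m/s
F_L1 = 1575.42e6              # GPS L1 carrier frequency, Hz
F_L2 = 1227.60e6              # GPS L2 carrier frequency, Hz
GAMMA = (F_L1 / F_L2) ** 2    # (77/60)^2: the L2 delay is GAMMA times the L1 delay
CA_CHIP_RATE = 1.023e6        # C/A code chips per second


def iono_delay_l1(rho_l1, rho_l2):
    """Ionospheric group delay on L1 (m) from L1 and L2 code pseudoranges (m)."""
    return (rho_l2 - rho_l1) / (GAMMA - 1.0)


def correct_channel(rho_l1, rho_l2=None, min_delay_m=-5.0, max_delay_m=150.0):
    """Return (corrected L1 pseudorange, code-phase correction in chips, status)."""
    if rho_l2 is None:                      # no L2C tracked for this satellite
        return rho_l1, 0.0, "uncorrected"
    delay = iono_delay_l1(rho_l1, rho_l2)
    # Assumed sanity bounds: group delay is physically non-negative (a small
    # negative value is tolerated for code noise) and limited in size.
    if not (min_delay_m <= delay <= max_delay_m):
        return rho_l1, 0.0, "rejected"
    chips = delay / C * CA_CHIP_RATE        # same delay expressed in C/A chips
    return rho_l1 - delay, chips, "corrected"


def correct_all(obs):
    """obs: {prn: (rho_l1, rho_l2 or None)} -> {prn: correct_channel(...)}."""
    return {prn: correct_channel(*pair) for prn, pair in obs.items()}


def make_obs(range_m, iono_l1_m, with_l2=True):
    """Build a constructed observation: range plus frequency-dependent delay."""
    rho_l1 = range_m + iono_l1_m
    rho_l2 = range_m + GAMMA * iono_l1_m if with_l2 else None
    return (rho_l1, rho_l2)


# Constructed sample observations keyed by PRN (not measured data).
SAMPLE = {
    5: make_obs(20_500_000.0, 4.0),
    12: make_obs(22_100_000.0, 11.5),
    19: make_obs(23_750_000.0, 7.2, with_l2=False),   # L1 C/A only
    27: (21_000_000.0, 21_000_400.0),                 # implausible L1/L2 split
}

if __name__ == "__main__":
    for prn, (rho, chips, status) in sorted(correct_all(SAMPLE).items()):
        print(f"PRN {prn:2d}: {status:11s} rho={rho:.3f} m  shift={chips:.5f} chips")
```

A channel reported as "uncorrected" or "rejected" passes its L1 pseudorange through unchanged, so the caller can decide whether to simulate that signal at all.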

. . .

Anti-Spoofing. For anti-spoofing, the prototype Assimilator implements a data bit latency defense. This simple defense is premised on the difficulty of (1) predicting or synthesizing a consistent stream of navigation data bits for each signal, and (2) re-transmitting the broadcast GPS data bits with an undetectable latency.

. . .

Embedded Signal Simulator. The prototype Assimilator’s embedded signal simulator functions just as described earlier for the conceptual Assimilator except that the prototype makes no attempt to choose the best possible combination of signals to simulate; it simply selects the strongest n tracked C/A signals (usually six) for simulation.
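
The Accuracy paragraph says the conceptual Assimilator selects a constellation geometry that minimizes GDOP, while the prototype simply takes the strongest n signals. The added example below (not the authors' code) compares the two selection rules; the satellite azimuths, elevations, and C/N0 values are constructed, and the function names are hypothetical.

```python
import itertools
import math


def los_unit(az_deg, el_deg):
    """East-north-up unit vector from the receiver toward a satellite."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def inverse_trace(m):
    """Trace of the inverse of square matrix m (Gauss-Jordan); None if singular."""
    n = len(m)
    a = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) < 1e-12:
            return None
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [v - f * w for v, w in zip(a[r], a[col])]
    return sum(a[i][n + i] for i in range(n))


def gdop(sats):
    """GDOP = sqrt(trace((G^T G)^-1)) with G rows [e_east, e_north, e_up, 1]."""
    if len(sats) < 4:
        return math.inf                      # position and time not solvable
    g = [los_unit(s["az"], s["el"]) + (1.0,) for s in sats]
    gtg = [[sum(r[i] * r[j] for r in g) for j in range(4)] for i in range(4)]
    tr = inverse_trace(gtg)
    return math.sqrt(tr) if tr is not None and tr > 0 else math.inf


def strongest_n(sats, n):
    """Prototype rule from the text: the n signals with the highest C/N0."""
    return sorted(sats, key=lambda s: s["cn0"], reverse=True)[:n]


def min_gdop_n(sats, n):
    """Exhaustive search for the n-satellite subset with the lowest GDOP."""
    return min(itertools.combinations(sats, min(n, len(sats))), key=gdop)


def compare(sats, n=6):
    best = min_gdop_n(sats, n)
    return gdop(strongest_n(sats, n)), gdop(best), sorted(s["prn"] for s in best)


# Constructed sky: strong signals cluster near zenith, weak ones near the horizon.
SATS = [
    {"prn": 1, "az": 10, "el": 80, "cn0": 50}, {"prn": 2, "az": 100, "el": 70, "cn0": 49},
    {"prn": 3, "az": 200, "el": 65, "cn0": 48}, {"prn": 4, "az": 300, "el": 60, "cn0": 47},
    {"prn": 5, "az": 40, "el": 55, "cn0": 46}, {"prn": 6, "az": 160, "el": 50, "cn0": 45},
    {"prn": 7, "az": 250, "el": 15, "cn0": 40}, {"prn": 8, "az": 330, "el": 10, "cn0": 39},
    {"prn": 9, "az": 90, "el": 12, "cn0": 38},
]

if __name__ == "__main__":
    g_strong, g_best, prns = compare(SATS)
    print(f"strongest-6 GDOP {g_strong:.2f}, min-GDOP {g_best:.2f} using PRNs {prns}")
```

Because received signal strength tends to track elevation, the strongest-n rule can pick a cluster near zenith with poor geometry; the exhaustive search is affordable here because only a handful of tracked signals are candidates.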

Preliminary Performance Results
When tuned for efficiency, the prototype Assimilator meets real-time deadlines with computational resources to spare. The processing power of the prototype’s DSP is such that it can run the equivalent of 135 parallel GPS C/A channels. Because their longer ranging codes cannot be stored in on-chip memory, L2C channels require the equivalent processing of four C/A channels.

. . .

We have presented a technique for upgrading existing GNSS user equipment, without requiring hardware or software modifications to the equipment, to improve its accuracy, to increase its robustness in weak-signal or jammed environments, and to secure it against counterfeit GNSS signals.

The technique is embodied in a device called the GPS Assimilator that acts opportunistically to extract navigation and timing information from its environment. The Assimilator encodes this information into a set of standard GPS L1 C/A signals with which all legacy GNSS receivers are natively compatible.

A dual-frequency prototype Assimilator with a rudimentary spoofing defense has been presented. Initial experimental results show the prototype successfully correcting ionospheric errors in a single-frequency target receiver.

Efforts are underway to develop the next-generation Assimilator prototype: a compact device equipped with a robust cryptographic defense against spoofing and capable of tracking dual-frequency GPS and CDMA cell telephone signals. Eventually, as board sizes are reduced, the Assimilator’s processing core can be housed within its antenna enclosure, offering GNSS users the possibility of upgrading their current receivers with a simple change of antenna.


End Notes
The assimilator concept and early hardware were developed at Coherent Navigation, Inc., a startup company of which Drs. Ledvina and Humphreys are co-founders, along with four others. Coherent Navigation Inc. has filed a patent covering the Assimilator concept and related technologies.

Additional Resources
[1] Hein, G., and F. Kneissl, J.-A. Avila-Rodriguez, and S. Wallner, “Authenticating GNSS: Proofs against Spoofs, Part 2,” Inside GNSS, September/October 2007, pp. 71–78
[2] Humphreys, T. E., and B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M. Kintner, Jr., “Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer,” Proceedings of ION GNSS 2008, Institute of Navigation, Savannah, Georgia USA, 2008
[3] Humphreys, T. E., and B. M. Ledvina, M. L. Psiaki, and P. M. Kintner, Jr., “GNSS Receiver Implementation on a DSP: Status, Challenges, and Prospects,” Proceedings of ION GNSS 2006, Institute of Navigation, Fort Worth, Texas USA, 2006
[4] Humphreys, T. E., and M. L. Psiaki and P. M. Kintner, Jr., “Modeling the effects of Ionospheric Scintillation on GPS Carrier Phase Tracking,” IEEE Transactions on Aerospace and Electronic Systems, 2010, to be published
[5] Klobuchar, J. A., Global Positioning System: Theory and Applications, chap. 12: Ionospheric Effects on GPS, American Institute of Aeronautics and Astronautics, Washington, D.C., 1996, pp. 485–515
[6] Ledvina, B., “Real-Time Generation of Bit-Wise Parallel Carrier Replicas Applied to a GPS/GNSS Software Receiver,” IEEE Transactions on Aerospace and Electronic Systems, 2010, to be published.
[7] Ledvina, B. M., and W. J. Bencze, B. Galusha, and I. Miller, “An In-Line Anti-Spoofing Module for Legacy Civil GPS Receivers,” Proceedings of the ION ITM, Institute of Navigation, San Diego, CA, January 2010
[8] Lo, S., and D. DeLorenzo, P. Enge, D. Akos, and P. Bradley, “Signal Authentication: A Secure Civil GNSS for Today,” Inside GNSS, Vol. 4, No. 5, September/October 2009, pp. 30–39
[9] Montgomery, P. Y., and T. E. Humphreys, and B. M. Ledvina, “A Multi-Antenna Defense: Receiver-Autonomous GPS Spoofing Detection,” Inside GNSS, Vol. 4, No. 2, March/April 2009, pp. 40–46
[10] O’Hanlon, B. W., and M. L. Psiaki, P. M. Kintner, Jr., and T. E. Humphreys, “Development and Field Testing of a DSP-Based Dual-Frequency Software GPS Receiver,” Proceedings of ION GNSS 2009, Institute of Navigation, Savannah, Georgia USA, 2009
[11] Phadke, A., and B. Pickett, M. Adamiak, M. Begovic, G. Benmouyal, R. Burnett Jr., T. Cease, J. Goossens, D. Hansen, M. Kezunovic, et al., “Synchronized Sampling and Phasor Measurements for Relaying and Control,” IEEE Transactions on Power Delivery, Vol. 9, No. 1, 1994, pp. 442–452
[12] Scott, L., “Anti-spoofing and authenticated signal architectures for civil navigation systems,” Proceedings of ION GPS/GNSS 2003, Institute of Navigation, Portland, Oregon USA, 2003, pp. 1542–1552

Copyright © 2017 Gibbons Media & Research LLC, all rights reserved.
