Jamming and spoofing of GNSS signals to prevent use of GNSS or to alter user position solutions has become a significant concern over the last decade, as discussed in many recent papers and articles.
These events can now be visualized within a day or two of occurrence at websites that use ADS-B transmissions to infer the locations and types of jamming and spoofing, such as [2]. Real-time detection, mitigation and avoidance of these events is now one of the most active areas of GNSS research.
Users with the most demanding accuracy and integrity requirements, such as civil aviation, typically rely on differential corrections and integrity information provided by services such as Satellite and Ground-based Augmentation Systems (SBAS and GBAS, respectively). Corruption of the transmissions providing this information (“message spoofing”) is another means of generating misleading information (large, unbounded errors) and is a particularly concerning threat, as it can be done using a single PRN and need not overpower any existing signals. Further, it can introduce a bias on the position without affecting the GNSS-derived velocity or acceleration, making comparisons against other sensors for these elements ineffective.
The best way to prevent malicious alternation of GNSS corrections is to provide a means to authenticate the information in these messages so users can be assured the received data comes from the intended source. A simple message authentication protocol is included in the GBAS VHF Data Broadcast (VDB) between ground systems and users [3] but is limited to indicating which message slots should contain information from a given ground station. A more advanced cryptographic authentication technique is being developed for SBAS that is backward-compatible with legacy signals and should prevent any receiver from accepting SBAS information from anyone aside from the actual SBAS provider [4,5], but the work needed to standardize and implement it is expected to take several more years.
To provide some level of SBAS message spoofing mitigation before cryptographic authentication is available, simple methods have been proposed in [1] to limit the magnitude of errors that could be generated by message spoofing. This column explains one of these methods, the background behind it, and its projected effectiveness in limiting worst-case errors from SBAS spoofing.
SBAS Correction Magnitudes and Spoofing Potential
When GBAS and SBAS were first conceived, GPS implemented a deliberate range-domain degradation called Selective Availability (SA). To counter the effects of SA, SBAS correction limits were made quite large: more than 250 m for clock errors and over 128 m in each of three orbital axes. However, in 2001, GPS eliminated SA and has subsequently committed to maintain significantly smaller errors [6]. But the L1 SBAS and GBAS standards were set prior to SA’s removal, and the potential to introduce large errors through erroneous corrections remains a part of the legacy L1 standards.
SBAS corrections can be used to create pseudorange errors that are up to about 160 m on L5 [7] or over 600 m on L1 [8]. L5 corrections only contain satellite clock and orbit values that are limited to ~64 m on adjustments to the clock and the three cartesian orbital coordinates. Cartesian (XYZ) orbital adjustments can be mapped into radial, along-track, and cross-track (RAX) adjustments whose upper values are dependent on satellite location. At least 97% of the radial error maps into user pseudorange error, while no more than 24% of the along-track and cross-track errors map into user pseudorange error. L1 corrections are larger, as they were designed to handle selective availability and ionospheric corrections. Fast Correction (FC) clock corrections can be as large as 256 m, while Long-Term Corrections (LTC) include orbital XYZ terms that can reach 128 m along with a clock term that can be as large as 143 m. Depending on satellite location and elevation angle, the projected pseudorange errors can range from 530 m to 675 m if using only FCs and LTCs.
In addition, the SBAS rate correction terms could make these correction errors more than an order of magnitude larger by making the time of applicability hours in the past. This undesirable property was recently recognized, and the SBAS Minimum Operational Performance Standards (MOPS) [7,8] are being changed to have the receiver limit the time period over which the rate terms could apply. Rather than potentially creating kilometers of error, they will be limited to roughly half the magnitude of the above correction terms. Altogether, the pseudorange errors from the satellite clock and orbit correction and correction rates can be of the order of 250 m on L5 and 650 m on L1.
An SBAS spoofer would also have control over which satellites the receiver uses and what their confidence values are, so they could create geometries with worse properties than commonly experienced. Typically, pseudorange error will be multiplied by a value less than three when mapped into position error. However, the spoofer can significantly increase this factor by controlling which satellites are used in the position solution and how much weight is assigned to each.
Figure 1 shows the results of a GPS satellite geometry simulation using the default 24 satellite constellation [6] and users located around North America over 24 hours. The spoofer can control the magnitude and sign of each satellite measurement as well as maximize the projection along any position axis. By maximizing the error magnitudes for each satellite and the sum of the absolute values of the projection matrix (S) elements corresponding to a particular direction, the spoofer would maximize the error it can create along that direction [1]. For each user location and time step, every subset geometry that could support a 50 m Vertical Alert Limit (VAL) and 40 m Horizontal Alert Limit (HAL) were evaluated. This simulation can choose User Differential Range Errors (UDREs) and Grid Ionospheric Vertical Errors (GIVEs) for L1 or Dual Frequency Range Errors (DFREs) for L5. Low values for these parameters allow the alert limits to be made quite small for geometries ordinarily not available for use.
Figure 1 shows histograms of the sum of the absolute value of the vertical-axis (Up) projection matrix values across all satellites in view for L1 users (left) and L5 users (right) (the histograms for East and North directions look nearly identical). Note that pseudorange errors could be multiplied by factors of order 10 to 50 for L1 or from 5 to 25 for L5 in the position domain depending on the underlying GPS satellite geometry. This means a spoofer could create position errors as large as 32 km for L1 and up to 6 km for L5. This clearly shows the need for some level of mitigation of SBAS message spoofing.

Correction Magnitude Limits and GNSS Commitments
SBAS and GBAS messages include corrections for errors highly correlated between reference stations and users that are the primary means of improving accuracy beyond uncorrected (“standalone”) GNSS. The corrections computed by SBAS and GBAS must be checked in real time to confirm they fall within the limits of their message fields (i.e., the largest values that can be accommodated). To avoid failing this check, these message fields were designed to allow for correction magnitudes as large as could be envisioned during early system design in the early-to-mid 1990s. However, during subsequent development, it was realized that setting tighter limits helped detect and exclude system anomalies that were difficult to detect otherwise. For example, tighter limits on pseudorange correction and correction rate message parameters were shown in [9] to detect certain types of ephemeris anomalies arising from unannounced satellite maneuvers that are difficult to detect with other monitors.
In the last few years, each GNSS Constellation Service Provider (CSP) has made certain commitments about their constellation performance to enable their use by the aviation community [6,10,11,13]. Table 1 contains the commitments for four core constellations: GPS, GLONASS, Galileo and BeiDou (BDS). The most relevant parameters are σURA, a zero mean Gaussian overbound of nominal signal in space ranging errors; Psat, the probability that a satellite has a fault, defined here as an error not overbounded by σURA independently of all other satellites; Pconst, the probability that a single fault will affect more than one satellite within the constellation; and MFD, the mean fault duration.
GPS satellites broadcast their own σURA values, which can change over time, particularly if the satellite ephemeris has not been refreshed for many hours. It is most often set to 2.4 m. Figure 2 shows a histogram of the frequency of occurrence of the broadcast URA values from 2008 through 2025. A value of 2.4 meters was sent 91.8% of the time, while a value larger than 4.85 m was sent slightly more than 0.1% of the time. Note that GPS has set Pconst to be 10-8 or less. Thus, it is extremely unlikely GPS will have two or more faulty satellites at any given time. The definition of a fault for GPS is that the satellite clock and ephemeris errors together project to an error greater than 4.42 times σURA for any user. This corresponds to a 10.6 m upper limit most of the time (when σURA is 2.4 m). Unfortunately, none of the other constellations have made such a strong commitment.


Observed Constellation Performance
The left side of Figure 3 shows observed GPS constellation performance from 2008 through 2025. It shows the maximum projected clock and ephemeris errors for the satellite with the largest absolute errors at each time epoch in blue and the satellite with the second largest concurrent error in red. On June 17, 2012, the maximum error grew to 448 m, which is off the top of the plot. All other maximum projected errors over this period have been below 50 m. The second largest concurrent error observed in that time frame was 5.64 m. Note that in early 2024, GPS operational changes significantly improved its overall accuracy.
The right side of Figure 3 shows the same data normalized (divided) by the broadcast value of σURA. Only rarely are the blue values greater than 4.42, which is the value that, when exceeded, is declared a GPS fault. All data is shown except for the June 17, 2012, fault, which corresponded to 187 times σURA. These instances correspond to the nine fault events that have occurred over this 18-year period. No simultaneous faults have been observed, confirming the extreme rarity of simultaneous faults, and the number of independent faults is well below the expected number corresponding to the GPS commitment for Psat in Table 1 (10-5).
Figure 4 shows the same results for Galileo. The left side of Figure 4 shows observed Galileo constellation performance from 2020 through 2025. It shows the largest and second largest projected errors in blue and red, respectively. There were five errors over this period that were larger than 18 m. They occurred on January 21, 2021; September 5, 2021; April 29, 2022; August 31, 2022; and July 21, 2024. All other projected errors have been below 18 m. The second largest concurrent error observed in that time frame was 1.85 m.
The right side of Figure 3 shows the same data normalized (divided) by the broadcast value of σURA. Only rarely are the blue values greater than 4.42, which is the value that, when exceeded, is declared a GPS fault. All data is shown except for the June 17, 2012, fault, which corresponded to 187 times σURA. These instances correspond to the nine fault events that have occurred over this 18-year period. No simultaneous faults have been observed, confirming the extreme rarity of simultaneous faults, and the number of independent faults is well below the expected number corresponding to the GPS commitment for Psat in Table 1 (10-5).
Figure 4 shows the same results for Galileo. The left side of Figure 4 shows observed Galileo constellation performance from 2020 through 2025. It shows the largest and second largest projected errors in blue and red, respectively. There were five errors over this period that were larger than 18 m. They occurred on January 21, 2021; September 5, 2021; April 29, 2022; August 31, 2022; and July 21, 2024. All other projected errors have been below 18 m. The second largest concurrent error observed in that time frame was 1.85 m.
The right side of side of Figure 4 shows the same data but now divided by the fixed Galileo σURA value of 6 meters from Table 1. The largest fault occurred in September 2021 and corresponded to a 540 m fault, or 90 times σURA. There were five fault events observed in this five-year period. No simultaneous faults have been observed, and the number of independent faults is well below the expected number corresponding to the committed value of Psat.


SBAS Correction Limitation Algorithm
These results show that both GPS and Galileo meet their respective performance commitments with margin. Based on this, [1] proposes monitoring for large SBAS corrections on multiple GPS satellites to serve as an indication of a potentially spoofed signal. In the inequality in Equation 1, the projected clock and ephemeris correction for satellite j to the user receiver is labeled as ∆yj. A common SBAS time offset component is removed by differencing each projected correction with the median value from all such projected corrections. The median is chosen as it is robust to a small number of outliers. This difference is compared against the expected uncertainty in the GPS error magnitude according to σURA and the uncertainty in the SBAS correction accuracy according to σUDRE. For dual frequency evaluations σUDRE is replaced by σDFRE.

Because σURA and σUDRE represent conservative overbounds on the expected errors, it is exceedingly rare for 4.42 multiplied by either term to fail to bound their respective errors. Therefore, it is unlikely that more than one GPS satellite exceeds the inequality in Equation 1 at any given time (indeed, it will be very uncommon for even one to do so). Thus, if two or more projected GPS corrections exceed this threshold, the user should deselect this SBAS signal and use a different one or, if another SBAS is unavailable, conclude that SBAS corrections can no longer be trusted.
When σURA and σUDRE are small, this constraint places much tighter limits on the correction magnitudes than the existing message structure allows. Assuming the GPS signals are genuine, Figure 2 shows that the GPS σURA is below 4.85 m nearly 99.9% of the time. The σUDRE can be much larger, but if it is made larger than 4.6 m, it cannot be used for vertical guidance per requirement [R229-227] of [8]. Further, increases in σUDRE will be reflected in increased protection levels and decreased availability. Therefore, Equation 1 effectively limits the correction error magnitude to

This approach still leaves one satellite vulnerable to the possibility of a much larger spoofing error. This motivates a further condition: if a GPS satellite has a correction value that satisfies Equation 1, and its correction magnitude is greater than 30 m, that GPS satellite should be excluded from the SBAS position solution. This additional constraint can be expressed as:

Based on the data in Figure 3, there have only been four events in the last 18 years where a GPS satellite could have met the conditions of Equations 1 and 2 and was then excluded. It is very likely that the affected satellite would have also been set unusable by SBAS during these events due to the sudden large changes in the clock or orbital behavior. Thus, excluding a GPS satellite based on Equations 1 and 2 would not have any noticeable effect on availability.
Given a 30 m upper bound on GPS correction error, this method would place an upper limit on the position error due to erroneous corrections caused by spoofing ranging from roughly 300 to 1,500 m for L1 and 150 to 750 m for L5. A limitation of this approach is that it does not address the risk erroneous ionospheric corrections may pose for the L1 service nor the risk erroneous Galileo corrections may pose for the L5 service. Further, the spoofer may still introduce arbitrarily large errors if it exploits GEO/SBAS satellite ranging. Still, the algorithm is very simple and does usefully limit the potential impact of SBAS spoofing despite not providing complete protection.

Observed SBAS Behavior
This section examines the observed behavior of the existing SBAS services to ensure the risk of false alarms (when spoofing is not present) would be sufficiently low. The left side of Figure 5 shows the largest (blue) and second largest (red) normalized projected corrections for WAAS on a typical day (May 31, 2025). The right side of Figure 5 shows the second largest normalized projected corrections for other SBAS (EGNOS, MSAS, GAGAN, KASS and SouthPAN). The plotted data is described by the ratio of the left and right-hand sides of the inequality in Equation 1 without the 4.42 multiplier. These values are across all possible users that can see a given satellite above 5°, whether the user is within the visibility footprint of the SBAS GEO satellite or not. Further, the two data points for the same time step in the left plot are not necessarily at the same location (i.e., the user location that sees the maximum second largest value likely sees a smaller largest value).
In the left-hand plot in Figure 5, both the largest and the second largest terms are well below the suggested threshold of 4.42. The second largest value is below 1.3 for WAAS. In the right-hand plot, GAGAN’s second largest value was just above 2.0, while the others are all below 1.5.
Other days, including the rare days with GPS faults, have been examined and show very similar upper limits on the observed second largest normalized projected error. The possibility of false alarms from unnecessarily large SBAS corrections appears to be very small, with all SBAS having values less than half of the 4.42 threshold required to violate the inequality in Equation 1. Note that, for the purposes of this monitor, there is nothing sacrosanct about the 4.42 multiplier in Equation 1 or the constellation commitments shown in Table 1. Taken together, Figures 3, 4 and 5 suggest the commitments for GPS and Galileo are conservative, as expected. Therefore, while these commitments should be the basis of an algorithm standardized in the SBAS MOPS, a multiplier significantly smaller than 4.42 could be used by receiver manufacturers to further limit the magnitude of undetected SBAS spoofing errors.
Position Domain Algorithm Using ARAIM
This simple correction-domain monitor algorithm seeks to avoid the user receiver calculating two separate position solutions, as doing so had been identified as computationally undesirable. However, should the receiver have the capability to calculate both SBAS and RAIM/ARAIM solutions at once, a direct comparison between the two can be very effective. RAIM/ARAIM (based on standalone GNSS without differential corrections [12]) is suggested as the basis for comparison because it also produces a trusted position estimate and associated protection levels.
A detailed algorithm using ARAIM is defined in [1]. Results show it produces lower limits on undetected SBAS message spoofing errors than the correction-domain algorithm, particularly if dual-frequency ARAIM is applied.
Conclusion
This article reviews the key results in [1] regarding simple techniques to detect and limit the potential errors caused by SBAS message spoofing. The correction-domain monitor proposed is very simple and can be easily added to existing user receivers with a very low likelihood of false alerts. The ARAIM-based position-domain monitor proposed in more detail in [1] further limits the potential errors but requires significantly more calculations in user receivers. While imperfect, one or both of these monitors should be implemented in current receivers to mitigate SBAS message spoofing risk prior to the introduction of cryptographic authentication in SBAS in the coming years.
Acknowledgements
The authors gratefully acknowledge the support by the U.S. Federal Aviation Administration (FAA) for this work under MOA 693KA8-22-N-00015.
References
(1) T. Walter, et al., “Limiting the Potential Impact of SBAS Spoofing,” Proc. ION Pacific PNT 2026, Honolulu, HI, April 2026. http://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Walter_ION_PPNT_2026_Limiting_SBAS_Spoofing.pdf.
(2) “GNSS Interference Detection Using ADS-B” (website). https://rfi.stanford.edu/.
(3) GNSS-Based Precision Approach Local Area Augmentation System (LAAS) Signal-in-Space Interface Control Document (ICD), RTCA SC-159, DO-246E, July 2017.
(4) J. Dennis, et al. (2024). “SBAS Authentication Standards,” Proc. ION GPS/GNSS 2024, Baltimore, MD, Sept. 2024. http://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Dennis_ION_GNSS_2024_SBAS_Authentication_Standards.pdf.
(5) J. Anderson, Designing Cryptography Systems for GNSS Data and Ranging Authentication, Ph.D. Dissertation, Stanford University, Dec. 2024. http://web.stanford.edu/group/scpnt/gpslab/pubs/theses/JasonAndersonThesis2024.pdf.
(6) Global Positioning System Standard Positioning Service Performance Standard. U.S. Dept. of Defense, 5th Ed 2020. https://www.gps.gov/sites/default/files/2025-07/2020-SPS-performance-standard.pdf.
(7) Minimum Operational Performance Standard for Galileo/Global Positioning System / Satellite-Based Augmentation System Airborne Equipment. EUROCAE WG-62, ED-259A, June 2023.
(8) Minimum Operational Performance Standards (MOPS) for Global Positioning System/Satellite-Based Augmentation System Airborne Equipment. RTCA SC-159, DO-229F, June 2020.
(9) H. Tang, et al., “Ephemeris Type A Fault Analysis and Mitigation for LAAS,” Proc. IEEE/ION PLANS 2012. Indian Wells, CA, April 2010. http://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Tang_IEEEIONPLANS_2010_EphemerisTypeAFaultMitigationforLAAS.pdf.
(10) Galileo Open Service—Service Definition Document (OS SDD) (Issue 1.3). European GNSS Service Centre, Nov. 2023. https://www.gsc-europa.eu/sites/default/files/sites/all/files/Galileo-OS-SDD_v1.3.pdf.
(11) ICAO Standards and Recommended Practices, Annex 10—Aeronautical Communications, Vol. 1. International Civil Aviation Organization, 8th Ed., July 2023.
(12) J. Blanch, et al., “Baseline Advanced RAIM User Algorithm: Proposed Updates,” Proc. ION ITM 2022, Long Beach, CA, Jan. 2022. http://web.stanford.edu/group/scpnt/gpslab/pubs/papers/blanch_ION_ITM_2022_ARAIM.pdf.
(13) J. Dennis, et al., “Draft Vertical ARAIM Standards,” International Civil Aviation Organization, Navigation Systems Panel (NSP) JWGs/12, WP 12, May 2024.
Authors
Todd Walter received his Ph.D. in applied physics from Stanford University in 1993. He is a research professor in the Department of Aeronautics and Astronautics at Stanford University. His research focuses on implementing high-integrity air navigation systems. He has received the ION Thurlow and Kepler awards. He is also a fellow of ION and has served as its president.
Rebecca Wang is a graduate student in the GPS Research Laboratory working under the guidance of Professor Todd Walter in the Department of Aeronautics and Astronautics at Stanford University. Prior to joining the lab, Rebecca received her B.S. in Aerospace Engineering at the University of Texas at Austin. Her research interests include multi-GNSS integrity for aviation and high-accuracy navigation.
Juan Blanch is a senior research engineer at Stanford University, where he works on integrity algorithms for Satellite-based Augmentation Systems and on Receiver Autonomous Integrity Monitoring. A graduate of Ecole Polytechnique in France, he holds an MS in Electrical Engineering and a Ph.D. in Aeronautics and Astronautics from Stanford University. He received the 2004 ION Parkinson Award for his Ph.D. dissertation and the 2010 ION Early Achievement Award.






