A Multi-Antenna Defense: Receiver-Autonomous GPS Spoofing Detection

The issue of intentional or inadvertent interference to GNSS signals is a matter of growing concern throughout the world.

In a study released the day before the terrorist attacks on the Pentagon and the New York World Trade Center in September 2001, the U.S. Department of Transportation assessed the national transportation infrastructure’s vulnerability to civil GPS disruption.

The agency’s investigation and subsequent recommendations, known as the Volpe report, warned that “as GPS further penetrates into civil infrastructure, it becomes a tempting target that could be exploited by individuals, groups or countries hostile to the U.S.”

A few years later, in a 2004 National Security Presidential Directive on space-based positioning, navigation, and timing (PNT), former U.S. President Bush gave the Department of Homeland Security (DHS) responsibility for leading development of a plan to address concerns about interference to GPS.

DHS issued a preliminary interference detection and mitigation (IDM) plan last year.

To date, most actual incidents involving GPS interference — whether intentional or unintentional — have involved in-band or out-of-band harmonic RF transmissions that masked the weak GPS spread spectrum signals.

A good deal of anxiety has been expressed in recent years about inexpensive GPS jammers that, at power levels as low as one watt, could cause wide areas of disruption to GPS service.

Among other types of intentional interference, the Volpe report and the IDM plan mention civil GPS spoofing, a technique by which a GPS receiver is fooled into tracking counterfeit GPS signals.

Spoofing is more sinister than intentional jamming because it is surreptitious: the targeted receiver cannot detect the attack and, consequently, can be fooled into generating erroneous data that may even be hazardously misleading.

Previous work into civil spoofing countermeasures begins with an important internal memorandum from the MITRE Corporation in which the author, Edwin L. Key, appears to have examined spoofing and spoofing countermeasures in detail. (For details, see the “Additional Resources” section near the end of this article.)

The memorandum recommends the following techniques for spoofing detection:

1. amplitude discrimination
2. time-of-arrival discrimination
3. consistency of navigation and inertial measurement unit (IMU) cross check
4. polarization discrimination
5. angle-of-arrival discrimination
6. cryptographic authentication

Of the proposed techniques, angle-of-arrival discrimination coupled with physical security of the antennas provides significant protection and is relatively easy to implement with inexpensive single-frequency receiver technology.

In this article we demonstrate the use of a dual-antenna receiver that employs a receiver-autonomous angle-of-arrival spoofing countermeasure — essentially an implementation of Key’s fifth technique.

It is based on observation of L1 carrier differences between multiple antennas referenced to a common oscillator. We believe that this defense could be effective against all but the most sophisticated spoofing attempts.

Spoofing Scenarios
Spoofing scenarios can be broadly divided into static (fixed target receiver) and dynamic (moving target receiver) cases.

Static Scenario. The target receiver of a static spoofing scenario could be, for example, a timing receiver deployed to synchronize the electrical power grid, global trading, or a communications network.

In all such timing applications, the GPS antenna is situated with a clear view of the sky, typically on top of a building or a communications tower. A receiver-generated pulse per second (PPS) is used as the time reference for synchronization.

. . .

Dynamic Scenario. Since January 2005, in fishing waters controlled by the European Union (EU), Commission Regulation No. 2244/2003 has required that operators of fishing vessels more than 15 meters in length carry a satellite- One can envisage a scenario where the spoofer knows the approximate location of the targeted receiver antenna. Spoofer hardware and a directional antenna could be used to mount an attack at a distance of hundred meters or more.

. . .

Spoofer Categories
The JRC MENTORE paper cited earlier mentioned a couple of categories of GPS spoofers. In this article we identify three main types of spoofers.

GPS signal generator. Spoofers in this category are GPS signal generators readily available from several vendors. For use as a spoofer, the signal generator’s RF output is amplified and transmitted, possibly using a directional antenna.

. . .

GPS Receiver Spoofer. Spoofers in this category are coupled to a GPS receiver. The GPS receiver tracks satellite signals at a location and decodes the navigation data.

. . .

Sophisticated GPS Receiver–Based Spoofer. This kind of design is similar to the equipment described in the previous category but employs multiple transmit antennas. Furthermore, the spoofer is able to vary the carrier phase outputs that are transmitted by each antenna to control the relative carrier phases among these transmit antennas. Creating such a spoofer is possible but technically difficult.

Setting Up the Experiment
To help investigate our spoofing detection technique, we used a dual-antenna array mounted on a rooftop as shown in the accompanying photograph. This assembly includes a pair of L1 GPS antennas separated by 1.46 meters. Between the antennas is the GPS receiver itself.

. . .

Methodology for Detecting a Spoofing Attack
Exploiting the equipment configuration that we have described, we developed a technique for detecting spoofing signals based on their deviation from the characteristics of signals received from actual GPS satellite transmissions.

. . .

Identifying a Spoofed Signal
. . . the basic idea for spoofing detection using multiple antennas . . . if the i measurements do not agree with the expected phase profiles within bounds set by the expected noise and attitude uncertainty, then a spoofing signal is identified.
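The check described above can be sketched as follows. This is an added example, not the authors' RASD software. It assumes a baseline pointing due east, a line bias already removed by the one-time survey, a 0.1-cycle threshold, and constructed satellite geometry and noise values; only the 1.46 m antenna separation comes from the article.

```python
import math

L1_WAVELENGTH_M = 299_792_458.0 / 1_575.42e6   # about 0.1903 m
BASELINE_ENU_M = (1.46, 0.0, 0.0)  # 1.46 m from the article; due-east orientation assumed

def los_unit(az_deg, el_deg):
    """East-north-up unit vector toward a source at the given azimuth/elevation."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))

def expected_phase_cycles(az_deg, el_deg, baseline=BASELINE_ENU_M):
    """Between-antenna L1 carrier phase difference (cycles) for a plane wave."""
    e = los_unit(az_deg, el_deg)
    return sum(b * c for b, c in zip(baseline, e)) / L1_WAVELENGTH_M

def wrap(cycles):
    """Drop the unknown integer ambiguity: map to [-0.5, 0.5) cycles."""
    return cycles - math.floor(cycles + 0.5)

def detect_spoofing(obs, threshold_cycles=0.1):
    """obs: (prn, az_deg, el_deg, measured_phase_difference_cycles) per channel.
    Returns (flagged PRNs, residuals); threshold is an assumed noise bound."""
    residuals = {prn: wrap(meas - expected_phase_cycles(az, el))
                 for prn, az, el, meas in obs}
    flagged = sorted(p for p, r in residuals.items() if abs(r) > threshold_cycles)
    return flagged, residuals

# Constructed sample sky (PRN, azimuth, elevation) and per-channel noise in cycles.
SKY = [(5, 45.0, 60.0), (12, 120.0, 30.0), (19, 250.0, 45.0), (24, 355.0, 65.0)]
NOISE = [0.02, -0.03, 0.01, -0.015]

def authentic_obs():
    """Each PRN arrives from its own direction; +3 is an arbitrary integer ambiguity."""
    return [(prn, az, el, expected_phase_cycles(az, el) + n + 3)
            for (prn, az, el), n in zip(SKY, NOISE)]

def spoofed_obs(tx_az=200.0, tx_el=5.0):
    """One transmitter: every PRN shares the phase difference of its direction."""
    shared = expected_phase_cycles(tx_az, tx_el)
    return [(prn, az, el, shared + n) for (prn, az, el), n in zip(SKY, NOISE)]

if __name__ == "__main__":
    print("authentic:", detect_spoofing(authentic_obs())[0])
    print("spoofed:  ", detect_spoofing(spoofed_obs())[0])
```

Because a broadcast from one location gives every PRN the same phase difference, the residuals against the per-satellite expectations cannot all stay inside the noise bound at once, which is why each additional antenna forces the spoofer to add a transmitter.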

. . .

Indoor Experiment
After developing the receiver autonomous spoofing detection (RASD) software, we mounted the antenna array depicted earlier on the roof and enabled the software. The algorithm was tested for several days in an “unspoofed” setting to validate that spurious (false) detections were not flagged.

. . .

Conclusions
Antenna diversity — employing either multiple separate receivers or a multi-antenna single-oscillator receiver — can be used to defend against intentional GPS spoofing by greatly increasing the technical difficulty required to mount a successful attack.

In general, an additional spoofer transmitter is required for each additional GPS antenna. Furthermore, a spoofer would have to locate each transmit antenna in close physical proximity to the appropriate GPS antenna in the array.

If the GPS antennas of static or dynamic installations are further protected by physical security, it is possible to create a robust defense against even a sophisticated spoofing attack. In the case of a complicit user, the presence of multiple antennas makes it difficult to intentionally defeat the system by direct injection of an artificial GPS signal.

In the spoofing defense implemented here, a one-time survey of a fixed antenna array was sufficient to enable receiver autonomous spoofing detection. A practical but slightly less robust defense that does not depend on knowledge of the attitude of the multi-antenna array can also be implemented.

The technology to enable multi-antenna spoofing detection is readily available using any of the numerous GPS receivers that produce L1 carrier phase observables.

Acknowledgments
This article is based substantially on material in a paper first presented January 26, 2009, in Anaheim, California, at the International Technical Conference of the Institute of Navigation.

The authors would like to thank Novariant for the use of the AutoFarm roof array used for the experiment. Special thanks to Dennis Connor of Novariant for supporting this work. Additional thanks to William J. Bencze for RF hardware development support.

Additional Resources
[1] Baldini, G., and J. Hofherr, “IPSC Projects based on Satellite Navigation Systems,” 1st MENTORE Event, Institute for the Protection and Security of the Citizen, European Commission Joint Research Center, Ispra, Italy, November 25, 2008
[2] Commission Regulation (EC) No 2244/2003, “Laying down detailed provisions regarding satellite-based Vessel Monitoring Systems,” Official Journal of the European Union, L 333/17, December 12, 2003, Brussels, Belgium
[3] Humphreys, T. E., B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M. Kintner, Jr., “Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer,” Proceedings of ION GNSS 2008, Institute of Navigation, Savannah, Georgia, USA, 2008
[4] Key, E. L., “Techniques to Counter GPS Spoofing,” internal memorandum, The MITRE Corporation, Bedford, Massachusetts, USA, February 1995
[5] “United States Positioning, Navigation, and Timing Interference Detection and Mitigation Plan Summary,” U.S. Department of Homeland Security, Washington, D.C., USA, April 2008
[6] “Vulnerability Assessment Of the Transportation Infrastructure Relying on the Global Positioning System,” Technical Report, U.S. Department of Transportation, John A. Volpe National Transportation Systems Center, Cambridge, Massachusetts, USA, 2001