It is well-understood now that Global Navigation Satellite Systems (GNSS) are vulnerable to radio frequency interference (RFI) due to the very low power of their received signals. RFI can take the form of jamming, in which the GNSS frequencies are overwhelmed with unwanted power or spoofing, in which “fake” GNSS signals are transmitted.
ARGYRIS KRIEZIS, YU-HSUAN CHEN, SHERMAN LO, TODD WALTER, SAM PULLEN, STANFORD UNIVERSITY DENNIS AKOS, UNIVERSITY OF COLORADO AT BOULDER
In the case of jamming, the added signals/noise prevents receivers from locking the GNSS satellite signals, resulting in loss of position and timing information. In the case of spoofing, the fake GNSS signals provide false measurements to a receiver, leading to an incorrect “spoofed” position solution. It is common for jamming and spoofing to be used alongside each other, with jamming preventing real satellite signals from being tracked while fake “spoofed” signals are being transmitted.
As described in a column in the November/December 2024 issue of Inside GNSS, jamming and spoofing attacks have increased in conflict regions in Eastern Europe and the Middle East that also affect nearby civilians [1]. Most RFI effects on civilian users in these regions are “collateral,” meaning RFI was not targeting civilians, but civilians were affected because they were operating in the same region. These events highlight the need for detection and characterization techniques that provide early RFI warnings to users, especially for safety-of-life critical applications such as aviation.
The Stanford GPS Lab has developed a low-cost GNSS RFI monitoring system, shown in Figure 1. It uses a commercial off-the-shelf (COTS) receiver and processor to detect and characterize interference events. We previously investigated using different monitoring test statistics in this receiver in response to jamming in both a lab-based environment and from open-sky data collected around the world [2]. In this column, which summarizes the details presented in [3], low-cost COTS receivers are used to analyze a real-world spoofing event to evaluate the effectiveness of various metrics in detecting and characterizing spoofing.
RFI in the Eastern Mediterranean Sea
In the summer of 2024, a ship equipped with the low-cost monitor shown in Figure 1 experienced both jamming and spoofing during a voyage in the Eastern Mediterranean Sea from the Aegean Sea to the port of Haifa in Israel. The low-cost monitor fielded on this ship included two u-blox F9P receivers, one providing L1/L2 frequency measurements and the second providing L1/L5 frequency measurements. Thus, information reflecting this RFI event was available across all of the GNSS frequencies in L-band.
Figure 2 shows the actual route of the ship as established by the L5 measurements provided by the second u-blox receiver. L5 was unaffected by the jamming and spoofing experienced on this voyage and thus represents the source of ground “truth.” The curve showing the ship’s route is color-coded in three levels based on the received power and satellite availability on L1 (L2 was similarly affected). Green represents no interference, yellow represents some effect of jamming based on received signal power, and red represents the loss of multiple GNSS satellites such that a position fix was no longer possible. Figure 3 shows how these alerting flags are determined based on the received information [4].
In the event shown in Figure 2, jamming was experienced in intervals throughout the ship’s route (especially after traveling southeast of about 35o N. 28.5o E), and it intensified as the Israeli coast was reached. About 10 km from the Israeli coast, spoofing was first observed, with the reported L1-based position jumping to the Beirut-Rafic Hariri International Airport in Lebanon at 33.8º N. 35.5º E.
Spoofing Techniques
GNSS spoofing techniques can be divided into three categories: meaconing/re-broadcast of live signals, broadcast of signals from a GNSS simulator, and a combination of a simulator and the use of live signals. Meaconing/rebroadcasting, in which GNSS signals are received and re-transmitted without any additions or changes, is the simplest form of spoofing. The main limitation of this technique is that the spoofed location is fixed and corresponds to the location of the receiving antenna of the system retransmitting the observed signals. In contrast, simulators can transmit fake signals corresponding to any location on Earth. However, the differences between the fake signals from the true GNSS signals and broadcast data make such spoofers easier to detect. Combining the two previous techniques gives spoofers the ability to incorporate signal updates such as the true ephemeris and any navigation message authentication information. Because spoofing takes different forms, no single detection methodology can cover all possible scenarios.
Detection by Position Monitoring
Spoofing detection methodologies for a single-receiver system can be classified into four categories based on the metrics they rely on. The first is position solution monitoring, which looks for unrealistic movements of a particular receiver. For a stationary receiver in a surveyed location, knowledge of the true position allows for detection of any significant deviations. For moving platforms, position estimation and filtering techniques can be employed to track abnormal movement. This technique can be effective when there is a large difference between the spoofed and true positions, but in scenarios where spoofing is targeted at specific users, the spoofed position can slowly deviate while staying within the expected movement envelope.
In the event examined here, spoofing is widespread and results in large deviations between real and spoofed positions. Thus, spoofing can be easily detected by observing the position shifting by kilometers in a matter of seconds. Figure 4 shows the latitude of the position solution from the L1/L2 receiver as a function of time, with 7 a.m. (UT) being the point at which spoofing causes a dramatic position shift from close to the actual ship position to the vicinity of Beirut Airport. Meanwhile, the L1/L5 receiver produces an unaffected position solution due to the lack of interference in the L5 band. Figure 5 compares the position solutions from the L1/L2 and L1/L5 receiver and makes this discrepancy very evident. It is unlikely that meaconing is being used because the distance between spoofed and real locations is quite large, and it would be unlikely for a spoofing transmitter to be sited at a commercial airport. Instead, simulator-generated spoofing at another location (perhaps modifying and retransmitting received GNSS signals) is more likely to cause this sudden shift in the position solution.
Detection by Signal Power Monitoring
A second means of detecting spoofing looks for unusual behavior in the received GNSS signal power. GNSS signals are emitted at a constant power level, but the received power changes due to the location of the satellite in the sky. Spoofing signals cannot easily match the expected power pattern of satellites received by users, especially when a wide area is targeted for spoofing. This leads to detectable power anomalies. Receiver Automatic Gain Control (AGC) outputs and estimated carrier-to-noise ratios (C/N0) of satellite signals have been used in past studies as detection metrics [5,6].
In the event examined here, spoofing is detectable through power monitoring. AGC is not useful for detecting the onset of spoofing, as jamming saturates it before spoofing starts. C/N0 values, on the other hand, provide useful information. L1/L2 receiver C/N0 values for SVN 50 (PRN 5) during this event are shown in Figure 6. Before spoofing begins at about 7 a.m., the GPS L1 and L2 signals have similar C/N0 values, while after it starts, there is a clear difference between them. This could represent normal behavior if only GPS L2 signals were affected. However, in this case both bands experience similar levels of jamming. Also note that, before spoofing begins, the C/N0 values change based on the satellite elevation angle (plotted in red with respect to the right-hand y-axis),while after it starts, these values are nearly constant except for the effects of measurement noise.
A similar strategy can be employed with the outputs of the L1/L5 receiver. On the left side of Figure 7, the L1 and L5 C/N0 estimates for SVN 66 (PRN 27) can be seen at the time jamming intensifies. The L5 value remains unchanged, as no interference is observed in that band. However, the L1 value drops significantly as the vessel moves closer to the RFI source. When the two signals are re-acquired after the satellite rises into view again, the C/N0 values are more alike.
Detection by Navigation Data Monitoring
GNSS signals include navigation data containing ephemeris information with the orbital elements of each transmitting satellite along with clock corrections for that satellite. This information is essential for computing use locations and typically changes every two hours (for GPS satellites) to account for orbital drift. One spoofing strategy is to modify the ephemeris information to represent satellites at different orbital locations. The Issue of Data Ephemeris (IODE) acts as a version stamp for the ephemeris navigation data. In the case of simple simulator spoofing, ephemeris updates and their IODE values would in general be different from those of the real signals, resulting in IODE being a useful spoofing detection metric.
For the event examined here, navigation data files decoded from both u-blox receivers were compared with the true navigation files determined from external data downloaded from the IGS website at https://igs.org. The ephemeris information from both the L1/L2 and L1/L5 receivers were found to be identical, with the exception of one satellite: SVN 59 (PRN 19). The difference for this satellite existed for only a few hours and occurred hours after the spoofing began, indicating it was not related to the spoofing event. In addition, both the IODE values and the times at which the navigation data updates occurred in the u-blox receivers were compared with the true values from the IGS data. The IODEs were correct, and most of the updates were observed within 18 seconds of the actual updates. This consistency of ephemeris, IODE and update times suggests that the spoofing technique observed in this event has a real-time GNSS feed and the ability to make real-time updates to its transmitted navigation data. This relatively advanced degree of spoofing capability should be taken into account when GNSS receivers are tested against simulated spoofing in controlled environments.
Detection by Signal Consistency Monitoring
Signal consistency over time is a fourth means of spoofing detection and can be evaluated using signal characteristics such as Doppler shift, pseudorange (and pseudorange residual), and receiver clock drift [7, 8, 9]. These characteristics have predictable behavior under normal conditions, thus observing them over time can reveal potential anomalies. Doppler shift decreases as a satellite moves closer to the user until it passes overhead (closest to zenith), after which it starts increasing. Similarly, the pseudorange of a satellite is the smallest overhead and increases as it moves toward the horizon.
Figure 8 presents the Doppler measurements for SVN 66 (PRN 27) from the L1/L5 receiver during the period in which spoofing takes place. These measurements are compared between the GPS L1 signal (spoofed) and the GPS L5 signal (true) to determine if any discrepancies exist. At the scale shown in Figure 8, the two curves match, and their inflection points are in the same time epoch. Therefore, we infer that the spoofing technique affecting the L1 measurements does not change the Doppler shift. However, small variations are observed in the (unspoofed) GPS L5 Doppler shift that require further examination.
Pseudorange approximately represents the distances between satellite and user. It includes errors in both the satellite and user clocks as well as atmospheric delays. While the user-to-satellite distance changes as satellites move in their orbits, the pattern is predictable. Figure 9 shows the pseudoranges from the L1/L5 receiver for GPS SVN 66 (PRN 27) at the time spoofing begins. The pseudoranges of both GPS L1 and GPS L5 jump by 2,267 km in a matter of seconds, indicating the presence of spoofing. Changes in pseudoranges can be attributed to multiple factors, including signal, satellite or user clock tampering, and changes in the ephemeris (satellite faults are also possible but are much less likely). The presence of a pseudorange anomaly in L5 (which does not experience spoofing) that matches the one in L1 indicates a change in the receiver clock bias.
The detailed description of spoofing detection calculations in [3] shows how the receiver clock bias can be estimated and used to help detect spoofing. Figure 10 shows the clock bias term of the GPS L5 signal over the 24-hour period that included the spoofing on L1. This term normally has a constant drift rate. However, at the time spoofing is introduced on L1 at 7 a.m., it shows anomalous behavior by jumping the equivalent of 2,400 km, which is similar to the pseudorange changes shown in Figure 9.
Conclusion
In this article, an actual jamming and spoofing event in the Eastern Mediterranean in the summer of 2024 has been analyzed using multiple outputs of a low-cost RFI monitor. The ability of these monitors to detect and diagnose the type of RFI being experienced has been demonstrated. These results suggest requirements and design features for RFI monitor equipment to be fielded by future users with demanding integrity requirements. They also supplement the offline analyses made possible by crowdsourced ADS-B measurements as described in this column in the November/December 2024 issue of Inside GNSS and as continually updated at https://rfi.stanford.edu and other websites. As shown there, RFI detection from ADS-B data is limited to the regions occupied by aircraft transmitting ADS-B signals and received by public ground stations. Monitors carried by individual users and networks of low-cost monitors reporting alerts in near-real-time would greatly enhance our ability to diagnose and react to RFI threats affecting civil users.
Acknowledgments
The authors would like to acknowledge our industry and academic partners for hosting our GNSS receivers in their locations for data collection. They would also like to acknowledge the support of The Aerospace Corporation under their University Partnership Program and the FAA for supporting this effort.
References
(1) S. Gebrekidan, “Electronic Warfare Confounds Civilian Pilots, Far From Any Battlefield,” The New York Times, Nov. 21, 2023.
(2) A. Kriezis, et al., “Identifying Low Cost GNSS Monitor Metrics for Robust RFI detection,” Proc. of ION ITM 2024, Long Beach, CA, Jan. 2024, pp. 426-440.
(3) A. Kriezis, et al., “Real-World Spoofing Detection and Characterization Using Low-Cost Receivers” Proc. of ION ITM 2025, Long Beach, CA, Jan. 2025, pp. 414-424.
(4) A. Kriezis, et al., “GNSS RFI Detection and Impact Characterization in Various Interference Environments Using Low-Cost Receivers,” Proc. of ION GNSS+ 2024, Baltimore, MD, Sept. 2024, pp. 3348-3360.
(5) D. Akos, “Who’s Afraid of the Spoofer? GPS/GNSS Spoofing Detection via Automatic Gain Control (AGC),” Navigation: J. of the Inst. of Navigation, 59(4):281–290 (2012).
(6) J. Nielsen, et al., “Effectiveness of GNSS Spoofing Countermeasure Based on Receiver CNR Measurements,” Int’l. J. of Navigation and Observation, 2012(1).
(7) J. Tu, et al., “Low-Complexity GNSS Anti-Spoofing Technique Based on Doppler Frequency Difference Monitoring,” IET Radar, Sonar and Navigation J., 12(9):1058–1065 (2018).
(8) P. Hwang and G. McGraw, “Receiver Autonomous Signal Authentication (RASA) Based on Clock Stability Analysis,” Proc. of IEEE/ION PLANS 2014, Monterey, CA, May 2014, pp. 270-281.
(9) K. Liu, et al., “Spoofing Detection Algorithm Based on Pseudorange Differences,” Sensors, 18(10) (2018).
Authors
Argyris Kriezis is a Ph.D. candidate at Stanford’s Aeronautics and Astronautics Department and works on GPS interference monitoring research at the Stanford GPS Laboratory. He received his BS degree in mechanical engineering from Olin College of Engineering.
Yu-Hsuan Chen is a research engineer at the Stanford GPS Laboratory. He received his Ph.D. in electrical engineering from National Cheng Kung University, Taiwan, in 2011.
Sherman Lo is a senior research engineer at the Stanford GPS Laboratory. He received his Ph.D. in aeronautics and astronautics from Stanford University in 2002. He works on navigation robustness and safety, often supporting the FAA. He has conducted research on Loran, alternative navigation, SBAS, ARAIM, GNSS for railways and automobiles. He also works on spoofing and interference mitigation for navigation. He has published more than 100 research papers and articles.
Todd Walter received his Ph.D. in applied physics from Stanford University in 1993. He is a research professor in the Department of Aeronautics and Astronautics at Stanford University. His research focuses on implementing high-integrity air navigation systems. He has received the ION Thurlow and Kepler awards. He is also a fellow of ION and has served as its president.
Dennis Akos completed a Ph.D. degree in electrical engineering at Ohio University in the Avionics Engineering Center with a focus on GPS/GNSS radio design and signal processing. Since 2005, he has been on the faculty with the Aerospace Engineering Science Department at the University of Colorado at Boulder with a visiting appointment at the GPS Laboratory at Stanford University.
