For the complete story, including figures, graphs, and images, please download the PDF of the article, above.
Growing dependence on GNSS for positioning, navigation, and timing (PNT) has raised a parallel concern about the potential risks of signal interference. The popular press has recently highlighted accounts of car thieves using GPS jammers, solar flares pumping out L-band radiation, and faulty television sets causing havoc to GPS receivers across an entire harbor.
For the complete story, including figures, graphs, and images, please download the PDF of the article, above.
Growing dependence on GNSS for positioning, navigation, and timing (PNT) has raised a parallel concern about the potential risks of signal interference. The popular press has recently highlighted accounts of car thieves using GPS jammers, solar flares pumping out L-band radiation, and faulty television sets causing havoc to GPS receivers across an entire harbor.
Speculation has suggested such dire scenarios as the collapse of telecom, power, and banking networks, ships colliding, and planes falling out the sky. Responses to these stories can be equally extreme, with some arguing that “GPS is unreliable,” or “We need an alternative PNT system.”
Well, perhaps. But isn’t it better to protect what we have, rather than cast it aside as unsuitable?
When computers were first threatened by viruses and hackers, we didn’t toss them aside complaining that “computers are too vulnerable — we need an alternative system.” No, we didn’t resort to pen and paper for all our work; we simply installed firewalls and virus checkers.
So it is with GNSS — or should be. Instead of simply criticizing the technology’s weaknesses, we need to explore solutions to the interference and jamming problem. And by “solutions,” I’m talking about protecting what we have, rather than simply abandoning GNSS and resorting to less mature alternatives such as enhanced Loran (eLoran).
With this approach in mind, the following discussion will present a few of the ways in which we can make our GNSS receivers more resilient to interference, with a particular focus on the role of receiver antennas in mitigating its effects. But let’s start by briefly considering why GNSS is so vulnerable in the first place.
Why is GNSS Vulnerable?
As most people are aware, the fundamental cause of GNSS vulnerability is the power of transmissions from satellites. GNSS signals are so “quiet” that they are easily swamped by the smallest of interfering signals.
Taking GPS as an example, the signals reaching the Earth’s surface are around -163 dBW (50 x 10-18 watts). Pretty much any other radio frequency phenomenon is going to be larger than that. In fact, even the GPS signal itself is well below the noise floor of the receiver.
The reason that GPS signals survive at all is due to the spread-spectrum nature of the transmission, allowing receivers to correlate the satellite signal out from below the background noise. But each receiver exhibits a limitation to the amount of non-GNSS interference it can cope with, whilst still acquiring or tracking the desired signal. That is, each receiver has a maximum jammer-to-signal ratio (J/S) that it is able to tolerate.
Figure 1 (see inset photo, above right) illustrates the problem: the diagonal lines represent interfering sources of various powers, and the horizontal dashed lines show some typical receiver thresholds.
Theoretically, at least, a 10-milliwatt jammer will prevent a receiver from acquiring the C/A code at a distance of 10 kilometers, and a receiver already tracking the C/A code will lose lock about a kilometer from the jammer.
This is pretty scary stuff, considering that 10 milliwatts is a very tiny jammer indeed. Even a P(Y)-code receiver will stop tracking when a few hundred metres from the jammer. Once the jammers get larger, it’s pretty much “game over” for unprotected GNSS signals. In any case, higher power jammers aren’t really necessary at ground level anyway, because once a receiver gets past 10 kilometers or so from the jammer, it’s likely to be below the horizon and no longer in the jammer’s line-of-sight.
Of course, jamming is not the only form of GNSS interference. Spoofing is a more recent, and perhaps more frightening, threat.
GNSS Spoofing
While jamming is concerned with denying the availability of a service, spoofing fools the receiver into thinking it is still happily tracking satellites, when in reality it is processing fake GNSS signals. Broadly speaking, we face two main types of spoofing: simulation and record-replay.
Simulation involves equipment that generates and transmits valid GNSS signals into which the spoofer can inject any information desired. Probably the easiest way to do this is with a GPS simulator as shown in
Figure 2 (see inset photo, above right). Stories have been reported where such a setup has been used to hijack a truck in an experimental demonstration (See, for example, the article by S. Davidoff listed in the Additional Resource section near the end of this article.)
The second spoofing method involves simply recording a real GNSS signal, and replaying it at a later time. Although this method cannot be used to impose a user-defined scenario on a receiver, it is enough to wreak havoc in unwary receivers by making real satellite signals appear at a different time and from different locations, and this form of attack can also be used against encrypted GNSS services.
Spoofing can be considered a more dangerous form of interference than jamming, because it is not always obvious that you are being spoofed, while jamming constitutes a denial-of-service and is easily detected.
Having said that, performing a spoofing attack is not altogether straightforward: in order to spoof a receiver that is already tracking, it would typically need to first be jammed and then re-acquire tracking on the spoofed satellites.
We can use various mechanisms to detect spoofing, such as monitoring absolute and relative signal strengths, monitoring satellite ID codes, performing time comparisons, and generally keeping an eye out for unusual or unlikely signal scenarios. But the problem remains, because even if you know you are being spoofed, you still have to deal with the spoofing!
Now that we’ve looked at the fundamental issue, let’s take a whirlwind tour through some of the possible solutions to the problem.
Receiver versus Antenna Solutions
Broadly speaking, two general elements comprise a GNSS receiver, the antenna and the receiver itself (RFIC, downconverter, tracking channels, digital signal processor, and so forth). We can choose to enhance either or both of these elements in order to improve resilience to interference.
. . .
Receiver Solutions
In our arsenal of receiver enhancements is adaptive notch filtering. Here we are simply trying to filter out the jammers from the received signal and is a straightforward approach requiring minimal modifications to an existing system.
. . .
Switching Frequencies
The second obvious thing to attempt when encountering a jammer in a GNSS frequency is to switch to a different GNSS band. Military users of GPS have the luxury of being able to choose between L1 and L2, and in the near future aviation receivers will have access to L5. Most mass-market civilian C/A users, however, are stuck with only L1, although GPS/GLONASS-capable cell phones and other mobile devices are beginning to reach the market.
. . .
Integrating GNSS with INS
Combining GNSS with an inertial navigation system (INS) offers well-known benefits. The two systems are highly complementary. Although inertial technology typically provides very good short-term accuracy, it drifts and loses accuracy over time as errors accumulate. Conversely, GNSS may exhibit relatively poor short-term accuracy, but it makes up for it with exceptional long-term accuracy because a receiver generates independent, absolute position fixes with rapid update rates.
. . .
Antenna Solutions
Arguably the single most powerful antenna-based technique for mitigating interference is to exploit spatial diversity — that is, to make use of the fact that satellite signals and jamming signals usually come from different directions.
. . .
The next question, then, is how do we make the antenna steer nulls in the directions we want?
An Optimal Solution
Continuing our reference to the antenna of Figure 5c, we can denote the signal received by the antenna as the vector x(t), and the summed antenna output as e(t). The leftmost element is designated as the primary element, p, while the others have variable weights, w. So, the antenna output is given by
e(t) = p(t) – wTx(t)
Given that GNSS signals are below the noise floor, the objective is to minimize the output power of the antenna, which will have the effect of canceling the interfering signals.
. . .
Digital Jammer Cancellation
The best anti-jam performance is achieved when digital techniques are employed to directly solve the Wiener equation, wopt = R-1xx rxp, where R is an n by n data covariance matrix and r is a vector of cross-correlations between the primary and auxiliary antenna elements.
. . .
Anti-Spoofing
The digital anti-jam architecture, just described, is also capable of protecting against spoofing attacks. However, anti-spoofing requires a somewhat different approach. Because spoofer signals look just like GNSS signals, we can’t get rid of them by power minimization techniques alone.
. . .
Adaptive Beamforming
Although jammer and spoofer cancellation techniques are extremely powerful, we achieve the ultimate protection with a further step: beamforming the receiver antenna toward GPS satellites and their signals.
In addition to enabling an adaptive antenna array to steer minimal antenna gain towards jammers, beamforming simultaneously ensures that the antenna steers maximum gain towards satellites. Put another way, instead of minimizing the interference-to-noise ratio (INR), the aim is to maximize the signal-to-interference-plus-noise ratio (SINR).
. . .
Conclusion
Threats to GNSS receivers are real, and the wider community is gradually awakening to the idea that something needs to be done. GPS jammers are widely available, and the threat from spoofing is growing. Despite our enormous and ever-growing dependence on GNSS, little has been done to truly address the problem, and yet there are answers to the problem.
This brief article has attempted to highlight some of the many possible solutions, each of which has its own advantages and disadvantages. Adaptive antennas offer excellent protection from both jamming and spoofing sources, and with modern technology they can be also be made inexpensively.
Risk assessment is fundamentally important, however. Conducting a threat analysis for one’s own GNSS application is crucial in order to decide what method of protection — if any is needed — is best.
Just as any computer can be compromised if a hacker tries hard enough, so can any GNSS receiver. Accordingly, a hacker will try harder to interfere with an application where the consequences are more severe, in which case suitable countermeasures are called for.
As our dependence on GNSS grows, protection technology that was once only available to the military is now becoming available to the commercial world. If we embrace the options available, to protect our receivers, we can continue to rely on the wonderful systems that we call GNSS.
For the complete story, including figures, graphs, and images, please download the PDF of the article, above.
Acknowledgment
This article was adapted from a presentation given by the author at the GNSS-10 conference on April 29, 2010, hosted by the Institute of Engineering and Technology at Savoy Place, London.
Additional Resources
[1] Davidoff, S. “GPS Spoofing,” Philosecurity, 2008
[2] Last, D., “GPS: The Present Imperfect,” Inside GNSS, vol. 5, no. 3, May 2010
[3] Schmidt, G., “INS/GPS Technology Trends”, The Draper Technology Digest, vol. 2, pp. 143-154, 1998