Coherent (synchronous) spoofing is widely recognized as one of the most dangerous forms of GNSS cyberattack affecting navigation, timing, and critical infrastructure systems worldwide. When precisely executed, such attacks remain largely invisible to conventional receivers because they preserve the normal signal structure and tracking continuity. Detecting coherent spoofing with a single-antenna GNSS receiver is extremely challenging, as it lacks the spatial information required to distinguish authentic satellite signals from synchronized counterfeit ones.
GPSPATRON addresses this cybersecurity challenge using a multi-antenna spatial detection approach. The GP-Probe TGE2, operating in conjunction with GP-Cloud, enables reliable detection of coherent spoofing attacks by analyzing the spatial characteristics of received signals. Equipped with three spatially separated GNSS antennas, the GP-Probe TGE2 measures inter-antenna phase relationships and captures the spatial structure of the navigation field. Based on these measurements, GP-Cloud performs centralized processing and real-time analysis to identify navigation field distortions and phase inconsistencies associated with coherent spoofing.
Why GNSS Has Become a Strategic Target
GNSS technology serves as the invisible backbone of modern critical infrastructure. Telecommunications networks rely on it for 5G synchronization, financial institutions depend on precise timing for transaction timestamping, power grids use it for coordination, and autonomous systems require continuous positioning. This widespread dependency has transformed GNSS into a high-value target for malicious actors.
Two primary attack categories dominate the threat landscape. Jamming disrupts signal availability through radio-frequency interference that overwhelms receivers. While disruptive, jamming is relatively easy to detect because receivers immediately lose their position fix. Spoofing covertly injects counterfeit yet structurally valid signals to manipulate position, velocity, or timing outputs without triggering alarms. Security experts consider spoofing more dangerous because it alters receiver outputs while maintaining apparent signal availability.
Understanding Non-Coherent vs. Coherent GNSS Spoofing
Not all spoofing attacks are created equal. The sophistication, cost, and detectability of spoofing attacks vary dramatically based on whether they employ non-coherent or coherent techniques. Understanding these differences is essential for implementing effective countermeasures.
Non-Coherent Spoofing: Brute Force Approach
In non-coherent (asynchronous) spoofing, counterfeit signals imitate authentic satellite signal structure without precise synchronization in code phase or Doppler frequency. These attacks can be performed using inexpensive signal simulators or software-defined radios (SDRs) combined with open-source software. Because the spoofed signals differ from authentic signals in Doppler and pseudorange, the receiver initially perceives them as noise while remaining locked onto genuine signals.
For success, the attacker must first disrupt authentic signal tracking through preliminary jamming or high-power spoofing (typically 40-50 dB above normal levels). Non-coherent spoofing is relatively easy to detect because it produces abrupt jumps in signal power, position, or time estimates.
Coherent Spoofing: The Invisible Threat
Coherent (synchronous) spoofing attacks represent a fundamentally different and far more sophisticated threat. These attacks are more technically challenging, requiring specialized equipment and deep expertise. The attacker generates counterfeit signals precisely synchronized with authentic satellite signals in time, Doppler frequency, and pseudorange. This synchronization allows the receiver to transition to tracking spoofed signals without losing lock or experiencing any interruption.
Transmit power is maintained only slightly above authentic signals (typically 3-5 dB higher). Once established, the attacker gradually manipulates position or timing. The receiver remains locked without entering search mode, and there are no abrupt changes to trigger alarms. The fundamental difference lies in the attack vector: coherent spoofing targets and captures the receiver’s tracking process itself, rather than overpowering it. The attacker’s objective is typically to slowly bias the position, time, or trajectory estimate while maintaining normal receiver operation.
How Receivers Respond: Two Distinct Signatures
Understanding receiver behavior under different attack types is crucial for developing effective detection strategies. The behavioral signatures of non-coherent and coherent spoofing are fundamentally different.
Under non-coherent spoofing, authentic signals are suppressed, the receiver enters reacquisition mode, and may lock onto counterfeit signals. The position exhibits an abrupt, discontinuous shift that can be detected by monitoring systems.
Under coherent spoofing, the response is fundamentally different. Synchronized signals enable seamless transition without any indication that something has changed. The receiver continues uninterrupted tracking throughout the attack.
After takeover, position or PPS phase drifts smoothly and gradually (approximately 1 m/min for position or 5 ns/min for timing), making it virtually impossible to distinguish from natural drift.
Detection Challenges in Coherent GNSS Spoofing
Coherent GNSS spoofing represents a deliberate and technically sophisticated attack that cannot occur accidentally. It requires specialized equipment capable of precise signal synchronization, as well as knowledge of the victim receiver’s approximate position. The takeover process is typically gradual and proceeds through several stages.
The three phases of a coherent spoofing attack:
| Phase | Duration | Spoofer Action | Receiver Effect |
| Align & Overlay | Sec to Min | Replicates and phase-aligns spoofed signals with authentic satellite signals | Normal tracking continues; spoofed signals remain indistinguishable |
| Power Capture | Sec to Min | Gradually increases transmit power slightly above authentic signals | Seamless transition to spoofed signals without loss of lock |
| Carry-Off | Min to Hours | Slowly biases code phase, carrier phase, or Doppler frequency | Smooth drift in position, velocity, or time outputs |
Detecting a well-executed coherent spoofing attack is particularly difficult due to several factors:
- Low Spoofing Power
Coherent spoofers typically use only a small power advantage over authentic satellite signals. As a result, signal-to-noise ratio (SNR) and preamplifier gain measurements remain within normal ranges, making power-based detection unreliable. - Precise Signal Synchronization
Counterfeit signals are carefully aligned with authentic signals in code phase, carrier phase, and Doppler. This produces normal-looking correlation peaks and allows seamless receiver tracking. - Gradual Parameter Drift
Position or timing biases are introduced slowly (e.g., ~1 m/min position drift or ~5 ns/min timing drift). This results in smooth and physically plausible changes rather than abrupt jumps that would normally trigger detection mechanisms. - Multi-Constellation Control
An attacker may spoof multiple constellations simultaneously or suppress certain signals to avoid cross-constellation inconsistencies that could reveal the attack.
Spatial Signal Analysis: The Key to Detection
Since coherent spoofing replicates the structure and parameters of authentic GNSS signals, detecting such attacks with a receiver equipped with only a single antenna is practically impossible. A single-antenna receiver can monitor parameters such as signal power, code phase, carrier phase, Doppler shift, C/N0, residual errors, and other signal quality metrics. However, these parameters alone are insufficient, because a well-generated coherent spoofing signal can reproduce them with high accuracy and appear indistinguishable from legitimate satellite signals.
Reliable detection therefore requires analysis of the spatial characteristics of the incoming wavefront using multiple antennas. Instead of relying solely on signal strength or receiver-based positioning metrics, the system must verify the spatial integrity of the received navigation signals. This is achieved by examining the spatial phase relationships between signals received at several spatially separated antennas.
Use of Multiple GNSS Antennas for Detection of Coherent Attacks
In a multi-antenna GNSS receiver configuration, the system can compare carrier phase and timing differences across antenna baselines. Authentic satellite signals originate from different positions across the sky and therefore produce predictable spatial signatures at each antenna.
Spoofed signals, in contrast, are typically transmitted from one or several nearby sources. As a result, they generate spatial patterns that are inconsistent with the true satellite geometry. By analyzing inter-antenna phase differences and estimated signal directions, a multi-antenna system can detect distortions in the spatial structure of the received navigation field that coherent spoofing cannot perfectly replicate.
GPSPATRON Solution: GP-Probe TGE2 and GP-Cloud
The GP-Probe TGE2, operating with GP-Cloud, detects sophisticated GNSS threats by analyzing spatial characteristics of received signals rather than relying solely on traditional metrics that attackers can accurately imitate.
A three-channel GNSS interference sensor designed to detect even the most sophisticated spoofing attacks through spatial signal analysis.
A cloud-based platform for centralized monitoring and analysis of GNSS data from GPSPATRON detectors and other GNSS receivers.
The GP-Probe TGE2 operates with three spatially separated GNSS antennas forming an antenna array. This configuration enables continuous measurement of inter-antenna carrier-phase differences and real-time analysis of the spatial structure of the received navigation signals for the detection of coherent spoofing attacks. By verifying the physical spatial consistency of the incoming signals rather than relying solely on signal-level metrics, the system enables reliable identification of sophisticated spoofing attempts.
GP-Cloud provides centralized monitoring of all measurements collected from multiple sources, including GPSPATRON probes and external GNSS receivers. The platform continuously processes incoming data streams using a wide range of anomaly detection and signal classification algorithms.
By analyzing GNSS signal parameters and spatial measurements provided by the three-antenna GP-Probe TGE2 detector, GP-Cloud enables reliable detection and classification of various types of spoofing/jamming attacks.
The system combines multiple independent detection techniques implemented within the platform, providing one of the most comprehensive GNSS interference monitoring solutions currently available.
Conclusion
Coherent spoofing represents one of the most dangerous GNSS threats because it preserves normal signal strength, receiver tracking behavior, and navigation solution continuity while gradually manipulating position or time. As a result, the manipulated signals may appear legitimate to conventional GNSS receivers.
Single-antenna spoofing detection methods cannot reliably identify such attacks because they lack spatial awareness. Detecting coherent spoofing therefore requires spatial signal analysis using multiple antennas, enabling verification of the spatial consistency of the received navigation signals through inter-antenna phase measurements.
By combining three-antenna spatial monitoring with centralized data analysis and visualization, the GPSPATRON system provides a robust and systematic solution capable of detecting even highly sophisticated spoofing attacks.
Have Questions About GNSS Spoofing Detection?
