GNSS Spoofing Scenarios with SDRs

In the previous article, we described some of the open-source projects for GPS signal simulation which exist. In this article, we explain possible attack scenarios with SDR, a server response to spoofing, and how to detect spoofing and mitigate the effects. We are not using expensive GNSS signal simulators (Spirent, Orolia, Rohde & Schwarz) or electronic warfare. We are reviewing what attack scenarios can be run with just a $1,000!

GPS Spoofing with HackRF One

GPS Spoofing with HackRF One 2

This setup generates GPS signals only. If your receiver supports GLONASS and BeiDou, such spoofing is not a problem. Galileo signal reception will not save you because Galileo and the GPS share the same radio band. And a fake GPS signal will block reception of Galileo signals.

But sometimes the fake GPS signal power is so high that it overloads the input channel of the GNSS receiver, and it can no longer perceive GLONASS and Beidou.

Attack cost Depends on the SDR being used:
Attack time From 15 seconds to 5 minutes.

It depends on the embedded algorithms of LO tuning. We have repeatedly observed cases where an LO was realigned to a fake GPS signal in just 15 seconds after an attack started.

Check out this video:

Time server behavior If the spoofer signal is strong enough, the time server GNSS receiver loses the original signals, stops providing a navigation solution, and goes into search mode. The time server indicates an error and goes into holdover mode. In about 10-30 seconds, the GNSS receiver finds the fake signals and indicates the erroneous data. The time server aligns the built-in reference oscillator according to fake GNSS signals.
Attack distance 50 meters (approximate figure).

It strongly depends on signal propagation conditions.

HackRF One RMS output power level for GNSS signals is about -10 dBm. This is enough to overpower the real signals within a radius of 5 km in line of sight.

So why did we specify only 50 meters?

In this scenario, the SDR generates an asynchronous signal, which the GNSS receiver perceives as noise/interference because the GNSS receiver is locked only to real signals. The high power of the spoofer here is needed to completely block the reception of the original signals to force the receiver into search mode. At a distance of 50 meters, the spoofer signal power is 40 dB higher than the original signals. This overloads the first preamplifier of the GNSS receiver, making the genuine signal become lost.

Therefore, high power is needed only in the first seconds of the attack.

Protection Protecting a time server is easy. You can use any modern GNSS receiver that supports Glonass, Galileo, Beidou. The GNSS receiver will automatically exclude false GPS signals from the calculation of the navigation solution due to large pseudorange/doppler errors compared to other systems.

GNSS Spoofing with HackRF One and Jammer

GNSS Spoofing with HackRF One and Jammer 2

For a guaranteed spoofing of multi-constellation GNSS receivers, it is only necessary to add a GNSS jammer. Which reliably jams the reception of GLONASS and BeiDou signals. You just need to adjust the power of the GNSS jammer and the GPS spoofer. So that only real signals are jammed, and the fake GPS signal is received.

Attack cost 320 USD for HackRF One and 150 USD for GNSS jammer
Attack time same as in the first case
Time server behavior same as in the first case
Attack distance 100 meters.

The attack range can be slightly greater than in the first case, as a GNSS jammer can be used to disrupt the tracking of the original signals.

This attack is more challenging to perform since it is necessary to adjust the output power of the spoofer and jammer so that the original signals would be suppressed and the fake GPS would not.

Check out this video:

Protection Protecting a time server is not easy. Almost all GNSS receivers available on the market cannot resist this attack. What algorithms for protection can be implemented at the time server level?

1. SNR Monitoring

It is very easy to monitor the average SNR value and disable the GNSS receiver if the value has become unrealistically high.

Nevertheless, according to our observations, in most real cases of spoofing, the SNR value decreases in the case of non-coherent attacks. In addition, there is no problem in lowering the SNR when generating a fake signal.

2. Coordinates Monitoring

You can disable the GNSS receiver if there is a significant shift in coordinates.
A lousy method, since an attacker can easily simulate the coordinates of your antenna with reasonable accuracy to avoid a significant drift.

The top two methods are really bad in the case of time servers, and by the time you notice a change in coordinates or SNR, it will be too late. The time server’s reference generator would already start adjusting to the fake signal and ultimately provide you with the wrong time.

3. PPS Phase Monitoring

Since each time server has a perfect local oscillator, it is possible to compare the PPS phases from the GNSS receiver and the LO every second. In the case of a spike, you can instantly disable the sync signal.

Implementation Problems

  • It is not clear what threshold to set because the phase of the PPS fluctuates within 100 ns in good reception conditions and up to 500 ns in poor conditions.
  • When the PPS phase jumps due to spoofing and you switch the time server to holdover mode, the time server will gain an error. It is not clear how to know that spoofing is finished. Because after some time, the difference between the internal clock and the GNSS will be significant.
  • A phase shift can occur due to a reference oscillator.
  • The method is unreliable because it can lead to problems under normal operating conditions without spoofing due to incorrectly set thresholds. Spoofing start and end detection thresholds must be carefully adjusted for each specific time server installation point.

System-level Protection

The best protection method can be implemented when you have several time servers distributed in space. If one of the time servers starts producing an invalid timestamp, you can easily disable it.

The method’s performance depends on the quality of the network (the accuracy of synchronization through the PTP) and the number of time servers. But there are also disadvantages. In the first seconds of spoofing, when the time server just begins generating the wrong time, the critical infrastructure that uses that particular time server may be affected. In the case of a bank, some transactions can go to the database with the wrong timestamp.

GNSS Spoofing with HackRF One, Jammer, and RF Amplifier

What is needed to extend the range of the attack?

Just a 10 Watts RF amplifier on AliExpress and a directional antenna:

RF amplifier for GPS spoofing
directional antenna for GPS spoofing
GNSS Spoofing with HackRF One, Jammer, and RF Amplifier 2
Attack cost
  • 320 USD for HackRF One,
  • 150 USD for GNSS jammer
  • 2 * 300 USD for RF amplifiers
  • 2 * 200 USD for a directional antenna.

1470 USD total.

Attack time same as in the first case
Time server behavior same as in the first case
Attack distance 30 km if you install the spoofer on the roof of a building 40 meters high.

Just imagine that a fifteen hundred dollars set-up can spoof everything in a major city!

Many will argue that such a powerful signal will immediately be tracked by the agencies responsible for monitoring the radio spectrum. But this is not precisely true because high power is needed only during the first seconds, which would force GNSS receivers to lose track of the original signals and go into search mode. Then, the power of the spoofer can be made negligible. And source localization will not be such an easy task anymore.

And how quickly will the radio frequency agencies respond to this threat? In an hour, two hours, half a day? Imagine the scale of the financial loss to the entire economy of the region.

Protection System-level protection will not help because all time servers in the synchronization system may be affected.

Without specialized anti-spoofing systems, there is nothing you can do.

GNSS Spoofing with Synchronization. Deliberate Coherent Attack

The scenarios above correspond to non-coherent attacks. In the first phase of the attack, the GNSS receiver loses track of real satellites and switches to fake ones after a while. Such attacks are characterized by sharp jumps in power, PPS phase, and coordinates, and they can be relatively easily detected.  But what happens if we synchronize with the real signals. And in the first phase of the attack, we will generate a signal that perfectly matches the real one in time, coordinates, pseudorange, Doppler, data stream, and SNR.

GNSS Spoofing with Synchronization - Deliberate Coherent Attack 2

There is no way to download software from GitHub for such an attack. You can either modify one of the GPS-SDR-SIM forks yourself or buy commercially available solutions.

Attack cost 1470 USD in case you modify the source code of GPS-SDR-SIM yourself

50k USD for commercially available solutions

Attack time Instantly
Time server behavior A receiver instantly switches to the fake signal! The time server does not issue any errors or warnings and does not go into holdover mode.

After a successful takeover of the receiver, a smooth and controlled shift of time and/or coordinates is possible.

Watch this video to see how the receiver responds to coherent attacks:

Attack distance Limited by the radio horizon only
Protection Let’s think about what the purpose of such an attack could be.
  • For example, it is possible to smoothly and unnoticeably shift the time by 10 µs in one of the data centers where high-frequency trading occurs. And someone can get an advantage since their transactions can be marked with a past timestamp.
  • Deliberate time shifts can disrupt the power transmission system, leading to crashes and outages. Learn more here:
  • A slight correction of coordinates can mislead a bank’s truck driver, and he will turn a few blocks earlier than necessary and get ambushed.

By the way, an ideal case of synchronous attack can be executed using a GNSS repeater. If your time server antenna happens to be hit by a GNSS repeater signal from the nearest store, you will constantly have a slight time shift.

There is only one method of protecting the time server from such an attack. This is a combination of spoofing detection systems with spatial signal analysis (antenna array) + alternative source of PNT.

In this article, we are not trying to advertise our solution by finding the disadvantages of the listed anti-spoofing methods. Our extensive experience in real spoofing environments shows that these simple, elementary methods do not work.

Contact us and learn how to defend against all types of spoofing attacks.

Previous Post
680 Forks on GitHub for GPS Signal Simulation
Next Post
Basic Introduction to GNSS Spoofing. Animation

Get Our Newsletter

Enter your email address below to receive announcements from GPSPATRON.
We will also send you the latest published articles.