Spoofing a Multi-Band RTK GNSS Receiver with HackRF One and GNSS Jammer

Another boring long-read 🙂
We value your time, so we posted a video about this experiment on youtube:
https://youtu.be/Ya_B7tqA-X8
To learn more details, please enjoy the article.

You might have heard that multi-band multi-constellation GNSS receivers are more secure against spoofing. Indeed, a multi-band spoofer is more expensive than a one-band. And open-source projects on GitHub can simulate only GPS L1.

But, there is one trick. It is possible to generate a counterfeit signal only for GPS L1 and suppress the other signals/bands. In real life, we face such attacks every day. For example, here the GPS is spoofed and Galileo is jammed:

This is a common attack scenario from wildlife.

In this video, we demonstrated that the combination of affordable GPS L1 spoofer and multi-constellation jammer can hack the UBLOX M8T module with embedded spoofing detection and mitigation algorithms.

In this article, we reveal the result of vulnerability testing of multi-band multi-constellation RTK receiver UBLOX ZED-F9T. We use the combination of GPS L1 spoofer based on gps-sdr-sim/HackRF One and multi-band GNSS jammer.

The experiment was conducted under live-sky conditions over-the-air (do not attempt this at home :-).

Why deal with radiated RF signals? To assure our subscribers that multi-band multi-constellation GNSS spoofing is not a theoretical problem from scientific articles, and expensive laboratory-grade equipment is not further required.

Tools were utilized:

• ZED-F9T
• HackRF One
• gps-sdr-sim
• almanac and ephemeris files
• Multi-band GNSS jammer
• U-Center

The GNSS antenna of the receiver was placed on a windowsill two meters to the right.

We used U-Center to configure the GNSS module and set the following settings:

• Used GNSS constellations – GPS, Galileo, GLONASS, Beidou
• Interference monitoring – Enable

The receiver saw 11 GPS, 9 Galileo, 8 GLONASS, and 3 Beidou genuine satellites on two RF bands:

We do not describe in detail how to configure and run the spoofer.. Just google “gps-sdr-sim HackRF One”. In general, you need to conduct two steps. First, IQ data file generations, second IQ data playing on SDR.

Our spoofer’s configuration:

• Coordinates Lat,Lon,Hgt – 120.0, 40.0, 100.0
• Scenario start time YYYY/MM/DD,hh:mm:ss – 2021/01/01,00:00:00

The receiver perceived counterfeit signals after the spoofer was turned on but didn’t use them. Generated signals differed from the genuine one in Doppler, pseudo ranges, and timestamp\ephemeris data. This attack is called non-coherent or asynchronous. A non-coherent attack can be successful only when the receiver loses the original signals.

There are two tasks for the jammer. First, we need to block real and fake signals to force the receiver into the search mode. Second, we need to decrease the jammer’s power for the L1 band. A better way to do that is by using a 10 dB attenuator:

And actually, this is the most challenging. Selecting the suitable power/distance combination between HackRF One, jammer, and target antenna is complicated.

If all done perfectly and the power is aligned, you will see something like this:

The receiver saw only simulated signals but still didn’t use them.

In 45 seconds, the receiver changed the timestamp to simulated:

And at last, in 3 minutes after jammer was activated, coordinates were changed too:

1. The combination of gps-sdr-sim and multi-band GNSS jammer can deceive a multi-band multi-constellation receiver. We proved that under the live-sky conditions.

In this research, we did not attempt to discredit UBLOX’s products. We believe they have terrific products. All GNSS receivers are susceptible to spoofing due to the nature of signals.