Spoofing a Multi-Band RTK GNSS Receiver with HackRF One and GNSS Jammer

, ,

Another boring long-read 🙂
We value your time, so we posted a video about this experiment on youtube:
https://youtu.be/Ya_B7tqA-X8
To learn more details, please enjoy the article.

Introduction

You might have heard that multi-band multi-constellation GNSS receivers are more secure against spoofing. Indeed, a multi-band spoofer is more expensive than a one-band. And open-source projects on GitHub can simulate only GPS L1.

But, there is one trick. It is possible to generate a counterfeit signal only for GPS L1 and suppress the other signals/bands. In real life, we face such attacks every day. For example, here the GPS is spoofed and Galileo is jammed:

GPS Spoofing and Galileo Jamming

This is a common attack scenario from wildlife.

In this video, we demonstrated that the combination of affordable GPS L1 spoofer and multi-constellation jammer can hack the UBLOX M8T module with embedded spoofing detection and mitigation algorithms.

In this article, we reveal the result of vulnerability testing of multi-band multi-constellation RTK receiver UBLOX ZED-F9T. We use the combination of GPS L1 spoofer based on gps-sdr-sim/HackRF One and multi-band GNSS jammer.

Setup

The experiment was conducted under live-sky conditions over-the-air (do not attempt this at home :-).

Why deal with radiated RF signals? To assure our subscribers that multi-band multi-constellation GNSS spoofing is not a theoretical problem from scientific articles, and expensive laboratory-grade equipment is not further required.

Tools were utilized:

  • ZED-F9T
  • HackRF One
  • gps-sdr-sim
  • almanac and ephemeris files
  • Multi-band GNSS jammer
  • U-Center
GNSS spoofing test setup

The GNSS antenna of the receiver was placed on a windowsill two meters to the right.

UBLOX ZED-F9T Configuration

We used U-Center to configure the GNSS module and set the following settings:

  • Used GNSS constellations – GPS, Galileo, GLONASS, Beidou
  • Interference monitoring – Enable

The receiver saw 11 GPS, 9 Galileo, 8 GLONASS, and 3 Beidou genuine satellites on two RF bands:

UBLOX Initial Config

Spoofer’s Configuration

We do not describe in detail how to configure and run the spoofer.. Just google “gps-sdr-sim HackRF One”. In general, you need to conduct two steps. First, IQ data file generations, second IQ data playing on SDR.

Our spoofer’s configuration:

  • Coordinates Lat,Lon,Hgt – 120.0, 40.0, 100.0
  • Scenario start time YYYY/MM/DD,hh:mm:ss – 2021/01/01,00:00:00
gps-sdr-sim configuration

Spoofing

The receiver perceived counterfeit signals after the spoofer was turned on but didn’t use them. Generated signals differed from the genuine one in Doppler, pseudo ranges, and timestamp\ephemeris data. This attack is called non-coherent or asynchronous. A non-coherent attack can be successful only when the receiver loses the original signals.

U-Center after launching GPS spoofer

Add Multi-Band Jamming

There are two tasks for the jammer. First, we need to block real and fake signals to force the receiver into the search mode. Second, we need to decrease the jammer’s power for the L1 band. A better way to do that is by using a 10 dB attenuator:

GNSS jammer with attenuator

And actually, this is the most challenging. Selecting the suitable power/distance combination between HackRF One, jammer, and target antenna is complicated.

If all done perfectly and the power is aligned, you will see something like this:

GPS spoofer and GNSS jammer in action

The receiver saw only simulated signals but still didn’t use them.

In 45 seconds, the receiver changed the timestamp to simulated:

GPS spoofer and GNSS jammer timestamp is changed

And at last, in 3 minutes after jammer was activated, coordinates were changed too:

GPS spoofer and GNSS jammer sucsess

Conclusion

  1. The combination of gps-sdr-sim and multi-band GNSS jammer can deceive a multi-band multi-constellation receiver. We proved that under the live-sky conditions.

Disclaimer

In this research, we did not attempt to discredit UBLOX’s products. We believe they have terrific products. All GNSS receivers are susceptible to spoofing due to the nature of signals.

Print Friendly, PDF & Email
Previous Post
GP-Blocker is Available
Next Post
Bizarre Consequences of GPS Satellite PRN 20 Outage

Get Our Newsletter

Enter your email address below to receive announcements from GPSPATRON.
We will also send you the latest published articles.
Menu