Introduction
In this video, we proved that GPS spoofing has become simple and inexpensive. We were successful in spoofing the UBLOX M8T module with embedded spoofing detection and mitigation algorithms. The spoofing detection flag did not function during our experiment and we decided to discover why.
Following is an extract from the module’s documentation:
The GNSS spoofing flag is available in UBX-NAV-STATUS packet:
In this article, we styled an experiment in which we attempted to create module conditions to detect spoofing without error.
Setup
The experiments were conducted under live-sky conditions with the GP-Simulator Test Kit. The kit components are as follows:
- Ettus Research USRP Bus Series with GPSDO;
- Ublox M8T GNSS receiver for live sky synchronization (We utilized it as a reference to check PPS offset);
- GPSPATRON software.
Setup Photo:
Detailed photo:
- UBLOX EVK-M8 Evaluation Kit – Device Under Test.
- UBLOX EVK-M8 Evaluation Kit – Reference PPS source, the part of GP-Simulator Test Kit.
- The GNSS jammer is used to block an ariginal sattelites’ signals.
- Three active GNSS antennas.
- RF coupler, attenuators.
- Oscilloscope to measure offset between PPS phases.
GP-Simulator Power Level Calibration
We adjusted the USRP output power level and set the RF path attenuation:
In conclusion, the power level error on M8T module antenna port did not exceed 0.5 dB:
UBLOX M8T Configuration
We utilized U-Center to configure the GNSS module and made the following settings:
- Used GNSS constellations – GPS, Galileo, and GLONASS
- Interference monitoring – Enable
The receiver detected about 10 GPS, 8 Galileo, and 10 GLONASS genuine satellites:
Experiment #1 - Asynchronous Spoofing Attack
The purpose of this experiment is to discover the conditions the embedded spoofing detection flag would trigger. We simulated a GPS signal with a large power level and improper correlation peak position. Learn more about spoofing attack scenarios in our article.
We utilized current ephemeris and almanac data from:
Run the generation with output power level -80 dBm:
The receiver detected the counterfeit satellite signals but did not use it. Spoofing detection flag showed OK:
Increase output power level to -50 dBm:
Although the signal power was anomalously high, the spoofing detection flag was not functioning. Nevertheless, the good news is that the receiver did not use false signals.
Let’s turn on the jammer to suppress the signals from the authentic Galileo and GLONASS satellites:
One minute later the receiver switched to the fake signals. The spoofing detection flag is still not working. We are observing a degradation in coordinate accuracy due to USRP’s GPSDO drift.
The PPS phase has been shifted:
To show that the receiver was locked to the counterfeit signal, we set the relative power of the satellites to minus 10 dB in steps:
Switch the jammer off.
The receiver recognized the original satellites but did not use it. The genuine signals were perceived as counterfeit!
Set the spoofer output level to -120 dBm:
The receiver still did not utilize genuine GLONASS and Galileo signals:
15 seconds after the spoofer was turned off, the receiver switched to the authentic signals. The PPS phase has taken its place.
Experiment #2 - Synchronous Spoofing Attack
In this experiment, we wanted to understand how the receiver would perform under a synchronous attack. In the first step, we generated a signal that mimics a genuine one with overpowering in 20 dB. Then we added 500 ns offset.
The receiver was configured the same way as in the previous experiment.
When a synchronous attack was launched, the receiver switched to a bogus signal at once. This transpired because of the increased SNR of the GPS satellites. On the oscilloscope, we observed the PPS phase shift by 250 ns due to low USRP GPSDO time accuracy.
500 ns offset
After thirty seconds, the signal phase began to move at a sluggish pace. Although the module reveals that it uses satellites from three navigation systems, the PPS phase only follows the GPS. Three minutes later after offset adding, the PPS offset was about 900 ns. This overjump might be related to the transients in the Kalman filter due to a severe time shift.
Conclusion
1. During the experiments, we could not realize conditions to trigger an embedded spoofing detection flag. A UBLOX support team provided the following explanation:
-The spoofing detection feature monitors the GNSS signals for suspicious patterns indicating that the receiver is being spoofed.
-A flag in UBX-NAV-STATUS message (flags2 – spoofDetState) alerts the user to potential spoofing.
-The spoofing detection feature monitors suspicious changes in the GNSS signal indicating external manipulation.
-Therefore the detection is only successful when the signal is genuine first and when the transition to the spoofed signal is being observed directly.
-When a receiver is started up to a spoofed signal the detection algorithms will be unable to recognize the spoofing.
-Also, the algorithms rely on availability of signals from multiple GNSS.
-In general the receiver will look for inconsistencies in signal strength and SV positioning across all the received constellations to make a judgement on spoofing.An additional point is that M8 products are not our latest generation of products. 9th generation products are already on the market.
Therefore, I consider we have met all the necessary conditions for the success of the embedded spoofing detection algorithms. However, for some reason, we did not see it working successfully. In the next experiment, we will try to test the 9th generation module.
2. Under a synchronous attack, the receiver was following the shifted counterfeit GPS signal. It appear as if the M8T module uses GPS constellation as a reference and does not take into account other systems!
Disclaimer
In this study, we made no attempt to discredit UBLOX’s products. Some vendors of time servers’ rely on spoofing detection aptitude of the M8T module. We only wanted to discover how it performs.
Although we have not been able to create conditions for the effective triggering of the spoofing detection flag, we are not claiming that the algorithms do not work. We hope to get detailed comments from the UBLOX’s support team or the professional community.
