GNSS / GPS spoofing is a form of cyber attack
GNSS or GPS spoofing is a form of cyber attack in which an attacker uses false navigation messages that are so similar to the original that the navigation receiver trusts the information and its origin.
In a spoofing attack on a navigation system, the receiver is supplied with false GPS/GNSS signals in addition to the real ones.
Depending on the strength of the spoofed signals, the receiver either continues to use the real GPS/GNSS signals or uses some or all of the spoofed signals to determine its position or calculate the time. This can be used to change the routes of vehicles, ships or aeroplanes. False time information in data networks opens up attack opportunities for hackers.
GNSS spoofing attacks used to be very rare, but have become increasingly common in recent years with the advent of software-defined radios (SDR). So far, most receivers are not protected. Therefore, most navigation systems will not recognise a spoofing attack and will navigate with the spoofed signals as if they were real.
What is Spoofing?
Spoofing (imitation, forgery, fraud) refers to an attack by criminals who feign a (false) trustworthy identity in order to persuade their victim to take actions that give them an advantage.
Examples include forged email senders, the grandchild trick by phone or WhatsApp, but also hacking into computers or networks by faking trustworthy IPs.
What types of GNSS spoofing are there?
Meaconing
Meaconing involves the re-transmission of genuine GPS/GNSS signals, resulting in the calculation of a false position. Meaconing is the only type of spoofing that can occur accidentally and without intention, for example when a GPS repeater is used to test navigation equipment without adequate shielding from the environment. This happened at Hanover Airport in 2010 when a hangar door was left open and a GPS repeater was active inside, emitting GPS signals at a high power of -60 dB. Aircraft on the runway were warned of ground proximity during take-off and landing, and some reported positions in the hangar.
Code Carrier Attack
In a code carrier attack, false GPS/GNSS signals are generated using a simulator or software-defined radio and matched as closely as possible to the real signals. In a second step, their signal strength is increased to make the receiver adjust to the false signals. In a third step, the fake signals are altered so that they differ from the real ones, and this is where the deception begins.
Spoofing the navigation message
Spoofing the navigation message involves changing the satellite signal data. This can be done with a software-defined radio, at a different point in the transmission or directly at message level.
This attack can cause gross errors or a total failure of the receiver's PVT (position, velocity, timing) calculation and provide a point of attack for a Denial of Service (DoS) attack.
Multi-method attacks
Last but not least, there is the possibility of multi-method attacks.
What are the targets of GNSS spoofing?
For some years now, spoofing and jamming have been recognised as a serious threat to reliable GPS/GNSS (Global Navigation Satellite Systems) positioning, navigation and timing (PNT). Robust PNT is essential for a number of critical infrastructures.
GNSS spoofing attacks can have a variety of targets, including:
influencing the navigation of ships and boats
the control of aircraft and drones
the control of civilian or industrially deployed semi-autonomous or autonomous vehicles
the control and navigation of vehicles in emergency services and disaster control
hacking financial institutions or data centres
causing blackouts in power grids
disrupting the operation of government and military facilities
How can you protect yourself from GPS spoofing attacks?
Monitoring the GNSS receiver environment
A GNSS interference detection system monitors critical environments such as airports or banks, and can detect, report and analyse interference to the GNSS signal. This makes it possible to switch to alternative navigation services or time sources if interference signals occur.
Some of these capabilities can also be integrated into GNSS receivers.
Upgrading the GNSS receiver
Multi GNSS use
A GNSS receiver becomes more resistant to attacks if the satellite signals of several systems can be received and analysed, for example not only GPS but also Galileo. Simultaneous spoofing of both satellite systems is less likely.
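One way to combine the monitoring and multi-GNSS ideas above, as an added example that is not part of the original page: it reads the per-constellation C/N0 values from NMEA 0183 GSV sentences and flags a constellation whose signal strength rises sharply (the power-raising step of a code carrier attack) while another constellation stays level. The function names, the 6 dB threshold, the three-epoch baseline and the sample sentences are assumptions made for this illustration.

```python
import re
from functools import reduce
from statistics import mean

def checksum(body):
    """NMEA 0183 checksum: XOR of all bytes between '$' and '*'."""
    return f"{reduce(lambda a, b: a ^ b, body.encode('ascii'), 0):02X}"

def parse_gsv(sentence):
    """Return (talker, [C/N0 in dB-Hz, ...]) for a valid GSV sentence, else None."""
    m = re.fullmatch(r"\$(([A-Z]{2})GSV,[^*]*)\*([0-9A-Fa-f]{2})", sentence.strip())
    if not m or checksum(m.group(1)) != m.group(3).upper():
        return None  # not a GSV sentence, or truncated / corrupted
    f = m.group(1).split(",")
    # Fields 4.. repeat (PRN, elevation, azimuth, C/N0); C/N0 is empty if untracked.
    cn0 = [int(f[i + 3]) for i in range(4, len(f) - 3, 4) if f[i + 3].isdigit()]
    return m.group(2), cn0

def detect_cn0_jumps(epochs, jump_db=6.0, baseline=3):
    """Flag (epoch, talker, rise_dB) when one constellation's mean C/N0 rises by
    jump_db over its recent baseline while another constellation stays level."""
    history, alerts = {}, []
    for idx, sentences in enumerate(epochs):
        now = {}
        for parsed in filter(None, map(parse_gsv, sentences)):
            now.setdefault(parsed[0], []).extend(parsed[1])
        now = {t: mean(v) for t, v in now.items() if v}
        rise = {t: m - mean(history[t][-baseline:]) for t, m in now.items()
                if len(history.get(t, [])) >= baseline}
        jumped = {t for t, d in rise.items() if d >= jump_db}
        reference_ok = len(rise) > len(jumped)  # some constellation did not jump
        for t, m in now.items():
            if t in jumped and reference_ok:
                alerts.append((idx, t, round(rise[t], 1)))  # baseline stays clean
            else:
                history.setdefault(t, []).append(m)
    return alerts

def gsv(talker, cn0s):
    """Build a constructed single-sentence GSV (max 4 satellites) for the demo."""
    body = f"{talker}GSV,1,1,{len(cn0s):02d}," + ",".join(
        f"{prn:02d},45,180,{c}" for prn, c in enumerate(cn0s, 1))
    return f"${body}*{checksum(body)}"

# Constructed input: 4 quiet seconds, then GPS (GP) rises 9 dB, Galileo (GA) steady.
QUIET = [gsv("GP", [41, 38, 44, 40]), gsv("GA", [40, 42, 39, 43])]
LOUD = [gsv("GP", [49, 50, 49, 51]), gsv("GA", [40, 42, 39, 43])]
SAMPLE = [QUIET] * 4 + [LOUD] * 2
print(detect_cn0_jumps(SAMPLE))
```

A rise seen on every constellation at once is not flagged here, because it is indistinguishable from an environmental change such as leaving a covered area; that case needs the other protections described in this section.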
Verification of GNSS signals - Galileo PRS and OSNMA
The American GPS system transmits more precise encrypted signals, which are reserved for the US military. There are also additional encrypted signals for the European Galileo system that cannot be falsified. Government-authorised users are given the opportunity to decrypt the Galileo PRS signals. Galileo OSNMA is available to all users. It embeds several encrypted sequences (keys) and signatures in the Galileo signals. This makes it easier for the receiver to recognise forgeries by the absence of the correct signature and by comparing different keys.
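A simplified model of the delayed key disclosure scheme (TESLA) that OSNMA is built on, added here as an illustration and not taken from the original page or the Galileo specification: each key is the hash of the next one, a message is tagged with a key that is only broadcast later, and the receiver checks the disclosed key against a trusted root before checking the tag. `make_chain`, `tag` and `Receiver` are hypothetical names; the real message layout, the time value mixed into each chain step and the signature check on the root key are omitted, and the root key is assumed to be already authenticated.

```python
import hashlib
import hmac

def make_chain(seed, length):
    """Sender: chain[0] is the root, chain[i] protects interval i, chain[-1] is seed."""
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain[::-1]

def tag(key, nav_data, nbytes=5):
    """Truncated HMAC-SHA-256 tag sent together with the navigation data."""
    return hmac.new(key, nav_data, hashlib.sha256).digest()[:nbytes]

class Receiver:
    def __init__(self, root_key):
        # Assumption: root_key was authenticated beforehand via its signature.
        self.trusted, self.index, self.pending = root_key, 0, {}
    def on_nav(self, interval, nav_data, mac):
        # Data arriving after its key was disclosed could be forged by anyone.
        if interval > self.index:
            self.pending[interval] = (nav_data, mac)
    def on_key(self, interval, key):
        """Check the disclosed key against the chain, then the buffered tag."""
        if interval <= self.index or interval not in self.pending:
            return "ignored"
        k = key
        for _ in range(interval - self.index):
            k = hashlib.sha256(k).digest()
        if not hmac.compare_digest(k, self.trusted):
            return "bad key"
        nav_data, mac = self.pending.pop(interval)
        self.trusted, self.index = key, interval
        ok = hmac.compare_digest(tag(key, nav_data), mac)
        return "authentic" if ok else "forged data"

def demo():
    """Constructed run: genuine message, altered data, then an unchained key."""
    chain = make_chain(b"constructed-seed", 3)
    rx, fake = Receiver(chain[0]), b"\x00" * 32
    rx.on_nav(1, b"eph A", tag(chain[1], b"eph A"))
    r1 = rx.on_key(1, chain[1])
    rx.on_nav(2, b"eph SPOOFED", tag(chain[2], b"eph B"))
    r2 = rx.on_key(2, chain[2])
    rx.on_nav(3, b"eph SPOOFED", tag(fake, b"eph SPOOFED"))
    r3 = rx.on_key(3, fake)
    return [r1, r2, r3]

print(demo())
```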
Use of CRPA antennas
CRPA stands for Controlled Reception Pattern Antenna. This type of antenna is used in GNSS receivers to improve the reception quality and reliability of satellite signals, especially in environments where signal interference can occur.
Testing the GNSS receiver
Extensive testing is required to develop a robust GNSS receiver. A GNSS simulator enables repeatable and well-documented laboratory tests. The simulator sends a real route with the actual GNSS signals to the receiver at a specific time and location. Intentional interference, for example spoofing attacks, is added to the scenarios. This makes it possible to test whether the GNSS receiver recognises the attack.