Testing susceptibility to GPS spoofing

Spoofing as it applies to GPS is an attempt to deceive a GPS receiver by broadcasting signals that the receiver will use instead of the live sky signals.

Spoofing is different from jamming. Jamming is easier for a receiver to detect, and while it can disrupt the receiver, it cannot relocate it. Spoofing can be used as an attack on systems that use GPS for navigation, or even for precise time transfer, to misguide a valuable asset for malicious intent.

We all would like to think that receivers should always indicate when something out of the ordinary is happening such as what would happen during a spoofing attack, but if the overall system using the receiver does not monitor or attempt to use any available indications, a spoofing attack may go undetected.

Understanding how a GPS application will respond in a spoofing attack is the key to detecting and mitigating the effects of spoofing. For example, it could be assumed by a navigation system designer that using multiple GNSS systems will prevent a spoofing attack consisting of only GPS. But how do you know, and before a potentially catastrophic event?

The Vulnerability Test System.

Vulnerability Test System

A vulnerability test system (VTS) can be used to understand how a system using a GPS receiver, and the overall system integration, will react to spoofing in order to develop mitigation techniques and countermeasures.

Understanding the behavior of the receiver when faced with a spoofing attack is key to hardening applications for resilient position, navigation and timing (PNT). Spectracom has developed a GPS/GNSS VTS, based on its GNSS RF simulator platform, to help understand the effects of intentional disruption of GPS signals.

In the case of a GPS spoofing scenario, the VTS allows full control over the synchronization between the spoofer and “virtual live sky,” their power levels and position variation in a completely closed system that won’t interfere with actual GNSS signals. The VTS consists of two GPS simulators, one simulating live sky and one representing the attempt of the spoofer. It also uses a synchronization unit, an RF combiner and a PC controller.

Architecture of the VTS.

Critical Test Parameters

Several parameters can be varied in the test system to help understand how vulnerable a specific receiver system is to a spoofing threat. Each of the most critical parameters — time, position and power level — can be manipulated independently, allowing the design of a comprehensive test plan.

Time. The timing accuracy of the spoofing signals to the live signals is the first critical parameter. Utilizing separate outputs from the VTS synchronization unit, the on-time point between the GPS RF generation can be varied. Two pulse-per-second signals are used as triggers to the GPS simulators, therefore creating the offset in time between the two RF signals. This offset is controllable to the nanosecond. Another time-related parameter to consider is the capture time — how long the spoofing signal is applied before attempting to redirect the receiver.

Position. We expect that for spoofing to be successful, the GPS position generated by the spoofer must be accurate to that of the receiver to be spoofed. But exactly how close does the spoofer need to be relative to the receiver’s position? The effect of position in the spoofing scenario is a parameter that can be adjusted to understand the extent of the vulnerability to spoofing.

Using two simulators instead of spoofing live sky makes it much easier to design and execute various test cases to understand the receiver’s susceptibility. The tests can be performed under varying motion trajectories of the receiver under test. For example, we can test if or when the spoofer can anticipate motion or changes in direction. Practically, spoofers are required to be positionally accurate to successfully take control over a receiver, which means spoofing is even harder when in motion.

But to what extent? Testing is the only way to answer the question.

Critical parameters for testing vulnerabilities to spoofing.

Power. The spoofing signal needs to be slightly greater than the live signal to capture the receiver. The test system allows full control of the power levels to determine how much greater the power should be. Too much power will jam the receiver. The test system can determine if there are any indicators given by the receiver when a signal only a few decibels higher than the transmitted signal is received.

Testing Multi-GNSS

Adding multi-GNSS constellations to the GPS application is a valuable tool in hardening systems. The VTS can test GPS with various combinations of other GNSS systems (GPS, QZSS, BeiDou, Galileo, GLONASS) to understand if multi-GNSS is an effective method to overcome spoofing attacks. As attackers get more sophisticated, spoofing will probably not be limited to GPS.

Many other signals and references have been used as a complement to GPS in navigation applications. It is expected that these can also be used to harden receiver systems. However, the complexities of these systems can be difficult to test in a laboratory. For those with the proper safeguards and approvals to emit GPS-like signals in a test-range setting, the VTS can add features to synchronize to live sky and accept input from a vehicle-detection and tracking system.

In the United States, the consideration of such testing would only occur after significant coordination between the Department of Defense, the Coast Guard, the Federal Communications Commission, the Federal Aviation Administration, and others.

Conclusion

A GNSS VTS allows for comprehensive characterization through systematic, repeatable tests of receiver performance in the presence of a spoofer. By designing detection and mitigation actions into a navigation application, it may be possible to identify and even overcome risks of a spoofing attack.

Monitoring loss of lock, receiver noise, using an inertial navigation system, and estimated position error are possible parameters to observe, but each receiver may report different indications. More test cases can be created and performed using a VTS to fully characterize a receiver and how it will respond to a spoofing attack.