Spirent’s SimSAFE Fights Signal Vulnerability
By Tracy Cozzens
Spirent Communications now offers SimSAFE, a software solution that simulates legitimate GNSS constellations along with spoofed or hoax signals to evaluate receiver resilience and help develop counter measures.
Hoax or spoofing attacks work by mimicking genuine GNSS signals, which mislead GNSS receivers. The military and critical infrastructure — such as wireless networks, banking, and utilities — are especially interested in being able to detect and reject spoofing attacks.
“GNSS signal vulnerability is becoming a significant issue,” said John Pottle, marketing director of Spirent’s Positioning Division. “The industry is beginning to talk more about vulnerability and how we actually think about categorizing the threat — what approaches are there to evaluate performance in the presence of interference signals? If you’re a developer, what approaches are there to clean up your performance? You’ll see us at Spirent being quite a bit more vocal about these areas in the coming months.”
SimSAFE was developed in conjunction with Qascom, a small organization of half a dozen GNSS signal security and authentication experts headed by Oscar Pozzobon, who served as the chief solutions architect for SimSAFE. Pozzobon contributed his knowledge of GNSS security and vulnerabilities, which were then integrated into the SimSAFE system.
SimSAFE provides a means of emulating a spoofing attack, and then monitoring a receiver under attack to evaluate mitigation strategies and countermeasures.
“SimSAFE really gets into details on how a receiver reacts in the presence of the hoax signals,” Pottle said. “By really understanding that, really getting into how is the receiver is acting and reacting, you can understand better how your receiver is likely to behave, and tune it up.”
The SimSAFE laboratory-based test solution is fully controllable, so that users can evaluate a receiver’s response to a wide range of spoofing attacks. As Pottle put it, when fed both authentic and spoofed signals, “What’s the receiver going to see? It’s going to see the authentic signals, it’s going to see a couple of spoofed signals. And you can play around with the spoofed signals — that’s the controllable bit. While this is happening, the detector module within SimSAFE monitors and reports the receiver’s response to the attacks. At its most simple, that’s the power of SimSAFE.”
SimSAFE is aimed not only at receiver developers, a core audience of Spirent’s, but at anyone trying to build a system that may be subject to intentional interference, such as in the military or critical infrastructure. “Those people are starting to ask questions about what should I be worried about? What kind of an attack might I be open to? How can I be sure, if I’ve got a choice of three or four receivers, that I’m going to choose one that meets my needs in terms of resilience to intentional interference?” Pottle said. “Our belief is that SimSAFE will allow people to evaluate different receivers and strategies for mitigating spoofing attacks, and therefore help them to build the right level of resilience in their systems.”
SimSAFE is available in two variants. SimSAFE Simulated uses the simulator for all signals, both satellite and spoofed, using one or more channels for the spoofed signal.
Instead of a simulator, SimSAFE Live pulls authentic signals from sky with an antenna, so the user has the full power of the simulator to generate a much broader range of spoofing attacks. “The clever bit is aligning the spoofed signal with the real signal, getting the timing and frequency synced up,” Pottle said.
Spirent is also working on other technologies to mitigate spoofing, including work with interference signals from ground-based transmitters, adaptive antenna lab-based tests, and integration with inertial sensors, such as in military jets.
Spectracom Begins Program for Application-Specific Testing
Spectracom has begun a program to develop robust application-specific testing solutions. The program fills what the company calls a technology and expertise gap in providing customers in a variety of industries the tools to perform more comprehensive qualification of their mission-critical systems. Examples of these industries include:
◾ multi-constellation (GPS, GLONASS, Galileo, BeiDou) simulation;
◾ integrated MEMs/INS testing;
◾ Interference detection and mitigation (IDM) verification;
◾ assisted-GNSS (A-GPS) validation,
◾ hardware-in-the-loop (HIL) testing for automotive applications;
◾ high-dynamic platform simulations for aerospace and defense (UAVs, UASs); and
◾ precision agriculture/surveying testing via RTK/differential measurements.
Today’s PNT applications combine data from a variety of receivers, sensors and other sources. Spectracom is designing its solutions to integrate simulated GNSS RF with all other data sources in the test system for true “hardware-in-the-loop” verification, the company said.
For instance, Spectracom’s new assisted-GNSS (A-GNSS) feature is designed to integrate with 3GPP/LTE testers to send “assistance data” directly to the device under test. The company takes a similar approach to testing RTK-enabled receivers with user-settable virtual base-station parameters.
Spectracom aims to ensure its customers have the ability to easily use GNSS simulation as part of a comprehensive PNT testing solution. “More testing in the lab enables faster time to market, at a reduced cost and increased reliability,” said Rohit Braggs, Spectracom director of marketing and strategy. Spectracom offers customers design and delivery of custom configurations and test systems unique to their applications, the company said.
IFEN Contract for Galileo Signal Test Bed
A contract to design and to deliver an advanced multi-GNSS constellation signal simulator and interface environment testbed was awarded by the European Space Agency (ESA) to IFEN GmbH in late 2013. The contract is concluded in the context of the Signal Test Bed activities of the European GNSS Evolution Programme.
In addition to addressing the second generation of Galileo, which is planned to provide higher accuracy and signal robustness, the GNSS Signal Test Bed will include the following capabilities:
◾ Flexible adaptability to all signal and message standards, whatever the future may bring.
◾ Extensive investigation of intentional signal interferences.
◾ Testing of GNSS signal performance in newly evolving standards.
◾ Generation of even more realistic test scenarios that include background and intentional interference.
◾ Refined scenarios of various distortions of GNSS signals.
Nine GNSS Frequencies in JAVAD TR-3
The 864-channel TRE-3 receiver from JAVAD GNSS can simultaneously access all current GNSS signals, with room to spare for multiple-channel tracking of select signals, according to the company. The new product offers:
◾ Three ultra wide-band (100 MHz) fast sampling and processing, programmable digital filters and superior dynamic range. After 12-bit digital conversion, nine separate digital filters are shaped for: GPS L1/Galileo E1, GPS L2, GPS L5/Galileo E5A, GLONASS L1, GLONASS L2, Galileo E5B/BeiDou B2/GLONASS L3, Galileo altBoc, Galilee E6/BeiDouB3/QZSS LEX, and BeiDou B1 bands.
◾ Each band consists of a combination of a digital cascaded integrator-comb (CIC) filter and a digital finite impulse response (FIR) filter (up to 60-th order) for signal selection.
◾ Two types of digital in-band anti-jamming filters (automatic 80th order and “user selectable” 256th order).
◾ Multiple channels to acquire and track each satellite signal. For example, 20 channels can be assigned to acquire the GPS L1 signal, each spaced one millisecond apart. Up to 5 channels can be assigned to track each signal, each with different filter parameters and tracking strategies. This supports acquiring and tracking weaker signals in difficult conditions, especially under trees and canopy — potentially using up to the 864 channels available in the receiver!
◾ 80 dB out-of-band interference rejections: high dynamic range of wide RF bands and highly rectangular digital filters make receiver more resistant to out-of-band jamming.
◾ High-speed high-dynamic automatic gain control (AGC) to respond to interferences and signal variations.
◾ Programmable filter width.
◾ Highly stable digital filters.
◾ Improved GLONASS inter-channel bias performance.
◾ New multipath rejection technique.
◾ 60-MHZ-wide Galileo altBoc band takes full advantage of this signal.
◾ 864 GNSS channels allow tracking all current and future satellite signals.
◾ Three wide-band RF sections enable monitoring spectrums and interferences in three 100-MHz-wide bands.
◾ TRE-3 can track and decode the QZSS LEX signal messages.
◾ Features for time -transfer applications: In time sources where the zero crossing of the input frequency defines the exact moment of the time second, the receiver monitors zero crossings and accurately defines the moment of the time second. An external time interval measurement unit is not required to measure zero crossing and 1-PPS offset.
◾ Embedded calibrator measures phase and code delays of each of the nine bands in timing applications. External calibration is not required.
◾ Form, pin-out, and command compatible with TRE-G3T; uses 8-Watts.
Teleorbit Upgrades Simulation Environment
TeleOrbit’s software-based GNSS multi-system performance simulation environment GIPSIE has recently been upgraded to multi-frequency scenarios including both Galileo and GPS.
GIPSIE consists of two modules: the satellite constellation simulator (SCS) and the intermediate frequency simulator (IFS).
The SCS simulates the satellite orbits by using a sophisticated orbit integrator, including modeling of environmental parameters such as satellite clocks, transmit power, antenna patterns, ionosphere, and troposphere. The IFS generates digital intermediate frequency signals, including the simulation of a user-definable radio frequency front-end.
The addition of the new frequency bands and signals within the framework of GIPSIE allows simulating multi-system, multi-frequency scenarios (GPS L1/L2/L5 and Galileo E1/E5/E6) and real-time kinematic scenarios. Besides the civil/open signals, the added signals include a Galileo PRS-like signal as well as the unencrypted GPS P-Code.
Jamming. Studies have shown the threat of interfering signals to GNSS signals like jamming signals produced by so-called personal privacy devices. By adding a GNSS Interference Analysis Tool (GIAT) to GIPSIE, it is now possible to simulate these jammers on top of the GNSS signals. The jamming signals can be defined by the user and include a continuous wave jammer, a swept continuous wave jammer, and a frequency modulated jammer.
GIPSIE will also soon include the possibility to simulate micro-electro-mechanical sensors (MEMS) with a dedicated noise model and GLONASS and BeiDou constellations and signals.
Spectra Precision Receiver Uses Six GNSS
The new Spectra Precision SP80 GNSS receiver is designed for mainstream surveying and construction applications such as cadastral, topographic, control, stakeout, and network RTK. It features Z-Blade GNSS-centric technology running on a 240-channel 6G chipset and can use all six available GNSS systems (GPS, GLONASS, BeiDou, Galileo, QZSS, and SBAS). It can also be configured to use only selected constellations in an RTK solution (GPS-only, GLONASS-only, or BeiDou-only).The SP80 is compliant with the new RTCM 3.2 standard, including recently approved MSM RTCM messages, supporting all available GNSS corrections.
Its communication capabilities combine a 3.5G GSM/UMTS modem, Wi-Fi, and Bluetooth connectivity, and an optional transmit UHF radio. The receiver’s built-in Wi-Fi and 3.5G modem can provide an Internet connection for RTK corrections and also send SMS or e-mails with system alerts.
The SP80 features anti-theft technology to safeguard the receiver, and can detect if it is has been disturbed while in the field (for example, when operating as a GNSS base).
When the UHF transmit radio module is used, its UHF antenna remains protected inside the rugged rod, extending the radio range performance. It is powered with dual hot-swap batteries for typical all-day operation.
ST Chips Ready for eCall
STMicroelectronics has released its Teseo II single-chip satellite-tracking integrated circuit to the European Space Agency (ESA) and the European Commission Joint Research Center (JRC) for testing for eCall approval. The testing campaign is coordinated by the European GNSS Agency (GSA) as part of its effort to accelerate Galileo adoption.
The testing campaign supports the Galileo early operational services expected to go live at the end of 2014. The tests will also evaluate Teseo II compatibility with the European Geostationary Navigation Overlay Service (EGNOS) and with Galileo for the eCall in-vehicle system that automatically sends notification messages from vehicles involved in an accident. Beside static and dynamic test conditions, the testing plan foresees three different use cases, in systems for single-, dual-, and triple-constellation (GPS/Galileo/GLONASS) systems.
Jackson Offers Timing Reference
Jackson Labs’ new DROR-II is a 10-MHz/5-MHz/1-PPS GPS-disciplined, ruggedized atomic frequency and timing reference. The DROR-II has a cesium vapor atomic oscillator followed by a precision SC-cut crystal double-oven oscillator and an actively vibration-compensated VCXO oscillator, with emphasis on ultra low-phase-noise performance under extreme vibration and acceleration such as in aircraft, tracked vehicles, and wheeled vehicles.
DX-200 Combines GNSS, Optical
Sokkia Corporation has introduced the DX-200 to the North American market. When configured for hybrid positioning, the DX-200 uses both GNSS positioning and optical positioning data simultaneously. The standard system includes the DX, GRX2 GNSS receiver, and MESA large-screen tablet controller.
The DX-200 is designed for professionals looking for a mid-range, auto-pointing total station that can become a full-robotic instrument with a firmware upgrade. Advanced functionality such as hybrid positioning can be added to the robotic unit, making the DX-200 a versatile system for multiple applications. The remote allows for rapid prism search and lock up to 2,000 feet away.