Car Jammers: Interference Analysis

By Roland Bauernfeind, Thomas Kraus, Dominik Dötterböck, Bernd Eissfeller, Erwin Loehnert, and Elmar Wittmann

Open-field tests of jamming signals from widely available in-car jammers, measured with an experimental software receiver that records the intermediate frequency (IF) samples, enable a detailed analysis of interference effects from these looming threats.

In-car GNSS jammers, openly advertised online as personal protection devices, constitute the most serious threat of all the GNSS interference sources. Such jammers are relatively easy to purchase from abroad over the Internet and to operate by plugging into the cigarette lighter of a vehicle.

Their usage may be motivated by criminal intention such as disabling a vehicle theft-protection system, a fraud attempt against a distance-based road-user charging system or distance-based vehicle insurance, or by privacy concerns, to escape monitoring by a fleet-management or other tracking system. Since most current GNSS receivers carry a communication link, it is difficult to keep full control of the data flow. Further concerns arise from reports of companies storing user location data, as was the case with Apple. Concerns about privacy issues will grow with the widespread introduction of intelligent transport systems (ITSs), vehicles and transport infrastructure that apply information and communications technology to improve transportation efficiency, sustainability, and safety. The primary information source is GNSS for location enabled applications like eCall, a pan-European location based emergency call, which shall be in place and installed in every new car from 2015 on.

Cooperative ITSs, which are currently undergoing standardization, are transport systems that communicate their positions such that each vehicle has a virtual picture of the real world in its vicinity. The cooperative ITS network connects the vehicles with the transportation infrastructure. Vehicles establish a wireless vehicular ad-hoc network (VANET), based on their geographical position. In a VANET the position is communicated to be used at the application layer but is also required at the physical layer to enable geographical routing and addressing. This emerging vehicular communication is an enabling technology many novel and innovative driver assistance systems and location-based services. The result of using an in-car jammer is the complete destruction of GNSS signals not only in the vehicle it is operated in, but also within vehicles in the vicinity. This creates a serious threat to ITS’ future.

To counter the interference threat by in-car jammers, the University of Federal Armed Forces (FAF) Munich purchased some jammers offered online, for analysis in a laboratory environment and in open-field tests in the GAlileo TEst range (GATE). Measurements were taken with an experimental software receiver developed at the Institute of Space Technology and Space Applications. This receiver enables recording of intermediate frequency (IF) samples and detailed analysis of the interference effects on the receiver.

Jammer Interference Signals

First, we analyzed the purchased jammers shown in the Opening Photo. It is always better to understand the signal structure of undesired signals well, before starting development of applicable countermeasures and mitigation technologies. Therefore, the jammers were analyzed in the frequency domain with a spectrum analyzer, and the analyses were extended by a time-domain analysis by recording the signal with a software radio-defined card.

The first results showed that the majority of low-cost in-car jammers transmit a chirp signal with a bandwidth between 9.4 to 44.9 MHz in the E1/L1 band (other frequency bands haven’t been considered yet). The others are sine-wave oscillators with a 3-dB bandwidth of around 0.92 kHz and have a temperature-dependent center frequency around the Galileo/GPS center frequency, but they are not considered further in this article. Both jammer types belong to the category of narrowband interference, however the chirp jammers are much more effective in jamming the signal within the GNSS receivers.

The construction of an in-car jammer chirp signal is usually done by a voltage controlled oscillator (VCO) with an input voltage of a saw-tooth function. In general, it is a sine function with a frequency change over time, which can be described by

 (1)

For a unidirectional linear chirp signal the instantaneous frequency f(t) varies linearly over time as

 (2)

where f₀ is the starting frequency and k is the chirp rate. The amplitude a(t) is usually constant. The corresponding time domain function for a sinusoidal unidirectional linear chirp is

. (3)

All in-car chirp jammers are linear with a positive uni- or bidirectional sweep. The negative slope is so high that we can neglect them for modeling and can describe jammer 1 with the equation (3)

. (4)

T_sw = sweep time.

The frequency spectrum of jammer 1 and jammer 3 is given in Figure 1 and Figure 4, respectively, where we can extract the bandwidth and the peak power from the graph. For measuring the peak power of the jammer it is important to take the max-function mode of the spectrum analyzer, because the internal sweep of the jammer and the spectrum analyzer is never synchronized. Table 1 shows the important parameters of the jammers.

Table 1. Chirp jammer parameters.

Figure 1. Power spectrum of jammer No. 1.

To get the timing information of the signal, the analysis must be done in the time-domain. Therefore, we converted the jammer signal into an intermediate frequency and recorded the signal with a SDR card. The further processing has been done with Matlab, where we could extract the frequency change over time for jammers 1, 2, and 3, given in Figure 2, Figure 3, and Figure 5, respectively. Finally, these functions are exactly the same, which were generated for the VCO within the jammers.

Figure 2. Frequency over time at jammer No. 1.

Figure 3. Frequency over time at jammer No. 2.

Figure 4. Power spectrum of jammer No. 3.

Figure 5. Frequency over time at jammer No. 3.

If we compare the jammers, we can see how the complexity increases from one to the other. For jammer 1, a standard saw-tooth generator with a rising slope has been used only for the input of the VCO. Jammer 2 uses two generators. Compared to jammer 1, a second saw-tooth generator with a falling slope and a four-times longer sweep time is added. In the most complex case, jammer 3, we find four generators in total. Jammer 3 causes a frequency burst every 1.12, 1.35, or 2.28 milliseconds. These frequency bursts can be seen also in the power spectrum in Figure 6.

Interference Tests in GATE

Various static and dynamic interference tests were performed in the Galileo Test Range (GATE) in Berchtes-gaden, Germany, where the impact of the jammer signals on both GPS and Galileo RF signals could be evaluated in a realistic manner. GATE is a unique outdoor test and development environment for Galileo and GPS satellite navigation. Consisting of eight virtual Galileo satellites located atop several mountains around the test area in Berchtesgaden, GATE provides a topology to support different testing scenarios. The Galileo signals are transmitted simultaneously on all three frequencies. E1, E5ab, and E6, compliant to the Galileo OS ICD specification. GATE’s virtual-satellite mode simulates a realistic moving Galileo satellite constellation and supports commercial Galileo receivers without any modification. Two monitoring stations within the test area receive and process these signals. A central processing facility steers and controls the signals transmitted.

Figure 6 gives an overview of the test range with its transmit and monitoring stations as well as the GATE central point. The interference tests with the GNSS jammers were performed in the area close to this central point.

With respect to the testing of RF jamming scenarios including GPS as well as real over-the-air Galileo signals in the GATE test area, some requirements have to be taken into account.

Transmission of any interference signals on the GPS and Galileo frequency bands requires an official license from the responsible authority in Germany (Bundesnetzagentur). An appropriate permission for trial radio transmission was available in the framework of the jamming tests. The disturbance of other GPS receivers in the vicinity has to be minimized in any case. Therefore the transmission power of the jammers must be limited so that a distinct impact on the GPS L1 signal reception is restricted to a radius of a few hundred meters at the most. Furthermore, the interference signal source must be placed at an adequate distance from the GATE monitoring station antennas in order not to affect the processing and steering process for the GATE signals.

Finally, in the case of performing GATE tests with a dynamic test user receiver, a severe degradation of the user reference position must be avoided. As the steering of GATE signals in the virtual-satellite mode is based on accurate and reliable user position information transferred in near-real-time to the GATE processing facility. a combined GPS-RTK and inertial measurement unit (IMU) solution is applied. Thanks to the use of the IMU, a GPS signal outage can be well compensated for a certain time period. In order to meet the GATE accuracy requirements, the jammer transmission was restricted to time intervals of about 30 seconds.

Ipex Software Receiver

The Institute of Space Technology and Applications PC-based Experimental Software Receiver (ipexSR) is a multi-frequency GNSS receiver realized completely in software (Visual C++/assembler), capable of tracking GPS and other GNSS signals in real time or post-processing.

For signal analysis, IF samples were recorded and analyzed in post-processing, using two front ends that can be operated in different modes depending on required frequency bands. For the interference analysis, only L1 was recorded with the front end parameters summarized in Table 2.

Table 2. Front-end parameters.

The front-end gain is set once for the measurement in the receiver’s configuration menu. The front end uses no automatic gain control. All the tracking loops settings can be set in the receiver’s configuration menu. For the phase lock loop (PLL), we used a non-coherent (Costas) dot-product discriminator and for the delay lock loop (DLL) an early-minus-late discriminator with the settings in Table 3.

Table 3. Tracking loop settings.

Jammer Effect on Receiver

To analyze the interference effect on the receiver, we took measurements with static receivers and different jammers approaching the receivers, starting from a distance of 1,200 meters. Both commercial receivers, capable of recording the carrier-to-noise density ratio, and the Ipex software receiver, capable of recording IF samples, were set up. Receiver antennas were mounted on the car roof. For jammer reference trajectory, we used an odometer with a GPS receiver providing initial position and reference time.

A measurement for the degradation in the receiver is the carrier-to-noise density ratio. The theoretical effective carrier-to-noise density ratio  is defined as

where Q is the spectral separation gain adjustment factor. While moving the jammer towards the receivers, the received interference power P_received(r) increases relative the distance according to the free-space loss as

where P_jammer is the jammer transmission power. Figures 7 to 10 give the C/N₀ degradation for the four different receivers interfered with by the three different jammers in respect to the distance. The measurements have been taken at different times so the undisturbed C/N₀ is varying.

Figure 7. Carrier-to-noise ratio for IpexSR.

Figure 8. Carrier-to-noise density ratio for BeeLine receiver.

Figure 9.Carrier-to-noise density ratio for NAVILoc receiver.

Figure 10. Carrier-to-noise density ratio for Garmin receiver.

Comparing the professional receivers with professional antenna to the mass-market receivers with patch antenna, it is evident that the professional receivers are interfered with at a later point but lose lock on the signal earlier.

The degradation of the C/N₀ for ipexSR compared with the theoretical curve as introduced before is given in Figure 11. The measured curves follow the theoretical one as long as the front end is not saturated. As soon as the front-end analog-to-digital converter (ADC) is saturated, it causes severe degradation of the signal which exceeds the pure degradation caused by the increased interference power until loss of lock on the signal.

Figure 11. Carrier-to-noise ratio for IpexSR (Jammer 1).

Saturation is caused because the amplitude of the received interference power exceeds the range of the ADC. The comparison between the theoretical and actual received signal strength in respect of distance for the measurements of jammer 1 is shown in Figure 12. With an effective jammer transmission power of –40 dBW, the curves show good alignment for the interval where the received interference power is noticeable above the noise floor, until the front
end goes into saturation and the received signal strength converges to an upper limit.

Figure 12. Received signal strength (Jammer 1).

Figure 13. Sample distribution over 8-bit ADC (Jammer 1).

The rising received interference power drives the IF samples to the outer limit of the ADC and changes the distribution of the IF samples over the bins of the ADC as shown in Figure 13. For these measurements, the gain of the front end was set to have the samples without interference distributed over all the ADC bins. This setting with low remaining dynamic range is optimal when no interference is present, whereas with interference the ADC goes immediately into saturation. The red line shows the distribution of the samples where 0.2 percent of the samples are at the outer boundary.

Figure 14. Punctual correlator output (Jammer 1).

Until saturation of the front end, the interference degrades the correlation process by raising the noise floor. When the dynamic range of the front end can no longer occupy the received interference power, the degradation by saturation dominates. For the undisturbed signal, all the signal power is in the I-channel as seen at the punctual correlator output in Figure 14. The correlation is degraded until loss of lock on the PLL occurs.

Degradation of the correlator output has a direct effect on the performance of the tracking loops and their discriminator outputs, as shown in Figure 15. The discriminator error rises until it is out of the discriminator function’s pull-in range. When the PLL error is outside the pull-in range, the tracking loop loses lock on the signal.

Figure 15. DLL and PLL discriminator outputs (Jammer 1).

The degradation of DLL performance causes a position error as shown in Figure 16.

The measurements show that currently available in-car jammers degrade the receiver performance in an radius of about 1 kilometer around the interference source and disable position determination within a radius of about 200 meters.

Interference Detection

Jammers constitute a serious threat to the future of intelligent transport systems. Their use is forbidden by law, and their illegal use must be prosecuted. To have awareness of the actual number of jammers in use requires deploying jammer detectors at dedicated points and recording interference events. Promising points for initial measurements would be highway interchanges or highly frequented border crossings. Reliable numbers on the actual use of GNSS jammers would be required to support government decision-making regarding further actions, and to support the final goal of an comprehensive GNSS interference monitoring network.

For the interference detection test, we recorded were recorded with five static receivers deployed in the GATE core area as shown in Figure 17, with jammer trajectory in red.

Detection of the interference source is based on monitoring the jammer-signal-to-noise ratio (JNR). To prosecute malicious intentional jamming, it is necessary to assign the detected interference signal to the jamming device. Therefore, the signal was analyzed in the time-frequency domain for the characteristic chirp signal of a jammer. The gain of the front end was set to the minimum so that the front end could cover high interference power levels

First, signals were recorded with the chirp jammer located at the central point. The jammer is located outside the car, with line-of-sight to position 1. The measurements at position 1 at about 200 meters from the jammer are shown in Figure 18. Short-time Fourier transformations of the signals in Figure 19 and Figure 20 clearly show the presence of the chirp signal.

Figure 18. JNR at Position 1.

Figure 19. STFT of Jammer 1 at Position 1.

Figure 20. STFT of Jammer 3 at Position 1.

For the second measurement, the jammer was used inside a car. The car started at position 1, where it switched on the jammer and drove along the main street, passing position 3. The car then turned and drove back the same way. The measured JNR at the five positions is illustrated in Figure 21.

Figure 21. JNR with jammer 1 moving.The resulting degradation in C/N₀ is presented for GPS PRN 9 in Figure 22 and for GATE PRN 46 in Figure 23. The measurements show that the jammer can be detected and identified within the distributed receiver network.

Figure 22. C/N0 of GPS PRN9 with jammer 1 moving.

Figure 23. C/N0 of GATE PRN46 with jammer 1 moving.

The next step in developing a comprehensive interference-monitoring network would be to have automotive GNSS receivers enabled to detect and report interference events. For this scenario, a jammer was operated in a moving car and measurements with the ipexSR driving in another car on the same road were made.

Both cars started at the same position. The pattern in Figure 24 corresponds to the following events. The jammer started first, followed by the receiver with a random car in between. After 170 seconds, the jammer parked at the roadside, and the receiver passed by, indicated by the single spike. At about 240 seconds, the receiver turned and passed by the parked jammer again, as indicated by the second spike at 310 seconds. After the receiver passed by the jammer, the jammer started again, approached the receiver from behind and overtook the receiver at 450 seconds.

During this measurement, neither of the two cars could track or re-acquire a signal. Reporting of the loss of lock on all satellites could therfore be used for a coarse localization of jammers.

Figure 24. JNR in a traffic environment with jammer 1.

Conclusion

The analysis has shown that the interference range of a jammer is very dependent on the receiver architecture. In every scenario, the jammers had severe effects. After detecting interference events, the next step is to mitigate their effect within the receiver. Mitigation techniques based on time-frequency transformations like short-time Fourier transform or wavelet packets are envisaged. With the ipexSR IF Sample API, Figure 25, it is possible to implement and test these algorithms in real time.

Figure 25. IF sample API.

Also the possibility of localizing the interference source based on the JNR and C/N₀ measurements will be e
valuated.

Steps against the use of in-car jammers must be taken. To prosecute the use of jammers, detector units must be deployed. This would also help to gather reliable numbers on the use of jammers and would support and justify future actions. Clearly, degrading the integrity of GNSS positioning is a threat for all safety-relevant ITS applications. Therefore, avoidance and mitigation of interference signals should be subject of safety-related vehicular communication, and its standards should be able to handle this in the same way as other safety-related issues. We propose discussion of the GNSS jammer threat within the working groups for cooperative ITS standardization: GNSS interference should be handled in the same way as any other road hazard.

Acknowledgments

These results were developed during the InCarITS Project (Analysis, Detection and Mitigation of In-car GNSS Jammer Interference in Intelligent Transport Systems), founded by the Bundesministerium für Wirtschaft und Technologie and administered by the Project Management Agency for Aeronautics Research of the DLR in Bonn (FKZ 50 NA 1001).

Manufacturers

Jammers were analyzed with a Will’tek 9102B spectrum analyzer and signals recorded with a GE ICS-572B software-defined radio card. The two front ends were developed by Fraunhofer Gesellschaft (FhG). Receivers used for jamming testing were ipexSR with NovAtel GPS-704-X antenna and FhGIII front end, a NovAtel BEELINE with the same antenna, a NAVILock NL-302U Sirf3, and a Garmin GPSMap 76, the latter two both with patch antennae. Only the IpexSR was used for tests to locate jammers, using an FHGIII front end and NovAtel GPS 511 antenna (Position 1, 5), the same antenna with an FHGII front end (Position 2, 3), and an FHGIII front end with SensorSystems S67-1575-96 antenna (Position 4). The two-car driving test used the IpexSR with Novatel GPS-704-X antenna and FHGII front end. IFEN GmbH developed and installed the test range and is GATE operator at least until end of 2013.

Roland Bauernfeind works at the Institute of Space Technology and Space Applications at the University FAF Munich. He received a diploma in aerospace engineering from University of Stuttgart.

Thomas Kraus is a research associate of the Institute of Space Technology and Space Applications at University FAF Munich.

Dominik Dötterböck is a research associate of the Institute. He received his diploma in electrical engineering and information technology from Technical University Munich.

Bernd Eisfeller is director of the Institute of Space Technology and Space Applications at the University FAF Munich. He is responsible for teaching and research in the field of navigation and signal processing.

Erwin Loehnert received a diploma in aerospace engineering in from the Munich University of Technology. He is head of the Mobile Solutions department at IFEN GmbH, and GATE manager.

Elmar Wittman received a Dipl.-Ing. degree in geodesy from the Munich University of Technology. He works as a systems engineer in the field of GPS/Galileo satellite navigation for IFEN GmbH.