
Knowing Your Place: The Implications Of GPS Spoofing And Jamming


Artificial satellites have transformed the world in many ways, not only by relaying communication and observing the planet in ways previously inconceivable, but also by enabling incredibly accurate navigation. A so-called global navigation satellite system (GNSS), or satnav for short, uses the data provided by satellites to pinpoint a position on the surface to within a few centimeters.

The US Global Positioning System (GPS) was the first GNSS, with satellites launched in 1978, albeit only available to civilians in a degraded accuracy mode. When full accuracy GPS was released to the public under the 1990s Clinton administration, it caused a surge in the uptake of satnav by the public, from fishing boats and merchant ships, to today’s navigation using nothing but a smartphone with its built-in GPS receiver.

Even so, there is a dark side to GNSS that expands beyond its military usage of guiding cruise missiles and kin to their target. This comes in the form of jamming and spoofing GNSS signals, which can hide illicit activities from monitoring systems and disrupt or disable an enemy’s systems during a war. Along with other forms of electronic warfare (EW), disrupting GNSS signals forms a potent weapon that can render the most modern avionics and drone technology useless.

With this in mind, how significant is the threat from GNSS spoofing in particular, and what are the ways that this can be detected or counteracted?

Ephemeral Positioning

GPS autonomous positioning using the satellite navigation solution (Credit: Jan van Sickle, GPS for Land Surveyors)

The basic concept of a GNSS is fairly straightforward: ground-based receivers listen for the signals from the satellites that are part of the specific GNSS constellation. Each GNSS satellite encodes a collection of information into this signal, which includes the position (ephemeris) of the satellite at a given time, as well as the local time on the satellite when the signal was sent.

By taking the signals from at least four of these satellites and applying the satellite navigation solution, the absolute position of the receiver can thus be determined. This uses the principle of trilateration (distance to a known point) rather than triangulation (using angles). As can be surmised, a potential issue here involves clock drift on the side of the receiver and the satellites. Perhaps less expected is that the travel speed of the signal is also heavily affected by the atmosphere, specifically the ionosphere.
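The four-satellite solution described above, as an added example that is not part of the original article: the receiver's clock offset is treated as a fourth unknown next to x, y and z, which is why at least four satellites are needed. The satellite coordinates, receiver position and 1 ms clock offset are constructed values, and the atmospheric delays discussed below are ignored.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def solve_linear(a, b):
    """Solve a small square system a*x = b by Gaussian elimination with pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def navigation_solution(sats, pseudoranges, iterations=10):
    """Gauss-Newton solve for [x, y, z, clock_bias_m] from four satellites.

    Model: pseudorange_i = |receiver - sat_i| + c * receiver_clock_offset."""
    est = [0.0, 0.0, 0.0, 0.0]  # start at Earth's centre with zero clock bias
    for _ in range(iterations):
        jac, resid = [], []
        for sat, rho in zip(sats, pseudoranges):
            rng = math.dist(est[:3], sat)
            jac.append([(est[i] - sat[i]) / rng for i in range(3)] + [1.0])
            resid.append(rho - (rng + est[3]))
        est = [e + d for e, d in zip(est, solve_linear(jac, resid))]
    return est

# Constructed sample (ECEF metres): four satellites near GPS orbital radius,
# a receiver on the Earth's surface, and a receiver clock that is 1 ms fast.
SATS = [(26_600_000.0, 0.0, 0.0), (18_000_000.0, 19_000_000.0, 3_000_000.0),
        (18_000_000.0, -12_000_000.0, 15_000_000.0),
        (17_000_000.0, -5_000_000.0, -19_000_000.0)]
TRUE_POS, TRUE_OFFSET_S = (6_371_000.0, 0.0, 0.0), 1e-3

def simulate_pseudoranges(pos, offset_s):
    """Pseudoranges the sample receiver would measure (no atmosphere, no noise)."""
    return [math.dist(pos, s) + C * offset_s for s in SATS]

if __name__ == "__main__":
    x, y, z, bias = navigation_solution(SATS, simulate_pseudoranges(TRUE_POS, TRUE_OFFSET_S))
    print(f"position=({x:.3f}, {y:.3f}, {z:.3f}) m  clock offset={bias / C * 1e3:.6f} ms")
```

A 1 ms clock error corresponds to roughly 300 km of apparent range, so solving for the offset alongside the position is what makes the fix usable at all.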

This part of the atmosphere changes in thickness and composition over the course of a day, and is heavily affected by exposure to the Sun’s radiation. As a result, part of the GNSS satellite’s message contains the required atmospheric correction parameters. Because of clock drift and the constant changes to the Earth’s atmospheric composition, each GNSS constellation has its own augmentation system. These generally consist of a combination of ground- and satellite-based systems that provide additional information that a receiver can use to adjust the GNSS information it has received.

For use with airplane navigation, for example, it is very common to have a ground-based augmentation system (GBAS) installed using fixed receivers. These GNSS receivers then broadcast correction parameters via the airport’s VHF communication system to airplanes, helping them navigate when they approach or depart the airport.

In addition to the GNSS satellites themselves, each GNSS constellation also has its own ground-based master controller station, from which updated information on atmospheric conditions is regularly uploaded to the satellites, along with time adjustments to compensate for the satellite’s onboard clock drift. This demonstrates that a GNSS constellation is a highly dynamic system which requires constant updates in order to function properly.

Where things get interesting, however, is when attempts are made to circumvent this system, either by jamming or actively spoofing the GNSS signals.

Jam Warfare

GNSS spoofing illustrated. (Credit: C4ADS)

The concept of jamming radio frequency communications is quite straightforward: simply broadcast on the frequencies you wish to jam with more power than the original transmitter is capable of. Since the GNSS signal is relatively faint, this makes it easy for a ground-based system to jam this signal. Of course, since loss of a GNSS satellite fix is a known issue, backup strategies for this scenario are common, and it’s also very noticeable due to the loss of communication from a satellite.

Spoofing is a lot more subtle than jamming, as well as more versatile. GNSS spoofing still involves overpowering the original signal, but where jamming is a denial of service (DoS) attack, spoofing is closer to a man-in-the-middle (MitM) attack: fake satellite signals are presented to the receiver as genuine, carrying spoofed parameters that cause the receiver to calculate a position that’s far away from where it actually is.

In a 2019 report by C4ADS (Center for Advanced Defense Studies) titled Above Us Only Stars – Exposing GPS spoofing in Russia and Syria, a number of observations are reported on where Russia has used GNSS spoofing, for a variety of reasons. An interesting and common use appears to be the spoofing of GNSS signals so that receivers think that they are located at a nearby airport. Presumably this would trigger the geofencing limitations in drones and similar, which would then refuse to take off. This could be useful during VIP visits as an anti-drone strategy, for example.

Less harmless is the military use, where during recent Russian and NATO exercises Norway and Finland reported severe GPS outages. This affected the public by limiting the navigation capacity of commercial airliners, and also disrupted the use of cellphone networks. Supposedly, in 2011 Iran used GPS spoofing to trick a Lockheed Martin RQ-170 drone into landing on one of its airfields, where it was subsequently captured. Similarly, there have been multiple occasions now where marine traffic has been disrupted due to faulty GPS data being fed to the automatic identification system (AIS).

As the 2019 C4ADS report notes, this has been reported by ships in the Black Sea on multiple occasions, and also in 2019 it was reported that an American container ship – the MV Manukai – noticed very strange behavior while at the port in Shanghai, China. According to its AIS screen, one ship was shown as moving in the same channel as the Manukai, before vanishing from the screen, then appearing at the dock, before appearing in the channel and so on. When the mystified captain picked up the binoculars and scanned for this ship, it was clearly stationary at the dock that entire time.

GNSS Hunting

GPS interference can be pinpointed based on this ring of false AIS positions. Approximately 200 meters in diameter, many of the positions in the ring had reported speeds near 31 knots (much faster than a normal vessel speed) and a course going counterclockwise around the circle. AIS data courtesy Global Fishing Watch / Orbcomm / Spire.

What’s mystifying about the GNSS spoofing as detected in Shanghai is that instead of it merely moving the calculated position to a nearby fixed point, what we see when we collate the wrong AIS data onto a map is that they form near-perfect circles. This is noted by both the MIT Technology Review article and a later article by SkyTruth.

What is interesting is that when using the anonymized route information from Strava in Shanghai, this same ‘circle spoofing’ could be observed, independent from the AIS information. Somehow it would seem that the spoofed data is constantly updated, to make it appear that the affected receiver is in motion, and travelling in this large circle.

Exactly how this is done, or why, is still unknown, with no major updates since the initial reporting in 2019. Whether the intent is to hide illicit activity, or whether it’s due to some kind of cyberhack or a glitch, nobody is entirely sure. Even independent from Iran, China and Russia, GPS-related location glitches keep happening.

Yet as a team from the University of Texas at Austin demonstrated back in 2013 using $2,000 worth of equipment and an $80 million yacht, spoofing GPS signals is relatively easy and straightforward. That demonstration was done nine years ago on a university budget, so it doesn’t take a lot of imagination to picture what is possible today, especially when upgraded to a nation-sized budget.

According to current reports, Russia is actively spoofing GPS data during the war in Ukraine, which would affect mostly private and commercial users. Whether the US military has additional backups in the case of spoofing and jamming attempts is naturally unknown, due to national security reasons. Even so, with the importance of GNSS today with navigation and so much more, it would seem pertinent to wonder whether spoofing can be detected or circumvented.

Knowing Is Half The Battle

In an analysis by Guy Buesnel, he notes that there are quite a few risks in the GNSS chain, not the least of which is faulty equipment, and sources of interference. Perhaps the most important lesson of the past years has been that solely relying on GNSS is risky, and that adding additional ways to determine one’s position is essential, as well as the ability to detect the act of spoofing.

This aspect of detecting and possibly circumventing spoofing is currently the topic of active research, as noted by e.g. Mark L. Psiaki, et al. in a recent paper. While there’s unlikely to be a silver bullet that will fix all ills and return GNSS to the infallible system that was promised to us by glossy flyers years ago, what we are likely to see in the coming time are better, more robust GNSS receivers. We’re already seeing that GNSS receivers built into smartphones can use multiple GNSS constellations, with the ability to use local WiFi networks and so on as augmentation.

Using fairly low-tech improvements it would be easy to detect many spoofing attacks, such as when one’s calculated location suddenly and dramatically changes, or when one’s calculated course does not match with the data provided by the augmentation system, cell towers, or other sources of location information.
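The two low-tech checks named above, as an added example that is not part of the original article: one flags a fix that implies an impossible speed since the previous fix, the other flags a fix that disagrees with an independent position source. The fix format, the thresholds and the sample track (a receiver whose GNSS position is briefly relocated about 33 km away) are constructed assumptions.

```python
import math

EARTH_R_M = 6_371_000.0  # mean Earth radius

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R_M * math.asin(math.sqrt(h))

def check_fixes(fixes, max_speed_mps=70.0, max_ref_error_m=500.0):
    """Return (t, reason) alerts for a time-ordered list of fixes.

    Each fix is (t_seconds, gnss_latlon, ref_latlon_or_None); ref is an
    independent estimate such as a cell-tower or Wi-Fi position.
    Both thresholds are assumptions to tune per platform."""
    alerts, prev = [], None
    for t, gnss, ref in fixes:
        if prev is not None and t > prev[0]:
            speed = haversine_m(prev[1], gnss) / (t - prev[0])
            if speed > max_speed_mps:  # moved faster than the platform can
                alerts.append((t, "jump"))
        if ref is not None and haversine_m(gnss, ref) > max_ref_error_m:
            alerts.append((t, "ref_mismatch"))  # GNSS disagrees with other source
        prev = (t, gnss)
    return alerts

# Constructed sample: a vehicle heading north at about 14.5 m/s, one fix every
# 10 s. At t=30 and t=40 the GNSS position sits at a fixed point far away,
# while the independent reference keeps tracking the real route.
SAMPLE_FIXES = [
    (0,  (60.0000, 25.0000), (60.0000, 25.0005)),
    (10, (60.0013, 25.0000), (60.0013, 25.0005)),
    (20, (60.0026, 25.0000), None),               # no reference available
    (30, (60.3000, 24.9600), (60.0039, 25.0005)),
    (40, (60.3000, 24.9600), (60.0052, 25.0005)),
    (50, (60.0065, 25.0000), (60.0065, 25.0005)),
]

if __name__ == "__main__":
    for alert in check_fixes(SAMPLE_FIXES):
        print(alert)
```

The jump check only fires on the transitions at t=30 and t=50; while the false position holds steady at t=40, only the comparison against the independent source still raises an alert.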

Even if GNSS isn’t the effortless panacea that many had assumed it to be, it is still a major navigational marvel, and a cornerstone of modern civilization that will continue to see improvements as it has since the first GPS satellite was launched. It just takes staying one step ahead of the meddling hackers.
