>"We've learned how to perceive anomalies between legitimate GNSS signals and spoofed signals by researching the variations in the satellite signals protocol and recognizing the inter-relationships between signal parameters,"
Sounds like a cat and mouse game. It only works because current spoofers are doing it sloppily. It's only a matter of time before the bad guys get their hands on this and use it to eliminate any discrepancies that the spoofers have. It doesn't sound like they found something that can't be spoofed.
It seems that the GPS protocol is just too simple, and lacks proper security elements.
An article linked by the article contains an informative section "How GNSS spoofing works", [1]. Excerpt:
> Effectively, if you can transmit to a GPS receiver, you can speak GPS to it and it will trust you. There's no authentication process involved, and you might even be able to MacGyver together a working spoofing device out of a hacked $15 USB-to-VGA adapter. Granted, you could easily wind up with thousands of dollars in fines or even prison time for trying it—but in strictly technical terms, there's very little stopping you.
Yeah, the civilian signal has no cipher / integrity-checking. The military signals do have those (and it chirps at 10x the rate of the civilian signal).
Oh absolutely they do. That's why they reserve the right to turn off the civilian signals in an extreme time of war.
In reality would that happen? Probably not. There are multiple GNSS constellations these days, so just denying GPS is probably not a safe bet (you can buy civilian uBlox chips for <$50 that are tri-band...)
I love reading about the military aspect of GPS. It is really fascinating the use-cases they plan for. Hopefully they never actually are used in such an extreme scenario.
Dead reckoning and sensor fusion are the real answer. Over 20-year-old Etak patent:
"Based on the previous position of the object, the GPS derived position, the velocity, the DOP(dilution of precision) and the continuity of satellites for which data is received, the system determines whether the GPS data is reliable."
Wouldn't this be as simple as cross validating the almanac and noticing that the new satellite is not in the majority vote result?
You can even mark a safe set of ephemeris and almanac or just download it from internet, like many kinds of GPS software do.
You would have to spoof a whole constellation to break such a measure. And it could be strengthened by discarding signals from satellites that are too close, preventing the equivalent of a Sybil attack. So if you see doubled SATs, you can mark one or both of them as invalid.
Then you can also check ionosphere map and validate that signal distortion roughly matches the satellite reported location.
You can also limit the attack by hard capping relative orbital velocity and instantly rejecting that satellite which is unexpectedly too fast.
(You would have to again spoof a whole constellation, and if your target has correct ephemeris data it's all for nothing.)
Maybe I have guessed their solution in a few minutes...
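The checks proposed in this comment (cross-validating the broadcast ephemeris against a trusted almanac, marking doubled SVs or distinct PRNs at the same sky position, and a hard cap on line-of-sight velocity), written out as an added Python example that is not from the thread or any product. The thresholds and the tracked-SV sample are constructed assumptions; the sky positions come from the broadcast navigation message, so this detects altered nav data, not replayed authentic signals.

```python
import math
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not from the thread): a stationary L1 user never sees
# line-of-sight rates near 1 km/s, and two real SVs never sit within a few degrees of each other.
MAX_RANGE_RATE_MPS = 1000.0
MIN_SEPARATION_DEG = 3.0
ALMANAC_TOLERANCE_DEG = 5.0

@dataclass
class TrackedSV:
    prn: int
    az_deg: float          # sky position computed from the *broadcast* ephemeris in the nav message
    el_deg: float
    range_rate_mps: float  # line-of-sight velocity measured from Doppler

def angular_separation_deg(az1, el1, az2, el2):
    """Great-circle angle between two sky directions, in degrees."""
    az1, el1, az2, el2 = map(math.radians, (az1, el1, az2, el2))
    c = math.sin(el1) * math.sin(el2) + math.cos(el1) * math.cos(el2) * math.cos(az1 - az2)
    return math.degrees(math.acos(max(-1.0, min(1.0, c))))

def flag_suspect_svs(tracked, trusted_almanac):
    """Return {prn: [reasons]} for SVs failing the consistency checks.
    trusted_almanac maps prn -> (az_deg, el_deg) predicted from almanac data obtained out of band."""
    reasons = {}
    def flag(prn, why):
        reasons.setdefault(prn, []).append(why)
    seen = set()
    for sv in tracked:
        if sv.prn in seen:                      # doubled SV: mark the PRN invalid
            flag(sv.prn, "duplicate PRN")
        seen.add(sv.prn)
        if abs(sv.range_rate_mps) > MAX_RANGE_RATE_MPS:
            flag(sv.prn, "implausible range rate")
        pred = trusted_almanac.get(sv.prn)
        if pred is None:
            flag(sv.prn, "PRN not in trusted almanac")
        elif angular_separation_deg(sv.az_deg, sv.el_deg, *pred) > ALMANAC_TOLERANCE_DEG:
            flag(sv.prn, "broadcast position disagrees with trusted almanac")
    for i, a in enumerate(tracked):             # Sybil-style check: distinct PRNs, same sky spot
        for b in tracked[i + 1:]:
            if a.prn != b.prn and angular_separation_deg(a.az_deg, a.el_deg, b.az_deg, b.el_deg) < MIN_SEPARATION_DEG:
                flag(a.prn, "another PRN at same sky position")
                flag(b.prn, "another PRN at same sky position")
    return reasons

def demo():
    """Constructed sample: four trusted SVs and six tracked signals showing each kind of anomaly."""
    almanac = {3: (45.0, 30.0), 7: (120.0, 60.0), 12: (200.0, 45.0), 19: (300.0, 20.0)}
    tracked = [TrackedSV(3, 45.0, 30.0, -400.0), TrackedSV(7, 120.0, 60.0, 150.0),
               TrackedSV(7, 121.0, 59.0, 150.0), TrackedSV(12, 20.0, 45.0, 300.0),
               TrackedSV(19, 300.0, 20.0, 2500.0), TrackedSV(25, 46.0, 31.0, -400.0)]
    return flag_suspect_svs(tracked, almanac)
```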
You're generally not wrong, but the things you mentioned make assumptions about having a data connection (not typically the case for receivers of interest - power grid, military trying to operate without RF signature, etc), and there is also an engineering aspect to it: with a big power/data/computational/financial budget most problems can already be solved. Solutions that are practical for your phone or a budget receiver are lacking. Loosely organized to your points:
It depends on how the attack is carried out - there are data attacks and timing attacks (the article is generally terrible and has no info). In a data attack the navigation message is altered. Like you suggest this is easy to validate. Note though that most phones (and all new Android phones afaik - don't know about Apple) use assisted GPS, so they download navigation data anyways and a data attack would generally be ineffective. Timing attacks use authentic nav messages, but simulate signal arrival in an altered order, or replay previously recorded signals.
Whole constellation spoofing is not difficult anymore, especially for state actors who can carry out full-sky attacks. You have no real way beyond correlation/signal strength (which can be attenuated by an attacker) to tell how far away a signal source is, and if you only have a single (stationary) antenna you cannot tell the geometry either (i.e. if signals are coming from multiple sources as expected, or a single antenna).
Multipath is a huge problem, especially in receivers which have linearly polarized antennas like smartphones. Usually when a receiver tracks GPS signals it looks for the signal arriving first (because later signals would be multipath reflections). It is an expensive operation to track multiple occurrences of signals; high end receivers do though.
Ionospheric delay can fluctuate, so I don't think this would be very reliable. Also you seem to have a hidden assumption that you should know the true geometric range to the satellite, which is true for timing receivers.
Wrt velocity, you're not wrong, but it would take a "dumb" attacker to simulate something unrealistic.
Here is one way to find out if GPS is spoofed (can handle jammed as well): https://patents.google.com/patent/US20170090006A1/en - They show it using FM, but the method can be generalized to any terrestrial transmission system. Uses the beloved RTL-SDR.
I was involved in some GPS SDR research in university, and this is one of those conversations where I have reservations about participating both because of potential exporting of technology (hey guys, here are some GPS jamming tips!) and simply making doing nefarious things easier for people who found my comment. On another level it is unfortunate to feel and act suspicious and mistrusting.
I use a crappy antenna and I get a few meters, without any amplification. If it was going further I would use attenuators or a cage.
I have the SDR streaming satellite data for 5 min and it then restarts and retransmits again. That allows units on the assembly table to get a sat lock and pass the factory test.
Does it see the SDR as one satellite, or multiple? I guess you can just spoof as many satellites as you want, but wouldn't it be rather hard to spoof a position?
Not the OP, but it'd see it as multiple SVs. Basically you figure out what the range would be from the SVs to whatever location you want the things to think they're at, and put out all the signals to make that happen. Spoofing a single SV is pretty useless, you have to spoof at least enough of them to give you a position solution.
Cat and mouse indeed, but here we see that a GPS spoof can be detected and spoofs can be made more and more difficult to accomplish.
It will get down to a game of knowing the satellites better and better, in terms of their clocks, orbits, and drifts in those parameters. With the increasing precision of augmentation, spoofers will be hard pressed to keep up and precisely mimic more parameters.