Brussels / 2 & 3 February 2019


Spoofing GPS

is it really the time we think it is, and are we really where we think we are?

Global Navigation Satellite System (GNSS) positioning has become ubiquitous in many daily activities, with the Global Positioning System (GPS) being the most common source of signals. Having previously analyzed the reception and decoding of such signals, we now address signal spoofing and develop some of the requirements on emitted signal power and stability for efficiently spoofing single-frequency GPS receivers, whether in mobile phones, cars or UAVs.

Initially designed as military positioning systems (NAVSTAR & GLONASS), Global Navigation Satellite Systems (GNSS), and the Global Positioning System (GPS) in particular, have become ubiquitous in almost everyone's life. Before being a localization system through triangulation of the signals received from the satellite constellation, GNSS is based on time transfer. As such, it is used in multiple industrial applications requiring time synchronization, whether for communication (mobile phone base stations), trading (stock exchange), or distributed sensor timestamping: a British study [1] estimates the cost of GNSS disruption (jamming) at 1 billion pounds (aka euros) per day, not to mention the impact of spoofing, in which the user might not even be aware that a false signal is being received. While GNSS spoofing, requiring multi-MHz bandwidth around a carrier frequency of 1575.42 MHz, used to be restricted to well-funded organizations, the advent of Software Defined Radio (SDR) emitters opens the opportunity for any motivated developer to create a spoofing device. We here demonstrate the use of Analog Devices' PlutoSDR for such a purpose, the need for an accurate local oscillator, the impact of the local oscillator frequency on the short-term (phase noise) and long-term (Allan deviation) frequency stability of the output signal, and the capability to move mobile phones, cars and even high-grade (UBlox) receivers to any location, assuming a few conditions are met (emitting signals mimicking the same satellites as those seen at a given time by the receiver, meaning not too far in space or time with respect to the real signal). Finally, we demonstrate shifting the timing output (1 PPS) of high-grade receivers by introducing erroneous time offsets in the messages transmitted by the spoofing signal.
We conclude with mitigation strategies, excluding multi-constellation approaches, which are only a matter of better spoofing capability, and focusing instead on physical signal characteristics that can hardly be spoofed from a single ground-based emitter.



Jean-Michel Friedt