"A common type of GNSS spoofing is called a “carry-off attack” - which is done by broadcasting signals that are synchronized with legitimate signals observed by the targeted receiver."
GNSS systems are everywhere. They power nearly every aspect of our day-to-day lives, from navigation to communications, and we rely more on the technology every day. The problem is that while these systems are highly effective in powering processes, they are vulnerable to different types of interference, which can be used in a manner that threatens public safety and even national security.
While you've likely heard about the more common type of GNSS interference (jamming), one specific type of interference is being considered the new threat to civilian industries and the military... GNSS Spoofing.
Can GNSS be spoofed? We cover that question and more below to give you a well-rounded understanding of how it works and why it's a threat to people, processes, and more.
What is GNSS Spoofing?
GNSS spoofing (GNSS/GPS spoofing) is carried out by transmitting local RF signals that are coded to trick a GNSS receiver into thinking that it's somewhere it is not (false position fix), at a different point in time (false clock offset), or both.
It's also possible to rebroadcast genuine GNSS signals from other locations or times and pass them along to a target receiver.
There are numerous applications for GNSS spoofing. Spoofing a GNSS signal could lead a cargo vessel into pirated waters or make a military drone run a course in the wrong direction, for example.
How Does GNSS Spoofing Work?
Different methods are used to spoof GNSS signals, but two of the most common are modifying existing GNSS signals (Carry-Off) or intercepting and rebroadcasting signals (Meaconing).
Even a cheap Software Defined Radio (SDR) can make a smartphone using GNSS believe that it's in the middle of the ocean, for example, when, in fact, it is in landlocked Nebraska.
Carry-Off Attacks
A common type of GNSS spoofing is called a “carry-off attack” - which is done by broadcasting fake signals that are synchronized with legitimate signals seen by the targeted GNSS receiver.
Once tracked by the targeted receiver, the false signal can be amplified to a higher power level, which is then preferred by the receiver.
After the receiver picks up the spoofed signal, the timing location can be slowly dragged into a false range based on the objective of the spoofing attack. The image below illustrates the sequence of steps that make it possible for a receiver to capture a false signal and then slowly drag it into a false position.
The spoofer is represented by the black dash-dotted curve.
The sum of the spoofer and the true tracking points are represented with the blue solid line.
The receiver tracking points are represented by the red dots.
Source: Radio Navigation Lab (University of Texas at Austin)
Meaconing
Meaconing, on the other hand, describes a spoofing attack with re-transmitted GNSS signals, which does not require costly or advanced technology.
To execute this, a navigation signal is intercepted and rebroadcasted on the received frequency using a higher power than the initial signal.
A GNSS repeater can be another source of a meaconing attack.
GNSS repeaters are found in places like airport hangars so that GNSS signals can be received indoors, and when the power level of a repeater is increased intentionally or unintentionally, it could lead to a false position.
Indicators of GNSS Spoofing
There are some pretty clear indicators of GNSS spoofing, and by knowing what they are and when they pose a threat, it's easier to mitigate spoofing incidences or even locate the spoofing source.
Value Jumps
Both spoofed and valid GNSS signals can be received by a GNSS receiver at the same time. When the receiver is tricked by false GNSS signals, range measurements will change rapidly to the new false values.
It is not possible to have these changes with legitimate GNSS signals, so the rapid value changes are almost always an indication of interference.
Time Stamp Anomalies
Satellite data streams can also show discontinuities when the GNSS receiver switches from tracking the legitimate signal to the fake one, and equally so for time indication.
Discontinuities are easily detected during a playback or meaconing attack, as the time stamp jumps backward when the replay begins.
Doppler Shifts
A Doppler shift describes a change in the wavelength of radio waves in relation to the observer (the receiver, in this case), who is in motion relative to the source of the radio waves.
Radio waves and sound waves both experience Doppler shifts in the same way, depending on how the GNSS satellites and receivers are moving. So, a Doppler shift from an object’s motion is the same for all GNSS satellite signals, as they all come from the same direction.
The uniformity of these shifts provides a method for indication of GNSS spoofing, as anomalies in Doppler shifts can often indicate a spoofing attack.
Receiver Autonomous Integrity Monitoring (RAIM)
GNSS receivers equipped with RAIM at the pseudo range level have a built-in defense against spoofing attacks. These receivers are able to detect spoofing from basic spoofing devices when a set of five or more inconsistent pseudoranges are observed.
*The pseudorange is the distance between a satellite at the time of GNSS signal transmission and the GNSS receiver at the time of reception.
Real-World Instances of GNSS Spoofing
Here are a few examples of how GNSS spoofing can affect both maritime and aviation operations and put both the crews and the public in danger.
Trading Sanctioned Venezuelan Oil
In 2022, Spire Global used its small-satellite constellation in LEO to help uncover an instance of GNSS spoofing at sea.
In this scenario, the Symphony Freedom, an oil tanker tracking navigational data around the horn of South Africa, was suspected of spoofing its position. Since the ship was suspected of spoofing its position, Spire decided to use Radio Frequency (RF) emissions data to see if the AIS tracks were valid.
Upon inspection of the data, Spire determined that the ship was not moving in the route plotted by AIS but, instead, had transited from the horn of South Africa to an oil terminal in Venezuela. The ship was, in fact, later identified at a port loading sanctioned Venezuelan crude via satellite imagery.
Using Spire's historical database of AIS and RF emissions data, Spire also determined that around 250 other vessels had taken the same route over the past week - all of which were likely attempting to disguise their navigational routes to load and trade sanctioned oil from Venezuela.
Aircraft Spoofing Near Turkey and Iraq
In another instance of known GNSS spoofing in September 2023, a flight operating from Europe to Qatar experienced severe interference.
The flight, traveling through airspace in both Turkey and Iraq, first experienced minor jamming in Turkish airspace. As the flight got closer to the border of Iraq, it lost both of its GPS sensors - continuing on its route using backup navigational inputs in the Inertia Reference System (IRS).
Once the aircraft was north of Baghdad, the crew lost all aspects of the navigational systems, and the IRS indicated that the aircraft had drifted approximately 80 miles off track. Further, the avionics were showing a ground speed of 0MPH - which simply wasn't possible.
In the end, the flight had to complete its route without reliable navigation. While this particular flight arrived without incident, it is a great example of how spoofing attacks can completely interrupt navigation and put an operation at risk.