Global Navigation Satellite Systems (GNSS) provide ubiquitous precise localization and synchronization for a wide gamut of applications, spanning from location-based service to core industrial functionalities in communications and large infrastructure. Civilian use of GNSS relies on publicly available signals and infrastructure designed to operate at a high level of interoperability. Nevertheless, such systems proved to be vulnerable to voluntary and involuntary interference aiming to deny, modify, and falsify the GNSS-provided solution. This poses a significant threat to the robustness of satellite-based timing and localization. A decreasing entry threshold from the knowledge and tools accessibility perspective makes mounting such attacks feasible and effective even against low-value targets. In this work, this issue is targeted, with a practical approach, from three directions, by cross-checking the navigation solution with alternative providers of time, by localizing the interference source and characterizing it, and by relying on specific receiver dynamics to eliminate falsified signals. We discuss protection mechanisms targeting the consumer market based on available infrastructure or on sensing supported by sensors embedded in the GNSS-enabled platform itself. These efforts collectively aim to improve the robustness of consumer GNSS solutions, without modifying the GNSS receiver or the signal structure, to provide secure and reliable navigation and timing in an increasingly adversarial environment.

Globala system för satellitnavigering (eng. global navigation satellite systems, GNSS) tillhandahåller allestädes närvarande precis platsbestämning och synkronisering för ett brett spann av tillämpningar, från platsbaserade tjänster till industriella kärnfunktioner i kommunikation och stora infrastrukturer. Civil användning av GNSS förlitar sig på allmänt tillgängliga signaler och infrastruktur som är designad att användas på en hög nivå av interoperabilitet. Dessa system har visat sig sårbara för störningar som söker att neka, modifiera och falsifiera GNSS-lösningar. Detta utgör ett allvarligt hot mot tillförlitligheten av satellitbaserad tids- och platsbestämning. En sänkning av tröskeln för tillgängligheten av kunskap och verktyg gör det möjligt och effektivt att inleda sådana attacker, även mot lågvärdesmål. I detta verk angrips problemet praktiskt via tre tillvägagångssätt: genom dubbelkontroll av navigationslösningen med alternativa internettidsleverantörer, genom lokalisering av störningskällan och karaktärisera den, och genom att förlita sig på specifik mottagardynamik för att eliminera falsifierade signaler. Vi diskuterar skyddsmekanismer ämnade för konsumentmarknaden baserat på tillgänglig infrastruktur eller m.h.a. mätningar från inbyggda sensorer i GNSS-plattformen i sig. Dessa ansträngningar söker att gemensamt förbättra tillförlitligheten hos konsument GNSS-lösningar, utan att modifiera GNSS-mottagaren eller signalstrukturen, för att erbjuda säker ochpålitlig navigation och tid i en alltmer fientlig miljö

Global Navigation Satellite Systems (GNSS) are fundamental in ubiquitously providing position and time to a wide gamut of systems. Jamming remains a realistic threat in many deployment settings, civilian and tactical. Specifically, in Unmanned Aerial Vehicles (UAVs) sustained denial raises safety critical concerns. This work presents a strategy that allows detection, localization, and classification both in the frequency and time domain of interference signals harmful to navigation. A high-performance Vertical Take Off and Landing (VTOL) UAV with a single antenna and a commercial GNSS receiver is used to geolocate and characterize RF emitters at long range, to infer the navigation impairment. Raw IQ baseband snapshots from the GNSS receiver make the application of spectral correlation methods possible without extra software-defined radio payload, paving the way to spectrum identification and monitoring in airborne platforms, aiming at RF situational awareness. Live testing at Jammertest, in Norway, with portable, commercially available GNSS multi-band jammers demonstrates the ability to detect, localize, and characterize harmful interference. Our system pinpointed the position with an error of a few meters of the transmitter and the extent of the affected area at long range, without entering the denied zone. Additionally, further spectral content extraction is used to accurately identify the jammer frequency, bandwidth, and modulation scheme based on spectral correlation techniques.

Global Navigation Satellite Systems (GNSS) provide standalone precise navigation for a wide gamut of applications. Nevertheless, applications or systems such as unmanned vehicles (aerial or ground vehicles and surface vessels) generally require a much higher level of accuracy than those provided by standalone receivers. The most effective and economical way of achieving centimeter-level accuracy is to rely on corrections provided by fixed reference station receivers to improve the satellite ranging measurements. Differential GNSS (DGNSS) and Real Time Kinematics (RTK) provide centimeter-level accuracy by distributing online correction streams to connected nearby mobile receivers typically termed rovers. However, due to their static nature, reference stations are prime targets for GNSS attacks, both simplistic jamming and advanced spoofing, with different levels of adversarial control and complexity. Jamming the reference station would deny corrections and thus accuracy to the rovers. Spoofing the reference station would force it to distribute misleading corrections. As a result, all connected rovers using those corrections will be equally influenced by the adversary independently of their actual trajectory. We evaluate a battery of tests generated with an RF simulator to test the robustness of a common DGNSS/RTK processing library and receivers. We test both jamming and synchronized spoofing to demonstrate that adversarial action on the rover using reference spoofing is both effective and convenient from an adversarial perspective. Additionally, we discuss possible strategies based on existing countermeasures (self-validation of the PNT solution and monitoring of own clock drift) that the rover and the reference station can adopt to avoid using or distributing bogus corrections.

To safeguard Civilian Global Navigation Satellite Systems (GNSS) external information available to the platform encompassing the GNSS receiver can be used to detect attacks. Cross-checking the GNSS-provided time against alternative multiple trusted time sources can lead to attack detection aiming at controlling the GNSS receiver time. Leveraging external, network-connected secure time providers and onboard clock references, we achieve detection even under fine-grained time attacks. We provide an extensive evaluation of our multi-layered defense against adversaries mounting attacks against the GNSS receiver along with controlling the network link. We implement adversaries spanning from simplistic spoofers to advanced ones synchronized with the GNSS constellation. We demonstrate attack detection is possible in all tested cases (sharp discontinuity, smooth take-over, and coordinated network manipulation) without changes to the structure of the GNSS receiver. Leveraging the diversity of the reference time sources, detection of take-over time push as low as 150 μs is possible. Smooth take-overs forcing variations as low as 30 ns/s are also detected based on on-board precision oscillators. The method (and thus the evaluation) is largely agnostic to the satellite constellation and the attacker type, making time-based data validation of GNSS information compatible with existing receivers and readily deployable.

Global Navigation Satellite System (GNSS) receivers provide ubiquitous and precise position, navigation, and time (PNT) to a wide gamut of civilian and tactical infrastructures and devices. Due to the low GNSS received signal power, even low-power radiofrequency interference (RFI) sources are a serious threat to the GNSS integrity and availability. Nonetheless, RFI source localization is paramount yet hard, especially over large areas. Methods based on multi-rotor unmanned aerial vehicles (UAV) exist but are often limited by hovering time, and require specific antenna and detectors. In comparison, fixed-wing planes allow longer missions but are more complex to operate and deploy. A vertical take-off and landing (VTOL) UAV combines the positive aspects of both platforms: high maneuverability, and long mission time and, jointly with highly integrated control systems, simple operation and deployment. Building upon the flexibility allowed by such a platform, we propose a method that combines advanced flight dynamics with high-performance consumer receivers to detect interference over large areas, with minimal interaction with the operator. The proposed system can detect multiple interference sources and map their area of influence, gaining situational awareness of poor GNSS quality or denied environments. Furthermore, it can estimate the relative heading and position of the interference source within tens of meters. The proposed method is validated with real-life measurements, successfully mapping two interference-affected areas and exposing radio equipment causing involuntary in-band interference.

Civilian Global Navigation Satellite Systems (GNSS)vulnerabilities are a threat to a wide gamut of critical systems.GNSS receivers, as part of the encompassing platform, can leverage external information to detect GNSS attacks. Specifically, cross-checking the time produced by the GNSS receiver against multiple trusted time sources can provide robust and assuredPNT. In this work, we explore the combination of secure remote,network-based time providers and local precision oscillators. This multi-layered defense mechanism detects GNSS attacks that induce even small time offsets, including attacks mounted in cold start. Our system does not require any modification to the current structure of the GNSS receiver, it is agnostic to the satellite constellation and the attacker type. This makes time-based data validation of GNSS information compatible with existing receivers and readily deployable.

With the introduction of Navigation Message Authentication (NMA), future Global Navigation Satellite Systems (GNSSs) prevent spoofing by simulation, i.e., the generation of forged satellite signals based on publicly known information. However, authentication does not prevent record-and-replay attacks, commonly termed as meaconing. Meaconing attacks are less powerful in terms of adversarial control over the victim receiver location and time, but by acting at the signal level, they are not thwarted by NMA. This makes replaying/relaying attacks a significant threat for current and future GNSS. While there are numerous investigations on meaconing attacks, the vast majority does not rely on actual implementation and experimental evaluation in real-world settings. In this work, we contribute to the improvement of the experimental understanding of meaconing attacks. We design and implement a system capable of real-time, distributed, and mobile meaconing, built with off-the-shelf hardware. We extend from basic distributed meaconing attacks, with signals from different locations relayed over the Internet and replayed within range of the victim receiver(s). This basic attack form has high bandwidth requirements and thus depends on the quality of service of the available network to work. To overcome this limitation, we propose to replay on message level, i.e., to demodulate and re-generate signals before and after the transmission respectively (including the authentication part of the payload). The resultant reduced bandwidth enables the attacker to operate in mobile scenarios, as well as to replay signals from multiple GNSS constellations and/or bands simultaneously. Additionally, the attacker can delay individually selected satellite signals to potentially influence the victim position and time solution in a more fine-grained manner. Our versatile test-bench, enabling different types of replaying/relaying attacks, facilitates testing realistic scenarios towards new and improved replaying/relaying-focused countermeasures in GNSS receivers.

A wide gamut of important applications rely on global navigation satellite systems (GNSS) for precise time and positioning. Attackers dictating the GNSS receiver position and time solution are a significant risk, especially due to the inherent vulnerability of GNSS systems. A first line of defense, for a large number of receivers, is to rely on additional information obtained through the rich connectivity of GNSS enabled platforms. Network time can be used for direct validation of the GNSS receiver time; but this depends on network availability. To allow attack detection even when there are prolonged network disconnections, we present a method based on on-board ensemble of reference clocks. This allows the receiver to detect sophisticated attacks affecting the GNSS time solution, independently of the specific attack methodology. Results obtained with Chip-Scale Oven Compensated Oscillators (CS-OCXO) are promising and demonstrate the potential of embedded ensembles of reference clocks, detecting attacks causing modifications of the receiver time offset as low as 0.3 mus, with half the detection latency compared to related literature. 

To mitigate spoofing attacks targeting global navigation satellite systems (GNSS) receivers, one promising method is to rely on alternative time sources, such as network-based synchronization, in order to detect clock offset discrepancies caused by GNSS attacks. However, in case of no network connectivity, such validation references would not be available. A viable option is to rely on a local time reference; in particular, precision hardware clock ensembles of chip-scale thermally stable oscillators with extended holdover capabilities. We present a preliminary design and results towards a custom device capable of providing a stable reference, with smaller footprint and cost compared to traditional precision clocks. The system is fully compatible with existing receiver architecture, making this solution feasible for most industrial scenarios. Further integration with network-based synchronization can provide a complete time assurance system, with high short- and long-term stability. 

Global Navigation Satellite Systems (GNSSs) are ubiquitously relied upon for positioning and timing. Detection and prevention of attacks against GNSS have been researched over the last decades, but many of these attacks and countermeasures were evaluated based on simulation. This work contributes to the experimental investigation of GNSS vulnerabilities, implementing a relay/replay attack with off-the-shelf hardware. Operating at the signal level, this attack type is not hindered by cryptographically protected transmissions, such as Galileo's Open Service Navigation Message Authentication (OS-NMA). The attack we investigate involves two colluding adversaries, relaying signals over large distances, to effectively spoof a GNSS receiver. We demonstrate the attack using off-the-shelf hardware, we investigate the requirements for such successful colluding attacks, and how they can be enhanced, e.g., allowing for finer adversarial control over the victim receiver.