With the introduction of Navigation Message Authentication (NMA), future Global Navigation Satellite Systems (GNSSs) prevent spoofing by simulation, i.e., the generation of forged satellite signals based on publicly known information. However, authentication does not prevent record-and-replay attacks, commonly termed as meaconing. Meaconing attacks are less powerful in terms of adversarial control over the victim receiver location and time, but by acting at the signal level, they are not thwarted by NMA. This makes replaying/relaying attacks a significant threat for current and future GNSS. While there are numerous investigations on meaconing attacks, the vast majority does not rely on actual implementation and experimental evaluation in real-world settings. In this work, we contribute to the improvement of the experimental understanding of meaconing attacks. We design and implement a system capable of real-time, distributed, and mobile meaconing, built with off-the-shelf hardware. We extend from basic distributed meaconing attacks, with signals from different locations relayed over the Internet and replayed within range of the victim receiver(s). This basic attack form has high bandwidth requirements and thus depends on the quality of service of the available network to work. To overcome this limitation, we propose to replay on message level, i.e., to demodulate and re-generate signals before and after the transmission respectively (including the authentication part of the payload). The resultant reduced bandwidth enables the attacker to operate in mobile scenarios, as well as to replay signals from multiple GNSS constellations and/or bands simultaneously. Additionally, the attacker can delay individually selected satellite signals to potentially influence the victim position and time solution in a more fine-grained manner. Our versatile test-bench, enabling different types of replaying/relaying attacks, facilitates testing realistic scenarios towards new and improved replaying/relaying-focused countermeasures in GNSS receivers.

Global navigation satellite systems (GNSS) provide pervasive accurate positioning and timing services for a large gamut of applications, from Time based One-Time Passwords (TOPT), to power grid and cellular systems. However, there can be security concerns for the applications due to the vulnerability of GNSS. It is important to observe that GNSS receivers are components of platforms, in principle having rich connectivity to different network infrastructures. Of particular interest is the access to a variety of timing sources, as those can be used to validate GNSS-provided location and time. Therefore, we consider off-the-shelf platforms and how to detect if the GNSS receiver is attacked or not, by cross-checking the GNSS time and time from other available sources. First, we survey different technologies to analyze their availability, accuracy and trustworthiness for time synchronization. Then, we propose a validation approach for absolute and relative time. Moreover, we design a framework and experimental setup for the evaluation of the results. Attacks can be detected based on WiFi supplied time when the adversary shifts the GNSS provided time, more than 23.942 μs; with Network Time Protocol (NTP) supplied time when the adversary-induced shift is more than 2.046 ms. Consequently, the proposal significantly limits the capability of an adversary to manipulate the victim GNSS receiver.

Information cross-validation can be a powerful tool to detect manipulated, dubious GNSS data. A promising approach is to leverage time obtained over networks a mobile device can connect to, and detect discrepancies between the GNSS-provided time and the network time. The challenge lies in having reliably both accurate and trustworthy network time as the basis for the GNSS attack detection. Here, we provide a concrete proposal that leverages, together with the network time servers, the nearly ubiquitous IEEE 802.11 (Wi-Fi) infrastructure. Our framework supports application-layer, secure and robust real time broadcasting by Wi-Fi Access Points (APs), based on hash chains and infrequent digital signatures verification to minimize computational and communication overhead, allowing mobile nodes to efficiently obtain authenticated and rich time information as they roam. We pair this method with Network Time Security (NTS), for enhanced resilience through multiple sources, available, ideally, simultaneously. We analyze the performance of our scheme in a dedicated setup, gauging the overhead for authenticated time data (Wi-Fi timestamped beacons and NTS). The results show that it is possible to provide security for the external to GNSS time sources, with minimal overhead for authentication and integrity, even when the GNSS-equipped nodes are mobile, and thus have short interactions with the WiFi infrastructure and possibly intermittent Internet connectivity, as well as limited resources.

To mitigate spoofing attacks targeting global navigation satellite systems (GNSS) receivers, one promising method is to rely on alternative time sources, such as network-based synchronization, in order to detect clock offset discrepancies caused by GNSS attacks. However, in case of no network connectivity, such validation references would not be available. A viable option is to rely on a local time reference; in particular, precision hardware clock ensembles of chip-scale thermally stable oscillators with extended holdover capabilities. We present a preliminary design and results towards a custom device capable of providing a stable reference, with smaller footprint and cost compared to traditional precision clocks. The system is fully compatible with existing receiver architecture, making this solution feasible for most industrial scenarios. Further integration with network-based synchronization can provide a complete time assurance system, with high short- and long-term stability. 

A wide gamut of important applications rely on global navigation satellite systems (GNSS) for precise time and positioning. Attackers dictating the GNSS receiver position and time solution are a significant risk, especially due to the inherent vulnerability of GNSS systems. A first line of defense, for a large number of receivers, is to rely on additional information obtained through the rich connectivity of GNSS enabled platforms. Network time can be used for direct validation of the GNSS receiver time; but this depends on network availability. To allow attack detection even when there are prolonged network disconnections, we present a method based on on-board ensemble of reference clocks. This allows the receiver to detect sophisticated attacks affecting the GNSS time solution, independently of the specific attack methodology. Results obtained with Chip-Scale Oven Compensated Oscillators (CS-OCXO) are promising and demonstrate the potential of embedded ensembles of reference clocks, detecting attacks causing modifications of the receiver time offset as low as 0.3 mus, with half the detection latency compared to related literature. 

Civilian Global Navigation Satellite Systems (GNSS)vulnerabilities are a threat to a wide gamut of critical systems.GNSS receivers, as part of the encompassing platform, can leverage external information to detect GNSS attacks. Specifically, cross-checking the time produced by the GNSS receiver against multiple trusted time sources can provide robust and assuredPNT. In this work, we explore the combination of secure remote,network-based time providers and local precision oscillators. This multi-layered defense mechanism detects GNSS attacks that induce even small time offsets, including attacks mounted in cold start. Our system does not require any modification to the current structure of the GNSS receiver, it is agnostic to the satellite constellation and the attacker type. This makes time-based data validation of GNSS information compatible with existing receivers and readily deployable.

To safeguard Civilian Global Navigation Satellite Systems (GNSS) external information available to the platform encompassing the GNSS receiver can be used to detect attacks. Cross-checking the GNSS-provided time against alternative multiple trusted time sources can lead to attack detection aiming at controlling the GNSS receiver time. Leveraging external, network-connected secure time providers and onboard clock references, we achieve detection even under fine-grained time attacks. We provide an extensive evaluation of our multi-layered defense against adversaries mounting attacks against the GNSS receiver along with controlling the network link. We implement adversaries spanning from simplistic spoofers to advanced ones synchronized with the GNSS constellation. We demonstrate attack detection is possible in all tested cases (sharp discontinuity, smooth take-over, and coordinated network manipulation) without changes to the structure of the GNSS receiver. Leveraging the diversity of the reference time sources, detection of take-over time push as low as 150 μs is possible. Smooth take-overs forcing variations as low as 30 ns/s are also detected based on on-board precision oscillators. The method (and thus the evaluation) is largely agnostic to the satellite constellation and the attacker type, making time-based data validation of GNSS information compatible with existing receivers and readily deployable.

Global Navigation Satellite System (GNSS) receivers provide ubiquitous and precise position, navigation, and time (PNT) to a wide gamut of civilian and tactical infrastructures and devices. Due to the low GNSS received signal power, even low-power radiofrequency interference (RFI) sources are a serious threat to the GNSS integrity and availability. Nonetheless, RFI source localization is paramount yet hard, especially over large areas. Methods based on multi-rotor unmanned aerial vehicles (UAV) exist but are often limited by hovering time, and require specific antenna and detectors. In comparison, fixed-wing planes allow longer missions but are more complex to operate and deploy. A vertical take-off and landing (VTOL) UAV combines the positive aspects of both platforms: high maneuverability, and long mission time and, jointly with highly integrated control systems, simple operation and deployment. Building upon the flexibility allowed by such a platform, we propose a method that combines advanced flight dynamics with high-performance consumer receivers to detect interference over large areas, with minimal interaction with the operator. The proposed system can detect multiple interference sources and map their area of influence, gaining situational awareness of poor GNSS quality or denied environments. Furthermore, it can estimate the relative heading and position of the interference source within tens of meters. The proposed method is validated with real-life measurements, successfully mapping two interference-affected areas and exposing radio equipment causing involuntary in-band interference.

Global Navigation Satellite Systems (GNSS) are fundamental in ubiquitously providing position and time to a wide gamut of systems. Jamming remains a realistic threat in many deployment settings, civilian and tactical. Specifically, in Unmanned Aerial Vehicles (UAVs) sustained denial raises safety critical concerns. This work presents a strategy that allows detection, localization, and classification both in the frequency and time domain of interference signals harmful to navigation. A high-performance Vertical Take Off and Landing (VTOL) UAV with a single antenna and a commercial GNSS receiver is used to geolocate and characterize RF emitters at long range, to infer the navigation impairment. Raw IQ baseband snapshots from the GNSS receiver make the application of spectral correlation methods possible without extra software-defined radio payload, paving the way to spectrum identification and monitoring in airborne platforms, aiming at RF situational awareness. Live testing at Jammertest, in Norway, with portable, commercially available GNSS multi-band jammers demonstrates the ability to detect, localize, and characterize harmful interference. Our system pinpointed the position with an error of a few meters of the transmitter and the extent of the affected area at long range, without entering the denied zone. Additionally, further spectral content extraction is used to accurately identify the jammer frequency, bandwidth, and modulation scheme based on spectral correlation techniques.

Global Navigation Satellite Systems enable precise localization and timing even for highly mobile devices, but legacy implementations provide only limited support for the new generation of security-enhanced signals. Inertial Measurement Units have proved successful in augmenting the accuracy and robustness of the GNSS-provided navigation solution, but effective navigation based on inertial techniques in denied contexts requires high-end sensors. However, commercially available mobile devices usually embed a much lower-grade inertial system. To counteract an attacker transmitting all the adversarial signals from a single antenna, we exploit carrier phase-based observations coupled with a low-end inertial sensor to identify spoofing and meaconing. By short-time integration with an inertial platform, which tracks the displacement of the GNSS antenna, the high-frequency movement at the receiver is correlated with the variation in the carrier phase. In this way, we identify legitimate transmitters, based on their geometrical diversity with respect to the antenna system movement. We introduce a platform designed to effectively compare different tiers of commercial INS platforms with a GNSS receiver. By characterizing different inertial sensors, we show that simple MEMS INS perform as well as high-end industrial-grade sensors. Sensors traditionally considered unsuited for navigation purposes offer great performance at the short integration times used to evaluate the carrier phase information consistency against the high-frequency movement. Results from laboratory evaluation and through field tests at Jammertest 2024 show that the detector is up to 90% accurate in correctly identifying spoofing (or the lack of it), without any modification to the receiver structure, and with mass-production grade INS typical for mobile phones.

Global Navigation Satellite Systems (GNSS) provide standalone precise navigation for a wide gamut of applications. Nevertheless, applications or systems such as unmanned vehicles (aerial or ground vehicles and surface vessels) generally require a much higher level of accuracy than those provided by standalone receivers. The most effective and economical way of achieving centimeter-level accuracy is to rely on corrections provided by fixed reference station receivers to improve the satellite ranging measurements. Differential GNSS (DGNSS) and Real Time Kinematics (RTK) provide centimeter-level accuracy by distributing online correction streams to connected nearby mobile receivers typically termed rovers. However, due to their static nature, reference stations are prime targets for GNSS attacks, both simplistic jamming and advanced spoofing, with different levels of adversarial control and complexity. Jamming the reference station would deny corrections and thus accuracy to the rovers. Spoofing the reference station would force it to distribute misleading corrections. As a result, all connected rovers using those corrections will be equally influenced by the adversary independently of their actual trajectory. We evaluate a battery of tests generated with an RF simulator to test the robustness of a common DGNSS/RTK processing library and receivers. We test both jamming and synchronized spoofing to demonstrate that adversarial action on the rover using reference spoofing is both effective and convenient from an adversarial perspective. Additionally, we discuss possible strategies based on existing countermeasures (self-validation of the PNT solution and monitoring of own clock drift) that the rover and the reference station can adopt to avoid using or distributing bogus corrections.