Numerous works have investigated the vulnerability of Global Navigation Satellite Systems (GNSS) against attacks. Upcoming systems make provisions for cryptographic civilian signal protection. However, this alone does not fully protect GNSS-based localization. In this paper, we show that attacks at the physical layer, without modification of navigation messages, can be severely effective. We analyze the influence of the, so called distance decreasing attacks, and we investigate their feasibility and we find that they can be practical and effective. Finally, we consider signal quality monitoring, but it can not readily serve as a countermeasure.

Because of the limited satellite visibility, reduced signal reception reliability and constraining spatial geometry, e.g., in urban areas, the development of multi-constellation global navigation satellite systems (GNSS) has gained traction rapidly. GNSS-based applications are expected to handle observations from different navigation systems, e.g., GPS, GLONASS, Bei-Dou and Galileo, in order to improve positioning accuracy and reliability. Furthermore, multi-constellation receivers present an opportunity to better counter spoofing and replaying attacks, leveraging approaches take advantage of the redundant measurements. In particular, cluster-based solution separation algorithm (CSSA) proposes to detect and identify faulty/malicious signals in a single GPS constellation by checking the consistency of receiver positions calculated with different number of satellites. Intuitively, the algorithm targets directly the consequence of spoofing/replaying attacks: the victim receiver position error estimation. It works independently of how the attacks are launched, either through modifying pseudorange measurements or manipulating the navigation messages, without changing the receiver hardware. Multi-constellation GNSS receivers utilize all observations from different navigation systems, there are more than 30 available satellites at each epoch after Galileo and BeiDou systems become fully operational; in other words using abundant redundancy. Therefore, we introduce such a CSSA to a multi-constellation receiver. The work shows that a multi-constellation GNSS receiver equipped with our algorithm works effectively against a strong spoofing/replaying attacker that can manipulate a large number of signals, or even an entire constellation. The results show that CSSA with multi-constellation significantly improves the performance of detecting and identifying the malicious signals; particularly, when the adversary cannot control all the constellations, a multi-constellation receiver can identify the faults even the adversary induces very small errors to pseudorange measurements, comparing with a single constellation receiver. Moreover, when the attacker is powerful to manipulate most of signals of all the constellations, a multi-constellation receiver with CSSA can still detect and identify the faulty signals with high probability when the attacker tries to mislead the victim more than a couple of hundred meters from its true location.

The security of global navigation satellite systems draws attention increasingly, and authentication mechanisms for civilian services seem very effective in thwarting malicious behavior. For example, the Galileo E1 Open Service introduces navigation message authentication. Authentication, as well as encryption at navigation message or spreading code level, can prevent spoofing attacks, but do not preclude replay attacks. In this work, we consider a type of strong replay attacks, distance-decreasing attacks, against cryptographically protected GNSS signals. Distance-decreasing attack enhance an attacker’s capability of allowing it to mislead the victim receiver that the GNSS signals arrive earlier than true signals. We analyze the instantiation and the effects of the distance-decreasing attacks on unprotected GNSS signals, on navigation message authenticated signals, and on spreading-code encrypted signals. We discuss different strategies that the attacker can adopt to introduce the least bit errors to the re-transmitted signals and avoid being detected at the victim receiver. We provide evaluation results of distance-decreasing attacks on unprotected signals and authenticated navigation message signals, based on different strategies and configurations, and we sketch countermeasures to the different strategies.

Increased use of global satellite navigation systems (GNSS), for applications such as autonomous vehicles, intelligent transportationsystems and drones, heightens security concerns. Civil GNSS signals are vulnerable to notably spoofing and replayattacks. To counter such attacks, cryptographic methods are developed: Navigation Message Authentication (NMA) is onesuch scheme, about to be deployed for Galileo E1 Open Service (OS); it allows receivers to verify the signal origin andprotects navigation message integrity. However, NMA signals cannot fully thwart replay attacks, which do not require forgingnavigation messages. Classic replay attacks, e.g, meaconing, retransmit previously recorded signals without any modification,thus highly limiting the capacity of the adversary. Distance-decreasing (DD) attacks are a strong type of replay attack,allowing fine-grained individual pseudorange manipulation in real time. Moreover, DD attacks counterbalance processing andtransmission delays induced by adversary, by virtue of shifting earlier in time the perceived (relayed) signal arrival; thusshortening the pseudorange measurements. In this paper, we first analyze how DD attacks can harm the Galileo E1 OSNMAservice assuming the adversary has no prior information on the navigation message. Moreover,we propose a DD attackdetection method based on a Goodness of Fit test on the prompt correlator outputs of the victim. The results show that themethod can detect the DD attacks even when the receiver has locked to the DD signals.

Global navigation satellite systems (GNSS) provide pervasive accurate positioning and timing services for a large gamut of applications, from Time based One-Time Passwords (TOPT), to power grid and cellular systems. However, there can be security concerns for the applications due to the vulnerability of GNSS. It is important to observe that GNSS receivers are components of platforms, in principle having rich connectivity to different network infrastructures. Of particular interest is the access to a variety of timing sources, as those can be used to validate GNSS-provided location and time. Therefore, we consider off-the-shelf platforms and how to detect if the GNSS receiver is attacked or not, by cross-checking the GNSS time and time from other available sources. First, we survey different technologies to analyze their availability, accuracy and trustworthiness for time synchronization. Then, we propose a validation approach for absolute and relative time. Moreover, we design a framework and experimental setup for the evaluation of the results. Attacks can be detected based on WiFi supplied time when the adversary shifts the GNSS provided time, more than 23.942 μs; with Network Time Protocol (NTP) supplied time when the adversary-induced shift is more than 2.046 ms. Consequently, the proposal significantly limits the capability of an adversary to manipulate the victim GNSS receiver.

As the security of global navigation satellite systems(GNSS) for civilian usage is becoming increasingly important,navigation message authentication is to significantly improveresilience to spoofing attacks. However, not all attacks can beeffectively countered: a strong variant of replay/relay attacks,distance-decreasing (DD) attacks, can shorten pseudorange mea-surements, without manipulating the cryptographically protectednavigation message, thus manipulating the positiion, velocity, andtime solution undetected. First, we discuss how DD attacks cantamper with GNSS signals, demonstrating the attack effectivenesson a recorded Galileo signal. DD attacks might introduce biterrors to the forged signals, but the adversary can keep this errorrate very low with proper attack parameter settings. Then, basedon our mathematical model of the prompt correlator outputof the tracking phase at the victim receiver, we find that thecorrelator output distribution changes in presence of DD attacks.This leads us to apply hypothesis testing to detect the DD attacks,notably a Goodness of Fit (GoF) test and a generalized likelihoodratio test (GLRT), depending on the victim’s knowledge on theDD attacks. Monte Carlo simulations are used to evaluate thedetection probability and the receiver operating characteristic(ROC) curves for two tests, for different adversary configurationand noise settings. Then, we evaluate the effectiveness of the twotests with a synthesized DD signal. The results show that bothtests can detect DD attacks with similar performance in highsignal-to-noise ratio (SNR) environments. The GLRT detectionprobability is approximately20%higher than that of the GoFtest in low SNR environments

Numerous applications and devices use Global Navigation Satellite System (GNSS)-provided position, velocity and time (PVT)information. However, unintentional interference and intentional attacks render GNSS-provided information unreliable. ReceiverAutonomous Integrity Monitoring (RAIM) is considered an effective and lightweight protection method when a subset of the availablesatellite measurements is affected. However, the conventional RAIM Fault Detection and Exclusion (FDE), exhaustive iterative searchto exclude faulty signals, can be expensive when there are many potential faults, especially so for multi-constellation GNSS receiversoperating in the presence of several faulty signals. Therefore, we propose a fast multiple fault detection and exclusion (FM-FDE)algorithm, to detect and exclude multiple faults for both single and multi-constellation receivers. The novelty is FM-FDE caneffectively exclude faults withouta lengthy iterative search on candidate fault signals. FM-FDE calculates position distances of anysubset pairs with (3+P) measurements, where P is the number of constellations. Then, the algorithm utilizes statistical testing toexamine the distances, identifies faulty measurements and further excludes them from the computation of the final PVT solution. Weevaluate FM-FDE with synthesized faulty measurements added to a collected data set; the results show that FM-FDE is faster thanconventional Solution Separation (SS) FDE when the number of faults is larger than 3 in a single constellation receiver. Moreover,FM-FDE is much faster when the number of faults is larger than 2 in a GPS-Galileo receiver, when both constellation contains faultymeasurements. The trade-off is that FM-FDE slightly degrades performance in terms of misdetection and false alarm probabilities,compared to the conventional SS FDE.