An Assessment of GNSS Receiver Behaviour in Laboratory Conditions When Subject to GPS Meaconing or Spoofing Scenarios

Abstract

During 2019 and 2020 there was a significant increase in the number of real- world disruptive events affecting GNSS receivers and systems. Whilst a great many of the disruptive events involved RF interference, several occurrences of spoofing or meaconing have been observed such as in the Black Sea, and during 2020 in the region of Shanghai. It was observed that GNSS equipment and systems that were not obviously intended targets of the spoofing were also affected and output false location data which was seen via print outs and displays of AIS information. Also, in 2020 a group of researchers working for an organisation active in developing Resilient GNSS products, demonstrated the impact of a spoofing impact on a highly automated motor vehicle’s GNSS equipment This paper investigates how susceptible commercial GNSS receiver are to crude GNSS spoofing events of the kind that have been reported in the real world by conducting simulated spoofing attacks on a number of receivers under laboratory conditions and monitoring a number of performance parameters throughout the testing. A review of some of the recent real-world spoofing events and demonstrations is presented, highlighting the impacts where receivers were known to have been affected by the spoofing. From the observed impacts the likely behaviour of the receiver is assessed. A discussion of the likely effects of replica GNSS signals on receivers is included – it is often possible for GNSS receivers to behave in a confusing manner or even to cease working altogether in the presence of counterfeit constellation signals, even though the receiver is not fully spoofed by the signals. The authors carried out some laboratory tests to further understanding of how commercially available receivers respond to meaconing and spoofing, with the objective of developing useful test methodologies and metrics that can be used to assess the robustness and resilience of receivers to real-world spoofing threats. The tests were undertaken in two major parts – in the first part of the testing, three commercially available receivers (A, B and C) were presented with a very simple meaconing/replay example with a scenario very similar to the event that occurred at Hanover Airport, Germany during 2010. In the second part of the tests, the three receivers were subject to GPS spoofing at ranges of 10m, 50m and 100m. During the spoofing attacks, the power of the replica (counterfeit) GPS signals was gradually raised and then lowered. During the simulated GPS spoofing scenarios, the Horizontal Position Error (HPE) and Root Mean Square (RMS) of the residuals were closely monitored for each of the receivers The results from each of the GNSS Receivers (A, B and C) are discussed and the differences in behaviour – at different spoofer ranges and the variability of behaviour based on receiver model – are discussed as are the implications for impact in the real world of similar events. The terms “resilience” and “robustness” are discussed in detail and the authors argue that the definitions that are widely used in the field of protection of Critical Infrastructure can be applied to GNSS spoofing where a system’s robustness to spoofing attacks is not necessarily equivalent to the resilience of the system. Furthermore, defining these terms separately can lead to some advantages in defining meaningful test metrics. Some examples are shown to illustrate this. The authors then go on to present a generalised approach to defining meaningful, comparable test metrics that can be used to evaluate the performance of GNSS devices to spoofing – A sample set of measurement results obtained with a Spirent benchmarking scheme is presented. The need for responsible and full disclosure of commercial incidents is also highlighted– there is a clear need to understand and mitigate known vulnerabilities in a timely manner in the commercial sector to prevent so called “zero-day exploits”. Finally, the authors discuss how their proposed spoofing test frameworks could be expanded and used to drive significant improvements in the assessment of safety or liability critical systems performance.