GNSS is a fundamental part of aerospace and defense applications ranging from commercial aircraft to miliary drones. That role makes it an ideal attack vector for hackers, defense organziations, terrorists, and others.
One example is GPS jamming, which has been used for a variety of civilian and military attacks including preventing trans-Atlantic flights from ascending to the right altitude. Another type of attack is GPS spoofing, which can be even more problematic, as Aviation Week explained: “GPS jamming means that one’s aircraft is unable to receive standard GPS signals and the aircraft’s navigation system must rely on other inputs to determine its position. Aircraft equipped with advanced Inertia Reference Systems are able to continue operating sufficiently when GPS signals are jammed, but GPS spoofing is a new threat which found a hidden back-door through the navigation software to completely disable the entire navigation system.”
Read on to learn about the techniques behind jamming and spoofing and how to mitigate those attacks using antennas, authentication, artificial intelligence, and more.
How Spoofing and Jamming Work
Jamming attacks involve overpowering the GNSS receiver with strong RF signals in the same or adjacent frequency bands to the legitimate satellite signal. These tend to be easier to mount, requiring relatively unsophisticated and low-cost equipment, and are consequently easier to detect and mitigate.
Spoofing, on the other hand, can be more sophisticated and difficult to detect. In a spoofing attack, false GNSS signals are generated that deceive the GNSS receiver, making it believe that it is in a different location or at a different point in time. By relying on these false signals, the receiver provides incorrect timing and positioning data, with potentially severe consequences.
There are two ways to spoof:
- In a generative attack, the spoofer generates deceptive signals independently of the GNSS system, using known signal pseudo-code and navigation message parameters.
- A forwarding attack essentially re-transmits a genuine satellite signal, adding a time delay and amplifying the signal strength to overpower the targeted GNSS receiver. While more complex and expensive to implement, generative spoofing can be particularly effective against commercial GNSS receivers, where anti-spoofing measures may be less sophisticated than in military grade systems. Forwarding attacks can be easier to detect by recognizing the stronger signal strength and delay, but sophisticated, multi-antenna systems can be used to apply different delays to different satellite signals, increasing the level of concealment.
Spoofing attacks historically required sophisticated and expensive equipment and were mainly limited to military and government operations. Low-cost spoofing technology, including Software-Defined Radios (SDR), is becoming more available, however, and attacks are increasingly launched by malicious actors, including criminals and hackers, as well as curious researchers and private organizations seeking a competitive advantage.
Traditionally common in active war zones, spoofing attacks against commercial aviation and shipping are on the rise. SkAI Data Services, which maintains a live GPS Spoofing and Jamming Tracker Map, estimates that the number of affected flights per day increased from a few dozen to over 1,100 in the six months leading up to August 2024.
Anti-Spoofing Technologies
GNSS anti-spoofing technologies focus on detecting and mitigating against spoofed signals, using various methods including signal anomaly detection, cryptographic authentication, and redundancy with other navigation systems.
Detection involves identifying certain common indicators of spoofing, including:
- Value Jumps: When a GNSS receiver is tricked by false GNSS signals, certain signal parameters will change rapidly as the receiver locks onto the new false values. Such rapid value changes would not occur with legitimate GNSS signals, so they are almost always an indication of a spoofing attack.
- Time Stamp Anomalies occur when the GNSS receiver switches from tracking a legitimate signal to a fake one during a forwarding attack.
- Doppler Shifts describe the changes in the radio wavelengths observed when a receiver is moving relative to the source or satellite. The Doppler shift will be the same for all legitimate GNSS satellite signals because they all come from the same direction. Thus any Doppler shift anomalies can indicate a spoofing attack.
Mitigation of spoofing attacks can be either at the signal layer or the information layer. Receiver autonomous integrity monitoring (RAIM) is a common signal layer technique that acts as a built-in “integrity watchdog” for GNSS receivers. RAIM uses redundant pseudorange3 measurements from multiple satellites to detect and exclude false signals. When more satellites are available than required for a position fix, the extra pseudoranges should all be consistent with the computed position. Any pseudorange differing significantly from the expected value is considered an outlier, potentially indicating a satellite fault signal integrity problem. Traditional RAIM uses fault detection (FD) only, however, newer GPS receivers incorporate fault detection and exclusion (FDE), which enables them to continue to operate in the presence of a GPS failure.
Signal level encryption, such as GPS P(Y) code (USA) and Galileo Public Regulated Service (PRS) (Europe), is employed in military systems and for qualifying sensitive applications. Encryption is not typically authorized for commercial applications. However, various authentication mechanisms, such as Galileo’s Open Service Navigation Message Authentication (OSNMA), are being introduced. OSNMA is a freely available, GNSS-embedded feature, operating at the information level and providing end-to-end authentication of navigation messages transmitted by Galileo satellites. This feature provides OSNMA-capable receivers with assurance of the integrity of the received Galileo navigation message.
Other common spoofing mitigation techniques include the use of multi-frequency receivers, multi-constellation receivers, and improved antenna systems. Receivers that can receive and process signals on multiple frequencies from different satellite constellations are more resistant to attacks, while many advanced antenna designs are available that counteract the effects of jamming and spoofing. Many solutions also integrate alternative sources of PNT data, such as Wi-Fi-/cellular-based positioning, assisted GPS, and industry-specific, ground-based reference sources, including Real Time Kinematic (RTK).
How Antennas Can Mitigate Jamming
The most challenging type of jamming uses in-band signals. One of the few mitigation technologies is Controlled Reception Pattern Antenna (CRPA) systems, which use multiple antenna elements to null out the interfering signals so the receiver can focus on the legitimate GNSS signals. The effectiveness of this spatial filtering depends partly on having enough antenna elements to counter each jamming signal. For instance, a CPRA system may have four, eight, or 16 antenna elements based on the anticipated scale of the attack.
Every GNSS constellation has multiple signals, each operating at a different frequency. These can provide alternatives when the primary GNSS signals are jammed. A multi-constellation defense requires either a multiband GNSS receiver or an external GNSS receiver that supports the fallback. When coupled with a CPRA, this enables the system to support all frequency bands simultaneously and perform independent beam nulling in each of those bands. (For a deeper dive, see “Get Out of a Jam: How GNSS Antennas Help Thwart Jamming Attacks.”)
Ongoing Challenges and Developments
Many advanced anti-spoofing solutions are expensive and do not scale easily for widespread use in consumer and low-budget applications. Also, the rapidly evolving nature of jamming and spoofing attacks can make existing solutions obsolete, and the industry continues to develop new methods of detecting and mitigating against threats.
One such example is the Galileo Smart Traceability Anti-spoofing (GSTA) project, which focuses on enhancing the security of Galileo’s GNSS system against spoofing attacks. Completed in late 2024, the GSTA solution integrates multiple technologies, including GNSS, ADS-B, and network-based timing synchronization to detect and mitigate threats in real-time. GSTA also features an enhanced signal processing algorithm that provides high resilience against sophisticated spoofing techniques. GSTA’s capabilities and readiness for continued development and deployment in real-world scenarios have been extensively validated through a series of field tests.
Researchers are also investigating the incorporation of AI and machine learning (ML) algorithms into detection systems. Advanced ML algorithms and neural network architectures potentially offer a robust defense mechanism against the continually evolving GNSS threat landscape. As AI and ML technologies continue to evolve, their integration into GNSS security solutions will be key.
