Receiver Spoofing Robustness Tests

 

We test your GNSS receiver against  position and/or time manipulation spoofing.

We have all the equipment to perform different types of GNSS spoofing attacks such as Record and Replay attack, Meaconing, time-synchronized attacks with a sophisticated spoofing device and clock-drift-attacks with a signal generator.

 

 

Portfolio:

  • Performing different types of spoofing attacks in over the cable or over the air attacks
  • Time-synchronized, Record Replay and clock drift attacks with GPS L1 C/A and/or Galileo E1BC. Meaconing with all GNSS signals
  • We have a testbed where we can transmit spoofing signals over ca. 100 meters through multipath-rich environment.
  • We can simulate a moving user by using a rotating antenna
  • We can perform sophisticated software simulated attacks (only simulation no transmitting) with any kind of spoofer setup in terms of C/N0, power, start delay, velocity, acceleration for any GNSS signal
  • We analyze the spoofing experiment and create a detailed report
  • When required, receiver tracking parameters like C/N0 or Code-Minus-Carrier are additionally analyzed

 

For whom is the service:

  • If you have implemented a spoofing mitigation concept in your GNSS receiver and you want to avoid buying all the equipment to perform spoofing attacks or the time effort to implement the spoofing attacks is too high, we can perform the test for you.
  • The equipment for sophisticated attacks costs at minimum more than 20000 Euro, but also simpler attacks generally require costs of thousands of Euro. Our spoofing experts have the knowledge to perform, interpret and analyze different type of spoofing attacks for you.
  • If you want to know if a certain receiver/smartphone is robust against a specific type of spoofing attack under specific conditions, e.g. is the newest dual-frequency smartphone with A-GNSS provide any robustness against any spoofing attack?
  • If you want to know if a certain receiver/smartphone is robust against a specific type of spoofing attack under specific conditions, e.g. is the newest dual-frequency smartphone with A-GNSS provide any robustness against any spoofing attack?

 

hp1.PNG

Testbed for performing over the air attacks in multipath rich environment (trees,roofs)

 

loki.PNG
Spoofing device for sophisticated time-synchronized attacks

 

An example of a spoofing trajectory from Taufkirchen to Unterhaching is provided in the figure below. A commercial receiver was spoofed over the air and the position could be shifted kilometers away from the true static position:

loki2.png

 

The x, y and z deviation can be seen in the following plots on the left, the velocity components on the right. At around 250 s the spoofing was started and at around 400 s the position was shifted away with a constant acceleration. At 650 s the acceleration was changed in a linear shifting process for studying details in the tracking loop in the receiver.

 

loki3.PNG

 

Some of our publications:

[1] Blum,R., Dötterböck,D. and Pany,T. (2019) "Investigation of the Vulnerability of Mobile Networks Against Spoofing Attacks on their GNSS Timing-receiver and Developing a Meaconing Protection," Proceedings of the International Technical Meeting of the Institute of Navigation, pp. 345-362, 2019.

[2] Blum, R., Dütsch, N., Stöber, C., and Pany, T. (2020). New and existing signal quality monitoring metrics tested against simulations and time synchronized signal generator attacks. Proceedings of the 33th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS), pp. 2608-2618.

[3] Blum, R., Dütsch, N., Dampf, J. and Pany,T.(2021). Time synchronized signal generator GNSS spoofing attacks against COTS receivers in over the air tests. Proceedings of the 2021 International Technical Meeting of the Institute of Navigation, January 2021.

[4] Blum, R. and Pany,T., Spoofing Defense Concept based on the Combination of SQM and Tracking Parameters, Tested Against 100 Simulated Spoofer Settings for GPS L1 C/A, In Proceedings of the 2022 International Technical Meeting of the Institute of Navigation, January 2022.

[5] Blum, R., Sharma, H. and Pany, T., Smartphone Behaviour Under Sophisticated Time Synchronized and Record and Replay Spoofing Attacks and the Role of GNSS Raw Measurements, In Proceedings of the 2022 International Technical Meeting of the Institute of Navigation, January 2022.

[6]  Maier, D.; Kraus, T.; Sanchez, D.; Blum, R.; Pany, T.  Real-Time Real-World Testbed for new GNSS Signals – an Update on the Feasibility Study of Using UAVs as GNSS Satellites , Sept. 2018, Inside GNSS

[7] Maier, Daniel S., Kraus, Thomas, Sánchez, Daniela E., Blum, Ronny, Pany, Thomas, "Real-Time Real-World Testbed for New GNSS Signals – an Update on the Feasibility Study of Using UAVs as GNSS Satellites," Proceedings of the 31st International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2018), Miami, Florida, September 2018, pp. 3530-3543.

 

For further details and informations contact Ronny.Blum@unibw.de