Back to Tutorials

Topic 11

GNSS Security and Interference

11.1 GNSS Vulnerabilities: Why Satellite Signals Are Easy Targets 11.2 GNSS Jamming: How Interference Blinds Receivers 11.3 GNSS Spoofing: Manipulating Position with Fake Signals 11.4 Detection and Mitigation: Protecting GNSS Systems from Attack
All Topics
11.4 · Advanced

Detection and Mitigation: Protecting GNSS Systems from Attack

Introduction

GNSS jamming and spoofing cannot be fully prevented - the fundamental physics of weak satellite signals and open civil codes create vulnerabilities that no receiver design can completely eliminate. The engineering challenge is therefore one of detection and mitigation: identifying when GNSS output is corrupted and limiting the operational consequences. A multi-layer defence combining receiver-level monitoring, signal authentication, antenna techniques, and sensor fusion provides robust protection for critical applications.

Key Concept: No single countermeasure defeats all GNSS threats. Robust protection requires layered defences: monitor the signal quality, authenticate the signal source, cross-check with independent sensors, and design systems that fail safely when GNSS is unavailable or untrusted.

Automatic Gain Control Monitoring

The Automatic Gain Control (AGC) in a GNSS receiver analogue front-end adjusts the amplifier gain to maintain a consistent signal level at the analogue-to-digital converter input. Under normal conditions, the GNSS signal is buried in thermal noise and the AGC holds the combined noise-plus-signal level approximately constant. When a jammer activates, the broadband noise power increases dramatically and the AGC reduces gain to compensate. Monitoring the AGC level (or the ADC clipping rate) provides a sensitive indicator of RF interference that responds within milliseconds of jamming onset.

AGC-based jamming detection is now standard in professional survey receivers and aviation GNSS units. The receiver logs AGC events, alerts the operator, and may flag positions computed during suspected jamming periods as unreliable.

Multi-Antenna and Direction-Finding Techniques

A single antenna cannot determine the direction of a received signal. Multiple antennas arranged in a known geometry can. A controlled reception pattern antenna (CRPA) array uses phase differences between antenna elements to form nulls in the antenna gain pattern - electronically steering a region of reduced sensitivity toward the interference source while maintaining sensitivity toward the sky.

For spoofing detection specifically, a multi-antenna array can compare the angle-of-arrival of received signals. Authentic GPS satellites are spread across the sky at various azimuths and elevations. A spoofing transmitter, regardless of how many fake satellite signals it generates, originates from a single physical location. A multi-antenna system can detect this direction-of-arrival anomaly and flag the signals as suspect.

Inertial Navigation Cross-Check

An Inertial Measurement Unit (IMU) provides position, velocity, and attitude estimates that are completely independent of radio signals. During normal operation, GNSS and IMU solutions are blended in a Kalman filter, and the residuals - the differences between GNSS measurements and IMU predictions - are monitored for consistency.

When spoofing occurs, the GNSS position is dragged toward the false location while the IMU continues dead-reckoning from the true position. The growing discrepancy between GNSS and IMU appears as large innovation residuals in the Kalman filter, triggering a spoofing flag. The tighter the IMU quality and the more recent the last verified GNSS fix, the sooner and more reliably the discrepancy is detected.

Clock and Timing Consistency

GNSS receivers maintain an estimate of GPS system time. A sophisticated spoofer must manipulate not just position but also the apparent time to avoid detection - and this is technically difficult. Monitoring the receiver internal clock against an independent oscillator, or checking GPS time against a secondary timing source (e.g., a PTP network clock), provides an additional layer of spoofing detection particularly relevant for timing applications.

OSNMA - Galileo Open Service Navigation Message Authentication

Galileo Open Service Navigation Message Authentication (OSNMA) is a cryptographic solution to the spoofing problem. OSNMA embeds digital signatures in the Galileo E1 navigation message, allowing a receiver to verify that the navigation data - and by extension the signals carrying it - originated from a genuine Galileo satellite rather than a ground-based spoofer.

OSNMA uses a TESLA (Timed Efficient Stream Loss-tolerant Authentication) protocol: a hash chain structure where authentication keys are released after a delay, allowing receivers to retrospectively verify earlier messages. The scheme is designed so that a spoofer cannot forge authenticated messages without access to the Galileo master keys, which are held in a secure facility.

Note: OSNMA authenticates the Galileo signals, but cannot authenticate GPS, GLONASS, or BeiDou signals. A receiver that also tracks GPS must still rely on non-cryptographic methods to verify GPS signal authenticity. Full multi-constellation authentication will require similar schemes to be deployed on other systems.

Receiver Autonomous Integrity Monitoring for Spoofing

Traditional RAIM detects measurement failures from satellite faults. Extended RAIM concepts for spoofing look for anomalies specific to the spoofing scenario:

  • C/N0 consistency: All satellites showing similar, elevated signal levels suggesting a nearby transmitter rather than a distributed constellation.
  • Pseudorange rate consistency: Spoofed signals that drag a receiver position must show pseudorange rates inconsistent with the satellite geometry.
  • Position domain monitoring: Comparing position solution subsets using different satellite combinations - a spoofer must simultaneously fool all subsets consistently, which is technically demanding.

Operational Countermeasures

Beyond receiver-level techniques, system designers can implement operational countermeasures:

  • Redundant timing sources: Critical infrastructure should maintain atomic clocks or eLoran as backup timing references independent of GNSS.
  • Position plausibility checks: Navigation systems can reject positions that imply physically impossible trajectories - exceeding the vehicle maximum speed, teleporting across a continent, or appearing in the wrong hemisphere.
  • Geographic fencing: Applications that know their operational area can flag positions that fall outside a predefined geographic boundary.

Summary

Defending GNSS-dependent systems against jamming and spoofing requires a layered approach that no single technique can provide on its own. AGC monitoring detects jamming. OSNMA authenticates Galileo signals cryptographically. Multi-antenna arrays detect spoofing by direction of arrival. IMU cross-checking catches spoofing by trajectory inconsistency. Together, these techniques create a defence-in-depth posture that makes successful attacks significantly harder to execute without detection.

← Previous
11.3: GNSS Spoofing: Manipulating Position with Fake Signals
Next →
12.1: GNSS Signal Structure and Modulation: Inside the Broadcast