Back to Tutorials

Topic 11

GNSS Security and Interference

11.1 GNSS Vulnerabilities: Why Satellite Signals Are Easy Targets 11.2 GNSS Jamming: How Interference Blinds Receivers 11.3 GNSS Spoofing: Manipulating Position with Fake Signals 11.4 Detection and Mitigation: Protecting GNSS Systems from Attack
All Topics
11.3 · Intermediate

GNSS Spoofing: Manipulating Position with Fake Signals

Introduction

Where jamming blinds a GNSS receiver, spoofing deceives it. A spoofer generates counterfeit satellite signals that the receiver tracks in preference to the real ones, resulting in a false but internally consistent position or time output. The receiver continues to operate normally - displaying a valid fix, logging positions, and steering navigation systems - all based on fabricated data. This makes spoofing potentially far more dangerous than jamming in safety-critical applications.

Key Concept: Spoofing generates fake GNSS signals that overpower the authentic ones. Because the receiver sees signals that appear genuine - correct PRN codes, consistent Doppler, plausible navigation messages - it accepts them without alarm. The result is a false position or time that the system trusts completely.

How Spoofing Works

A GPS spoofer must generate signals that pass the receiver acquisition and tracking criteria. This requires:

  1. Signal generation: Software Defined Radio (SDR) hardware capable of generating GPS L1 C/A signals (or other civil signals) at the correct carrier frequency, with correct PRN code structure and timing.
  2. Power management: Spoof signals must arrive at the receiver antenna at a power level slightly above the authentic satellite signals - enough to capture the tracking loops without triggering obvious anomalies.
  3. Coherent takeover: Sophisticated spoofers gradually shift the tracking loops onto the spoofed signals by initially matching the authentic signal closely and then slowly dragging the apparent position to the desired false location. An abrupt takeover causes a position jump that may trigger integrity alerts.
  4. Constellation simulation: A convincing spoofer must simultaneously generate signals for all satellites in view, with correct Doppler shifts and relative timing, to produce a complete and geometrically consistent false position.

The Black Sea Incident (2017)

One of the most widely documented spoofing events occurred in the Black Sea in June 2017. Multiple vessels near the Russian port of Novorossiysk simultaneously reported their GPS positions as being at Gelendzhik Airport - approximately 25 nautical miles inland. Affected ships included at least 20 vessels, all showing consistent false positions at the same inland location. The incident was reported to the US Maritime Administration and is widely attributed to testing of a GPS spoofing capability, possibly associated with protection of a VIP facility in the area.

Iranian Drone Capture (2011)

In December 2011, Iran displayed what it claimed was an intact, largely undamaged Lockheed Martin RQ-170 Sentinel reconnaissance drone that had been operating in Iranian airspace. Iranian engineers subsequently claimed the drone had been captured by spoofing its GPS signal - feeding it false coordinates that caused the drone autopilot to believe it was approaching its home base in Afghanistan, causing it to land at an Iranian location instead. While the details remain disputed, the incident generated significant interest in GPS-spoofing attacks against autonomous systems.

Financial System Timing Attacks

Beyond navigation, spoofing attacks on GNSS timing signals represent a significant threat to financial infrastructure. A spoofed GPS clock can cause a trading venue timestamp system to report incorrect times, potentially creating false evidence of trade sequencing. More severely, a coordinated timing attack across multiple systems could disrupt the synchronisation of clearing and settlement systems. This threat is taken seriously by financial regulators and central banks, several of which have commissioned vulnerability assessments of their GNSS timing dependencies.

Why Detection Is Difficult

A naive single-antenna receiver has almost no ability to detect spoofing from signal characteristics alone. The spoofed signals are real GPS signals in every measurable sense - correct frequency, correct PRN code, correct navigation message format. Detection requires looking for inconsistencies that spoofing introduces:

  • Signal strength anomalies: All satellites suddenly having similar, unusually high C/N0 values suggests a single-point source rather than a distributed constellation.
  • Position jump or impossible trajectory: The receiver position jumps to an implausible location, or velocity estimates become physically unreasonable.
  • Cross-check failure: The GNSS position disagrees with an independent sensor (IMU, odometer, barometer) by more than expected.
  • Astronomical consistency: For high-integrity applications, satellite positions can be cross-checked against an independent star tracker or inertial reference to detect constellation geometry manipulation.
Note: Commercially available, low-cost SDR hardware costing under $300 is sufficient to generate basic GPS L1 spoofing signals. The barrier to spoofing is lower than most practitioners assume, and the threat extends well beyond nation-state actors to commercial criminals and industrial saboteurs.

Summary

GNSS spoofing is a sophisticated attack that produces false, trusted position or timing outputs without triggering the denial-of-service indicators that make jamming detectable. Real-world incidents - from maritime positioning fraud to potential drone captures - demonstrate that spoofing is no longer a theoretical threat. The following lesson covers the detection and mitigation techniques available to defend against both jamming and spoofing.

← Previous
11.2: GNSS Jamming: How Interference Blinds Receivers
Next →
11.4: Detection and Mitigation: Protecting GNSS Systems from Attack