11.1 · Beginner

GNSS Vulnerabilities: Why Satellite Signals Are Easy Targets

Introduction

GNSS has become invisible infrastructure - embedded in smartphones, aircraft, container ships, financial settlement systems, and power grids. This ubiquity makes GNSS a high-value target. Unlike most critical infrastructure, GNSS signals arrive from 20,000 km above the Earth at a power level too faint to feel through a building wall. This fundamental physical fragility, combined with unencrypted civil signals, creates vulnerabilities that are not merely theoretical.

Key Concept: The civil GNSS signal arriving at the Earth's surface is approximately -130 dBm - far below the thermal noise floor of most electronics. It is inherently easy to overpower, mimic, or deny, and there is no cryptographic authentication on legacy civil signals.

The Signal Power Problem

GPS satellites transmit on L1 with approximately 50 watts of effective isotropic radiated power (EIRP) from an altitude of about 20,200 km. By the time the signal reaches a receiver on the ground, it has spread across an area of roughly 50 trillion square metres, resulting in a received power of approximately -130 dBm - about 20 dB below the thermal noise floor of a standard receiver front-end. Receivers extract the signal using the correlation properties of the PRN codes, which provide approximately 43 dB of processing gain. The signal is there, but only just.

A jammer operating with just 1 watt of output power at 1 km distance can produce a signal at the GPS receiver antenna approximately 60 dB stronger than the satellite signal. Jamming does not require sophisticated equipment or significant power - a pocket-sized device from an online marketplace is sufficient to deny GNSS to every receiver within hundreds of metres.
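The margins quoted in this section can be reproduced with a short link-budget calculation. The following is an added example, not part of the original lesson; the 2.046 MHz bandwidth, 290 K noise temperature, isotropic antennas, free-space line of sight and the js_limit_db receiver tolerance are assumptions.

```python
import math

C = 299_792_458.0        # speed of light, m/s
L1_HZ = 1575.42e6        # GPS L1 carrier frequency, Hz
RX_SIGNAL_DBM = -130.0   # received civil signal power quoted in the text

def watts_to_dbm(power_w):
    return 10 * math.log10(power_w * 1000)

def fspl_db(distance_m, freq_hz=L1_HZ):
    """Free-space path loss between isotropic antennas (assumed line of sight)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)

def noise_floor_dbm(bandwidth_hz=2.046e6, temp_k=290.0):
    """Thermal noise kTB; bandwidth and temperature are assumed values."""
    boltzmann = 1.380649e-23
    return watts_to_dbm(boltzmann * temp_k * bandwidth_hz)

def processing_gain_db(chip_rate=1.023e6, data_rate=50.0):
    """Despreading gain of the C/A code: chip rate over navigation data rate."""
    return 10 * math.log10(chip_rate / data_rate)

def interference_to_signal_db(tx_w, distance_m):
    """J/S at the receiver antenna for an interferer of tx_w watts EIRP."""
    return watts_to_dbm(tx_w) - fspl_db(distance_m) - RX_SIGNAL_DBM

def standoff_distance_m(tx_w, js_limit_db):
    """Separation at which J/S falls to js_limit_db, an assumed receiver
    tolerance; useful when siting a timing antenna away from roads."""
    excess_db = watts_to_dbm(tx_w) - RX_SIGNAL_DBM - js_limit_db
    return C / (4 * math.pi * L1_HZ) * 10 ** (excess_db / 20)

if __name__ == "__main__":
    print(f"signal below noise floor: {noise_floor_dbm() - RX_SIGNAL_DBM:.1f} dB")
    print(f"processing gain:          {processing_gain_db():.1f} dB")
    print(f"J/S, 1 W at 1 km:         {interference_to_signal_db(1.0, 1000.0):.1f} dB")
```

The three printed figures come out at about 19 dB, 43 dB and 64 dB, in line with the rounded values in the text.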

Unencrypted Civil Signals

Military GNSS signals - GPS P(Y) code, the M-code, Galileo PRS - are encrypted. A spoofer cannot generate a convincing replica without knowing the encryption keys. Civil signals, by contrast, are fully documented public standards. The GPS L1 C/A code structure, the Galileo E1 OS signal, and the BeiDou B1C signal are all described in publicly available interface documents. This openness is deliberate and necessary - it allows any manufacturer to build a compatible receiver. But it also means that any sufficiently motivated actor can generate signals that are indistinguishable from the real thing to a standard receiver.

Dependence Creates Risk

GNSS vulnerabilities extend beyond navigation. Many critical systems depend on GNSS for precise time synchronisation rather than position:

  • Telecommunications: 4G/5G base station synchronisation uses GPS timing to maintain network coherence. Loss of GPS timing degrades call handover and can cause network congestion.
  • Financial markets: Stock exchange timestamp systems use GPS to create legally admissible trade records. The EU MiFID II regulation requires timestamp accuracy to 100 microseconds.
  • Power grids: Phasor Measurement Units (PMUs) use GPS time to synchronise measurements across wide-area power grids, enabling real-time stability monitoring.
  • Broadcasting: Some digital broadcast standards use GPS for network synchronisation.

Note: A GPS timing attack does not need to affect position at all. A spoofed or jammed GPS clock can disrupt financial systems, power grids, and telecommunications networks without any vehicle ever going to the wrong location.

Signal Environment Challenges

Natural phenomena also create a challenging environment for GNSS receivers:

  • Ionospheric scintillation: Rapid fluctuations in ionospheric electron density, most severe near the geomagnetic equator and poles, can cause signal fading and loss of lock.
  • Solar radio bursts: During major solar events, the Sun can radiate broadband RF noise that competes directly with GNSS signals, causing temporary outages across wide areas.
  • Multipath: Reflections from buildings, terrain, and vehicles cause interference that degrades accuracy without completely denying service.

The Three Threat Categories

GNSS threats are commonly categorised into three types, each requiring different countermeasures:

  • Jamming: Overpowering the GNSS signal with noise or interference, causing the receiver to lose lock entirely. The receiver knows it has lost service.
  • Spoofing: Transmitting counterfeit GNSS signals that the receiver tracks instead of the real ones, resulting in a false but plausible position or time output. The receiver does not know it has been compromised.
  • Meaconing: Intercepting and re-broadcasting real GNSS signals with a time delay, causing a position error proportional to the delay. A historical technique, largely superseded by spoofing.

Summary

GNSS vulnerability stems from physics: weak signals, unencrypted civil codes, and pervasive societal dependence on both the positioning and timing functions of the system. Understanding these vulnerabilities is the first step toward building resilient systems. The following lessons examine jamming and spoofing in detail, before covering the detection and mitigation techniques that protect GNSS-dependent systems from attack.