On the Requirements for Successful GPS Spoofing Attacks

Nils Ole Tippenhauer, Dept. of Computer Science, ETH Zurich, Switzerland, tinils@inf.ethz.ch
Christina Pöpper, Dept. of Computer Science, ETH Zurich, Switzerland, poepperc@inf.ethz.ch
Kasper B. Rasmussen, Computer Science Dept., UCI, Irvine, CA, kbrasmus@ics.uci.edu
Srdjan Capkun, Dept. of Computer Science, ETH Zurich, Switzerland, capkuns@inf.ethz.ch

ABSTRACT
An increasing number of wireless applications rely on GPS signals for localization, navigation, and time synchronization. However, civilian GPS signals are known to be susceptible to spoofing attacks which make GPS receivers in range believe that they reside at locations different than their real physical locations. In this paper, we investigate the requirements for successful GPS spoofing attacks on individuals and groups of victims with civilian or military GPS receivers. In particular, we are interested in identifying from which locations and with which precision the attacker needs to generate its signals in order to successfully spoof the receivers.

We will show, for example, that any number of receivers can easily be spoofed to one arbitrary location; however, the attacker is restricted to only few transmission locations when spoofing a group of receivers while preserving their constellation.

In addition, we investigate the practical aspects of a satellite-lock takeover, in which a victim receives spoofed signals after first being locked on to legitimate GPS signals. Using a civilian GPS signal generator, we perform a set of experiments and find the minimal precision of the attacker's spoofing signals required for covert satellite-lock takeover.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$10.00.

1. INTRODUCTION
The Global Positioning System (GPS), originally introduced by the US military, has become an essential component for numerous civilian applications. Unlike military GPS signals, civilian GPS signals are not encrypted or authenticated and were never intended for safety- and security-critical applications. Nevertheless, GPS-provided locations are being used in applications such as vehicular navigation and aviation, asset monitoring (e.g., cargo tracking), and location-based services (e.g., routing) [22]. The use of the GPS system also includes time synchronization; examples are time stamping in security videos and critical time synchronization in financial, telecommunications and computer networks. Users highly rely on the precision and correctness of GPS location and time: transport companies depend on the correctness of localization to track trucks, cargoes, and goods under GPS surveillance, courts rely on criminals being correctly tracked by GPS-based ankle monitors, and aviation controls trust the correct monitoring of airplane traffic.

This heavy reliance on civilian GPS, following the discontinuation of the selective availability feature of GPS in the year 2000, motivated a number of investigations on the security of GPS. These investigations found that civilian GPS is susceptible to jamming and spoofing attacks [9, 11, 16, 19]. Successful spoofing experiments on standard receivers have been reported [7, 23], showing that commercial-off-the-shelf receivers do not detect such attacks. The increased availability of programmable radio platforms such as USRPs [5] leads to a reduced cost of attacks on GPS. However, the requirements for GPS spoofing were so far not analyzed systematically and many of the previously proposed countermeasures [8, 16] assume a weak attacker that is, e.g., not able to generate signals with sufficient precision.

In this work, we investigate spoofing attacks on civilian and military GPS and analyze the requirements for their success as well as their limitations in practice. We divide the problem of GPS spoofing into the following two problems: (i) sending the correct spoofing signals such that they reach the receiver with the right timing, and (ii) getting a victim that is already synchronized to the legitimate GPS service to lock onto the attacker's spoofing signal. Regarding the first problem, we analyze the effects of GPS spoofing signals on multiple receivers and analyze under which conditions a group of victims can be spoofed such that, e.g., their mutual distances are preserved. Our analysis shows that, in order to spoof a group of victims while preserving the mutual distances, the attacker can only transmit from a restricted set of locations. To the best of our knowledge, such an analysis has not been done before. The second problem of taking over the satellite lock is relevant for performing attacks in real-world situations. In most cases, the victim will have been receiving legitimate GPS signals when the spoofing attack starts. It is thus important to know the required precision of the spoofing signal such that the victim seamlessly (i.e., without detection) switches lock from the legitimate GPS signal to the attacker's spoofing signal. We explore the influence of imperfections (in different aspects of signal power and timing) in a series of experiments and discuss the findings.

In short, our main contributions are as follows: First, we define the GPS group spoofing problem. Second, we analyze spoofing attacks on single and multiple receivers in civilian and military GPS systems and we infer theoretical bounds on the conditions for their success. Third, using a GPS signal generator¹, we investigate the requirements for civilian GPS spoofing by seamless satellite-lock takeover under varying power, timing, and location precision of the attacker's spoofing signals and we provide bounds on these parameters for the receiver used in our experiments.

¹ Satellite signal generators are also called satellite simulators; we use both notations in this paper.
The structure of the paper is as follows. We give background information on GPS positioning and discuss related work on GPS spoofing in Section 2. We introduce the GPS spoofing problem and our system and attacker models in Section 3. In Section 4, we analyze under which conditions GPS spoofing attacks are successful on single victims and groups of victims. The results of our experimental evaluation are presented in Section 5. In Section 6, we introduce a novel countermeasure against GPS spoofing attacks which is based on multiple receivers. We conclude the paper in Section 7.

Figure 1: A GPS receiver $V$ works by observing the signals from a set of satellites. The relative delays of the signals $s_i(t)$ can be used to solve four equations which determine the 3-dimensional position $L$ and the time offset of the receiver $V$.

2. BACKGROUND
In this section, we introduce the fundamental concepts of GPS (based on [11]) which are necessary for this work. We also summarize related work on the security of GPS.

2.1 The Global Positioning System
The Global Positioning System (GPS) uses a number of satellite transmitters $S_i$ located at known locations $L_i^S \in \mathbb{R}^3$. Each transmitter is equipped with a synchronized clock with no clock offset to the exact system time $t^S$ and broadcasts a carefully chosen navigation signal $s_i(t)$ (low auto-/cross-correlation², including timestamps and information on the satellites' deviation from the predicted trajectories). The signal propagates with speed $c$ (see Figure 1).

A receiver $V$ located at the coordinates $L \in \mathbb{R}^3$ (to be determined) and using an omnidirectional antenna will receive the combined signal of all satellites in range:

$$g(L, t) = \sum_i A_i \, s_i\!\left(t - \frac{|L_i^S - L|}{c}\right) + n(L, t) \qquad (1)$$

where $A_i$ is the attenuation that the signal suffers on its way from $L_i^S$ to $L$, $|L_i^S - L|$ denotes the Euclidean distance between $L_i^S$ and $L$, and $n(L, t)$ is background noise.

Due to the properties of the signals $s_i(t)$, the receiver can separate the individual terms of this sum and extract the relative spreading code phase, satellite ID, and data content using a replica of the used spreading code. Given the data and relative phase offsets, the receiver can identify the time delay $|L_i^S - L|/c$ for each satellite and from that infer the ranges

$$d_i = |L_i^S - L|. \qquad (2)$$

With three known ranges $d_i$ to known transmitter positions $L_i^S$, three equations (2) can be solved unambiguously for $L$ (unless all three $S_i$ are located on a line). Since highly stable clocks (e.g., cesium oscillators) are costly and GPS receivers cannot participate in two-way clock synchronization, in practice, $V$ will have a clock offset to the exact system time: t = tS + . With this, Eq. 1 can be rewritten:

$$g(L, t^S) = \sum_i A_i \, s_i\!\left(t - \frac{d_i}{c}\right) + n(L, t^S) \qquad (3)$$

where the receiver can only infer the pseudoranges $R_i$ from the delays di/c + :

Ri = di + c .   (4)

The clock offset adds a fourth unknown scalar. With pseudorange measurements to at least four transmitters $S_i$, the resulting system of equations (4) can be solved for both L and , providing both the exact position and time, without requiring a precise local clock. Given $L_i^S = (x_i^S, y_i^S, z_i^S)$, $L = (x, y, z)$, and = c , we can transform (4) into the following set of equations [1]:

(x - xSi)^2 + (y - ySi)^2 + (z - zSi)^2 = (Ri )^2   Si   (5)

Geometrically, given a , each $S_i$'s equation translates into a sphere with $L_i^S$ being the center. The set of equations (5) is overdetermined for more than four satellites and generally does not have a unique solution for $L$ because of data noise. It can be solved by numerical methods such as a least-mean-square approach or Newton's method [1].

² In civilian GPS, the signals are spread using publicly known spreading codes. The codes used for military GPS are kept secret; they serve for signal hiding and authentication.

2.2 Related Work
In 2001, the Volpe report [8] identified that (malicious) interference with the civilian GPS signal is a serious problem. Starting with this report, practical spoofing attacks were discussed in several publications. In [23], the authors use a WelNavigate GS720 satellite simulator mounted in a truck to attack a target receiver in a second truck. The authors succeeded in taking over the victim's satellite lock by manually placing an antenna close to the victim's receiver. After the victim was locked onto the attacker's signal the spoofing signal could be sent from a larger distance. Instead of using a GPS simulator, the authors of [7] create GPS spoofing signals by decoding legitimate GPS signals and generating time-shifted copies which are then transmitted with higher energy to overshadow the original signals; a similar approach is also used in [14]. This approach requires less expensive equipment but introduces considerable delays between the legitimate and the spoofed signals. GPS spoofing attacks are discussed analytically in [11], showing that an attacker can manipulate the arrival times of military and civilian GPS signals by pulse-delaying or replaying (individual) navigation signals with a delay. We note that there is no unique attacker model used for spoofing attacks, and thus the assumptions on the attacker's capabilities vary between these works.

Given the lack of attacker models, the proposed countermeasures range from simple measures to constant monitoring of the channel. In [8], consistency checks based on inertial sensors, cryptographic authentication, and discrimination based on signal strength, time-of-arrival, polarization, and angle-of-arrival are proposed. The authors of [16, 17, 24] propose countermeasures based on detecting the side effects of a (not seamless) hostile satellite-lock takeover, e.g., by monitoring the local clock and Doppler shift of the signals. Kuhn proposes an asymmetric scheme in [11], based on the delayed disclosure of the spreading code and timing information.

In general, countermeasures that rely on modifications of the GPS satellite signals or the infrastructure (such as [11] and certain proposals in [8]) are unlikely to be implemented in the near future due to long procurement and deployment cycles. At the same time, countermeasures based on lock interrupts or signal jumps do not detect seamless satellite-lock takeovers.

Few publications [3, 12-14] present experimental data on the effects seen by the victim during a spoofing attack. The authors of [13] use a setup based on two antennas to measure the phase difference for each satellite to detect the lock takeover. [3] and [14] analyze the spoofing effect on the carrier and code level. The authors of [12] present a device that prevents spoofing by monitoring and potentially suppressing the received signals before they are processed by the GPS receiver.

All works above only consider attacks on single GPS receivers but not on groups of receivers. In addition, none of them investigated the requirements for successful attacks on public GPS receivers, such as required precision of the attacker's spoofing signals. Although we expect that more works on GPS spoofing and anti-spoofing countermeasures were performed in classified (military) settings, they are not accessible to the public.

3. PROBLEM FORMULATION
In order to give an intuition of the problem, we present our motivation and an exemplary use case. Subsequently we define our system and attacker models and formulate the GPS spoofing problem.

3.1 Motivation
The fundamental reasons why GPS spoofing works have been discussed in the literature before, and spoofing attacks have been demonstrated on single receivers experimentally. In this work, we show under which conditions the attacker can establish the correct parameters to launch a successful spoofing attack on one or more victims, and later in the experiments, how inaccuracies in these parameters influence the lock takeover during the attack. This analysis enables us to identify which attacks are theoretically possible and which attacks would be noticeable as (potentially non-malicious) signal loss at the GPS receivers. This is important for proposing effective receiver-based countermeasures, which are not implemented yet in current standard GPS receivers.

Our work is further motivated by the real-life spoofing attacks, e.g. the one reported in [23]. In this scenario, a cargo truck (the victim), had a GPS unit that was housed in a tamper-proof casing and was sending cryptographically authenticated status updates with a fixed rate to a monitoring center. The attacker planned to steal the truck to get access to its loaded goods at a remote place. He got close to the victim and started transmitting forged (spoofed) signals in order to modify the location computed by the receiver (see Figure 2). In this setting, if the attacker can influence the localization process, he can make the victim report positions to the monitoring center that are unrelated to its actual physical position and thus steal the truck without raising suspicion or revealing the truck's real location.

Figure 2: Basic attack scenario. (a) Visualization of the setup. The victim uses a GPS-based localization system and is synchronized to the legitimate satellites. (b) Abstract representation of the scene. (c) The attacker starts sending own spoofing and jamming signals. (d) The victim synchronizes to the attacker's signals.

3.2 System Model
Our system consists of a set of legitimate GPS satellites and a set $V$ of victims (see Table 1 for notations used). Each victim is equipped with a GPS receiver that can compute the current position and time as described in Section 2. We assume that each receiver $V_j \in V$ is able to receive wireless GPS signals, compute its position, and store its position/time-tuples. If several GPS receivers belong to a common group (e.g., they are mounted on the same vehicle), we assume that they can communicate to exchange their computed locations or are aware of the group's (fixed) formation.

Table 1: Summary of notations (PR = pseudorange).
$S_i$: i-th satellite
$L_i^S$: coordinates of $S_i$
$s_i$: signal sent by $S_i$
$V_j$: j-th victim (receiver)
$L_j$: GPS coordinates of $V_j$
Lj: spoofed coordinates of $V_j$
$P_j$: physical coordinates of $V_j$
$R_{ij}$: $V_j$'s calculated PR to $S_i$
$R_{ij}^A$: $V_j$'s spoofed PR (by $A_i$)
$A_i$: i-th attacker unit
$P_i^A$: physical coordinates of $A_i$
$L_i^A$: claimed coordinates of $A_i$
$s_i^A$: signal sent by $A_i$
iA: time offset of $s_i^A$
j: GPS clock offset of $V_j$
j: spoofed clock offset of $V_j$
$c$: signal propagation speed
j = j c

The GPS location of each individual victim $V_j \in V$ is given by its coordinates $L_j \in \mathbb{R}^3$ in space and the victim's clock offset j with respect to the GPS system time $t^S$. We note that the computed GPS coordinates $L_j$ and clock offset j do not necessarily correspond to the true (physical) coordinates $P_j \in \mathbb{R}^3$ and time.³ We define the local time of $V_j$ as tj = tS + j , i.e., j < 0 refers to an internal clock that lags behind. We use L to denote the set of GPS locations of the victims in $V$.

A GPS spoofing attack may manipulate a receiver's coordinates in space and/or its local time. We denote a victim's spoofed coordinates by Lj $\in \mathbb{R}^3$ and the spoofed time offset by j . We use L for the set of spoofed victim locations.

In our analysis in Section 4, we distinguish between civilian GPS, which uses the public C/A codes so that each satellite signal $s_i$ contains only public information, and military GPS, which provides authentic, confidential signals using the secret P(Y) codes. In the experimental evaluation in Section 5, we use a satellite signal generator for civilian GPS.

³ Typically, the difference $|L - P|$ is less than a few meters [21].

3.3 Attacker Model
GPS signals can be trivially spoofed under a Dolev-Yao [4]-like attacker that is able to fully control the wireless traffic by intercepting, injecting, modifying, replaying, delaying, and blocking messages without temporal constraints for individual receivers, see Figure 3(b). If the attacker has full control over the input to each individual receiver antenna, he can send the signals as they would be received at any location Lj . This would, however, require the attacker to either be very close to each receiver or to use directional antennas with narrow beam widths and shielding to prevent that the signals intended for one victim are also received by another victim; in both cases, the number of required attacker antennas would be linear in the number of victims. In this work we assume that the signals sent by the attacker are transmitted wirelessly and that they will be received by all victims in $V$, see Figure 3(a).

Figure 3: Models of the attacker's antenna coverage. (a) The attacker's signals reach all victims (used in the analysis of this paper). (b) The attacker's antennas each only reach one victim. This requires the attacker to be in close proximity to the victims if the distances between the receivers are small.

The attacker controls a set of wireless transmitters that he can move and position independently. We denote by $P_i^A \in \mathbb{R}^3$ the physical location of the i-th transmission unit of the attacker (manipulating the signals of satellite $S_i$), and the set of all physical attacker locations from where the attacker is transmitting by $P^A$. We assume that the attacker's inherent, unwanted clock offset to the GPS system time is negligible⁴ and use iA to capture the time shift introduced by the attacker in the transmission of signal $s_i^A$ with respect to the signal $s_i$ and the system time $t^S$. For example, for 1A = 10 ms, the attacker transmits the spoofed signal 10 ms after the signal $s_1$ was transmitted by satellite $S_1$.

For our analysis, we assume that the attacker is aware of the victims' physical locations (the influence of errors in the attacker's location estimates is evaluated in Section 5). We further denote by $|L_i^S - P_j|$ the physical distance between satellite $S_i$ and victim $V_j$. Similarly, $|P_i^A - P_j|$ denotes the physical distance between the attacker's antenna at $P_i^A$ and victim $V_j$. Given this setting, we distinguish the following two types of attacks:

Attacks on civilian (unauthenticated) GPS: The attacker can delay signals or send them prematurely, i.e., iA $\in \mathbb{R}$. He can modify the content of received GPS signals or arbitrarily generate the spoofing signals $s_i^A$ using the public GPS parameters (e.g., by using a GPS signal generator). This is possible because civilian GPS signals are not authenticated: given the right hardware, anyone can transmit his own GPS signals. Thus the attacker can also modify the claimed locations of the satellites: $L_i^A \neq L_i^S$. We note that on standard GPS receivers, the data content in the received GPS signals is not checked for plausibility or consistency [15].

Attacks on military (authenticated) GPS: The attacker is not able to generate valid military GPS signals. All he can do is to capture and relay existing signals, e.g. by separating signals from different satellites using high-gain directional antennas and broadband transceivers (called Selective-Delay in [11]). This means that the attacker can delay existing GPS signals and amplify or attenuate them. He is restricted by iA $\geq |L_i^S - P_i^A| / c$, i.e., signals can be delayed but not sent prior to their reception. We note that neither the spreading codes nor the data content of the signal need to be known to the attacker for a successful selective-delay attack.

We note that these attacker models are very strong. Nevertheless, we consider them appropriate for our analysis because we want to make general statements that hold even under very strong (worst-case) attackers with sophisticated equipment.

⁴ The attacker can synchronize his time to legitimate GPS signals.

3.4 Formulation of GPS Spoofing Problems
We first define GPS spoofing attacks and then present two GPS spoofing problems for the attacker.

Definition 1 (GPS Spoofing Attack). Let a victim $V$ compute its GPS location as $L$ and its GPS time as $t$ in the absence of an attacker. In a GPS spoofing attack, the attacker sends spoofing signals to manipulate the victim's GPS-based location calculations. As a result, $V$ computes its location as L ≠ L and/or time as t ≠ t.

Definition 1 can also be extended to groups of victims:

Definition 2 (GPS Group Spoofing Problem). Let L be a set of target locations for each $V_j \in V$ and let tj ∈ T denote the target time for $V_j$. The GPS Group Spoofing Problem is the problem of finding combinations of GPS signals $s_i^A$ (sent by the attacker), transmission times tAi = tS + iA (when the spoofing signals are sent), and physical transmission locations $P_i^A$ (from where the attacker transmits) such that the location or time of each $V_j \in V$ is spoofed according to Definition 1.

We note that the physical attacker locations $P_i^A$ do not have to correspond to the claimed satellite positions $L_i^A$ in the GPS messages (for civilian GPS, $L_i^A$ can even be chosen by the attacker).

As we will show in Section 4.2, the GPS spoofing problem for a single victim has a trivial solution for any target location.

In Section 4.3, we will analyze the necessary restrictions on the spoofed locations such that the GPS Group Spoofing Problem can be solved. We therefore define a decisional version of the GPS Group Spoofing Problem.

Definition 3 (Decisional GPS Group Spoofing Problem). Let P be the set of physical locations of the victims in $V$. Let L and T be defined according to Definition 2. The Decisional GPS Group Spoofing Problem for P, L, T is the decision problem whether there exists at least one set of attacker locations $P^A$ from where the attacker can send the spoofing signals $s_i^A$ such that the location or time of each victim $V_j \in V$ is spoofed according to Definition 1.

In practice, the GPS Group Spoofing Problems (Definitions 2 and 3) may be restricted in terms of attacker capabilities. For example, the attacker may only be able to position his transmission antennas at a restricted set of physical locations PA, at a restricted set of claimed satellite positions LA, or he may only be able to send the spoofing signals at a restricted set of transmission times TA (e.g., if he must receive legitimate signals before he can send the spoofing signals). In these cases, the GPS Group Spoofing Problems can be modified to take the restricted attacker capabilities LA, PA, TA as additional input and find solutions that fulfill P P , L LA A A A , or T A TA .

4. SOLVING GPS SPOOFING PROBLEMS
We now analyze how our attacker (as defined in Section 3.3) can spoof the locations of one or more receivers. In this section, we abstract away from implementation issues (such as taking over an established lock to legitimate satellites, see Section 5), and assume that there are no legitimate signals present on the channel.

4
Equally, we define bijk as the difference of pseudoranges of the

claimed satellite location LA
i and the spoofed victim locations Lj

and Lk (see Figure 4):
bijk = Rij

Rik
= |Lj LA A
i | |Lk Li | + j k . (12)

Figure 4: The GPS spoofing scenario for two victims in 2 di-


4.2 Spoofing to One Location
mensions. The attacker is impersonating a satellite with the
Result 1. One or more receivers Vj V can be spoofed to any
claimed (forged) location LA i , using an antenna positioned at one location L using a single attacker antenna. Spoofing multiple
PiA . The victims are two receivers with physical positions at P1
receivers to the same location L will generally lead to different
and P2 . For each signal sA A
i , the attacker ensures that Ri1 and
A time offsets j at each victim.
Ri2 match Ri1 and Ri2 , and therefore V1 and V2 compute their
locations as L1 and L2 with clock offsets 1 and 2 . Here, bi12 The reason for this is that the time-differences of arrival of the
and bi12 are the differences of pseudoranges between V1 and individual satellite signals determine the location that each receiver
V2 . will compute. If the spoofed signals are all sent from the same
attacker antenna, all victims will obtain the same time-differences.
A detailed proof is given in Appendix A, along with a discussion
4.1 Construction of Pseudoranges of the resulting time differences at the victims.
The attackers physical location PiA , his transmission time offset
iA , and the claimed satellite position LA i all influence the loca- 4.3 Spoofing to Multiple Locations
tion Lj as computed by a victim Vj (see Sections 2 and 3.2). By We next consider multiple receivers at distinct physical loca-
setting his physical location PiA and transmission offset iA , the tions P1 , . . . , Pn that the attacker tries to spoof to the locations
attacker can influence the pseudorange computation at the victim. L1 , . . . , Ln . Following Result 1, an attacker can spoof any number
The expected pseudorange that a victim at physical position Pj will of receivers in the transmission range to the same coordinates L
compute based on the attackers signal sA i is with differing j . If the victims have a way of establishing (coarse)
A
Rij = |Pj PiA | + iA c (6) relative distances, e. g., by estimating their respective distances vi-
sually, or can detect their mutual time offsets, they are able to de-
To determine its location, each victim solves a system of equa- tect such attacks. Therefore, we will now focus on attacks in which
tions with the calculated pseudoranges (see Figure 4): multiple victims are shifted to a set of new locations that preserve
their mutual distances and mutual time offsets.
|Lj LA
i | = Rij j (7)
As stated in Result 1, if the attacker is using only one transmis-
Here, LAi are the (claimed) satellite coordinates of Si extracted by
sion antenna, any possible placement of this antenna will lead to
Vj from the GPS message, Rij
is the pseudorange to satellite Si as two victims computing their location to the same coordinates L ,
calculated by Vj based on the received signal, and j = j c is with a small time synchronization error. Hence, the attacker can-
the time offset times propagation speed as calculated by the victim. not use only one antenna to shift the victims to different locations.
For each impersonated satellite, the attacker must send a signal We will now show that, using multiple antennas, the attacker can
sA
i such that solving Equation 7 by the victim yields the target lo-
spoof two victims to any locations while preserving their mutual
cation Lj and the target time offset j . This requires Rij
A
= Rij , time offsets, with certain restrictions on the time offset in the case
or: of military GPS receivers.

|Pj PiA | + A A
i = |Lj Li | + j . (8) Result 2. Two receivers at the physical locations P1 6= P2 can
be spoofed to the locations L1 6= L2 and time offsets 1 , 2 if the
In attacks on civilian GPS, the attacker is free to choose PiA , attacker is free to choose any PiA and LA A
i . For each si , the pos-
iA , and LAi . This means that the system of equations (8) is under- A
sible transmission locations Pi lie on one half of a two-sheeted
determined for a single victim. The attacker can fix two of the hyperboloid defined by L1 , L2 , 1 , 2 , LA
i , and P1 , P2 .
variables to his liking and solve for the third.
When the attack targets a military GPS receiver, the attacker can- In order to spoof V1 , V2 to L1 , L2 and 1 , 2 , the attacker must
not change the data content of the messages and is restricted to iA , send each si such that it arrives with the correct delay at the physi-
which is greater than or equal to the transmission delay from the cal locations of the victims, i. e., bi12 = bi12 si . As bijk is defined
satellite to the attacker. Hence, the claimed satellite location in the by PiA and, likewise, bijk is defined by LA i , the attacker can always
message is the correct location of the legitimate satellite: LA i = find combinations of PiA and LA that yield the correct pseudorange
i
LS A A S
i . In addition, the attacker is restricted by i |Pi Li |. We (for attacks on civilian GPS). He can then use Equation 8 to find the
can therefore rewrite Equation 8 as appropriate iA .

|Pj PiA | + |PiA LS A
i | |Lj Li | + j . (9)
In the case of military GPS, the attacker cannot change the claimed

Or, using the triangle inequality placements of the satellites: LA S
i = Li . Hence, bi12 is determined

|Pj LS A by the selection of L1 , L2 and 1 , 2 . In this case, Equation 8 yields
i | |Lj Li | + j . (10)
one hyperboloid for each sA A
i with possible values of Pi and i .
A

In the following, let bijk be the difference in pseudoranges to PiA We demonstrate this by giving a simple example: the victims
between Vj and Vk (see Equation 6): are located at P1 = (1, 0, 0) and P2 = (1, 0, 0), the physical
A A
distance between the victims is |P1 P2 | = 2. The attacker wants
bijk = Rij Rik = |Pj PiA | |Pk PiA |. (11) to spoof the two victims to the locations L1 = (0, 0, 0) and L2 =

5
$(0, 2, 0)$, both with time offset zero: $\delta'_1 = \delta'_2 = 0$. The attacker now (arbitrarily) chooses $L_1^A = (3, 2, 0)$, $L_2^A = (2, 0, 0)$, and $L_3^A = (2, 2, 0)$ for the claimed satellite positions in the GPS messages. This determines three hyperboloids relative to $P_1$ and $P_2$ based on $b'_{112}$, $b'_{212}$, and $b'_{312}$.

Figure 5: Hyperbolas of possible antenna placements for the attacker when impersonating a satellite for two victims (Example for Result 2, in 2D). Each hyperbola represents possible placements for an antenna $P_i^A$.

Result 3. A necessary condition for a successful GPS group spoofing attack is that $\forall V_j, V_k, \forall s_i,\ b'_{ijk} \le |P_j - P_k|$.

In other words, the difference $b'_{ijk}$ of the perceived pseudoranges of each signal $s_i^A$ at any two spoofed victim locations $L'_j$ and $L'_k$ must be smaller than or equal to the distance between the victims' physical locations $P_j$ and $P_k$. From Equation 11 and the triangle inequality it follows that $b^A_{ijk} \le |P_j - P_k|$. Since it must hold that $b'_{ijk} = b^A_{ijk}$, if $b'_{ijk} > |P_j - P_k|$ for any $s_i$, then there is no possible solution for the attacker's placement $P_i^A$. Thus we get

$$|P_j - P_k| \ge |L'_j - L_i^A| - |L'_k - L_i^A| + \Delta'_j - \Delta'_k \qquad (13)$$

as a necessary condition for a successful attack.

As we know from Result 2, for two victims, all possible antenna placements for the attacker lie on a hyperboloid defined by $P_j$, $L'_j$, $\delta'_j$ and $L_i^A$. We will now extend this result to the case of three and more victims. In the following, we assume that $b'_{ijk} \le |P_j - P_k|$ is fulfilled $\forall V_j, V_k$ and $s_i$, i. e., it is physically possible to spoof the locations of the receivers.

Result 4. In a GPS group spoofing attack on three victims $V_1, V_2, V_3$ to specific locations $L'_j$ and time offsets $\delta'_j$, all possible attacker placements $P_i^A$ lie on the intersection of two hyperboloids defined by $b'_{i12}$, $b'_{i13}$.

This can be shown by constructing two hyperboloids using $b'_{i12}$ and $b'_{i13}$ as in Result 2. Both hyperboloids yield the possible placements of the attacker's antennas to achieve the correct pseudorange for $V_1, V_2$ or $V_1, V_3$, respectively. Each point on the intersection of the two hyperboloids has a specific $\delta_i^A$ and is at the correct distance to all three victims. Therefore, all points of this space curve are valid $P_i^A$ to solve the group spoofing problem.

We can extend our example from Result 2 by a third victim placed at $P_3 = (1, 5, 0)$, which is spoofed to $L'_3 = (1, 1, 0)$ with $\delta'_3 = 0$. This reduces the possible locations from the hyperboloid as shown in Figure 6(a) to the intersection curve of the hyperboloids constructed using $b'_{i12}$ and $b'_{i13}$, as shown in Figure 6(b).

Result 5. In a GPS group spoofing attack on four victims $V_1, \ldots, V_4$ to specific locations $L'_j$ and time offsets $\delta'_j$, there are at most two possible placements for $P_i^A$ to impersonate a satellite at $L_i^A$. These are the intersection points of three hyperboloids defined by $b'_{i12}$, $b'_{i13}$, $b'_{i14}$.

As previously, to show this, we consider each signal $s_i^A$ separately. By computing $b'_{i12}$, $b'_{i13}$, $b'_{i14}$ (and $b'_{i11} = 0$) according to Equation 11 and setting $b^A_{ijk} = b'_{ijk}$, we can construct three hyperboloids. Their intersection points are possible placements for the antennas of the attacker. As the intersection of two hyperboloids yields a space curve, the intersection of three hyperboloids is an intersection of this curve with a third hyperboloid, which results in at most two points. We can also arrive at this number of solutions by considering the system of four quadratic equations based on Equation 7. These can be transformed into three linear and one quadratic equation [1], defining the solutions for the location $L_i^A$ and time offset $\delta_i^A$. As the quadratic equation has at most two solutions [1], and each of the linear equations has one unique solution, there are at most two solutions for the attacker's position and transmission time.

This result can also be observed in our example by adding a fourth victim placed at $P_4 = (10, 0, 0)$, which is spoofed to $L'_4 = (1, 0, 0)$ with $\delta'_4 = 0$. The possible placements for the attacker's antenna are now the intersection of the previously obtained curve with another hyperboloid, yielding two points only (Figure 6(c)).

Result 6. In a GPS group spoofing attack on five or more victims $V_1, \ldots, V_n$ to specific locations $L'_j$ and time offsets $\delta'_j$, there is at most one possible placement for $P_i^A$ to impersonate a satellite at $L_i^A$. This is the intersection point of $n - 1$ hyperboloids defined by $b'_{i12}, \ldots, b'_{i1n}$.

This result directly continues our previous reasoning: Each added victim adds another hyperboloid to the set of hyperboloids which must intersect to yield a possible $P_i^A$. For five or more receivers, the set of $(n - 1)$ linear equations and one quadratic equation is overdetermined, and therefore has at most one solution.

From Result 5, we know that for military GPS receivers, there are at most two solutions for a given combination of $P_j$, $L'_j$, $\delta'_j$, and $L_i^A = L_i^S$. For attacks on civilian GPS receivers, the attacker can influence the position of the two solutions of the system of equations by changing the claimed satellite location $L_i^A$. We will now give an intuition where these solutions are located for a formation-preserving GPS spoofing attack.

Result 7. When spoofing a group of GPS receivers $V_1, \ldots, V_n$ such that the formation (i. e., the mutual distances and relative time offsets) is preserved, there is always at least one solution to the decisional group GPS spoofing problem.

One way to show this result is to use an affine transformation to describe the relation between physical and spoofed locations of the receivers and senders. If the formation of the victims is preserved, there exists a bijective affine augmented transformation matrix $T$ which describes this translation and rotation. Assuming that $L$ and $P$ are represented as augmented row vectors, we can therefore write $T \cdot L_j = L'_j$. Then, the inverse transformation $T^{-1}$ applied to $L_i^A$ will yield a possible antenna placement $P_i^A = T^{-1} \cdot L_i^A$, because all pseudoranges $R'_{ij}$ between $L'_j$ and $L_i^A$ and the measured range $R^A_{ij}$ between $P_i^A$ and $P_j$ will be the same (the transformation preserves the Euclidean distance).

As a consequence of Results 6 and 7, spoofing five or more receivers while retaining their formation has exactly one solution, an affine transformation of the claimed satellite position $L_i^A$.

Summary of results: Table 2 gives an overview of sets of possible positions $P_i^A$ for the attacker's antenna depending on the number
of victims and on the target locations: spoofing all receivers to one location or each victim to a different location with a preserved formation. The results are shown for civilian and military GPS; "hyperboloid" refers to half of a two-sheeted hyperboloid. In the table we assume that the condition of Result 3 holds.

The results in Table 2 show that there are no restrictions on the attacker's position for spoofing any number of victims to one location ($P_i^A \in \mathbb{R}^3$). With an increasing number of victims and a constant formation, the attacker is getting more and more restricted in terms of his antenna placement. For civilian GPS, the attacker has more degrees of freedom because he can select claimed (false) satellite locations $L_i^A$ and thus influence the hyperboloid, intersection of hyperboloids, etc., whereas these are fixed for military GPS (i. e., there is only one specific hyperboloid of attacker positions for each transmitted signal per pair of victims).

[Figure 6 panels: (a) 2 receivers, (b) 3 receivers, (c) 4 receivers; axes x, y, z]

Figure 6: Visualization of possible attacker placements. For (a) two victims, all points on the hyperboloid are viable solutions; for (b) three victims the solutions lie on a curve (red/white intersection); and (c) for four victims only two points are viable solutions (white dots).

     | Spoofing to one location      | Spoofing to multiple locations (preserved formation)
n    | Civ. & Mil. GPS               | Civilian GPS                              | Military GPS
1    | $P_i^A \in \mathbb{R}^3$      | -                                         | -
2    | $P_i^A \in \mathbb{R}^3$      | set of hyperboloids                       | one hyperboloid
3    | $P_i^A \in \mathbb{R}^3$      | set of intersections of two hyperboloids  | intersection of two hyperboloids
4    | $P_i^A \in \mathbb{R}^3$      | set of 2 points                           | 2 points
≥5   | $P_i^A \in \mathbb{R}^3$      | set of points                             | 1 point

Table 2: Summary of results for the number of possible attacker locations $P_i^A$ for $n$ victims.

5. EXPERIMENTS ON SATELLITE-LOCK TAKEOVER

A GPS spoofing attack in the presence of legitimate GPS satellite signals requires the attacker to make the victim stop receiving signals from the legitimate satellites and start receiving the attacker's signals. If this takeover is noticed by the victim, e. g. because the victim suddenly loses contact to previously seen satellites, it can detect the spoofing attack. While the victim might lose contact due to random noise or environmental changes, the attacker ideally should take over without being noticed. We say that the receiver has a lock on a specific transmitter when it is already receiving data from that satellite. The satellite lock makes spoofing attacks harder since a spoofing signal is likely to be misaligned (in phase, Doppler shift, or data content) to the legitimate signal. When the attacker's signal is turned on, this momentary interruption in the data-flow from that satellite could cause the victim to be temporarily unable to compute his position. Therefore, we now investigate how the attacker can take over the victim's lock without the victim losing the ability to calculate its position, even for a moment.

In Section 3 we assumed a strong attacker, who is always able to generate signals with perfect timing and power level, and who has perfect knowledge of his own and the victim's position. In a practical attack, many of these assumptions might be invalid. We conduct experiments to evaluate the influence of such imperfections. Because we do not change the claimed location of the satellite in the data sent by the attacker, all discussed imperfections should apply equally for military and public GPS receivers.

5.1 Experimental Setup and Procedure

In our experiments, the spoofing signals and the legitimate GPS signals are sent over a cable to eliminate the influence of the transmission channel. This enables us to measure the unique influence of the parameters of interest while disregarding channel and antenna noise. These results therefore show the minimal precision of the signal parameters required for a successful attack on our target platform.

Figure 7: The experimental setup.

We conduct the lock takeover attacks using a Spirent GSS7700 GPS simulator (see Figure 7). The GPS signal simulator is a hardware device that generates GPS signals and is controlled by a dedicated simulation PC running the SimGen simulation software package [20]. The GSS7700 GPS simulator generates two independent
GPS constellations with up to 16 satellites in each. One constellation is simulating the signals from the legitimate GPS satellites, and the other is simulating the attacker's signals. Both are mixed together and sent to the GPS receiver via a wired connection. The GPS receiver in our experiments is an Antaris evaluation kit by u-blox, containing the ATR0600 GPS chip from Atmel.

At the start of each experiment, we send only the legitimate GPS signals for a static location. We reset the GPS receiver to make sure all experiments are independent and no internal state is kept from a previous experiment. After about 30 seconds the GPS receiver will lock on to enough satellites to be able to calculate a stable position. This position is the legitimate position $L$ and the goal of the attacker is now to move the victim to a new location $L'$ such that (i) the victim is continuously able to compute its position and (ii) no noticeable discontinuities in the location are reported by the victim's receiver.

The attack then consists of two phases: first, the attacker sends signals which are supposed to match the legitimate satellites' signals at the location of the victim. These are generated by the attacker by approximating the current location of the victim as $L_{init}$, and constructing signals with time delays and data content appropriate for that location (see Section 4.1). This first phase lasts for one minute to allow the victim to lock on to the new signals. In the second phase, the attacker starts to move the spoofed location towards the final location $L'$, imitating an acceleration of 0.5 m/s². After 3 minutes, the final location is reached. If this final location is not remotely close to $L'$ (height difference 150m, horizontal distance 1km), we consider the takeover failed.

We vary the distance between the victim's true location $L$ and its initial location as assumed by the attacker $L_{init}$ as one of the parameters in the experiments. We refer to this distance as the location offset $d_{init} = |L - L_{init}|$. The other parameters we investigate are relative signal power, relative time offset and constant time offset. For each parameter value, five experiments were run.

We say that the lock takeover was successful if at the end of the experiment the victim's final location is close to $L'$. If the victim is close to $L'$ but was unable to compute a valid position for more than one second during the lock takeover, we consider the attack a partial success and use the number of seconds the victim was not able to calculate a valid position as an error metric.

[Figure 8 panels: (a) Sample run with +0dB power offset, error (m) in longitude, latitude and height over time (s); (b) Average error as a function of power offset, average error (m) and error ratio (failed takeover, lost lock) over relative power in dB; (c) Sample run with 120ns time offset, error (m) over time (s); (d) Average error as a function of time offset, average error (m) and error ratio over time offset in ns]

Figure 8: (a-b) Effects of relative signal power. (a) Example of unsuccessful takeover with too little power used. The spoofing signal is switched on at $t_s = 60$s and starts moving at $t_m$. (b) Average error over the measurement as a function of relative power. (c-d) Example of effects of spoofing signals with time offset. (c) During the takeover, the location jumps, in particular the height. The spoofing signal is switched on at $t = 60$s. (d) Average error over the measurement as a function of the time offset.

5.2 Results of the Experiments

Relative signal power of the spoofing signal: In this experiment, ideal spoofing signals are sent, but the power of the spoofing signals is varied between −2dB and +8dB relative to the legitimate signals.

Figure 8(a) shows the effect of using spoofing signals that have the same power as the legitimate signals. In this figure, $t_s$ marks the time at which the spoofing signals are turned on and $t_m$ the time when the spoofed location starts to move away from $L_{init}$. The errors in longitude, latitude, and height are shown separately and are measured between the location as reported by the receiver and the one sent by the simulator. Although the victim reports the spoofed location for some time, it switches back to $L$ after 170s of the experiment, which causes the growing error in longitude.

Figure 8(b) shows the error in meters between the position reported by the GPS receiver and the location sent by the attacker, as a function of the relative power of the attacker's signals. The error bars show the standard deviation for the error value over the five experimental runs. The gray bars indicate the ratio of experiments in which the receiver was unable to determine its position during the experiment. We use this as a metric to evaluate the smoothness of the lock takeover. If the receiver reported a location too far away from $L'$, we count this run as failed takeover. Blue bars in the figure
denote the ratio of attempts in which the GPS receiver was unable to compute a valid location.

It can be seen that for at least 2dB more power, the receiver consistently locks onto the spoofing signals without any offset occurring. 2dB of power is sufficiently low to not be detected by power based spoofing-countermeasures in practice.

Constant time offset influence: The second question we investigate is the effect of a general delay on all signals sent by the attacker relative to the legitimate signals. Such time delays can occur if the attacker's system setup is not perfectly compensating for internal delays, the distance to the victim is unknown or the system clock of the attacker is not synchronized perfectly to the clock of the legitimate GPS satellites. The interesting question is if such a general time offset will result in detectable errors in the victim's reported position, and if such a time offset will increase the chance of the victim losing lock completely during the takeover. To evaluate the influence of a constant time offset, we run the tests with time offsets between 0ns and 240ns. We plot the location error between the attacker's intended location and the actual location reported by the victim for an example run in Figure 8(c). The effects are consistent over several runs with the same parameters, but can vary quite a lot with these parameters.

In Figure 8(d), we show the general relation between the average errors during the measurement as a function of the time offset for the first 120ns. After this time, lock takeover was not working consistently any more.

Location offset influence: In this series of experiments we determine the influence of an offset $d_{init}$ between the position of the victim as determined from the legitimate satellites $L$ and the spoofing signals sent by the attacker $L_{init}$. We evaluate the influence of such a location offset for values between 0 and 450m. Similarly to the time offset, this location offset can lead to a relatively large error during the lock takeover. An example with offset of 340m is given in Figure 9(a).

In Figure 9(b), we show the average error as a function of the location offset. Regardless of the intermediate errors, eventually the victim always synchronizes to the attacker's signals in all our experiments. This shows that the initial position is not very sensitive to small errors. If an attacker knows the location of his victim to within about 100 meters, he can perform a smooth takeover without the victim losing lock. There will of course be a detectable jump in position from $L$ to $L_{init}$ when the attacker's signal is turned on but the victim will not lose lock with any satellite.

Relative time offset influence: In the case where the attacker has access to more than one transmission antenna, he can send the spoofing signals using two or more omnidirectional antennas (see Section 4). Depending on the relative position of the individual antennas, the victim will receive the spoofing signals with different time delays. Relative time offsets of the signals can also be caused by inaccuracies in the delay setup in the case of military GPS signals. In this experiment, we evaluate the consequences of having half of the spoofed satellite signals shifted by a fixed amount of time relative to the other half of the signals. In Figure 9(c), we show an example run with a time delay mismatch of 140ns. The results for all tested values are presented in Figure 9(d).

[Figure 9 panels: (a) Sample run with 340m location offset, error (m) in longitude, latitude and height over time (s); (b) Average error as a function of location offset, average error (m) and error ratio (failed takeover, lost lock) over location offset in m; (c) Sample run with 140ns time delay mismatch offset, error (m) over time (s); (d) Average error as a function of time delay mismatch, average error (m) and error ratio over satellite signal desynchronization in ns]

Figure 9: (a-b) Example of effects of spoofing signals with location offset. (a) Example with 340m offset. During the takeover, the location is unstable. The spoofing signal is switched on at $t = 60$s. (b) Average error over the measurement as a function of the location offset. (c-d) Example of effects of spoofing signals with inconsistent time offset for half of the satellites. (c) With a 140ns time offset between the attacker's satellites, the takeover leads to an unstable lock. The spoofing signal is switched on at $t = 60$s. (d) Average error over the measurement as a function of the time delay mismatch.

5.3 Discussion on Practical Issues in Spoofing Attacks

Because our experiments are based on a single GPS receiver, we do not attempt to make precise general statements about the parameter values that are necessary to perform a seamless takeover of any platform. Instead we point out that ranges with acceptable
values exist and we present the values for our receiver in Table 3.

Parameter              | Value required for successful spoofing
Relative signal power  | +2dB
Constant time offset   | 75ns
Location offset        | 500m
Relative time offset   | 80ns

Table 3: Required parameter ranges for seamless lock-takeover in a GPS spoofing attack in our experiments.

According to our experiments, the constant time offset is sensitive to variation and should be less than 75ns. Anything more than that will cause the GPS receiver to lose lock when the spoofing signal is turned on. A value of 75ns roughly corresponds to a distance of 22.5m, meaning that the attacker must know the distance from himself to the victim with an accuracy of 22.5m (or better); a higher offset will cause the victim to lose lock due to the signal (chip phase) misalignment. We found that the initial location offset will cause a noticeable jump of the victim's reported position during the attack. Large offsets could therefore be detected by the victim by monitoring its position. Any change in the arrival time of the signal from different antennas will directly impact the position calculated by the victim. If the relative time offset gets above 80ns the signals are sufficiently misaligned to cause the receiver to lose lock. This means that, if an attacker has multiple antennas, he must precisely know the distance from each antenna to the attacker in order to be able to spoof a desired location.

6. GPS SPOOFING COUNTERMEASURE

Spoofing detection based on lock loss has two disadvantages: (i) strong attackers can achieve a seamless satellite-lock takeover, and (ii) lock loss can occur due to natural causes (e. g. signal loss in a tunnel). We propose a countermeasure against GPS spoofing attacks that does not rely on the signal analysis or on the lock loss of signal. Instead, our mechanism is based on our insights of Section 4 and relies on the use of several GPS receivers. These GPS receivers can be deployed in a static, known formation, e. g., they are fixed on the deck of a cargo ship (see Figure 10). The basic idea of the countermeasure is the following: If the GPS receivers can exchange their individual GPS locations, they can check if their calculated locations preserve their physical formation (within certain error bounds). In the case that the calculated GPS locations do not match the known formation, an attack must be suspected and there should be a warning message. For the exchange of positioning information, the victim could also resort to wired connections if available (which would be resistant against spoofing and jamming attacks).

Figure 10: Proposed countermeasures: For an attacker with a single antenna, the two-receiver countermeasure is enough. If the attacker uses multiple antennas, four (or more) receivers severely restrict the attacker's antenna placements. Wrong antenna placements will change the distances of the receivers and can thus be detected.

Even if only two GPS receivers are used, this countermeasure can detect any attacker that is only using a single antenna. As shown in Result 1, in case of a single-antenna attack both GPS receivers would report the same location (with small time offsets).

As shown in Results 4-6, a strong attacker using multiple antennas could attempt to send signals such that the mutual distances between multiple receivers are preserved. Nevertheless, each additional receiver of the victim makes these spoofing attacks exceedingly more difficult because the space of possible antenna placements for the attacker gets reduced significantly (see Table 2). From Results 6 and 7 we know that there exists only one location per satellite where the attacker can place his antenna; this location is the rotated and translated satellite position of the GPS signal. Conducting such an attack is very difficult. It becomes even impossible if the victim can hide the exact positioning of at least one GPS receiver from the attacker (e. g., by keeping it mobile on the vehicle) such that the attacker cannot adapt to its position.

In summary, our countermeasure requires no modifications of the GPS signal, the satellite infrastructure, or the GPS receiver, it is resistant against a wide range of attackers, and it can be deployed using multiple standard GPS receivers.

Outlook: Further possible applications are not restricted to mobile scenarios with a fixed formation (such as in the cargo ship example above). The countermeasure can also be applied (i) to fixed and static (i. e., immobile) settings where GPS is used for time synchronization and (ii) to mobile settings with varying formations (e. g., mobile formation of cars, robots, etc.). In the latter case, the devices can apply additional ranging techniques to identify their formation and use it in the sanity check with the calculated GPS locations (as long as the ranging techniques are secure [?, 2, 6, 10, 18]). We leave the elaboration of these ideas for future work.

7. CONCLUSION

In this paper, we analyzed the requirements for successful GPS spoofing attacks on individuals and groups of victims with civilian or military GPS receivers. In particular, we identified from which locations and with which precision the attacker needs to generate its signals in order to successfully spoof the receivers.

For example, we show how spoofing a group of victims can only be achieved from a restricted set of locations, if the attacker aims to preserve the mutual distances and time offsets of the victims. With growing size of the group of victims, fewer spoofing locations become available, until only single points remain for 5 victims or more. In addition, we discussed the practical aspects of seamless satellite-lock takeover. We used a GPS signal generator to perform a set of experiments in which we investigated the required precision of the attacker's spoofing signals. Besides demonstrating the effects of such lock takeovers on the victim, our results include minimal bounds for critical parameters to allow a seamless takeover of our target platform. Finally, we proposed a technique for the detection of spoofing based on a group of standard GPS receivers (without specific spoofing detection measures) in a static formation.
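The formation check proposed in Section 6, together with the single-antenna behaviour of Result 1 that it detects, can be modelled as follows. This is an added example, not code from the paper: the least-squares receiver model, the satellite positions, deck layout, antenna position, target location and the 5 m tolerance are all constructed assumptions.

```python
import math
from itertools import combinations

C = 299_792_458.0  # speed of light in m/s

# Constructed sample data (not from the paper): claimed satellite positions in a
# local frame (m), four receivers fixed on a deck (m), one transmitting antenna,
# and the location L' that every receiver ends up computing in Result 1.
SATS = [(15e6, 5e6, 15e6), (-12e6, 10e6, 14e6), (3e6, -17e6, 12e6),
        (-8e6, -9e6, 18e6), (1e6, 2e6, 22e6)]
RECEIVERS = [(0.0, 0.0, 0.0), (30.0, 0.0, 0.0), (0.0, 40.0, 0.0), (30.0, 40.0, 0.0)]
ANTENNA = (500.0, 200.0, 10.0)
TARGET = (1000.0, -2000.0, 0.0)
TOLERANCE_M = 5.0  # assumed error bound for the formation check


def solve_fix(sats, pseudoranges, iterations=10):
    """Receiver model: Gauss-Newton solution of |L - L_i| + Delta = R_i for (L, Delta)."""
    x = [0.0, 0.0, 0.0, 0.0]  # Lx, Ly, Lz and the clock offset expressed as a range (m)
    for _ in range(iterations):
        rows, res = [], []
        for s, r in zip(sats, pseudoranges):
            d = math.dist(x[:3], s)
            rows.append([(x[k] - s[k]) / d for k in range(3)] + [1.0])
            res.append(r - (d + x[3]))
        # Normal equations (J^T J) dx = J^T res as an augmented 4x5 matrix.
        a = [[sum(row[i] * row[j] for row in rows) for j in range(4)]
             + [sum(row[i] * e for row, e in zip(rows, res))] for i in range(4)]
        for col in range(4):  # Gaussian elimination with partial pivoting
            piv = max(range(col, 4), key=lambda n: abs(a[n][col]))
            a[col], a[piv] = a[piv], a[col]
            for n in range(col + 1, 4):
                f = a[n][col] / a[col][col]
                a[n] = [u - f * v for u, v in zip(a[n], a[col])]
        dx = [0.0] * 4
        for i in reversed(range(4)):
            dx[i] = (a[i][4] - sum(a[i][j] * dx[j] for j in range(i + 1, 4))) / a[i][i]
        x = [xi + di for xi, di in zip(x, dx)]
    return tuple(x[:3]), x[3]


def single_antenna_pseudoranges(receiver, antenna, claimed_sats, target, reference):
    """Pseudoranges seen when every signal leaves one antenna (Result 1).

    Each signal's offset follows Equation 8 with zero spoofed clock offset at the
    reference receiver: Delta_i^A = |L' - L_i^A| - |P_1 - P^A|.
    """
    travel = math.dist(receiver, antenna)
    return [travel + math.dist(target, s) - math.dist(reference, antenna)
            for s in claimed_sats]


def formation_violations(layout, fixes, tolerance_m):
    """Countermeasure: receiver pairs whose reported separation breaks the known layout."""
    bad = []
    for j, k in combinations(range(len(layout)), 2):
        expected = math.dist(layout[j], layout[k])
        reported = math.dist(fixes[j], fixes[k])
        if abs(reported - expected) > tolerance_m:
            bad.append((j, k, expected, reported))
    return bad


def evaluate(scenario):
    """Return (fixes, clock offsets in seconds, violated pairs) for one scenario."""
    fixes, offsets = [], []
    for p in RECEIVERS:
        if scenario == "single-antenna":
            ranges = single_antenna_pseudoranges(p, ANTENNA, SATS, TARGET, RECEIVERS[0])
        else:  # authentic signals, receiver clock assumed perfect
            ranges = [math.dist(p, s) for s in SATS]
        location, delta = solve_fix(SATS, ranges)
        fixes.append(location)
        offsets.append(delta / C)
    return fixes, offsets, formation_violations(RECEIVERS, fixes, TOLERANCE_M)


if __name__ == "__main__":
    for name in ("authentic", "single-antenna"):
        fixes, offsets, bad = evaluate(name)
        print(name, "ALARM" if bad else "ok", f"{len(bad)} of 6 pairs violated")
        for fix, off in zip(fixes, offsets):
            print("  fix", [round(v, 2) for v in fix], f"clock offset {off * 1e9:.1f} ns")
```

In the single-antenna scenario all four receivers compute the same location and differ only in clock offset, as Equation 15 states, so every pairwise distance collapses and the check raises an alarm; with authentic signals the reported separations match the deck layout.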

8. REFERENCES (2008).
[1] B ENSKY, A. Wireless Positioning Technologies and [17] PAPADIMITRATOS , P., AND J OVANOVIC , A. Protection and
Applications. GNSS Technology and Applications Series. fundamental vulnerability of GNSS. In Proceedings of the
Artech House, 2008. International Workshop on Satellite and Space
[2] B RANDS , S., AND C HAUM , D. Distance-bounding Communications (2008).
protocols. In Workshop on the theory and application of [18] R ASMUSSEN , K. B., AND C APKUN , S. Realization of rf
cryptographic techniques on Advances in cryptology distance bounding. In Proceedings of the USENIX Security
(EUROCRYPT) (1994), Springer. Symposium (2010).
[3] C AVALERI , A., M OTELLA , B., P INI , M., AND FANTINO , [19] S COTT, L. Anti-spoofing & authenticated signal
M. Detection of spoofed GPS signals at code and carrier architectures for civil navigation systems. In Proceedings of
tracking level. In Proceedings of the 5th ESA Workshop on the ION GNSS International Technical Meeting of the
Satellite Navigation Technologies and European Workshop Satellite Division (2003).
on GNSS Signals and Signal Processing (Navitec) (2010). [20] S PIRENT C OMMUNICATIONS PLC. SimGEN simulation
[4] D OLEV, D., AND YAO , A. C. On the security of public key software. http://www.spirent.com.
protocols. IEEE Transactions on Information Theory 29, 2 [21] U. S. D EPARTEMENT OF D EFENSE . Global positioning
(1983). system. standard positioning service. performance standard,
[5] E TTUS. Universal software radio peripheral (USRP). Sep 2008.
http://www.ettus.com. [22] U. S. G OVERNMENT . Global positioning system.
[6] H ANCKE , G. P., AND K UHN , M. G. An RFID Distance http://www.gps.gov, 2010.
Bounding Protocol. IEEE Computer Society. [23] WARNER , J. S., AND J OHNSTON , R. G. A simple
[7] H UMPHREYS , T. E., L EDVINA , B. M., P SIAKI , M. L., demonstration that the global positioning system (GPS) is
OH ANLON , B. W., AND K INTNER , P. M. Assessing the vulnerable to spoofing. Journal of Security Administration
spoofing threat: Development of a portable GPS civilian (2002).
spoofer. In Proceedings of the ION GNSS International [24] WARNER , J. S., AND J OHNSTON , R. G. GPS spoofing
Technical Meeting of the Satellite Division (2008). countermeasures. Homeland Security Journal (2003).
[8] J OHN A. VOLPE NATIONAL T RANSPORTATION S YSTEMS
C ENTER. Vulnerability assessment of the transportation APPENDIX
infrastructure relying on the global positioning system. Final
Report, 2001. A. PROOF OF RESULT 1
[9] J OHNSTON , R. G., AND WARNER , J. S. Think GPS cargo
tracking = high security? Think again. In Proceedings of To show Result 1, we first focus on a single receiver V1 and civil-
Transport Security World (2003). ian GPS. The attacker selects a target location L , a target time
[10] K UHN , M., L UECKEN , H., AND T IPPENHAUER , N. O. offset 1 , and any arbitrary attacker location PiA . Given this, Equa-
UWB impulse radio based distance bounding. In tion 8 yields A i . Using one transmission antenna (i. e. P1 =
A

Proceedings of the Workshop on Positioning, Navigation and PjA j)5 , the attacker transmits all signals sAi with the delay A
i =
A
Communication (WPNC) (2010). i /c.
[11] K UHN , M. G. An asymmetric security mechanism for While this will successfully spoof the location and time of one
navigation signals. In Proceedings of the Information Hiding Workshop (2004).
[12] Ledvina, B. M., Bencze, W. J., Galusha, B., and Miller, I. An in-line anti-spoofing device for legacy civil GPS receivers. In Proceedings of the ION International Technical Meeting (2010).
[13] Montgomery, P. Y., Humphreys, T. E., and Ledvina, B. M. Receiver-autonomous spoofing detection: Experimental results of a multi-antenna receiver defense against a portable civil GPS spoofer. In Proceedings of the ION International Technical Meeting (2009).
[14] Motella, B., Pini, M., Fantino, M., Mulassano, P., Nicola, M., Fortuny-Guasch, J., Wildemeersch, M., and Symeonidis, D. Performance assessment of low cost GPS receivers under civilian spoofing attacks. In Proceedings of the 5th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (Navitec) (2010).
[15] Navigation Center, U.S. Department of Home Security. Global Positioning System, Standard Positioning Service: Signal Specification. http://www.navcen.uscg.gov, June 1995. 2nd edition.
[16] Papadimitratos, P., and Jovanovic, A. GNSS-based Positioning: Attacks and countermeasures. In Proceedings of the IEEE Military Communications Conference (MILCOM)

victim, other victims in the vicinity will receive the same signals with slight time delay or advancement. We now consider a set of receivers V = {V_1, ..., V_n} that are positioned at different physical locations P = {P_1, ..., P_n}.

Since the attacker sends all signals s_i^A from the same position P_1^A = P_2^A = ..., we can follow that b_{1jk} = b_{2jk} = ... for all signals s_i^A. To compute the effect of the offset on the pseudoranges on each victim, we can express each victim's pseudorange relative to the pseudorange of the first victim: R_{ij} = R_{i1} + b_{1j1}. Each victim will measure pseudoranges based on their physical distances to the attacker: R_{ij}^A = R_{ij}. We can now substitute (11) into (7) and get the following equation for each signal s_i^A and V_j:

|L_j L_i^A| = R_{i1} (j b_{1j1}). (14)

Thus, for every V_j, these equations only differ by the different value (j b_{1j1}) = 1. This means that all V_j compute an identical location L, but different clock offsets j:

j = 1 + (1/c) |P_j P_i^A| |P_1 P_i^A|. (15)

5 For civilian GPS, one physical transmission location for all attacker signals does not imply that the claimed locations L_i^A in the spoofed messages are the same. For the victim to be able to compute its location, it must hold that L_1^A ≠ L_2^A ≠ ... .

Result 1 shows that an attacker can make a group of victims believe to be at a specific location by sending one set of satellite signals from the same antenna. All victims will believe to be at the same location L, but with different time offsets. The additional time offset j k between victim V_j and V_k introduced by the attacker is bounded by their mutual distance |j k| |L_j L_k| / c and is typically on the order of nanoseconds for victims a few meters apart.

In attacks on military GPS, Equation 10 shows an interesting relation between the resulting time offset of the main victim 1 and the distance between the spoofed location and each satellite: If L_1 is chosen such that |L_1 L_i^S| |P_1 L_i^S| for any S_i, then the time offset 1 at the victim must be positive. On the other hand, since 1 is the same for all satellites, only if the distances from L_1 to all satellites are enlarged (i.e., if |L_1 L_i^S| > |P_1 L_i^S| S_i), the time offset of the victim can be made negative (causing the victim to advance its clock). The minimal value of 1 is determined by

j max_i (|P_1 L_i^S| |L_1 L_i^S|). (16)

As the attacker can always delay the signals, he can arbitrarily delay the victim's clock also in military GPS.

One direct conclusion for military GPS is that it is not possible to advance the victim's clock while retaining the original location L_1 = L_1. The clock offsets of other victims V_2, ..., V_n relative to the first victim as expressed in Equation 15 remain the same for attacks on military GPS if all signals are sent from the same location P_1^A = P_2^A = ... .
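
The relative clock offsets of Equation 15 and the mutual-distance bound stated for Result 1 can be checked numerically, and the "identical location" property gives a defender a simple consistency check across receivers with known spacing. The following Python is an added example, not code from the paper; it assumes the operators lost from the extracted equations are differences of distances, and the function names, coordinates and tolerance are constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def relative_clock_offsets(attacker_pos, victim_positions):
    """Per-victim clock offset relative to the first victim, in seconds.

    Assumed reading of Equation 15: the extra path length from the single
    attacker antenna to victim j, compared with victim 1, divided by c.
    """
    d1 = math.dist(victim_positions[0], attacker_pos)
    return [(math.dist(p, attacker_pos) - d1) / C for p in victim_positions]

def offsets_within_bound(attacker_pos, victim_positions):
    """True if every pairwise offset difference is at most |P_j - P_k| / c."""
    offs = relative_clock_offsets(attacker_pos, victim_positions)
    n = len(victim_positions)
    return all(
        abs(offs[j] - offs[k])
        <= math.dist(victim_positions[j], victim_positions[k]) / C + 1e-18
        for j in range(n) for k in range(j + 1, n)
    )

def fixes_collapsed(reported_fixes, known_positions, tol_m):
    """Defender check: receivers known to be more than tol_m apart whose
    reported fixes all agree within tol_m, as Result 1 predicts for a
    single-antenna spoofer."""
    n = len(known_positions)
    apart = [(j, k) for j in range(n) for k in range(j + 1, n)
             if math.dist(known_positions[j], known_positions[k]) > tol_m]
    return bool(apart) and all(
        math.dist(reported_fixes[j], reported_fixes[k]) <= tol_m
        for j, k in apart
    )

# Constructed sample: three receivers a few meters apart, one antenna 100 m away.
VICTIMS = [(0.0, 0.0, 0.0), (3.0, 0.0, 0.0), (0.0, 4.0, 0.0)]
ATTACKER = (100.0, 0.0, 0.0)

if __name__ == "__main__":
    for pos, off in zip(VICTIMS, relative_clock_offsets(ATTACKER, VICTIMS)):
        print(pos, f"{off * 1e9:+.3f} ns")
    print("bound holds:", offsets_within_bound(ATTACKER, VICTIMS))
    spoofed = [(500.0, 500.0, 0.0)] * 3  # constructed: all receivers report one fix
    print("collapsed fixes:", fixes_collapsed(spoofed, VICTIMS, tol_m=2.0))
```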
