A Survey and Analysis of the GNSS Spoofing Threat and Countermeasures 64:7
effective if the receiver is starting up or is first knocked out of lock by a jamming
attack.
3.2.1. Meaconing.
The simplest form of spoofing is meaconing, which is the capture
and retransmission of legitimate GNSS signals after a delay. Meaconing, however, is
difficult in the case of the encrypted military signal, such as the GPS P(Y), because
it is modulated onto a far longer PRN sequence. Since receivers have their own clock,
they could easily detect the out-of-phase alignment of the W code [Humphreys 2013a].
Additionally, because the P(Y) GPS signal is transmitted well below the background
noise level, retransmitting it would require an accurate estimation of the secret W
code, which can be achieved via “semicodeless” techniques [Jung et al. 2003].
For the civilian signals, however, no such difficulty of spoofing arises. Since the
relative arrival times of the four signals are unchanged by the meaconing process, the
navigation solution will be that of the meaconer [Papadimitratos and Jovanovic 2008a;
Wesson et al. 2012]. The timing solution will likewise be that of the meaconer, plus the
time taken to retransmit the signals to the victim [Wesson et al. 2012].
However, meaconing does not seem suitable for attacks against timers. The first
stage of an attack is to substitute the spoofed signal for the real one. Since a timer
already knows its own location, it would read the delayed time being transmitted by the
meaconer, resulting in a sudden shift in the timing solution equal to the time required
to retransmit the signal. This would clash with the known local time maintained by the
clock and could be used to raise an alarm. However, meaconing could also be performed
initially with a zero delay by predicting the signal values in advance and synchronizing
with the true signals [Wesson et al. 2012].
3.2.2. SCER.
A variation of meaconing called security code estimation and replay
(SCER) or “selective delay” [Kuhn 2004] involves the rebroadcast of individual satellite
signals after a delay [Wesson et al. 2012]. This can modify the position solution, the
timing solution, or both. An attacker could then manipulate the position solution only and so
avoid a time jump when starting an attack [Pozzobon 2011]. SCER is described more
fully in Papadimitratos and Jovanovic [2008a].
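The meaconing and selective-delay effects described in 3.2.1 and 3.2.2, as an added 2-D toy simulation that is not code from the survey: a common replay delay leaves the position solution at the meaconer's location and shifts the clock solution by the delay, a per-satellite delay moves the position as well, and a timer's surveyed location plus its holdover clock give the check the text describes. All satellite geometry, positions, delays and tolerances are constructed.

```python
import math

C = 299_792_458.0  # speed of light, m/s
# Constructed 2-D geometry in metres (four "satellites", a meaconer, a surveyed timer); not real orbits.
SATS = [(-20000.0, 20000.0), (25000.0, 18000.0), (2000.0, 32000.0), (15000.0, -25000.0)]
MEACONER = (1200.0, -800.0)
TIMER = (0.0, 0.0)
REPLAY_DELAY = 2e-6  # capture-and-retransmit latency in seconds (constructed)

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def pseudoranges(pos, delays):
    """Pseudoranges of signals captured at `pos`, with satellite i delayed by delays[i] s."""
    return [dist(s, pos) + C * d for s, d in zip(SATS, delays)]

def solve(A, y):
    """Gaussian elimination with partial pivoting for a small square system A x = y."""
    n, M = len(A), [row[:] + [v] for row, v in zip(A, y)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(M[r][i]))
        M[i], M[p] = M[p], M[i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            M[r] = [a - f * b for a, b in zip(M[r], M[i])]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def fix(prs, iters=8):
    """Gauss-Newton least squares for (x, y, clock bias in s); bias is kept in metres internally."""
    x, y, cb = 0.0, 0.0, 0.0
    for _ in range(iters):
        rows, res = [], []
        for s, pr in zip(SATS, prs):
            r = dist(s, (x, y))
            rows.append([(x - s[0]) / r, (y - s[1]) / r, 1.0])  # partials w.r.t. x, y, cb
            res.append(pr - (r + cb))
        ata = [[sum(a[i] * a[j] for a in rows) for j in range(3)] for i in range(3)]
        aty = [sum(a[i] * e for a, e in zip(rows, res)) for i in range(3)]
        dx, dy, dcb = solve(ata, aty)
        x, y, cb = x + dx, y + dy, cb + dcb
    return x, y, cb / C

def spoofed_fix(extra_s=(0.0, 0.0, 0.0, 0.0)):
    """Victim's fix when the meaconer replays with REPLAY_DELAY plus extra_s[i] per satellite."""
    return fix(pseudoranges(MEACONER, [REPLAY_DELAY + e for e in extra_s]))

def timer_alarm(x, y, bias_s, holdover_bias_s=0.0, pos_tol_m=50.0, clk_tol_s=1e-7):
    """The check the survey describes: a timer knows its location and keeps its own clock."""
    return dist((x, y), TIMER) > pos_tol_m or abs(bias_s - holdover_bias_s) > clk_tol_s
```

An all-zero `extra_s` is plain meaconing; a non-uniform pattern is the per-satellite (SCER) case.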
3.2.3. Other Forms of Spoofing.
Other forms of spoofing are categorized by the level of
sophistication. Humphreys and Motella divide these into “simplistic” (broadcast of arbitrary
GNSS signals without synchronization with legitimate signals), “intermediate”
(spoofing synchronized with legitimate signals), and “sophisticated” (using multiple
phase-locked intermediate spoofers) [Humphreys et al. 2008; Motella et al. 2010].
A spoofing device called a limpet spoofer [Lo and Enge 2010] can be attached to the
vehicle or timer it is intended to spoof. These devices overcome many of the practical
limitations on spoofing described in Section 5 but require both compromise of the
physical security of the receiver and, in practice, also a level of miniaturization that
has not yet been achieved.
4. SPOOFING/JAMMING SCENARIOS
A wide variety of spoofing threat scenarios are mentioned in the literature. This section
examines the main ones in sufficient depth to assess the seriousness of the vulnerabilities
in practical scenarios. However, this must be combined with an assessment of the
practical limitations on carrying out spoofing attacks, which is explored in the following
Section 5. The overall assessment of the vulnerabilities will be made at the end of that
section and summarized in Table I.
Jamming threats are also described only when they overlap with spoofing. Where
appropriate, a critical assessment of work done in each field will be made. However,
most of these threats remain unexplored as separate research topics.
ACM Computing Surveys, Vol. 48, No. 4, Article 64, Publication date: May 2016.