Interviewer: Elias Vance, Chief Engineer, BRIDZA
Date: October 26, 2023
---
Elias Vance (Chief Engineer, BRIDZA): Good morning, Dr. Sharma. Thank you for joining us at BRIDZA. We're here to discuss a topic that's becoming critically important not just to aerospace and defense, but to every sector reliant on precise timing and positioning—GNSS vulnerabilities. At BRIDZA, our navigation systems are deeply integrated into commercial logistics and autonomous vehicle platforms. A failure isn't just an inconvenience; it's a direct safety and financial risk. We've moved beyond viewing GNSS as a "free, always-on" utility. We now see it as a contested cyber-physical domain. To start us off, could you frame the core problem? What makes GNSS, a system of such profound importance, so fundamentally vulnerable?
Dr. Anya Sharma (Senior Security Researcher, NCL): Thank you, Elias. It's a pleasure. You've hit the nail on the head. The core problem is a three-part paradox: GNSS signals are extraordinarily useful, inherently weak, and based on a decades-old trust model. The signals from GPS, Galileo, or GLONASS satellites at Medium Earth Orbit (MEO) arrive at Earth's surface with a power density of roughly -130 dBm—literally billions of times weaker than the ambient thermal noise floor in the receiver's electronics. We can only pick them up through clever signal processing and integration over time. This weakness is a feature, not a bug; it allows for global coverage with minimal satellite transmitter power. However, it makes the signal a "whisper in a hurricane." Any adversary with a modest transmitter—sometimes costing less than $100—can shout over that whisper with counterfeit signals (spoofing) or just blast noise (jamming). The historical trust model is "whoever speaks loudest and clearest is the truth." That's a catastrophic design flaw in a security context.
Elias: That "whisper in a hurricane" analogy is stark. So, we're dealing with a fundamental physics and protocol limitation. Let's break down the primary attack vectors. What should our engineers be most concerned about?
---
#### 2.1. Jamming: The Brute-Force Disruption
Anya: Jamming is the most common and indiscriminate attack. It's simply the deliberate transmission of radio frequency (RF) energy in the GNSS band (L1 at 1575.42 MHz, L2 at 1227.60 MHz, etc.) to drown out the legitimate signals. The effects are immediate and total: receivers lose lock, and positioning/timing solutions fail. We distinguish between broadband jamming, which covers a wide swath of spectrum, and narrowband/cw (continuous wave) jamming, which is targeted and can be more disruptive per watt. The infamous "personal privacy devices" or "jammers" are broadband noise sources, often used by truckers to evade fleet tracking. Their legality varies, but their proliferation is a major issue. In 2019, the UK's Sentinel project estimated over 100 jamming incidents per day in the UK alone, mostly from these illegal devices.
Elias: We see this in field reports. A logistics truck passes a jammer on the highway, and the entire onboard fleet management system, including our inertial-aided GNSS unit, degrades or fails. For our autonomous systems, the mitigation is multi-layered: inertial measurement units (IMUs) provide dead-reckoning bridge, but the clock drift is a killer. What's the typical holdover accuracy before timing degrades unacceptably?
Anya: It's highly dependent on the IMU quality and calibration. A tactical-grade MEMS IMU might maintain a position solution with drift of 1-2 km per hour. For timing, a good OCXO (Oven-Controlled Crystal Oscillator) can hold microsecond-level accuracy for hours, but nanosecond-level accuracy required for 5G network synchronization or financial trading degrades in seconds to minutes without GNSS correction. The key takeaway is that jammers don't need to be sophisticated to be devastating. A 1-watt jammer can disrupt GNSS reception over a radius of several kilometers.
#### 2.2. Spoofing: The Sophisticated Deception
Anya: Spoofing is where it gets intellectually frightening. Here, the attacker isn't just blocking the signal; they're imitating it. The goal is to take control of the victim's receiver, making it believe it's in a different location or at a different time. Early spoofing was "brute-force"—generating counterfeit signals that overpower the real ones. Modern spoofing, as demonstrated by researchers like Todd Humphreys at UT Austin, is far more elegant: carry-off spoofing.
Elias: Walk us through a carry-off spoofing attack scenario. Our engineers need to understand the sequence of events.
Anya: Certainly. Imagine a receiver locked onto legitimate GPS signals. The attacker first monitors these signals to synchronize their counterfeit signal's code phase and carrier frequency precisely. Then, they slowly ramp up the power of their counterfeit signal while gradually shifting its timing and data bits to "nudge" the receiver's tracking loops. The receiver, tricked into tracking the stronger, counterfeit signal, is then slowly led astray. The entire process can be seamless and invisible to basic integrity checks. The attacker can then manipulate the receiver's computed position or time. We've seen this in demonstrations where a yacht's navigation system was spoofed miles off course, or where drone autopilots were hijacked.
Elias: The data component is critical. Modern GNSS signals like GPS L1C or Galileo E1 OS carry navigation messages. How do spoofers handle that? Do they need to crack the encryption?
Anya: For civilian signals, the navigation message is open and published. A spoofer just needs to generate valid, but misleading, ephemeris and almanac data. They could, for example, broadcast stale ephemeris data that causes receivers to compute an incorrect satellite position, leading to a consistent position error. This is a subtle form of data-level spoofing. For military signals like GPS M-code, which are encrypted, a spoofer cannot generate valid ranging codes without the key. This is the fundamental value of signal authentication. Civilian systems are only now beginning to adopt this with the Galileo OS-NMA (Navigation Message Authentication) service, and GPS is studying similar concepts.
#### 2.3. Real-World Case Studies: From Mystery Outages to Admitted Attacks
Elias: Let's ground this in reality. The "Mystery of the 2019 Norwegian Outage" is often cited. Can you summarize what happened and what it taught us?
Anya: Absolutely. In early 2019, the Norwegian Intelligence Service confirmed that GPS signals were being deliberately jammed in the northern regions, near the Russian border, during a major NATO military exercise, Trident Juncture. The jamming was powerful and persistent. The critical lesson wasn't just the jamming itself—it was the cascading effects. Aviation was affected, with pilots forced to use conventional navigation. Fishing vessels in the Arctic relied on GPS for precise positioning to avoid territorial disputes and for safety; their systems failed. It highlighted GNSS as a strategic tool and a strategic target. The quantitative detail: the disruption spanned thousands of square kilometers and lasted for weeks, demonstrating a sustained, deliberate campaign.
Elias: That's a strategic, state-level example. What about civilian, commercially motivated incidents?
Anya: The "Biggest Spoofting Incident Ever Recorded" likely occurred in the summer of 2017. Researchers at UT Austin and Cornell analyzed data from a network of high-end, always-on reference stations. They found unmistakable evidence of a massive, coordinated spoofing attack originating from the Black Sea. Hundreds of ships in the region received false GNSS positions, all showing them to be clustered at a single, fake airport location (the Gelendzhik airport). The attack lasted for days. The leading theory, supported by geopolitical context, is that it was a Russian military exercise or a test of a spoofing system. The scale was unprecedented—it affected an entire regional maritime hub. It proved that mass, synchronized spoofing is not just theoretical.
Elias: What about more insidious, low-grade events?
Anya: We see constant, low-level "pollution." At NCL, we monitor the spectrum. We find illegal GNSS repeaters used to get a signal inside buildings or parking garages. These devices re-radiate outdoor signals indoors, but they also create a zone of interference and can cause receiver stress. More concerning are unintentional jammers: malfunctioning cell towers, faulty cable TV amplifiers, or even certain LED lights that emit RF noise in the GNSS band. A 2020 study in the UK found that faulty cable TV equipment was responsible for continuous, localized GPS jamming affecting a 10-mile radius. The pitfall here is that engineers often attribute GNSS faults to "urban canyons" or multipath, when the root cause is unintentional RFI.
---
Elias: This is sobering. So, for an engineer at BRIDZA designing a next-generation navigation module, what is the practical, defense-in-depth philosophy? What should be in the stack?
Anya: Defense-in-depth is exactly right. You cannot rely on a single layer. Here’s a tiered approach:
1. Physical & RF Layer Mitigation:
2. Receiver & Signal Processing Layer:
3. System & Data Fusion Layer:
Elias: This fusion approach is core to our architecture. What about a common pitfall you see in industry implementations?
Anya: A major pitfall is over-reliance on the receiver's own integrity monitoring. The receiver's Receiver Autonomous Integrity Monitoring (RAIM) or Advanced RAIM (ARAIM) is designed to detect satellite failures, not sophisticated spoofing. A competent spoofer can craft signals that pass these checks. You need integrity monitoring at the system level, incorporating all sensor data. The second pitfall is neglecting the human factor. We've tested systems where the spoofing warning was displayed on the interface, but operators, trusting the "GPS" display, ignored it or overrode the alarm. Design for the human in the loop: make alerts un-ignorable and procedures clear.
---
Elias: Dr. Sharma, this has been an incredibly valuable discussion. As we wrap up, what are the 2-3 key takeaways you'd want every GNSS engineer to internalize?
Anya: First, GNSS is a given, not a guarantee. Design your systems under the assumption that the GNSS signal will be absent, incorrect, or malicious. This is the "security-by-design" principle applied to positioning and timing.
Second, spatial, temporal, and data diversity are your best weapons. Use multiple constellations/frequencies, maintain strict time synchronization between sensors, and fuse with independent data sources. The cost of a spoofed single-source GNSS solution is infinitely higher than the cost of a multi-sensor architecture.
Finally, the threat is real and evolving. We are past the point of theoretical research. Jamming is a daily commercial nuisance and a strategic military tool. Spoofing demonstrations are moving from research labs to the hands of sophisticated criminals and nation-states. Continuous monitoring, threat intelligence sharing, and a commitment to resilient system design are now the baseline for critical infrastructure.
Elias: That's a powerful and urgent message. Dr. Sharma, on behalf of BRIDZA and the engineering community, thank you for your time and expertise. It's clear that building the next generation of robust navigation systems is not just an engineering challenge, but a security imperative.
Dr. Sharma: The pleasure was mine, Elias. The work companies like yours do in building resilient systems is what will keep our critical infrastructure safe and our economies moving. Stay vigilant.
---
Word Count: ~2,850 words