GNSS Vulnerabilities: Lessons from Real-World Outages

GNSS Vulnerabilities: Lessons from Real-World Outages

A Technical Interview with Dr. Anya Sharma, Senior Security Researcher, National Cybersecurity Lab

Interviewer: Elias Vance, Chief Engineer, BRIDZA

Date: October 26, 2023

---

**1. Introduction: The Invisible Utility We Can't Afford to Lose**

Elias Vance (Chief Engineer, BRIDZA): Good morning, Dr. Sharma. Thank you for joining us at BRIDZA. We're here to discuss a topic that's becoming critically important not just to aerospace and defense, but to every sector reliant on precise timing and positioning—GNSS vulnerabilities. At BRIDZA, our navigation systems are deeply integrated into commercial logistics and autonomous vehicle platforms. A failure isn't just an inconvenience; it's a direct safety and financial risk. We've moved beyond viewing GNSS as a "free, always-on" utility. We now see it as a contested cyber-physical domain. To start us off, could you frame the core problem? What makes GNSS, a system of such profound importance, so fundamentally vulnerable?

Dr. Anya Sharma (Senior Security Researcher, NCL): Thank you, Elias. It's a pleasure. You've hit the nail on the head. The core problem is a three-part paradox: GNSS signals are extraordinarily useful, inherently weak, and based on a decades-old trust model. The signals from GPS, Galileo, or GLONASS satellites at Medium Earth Orbit (MEO) arrive at Earth's surface with a power density of roughly -130 dBm—literally billions of times weaker than the ambient thermal noise floor in the receiver's electronics. We can only pick them up through clever signal processing and integration over time. This weakness is a feature, not a bug; it allows for global coverage with minimal satellite transmitter power. However, it makes the signal a "whisper in a hurricane." Any adversary with a modest transmitter—sometimes costing less than $100—can shout over that whisper with counterfeit signals (spoofing) or just blast noise (jamming). The historical trust model is "whoever speaks loudest and clearest is the truth." That's a catastrophic design flaw in a security context.

Elias: That "whisper in a hurricane" analogy is stark. So, we're dealing with a fundamental physics and protocol limitation. Let's break down the primary attack vectors. What should our engineers be most concerned about?

---

**2. Key Technical Topics: Anatomy of an Attack**

#### 2.1. Jamming: The Brute-Force Disruption

Anya: Jamming is the most common and indiscriminate attack. It's simply the deliberate transmission of radio frequency (RF) energy in the GNSS band (L1 at 1575.42 MHz, L2 at 1227.60 MHz, etc.) to drown out the legitimate signals. The effects are immediate and total: receivers lose lock, and positioning/timing solutions fail. We distinguish between broadband jamming, which covers a wide swath of spectrum, and narrowband/cw (continuous wave) jamming, which is targeted and can be more disruptive per watt. The infamous "personal privacy devices" or "jammers" are broadband noise sources, often used by truckers to evade fleet tracking. Their legality varies, but their proliferation is a major issue. In 2019, the UK's Sentinel project estimated over 100 jamming incidents per day in the UK alone, mostly from these illegal devices.

Elias: We see this in field reports. A logistics truck passes a jammer on the highway, and the entire onboard fleet management system, including our inertial-aided GNSS unit, degrades or fails. For our autonomous systems, the mitigation is multi-layered: inertial measurement units (IMUs) provide dead-reckoning bridge, but the clock drift is a killer. What's the typical holdover accuracy before timing degrades unacceptably?

Anya: It's highly dependent on the IMU quality and calibration. A tactical-grade MEMS IMU might maintain a position solution with drift of 1-2 km per hour. For timing, a good OCXO (Oven-Controlled Crystal Oscillator) can hold microsecond-level accuracy for hours, but nanosecond-level accuracy required for 5G network synchronization or financial trading degrades in seconds to minutes without GNSS correction. The key takeaway is that jammers don't need to be sophisticated to be devastating. A 1-watt jammer can disrupt GNSS reception over a radius of several kilometers.

#### 2.2. Spoofing: The Sophisticated Deception

Anya: Spoofing is where it gets intellectually frightening. Here, the attacker isn't just blocking the signal; they're imitating it. The goal is to take control of the victim's receiver, making it believe it's in a different location or at a different time. Early spoofing was "brute-force"—generating counterfeit signals that overpower the real ones. Modern spoofing, as demonstrated by researchers like Todd Humphreys at UT Austin, is far more elegant: carry-off spoofing.

Elias: Walk us through a carry-off spoofing attack scenario. Our engineers need to understand the sequence of events.

Anya: Certainly. Imagine a receiver locked onto legitimate GPS signals. The attacker first monitors these signals to synchronize their counterfeit signal's code phase and carrier frequency precisely. Then, they slowly ramp up the power of their counterfeit signal while gradually shifting its timing and data bits to "nudge" the receiver's tracking loops. The receiver, tricked into tracking the stronger, counterfeit signal, is then slowly led astray. The entire process can be seamless and invisible to basic integrity checks. The attacker can then manipulate the receiver's computed position or time. We've seen this in demonstrations where a yacht's navigation system was spoofed miles off course, or where drone autopilots were hijacked.

Elias: The data component is critical. Modern GNSS signals like GPS L1C or Galileo E1 OS carry navigation messages. How do spoofers handle that? Do they need to crack the encryption?

Anya: For civilian signals, the navigation message is open and published. A spoofer just needs to generate valid, but misleading, ephemeris and almanac data. They could, for example, broadcast stale ephemeris data that causes receivers to compute an incorrect satellite position, leading to a consistent position error. This is a subtle form of data-level spoofing. For military signals like GPS M-code, which are encrypted, a spoofer cannot generate valid ranging codes without the key. This is the fundamental value of signal authentication. Civilian systems are only now beginning to adopt this with the Galileo OS-NMA (Navigation Message Authentication) service, and GPS is studying similar concepts.

#### 2.3. Real-World Case Studies: From Mystery Outages to Admitted Attacks

Elias: Let's ground this in reality. The "Mystery of the 2019 Norwegian Outage" is often cited. Can you summarize what happened and what it taught us?

Anya: Absolutely. In early 2019, the Norwegian Intelligence Service confirmed that GPS signals were being deliberately jammed in the northern regions, near the Russian border, during a major NATO military exercise, Trident Juncture. The jamming was powerful and persistent. The critical lesson wasn't just the jamming itself—it was the cascading effects. Aviation was affected, with pilots forced to use conventional navigation. Fishing vessels in the Arctic relied on GPS for precise positioning to avoid territorial disputes and for safety; their systems failed. It highlighted GNSS as a strategic tool and a strategic target. The quantitative detail: the disruption spanned thousands of square kilometers and lasted for weeks, demonstrating a sustained, deliberate campaign.

Elias: That's a strategic, state-level example. What about civilian, commercially motivated incidents?

Anya: The "Biggest Spoofting Incident Ever Recorded" likely occurred in the summer of 2017. Researchers at UT Austin and Cornell analyzed data from a network of high-end, always-on reference stations. They found unmistakable evidence of a massive, coordinated spoofing attack originating from the Black Sea. Hundreds of ships in the region received false GNSS positions, all showing them to be clustered at a single, fake airport location (the Gelendzhik airport). The attack lasted for days. The leading theory, supported by geopolitical context, is that it was a Russian military exercise or a test of a spoofing system. The scale was unprecedented—it affected an entire regional maritime hub. It proved that mass, synchronized spoofing is not just theoretical.

Elias: What about more insidious, low-grade events?

Anya: We see constant, low-level "pollution." At NCL, we monitor the spectrum. We find illegal GNSS repeaters used to get a signal inside buildings or parking garages. These devices re-radiate outdoor signals indoors, but they also create a zone of interference and can cause receiver stress. More concerning are unintentional jammers: malfunctioning cell towers, faulty cable TV amplifiers, or even certain LED lights that emit RF noise in the GNSS band. A 2020 study in the UK found that faulty cable TV equipment was responsible for continuous, localized GPS jamming affecting a 10-mile radius. The pitfall here is that engineers often attribute GNSS faults to "urban canyons" or multipath, when the root cause is unintentional RFI.

---

**3. Practical Advice and Recommendations for Engineers**

Elias: This is sobering. So, for an engineer at BRIDZA designing a next-generation navigation module, what is the practical, defense-in-depth philosophy? What should be in the stack?

Anya: Defense-in-depth is exactly right. You cannot rely on a single layer. Here’s a tiered approach:

1. Physical & RF Layer Mitigation:

  • **Controlled Reception Pattern Antennas (CRPAs):** These are not just for military anymore. For high-value assets (autonomous ships, aircraft, critical infrastructure timing), a CRPA with 2-4 elements can perform spatial nulling, directing its reception pattern away from a jamming source. It's expensive but effective against jamming.
  • **High-Quality Filtering:** Use SAW (Surface Acoustic Wave) filters with very steep roll-off to reject out-of-band energy that can saturate the receiver's front-end.
  • **Spectrum Monitoring:** Implement a basic RF spectrum monitor that detects anomalous power in the GNSS bands. This is a first line of warning for jamming or high-power spoofing.
  • 2. Receiver & Signal Processing Layer:

  • **Multi-System, Multi-Frequency:** Don't rely on GPS L1 alone. Use GPS L1/L5, Galileo E1/E5a, GLONASS, and even BeiDou. A spoofing attack is far more complex and costly if it must counterfeit signals across three or more frequencies and four constellations. The correlation between signals provides a cross-check.
  • **Advanced Signal Integrity Monitoring:** Look for anomalies in the raw signal domain: unexpected power changes, inconsistent Doppler shifts between satellites, or data bit mismatches. Carriers of spoofing often leave these faint signatures.
  • **OS-NMA Adoption:** For any system using Galileo, implement and validate OS-NMA. It's a cryptographic check on the navigation message, a powerful tool against data-level spoofing. Be aware it has processing latency and requires a valid certificate.
  • 3. System & Data Fusion Layer:

  • **Sensor Fusion is Non-Negotiable:** GNSS must be fused with other independent sensors. This is where companies like BRIDZA add immense value.
  • **IMUs:** As you mentioned, for bridging outages. The key is **continuous, online calibration** of the IMU errors using the GNSS solution when it's healthy.
  • **Vision/LiDAR Odometry:** For terrestrial applications, visual or LiDAR-based simultaneous localization and mapping (SLAM) provides a geometrically independent position reference. This is a powerful anti-spoofing tool—a spoofer can lie about your GNSS location, but a camera will show you the real road you're on.
  • **Signals of Opportunity:** Using terrestrial signals (5G, Wi-Fi, 4G LTE) for positioning. While not as accurate globally, they are exceptionally hard to spoof over a wide area and provide a "sanity check."
  • **Anomaly Detection and Autonomous Response:** Implement hard logic. If the GNSS position jumps by 50 km in 1 second, or if it conflicts drastically with the IMU or visual odometry, the system should flag the GNSS as "untrusted" and switch to a dead-reckoning or alternative mode. The system must **fail safe**, not fail dangerously.
  • Elias: This fusion approach is core to our architecture. What about a common pitfall you see in industry implementations?

    Anya: A major pitfall is over-reliance on the receiver's own integrity monitoring. The receiver's Receiver Autonomous Integrity Monitoring (RAIM) or Advanced RAIM (ARAIM) is designed to detect satellite failures, not sophisticated spoofing. A competent spoofer can craft signals that pass these checks. You need integrity monitoring at the system level, incorporating all sensor data. The second pitfall is neglecting the human factor. We've tested systems where the spoofing warning was displayed on the interface, but operators, trusting the "GPS" display, ignored it or overrode the alarm. Design for the human in the loop: make alerts un-ignorable and procedures clear.

    ---

    **4. Conclusion and Key Takeaways**

    Elias: Dr. Sharma, this has been an incredibly valuable discussion. As we wrap up, what are the 2-3 key takeaways you'd want every GNSS engineer to internalize?

    Anya: First, GNSS is a given, not a guarantee. Design your systems under the assumption that the GNSS signal will be absent, incorrect, or malicious. This is the "security-by-design" principle applied to positioning and timing.

    Second, spatial, temporal, and data diversity are your best weapons. Use multiple constellations/frequencies, maintain strict time synchronization between sensors, and fuse with independent data sources. The cost of a spoofed single-source GNSS solution is infinitely higher than the cost of a multi-sensor architecture.

    Finally, the threat is real and evolving. We are past the point of theoretical research. Jamming is a daily commercial nuisance and a strategic military tool. Spoofing demonstrations are moving from research labs to the hands of sophisticated criminals and nation-states. Continuous monitoring, threat intelligence sharing, and a commitment to resilient system design are now the baseline for critical infrastructure.

    Elias: That's a powerful and urgent message. Dr. Sharma, on behalf of BRIDZA and the engineering community, thank you for your time and expertise. It's clear that building the next generation of robust navigation systems is not just an engineering challenge, but a security imperative.

    Dr. Sharma: The pleasure was mine, Elias. The work companies like yours do in building resilient systems is what will keep our critical infrastructure safe and our economies moving. Stay vigilant.

    ---

    Word Count: ~2,850 words