A First-of-a-Kind Spoofing Detection Demonstrator
Exploiting Future Galileo E1 OS Authentication
Davide Margaria, Gianluca Marucco, Mario Nicola
Navigation Technologies Research Area
Istituto Superiore Mario Boella (ISMB)
Torino, Italy
margaria@ismb.it, marucco@ismb.it, nicola@ismb.it
Abstract—This paper presents the results of a demonstration
based on the use of the Navigation Message Authentication
(NMA) technique, which represents an effective countermeasure
against counterfeit Global Navigation Satellite System (GNSS)
signals and is one of the possibilities considered for the adoption
by Galileo. An intermediate spoofing attack has been simulated
in a vehicular case study, considering both a commercial GPS
receiver and a modified software receiver. The obtained results
demonstrate the potential vulnerability of current commercial
receivers and the added value of NMA, which has been exploited
in the software receiver for implementing a simple but effective
spoofing detection method.
Keywords—Spoofing Attack; Detection; Galileo E1 Open
Service; Navigation Message Authentication; Demonstrator.
I. INTRODUCTION: THE NEED FOR AUTHENTICATION
This work is motivated by the growing spoofing threat in
several fields of application and the related need for
authentication of Positioning, Navigation, and Timing (PNT)
information. The potential risk of spoofing attacks is becoming
a real menace, especially in the road domain [1]. In fact, in the
case of Intelligent Transport Systems (ITS), fraudulent users of
liability- and payment-critical applications can be motivated to
fool the system by a sufficient economic interest (e.g. in case of
road tolling, pay-as-you-drive insurance, etc.). In addition,
safety-critical applications (e.g. advanced driver assistance
systems, autonomous or semiautonomous ground vehicle
systems) could also benefit from solutions capable to decrease
the risk associated to misleading information in case of
spoofing attacks.
These threats push the interest and the demand for anti-
spoofing countermeasures and for GNSS services proving
higher reliability for the PNT information. It is worth to
highlight that the development of spoofing detection and
mitigation techniques is an active research topic for the GNSS
community [2].
Some solutions able to implement anti-spoofing
countermeasures have already been proposed in past years.
Most of them are based on the idea of taking advantage in
some way of the cryptographic features of restricted-use signals
(e.g. by means of codeless or semi-codeless approaches based
on military GPS signals or Galileo Public Regulated Service
978-1-5090-2042-3/16/$31.00 © 2016 IEEE
signals) or on the cross-check with non-GNSS measurements
(e.g. obtained from an inertial measurement unit) [2].
These solutions are not available for stand-alone GNSS
civil receivers, so special interest is being addressed towards
possible modifications to the civil GNSS Signal-In-Space (SIS)
to enable the accommodation of cryptographic measures
suitable to authenticate the received signal. Nowadays in-orbit
satellites do not broadcast yet authentication data within their
civil GNSS signals (e.g. GPS L1 C/A or Galileo E1 OS). Some
interesting options for the inclusion of an authenticated
message on top of Galileo E1 OS signals have recently been
proposed [3] [4] [5]. In addition, a specific solution suitable to
be implemented in the frame of the Galileo Commercial
Service (CS) is being finalized and has already been tested with
live satellite signals [6]. These authentication approaches or
evolutions of them are expected to become part of the Galileo
SIS in the short to mid-term.
The paper focuses on the applicability of the GNSS
Navigation Message Authentication for detecting specific
spoofing attacks, concentrating on a vehicular case study.
Aiming to an early demonstration of the added value of Galileo
E1 OS authenticated signals, a proper test bench has been
designed. In detail, the work has been organized into two parts:
firstly an example of spoofing attack has been implemented in
order to demonstrate the vulnerability of a commercial
automotive-grade GPS receiver. Then, the same attack has
been directed against a software receiver, capable to exploit the
authentication feature for the detection of counterfeit signals.
After this introduction, the paper is organized as follows.
Section II presents the methodology that has been adopted for
setting up an effective demonstration of a spoofing attack with
counterfeit Radio-Frequency (RF) signals. Beside theoretical
aspects, the attention is focused on the following aspects: the
implementation of a spoofing attack in a vehicular scenario, the
emulation of Galileo authenticated signals, and the
experimental setup, including the modifications implemented
in a software receiver in order to exploit the NMA. The
obtained results are then summarized in Section III, where the
added value of NMA for implementing a simple spoofing
detection approach is highlighted. Final remarks are drawn in
Section IV.
442
 II. METHODOLOGY AND EXPERIMENTAL SETUP
This section describes the vehicular case study which has
been investigated and assessed by means of simulations.
Details about the emulation of a spoofing attack, including
counterfeit signals and authenticated signals, are provided,
followed by the description of the experimental setup.

A. Vehicular Case Study: Real and Spoofing Scenarios

The selected scenario focused on a GNSS-based vehicular
application. The idea was to force an automotive-grade GNSS
receiver to compute a series of false positions, following a
different path with respect to the “true” one covered by the
receiver, as depicted in Fig. 1.
For example, this can be the case of a fraudulent driver that
wants to spoof his own on-board tracking system to avoid the
toll of the road along he drives: the positions log shows the car
on a free road while it is on a toll one.
Two trajectories have been considered for demonstration
purposes. Starting from the same point (the parking on the
lower-right side of Fig. 1), the two trajectories share the same
path for a while and then split apart along two different roads,
after a roundabout (see the red and green paths in Fig. 1).
Fig. 1. Selected real and counterfeit paths for the spoofing case study.
As far as the spoofing scenario is concerned, an attack
belonging to the category of intermediate spoofing [7] [8] has
been considered. In detail, as illustrated in Fig. 2, the spoofer
simultaneously attacks each tracking channel of the target
receiver by first performing code-phase alignment and then
signal lift-off [2]. The Early, Prompt, and Late correlators of
the tracking channel are denoted in Fig. 2 as red, green, and
blue points, respectively.

(a) (b)

(c) (d)
Fig. 2. Illustration of the subsequent phases of the intermediate spoofing attack on a single channel of a GNSS receiver, in terms of cross-correlation functions: at
the beginning only the authentic signal is present (a), then the counterfeit signal is aligned to the authentic signal and its power is increased (b) until the spoofer
gains control on the tracking loop (c) and arbitrarily modifies the delay of the correlation peak (d).

443
 During the attack, they continue to follow the highest
correlation peak without being able to distinguish between
authentic and spoofed signals.
In this work the aim was to simulate an intermediate attack
on multiple GNSS signals. For this reason, the spoofer has
been assumed capable to generate tightly synchronized
counterfeit signals for all the in-view GPS, EGNOS and
Galileo satellites, even in dynamic conditions (i.e. with a car
velocity up to 50 km/h). The attack has been based on a signal
lift-off in the first part of the path in Fig. 1, generating stronger
counterfeit signals aligned with the authentic signals. After
that, the code delays have been arbitrarily modified for all the
received channels, inducing the victim receiver to compute a
spoofed position estimate.
This kind of attack has been emulated for demonstration
purposes by means of an offline simulation, as discussed in
following paragraphs. For the sake of simplicity, the idea was
to emulate the attack by separately generating the received
GNSS signals in two different scenarios and then to properly
combine the signals. In detail, a real scenario with authentic
signals only (corresponding to the green path in Fig. 1) and a
spoofing scenario with counterfeit signals only (related to the
red path in Fig. 1) have been separately considered.
It must be pointed out that the spoofer is assumed to be
unable to produce valid authentication data in real-time. This
choice is motivated by the fact that more sophisticated attacks
are considered less likely and not commensurate to the
economic interest of the fraudulent user in the selected case
study. In fact, also due to the dynamic conditions of the victim
receiver on the car, a successful attack with valid NMA data
would imply a remarkable increase on the complexity and cost
of the spoofer. As an example, the implementation of a
Security Code Estimation and Replay attack would be required
(as described in [9]).
B. Emulation of Galileo Authenticated Signals
As far as the scenario with real signals only is concerned,
the attention has been focused on the proper emulation of
Galileo E1 OS authenticated signals, with a reasonable
complexity.
The core objective of a GNSS signal authentication
mechanism is to introduce features that increase the difficulty
for an attacker to generate counterfeit signals, but make it easy
for a receiver to determine if a received signal is authentic (i.e.
it originates from a GNSS satellite and not from a spoofer) [2].
The concept of signal authentication requires the presence
of a cryptographically secure portion in the received signal,
which is sometimes referred as security code, or digital
signature. It usually involves two sub-types of authentications
[9]:
• Origin authentication, i.e. a certification that the
security code originates from the GNSS Control
Segment (i.e. source authentication);
• Timing authentication, i.e. a certification that the
security code arrives promptly and intact (i.e. with the
correct time of arrival and with data integrity).
444
While the first aspect can be achieved with some relatively
simple modifications, mostly at system level only (i.e. inserting
some cryptographic features in the GNSS signal), the second
one is harder to implement. In fact, the authentication of the
pseudorange measurements and then of the PNT information
are required, implying complex modifications at receiver level.
In this work, a scheme based on Navigation Message
Authentication has been chosen for implementation. In detail,
the NMA is an authentication technique widely referenced in
GNSS literature (e.g. see [2] and references therein). It is based
on the authentication of satellite navigation messages by means
of digitally signing the navigation data and thus keeping the
navigation message clear (i.e. unencrypted).
The NMA approach is known to be a simple solution for
providing an authentication of the GNSS signal origin (i.e.
source authentication only). It is important to note that, since
the NMA acts at the navigation message level, it does not
ensure the correct time of arrival of the signal: it may fail
against meaconing or sophisticated spoofing attacks able to
decode live signals and replay counterfeit signals in near real-
time.
However, the NMA represents a first countermeasure
against simplistic and intermediate spoofing attacks. The NMA
is suitable to be complemented with one or more non-
cryptographic spoofing defenses at receiver level in order to
strengthen its robustness, providing both origin and timing
authentication. In addition, NMA-based approaches are capable
to potentially decrease the need for costly additional sensors or
other countermeasures to spoofing attacks. For these reasons,
the NMA represents an important added value with respect to
current unauthenticated civil GNSS signals.
An NMA-based solution tailored to Galileo E1 OS signals
has been proposed in some recent papers [3] [4] [5]. This
approach has been selected for implementation in this study.
The idea is to exploit the 40 bits marked as “Reserved 1”
within the I/NAV message transmitted through the Galileo E1b
data channel [10]. These bits can be used for inserting NMA
data, as in Fig. 3.
It must be noticed that the navigation data are arranged in
“pages”, lasting 2 seconds each. A nominal page is composed
by two page parts (even and odd) transmitted sequentially. The
40 bits of the “Reserved 1” field within the I/NAV exist only in
the odd page parts, then the corresponding data rate available
for authentication purposes is equivalent to 20 bits per second.
In [3], [4], and [5], these “Reserved 1” fields have been
proposed to be used for transmitting a sort of digital signature,
based on the Timed Efficient Stream Loss-tolerant
Authentication (TESLA) broadcast authentication protocol.
Since the focus of our demonstration was not the
cryptographic security itself (already well assessed in other
papers), a simplified digital signature has been adopted here for
emulating the selected NMA scheme.
In detail, a simple function of the satellite identifier (namely
the Pseudo Random Noise – PRN code number) has been used
as a basic signature for the navigation data of each Galileo
satellite in view.
 6. Perform the convolutional encoding and interleaving
of the edited page part;
7. Store the resulting I/NAV symbols is a new file, usable
for offline simulation purposes.
In this case, the custom digital signature will be received
every two seconds from each Galileo satellite, leading to a
Time Between Authentications (TBA) metric equal to two
seconds. This TBA value is relatively low due to the simplicity
of the authentication signature. More complex and thus robust
implementations proposed in recent literature as in [3] and [4]
show values of 10 and 30 seconds, respectively.
However, following analyses will not focus on a specific
NMA scheme and on its intrinsic performance (e.g. in terms of
TBA), but on the general impact of the authentication
mechanism at the receiver level. The selected implementation
is intended for demonstration purposes and will also be used to
draw general conclusions, applicable to different NMA-based
schemes and related to the impact in terms of receiver
complexity and architectural changes.

C. Experimental Setup and Receivers Under Test

The objective was to clearly demonstrate the vulnerability
of a commercial GNSS receiver to a spoofing attack and the
added value of Galileo E1 OS authenticated signals for
detecting such an attack. Starting from this general idea, a
proper testbench has been set up for offline simulation and
demonstration purposes, as shown in Fig. 4.
Fig. 3. Galileo E1B I/NAV message structure [3].

It must be pointed out that the insertion of such a custom

authentication data required to properly take into account the
convolutional encoding, the checksum (CRC) and the
interleaving scheme of the I/NAV as in [10]. In detail, the
I/NAV messages are transmitted by each Galileo satellite with
a data rate of 250 symbols per second. These symbols are
obtained from the convolutional encoding of a data stream at
125 bits per second (following a Forward Error Correction
scheme with 1/2 rate). After convolutional encoding, the
symbols are then interleaved as described in [10].
For these reasons, the following preparative steps have been
carried out before the simulation of authenticated signals: (a)

1. Open a log file containing valid I/NAV data symbols;

2. Recover the data bits from the symbols, separately
performing the deinterleaving, the Viterbi decoding,
and the CRC check for each Galileo satellite signal;
3. Look for odd page parts and identify the 40 bits related
to the “Reserved 1” field (i.e. the bits with indexes
from 19 to 58 in an odd page part);
4. Replace these bits with a custom digital signature: in
this case, an arbitrary pattern of 20 bits with ‘1’ logical
value, followed by the PRN code number expressed
over the remaining 20 bits, has been inserted;
(b)
5. Re-compute the CRC checksum on the modified data
and put the updated result in the CRC field; Fig. 4. Experimental setup adopted for GNSS simulation and RF signal
recording (a) and for data replay (spoofing attack) on receivers under test (b).

445
 The testbench has been realized by means of the following
hardware and software components (available at ISMB):
• a NavX-NCS professional signal and constellation
generator by IfEN, capable to simulate GPS, EGNOS
and Galileo RF signals in the L1/E1 band in different
user-defined scenarios [11];
• an Universal Software Radio Peripheral (USRP) model
N210 by Ettus Research, suitable for RF signal
recording and playback. A sampling frequency equal to
5 MHz has been selected for performing a baseband
equivalent representation of the RF signal with 16 bit
I/Q samples [12];
• a PRS10 Rubidium Oscillator by Stanford Research
Systems, that has been used to generate a common 10
MHz reference input for synchronizing both the NavX-
NCS generator and the USRP front-end [13];
• a u-blox 6T receiver, which has been selected as a
representative device from the class of consumer-grade
GNSS receivers for automotive applications [14];
• NGene2, a fully-software GNSS receiver developed by
the Navigation Signal Analysis and Simulation
(NavSAS) group, a joint research team of ISMB and
Politecnico di Torino. NGene2 is able to exploit several
radio frequency front-ends and to track live GPS,
EGNOS, and Galileo signals. It can be executed on a
general purpose PC or on an ARM-based embedded
platform [15] [16].
According to the case study previously described in Section
II.A, two different scenarios have been simulated with the
NavX-NCS generator: a “real” scenario, in which the GNSS
signals corresponding to the true path are emulated, and a
“spoofing” scenario, where “counterfeit” signals leading to the
fake trajectory in Fig. 1 are generated.
As previous highlighted, the two scenarios differ by the
presence or not of authentication data, which have been
inserted in the real scenario only. For this reason, a modified
I/NAV message, including authentication data, has been
inserted in the NavX-NCS generator in order to produce the
signals for the real scenario. Such a modified I/NAV message
has been generated starting from a log file with standard
navigation data from Galileo satellites, and then inserting a
simplified digital signature in the “Reserved 1” fields, as
previously discussed in Section II.B.
After the proper setup of the NavX-NCS generator, it has
been connected to the USRP in order to collect the raw RF
signal samples in both the real and spoofing scenarios. It must
be noticed that an accurate synchronization of both NavX-NCS
and USRP has been achieved by means of an external reference
clock (PRS10 Rubidium Oscillator), as shown in Fig. 4(a).
Such synchronization was necessary in order to ensure a
sufficient stability and repeatability of the generated signals,
leading to negligible differences in terms of Doppler shift and
sampling frequencies during subsequent RF simulations.
In this way the two data sets related to both the real and
spoofing scenarios have been properly collected and combined.
446
In detail, the two files have been post-processed with the
NGene2 software receiver in order to decode the Time of Week
(ToW) from the simulated GPS signal samples. Such timing
information, extracted from the two files, has been used in
order to align their contents with a resolution of one sample
(i.e. ±200 ns with the selected sampling frequency of 5 MHz).
After this initial alignment, the two files have been
combined for simulating the spoofing attack, aiming to mimic
the superimposition of counterfeit and real signals as
previously shown in Fig. 2. This result has been obtained by
dynamically adjusting the relative amplitude and the relative
delay of the samples of the second file (related to the spoofing
scenario) with respect to the first file. In detail, both the two
files had a total duration of 180 seconds. They have been
combined in order to generate an output file to be used to feed
the receivers under test. In the following the files combination
steps and their expected effects on a conventional receiver (i.e.
a device not implementing any detection strategy) are reported:
1. From 0 to 120 s: this phase includes an initial
stationary condition lasting 120 seconds (useful for the
correct initialization of the receivers under test). A
static position in the parking on the lower-right side of
Fig. 1 is simulated. Only the samples of the first file
(related to the real signal) are copied in the output file;
2. From 120 to 130 s: signals are simulated as received by
a moving device starting its motion and following the
simulated path as in Fig. 1. Only the first file content is
copied in the output file. The receiver is expected to be
still locked to the real signal, as subsequently verified
and depicted in Fig. 2(a);
3. From 130 to 140 s: the spoofer is powered on, varying
the relative amplitude ratio of the counterfeit signal
with respect to the real signal from 0 to 3 dB, as in Fig.
2(b). This effect is obtained by summing the samples
of the two files with an increasing amplification factor
for the second file;
4. From 140 to 150 s: the spoofed signal is anticipated
with respect to the authentic signal, as in Fig. 2(c).
This effect is obtained by skipping one sample per
second in the spoofing file, before to combine it with
the authentic signal samples. After 10 seconds, a delay
of 10 samples is obtained (corresponding to about 600
meters, at the selected sampling frequency);
5. From 150 to 180 s: the two files continue to be
summed, without further modifications on the relative
delay and amplitude. During this phase the spoofer is
expected to take full control on the tracking loops of
the receiver and to arbitrarily manipulate the estimated
position, as then verified in Fig. 2(d).
The resulting combined samples were used in order to test
the effectiveness of the simulated spoofing attack on the
receivers. Special attention has been devoted to bypass the
problem of the RF irradiation of counterfeit GNSS signals, thus
avoiding legal issues. In detail, a RF replay of the combined
samples has been carried out by connecting the USRP to both
the receivers under test with a signal splitter, as in Fig. 4(b).
 It must be pointed out that the GPS receiver on the right
side of Fig. 4(b) (i.e. u-blox 6T) represents a consumer-grade
device representative of the state-of-the-art for vehicular
applications, but not yet ready to exploit the Galileo
authenticated signals.
On the other hand, the GNSS software receiver NGene2,
shown in the left side of Fig. 4(b), has been adapted in order to
decode in real-time the Galileo authenticated signals and to
detect an attack in case of failure of the authentication
procedure. Just a few modifications on the NGene2 algorithms
have been required in order to exploit the Galileo authenticated
navigation message. In detail, the data demodulation
functionalities have been adapted for correctly decoding the
custom digital signature and to check its validity. Another
minor modification involved the management logic for the
tracking channels: only Galileo signals with valid
authentication data have been used for the position
computation, whereas unauthenticated signals have been
properly flagged and excluded from the solution; if the number
of satellites with authenticated signal is not enough to grant the
availability of the position computation, then also not
authenticated signals are used and the PNT information is
flagged as not authenticated.
It is worth to remark that the impact of these modifications
on the receiver architecture is moderate.
Fig. 5. Screenshot showing the outputs of the commercial receiver under test (u-blox 6T) during the simulated spoofing attack.
447
This point confirms the feasibility and the limited
implementation complexity of this method or similar NMA-
based approaches in future mass-market receivers.
In addition, this solution represents a simple way for
detecting simplistic or intermediate spoofing attacks with a
reasonable implementation complexity, as discussed in
following section.
III. OBTAINED RESULTS
The setup presented in previous section has been used in
order to carry out an offline simulation of a spoofing attack.
The obtained results from the two receivers under test (see Fig.
5 and Fig. 6) are reported in following paragraphs.
A. Spoofing Attack to a Commercial Receiver
The objective of this preliminary test was to investigate the
vulnerability of the commercial receiver (i.e. u-blox 6T) to the
counterfeit signals. For this reason, the receiver has been feed
with the combined signal replayed by the USRP, as previously
shown in Fig. 4(b). In this way, an intermediate spoofing attack
has been simulated in a controlled environment, without
irradiating any RF signal. As an example of the behavior of the
receiver under test, its Graphical User Interface (GUI) is
displayed in Fig. 5.
 (a)

(b)
Fig. 6. Screenshots of the NGene2 software receiver, reporting valid position fixes based on authenticated Galileo signals only in the first part of the test (a) and
unauthenticated positions during the spoofing attack, as soon as the counterfeit signals take control of the tracking loops (b).

448
 It can be noticed that, despite that the true signals were still
present during the simulated attack, the receiver tracked the
counterfeit signals and reported the false path. The behavior of
the receiver has been assessed by the real-time inspection of the
data displayed on the GUI and the post-processing analysis of
the NMEA data logs.
The obtained results did not highlight any inconsistency or
anomaly on the receiver outputs: the receiver reported valid
position fixes and reasonable Carrier-to-Noise (C/N0) density
ratios for all the satellites, even during the signal lift-off. This
test showed the potential vulnerability of the commercial
receiver, which has been fooled without any clue of the attack.
B. Spoofing Detection Exploiting Galileo Authentication
The spoofing test has also been simultaneously done on the
NGene2 receiver. Fig. 6 shows a couple of screenshots of its
GUI, reporting the receiver outputs during two different phases.
In this case, the analysis was intended to verify the spoofing
detection capability of the NGene2 receiver, exploiting the
Galileo authenticated navigation message (as previously
discussed in Section II.C).
Fig. 6(a) refers to the initial phase of the attack, when the
tracking loops of the receiver were still tracking the authentic
signals from all the satellites in view (GPS, EGNOS and
Galileo). The receiver channels report the respective Galileo
signals status as authenticated: this means that the receiver
successfully verified the digital signatures to authenticate the
navigation message of these signals. Here only Galileo
authenticated signals have been used to compute the navigation
solution, whereas other unauthenticated signals (from GPS and
EGNOS satellites) have been discarded from the solution.
On the other hand, Fig. 6(b) shows a screenshot taken in a
later phase of the attack, when the spoofer has already gained
the full control of all the receiver channels in order to
arbitrarily manipulate the estimated position. In this case, the
number of satellites with authenticated signals does not grant
the possibility to compute a PNT solution, so also
unauthenticated signals are used. Consequently, the receiver
reports the PNT solution as not authenticated and then provides
a correct detection of the on-going attack.
It must be noticed that a counterfeit signal can be detected
as soon as it takes control of a tracking loop of the receiver and
causes a failure in the verification of the authentication data
field. In this case, the counterfeit signal does not contain valid
authentication data on the Galileo navigation message and then
the receiver can easily detect the attack. If less than four
authenticated signals are available, the receiver can declare the
positioning solution as no more authenticated.
The obtained results validate the effectiveness of the NMA-
based approach as a simple spoofing countermeasure. In this
selected scenario the spoofing detection can be accomplished
within two seconds from the instant when the spoofer gains
control of the tracking channels of the victim receiver (i.e. from
the replacement of the real signals with stronger counterfeit
signals). This result depends on the periodicity of the custom
digital signature adopted for demonstration purposes (with a
TBA equal to two seconds, in this case) and can be easily
449
generalized to other alternative NMA solutions based on
different authentication periodicities (as previously discussed in
Section II.B).
At this point it is possible to conclude that, thanks to the
navigation message authentication, a basic detection of an
intermediate spoofing attack can be implemented with a limited
complexity on a mass-market receiver. In fact, as previously
discussed, this approach requires just few modifications on the
receiver algorithms (i.e. for the demodulation of the navigation
data and the management of authenticated/unauthenticated
channels). No major changes on the conventional receiver
architecture are required, thus increasing the usefulness and the
attractiveness of this kind of solution.
As an additional remark, it must be noticed that an NMA-
based detection represents a first step for implementing more
sophisticated countermeasures against spoofing attacks. For
instance, among several advanced features, the NGene2
software receiver has the possibility of running the tracking
loops with a user-defined number of correlators. This multi-
correlator approach, originally intended for signal quality
monitoring, can also be leveraged as an advanced spoofing
countermeasure.
As an example, Fig. 6(b) shows several correlation
functions of received signals computed with thirty-two
correlators each one. During the attack, the presence of two
correlation peaks can be clearly noticed: one due to the real
signal and the other related to the spoofed signal. This feature
can be exploited not just to detect an on-going spoofing attack,
checking for the presence of multiple correlation peaks, but
also to mitigate it, identifying the authentic peak and excluding
any counterfeit replica.
However, the implementation of a spoofing mitigation
strategy is by far more complex than just a detection approach,
because it involves deep modifications in the receiver
architecture and the use of specific processing algorithms, as
multiple tracking loops for each satellite signal. For example,
the spoofing attack can be detected when the spoofed signal
power overcomes the real one and the decoded message
becomes unauthenticated. After this detection, the receiver
would need to start a mitigation procedure in order to recover
the authentic signal: this can be done for example by means of
multiple correlators or by repeating the acquisition and tracking
procedures. This mitigation approach would increase the
effective number of tracking channels of the receiver, in order
to separately check the validity of the authentication data for all
the detected signals replicas (potentially doubling the total
number of required channels).
This kind of modifications can be introduced in modular
and flexible architectures, as in the case of the NGene2
receiver, where most of the receiver functionalities can be
modified by means of simple software upgrades. However,
consumer-grade receivers are usually based on proprietary
architectures and tight constraints in terms of hardware and/or
software resources.
For these reasons, a remarkable effort and major changes
on the functional blocks of the receiver can be necessary in
order to accommodate a complete spoofing mitigation solution.
On the other hand, depending also on the application
requirements, a simple detection approach can be an appealing
solution in order to readily exploit the added value of NMA,
with a minor complexity increase.
IV. CONCLUSIONS
This work provides an early demonstration of the suitability
of future Galileo E1 OS authenticated signals for the
implementation of countermeasures against spoofing attacks. A
test bench capable to simulate an intermediate spoofing attack
in a vehicular scenario has been designed and configured. It is
capable to generate both authenticated and counterfeit signals
in dynamic conditions and to fool a commercial receiver,
without any clue of the attack.
Another key contribution of the paper is the implementation
of a spoofing detection approach in a software receiver, based
on the exclusion of satellite signals without valid NMA data.
A practical demonstration of these aspects, especially the
spoofing detection capability, has been successfully carried out
in the frame of the 22nd ITS World Congress (Bordeaux,
France, 5-9 October 2015) [17] [18].
This activity proved that the impact of this NMA-based
method on the receiver architecture is moderate, requiring just
few modifications for the data demodulation functionalities and
the exclusion of unauthenticated signals. For this reason, the
feasibility and the low implementation complexity of this kind
of approaches in consumer-grade receivers has been confirmed.
The obtained results highlight the added value of future
Galileo signals and, more in general, of NMA applied to civil
GNSS signals in order to raise the bar against potential
spoofing attacks. Furthermore, NMA enables the detection of
simplistic or intermediate spoofing attacks with a limited
implementation complexity, requiring just a few modifications
on the receiver algorithms.
As soon as live authenticated signals will be available, they
will be easily exploited by future receivers, also paving the way
to more sophisticated anti-spoofing approaches (e.g. based on
Galileo Commercial Service signals).
In addition to further testing with live Galileo signals,
future activities will also include more detailed performance
assessments, in order to evaluate the probabilities of missed
detection and false alarm of the spoofing detection approach.
450
REFERENCES
[1] D. Margaria, E. Falletti, and T. Acarman, “The need for GNSS position
integrity and authentication in ITS: conceptual and practical limitations
in urban contexts,” Proc. of 2014 IEEE Intelligent Vehicles Symposium
(IV’14), Dearborn, Michigan, June 2014, pp. 1384-1389.
[2] F. Dovis, GNSS Interference Threats and Countermeasures, 1st ed.
Norwood, MA: Arthec House, 2015.
[3] I. Fernández-Hernández I. et al., “Design drivers, solutions and
robustness assessment of navigation message authentication for the
Galileo open service,” Proc. of the 27th International Technical Meeting
of The Satellite Division of the Institute of Navigation (ION GNSS+
2014), Tampa, Florida, September 2014, pp. 2810-2827.
[4] J.T. Curran, M. Paonni, and J. Bishop, “Securing the open-service: a
candidate navigation message authentication scheme for Galileo E1
OS,” Proc. of European Navigation Conference - Global Navigation
Satellite Systems (ENC-GNSS 2014), Rotterdam, the Netherlands, April
2014.
[5] P. Walker et al., “Galileo open service authentication: a complete service
design and provision analysis," Proc. of the 28th International Technical
Meeting of The Satellite Division of the Institute of Navigation (ION
GNSS+ 2015), Tampa, Florida, September 2015, pp. 3383-3396.
[6] I. Fernández-Hernández et al., “Galileo’s commercial service. Testing
GNSS high accuracy and authentication,” Inside GNSS,
January/February 2015, pp. 38-48.
[7] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P.
M. Kintner, “Assessing the spoofing threat: development of a portable
GPS civilian spoofer,” Proc. of the 21st International Technical Meeting
of the Satellite Division of The Institute of Navigation (ION GNSS
2008), Savannah, GA, September 2008, pp. 2314-2325.
[8] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An in-line anti-
spoofing device for legacy civil GPS receivers,” Proc. of the 2010
International Technical Meeting of The Institute of Navigation, San
Diego, CA, January 2010, pp. 698-712.
[9] K. Wesson, M. Rothlisberger, and T. Humphreys, “Practical
cryptographic civil GPS signal authentication,” Navigation, Journal of
The Institute of Navigation, Vol. 59, No. 3, Fall 2012, pp. 177-193.
[10] European Union, European GNSS (Galileo) Open Service Signal In
Space Interface Control Document, OS SIS ICD, Issue 1, Revision 2,
November 2015.
[11] IFEN website, NavX-NCS Professional GNSS Simulator,
www.ifen.com/products/navx-gnss-test-solutions
[12] Ettus Research website, USRP N210 Software Defined Radio (SDR),
http://www.ettus.com/product/details/UN210-KIT
[13] Stanford Research Systems website, PRS10 Rubidium Frequency
Standard, http://www.thinksrs.com/products/PRS10.htm
[14] u-blox website, EVK-6T evaluation kit, https://www.u-
blox.com/en/product/evk-6
[15] M. Fantino, A. Molino, and M. Nicola, “N–Gene GNSS receiver:
benefits of software radio in navigation,” Proc. of the European
Navigation Conference - Global Navigation Satellite Systems (ENC-
GNSS 2009), Naples, Italy, May 2009.
[16] M. Troglia Gamba, M. Nicola, and E. Falletti, “Performance assessment
of an ARM-based dual-constellation GNSS software receiver,” Proc. of
the International Conference on Localization and GNSS (ICL-GNSS
2015), Gothenburg, Sweden, June 2015.
[17] 22nd ITS World Congress Bordeaux 2015 website, demonstration
showcase, http://itsworldcongress.com/demonstration-showcase/
[18] NavSAS lab, “NavSAS-ISMB Demo at ITS World Congress 2015 in
Bordeaux,” YouTube video, published on October 6, 2015. Available at:
https://youtu.be/rIZERfCCjKs?t=7s