Security

Spoofing the Gps On

Satellite Phones
It is believed that Pakistani intelligence agencies are assisting the terrorists in
Kashmir by ‘spoofing’ the signals of Thuraya satellite phones that the terrorists
use, so as to mislead Indian intelligence agencies about their actual location.
This article examines whether this is possible or not, and if possible, what
countermeasures can be taken to detect or thwart spoofing

neering professionals, here I present a

concise overview of the subject.

Spoofing: more serious

 Dr N.C. Asthana to track the location of such satellite
phones by making the in-built GPS of
than jamming
The popular belief and media per-
ception is that powerful transmitters
have been set up across the Line of
Control and the international border
dividing India and Pakistan, blanking
out signals from the Thuraya phones
used by terrorists. This is not correct.
The strength of the GPS signal on the
earth’s surface averages -160 dBW.
While many GPS receivers leave large
space for signal dynamics, enough
power space is left for the GPS signals
to be overridden. One does not require
powerful transmitters to be set up by
a nation for that—even low-power
transmitters would do the job.
Spoofing is completely different
from jamming. A spoof is defined as
a malicious signal that overpowers
the authentic signal and misleads the

T
he Indian media, citing govern-
ment sources, claims that Paki-
stani intelligence agencies are
assisting the terrorists in Kashmir by
‘spoofing’ the signals of the Thuraya
satellite phones that the terrorists use.
Since intelligence agencies supposedly
monitor the terrorists’ use of satellite
phones, it is believed that the purpose
of such spoofing is to make it impossi-
ble for the Indian intelligence agencies
the satellite phone give out deliberately
wrong coordinates of the handset.
Should it be correct, this is a very seri-
ous matter because it will be difficult
to interdict such terrorists in the first
place and also Pakistan can easily deny
that its soil is being used for assisting
the terrorists.
Since spoofing is a complex sub-
ject and little is known about it even
amongst most communication engi-
receiver to use a forged signal for
further processing. Spoofing could be
done to gain access to services that are
restricted to a certain geographic area
(such as a particular game broadcast)
or to hide the location of a shipment
that is being remotely tracked. It could
also be used by an employee to cheat
his employer of his true location or by
a criminal who is being tracked by the
law and does not want the tracker to

6 6 • D e c e m b e r 2 0 1 0 • e l e c t ro n i c s f o r yo u w w w. e f y m ag . co m
Security
know his correct location.
The objective of jamming is to
simply interrupt the availability of
GPS signals in space at the receiver.
In-band or out-of-band harmonic RF
transmissions could mask the weak
GPS spread-spectrum signals. The
effect is to corrupt the signal at the re-
ceiver so that no valid GPS signal can
be decoded by the receiver.
Spoofing is more serious than
jamming because jamming causes the
service to degrade in performance,
while spoofing takes control of the user
receiver. Jamming is a low-tech meth-
od and at best, a prank. It would not
serve the purpose of terrorists or those
assisting them. They must mislead the
agencies intercepting the calls, which
falls in the realm of spoofing and could
be done in two ways: misleading the
GPS receiver and misleading the loca-
tion server.
Misleading the GPS
receiver
This involves an attacker providing
the receiver with a misleading signal,
fooling the receiver to use fake signals
in space for positioning calculations.
The receiver produces a misleading
position solution.
Two basic configurations are pos-
sible: GPS signal generator and GPS
receiver spoofers.
GPS signal generator. GPS signal
generators that are readily available
6 8 • D e c e m b e r 2 0 1 0 • e l e c t ro n i c s f o r yo u
from several vendors could be used as
spoofers. For use as a spoofer, the RF
output of the signal generator is ampli-
fied and transmitted, possibly using a
directional antenna. In this case, the
transmitted signals are not phase- and
frequency-matched to the GPS signals
being received from satellites in the
locality, and the navigation data does
not replicate the currently active navi-
gation data.
Although a receiver could be
fooled by this approach, particularly if
the target receiver is first jammed and
forced to reacquire, the spoofing sig-
nal generated in this fashion typically
looks like noise—rather than a usable
signal—to a receiver tracking it.
GPS receiver spoofer. Spoofers
in this category are coupled to a GPS
receiver. The GPS receiver tracks satel-
lite signals at a location and decodes
the navigation data. The spoofer then
generates a signal that mimics the in-
cident satellite signals in all respects.
Conceivably, a spoofer could add a cal-
culated offset to each satellite signal to
compensate for a specified geometric
offset to the target GPS antenna. The
spoofer is also able to vary the strength
of the constituent signals so that they
appear at the target antenna having the
same relative strengths as the authentic
signals.
Cornell University’s GRID dual-fre-
quency software-defined GPS receiver
is an example of this type of spoofer.
It can simultaneously track twelve
coarse/acquisition (C/A) channels and
generate eight C/A spoofing channels.
The hardware required for this type
of spoofer is neither very costly nor
difficult to procure but the technical
knowledge required must be of a high
order. The Cornell experiments were
widely reported in the media and led
to a great deal of speculations.
there are four GPS observables
that can be directly measured by a GPS
receiver: the GPS message, code rang-
es, fractional phase ranges and Dop-
pler shift. In a GPS receiver, pseudor-
andom noise (PRN) code correlation is
performed at a high frequency to re-
move the PRN code. The received GPS
signal is passed through a high-pass
filter to remove navigation data. After
the navigation message is removed, the
resulting signal is the Doppler-shifted
carrier. The Doppler-shifted carrier
is then passed to a phase-locked loop
(PLL) and compared with a receiver-
generated carrier to get the fractional
phase offset.
The GPS message can be spoofed
because PRN code is available to the
public. The PRN code ranges of C/A
code and P-code are direct observa-
bles. One chip of C/A code range will
cause 300km ambiguity. The range
measurement for C/A code is the
basic observation of GPS receivers
and it is derived from the time shift
of the receiver PRN sequence and the
PRN sequence that is multiplexing the
incoming signal. This time shift, how-
ever, can be controlled by spoofing
w w w. e f y m ag . co m
Security
Countermeasures to Receiver-end Spoofing
Method Test statistic
Method 1 Absolute signal power
Method 2 Signal power changing rate
Method 3 Relative signal strengths on
all carriers
Method 4 Range rate
Method 5 Doppler shift
Method 6 Correlation peaks
Method 7 GPS signal after removing
all navigation data
Method 8 Range differences: phase/
code, L1/L2
Method 9 Ephemeris data
Method 10 Signal power and data
not need to avoid cross-checking at the
spoofed receiver, the position solution
can be forged in advance and then
the pseudo-range model used again
to get a time sequence of the spoofed
pseudo-range.
In one possible application of this
sort of spoofing, consider spoofing of
the vessel monitoring system (VMS).
The VMS (typically employing GPS
today) records the voyage of the vessel
and automatically provides the data to
the fisheries monitoring centre of the
EU member state where the vessel is
registered as well as the member state
in whose waters the vessel is fishing.
Naturally, the data can be used to de-
tect passage into waters for which the
vessel is not licensed.
In this case of spoofing, the intent
of the operator would be to log a fic-
tional voyage that does not disclose
illegal fishing activities. In such a
situation, all the spoofer has to do is
to disconnect the GPS antenna and
attach a local GPS signal generator
instead.
Simple GPS fraud kits are avail-
able for about $2535 that could feed
spoofed signals into the RS-232 port
7 0 • D e c e m b e r 2 0 1 0 • e l e c t ro n i c s f o r yo u
Function Limitation
Limit the spoof signal Antenna attitude and envi-
power ronment related
Detect stationary spoof Antenna attitude and envi-
station ronment related
Detect spoofing on single Affected by ionosphere
carrier refraction
Bound the phase and code Related to GPS receiver’s
range rate moving direction
Detect spoof that uses one None
transmitter to spoof all
satellites
Correlate L1/L2 binary Low performance on
message Y-code
Recover authentic data Requires low spoof/au-
thentic signal power ratio
Identify signal source Needs to be L1/L2 receiver
Verify ephemeris data None
including satellite position
Jump detection None
of the VMS after disabling the antenna
and opening the VMS box. There are
also sophisticated GPS signal simula-
tors available for about $126,700 that
could be connected to or radiated to-
wards the VMS unit.
Countermeasures to
receiver-end spoofing
As a one-way broadcast system, GPS is
not immune to spoof attack, except the
Y-code whose encryption algorithm is
unavailable to civilian users. a spoof
can never be detected using check
matrices, like the CRC check, in the
digital domain. However, it’s possible
by cross-checking the observables, in-
termediate measurement and position-
ing solutions.
Various countermeasures to receiv-
er-end spoofing are summarised in
the table. We could also use angle-of-
arrival discrimination. It uses a dual-
antenna receiver based on observation
of L1 carrier differences between mul-
tiple antennae referenced to a common
oscillator. If the expected delta phase
measurements do not agree with the
expected phase profiles within bounds
set by the expected noise and attitude
uncertainty, a spoofing signal is identi-
fied.
For a spoofer to defeat the algo-
rithm as implemented, the spoofing
system must emulate the expected car-
rier-phase deltas between the pair of
antennae for all satellites in track. this
geometry can’t be emulated for several
satellites if the spoofer is limited to one
transmitting antenna.
A spoofer with two separate points
of transmission might be able to defeat
the algorithm. However, this would
also require the spoofer to know the
geometry of the GPS antenna array,
locate a matched transmitter antenna
very close to each GPS antenna, and
deal with multipath, signal leakage
and self-interference problems.
Why is spoofing the
military GPS difficult?
While the GPS P-code is heavily en-
crypted and thus is hard to spoof, the
civilian GPS signal (the C/A code),
is easy to spoof because the signal
structure, spread-spectrum codes and
modulation methods are open to the
public. This could make you think of
a frightening scenario where terror-
ists mislead the GPS of GPS-guided
missiles and bombs so that they hit an
unintended target, thereby precipitat-
ing a crisis.
Manipulating the military GPS is,
however, much more difficult. Con-
siderable research has been carried out
in this regard. Security design of the
M-code signal is based on next-gener-
ation cryptography and other aspects,
including a new keying architecture.
The modulation of the M code signal
is a binary offset carrier signal with
subcarrier frequency of 10.23 MHz and
spreading code rate of 5.115 MHz, de-
noted as BOC(10.23,5.115) or BOC(10,5)
modulation; the spreading code transi-
tions are aligned with square-wave
subcarrier transitions. Spreading and
data modulations employ biphase
modulation, so that the signal occu-
pies one phase quadrature channel
of the carrier. The spreading code is a
pseudorandom bitstream from a signal
w w w. e f y m ag . co m

protection algorithm, having no appar-
ent structure or period.
The baseline acquisition approach
uses direct acquisition of the M code
navigation signal, obtaining process-
ing gain through the use of large cor-
relator circuits in the user equipment.
The M code signal has been designed
for autonomous acquisition, so a re-
ceiver can acquire the M code signal
without access to C/A code or Y code
signals.
Misleading the location
server
Typically, in a system, the location
server (LS) is a secure user plane
location (SUPL) platform (OMA-AD-
SUPL). It may be a serving mobile loca-
tion centre (SMLC) in a GSM network
(3GPP TS 23.271), a standalone SMLC
(SAS) in a UMTS network (3GPP TS
23.271) or another type of network
node. The SUPL location platform
(SLP) is a network entity on the Inter-
net that is used to facilitate location.
The user-plane location protocol (ULP)
is an HTTP-based protocol, used be-
tween the SLP and the SUPL-enabled
terminal (OMA-TS-ULP). The SLP
has a connection to a global naviga-
tion satellite system (GNSS) reference
server in order to retrieve and cache
assistance data.
Location requests are initiated ei-
ther from the SUPL-enabled terminal
(SET), which is known as a SET-initi-
ated transaction, or from the network,
which is known as a network-initiated
transaction. A network-initiated re-
quest is made by a location-based
application (LBA), which sends a
request to the SLP for the location of a
particular handset. The SLP performs
the messaging with the SET and de-
termines the location before returning
that location to the LBA.
When an A-GPS location fix is
required, the SLP calculates the GPS
assistance data that is specific to the
approximate location of the SET. When
the SET is in a cellular network, the
approximate location generally comes
from the coverage area of the serving
w w w. e f y m ag . co m
cell. The SET provides the identifica-
tion of the cell (cell-ID) to the SLP. The
SLP determines which satellites are in
view from the approximate location
and provides to the SET assistance data
for those satellites.
The assistance data types sent to
the SET depend on the mode of A-
GPS. In handset-based A-GPS, the
SLP generally provides the navigation
model, ionosphere model, reference
time and reference location. The hand-
set uses this information to lock onto
the satellites and calculate a location.
It then returns the location to the SLP.
In handset-assisted mode, the SLP
Spoofing is more serious than jamming because
jamming causes the service to degrade in
performance, while spoofing takes control of the
user receiver
provides the acquisition assistance
and the reference time for the handset
to lock onto the satellites and return
the measurements to the SLP. The SLP
invokes the position calculation func-
tion in order to calculate the location
of the handset.
The spoofer must provide GPS
measurements that result in the LS
calculating a location that is desired
by the spoofer (or attacker). For the
network-initiated case, once the LS
(SLP) determines the location of the
handset, the location is provided to
the network entity that requested it.
If the LS is trusted by the recipient of
the location, the location is considered
to be valid even though it may not be.
The aim of the spoofer is to con-
vince the LS to provide the location
that the attacker desires. The attacker
does this by falsifying (or spoofing) the
measurement data such that the loca-
tion provided by the LS is effectively
predetermined by the attacker.
In order to spoof his location, the
spoofer needs the satellite ephemeris.
The ephemeris may be from a request
to the SLP for assistance data. Alterna-
tively, the ephemeris may come from
another source such as the Internet.
e l e c t ro n i c s f o r yo u • D e c e m b e r 2 0 1 0 • 7 1
Security
One source of the orbital data is
the International GNSS Service (IGS).
This is used to determine the location
of the satellites for the given time.
The spoofer calculates the range of
each satellite in view of the desired
location and uses that as the basis
for determining the pseudo-range
measurements. The measurements
are generally converted into pseudo-
ranges by simulating a clock error and
introducing other errors such as the
ionosphere, troposphere and other
random errors.
The key piece of information that
the spoofer needs to provide to the SLP
is the cell-ID. From that, the SLP will
look up the coverage area of the cell
and calculate the assistance data. This
coverage area will also use that as the
initial location estimate for the position
calculation function (PCF). The cell-ID
is also often used for location assur-
ance on the SLP. For the spoofer, one
way of knowing the cell-IDs is to log
cell-IDs against locations and build up
a database over time.
Countermeasures to
location server spoofing
This kind of spoofing can also be
detected by the server. A server with
anti-spoofing capability will be able
to detect the measurements being
spoofed. Some of the obvious signs on
the server of spoofing are:
1. Clock error: The receiver clock
error is very small—less than 1x10-10
second.
2. Residuals: The residuals calculat-
ed as part of the least squares process
are very small.
3. Uncertainty ellipse: The uncer-
tainty ellipse is very small (less than
one metre of uncertainty).
A more clever spoofer will manipu-
late the measurements by introducing
Security
some random errors to each measure-
ment. He will also manipulate all the
measurements by a fixed amount in
order to simulate a handset clock error.
He may also send a subset of satellite
measurements instead of the complete
set of satellites in view.
Architecture of satellite
telephone communication
interception systems
Monitoring systems are commercially
available. These systems log the loca-
tion of Thuraya handsets operating
within user-selected spot beams and
the telephone numbers with which
they communicate.
Thuraya has a pair of signaling
channels. one is transmitted at L-band
Location server spoofing, in any case, is not easy to
accomplish as both the hardware and the technical
knowledge required are not easy to come by
by the satellite and received by all
Thuraya phones in the spot beam. This
signaling channel is called broadcast
common control channel (BCCH). In
addition to BCCH, access-grant con-
trol channel, paging-control channel,
frequency-correction channel and basic
alerting channel are time-division-
multiplexed on the same carrier.
The other signaling channel is
called random-access control channel
(RACH). It provides access to the net-
work for Thuraya phones. All Thuraya
phones within the spot beams transmit
bursts at L band on the RACH chan-
nel. The satellite relays these bursts to
PGW at the C band.
The interception systems typically
use a scanning technique to identify
C-band downlink frequencies for spot
beams of interest. These channels can
subsequently be monitored to record
the position of mobiles operating
within that spot beam and capture de-
tails of the telephone numbers that the
mobiles contact. The scanning process
is performed once in 24 hours, as the
frequencies used are dynamically al-
located and changed periodically by
7 2 • D e c e m b e r 2 0 1 0 • e l e c t ro n i c s f o r yo u
Thuraya satellite.
The position of the target is known
to be within GPS accuracy (typically
10-20 metres under current conditions).
A GIS mapping software is integrated
with the system to plot the location of
the target set.
Each receiver is independently
tunable to any spot beam of the
Thuraya network. The interception
system monitors L-band link from
the mobile to the satellite and C-band
feeder link from the satellite to the
earth station. Since the power trans-
mitted by the mobile handset on the
uplink is very low and so difficult
to monitor, the system monitors this
information on the C-band downlink
(satellite to earth). It automatically
maps the uplink RACH control chan-
nel and the appropriate TCH channel
of the suspect’s handset at the C-band
to appropriate L-band downlink chan-
nel of the target spot beam. After that,
it is only a matter of deciphering the
cipher algorithms used on Thuraya
network.
Spoofing: Is it practical?
Location server spoofing, in any case,
is not easy to accomplish as both the
hardware and the technical knowl-
edge required are not easy to come
by. It is difficult to believe that the
terrorists or the Pakistani intelligence
agencies have this level of technical
know-how. Further, the costs in-
volved also need to be kept in mind.
The immense cost would not really be
worth the trouble.
In any case, in spite of the popu-
lar belief, so far not a single Thuraya
set has been recovered that could be
stripped and analysed to prove that
it is spoofed or its hardware has been
modified to mislead the LS.
But given that scores of terrorists
have been killed by the security forces
and huge quantities of arms, ammuni-
tion and communication equipment
recovered from them, how is it that
not even a single Thuraya phone of
the required modifications has been
recovered yet?
There is a good reason as to why
the handset cannot be recovered. If it
is accepted that Pakistani intelligence
agencies are spoofing the Thuraya
sets so that their location may not be
known and hence the complicity of
Pakistan in the affair may be denied,
why would they run the risk of giving
such sets to the terrorists? They know
it well that terrorists may be killed and
the phones recovered from them. In
that case, spoofed phones would make
for an incontrovertible evidence of
their complicity, thereby defeating the
very purpose of the entire exercise. The
risk is not worth the trouble.
There is little which can be done to
prevent dynamic spoofing of the LS, if
at all it is being done. Spoofing can be
detected at the server but getting the
original signal is difficult or at least
not worth the effort. It therefore makes
little sense to cry about it.
All the commercially available
interception systems use proprietary
technologies. These have therefore
not been subjected to peer-reviewed
research in which the functioning
of their systems and sub-systems is
systematically analysed for the pos-
sibility of the unintended introduction
of such errors. In all probability, the
time-variable GPS coordinates which
the intelligence agencies are suppos-
edly getting and which they think are
due to dynamic spoofing, are to be at-
tributed to hitherto unknown measure-
ment errors or system errors in their
interception systems. 
The author is a Ph.D. in physics and an IPS of-
ficer posted as the Inspector General of Police
(Operations), CRPF, in Kashmir. He has consider-
able experience in communications intelligence,
having worked in the Intelligence Bureau for nearly
a decade. The current subject is one with which
he is, as IG of CRPF in Kashmir in-charge of the
operations of 28 battalions, involved on a daily
basis
w w w. e f y m ag . co m