Try to spoof us. But fool us? Not a chance.
Jamming and spoofing detection and mitigation in a commercial receiver.
The value of forward-looking design has never been more evident than in the case of the OEM7 family of receivers. Rather than being designed with planned obsolescence in mind, the receiver was built with future relevance very much in view. That forward thinking on technical capability has since become crucial in the struggle against GNSS jamming and spoofing.
Over the past several years, NovAtel customers have become more and more aware that they may have a problem in their midst. Am I being jammed? Am I being spoofed? My equipment is telling me so.
Customers see anomalous behavior in their positioning domain, and suspect something. They expect to have a GNSS position and they don’t, or their position shows something strange, something unexpected happening. Their equipment may show them going around in circles when they are actually standing still or proceeding in a direct line. What’s going on?!?
They may think, if I’m being jammed, I’d like to know, so I can report this to the authorities. Or am I being spoofed? How can I tell?
Prior to the release of the OEM7 receivers, without an elaborate reference set-up or a lengthy post-investigation by authorities, it was impossible to know.
The detection and mitigation capability against these phenomena was designed into the MINOS7 application-specific integrated circuit (ASIC) at the heart of the receiver, together with its accompanying Interference Toolkit (ITK).
“The ability to do this was built into the ASIC at the very beginning of the OEM7 development cycle,” recalled Neil Gerein, senior director of marketing at Hexagon’s Autonomy & Positioning division, where he has worked for the past two decades as an aerospace & defense product manager, GPS systems engineer and in other roles.
“We thought, ‘This would be cool to have, let’s design it in.’"
A year or two prior to the release of the OEM7 receivers, when the design process was getting underway, NovAtel engineers anticipated the great coming need for spoofing and jamming detection at the user level, in the midst of performing professional GNSS work.
“We knew jamming and spoofing protection was going to be important, but it hadn’t totally materialized. We made ourselves flexible enough that we could enable it in firmware and adjust it in firmware. There is underlying hardware that enables it. We foresaw it years ago, but the threat wasn’t fully there, the market wasn’t ready for it.”
The ASIC is the first element established in a new family of receivers, Gerein said. “You do this once and that’s the chip that runs it; it’s hardware, locked down. That’s the foundation.”
The MINOS7 ASIC does all the high-speed processing necessary for good carrier-phase measurements, and much more. Within it, sleeping at the start but increasingly activated by NovAtel’s customers as they encounter problems, is the mighty beast known as GRIT: GNSS Resilience and Integrity Technology. GRIT is a firmware suite developed for the OEM7 receivers to expand situation awareness and distribute interference mitigation tools across applications and environments. GRIT defends against GNSS interference, whether malicious or unintentional, jamming or spoofing.
“It takes GRIT to protect your position,” as the saying goes. Its detailed situation awareness is the first step in characterizing the signal environment. It then enables interference mitigation through anti-jam technology and digital filters.
A variety of techniques are used, and only a few of them are explained in this article. Among them are time-tagged analog-to-digital converter (ADC) samples, which allow users to characterize jamming signals and develop their own interference location algorithms.
Now, the market is not only ready and fully aware, it is equipped. In surveying, machine control, precision agriculture, construction, autonomy or any of the myriad applications for which the multi-constellation, multi-frequency receiver card is integrated into advanced industrial equipment, there’s no need to shut down operations when encountering interference. OEM7 and GRIT put the power to take action into the user’s hands.
The problem and the solution
A spoofer re-creates individual satellite signals and transmits them at higher power than the true signals, so the receiver acquires and then tracks the false signals, which soon lead it astray. A jammer, of course, simply makes the true signals unobtainable.
“Why would someone do that?” posed GPS expert consultant Logan Scott of Logan Scott Consulting.
“For the military, it’s pretty obvious,” he answered. “The adversary wants to deny your use of navigation, to lessen your effectiveness and create confusion. In the civil sector, you might initially think, well, it’s going to be terrorist exploits and so on, but actually it’s usually criminal enterprises. It has to do with the fact that there are a lot of things that report our position.
“So if somebody, for instance, uses some equipment to pave somebody else’s driveway illegally, or conduct illegal dumping or fishing or sand dredging or shipment hijacking, things along those lines. It’s usually related to some kind of criminal activity. But you also need to be concerned about accidental jamming, malfunctioning equipment, antennas of all kinds that can start emitting signals in the GNSS band.
“The message here is that you don’t have to be the target to be affected.
“One of the things that is really evolving right now is we’re seeing a lot more use of radios,” Scott continued. “They have become inexpensive, but at the same time they’re capable of very sophisticated waveforms.”
The readily available HackRF gadget, open-source hardware for software-defined radios (SDRs), serves as an instant jammer or spoofer. Essentially, a HackRF can be turned into a very cheap GNSS simulator.
As an example, Scott cited an online video showing a teenager “going from zero to operational in about 10 minutes. He knows Linux but he’s not an expert on GPS. He finds some routines, and if you watch this video it’s really remarkable; 10 minutes in, his phone is saying it’s in Cuba, and he really has no expertise in GPS. So, with SDRs we are finding spoofing is available to basically anyone—people who are not expert in the subject.”
In 2016, the European Union launched STRIKE3, which monitored GNSS signals for three years from stations in 23 countries. The project detected more than 450,000 L1/E1 interference signals. Experts suspect only a fraction of what was actually going on was detected.
Under the GRIT portfolio on any OEM7 receiver, the user can turn on features and see clearly whether a signal is being jammed or spoofed, sometimes even before it affects the final positioning, navigation and timing solution, which also gives the user the opportunity to mitigate.
“With all OEM7 receivers, out of the box, you can detect there’s something happening in the frequency domain,” Gerein advised. “Customers can look at the spectrum.
“If a customer desires more functionality, they can purchase additional options. Now they have spoofing detection and digital filters to see where the interference is and to mitigate the interference. The next level is time-tagged ADC samples.”
He continued: “The real powerful thing is, we have already deployed OEM7 in multiple locations all over the world. People can turn on that capability now.
“You can just call and enable that feature on your fielded units to discover you’re being spoofed, if you suspect it.
“We’re very confident that we can tell you if somebody is trying to spoof you. You’re nobody’s fool!”
Gerein referred to a 2020 article in Inside GNSS magazine: “Nobody’s Fool: Spoofing Detection in a High-Precision Receiver.” In it, NovAtel engineers Ali Broumandan, VP Sandy Kennedy and GNSS research engineer John Schleppe delivered real-world test results backing up the concepts discussed here.
“An onboard spoofing detection unit collects metrics from the GNSS signal processing chain,” the article begins, “and provides a real-time indication if the receiver is under spoofing attack. Test results from several spoofing scenarios are based on GNSS hardware simulations, repeaters and software-defined radios in conditions ranging from stationary to kinematic, with low and high levels of multipath.”
The meaconing threat is also very real. The so-called “little brother of spoofing” re-transmits received GNSS signals, relieving the perpetrator of the effort and expense of generating complex signal structures. Because the meaconing process changes the relative delays of the meaconed GNSS signals seen by the user’s receiver, compared to the relative delays of the authentic GNSS signals, the receiver will output an erroneous position.
GRIT applies equally well against meaconing.
NovAtel has received reports from customers for years that something seemed off, but users have had difficulty telling exactly what. Now they can tell, unequivocally. “You’re being spoofed, or you’re being jammed at this frequency and this signal power, so now you can do something about it,” Gerein said.
NovAtel OEM receivers have a robust communication protocol that customers have employed over decades. Users take that information and put it into their applications, as part of regular status and logging mechanisms.
Now, with a firmware upgrade that works on any existing OEM7 hardware, they have access to GRIT. Some features have been introduced at different firmware drops, for example, the latest 7.08 downloadable firmware upgrade on the company’s website.
“We can detect spoofers before they affect your positioning solution,” Gerein said. “We’re smelling the smoke before we see the fire. It’s not just one thing we do in the receiver, it’s a whole bunch of bundled technology, from detecting the RF environment, and knowing how people are going to try to spoof, and looking for those cases. Having a very high fidelity set of measurements allows us to do that.
“We don’t explain what our algorithms are because we don’t want people to be able to avoid them, but we have a host of different anomalous detection methods.
“You know within a few seconds that something is going south.” GRIT detects a spoofing attack before it affects the user’s position. That early warning matters most in autonomous systems, where the user needs time to fall back to backup means or take manual control of the platform.
In the tests described in the “Nobody’s Fool” article, a real-time spoofing detection unit onboard an OEM7 receiver monitored GPS L1 C/A observations at a rate of 0.5 Hz. The detection metric outputs then were fed to an onboard central spoofing detection unit, which provided a decision as to whether the receiver was under spoofing attack every two seconds. All the spoofing detection unit required was a one-time calibration in an environment free of spoofing signals.
Across a wide range of scenarios, attacks were identified as soon as the spoofing signals presented themselves, and even before the receiver position was spoofed. Experimental results in jamming, high multipath, static and kinematic environments were used to analyse the false alarm probability of the detector. No false detection was observed during the tests under clean no-spoofing conditions.
Power spectrum analysis
Two of the many techniques employed by GRIT will be briefly described here. Spectrum power measurement is one of them. Is an observed change simply due to the background environment? Is it multipath? Or is it spoofing?
A common way to spoof a receiver is to jam it first and then spoof it, so GRIT monitors the input power to detect the additional power that interference signals inject. GRIT looks not just at relative power but at the absolute power, in dBm, arriving at the receiver, which gives the user a precise, absolute power measurement rather than a relative one.
Consider a receiver’s analog-to-digital conversion process (figure, p. 12): an analog amplifier feeds the analog-to-digital converter (ADC). The ADC has a limited dynamic range, so the receiver runs a control loop, the automatic gain control (AGC), that turns the gain down when too much power is coming in, bringing the ADC back within its dynamic range. Monitoring the AGC setting is a very good indicator of jamming because GNSS signals arrive below the thermal noise floor: a sudden increase in power at the front end almost always means interference. The AGC setting therefore serves as a pickoff to identify that jamming or spoofing is occurring.
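As an added illustration of the AGC-monitoring idea above, combined with the one-time clean-environment calibration that the “Nobody’s Fool” tests relied on, the following Python models a first-order AGC loop and a calibrate-then-threshold power detector. This is example code written for this article, not NovAtel’s code and not the actual GRIT algorithm. The ADC target level, gain range, loop step, 6 dB threshold and the -100 dBm / -70 dBm input series are all constructed assumptions, and deriving absolute input power as (ADC target minus gain) is one way a receiver can turn an AGC setting into dBm; it is an assumption here, not a description of how the OEM7 does it.

```python
import random
import statistics

# Front-end model parameters: illustrative assumptions, not OEM7 values.
ADC_TARGET_DBM = -20.0          # level the AGC tries to hold at the ADC input
GAIN_MIN_DB, GAIN_MAX_DB = 0.0, 100.0
AGC_ALPHA = 0.5                 # fraction of the loading error corrected per epoch


def run_agc(input_dbm, target_dbm=ADC_TARGET_DBM, alpha=AGC_ALPHA,
            gain_min=GAIN_MIN_DB, gain_max=GAIN_MAX_DB):
    """First-order AGC loop. Each epoch the loop observes the ADC loading
    (input power plus the gain currently applied) and moves the gain a
    fraction `alpha` of the way toward the target. Returns the gain chosen
    at every epoch; a jammer shows up as the gain being turned down."""
    gain = min(gain_max, max(gain_min, target_dbm - input_dbm[0]))  # settled at start
    gains = []
    for p_in in input_dbm:
        loading = p_in + gain
        gain = min(gain_max, max(gain_min, gain + alpha * (target_dbm - loading)))
        gains.append(gain)
    return gains


def calibrate(clean_gains):
    """One-time calibration in an interference-free environment:
    baseline gain setting and its spread."""
    return statistics.mean(clean_gains), statistics.pstdev(clean_gains)


def detect_power_rise(gains, baseline_gain, threshold_db=6.0,
                      target_dbm=ADC_TARGET_DBM):
    """Flag epochs where the AGC has cut the gain by more than threshold_db
    below the calibrated baseline, i.e. extra power has appeared in the band.
    GNSS signals sit below the noise floor, so that extra power is almost
    always interference (a jammer, or a spoofer overpowering the true signals).
    Returns (epoch, gain_db, estimated_input_dbm); the input estimate is
    target - gain (an assumption of this model), so it lags the loop for a
    few epochs after a step in power."""
    flagged = []
    for epoch, gain in enumerate(gains):
        if baseline_gain - gain > threshold_db:
            flagged.append((epoch, gain, target_dbm - gain))
    return flagged


def constructed_scenario(seed=7):
    """Constructed input-power series at the front end (dBm), not measured data:
    40 quiet epochs around a -100 dBm band-noise floor, a +30 dB in-band
    interferer for epochs 40-59, then quiet again."""
    rng = random.Random(seed)

    def quiet(n):
        return [-100.0 + rng.uniform(-0.2, 0.2) for _ in range(n)]

    before = quiet(40)
    jam = [-70.0 + rng.uniform(-0.2, 0.2) for _ in range(20)]
    return before + jam + quiet(20)


def demo():
    power = constructed_scenario()
    gains = run_agc(power)
    baseline, spread = calibrate(gains[:40])     # epochs known to be clean
    threshold = max(6.0, 6.0 * spread)           # never tighter than 6 dB
    flagged = detect_power_rise(gains, baseline, threshold)
    return {"baseline_gain_db": baseline, "threshold_db": threshold,
            "gains": gains, "flagged": flagged}


if __name__ == "__main__":
    result = demo()
    print(f"baseline gain {result['baseline_gain_db']:.1f} dB, "
          f"threshold {result['threshold_db']:.1f} dB")
    for epoch, gain, est in result["flagged"]:
        print(f"epoch {epoch:3d}: gain {gain:5.1f} dB -> ~{est:6.1f} dBm in band")
```

With these constructed numbers the interferer is flagged on the very epoch it appears (the gain drops 15 dB in one step) and stays flagged for two epochs after it switches off while the loop recovers; the epochs after that settle back within a few dB of the baseline and are not flagged. The calibration step is the part that matters in practice: the threshold must be set against gain behaviour in a known-clean environment, otherwise normal site-to-site variation in noise floor and antenna gain will trigger alarms.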
One of NovAtel’s customers in India was having some real troubles, but had no way to prove it. A visiting company applications engineer took a receiver and walked it around the university campus where the problem was occurring. He logged the absolute power measurements available within the OEM7 receiver. Then, using a method called “power likelihood mapping” developed by NovAtel engineers, they were able to predict the likelihood that the interference was coming from a specific corner of a particular building. It turned out to be spurious emissions at 1580 megahertz from a weather antenna on the corner of that building.
This would be difficult to pick up on a normal set of tools such as looking at the frequency, but using the power measurements they were able to locate it quickly. Generally, once you know what the problem is—and if it’s the case that the origin of the problem can’t be removed—you can apply the digital filters in the Interference Toolkit to mitigate the interference.
Time-tagged snapshots of raw digital samples are another method of jamming detection; with multiple receivers, they also make it possible to locate the source.
“We actually had the opportunity to do that here at our headquarters in Calgary,” Gerein recalled. “We were noticing some anomalous power measurements in our reference network. It was happening every day for a few minutes, between 6 and 6:30 p.m. So we took some receivers that had enabled this time-tagging and we created a short deployable reference network. We set up a two-hour test, around the time where we were seeing this happen every weekday.
“Using that detection array, we had one portable receiver on one side of the highway and three more on the other side collecting the data. That evening we came back and played it through some post-processing on a PC that was doing a time-difference-of-arrival. And sure enough, we could locate a moving interferer on the southbound lanes of Deerfoot Trail highway, going southbound at 105 kilometres an hour in a 100-kilometre zone. A camera that we had set up was time-tagging as well, so we identified the probable jammer as a white pickup truck that appeared to be going by every day around six o’clock. This is right under the main flight path of the Calgary International Airport. This person may be just using the boss’s vehicle outside of regular work hours, but they’re potentially causing interference at a much larger level.
“It’s not just sophisticated jammers anymore. It’s everywhere.”
This method of time-tagging ADC samples was imaginatively codenamed “Sprinkler.” Back in the OEM6 era, the NovAtel research team created a prototype receiver implementation that sent all the samples from the ADC through the Ethernet port, with the receiver internally attaching a precise GNSS time to each sample. “CTO emeritus Pat Fenton called that Firehose, because the continuous data was like drinking from a firehose,” Gerein recalled. “John Schleppe realized that for situation awareness and geo-location of interference applications you don’t need continuous access to all the ADC samples, you just need little snapshots of the data once every second. A few milliseconds, two or three, every second is sufficient for most applications. The user is no longer needing to drink from the firehose of data, they only need access to a ‘Sprinkler.’”
NovAtel has released “Sprinkler” to its customers, who use it in their own jamming trials. It captures what is jamming, and when.
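The post-processing step Gerein describes, cross-correlating time-tagged snapshots from several receivers to get time differences of arrival and then solving for the emitter, as an added example in Python. This is not NovAtel’s Sprinkler code or its algorithm, and none of the numbers come from the Calgary test: the receiver layout (one west of a north-south road, three east of it), the emitter position, the 100 MHz sample rate, the random-chip interferer waveform and the whole-sample propagation delays are all constructed assumptions. The solver is a textbook Gauss-Newton least-squares fit on range differences, kept in pure Python so it runs without numpy.

```python
import math
import random

C_LIGHT = 299_792_458.0  # m/s
FS_HZ = 100e6            # assumed snapshot sample rate; one sample is ~3.0 m of path

# Constructed layout in metres (local east/north frame): receiver 0 west of the
# road, receivers 1-3 east of it, and the interferer on the road. Not the
# Calgary geometry from the article.
RECEIVERS = [(-40.0, 200.0), (40.0, 0.0), (40.0, 200.0), (40.0, 400.0)]
EMITTER = (5.0, 250.0)


def make_snapshots(emitter, receivers, fs_hz=FS_HZ, n_samples=256, seed=1):
    """Constructed data: the same wideband interferer waveform as seen by every
    receiver over one common, time-tagged window, each copy delayed by the
    propagation time rounded to whole samples. Returns (snapshots, delays)."""
    rng = random.Random(seed)
    lead = 128  # waveform history before the window, so no snapshot starts with zeros
    wave = [rng.choice((-1.0, 1.0)) for _ in range(n_samples + lead)]
    delays = [round(math.dist(emitter, rx) / C_LIGHT * fs_hz) for rx in receivers]
    assert max(delays) <= lead
    return [[wave[n + lead - k] for n in range(n_samples)] for k in delays], delays


def estimate_lag(ref, other, max_lag):
    """Cross-correlate two time-aligned snapshots. The lag of the correlation
    peak is how many samples later `other` saw the waveform than `ref`
    (negative means earlier). Time tags are what make the windows comparable."""
    n = len(ref)
    best_lag, best_val = 0, -math.inf
    for lag in range(-max_lag, max_lag + 1):
        acc = 0.0
        for i in range(n):
            j = i + lag
            if 0 <= j < n:
                acc += ref[i] * other[j]
        if acc > best_val:
            best_lag, best_val = lag, acc
    return best_lag


def solve_tdoa(receivers, tdoa_m, guess, iters=30):
    """Gauss-Newton least squares on range differences
    d_i(p) = |p - r_i| - |p - r_0| for i = 1..n-1, unknown 2-D position p.
    Four receivers give three equations for two unknowns."""
    x, y = guess
    r0 = receivers[0]
    for _ in range(iters):
        a = b = d = gx = gy = 0.0               # normal equations J^T J, J^T res
        d0 = math.dist((x, y), r0) + 1e-12
        u0 = ((x - r0[0]) / d0, (y - r0[1]) / d0)
        for ri, meas in zip(receivers[1:], tdoa_m):
            di = math.dist((x, y), ri) + 1e-12
            jx = (x - ri[0]) / di - u0[0]      # d d_i / dx
            jy = (y - ri[1]) / di - u0[1]      # d d_i / dy
            res = meas - (di - d0)
            a += jx * jx; b += jx * jy; d += jy * jy
            gx += jx * res; gy += jy * res
        det = a * d - b * b
        if abs(det) < 1e-12:                   # degenerate geometry, stop
            break
        dx = (d * gx - b * gy) / det
        dy = (a * gy - b * gx) / det
        x += dx; y += dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y


def locate(snapshots, receivers, fs_hz=FS_HZ, max_lag=100):
    """Full pipeline: correlation lags -> TDOAs in metres -> emitter position,
    starting the solver at the centroid of the receiver array."""
    lags = [estimate_lag(snapshots[0], s, max_lag) for s in snapshots[1:]]
    tdoa_m = [lag * C_LIGHT / fs_hz for lag in lags]
    cx = sum(r[0] for r in receivers) / len(receivers)
    cy = sum(r[1] for r in receivers) / len(receivers)
    return solve_tdoa(receivers, tdoa_m, (cx, cy)), lags


def true_tdoas_m(emitter, receivers):
    """Exact range differences for a known emitter (to check the solver alone)."""
    d0 = math.dist(emitter, receivers[0])
    return [math.dist(emitter, r) - d0 for r in receivers[1:]]


def position_error_m(estimate, truth):
    return math.dist(estimate, truth)


if __name__ == "__main__":
    snaps, delays = make_snapshots(EMITTER, RECEIVERS)
    (x, y), lags = locate(snaps, RECEIVERS)
    print(f"sample delays {delays}, lags vs receiver 0 {lags}")
    print(f"estimated emitter ({x:.1f}, {y:.1f}) m, "
          f"error {position_error_m((x, y), EMITTER):.1f} m")
```

Two points carry over to real deployments. The TDOA resolution is one sample of path length (about 3 m here at 100 MHz; about 30 m at a 10 MHz snapshot rate), so the sample rate and the accuracy of the time tags, not the solver, set the achievable location precision; and a moving emitter, as in the highway case, needs each set of snapshots solved separately and the fixes strung together, which is why the receivers all have to capture the same GNSS-time window.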
Looking toward the future
The GRIT time-tagging method may be useful to authenticate signals. Scott, who invented the new proposed Chips Message Robust Authentication (CHIMERA) for GPS, thinks it will be applicable there.
“Every time we introduce technology, other people find new uses for it,” Gerein said. “That’s the most exciting thing for me. They can really stretch out the technology.”
“This is a game-changer for anti-jam and anti-spoof,” Gerein said. “This could expand what people think is possible in a commercial receiver.
“We’re an OEM provider. Our customers take a lot of care in selecting the receiver for their products; they really trust us that their roadmaps can live on it for a long time.
“Sometimes that support means four years from now there are other threats emerging, so we need to keep up with those threats, foresee those threats and be ready when they emerge.”