Technology

|

08 Mar 2023

GNSS/GPS jamming and spoofing tests under actual conditions

A step further in improving the resilience of receivers against RF interference

gps jamming tests at jammertest 2022, bleik's shore

What is GNSS/GPS jamming and spoofing?

Improvements in technology open gates to threats, especially when it comes to digital technology. Weak GNSS/GPS signals are susceptible to interference. This can occur in two ways: jamming or spoofing the signal. GNSS/GPS jamming is the interference on frequencies from external sources. It can provoke the receiver to lose the position information. The second threat, spoofing, happens when fake GNSS/GPS signals interfere with a receiver, thus deceiving users by displaying distinct locations or times.

GNSS/GPS jammers and field tests

More and more often, we hear about jamming and spoofing GNSS/GPS signals. The awareness of these threats keeps rising. Thus, the current state demands doubling down efforts to implement anti-jamming and anti-spoofing solutions.

Experts have assessed GNSS/GPS anti-jamming and anti-spoofing functionalities in controlled environments (laboratories) for more than ten years. These tests, however, cannot analyze and cover all aspects of the receiver’s behavior under jamming or spoofing attacks. For this reason, field test verifications are essential; they serve to complement laboratory testing. Outdoor tests support:

•    Identifying characteristics of typical jamming and spoofing signals in a real user environment.
•    Verifying the receiver’s anti-jamming and anti-spoofing capabilities.
•    Understanding how receivers behave in the presence of jamming and spoofing under dynamic conditions.

These points are essential to recognize gaps and hence improve the receiver’s resilience.

For engineers, going from the laboratory to the roads becomes challenging due to the protection of GNSS frequency bands; broadcasting RF signals in GNSS frequency bands is illegal unless authorities grant special permission. Therefore, this is the second time the Norwegian authorities have organized a field test such as Jammertest 2022. Thanks to their efforts, GNSS manufacturers and other technology suppliers from all over Europe can leverage such a convenient event.

The test

The Northern shore of Norway was the scenario for Jammertest 2022. In conjunction with Norwegian authorities, a group of experts embarked on an enterprise to evaluate GNSS/GPS jamming and spoofing under normal atmospheric conditions. 

Over one hundred people gathered for a week to evaluate their equipment under intense jamming and spoofing activity. The tests took place on different roads and in various weather conditions. Three main location areas were the scenario to jam and spoof subsets of frequency bands: a high-jammer test area and two low-effect jammer test areas.

jammertest 2022 gps jamming tests

The Norwegian communications authority or the police confiscated most GNSS/GPS signal jammers for the event. However, some were found online, although not meant for public use.

The tests were split into two categories: Jamming scenarios and Spoofing scenarios. Jamming tests were further divided into two groups; a high-effect jammer with CW and PRN (BPSK-modulated) jamming signals and low-effect jammers (broadband sweep-types). As for spoofing tests, experts considered two categories: basic and advanced attacks. Fundamental attacks encompassed the spoofing of L1 C/A satellite signals by evaluating a given position and time. Advanced attacks involved synchronized open-air GPS L1 spoofing signals under different time frames (time step, frequency step, or false leap second). The following table shows the diverse types of tests and specifications used during this experimentation week. 

ActivitySpecifications
General statistic tests
Low-effect jammer and high-effect/Personal Jammers
Low-effect jammers (1. l.j.a)
Experts conducted all tests with a GNSS signal jammer inside the car and outside it (Single band, Dual-band, and Multiband)
High-effect jammer. Modulation: L1; L1, G1; L1, G1, L2; L1, G1, L2, L5i
Jamming
Step-up tests and tests of different signal types and frequency bands

Power ramp from 2nW to 20 W EIRP (100 dB dynamics)
Steps at 2dB
Ramps go first up and then down again
Directional antenna (right-hand circular polarization)

Ramp 1: L1 only, CW; Ramp 2: L1 only, PRN;
Ramp 3: L1, G1, L2, L5, CW; Ramp 4: L1, G1, L2, L5, PRN

Jamming
Step-up tests and tests with different signal types and frequency bands. Tests using jammers over more extended periods
Long-time jamming with high-effect GNSS signal jammer (20 W)i  
High-effect jammer
i. Bands and combinations not covered in the first session (B1l, G2, E5b)ii
Jamming
Driving tests on roads with static high and low-effect jammers

Part 1
Driving under long-time jamming with a high-effect jammer (5W or lower)i  
Driving with a jammer inside or in a nearby vehicle
i. Convoy of three cars with a jammer in the in-between vehicleii

Part 2
“Jammer playground” at 2. l.j.aiii iv

Jamming
Driving tests on roads with dynamic jammers

Part 1
Jammer inside the oncoming vehicle
- Convoy meets vehicle with jammer (two vehicles with jammers five minutes apart from each other)
Jammer inside the vehicle, standing still by the road
- Vehicle stands still with a jammer within it; other vehicles pass by
More driving scenariosv

Part 2
“Jammer playground” at 2. l.j.aiii iv

Spoofing
Fundamental spoofing attacks in combination with jamming attacks
L1 C/A spoofing
i. Given position; ii. Given time; iii. Given position and time; iv. Drift position
Spoofing trial
More advanced spoofing attacks in combination with jamming attacks
i. GPS L1 CA and/or Galileo E1 signals combined with multi-constellation, multi-band jamming
ii. Synchronized GPS L1/Galileo E1 spoofing
iii. Manipulation of spoofed signal timing information
Innovative ideas for tests and demonstration testsDemos
New tests ideas from previous days

i Experts repeated all tests twice, first with CW and then with PRN (BPSK)
ii Driving in the vicinity of Bleik
iii A loose test session took place in Grunnvatn with Jammers not used in part 1
iv Driving in the vicinity of Grunnvatn
v Possible to drive everywhere

Results

Driving around Andøya under these conditions and overcoming obstacles (for instance, synchronizing signals while recording activities) led to a better understanding of the receiver’s behavior during jamming and spoofing. Key observations inferred from this experimenting week encompass the following:

1) The receiver shows robustness due to signal processing and mitigation techniques, increasing the availability of position and time.
2) The most significant contribution to the availability of position and time comes from the processing of multiple frequency bands and sensor data as follows: 

    a. When a single frequency receiver with sensor data (DR) loses GNSS fix/signals, it can still provide position and time through the DR.
    b. When a multi-frequency receiver loses signals from a jammed band, it can still provide GNSS fix/signals based on a second frequency.

The following graph illustrates a long-time jamming scenario under a high-effect GNSS signal jammer (20 W) on the L1 band. The graph shows the number of signals per frequency band used to estimate position, velocity, and time solution.

l1 vs l2 long time comparison gps jamming

The reduction in the number of signals corresponds to the received jamming power, mainly determined by the distance to the jammer. No signal from the L1 band is available near the jamming source. The L2 band reception is impaired by substantial interference (20 W transmit power). Nevertheless, the receiver can detect at least four signals even in this scenario, providing accurate position, velocity, and time solutions.

3) In most scenarios, interference does not significantly compromise the accuracy of position and time, even during high-impact jamming, let alone fundamental jamming.

The following image shows one of the trajectories vehicles followed to obtain information during the test campaign, driving through Bleik’s village in open space. In this case, vehicles moved first toward the jammer and then away from it.

high effect gps jamming scenario around Bleik

Figure 1. Results from a dynamic, high-effect jammer scenario around Bleik.

The ZED-F9P receiver outputs sufficient accuracy during the whole session. Because when the jammer causes the loss of L1 GNSS/GPS signals, the receiver navigates using L2 signals. Accuracy, still acceptable during jamming, was in the order of 6m (street width).

Just before you go

The specifications and time frames used in this exercise enabled participants to determine receivers’ behavior in the presence of jamming and spoofing under real-life conditions. Thanks to these events, technology developers could obtain rich conclusions. For u-blox, this was the perfect opportunity to evaluate the resilience of current GNSS receivers in a real environment. We also gained access to insights for improving the security of future devices‒an aspect the company cares most about. Needless to say, this would not have been possible without the support of the Norwegian Public Roads Administration, the Norwegian Communications Authority, and the Norwegian Defense Research Establishment; their efforts are indeed fundamental and much appreciated.

 

 

You might also be interested in