Inside GNSS Media & Research

MAY-JUN 2018



likely go unnoticed by the receiver, and vice-versa for L1 signals in the L2 band. Noting these two facts, it was clear that if a single composite baseband signal consisting of all of the L1 C/A, L1 P(Y), L2C, and L2 P(Y) signals were generated and broadcast somewhere between L1 and L2, then it would be possible, with appropriate tuning, to cause genuine-looking signals to appear at L1 and again at L2. Because of this unusual generation technique, these signals were attenuated by approximately 23 decibels relative to the total broadcast power; that is, less than 0.5% of the total broadcast power appears as a useful signal. Nonetheless, the signals are present in a useful form. An example of the resultant spectrum is shown in Figure 3. This is the signal processing equivalent of playing a xylophone with a cat; it is ugly and illegal, but it works.

Given that the spectrum aliasing could be used to repeat the broadcast signals across the required bands, what remained was to remove the high-power signal and adjust the power accordingly. Fortunately, when performing a conductive test (or a very close-range broadcast), achieving sufficient power is not a challenge, and even though over 99.5% of the power was spent in Nyquist bands not observed by the receiver, the remaining 0.5% was sufficient. It was also noted that most commercial receivers implement relatively sharp band-pass filtering on the RF spectrum, such that the large 'interference' signal residing in the middle of the band was rejected. An example of the carrier-to-noise ratio observed by the receiver under test is shown in Figure 1. Note that all four signals were tracked, although the P(Y) codes appeared to suffer somewhat from the narrow bandwidth of the re-broadcast. In the figure, note also that only five of the satellites were L2C-enabled.

The receiver tracked steadily for over 30 minutes, and produced a steady code-only position solution, an example of which is shown in Figure 4. While the signals might be considered 'ugly hacks' (which they are), it is important to note that, contrary to popular belief, neither the need for two center frequencies nor the lack of bandwidth on existing SDR platforms posed a particular problem. Moreover, although this article has demonstrated only dual-frequency spoofing, the underlying principle can readily be extended to three or four center frequencies. This has its most immediate value in the generation of GLONASS signals for spoofing mass-market L1-only receivers.

Detection of Spoofing Based on Signal Anomalies

Further characteristics that are popularly listed as red flags included: inconsistent navigation data; anomalous code-carrier divergence; and obvious spectral shaping indicating unexpectedly high received power levels. In light of the questionable validity of the claim

FIGURE 2 Example of the commercial off-the-shelf (COTS) survey-grade receiver under test (top), during a conductive test with the single-frequency BladeRF software-defined-radio transceiver (bottom) broadcasting a signal with 12 MHz bandwidth at a single center frequency, but causing the receiver to perceive both L1 and L2 signals at their appropriate center frequencies of 1575.42 and 1227.6 MHz. To the best of the authors' knowledge, this is the first such demonstration.

FIGURE 3 L1 and L2 spectra under spoofing, during which time a single-frequency transmitter was broadcasting an instantaneous bandwidth of 12 MHz, yet producing tracked signals at both L1 and L2. [Two panels of Power (dB) versus Frequency (MHz), spanning roughly 1,560 to 1,610 MHz for L1 and 1,210 to 1,250 MHz for L2.]

FIGURE 4 Example of the position reported by the receiver during the conductive rebroadcast test.
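Two of the 'red flags' listed in the detection paragraph above, anomalous code-carrier divergence and unexpectedly high received power, implemented as a monitor over per-satellite tracking data. This is an added example written for this page, not code from the article or its authors. The Epoch record, the threshold values, the make_track generator and the GENUINE/SPOOFED sample tracks are all constructed assumptions for illustration; the thresholds would need calibrating against a known-good receiver before any real use.

```python
"""Signal-anomaly checks of the kind listed as spoofing 'red flags':
code-minus-carrier (CMC) divergence and received-power (C/N0) anomalies.
Example code for this page; thresholds and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Epoch:
    """One observation of one satellite at one receiver epoch (assumed record layout)."""
    t_s: float            # receiver time, seconds
    pseudorange_m: float  # code-derived range, metres
    carrier_m: float      # accumulated carrier phase scaled to metres
    cn0_dbhz: float       # reported carrier-to-noise density ratio


# Assumed thresholds (not from the article); tune against a known-good receiver.
MAX_CMC_RATE_M_PER_S = 0.05   # divergence faster than plausible ionospheric change
MAX_CMC_STEP_M = 1.0          # abrupt code/carrier inconsistency between epochs
MAX_CN0_DBHZ = 52.0           # stronger than a satellite should appear on the ground
MIN_CN0_SPREAD_DB = 1.5       # many satellites at near-identical power is unusual


def code_minus_carrier(track: List[Epoch]) -> List[float]:
    """CMC in metres. The integer carrier ambiguity is constant per track,
    so it cancels in rates and in epoch-to-epoch steps."""
    return [e.pseudorange_m - e.carrier_m for e in track]


def cmc_rate(track: List[Epoch]) -> float:
    """Least-squares slope of CMC against time, metres per second."""
    ts = [e.t_s for e in track]
    ys = code_minus_carrier(track)
    t_mean = sum(ts) / len(ts)
    y_mean = sum(ys) / len(ys)
    sxx = sum((t - t_mean) ** 2 for t in ts)
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    return sxy / sxx


def max_cmc_step(track: List[Epoch]) -> float:
    """Largest change in CMC between consecutive epochs, metres."""
    ys = code_minus_carrier(track)
    return max((abs(b - a) for a, b in zip(ys, ys[1:])), default=0.0)


def check_track(track: List[Epoch]) -> List[str]:
    """Code-carrier divergence flags for one satellite's track."""
    flags = []
    if abs(cmc_rate(track)) > MAX_CMC_RATE_M_PER_S:
        flags.append("cmc_rate")
    if max_cmc_step(track) > MAX_CMC_STEP_M:
        flags.append("cmc_step")
    return flags


def check_power(cn0_by_prn: Dict[int, float]) -> List[str]:
    """Received-power flags across all satellites tracked at one epoch."""
    flags = []
    levels = list(cn0_by_prn.values())
    if max(levels) > MAX_CN0_DBHZ:
        flags.append("cn0_high")
    if len(levels) >= 4 and max(levels) - min(levels) < MIN_CN0_SPREAD_DB:
        flags.append("cn0_uniform")
    return flags


def assess(tracks: Dict[int, List[Epoch]]) -> Dict[str, List[str]]:
    """Run every check; keys are 'prn<N>' for per-track flags and 'power'."""
    report = {f"prn{prn}": check_track(track) for prn, track in tracks.items()}
    report["power"] = check_power({prn: track[-1].cn0_dbhz for prn, track in tracks.items()})
    return report


def make_track(range0_m: float, range_rate_m_s: float, ambiguity_m: float,
               iono_rate_m_s: float, cn0: float, step_m: float = 0.0,
               step_at_s: float = 0.0, n: int = 11) -> List[Epoch]:
    """Constructed track: code and carrier diverge at twice the ionospheric
    rate (code delayed, carrier advanced). An optional CMC step models a
    signal whose code is re-aligned without the carrier following it."""
    track = []
    for i in range(n):
        t = float(i)
        rng = range0_m + range_rate_m_s * t
        cmc = ambiguity_m + 2.0 * iono_rate_m_s * t + (step_m if t > step_at_s else 0.0)
        track.append(Epoch(t, rng, rng - cmc, cn0))
    return track


# Constructed sample data: four genuine-looking satellites, then the same four
# under a simulated spoofing condition (near-uniform C/N0, one track with a CMC step).
GENUINE = {5: make_track(21.0e6, 150.0, 3.0, 0.002, 44.0),
           12: make_track(22.4e6, -90.0, -1.5, 0.001, 47.5),
           19: make_track(23.1e6, 300.0, 0.7, 0.003, 41.0),
           24: make_track(20.6e6, 20.0, 2.2, 0.0015, 46.0)}
SPOOFED = {5: make_track(21.0e6, 150.0, 3.0, 0.0, 49.8),
           12: make_track(22.4e6, -90.0, -1.5, 0.0, 50.1),
           19: make_track(23.1e6, 300.0, 0.7, 0.0, 50.0, step_m=2.5, step_at_s=5.0),
           24: make_track(20.6e6, 20.0, 2.2, 0.0, 49.9)}

if __name__ == "__main__":
    for name, data in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, assess(data))
```

On the constructed data the genuine set raises no flags, while the spoofed set flags PRN 19 for both a CMC rate and a CMC step (the 2.5 m jump at t = 5 s) and flags the whole set for uniform C/N0. The CMC statistics work on differences, so the unknown carrier ambiguity never has to be resolved; what the monitor cannot do is distinguish a spoofer that models the ionosphere consistently from a real sky, which is exactly the limitation the article is about to raise.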
