Inside GNSS Media & Research

MAY-JUN 2018

Issue link: https://insidegnss.epubxp.com/i/987551


MULTI-FREQUENCY SPOOFING

that dual-frequency signal generation is difficult, these further points are briefly discussed.

Excessive code-carrier divergence observed in the received signal is not a function of whether or not a signal is counterfeit, but rather is related to the particular method used in the generation of the signal. In many cases, equipment that has been designed for use in telecommunications applications does not offer very precise carrier frequency tuning, and although it may report that it is tuned to, for example, L1, it may in fact be tuned to the nearest frequency that can be achieved with its synthesizer. For example, the device shown in Figure 5 uses a 20-bit fractional PLL and 30 megahertz reference (where the reference clock is first multiplied by three), and so can only tune with a resolution of approximately 28 hertz. Similarly, the device used in one example at ION GNSS+ 2017 uses a 22-bit fractional-N synthesizer, and can only tune with a resolution of approximately 8.5 hertz that, given its 38.4 megahertz reference, matches almost exactly the 1.7 m/s reported excess code-carrier divergence. By calculating this residual frequency error it can be compensated with a non-zero IF at signal synthesis, at no extra cost. Once this code-carrier divergence anomaly becomes part of the "spoofing defense", the adversary will simply correct it in the signal-generation stage. As such, this kind of detection scheme is temporary, at best.

To demonstrate this, a simple GPS/Galileo L1/E1 spoofer was assembled and used to spoof a survey receiver. The signal generation function was carefully configured to address the synthesizer considerations discussed above, such that the exact carrier frequency was known, and the delta frequency to L1 was injected as a digital IF in the signal generation stage.
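As an added illustration of the synthesizer point above (example code written for this edit, not from the article or its authors): it computes the tuning step and residual carrier offset of an idealised fractional-N synthesizer, converts that offset into the code-carrier divergence rate a receiver would observe, and runs a simple divergence check over constructed measurements. The f_ref / 2**N step model, the 21,000 km range and the 0.5 m/s threshold are assumptions.

```python
"""Added worked example (not from the article). Models the effect the text
describes: an idealised fractional-N synthesizer tunes in steps of
f_ref / 2**N (real divider chains change the step), so the broadcast carrier
sits slightly off L1 and the carrier-derived range drifts against the
code-derived range. The last two functions are the receiver-side check."""

C_MPS = 299_792_458.0              # speed of light
F_L1_HZ = 1_575_420_000.0          # GPS L1 / Galileo E1 carrier
WAVELENGTH_L1_M = C_MPS / F_L1_HZ  # about 0.1903 m per carrier cycle

def tuning_step_hz(f_ref_hz, frac_bits):
    """Finest carrier step of an idealised fractional-N synthesizer."""
    return f_ref_hz / (2 ** frac_bits)

def residual_error_hz(f_target_hz, f_ref_hz, frac_bits):
    """Offset between the requested carrier and the nearest achievable one."""
    step = tuning_step_hz(f_ref_hz, frac_bits)
    return round(f_target_hz / step) * step - f_target_hz

def divergence_rate_mps(carrier_offset_hz):
    """Each hertz of carrier offset adds one cycle per second to the tracked
    carrier phase, i.e. one wavelength per second of apparent range drift."""
    return carrier_offset_hz * WAVELENGTH_L1_M

def code_carrier_divergence_mps(pseudorange_m, carrier_range_m, dt_s):
    """Least-squares slope of (pseudorange - carrier range) over time for one
    satellite. A fixed carrier-frequency error shows up as a constant slope."""
    n = len(pseudorange_m)
    t = [i * dt_s for i in range(n)]
    d = [p - c for p, c in zip(pseudorange_m, carrier_range_m)]
    t_mean, d_mean = sum(t) / n, sum(d) / n
    num = sum((ti - t_mean) * (di - d_mean) for ti, di in zip(t, d))
    den = sum((ti - t_mean) ** 2 for ti in t)
    return num / den

def synthetic_epochs(carrier_offset_hz, epochs=20, dt_s=1.0):
    """Constructed measurements (not real data): static receiver, code range
    fixed at 21,000 km, carrier range drifting at the implied rate."""
    rate = divergence_rate_mps(carrier_offset_hz)
    pr = [21_000_000.0] * epochs
    cr = [21_000_000.0 - rate * i * dt_s for i in range(epochs)]
    return pr, cr, dt_s

def divergence_alarm(pseudorange_m, carrier_range_m, dt_s, limit_mps=0.5):
    """Flag a satellite whose |divergence| exceeds limit_mps (an assumed
    threshold; a real detector must budget for ionospheric divergence and noise)."""
    rate = code_carrier_divergence_mps(pseudorange_m, carrier_range_m, dt_s)
    return abs(rate) > limit_mps
```

With the article's 8.5 hertz figure the model gives roughly 1.6 m/s, close to the 1.7 m/s quoted; the zero-offset case shows the check goes silent once the carrier offset has been corrected, which is the article's "temporary, at best" point.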
The spoofer itself was based on a software-defined radio constellation simulator, written specifically to adhere to the resource constraints of a microcomputer such as the Raspberry Pi and therefore uses very limited memory. The digital baseband GNSS signal ensemble is generated with a transmit bandwidth of 8 megahertz and is streamed via USB 2.0 to the transceiver board at an 8-bit sample depth. The device upconverts this signal to RF and broadcasts to the target receiver. The spoofer is controlled using a simple command-line interface that can be accessed via SSH, enabling it to be controlled remotely via cellphone, as shown in Figure 6. The complete spoofer has an off-the-shelf build cost of approximately $400 (USD). The test spoofed a static position with between eight and 10 satellites in view (owing to rising and setting satellites). A one hour test was conducted and the receiver measurements were logged as

FIGURE 5 The experimental GPS/Galileo L1/E1 spoofer used in the below experiment, based on a HackRF and micro-computer, a software-defined simulator, and controlled via a cell-phone app.

FIGURE 6 Measured code-carrier divergence on eight spoofed GPS L1 C/A signals over twenty minutes
