1 Introduction

Over the last decades, positioning, navigation and GPS-dependent systems have received tremendous attention, so the security and integrity of these systems are very important. The goal in designing secure systems is to fortify a system's weakest link against predictable attacks [1]. GPS is a modern technology, but it is not secure. Some unavoidable error sources, such as clock errors and satellite orbit displacement, limit its precision [2]. In addition, GPS is vulnerable to interference because of several shortcomings. It mainly faces three attacks: blocking, jamming and spoofing [3]. The conventional precision improvement approaches [4–7] cannot counter these attacks. Spoofing is more sinister than the others, because the targeted receiver is unaware of it and so cannot warn users that its navigation solution is untrustworthy: the adversary emits signals identical to those sent by the satellites and thereby misleads the receiver. In general, the vulnerability of GPS stems from its nature as a radio navigation system, the weak GPS signal strength at the Earth's surface, the openness of the technical data of GPS, and the good stability and predictability of the signal [8]. These properties give spoofers the opportunity to generate and substitute counterfeit signals that the targeted receiver cannot detect. However, the spoofing signal, both during and after the attack, produces effects that can be detected and compensated by careful investigation.

Because there are different kinds of spoofing, there are various countermeasures; in other words, each anti-spoofing technique is relevant to a specific type of spoofing. As a result, it is necessary to go through the exercise of implementing civil GPS spoofing. This allows researchers to explore the range of practical spoofing techniques and so determine which aspects of spoofing are hard and which are easy to perform in the real world. With this information, the difficulty of mounting a spoofing attack can be evaluated more accurately, and receiver developers can prioritize their spoofing defenses by choosing countermeasures that are effective against easily implementable spoofing techniques.

During the past decade, numerous reports have been published on spoofing [9–16], spoofing detection [14–23] and spoofing mitigation [14–18]. In this paper, after studying the different techniques, a new spoofing scenario is proposed. Section 2 reviews and explains previously proposed spoofing techniques and practical examples of them. The next section reports the developed method. Section 4 presents simulations and test results to examine the suggested approach. Finally, Sect. 5 states the conclusion.

2 Review of Spoofers

Spoofing threats can be classified into three main groups: simplistic, intermediate and sophisticated spoofers. The remainder of this section gives a complete review of these spoofers.

2.1 Simplistic

This group encompasses a spoofer that simply attaches a power amplifier and an antenna to a GPS signal simulator and radiates the RF signal toward the target receiver. This can produce GPS signals, but cannot synchronize them with the currently broadcast GPS signals. However, if the adversary's signal power is greater than that of the legitimate signals, misleading commercial receivers is possible [14].

Despite the ease of mounting a spoofing attack with a signal simulator, there are some drawbacks: one is cost and another is size, and hiding the simulator is a further challenge [9]. The threat posed by a simulator-based spoofing attack is diminished by the fact that detecting such an attack appears to be easy, since synchronizing a simulator's output with the actual GPS signals in its vicinity is difficult. An unsynchronized attack may cause the victim receiver to lose lock and have to undergo a partial or complete reacquisition. Such a forced reacquisition would raise suspicion of a spoofing attack and would in any case likely lead to an abrupt change in the victim receiver's GPS time estimate; the victim receiver could flag jumps of more than 100 ns as evidence of possible spoofing. The presence of hundreds of counterfeit GPS signals may confuse the receiver's acquisition and hand-off-to-track logic or may deny the receiver navigation entirely [15].

An extension of the traditional GPS signal simulator is a signal generator that transmits more GPS signals than the number expected at the receiver's antenna. Contrary to the claimed low likelihood of attacks that use simplistic spoofers, the ease of organizing such an attack and the abundance of information on GPS hardware and software signal simulators, together with the potential for navigation confusion or denial of navigation, make this type of attack attractive to those who wish to cause mischief or harm. Thus, this mode of attack can be described as one that generates navigation confusion or denial of navigation, depending on how the receiver deals with the multiplicity of signals. GPS signal simulators are decreasing in cost and becoming more available.

A successful experiment using this type of attack is described in Ref. [24] (2002): a sufficiently powerful signal that interferes with and obscures the GPS signals is transmitted. The attacker first has to force the receiver to lose its lock on the satellite signals, which can also be achieved by jamming the legitimate GPS signals. They placed the simulator, a desktop PC and the computer monitor in the cab of a truck, with the antenna attached to the grill of the truck. If the equipment could broadcast a stronger signal, spoofing over a greater distance would be possible.

In summary, the ease of mounting an attack via a GPS signal simulator makes this attack mode quite relevant. However, the mere fact that a simplistic attack is easy to defend against does not increase security. A gaping vulnerability will remain until civil GPS receivers are at least equipped with the elementary anti-spoofing techniques required to detect a simulator-type attack.

2.2 Intermediate

The second group synchronizes its counterfeit GPS signals with the authentic ones, so that the fake signals can more easily masquerade as genuine. The receiver-spoofer can be made small enough to be placed inconspicuously near the target receiver's antenna. The receiver component draws in legitimate GPS signals to estimate its own position, velocity and time, which, because of the proximity, also apply to the victim antenna. Based on these estimates, the receiver-spoofer then generates counterfeit signals and generally orchestrates the spoofing attack. The receiver-spoofer could even be placed rather far from the target receiver if the target were stationary and its position relative to the receiver-spoofer had been pre-surveyed.

One of the main challenges that must be overcome to carry out a successful spoofing attack is to obtain the position and velocity of the target receiver's antenna. This knowledge is required to precisely position the counterfeit signals relative to the genuine signals at the target antenna; without it, a spoofing attack is easily recognized.

2.2.1 Replay/Meaconing

The simplest way to perform an intermediate spoofing attack, first tested in 2008, is to receive legitimate GPS signals at one location and relay them to another location without any modification [16]. In this way the adversary can avoid detection even if cryptography is employed, while presenting the victim with GPS signals that are not normally visible at the victim's location. The replay attack is characterized by two features: (1) the adversarial node's capability to receive, record and replay GPS signals and (2) the delay between reception and retransmission of a signal. The spoofed signal can also be generated by manipulating and rebroadcasting actual signals, which is called meaconing.

2.2.2 Synchronized

As mentioned above, the primary difficulty in carrying out a spoofing attack is determining the 3-D vector to the target receiver's antenna. An attack via a receiver-spoofer overcomes this difficulty by construction: the receiver-spoofer is able to synchronize its signals to GPS time and align the counterfeit and genuine signals by virtue of its proximity to the target antenna. Agile control over signal amplitude, GPS timing, navigation data bits and code-phase alignment makes attacks by this receiver-spoofer difficult to detect. A practical example of this attack was built by Humphreys and his colleagues in 2008 [15]; indeed, it was an extension of the Cornell GRID receiver [25]. Each channel of the target receiver is brought under the control of the receiver-spoofer. The counterfeit correlation peak is aligned with the peak corresponding to the genuine signal, and the power of the counterfeit signal is then gradually increased. Eventually, the counterfeit signal gains control of the delay-lock-loop tracking points that track the correlation peak, and consequently a false navigation solution is generated. An attack via a portable receiver-spoofer could be more difficult to detect than the simplistic spoofer. In addition, the electromagnetic radiation emitted from the spoofer's antenna can be directed in a narrow beam, further complicating detection. Unsurprisingly, this fact, together with the need for sub-cm-level knowledge of the target receiver's antenna location, makes the likelihood of coordinated attacks with such a device relatively low [13–15].

2.3 Sophisticated

The third spoofer group is the most sophisticated and effective one: the synchronous attack, which coordinates its signals not only with the currently broadcast signals but also with the counterfeit GPS signals of other nearby spoofers. In other words, a sophisticated attacker comprises several receiver-spoofer devices sharing a common reference oscillator and communication link, with each device mounted at one of the target receiver's antennas. It is worth noting that the angle-of-arrival defense fails under this attack scenario.

Naturally, this attack inherits nearly all the challenges of mounting a single receiver-spoofer attack, with the additional expense of multiple receiver-spoofers and the additional complexity that the perturbations to the incoming signals must be phase coordinated. Moreover, carrier phase alignment and synchronization of the spoofing arrays are possible only within a bounded region around the target receiver, and the physical limitations on placing the spoofer antennas toward the victim receiver make implementation of such attacks very hard, and impossible in some cases because of the target receiver's motion [13, 14].

3 Proposed Delay and Mixing Mechanism

In most cases, complicated software and devices or not easily accessible simulators are used to generate spoofing signals. Saving and delaying the authentic signal was investigated earlier [10]. Expanding this idea, the counterfeit signal is generated from the collected data set: at the beginning, the input signal is sampled for a specific period and, after a suitable delay, combined with the real signal. In other words, the delay-and-combine procedure constructs the counterfeit signal by combining the original and the delayed signal, whereas in other spoofing scenarios the fake signal contains only one signal. The L1 signal transmitted from the GPS satellites is described by the following equation [8]:

$$ S_{L1} \left( t \right) = A_{P} P_{i} \left( t \right)W\left( t \right)D_{i} \left( t \right)\cos \left( {\omega_{L1} \left( {t + \Delta t} \right) + \varphi_{L1} } \right) + A_{C} C_{i} \left( t \right)D_{i} \left( t \right)\sin \left( {\omega_{L1} \left( {t + \Delta t} \right) + \varphi_{L1} } \right) $$
(1)

where \( A_P \) is the amplitude of the P code, \( P_i(t) \) is the P code of the i-th PRN, \( W(t) \) is the cryptographic code, \( D_i(t) \) is the navigation message of the i-th PRN, \( \omega_{L1} \) is the angular frequency of the L1 signal, \( \varphi_{L1} \) is the L1 signal phase, \( A_C \) is the C/A code amplitude, \( C_i(t) \) is the C/A code of the i-th PRN and \( \Delta t \) is the satellite signal propagation delay. Note that the first part of the equation is accessible only to military GPS receivers. Ignoring the propagation delay, the signal processed in civil GPS receivers can be written as follows:

$$ S_{{L1_{CA} }} \left( t \right) = A_{C} C_{i} \left( t \right)D_{i} \left( t \right)\sin \left( {\omega_{L1} \left( t \right) + \varphi_{L1} } \right) $$
(2)

Taking this equation as the authentic signal, the counterfeit signal constructed by the delay-and-combine procedure can be written as:

$$ C_{{L1_{CA} }} \left( t \right) = A_{C}^{A} C_{i}^{A} \left( t \right)D_{i}^{A} \left( t \right)\sin \left( {\omega_{L1} \left( {t - \Delta t_{A} } \right) + \varphi_{L1}^{A} } \right) + A_{C}^{D} C_{i}^{D} \left( t \right)D_{i}^{D} \left( t \right)\sin \left( {\omega_{L1} \left( {t - \Delta t_{D} } \right) + \varphi_{L1}^{D} } \right) $$
(3)

where the superscripts A and D denote the authentic and the delayed signal, respectively. Eq. (3) is the signal that is broadcast as the spoofing signal. To generate it, the authentic signal has to be saved; this saved signal, which serves as the delayed one, is then combined with the authentic one. After the fake signal is produced and transmitted, the signal received by the victim receiver can be expressed as:

$$ R_{{L1_{CA} }} \left( t \right) = S_{{L1_{CA} }} \left( t \right) + C_{{L1_{CA} }} \left( t \right) $$
(4)

To negate the authentic signal in the GPS receiver, the power of the constructed counterfeit signal can be increased [15, 22]. Neglecting the \( \Delta t_A \) term, Eq. (4) can be approximated as:

$$ R_{{L1_{CA} }} \left( t \right) \approx C_{{L1_{CA} }} \left( t \right) $$
(5)

As mentioned above, the spoofing signal power is set higher than the authentic one in order to successfully mislead the target receiver [12]. Since the power of the received GPS signal is low at the surface of the Earth [8], the spoofing signal power can easily be set higher than the authentic one in order to avoid easy detection [21]. In summary, the spoofing data is generated in four steps:

  1. Step 1: Saving the authentic GPS signal as a delayed signal and estimating its power level.
  2. Step 2: Combining the delayed and authentic signal.
  3. Step 3: Adjusting the combined signal power in proportion to the power level estimated in step 1.
  4. Step 4: Spreading the constructed counterfeit signal toward the target receiver.
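To see what the delay-and-combine signal of Eqs. (3) and (4) looks like from the victim's side, it helps to model it at baseband and run it through the acquisition correlator, because that is where a receiver can observe the attack. The following Python block is an added example, not code from the paper: a random ±1 chip sequence (constructed, with a fixed seed) stands in for a C/A code, the signal is sampled once per chip, the residual delay of 37 chips and the amplitude ratio of 2 (Case B) are assumed values, and the final check is a defender-side monitor that flags a second correlation peak whose height is a large fraction of the main one. Only the delay modulo one code period matters to the correlator, which is why a circular shift is enough here.

```python
import random

CODE_LEN = 1023  # chips per C/A code period; a random +/-1 sequence stands in for a Gold code (constructed)


def make_code(seed=7):
    """Constructed spreading code: random +/-1 chips with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(CODE_LEN)]


def authentic_signal(code, data_bit=1, amplitude=1.0):
    """One code period of Eq. (2) at baseband: amplitude * C_i(t) * D_i(t), one sample per chip."""
    return [amplitude * data_bit * c for c in code]


def delay_and_combine(signal, delay_chips, gain):
    """Eq. (3) as seen by the receiver: the authentic sample stream plus a delayed copy of
    itself scaled by gain (the ratio A_C^D / A_C^A). delay_chips is the residual code-phase
    offset; the circular shift models the periodic code."""
    n = len(signal)
    delayed = [signal[(k - delay_chips) % n] for k in range(n)]
    return [s + gain * d for s, d in zip(signal, delayed)]


def correlate_all_phases(received, code):
    """Receiver acquisition search: normalised correlation against every code phase."""
    n = len(code)
    out = []
    for tau in range(n):
        acc = 0.0
        for k in range(n):
            acc += received[k] * code[(k - tau) % n]
        out.append(acc / n)
    return out


def secondary_peak_check(corr, ratio_threshold=0.3):
    """Defender-side monitor: a second peak that is a large fraction of the main one means
    two replicas of the same PRN are present (authentic plus delayed copy). A clean signal
    only shows the main peak and sidelobes of roughly 1/sqrt(CODE_LEN)."""
    order = sorted(range(len(corr)), key=lambda i: abs(corr[i]), reverse=True)
    main, second = order[0], order[1]
    ratio = abs(corr[second]) / abs(corr[main])
    return {
        "main_phase": main,
        "secondary_phase": second,
        "ratio": ratio,
        "suspicious": ratio > ratio_threshold,
    }


def run_demo(delay_chips=37, gain=2.0):
    """Return the monitor's verdict for the authentic signal and for the combined (Case B) signal."""
    code = make_code()
    clean = authentic_signal(code)
    combined = delay_and_combine(clean, delay_chips, gain)
    return (
        secondary_peak_check(correlate_all_phases(clean, code)),
        secondary_peak_check(correlate_all_phases(combined, code)),
    )


if __name__ == "__main__":
    clean_result, combined_result = run_demo()
    print("authentic:", clean_result)
    print("combined: ", combined_result)
```

With gain 2 the delayed replica wins the acquisition (main peak at the delayed phase), but the authentic peak survives at about half the height, which is exactly the vestigial peak a receiver can look for; with gain 1 (Case A) the two peaks are of roughly equal height. The same monitor is blind to a replica whose residual delay is under one chip, which is a known limitation of peak-counting defenses.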

We suppose that the counterfeit signal is the dominant term in the input signal and that the victim receiver tracks only the spoofing signals. The block diagram of the complete implemented system is shown in Fig. 1. In fact, the spoofing scenario causes the preamble bits at the beginning of the navigation message subframe to change. So the subframes are altered and new navigation bits are generated. This leads to variation of TOW and of the satellite clock corrections, so the satellite's pseudo-range and position change drastically. As shown in Fig. 2, the position of the target receiver is deviated in this way. The update of HOW every 6 s is the main reason for the excessive satellite position deviation. As is known, HOW contains the first 17 bits of TOW [26].
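Since the attack manifests as altered preamble bits and a TOW that no longer advances by one per subframe, a receiver can check the navigation message for consistency before it trusts the solution. The following Python block is an added example, not the paper's code: it builds constructed 300-bit subframes that carry only the fields it checks (the TLM preamble 10001011, and the 17-bit TOW count and 3-bit subframe ID in the HOW, at the positions given by IS-GPS-200; parity bits are left zero and are not verified), then reports preambles that do not match, out-of-range or non-consecutive TOW counts, and subframe IDs that are invalid or out of sequence. The sample streams, including the tampered one, are constructed for the demonstration.

```python
PREAMBLE = "10001011"      # TLM word preamble (IS-GPS-200)
SUBFRAME_BITS = 300        # 10 words of 30 bits, 6 s at 50 bit/s
TOW_COUNT_MAX = 100799     # 604800 s per week / 6 s per subframe, minus one


def build_subframe(tow_count, subframe_id):
    """Constructed test subframe: real preamble, HOW with TOW count and subframe ID,
    every other field (including parity) zeroed."""
    tlm = PREAMBLE + "0" * 22
    how = format(tow_count, "017b") + "00" + format(subframe_id, "03b") + "0" * 8
    return tlm + how + "0" * (SUBFRAME_BITS - 60)


def parse_how(subframe):
    """HOW is word 2: TOW count in bits 31-47, subframe ID in bits 50-52 (1-indexed)."""
    tow_count = int(subframe[30:47], 2)
    subframe_id = int(subframe[49:52], 2)
    return tow_count, subframe_id


def check_nav_stream(bits):
    """Return (subframe index, finding) pairs for every inconsistency in a decoded bit stream."""
    findings = []
    prev_tow = prev_id = None
    for n in range(len(bits) // SUBFRAME_BITS):
        sf = bits[n * SUBFRAME_BITS:(n + 1) * SUBFRAME_BITS]
        if sf[:8] != PREAMBLE:
            findings.append((n, "bad preamble"))
        tow, sid = parse_how(sf)
        if tow > TOW_COUNT_MAX:
            findings.append((n, "TOW out of range"))
        if not 1 <= sid <= 5:
            findings.append((n, "bad subframe id"))
        # TOW must advance by exactly one 6-s count per subframe (with end-of-week rollover)
        if prev_tow is not None and tow != (prev_tow + 1) % (TOW_COUNT_MAX + 1):
            findings.append((n, "TOW discontinuity"))
        # subframe IDs cycle 1,2,3,4,5,1,...
        if prev_id is not None and sid != prev_id % 5 + 1:
            findings.append((n, "subframe id out of sequence"))
        prev_tow, prev_id = tow, sid
    return findings


def sample_streams():
    """Constructed clean stream of five consecutive subframes, and a tampered copy with a
    corrupted preamble in subframe 2 and a TOW jump in subframe 3."""
    clean = "".join(build_subframe(1000 + i, i % 5 + 1) for i in range(5))
    tampered = list(clean)
    tampered[2 * SUBFRAME_BITS] = "0"                       # first preamble bit of subframe 2
    start = 3 * SUBFRAME_BITS + 30
    tampered[start:start + 17] = format(1500, "017b")       # TOW of subframe 3 jumps to 1500
    return clean, "".join(tampered)


if __name__ == "__main__":
    clean, tampered = sample_streams()
    print("clean:   ", check_nav_stream(clean))
    print("tampered:", check_nav_stream(tampered))
```

The TOW jump in subframe 3 produces two findings, one for subframe 3 (it does not follow subframe 2) and one for subframe 4 (it does not follow the jumped value), so a single altered HOW is caught twice; in a real receiver the parity check of each word would add a third, independent signal.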

Fig. 1 Total implemented system

Fig. 2 Effects of spoofing signal

4 Performance Analysis and Test Results

In the delay-and-combine procedure, two parameters matter: the delay time and the amplitude of the delayed signal. To validate the proposed algorithm, four different data sets are investigated; changing the delay time and the amplitude of the counterfeit signal produces the different data sets. This section presents the test scenarios that were used to evaluate the performance of the suggested algorithm.

First, we saved the authentic signal for the specified duration used in each test. After some preprocessing, it is combined with the authentic signal at different delays, and the mixed signal is then transmitted to the target receiver. Preprocessing consists of adjusting the amplitude of the delayed signal in proportion to the scale used in each scenario before the signals are combined.

It is also worth noting that the difference between the authentic and delayed signal grows by approximately 17 ms between every two consecutive samples. In other words, if in the n-th sample the difference between the authentic and delayed signal is 1 s, in the (n+1)-th sample the delay will be 1 s and 17 ms. In all tests, the spoofing signal received at the target receiver and its authentic counterpart were analyzed on a personal computer with Matlab [26]. Finally, the position errors due to spoofing are reported in detail.

Case A. \( A_C^D = A_C^A \)

In this scenario, the amplitudes of the authentic and delayed signals are equal. First, we inspected the spoofing and real signals in the frequency domain. According to Fig. 3, there is no observable difference between the two signals in the frequency domain. Fig. 4 shows the acquisition result for one sample of the constructed signal. As can be observed, four satellites of the spoofing signal are common with the authentic one; PRN18 is added and PRN14 is omitted.

Fig. 3 Frequency domain: a authentic signal and b spoofing signal

Fig. 4 Acquisition result: a authentic signal and b spoofing signal

Processing of this signal ends at this step, since the navigation message extracted from the tracking stage cannot solve the navigation equations. Indeed, the constructed signal contains no preamble bits. None of the more than 2500 samples of these tests with various delay times reached a reasonable answer.

Case B. \( A_C^D = 2 A_C^A \)

In this scenario, the amplitude of the delayed signal is twice that of the authentic signal. In the first step, more than 2500 samples with different delay times were examined, and in 21 of them a successful spoofing signal was created. The histogram, frequency domain and acquisition output of one of them are shown in Figs. 5, 6 and 7, respectively. As can be seen, there is no obvious difference between the features of the two signals; moreover, the statistical distribution and frequency domain of the two signals are similar.

Fig. 5 Histogram: a authentic signal and b spoofing signal

Fig. 6 Power density: a authentic signal and b spoofing signal

Fig. 7 Acquisition result: a authentic signal and b spoofing signal

The spoofing signal contains four satellites of the authentic signal and prevents the other two satellites from passing the tracking stage. The spoofing error is also specified separately in East, North and Up (ENU) coordinates. More details of the produced spoofing data sets are reported in Table 1. As can be seen in the table, this data set can spoof the victim single-frequency GPS receiver by 96 to 1900 m.

Table 1 Details of spoofing error at first scenario

Furthermore, Fig. 8 shows the spoofing error versus delay time. Clearly, there is no definite relation between delay time and position error. However, it can be seen that the number of successful spoofing data sets at small delay times is larger than at large delay times, whereas the larger position errors due to spoofing occurred at large delay times.

Fig. 8 Spoofing error versus delay time at first data set

To confirm the obtained results, the test was repeated two more times. In the second run, 20 successful results were gathered; Table 2 and Fig. 9 show the details of these samples. In this test, 54 and 1758 m are the minimum and maximum RMS position errors, respectively. In the next run, more than 750 samples with different delays were investigated. We produced 19 effective spoofing data sets, with 90 and 1795 m as their minimum and maximum. More aspects of them can be seen in Table 3 and Fig. 10.

Table 2 Details of spoofing error at second scenario

Fig. 9 Spoofing error versus delay time at second data set

Table 3 Details of spoofing error at third scenario

Fig. 10 Spoofing error versus delay time at third data set

Another point that stands out in Tables 1, 2 and 3 is that the effect of the spoofing signal is not the same in the three coordinates: the position error on the U axis is larger than on the others. In other words, the counterfeit signal mainly affects the height of the target receiver. The successful samples of the three scenarios are collected in Fig. 11. It is obvious that the distribution of successful spoofing signals drops sharply beyond a 5 s delay time.

Fig. 11 Spoofing error versus delay time at three data sets

Case C. \( A_C^D = 3 A_C^A \)

In this scenario, the amplitude ratio of the spoofing signal to the authentic signal is 3. About 1150 instances were tested, and 996 of them are effective spoofing signals with position errors between 2 and 2139 m. Successful examples are shown in Fig. 12. As can be seen, the distribution of spoofing error versus delay time is approximately uniform and most examples have small spoofing errors (in metres); in other words, the distribution is sparse at large spoofing values.

Fig. 12 Spoofing error versus delay time at third scenario

5 Conclusion

In this article, we proposed a new methodology for spoofing generation, in which a delay-and-combine procedure deviates the position of the target receiver. In other words, unlike the previously suggested scenarios, the fake signal in this algorithm is a combination of two GPS signals, whereas in former spoofing attacks the counterfeit signal was a single GPS signal. Investigation of more than 1000 successful samples showed that the pseudo-range deviation appears to decrease while the satellite position deviation is excessive; however, the pseudo-range variance is about 100 times larger than the satellite position deviation. The salient change of pseudo-range is a reasonable explanation for the extreme variation of the target GPS receiver's height. These two factors contribute to the position error due to spoofing. On the other hand, the difference in GPS signal features such as Doppler frequency is less than 2 % relative to the authentic signal. As a result, this scenario is less expensive and more difficult to detect and resist than the simplistic spoofer, since it has a power normalizer and lower hardware complexity and size. Moreover, the spoofing signal is approximately synchronous with the authentic one, so there is no need for the target receiver to lose lock and reacquire. In summary, we were able to change the navigation bits and thereby deviate the receiver position. Indeed, this algorithm caused a decrease in pseudo-range and an excessive satellite position deviation without much hardware equipment.