On the Limitations of GPS Time-Spoofing Attacks
Mehmet Özgün Demir∗, Güneş Karabulut Kurt†, and Ali Emre Pusane∗
∗ Boğaziçi University, Istanbul, Turkey, {ozgun.demir1, ali.pusane}@boun.edu.tr
† Istanbul Technical University, Istanbul, Turkey, gkurt@itu.edu.tr
Abstract—In recent years, there have been a number of incidents
against the security of the location services. Jamming and
spoofing attacks are intensively studied to find effective detection
and mitigation techniques to provide secure signaling. However,
the effects of the number of spoofing signals are not completely
understood yet. In this paper, we focus on the distance-based
consequences of GPS time-spoofing attacks. We analyze the
impacts of falsification of GPS time stamp and signal travel
time, where there are still authenticated signals in addition to
the spoofing signals. The results show that the spoofer may be
very effective even if it only generates a copy of one GPS signal
by creating its attack signal.
Keywords—GNSS security; GPS spoofing location error; time-spoofing attacks.
978-1-7281-6376-5/20/$31.00 ©2020 IEEE 313 TSP 2020

I. INTRODUCTION

Although satellite communication systems were at first deployed mostly for military use, these systems are currently irreplaceable in various areas. Not surprisingly, they are used as a first choice to navigate in open-sea, air, and ground transportation. However, the security of these systems was mostly negligible until the recent past. Due to the vulnerability of civilian Global Navigation Satellite System (GNSS) signals, there are significant threats against secure signaling between transmitter and receiver. Recently, several incidents have been reported, such as the hijack of an aerial vehicle (AV) of the USA by Iran using spoofing [1]. There are also reported real-world incidents of Global Positioning System (GPS) spoofing in Russia and the Black Sea region [2], where spoofing is used as a defense mechanism. With the development of software-defined radios (SDR), generating attack signals against positioning systems is significantly cheaper and more manageable than before; as a result, there are several examples of these attacks utilizing SDR [3].

Due to the lack of security solutions in most of the satellite positioning systems, e.g., the L1 signal in GPS, there are high risks of attacks against secure positioning. In the literature, jamming and spoofing are considered to be the principal attacks against GPS security [4]. These attacks can also be implemented with commercial off-the-shelf products [2]. Jamming is a significant attack to wipe out the legitimate signaling in communication systems, and GPS is not an exception. Due to the very low power level of GPS signals, a jammer may generate signals with limited energy [5].

Compared to jamming, spoofing is much more advanced. In spoofing attacks, the attackers try to mimic the transmitter, whose signals are received and used by the receivers, without being detected. There are several versions of spoofing attacks in GNSS; hence, their countermeasures are also varied [1], [6]. In general, spoofers send a combination of legitimate GPS signals to the receiver. A primary spoofing attack is called a meaconing attack, during which the meaconer estimates the correct signals and repeats the collected signals. After a successful attack, the receiver obtains old signal data with wrong time information. Another spoofing attack is transmitting higher-power signals than legitimate GPS signals during the acquisition stage of the receiver. This type of basic attack can be easily detected with power monitoring [7], and it is hard to synchronize this attack with the receiver’s acquisition process.

In the literature, spoofing attacks that focus on time information at the receiver side are considered serious threats to true positioning [8]. These attacks can be generated by changing the GPS timestamp or falsifying signal travel time. They can be realized for all satellites or a group of satellites with different fake time information. In the literature, most papers assume that the spoofer can generate a signal as the combination of the signals of all possible GPS satellites. However, the effects of additional legitimate GPS signals besides the spoofing signals are barely studied [9]. In this paper, we focus on time-spoofing attacks, and we analyze the impacts of the number of combined fake GPS signals, which create a spoofing signal, on the receiver position errors. The joint analysis of time-spoofing attack and the size of the spoofing signal is our main contribution to the literature since these two issues are not jointly studied yet.

Fig. 1. A simple GPS model with $N = 6$ available satellites to the user, while there is a spoofer, who is capable of generating the combination of $N_s \geq N = 6$ fake GPS signals.

In the following section, we briefly explain the GPS model
with a spoofer. In Section III, the details of the spoofing attack are provided. After that, the simulation environment and the results are given in Section IV. We conclude the paper in Section V.

II. SYSTEM MODEL

Today, various types of GNSS-based communication platforms are used with different satellites, and in this paper, we focus on the GPS program. In Fig. 1, the basic GPS-based system model is given with a potential user, who tries to obtain its position, and with a spoofer, whose objective is to deceive the user with wrong positioning information. In satellite location services, GPS receivers obtain the broadcast ephemeris messages, which include the navigation message and the GPS timestamp with orbit parameters. GPS time stamp information is represented in seconds in a week, and it is refreshed each week. One bit change in this timestamp information leads to a change of at least 6 seconds due to the length of GPS subframes [10].

Because of the specific feature of GNSS platforms, a receiver should be able to see at least 4 satellites to find its position by operating trilateration techniques [11]. However, in most cases, 4 satellites do not provide precise positioning services. Therefore, we consider $N = 6$ available GPS satellites that provide the highest signal powers from the available 32 GPS satellites. In the rest of this paper, we use the East-North-Up (ENU) coordinate system during the calculation of position errors of the receiver. At the receiver side, “raw” GPS signals are obtained as the combination of navigation data, a carrier wave, and spreading codes [12]. This received signal can be written as

$$y(t) = \mathrm{Re}\Big\{ \sum_{i=1}^{N} A_i D_i[t - \tau_i(t)]\, C_i[t - \tau_i(t)]\, e^{j[w_c t - \phi_i(t)]} \Big\}, \tag{1}$$

where $N$ is the number of spreading-code-specific signals, i.e., the number of satellites, $A_i$ is the carrier amplitude of the $i$th signal, $D_i(t)$ is the data bit stream of the $i$th signal, $C_i(t)$ is the spreading code, $\tau_i(t)$ is the code phase of the $i$th signal, $w_c$ is the carrier frequency, and $\phi_i(t)$ the $i$th beat carrier [1], [6]. Trilateration is used with at least 4 pseudoranges, one per visible satellite, to locate the GPS receivers with the position, velocity, and time (PVT) information. These pseudoranges are calculated from broadcast GPS ephemeris data at the receiver side, and their value is highly dependent on time information at the receiver.

During the calculation of pseudorange, we have two different terms for expressing time. $t_i$ is the receiver time of the $i$th receiver, and $t^k$ is the signal transmission time from the $k$th satellite. The pseudorange term differs from $d_i^k$, which is the real range between the satellite and the receiver, due to this time difference, and it is calculated as

$$\rho_i^k = c \times \underbrace{(t_i - t^k)}_{t_{tr}}, \tag{2}$$

where $c$ is the speed of light and $t_{tr}$ is the signal travel time. There are also clock bias errors on both sides as

$$t_i = T_i + \tau_i, \tag{3}$$

$$t^k = T^k + \tau^k, \tag{4}$$

where $T_i$ is the real receive time, and $T^k$ is the true transmission time with respect to the atomic clock. $\tau_i$ and $\tau^k$ are the clock biases at the receiver side and satellite, respectively. When we rearrange the terms, the pseudorange expression is rewritten with the effects of the ionosphere ($I_i^k$), the troposphere ($T_i^k$), and observational errors ($e_i^k$) between the $k$th satellite and the $i$th receiver as

$$\rho_i^k = d_i^k + c(\tau_i - \tau^k) + I_i^k + T_i^k + e_i^k. \tag{5}$$

In this expression, we would like to calculate the 3 unknown Cartesian coordinates of the receiver position, and the receiver clock bias $\tau_i$; therefore, we need at least 4 pseudorange terms. It should be noted that the satellite position and the satellite clock bias denoted as $\tau^k$ are known in the ephemeris [11], [13]. The least-square (LS) method is generally applied after utilizing Taylor’s expansion theorem to find the receiver position. Since we focus on time-spoofing attacks in GPS platforms, we use well-studied LS methods without any modification to find receivers’ position and omit the details of the employment of LS techniques in navigation systems.

III. TIME-SPOOFING ATTACKS IN GPS

In order to achieve the accurate falsification of the receiver, there are some general techniques to influence the receiver as being a legitimate transmitter before introducing false position data. The attackers may first jam the GPS signaling to force the receiver into the searching stage and then apply their spoofing attack. In this case, the chance of locking to the spoofed signal is higher from the receiver’s perspective. Another strategy is that the spoofer may initially reproduce correct signals with a very low power level, then increase their power level slowly until successful locking by the receiver. After being locked, the spoofer may shift receivers’ frequency, power level, and spreading codes. The following GPS spoofing signal is sent after a successful acquisition by the receiver, while $N_S$ is the number of accumulated legitimated-like GPS signals

$$y_s(t) = \mathrm{Re}\Big\{ \sum_{i=1}^{N_S} A_{si} \hat{D}_i[t - \tau_{si}(t)]\, C_i[t - \tau_{si}(t)]\, e^{j[w_c t - \phi_{si}(t)]} \Big\}. \tag{6}$$

In this expression, $A_{si}$ is the signal amplitude for the corresponding spoofing signal, $\hat{D}_i(t)$ is the estimated data bitstream, and $\tau_{si}(t)$ and $\phi_{si}(t)$ are the code phase and the beat carrier of spoofing signals, respectively. In the signal medium, the generated spoofing signal is very similar to the legitimate GPS signal. As shown in (6), they transmit fake data signals with the copied spreading codes at the correct frequency with small phase errors. After an attack, the received signal is the collection of the actual signal, the spoofed signal, and noise as

$$y_{tot}(t) = y(t) + y_s(t) + \nu(t). \tag{7}$$
For the presence of the spoofing signal, we can rewrite (5) for the spoofing signal as

$$\rho_i^s = \hat{d}_i + d^k + c(\tau_i - \tau^s) + e_i^s, \tag{8}$$

where $\hat{d}_i$ is the distance between the $i$th receiver and the spoofer, and $d^k$ is the false location data added by the spoofer for the $k$th satellite. This expression does not include any errors due to the ionosphere or troposphere since we assume that the spoofer location is on earth. In time-spoofing attacks, the spoofer may violate the GPS time stamp by injecting a time error $\Delta t^k$, which directly influences $d_i^k$. An advanced spoofer adjusts $d^k$ regarding the real distance between the corresponding satellite and the receiver. In other time-spoofing attacks, the spoofer may change the signal travel time by adding $\Delta t_{tr}$. This falsified information can also be shown with the $d^k$ term since the false pseudorange is adjusted with fake location data regarding signal travel time.

IV. SIMULATION RESULTS

In our simulations, we utilize the SoftGNSS v3.0 MATLAB toolbox provided in [13], where the GPS signals are recorded as raw data, where the position of the receiver is 45° 3′ 55.2708″ N, 7° 39′ 31.9896″ E at a height of 183.970 m without any spoofing attack. Both of the attacks are studied for the parameters given in Table I for one simulation due to the lack of the probabilistic parameters, while $N_S \leq N = 6$. As a quality metric for a successful spoofing attack without detection, the horizontal distance error and the vertical distance error should be less than 1 kilometer and 150 meters, respectively [3]. Since we reconsider with the ENU coordinate system, distance errors on the X and Y axes should be less than 700 meters, which are the approximate values for the circle with a radius of 1 kilometer. In the rest of the paper, 700 and 150 meters are the reference detection levels for the X and Y-planes, and the Z-plane, respectively. We present the distance errors for each ENU coordinate in X, Y, Z planes for the attacks given in Table I.

TABLE I. PARAMETERS OF TIME-SPOOFING ATTACK

Attack                      Parameter              Values
Signal Travel Time Attack   ∆ttr (milliseconds)    ±10, ±1, ±0.1, ±0.01, ±0.001
GPS Time Stamp Attack       ∆tk (seconds)          ±6, ±5, ±4, ±3, ±2, ±1

In Fig. 2, the position errors for each plane are given for various values of $N_S$ with respect to $\Delta t_{tr}$ with a reference detection level. These results demonstrate that the increased value of $\Delta t_{tr}$ leads to very high distance errors in each coordinate. When $\Delta t_{tr}$ is larger than 0.01 ms, the attack will be detected in the X and Y-planes, whereas attacks larger than 0.001 ms can be detected in the Z-plane. When we analyze the results given in Fig. 2-3 jointly, the results for $N_S = 4$ and $N_S = 3$ are significant on the X and Y-planes, respectively. It is harder to detect these cases due to smaller position errors when $\Delta t_{tr}$ is smaller. When the spoofer generates its signals as the combination of all available satellites, e.g., $N = N_S$, the spoofer may successfully violate the receivers’ position, as shown in Fig. 3.

Fig. 2. Receivers’ position errors in meters are given on each plane with respect to the values of $\Delta t_{tr}$ given in Table I for $N_S \geq N$. [Plot not reproduced: X-plane, Y-plane and Z-plane error panels versus $\Delta t_{tr}$ (milliseconds), one curve per $N_S = 1, \dots, 6$ plus the detection level.]

Fig. 3. Receivers’ position errors in meters are given on each plane with respect to the values of $N_S \geq N$ for $\Delta t_{tr}$. [Plot not reproduced: X-plane, Y-plane and Z-plane error panels versus $N_S$, one curve per $\Delta t_{tr}$ = 10 ms, 1 ms, 0.1 ms, 0.01 ms, 0.001 ms plus the detection level.]

After a GPS satellite time stamp attack is generated, the results are demonstrated in Fig. 4 and 5 with respect to the chosen $\Delta t^k$ in Table I for $N_S \geq N$. As the main difference between the results for $\Delta t^k$ and $\Delta t_{tr}$ based attacks, many scenarios violate the receivers’ location without being detected in $\Delta t^k$ based GPS time stamp attacks. In Fig. 4, we can perceive that the most threatening attack is the $N_S = 1$ scenario due to its simplicity, since only a single copy of GPS-like signals can be very effective for spoofing instead of sending a combination
of various GPS-like signals. This type of attack may effectively falsify the users’ location even for increased $\Delta t^k$ errors, e.g., $\Delta t^k = 4$ in Fig. 4. This type of attack can be used as the initial step for convincing a receiver, then the number of spoofing signals and the amount of $\Delta t^k$ can be slowly increased. As shown in Fig. 5, spoofers can significantly falsify receivers’ location information with an incremental number of spoofed signals even if there are some reductions for the cases $N_S = 4$ and $N_S = 5$ for the Y and Z-planes, respectively.

Fig. 4. Receivers’ position errors in meters are given on each plane with respect to the values of $\Delta t^k$ given in Table I for $N_S \geq N$. [Plot not reproduced: X-plane, Y-plane and Z-plane error panels versus $\Delta t^k$ (seconds), one curve per $N_S = 1, \dots, 6$ plus the detection level.]

Fig. 5. Receivers’ position errors in meters are given on each plane with respect to the values of $N_S \geq N$ for $\Delta t^k$. [Plot not reproduced: X-plane, Y-plane and Z-plane error panels versus $N_S$, one curve per $\Delta t^k$ = 6 s, 5 s, 4 s, 3 s, 2 s, 1 s plus the detection level.]

However, attackers should consider that they cannot simply change the GPS time stamp since each bit change has the precision of at least 6 seconds. This attack is also not effective when the GPS signal is encrypted; therefore, the attacker should create physical delays for the GPS timestamp with additional hardware costs during the generation of GPS-like spoofing signals.

V. CONCLUSION

Spoofing attacks have become a significant issue in navigation systems security in recent years due to the incidents against existing location services. In this paper, we focus on the impacts of time-spoofing attacks, including falsification of the GPS time stamp and signal travel time information on GPS platforms. The analyses are completed while taking into account the number of authenticated GPS signals and the quantity of artificial GPS-like signals within the spoofing attack. The results show that the GPS time stamp attacks are more effective than signal travel time-based attacks. Also, the precision of GPS time stamp attacks can be adjusted with additional costs in attack design while staying incognito. As future work, we plan to analytically analyze the impacts of the number of GPS-like signals within the spoofing signal and find the theoretical bounds of the time-spoofing attacks.

REFERENCES

[1] M. L. Psiaki and T. E. Humphreys, “GNSS spoofing and detection,” Proceedings of the IEEE, vol. 104, no. 6, pp. 1258–1270, 2016.
[2] K. Jansen, “Detection and localization of attacks on satellite-based navigation systems,” Ph.D. dissertation, Ruhr-Universität Bochum, Universitätsbibliothek, 2019.
[3] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Capkun, “On the requirements for successful GPS spoofing attacks,” in Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, 2011, pp. 75–86.
[4] D. Schmidt, K. Radke, S. Camtepe, E. Foo, and M. Ren, “A survey and analysis of the GNSS spoofing threat and countermeasures,” ACM Computing Surveys (CSUR), vol. 48, no. 4, p. 64, 2016.
[5] L. d. A. Faria, C. A. Silvestre, M. A. F. Correia, and N. A. Roso, “GPS jamming signals propagation in free-space, urban and suburban environments,” Journal of Aerospace Technology and Management, vol. 10, 2018.
[6] N. Stenberg, “Spoofing mitigation using multiple GNSS-receivers,” Master’s thesis, Linköping University, SE-581 83 Linköping, Sweden, 2019.
[7] E. G. Manfredini, D. M. Akos, Y.-H. Chen, S. Lo, T. Walter, and P. Enge, “Effective GPS spoofing detection utilizing metrics from commercial receivers,” in Proceedings of the Institute of Navigation International Technical Meeting, 2018.
[8] X. Wei and B. Sikdar, “Impact of GPS time spoofing attacks on cyber physical systems,” in IEEE International Conference on Industrial Technology (ICIT), 2019, pp. 1155–1160.
[9] G. Falco, M. Nicola, E. Falletti et al., “A dual antenna GNSS spoofing detector based on the dispersion of double difference measurements,” in 2018 9th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC). IEEE, 2018, pp. 1–8.
[10] A. Annex, “Global positioning system standard positioning service signal specification,” United States Coast Guard Navigation Center, 1995.
[11] G. Blewitt, “Basics of the GPS technique: observation equations,” Geodetic applications of GPS, pp. 10–54, 1997.
[12] D. Manandhar, Y. Suh, and R. Shibasaki, “GPS signal acquisition and tracking-an approach towards development of software-based GPS receiver,” Technical Report of IEICE, 2004.
[13] K. Borre, D. M. Akos, N. Bertelsen, P. Rinder, and S. H. Jensen, A software-defined GPS and Galileo receiver: a single-frequency approach. Springer Science & Business Media, 2007.
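
Added example, not code from the paper or from SoftGNSS: a pure-Python Gauss-Newton LS fix for the pseudorange model (5) of Section II, used to see how a signal-travel-time offset $\Delta t_{tr}$ carried by $N_S < N$ of the pseudoranges moves the fix relative to the 700 m and 150 m reference levels of Section IV. The receiver position, clock bias, satellite geometry and all function names are constructed for illustration, and satellite positions are held fixed, so the output does not reproduce Figs. 2-5.

```python
import math

C = 299_792_458.0             # speed of light, m/s
RX = (6_371_000.0, 0.0, 0.0)  # constructed receiver at lat 0, lon 0: Up = x, East = y, North = z
RX_BIAS = C * 1e-3            # constructed receiver clock term c * tau_i, metres
# Constructed line-of-sight unit vectors to N = 6 satellites, each 22,000 km from the receiver.
LOS = [(1.0, 0.0, 0.0), (0.6, 0.8, 0.0), (0.6, -0.8, 0.0),
       (0.6, 0.0, 0.8), (0.6, 0.0, -0.8), (0.8, 0.0, 0.6)]
SATS = [tuple(r + 2.2e7 * u for r, u in zip(RX, los)) for los in LOS]

def pseudoranges(n_s=0, dt_tr=0.0):
    """Eq. (5) without atmospheric and noise terms; the first n_s ranges carry c * dt_tr."""
    return [math.dist(s, RX) + RX_BIAS + (C * dt_tr if k < n_s else 0.0)
            for k, s in enumerate(SATS)]

def solve(a, b):
    """Gaussian elimination with partial pivoting (used on the 4x4 normal equations)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x

def ls_fix(rho, iterations=10):
    """Gauss-Newton LS for (x, y, z, c * tau_i), started at the Earth's centre."""
    est = [0.0, 0.0, 0.0, 0.0]
    for _ in range(iterations):
        rows, resid = [], []
        for s, r in zip(SATS, rho):
            d = math.dist(s, tuple(est[:3]))
            rows.append([-(s[j] - est[j]) / d for j in range(3)] + [1.0])
            resid.append(r - (d + est[3]))
        ata = [[sum(g[i] * g[j] for g in rows) for j in range(4)] for i in range(4)]
        atr = [sum(g[i] * e for g, e in zip(rows, resid)) for i in range(4)]
        est = [v + dv for v, dv in zip(est, solve(ata, atr))]
    return est

def enu_error(n_s, dt_tr):
    """(East, North, Up) error in metres of the fix when n_s ranges are offset."""
    x, y, z, _ = ls_fix(pseudoranges(n_s, dt_tr))
    return (y - RX[1], z - RX[2], x - RX[0])

def exceeds_reference_level(err, horizontal=700.0, vertical=150.0):
    """Compare with the page's reference levels: 700 m on X and Y, 150 m on Z."""
    return abs(err[0]) >= horizontal or abs(err[1]) >= horizontal or abs(err[2]) >= vertical

if __name__ == "__main__":
    for n_s in range(1, 6):          # N_S < N: authentic signals remain in the solution
        err = enu_error(n_s, 1e-6)   # 0.001 ms, the smallest value in Table I
        print(n_s, [round(v, 1) for v in err], exceeds_reference_level(err))
```

With this constructed geometry, a 0.001 ms offset on the zenith satellite alone moves the fix about 660 m downward, past the 150 m level, while a 0.0001 ms offset stays inside both levels.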