how does gps spoofing work?

what is gps?

Global Positioning System is the American military term for a series of satellites around the globe used to determine the position of objects. We use GPS for everyday navigation in vehicles and on maps, and we rely on it. I should probably mention that the term I should be using is GNSS. GPS has become synonymous with pretty much all satellite navigation systems, but there are others that other countries use: Russia uses GLONASS (Global Orbiting Navigation Satellite System), and there are also Galileo (Europe), BeiDou (China), and QZSS (Japan).

GPS is essential for military purposes. Drones used for ISR as well as UAVs that carry payloads rely heavily on GPS for navigation and data collection. GPS spoofing is a common attack in modern warfare; we see heaps of instances of it in the wars in Eastern Europe and the Middle East today.

When we use the term ‘spoofing’, it just means sending fake information; that’s why we hear the term in the names of so many different cyberattacks. GPS spoofing is just another cyberattack where the receiver is deceived with fake information.

GPS spoofing is actually something you can try at home via software spoofing. GPS spoofing apps were popular when Pokemon Go was big because they allowed the player to trick their phone into thinking it was in a different position. This is very different from external spoofing, which convinces a different receiver of a different position, and no, this is not a VPN. VPNs just route your internet traffic through a different server.

how do authentic gps signals work?

The Global Positioning System is centered around satellites that orbit the Earth. These satellites constantly broadcast navigation data, and GPS receivers on the ground use data broadcast from three different satellites in order to calculate position.

Trilateration, as the name suggests, uses data broadcast from three different satellites. It’s easy to confuse with triangulation, which uses different angles from point A to point B and calculates where the lines will cross to determine position.

Trilateration uses an unknown angle but a known length, essentially a circle. In the image below, point 1 refers to satellite 1. In this figure, we don’t yet know where on the perimeter of the circle the receiver is.

We know with two satellites that the point of contact could be at either crossover point, but we are still looking for only one point of contact.

We can identify the receiver’s position from where the three circumferences intersect. In real life these are spheres used to determine position. Obviously, when using three spheres there are going to be two points of intersection, but because GPS is an Earth-centered system we can rule out one of the points, meaning the other is the location of our receiver.

So imagine the GPS receiver as a detective trying to pinpoint your location. It does this by listening to signals from multiple satellites orbiting the Earth. By calculating the distance from each satellite, it trilaterates your position.
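The three-circle picture above, as an added worked example (my own code, not from the original post): a small Go program that intersects the first two range circles to get the two crossover points, then uses the third range to pick one, exactly as described. The satellite positions, the ranges and the receiver at (3, 4) are constructed sample values on a flat plane; real receivers solve the same problem with spheres in three dimensions. The function also returns how far the chosen point misses the third range, because three ranges that do not agree on a single point are one of the first things a receiver can watch for.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Point is a position on a flat 2-D plane; the satellites' spheres from the
// post become circles so the geometry can be drawn and checked by hand.
type Point struct{ X, Y float64 }

func dist(a, b Point) float64 { return math.Hypot(a.X-b.X, a.Y-b.Y) }

// circleIntersections returns the two crossover points of the range circles
// around c1 and c2 (the two candidate positions the post describes after two
// satellites). It errors if the circles do not meet, which with real
// pseudoranges means the measurements are inconsistent.
func circleIntersections(c1 Point, r1 float64, c2 Point, r2 float64) (Point, Point, error) {
	d := dist(c1, c2)
	if d == 0 {
		return Point{}, Point{}, errors.New("circle centres coincide")
	}
	if d > r1+r2 || d < math.Abs(r1-r2) {
		return Point{}, Point{}, errors.New("range circles do not intersect")
	}
	// a: distance from c1 to the midpoint of the common chord; h: half its length.
	a := (r1*r1 - r2*r2 + d*d) / (2 * d)
	h := math.Sqrt(math.Max(r1*r1-a*a, 0))
	ux, uy := (c2.X-c1.X)/d, (c2.Y-c1.Y)/d // unit vector from c1 towards c2
	mid := Point{c1.X + a*ux, c1.Y + a*uy}
	p := Point{mid.X + h*uy, mid.Y - h*ux}
	q := Point{mid.X - h*uy, mid.Y + h*ux}
	return p, q, nil
}

// Trilaterate resolves the two-candidate ambiguity with the third circle, as
// the post resolves the two sphere intersections, and returns the residual
// (how far the chosen point misses the third range). A large residual means
// the three ranges do not describe one point.
func Trilaterate(c1 Point, r1 float64, c2 Point, r2 float64, c3 Point, r3 float64) (Point, float64, error) {
	p, q, err := circleIntersections(c1, r1, c2, r2)
	if err != nil {
		return Point{}, 0, err
	}
	resP := math.Abs(dist(p, c3) - r3)
	resQ := math.Abs(dist(q, c3) - r3)
	if resP <= resQ {
		return p, resP, nil
	}
	return q, resQ, nil
}

func main() {
	// Constructed sample: three "satellites" on a flat plane and a receiver at
	// (3, 4). The ranges are the true distances, so the residual is ~0.
	s1, s2, s3 := Point{0, 0}, Point{10, 0}, Point{0, 10}
	truth := Point{3, 4}
	pos, res, err := Trilaterate(s1, dist(s1, truth), s2, dist(s2, truth), s3, dist(s3, truth))
	fmt.Printf("fix=(%.3f, %.3f) residual=%.3f err=%v\n", pos.X, pos.Y, res, err)

	// Same geometry, but the third range is pushed off by 3 units (a
	// constructed inconsistency). A fix is still chosen from the two
	// candidates, but the residual exposes that the ranges disagree.
	pos, res, err = Trilaterate(s1, dist(s1, truth), s2, dist(s2, truth), s3, dist(s3, truth)+3)
	fmt.Printf("fix=(%.3f, %.3f) residual=%.3f err=%v\n", pos.X, pos.Y, res, err)
}
```

The residual is the useful defender's number here: a receiver that only ever reports a position has no way to say "these ranges do not fit together", while one that tracks the residual can at least raise a flag when its measurements stop agreeing.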

How does a satellite know where it is?

GPS relies on ephemeris data, a pretty important component of the GPS system that provides the precise orbital information of each GPS satellite. This includes the orbit (pictured below), which tells us the satellite’s path around Earth and therefore its location at any given time.

We can see two other variables in the orbital plane: the inclination (i) and the longitude of the ascending node (Ω), which determine the direction of the satellite’s orbital plane in space, essentially just its distance from the Earth. This also gives us more information about position at a given time.

Then we have the position within the orbit. The two variables that determine this are the argument of perigee (ω) and the true anomaly (ν). Together these give us the satellite’s exact location within its orbit. The argument of perigee tells us the starting point, measured from the ascending node, and the true anomaly indicates how far along the orbit the satellite has travelled from that starting point.
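To make the orbital elements concrete, here is an added example (my own code, not from the post or from the GEOG 862 course it links) that turns a, e, i, Ω, ω and ν into an Earth-centered position, which is what a receiver does with decoded ephemeris before it can measure a range to that satellite. The semi-major axis of about 26,560 km and the 55° inclination in the sample are round figures for the GPS constellation; the remaining sample values are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// Elements holds the classical orbital elements the post walks through.
// Distances in kilometres, angles in radians.
type Elements struct {
	A, E              float64 // semi-major axis, eccentricity (orbit size and shape)
	Inc, RAAN         float64 // inclination i, longitude of ascending node Ω (plane orientation)
	ArgP, TrueAnomaly float64 // argument of perigee ω, true anomaly ν (position in the orbit)
}

// Vec3 is an Earth-centred position in kilometres.
type Vec3 struct{ X, Y, Z float64 }

// PositionFromElements converts the elements into an Earth-centred position.
// Step 1 places the satellite in its own orbital plane with perigee on that
// plane's x axis. Step 2 rotates by ω (where perigee sits in the plane), then
// by i (tilt of the plane) and Ω (where the plane crosses the equator): the
// standard perifocal-to-inertial rotation R3(-Ω) R1(-i) R3(-ω).
func PositionFromElements(el Elements) Vec3 {
	// Distance from Earth's centre at this true anomaly (conic equation).
	r := el.A * (1 - el.E*el.E) / (1 + el.E*math.Cos(el.TrueAnomaly))
	xp := r * math.Cos(el.TrueAnomaly)
	yp := r * math.Sin(el.TrueAnomaly)

	cw, sw := math.Cos(el.ArgP), math.Sin(el.ArgP)
	ci, si := math.Cos(el.Inc), math.Sin(el.Inc)
	cO, sO := math.Cos(el.RAAN), math.Sin(el.RAAN)

	return Vec3{
		X: (cO*cw-sO*sw*ci)*xp + (-cO*sw-sO*cw*ci)*yp,
		Y: (sO*cw+cO*sw*ci)*xp + (-sO*sw+cO*cw*ci)*yp,
		Z: (sw*si)*xp + (cw*si)*yp,
	}
}

// Radius is the satellite's distance from Earth's centre, a quick sanity check
// that the rotations changed orientation but not the size of the orbit.
func Radius(p Vec3) float64 { return math.Sqrt(p.X*p.X + p.Y*p.Y + p.Z*p.Z) }

func main() {
	deg := math.Pi / 180
	// Constructed sample: a near-circular GPS-like orbit. 26,560 km and 55° are
	// round figures for the GPS constellation; the other values are made up.
	el := Elements{A: 26560, E: 0.01, Inc: 55 * deg, RAAN: 120 * deg, ArgP: 30 * deg}
	for _, nu := range []float64{0, 90, 180, 270} {
		el.TrueAnomaly = nu * deg
		p := PositionFromElements(el)
		fmt.Printf("ν=%3.0f°  pos=(%9.1f, %9.1f, %9.1f) km  r=%8.1f km\n",
			nu, p.X, p.Y, p.Z, Radius(p))
	}
}
```

Real ephemeris adds time: the broadcast gives a mean anomaly at a reference epoch plus the rate of motion, and the receiver solves Kepler's equation for the true anomaly at the instant the signal was sent before applying this rotation. The geometry step is the same.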

Ephemerides | GEOG 862: GPS and GNSS for Geospatial Professionals

There are also other factors that I’m not going to go too deep into which are also calculated, such as atmospheric correction. This is just the adjustment to account for radio signals travelling through the ionosphere, a layer of the upper atmosphere containing charged particles that can bend and slow down the GPS signal. The troposphere, the lower layer of the atmosphere, also creates a delay to the GPS signal, though this delay is apparently less than the ionosphere’s. This delay is just caused by the varying density of the air.


Now that we know how GPS works, how do receivers get spoofed?

architecture of GPS interception

So we know that GPS positioning relies on multiple satellites to determine the position of the receiver. Spoofing in its simplest form is overpowering the satellite signals with fake signals so the receiver picks them up and assumes a different position from the genuine one.

So we can imagine that spoofing works by introducing a fake signal that is stronger than the genuine satellite signals. This stronger signal, transmitted by a spoofing device, essentially "lies" to the GPS receiver about your location.

An important thing to note: above, when we discussed how GPS signals work, one of the reasons they require so many calculations is that GPS radio waves aren’t that strong. So to create a fake satellite, the signals sent have to be stronger than the authentic ones.

GPS satellites work by constantly sending out radio signals, including ranging signals used to calculate the distance from the receiver to the satellite by measuring the time the signal takes to reach the receiver. In the image above we can see the receiver position is overpowered by fake GPS signals that are stronger than those of the legitimate GNSS satellites.

Different variables determine how long the attack can go on for. These include distance to the target, how strong the transmitter is, the target’s countermeasures such as signal authentication, and environmental conditions.

Let’s talk about real-life technology. Pokrova is Ukraine’s main electronic warfare system, named after the Feast of Protection, used to spoof Russian air defenses. Unfortunately, information about Pokrova’s exact system is classified. Pokrova was deployed in 2024 and apparently has been successful at combating Russia’s weapons. How could it potentially work? When we talk about radio signals being used to communicate between satellites and receivers, those radio signals operate at different frequencies depending on their purpose. GPS satellites use two main frequencies, L1 and L2.

L1 is the primary civilian frequency, operating at 1575.42 MHz. It carries the C/A code (Coarse/Acquisition code), which is freely available to all users. L2 operates at 1227.60 MHz and is used for both civilian and military purposes. It carries the P code (Precision code), which is encrypted and requires authorization to access. We know that these frequencies carry ranging signals, which are given unique codes (kind of like data packets being sent over a network) that allow GPS receivers to measure the time it takes for the signal to travel from the satellite to the receiver. By calculating the distance to multiple satellites, the receiver can trilaterate its position.

This is where it gets more complex. While simply transmitting a stronger signal can disrupt a receiver, sophisticated spoofing attacks need to replicate the entire GPS signal, including the navigation message. To spoof an enemy drone, several things have to happen. Obviously, the spoofer needs to transmit on the same frequencies as genuine GPS satellites (L1 and L2). The spoofed signal also needs to be modulated with the same codes (C/A code and P code) as the authentic signals, which ensures the receiver recognises it as a legitimate GPS signal. Doing this, however, only replicates the signal structure; the navigation message also needs to be replicated.

It’s kind of difficult to visually describe a navigation message, but I did manage to find this on Navipedia. In order to come across as a legitimate satellite signal, the spoofer must transmit a modified navigation message containing false ephemeris data, which misleads the receiver about the satellite’s actual position. The spoofer’s internal clock also needs to be matched to GPS system time so that the timing information within the navigation message looks like that of a legitimate message.

GPS Navigation Message - Navipedia

It’s hard to visualize the image above because the message is carried on radio wave bands that are spread out to prevent interference. Each frame and subframe carries specific information, such as ephemeris data, almanac data, and clock corrections. This is essentially like an email being sent to you from your GPS satellite (or GPS spoofer, depending).

We know that in order to spoof a receiver, the signal must be stronger than the actual satellite’s and must also be transmitted within the same bandwidth. This can be achieved through the use of high-powered amplifiers and directional antennas. What are they?

There are several types of amplifiers used in warfare. Traveling Wave Tube Amplifiers (TWTAs) are known for their high power output and wide bandwidth, making them suitable for amplifying spoofed GPS signals. Solid State Power Amplifiers (SSPAs) use solid-state components like transistors, offering advantages like higher efficiency, smaller size, and better reliability compared to TWTAs. The amplifier used often depends on military budget as well as practical application: TWTAs are more difficult to move around and get close to a target, but they are more powerful.

At the electron level, TWTAs use a beam of electrons travelling through a long, evacuated tube with a helical wire wrapped around it. The input signal interacts with this electron beam, which amplifies it. SSPAs, on the other hand, use solid-state components, primarily transistors (like those made from gallium arsenide or gallium nitride), to amplify the signal.

It’s actually pretty cool how these work. I have attached an image below. At the start of the TWTA we have a heater element that heats up the cathode. The heated cathode then emits electrons, which are accelerated by the gun anode to form a beam travelling down the length of the tube. The input signal, in this case the fake GPS satellite signal, is applied to the helix and creates an electromagnetic wave that travels along the helix at the same speed as the electron beam. As the beam interacts with the wave on the helix, energy is transferred from the electrons to the wave, which amplifies the signal.

diagram of a TWTA

Directional antennas focus the transmitted signal in a specific direction. This increases the power of the spoofed signal at the target receiver, increasing the likelihood of overpowering genuine satellite signals. By concentrating the signal in a specific direction, directional antennas also minimise interference with other GPS receivers in the vicinity. This reduces collateral effects and makes the spoofing attack more discreet.

There are different types of antenna used in this scenario to overpower genuine GPS signals. Parabolic antennas have a dish-shaped reflector that focuses the signal in a specific direction, increasing the signal strength in that direction and reducing signal loss in other directions. Phased array antennas consist of multiple antenna elements that can be electronically steered to focus the signal in different directions. This allows for rapid beam steering and can be used to track and target specific receivers; these are more useful if you know exactly what your target is and where it is.

how do we defend against GPS spoofing?

Obviously, GPS spoofing is an ever-evolving landscape. We know that at its core, GPS spoofing is a combination of overpowering a signal using amplifiers and matching the signal frequency and navigation message to make the fake signal appear legitimate. How do we prevent spoofing from occurring?

The first countermeasure I’m going to discuss is a cryptography-based one: digital signatures. The GPS satellite adds a unique digital signature to its navigation message. This signature is created using a secret key known only to the satellite and authorized receivers. Digital signatures use asymmetric cryptographic algorithms such as the Rivest-Shamir-Adleman (RSA) algorithm where, if we imagine the satellite as the server side and the receiver as the client side, each navigation message is encrypted with a public key and the client has a copy of the private key to decrypt the message.
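As an added illustration of the digital-signature idea (my own code, not part of the original post): a Go program that signs a constructed navigation-message string with ECDSA over P-256 and verifies it, then changes one digit of the ephemeris and shows that the original signature no longer verifies. In a signature scheme the signer keeps the private key and every receiver needs only the public key, which is the convention the code follows. The message fields and the key pair are constructed here; a real deployment of the same idea is Galileo’s OSNMA, which authenticates navigation messages over the air.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// navMessage is a constructed stand-in for the fields a navigation message
// carries (satellite id, ephemeris, clock correction). Real messages are
// bit-packed subframes; a readable string is enough to show what the
// signature protects.
var navMessage = []byte("PRN=07|toe=388800|sqrtA=5153.7|e=0.0123|i0=0.96|Omega0=1.23|af0=-0.00012")

// signNavMessage is the satellite/operator side: hash the message and sign the
// digest with the private key, which never leaves the signer.
func signNavMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyNavMessage is the receiver side: recompute the digest and check the
// signature against the public key. The receiver holds only the public key.
func verifyNavMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs the constructed message and verifies it, then alters one digit
// of the eccentricity (a constructed tamper, standing in for the false
// ephemeris the post describes) and verifies again with the original
// signature. It returns (genuine verifies, tampered verifies).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := signNavMessage(priv, navMessage)
	if err != nil {
		return false, false, err
	}
	genuineOK := verifyNavMessage(&priv.PublicKey, navMessage, sig)

	tampered := append([]byte(nil), navMessage...)
	field := []byte("e=0.0123")
	i := bytes.Index(tampered, field)
	tampered[i+len(field)-1] = '4' // "e=0.0123" -> "e=0.0124"
	tamperedOK := verifyNavMessage(&priv.PublicKey, tampered, sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine message verifies:    %v\n", genuine)  // true
	fmt.Printf("tampered ephemeris verifies: %v\n", tampered) // false
}
```

The practical caveat is key distribution and time: the receiver must already trust the public key before it flies, and a signature on the message does not by itself stop the timing attacks the post mentions, which is why deployed schemes pair the signature with a time-bound key chain rather than a single static key.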

INS (inertial navigation system) is an independent backup form of navigation used by aerial vehicles. By constantly measuring acceleration and rotation, INS can estimate the vehicle’s position and orientation relative to a known starting point. Its relevance to preventing GPS spoofing is that INS can be used as a cross-reference to check whether GPS is correct. The reason INS isn’t used as a main source of navigation is how it measures position. INS relies on accelerometers, which measure changes in velocity, and gyroscopes, which measure changes in orientation/rotation. INS is known to be prone to error accumulation, where small measurement errors build up over time and lead to larger position errors, which is known as drift. INS is also prone to errors caused by disturbances from shocks and vibrations. However, INS is a great tool for checking whether you are currently being spoofed.

We already covered the fact that GNSS is the umbrella term for all positioning satellite systems across the globe. A great way to protect against spoofing is to utilise all systems when possible. This includes GLONASS (Russia), Galileo (Europe), and BeiDou (China). Each constellation acts independently, with its own set of satellites and signals. If an adversary wanted to spoof a receiver that is operating on multiple GNSS systems, they would need to know the structure of the signals from each constellation, including their frequencies, modulation schemes, and navigation messages, and then replicate the signals from each constellation. At the same time they would have to transmit spoofed signals for all of the constellations simultaneously, ensuring that the receiver locks onto the spoofed signals instead of the genuine ones.

It is generally possible for countries to use all of the major GNSS systems. However, not all GPS receivers are capable of receiving signals from all GNSS constellations. Some receivers are designed to work only with a specific constellation, while others can receive signals from multiple constellations. Availability of signals from different constellations can also vary depending on location; in some areas, the signals from certain constellations are blocked or degraded.

We can also rely on hybrid techniques to defend against GPS spoofing, where we combine data from multiple sources to determine location more accurately than any single system can. This is valuable when dealing with challenging environments or a compromised receiver. We already know that the basis of a hybrid system is GPS/GNSS navigation plus INS. We can add other sensor systems to ensure accurate positioning, such as vision-based systems, where cameras identify landmarks, match images to maps, or detect visual features to determine position. There is also Wi-Fi/cellular trilateration, which uses the strength of Wi-Fi or cellular signals from known access points so the system can estimate its position. By comparing data from different sources, the system can detect inconsistencies that could indicate a problem with one of the sources, such as GPS spoofing or a sensor malfunction.
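To show the INS cross-check from two paragraphs up, and the broader "compare the sources" idea from the hybrid paragraph, in code, here is an added example (my own, not the post’s): a toy dead-reckoning INS whose position uncertainty grows with time to stand in for drift, and a check that rejects any GPS fix that lands outside that uncertainty. The drive, the drift rate and the 500 m jump in the GPS fixes are all constructed, and the linear uncertainty growth is a deliberate simplification rather than a real sensor error model.

```go
package main

import (
	"fmt"
	"math"
)

// Vec2 is a flat east/north position in metres (or velocity in m/s).
type Vec2 struct{ E, N float64 }

// INS is a toy dead-reckoning state: acceleration is integrated into velocity
// and velocity into position. The post's "drift" is modelled as a position
// uncertainty that grows linearly with time; the rate is constructed and is
// not a real sensor specification.
type INS struct {
	Pos, Vel  Vec2
	Sigma     float64 // current 1-sigma position uncertainty, metres
	DriftRate float64 // extra uncertainty per second, metres
}

// Propagate advances the estimate by dt seconds using the measured acceleration.
func (s *INS) Propagate(accel Vec2, dt float64) {
	s.Pos.E += s.Vel.E*dt + 0.5*accel.E*dt*dt
	s.Pos.N += s.Vel.N*dt + 0.5*accel.N*dt*dt
	s.Vel.E += accel.E * dt
	s.Vel.N += accel.N * dt
	s.Sigma += s.DriftRate * dt
}

// CheckFix compares a GPS fix with the INS estimate. A fix further away than
// k*Sigma plus the GPS's own nominal error is inconsistent and is rejected;
// a consistent fix is accepted and used to reset the INS, which is what
// removes the accumulated drift in normal operation.
func (s *INS) CheckFix(gps Vec2, gpsErr, k float64) (bool, float64) {
	gap := math.Hypot(gps.E-s.Pos.E, gps.N-s.Pos.N)
	if gap > k*s.Sigma+gpsErr {
		return false, gap
	}
	s.Pos = gps
	s.Sigma = gpsErr
	return true, gap
}

// RunScenario drives a constructed 10-second straight run at 10 m/s east with
// one fix per second. The fixes agree with the INS for the first six seconds;
// from t = 7 s they are displaced 500 m north (constructed inconsistency).
// It returns the seconds at which a fix was rejected.
func RunScenario() []int {
	ins := &INS{Vel: Vec2{E: 10}, Sigma: 2, DriftRate: 0.5}
	var rejected []int
	for t := 1; t <= 10; t++ {
		ins.Propagate(Vec2{}, 1) // constant velocity, no acceleration
		gps := Vec2{E: float64(10 * t)}
		if t >= 7 {
			gps.N += 500
		}
		ok, gap := ins.CheckFix(gps, 5, 3)
		fmt.Printf("t=%2ds ins=(%.0f,%.0f) gps=(%.0f,%.0f) gap=%.1f accepted=%v\n",
			t, ins.Pos.E, ins.Pos.N, gps.E, gps.N, gap, ok)
		if !ok {
			rejected = append(rejected, t)
		}
	}
	return rejected
}

func main() {
	fmt.Println("rejected fixes at seconds:", RunScenario()) // [7 8 9 10]
}
```

The design point is the threshold: because Sigma grows while fixes are being rejected, a long spoofing episode eventually widens the window enough for a false fix to be accepted, so a real system bounds that growth, adds the other sources from the hybrid paragraph as extra votes, and treats a run of rejections as an alert rather than a nuisance.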

We already use hybrid systems in day-to-day life through self-driving cars and airplanes; both use a combination of GPS, INS, cameras, lidar, and radar to navigate and localise themselves.

Traditional network-based techniques often involve monitoring the signal strength and quality of GPS signals. There are also pen-testing techniques such as running GPS emulators, which simulate the GPS signal so organisations can test the quality of their systems against common attacks. This involves static testing, which compares the emulator’s output to real-world GPS data under controlled conditions (e.g., stationary testing) to ensure accurate positioning, as well as dynamic testing of the emulator’s performance under various conditions such as movement, changes in altitude, and exposure to environmental factors like temperature and humidity.

Once we know that the GPS emulator works under normal conditions, it can be exposed to possible attacks so we can test its ability to generate accurate and realistic navigation messages, including ephemeris data, almanac data, and clock corrections. This sits alongside your basic security audits, such as resistance to tampering and unauthorised modification, and how secure the hardware components used in the emulator are, such as the processor, memory, and communication interfaces.

honourable mention

This is kind of relevant, but mostly it’s just really interesting, so let’s go over some background. In 1836, Michael Faraday discovered that excess electrical charge on a conductor resides only on its outer surface. He demonstrated this by building a room coated with metal foil. When high-voltage electricity was discharged onto the outside of the room, the inside was unaffected. This concept is known as a Faraday cage.

How does this work? Say we have an enclosure made of sheet metal. When an external electric field is applied to this cage, the free electrons within the metal redistribute themselves. They move around until they create an opposing electric field inside the cage. This opposing field cancels out the external field, leaving the inside of the cage neutral.

If we use GPS signals as an example: receivers are, obviously, built to receive electromagnetic waves, which makes them prone to spoofing attacks. Faraday cages are designed to block electromagnetic waves, and GPS signals are electromagnetic waves. If a GPS receiver were inside a Faraday cage, it would not be able to receive the signals from the satellites.

So the way around this is to partially shield a GPS receiver from external signals using a Faraday cage. By shielding the receiver from external signals, we can make it more difficult for a spoofer to transmit a stronger signal and overwhelm the legitimate ones.

Testing Mobile Apps with GPS Spoofing: Our Testing Approach

There’s a really cool link above with a tutorial on how to make your own Faraday cage from tinfoil.

Why is this relevant?

Why should we care about GPS spoofing?

This is a common attack used today in ongoing wars around the planet, and even in our day-to-day lives GPS technology is relevant to countless things. It can affect you because it can also be used to target civilian aircraft, ships, and vehicles, although that hopefully won’t happen to you. Spoofing can disrupt transportation systems, disrupt financial transactions, and compromise the integrity of critical infrastructure like power grids and communication networks.

We have seen how important it is in the war between Russia and Ukraine. Both sides heavily rely on drones for surveillance, reconnaissance, and attack missions. Spoofing disrupts a drone’s navigation and can destabilise its flight, potentially causing it to crash. It can also interfere with artillery and missile systems like precision-guided munitions, causing them to strike unintended targets, which can result in civilian casualties, which is not fun.

At the end of the day, it’s an important piece of technology and another field in the landscape that is cyberwarfare.


