On the Requirements for Successful GPS Spoofing Attacks

Nils Ole Tippenhauer

Christina Ppper

Dept. of Computer Science Dept. of Computer Science

ETH Zurich, Switzerland
ETH Zurich, Switzerland

tinils@inf.ethz.ch

Srdjan Capkun

Computer Science Dept.

UCI, Irvine, CA

Dept. of Computer Science

ETH Zurich, Switzerland

poepperc@inf.ethz.ch kbrasmus@ics.uci.edu capkuns@inf.ethz.ch

ABSTRACT

kle monitors, and aviation controls trust the correct monitoring of

airplane traffic.
This heavy reliance on civilian GPSfollowing the discontinuation of the selective availability feature of GPS in the year 2000
motivated a number of investigations on the security of GPS. These
investigations found that civilian GPS is susceptible to jamming
and spoofing attacks [9, 11, 16, 19]. Successful spoofing experiments on standard receivers have been reported [7, 23], showing
that commercial-off-the-shelf receivers do not detect such attacks.
The increased availability of programmable radio platforms such as
USRPs [5] leads to a reduced cost of attacks on GPS. However, the
requirements for GPS spoofing were so far not analyzed systematically and many of the previously proposed countermeasures [8, 16]
assume a weak attacker that is, e. g., not able to generate signals
with sufficient precision.
In this work, we investigate spoofing attacks on civilian and military GPS and analyze the requirements for their success as well as
their limitations in practice. We divide the problem of GPS spoofing into the following two problems: (i) sending the correct spoofing signals such that they reach the receiver with the right timing,
and (ii) getting a victim that is already synchronized to the legitimate GPS service to lock onto the attackers spoofing signal. Regarding the first problem, we analyze the effects of GPS spoofing
signals on multiple receivers and analyze under which conditions a
group of victims can be spoofed such that, e. g., their mutual distances are preserved. Our analysis shows that, in order to spoof a
group of victims while preserving the mutual distances, the attacker
can only transmit from a restricted set of locations. To the best of
our knowledge, such an analysis has not been done before. The
second problem of taking over the satellite lock is relevant for performing attacks in real-world situations. In most cases, the victim
will have been receiving legitimate GPS signals when the spoofing
attack starts. It is thus important to know the required precision
of the spoofing signal such that the victim seamlessly (i. e., without detection) switches lock from the legitimate GPS signal to the
attackers spoofing signal. We explore the influence of imperfections (in different aspects of signal power and timing) in a series of
experiments and discuss the findings.
In short, our main contributions are as follows: First, we define
the GPS group spoofing problem. Second, we analyze spoofing attacks on single and multiple receivers in civilian and military GPS
systems and we infer theoretical bounds on the conditions for their
success. Third, using a GPS signal generator1 , we investigate the
requirements for civilian GPS spoofing by seamless satellite-lock
takeover under varying power, timing, and location precision of the
attackers spoofing signals and we provide bounds on these param-

An increasing number of wireless applications rely on GPS signals

for localization, navigation, and time synchronization. However,
civilian GPS signals are known to be susceptible to spoofing attacks which make GPS receivers in range believe that they reside
at locations different than their real physical locations. In this paper, we investigate the requirements for successful GPS spoofing
attacks on individuals and groups of victims with civilian or military GPS receivers. In particular, we are interested in identifying
from which locations and with which precision the attacker needs
to generate its signals in order to successfully spoof the receivers.
We will show, for example, that any number of receivers can
easily be spoofed to one arbitrary location; however, the attacker is
restricted to only few transmission locations when spoofing a group
of receivers while preserving their constellation.
In addition, we investigate the practical aspects of a satellitelock takeover, in which a victim receives spoofed signals after first
being locked on to legitimate GPS signals. Using a civilian GPS
signal generator, we perform a set of experiments and find the minimal precision of the attackers spoofing signals required for covert
satellite-lock takeover.

1.

Kasper B. Rasmussen

INTRODUCTION

The Global Positioning System (GPS), originally introduced by

the US military, has become an essential component for numerous
civilian applications. Unlike military GPS signals, civilian GPS
signals are not encrypted or authenticated and were never intended
for safety- and security-critical applications. Nevertheless, GPSprovided locations are being used in applications such as vehicular navigation and aviation, asset monitoring (e. g., cargo tracking), and location-based services (e. g., routing) [22]. The use of
the GPS system also includes time synchronization; examples are
time stamping in security videos and critical time synchronization
in financial, telecommunications and computer networks. Users
highly rely on the precision and correctness of GPS location and
time: transport companies depend on the correctness of localization to track trucks, cargoes, and goods under GPS surveillance,
courts rely on criminals being correctly tracked by GPS-based an-

Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$10.00.

1
Satellite signal generators are also called satellite simulatorswe
use both notations in this paper.

eters for the receiver used in our experiments.

The structure of the paper is as follows. We give background
information on GPS positioning and discuss related work on GPS
spoofing in Section 2. We introduce the GPS spoofing problem
and our system and attacker models in Section 3. In Section 4,
we analyze under which conditions GPS spoofing attacks are successful on single victims and groups of victims. The results of our
experimental evaluation are presented in Section 5. In Section 6,
we introduce a novel countermeasure against GPS spoofing attacks
which is based on multiple receivers. We conclude the paper in
Section 7.

2.

Figure 1: A GPS receiver V works by observing the signals

from a set of satellites. The relative delays of the signals si (t)
can be used to solve four equations which determine the 3dimensional position L and the time offset of the receiver V .

BACKGROUND

In this section, we introduce the fundamental concepts of GPS

(based on [11]) which are necessary for this work. We also summarize related work on the security of GPS.

The clock offset adds a fourth unknown scalar. With pseudorange measurements to at least four transmitters Si , the resulting
system of equations (4) can be solved for both L and , providing
both the exact position and time, without requiring a precise local
S
S
S
clock. Given LS
i = (xi , yi , zi ), L = (x, y, z), and = c , we
can transform (4) into the following set of equations [1]:

2.1 The Global Positioning System

The Global Positioning System (GPS) uses a number of satel3
lite transmitters Si located at known locations LS
i R . Each
transmitter is equipped with a synchronized clock with no clock
offset to the exact system time tS and broadcasts a carefully chosen navigation signal si (t) (low auto-/cross-correlation2 , including
timestamps and information on the satellites deviation from the
predicted trajectories). The signal propagates with speed c (see
Figure 1).
A receiver V located at the coordinates L R3 (to be determined) and using an omnidirectional antenna will receive the combined signal of all satellites in range:


X
|LS L|
A i si t i
g(L, t) =
+ n(L, t)
(1)
c
i

2
S 2
S 2
2
(x xS
i ) + (y yi ) + (z zi ) = (Ri )

2.2 Related Work

In 2001, the Volpe report [8] identified that (malicious) interference with the civilian GPS signal is a serious problem. Starting
with this report, practical spoofing attacks were discussed in several publications. In [23], the authors use a WelNavigate GS720
satellite simulator mounted in a truck to attack a target receiver in
a second truck. The authors succeeded in taking over the victims
satellite lock by manually placing an antenna close to the victims
receiver. After the victim was locked onto the attackers signal
the spoofing signal could be sent from a larger distance. Instead
of using a GPS simulator, the authors of [7] create GPS spoofing
signals by decoding legitimate GPS signals and generating timeshifted copies which are then transmitted with higher energy to
overshadow the original signals; a similar approach is also used
in [14]. This approach requires less expensive equipment but introduces considerable delays between the legitimate and the spoofed
signals. GPS spoofing attacks are discussed analytically in [11],
showing that an attacker can manipulate the arrival times of military and civilian GPS signals by pulse-delaying or replaying (individual) navigation signals with a delay. We note that there is no
unique attacker model used for spoofing attacks, and thus the assumptions on the attackers capabilities vary between these works.
Given the lack of attacker models, the proposed countermeasures
range from simple measures to constant monitoring of the channel.
In [8], consistency checks based on inertial sensors, cryptographic
authentication, and discrimination based on signal strength, timeof-arrival, polarization, and angle-of-arrival are proposed. The authors of [16, 17, 24] propose countermeasures based on detecting
the side effects of a (not seamless) hostile satellite-lock takeover,
e. g., by monitoring the local clock and Doppler shift of the signals. Kuhn proposes an asymmetric scheme in [11], based on the
delayed disclosure of the spreading code and timing information.

(2)

With three known ranges di to known transmitter positions LS

i ,
three equations (2) can be solved unambiguously for L (unless all
three Si are located on a line). Since highly stable clocks (e. g.,
cesium oscillators) are costly and GPS receivers cannot participate
in two-way clock synchronization, in practice, V will have a clock
offset to the exact system time: t = tS + . With this, Eq. 1 can
be rewritten:


X
di
g(L, tS ) =
A i si t
+ n(L, tS )
(3)
c
i
where the receiver can only infer the pseudoranges Ri from the
delays di /c + :
Ri = di + c .

(5)

Geometrically, given a , each Si s equation translates into a sphere

with LS
i being the center. The set of equations (5) is overdetermined for more than four satellites and generally does not have a
unique solution for L because of data noise. It can be solved by numerical methods such as a least-mean-square approach or Newtons
method [1].

where Ai is the attenuation that the signal suffers on its way from
S
S
LS
i to L, |Li L| denotes the Euclidean distance between Li and
L, and n(L, t) is background noise.
Due to the properties of the signals si (t), the receiver can separate the individual terms of this sum and extract the relative spreading code phase, satellite ID, and data content using a replica of the
used spreading code. Given the data and relative phase offsets, the
receiver can identify the time delay |LS
i L|/c for each satellite
and from that infer the ranges
di = |LS
i L|.

Si

(4)

In civilian GPS, the signals are spread using publicly known

spreading codes. The codes used for military GPS are kept secret;
they serve for signal hiding and authentication.
2

Si
LS
i
si
Vj
Lj
Lj
Pj

Rij
A
Rij

i-th satellite
coordinates of Si
signal sent by Si
j-th victim (receiver)
GPS coordinates of Vj
spoofed coordinates of Vj
physical coordinates of Vj
Vj s calculated PR to Si
Vj s spoofed PR (by Ai )

Ai
PiA
LA
i
sA
i
iA
j
j
c
j

i-th attacker unit

physical coordinates of Ai
claimed coordinates of Ai
signal sent by Ai
time offset of sA
i
GPS clock offset of Vj
spoofed clock offset of Vj
signal propagation speed
= j c

Table 1: Summary of notations (PR = pseudorange).

Figure 2: Basic attack scenario. (a) Visualization of the setup.
The victim uses a GPS-based localization system and is synchronized to the legitimate satellites. (b) Abstract representation of the scene. (c) The attacker starts sending own spoofing
and jamming signals. (d) The victim synchronizes to the attackers signals.

e. g. the one reported in [23]. In this scenario, a cargo truck (the

victim), had a GPS unit that was housed in a tamper-proof casing and was sending cryptographically authenticated status updates
with a fixed rate to a monitoring center. The attacker planned to
steal the truck to get access to its loaded goods at a remote place.
He got close to the victim and started transmitting forged (spoofed)
signals in order to modify the location computed by the receiver
(see Figure 2). In this setting, if the attacker can influence the localization process, he can make the victim report positions to the
monitoring center that are unrelated to its actual physical position
and thus steal the truck without raising suspicion or revealing the
trucks real location.

In general, countermeasures that rely on modifications of the GPS

satellite signals or the infrastructure (such as [11] and certain proposals in [8]) are unlikely to be implemented in the near future due
to long procurement and deployment cycles. At the same time,
countermeasures based on lock interrupts or signal jumps do not
detect seamless satellite-lock takeovers.
Few publications [3, 1214] present experimental data on the effects seen by the victim during a spoofing attack. The authors
of [13] use a setup based on two antennas to measure the phase
difference for each satellite to detect the lock takeover. [3] and [14]
analyze the spoofing effect on the carrier and code level. The authors of [12] present a device that prevents spoofing by monitoring and potentially suppressing the received signals before they are
processed by the GPS receiver.
All works above only consider attacks on single GPS receivers
but not on groups of receivers. In addition, none of them investigated the requirements for successful attacks on public GPS receivers, such as required precision of the attackers spoofing signals. Although we expect that more works on GPS spoofing and
anti-spoofing countermeasures were performed in classified (military) settings, they are not accessible to the public.

3.

3.2 System Model

Our system consists of a set of legitimate GPS satellites and a
set V of victims (see Table 1 for notations used). Each victim is
equipped with a GPS receiver that can compute the current position
and time as described in Section 2. We assume that each receiver
Vj V is able to receive wireless GPS signals, compute its position, and store its position/time-tuples. If several GPS receivers
belong to a common group (e. g., they are mounted on the same
vehicle), we assume that they can communicate to exchange their
computed locations or are aware of the groups (fixed) formation.
The GPS location of each individual victim Vj V is given by
its coordinates Lj R3 in space and the victims clock offset j
with respect to the GPS system time tS . We note that the computed
GPS coordinates Lj and clock offset j do not necessarily correspond to the true (physical) coordinates Pj R3 and time.3 We
define the local time of Vj as tj = tS + j , i. e., j < 0 refers to an
internal clock that lags behind. We use L to denote the set of GPS
locations of the victims in V.
A GPS spoofing attack may manipulate a receivers coordinates
in space and/or its local time. We denote a victims spoofed coordinates by Lj R3 and the spoofed time offset by j . We use L
for the set of spoofed victim locations.
In our analysis in Section 4, we distinguish between civilian
GPS, which uses the public C/A codes so that each satellite signal si contains only public information, and military GPS, which
provides authentic, confidential signals using the secret P(Y) codes.
In the experimental evaluation in Section 5, we use a satellite signal
generator for civilian GPS.

PROBLEM FORMULATION

In order to give an intuition of the problem, we present our motivation and an exemplary use case. Subsequently we define our
system and attacker models and formulate the GPS spoofing problem.

3.1 Motivation
The fundamental reasons why GPS spoofing works have been
discussed in the literature before, and spoofing attacks have been
demonstrated on single receivers experimentally. In this work, we
show under which conditions the attacker can establish the correct parameters to launch a successful spoofing attack on one or
more victims, and later in the experiments, how inaccuracies in
these parameters influence the lock takeover during the attack. This
analysis enables us to identify which attacks are theoretically possible and which attacks would be noticeable as (potentially nonmalicious) signal loss at the GPS receivers. This is important for
proposing effective receiver-based countermeasures, which are not
implemented yet in current standard GPS receivers.
Our work is further motivated by the real-life spoofing attacks,

3.3 Attacker Model

GPS signals can be trivially spoofed under a Dolev-Yao [4]-like
attacker that is able to fully control the wireless traffic by intercepting, injecting, modifying, replaying, delaying, and blocking
messages without temporal constraints for individual receivers, see
Figure 3(b). If the attacker has full control over the input to each
individual receiver antenna, he can send the signals as they would
3

Typically, the difference |L P | is less than a few meters [21].

A
|LS
i Pi | c, i. e., signals can be delayed but not sent prior
to their reception. We note that neither the spreading codes
nor the data content of the signal need to be known to the
attacker for a successful selective-delay attack.
We note that these attacker models are very strong. Nevertheless,
we consider them appropriate for our analysis because we want to
make general statements that hold even under very strong (worstcase) attackers with sophisticated equipment.

3.4 Formulation of GPS Spoofing Problems

Figure 3: Models of the attackers antenna coverage. (a) The

attackers signals reach all victims (used in the analysis of this
paper). (b) The attackers antennas each only reach one victim.
This requires the attacker to be in close proximity to the victims
if the distances between the receivers are small.

We first define GPS spoofing attacks and then present two GPS
spoofing problems for the attacker.
Definition 1 (GPS Spoofing Attack). Let a victim V compute its
GPS location as L and its GPS time as t in the absence of an attacker. In a GPS spoofing attack, the attacker sends spoofing signals to manipulate the victims GPS-based location calculations.
As a result, V computes its location as L 6= L and/or time as
t 6= t.

be received at any location Lj . This would, however, require the

attacker to either be very close to each receiver or to use directional
antennas with narrow beam widths and shielding to prevent that the
signals intended for one victim are also received by another victim;
in both cases, the number of required attacker antennas would be
linear in the number of
victims. In this work we
assume that the signals sent by the attacker are transmitted wirelessly and that they will be received by all victims in V, see Figure 3(a).
The attacker controls a set of wireless transmitters that he can
move and position independently. We denote by PiA R3 the
physical location of the i-th transmission unit of the attacker (manipulating the signals of satellite Si ), and the set of all physical
attacker locations from where the attacker is transmitting by P A .
We assume that the attackers inherent, unwanted clock offset to the
GPS system time is negligible4 and use iA to capture the time shift
introduced by the attacker in the transmission of signal sA
i with
respect to the signal si and the system time tS . For example, for
1A = 10 ms, the attacker transmits the spoofed signal 10 ms after
the signal s1 was transmitted by satellite S1 .
For our analysis, we assume that the attacker is aware of the
victims physical locations (the influence of errors in the attackers
location estimates is evaluated in Section 5). We further denote by
|LS
i Pj | the physical distance between satellite Si and victim
Vj . Similarly, |PiA Pj | denotes the physical distance between
the attackers antenna at PiA and victim Vj . Given this setting, we
distinguish the following two types of attacks:
Attacks on civilian (unauthenticated) GPS: The attacker can delay signals or send them prematurely, i. e., iA R. He can
modify the content of received GPS signals or arbitrarily generate the spoofing signals sA
i using the public GPS parameters (e. g., by using a GPS signal generator). This is possible
because civilian GPS signals are not authenticatedgiven
the right hardware, anyone can transmit his own GPS signals. Thus the attacker can also modify the claimed locations
S
of the satellites: LA
i 6= Li . We note that on standard GPS
receivers, the data content in the received GPS signals is not
checked for plausibility or consistency [15].
Attacks on military (authenticated) GPS: The attacker is not able
to generate valid military GPS signals. All he can do is to
capture and relay existing signals, e. g. by separating signals
from different satellites using high-gain directional antennas
and broadband transceivers (called Selective-Delay in [11]).
This means that the attacker can delay existing GPS signals
and amplify or attenuate them. He is restricted by iA
4

Definition 1 can also be extended to groups of victims:

Definition 2 (GPS Group Spoofing Problem). Let L be a set of
target locations for each Vj V and let tj T denote the target time for Vj . The GPS Group Spoofing Problem is the problem
of finding combinations of GPS signals sA
i (sent by the attacker),
S
A
transmission times tA
i = t + i (when the spoofing signals are
sent), and physical transmission locations PiA (from where the attacker transmits) such that the location or time of each Vj V is
spoofed according to Definition 1.
We note that the physical attacker locations PiA do not have to
correspond to the claimed satellite positions LA
i in the GPS messages (for civilian GPS, LA
i can even be chosen by the attacker).
As we will show in Section 4.2, the GPS spoofing problem for a
single victim has a trivial solution for any target location.
In Section 4.3, we will analyze the necessary restrictions on the
spoofed locations such that the GPS Group Spoofing Problem can
be solved. We therefore define a decisional version of the GPS
Group Spoofing Problem.
Definition 3 (Decisional GPS Group Spoofing Problem). Let P be
the set of physical locations of the victims in V. Let L and T
be defined according to Definition 2. The Decisional GPS Group
Spoofing Problem for P, L , T is the decision problem whether
there exists at least one set of attacker locations P A from where
the attacker can send the spoofing signals sA
i such that the location
or time of each victim Vj V is spoofed according to Definition 1.
In practice, the GPS Group Spoofing Problems (Definitions 2
and 3) may be restricted in terms of attacker capabilities. For example, the attacker may only be able to position his transmission
antennas at a restricted set of physical locations PA , at a restricted
set of claimed satellite positions LA
, or he may only be able to
send the spoofing signals at a restricted set of transmission times
TA (e. g., if he must receive legitimate signals before he can send
the spoofing signals). In these cases, the GPS Group Spoofing
Problems can be modified to take the restricted attacker capabiliA
A
ties LA
, P , T as additional input and find solutions that fulfill
A
A
A
A
P P , L LA
TA .
, or T

4. SOLVING GPS SPOOFING PROBLEMS

We now analyze how our attacker (as defined in Section 3.3) can
spoof the locations of one or more receivers. In this section, we
abstract away from implementation issues (such as taking over an
established lock to legitimate satellites, see Section 5), and assume
that there are no legitimate signals present on the channel.

The attacker can synchronize his time to legitimate GPS signals.

4

Equally, we define bijk as the difference of pseudoranges of the

claimed satellite location LA

i and the spoofed victim locations Lj

and Lk (see Figure 4):

bijk = Rij
Rik

= |Lj LA
i | |Lk Li | + j k .

4.2 Spoofing to One Location

Figure 4: The GPS spoofing scenario for two victims in 2 dimensions. The attacker is impersonating a satellite with the
claimed (forged) location LA
i , using an antenna positioned at
PiA . The victims are two receivers with physical positions at P1
A
and P2 . For each signal sA
i , the attacker ensures that Ri1 and
A

Ri2 match Ri1 and Ri2 , and therefore V1 and V2 compute their
locations as L1 and L2 with clock offsets 1 and 2 . Here, bi12
and bi12 are the differences of pseudoranges between V1 and
V2 .

Result 1. One or more receivers Vj V can be spoofed to any

one location L using a single attacker antenna. Spoofing multiple
receivers to the same location L will generally lead to different
time offsets j at each victim.
The reason for this is that the time-differences of arrival of the
individual satellite signals determine the location that each receiver
will compute. If the spoofed signals are all sent from the same
attacker antenna, all victims will obtain the same time-differences.
A detailed proof is given in Appendix A, along with a discussion
of the resulting time differences at the victims.

4.1 Construction of Pseudoranges

The attackers physical location PiA , his transmission time offset
iA , and the claimed satellite position LA
i all influence the location Lj as computed by a victim Vj (see Sections 2 and 3.2). By
setting his physical location PiA and transmission offset iA , the
attacker can influence the pseudorange computation at the victim.
The expected pseudorange that a victim at physical position Pj will
compute based on the attackers signal sA
i is
A
Rij
= |Pj PiA | + iA c

4.3 Spoofing to Multiple Locations

We next consider multiple receivers at distinct physical locations P1 , . . . , Pn that the attacker tries to spoof to the locations
L1 , . . . , Ln . Following Result 1, an attacker can spoof any number
of receivers in the transmission range to the same coordinates L
with differing j . If the victims have a way of establishing (coarse)
relative distances, e. g., by estimating their respective distances visually, or can detect their mutual time offsets, they are able to detect such attacks. Therefore, we will now focus on attacks in which
multiple victims are shifted to a set of new locations that preserve
their mutual distances and mutual time offsets.
As stated in Result 1, if the attacker is using only one transmission antenna, any possible placement of this antenna will lead to
two victims computing their location to the same coordinates L ,
with a small time synchronization error. Hence, the attacker cannot use only one antenna to shift the victims to different locations.
We will now show that, using multiple antennas, the attacker can
spoof two victims to any locations while preserving their mutual
time offsets, with certain restrictions on the time offset in the case
of military GPS receivers.

(6)

To determine its location, each victim solves a system of equations with the calculated pseudoranges (see Figure 4):

|Lj LA
i | = Rij j

(7)

Here, LA
i are the (claimed) satellite coordinates of Si extracted by

Vj from the GPS message, Rij

is the pseudorange to satellite Si as
calculated by Vj based on the received signal, and j = j c is
the time offset times propagation speed as calculated by the victim.
For each impersonated satellite, the attacker must send a signal
sA
i such that solving Equation 7 by the victim yields the target loA

= Rij
,
cation Lj and the target time offset j . This requires Rij
or:

|Pj PiA | + A
i = |Lj Li | + j .

Result 2. Two receivers at the physical locations P1 6= P2 can

be spoofed to the locations L1 6= L2 and time offsets 1 , 2 if the
A
attacker is free to choose any PiA and LA
i . For each si , the posA
sible transmission locations Pi lie on one half of a two-sheeted
hyperboloid defined by L1 , L2 , 1 , 2 , LA
i , and P1 , P2 .

(8)
PiA ,

In attacks on civilian GPS, the attacker is free to choose

iA , and LA
i . This means that the system of equations (8) is underdetermined for a single victim. The attacker can fix two of the
variables to his liking and solve for the third.
When the attack targets a military GPS receiver, the attacker cannot change the data content of the messages and is restricted to iA ,
which is greater than or equal to the transmission delay from the
satellite to the attacker. Hence, the claimed satellite location in the
message is the correct location of the legitimate satellite: LA
i =
A
A
S
LS
i . In addition, the attacker is restricted by i |Pi Li |. We
can therefore rewrite Equation 8 as

|Pj PiA | + |PiA LS

i | |Lj Li | + j .

In order to spoof V1 , V2 to L1 , L2 and 1 , 2 , the attacker must

send each si such that it arrives with the correct delay at the physical locations of the victims, i. e., bi12 = bi12 si . As bijk is defined
by PiA and, likewise, bijk is defined by LA
i , the attacker can always
find combinations of PiA and LA
that
yield
the correct pseudorange
i
(for attacks on civilian GPS). He can then use Equation 8 to find the
appropriate iA .

(9)

In the case of military GPS, the attacker cannot change the claimed
S

placements of the satellites: LA

i = Li . Hence, bi12 is determined

by the selection of L1 , L2 and 1 , 2 . In this case, Equation 8 yields

A
A
one hyperboloid for each sA
i with possible values of Pi and i .
We demonstrate this by giving a simple example: the victims
are located at P1 = (1, 0, 0) and P2 = (1, 0, 0), the physical
distance between the victims is |P1 P2 | = 2. The attacker wants
to spoof the two victims to the locations L1 = (0, 0, 0) and L2 =

Or, using the triangle inequality

|Pj LS
i | |Lj Li | + j .

(10)

In the following, let bijk be the difference in pseudoranges to PiA

between Vj and Vk (see Equation 6):
A
A
bijk = Rij
Rik
= |Pj PiA | |Pk PiA |.

(12)

(11)

As previously, to show this, we consider each signal sA

i separately. By computing bi12 , bi13 , bi14 (and bi11 = 0) according to
Equation 11 and setting bijk = bijk , we can construct three hyperboloids. Their intersection points are possible placements for the
antennas of the attacker. As the intersection of two hyperboloids
yields a spaced curve, the intersection of three hyperboloids is an
intersection of this curve with a third hyperboloid, which results
in at most two points. We can also arrive at this number of solutions by considering the system of four quadratic equations based
on Equation 7. These can be transformed into three linear and one
quadratic equation [1], defining the solutions for the location LA
i
and time offset iA . As the quadratic equation has at most two solutions [1], and each of the linear equations has one unique solution,
there are at most two solutions for the attackers position and transmission time.

Figure 5: Hyperbolas of possible antenna placements for the attacker when impersonating a satellite for two victims (Example
for Result 2, in 2D). Each hyperbola represents possible placements for an antenna PiA .
(0, 2, 0), both with time offset zero: 1 = 2 = 0. The attacker
A
now (arbitrarily) chooses LA
1 = (3, 2, 0), L2 = (2, 0, 0),
and LA
=
(2,
2,
0)
for
the
claimed
satellite
positions
in the GPS
3
messages. This determines three hyperboloids relative to P1 and
P2 based on b112 , b212 , and b312 .

This result can also be observed in our example by adding a

fourth victim placed at P4 = (10, 0, 0), which is spoofed to L4 =
(1, 0, 0) with 4 = 0. The possible placements for the attackers
antenna is now the intersection of the previously obtained curve
with another hyperboloid, yielding two points only (Figure 6(c)).

Result 3. A necessary condition for a successful GPS group spoofing attack is that Vj , Vk , si , bijk |Pj Pk | .

Result 6. In a GPS group spoofing attack on five or more victims

V1 , . . . , Vn to specific locations Lj and time offsets j , there is at
most one possible placement for PiA to impersonate a satellite at
LA
i . This is the intersection point of n 1 hyperboloids defined by
bi12 , . . . , bi1n .

In other words, the difference bijk of the perceived pseudoranges

of each signal sA
i at any two spoofed victim locations Lj and Lk
must be smaller than or equal to the distance between the victims
physical locations Pj and Pk . From Equation 11 and the triangle
inequality it follows that bijk |Pj Pk |. Since it must hold that
bijk = bijk , if bijk > |Pj Pk | for any si , then there is no possible
solution for the attackers placement PiA . Thus we get

|Pj Pk | |Lj LA
i | |Lk Li | + j k

This result directly continues our previous reasoning: Each added

victim adds another hyperboloid to the set of hyperboloids which
must intersect to yield a possible PiA . For five or more receivers,
the set of (n 1) linear equations and one quadratic equation is
overdetermined, and therefore has at most one solution.

(13)

as a necessary condition for a successful attack.

From Result 5, we know that for military GPS receivers, there

are at most two solutions for a given combination of Pj , Lj , j , and
S
LA
i = Li . For attacks on civilian GPS receivers, the attacker can
influence the position of the two solutions of the system of equations by changing the claimed satellite location LA
i . We will now
give an intuition where these solutions are located for a formationpreserving GPS spoofing attack.

As we know from Result 2, for two victims, all possible antenna placements for the attacker lie on a hyperboloid defined by
Pj , Lj , j and LA
i . We will now extend this result to the case of
three and more victims. In the following, we assume that bijk
|Pj Pk | is fulfilled Vj , Vk and si , i. e., it is physically possible
to spoof the locations of the receivers.
Result 4. In a GPS group spoofing attack on three victims V1 , V2 , V3
to specific locations Lj and time offsets j , all possible attacker
placements PiA lie on the intersection of two hyperboloids defined
by bi12 , bi13 .

Result 7. When spoofing a group of GPS receivers V1 , . . . , Vn

such that the formation (i. e., the mutual distances and relative time
offsets) is preserved, there is always at least one solution to the
decisional group GPS spoofing problem.

This can be shown by constructing two hyperboloids using bi12

and bi13 as in Result 2. Both hyperboloids yield the possible placements of attackers antennas to achieve the correct pseudorange for
V1 , V2 or V1 , V3 , respectively. Each point on the intersection of the
two hyperboloids has a specific iA and is at the correct distance to
all three victims. Therefore, all points of this space curve are valid
PiA to solve the group spoofing problem.

One way to show this result is to use an affine transformation to

describe the relation between physical and spoofed locations of the
receivers and senders. If the formation of the victims is preserved,
there exists a bijective affine augmented transformation matrix T
which describes this translation and rotation. Assuming that L and
P are represented as augmented row vectors, we can therefore write
T Lj = Lj . Then, the inverse transformation T 1 applied to LA
i
will yield a possible antenna placement PiA = T 1 LA
i , because

all pseudoranges Rij

between Lj and LA
i and the measured range
A
Rij between Pi and Pj will be the same (the transformation preserves the Euclidean distance).

We can extend our example from Result 2 by a third victim

placed at P3 = (1, 5, 0), which is spoofed to L3 = (1, 1, 0) with
3 = 0. This reduces the possible locations from the hyperboloid as
shown in Figure 6(a) to the intersection curve of the hyperboloids
constructed using bi12 and bi13 , as shown in Figure 6(b).

As a consequence of Results 6 and 7, spoofing five or more receivers while retaining their formation has exactly one solution, an
affine transformation of the claimed satellite position LA
i .

Result 5. In a GPS group spoofing attack on four victims V1 , . . . , V4

to specific locations Lj and time offsets j , there are at most two
possible placements for PiA to impersonate a satellite at LA
i . These
are the intersection points of three hyperboloids defined by bi12 ,
bi13 , bi14 .

Summary of results: Table 2 gives an overview of sets of possible

positions PiA for the attackers antenna depending on the number
6

15
10
5
z 0
5
10
15
4

2
0
y

8
12 x

2
4

15
10
5
z 0
5
10
15
0
4
2
0
y

16

4
8
12 x

16

20

(a) 2 receivers

20

(b) 3 receivers

15
10
5
z 0
5
10
15
0
4

0
2
0
y

4
8
12 x

2
4

16
20

(c) 4 receivers

Figure 6: Visualization of possible attacker placements. For (a) two victims, all points on the hyperboloid are viable solutions; for (b)
three victims the solutions lie on a curve (red/white intersection); and (c) for four victims only two points are viable solutions (white
dots).

Spoofing to
one location
n Civ. & Mil. GPS
1
2
3

PiA R3
PiA R3
PiA R3

4
5

PiA R3
PiA R3

Spoofing to multiple
locations (preserved formation)
Civilian GPS

Military GPS

set of hyperboloids
set of intersections
of two hyperboloids
set of 2 points
set of points

one hyperboloid
intersection of
two hyperboloids
2 points
1 point

Figure 7: The experimental setup.

Table 2: Summary of results for the number of possible attacker locations PiA for n victims.

from that satellite. The satellite lock makes spoofing attacks harder
since a spoofing signal is likely to be misaligned (in phase, Doppler
shift, or data content) to the legitimate signal. When the attackers
signal is turned on, this momentary interruption in the data-flow
from that satellite could cause the victim to be temporarily unable
to compute his position. Therefore, we now investigate how the
attacker can take over the victims lock with the victim losing the
ability to calculate its position, even for a moment.
In Section 3 we assumed a strong attacker, who is always able to
generate signals with perfect timing and power level, and who has
perfect knowledge of his own and the victims position. In a practical attack, many of these assumptions might be invalid. We conduct
experiments to evaluate the influence of such imperfections. Because we do not change the claimed location of the satellite in the
data sent by the attacker, all discussed imperfections should apply
equally for military and public GPS receivers.

of victims and on the target locations: spoofing all receivers to one

location or each victim to a different location with a preserved formation. The results are shown for civilian and military GPS; hyperboloid refers to half of a two-sheeted hyperboloid. In the table
we assume that the condition of Result 3 holds.
The results in Table 2 show that there are no restrictions on the
attackers position for spoofing any number of victims to one location (PiA R3 ). With an increasing number of victims and a
constant formation, the attacker is getting more and more restricted
in terms of his antenna placement. For civilian GPS, the attacker
has more degrees of freedom because he can select claimed (false)
satellite locations LA
i and thus influence the hyperboloid, intersection of hyperboloids, etc., whereas these are fixed for military GPS
(i. e., there is only one specific hyperboloid of attacker positions for
each transmitted signal per pair of victims).

5.

5.1 Experimental Setup and Procedure

In our experiments, the spoofing signals and the legitimate GPS
signals are sent over a cable to eliminate the influence of the transmission channel. This enables us to measure the unique influence
of the parameters of interest while disregarding channel and antenna noise. These results therefore show the minimal precision of
the signal parameters required for a successful attack on our target
platform.
We conduct the lock takeover attacks using a Spirent GSS7700
GPS simulator (see Figure 7). The GPS signal simulator is a hardware device that generates GPS signals and is controlled by a dedicated simulation PC running the SimGen simulation software package [20]. The GSS7700 GPS simulator generates two independent

EXPERIMENTS ON SATELLITE-LOCK
TAKEOVER

A GPS spoofing attack in the presence of legitimate GPS satellite

signals requires the attacker to make the victim stop receiving signals from the legitimate satellites and start receiving the attackers
signals. If this takeover is noticed by the victim, e. g. because the
victim suddenly loses contact to previously seen satellites, it can
detect the spoofing attack. While the victim might lose contact
due to random noise or environmental changes, the attacker ideally
should take over without being noticed. We say that the receiver
has a lock on a specific transmitter when it is already receiving data
7

6000

4000

2000

50

100

150

200

250

300

1600

0.6

800

0.4

400

0.2

0
3

0
7

Relative power in dB

(b) Average error as a function of power offset

longitude
latitude
height

500

Average error (m)

Error (m)

Time (s)

300

200

100

400

failed takeover (ratio)

lost lock (ratio)
error (m)

0.8

300

0.6

200

0.4

100

0.2

50

ts

100

tm

150

0.8

1200

(a) Sample run with +0dB power offset

failed takeover (ratio)

lost lock (ratio)
error (m)

200

250

300

Time (s)

Error ratio

2000

Error ratio

longitude
latitude
height

Average error (m)

Error (m)

8000

20

40

60

80

100

120

140

160

180

Time offset in ns

(c) Sample run with 120ns time offset

(d) Average error as a function of time offset

Figure 8: (a-b) Effects of relative signal power. (a) Example of unsuccessful takeover with too little power used. The spoofing signal
is switched on at ts = 60s and starts moving at tm . (b) Average error over the measurement as a function of relative power. (c-d)
Example of effects of spoofing signals with time offset. (c) During the takeover, the location jumps, in particular the height. The
spoofing signal is switched on at t = 60s. (d) Average error over the measurement as a function of the time offset.
gate are relative signal power, relative time offset and constant time
offset. For each parameter value, five experiments were run.
We say that the lock takeover was successful if at the end of the
experiment the victims final location is close to L . If the victim
is close to L but was close unable to compute a valid position for
more than one second during the lock takeover, we consider the
attack a partial success and use the number of seconds the victim
was not able to calculate a valid position as an error metric.

GPS constellations with up to 16 satellites in each. One constellation is simulating the signals from the legitimate GPS satellites,
and the other is simulating the attackers signals. Both are mixed
together and sent to the GPS receiver via a wired connection. The
GPS receiver in our experiments is an Antaris evaluation kit by ublox, containing the ATR0600 GPS chip from Atmel.
At the start of each experiment, we send only the legitimate GPS
signals for a static location. We reset the GPS receiver to make sure
all experiments are independent and no internal state is kept from
a previous experiment. After about 30 seconds the GPS receiver
will lock on to enough satellites to be able to calculate a stable position. This position is the legitimate position L and the goal of the
attacker is now to move the victim to a new location L such that (i)
the victim is continuously able to compute its position (ii) no noticeable discontinuities in the location are reported by the victims
receiver.
The attack then consists of two phases: first, the attacker sends
signals which are supposed to match the legitimate satellites signals at the location of the victim. These are generated by the attacker by approximating the current location of the victim as Linit ,
and constructing signals with time delays and data content appropriate for that location (see Section 4.1). This first phase lasts for
one minute to allow the victim to lock on to the new signals. In
the second phase, the attacker start to move the spoofed location
towards the final location L , imitating an acceleration of 0.5m/s2 .
After 3 minutes, the final location is reached. If this final location
is not remotely close to L (height difference 150m, horizontal
distance 1km), we consider the takeover failed.
We vary the distance between the victims true location L and
its initial location as assumed by the attacker Linit as one of the
parameters in the experiments. We refer to this distance as the location offset dinit = |L Linit |. The other parameters we investi-

5.2 Results of the Experiments

Relative signal power of the spoofing signal: In this experiment,
ideal spoofing signals are sent, but the power of the spoofing signals is varied between 2dB and +8dB relative to the legitimate
signals.
Figure 8(a) shows the effect of using spoofing signals that have
the same power as the legitimate signals. In this figure, ts marks
the time at which the spoofing signals are turned on and tm the
time when the spoofed location starts to move away from Linit .
The errors in longitude, latitude, and height are shown separately
and are measured between the location as reported by the receiver
and the one sent by the simulator. Although the victim reports the
spoofed location for some time, it switches back to L after 170s of
the experiment, which causes the growing error in longitude.
Figure 8(b) shows the error in meters between the position reported by the GPS receiver and the location sent by the attacker, as
a function of the relative power of the attackers signals. The error
bars show the standard deviation for the error value over the five
experimental runs. The gray bars indicate the ratio of experiments
in which the receiver was unable to determine its position during
the experiment. We use this as a metric to evaluate the smoothness
of the lock takeover. If the receiver reported a location too far away
from L , we count this run as failed takeover. Blue bars in the figure
8

400

200

200

0.6

0.4

100

0.2
0

50

ts

100

tm

150

200

250

300

Time (s)

100

150

200

250

300

350

0
400

(b) Average error as a function of location offset

longitude
latitude
height

400

Average error (m)

120

80

40

50

Location offset in m

(a) Sample run with 340m location offset

Error (m)

0.8

300

failed takeover (ratio)

lost lock (ratio)
error (m)

0.8

0.6
200
0.4
100

Error ratio

failed takeover (ratio)

lost lock (ratio)
error (m)

Error ratio

Average error (m)

Error (m)

300

longitude
latitude
height

600

0.2
0

50

ts

100

tm

150

200

250

300

Time (s)

20

40

60

80

100

120

140

160

0
180

Satellite signal desynchronization in ns

(c) Sample run with 140ns time delay mismatch offset

(d) Average error as a function of time delay mismatch

Figure 9: (a-b) Example of effects of spoofing signals with location offset. (a) Example with 340m offset. During the takeover, the
location is unstable. The spoofing signal is switched on at t = 60s. (b) Average error over the measurement as a function of the
location offset. (c-d) Example of effects of spoofing signals with inconsistent time offset for half of the satellites. (c) With a 140ns
time offset between the attackers satellites, the takeover leads to an unstable lock. The spoofing signal is switched on at t = 60s. (d)
Average error over the measurement as a function of the time delay mismatch.
to the time offset, this location offset can lead to a relatively large
error during the lock takeover. An example with offset of 340m is
given in Figure 9(a).
In Figure 9(b), we show the average error as a function of the location offset. Regardless of the intermediate errors, eventually the
victim always synchronizes to the attackers signals in all our experiments. This shows that the initial position is not very sensitive
to small errors. If an attacker knows the location of his victim to
within about 100 meters, he can perform a smooth takeover without
the victim losing lock. There will of course be a detectable jump in
position from L to Linit when the attackers signal is turned on but
the victim will not lose lock with any satellite.
Relative time offset influence: In the case where the attacker has
access to more than one transmission antenna, he can send the
spoofing signals using two or more omnidirectional antennas (see
Section 4). Depending on the relative position of the individual antennas, the victim will receive the spoofing signals with different
time delays. Relative time offsets of the signals can also be caused
by inaccuracies in the delay setup in the case of military GPS signals. In this experiment, we evaluate the consequences of having
half of the spoofed satellite signals shifted by a fixed amount of
time relative to the other half of the signals. In Figure 9(c), we
show an example run with a time delay mismatch of 140ns. The
results for all tested values are presented in Figure 9(d).

denote the ratio of attempts in which the GPS receiver was unable
to compute a valid location.
It can be seen that for at least 2dB more power, the receiver consistently locks onto the spoofing signals without any offset occurring. 2dB of power is sufficiently low to not be detected by power
based spoofing-countermeasures in practice.
Constant time offset influence: The second question we investigate is the effect of a general delay on all signals sent by the attacker
relative to the legitimate signals. Such time delays can occur if the
attackers system setup is not perfectly compensating for internal
delays, the distance to the victim is unknown or the system clock
of the attacker is not synchronized perfectly to the clock of the legitimate GPS satellites. The interesting question is if such a general
time offset will result in detectable errors in the victims reported
position, and if such a time offset will increase the chance of the
victim losing lock completely during the takeover. To evaluate the
influence of a constant time offset, we run the tests with time offsets between 0ns and 240ns. We plot the location error between
the attackers intended location and the actual location reported by
the victim an example run in Figure 8(c). The effects are consistent
over several runs with the same parameters, but can vary quite a lot
with these parameters.
In Figure 8(d), we show the general relation between the average
errors during the measurement as a function of the time offset for
the first 120ns. After this time, lock takeover was not working
consistently any more.
Location offset influence: In this series of experiments we determine the influence of an offset dinit between the position of the
victim as determined from the legitimate satellites L and the spoofing signals sent by the attacker Linit . We evaluate the influence of
such a location offset for values between 0 and 450m. Similarly

5.3 Discussion on Practical Issues in Spoofing

Attacks
Because our experiments are based on a single GPS receiver,
we do not attempt to make precise general statements about the
parameter values that are necessary to perform a seamless takeover
of any platform. Instead we point out that ranges with acceptable
9

Relative signal power

Constant time offset
Location offset
Relative time offset

Parameter value required

for successful spoofing
+2dB
75ns
500m
80ns

Table 3: Required parameter ranges for seamless lock-takeover

in a GPS spoofing attack in our experiments.

values exist and we present the values for our receiver in Table 3.
According to our experiments, the constant time offset is sensitive to variation and should be less than 75ns. Anything more than
that will cause the GPS receiver to lose lock when the spoofing signal is turned on. A value of 75ns roughly corresponds to a distance
of 22.5m, meaning that the attacker must know the distance from
himself to the victim with an accuracy of 22.5m (or better) a
higher offset will cause the victim to lose lock due to the signal
(chip phase) misalignment. We found that the initial location offset will cause a noticeable jump of the victims reported position
during the attack. Large offsets could therefore be detected by the
victim by monitoring its position. Any change in the arrival time
of the signal from different antennas will directly impact the position calculated by the victim. If the relative time offset gets above
80ns the signals are sufficiently misaligned to cause the receiver to
lose lock. This means that, if an attacker has multiple antennas, he
must precisely know the distance from each antenna to the attacker
in order to be able to spoof a desired location.

6.

Figure 10: Proposed countermeasures: For an attacker with a

single antenna, the two-receiver countermeasure is enough. If
the attacker uses multiple antennas, four (or more) receivers
severely restrict the attackers antenna placements. Wrong antenna placements will change the distances of the receivers and
can thus be detected.

ducting such an attack is very difficult. It becomes even impossible

if the victim can hide the exact positioning of at least one GPS receiver from the attacker (e. g., by keeping it mobile on the vehicle)
such that the attacker cannot adapt to its position.
In summary, our countermeasure requires no modifications of
the GPS signal, the satellite infrastructure, or the GPS receiver, it is
resistant against a wide range of attackers, and it can be deployed
using multiple standard GPS receivers.
Outlook: Further possible applications are not restricted to mobile
scenarios with a fixed formation (such as in the cargo ship example above). The countermeasure can also be applied (i) to fixed and
static (i. e., immobile) settings where GPS is used for time synchronization and (ii) to mobile settings with varying formations (e. g.,
mobile formation of cars, robots, etc.). In the latter case, the devices can apply additional ranging techniques to identify their formation and use it in the sanity check with the calculated GPS locations (as long as the ranging techniques are secure [?, 2, 6, 10, 18]).
We leave the elaboration of these ideas for future work.

GPS SPOOFING COUNTERMEASURE

Spoofing detection based on lock loss has two disadvantages: (i)

strong attackers can achieve a seamless satellite-lock takeover, and
(ii) lock loss can occur due to natural causes (e. g. signal loss in
a tunnel). We propose a countermeasure against GPS spoofing attacks that does not rely on the signal analysis or on the lock loss
of signal. Instead, our mechanism is based on our insights of Section 4 and relies on the use of several GPS receivers. These GPS
receivers can be deployed in a static, known formation, e. g., they
are fixed on the deck of a cargo ship (see Figure 10). The basic
idea of the countermeasure is the following: If the GPS receivers
can exchange their individual GPS locations, they can check if their
calculated locations preserve their physical formation (within certain error bounds). In the case that the calculated GPS locations do
not match the known formation, an attack must be suspected and
there should be a warning message. For the exchange of positioning information, the victim could also resort to wired connections if
available (which would be resistant against spoofing and jamming
attacks).
Even if only two GPS receivers are used, this countermeasure
can detect any attacker that is only using a single antenna. As
shown in Result 1, in case of a single-antenna attack both GPS
receivers would report the same location (with small time offsets).
As shown in Results 46, a strong attacker using multiple antennas could attempt to send signals such that the mutual distances
between multiple receivers are preserved. Nevertheless, each additional receiver of the victim makes these spoofing attacks exceedingly more difficult because the space of possible antenna placements for the attacker gets reduced significantly (see Table 2). From
Results 6 and 7 we know that there exists only one location per
satellite where the attacker can place his antenna; this location is
the rotated and translated satellite position of the GPS signal. Con-

7. CONCLUSION
In this paper, we analyzed the requirements for successful GPS
spoofing attacks on individuals and groups of victims with civilian
or military GPS receivers. In particular, we identified from which
locations and with which precision the attacker needs to generate
its signals in order to successfully spoof the receivers.
For example, we show how spoofing a group of victims can only
be achieved from a restricted set of locations, if the attacker aims to
preserve the mutual distances and time offsets of the victims. With
growing size of the group of victims, less spoofing location become
available, until only single points remain for 5 victims or more. In
addition, we discussed the practical aspects of seamless satellitelock takeover. We used a GPS signal generator to perform a set
of experiments in which we investigated the required precision of
the attackers spoofing signals. Besides demonstrating the effects
of such lock takeovers on the victim, our results include minimal
bounds for critical parameters to allow a seamless takeover of our
target platform. Finally, we proposed a technique for the detection
of spoofing based on a group of standard GPS receivers (without
specific spoofing detection measures) in a static formation.
10

8.

REFERENCES

(2008).
[17] PAPADIMITRATOS , P., AND J OVANOVIC , A. Protection and
fundamental vulnerability of GNSS. In Proceedings of the
International Workshop on Satellite and Space
Communications (2008).
APKUN , S. Realization of rf
[18] R ASMUSSEN , K. B., AND C
distance bounding. In Proceedings of the USENIX Security
Symposium (2010).
[19] S COTT, L. Anti-spoofing & authenticated signal
architectures for civil navigation systems. In Proceedings of
the ION GNSS International Technical Meeting of the
Satellite Division (2003).
[20] S PIRENT C OMMUNICATIONS PLC. SimGEN simulation
software. http://www.spirent.com.
[21] U. S. D EPARTEMENT OF D EFENSE . Global positioning
system. standard positioning service. performance standard,
Sep 2008.
[22] U. S. G OVERNMENT . Global positioning system.
http://www.gps.gov, 2010.
[23] WARNER , J. S., AND J OHNSTON , R. G. A simple
demonstration that the global positioning system (GPS) is
vulnerable to spoofing. Journal of Security Administration
(2002).
[24] WARNER , J. S., AND J OHNSTON , R. G. GPS spoofing
countermeasures. Homeland Security Journal (2003).

[1] B ENSKY, A. Wireless Positioning Technologies and

Applications. GNSS Technology and Applications Series.
Artech House, 2008.
[2] B RANDS , S., AND C HAUM , D. Distance-bounding
protocols. In Workshop on the theory and application of
cryptographic techniques on Advances in cryptology
(EUROCRYPT) (1994), Springer.
[3] C AVALERI , A., M OTELLA , B., P INI , M., AND FANTINO ,
M. Detection of spoofed GPS signals at code and carrier
tracking level. In Proceedings of the 5th ESA Workshop on
Satellite Navigation Technologies and European Workshop
on GNSS Signals and Signal Processing (Navitec) (2010).
[4] D OLEV, D., AND YAO , A. C. On the security of public key
protocols. IEEE Transactions on Information Theory 29, 2
(1983).
[5] E TTUS. Universal software radio peripheral (USRP).
http://www.ettus.com.
[6] H ANCKE , G. P., AND K UHN , M. G. An RFID Distance
Bounding Protocol. IEEE Computer Society.
[7] H UMPHREYS , T. E., L EDVINA , B. M., P SIAKI , M. L.,
OH ANLON , B. W., AND K INTNER , P. M. Assessing the
spoofing threat: Development of a portable GPS civilian
spoofer. In Proceedings of the ION GNSS International
Technical Meeting of the Satellite Division (2008).
[8] J OHN A. VOLPE NATIONAL T RANSPORTATION S YSTEMS
C ENTER. Vulnerability assessment of the transportation
infrastructure relying on the global positioning system. Final
Report, 2001.
[9] J OHNSTON , R. G., AND WARNER , J. S. Think GPS cargo
tracking = high security? Think again. In Proceedings of
Transport Security World (2003).
[10] K UHN , M., L UECKEN , H., AND T IPPENHAUER , N. O.
UWB impulse radio based distance bounding. In
Proceedings of the Workshop on Positioning, Navigation and
Communication (WPNC) (2010).
[11] K UHN , M. G. An asymmetric security mechanism for
navigation signals. In Proceedings of the Information Hiding
Workshop (2004).
[12] L EDVINA , B. M., B ENCZE , W. J., G ALUSHA , B., AND
M ILLER , I. An in-line anti-spoofing device for legacy civil
GPS receivers. In Proceedings of the ION International
Technical Meeting (2010).
[13] M ONTGOMERY, P. Y., H UMPHREYS , T. E., AND L EDVINA ,
B. M. Receiver-autonomous spoofing detection:
Experimental results of a multi-antenna receiver defense
against a portable civil GPS spoofer. In Proceedings of the
ION International Technical Meeting (2009).
[14] M OTELLA , B., P INI , M., FANTINO , M., M ULASSANO , P.,
N ICOLA , M., F ORTUNY-G UASCH , J., W ILDEMEERSCH ,
M., AND S YMEONIDIS , D. Performance assessment of low
cost GPS receivers under civilian spoofing attacks. In
Proceedings of the 5th ESA Workshop on Satellite
Navigation Technologies and European Workshop on GNSS
Signals and Signal Processing (Navitec) (2010).
[15] NAVIGATION C ENTER , U.S. D EPARTMENT OF H OME
S ECURITY. Global Positioning System, Standard Positioning
Service: Signal Specification. http://www.navcen.uscg.gov,
June 1995. 2nd edition.
[16] PAPADIMITRATOS , P., AND J OVANOVIC , A. GNSS-based
Positioning: Attacks and countermeasures. In Proceedings of
the IEEE Military Communications Conference (MILCOM)

APPENDIX
A.

PROOF OF RESULT 1

To show Result 1, we first focus on a single receiver V1 and civilian GPS. The attacker selects a target location L , a target time
offset 1 , and any arbitrary attacker location PiA . Given this, EquaA
tion 8 yields A
i . Using one transmission antenna (i. e. P1 =
A
with
the
delay

PjA j)5 , the attacker transmits all signals sA

i
i =
A
i /c.
While this will successfully spoof the location and time of one
victim, other victims in the vicinity will receive the same signals
with slight time delay or advancement. We now consider a set of
receivers V = {V1 , . . . , Vn } that are positioned at different physical locations P = {P1 , . . . , Pn }.
Since the attacker sends all signals sA
i from the same position
A
P1 = P2A = . . . , we can follow that b1jk = b2jk = . . . for all
signals sA
i . To compute the effect of the offset on the pseudoranges
on each victim, we can express each victims pseudorange relative
to the pseudorange of the first victim: Rij = Ri1 + b1j1 . Each
victim will measure pseudoranges based on their physical distances

A
to the attacker: Rij
= Rij
. We can now substitute (11) into (7) and
get the following equation for each signal sA
i and Vj :

|Lj LA
i | = Ri1 (j b1j1 ).

(14)

Thus, for every Vj , these equations only differ by the different value
(j b1j1 ) = 1 . This means that all Vj compute an identical
location L , but different clock offsets j :

1
j = 1 +
|Pj PiA | |P1 PiA | .
(15)
c
5

For civilian GPS, one physical transmission location for all attacker signals does not imply that the claimed locations LA
i in the
spoofed messages are the same. For the victim to be able to comA
pute its location, it must hold that LA
1 6= L2 6= . . . .
11

S
satellites are enlarged (i. e., if |L1 LS
i | > |P1 Li | Si ), the
time offset of the victim can be made negative (causing the victim
to advance its clock). The minimal value of 1 is determined by

Result 1 shows that an attacker can make a group of victims believe to be at a specific location by sending one set of satellite signals from the same antenna. All victims will believe to be at the
same location L , but with different time offsets. The additional
time offset j k between victim Vj and Vk introduced by the at|L L |
tacker is bounded by their mutual distance |j k | j c k and
is typically on the order of nanoseconds for victims a few meters
apart.
In attacks on military GPS, Equation 10 shows an interesting
relation between the resulting time offset of the main victim 1 and
the distance between the spoofed location and each satellite: If L1
S
is chosen such that |L1 LS
i | |P1 Li | for any Si , then the time

offset 1 at the victim must be positive. On the other hand, since

1 is the same for all satellites, only if the distances from L1 to all

S
j max(|P1 LS
i | |L1 Li |).
i

(16)

As the attacker can always delay the signals, he can arbitrarily delay
the victims clock also in military GPS.
One direct conclusion for military GPS is that it is not possible
to advance the victims clock while retaining the original location
L1 = L1 . The clock offsets of other victims V2 , . . . , Vn relative
to the first victim as expressed in Equation 15 remain the same
for attacks on military GPS if all signals are sent from the same
location P1A = P2A = . . . .

12