Why worry about PRS when you can have S-GNSS instead?

Source: Getting Lost in PT | A blog by Dr Ramsey Faragher

The 29th of March is coming. One of the many things we will be losing that day will be guaranteed access to the Galileo Public Regulated service, the encrypted signal that aims to protect PRS-enabled Galileo receivers from spoofing attacks, a critical requirement for a safety-of-life receiver, or one employed by the military or security services. Spoofing attacks have come a long way since Bond’s foray into P(Y) generators in Tomorrow Never Dies, today you just need access to Github and a £200 software-defined radio to happily make your smartphone believe it is anywhere you want it to be. Or your car. Or your A380’s ADS-B beacon (one of the pieces of equipment that is used to tell other aircraft where it is so that they don’t…..you know….hit it).

The imminent loss of PRS access has caused quite an uproar in the United Kingdom, with plans to build our own GNSS afoot. Fortunately however there is another option for providing an anti-spoofing technique which not only ignores the attack but can also locate its source. No, i’m not talking about a rather expensive Controlled Radiation Pattern Antenna. I’m referring to a software upgrade for existing GNSS receivers provided by Focal Point Positioning, that was demonstrated at the Royal Institute of Navigation’s International Navigation Conference at the end of 2018.

Focal Point Positioning’s S-GNSS upgrade provides improved accuracy, sensitivity and multipath mitigation, but it also provides a completely new category of measurements for a single-antenna GNSS receiver: angle of arrival. It is through the discrimination of arrival direction that S-GNSS can identify, ignore, and (if required) locate the source of spoofing. An example is given here.

An experiment was conducted in a large car park outside Cambridge, with a Labsat record and replay device used to capture the live GNSS signals. Then, in post processing, spoofing signals were injected into the raw data log file representative of a replay attack (meaconing), from a rooftop overlooking the car park. Such an attack is one of the more difficult spoofing attacks to overcome because encryption does not help – the signals being rebroadcast from nearby are the legitimate encrypted signals from the sky, and so they are not removed by the anti-spoofing module in a P(Y), or M-code, or a PRS receiver. Such an attack cannot result in a controlled, elegant “hijacking” of a receiver to move it deliberately away from the true location, but it can be used to cause severe multipath interference and inject errors into the receiver through forcing non-line-of-sight measurements into its navigation engine.

Screenshot 2019 02 18 at 00 54 19

The images below show the effect of the meaconing attack on a standard vector tracking GNSS receiver (blue) and the resilience of the S-GNSS receiver to the attack (red). The movie available here shows the Skyscan imagery for the scenario. In the movie, each circle is a skyplot for a given satellite generated using the underlying supercorrelation process within S-GNSS that is sensitive to angle of arrival. On each plot, the red dot represents the true location in the sky of a given satellite, and power detectable from the correct portion of the sky (the satellite’s direction) will cut through that red dot on the plot. Any energy on the plots that does not cut through the satellite position is a non-line-of-sight version of the signal. Typically these are reflections from objects in the environment, but in this case high power is detectable from the same location in the Southern part of the sky for all satellites when the meaconing attack is started, a short time into the scenario (at about 11 seconds in the movie, which plays back faster than real time). The angular information from the Skyscan plots can be used to determine the azimuth and elevation of the spoofer relative to the receiver.

Screenshot 2019 02 18 at 00 54 39

Focal Point Positioning have been working with a number of major chipset companies, including Broadcom and u-blox, to demonstrate the performance gains that are possible with the S-GNSS software upgrade. For more information, get in touch at www.focalpointpositioning.com