1. Introduction
As the application of satellite navigation systems has penetrated all aspects of social life and military applications, a navigation terminal may output incorrect timing and positioning results owing to spoofing signals, which may lead to catastrophic consequences. Spoofing may gradually become a severe threat to satellite navigation systems [1]. Since the US Department of Transportation first raised concerns regarding spoofing in satellite navigation in 2001, spoofing has attracted increasing attention from several countries, especially their militaries, and has gradually become a hotspot in satellite navigation interference technology research [2].
Spoofing refers to the interference technology wherein the interference source generates a spoofing signal that is highly similar to the authentic satellite navigation signal, or forwards the authentic signal, causing the target receiver to mistake the spoofing signal for the authentic satellite navigation signal during acquisition and tracking, so that the receiver outputs erroneous information or no information at all. Spoofing is more destructive and threatening than other forms of interference [3].
Regardless of whether the spoofing targets a receiver in the signal acquisition phase or in the tracking phase, control of the spoofing signal power is an important problem to be studied. When a receiver is in the acquisition phase, a spoofing signal can effectively spoof the receiver by generating multiple false correlation peaks and raising the noise floor [4]. During the signal acquisition phase, the receiver searches the two-dimensional space of Doppler shift and code phase, and calculates the signal parameters at the highest correlation peak above the a priori decision threshold [5]. A spoofing signal produces a higher-power correlation peak in the search domain by transmitting at higher power. At this point, the receiver is easily locked onto the peak of the spoofing signal, thereby affecting the positioning result of the receiver [6].
In an actual scenario, it is better to first use suppression interference to make the receiver lose lock, and then implement spoofing [7]. When the receiver is in a cold start or in loss-of-lock and reacquisition (whether the loss of lock is caused by the natural environment or by suppression interference), a spoofing signal present in the environment may be acquired by the receiver. Entering the receiver through the acquisition phase is simple and effective. However, for a receiver with some spoofing detection capability, once it has been successfully pulled onto the spoofing signal, persistent spoofing requires controlling the power without being noticed by the receiver. For example, in a normal environment, the noise floor of the receiver is relatively stable; however, when a spoofing signal intrudes, there is cross-correlation interference between the spoofing signal and the authentic signal, and the noise floor rises. When the noise floor is raised to a certain extent, authentic signals may be submerged in the noise [8]. If the power of the spoofing signal is extremely high, the target receiver can easily detect the abnormality and other navigation devices will be used, so effective spoofing cannot be achieved [4]. Therefore, it is of immense importance to explore the implementation of spoofing and the subsequent power control problems for receivers in the acquisition phase.
Some scholars have studied the necessary conditions for successful spoofing. In 2014, Ma et al. discussed the effective implementation of spoofing, which requires a 5 dB jamming-to-signal ratio to ensure that the receiver acquires the spoofing signal during the acquisition phase [9]. In 2015, Hu et al. adjusted the spoofing power in real time while pulling the receiver acquisition loop; the noise floor was limited to 3 dB and the maximum spoofing signal-to-noise ratio was limited to 22 dB, thereby achieving continuous effective spoofing [10]. In 2016, Pang et al. categorized spoofing into the acquisition phase and the tracking phase, and held that in the acquisition phase, if the receiver has not locked onto a signal, spoofing can be successfully implemented as long as the spoofing signal power is greater than the authentic signal power [11].
Additionally, avoiding spoofing detection is also a problem that needs to be studied [12]. In 2012, Ali Jafarnia-Jahromi argued that because spoofing signals raise the noise floor of the receiver, the receiver can detect and identify spoofing signals more effectively by measuring the absolute power of the correlation peak than by monitoring technology. In 2013, Lv et al. proposed that, during signal acquisition, if the peaks of the spoofing signal and the authentic signal are separated by more than 1.5 chips, the correlation function will have multi-peak characteristics [13]. In 2014, Daniel P. Shepard et al. used Monte Carlo experiments to verify that when the carrier frequency difference between the spoofing signal and the authentic signal is extremely large during acquisition, under specific receiver phase-locked loop parameter settings, the receiver loses lock [14]. Some scholars have also studied the implementation methods of spoofing. In 2018, Sheng et al. studied a spoofing algorithm and confirmed through theoretical analysis that, for the acquisition phase, a combined suppression-and-spoofing algorithm needs to be adopted [15].
There are also some spoofing detection methods, such as the method proposed by Hu et al. of measuring the total signal energy of the spoofing signal and the authentic signal [16]. However, when the phase difference and Doppler frequency difference between the spoofing signal and the authentic signal are small, the spoofing detection performance deteriorates, and it also deteriorates for multipath signals. Oligeri et al. used the unencrypted IRIDIUM Ring Alert (IRA) messages broadcast by IRIDIUM satellites to detect spoofing [17]. Pini et al. proposed a low-complexity strategy for detecting intermediate spoofing attacks based on Neyman-Pearson theory [18]. Chen et al. proposed a spoofing detection method using two antennas, which can detect a single spoofing signal or spoofing signals from multiple directions; however, for dynamic scenes, the spoofing detection value is unstable [19]. Obviously, it is difficult for any spoofing detection technique to detect all spoofing methods, and our research focuses on the design of spoofing signal power to avoid the related power detection techniques as much as possible. Navigation security, or GNSS security, like renewable energy, has attracted more and more attention [20,21].
Currently, there is limited research on GNSS spoofing signal power control, and there is no systematic, complete power control scheme; most of the existing work is limited to qualitative analysis or simulation, and the actual application effect is still unclear. It is of immense importance to explore the implementation of spoofing and the subsequent power control problems for receivers in the acquisition phase.
With regard to the application of the algorithm, we need to explain that in a practical spoofer, when it is difficult for the spoofer to obtain the accurate position of the target receiver, jamming is usually applied first to make the receiver lose lock, and spoofing is implemented afterwards. To maintain the concealment of spoofing, the power control of the spoofing signal is the key issue at this point. Against this background, we propose a spoofing signal power control strategy under the receiver power constraint, for the receiver in the acquisition stage and for subsequent control. On the one hand, the algorithm enables the spoofer to deceive the receiver successfully; on the other hand, the power of the spoofing signal is kept as concealed as possible.
A new GNSS spoofing signal power control algorithm under receiver power constraints, for the receiver in the acquisition phase and for subsequent control, is proposed in this research. The designed experimental platform demonstrates that the algorithm can conceal itself, take over the receiver and subsequently pull the positioning results with the aid of suppression interference. Furthermore, it provides a power control algorithm for spoofing after suppression and has high applicability.
4. Experimental Verification
The experimental platform is set up as depicted in Figure 5. It comprises a GNSS signal simulator, host computer control software, a test receiver, and a connecting feeder. The GNSS signal simulator is used as the authentic signal and spoofing signal generating device. The host computer control software controls, by writing instructions, the code offset (unit: m), carrier phase offset (unit: m), code rate (unit: m/s) and carrier phase rate (unit: m/s) of each spoofing signal relative to the authentic signal, as well as the relative power gain (unit: dB) and power increase/decrease rate (unit: dB/s). In addition, the Space Vehicle Identification (SVID), number of satellites, and signal power of the authentic signal and spoofing signal can be selected initially. The experiment uses the Septentrio PolaRx5 receiver as the target receiver, which has advanced interference monitoring and anti-interference capability.
The following two groups of experiments are designed to compare the spoofing effect on a test receiver of the newly designed GNSS spoofing signal power control algorithm and of the spoofing signal high-power control algorithm. In experiment 1, the high-power control algorithm was applied to the spoofing signal, and in experiment 2, the new power control algorithm was applied. In the two groups of experiments, all experimental conditions other than the GNSS spoofing signal power control algorithm were the same.
4.1. Experiment on High Power Control Algorithm of Spoofing Signal
In experiment 1, the high-power control algorithm was used for the spoofing signal. The experimental procedure is as follows: ① First, the PolaRx5 receiver is cold-started to ensure that the receiver is in the loss-of-lock state it would be in after being suppressed by interference for a long duration; ② after the cold start, the signal simulator is used to generate 6 channels of L1 authentic signals and 6 channels of spoofing signals with the same SVIDs; each spoofing signal has an initial code phase offset of 500 m and an initial carrier phase offset of 500 m with respect to the authentic signal, its code rate and carrier phase rate are consistent with those of the authentic signal, and its power advantage over the authentic signal is 8 dB; all signals are injected simultaneously into the receiver through the connected feeder to simulate spoofing of the receiver in the signal acquisition phase. This process lasts for 3 min; ③ after 3 min, the other parameters of each spoofing signal are kept unchanged, and only the code rate is adjusted to 1 m/s and the carrier phase rate is adjusted to 1 m/s, which increases the code phase and carrier phase with a fixed slope. The duration of this process is 3 min. After 246 s, the key instruction design of the experiment is depicted in Figure 6.
In Figure 6, “OFFSET” specifies the code phase offset, carrier phase offset, and relative power gain relative to the authentic signal, together with the command start time and duration; “RAMP” specifies the initial code phase offset, initial carrier phase offset, initial relative power gain, code rate, carrier phase rate, and power increase/decrease rate relative to the authentic signal, together with the command start time and duration.
The following analyzes the changes in Doppler frequency, carrier-to-noise ratio, and Earth-Centered, Earth-Fixed (ECEF) position of the receiver during the test.
The ground truth in ECEF has been set: the reference position is −1,445,000 m on the X-axis, 6,150,000 m on the Y-axis, and 180,000 m on the Z-axis. The ECEF coordinates given in this experiment are the positioning error vector relative to the reference position.
The statistical results for the Doppler frequency range (difference between maximum and minimum), maximum, minimum and average of the six signals received by the test receiver are shown in Table 1.
Figure 7 and Figure 8 show the change of Doppler frequency with time for the six signals received by the test receiver. During the period of 4–184 s, the spoofing signal and authentic signal affect the receiver at the same time, and the Doppler frequency of the six signals fluctuates. According to the statistics over 0–200 s, the range of Doppler frequency is 87,900 Hz. During 184–200 s, the code rate and carrier phase rate of the spoofing signals change, and the Doppler frequency of the signals remains stable.
Figure 9 and Figure 10 show the change of carrier-to-noise ratio with time for the six signals received by the test receiver. During the period of 0–200 s, the carrier-to-noise ratio changes smoothly. The maximum carrier-to-noise ratios of the SVID18, SVID30 and SVID31 signals are not less than the receiver's threshold of 45 dB/Hz, so the received signal carrier-to-noise ratio is not less than the threshold of the receiver, which makes it easy for the receiver's power monitoring technology to detect the spoofing signal.
Figure 11 shows the change of the ECEF coordinate positioning results with time. During the period of 4–184 s, the spoofing signal and authentic signal affect the receiver at the same time. The ranges of the three ECEF coordinates are 12,260 m, 104,200 m and 10,180 m, respectively. The high-power spoofing signal causes a large fluctuation in the positioning results of the receiver. During the period of 184–200 s, the spoofing signal enters the stage of pulling the positioning result, and the positioning result of the receiver is gradually pulled away. The ranges of the three ECEF coordinates are 213.5 m, 1848 m and 93.45 m, respectively, so the positioning result of the receiver has changed greatly.
As explained in the designed experimental steps, in order to verify that a receiver in the loss-of-lock reacquisition or cold-start state is spoofed, the spoofing signal and authentic signal are injected into the receiver at the same time after the cold start of the receiver. Because the code rate and carrier phase rate of the spoofing signal are changed, if the receiver is controlled by the spoofing signal, the positioning result of the receiver will change. Because the positioning result of the receiver is continuously biased in the experiment, we can judge that the receiver is controlled by the spoofing signal, but the high-power spoofing signal is not concealed enough.
4.2. Experiment of New GNSS Spoofing Signal Power Control Algorithm
In experiment 2, the new power control algorithm is used for the spoofing signal. The experimental procedure is as follows: ① First, the PolaRx5 receiver is cold-started to ensure that the receiver is in the loss-of-lock state it would be in after being suppressed by interference for a long duration; ② after the cold start, the signal simulator is used to generate 6 channels of L1 authentic signals and 6 channels of spoofing signals with the same SVIDs; each spoofing signal has an initial code phase offset of 500 m and an initial carrier phase offset of 500 m with respect to the authentic signal, its code rate and carrier phase rate are consistent with those of the authentic signal, and its power relative to the authentic signal is set according to the power allocation optimization algorithm; all signals are injected simultaneously into the receiver through the connected feeder to simulate spoofing of the receiver in the signal acquisition phase. This process lasts for 3 min; ③ after 3 min, the other parameters of each spoofing signal are kept unchanged, and only the code rate is adjusted to 1 m/s and the carrier phase rate is adjusted to 1 m/s, which increases the code phase and carrier phase with a fixed slope. The duration of this process is 3 min. After 246 s, the key instruction design of the experiment is depicted in Figure 12.
In Figure 12, “OFFSET” specifies the code phase offset, carrier phase offset, and relative power gain relative to the authentic signal, together with the command start time and duration; “RAMP” specifies the initial code phase offset, initial carrier phase offset, initial relative power gain, code rate, carrier phase rate, and power increase/decrease rate relative to the authentic signal, together with the command start time and duration.
The following analyzes the changes in Doppler frequency, carrier-to-noise ratio, and ECEF position of the receiver during the test.
The ground truth in ECEF has been set: the reference position is −1,448,700 m on the X-axis, 6,209,100 m on the Y-axis, and 175,000 m on the Z-axis. The ECEF coordinates given in this experiment are the positioning error vector relative to the reference position.
The statistical results for the Doppler frequency range (difference between maximum and minimum), maximum, minimum and average of the six signals received by the test receiver are shown in Table 2.
Figure 13 and Figure 14 show the change of Doppler frequency with time for the six signals received by the test receiver. During the period of 4–184 s, the spoofing signal and authentic signal affect the receiver at the same time, and the Doppler frequency of the six signals fluctuates. Compared with experiment 1, the Doppler frequency fluctuation period is only 0–50 s; the duration is shortened by 130 s, a reduction of 72.2%. The average Doppler frequency range over 0–200 s is 21,183 Hz; compared with experiment 1, the Doppler frequency range is reduced by 66,717 Hz, a reduction of 75.9%. During 184–200 s, the code rate and carrier phase rate of the spoofing signals change, and the Doppler frequency of the signals remains stable.
Figure 15 and Figure 16 show the change of carrier-to-noise ratio with time for the six signals received by the test receiver. During the period from 0 s to 200 s, the carrier-to-noise ratio changes smoothly. As the maximum carrier-to-noise ratio of the six signals is less than the receiver's threshold of 45 dB/Hz, the received signal carrier-to-noise ratio stays below the threshold of the receiver, so it is not easy for the receiver to detect the spoofing signal.
Figure 17 shows the change of the ECEF coordinate positioning results with time. During the period from 4 s to 184 s, the spoofing signal and authentic signal affect the receiver at the same time. The ranges of the three ECEF coordinates are 13.64 m, 194.7 m and 33.81 m, respectively. Compared with experiment 1, the range of the positioning results caused by the spoofing signal is obviously smaller, which indicates that the process of the spoofing signal taking over the receiver is more stable; this helps to improve the concealment of spoofing. Between 184 s and 200 s, the spoofing signal begins to bias the positioning result, and the positioning result of the receiver is gradually biased. The ranges of the three ECEF coordinates are 1.498 m, 12.68 m and 2.747 m, respectively. Because the code phase and carrier phase of the six spoofing signals change by 16 m during this period, the ranges of the ECEF coordinates in experiment 2 are more reasonable than those in experiment 1. This shows that the receiver is taken over by the spoofing signal, and spoofing is implemented successfully.
Based on the analysis of experiment 1 and experiment 2, compared with the conventional spoofing signal high-power control algorithm, the new GNSS spoofing signal power control algorithm shortens the Doppler frequency fluctuation time by 72.2%, reduces the Doppler frequency range by 75.9%, and reduces the carrier-to-noise ratio of the received signal. When the spoofing signal takes over the receiver, the ranges of the three ECEF coordinates are significantly reduced, which indicates that the newly designed GNSS spoofing signal power control algorithm makes the spoofing behavior more concealed and makes it more difficult for the target receiver to detect it.
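The three receiver-side statistics that Sections 4.1 and 4.2 tabulate (Doppler range per SVID, peak carrier-to-noise ratio against the 45 dB/Hz power-monitoring threshold, and the per-axis range of the ECEF error vector relative to a known reference position) computed in Python, as an added example that is not code from the paper or its experimental platform; the observations and position fixes are constructed, and the reference position is the Experiment 1 ground truth quoted in the text.

```python
"""Receiver-side statistics of the kind Sections 4.1 and 4.2 report: Doppler
range per SVID, whether peak C/N0 reaches the receiver's power-monitoring
threshold, and the per-axis range of the ECEF error vector. Sample data is
constructed; the reference position is the Experiment 1 ground truth."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

CN0_THRESHOLD_DBHZ = 45.0  # receiver power-monitoring threshold stated on the page
REFERENCE_ECEF_M = (-1_445_000.0, 6_150_000.0, 180_000.0)  # Experiment 1 ground truth

@dataclass(frozen=True)
class Observation:
    t_s: float          # receiver time, s
    svid: int           # space vehicle identifier
    doppler_hz: float   # measured Doppler, Hz
    cn0_dbhz: float     # measured carrier-to-noise ratio, dB/Hz

def doppler_ranges(obs: Sequence[Observation]) -> Dict[int, float]:
    """Max minus min Doppler per SVID (the 'range' column of Tables 1 and 2)."""
    by_svid: Dict[int, List[float]] = {}
    for o in obs:
        by_svid.setdefault(o.svid, []).append(o.doppler_hz)
    return {s: max(v) - min(v) for s, v in by_svid.items()}

def cn0_power_alarms(obs: Sequence[Observation],
                     threshold: float = CN0_THRESHOLD_DBHZ) -> Dict[int, bool]:
    """Per SVID, True when the peak C/N0 is not less than the threshold: the
    condition under which the page says power monitoring flags the signal."""
    peak: Dict[int, float] = {}
    for o in obs:
        peak[o.svid] = max(peak.get(o.svid, float("-inf")), o.cn0_dbhz)
    return {s: p >= threshold for s, p in peak.items()}

def ecef_error_ranges(fixes: Sequence[Tuple[float, float, float]],
                      reference: Tuple[float, float, float] = REFERENCE_ECEF_M
                      ) -> Tuple[float, float, float]:
    """Per-axis range (max minus min) of the error vector fix minus reference."""
    errs = [[f[i] - reference[i] for i in range(3)] for f in fixes]
    return tuple(max(e[i] for e in errs) - min(e[i] for e in errs) for i in range(3))

# Constructed sample: SVID 18 shows a strong, jittery track; SVID 5 a plausible one.
SAMPLE_OBS = [
    Observation(0.0, 18, 1200.0, 44.0), Observation(1.0, 18, -3600.0, 46.5),
    Observation(2.0, 18, 900.0, 45.2),
    Observation(0.0, 5, 350.0, 41.0), Observation(1.0, 5, 352.0, 41.3),
    Observation(2.0, 5, 349.0, 40.8),
]
SAMPLE_FIXES = [  # constructed position fixes, m, near the reference position
    (-1_445_010.0, 6_150_020.0, 180_005.0),
    (-1_444_990.0, 6_149_900.0, 179_998.0),
    (-1_445_003.0, 6_150_050.0, 180_010.0),
]

if __name__ == "__main__":
    print("Doppler range (Hz):", doppler_ranges(SAMPLE_OBS))
    print("C/N0 alarm:", cn0_power_alarms(SAMPLE_OBS))
    print("ECEF error range (m):", ecef_error_ranges(SAMPLE_FIXES))
```

Real receiver logs would supply many more epochs per SVID; the functions take any sequence of observations or fixes, so the same checks apply unchanged.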