GNSS-based positioning: Attacks and Countermeasures
Increasing numbers of mobile computing devices, user-portable, or embedded in vehicles, cargo containers, or the physical space, need to be aware of their location in order to provide a wide range of commercial services. Most often, mobile devices obtain their own location with the help of Global Navigation Satellite Systems (GNSS), integrating, for example, a Global Positioning System (GPS) receiver. Nonetheless, an adversary can compromise location-aware applications by attacking the GNSS-based positioning: it can forge navigation messages and mislead the receiver into calculating a fake location. In this paper, we analyze this vulnerability and propose and evaluate the effectiveness of countermeasures. First, we consider replay attacks, which can be effective even in the presence of future cryptographic GNSS protection mechanisms. Then, we propose and analyze methods that allow GNSS receivers to detect the reception of signals generated by an adversary, and then reject fake locations calculated because of the attack. We consider three diverse defense mechanisms, all based on knowledge, in particular, own location, time, and Doppler shift, that receivers can obtain prior to the onset of an attack. We find that inertial mechanisms that estimate location can be defeated relatively easily. This is equally true for the mechanism that relies on clock readings from off-the-shelf devices; as a result, highly stable clocks could be needed. On the other hand, our Doppler Shift Test can be effective without any specialized hardware, and it can be applied to existing devices.
💡 Research Summary
The paper addresses the growing reliance on GNSS (especially GPS) for location‑aware services in mobile devices, vehicles, cargo containers, and other embedded systems, and it highlights the inherent vulnerability of GNSS receivers to malicious manipulation. The authors first describe replay attacks, where an adversary records authentic satellite signals and later rebroadcasts them at the appropriate time to a target receiver. Even with forthcoming cryptographic protections for GNSS (e.g., Galileo OS‑NMA, GPS M‑code), replay attacks remain effective because they simply reuse the original, already‑authenticated messages without needing to break the cryptography. This establishes that cryptographic integrity alone does not guarantee protection against signal‑level forgeries.
To counter such attacks, the paper proposes three detection mechanisms that rely on information a receiver can obtain before an attack begins: (1) inertial navigation, (2) high‑precision clock comparison, and (3) Doppler shift verification. Each method is evaluated experimentally.
- Inertial‑Based Position Estimation – The receiver uses its internal IMU and previously known GNSS positions to predict its current location and velocity. If the newly received GNSS fix deviates beyond a threshold, the receiver flags a possible spoof. Experiments with low‑cost IMUs show rapid error accumulation; within 10 seconds the position error can exceed several hundred meters, making the method ineffective against short‑duration replay attacks. Consequently, inertial sensors alone cannot provide reliable real‑time protection.
- Clock‑Based Validation – By comparing the UTC time derived from an off‑the‑shelf clock (e.g., a smartphone’s crystal oscillator) with the timestamp embedded in the satellite message, the receiver can detect inconsistencies caused by replayed signals. However, commercial clocks drift on the order of milliseconds per minute. Attackers can compensate for this drift, and the experiments reveal that only clocks with sub‑millisecond stability achieve detection rates above 80 %. Deploying atomic‑grade clocks would solve the problem but is impractical for most consumer devices due to cost, size, and power constraints.
- Doppler Shift Test (DST) – Satellite‑to‑receiver signals exhibit a predictable Doppler shift determined by the satellite’s orbital velocity and the receiver’s own motion. Prior to any attack, the receiver can compute the expected Doppler frequency for each visible satellite using ephemeris data and its own estimated state. When a signal arrives, the receiver measures its actual Doppler shift and compares it to the prediction. A replayed signal, generated on the ground, will not carry the correct Doppler profile and therefore produces a measurable discrepancy. The authors demonstrate that even standard smartphones can measure Doppler with an accuracy better than 0.5 Hz, yielding a detection rate of roughly 99 % in realistic scenarios. Moreover, an adversary attempting to synthesize the correct Doppler in real time would need sophisticated, high‑speed signal‑generation hardware, dramatically raising the attack’s complexity and cost.
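As an added illustration (not code from the paper or its authors), the following Python sketch implements the DST logic described above: the receiver predicts each satellite's Doppler shift from satellite and own state obtained before the attack, then compares the tracking loop's measured shift against that prediction. Satellite positions, velocities, and measured values are constructed, and the 5 Hz acceptance margin is an assumption.

```python
import math

C = 299_792_458.0      # speed of light, m/s
F_L1 = 1_575.42e6      # GPS L1 carrier frequency, Hz

def unit_vector(frm, to):
    """Unit vector pointing from point `frm` to point `to` (ECEF metres)."""
    d = [b - a for a, b in zip(frm, to)]
    n = math.sqrt(sum(x * x for x in d))
    return [x / n for x in d]

def expected_doppler(sat_pos, sat_vel, rx_pos, rx_vel, f_carrier=F_L1):
    """Predicted Doppler shift (Hz): relative velocity projected on the
    receiver-to-satellite line of sight, so a closing geometry (negative range
    rate) gives a positive shift. Receiver clock drift is assumed corrected."""
    los = unit_vector(rx_pos, sat_pos)
    range_rate = sum((sv - rv) * u for sv, rv, u in zip(sat_vel, rx_vel, los))
    return -range_rate * f_carrier / C

def predict_all(sats, rx_pos, rx_vel):
    """Expected Doppler per satellite from ephemeris-derived state and own state."""
    return {prn: expected_doppler(s["pos"], s["vel"], rx_pos, rx_vel)
            for prn, s in sats.items()}

def doppler_shift_test(predicted, measured, threshold_hz=5.0):
    """Accept the fix only if every tracked satellite's measured Doppler is within
    threshold_hz of its prediction. 5 Hz is an assumed margin (paper: <0.5 Hz)."""
    residuals = {prn: measured[prn] - predicted[prn]
                 for prn in predicted if prn in measured}
    accept = all(abs(r) <= threshold_hz for r in residuals.values())
    return accept, residuals

# Constructed scenario (not from the paper): ECEF receiver moving 10 m/s radially;
# satellites placed so the lines of sight are exactly +x and +z (easy to verify).
RX_POS = (6_371_000.0, 0.0, 0.0)
RX_VEL = (10.0, 0.0, 0.0)
SATS = {
    "G01": {"pos": (26_571_000.0, 0.0, 0.0), "vel": (-500.0, 3_900.0, 0.0)},
    "G07": {"pos": (6_371_000.0, 0.0, 20_200_000.0), "vel": (0.0, -3_800.0, 800.0)},
}
# Constructed tracking-loop readings: genuine set is within noise of prediction;
# replayed set carries the Doppler profile of the recording's own geometry.
MEASURED_GENUINE = {"G01": 2680.3, "G07": -4203.8}
MEASURED_REPLAYED = {"G01": -1215.0, "G07": 950.0}

if __name__ == "__main__":
    pred = predict_all(SATS, RX_POS, RX_VEL)
    for name, meas in (("genuine", MEASURED_GENUINE), ("replayed", MEASURED_REPLAYED)):
        ok, res = doppler_shift_test(pred, meas)
        print(name, "accept" if ok else "REJECT", {k: round(v, 1) for k, v in res.items()})
```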
The comparative analysis shows that inertial and ordinary‑clock methods are easily defeated, while DST offers robust detection without requiring specialized hardware. The paper recommends integrating Doppler‑based verification into GNSS receiver firmware as a baseline defense, and it suggests that a layered approach—combining DST with auxiliary checks (e.g., occasional inertial cross‑validation)—could further harden systems against sophisticated spoofing campaigns.
In conclusion, the study underscores that GNSS security cannot rely solely on cryptographic message authentication; signal‑level attacks such as replay remain viable. Real‑time validation using physical properties of the signal—particularly Doppler shift—provides an effective, low‑cost countermeasure that can be retrofitted to existing devices and incorporated into future GNSS security standards.