GNSS SpAmming: a spoofing-based GNSS denial-of-service attack

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv paper.

GNSSs are vulnerable to attacks of two kinds: jamming (i.e. denying access to the signal) and spoofing (i.e. impersonating a legitimate satellite). These attacks have been extensively studied, and a myriad of countermeasures exist to mitigate them. In this paper we expose a new type of attack, SpAmming, which combines both approaches to achieve the same effect in a more subtle way. Exploiting the CDMA multiplexing present in most GNSSs, and by means of a spoofing attack, this approach causes the receiver to lose access to the signal of a legitimate satellite, which is equivalent to a denial of service; but in this case the existing countermeasures against jamming or spoofing would not protect against it, since it is neither of them. An experimental proof-of-concept is presented in which its impact is evaluated as a function of the previous state of the receiver. Using an SDR-based system developed at the Space Security Centre, the attack is executed against a cold-started receiver, a warm-started receiver, and a receiver that has already acquired the PVT solution and is navigating. Different attack configurations are also tested, starting from a raw emission of the false signal and progressing to surgical configuration of the Doppler effect, code offset, etc. Although it is shown to be particularly successful against cold-started receivers, the results show that it is also effective in other scenarios, especially if accompanied by other attacks. We conclude the article by outlining possible countermeasures to detect and, eventually, counteract it, and possible avenues of research to better understand its impact, especially for authenticated services such as OSNMA, and to characterize it in order to improve the response to similar attacks.


💡 Research Summary

The paper introduces a novel GNSS denial‑of‑service (DoS) technique called SpAmming, which blends spoofing and jamming concepts to selectively block individual satellite signals without raising the typical alarms associated with either attack. Traditional GNSS attacks fall into two categories: (1) jamming, where broadband noise raises the noise floor and prevents acquisition or tracking, and (2) spoofing, where an adversary reproduces a satellite’s signal (PRN, modulation, navigation message) to feed the receiver false data. Both have been extensively studied and mitigated through signal characterization, authentication services (e.g., Galileo’s OSNMA), directional antennas, and other counter‑measures.

SpAmming exploits the CDMA multiplexing inherent to GNSS constellations. By transmitting a counterfeit signal that mimics only the code (PRN) and Doppler/phase characteristics of a chosen satellite, the attacker can make that satellite’s acquisition or tracking impossible while leaving the rest of the constellation untouched. Crucially, the counterfeit signal does not need to carry a coherent navigation message; it merely needs to interfere at the chip level, making the attack simpler than full‑message spoofing and less detectable than conventional jamming, which typically causes a sharp C/N₀ drop.

The experimental platform consists of: a Leica AR20 antenna capturing authentic GNSS signals, an Ettus USRP B210 SDR generating the spoofed signal, a power splitter (Mini‑Circuits ZAPD‑2‑S+) to combine the two streams, and a u‑blox ZED‑F9P receiver on a C099‑F9P development board. Signal generation is performed with a custom Python tool (gal‑sdr‑sim) and transmitted via GNU Radio Companion. All tests are conducted over coaxial cable to avoid unintended interference.

Three receiver states are examined:

  1. Cold‑Start – the receiver has no prior ephemeris, almanac, or time. By injecting a false signal for a visible satellite (SVID 13) with an arbitrary Doppler offset, the acquisition process is thwarted. After the attack stops, the receiver continues to search using the wrong Doppler value and fails to reacquire the satellite, resulting in a permanent loss of that satellite’s contribution.

  2. Warm‑Start – the receiver possesses an almanac and a coarse time estimate. Here the attacker must match the legitimate satellite’s Doppler and code offset. The USRP’s intrinsic 1.2 kHz Doppler bias is compensated, and the spoofed signal is limited to the E1 band (the E5B band is jammed to prevent the receiver from falling back to the more robust signal). The attack succeeds only while the spoofed signal is present; once removed, the receiver regains the satellite.

  3. Hot‑Start – the receiver is already tracking and has a full PVT solution. The attacker reproduces the exact Doppler, phase, and code offset observed at the receiver. While Doppler matching is straightforward, precise code‑offset replication proves difficult, leading to intermittent success. Adding intermittent E1‑band jamming dramatically improves effectiveness, achieving results comparable to the warm‑start case.
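As an added illustration (not code from the paper or from the Space Security Centre tool), the following toy simulation shows the CDMA mechanism described in the overview above and the cold-start outcome in item 1: a counterfeit signal carrying the same PRN at a different Doppler captures a naive acquisition search, and a receiver that afterwards keeps searching only the Doppler bin it locked on never reacquires the real satellite. The 31-chip LFSR code, amplitudes, code phases and Doppler bins are constructed, noise-free values; the two-peak check is a generic acquisition-surface monitor, not a countermeasure the paper proposes.

```python
import cmath
import math

N = 31  # chips per code period; one complex sample per chip (toy scale, not a real GNSS chip rate)

def prn(seed=0b10101):
    """Toy PRN: a 31-chip m-sequence from a 5-stage LFSR, as +1/-1 chips (stand-in for a satellite code)."""
    state, chips = seed, []
    for _ in range(N):
        chips.append(1 - 2 * (state & 1))
        fb = (state ^ (state >> 2)) & 1          # feedback x^5 + x^2 + 1 (primitive) -> period 31
        state = (state >> 1) | (fb << 4)
    return chips

def component(code, amp, phase, dopp):
    """One code period of a CDMA signal with a given amplitude, code phase (chips) and Doppler (bins of 1/N cycle per sample)."""
    return [amp * code[(n - phase) % N] * cmath.exp(2j * math.pi * dopp * n / N) for n in range(N)]

def acquire(samples, code, dopp_bins=range(N)):
    """Serial-search acquisition: |correlation| for every (code phase, Doppler bin) cell of the search space."""
    surface = {}
    for k in dopp_bins:
        for tau in range(N):
            c = sum(samples[n] * code[(n - tau) % N] * cmath.exp(-2j * math.pi * k * n / N) for n in range(N))
            surface[(tau, k)] = abs(c)
    return surface

def peaks(surface, thresh=0.6 * N):
    """Cells above threshold. A healthy channel shows exactly one; two peaks on a single PRN is a tell for SpAmming."""
    return sorted(cell for cell, mag in surface.items() if mag > thresh)

def spamming_demo():
    code = prn()
    legit = component(code, 1.0, 5, 3)     # constructed: true satellite at code phase 5, Doppler bin 3
    fake = component(code, 1.5, 12, 27)    # constructed: same PRN, arbitrary phase/Doppler, stronger (as in item 1)
    mixed = [a + b for a, b in zip(legit, fake)]
    surf = acquire(mixed, code)
    lock = max(surf, key=surf.get)         # cell where a naive receiver locks: the counterfeit one
    # cold-start aftermath: the attack stops, but the receiver keeps searching only the Doppler bin it locked on
    after = acquire(legit, code, dopp_bins=[lock[1]])
    return {"lock": lock, "peaks": peaks(surf), "reacquired": bool(peaks(after))}
```

Because the m-sequence has a flat spectrum off the zero bin, every cell that matches neither component stays far below threshold, so the two flagged cells are exactly the true and the counterfeit (phase, Doppler) pairs.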

The results demonstrate that SpAmming is practically guaranteed to succeed against cold‑started receivers, making it a potent threat for devices that frequently power‑cycle (e.g., smartphones, IoT nodes). For warm‑started and hot‑started receivers, sustained attack duration or combined jamming is required for reliable denial. The authors also note that because OSNMA authentication is only available on a subset of Galileo satellites, an attacker can force a receiver to rely solely on unauthenticated satellites, thereby simplifying subsequent spoofing attacks.

Current defenses are insufficient for SpAmming. Message‑level authentication (OSNMA) does not protect the PRN itself, allowing an attacker to impersonate the satellite’s code without triggering authentication failures. Traditional jamming detectors rely on abrupt C/N₀ reductions, which SpAmming does not cause. The paper proposes two primary counter‑measures: (1) PRN‑level authentication, as exemplified by the GPS Chimera service, which would enable receivers to verify the legitimacy of the spreading code; and (2) full‑constellation authentication, extending OSNMA or similar services to all satellites. Additionally, physical layer defenses such as multi‑antenna arrays and Controlled Reception Pattern Antennas (CRPA) can help filter out malicious components.

In conclusion, SpAmming introduces a new threat model that merges spoofing precision with jamming’s denial effect while evading existing detection mechanisms. The proof‑of‑concept demonstrates that software‑defined radio can readily implement the attack, especially during the vulnerable cold‑start phase. Future work should explore dynamic code/phase adjustment techniques, multi‑satellite coordinated attacks, and a thorough impact assessment on authenticated services like OSNMA, thereby guiding the development of robust, next‑generation GNSS security architectures.

