The Texas Spoofing Test Battery: Toward a Standard for Evaluating GPS Signal Authentication Techniques

Todd Humphreys, Jahshan Bhatti, Daniel Shepard, and Kyle Wesson, The University of Texas at Austin, Austin, TX

Copyright © 2012 by Todd Humphreys, Jahshan Bhatti, Daniel Shepard, and Kyle Wesson. Preprint of the 2012 ION GNSS Conference, Nashville, TN, September 18–21, 2012.

BIOGRAPHIES

Todd E. Humphreys is an assistant professor in the Department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin, and Director of the UT Radionavigation Laboratory. He received a B.S. and M.S. in Electrical and Computer Engineering from Utah State University and a Ph.D. in Aerospace Engineering from Cornell University. He specializes in applying optimal estimation and signal processing techniques to problems in radionavigation. His recent focus is on radionavigation robustness and security.

Jahshan A. Bhatti is pursuing a Ph.D. in the Department of Aerospace Engineering and Engineering Mechanics at The University of Texas at Austin, where he also received his B.S. and M.S. He is a member of the UT Radionavigation Laboratory. His research interests are in the development of small satellites, software-defined radio applications, space weather, and GNSS security and integrity.

Daniel P. Shepard is pursuing a Ph.D. in the Department of Aerospace Engineering and Engineering Mechanics at The University of Texas at Austin, where he also received his B.S. He is a member of the UT Radionavigation Laboratory. His research interests are in GNSS security, estimation and filtering, and guidance, navigation, and control.

Kyle D. Wesson is pursuing a Ph.D. in the Department of Electrical and Computer Engineering at The University of Texas at Austin. He received his B.S. in Electrical and Computer Engineering from Cornell University. He is a member of the UT Radionavigation Laboratory and the Wireless Networking and Communications Group. His research interests include GNSS security and interference mitigation.

ABSTRACT

A battery of recorded spoofing scenarios has been compiled for evaluating civil Global Positioning System (GPS) signal authentication techniques. The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for commercial GPS receivers. The setup used to record the scenarios is described. A detailed description of each scenario reveals readily detectable anomalies that spoofing detectors could target to improve GPS security.

INTRODUCTION

Authentication of civil Global Positioning System (GPS) signals is increasingly a concern. Spoofing attacks, in which counterfeit GPS signals are generated for the purpose of manipulating a target receiver's reported position and time, have been demonstrated with low-cost commercial equipment against a wide variety of GPS receivers [1], [2], [3], [4]. Such attacks threaten the integrity of financial transactions, communications, and power grid monitoring operations that depend on GPS signals for accurate positioning and timing [5], [6], [7].

Whereas the military GPS waveform was originally designed to be unpredictable and therefore resistant to spoofing [8], the civil GPS waveforms are precisely specified in publicly-available documents [9]. Also, although not entirely constrained by the signal specifications, the navigation data messages modulated onto the civil waveforms are highly predictable. Known signal structure and data bit predictability make civil GPS signals susceptible to spoofing attacks.

Several researchers have proposed techniques for overlaying unpredictable but verifiable modulations on existing and future civil GPS signals [10], [11], [12], [13], [14]. These space-segment-side cryptographic techniques offer the promise of effective globally-available signal authentication without requiring additional hardware such as multiple antennas [15] or inertial measurement equipment [16], which would be impractical in cost-sensitive applications.

Unfortunately, even while many of the technical challenges of implementing space-segment-side cryptographic civil GPS authentication have been overcome, daunting procedural and financial hurdles remain. This sobering reality has led several researchers to conclude that efforts to authenticate civil GPS signals over the next decade should focus on strategies that do not require support from the GPS space segment. Examples of such space-segment-independent authentication strategies can be categorized as (1) receiver-autonomous signal-processing-oriented techniques, which require no antenna motion or specialized antenna hardware [17], [18], [19]; (2) receiver-autonomous antenna-oriented techniques, which require antenna motion or specialized antenna hardware [20], [15], [21]; and (3) techniques that exploit the existing encrypted military signals to offer civil GPS signal authentication for networked GPS receivers [22], [23], [24], [25].

All existing or proposed civil GPS signal authentication schemes are premised on hypothesis tests involving statistical models for the authentic and counterfeit GPS signals. These models make simplifying assumptions that permit tractable analytical treatment of the detection problem. In general, the statistics of the null hypothesis (only authentic signals present) are readily verifiable by laboratory experiment, but the statistics of the alternative hypothesis (spoofing attack underway) are not easily verified. This is because sophisticated signal generation hardware capable of code- and carrier-phase-aligned spoofing attacks is neither commercially available nor straightforward to construct. Thus, for example, experimental validation of the authentication technique proposed in [22] was limited to the null hypothesis.

A testbed capable of simulating realistic spoofing attacks is needed so that the efficacy of proposed civil GPS signal authentication techniques can be experimentally evaluated. A generic testbed capable of evaluating all known authentication techniques would be prohibitively expensive (e.g., it would require a large anechoic chamber for evaluating receiver-autonomous antenna-oriented techniques). But if the scope of evaluation is limited to receiver-autonomous signal-processing-oriented techniques and networked techniques (categories (1) and (3) above), then it is possible not only to develop an inexpensive testbed but to share the testbed's data component so that the tests can be replicated in laboratories across the globe.

This paper presents the Texas Spoofing Test Battery (TEXBAT), a set of six high-fidelity digital recordings of live static and dynamic GPS L1 C/A spoofing tests conducted by the Radionavigation Laboratory of the University of Texas at Austin. The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for civil GPS receivers. According to this standard, successful detection of or imperviousness to all spoofing attacks in TEXBAT, or a future version thereof, could be considered sufficient to certify a civil GPS receiver as spoof resistant, as suggested in recent congressional testimony [26]. In what follows, the setup and procedure used to record the various TEXBAT scenarios is described. Thereafter, each scenario is detailed and analyzed, revealing obvious anomalies that future GPS receivers could be designed to detect.

BANDWIDTH AND QUANTIZATION CONSIDERATIONS

The initial version of TEXBAT, as presented in this paper, is focused solely on evaluating techniques for authenticating the civil GPS L1 C/A signals. Accordingly, one might argue that the TEXBAT recordings need only capture the main lobe of the C/A power spectrum, which is approximately 2 MHz wide and, due to the C/A code's sinc²(f/fc)-shaped power profile for chip rate fc, contains more than 90% of the total C/A signal power.

But a narrow 2-MHz bandwidth would be inadequate to support evaluation of authentication techniques such as the Vestigial Signal Defense [18] that are based on a detailed characterization of the broadcast GPS signals, a characterization that captures not only the signals' theoretical structure but also any filtering or other effects imposed by the transmitter. For these techniques, a wide radio frequency capture bandwidth is necessary to prevent signal distortion that could be interpreted as spoofing and lead to false alarms. A wideband recording is also necessary to support evaluation of GPS signal authentication techniques that rely on the presence of the military P(Y) signals, whose main lobe is 10 times wider than that of the C/A signals.

[Fig. 1 plot: power density (dB/Hz) versus frequency deviation from GPS L1 (MHz), −20 MHz to +20 MHz.]
Fig. 1. Power spectral density estimate of the GPS signal corresponding to PRN 31 as received on 22 April, 2003 by the Stanford 46-meter-diameter radio telescope (original data courtesy of Dennis Akos). The complex sampling rate of the digitized data was 46.08 Msps.

To appreciate the richness of data in a wide band around L1, consider Fig. 1, which shows a power spectral density estimate of the GPS signal corresponding to pseudorandom number (PRN) code 31 as received in April 2003 by a high-gain (52 dBi) radio telescope. Besides a gentle asymmetry, the spectrum reveals that the full bandwidth of the transmitted GPS signals is approximately 30 MHz (the filtering effects visible beyond 30 MHz are likely dominated by the satellite's transmission hardware rather than the recording equipment, which was sampling at 46.08 Msps). Therefore, a bandwidth exceeding 30 MHz would be required to capture all C/A signal information that may be
relevant to authentication.

However, recognizing a practical need to minimize the size of recorded files, the recordings in TEXBAT were limited to a complex sampling rate of 25 Msps, which, with the high-quality front-end filtering employed, provides a flat frequency response over a 20-MHz bandwidth around L1. With a 20-MHz captured bandwidth, only 0.04 dB of C/A signal power is lost and filtering effects on the C/A signal due to the TEXBAT recording hardware are negligible. Given its civil GPS focus, it is not necessary for TEXBAT to avoid filtering (distorting) the P(Y) signals, which, according to Fig. 1, would require a bandwidth exceeding 30 MHz. Instead, TEXBAT need only provide enough P(Y) signal power so that the networked authentication techniques discussed in [22], [23], [24], [25], which rely on cross-correlation with the P(Y) signals, can function properly. A 20-MHz bandwidth preserves all but 0.44 dB of the P(Y) spectral power, which should be adequate to support such techniques.

Now consider quantization. As discussed in [27], quantization causes bandpass signal power to "spill" out of the band of the original, unquantized signal. This has approximately the same effect on GPS signals as reducing the signal power and increasing the broad-band noise power. The net result of these two effects is a decrease in each received signal's carrier-to-noise ratio (C/N0). Thus, one consideration when choosing the number of quantization levels N for TEXBAT recordings is to determine an acceptable loss in C/N0 for the authentic and counterfeit signals.

Hegarty shows in [28] that when the captured bandwidth is wide compared with the main sinc²(f/fc) lobe, the C/N0 loss for N-level quantization is 2.06 dB for N = 2 (1 bit), 0.64 dB for N = 4 (2 bit), 0.26 dB for N = 8 (3 bit), and 0.14 dB for N = 16 (4 bit). Thus, if maintaining signal C/N0 were the only imperative, no more than 4-bit quantization would practically be required.

But TEXBAT quantization must also accommodate a wide dynamic range. In potential TEXBAT scenarios, the difference in power between the authentic and counterfeit signal ensembles could be large. In these cases a high number of quantization levels makes it possible to recover the weaker signals from the data, which may be a key strategy for some signal authentication technique. Therefore, TEXBAT complex samples were recorded with 16-bit quantization to ensure a more-than-adequately-wide dynamic range.

RECORDING SETUP

This section discusses the TEXBAT recording setup, which is depicted graphically in Fig. 2. Each principal component of the setup will be treated in turn.

The GPS Spoofer

The central component of the TEXBAT recording setup is the University of Texas (UT) GPS spoofing device, whose design and operation are described in [1], [29], [30], [3], [4]. The latest version of the UT spoofing device is much improved compared to the original version introduced in [1]. For example, the current version has greater throughput: it is capable of simultaneously tracking and spoofing up to 14 GPS L1 C/A signals while continuing to perform background acquisition of emerging GPS satellite signals. Other key features of the spoofer relevant to TEXBAT are phase alignment, navigation data bit prediction, variable output attenuation, and noise padding.

Phase Alignment

The UT spoofer receives authentic civil GPS L1 C/A and GPS L2C signals and generates counterfeit GPS L1 C/A signals that are closely code-phase aligned with their authentic counterparts. The spoofer is currently not capable of generating signals that are carrier-phase aligned with the authentic signals at the location of a target receiver; indeed, it appears that such carrier-phase alignment is a practical impossibility for any spoofing device except under controlled laboratory conditions, in view of the precise (cm-level) relative position knowledge required.

But neither do the carrier phases of the UT spoofer's signals wander arbitrarily with respect to those of the authentic signals. As the spoofer attempts to induce a position or timing deviation in the target receiver by shifting the code phase of its counterfeit signals, it can adopt either of two strategies with respect to carrier phase generation. In the default mode, the rate of change of its signals' carrier phase is proportional to the rate of change of the corresponding code phase. If τ̇ and φ̇ represent the rate of change of code phase and carrier phase, in seconds per second and cycles per second, respectively, then in the spoofer's default mode these are related by

φ̇ = fc τ̇

where fc is the GPS L1 frequency in Hz.

In an alternative mode, the so-called frequency lock mode, the UT spoofer maintains approximately fixed whatever initial phase offset arises between its counterfeit signals and the authentic signals, and continues to maintain this fixed carrier phase offset even while it shifts the code phase of its counterfeit signals to induce a position or timing deviation in the target receiver. This ability to lock the relative (counterfeit-to-authentic) carrier phase even while shifting the relative (counterfeit-to-authentic) code phase enables the spoofer to evade some spoofing detection strategies that are designed to watch for the rapid amplitude variations caused by interacting authentic and counterfeit phasors of comparable magnitude when the authentic and counterfeit φ̇ values differ.
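As an added check on the figures quoted in the Bandwidth and Quantization Considerations section above (this is not code from the paper), the following Python integrates the sinc²(f/fc) power profile numerically to reproduce the main-lobe fraction of C/A power and the C/A and P(Y) power lost by a 20-MHz capture. The only inputs assumed beyond the text are the public GPS chip rates, 1.023 Mcps for C/A and 10.23 Mcps for P(Y).

```python
"""Captured-power check for the TEXBAT recording bandwidth.

Added example, not code from the TEXBAT paper: it integrates the
sinc^2(f/fc) power profile numerically to reproduce the paper's figures
(main lobe > 90% of C/A power, about 0.04 dB C/A loss and 0.44 dB P(Y)
loss at 20 MHz).  Chip rates are the public GPS values.
"""
import math

CA_CHIP_RATE_HZ = 1.023e6    # C/A code chip rate
PY_CHIP_RATE_HZ = 10.23e6    # P(Y) code chip rate
TEXBAT_BANDWIDTH_HZ = 20e6   # flat capture bandwidth stated in the paper


def sinc2(x):
    """Normalised sinc squared, (sin(pi x) / (pi x))^2, with sinc2(0) = 1."""
    if x == 0.0:
        return 1.0
    px = math.pi * x
    return (math.sin(px) / px) ** 2


def captured_power_fraction(bandwidth_hz, chip_rate_hz, steps=100_000):
    """Fraction of total sinc^2(f/fc) power inside |f| <= bandwidth/2.

    Over all f the integral of sinc^2(f/fc) equals fc, so in the dimensionless
    variable x = f/fc the fraction is simply the integral of sinc^2(x) over
    |x| <= x_max.  Simpson's rule on x >= 0 (even integrand), then doubled.
    """
    x_max = bandwidth_hz / (2.0 * chip_rate_hz)
    if steps % 2:
        steps += 1                      # Simpson's rule needs an even interval count
    h = x_max / steps
    acc = sinc2(0.0) + sinc2(x_max)
    for i in range(1, steps):
        acc += (4.0 if i % 2 else 2.0) * sinc2(i * h)
    return min(1.0, 2.0 * acc * h / 3.0)


def bandwidth_loss_db(bandwidth_hz, chip_rate_hz):
    """Signal power lost, in dB, by band-limiting to bandwidth_hz."""
    return -10.0 * math.log10(captured_power_fraction(bandwidth_hz, chip_rate_hz))


def texbat_bandwidth_summary():
    """The three bandwidth figures the paper relies on, computed rather than quoted."""
    return {
        "ca_main_lobe_fraction": captured_power_fraction(2 * CA_CHIP_RATE_HZ, CA_CHIP_RATE_HZ),
        "ca_loss_db_20mhz": bandwidth_loss_db(TEXBAT_BANDWIDTH_HZ, CA_CHIP_RATE_HZ),
        "py_loss_db_20mhz": bandwidth_loss_db(TEXBAT_BANDWIDTH_HZ, PY_CHIP_RATE_HZ),
    }


if __name__ == "__main__":
    for name, value in texbat_bandwidth_summary().items():
        print(f"{name}: {value:.4f}")
```

The ideal sinc² model ignores the transmitter filtering visible in Fig. 1, so the C/A figure comes out a few hundredths of a dB from the paper's rounded 0.04 dB, while the P(Y) loss lands on 0.44 dB.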
Fig. 2. Diagram of the TEXBAT recording setup.

Navigation Data Bit Prediction

To initialize an attack with an induced position, velocity, and timing (PVT) solution that is indistinguishable from the authentic PVT solution, it is not enough for the spoofer to achieve code-phase alignment with the authentic signals; it must also align its simulated navigation data bit stream with that of the authentic signals. But, due to processing, geometrical, and cable delays, it is impossible for the spoofer to read the value of the incoming navigation data bits off the air and immediately replay them so that they arrive at the target receiver perfectly aligned with the authentic data bits and having the correct value over the entire length of each data bit. Indeed, this impossibility is precisely what makes navigation message authentication effective for GPS signal authentication, as discussed in [13] and [14].

Rather than read the navigation data bits off the air for immediate replay, the UT spoofer takes advantage of the near perfect predictability of the navigation data that modulate the GPS L1 C/A signals. Over the course of a 12.5-minute navigation data superframe, the spoofer collects the data bits corresponding to each tracked GPS satellite. Alternatively, the spoofer can obtain the 12.5-minute superframe for each satellite from its control computer. Thereafter, the spoofer compensates for its ∼5-ms processing delay and for geometrical and cable delays by predicting the value of the navigation data stream slightly more than 5 ms in advance. In this way, the spoofer can achieve meter-level alignment between its signals and the authentic ones at the location of the target receiver.

Variable Output Attenuation

Before exiting the spoofer, counterfeit signals pass through a digital attenuator with a 31.5-dB range whose attenuation value can be set dynamically by the control computer. This enables the spoofer to finely adjust the so-called spoofer power advantage, or the ratio of the power of the counterfeit signal ensemble to the power of the authentic signal ensemble as seen by the target receiver.

Noise Padding

The analog signal ensemble generated by the UT spoofer contains only a modest amount of noise interference. In other words, the native noise floor of the output signal ensemble is low, much lower than the noise floor present at the output of a high-quality GPS antenna's low-noise amplifier (LNA). To appreciate the consequence of this low native noise floor, consider that if the UT spoofer is configured to generate only a single output GPS L1 C/A signal (corresponding to a single PRN code), the native C/N0 of the output signal exceeds 60 dB-Hz. Of course, when more simulated GPS signals are added to the ensemble, the C/N0 associated with any one of the signals drops because the other signals act as interference.

A low native noise floor would not be a problem for the spoofer if it were always configured to match the power of each counterfeit signal to that of the corresponding authentic signal at the location of the target receiver's antenna, or in the case of a direct cable injection test, at the radio frequency (RF) input to the target receiver. In this case, the noise floor observed by the target receiver is essentially determined by the LNA in the receiver's antenna or in the receiver's own front-end.

But in many cases it may be advantageous for the spoofer to significantly overpower the authentic signals; for example, to eliminate interaction with them. Or it may be necessary to directly inject a powerful spoofing signal ensemble into the RF front-end of a receiver under test. In these cases, if the spoofer is generating less than ∼13 simulated signals, the C/N0 values registered by the target receiver for each received GPS signal become unnaturally high, owing to the low native noise floor of the spoofer's output ensemble. (When generating 13 or more signals, the signals' mutual interference is sufficient to establish an appropriate noise floor from the perspective of any particular signal.)

To prevent unnaturally high C/N0 values in these cases, the UT spoofer can be configured to add a variable level of "noise padding" (broadband interference) to its own output ensemble. In this way, the spoofer can dictate a maximum C/N0 value for each of its output signals even while transmitting at high power.

Receive Antenna

Prior to and during a spoofing attack, the spoofer draws in authentic GPS signals from a reference antenna. For the static scenarios in TEXBAT the reference antenna was a Trimble Geodetic Zephyr II antenna located on the WRW building on the campus of the University of Texas. For the dynamic scenarios, the antenna was a vehicle-mounted Antcom 53G1215A-XT-1 antenna. The reference antenna output is also combined with the spoofer output and fed into the RF signal capture system as the authentic signal stream.

Reference Clock

The GPS spoofer is fed with a stable reference from an external 10-MHz oven-controlled crystal oscillator (OCXO). An identical oscillator (not shown in Fig. 2) is used to drive the mixer and digitizer in the RF signal capture system.

RF Signal Capture System

A National Instruments PXIe-5663 6.6 GHz vector signal analyzer (VSA) was used to downmix and digitize the combined authentic and spoofing signals in each TEXBAT spoofing scenario. In accordance with the conclusions of the earlier section on bandwidth and quantization considerations, the VSA was configured to capture complex 16-bit samples at a rate of 25 Msps. The digitized data were then stored to disc.

RF Signal Replay System

The TEXBAT scenarios can be replayed through a National Instruments PXIe-5673E 6.6 GHz vector signal generator (VSG). Other VSGs may also be capable of replaying the data, which are stored simply as binary 16-bit in-phase and quadrature samples. A separate XML file accompanying each scenario's binary data file provides all parameters relevant to data replay.

RECORDING PROCEDURE

Contrary to what Fig. 2 implies, the authentic signal stream in the recorded TEXBAT scenarios did not come directly from the receive antenna. Instead, two "clean" (spoof-free) data sets were initially recorded, one static and one dynamic. The clean static data set was replayed through the NI VSG to serve as the authentic signal stream for TEXBAT scenarios 1-4. The clean dynamic data set was used similarly for scenarios 5 and 6. The clean dynamic data set was originally recorded from an antenna mounted atop a vehicle traveling in Austin, TX. Both clean data sets are provided as part of TEXBAT. This procedure for generating the TEXBAT recordings ensures that users of TEXBAT can observe the behavior of their systems under nominal unspoofed conditions and then repeat the test controlling for all variables except for the presence of spoofing.

Users of TEXBAT data will observe the effects of up to three different clocks in the carrier phase time histories produced by their receiver under test: (1) the oscillator that drove the VSA when recording the original clean data set, (2) the oscillator that drives the VSG when the TEXBAT user replays a scenario, and (3) the reference oscillator of the user's receiver under test. A stable external OCXO reference oscillator was used to drive the VSA and VSG at each stage of recording and playback to ensure that clock effects on the recorded TEXBAT data would be mild. Most likely, the clock effects imprinted on the data by the recording hardware will be less significant than those imprinted by the receiver under test. Note that during a TEXBAT scenario recording the VSG replaying the authentic signal stream and the VSA recording the combined spoofed and authentic signal streams are driven by the same external oscillator; thus, this stage of the recording procedure does not introduce any additional clock effects.

Each of the six TEXBAT spoofing scenarios is approximately 7 minutes (420 seconds) long. No spoofing signals were injected during the first 100 seconds or so to allow time for receivers under test to brace for the attack by acquiring all authentic signals present and obtaining a clean navigation and timing solution.

DETAILED DESCRIPTION OF TEXBAT SCENARIOS

TEXBAT includes six spoofing attack scenarios plus two clean data sets on which the scenarios are based. Table I summarizes the essential parameters of each of the six scenarios. "Spoofing Type" indicates the dimension along which the spoofing occurs, whether position or time. If position, the spoofer gradually induces an erroneous 600-meter position offset in the target receiver's perceived Earth-centered, Earth-fixed (ECEF) position coordinates; if time, it gradually induces an erroneous 2-µs (600-meter-equivalent) offset in the receiver's perceived GPS time. "Platform Mobility" indicates whether the GPS navigation solution derived from the underlying clean data set is static or dynamic. Scenarios 1-4 are static scenarios based on the clean static data set; scenarios 5 and 6 are dynamic scenarios based on the clean dynamic data set. "Power Adv." indicates the spoofer's power advantage, or the ratio of the power of the counterfeit signal ensemble to the power of the authentic signal ensemble as seen by the target receiver. Power advantage is expressed in dB. "Frequency Lock" indicates whether the spoofer was configured to operate in its frequency lock mode or in its default unlocked mode, as described previously. "Noise Padding" indicates whether the spoofer was configured to noise-pad its output signals ("Enabled") or transmit without additional noise padding ("Disabled"). "Size" indicates the size of the binary file in which the scenario data are recorded, in GB.

To facilitate development of spoofing detection techniques, a discussion of each TEXBAT scenario follows. The response of a particular GPS L1 C/A receiver, the science-grade UT/Cornell/ASTRA CASES sensor [31], [32], [33], to each scenario's spoofing attack will be presented graphically. It will become clear that each scenario offers obvious clues indicating the presence of spoofing.

Scenario 1: Static Switch

Scenario 1 involves a near-instantaneous switch from an exclusively authentic signal stream to an exclusively counterfeit stream. This scenario is meant to represent a case where the spoofer operator has physical access to the target receiver's antenna and can cleanly substitute, either by blocking the authentic signals or by cable switch-out, the counterfeit signals for the authentic ones.

The counterfeit signal ensemble in Scenario 1 is much weaker than the (amplified) authentic ensemble, so the switch event is obviously evident in the time history of normalized signal power at about the 100-second mark in Fig. 3. Clearly, an in-band power indicator would have easily detected a disruption in the antenna environment or RF chain in this case. But it should be borne in mind that the spoofer easily could have matched the pre- and post-switch in-band power levels; thus, in-band power is not a robust spoofing indicator for a case involving a switch attack.

Figure 4 shows that after the switch event the C/N0 of a representative GPS signal falls by several dB (top panel). A simple spoofing detection strategy could be designed to trigger on this discontinuity. However, it should be noted that the spoofer could have reduced or eliminated the discontinuity by decreasing the level of its noise padding. Moreover, there is no indication either in the Doppler time history fD(t) or in the phase trauma flag that spoofing is present.

Figure 5 shows the time history of the receiver ECEF position deviation from the mean. Comparing the blue and green traces, it is clear that no reliable indicator of spoofing can be extracted from the navigation solution alone in this case. Similarly, Fig. 6 shows that the receiver clock offset rate δṫR (bottom panel) would not be a reliable indicator in this case. The receiver clock offset δtR (top panel) shows a ∼10-meter discontinuity at the switch event. This indicates that there was a ∼30-ns common-mode error (advance) in the spoofer's alignment with the authentic signals. This may seem like a telltale signature on which a detector could trigger, but it is not a reliable indicator given that there is nothing inherently difficult in compensating for this common code phase advance inside the spoofer.

It should be pointed out that even though in this scenario the spoofer did not attempt to drag the target receiver off in time, it well could have, and at a rate gradual enough to be within the drift envelope of the target's reference oscillator.

Figure 7 shows, for a short interval spanning the switch event, the navigation-data-free output time history of 21 complex correlation taps uniformly spaced at an interval of 0.1 C/A code chips and centered at the receiver's prompt tap. These in-phase (top panel) and quadrature (bottom panel) strip charts are highly informative for spoofing detection. In fact, it can be shown that these data (at an arbitrarily short accumulation interval and including the data bit modulation) and a total in-band power measurement together constitute the complete information set
available for GPS signal authentication. It is obvious from Fig. 7 that a disruption began between 90 and 100 seconds. Not only did the amplitude of the in-phase accumulations change, but also the correlation shape changed slightly. Moreover, a Fourier transform of the complex time history from any single tap would reveal the post-attack emergence of anomalous frequencies in the complex accumulations.

TABLE I
Texas Spoofing Test Battery: Scenario Summary

Scenario Designation                   Spoofing Type   Platform Mobility   Power Adv. (dB)   Frequency Lock   Noise Padding   Size (GB)
1: Static Switch                       N/A             Static              N/A               Unlocked         Enabled         43
2: Static Overpowered Time Push        Time            Static              10                Unlocked         Disabled        42.5
3: Static Matched-Power Time Push      Time            Static              1.3               Locked           Disabled        42.6
4: Static Matched-Power Pos. Push      Position        Static              0.4               Locked           Disabled        42.6
5: Dynamic Overpowered Time Push       Time            Dynamic             9.9               Unlocked         Disabled        38.9
6: Dynamic Matched-Power Pos. Push     Position        Dynamic             0.8               Locked           Disabled        38.9

Unfortunately, in the case of a switch attack, a sophisticated spoofer could be designed to avoid causing these and other distortions of the complex correlation function. The absence of interaction between the authentic and counterfeit signals allows the spoofer to focus on refining its switchover procedure and the shape and behavior of its induced complex correlation function. This implies that the switch attack is an especially potent one for the spoofer.

Fortunately, analysis of subsequent scenarios will reveal that, for attacks in which both authentic and counterfeit signals are present at significant levels, it is exceedingly challenging for the spoofer to prevent distortion of the complex correlation function due to interaction between the authentic and counterfeit signals.

Scenario 2: Static Overpowered Time Push

In Scenario 2, the spoofer executes a timing attack with a 10-dB power advantage over the authentic signal ensemble. The sequence of figures depicting the effects of the attack is the same as for Scenario 1 (this is also true for all subsequent scenarios).

Attacking with overwhelming power is to the spoofer's ad-

[Fig. 3 plot: normalized power (dB) versus time in seconds, 0 to 450 s.]
Fig. 3. Scenario 1: Time history of normalized power in a 2-MHz band centered at GPS L1.

[Fig. 4 plot: C/N0 (dB-Hz), fD (Hz) and phase trauma flag versus time in seconds, 0 to 450 s.]
Fig. 4. Scenario 1: Time history of C/N0 (top panel), fD (center panel), and the phase trauma indicator (bottom panel) corresponding to a single signal being spoofed. In each panel, the green trace shows the receiver's unspoofed response and the blue trace shows the receiver's spoofed response.

[Fig. 5 plot: ΔX, ΔY, ΔZ (meters) versus time in seconds, 0 to 450 s.]
Fig. 5. Scenario 1: Time history of receiver ECEF position deviation from mean. In each panel, the green trace shows the receiver's unspoofed response and the blue trace shows the receiver's spoofed response.
40 slope in Fig. 8 shallower), such a gradual increase would
20 expose the spoofer to detection by techniques looking for
δ t (meters)

interaction between the authentic and counterfeit signals.


0
Hence, in a non-switch attack the spoofer can be effectively
R

−20 “boxed in” by a combination of in-band power monitoring


and complex correlation function monitoring.
−40
0 50 100 150 200 250 300 350 400 450
Figure 9 shows that the spoofer in Scenario 2 significantly
0.2
increased the C/N0 of a representative GPS signal as it
d/dt δ t (meters/second)

initiated its attack. There is also an obvious deviation in


0.1 fD due to the spoofer’s effecting the time spoofing in its
0 default frequency unlocked mode. As it moves the tar-
get receiver off in time, the spoofer adjusts the induced
R

−0.1
Doppler fD to be appropriately proportional to the rate
−0.2 of change in the common code phase. It is interesting to
0 50 100 150 200 250 300 350 400 450
Time in seconds note in the lower panel in Fig. 9 that both the initial
takeover (at around 80 seconds) and the initial time pull-
Fig. 6. Scenario 1: Time history of δtR (top panel) and δt˙R (bottom off (at around 115 seconds) disturb the composite carrier
panel). In each panel, the green trace shows the receiver’s unspoofed
response and the blue trace shows the receiver’s spoofed response. phase enough to trigger the target receiver’s phase trauma
indicator.

1
Because Scenario 2 involves only a time attack, there is
little effect on the target receiver’s ECEF position history,
Inphase lag in chips

0.5 though, as with the phase trauma indicator, there is some


disturbance at initial capture and initial time pull-off (Fig.
0
10).
−0.5 The profile of the timing attack is evident in Fig. 11. In its
frequency unlocked mode, the spoofer induces a common
−1
1 offset in fD on all signals. The offset follows a trapezoidal
trajectory, which translates to a trapezoidal excursion in
Quadrature lag in chips

0.5 δt˙R (lower panel) that is obviously well outside the en-
velope of this particular receiver’s native clock variations.
0
But with a shallower acceleration profile, or a less-stable
−0.5
receiver clock, the variation in δt˙R may not appear anoma-
lous.
−1
90 92 94 96 98 100 102 104 106 108 110 As was true for Scenario 1, the complex correlation func-
Time in seconds
tion plots (Fig. 12) reveal a great deal about Scenario
Fig. 7. Scenario 1: Navigation-data-free output time history of 21 2. Most striking is the oscillation that begins just after
complex correlation taps uniformly spaced at an interval of 0.1 C/A 110 seconds. This has an intuitive explanation. Because
code chips and centered at the receiver’s prompt tap. In-phase (top
panel) and quadrature (bottom panel) accumulations are based on
frequency lock is disabled, the relative (counterfeit to au-
2-second coherent summations. thentic) phase angle begins to ramp, following a profile
proportional to the ramp of δtR in the upper panel of Fig.
11. Consequently, the composite counterfeit and authentic
vantage in the sense that the authentic signals are forced signal phasor, which is the one actually being tracked by
into the noise floor by the action of the target receiver’s the receiver’s phase lock loop, begins to experience am-
automatic gain control function. Thus, the weak vesti- plitude variations: the counterfeit and authentic phasors
gial authentic signals do not interact significantly with the interact now constructively, now destructively. Note that
counterfeit signals, which implies that a high-power at- a strong oscillation is evident even though the counterfeit
tack’s correlation signature may look no more suspicious phasor is 3.1 times longer (10 time more powerful) than
than that of a switch attack. the authentic one.
However, the target receiver can readily detect a high- Clearly, such an oscillation raises suspicion of a spoofing
power attack by monitoring its in-band received power. attack. It is, however, not conclusive given than strong
Figure 8 makes this evident: the spoofer’s 10-dB power natural multipath signals tend to cause a similar oscillation
advantage reveals itself as an abrupt 8-dB increase in the [18], [34]. Moreover, the spoofer can prevent the telltale
in-band power. While it is true that the spoofer could oscillation by decoupling the code and carrier phase in the
slow the rate at which it increases power (i.e., make the

8
signals it generates, as the UT spoofer does in its frequency 10

∆ X (meters)
lock mode.
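A defender-side sketch of the combination just described, in-band power monitoring together with complex correlation function monitoring and a check of δṫR against the receiver's native clock envelope, as an added Python example that is not from the paper or the TEXBAT tooling; the time series it runs over, the event times and the thresholds are constructed for illustration.

```python
"""Added example (not the paper's code): three monitors that together "box in"
a non-switch spoofer, run over constructed 1-Hz time series shaped like the
Scenario 2 narrative (10-dB overpowered time push, takeover near 80 s,
pull-off near 110 s). Event times, thresholds and the synthetic series are
assumptions for illustration, not TEXBAT measurements."""
import math
from typing import List, Tuple

POWER_STEP_DB = 3.0     # assumed: in-band rise a static site would not see naturally
SWING_DB = 3.0          # assumed: peak-to-trough |prompt| swing that counts as beating
MIN_REVERSALS = 3       # assumed: direction reversals of |prompt| needed in one window
DRIFT_SIGMA_MULT = 5.0  # assumed: delta-t-dot excursion, in quiet-period sigmas


def power_step_alarm(power_db: List[float], baseline_n: int,
                     threshold_db: float = POWER_STEP_DB) -> int:
    """In-band power monitoring (cf. Fig. 8): index of the first sample that
    exceeds the quiet-period mean by threshold_db, or -1 if none does."""
    base = sum(power_db[:baseline_n]) / baseline_n
    for i, p in enumerate(power_db):
        if p - base > threshold_db:
            return i
    return -1


def prompt_oscillation_alarm(prompt_mag: List[float], window: int,
                             swing_db: float = SWING_DB,
                             min_reversals: int = MIN_REVERSALS) -> int:
    """Complex correlation function monitoring (cf. Fig. 12): first window start
    in which the prompt-tap magnitude both swings by more than swing_db and
    reverses direction at least min_reversals times, i.e. beats rather than
    merely steps. A one-time jump at takeover has a large swing but no
    reversals, so it does not trip this check. Returns -1 if nothing trips."""
    for s in range(len(prompt_mag) - window + 1):
        w = prompt_mag[s:s + window]
        swing = 20 * math.log10(max(w) / min(w))
        d = [b - a for a, b in zip(w, w[1:])]
        reversals = sum(1 for x, y in zip(d, d[1:]) if x * y < 0)
        if swing > swing_db and reversals >= min_reversals:
            return s
    return -1


def clock_drift_alarm(delta_t_r_m: List[float], dt_s: float, baseline_n: int,
                      k: float = DRIFT_SIGMA_MULT) -> int:
    """delta-t-dot monitoring (cf. Fig. 11, lower panel): differentiate the clock
    offset delta_t_R (meters) into a drift rate (m/s), take the native clock's
    envelope from the quiet period, and flag the first sample whose rate leaves
    that envelope by more than k sigma. Returns -1 otherwise."""
    rate = [(b - a) / dt_s for a, b in zip(delta_t_r_m, delta_t_r_m[1:])]
    base = rate[:baseline_n]
    m = sum(base) / len(base)
    sd = math.sqrt(sum((x - m) ** 2 for x in base) / len(base))
    for i, r in enumerate(rate):
        if abs(r - m) > k * sd:
            return i + 1
    return -1


def constructed_series(spoofed: bool, n: int = 450, takeover: int = 80,
                       pulloff: int = 110) -> Tuple[List[float], List[float], List[float]]:
    """Constructed 1-Hz series: (in-band power dB, |prompt|, delta_t_R meters).
    Spoofed: a counterfeit phasor of length r = 10^(10/20) joins the authentic
    phasor of length 1 at takeover; from pull-off the (frequency-unlocked)
    spoofer lets the relative phase ramp and delta_t_R follows a trapezoidal
    velocity profile. Unspoofed: native clock wander only."""
    r = 10 ** (10 / 20)
    phase_rate = 0.9        # assumed relative phase advance per sample, rad
    power, prompt, dtr = [], [], []
    pushed = 0.0            # accumulated spoofer-induced offset, meters
    for i in range(n):
        attacking = spoofed and i >= takeover
        pulling = spoofed and i >= pulloff
        power.append(8.0 if attacking else 0.0)
        theta = phase_rate * (i - pulloff) if pulling else 0.0
        prompt.append(math.hypot(r + math.cos(theta), math.sin(theta))
                      if attacking else 1.0)
        if pulling:
            j = i - pulloff
            v = min(0.2 * j, 4.0) if j < 150 else max(4.0 - 0.2 * (j - 150), 0.0)
            pushed += v     # m/s over a 1-s step
        dtr.append(0.5 * math.sin(0.3 * i) + pushed)
    return power, prompt, dtr


def run_monitors(spoofed: bool) -> Tuple[int, int, int]:
    """Alarm indices (-1 = no alarm) of the three monitors for one constructed run."""
    power, prompt, dtr = constructed_series(spoofed)
    return (power_step_alarm(power, 60),
            prompt_oscillation_alarm(prompt, 12),
            clock_drift_alarm(dtr, 1.0, 80))


if __name__ == "__main__":
    print("unspoofed:", run_monitors(False))
    print("spoofed:  ", run_monitors(True))
```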
Fig. 8 (plot not reproduced; axes: Normalized Power (dB) vs. Time in seconds). Scenario 2: Time history of normalized power in a 2-MHz band centered at GPS L1.

Fig. 9 (plot not reproduced; panels: C/N0 (dB-Hz), fD (Hz), Phase Trauma Flag vs. Time in seconds). Scenario 2: Time history of C/N0 (top panel), fD (center panel), and the phase trauma indicator (bottom panel) corresponding to a single signal being spoofed. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 10 (plot not reproduced; panels: ∆X, ∆Y, ∆Z (meters) vs. Time in seconds). Scenario 2: Time history of receiver ECEF position deviation from mean. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 11 (plot not reproduced; panels: δtR (meters), d/dt δtR (meters/second) vs. Time in seconds). Scenario 2: Time history of δtR (top panel) and δṫR (bottom panel). In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Scenario 3: Static Matched-Power Time Push

Scenario 3 is identical to Scenario 2 except that the spoofer’s power advantage is reduced from 10 dB to 1.3 dB and the spoofer’s frequency lock mode is enabled. The reduction in power advantage is evident in Fig. 13, which shows that the 1.3 dB power advantage leads to an increase in in-band power of only 2.3 dB, compared to 8 dB for Scenario 2. Scenario 3 is meant to represent a case in which the spoofer attempts to approximately match its ensemble power to that of the authentic signals.

Figures 15 to 17 reveal the consequences of having frequency lock enabled and nearly-matched counterfeit and authentic signal ensemble power. The absence of phase trauma events and anomalous excursions in fD and δṫR reflects the fact that the spoofer’s induced carrier phase is well-behaved—approximately locked at some relative phase angle to the corresponding authentic signal’s carrier phase. However, Figs. 14 and 17 make it clear that the UT spoofer’s frequency locking behavior is not perfect: there exists a slight residual differential Doppler that causes the counterfeit and authentic phasors, now approximately matched in magnitude, to slowly rotate with respect to each other. This slow beating gives rise to sustained intervals of constructive (high C/N0) and destructive (low C/N0) interference whose C/N0 values differ by 10 dB. Such beating could only be ascribed to multipath in a narrow set of circumstances in which the direct-path signal has been attenuated and the multipath and direct signals exhibit a slight differential Doppler. But such cases could be distinguished from the present one because in the former the in-band signal power would not be expected to rise.

Fig. 12 (plot not reproduced; panels: Inphase lag in chips, Quadrature lag in chips vs. Time in seconds). Scenario 2: Navigation-data-free output time history of 21 complex correlation taps uniformly spaced at an interval of 0.1 C/A code chips and centered at the receiver’s prompt tap. In-phase (top panel) and quadrature (bottom panel) accumulations are based on 2-second coherent summations.

Note that although the slow beating in this case is an artifact of the UT spoofer’s inability to achieve perfect frequency lock, it remains true that when counterfeit and authentic signals are approximately matched in power the spoofer can hardly avoid some kind of constructive or destructive interference. This follows from the spoofer’s presumed inability to precisely control the initial relative counterfeit-to-authentic carrier phase.

Note also that although in this scenario the spoofer successfully induced a 600-meter (∼2-µs) offset in δtR in the particular receiver targeted, the pulloff was not smooth. Without the benefit of overwhelming signal power and without the frequency aiding from the target receiver’s phase lock loop (a consequence of the spoofer’s having frequency lock enabled), the spoofer struggles to induce the target receiver’s delay lock loops to track its signals instead of the authentic ones. The large excursions in ECEF position (Fig. 15) and the rough initial departure of δtR (upper panel of Fig. 16) are evidence of a struggle between the counterfeit and authentic signals for control of the target receiver’s delay lock loops.

Fig. 13 (plot not reproduced; axes: Normalized Power (dB) vs. Time in seconds). Scenario 3: Time history of normalized power in a 2-MHz band centered at GPS L1.

Fig. 14 (plot not reproduced; panels: C/N0 (dB-Hz), fD (Hz), Phase Trauma Flag vs. Time in seconds). Scenario 3: Time history of C/N0 (top panel), fD (center panel), and the phase trauma indicator (bottom panel) corresponding to a single signal being spoofed. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 15 (plot not reproduced; panels: ∆X, ∆Y, ∆Z (meters) vs. Time in seconds). Scenario 3: Time history of receiver ECEF position deviation from mean. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 16 (plot not reproduced; panels: δtR (meters), d/dt δtR (meters/second) vs. Time in seconds). Scenario 3: Time history of δtR (top panel) and δṫR (bottom panel). In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 17 (plot not reproduced; panels: Inphase lag in chips, Quadrature lag in chips vs. Time in seconds). Scenario 3: Navigation-data-free output time history of 21 complex correlation taps uniformly spaced at an interval of 0.1 C/A code chips and centered at the receiver’s prompt tap. In-phase (top panel) and quadrature (bottom panel) accumulations are based on 4-second coherent summations.

Scenario 4: Static Matched-Power Position Push

Scenario 4 is identical to Scenario 3 except that the spoofer’s power advantage has been reduced still further (from 1.2 to 0.4 dB) and the spoofing drives the target receiver off in position instead of time—specifically, an offset of 600 m in the Z-coordinate.

The spoofer’s near-zero-dB power advantage is evident in two ways in Fig. 18. First, the steady-state increase in in-band power is low—less than 2 dB. Second, there arises an oscillation in the in-band power during initial pulloff. This oscillation reflects a substantial coherence in the spoofing signals: their constructive and destructive interaction with the authentic signals tends to occur in unison. An oscillation is also manifest in Scenario 3’s in-band power (Fig. 13), but its amplitude is less because the counterfeit and authentic signal powers are not so evenly matched.

Even more than with Scenario 3, the spoofer’s low power advantage and the approximately locked counterfeit-to-authentic carrier phase make pulloff of the target receiver’s delay lock loops a challenge. In fact, the persistent offset in ∆X (Fig. 15) and δtR (Fig. 16), despite the spoofing being solely in the Z dimension, suggests that at least one of the target receiver’s channels remained locked to the authentic signal in this case. This again highlights that for the spoofer a low power advantage is perilous.

Fig. 18 (plot not reproduced; axes: Normalized Power (dB) vs. Time in seconds). Scenario 4: Time history of normalized power in a 2-MHz band centered at GPS L1.

Fig. 19 (plot not reproduced; panels: C/N0 (dB-Hz), fD (Hz), Phase Trauma Flag vs. Time in seconds). Scenario 4: Time history of C/N0 (top panel), fD (center panel), and the phase trauma indicator (bottom panel) corresponding to a single signal being spoofed. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 20 (plot not reproduced; panels: ∆X, ∆Y, ∆Z (meters) vs. Time in seconds). Scenario 4: Time history of receiver ECEF position deviation from mean. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.
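The composite-phasor picture behind the Scenario 2 oscillation, the Scenario 3 slow beating and the in-unison in-band power swing of Scenario 4, carried through as an added Python example that is not from the paper; the 10-dB and 1.3-dB advantages are the paper's values, while the pull-off rate, residual Doppler, initial phase and channel count are assumed.

```python
"""Added example (not the paper's code): a composite-phasor model of the
counterfeit/authentic interaction that the correlation plots reveal. The
authentic prompt-tap phasor has length 1 and phase 0; the counterfeit phasor
has length r = 10^(advantage_dB / 20) and relative phase theta; the receiver's
phase lock loop tracks their sum. The 10-dB and 1.3-dB advantages are the
paper's Scenario 2 and 3 values; pull-off rate, residual Doppler, initial
phase and channel count below are assumed for illustration."""
import math
from typing import List

L1_WAVELENGTH_M = 299792458.0 / 1575.42e6   # GPS L1 carrier wavelength, ~0.1903 m


def amplitude_ratio(advantage_db: float) -> float:
    """Counterfeit-to-authentic amplitude ratio; 10 dB gives about 3.16."""
    return 10 ** (advantage_db / 20)


def composite_magnitude(r: float, theta: float) -> float:
    """|r e^{j theta} + 1| (equivalently |r + e^{j theta}|): the phasor the
    PLL actually tracks."""
    return math.hypot(r + math.cos(theta), math.sin(theta))


def cn0_swing_db(advantage_db: float) -> float:
    """Peak-to-trough C/N0 excursion as theta turns through a full cycle,
    20 log10((r + 1) / |r - 1|). It is still several dB at a 10-dB advantage
    and unbounded at exactly matched power, which is why matched-power
    attacks can hardly avoid constructive/destructive interference."""
    r = amplitude_ratio(advantage_db)
    if math.isclose(r, 1.0):
        return math.inf
    return 20 * math.log10((r + 1) / abs(r - 1))


def relative_phase_unlocked(delta_t_r_m: float, phi0: float = 0.0) -> float:
    """Frequency-unlocked spoofer (Scenario 2): carrier stays coupled to code,
    so the relative phase advances one cycle per L1 wavelength of induced
    clock offset delta_t_R, i.e. proportional to the delta_t_R ramp."""
    return phi0 + 2 * math.pi * delta_t_r_m / L1_WAVELENGTH_M


def unlocked_beat_hz(pull_rate_m_per_s: float) -> float:
    """Oscillation frequency of the composite magnitude during an unlocked
    time pull-off at the given rate of change of delta_t_R (m/s)."""
    return pull_rate_m_per_s / L1_WAVELENGTH_M


def relative_phase_locked(t_s: float, residual_doppler_hz: float,
                          phi0: float) -> float:
    """Frequency-locked spoofer (Scenario 3): code and carrier are decoupled,
    so only a residual differential Doppler rotates the phasors, slowly."""
    return phi0 + 2 * math.pi * residual_doppler_hz * t_s


def magnitude_history(r: float, thetas: List[float]) -> List[float]:
    """Composite magnitude, sample by sample, for a relative-phase history."""
    return [composite_magnitude(r, th) for th in thetas]


def ensemble_power_db(r: float, thetas: List[float]) -> float:
    """In-band power of N spoofed channels relative to the authentic ensemble,
    10 log10(mean_i (r^2 + 1 + 2 r cos theta_i)). With one common relative
    phase (coherent spoofer, Scenario 4) the channels interfere in unison and
    the total swings; with spread phases the swing averages out."""
    terms = [r * r + 1 + 2 * r * math.cos(th) for th in thetas]
    return 10 * math.log10(sum(terms) / len(terms))


if __name__ == "__main__":
    print(f"10 dB: r = {amplitude_ratio(10.0):.2f}, swing = {cn0_swing_db(10.0):.1f} dB")
    print(f"1.3 dB: swing = {cn0_swing_db(1.3):.1f} dB")
    print(f"unlocked pull-off at 3 m/s beats at {unlocked_beat_hz(3.0):.1f} Hz")
    # Scenario-3-like slow beating: assumed 0.01 Hz residual Doppler, 1.3 dB
    hist = magnitude_history(amplitude_ratio(1.3),
                             [relative_phase_locked(t, 0.01, 0.0) for t in range(0, 200, 10)])
    print("locked, 1.3 dB:", [round(h, 2) for h in hist])
    common = [0.0] * 8
    spread = [2 * math.pi * k / 8 for k in range(8)]
    print(f"coherent ensemble peak {ensemble_power_db(1.0, common):.1f} dB, "
          f"spread-phase ensemble {ensemble_power_db(1.0, spread):.1f} dB")
```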

Fig. 21 (plot not reproduced; panels: δtR (meters), d/dt δtR (meters/second) vs. Time in seconds). Scenario 4: Time history of δtR (top panel) and δṫR (bottom panel). In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 22 (plot not reproduced; panels: Inphase lag in chips, Quadrature lag in chips vs. Time in seconds). Scenario 4: Navigation-data-free output time history of 21 complex correlation taps uniformly spaced at an interval of 0.1 C/A code chips and centered at the receiver’s prompt tap. In-phase (top panel) and quadrature (bottom panel) accumulations are based on 4-second coherent summations.

Scenario 5: Dynamic Overpowered Time Push

Scenario 5 is similar to Scenario 2 except that the receiver platform is dynamic rather than static and the spoofer’s frequency lock feature is disabled. The target receiver’s ability to defend itself from a spoofing attack is much eroded in this case. While as before the spoofer’s inelegant takeover leaves behind telltale variations in C/N0 and some phase trauma, the target receiver, considering its dynamic platform, may easily confuse these for natural phenomena. The challenge of spoofing detection on a dynamic platform is to distinguish spoofing effects from natural fading and multipath.

Fig. 23 (plot not reproduced; axes: Normalized Power (dB) vs. Time in seconds). Scenario 5: Time history of normalized power in a 2-MHz band centered at GPS L1.

Fig. 24 (plot not reproduced; panels: C/N0 (dB-Hz), fD (Hz), Phase Trauma Flag vs. Time in seconds). Scenario 5: Time history of C/N0 (top panel), fD (center panel), and the phase trauma indicator (bottom panel) corresponding to a single signal being spoofed. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response. The unspoofed and spoofed phase trauma indicators have different amplitudes only for visual clarity.

Fig. 25 (plot not reproduced; panels: ∆X, ∆Y, ∆Z (meters) vs. Time in seconds). Scenario 5: Time history of receiver ECEF position deviation from mean. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 26 (plot not reproduced; panels: δtR (meters), d/dt δtR (meters/second) vs. Time in seconds). Scenario 5: Time history of δtR (top panel) and δṫR (bottom panel). In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

Fig. 27 (plot not reproduced; panels: Inphase lag in chips, Quadrature lag in chips vs. Time in seconds). Scenario 5: Navigation-data-free output time history of 21 complex correlation taps uniformly spaced at an interval of 0.1 C/A code chips and centered at the receiver’s prompt tap. In-phase (top panel) and quadrature (bottom panel) accumulations are based on 4-second coherent summations.

Scenario 6: Dynamic Matched-Power Position Push

Scenario 6 is similar to Scenario 4 except that the receiver platform is dynamic rather than static. Again, the spoofer’s modest power advantage and frequency lock setting complicate its takeover of the target receiver’s tracking loops, forcing it to leave behind clues of its presence. To defend itself, the target receiver must distinguish these clues from similar variations that arise naturally on a dynamic platform.

Fig. 28 (plot not reproduced; axes: Normalized Power (dB) vs. Time in seconds). Scenario 6: Time history of normalized power in a 2-MHz band centered at GPS L1.

Fig. 29 (plot not reproduced; panels: C/N0 (dB-Hz), fD (Hz), Phase Trauma Flag vs. Time in seconds). Scenario 6: Time history of C/N0 (top panel), fD (center panel), and the phase trauma indicator (bottom panel) corresponding to a single signal being spoofed. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response. The unspoofed and spoofed phase trauma indicators have different amplitudes only for visual clarity.

Fig. 30 (plot not reproduced; panels: ∆X, ∆Y, ∆Z (meters) vs. Time in seconds). Scenario 6: Time history of receiver ECEF position deviation from mean. In each panel, the green trace shows the receiver’s unspoofed response and the blue trace shows the receiver’s spoofed response.

13
200 ceiver were analyzed, revealing numerous anomalies that
0 could be targeted for spoofing detection. In this regard,
δ t (meters)

the target receiver’s complex correlation function is espe-


−200
cially fraught with spoofing clues.
R

−400
An admixture of counterfeit and authentic signals of com-
−600 parable power inevitably leads to interaction between the
0 50 100 150 200 250 300 350 400 450
two, which, if the target receiver can distinguish from
20
natural multipath and fading effects, is a useful spoofing
d/dt δ t (meters/second)

indicator. In-band power monitoring effectively limits a


10
spoofer’s ability to eliminate interaction by increasing its
0 signal power advantage. Hence, in a non-switch attack
the spoofer can be effectively “boxed in” by a combina-
R

−10
tion of in-band power monitoring and complex correlation
−20
0 50 100 150 200 250 300 350 400 450
function monitoring. This is especially effective for static
Time in seconds receivers because the nominal local multipath and fading
environment can be characterized and thus distinguished
Fig. 31. Scenario 6: Time history of δtR (top panel) and δt˙R (bottom
panel). In each panel, the green trace shows the receiver’s unspoofed
from spoofing.
response and the blue trace shows the receiver’s spoofed response.
ENDNOTE
1
The University of Texas Radionavigation Laboratory has
teamed with National Instruments to offer TEXBAT
Inphase lag in chips

0.5
as a free data set to researchers, manufacturers, and
0 government entities wishing to develop and test GPS
L1 C/A signal authentication techniques. Please visit
−0.5 radionavlab.ae.utexas.edu and click on “RNL Public
Data Sets” for information on how to dowload TEXBAT.
−1
1
Quadrature lag in chips

0.5
References
[1] Humphreys, T. E., Ledvina, B. M., Psiaki, M. L., O’Hanlon,
0
B. W., and Kintner, Jr., P. M., “Assessing the spoofing threat:
development of a portable GPS civilian spoofer,” Proceedings
−0.5 of the ION GNSS Meeting, Institute of Navigation, Savannah,
GA, 2008.
−1
60 80 100 120 140 160 180 200 220 [2] Shepard, D. and Humphreys, T. E., “Characterization of Re-
Time in seconds ceiver Response to a Spoofing Attack,” Proceedings of the
ION GNSS Meeting, Institute of Navigation, Portland, Oregon,
Fig. 32. Scenario 6: Navigation-data-free output time history of 21 2011.
complex correlation taps uniformly spaced at an interval of 0.1 C/A
code chips and centered at the receiver’s prompt tap. In-phase (top [3] Shepard, D., Bhatti, J., and Humphreys, T., “Evaluation of
panel) and quadrature (bottom panel) accumulations are based on Smart Grid and Civilian UAV Vulnerability to GPS Spoofing
Attacks,” Proceedings of the ION GNSS Meeting, Institute of
4-second coherent summations.
Navigation, Nashville, Tennessee, 2012.
[4] Shepard, D. P., Humphreys, T. E., and Fansler, A. A., “Evalu-
ation of the Vulnerability of Phasor Measurement Units to GPS
CONCLUSIONS Spoofing Attacks,” International Journal of Critical Infrastruc-
ture Protection, 2012, to be published.
The Texas Spoofing Test Battery (TEXBAT), a set of six [5] Anon., “Vulnerability assessment of the transportation infras-
high-fidelity digital recordings of live static and dynamic tructure relying on the Global Positioning System,” Tech. rep.,
GPS L1 C/A spoofing tests, was introduced as a data set John A. Volpe National Transportation Systems Center, 2001.
for the development and evaluation of civil GPS signal au- [6] Anon., “Global Positioning System Impact To Critical Civil In-
thentication techniques. TEXBAT can also be thought of frastructure (GICCI),” Tech. rep., Mission Assurance Division,
Naval Surface Warfare Center, 2009.
as the data component of a draft standard for defining the
notion of spoofing resistance for civil GPS receivers. The [7] Kroener, U. and Dimc, F., “Hardening of civilian GNSS track-
ers,” Proceedings of the 3rd GNSS Vulnerabilities and Solutions
TEXBAT recording setup was designed to ensure that the Conference, Royal Institute of Navigation, Krk Island, Croatia,
recorded scenarios are, insofar as is practical, a faithful Sept. 2010.
representation of the corresponding live attacks. The ef- [8] Spilker, Jr., J. J., Global Positioning System: Theory and Ap-
fects of each of the six scenarios on a particular target re- plications, chap. 3: GPS Signal Structure and Theoretical Per-

14
formance, American Institute of Aeronautics and Astronautics, GPS Receiver,” Proceedings of the ION GNSS Meeting, Insti-
Washington, D.C., 1996, pp. 57–119. tute of Navigation, Nashville, Tennessee, 2012.
[9] Anon., “Global Positioning System Directorate Systems Engi- [26] Humphreys, T. E., “Statement on the vulnerability of
neering and Integration Interface Specification IS-GPS-200F,” civil unmanned aerial vehicles and other systems to civil
Tech. rep., 2011, http://www.gps.gov/technical/icwg/. GPS spoofing,” http://homeland.house.gov/sites/homeland.
house.gov/files/Testimony-Humphreys.pdf, July 2012.
[10] Scott, L., “Anti-spoofing and authenticated signal architectures
for civil navigation systems,” Proceedings of the ION GNSS [27] Curran, J., Borio, D., Lachapelle, G., and Murphy, C., “Re-
Meeting, Institute of Navigation, Portland, Oregon, 2003, pp. ducing Front-End Bandwidth May Improve Digital GNSS Re-
1542–1552. ceiver Performance,” Signal Processing, IEEE Transactions on,
Vol. 58, No. 4, april 2010, pp. 2399 –2404.
[11] Hein, G., Kneissl, F., Avila-Rodriguez, J.-A., and Wallner, S.,
“Authenticating GNSS: Proofs against spoofs, Part 2,” Inside [28] Hegarty, C., “Analytical model for GNSS receiver implementa-
GNSS , September/October 2007, pp. 71–78. tion losses,” NAVIGATION, Journal of the Institute of Navi-
gation, Vol. 58, No. 1, 2011, pp. 29.
[12] Pozzobon, O., “Keeping the Spoofs Out: Signal Authentica-
tion Services for Future GNSS,” Inside GNSS , Vol. 6, No. 3, [29] Humphreys, T. E., Ledvina, B. M., Psiaki, M. L., O’Hanlon,
May/June 2011, pp. 48–55. B. W., and Kintner, Jr., P. M., “Assessing the spoofing threat,”
GPS World, Vol. 20, No. 1, Jan. 2009, pp. 28–38.
[13] Wesson, K., Rothlisberger, M., and Humphreys, T. E., “Prac-
tical Cryptographic Civil GPS Signal Authentication,” NAVI- [30] Humphreys, T. E., Bhatti, J., and Ledvina, B., “The GPS As-
GATION, Journal of the Institute of Navigation, Vol. 59, No. 3, similator: a Method for Upgrading Existing GPS User Equip-
2012, pp. 177–193. ment to Improve Accuracy, Robustness, and Resistance to
Spoofing,” Proceedings of the ION GNSS Meeting, Institute of
[14] Humphreys, T. E., “Detection Strategy for Cryptographic Navigation, Portland, Oregon, 2010.
GNSS Anti-Spoofing,” IEEE Transactions on Aerospace and
Electronic Systems, 2011, to be published; available at http: [31] B.Deshpande, K., Bust, G. S., Clauer, C. R., Kim, H., Macon,
//radionavlab.ae.utexas.edu/detstrat. J. E., Humphreys, T. E., Bhatti, J. A., Musko, S. B., Crowley,
G., and Weatherwax, A. T., “Initial GPS Scintillation results
[15] Montgomery, P. Y., Humphreys, T. E., and Ledvina, B. M., “A from CASES receiver at South Pole, Antarctica,” Radio Sci-
Multi-Antenna Defense: Receiver-Autonomous GPS Spoofing ence, 2012, in preparation after favorable reviews.
Detection,” Inside GNSS , Vol. 4, No. 2, April 2009, pp. 40–46.
[32] O’Hanlon, B., Psiaki, M., Powell, S., Bhatti, J., Humphreys,
[16] White, N., Maybeck, P., and DeVilbiss, S., “Detection of in- T. E., Crowley, G., and Bust, G., “CASES: A Smart, Compact
terference/jamming and spoofing in a DGPS-aided inertial sys- GPS Software Receiver for Space Weather Monitoring,” Pro-
tem,” Aerospace and Electronic Systems, IEEE Transactions ceedings of the ION GNSS Meeting, Institute of Navigation,
on, Vol. 34, No. 4, 1998, pp. 1208–1217. Portland, Oregon, 2011.
[17] Ledvina, B. M., Bencze, W. J., Galusha, B., and Miller, I., “An [33] Crowley, G., Bust, G. S., Reynolds, A., Azeem, I., Wilder, R.,
In-Line Anti-Spoofing Module for Legacy Civil GPS Receivers,” O’Hanlon, B. W., Psiaki, M. L., Powell, S., Humphreys, T. E.,
Proceedings of the ION ITM , San Diego, CA, Jan. 2010. and Bhatti, J. A., “CASES: A Novel Low-Cost Ground-based
DualFrequency GPS Software Receiver and Space Weather
[18] Wesson, K., Shepard, D., Bhatti, J., and Humphreys, T. E., “An
Monitor,” Proceedings of the ION GNSS Meeting, Institute of
Evaluation of the Vestigial Signal Defense for Civil GPS Anti-
Navigation, Portland, Oregon, 2011.
Spoofing,” Proceedings of the ION GNSS Meeting, Institute of
Navigation, Portland, Oregon, 2011. [34] Pany, T., Riedl, B., Winkel, J., Worz, T., and Schwikert, R.,
“Coherent Integration Time: The Longer, the Better,” Inside
[19] Dehghanian, V., Nielsen, J., and Lachapelle, G., “GNSS Spoof-
GNSS , Vol. 4, No. 6, November/December 2009, pp. 52–61.
ing Detection Based on Receiver C/No Estimates,” Proceedings
of the ION GNSS Meeting, Institute of Navigation, Nashville,
Tennessee, 2012.
[20] Lorenzo, D. S. D., Gautier, J., Rife, J., Enge, P., and Akos, D.,
“Adaptive Array Processing for GPS Interference Rejection,”
Proceedings of the ION GNSS Meeting, Institute of Navigation,
Long Beach, CA, Sept. 2005.
[21] Broumandan, A., Jafarnia-Jahromi, A., Dehgahanian, V.,
Nielsen, J., and Lachapelle, G., “GNSS Spoofing Detection in
Handheld Receivers based on Signal Spatial Correlation,” Pro-
ceedings of the IEEE/ION PLANS Meeting, Institute of Navi-
gation, Myrtle Beach, SC, April 2012.
[22] Lo, S., DeLorenzo, D., Enge, P., Akos, D., and Bradley, P., “Sig-
nal Authentication,” Inside GNSS , Vol. 0, No. 0, Sept. 2009,
pp. 30–39.
[23] Psiaki, M. L., O’Hanlon, B. W., Bhatti, J. A., and Humphreys,
T. E., “Civilian GPS spoofing detection based on dual-receiver
correlation of military signals,” Proceedings of the ION GNSS
Meeting, Institute of Navigation, Portland, Oregon, 2011.
[24] Psiaki, M., O’Hanlon, B., Bhatti, J., Shepard, D., and
Humphreys, T., “GPS Spoofing Detection via Dual-Receiver
Correlation of Military Signals,” IEEE Transactions on
Aerospace and Electronic Systems, 2012, to be published; avail-
able at http://web.mae.cornell.edu/psiaki/.
[25] O’Hanlon, B., Psiaki, M., Bhatti, J., and Humphreys, T., “Real-
Time Spoofing Detection Using Correlation Between two Civil

15

You might also like