Signal Processing - September 2017 - 29

spoofing attacks have been proposed in scientific literature
(e.g., see [3] and references therein), the definition of robust
defenses is still an active research topic, also due to the wide
variety of attack scenarios.
The following discussion will focus on meaconing and
spoofing, and a list of possible attacks belonging to these categories is provided in Table 1. It is intended to be a survey
of the different threats, categorized with the granularity sufficient to distinguish the level of complexity/cost of realization
at the attacker side. At the receiver side, we will evaluate the
effectiveness of possible defensive mechanisms against various
threats in the section "Threat Analysis: Robustness of NMA/
SCA Against Specific Attacks." The attacks in Table 1 are
sorted according to an assessment of their cost, following the
definition of three cost items given in [9]: 1) the cost of developing or buying the hardware (HW), 2) the expertise required
to build the attack (including software development), and 3) the
complexity of operating the attack. The assessment has been
done over five qualitative levels (from very low to very high),
merging our personal expertise and knowledge with the results
presented in [3], [9], and [18]. Such an analysis has been done
for comparison purposes and is not intended to give absolute
values to the cost associated with each attack.
The attacks in Table 1 can be described by the following
definitions:
■ Meaconing: This is the reception and rebroadcasting of an
entire block of RF spectrum containing an ensemble of
received GNSS signals, without distinction between different satellite signals [3].
■ Meaconing with variable delay: This modified version of
classical meaconing aims to control the
delay introduced by the meaconer and to fool potential
countermeasures based on monitoring the clock
drift [12]. It is implemented by capturing the received RF
signal and replaying it with a variable delay on the entire
signal capture.
■ Meaconing with modem: Referred to as a relaying attack
or worm-hole attack [19], this is a type of meaconing in
which the receiver is connected to a remote antenna (for
example, via a real-time radio link) located at the pretended position.
■ Simplistic spoofing: This type of attacker is able to generate counterfeit GNSS signals, not necessarily reflecting
any information on the current broadcast signals [3]. It can
be put into practice by using:
* low-cost HW for receiving and replaying the GNSS signals. In this case, customized open-source signal simulators/synthesizers can be inserted in the setup to control
and/or modify some of the signal parameters.
* commercial HW simulators, which are normally expensive
and moderately complex to use.
■ Intermediate spoofing: In this case, the spoofer synchronously generates counterfeit signals, trying to simultaneously attack each tracking channel of the target receiver by
first performing the code-phase alignment between false
and genuine received signals [20].

■ Intermediate self-spoofing (also known as cooperative or
limpet spoofing): This refers to the case in which a complicit
victim user directly performs an intermediate attack [9]. The
key difference with respect to the previous attack is the
knowledge of the true location (and other states) of the
receiver, which is easily obtained and usable by the attacker.
■ Estimation and replay: This attack implies that the
spoofer receives the signal, estimates some information
on it, and uses that to generate a spoofer signal, generally
with a delay [21]. When applied to a signal with cryptographic defenses including unpredictable security codes,
the attack can be called security code estimation and
replay (SCER) [22]. Such an attack attempts to estimate
(and not only to predict) the values of each signal's
unpredictable security code chips (or navigation data
bits) on the fly.
■ Forward estimation attack (FEA): The basic idea of this
attack, recently proposed in [18], is to exploit the forward
error correction and interleaving schemes adopted in the
navigation message to increase the success rate of an estimation and replay attack, assuming that the receiver does
not perform any check before decoding the unpredictable symbols.
■ Meaconing with multiple receiver antennas: This involves a
more sophisticated meaconer that uses multiple receiver
antennas to independently steer the relative delays of its false
transmissions and produce specific position fixes [9].
■ Meaconing/spoofing with multiple transmission (transceiver)
antennas: Described in [9] as an advanced spoofer, it acts
against a multiantenna victim receiver, able to use multiple
independent spoofer transceiver antennas and match each one
to a corresponding receiver antenna.
■ Meaconing/spoofing with high-gain antennas: This is a sophisticated spoofing attack, based on the use of antennas with
enough gain to directly separate single GNSS signal components from the noise, including, for example, unknown or encrypted code chips of restricted-access signals. Depending
on the antennas' directional gain, the achievable signal-to-noise ratio might not be sufficient to correctly estimate and
then spoof the signal components from all the satellites [19].
In such a situation, a meaconing-like attack is still feasible,
with some similarities to the previous case of meaconing
with multiple receiver antennas.
■ Nulling attack: This is an advanced spoofing technique
described in [9]. The spoofer also transmits the negative of
the true signals (i.e., with the same power but opposite carrier
phase), which are thereby canceled at the victim receiver
side. Such cancelation, aiming to eliminate any vestigial trace
of the true signal that could otherwise allow detecting the
attack, is very hard to achieve in practice.
■ Sophisticated spoofing: This can be carried out by a set of
coordinated and synchronized spoofers, able to attack the
victim receiver in an organized way [20]. Such coordinated
spoofers are able to generate and transmit counterfeit signals
as in the case of intermediate spoofing. In addition, they have
subcentimeter-level three-dimensional position information

IEEE SIGNAL PROCESSING MAGAZINE | September 2017 | 29
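The clock-drift monitoring that the definition of meaconing with variable delay refers to can be sketched as a receiver-side check. This is an added example, not code from the article or from [12]; the function names, thresholds, and clock-bias series are constructed for illustration. It assumes that the common delay of a replayed signal ensemble shows up in the receiver's estimated clock bias.

```python
import random

def fit_line(ts, ys):
    """Least-squares fit y = a + b*t; returns (a, b)."""
    n = len(ts)
    mt, my = sum(ts) / n, sum(ys) / n
    sxx = sum((t - mt) ** 2 for t in ts)
    b = sum((t - mt) * (y - my) for t, y in zip(ts, ys)) / sxx
    return my - b * mt, b

def monitor(bias, window=30, step_thresh=200e-9, drift_tol=5e-9):
    """Scan a 1 Hz clock-bias series (seconds); return (step_alarms, drift_alarms).

    step alarm : a sample deviates from the linear prediction of the
                 preceding window by more than step_thresh seconds
    drift alarm: the drift fitted on the preceding window differs from the
                 baseline drift (first window) by more than drift_tol s/s
    Both thresholds are assumed values; in practice they follow from the
    receiver oscillator's specified stability.
    """
    ts = list(range(len(bias)))
    _, base_drift = fit_line(ts[:window], bias[:window])
    steps, drifts = [], []
    for k in range(window, len(bias)):
        a, b = fit_line(ts[k - window:k], bias[k - window:k])
        if abs(bias[k] - (a + b * k)) > step_thresh:
            steps.append(k)
        if abs(b - base_drift) > drift_tol:
            drifts.append(k)
    return steps, drifts

def synth(n=120, drift=1e-7, sigma=10e-9, delay=lambda t: 0.0, seed=7):
    """Constructed clock-bias series: offset + oscillator drift + noise + added delay."""
    rng = random.Random(seed)
    return [1e-3 + drift * t + delay(t) + rng.gauss(0, sigma) for t in range(n)]

T0 = 60  # constructed: second at which the replayed signal captures the receiver
clean = synth()
fixed = synth(delay=lambda t: 2e-6 if t >= T0 else 0.0)               # constant replay delay
ramped = synth(delay=lambda t: 20e-9 * (t - T0) if t >= T0 else 0.0)  # slowly growing delay

if __name__ == "__main__":
    for name, series in (("clean", clean), ("fixed", fixed), ("ramped", ramped)):
        steps, drifts = monitor(series)
        print(f"{name:7s} first step alarm: {steps[:1]}  first drift alarm: {drifts[:1]}")
```

On this constructed data the fixed delay raises the step alarm at the capture instant, while the ramped delay is visible only to the drift check, so a monitor needs both tests and a drift tolerance set as tightly as the oscillator's stability allows.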


