Introduction

Spoofing poses an increasingly common threat to users of Global Navigation and Satellite Systems (GNSS), impacting safety and mission-critical applications across terrestrial, maritime and aerial domains. As a result, unprotected GNSS receivers and other GNSS dependent systems are becoming increasingly vulnerable to attack, regardless of whether they are intended targets or accidental victims. Understanding various spoofing attacks and their operational impacts on any receivers is vital. This understanding includes the ability to identify various methods of attacks, evaluate failure patterns, grasp how a device reacts to a given threat, as well as understanding of recovery procedures (Homeland 2022). Addressing these challenges involves the development of anti-spoofing techniques by the end users or more particularly, receiver manufacturers.

The introduction of civilian GPS spoofing, as documented in Humphreys et al. (2008), marked a significant shift in the threat landscape. Unlike previous spoofing attempts that relied on initial jamming, this new approach deceives target receivers at the tracking stage without significantly compromising the tracking characteristics (i.e., in terms of variation in phase or code tracking loops). Following this, the landscape for commercial GNSS users underwent a notable change with the emergence of affordable GPS spoofers, as discussed in Lin and Qing (2015). The affordability of basic spoofing afterwards led to an upsurge in spoofing incidents (EUSPA 2023b; GPSWorld 2023). In response to these growing threats, research on spoofing detection and mitigation techniques has been ongoing since the introduction of civilian GPS spoofers (Montgomery et al. 2009; Cavaleri et al. 2010; Broumandan et al. 2015; Magiera and Katulski 2015; Orouji and Mosavi 2021; Shang et al. 2022). A comprehensive exploration of various spoofing generation techniques, receiver vulnerabilities on spoofing, and approaches for detection and mitigation are presented in Jafarnia-Jahromi et al. (2012), including example spoofing scenarios for real-world receiver testing.

The spoofing detection can be preliminary categorized into four groups: signal power monitoring, multi-correlator tracking (Jafarnia-Jahromi et al. 2012; Guo et al. 2018; Turner et al. 2020), signal quality monitoring (Phelts 2001), and cryptographic signature validation (Anderson et al. 2017; Motella et al. 2021). Numerous other approaches have been proposed, such as spatial processing, time of arrival discriminator, consistency checks with other navigation systems, code and phase rate consistency check, and received ephemeris consistency check, among others.

As the way of spoofing attacks and their characteristics continuously evolve alongside the modernization of GNSS signals, continuous research is vital for the development of effective detection and mitigation techniques. For instance, monitoring correlation peaks is one such technique, as multipath and spoofing both distort the peaks in the composite signal. If the code and carrier phase of the spoofing signal closely align with the authentic signal, the correlation peak monitoring based technique may erroneously detect the spoofing signal as multipath (Magiera and Katulski 2015). Therefore, thorough evaluation and testing of each spoofing detection or mitigation technique is essential to address the evolving and growing nature of spoofing threats.

Evaluating the effectiveness of these techniques requires commonly used datasets resembling real-world situations. This is often accomplished by establishing a spoofing test-bed consisting of one or more software/hardware simulator and other complex setups. One such test-bed is essential for performing various vulnerability assessments, providing fine-grained control over crucial parameters. These tests aim to evaluate the resilience of Position Navigation and Timing (PNT) systems by determining how GNSS receivers react to potential spoofing attacks, applying mitigation techniques, re-testing the improved system and adjusting parameters as needed (Perdue et al. 2016). However, establishing such a complex test-bed typically requires significant budget, specialized software and hardware, expert professionals and time. Furthermore, achieving a code and carrier phase-aligned coherent spoofing attack is extremely difficult and often requires repeated attempts.

Therefore, a set of well-known open datasets emerges as a pragmatic solution to save money and time and to ease complexity. The Texas Spoofing Test Battery (TEXBAT) is one such dataset introduced by the University of Texas (Humphreys et al. 2012). For many years, researchers and professionals have been driven to the TEXBAT datasets to assess the spoofing vulnerability of GPS receivers. Various statistical spoofing detection and mitigation techniques are proposed by using TEXBAT datasets including (Gamba et al. 2017; Kuusniemi et al. 2017; Khan et al. 2020). The Oak Ridge Spoofing and Interference Test Battery (OAKBAT) was introduced following the framework of the TEXBAT datasets (Albright et al. 2020). OAKBAT datasets contain GPS L1 C/A and Galileo E1 signals while TEXBAT datasets contain only GPS L1 C/A signals. These datasets and studies have primarily focused on legacy GNSS signals and have demonstrated various approaches to identify and mitigate spoofing. The current state of the art however reveals several limitations, most existing spoofing datasets are limited in scope, often focusing on simple spoofing scenarios and lacking representation of modernized GNSS signals. Additionally, the available software tools for processing GNSS signals are limited, do not fully support the multi frequency diversity in the event of single frequency or constellation spoofing. It is also crucial to test the spoofing vulnerability of other GNSS signals from lower L-band such as GPS L5 and Galileo E5a. Both datasets, on the other hand, are lacking lower L-band signals. The authenticity testing of GNSS navigation messages is another key part of any resilient navigation system. Galileo Open Service Navigation Message Authentication (OSNMA) is an authentication technique allowing a receiver to verify that the navigation message is coming from a trusted source and has not been modified in the way (ESA 2021). Galileo OSNMA data bits, broadcast on the E1-B data channel since late 2020, are absent from existing datasets, highlighting a key gap in the current landscape. Our research aims to fill these gaps by creating a completely new set of digitized GNSS In-phase and Quadrature (I/Q) data that includes both legacy and modernized signals in sophisticated and realistic spoofing scenarios.

This paper is inspired by the authors’ recent work (Islam et al. 2023) where details of spoofing signal generation under a simulated environment and their impact on the different-grade GNSS receivers are presented. Motivated by the limitations of previously available datasets and the importance of assessing modernized GNSS signals and contemporary spoofing events, this paper introduces a new GNSS spoofing data repository from Finnish Geospatal Research Institute (FGI) named as ’FGI-SpoofRepo’. This repository consist of a set of raw I/Q data with live GNSS signals. GNSS spoofing attacks can be carried out in many ways depending on the expertise of the spoofers and available resources. FGI-SpoofRepo comprise a set of four digitized recordings of live static datasets of GPS L1 C/A, Galileo E1, GPS L5 and Galileo E5a signals. The new datasets contain three types of spoofing scenarios: Targeted Spoofing (time and position synchronous), Untargeted Spoofing (time and or position asynchronous), and Meaconing (re-radiator). These datasets integrate real-world live signals with simulated spoofing signals, admitting the inherent challenges of spoofing the live signal in a controlled environment. The real-world nature of the datasets incorporates environmental effects and cryptographic signatures, such as OSNMA, portraying them as very good example candidates of open data for testing performance of spoofing detection and mitigation techniques with multi-frequency multi-constellation receivers.

This paper provides a thorough overview of the spoofing dataset generation, accompanied by an in-depth analysis of each dataset. Processing of the datasets has been carried out by an open-source software-defined receiver named ’FGI-GSRx’, released as open-source in 2022 (Kai et al. 2022). An updated open-source version of FGI-GSRx is released along with the datasets and software features including necessary modifications for processing and analyzing the new datasets. The novel contribution of this paper lies in the generation of a completely new set of digitized GNSS I/Q data involving both legacy and modernized signals in sophisticated spoofing scenarios. Adding real-world multi-frequency, multi-constellation signals, inherently including cryptographic signatures in the Galileo E1 signal and updated version of the software receiver has further empowered the novelty. By utilizing these advancements in new datasets and software, researchers can develop and verify new techniques to detect and counteract GNSS spoofing, ultimately strengthening the resilience and reliability of GNSS-based systems. The remainder of the paper progresses as follows. The experimental setup reveals the spoofing generation procedure and an overview of the used equipment. Following that, the spoofing scenario definition section details the spoofing scenarios and their characteristics. Afterwards, the data analysis section thoroughly assesses the characteristics of each scenario by the FGI-GSRx software receiver. Finally, the paper summarizes the results and outlines potential directions for future research activities.

Experimental setup

This section encompasses several key components, each contributing to the comprehensive datasets preparation process. These components include a Software-Defined GNSS simulator, an external reference clock for precise timing, a receiving antenna for live signal reception, an amplifier to compensate cable losses, an RF front-end for capturing I/Q data, and an open-source software-defined receiver for in-depth analysis. The composition of these equipment ensures a controlled environment for the experiments. The experimental setup of spoofing datasets generation is presented in Fig. 1.

Fig. 1
figure 1

Experimental setup diagram of spoofing test-bed

Full size image

  • Spoofing Signal Generation All the spoofing signals in the datasets are generated using the Safran Skydel software-defined GNSS simulator (Safran 2023) in conjunction with external hardware. Skydel is an advanced GNSS signal simulator known for its customizability and scalability, with integrated interference generation capabilities across multiple frequencies and constellations. Most simulation parameters are controllable on the fly while the simulation is running, a feature of particular relevance in the context of jamming and spoofing experiments.

    It is crucial to initialize the simulator with the most up-to-date broadcast GNSS ephemeris data for an accurate spoofing signal generation. Using outdated ephemeris information may result in unsuccessful spoofing attempt. Within the simulator, there is a provision to import Receiver Independent Exchange (RINEX) compatible files, which are used to update the orbits of GPS and Galileo satellites. When a RINEX file is imported, it overrides the existing information on orbits, perturbations, clock, group delay, and health status. The broadcast ephemeris data in RINEX format can be sourced from NASA’s Crustal Dynamics Data Information System (CDDIS)(Noll 2010).

    The simulation time is carefully synchronized with GPS time for targeted time synchronous scenarios, which is obtained from a reference GNSS timing receiver. The timing receiver generates a 1 Pulse Per Second (1 PPS) signal and a 10 MHz reference signal to the Universal Software Radio Peripheral (USRP) X310. This effectively ensures that the USRP maintains timing synchronization with the reference receiver.

    The connectivity between Skydel and the USRP is facilitated through a high-speed 10 Gigabit Ethernet link, ensuring real-time data transmission. Within the USRP, the I/Q data is up-converted into an RF signal, operating at a rate of 60 MS/s (mega samples per seconds) with both the L1/E1 and L5/E5a frequency. Subsequently, the RF signal is then combined with an authentic live-sky GNSS signal using a signal-mixer.

  • External Clock Septentrio’s PolaRX5T is utilized as an external reference clock to discipline the USRP X310. The PolaRx5TR is designed to achieve precise time synchronization in applications involving time and frequency transfer. In such applications, the device receives a 10 MHz reference signal and a 1 PPS signal from an external clock source, which, in our case, is the PolaRX5T.

  • Receiver Antenna A reference antenna is used to fetch live GNSS signals. The same antenna is also used to connect a reference receiver that provides a clock source to USRP. The live signal is obtained using Septentrio’s PolaNt Choke Ring antenna, which is a high-precision antenna that supports various GNSS signals (Septrentio 2023).

  • Amplifier-Splitter A Low Noise Amplifier (LNA) plays a crucial role in signal amplification and compensating for cable losses between the rooftop antenna and the receiver port. An Amplified Loaded DC Blocked Splitter (ALDCBS1X4) is employed featuring one active input and four RF outputs. In the context of data collection, one of the output port is connected to a reference receiver, denoted as the PolarRx5TR. An additional output port from the amplifier is connected to a mixer. This mixer is responsible for combining spoofing signals with authentic live-sky GNSS signals.

  • FGI-GSRx Multi-Frequency, Multi-Constellation Receiver The FGI-GSRx is a MATLAB-based Software-Defined Receiver (SDR) developed by the Finnish Geospatial Research Institute (FGI). The software receiver plays a vital role in many national and international projects, serving as a key tool for testing and validating innovative receiver processing algorithms (Söderholm et al. 2016; Kai et al. 2022; Pany et al. 2024). In recent times, the GNSS community has been granted access to the FGI-GSRx as an open-source software under the General Public License (FGI-NLS 2022). The architecture of this software allows the development and testing of new algorithms at any stage within the receiver processing chain, with minimal modifications to the original structure.

    The current open-source version of FGI-GSRx can process GPS L1 C/A, Galileo E1, BeiDou B1, GLONASS G1, and NavIC L5 signals. However, all the datasets in this manuscript also contain GPS L5 and Galileo E5a signals. FGI has not yet made the GPS L5 and Galileo E5a signals based receiver implementation open to the public. Therefore, the authors utilize two separate versions of FGI-GSRx for processing the datasets: i) The open-source FGI-GSRx, and ii) The in-house FGI-GSRx. The users of FGI-GSRx open-source version will be able to reproduce the results with the shared datasets for GPS L1 and Galileo E1 signals. The users will need to utilize any other third party open-source SDR tool, for example, GNSS-SDR (Pany et al. 2024) in order to process GPS L5 and Galileo E5a datasets. However, the processing results for GPS L5 and Galileo E5a signals are anyway presented here with the in-house FGI-GSRx.

  • RF Recording Device The raw I/Q data samples are captured using the stereo dual-band GNSS front-end developed by Nottingham Scientific Limited (NSL). The front-end comprises two distinct Radio Frequency (RF) chains: the MAX2769B, responsible for covering the upper L-band, also known as the L1 chain, and the MAX2112, which encompasses both upper and lower L-bands, collectively referred to as the L-band chain. The Local Oscillator (LO) associated with the L1 chain is tunable within the frequency range of 1550 MHz to 1610 MHz, allowing for precise adjustment to GNSS signals within this spectrum. Similarly, the LO for the L-band chain can be adjusted within the range of 900 MHz to 2400 MHz, enabling the capture of any signals within the L-band. The configuration detailed in Table 1 is used for capturing the raw I/Q data.

  • Dataset Replay Validation Setup The recording setup was validated by transmitting and recording again a scenario using USRP X310 and NSL Stereo front-end. Usable sample rates for the USRP were calculated by dividing the device’s 200 MHz master clock rate with an integer. The dataset had to therefore re-sampled from 26 MHz to 25 MHz which was done during pre-processing using Scipy’s Signal package. The L1 band signals were also down-converted from IF (Intermediate Frequency) \(1575.42-1569.03 = 6.39\) MHz to baseband. The developed Python script is also made available alongside the datasets allowing the users to replay the datasets for their own test and validation.

    GNU Radio companion was used to program the USRP to transmit the re-sampled FGI-SpoofRepo dataset. 60 dB attenuation was used between the USRP and the Stereo front-end to approximately match the transmitted RF power to live-sky. The recorded dataset was processed in FGI-GSRx using the same configurations as was used with the original dataset. A constant frequency offset of around 1.2 kHz was observed between the original and replayed-recorded dataset, but this effect was compensated automatically by the acquisition module and the carrier tracking loop of FGI-GSRx.

    The setup used for the replay validation is illustrated in Fig. 2. The re-recorded FGI-SpoofRepo dataset was processed in FGI-GSRx to verify that the replayed and then re-recorded file could be useful without a significant drop in signal-tracking performance. A similar validation process was also attempted using a USRP X310 and commercial receivers i.e; u-blox M8T and F9P. The u-blox receivers (M8T) were able to receive both L1 C/A and E1 signals but not the L5 and E5a as the receivers do not support the use of L5-only solution.

Table 1 RF recording configuration of the NSL Stereo dual-band GNSS front-end
Full size table
Fig. 2
figure 2

Setup used for replaying and re-recording FGI-SpoofRepo dataset

Full size image

Spoofing scenario definition

The true receiver is stationary in all four scenarios. It’s position estimated by a geodetic-grade receiver is 60.182\(^{\circ }\)N, 24.828\(^{\circ }\)E with an altitude of 47.248 m. The true receiver is connected with a rooftop antenna at the Otaniemi premises of the Finnish Geospatial Research Institute (FGI). As the recordings are made on live signals, the starting date and time are always unique for each dataset. The initial 130 s across all datasets are free from intentional interference, making a clean baseline before the injection of the spoofing signals. It is worth noting that all live skyplots are generated based on information from the navigation engine of FGI-GSRx, with only those satellites utilized in the final Position, Velocity, and Timing (PVT) computation. On the other hand, skyplots for the spoofing signals are generated using log information provided by the simulator. The uniform replication of satellites, along with their corresponding elevation and azimuth concerning live signals, holds significant importance, particularly in scenarios involving targeted or synchronous spoofing attacks.

Table 2 Summary of spoofing scenarios
Full size table

Table 2 offers a detailed insight into the spoofing datasets and the associated techniques used to generate those datasets. The Targeted Single-Frequency Multi-Constellation (SFMC) scenario is generated by synchronizing the initial time and position with the true receiver, along with the injection of the latest available ephemeris. The intended spoofed location follows a circular trajectory. A similar process is followed for the Targeted Dual-Frequency Multi-Constellation (DFMC) scenario. On the contrary, both Untargeted DFMC and Meaconing DFMC scenarios do not maintain initial time and position synchronization with the true signal. In both scenarios, the intended spoof location remains static. However, in the Untargeted case, the spoofed time is advanced by hours, while in Meaconing, the spoofed time is delayed by minutes. Above all, the injection of the latest ephemeris is not applicable in both Untargeted and Meaconing cases.

Table 3 Summary of spoofing data repository
Full size table

A summary of the spoofing dataset repository is presented in Table 3. The repository contains several folders, each of which represents a different scenario. By accessing the folders, users will have access to two files that are specific to each signal. The table also includes the approximate size and duration of each file. It is to be noted that the duration provided in the table is truncated, and the actual files may contain a couple of seconds of extra data.

  • Targeted SFMC

    Both GPS L1 and Galileo E1 signals are spoofed in this scenario. The other RF chain comprising GPS L5 and Galileo E5a signals are not spoofed throughout the test. This test is intended to assess the potential fallback behaviour of modern GNSS receivers equipped with multiple frequencies and constellations. The simulated spoofing signals are generated using the most recent ephemeris data available from NASA’s CDDIS. The recordings are made on 2023-10-03 at 14:19:00 UTC over a 370 s duration. Figure 3 illustrates the skyplot for both spoofing and live signals on 2023-10-03 at 14:19:06 UTC. Eleven GPS satellites are simulated to match with live constellations. As for Galileo, the spoofing simulation replicates the live signal based on the ephemeris available during the recording. Notably, Galileo system’s PRN 14 and 18 have been temporarily excluded from active service, as documented in (EUSPA 2023a), which explains their disappearance from the live signal skyplot. Additionally, Galileo PRN 13 failed to meet the signal power threshold, consequently absent from the skyplot.

  • Targeted DFMC

    This scenario shares similar characteristics with the previous dataset with the main distinction being the inclusion of GPS L5 and Galileo E5a signals alongside GPS L1 and Galileo E1 signals in the spoofing. The recordings are made on 2023-10-20 at 13:20:02 UTC over a 370 s duration.

    Figure 4 illustrates the skyplot for both spoofing and live signals on 2023-10-20 at 13:20:13 UTC. In this scenario, similar to the previous one, eleven GPS satellites are simulated. However, the live signal exhibits an additional satellite, PRN 15 near the 10-degree cut-off threshold. The spoofing signal is missing the same satellite, as the signal generation has a cut-off threshold of 10 degrees. As for Galileo, nine satellites are simulated, yet the receiver acquire eight satellites from the live signal.

  • Untargeted DFMC

    This scenario differs significantly from the previous targeted scenarios, forming an untargeted attack characterized by asynchronous positioning and timing of the spoofer with respect to the true location. In this case, the spoofer’s intended position is simulated to be static at a distance of approximately 15 km from the actual location, with the spoofing time advanced by around 10 h. Recordings for this scenario are conducted on 2023-11-10 at 14:05:00 UTC, extending over a 377-second duration. The chosen target location for the spoofer is 60.16675899\(^{\circ }\)N, 24.56664248\(^{\circ }\)E, with an altitude of 2.00 m, and the spoofing start time is simulated on 2023-11-10 23:55:00 UTC.

    Figure 5 illustrates both the spoofing and live signals at specific epochs. Given the untargeted nature of this attack, the spatial distribution of live and simulated satellites does not aligned. The receiver is expected to view a new set of satellite constellations because of the considerable distance and the temporal divergence of nearly 10 h.

  • Meaconing DFMC

    The LabSat 3 Wideband record and replay device (LabSat 2023) is used in the meaconing test. The scenario is recorded outside of the FGI premises, about 60 m away from the rooftop antenna. After the recording, the replayed signal is introduced alongside the live signal with an approximately 15-minute delay. The re-transmitted signal is introduced after 155 s of clean recordings, marking an exception in comparison to other datasets. There is a lack of synchronization in time, but it includes all the characteristics of live sky signals. The signals that are spoofed in this scenario belong to GPS L1, L5, and Galileo E1, E5a. The recordings are made on 2023-11-16 at 15:04:36 UTC. The dataset lasts around 478 s which is longer than other datasets. This prolonged duration renders it useful for applications that require extended initialization periods, such as cryptographic signature validation. Figure 6 illustrates the skyplots for both spoofed and live signals on 2023-11-16 at 15:04:42.

Fig. 3
figure 3

Skyplots of Targeted SFMC scenario

Full size image
Fig. 4
figure 4

Skyplots of Targeted DFMC scenario

Full size image
Fig. 5
figure 5

Skyplots of Untargeted DFMC scenario

Full size image
Fig. 6
figure 6

Skyplots of Meaconing DFMC scenario

Full size image

Data analysis

This section provides a detailed analysis of each dataset, focusing on how it affects the receiver’s signal tracking and positioning performance. The open-source and in-house version of FGI-GSRx is utilized to perform the analysis. The open-source version is used to process the GPS L1 and Galileo E1 signals, whereas the in-house version is used to process the GPS L5 and Galileo E5a signals. In all scenarios, the position solution is computed using a 5-degree elevation mask and a 30 dB-Hz Carrier-to-Noise Density (\(C/N_0\)) threshold. In each scenario, there is a 1–5 s window of flexibility due to the manual execution of the spoofing attack. Moreover, a brief period is required for the synchronization between signal generation by Skydel simulator and the streaming of RF signals by the USRP. It is important to note that the impacts of a spoofing signal may not be immediately noticeable in the analysis upon injection due to the delay mentioned above.

  • Targeted SFMC Figure 7 illustrates the tracking results of PRN 03 of GPS L1 signal. The figure indicates smooth takeover of the receiver tracking loop by the spoofer. Following the injection of the spoofing signal at approximately 131 s, no loss of lock is observed. However, significant jumps in the amplitude of both the real and imaginary components of the prompt correlator are observed since both noise and signal power increase. The estimated Doppler exhibited the expected behaviour, and the Phase-Locked Loop (PLL) and Frequency-Locked Loop (FLL) maintained consistent lock throughout the duration. Although there are clear changes in FLL and PLL and the corresponding Doppler, these are well within the anticipated range.

    The analysis of targeted spoofing attack is further supported by the results presented in Fig. 8a, b. Both GPS and Galileo PRN experienced harmonious jumps in their \(C/N_0\) values, averaging 5 dB-Hz. The intended location of the spoofing signal is also distinctly portrayed in Figs. 9 and 10. A circle with a 70-m diameter represents the spoofer’s intended location. Figure 10 depicts deviation of East, North and Up components with respect to ground truth.

    • Time synchronous spoofing with multi-correlator monitoring

      Multi-correlator monitoring is used to further assess the alignment of the spoofing signal with the authentic signal. In this process, 41 complex correlators are utilized with a code delay window of ± 2 chips and a 0.1 chips correlator spacing. Figure 11 illustrates the normalized correlation function at various stages of tracking of GPS PRN 7. Before the capture at around \(136100^{th}\) millisecond (ms), the shape of the correlator output resembles a triangle that overlaps with the expected theoretically-generated triangle centered at zero. During the pull-off stage, for example at \(136800^{th}\) ms depicted in Fig. 11b, the spoofing signal coexists with the authentic signal introducing a 0.1 chips delay. Figure 11c then shows an instance at around \(137700^{th}\) ms, indicating successful locking onto the spoofing signal. It is noteworthy that this entire process unfolds rapidly, completing almost within a few seconds. The tight time synchronization between the spoofing signal and the authentic signal presents a substantial challenge for the receiver to successfully detect an ongoing spoofing (Hegarty et al. 2019).

  • Targeted DFMC

    In this scenario targeted spoofing is applied to GPS L5 and Galileo E5a signals in addition to L1 and E1. Figure 12a, b depict the seamless take over of both GPS L1 and Galileo E1 signals that evident in their \(C/N_0\) values. GPS L5 (PRN 8 and 9) and Galileo E5a (PRN 8, 13, and 24) satellites, on the other hand, exhibited a minor delay before locking onto the spoofing signal as seen in Fig. 12c, d. The inherited characteristics of GPS L5 and Galileo E5a, which is designed to provide better resilience against interferences, can be attributable to this delay. These characteristics include longer codes, better modulations, and higher chipping rates.

    The positioning performance of GPS L1 and Galileo E1 as illustrated in Figs. 13 and  14, is similar to the previous scenario since both scenarios are characterized by a targeted spoofing attack.

  • Untargeted DFMC

    Figure 15 illustrates the tracking result of GPS L1 signal’s PRN 15. After the injection of spoofing signal, the noise takes over, effectively appearing as jamming for the receiver for the rest of the duration. Two primary reasons contributed to this incident. Firstly, the receiver is already at the fine-tracking stage, and secondly, the spoofing signal is not aligned within the fraction of a code chip.

    Once the receiver enters the tracking stage, it has already locked onto the authentic signal, given the assumption that spoofing occurs after a specific initialization period. Unlike the acquisition stage, the receiver would not perform any exhaustive search at the tracking stage. If the carrier frequency and code phase of the spoofing signal are not closely aligned or are far from the authentic signal, the spoofing signal does not attract the receiver. Instead, due to this misalignment, the spoofing signal appears as noise for the receiver. As described in the previous section, the intended spoofed location is simulated 15 kms away from the actual location and 10 h ahead of the actual time, making it asynchronous in both time and position. This particular scenario is designed to reflect a situation where the spoofer possesses no prior information about the target receiver.

    If a receiver attempts to re-acquire a signal during an ongoing spoofing attack, it is likely to acquire the signal with the highest peak unless it has access to other assisted information. FGI-GSRx on the other hand is a post-processing receiver, and it does not attempt re-acquisition within the same dataset. Further discussion on this situation is provided in the meaconing section. The impact of the asynchronous attack is illustrated in Fig. 16. Following the injection of the spoofing signal, the estimated \(C/N_0\) of all satellites exhibit a sharp decline for all the analyzed GPS and Galileo signals.

    Figures 17 and  18 demonstrate that the receiver is not spoofed to the intended location, but a denial of service appears after the injection of the spoofing signal. The navigation solution is computed based on the predefined criteria described earlier that incorporate elevation and \(C/N_0\) thresholds. Following the injection of the spoofing signal, the initially set thresholds no longer meets the criteria, thereby preventing the receiver from offering any PVT solution.

    In summary, the FGI-GSRx successfully resisted spoofing attempts. It is also pertinent to mention here that although these non-coherent attacks result in an unsuccessful spoofing attempt, they can still pose a threat by mimicking jamming. This is inline with the other intention of the spoofer otherwise referred to as denial of service.

  • Meaconing DFMC

    Re-transmission of authentic signals often represents an asynchronous attack, wherein, in the worst-case scenario, there might be a complete misalignment in position and time. The code and carrier mismatch in the meaconing signal, resulting in a noise signal that essentially appears as a jamming signal. The impact of this phenomenon can be observed in Fig. 20a–d, where the injection of meaconing leads to a drop in \(C/N_0\) values for all satellites.

    The tracking loop performance of a Galileo E5a satellite is illustrated in Fig. 19. After the injection of the meaconing signal, a slight degradation in signal power becomes visible. Despite this, the Doppler, Frequency-Locked Loop (FLL), and Phase-Locked Loop (PLL) maintained their locks.

    The effect of meaconing attack may not be uniform across all GNSS receivers; those with re-acquisition capabilities may respond differently compared to receivers like FGI-GSRx. For instance, when re-transmission occurs with significantly high power, it can introduce additional noise and eventually saturate the receivers. Afterwards, the affected receiver might attempt a re-acquisition, potentially locking onto the spoofing signal. This phenomenon is of particular interest for observation with Commercial off-the-shelf (COTS) receivers (Islam et al. 2023).

    Figures 21 and  22 shows the positioning performance of FGI-GSRx during the meaconing attack. Contrary to expectations, the receiver did not lock onto the spoofing signal, indicating that it remained unspoofed.

    • Cold start during ongoing spoofing event

      The conventional assumption is that a receiver is operational before a spoofer injects the spoofing signals. However, what if the receiver starts operation during an ongoing spoofing event? An analysis is conducted using the meaconing scenario to explore this hypothesis. The receiver is switched-on in cold-start mode and it begins the acquisition process at around \(165^{th}\) second, when both authentic and spoofing signals are present. Under such a situation, a receiver is likely to pick up the signal with the highest peak, unless any other assisted information is available. Figure 23 illustrates the acquisition search space for the PRN 15 of the GPS L1 signal. As both authentic and spoofing signals coexist during the acquisition, the receiver picks up the spoofing signal with the highest peak. This susceptibility is particularly significant in untargeted and meaconing attacks given their untargeted nature, assuming a substantial offset in the code phase between the spoofing and the authentic signals (Li et al. 2020).

      Although, as illustrated in Fig. 20a–d, the receiver is not spoofed during the tracking stage, acquisition or re-acquisition during ongoing spoofing events may expose the GNSS receiver to potential threats from meaconing and untargeted attacks. Therefore, the identification of multi-peaks during the acquisition stage (Humphreys et al. 2008) is vital, especially when the receiver lacks additional assisted information.

  • Summary Results

    Table 4 provides a comprehensive overview of the positioning solution acquired across various scenarios and signal combinations by using both open-source and in-house versions of FGI-GSRx. In this table, symbols \(\varepsilon _{3D}\), \(\varepsilon _{H}\), and \(\varepsilon _{V}\) represent 3-Dimensional Root-Mean-Square (RMS), horizontal RMS, and vertical RMS in meters respectively, while \(\sigma _{H}\) and \(\sigma _{V}\) denote horizontal and vertical standard deviation in meters. In the Targeted SFMC scenario, GPS L5 and Galileo E5a signals are not simulated to be spoofed. Therefore, the L1+E1 solution is seen to be much deviated compared to the L5+E5a solution. It is vital to analyze the positioning performance under the combination of signals including both spoofing and unspoofing ones. Processing all signals together yields superior results compared to processing only spoofing signals, as evident in the Targeted SFMC scenario. In the Targeted DFMC scenario, all four signals are spoofed, and the estimated positioning solution by FGI-GSRx reflects the spoofer’s intended location in all the three combinations. For the Untargeted DFMC and Meaconing DFMC scenarios, FGI-GSRx remains unspoofed across all combinations. However, in the Untargeted DFMC scenario, a denial of service is observed after 120 s due to the impact of the spoofing signal on the receiver that appeared as jamming for the receiver. With a \(C/N_0\) threshold of 30 dB-Hz, there are not enough satellite measurements available for position computation. Consequently, it can be said that in case of Untargeted DFMC, the receiver is not compromised to the spoofer’s desired location, but it indeed experiences the denial of offering positioning service right after the injection of spoofing signal.

  • Validation Results for Replayed I/Q data

    Figure 24 shows average observed loss in tracking \(C/N_0\) for a replayed-recorded targeted DFMC scenario. The I/Q data was recorded using the setup defined in Sect. 2. The Galileo E5a signal showed a loss of around 1.5 dB-Hz compared to the original DFMC dataset, while no significant loss in \(C/N_0\) was observed for Galileo E1. The observed loss can be caused by a few reasons like added thermal noise and clock jitter from the process of transmitting and receiving the signal, or other inaccuracies in reproducing the digitized baseband signal back to RF. Different outcomes could be observed if parameters, like signal bandwidth and sample rate, or different transmitter and GNSS front-end were used.

Fig. 7
figure 7

Tracking of a GPS L1 satellite

Full size image
Fig. 8
figure 8

\(C/N_0\) of Targeted SFMC scenario

Full size image
Fig. 9
figure 9

Position estimated by the device under test

Full size image
Fig. 10
figure 10

Position deviation with respect to true location

Full size image
Fig. 11
figure 11

Multi-correlator monitoring of GPS L1 signal’s PRN 7 to demonstrate the impact of spoofing on the receiver tracking

Full size image
Fig. 12
figure 12

\(C/N_0\) of Targeted DFMC scenario

Full size image
Fig. 13
figure 13

Position estimated by the device under test

Full size image
Fig. 14
figure 14

Position deviation with respect to time

Full size image
Fig. 15
figure 15

Tracking result of GPS L1 signal’s PRN 15

Full size image
Fig. 16
figure 16

\(C/N_0\) of Untargeted DFMC scenario

Full size image
Fig. 17
figure 17

Position estimated by the device under test

Full size image
Fig. 18
figure 18

Position deviation with respect to true position

Full size image
Fig. 19
figure 19

Tracking loop of Galileo PRN 2

Full size image
Fig. 20
figure 20

\(C/N_0\) of Meaconing DFMC scenario

Full size image
Fig. 21
figure 21

Position estimated by the device under test

Full size image
Fig. 22
figure 22

Position deviation with respect to time

Full size image
Fig. 23
figure 23

Code-Doppler search result at \(165^{th}\) second by FGI-GSRx acquisition block

Full size image
Table 4 Summary of positioning performance
Full size table
Fig. 24
figure 24

Average \(C/N_0\) difference between a replayed-recorded and the originally recorded targeted DFMC data

Full size image

Conclusion and future work

This paper presents raw GNSS spoofing datasets across four scenarios, analyzed with an updated version of FGI-GSRx software receiver. The new set of raw I/Q spoofing data, comprising live-sky GNSS signals, fills a notable gap in existing datasets, enhancing the available resources to the GNSS community. Notably, these datasets cover multiple GNSS frequencies and incorporate cryptographic signatures (OSNMA) in Galileo E1-B data channel, positioning them as potential benchmarks for evaluating the resilience performance of multi-frequency multi-constellation receivers. An updated open-source version of FGI-GSRx is provided alongside the datasets with the necessary features for processing and analyzing the new data. This research aims to deepen our understanding of complex spoofing attacks on GNSS signals, offering insights into the challenges and opportunities for improving resilience in navigation systems. The datasets and analyses presented here provide a foundation for future research on GNSS technologies against evolving spoofing threats, thus contributing to the ongoing effort to safeguard satellite navigation systems worldwide.

The authors are currently working towards implementation of Galileo’s OSNMA-based spoofing detection in FGI-GSRx. In addition, the authors plan to implement a robust GNSS anomaly detection technique based on a combination of different receiver parameters. These include Automatic Gain Control (AGC) variation at the front-end level, phase and Doppler change rate detection at the tracking level, and the authentication status flag based on navigation message authentication at the navigation level.