Tagged: GNSS

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events. 

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofers choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.

C4ADS Research shows GPS spoofing detected via AIS data
C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance ran, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports. 

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes how several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data
C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.

NUT2NT+ Crowdfunding: Open Source GNSS RF-to-bits Receiver

Back in May 2018 we first posted about Amungo Navigation's NUT4NT+ project, which is a four channel global navigation satellite system (GNSS) board based on the NT1065 chip. With the right antenna, it is capable of receiving any navigation satellite including GPS, GLONASS, Galileo, BeiDou, IRNSS, and QZSS. With access to multiple satellite systems, the positioning resolution can be down to the centimeter.

Currently Crowd Funding now on CrowdSupply is the NUT2NT+, which is their low cost 2-input GNSS board. Early bird units are going for $250 (12 units left at the time of posting), with the normal price being $320. Compared to their previous legacy version it has an FPGA, TCXO, bias tee and other improvements. They write:

NUT2NT+ hardware is open source, as is the software - giving the user the ability to set a receiver’s modes and frequencies, to capture all signals continuously, and to have complete control over primary processing features.

Several startups and large companies offer proprietary GNSS positioning solutions and even mobile GNSS software-defined receivers. But a closed ecosystem reduces accessibility for an enthusiast or professional developer, and it limits what a user can do with their hardware. We are happy to bring NUT2NT+ to the world as an open source option.

We note that this is an advanced device for developers and experimenters, but the possible applications they write about such as precision positioning for autonomous vehicles and black box logging are quite interesting.

NUT2NT+ with RA125 antenna for precision positioning of autonomous vehicles.
NUT2NT+ with RA125 antenna for precision positioning of autonomous vehicles.

Their higher end four channel input version (which appears to only be for sale via contact on their website at the moment) can be used as a coherent receiver which can locate sources of GPS jamming via an augmented reality app. In our previous post we highlighted how they were able to find the location of the GPS jammer/spoofers famously active around the Russian Kremlin buildings.

XNZR is searching for Moscow GPS Spoofing Anomaly

Detecting GPS Jammers In Augmented Reality

The NT1065 is an all-in-one 4-channel global navigation satellite system (GNSS) receiver chip. It is highly versatile and can receive and decode multiple navigation satellites such as GPS, GLONASS, Galileo, BeiDou, IRNSS and QZSS. Being able to receive so many satellites, it is capable of centimeter level positioning.

The team at Amungo Navigation have taken this chip and have created a product called the NUT4NT+ which is essentially a development board for the NT1065, and all the software for signal processing with it is provided as open source software. In the near future they are planning to begin fundraising for the product over on the crowd funding site CrowdSupply.

One very interesting application that they have been developing with a device similar to the NUT5NT+ is a GPS Jammer/Spoofer detector system which they call the Amungo XNZR. This is a combined 4-channel GNSS receiver and 4-antenna GNSS antenna system built into a small package that fits onto the back of an Android tablet. When connected to the software it uses augmented reality (AR) to show you exactly where GPS jammers are in the vicinity by using coherent signal processing. If you're not familiar with AR, this is the technique of overlaying digital data/images on top of a live real world camera view.

Detecting a Kremlin GPS Spoofer in Augmented Reality
Detecting a Kremlin GPS Spoofer in Augmented Reality

In the video below they take their XNZR detector to Varvarka Street in Moscow Russia and determine the location of a GPS spoofer in the vicinity. 

More information about their product can be found on their homepage, and on various interesting forum posts by someone from the company that detail some of their experiments. Note that the forum posts are in Russian, but Google Translate can be used to translate the text.

XNZR is searching for Moscow GPS Spoofing Anomaly

GPS Tracking with a modified TCXO RTL-SDR

Michele from Michele’s GNSS blog has posted his results with using a modified R820T RTL-SDR with Temperature Controlled Oscillator (TCXO) for GPS reception and decoding. The RTL-SDR is capable of tracking GPS even without TCXO but improved performance can be expected with a more stable oscillator. He notes that the R820T with it’s 3.57 MHz IF is ideally suited for GPS reception when combined with an active GPS antenna. Using this setup he was able to track GPS satellites and the Galileo E1B/C GNSS satellites as well.

Michele modified his R820T RTL-SDR with a 28.8 MHz TCXO he obtained from a friend. It is however possible to purchase modified TCXO R820T dongles directly from the 1090mhz webstore.

Modified TCXO R820T RTL-SDR used for GPS reception.
Modified TCXO R820T RTL-SDR used for GPS reception.

Real Time GPS Positioning with the BladeRF

Over on YouTube user taroz1461 shows real time GPS positioning done in software using a BladeRF. The BladeRF is a ~$400 software defined radio which similar specs to the HackRF and compared to the RTL-SDR is capable of receiving much larger bandwidths and transmitting.

To do this decoding he used RTKLIB and his own GNSS-SDRLIB software which is a Windows GUI program. We aren’t sure if this software will work with the RTL-SDR, but we note that other people have had success with GPS positioning and the RTL-SDR.

Real-time GPS positioning with bladeRF

Using the RTL-SDR as a Software GPS Receiver

Dr. Carles Fernandez-Prades, Dr. Javier Arribas and Dr. Pau Closas have published an academic paper showing how they were able to implement an RTL-SDR based GNSS (Global Navigation Satellite System) receiver in software.

What they have done is use their open source GNSS software receiver program with a RTL-SDR connected to an active GPS antenna. An active GPS antenna requires DC power to be passed to the LNA in the GPS antenna through the antenna connection, so a Bias-T network is required to ensure DC power does not enter the RTL-SDR dongle.

More information can be found on their webpage here.

Rtlsdr_with_lna_patch_GA27