Android Raw GNSS Measurements as the New Anti-Spoofing and Anti-Jamming Solution

Reliable radio navigation signals are of extreme importance. Nowadays we rely on Global Navigation Satellite System (GNSS) related technologies for uses ranging from agricultural and financial to transportation and military applications. As such, providing existing systems with the tools to combat the threat presented by malicious spoofing or jamming attacks is critical. This paper explores the properties of the different sensors available on a smartphone and evaluates their potential for spoofing and jamming detection. By properly assessing key sensor properties, this work will detect spoofing or jamming by monitoring alarm triggers set by a combination of sensors including but not limited to: (1) network location provider, (2) combined Automatic Gain Control (AGC) and C/N0 engine, (3) inertial sensor data, and (4) pseudorange residual metrics. In addition, we investigate the existence of the solution on the smartphone and further discuss the sensors with potential in the identification of any type of interference attack. Combining these is GNSSAlarm, an Android application (still under development) built on resources already in the pocket of millions of individuals: an effective anti-spoofing, anti-jamming tool that will allow proper functionality in the presence of spoofing attacks and will notify the user when under jamming attacks.

INTRODUCTION

The GNSS industry has been revolutionized by the plans of several countries to launch satellites transmitting new signals in dedicated bands, with the idea of an international GNSS system that allows for cross-compatibility and reduced expenses in receiver design. The concept started with the transmission of the Global Positioning System (GPS) L1 C/A signal, which shortly after became the gold standard of radio navigation.
Globalnaya Navigatsionnaya Sputnikovaya Sistema (GLONASS) satellites followed, and the constellation reached maturity during the Soviet Union era but degraded after its collapse. However, in the early 2000s the Russian Federation government focused its efforts on restoring the constellation, which is now fully functional. The Galileo constellation finally cemented this idea with the addition of the E1 open service signals. Most recently, we had the addition of the Beidou constellation and its B1 signals. It is also true that the existing and new constellations offer signals in frequencies other than the L1 band, but the design of a multiple-constellation receiver at the smallest cost/power consumption benefits from this single-frequency approach. With the technological advantages of our era, GNSS receivers have been drastically reduced in price and size. This allows smaller single-frequency chipsets that use multiple constellations to compute the position solution to be used in day-to-day devices such as wrist watches, smartphones, etc. Moving multiple signals from different constellations into a single band makes this design paradigm stronger, since there is significant hardware reutilization and software techniques can be used to do the low-level signal processing. The release of GNSS chips like the Broadcom BCM47755, the first chip with support for dual-frequency capabilities ready for consumer market applications like phones, adds another level of capabilities. However, widespread deployment is still years from being fully integrated into these devices, and most wearable receivers rely on this single-frequency approach. Hence, with the community moving in this direction, it is worth asking: Is there a threat in the signal processing for single-band receivers? What are the advantages of a navigation system with rich frequency diversity?
Previous research [1] [2] highlights the feasibility and effectiveness of cheap Personal Privacy Devices (PPDs) and their impact on radio navigation signals. It can be speculated, then, that a system moving toward single-band navigation by means of Code Division Multiple Access (CDMA) exploitation is also extremely susceptible to Radio Frequency Interference (RFI) attacks that can easily null the band usage with the press of a single button. An analysis of commercial off-the-shelf PPDs showed how these devices can render a wide range of CDMA signals completely unusable in their presence [2]. Another interesting case is the recently reported episodes of Global Positioning System (GPS) spoofing in the Black Sea [3]. Given the resources available, receivers can no longer simply rely on one single constellation or the other; the future lies in the design of receivers capable of mixing solutions from multiple constellations in a wide range of frequencies. Although not the ultimate solution, this does make the work harder for a malicious attack on the band. Perhaps the presence of a GLONASS-capable receiver would have avoided this by allowing the system to eliminate the compromised GPS measurements and perform navigation with the aid of the GLONASS Frequency Division Multiple Access (FDMA) signals, assuming, of course, that the latter were not also spoofed in the area during those episodes. Research also suggests that there are many motivations to spoof, even outside military environments. Work developed in [4] showed that a quick search on the Google Play store returns multiple pages of applications attempting to fake GPS measurements. The first app, “Fake GPS Go Location Spoofer Free”, alone has over 91,241 reviews as of September 2018. In addition, work developed in [5] showed how easy it is to spoof the navigation solution in the phone using software radios and additional equipment totaling less than $300 USD.
The most concerning episode of spoofing in the Android domain is the work developed in [6], which presents practical spoofing of navigation services through a combination of transmitted false navigation signals and fake map integration. This work marks the first time that spoofing happens not only in the location engine but also in the navigation engine of the device. As such, with millions of devices nowadays relying on the legacy GPS signal, a more practical solution needs to be applied. Modern Android devices with lower-level GNSS measurements may have a solution to this conundrum. In 2016 the Android framework Application Programming Interface (API) allowed access to raw GNSS measurements. Released originally under Android API 7.0, the framework gave access to multiple raw measurements including navigation messages, pseudoranges, pseudorange rates, Doppler frequency, constellation status, etc. More recently, with the release of Android API 8.0, the Google framework also provides AGC measurements in its android.location modules. However, it is worth mentioning that even though the Android API supports all these measurements, phone manufacturers are not forced to provide them, and the availability of some of the measurements will vary by device. In this paper, we develop and examine GNSSAlarm, an Android app that performs RFI and spoofing detection via a combination of methods that take advantage of native hardware inside the phone to increase the integrity of the positioning system. We initially consider the AGC measurements in the device. This set of measurements is extremely useful when detecting high-power jamming and spoofing attacks and has been used in the past for detecting this kind of faulty signal [7]. In the detection process the receiver will stop providing a position solution in the affected bands, at which time the AGC could be used to detect the nature of the problem.
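The combined AGC and C/N0 check described above, as an added example (not code from the paper or from GNSSAlarm). The decision rule, thresholds, class name and sample values are assumptions; the inputs stand for the AGC level and per-satellite C/N0 values that a device exposing raw GNSS measurements would log, with `None` marking a device that does not report AGC.

```python
from statistics import median

NOMINAL, JAMMING, SPOOFING, NO_AGC = "nominal", "jamming", "spoofing-suspected", "agc-unavailable"

class AgcCn0Monitor:
    """Assumed rule: AGC well below its nominal baseline means extra in-band power;
    collapsed C/N0 then points to jamming, healthy C/N0 to overpowered spoofing."""
    def __init__(self, nominal, agc_drop_db=3.0, cn0_drop_db=6.0, hold=3):
        # nominal: (agc_db, mean_cn0_dbhz) pairs logged under known-clean conditions
        self.agc_ref = median(a for a, _ in nominal)
        self.cn0_ref = median(c for _, c in nominal)
        self.agc_drop_db, self.cn0_drop_db, self.hold = agc_drop_db, cn0_drop_db, hold
        self._last, self._streak = NOMINAL, 0

    def _classify(self, agc_db, cn0_dbhz):
        if agc_db is None:                      # manufacturer does not expose AGC
            return NO_AGC
        if self.agc_ref - agc_db < self.agc_drop_db:
            return NOMINAL
        if not cn0_dbhz:                        # AGC depressed and nothing tracked
            return JAMMING
        mean_cn0 = sum(cn0_dbhz) / len(cn0_dbhz)
        return JAMMING if self.cn0_ref - mean_cn0 >= self.cn0_drop_db else SPOOFING

    def update(self, agc_db, cn0_dbhz):
        """Feed one epoch; an alarm is reported only after `hold` consecutive hits."""
        verdict = self._classify(agc_db, cn0_dbhz)
        self._streak = self._streak + 1 if verdict == self._last else 1
        self._last = verdict
        if verdict in (JAMMING, SPOOFING) and self._streak < self.hold:
            return NOMINAL                      # not yet persistent enough to alarm
        return verdict

# Constructed sample data (not from the paper): AGC in dB, C/N0 in dB-Hz.
CALIBRATION = [(1.2, 38.0), (1.0, 37.5), (1.4, 38.5), (1.1, 38.2), (1.3, 37.8)]
EPOCHS = [
    (1.1, [38.0, 40.0, 36.0]),    # clean sky
    (-4.0, [37.0, 39.0, 35.0]),   # AGC drops, C/N0 unchanged
    (-4.2, [38.0, 39.0, 36.0]),
    (-4.1, [38.0, 40.0, 37.0]),
    (None, [38.0]),               # AGC field missing for this epoch
    (-9.0, [22.0, 20.0]),         # AGC drops, C/N0 collapses
    (-9.5, []),                   # no satellites tracked at all
    (-9.3, [19.0]),
]

def run_demo():
    monitor = AgcCn0Monitor(CALIBRATION)
    return [monitor.update(agc, cn0) for agc, cn0 in EPOCHS]
```

The `hold` debounce trades detection delay for fewer false alarms; the baseline and both drop thresholds would have to be set per device from nominal recordings.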
Detection will then trigger a safe-mode operation in the app, in which the subsequent measurements will be used with the knowledge that the receiver is in the presence of jamming or spoofing attacks. We will also examine the raw GNSS measurements generated by the phone and combine those into a solution that explores the potential of the sum-of-squares residuals, which will add protection levels for the GNSS navigation solution. In addition, we will look into the fused position algorithm of the framework and use it to aid the detection of spoofing attacks when a cellular connection or Wi-Fi access points are available. Finally, we perform a direct comparison with the inertial sensors available inside the phone (accelerometers and gyroscopes) and use this as another set of measurements helping in spoofing or RFI detection. This design allows for a robust and reliable system that could be used as a tool in the detection and removal of corrupted measurements in a position solution. A series of testing exercises, in which the GPS signal was either jammed or spoofed, was used to validate the claims presented in this paper. Most of the experiments were performed simulating isolated locations where cell phone service was not available, so that the device relies only on its internal hardware sensors and its raw GNSS measurements. Exposing the phone to this environment, as well as to hours of nominal data that illuminate typical day-to-day activities, will help catalog the performance of the device under such conditions and will help examine the proper level of thresholding for alarm identification in the presence of jamming or spoofing.

PHONE MEASUREMENTS

Smartphones nowadays host a wide variety of sensors to satisfy the demands of growing market needs or applications. The multi-purpose usage of the device is cumbersome and its use is no longer limited to the telephony domain.
Sensors in smartphones today include cameras, GNSS sensors, motion sensors, temperature, pressure, etc. In the same way that developers make use of those features to solve a user need, this work uses a set of sensors on the device to provide a solution for spoofing and jamming detection. Previous sections showcased documented episodes of malicious attacks, and in most cases the targeted sensors were corrupted by the fake signals. However, given that smar