Single-Satellite-Based Geolocation of Broadcast GNSS Spoofers from a Low Earth Orbit

NAVIGATION: Journal of the Institute of Navigation, March 2026, 73, navi.750; DOI: https://doi.org/10.33012/navi.750

Abstract

This paper presents an analysis and experimental demonstration of single-satellite single-pass geolocation of a terrestrial broadcast global navigation satellite system (GNSS) spoofer from a low Earth orbit (LEO). The proliferation of LEO-based GNSS receivers offers the prospect of unprecedented spectrum awareness, enabling persistent GNSS interference detection and geolocation. Accurate LEO-based single-receiver emitter geolocation is possible when a range-rate time history can be extracted for the emitter. This paper presents a technique crafted specifically for indiscriminate broadcast-type GNSS spoofing signals. Furthermore, it explores how unmodeled oscillator instability and worst-case spoofer-introduced signal variations degrade the geolocation estimate. The proposed geolocation technique is validated by a controlled experiment, in partnership with Spire Global, in which a LEO-based receiver captures broadcast GNSS spoofing signals transmitted from a known ground station on a non-GNSS frequency band.

1 INTRODUCTION

The combination of easily accessible low-cost global navigation satellite system (GNSS) spoofers and the emergence of increasingly automated GNSS-reliant systems has prompted a need for multi-layered defenses against GNSS spoofing. A GNSS spoofer emits an ensemble of false GNSS signals with the intent that the victim receiver(s) will accept them as authentic GNSS signals, thereby inferring a false position fix and/or clock offset (Jafarnia-Jahromi et al., 2012; Psiaki & Humphreys, 2016). A successful spoofing attack may lead to serious consequences.

The academic community has long warned the public about the threat of GNSS spoofing (Humphreys, 2012; Humphreys et al., 2008; Scott, 2003). Within the past decade, significant progress has been made in GNSS spoofing detection and mitigation (Humphreys, 2017; Jafarnia-Jahromi et al., 2012; Psiaki & Humphreys, 2016, 2020; Rados et al., 2024). Reliable spoofing detection techniques even exist for challenging environments such as dynamic platforms in urban areas, where strong multipath and in-band noise are common (Gross & Humphreys, 2017; Gross et al., 2018; O’Hanlon et al., 2010; O’Hanlon et al., 2012; Psiaki et al., 2014; Wesson et al., 2018). Consistency checks between the estimated signal and onboard inertial sensors can provide quick and reliable spoofing detection (Clements, Yoder, & Humphreys, 2022, 2023; Kujur et al., 2024; Tanil et al., 2018). Clock state monitoring can also be used to detect spoofing (Hwang & McGraw, 2014; Jafarnia-Jahromi et al., 2013; Khalajmehrabadi et al., 2018). Cryptographic authentication techniques are currently being developed and implemented to verify received signals (Anderson et al., 2023, 2024; Fernandez-Hernandez et al., 2023; Humphreys, 2013; Kerns et al., 2014; Mina et al., 2024).

Although recent advances in GNSS spoofing detection have been inspiring, many older GNSS receivers in current operation are unable to incorporate such defenses, leaving them vulnerable to attacks. For example, the civilian maritime and airline industries are encountering GNSS jamming and spoofing at an alarming rate (Arraf, 2024; C4ADS, 2019; Felux et al., 2024; Gebrekidan, 2023; Osechas et al., 2022; Tangel & FitzGerald, 2024; Workgroup, 2024). Anomalous positioning information broadcast by ships in Automatic Identification System (AIS) messages and by airplanes in Automatic Dependent Surveillance-Broadcast (ADS-B) messages indicates recent widespread jamming and spoofing. These civilian aircraft and ships ensnared by GNSS spoofing are likely unintended targets caught in electronic warfare crossfire near ongoing conflict zones.

GNSS spoofing attacks can be sorted into two categories, targeted spoofing and broadcast spoofing. In targeted spoofing, an attacker transmits spoofing signals for a specific (possibly moving) target it wishes to deceive. In this type of attack, the attacker tailors a spoofing trajectory for its specific target, causing a gradual pull-off from the victim’s true trajectory and compensating for the relative motion between the spoofer and the target to minimize the target’s probability of detection (Kerns et al., 2014). Targeted spoofing is a sophisticated, expensive, and difficult-to-detect attack that requires the attacker to have the ability to precisely track the target and craft spoofing signals in accordance with the target’s motion, all in real time. Because of its complexity and narrow scope, this form of spoofing is the least common. Other GNSS receivers besides the targeted victim can also be captured by these signals, but a non-targeted receiver can more easily detect such spoofing. Moreover, targeted spoofing may involve narrow beamforming, making reception by non-target receivers unlikely.

Broadcast spoofing is less expensive, less complex, wider in geographic extent than targeted spoofing, and thus more common. In broadcast spoofing, an attacker transmits spoofing signals broadly, with the intent to deceive all GNSS receivers within a wide area. Because broadcast spoofing is non-targeted, victim GNSS receivers typically experience a sudden jump in position and/or timing, which is trivial to detect with basic spoofing detection checks. Yet despite being easy to detect, broadcast spoofing remains effective at denying GNSS access to victims lacking proper defenses. When a GNSS receiver cannot confidently differentiate between authentic and spoofing signals, it is rendered useless—or worse: hazardously misleading. The spoofers recently affecting the aviation and maritime industries appear to be of the broadcast type.

Given that many currently deployed GNSS receivers are unable to defend themselves against even easy-to-detect broadcast spoofing, GNSS users must be warned of hazardous GNSS-challenged environments. The proliferation of low Earth orbit (LEO)-based GNSS receivers provides the potential for unprecedented spectrum awareness, enabling GNSS interference detection, classification, and geolocation with worldwide coverage (Chew et al., 2023; Clements et al., 2023a, 2023b; LaChapelle et al., 2021; McKibben et al., 2023; Murrian et al., 2021). Existing and proposed LEO constellations provide worldwide coverage with frequent revisit rates, allowing for an always-updating operating picture, a noted shortfall in current capabilities (Berkowitz, 2024). Several commercial enterprises have seized the opportunity to deploy constellations of LEO satellites to provide spectrum monitoring and emitter geolocation as a service (e.g., Spire Global and Hawkeye360).

With multiple time-synchronized receivers, geolocation of emitters producing arbitrary wideband signals is possible and has been extensively studied (Clements et al., 2023a, 2023b; Ho & Chan, 1997; Musicki et al., 2010; Sidi & Weiss, 2014). Multiple time-synchronized receivers can exploit time- and frequency-difference-of-arrival (T/FDOA) measurements to estimate an emitter’s location. The authors of the current paper were able to geolocate over 30 GNSS interference sources across the Near East from a dual-satellite time-synchronized capture (Clements et al., 2023a, 2023b). However, planning simultaneous multi-satellite captures to enable T/FDOA-based geolocation can be expensive and difficult to coordinate, whereas single-satellite collections are straightforward and less costly. Accordingly, this paper focuses on single-satellite geolocation.

Accurate single-satellite geolocation of emitters with arbitrary waveforms is impossible in general: if the signal’s carrier cannot be tracked, only coarse received-signal-strength techniques can be applied. Yet, if a signal’s carrier can be tracked or if the Doppler can be otherwise measured, then accurate single-satellite-based emitter geolocation is possible from Doppler measurements alone, provided that the emitter’s carrier frequency is quasi-constant (Ellis & Dowla, 2018, 2020; Ellis et al., 2020; Murrian et al., 2021). However, if a transmitter introduces any significant level of complexity to the carrier-phase behavior, such as frequency modulation or clock dithering, the accuracy of Doppler-based single-satellite techniques is degraded.

Specialized methods are needed to address GNSS spoofers, as they do not transmit at a constant carrier frequency: they add an unknown time-varying frequency component to each spoofing signal, imitating the range rate between the corresponding spoofed GNSS satellite and the counterfeit spoofed location (Kerns et al., 2014). A key contribution of the current paper is a technique that removes the unknown time-varying frequency component added by GNSS spoofers so that a range-rate time history can be extracted for geolocation. Chen et al. (2024) also presented a single-receiver spoofer geolocation technique based on counterfeit clock observables. However, Chen et al. (2024) considered only the spoofed pseudorange measurements and relied on a stationary receiver initialization period, which is not possible in LEOs.

The key observation behind this paper’s technique is that each spoofed navigation signal will share a common frequency shift owing to the range rate between the LEO receiver and the terrestrial spoofer. If a GNSS receiver processes a sufficient number of spoofing signals to form a navigation solution, then the receiver’s internal estimator will naturally combine the common frequency shift of each signal from the shared range rate with the receiver clock drift (clock offset rate) estimate. Therefore, the time history of the spoofed receiver clock drift can be exploited for geolocation because the range rate between the LEO receiver and the terrestrial spoofer is embedded in this measurement.

This paper makes four primary contributions. First, it presents a single-satellite, single-pass GNSS spoofer geolocation technique that extracts the range rate between a LEO-based receiver and a terrestrial broadcast spoofer from captured raw samples. Second, it offers an experimental demonstration of the technique with a truth solution. Third, it derives an analytic expression for how transmitter clock instability degrades the single-satellite geolocation solution. Fourth, it investigates the geolocation positioning errors as a function of worst-case spoofed clock behavior.

Preliminary conference versions of this paper have been published (Clements et al., 2022; Clements et al., 2024). The current version significantly extends these works by providing the third and fourth contributions mentioned above.

2 SIGNAL MODELS

2.1 GNSS Spoofing Signals

The goal of a broadcast GNSS spoofer is to deceive the victim receiver(s) into inferring a false position, velocity, and timing (PVT) solution, denoted as $\tilde{x} = [r_{\tilde{r}}, \delta t_{\tilde{r}}, v_{\tilde{r}}, \delta\dot{t}_{\tilde{r}}]$, where $r_{\tilde{r}}$ is the spoofed position in Earth-centered Earth-fixed (ECEF) coordinates, $\delta t_{\tilde{r}}$ is the spoofed clock bias increment, $v_{\tilde{r}}$ is the spoofed velocity, and $\delta\dot{t}_{\tilde{r}}$ is the spoofed clock drift increment. To achieve a successful attack, the spoofer must generate an ensemble of self-consistent signals. To this end, the attacker must (1) select a counterfeit PVT solution for the victim to infer, (2) select an ensemble of GNSS satellites to spoof, and (3) for each spoofed navigation satellite, generate a signal with a corresponding navigation message, code-phase time history, and carrier-phase time history consistent with (1) and (2).

A general baseband signal model for broadcast spoofing signals is now presented. The ensemble of spoofing signals transmitted by the spoofer is denoted as follows:

$$x(t) = \sum_{n=1}^{N} s_n(t) \tag{1}$$

This ensemble contains $N$ spoofing signals, where the $n$-th spoofing signal is denoted as $s_n(t)$ for $n = 1, 2, \ldots, N$. The $n$-th spoofing baseband signal takes the following form:

$$s_n(t) = A_n D_n[t - \tau_n(t)]\, C_n[t - \tau_n(t)] \exp[j 2\pi \theta_n(t)] \tag{2}$$

where $A_n$ is the carrier amplitude, $D_n(t)$ is the data bit stream, $C_n(t)$ is the spreading code, $\tau_n(t)$ is the code phase, and $\theta_n(t)$ is the negative beat carrier phase (Psiaki & Humphreys, 2016). The Doppler of the $n$-th spoofing signal is related to $\theta_n(t)$ as follows:

$$\tilde{f}_n(t) = \frac{d}{dt}\theta_n(t) \tag{3}$$

The spoofer adds a unique Doppler component to each spoofing signal that mimics the combined Doppler of the following components: (1) the range rate between the spoofed satellite and spoofed position, (2) the spoofed receiver clock drift, and (3) the spoofed satellite clock drift. Additionally, the spoofed code-phase and carrier-phase time histories must be mutually consistent to avoid code-carrier divergence. Accordingly, the Doppler of the n-th transmitted spoofing signal may be modeled as follows:

$$\tilde{f}_n(t) = -\frac{1}{\lambda}\hat{r}_{\tilde{r}n}^{\mathsf{T}}(t)\left(v_{\tilde{r}}(t) - v_{\tilde{s}n}(t)\right) - \frac{c}{\lambda}\left(\delta\dot{t}_{\tilde{r}}(t) - \delta\dot{t}_{\tilde{s}n}(t)\right) \tag{4}$$

where $\lambda$ is the carrier wavelength, $c$ is the speed of light, $\hat{r}_{\tilde{r}n}$ is the unit vector pointing from the $n$-th spoofed navigation satellite to the spoofed position, both in ECEF coordinates, $v_{\tilde{r}}$ is the spoofed receiver velocity, $v_{\tilde{s}n}$ is the $n$-th spoofed navigation satellite velocity, and $\delta\dot{t}_{\tilde{s}n}$ is the spoofed clock drift of the $n$-th navigation satellite. One can immediately appreciate that the Doppler frequency is different for each spoofing signal. If this were a targeted spoofer, there would be an additional Doppler term in Equation (4) that compensates for the relative motion between the victim and spoofer; however, in the case of broadcast spoofing, this term is zero.

2.2 Received Doppler Model

Let us first consider a scenario in which a moving receiver captures a transmitted signal with a constant carrier frequency. The received Doppler $f_D(t)$ at the moving receiver can be modeled as follows:

$$f_D(t) = -\frac{1}{\lambda}\hat{r}^{\mathsf{T}}(t)\left(v_r(t) - v_t(t)\right) - \frac{c}{\lambda}\left(\delta\dot{t}_r(t) - \delta\dot{t}_t(t)\right) \tag{5}$$

where $\hat{r}$ is the unit vector pointing from the transmitter to the receiver, $v_r$ is the velocity of the receiver, $v_t$ is the velocity of the transmitter, $\delta\dot{t}_r$ is the clock drift of the receiver, and $\delta\dot{t}_t$ is the clock drift of the transmitter. Note that this is a simplified Doppler model that neglects higher-order terms. Psiaki (2021) presented a complete Doppler model. For the purposes of this paper, the simplified model is adequate, as will be confirmed by the experimental results.

Now let us consider a scenario in which a moving receiver captures an ensemble of transmitted spoofing signals from a stationary terrestrial spoofer ($v_t(t) = 0$), as shown in Figure 1. Clements et al. (2022) provided an analysis of how spoofer motion affects the geolocation solution. However, would-be spoofers are typically stationary; otherwise, they face the additional difficulty of compensating for their motion to avoid producing easily detectable false signals. Therefore, a stationary spoofer will be assumed throughout the remainder of this paper.

Each observed signal at the receiver will contain a common Doppler shift $f_D$ due to the relative motion between the transmitter (spoofer) and the receiver. Each observed signal will also manifest a common frequency shift due to the clock drift of the transmitter and the clock drift of the receiver. Dropping time indices for clarity, we may write the observed Doppler of the $n$-th spoofing signal at the moving receiver, $f_n$, as follows:

$$f_n = f_D + \tilde{f}_n = -\frac{1}{\lambda}\hat{r}^{\mathsf{T}} v_r - \frac{c}{\lambda}\left(\delta\dot{t}_r - \delta\dot{t}_t\right) - \frac{1}{\lambda}\hat{r}_{\tilde{r}n}^{\mathsf{T}}\left(v_{\tilde{r}} - v_{\tilde{s}n}\right) - \frac{c}{\lambda}\left(\delta\dot{t}_{\tilde{r}} - \delta\dot{t}_{\tilde{s}n}\right) \tag{6}$$

FIGURE 1

Doppler components in single-satellite spoofer geolocation

The Doppler components corresponding to Equation (5) are shown on the left. The Doppler components for each spoofing signal corresponding to Equation (4) are shown in red on the right.

The difficulty of single-satellite GNSS spoofer geolocation arises from the $\tilde{f}_n$ term: this term is typically unknown, time-varying, and different for each spoofing signal. In the case of the matched-code jammer discovered by Murrian et al. (2021), $\tilde{f}_n = 0$. One may suppose that the operator’s intent in that case was not to deceive victim receivers into inferring false locations, as would be the case for a spoofer. When $\tilde{f}_n = 0$, the observed Doppler can be modeled as the range rate between the transmitter and receiver, with a constant measurement bias over the capture to account for the clock drift of the transmitter. In contrast, naive geolocation with the observed Doppler modeled as in Equation (6) yields final position estimates that are biased because the spoofing signals contain the unmodeled $\tilde{f}_n(t)$ term. In the following section, a technique is presented that removes $\tilde{f}_n(t)$ and extracts $\hat{r}^{\mathsf{T}}(t) v_r(t)$, the range-rate time history between the transmitter and receiver, which can be exploited for geolocation.

3 CONCEPTUAL OVERVIEW OF BROADCAST GNSS SPOOFER GEOLOCATION

This section presents an overview of the technique for spoofer geolocation originally presented by Clements et al. (2022) and Clements et al. (2024). The common Doppler components across all spoofing signals from Equation (6) are indicated below:

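$$f_n = \underbrace{-\frac{1}{\lambda}\hat{r}^{\mathsf{T}} v_r - \frac{c}{\lambda}\left(\delta\dot{t}_r - \delta\dot{t}_t\right)}_{\text{common}} - \frac{1}{\lambda}\hat{r}_{\tilde{r}n}^{\mathsf{T}}\left(v_{\tilde{r}} - v_{\tilde{s}n}\right) - \frac{c}{\lambda}\Big(\underbrace{\delta\dot{t}_{\tilde{r}}}_{\text{common}} - \delta\dot{t}_{\tilde{s}n}\Big) \tag{7}$$

All common Doppler terms can be combined into a single term:

$$\gamma(t) = \frac{1}{c}\hat{r}^{\mathsf{T}}(t) v_r(t) + \delta\dot{t}_r(t) - \delta\dot{t}_t(t) + \delta\dot{t}_{\tilde{r}}(t) \tag{8}$$

so that Equation (6) may be written as follows:

$$f_n = -\frac{1}{\lambda}\hat{r}_{\tilde{r}n}^{\mathsf{T}}\left(v_{\tilde{r}} - v_{\tilde{s}n}\right) - \frac{c}{\lambda}\left(\gamma - \delta\dot{t}_{\tilde{s}n}\right) \tag{9}$$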

Upon processing an ensemble of spoofing signals, a GNSS receiver’s PVT estimator produces, at each navigation epoch, the state estimate:

$$\hat{x}(t) = [\hat{r}_{\tilde{r}}(t), \hat{\xi}(t), \hat{v}_{\tilde{r}}(t), \hat{\gamma}(t)] \tag{10}$$

which is composed of the estimated spoofed position, estimated receiver clock bias $\hat{\xi}(t)$, estimated spoofed velocity, and estimated receiver clock drift $\hat{\gamma}(t)$ (Günther, 2014). Clements et al. (2024) and Odijk (2017) provided a brief review of PVT estimation from pseudorange and Doppler measurements. Note that the estimated receiver clock bias $\hat{\xi}(t)$ will include $\delta t_{\tilde{r}}$ as a component but will not generally be equal to $\delta t_{\tilde{r}}$.

In contrast, the estimated clock drift $\hat{\gamma}(t)$ will track $\gamma(t)$ closely, provided that the PVT estimator is configured with a clock model whose process noise intensity is sufficient to accommodate the variations in $\gamma(t)$ due to spoofing. Expressed in s/s, $\hat{\gamma}(t)$ contains all common Doppler terms, because the PVT estimator attributes common-mode frequency deviations across received signals to the receiver’s clock drift. Importantly, $\hat{\gamma}(t)$ is unaffected by the unknown non-common Doppler components from $\tilde{f}_n(t)$ for all $n \in \{1, 2, \ldots, N\}$.

The time history $\hat{\gamma}(t)$ is the key to spoofer geolocation because it depends strongly on the range rate between the LEO-based receiver and the terrestrial spoofer. In particular, information about the transmitter’s location is embedded in $\hat{r}^{\mathsf{T}}(t) v_r(t)$, which, for a LEO-based receiver, is typically the dominant component in $\gamma(t)$. A nonlinear least-squares estimator based on $\hat{\gamma}(t)$ is developed in the next section to estimate the spoofer’s position.

The other three terms in $\gamma(t)$, namely, $\delta\dot{t}_r(t)$, $\delta\dot{t}_t(t)$, and $\delta\dot{t}_{\tilde{r}}(t)$, are nuisance terms that potentially degrade geolocation accuracy. Fortunately, their contributions are typically minor or can be estimated. Let us first consider $\delta\dot{t}_r(t)$. If the satellite’s GNSS receiver and the radio frequency (RF) front-end capturing spoofing signals are driven by the same oscillator, then $\delta\dot{t}_r(t)$ is automatically estimated by the onboard GNSS receiver, provided that this term is not significantly affected by the spoofing; thus, we can compensate for $\delta\dot{t}_r(t)$.

It is worth mentioning that one of the core assumptions in any geolocation system is that the capture platform has knowledge of its PVT; otherwise, geolocation is impossible. In the scenario assumed in this paper, the LEO-based receiver has access to its PVT from an onboard GNSS receiver that is robust to terrestrial interference. Despite the presence of spoofing signals, code- and carrier-tracking of the authentic GNSS signals is maintained, owing to sufficient separation of the false and authentic signals in the code-Doppler space, as achieved by Murrian et al. (2021). Furthermore, robustness is achieved if a zenith-facing antenna feeds the onboard GNSS receiver’s RF front-end, as the gain directed toward Earth will be strongly attenuated. The PVT can be trivially maintained by a multi-constellation receiver when only single-constellation spoofing signals are present. In the event that all GNSS signals are unavailable owing to terrestrial interference, knowledge of the receiver’s position and velocity can be maintained by using orbital propagation models such as simplified general perturbations 4 (SGP4). Over short periods, the orbit is stable enough that the receiver will be able to maintain sufficient PVT accuracy from the onset of GNSS denial.

The terms $\delta\dot{t}_t(t)$ and $\delta\dot{t}_{\tilde{r}}(t)$ originate from the spoofer. Specifically, $\delta\dot{t}_t(t)$ originates from the spoofer’s hardware, whereas $\delta\dot{t}_{\tilde{r}}(t)$ originates from the spoofer’s software. The former arises from the clock drift in the spoofer. This term can often be accurately modeled as constant over short (e.g., 60-s) capture intervals and estimated as part of the geolocation process (Murrian et al., 2021). The spoofed clock drift $\delta\dot{t}_{\tilde{r}}(t)$ arises from the spoofer’s attack configuration and will manifest at the victim as an increment to the victim’s clock drift. Although this term can be troubling for geolocation, a potential attacker would typically opt to keep $\delta\dot{t}_{\tilde{r}}(t)$ as nearly constant, because if $\delta\dot{t}_{\tilde{r}}(t)$ grows too rapidly to be explained by the expected variation in clock drift for the receiver’s oscillator type, the victim receiver could flag the anomaly and thereby detect the spoofing attack.

This constraint can be generalized to the sum $\delta\dot{t}_t(t) + \delta\dot{t}_{\tilde{r}}(t)$ and summarized as follows: if the spoofer allows extraordinary frequency instability in its own oscillator such that $\delta\dot{t}_t(t)$ changes too rapidly or if the spoofer attempts to induce a quickly varying spoofed clock drift so that $\delta\dot{t}_{\tilde{r}}(t)$ changes too rapidly, the geolocation accuracy is degraded but, simultaneously, the spoofing attack becomes trivially detectable.

Moreover, for a targeted spoofing attack in which the spoofer attempts to compensate for the true spoofer-to-victim line-of-sight velocity, $\gamma(t)$ could contain an additional time-varying term. If this term were to vary rapidly with time, it would cause challenges for this paper’s technique. Relatedly, if the targeted victim’s position and velocity were somehow accurately known to the LEO-based receiver, this paper’s technique could produce accurate results, provided that the estimator presented in the next section were updated to account for the known victim motion. Finally, if the targeted victim receiver is stationary, this paper’s technique can be applied without modification.

Section 6 explores the consequences for geolocation of cases in which $\delta\dot{t}_t(t)$ departs from a constant model. It also presents an analysis of how aggressively an attacker can ramp $\delta\dot{t}_{\tilde{r}}(t)$ without being detected by an optimal spoofing detection strategy that monitors the receiver clock drift and an analysis of how the rate of change in $\delta\dot{t}_t(t) + \delta\dot{t}_{\tilde{r}}(t)$ translates to geolocation error.

4 SPOOFER GEOLOCATION WITH γ

This section presents the measurement model, derives the measurement noise covariance matrix, and presents a nonlinear least-squares estimator for single-satellite spoofer geolocation.

4.1 Measurement Model

When a GNSS receiver processes spoofing signals, it first generates spoofed GNSS observables. These GNSS observables are beset with errors, modeled as zero-mean additive white Gaussian noise (AWGN), arising from thermal noise, local electromagnetic interference, atmospheric and relativistic effects, ephemeris errors, and other minor effects. At every navigation epoch, the noisy spoofed GNSS observables are fed to the receiver’s PVT estimator to produce an optimal estimate of the spoofed PVT solution, including $\hat{\gamma}(t)$.

Let $\gamma[i] = \gamma(i\Delta t)$ and $\hat{\gamma}[i] = \hat{\gamma}(i\Delta t)$, where $\Delta t$ is the constant PVT solution interval and $i \in \mathcal{I} = \{1, 2, \ldots, I\}$ is the solution index within a given data capture interval. Let $z[i]$ denote the $i$-th measurement to be used for spoofer geolocation, modeled as follows:

$$z[i] = c\hat{\gamma}[i] = c\gamma[i] + w_a[i], \quad i \in \mathcal{I} \tag{11}$$

The velocity-equivalent estimation error $w_a[i]$, which has units of m/s, is a discrete-time noise process with $\mathbb{E}[w_a[i]] = 0$ and $\mathbb{E}[w_a[i] w_a[j]] = \sigma_a^2 \delta_{ij}$, for all $i, j \in \mathcal{I}$. Section 4.2 will justify this model’s assumption that $w_a[i]$ is white (uncorrelated in time) for a sufficiently large $\Delta t$ that is larger than the settling time of the receiver’s phase-locked loop (PLL) or frequency-locked loop and the settling time of any Kalman filter used for obtaining the spoofed fix.

As stated before, $\delta\dot{t}_r$ is assumed to be known and fully compensated for; accordingly, it will be neglected hereafter. Additionally, $\delta\dot{t}_{\tilde{r}}$ is part of the spoofer’s attack configuration and, for now, will be modeled as constant owing to the constraints mentioned in the prior section.

A more comprehensive model is considered for $\delta\dot{t}_t(t)$. Let $\delta\dot{t}_t[i] = \delta\dot{t}_t(i\Delta t)$, $i \in \mathcal{I}$. Over a capture interval, $\delta\dot{t}_t[i]$ is modeled as follows:

$$c\,\delta\dot{t}_t[i] = c\,\delta\dot{t}_t[0] + b[i], \quad i \in \mathcal{I} \tag{12}$$

where $\delta\dot{t}_t[0]$ represents the spoofer oscillator’s constant frequency bias and $b[i]$ is a Gaussian random walk process expressed as follows:

$$b[i] = \sum_{k=1}^{i} v[k], \quad i \in \mathcal{I} \tag{13}$$

where $v[k]$ is a discrete-time Gaussian random process with $\mathbb{E}[v[k]] = 0$, $\mathbb{E}[v[k] v[j]] = \sigma_v^2 \delta_{kj}$ and $\mathbb{E}[w_a[k] v[j]] = 0$ for all $k, j \in \mathcal{I}$, and $b[0] = 0$. Based on the model presented by Brown and Hwang (2012, Chap. 8), $\sigma_v^2$ can be characterized as follows:

$$\sigma_v^2 = 2\pi^2 h_{-2} \Delta t\, c^2 \tag{14}$$

where $h_{-2}$ is the first parameter of the standard clock model based on the fractional frequency error power spectrum (Murrian et al., 2021). Scaling by $c^2$ converts this term to units of (m/s)$^2$.

Note that $\delta\dot{t}_t[0]$ and $\delta\dot{t}_{\tilde{r}}$ can be combined into a single measurement bias $b_0$ that is constant across the capture interval. Furthermore, the AWGN and Gaussian random walk can also be combined into a single noise term $w[i]$. Thus, we have the following:

$$b_0 = c\,\delta\dot{t}_t[0] + c\,\delta\dot{t}_{\tilde{r}} \tag{15}$$

$$w[i] = w_a[i] + b[i], \quad i \in \mathcal{I} \tag{16}$$

Given all of this, Equation (11) is rewritten so that the final measurement model takes the following form:

$$z[i] = \hat{r}_i^{\mathsf{T}} v_{r,i} + b_0 + w[i], \quad i \in \mathcal{I} \tag{17}$$

The associated measurement covariance matrix $R$ for the process $w[i]$ is now derived. Clearly, $w[i]$ has a mean of zero; however, because it contains a Gaussian random walk term, it is correlated over time. The $[i, j]$-th element of its measurement covariance matrix is as follows:

$$\begin{aligned}
R[i,j] &= \mathbb{E}[w[i] w[j]] \\
&= \mathbb{E}\left[\left(w_a[i] + \sum_{k=1}^{i} v[k]\right)\left(w_a[j] + \sum_{l=1}^{j} v[l]\right)\right] \\
&= \mathbb{E}[w_a[i] w_a[j]] + \mathbb{E}\left[\left(\sum_{k=1}^{i} v[k]\right)\left(\sum_{l=1}^{j} v[l]\right)\right] \\
&= \mathbb{E}[w_a[i] w_a[j]] + \sum_{k=1}^{i}\sum_{l=1}^{j} \mathbb{E}[v[k] v[l]] \\
&= \sigma_a^2 \delta_{ij} + \sigma_v^2 \min\{i, j\}
\end{aligned} \tag{18}$$

From this result, the measurement covariance matrix containing the AWGN and Gaussian random walk can be written as follows:

$$R = R_a + R_b \quad \text{where} \quad R_a = \sigma_a^2\, \mathbb{I}_{I \times I} \quad \text{and} \quad R_b = \sigma_v^2 M_{I \times I} \tag{19}$$

Here, $\mathbb{I}_{I \times I}$ is the identity matrix, and $M$ is an $I \times I$ matrix with $M[i, j] = \min\{i, j\}$, $i, j \in \mathcal{I}$. Note that this covariance matrix is a general result that can be applied to any range-rate-based positioning technique in which the transmitter clock state is unknown.

4.2 Effects of Estimated γ

One might question the choice to model the estimation error process $w_a[i] = c(\hat{\gamma}[i] - \gamma[i])$ as white, because $\hat{\gamma}[i]$ is the product of a state estimator and it is well known that state estimation errors are correlated in time. At epoch $i$, let $\tilde{x}[i]$ denote the sequential PVT estimator’s full state estimation error, $W[i]$ its feedback gain, $F[i]$ its state transition matrix, and $P[i]$ its state covariance. The covariance between sequential state errors has been reported by Bar-Shalom et al. (2001, Chap. 5):

$$\mathbb{E}\left[\tilde{x}[i+1]\, \tilde{x}^{\mathsf{T}}[i]\right] = \left(I - W[i+1] H[i+1]\right) F[i] P[i] \tag{20}$$

The correlation between $w_a[i+1]$ and $w_a[i]$ for $i \in \mathcal{I}$ can be determined by analysis of this equation, as $w_a[i]$ is an element of $\tilde{x}[i]$.

Let us consider a scenario in which the spoofer induces a static location with a typical Global Positioning System (GPS) satellite geometry. The state estimated by an affected receiver consists of the position, clock bias, and clock drift, as in Equation (10). We assume that the receiver’s PVT estimator applies a dynamics model consistent with a static position and the clock process noise model of Brown and Hwang (2012). Furthermore, we assume that measurement errors are independent, zero-mean, and Gaussian with standard deviations of 1 m and 0.5 m/s, respectively, for the spoofed pseudorange and Doppler measurements.

A key tuning parameter in this model is the process noise of the receiver clock drift, which is governed by the $h_{-2}$ coefficient, as in Equation (14). Figure 2 shows the Pearson correlation coefficient for $w_a[i]$ between subsequent navigation epochs over various values of modeled $h_{-2}$ as a function of the time between epochs. As the process noise and time between epochs increase, the time correlation of sequential estimation errors is reduced. This type of analysis can be performed to help determine the measurement interval length beyond which errors in the sequential estimates $\hat{\gamma}[i]$ can be accurately approximated as AWGN. For example, Figure 2 indicates that, for $h_{-2} \geq 3 \times 10^{-19}$, measurements spaced by 100 ms or more may be treated as independent.

If $h_{-2}$ is increased even further, the navigation filter becomes a sequence of point solutions and, in effect, the white noise model of $w_a[i]$ is undoubtedly correct. The selection of $h_{-2}$ becomes a tuning parameter for the system designer. This analysis involving nominal $h_{-2}$ values is relevant because currently deployed LEO-based GNSS receivers can perform this technique and may not have the flexibility to change their own process noise.

FIGURE 2

Pearson correlation coefficient between sequential estimation errors $w_a[i]$ as a function of time between estimation epochs for various values of $h_{-2}$

As the receiver’s modeled process noise intensity increases, the time correlation between estimation errors decreases.

4.3 Range-Rate Nonlinear Least-Squares Estimator

Now that the measurements and the measurement covariance have been defined, a batch nonlinear least-squares estimator may be developed to solve for the state $x$:

$$x = \begin{bmatrix} r_t \\ b_0 \end{bmatrix} \tag{21}$$

where $r_t$ is the transmitter’s ECEF position and $b_0$ is the unknown measurement bias. Let $z$ represent the $I \times 1$ stacked measurement vector. The standard weighted nonlinear least-squares cost function is as follows:

$$J(x) = \frac{1}{2}\left[z - h(x)\right]^{\mathsf{T}} R^{-1} \left[z - h(x)\right] \tag{22}$$

where $h(x)$ is the nonlinear measurement model function. The optimal estimate of $x$ minimizes the cost $J$.

The linearized measurement model $H$ is an $I \times 4$ matrix that takes the following form:

$$H = \begin{bmatrix} \dfrac{dh_1}{dr_t} & 1 \\ \vdots & \vdots \\ \dfrac{dh_I}{dr_t} & 1 \end{bmatrix} \tag{23}$$

where:

$$\frac{dh_i(x)}{dr_t} = \frac{v_{r,i}^{\mathsf{T}}\left(\hat{r}_i \hat{r}_i^{\mathsf{T}} - \mathbb{I}_{3 \times 3}\right)}{\rho_i} \tag{24}$$

is the $1 \times 3$ Jacobian of the $i$-th range-rate measurement. The range between the receiver and the transmitter at the $i$-th measurement is denoted as $\rho_i$. This measurement model Jacobian is equivalent to columns 1, 2, 3, and 8 of the Jacobian presented by Psiaki (2021), up to a scale factor.

Enforcing an altitude constraint significantly improves the problem’s observability. This constraint can be incorporated as an additional pseudo-measurement of the transmitter’s altitude with respect to the WGS-84 ellipsoid, modeled as follows:

$$z[I+1] = h_{\mathrm{alt}}(x) + w_{\mathrm{alt}} \tag{25}$$

where the measurement error $w_{\mathrm{alt}} \sim \mathcal{N}(0, \sigma_{\mathrm{alt}}^2)$ is assumed to be independent of those for $z[i]$, $i \in \mathcal{I}$. The measurement’s $1 \times 4$ Jacobian is as follows:

$$H_{\mathrm{alt}} = \left[\cos(\phi_{\mathrm{lat}})\cos(\lambda_{\mathrm{lon}}),\ \cos(\phi_{\mathrm{lat}})\sin(\lambda_{\mathrm{lon}}),\ \sin(\phi_{\mathrm{lat}}),\ 0\right] \tag{26}$$

where $\phi_{\mathrm{lat}}$ and $\lambda_{\mathrm{lon}}$ are the latitude and longitude of $r_t$, respectively. The measurement vector $z$, vector-valued function $h(x)$, Jacobian $H$, and error covariance $R$ are all appropriately augmented to include the altitude pseudo-measurement.

Finally, the estimation error’s Cramér-Rao lower bound (CRLB) can be approximated as follows:

$$P_{xx} = \left(H^{\mathsf{T}} R^{-1} H\right)^{-1} \tag{27}$$
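The estimator of Sections 4.1 and 4.3 run on a simulated pass, as an added example that is not the authors' code: it builds R from Equations (14) and (19), uses the Jacobian of Equation (24), and applies Gauss-Newton to the cost in Equation (22) with the altitude pseudo-measurement. The orbit, spoofer site, bias and noise values, the spherical non-rotating Earth standing in for WGS-84 and ECEF, and all function names are constructed assumptions.

```python
import math, random

C = 299_792_458.0        # speed of light (m/s)
R_E = 6_371e3            # ASSUMPTION: spherical Earth radius (m), stands in for WGS-84
A_ORB = R_E + 500e3      # ASSUMPTION: circular orbit radius of the LEO receiver (m)
W_ORB = math.sqrt(3.986004418e14 / A_ORB**3)   # orbital rate (rad/s)

def site(lat_deg, lon_deg):
    """Point on the spherical Earth surface (altitude 0)."""
    la, lo = math.radians(lat_deg), math.radians(lon_deg)
    return [R_E*math.cos(la)*math.cos(lo), R_E*math.cos(la)*math.sin(lo), R_E*math.sin(la)]

def rx_state(t):
    """Constructed receiver pass in the x-z plane; Earth rotation is ignored."""
    th = W_ORB * t
    return ([A_ORB*math.cos(th), 0.0, A_ORB*math.sin(th)],
            [-A_ORB*W_ORB*math.sin(th), 0.0, A_ORB*W_ORB*math.cos(th)])

def range_rate(rt, t):
    """Range rate r_hat^T v_r and its 1x3 Jacobian w.r.t. r_t, Eq. (24)."""
    rr, vr = rx_state(t)
    d = [a - b for a, b in zip(rr, rt)]
    rho = math.sqrt(sum(x*x for x in d))
    u = [x / rho for x in d]                      # unit vector, transmitter to receiver
    rdot = sum(a*b for a, b in zip(u, vr))
    return rdot, [(rdot*ui - vi) / rho for ui, vi in zip(u, vr)]

def covariance(n, dt, sigma_a, h_m2, sigma_alt):
    """R = sigma_a^2 I + sigma_v^2 M, Eq. (19), augmented with the altitude term."""
    sv2 = 2 * math.pi**2 * h_m2 * dt * C**2       # Eq. (14), in (m/s)^2
    R = [[sv2*min(i, j) + (sigma_a**2 if i == j else 0.0) for j in range(1, n+1)] + [0.0]
         for i in range(1, n+1)]
    return R + [[0.0]*n + [sigma_alt**2]]

def solve(A, B):
    """Solve A X = B by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(a) + list(b) for a, b in zip(A, B)]
    for k in range(n):
        p = max(range(k, n), key=lambda r: abs(M[r][k]))
        M[k], M[p] = M[p], M[k]
        piv = M[k][k]
        M[k] = [x / piv for x in M[k]]
        for r in range(n):
            if r != k and M[r][k] != 0.0:
                f = M[r][k]
                M[r] = [x - f*y for x, y in zip(M[r], M[k])]
    return [row[n:] for row in M]

def simulate(rt, b0, times, sigma_a, h_m2, dt, rng):
    """Constructed z[i] per Eq. (17): range rate + bias + AWGN + random walk."""
    sv = math.sqrt(2 * math.pi**2 * h_m2 * dt) * C
    z, b = [], 0.0
    for t in times:
        b += rng.gauss(0.0, sv)                   # b[i], Eq. (13)
        z.append(range_rate(rt, t)[0] + b0 + b + rng.gauss(0.0, sigma_a))
    return z

def geolocate(times, z, x0, R, iters=15):
    """Gauss-Newton on J(x), Eq. (22); x = [r_t (m), b0 (m/s)]. Returns x and Eq. (27)."""
    m = len(times) + 1
    Rinv = solve(R, [[float(i == j) for j in range(m)] for i in range(m)])
    x = list(x0)
    for _ in range(iters):
        H, res = [], []
        for t, zi in zip(times, z):
            rdot, jac = range_rate(x[:3], t)
            H.append(jac + [1.0])
            res.append(zi - rdot - x[3])
        norm = math.sqrt(sum(v*v for v in x[:3]))
        H.append([v / norm for v in x[:3]] + [0.0])   # altitude Jacobian on a sphere
        res.append(-(norm - R_E))                     # pseudo-measurement: altitude 0
        W = [[sum(Rinv[i][k]*H[k][j] for k in range(m)) for j in range(4)] for i in range(m)]
        N = [[sum(H[k][a]*W[k][b] for k in range(m)) for b in range(4)] for a in range(4)]
        g = [[sum(W[k][a]*res[k] for k in range(m))] for a in range(4)]
        x = [xi + d[0] for xi, d in zip(x, solve(N, g))]
    return x, solve(N, [[float(i == j) for j in range(4)] for i in range(4)])

def demo(sigma_a=0.1, h_m2=3e-21, noisy=True, seed=1):
    """Returns (3-D position error in m, estimated b0, sqrt of CRLB position trace)."""
    dt, n = 1.0, 60
    times = [(i - 30.5) * dt for i in range(1, n + 1)]   # capture centred on closest approach
    truth, b0 = site(0.0, 4.0), 35.0                     # constructed spoofer site and bias
    z = simulate(truth, b0, times, sigma_a if noisy else 0.0,
                 h_m2 if noisy else 0.0, dt, random.Random(seed))
    R = covariance(n, dt, sigma_a, h_m2, sigma_alt=50.0)
    # The initial guess must lie on the true side of the ground track: without
    # Earth rotation the mirror-image site gives the same range-rate history.
    x, P = geolocate(times, z, site(0.1, 3.9) + [0.0], R)
    return math.dist(x[:3], truth), x[3], math.sqrt(P[0][0] + P[1][1] + P[2][2])

if __name__ == "__main__":
    for label, flag in (("noise-free", False), ("noisy", True)):
        err, b0_hat, sig = demo(noisy=flag)
        print(f"{label}: error {err:.2f} m, b0 {b0_hat:.3f} m/s, CRLB 1-sigma {sig:.1f} m")
```

Raising `h_m2` in `demo` enlarges the random-walk part of R and the reported CRLB, which is the oscillator-instability effect the covariance model is meant to capture.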

5 EXPERIMENTAL RESULTS

The single-satellite geolocation technique described above was verified in a joint demonstration between the University of Texas Radionavigation Laboratory (UT RNL) and Spire Global. In this experiment, an ensemble of self-consistent spoofing signals was transmitted from a ground station while an overhead LEO satellite performed a raw signal capture. This section details the setup and results of the experiment. Preliminary results were presented by Clements et al. (2024), including a comprehensive description of the special adaptations made to handle the spoofer’s non-GNSS carrier frequency.

5.1 Experimental Design

The UT RNL provided a baseband binary file containing an ensemble of GNSS spoofing signals to be transmitted, a filtered and downsampled version of the “clean static” recording in the TEXBAT data set (Humphreys et al., 2012). The original recording was a high-quality 16-bit 25-Msps (complex) recording of authentic GNSS signals centered at GPS L1 from a stationary antenna on top of the former Aerospace Engineering building at UT Austin. The front-end in the original recording was driven by a 10-MHz oven-controlled crystal oscillator (OCXO). Low-pass filtering and downsampling of the original file were required to ensure that the transmitted signal was contained within Spire’s available bandwidth. Additionally, onboard the satellite, the S-band capture device and onboard GNSS receiver were driven by the same oscillator, allowing precise time-tagging and compensation.

The spoofing file was transmitted from a ground station located in Perth, Australia. The transmitter was driven by a temperature-controlled crystal oscillator (TCXO). The transmitted spoofing signals were centered at the S-band to avoid interfering with the GNSS bands. While the ground station was transmitting the spoofing file, an overhead LEO satellite performed a raw signal capture over 20 s, centered at the S-band carrier and sampled at 5 Msps (complex). In practice, all processing would be done by an onboard receiver. The duration of the raw capture should be as long as a frame in the spoofed navigation message, or 30 s in the case of GPS L1/CA, to ensure that the entire spoofed satellite ephemeris for each spoofed satellite could be decoded. Figure 3 shows locations relevant to the demonstration. In the context of this paper, the physical location of the transmitter (spoofer) is in Perth, Australia, and the spoofed location sits atop the former Aerospace Engineering building in Austin, Texas. Note that this spoofer could also be characterized as a meacon with a long delay from reception to transmission. The goal is to geolocate the spoofer’s position in Perth.

5.2 Experimental Spoofer Geolocation with γ

The transmitted spoofing signals captured in LEO were processed with the UT RNL’s GRID software-defined GNSS receiver (Clements et al., 2021; Nichols et al., 2022; Pany et al., 2024). Figure 4 shows the PVT solution obtained by processing the pseudorange and Doppler measurements of the spoofing signals. The position solution is slightly biased because of the code-carrier divergence caused by shifting the original L1-centered signal to the S-band carrier (Clements et al., 2024). On GRID’s display, the 4,810-m/s clock drift (labeled δtRdot) is immediately noticeable. Of course, no oscillator on a GNSS receiver would experience a clock drift so extreme.

FIGURE 3

Left: The spoofed location atop the former Aerospace Engineering building in Austin, Texas; center: the actual spoofer location, a Spire Global ground station located in Perth, Australia; right: the ground track of the Spire Global LEO satellite during the 20-s signal capture

FIGURE 4

Left: UT RNL’s GRID receiver display when processing the spoofing signals; right: a scatter of GRID-derived position solutions

In the right panel, the red dot indicates the spoofed position. The three-dimensional bias is 45.9 m, primarily concentrated in the vertical direction. This error is attributed to the S-band carrier.

To coax GRID into properly processing the S-band spoofing signals, special modifications to the receiver’s configuration and PVT estimator were required. Reconfiguring such parameters is trivial within GRID’s software-defined architecture. The bandwidths of the receiver’s delay-locked loop (DLL) and PLL were increased to maintain lock despite the code-carrier divergence introduced by the S-band carrier. The bandwidth of the DLL was set to 1.7 Hz, and the bandwidth of the PLL was set to 40 Hz, introducing more noise. To minimize spurious variations in $\hat{\gamma}(t)$, the receiver’s dynamics model was set to “static,” consistent with an assumed static spoofed location. The receiver’s innovation-based anomaly monitor was disabled to prevent rejection of the PVT solution owing to the unusually high estimated clock drift rate. Other considerations related to the S-band carrier have been detailed by Clements et al. (2024).

A Doppler-equivalent time history $\hat{\gamma}(t)$ over 17.75 s is shown as a black trace in Figure 5, along with the raw measured Doppler of each spoofing signal. The GNSS receiver allowed itself to be spoofed, and the true range rate between the LEO-based receiver and the terrestrial transmitter was included in the receiver’s clock drift estimate, as explained in Section 3. The measured Doppler time history of each spoofing signal, as given in Equation (6), follows the shape of $\hat{\gamma}(t)$ because the range rate between the spoofer and LEO-based receiver is dominant in all traces. The deviation in the measured Doppler time history of each spoofing signal from $\hat{\gamma}(t)$ is $\tilde{f}_n(t)$, as presented earlier.

The time history of $\hat{\gamma}(t)$ was fed to the nonlinear least-squares estimator described in Section 4. The final position fix, shown in Figure 6, was within 68 m of the true location. Importantly, the true emitter position lay within the estimate’s horizontal 95% error ellipse. For the measurement covariance matrix, σa was set to 0.15 m/s, and σv was set to 0.0163 m/s, which is consistent with the transmitter’s TCXO. The eccentricity of the error ellipse is dictated by the receiver–transmitter geometry. Figure 6 shows the Doppler post-fit residuals, with respect to the estimated spoofer position and the true spoofer position. The residuals with respect to the estimated spoofer position are zero-mean with a standard deviation of 0.12 m/s. Such small and unbiased residuals indicate that the estimator’s model for $\hat{\gamma}(t)$ is highly accurate. Thus, this experiment provides a validation of this paper’s geolocation technique.

FIGURE 5

Measured Doppler time history of each received spoofing signal, as well as the Doppler-equivalent time history $\hat{\gamma}(t)$ (black trace), which is used for geolocation

FIGURE 6

Left: The final spoofer position estimate (white) based on $\hat{\gamma}(t)$ is displayed, with the true spoofer location shown in red. The error of the final estimate is 68 m. The true emitter is contained within the 95% horizontal error ellipse, derived from Equation (27), which has a semimajor axis of 6.7 km. Right: Post-fit range-rate residuals of the $\hat{\gamma}(t)$ time history with respect to the estimated spoofer position (top) and true spoofer position (bottom) are displayed. The residuals with respect to the estimated position are unbiased and have a standard deviation of 0.12 m/s.

5.3 Experimental Spoofer Geolocation with GNSS Observables

This paper’s advocated technique requires a means for obtaining ephemerides and clock models of the spoofed navigation satellites implied in the spoofing. However, for cases in which the GNSS receiver onboard a LEO satellite cannot be configured to produce a PVT solution from the spoofed signals yet does produce standard Doppler observables for each spoofed signal, traditional Doppler-based geolocation, as described by Murrian et al. (2021), can be applied to estimate the spoofer’s location. Of course, as shown earlier, this approach will yield a biased estimate of the spoofer’s position because the time-varying frequency term $\tilde{f}_n(t)$ is unmodeled. However, if the spoofing signals induce a static terrestrial location, the position bias due to the nonzero $\tilde{f}_n(t)$ is small enough that the geolocation solution remains useful.

The position bias is relatively small because the Doppler time rate of change between a stationary receiver on the surface of the Earth and a GNSS satellite in medium Earth orbit is never more than 1 Hz/s and is typically much smaller. Thus, the range rate between the LEO-based receiver and the physical spoofer is the dominant term in $f_n(t)$. Figure 7 shows the biased position fixes and corresponding error ellipses when each $f_n(t)$ time history is fed as measurements to the nonlinear least-squares estimator as described in Section 4. Only two of the seven 95% error ellipses contain the true spoofer position. The spread of the spoofer position estimates is relatively tight, with the maximum error being 1.9 km. Depending on the desired accuracy requirements, this level of accuracy may be sufficient. Note that if the spoofer’s induced trajectory were dynamic rather than static, the spread of the geolocation estimates would be larger, as shown by Clements et al. (2022).

Figure 8 presents the range-rate residuals with respect to the estimated spoofer position (top panel) and the true spoofer position (bottom panel). In the range-rate residuals with respect to the true spoofer position, the time-varying frequency component is visible, especially for pseudorandom noise (PRN) 13 and 23, which also yield the final spoofer position estimates with the largest amount of error.

FIGURE 7

Geolocation using the observed Doppler time history of each spoofed PRN. Each individual spoofer position estimate is biased owing to the unmodeled frequency component.

FIGURE 8

Top: Range-rate residuals with respect to the estimated spoofer position; bottom: range-rate residuals with respect to the true spoofer position

6 SPOOFER CLOCK INSTABILITY ERROR ANALYSIS

This section analyzes how transmitter clock instability translates to range-rate-based geolocation positioning error. It is important to characterize such errors as they manifest in real-world applications. In this section, we assume that $\delta\dot{t}_{\tilde{r}} = 0$ so that the effects of actual—not induced—clock instability may be considered in isolation. The marginal contribution of transmitter clock instability to horizontal positioning error scales directly with the transmitter oscillator quality, specified by $h_{-2}$ in Equation (14). This general result applies to any clock quality and any capture geometry.

As an example, let us consider the capture scenario in Section 5 for a 20-s capture over Perth. Table 1 shows the contribution of transmitter clock instability to the semi-major and semi-minor axes of the 95% horizontal error ellipse in the absence of all other error sources. The orientation of the error ellipse is determined by the capture geometry. In general, the semi-major axis lies in the cross-track direction of the satellite’s motion, whereas the semi-minor axis lies in the along-track direction. Table 1 shows that single-satellite range-rate-based geolocation is sensitive to the transmitter clock quality. Thus, in theory, a spoofer could use a low-quality oscillator to degrade the geolocation accuracy. However, the spoofing signals would then be more easily detected by victim receivers, as will be discussed in the next section, rendering the spoofing less effective.

TABLE 1 Theoretical Marginal Contribution of Transmitter Clock Instability to the 95% Horizontal Error Ellipse for the Capture Scenario Specified in Section 5 in the Absence of All Other Error Sources

The importance of correctly modeling R is emphasized here by using Monte Carlo trials to compare two key metrics in geolocation: the root mean square error (RMSE) between the true and estimated spoofer position and the containment percentage.

For the RMSE comparison, the true range-rate time history for the 20-s capture scenario specified in Section 5 was computed. For each Monte Carlo trial, both a realization of a Gaussian random walk consistent with a specified $h_{-2}$ and AWGN with σa = 0.1 m/s were added to the true range rate. The noisy range-rate measurements were served to the nonlinear least-squares estimator with the correct measurement covariance R, as specified in Equation (19), and then with an incorrect measurement covariance equal to Ra (i.e., Rb in Equation (19) was set to zero). After 10,000 Monte Carlo trials, the sample RMSE was calculated for the sets of geolocation estimates corresponding to R and Ra. This procedure was repeated with various $h_{-2}$ values representative of a range of oscillators from low-quality TCXOs to OCXOs. The results are shown in Figure 9.

One can observe that the sample RMSE exhibited when the correct measurement covariance R is used nearly achieves the CRLB. By contrast, erroneously modeling the measurement noise as AWGN, as is the case when only Ra is used, ignores the time correlation introduced by the transmitter clock instability, resulting in an increase of more than 20% in the RMSE when the transmitter is driven by a low-quality TCXO. Indeed, the degradation in RMSE is only noticeable for $h_{-2} > 3 \times 10^{-23}$, corresponding to a low-quality OCXO or worse. The increase in RMSE becomes more prominent when a low-quality oscillator drives the transmitter because, in this case, the unmodeled Gaussian random walk process is the dominant contributor to the measurement noise, increasing the correlation between measurements.

Although taking Ra alone as the measurement covariance is incorrect, an unbiased estimate is still achieved. Nonetheless, the associated estimated state error covariance becomes erroneously low. Using the correct measurement covariance produces an unbiased minimum-variance estimate with a properly sized state error covariance.

In addition to yielding a worse RMSE, using Ra results in a significantly worse containment percentage within the corresponding theoretical 95% error ellipse. The containment percentage is the percentage of trials in which the true transmitter position lies within the theoretical 95% error ellipse centered at the estimated location.

FIGURE 9

Left: Monte Carlo sample RMSE as a function of $h_{-2}$ with the capture geometry specified in Section 5, for an estimator applying the correct (R) and incorrect (Ra) measurement covariance; right: percentage increase in sample RMSE when Ra is applied rather than R

FIGURE 10

Left: Monte Carlo containment percentage when the theoretical 95% error ellipse is calculated with Ra alone (setting Rb = 0 in Equation (19)), for various values of the underlying parameter σa; right: area of the corresponding theoretical 95% error ellipse as a function of σa

In the right panel, the horizontal line shows the area of the theoretical 95% error ellipse with the correct full measurement covariance R. The vertical lines in both plots indicate the true value of σa assumed in the Monte Carlo simulations.

A separate study of 10,000 Monte Carlo trials was conducted, again with the capture geometry specified in Section 5. For each trial, both a realization of AWGN with σa = 0.1 m/s and a Gaussian random walk consistent with a TCXO with $h_{-2} = 3 \times 10^{-21}$ were added to the true range rate. When the correct measurement covariance R was used, the corresponding theoretical 95% error ellipse contained the transmitter in 95.31% of trials, as expected by a properly modeled estimator. The area of this 95% error ellipse was 3.47 km².

By contrast, when Rb was neglected and only Ra was used, there was significant degradation in the containment percentage. For a case with Ra based on σa = 0.1 m/s, the containment percentage fell to 1.38%. Figure 10 shows the containment percentage for identical cases, except with different values of the modeled σa. As one would expect, increasing the modeled σa improves the containment percentage. If σa were increased to 1.7 m/s, a 95% containment percentage with Ra would be achieved. However, this artificial inflation of σa comes at the cost of having a larger 95% error ellipse. Figure 10 also shows the area of the theoretical 95% error ellipse for various values of σa. The area of the 95% error ellipse for σa = 1.7 m/s is 5.90 km², corresponding to a 70% increase in the 95% error ellipse area when compared with that obtained by using the correct measurement covariance. If σa were set to maintain the same 95% error ellipse area as the correct measurement covariance, a containment percentage of only 84.8% would be achieved.

The spoofer’s oscillator quality is typically unknown, which makes the selection of the estimator’s modeled $h_{-2}$ a design parameter. The range of plausible $h_{-2}$ values is likely limited to TCXO quality or better; otherwise, the transmitted spoofing signals would be easily detectable by victims. A multi-model approach can be taken, where the estimator of each model assumes a different $h_{-2}$ value. The convergence of the state estimate can be tested through a goodness-of-fit test on the weighted sum of squared errors, as presented by Blackman and Popoli (1999).

Thus, properly modeling the transmitter instability is essential in range-rate-based geolocation so that the minimum-variance estimate is calculated and the theoretical containment percentage is maintained.

7 CONTROLLING SPOOFING DETECTION WHILE DEGRADING GEOLOCATION ACCURACY

Researchers have developed formidable defenses against spoofing based on receiver clock state monitoring (Hwang & McGraw, 2014; Jafarnia-Jahromi et al., 2013; Khalajmehrabadi et al., 2018). A would-be spoofer has little flexibility to meddle with the spoofed clock drift $\delta\dot{t}_{\tilde{r}}(t)$ if intending to avoid detection by such defenses. It follows that a stealthy spoofer is scarcely able to purposefully degrade geolocation accuracy.

However, let us consider a conspicuous spoofer—one willing to accept a potentially high spoofing detection rate among affected receivers performing optimal time-based spoofing detection. In this case, the spoofer is allowed more flexibility to manipulate $\delta\dot{t}_{\tilde{r}}(t)$ with the aim of either (1) inflating the victim receivers’ timing error or (2) confounding geolocation based on this paper’s technique. This section derives and analyzes the attack configuration that maximally increases geolocation error while maintaining a specified detection rate among affected receivers implementing an optimal receiver clock drift monitoring spoofing detection strategy.

7.1 Optimal Spoofing Detection via Clock Drift Monitoring

An optimal spoofing detection technique via receiver clock drift monitoring is presented here. Let us consider a time interval that spans $k \in \mathcal{K} = \{1, 2, \ldots, K\}$ uniformly sampled navigation epochs. At the k-th epoch, the distribution of a GNSS receiver’s measured clock drift $\delta\dot{t}_u$ is modeled as follows:

$$c\,\delta\dot{t}_u[k] \sim \mathcal{N}\!\left(c\,\delta\dot{t}_u[k-1],\ \sigma_u^2\right) \quad \text{where} \quad \sigma_u^2 = \sigma_m^2 + q \tag{28}$$

is the steady-state measurement variance. Here, $\sigma_m^2$ is the component of the variance due to the measurement noise and clock dynamics function, and $q$ is the process noise for $c\,\delta\dot{t}_u$, which is related to the time between navigation epochs ∆t and the GNSS receiver clock parameter $h_{-2}^{u}$, as reported by Brown and Hwang (2012):

$$q = 2\pi^2 h_{-2}^{u}\,\Delta t\,c^2 \tag{29}$$

We take the following as the normalized increment in the measured receiver clock drift at the k-th epoch:

$$\eta_k = \frac{c\,\delta\dot{t}_u[k] - c\,\delta\dot{t}_u[k-1]}{\sigma_u} \sim \mathcal{N}(0, 1) \tag{30}$$

Here, we assume that increments are independent so that $\mathbb{E}[\eta_k \eta_j] = \delta_{kj}$ for all $k, j \in \mathcal{K}$.

Optimal spoofing detection amounts to a hypothesis test that attempts to distinguish the null hypothesis $H_0$ (receiver unaffected by spoofing) from the alternative hypothesis $H_1$ (receiver captured by spoofing). Note that this section focuses solely on $\delta\dot{t}_{\tilde{r}}[k]$, the spoofed clock drift increment, while assuming that the spoofer’s transmitter clock drift $\delta\dot{t}_t(t) = 0$, which is opposite the preceding section’s assumption. Additionally, this analysis assumes a static GNSS receiver performing detection, enabling a focus on time-based spoofing detection. The normalized spoofed clock drift increment across one inter-epoch interval has the following form:

$$\mu_k = \frac{c\,\delta\dot{t}_{\tilde{r}}[k] - c\,\delta\dot{t}_{\tilde{r}}[k-1]}{\sigma_u} \tag{31}$$

with an initialization value of $c\,\delta\dot{t}_{\tilde{r}}[0] = 0$ at k = 0, the moment when the spoofer captures the receiver.

Let $\theta_k$ represent the receiver’s estimated clock drift increment at the k-th epoch under either hypothesis. With the foregoing setup, this increment can be modeled as follows:

$$H_0: \theta_k = \eta_k, \quad k \in \mathcal{K} \tag{32}$$

$$H_1: \theta_k = \eta_k + \mu_k, \quad \mu_k \neq 0, \quad k \in \mathcal{K} \tag{33}$$

Under $H_1$, the value of $\mu_k$ is unknown to the receiver and belongs to the set [−∞, 0) ∪ (0, ∞). A uniformly most powerful test does not exist for this hypothesis because the critical regions corresponding to $\mu_k < 0$ and $\mu_k > 0$ are different (Poor, 1994). Instead, a locally most powerful (LMP) test is applied. The LMP design problem is nearly the same as the Neyman-Pearson design problem, such that the probability of detection is maximized while maintaining a fixed probability of false alarm PF. For a single epoch, the detection statistic $\Lambda^*(\theta_k)$ is as follows:

$$\Lambda^*(\theta_k) = \theta_k^2 \tag{34}$$

and has the following distributions under $H_0$ and $H_1$:

$$H_0: \Lambda^*(\theta_k) \sim \chi_1^2 \tag{35}$$

$$H_1: \Lambda^*(\theta_k) \sim \chi_1^2(\lambda), \quad \lambda = \mu_k^2 \tag{36}$$

where $\chi_n^2$ and $\chi_n^2(\lambda)$ denote, respectively, the chi-squared and noncentral chi-squared distributions with n degrees of freedom and noncentrality parameter λ.

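Let us consider detection based on data taken over a time interval that spans K navigation epochs. Let $\theta = [\theta_1, \theta_2, \ldots, \theta_K]^{\mathsf{T}} \in \mathbb{R}^K$ and $\mu = [\mu_1, \mu_2, \ldots, \mu_K]^{\mathsf{T}} \in \mathbb{R}^K$. The joint test statistic is then as follows:

$$\Lambda^*(\theta) = \sum_{k \in \mathcal{K}} \theta_k^2 = \theta^{\mathsf{T}}\theta \tag{37}$$

with the following distributions under $H_0$ and $H_1$:

$$H_0: \Lambda^*(\theta) \sim \chi_K^2 \tag{38}$$

$$H_1: \Lambda^*(\theta) \sim \chi_K^2(\lambda), \quad \lambda = \sum_{k \in \mathcal{K}} \mu_k^2 = \mu^{\mathsf{T}}\mu \tag{39}$$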

An optimal-decision constant false alarm rate threshold $\nu^*$ for PF can be calculated:

$$P_F = P\left(\Lambda^*(\theta) > \nu^* \mid H_0\right) = 1 - F(\nu^*; K) \tag{40}$$

where $F(\nu^*; K)$ is the cumulative distribution function of $\chi_K^2$ evaluated at the detection threshold $\nu^*$. The probability of detection is as follows:

$$P_D(\mu) = P\left(\Lambda^*(\theta) > \nu^* \mid H_1\right) = 1 - F(\nu^*; K, \lambda) \tag{41}$$

$$= Q_{K/2}\left(\sqrt{\lambda}, \sqrt{\nu^*}\right) \tag{42}$$

where $F(\nu^*; K, \lambda)$ is the cumulative distribution function of $\chi_K^2(\lambda)$ and $Q_m(\alpha, \beta)$ is the Marcum Q function with m = K/2. The hypothesis test takes the following form:

43 43

The spoofer must optimize its attack configuration against this optimal spoofing detection strategy.
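The clock-drift monitor of Equations (28) to (42), as an added standard-library example that is not the authors' code: it computes the constant-false-alarm threshold, runs the joint test on a clock-drift series, and evaluates the detection probability from the noncentral chi-squared tail. Function names are hypothetical, the drift series are constructed, and the receiver's $h_{-2}$ value in the demo is an assumed TCXO figure.

```python
import math

C_LIGHT = 299_792_458.0  # m/s

def sigma_u(sigma_m, h_m2, dt):
    """Eqs. (28)-(29): steady-state std (m/s) of c*clock-drift increments."""
    q = 2.0 * math.pi ** 2 * h_m2 * dt * C_LIGHT ** 2
    return math.sqrt(sigma_m ** 2 + q)

def chi2_sf(x, k):
    """P(chi2_k > x), from the series for the regularized lower incomplete gamma."""
    if x <= 0.0:
        return 1.0
    a, y = 0.5 * k, 0.5 * x
    term = total = 1.0 / a
    n = 0
    while term > 1e-17 * total and n < 10_000:
        n += 1
        term *= y / (a + n)
        total += term
    return max(0.0, 1.0 - total * math.exp(a * math.log(y) - y - math.lgamma(a)))

def ncx2_sf(x, k, lam):
    """P(chi2_k(lam) > x) as a Poisson(lam/2)-weighted mixture of central tails."""
    if lam <= 0.0:
        return chi2_sf(x, k)
    half = 0.5 * lam
    log_w, total = -half, 0.0                  # log Poisson weight for j = 0
    for j in range(int(half + 12.0 * math.sqrt(half) + 30.0) + 1):
        total += math.exp(log_w) * chi2_sf(x, k + 2 * j)
        log_w += math.log(half) - math.log(j + 1)
    return min(1.0, total)

def threshold(p_f, k):
    """Eq. (40): threshold with P(chi2_k > threshold) = p_f, found by bisection."""
    lo, hi = 0.0, 1.0
    while chi2_sf(hi, k) > p_f:
        hi *= 2.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if chi2_sf(mid, k) > p_f:
            lo = mid
        else:
            hi = mid
    return hi

def detect(c_drift, sig_u, p_f):
    """Joint test over K = len(c_drift) - 1 epochs: (statistic, threshold, alarm)."""
    theta = [(b - a) / sig_u for a, b in zip(c_drift, c_drift[1:])]  # normalized increments
    stat = sum(t * t for t in theta)                                 # Eq. (37)
    nu = threshold(p_f, len(theta))
    return stat, nu, stat > nu

def p_detect(mu, p_f):
    """Eq. (41): detection probability for normalized drift increments mu."""
    lam = sum(m * m for m in mu)                                     # Eq. (39)
    return ncx2_sf(threshold(p_f, len(mu)), len(mu), lam)

if __name__ == "__main__":
    su = sigma_u(0.05, 3e-21, 1.0)      # sigma_m as on the page; h_-2 assumed (TCXO)
    for slope in (0.0, 0.05, 0.3):      # constructed drift ramps, m/s per epoch
        series = [slope * k for k in range(21)]
        print(slope, detect(series, su, 1e-3), p_detect([slope / su] * 20, 1e-3))
```

The 0.05 m/s-per-epoch ramp stays below the threshold while the 0.3 m/s-per-epoch ramp raises the alarm, which shows how the choice of PF and the receiver clock quality set the smallest drift change the monitor can catch.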

7.2 Expression for Geolocation Error

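One of the assumptions made when developing the estimator presented in Section 4 was that $\delta\dot{t}_{\tilde{r}}$ is constant. If, instead, $\delta\dot{t}_{\tilde{r}}(t)$ is time-varying, the measurements $\hat{\gamma}[i]$ for all $i \in \mathcal{I}$ used for geolocation become perturbed, increasing the geolocation error. Let $\epsilon[i]$ represent the unmodeled time-varying $c\,\delta\dot{t}_{\tilde{r}}[i]$ for all $i \in \mathcal{I}$. Then, at the i-th measurement epoch, $c\hat{\gamma}[i] = c\gamma[i] + \epsilon[i]$. Let the vector of measurement perturbations over the capture interval be represented as $\epsilon = [\epsilon[1], \epsilon[2], \ldots, \epsilon[I]]^{\mathsf{T}} \in \mathbb{R}^I$, and let $\tilde{x} = [\tilde{e}, \tilde{n}, \tilde{b}]^{\mathsf{T}}$ denote the geolocation estimation error in the east direction, north direction, and frequency bias, where $\tilde{e}$ and $\tilde{n}$ are defined in the east-north-up frame centered at the true spoofer position. Let $\tilde{H} \in \mathbb{R}^{I \times 3}$ denote the measurement Jacobian with respect to $\tilde{x}$. The error $\tilde{x}$ can be calculated as follows:

$$\tilde{x} = \left(\tilde{H}^{\mathsf{T}} R^{-1} \tilde{H}\right)^{-1} \tilde{H}^{\mathsf{T}} R^{-1} \epsilon = B\epsilon \tag{44}$$

The horizontal position error vector $\mathbf{e}_h$ is defined as follows:

$$\mathbf{e}_h = [\tilde{e}, \tilde{n}]^{\mathsf{T}} \tag{45}$$

Let $\tilde{B}$ be the first two rows of $B$, and define the matrix $A \in \mathbb{R}^{I \times I}$ as follows:

$$A = \tilde{B}^{\mathsf{T}} \tilde{B} \tag{46}$$

The absolute horizontal positioning error $e_h$ due to the perturbation $\epsilon$ can then be computed:

$$e_h = \sqrt{\mathbf{e}_h^{\mathsf{T}} \mathbf{e}_h} = \sqrt{\epsilon^{\mathsf{T}} A \epsilon} \tag{47}$$

Thus, the squared horizontal geolocation error $e_h^2$ is related to the perturbation $\epsilon$ by the quadratic form $\epsilon^{\mathsf{T}} A \epsilon$.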

The spoofer seeks the perturbation $\epsilon$ that maximizes $e_h$ so that it can maximally degrade the accuracy of geolocation by a single-sensor platform performing range-rate-based geolocation via this paper’s technique. Suppose that $\epsilon$ is subject to the constraint $\lVert \epsilon \rVert \le \zeta$, which will be defined in the next section. The optimization problem then has the following form:

$$\epsilon^* = \underset{\lVert \epsilon \rVert \le \zeta}{\arg\max}\ \epsilon^{\mathsf{T}} A \epsilon \tag{48}$$

To solve this problem, $A$ is factorized as $A = Q D Q^{\mathsf{T}}$, where $Q$ is orthogonal and $D = \mathrm{diag}(d_1, d_2, \ldots, d_I)$ is a diagonal matrix composed of eigenvalues of $A$, which are all positive. We assume that the columns of $Q$ contain the unitary eigenvectors corresponding to eigenvalues ordered such that $d_1 \ge d_2 \ge \ldots \ge d_I$. Then, we have the following:

$$\epsilon^{\mathsf{T}} A \epsilon = \epsilon^{\mathsf{T}} Q D Q^{\mathsf{T}} \epsilon = y^{\mathsf{T}} D y \tag{49}$$

where $\lVert \epsilon \rVert = \lVert Q^{\mathsf{T}} \epsilon \rVert = \lVert y \rVert$. The value of $y$ that satisfies $\lVert y \rVert \le \zeta$ and maximizes $y^{\mathsf{T}} D y$ is given by $y^* = [\zeta, 0, 0, \ldots, 0]^{\mathsf{T}}$. Let $v^* \in \mathbb{R}^I$ denote the unitary eigenvector corresponding to the largest eigenvalue of $A$. The optimal $\epsilon$ for this optimization problem is then as follows:

$$\epsilon^* = \pm Q y^* = \pm \zeta v^* \tag{50}$$

7.3 Jointly Optimized Spoofer Clock Drift Selection

Now that an optimal spoofing detector based on the receiver clock drift has been presented and a perturbation $\epsilon^*$ that maximizes the horizontal geolocation error subject to the constraint $\lVert \epsilon^* \rVert \le \zeta$ has been defined, a spoofer can develop an attack configuration for $c\,\delta\dot{t}_{\tilde{r}}(t)$ that maximizes $e_h$ while maintaining a specified probability of detection. It is assumed that the spoofer has perfect knowledge of the LEO-based receiver’s position and velocity, which is representative of a worst-case scenario.

Let $c\,\delta\dot{t}_{\tilde{r}} = c\,[\delta\dot{t}_{\tilde{r}}[1], \delta\dot{t}_{\tilde{r}}[2], \ldots, \delta\dot{t}_{\tilde{r}}[I]]^{\mathsf{T}} \in \mathbb{R}^I$ represent the spoofer’s discretized time-varying attack configuration for $\delta\dot{t}_{\tilde{r}}(t)$. Suppose that the spoofer sets $c\,\delta\dot{t}_{\tilde{r}} = \epsilon^*$. Then, the vector of spoofed clock drift increments over K = I − 1 navigation epochs is equivalent to the following:

$$\mu = \frac{\zeta}{\sigma_u} C v^* \in \mathbb{R}^K \quad \text{where} \quad C = \begin{bmatrix} -1 & 1 & 0 & \cdots & 0 \\ 0 & -1 & 1 & \cdots & 0 \\ \vdots & & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & -1 & 1 \end{bmatrix} \in \mathbb{R}^{K \times I} \tag{51}$$

The only task remaining for the spoofer is to determine the value of ζ so that $\epsilon^*$ can be scaled appropriately. Suppose that the spoofer is willing to allow a detection probability $\bar{P}_D$ for the detection test in Equation (43). Based on the parameters σu, I, and PF, the parameter ζ can be chosen to maintain an expected probability of detection $\bar{P}_D$. Given the functional form of the probability of detection in Equation (42), ζ must satisfy the following equation:

$$Q_{K/2}\left(\frac{\zeta}{\sigma_u} \lVert C v^* \rVert,\ \sqrt{\nu^*}\right) = \bar{P}_D \tag{52}$$

Following this step, the spoofed clock drift trajectory $c\,\delta\dot{t}_{\tilde{r}}^*$ that maximizes the geolocation error while maintaining a specified probability of detection can be represented as follows:

$$c\,\delta\dot{t}_{\tilde{r}}^* = \pm \zeta \left(v^* - \mathbf{1}\,v^*[1]\right) \tag{53}$$

where $\mathbf{1}$ is an appropriately sized vector of all ones and $v^*[1]$ is the first element of $v^*$. Note that subtracting $\mathbf{1}\,v^*[1]$ ensures that $c\,\delta\dot{t}_{\tilde{r}}[1] = 0$, consistent with initialization of the spoofing attack. This subtraction does not change the optimization processes: it only affects the estimated frequency bias $b_0$, which is merely a nuisance parameter.

To illustrate the application of this analysis, we consider the following example. Suppose a spoofer wishes to choose $\delta\dot{t}_{\tilde{r}}^*$ to maximally degrade geolocation by a LEO-based receiver capturing its signals over 21 s with the geometry shown in Figure 3. Let us further suppose that the LEO-based receiver computes measurements at 1 Hz, so that I = 21, and sets R with σa = 0.1 m/s and σv consistent with a TCXO. The attack trajectory $v^* - \mathbf{1}\,v^*[1]$ that maximizes the horizontal geolocation error is shown in Figure 11. Interestingly, the spoofer allocates the greatest detection risk (largest increments) at the beginning and end of the 21-s capture, while maintaining a lower risk (smaller increments) in the interim.

Now we assume that spoofing-affected receivers are performing navigation solutions once per second with σm = 0.05 m/s. Figure 12 displays the maximum horizontal geolocation error given a triad of $\bar{P}_D$, PF, and affected receiver clock quality. For example, if the spoofer accepts a detection rate of $\bar{P}_D = 0.5$ by receivers equipped with a TCXO having their spoofing detector set with PF = $10^{-3}$, the maximum $e_h$ due to $c\,\delta\dot{t}_{\tilde{r}}^*$ is 8.4 km.

To give the reader an idea of how capture geometry affects the maximum horizontal geolocation error, we consider the same scenario, but with a 21-s detection-and-geolocation segment beginning 30 s earlier. This capture geometry is more favorable for geolocation, resulting in a maximum horizontal geolocation error of 2.2 km. In contrast, we can also consider a 21-s segment beginning 30 s after the original. This capture geometry is worse for geolocation, resulting in a maximum horizontal geolocation error of 23.5 km. It is important to note that this worst-case error is not a limitation of this paper’s technique, but a limit of single-satellite range-rate-based geolocation of GNSS spoofers in general. Moreover, it should be remembered that the foregoing analysis is for a worst-case situation in which the spoofer knows the LEO-based receiver’s position and velocity time history.

FIGURE 11

The attack trajectory $v^*[i] - v^*[1]$ that maximizes $e_h$ for the LEO-based receiver geometry shown in Figure 3

FIGURE 12

Worst-case geolocation error for a spoofer that optimizes $c\,\delta\dot{t}_{\tilde{r}}$ for receivers performing 1-Hz spoofing detection tests with σm = 0.05 m/s and for the LEO-based receiver geometry shown in Figure 3

The geolocation error is shown over a range of $\bar{P}_D$ for two representative victim receiver clock quality levels and three representative values of PF.

8 CONCLUSION

This paper presented a single-satellite, single-pass technique for locating GNSS spoofers from a LEO. The technique was validated in a controlled experiment in partnership with Spire Global in which a LEO-based receiver captured GNSS spoofing signals transmitted from a ground station. An analytic expression was derived for how actual transmitter clock instability degrades the geolocation solution. Finally, the geolocation positioning error was investigated as a function of worst-case spoofed clock behavior subject to a constraint on probability of detection.

HOW TO CITE THIS ARTICLE:

Clements, Z.L., Ellis, P.B., Goodridge, I., Murrian, M.J., Psiaki, M.L., & Humphreys, T.E. (2026). Single-satellite-based geolocation of broadcast GNSS spoofers from a low Earth orbit. NAVIGATION, 73. https://doi.org/10.33012/navi.750

ACKNOWLEDGMENTS

This work was supported by the U.S. Department of Transportation under Grant 69A3552348327 for the CARMEN+ University Transportation Center and by affiliates of the center within the Wireless Networking and Communications Group at The University of Texas at Austin.

This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

REFERENCES

  1. Anderson, J., Lo, S., Neish, A. & Walter, T. (2023). Authentication of satellite-based augmentation systems with over-the-air rekeying schemes. NAVIGATION, 70(3). https://doi.org/10.33012/navi.595
  2. Anderson, J., Lo, S. & Walter, T. (2024). Authentication security of combinatorial watermarking for GNSS signal authentication. NAVIGATION, 71(3). https://doi.org/10.33012/navi.655
  3. Arraf, J. (2024, April). Israel fakes GPS locations to deter attacks, but it also throws off planes and ships. https://www.npr.org/2024/04/22/1245847903/israel-gps-spoofing
  4. Bar-Shalom, Y., Li, X. R., & Kirubarajan, T. (2001). Estimation with applications to tracking and navigation. Wiley. https://doi.org/10.1002/0471221279
  5. Berkowitz, M. J. (2024). America’s asymmetric vulnerability to navigation warfare: Leadership and strategic direction needed to mitigate significant threats. National Security Space Association. https://nssaspace.org/wp-content/uploads/2024/07/NAVWAR-FINAL.pdf
  6. Blackman, S. S.,&Popoli, R. (1999). Kinematic state estimation: Filtering and prediction. In Design and analysis of modern tracking systems. Artech House.
  7. Brown, R. G.,& Hwang, P. Y. (2012). Introduction to random signals and applied Kalman filtering. Wiley.
  8. C4ADS (2019, March). Above us only stars: Exposing GPS spoofing in Russia and Syria. https://c4ads.org/reports/above-us-only-stars
  9. Chen, X., Morton, Y., Yu, W.-X., & Truong, T.-K. (2024). GNSS spoofer localization with counterfeit clock bias observables on a mobile platform. IEEE Sensors Journal, 24(14), 21916–21930. https://doi.org/10.1109/JSEN.2023.3310976
  10. Chew, C., Maximillian, R. T., & Lowe, S. (2023). RFI mapped by spaceborne GNSS-R data. NAVIGATION, 70(4). https://doi.org/10.33012/navi.618
  11. Clements, Z., Ellis, P., & Humphreys, T. E. (2023a). Dual-satellite geolocation of terrestrial GNSS jammers from low Earth orbit. In Proc. of the IEEE/ION Position, Location and Navigation Symposium (PLANS), Monterey, CA, 458–469. https://doi.org/10.1109/PLANS53410.2023.10140058
  12. Clements, Z., Ellis, P., & Humphreys, T. E. (2023b). Pinpointing GNSS interference from low Earth orbit. Inside GNSS, 18(5), 42–55. https://insidegnss.com/pinpointing-gnss-interference-from-low-earth-orbit/
  13. Clements, Z., Ellis, P., Psiaki, M. L., & Humphreys, T. E. (2022). Geolocation of terrestrial GNSS spoofing signals from low Earth orbit. In Proc. of the 35th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2022), Denver, CO, 3418–3431. https://doi.org/10.33012/2022.18444
  14. Clements, Z., Goodridge, I., Ellis, P., Murrian, M. J., & Humphreys, T. E. (2024). Demonstration of single-satellite GNSS spoofer geolocation. In Proc. of the 2024 International Technical Meeting of the Institute of Navigation, Long Beach, CA, 361–373. https://doi.org/10.33012/2024.19539
  15. Clements, Z., Iannucci, P. A., Humphreys, T. E., & Pany, T. (2021). Optimized bit-packing for bit-wise software-defined GNSS radio. In Proc. of the 34th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2021), St. Louis, MO, 3749–3771. https://doi.org/10.33012/2021.18015
  16. Clements, Z., Yoder, J. E., & Humphreys, T. E. (2022). Carrier-phase and IMU based GNSS spoofing detection for ground vehicles. Proceedings of the 2022 International Technical Meeting of the Institute of Navigation, Long Beach, CA, 83–95. https://doi.org/10.33012/2022.18252
  17. Clements, Z., Yoder, J. E., & Humphreys, T. E. (2023). GNSS spoofing detection: An approach for ground vehicles using carrier-phase and inertial measurement data. GPS World, 34(2), 36–41. https://editions.mydigitalpublication.com/article/GNSS+Spoofing+Detection/4517965/783583/article.html
  18. Ellis, P., & Dowla, F. (2018). Performance bounds of a single LEO satellite providing geolocation of an RF emitter. 9th Advanced Satellite Multimedia Systems Conference and the 15th Signal Processing for Space Communications Workshop (ASMS/SPSC), 1–5. https://doi.org/10.1109/ASMS-SPSC.2018.8510737
  19. Ellis, P., & Dowla, F. (2020). Single satellite emitter geolocation in the presence of oscillator and ephemeris errors. IEEE Aerospace Conference, 1–7. https://doi.org/10.1109/AERO47225.2020.9172600
  20. Ellis, P., Van Rheeden, D., & Dowla, F. (2020). Use of Doppler and Doppler rate for RF geolocation using a single LEO satellite. IEEE Access, 8, 12907–12920. https://doi.org/10.1109/access.2020.2965931
  21. Felux, M., Fol, P., Figuet, B., Waltert, M., & Live, X. (2024). Impacts of global navigation satellite system jamming on aviation. NAVIGATION, 71(3). https://doi.org/10.33012/navi.657
  22. Fernandez-Hernandez, I., Winkel, J., O’Driscoll, C., Cancela, S., Terris-Gallego, R., López-Salcedo, J. A., Seco-Granados, G., Dalla Chiara, A., Sarto, C., Blonski, D., & de Blas, J. (2023). Semi-assisted signal authentication for Galileo: Proof of concept and results. IEEE Transactions on Aerospace and Electronic Systems, 59(4), 4393–4404. https://doi.org/10.1109/TAES.2023.3243587
  23. Gebrekidan, S. (2023, November). Electronic warfare confounds civilian pilots, far from any battlefield. The New York Times. https://www.nytimes.com/2023/11/21/world/europe/ukraine-israel-gps-jamming-spoofing.html
  24. Gross, J. N., & Humphreys, T. E. (2017). GNSS spoofing, jamming, and multipath interference classification using a maximum-likelihood multi-tap multipath estimator. Proceedings of the 2017 International Technical Meeting of the Institute of Navigation, Monterey, CA, 662–670. https://doi.org/10.33012/2017.14919
  25. Gross, J. N., Kilic, C., & Humphreys, T. E. (2018). Maximum-likelihood power-distortion monitoring for GNSS-signal authentication. IEEE Transactions on Aerospace and Electronic Systems, 55(1), 469–475. https://doi.org/10.1109/TAES.2018.2848318
  26. Günther, C. (2014). A survey of spoofing and counter-measures. NAVIGATION, 61(3), 159–177. https://doi.org/10.1002/navi.65
  27. Ho, K., & Chan, Y. (1997). Geolocation of a known altitude object from TDOA and FDOA measurements. IEEE Transactions on Aerospace and Electronic Systems, 33(3), 770–783. https://doi.org/10.1109/7.599239
  28. Humphreys, T. E. (2012). Statement on the vulnerability of civil unmanned aerial vehicles and other systems to civil GPS spoofing. United States House of Representatives Committee on Homeland Security: Subcommittee on Oversight, Investigations, and Management.
  29. Humphreys, T. E. (2013). Detection strategy for cryptographic GNSS anti-spoofing. IEEE Transactions on Aerospace and Electronic Systems, 49(2), 1073–1090. https://doi.org/10.1109/TAES.2013.6494400
  30. Humphreys, T. E. (2017). Interference. In P. J. Teunissen & O. Montenbruck (Eds.), Springer handbook of global navigation satellite systems, 469–503. Springer International Publishing. https://doi.org/10.1007/978-3-319-42928-1_16
  31. Humphreys, T. E., Bhatti, J. A., Shepard, D. P., & Wesson, K. D. (2012). The Texas Spoofing Test Battery: Toward a standard for evaluating GNSS signal authentication techniques. Proc. of the 25th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, TN, 3569–3583. https://www.ion.org/publications/abstract.cfm?articleID=10532
  32. Humphreys, T. E., Ledvina, B. M., Psiaki, M. L., O’Hanlon, B. W., & Kintner, P. M., Jr. (2008). Assessing the spoofing threat: Development of a portable GPS civilian spoofer. Proc. of the 21st International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2008), Savannah, GA, 2314–2325. https://www.ion.org/publications/abstract.cfm?articleID=8132
  33. Hwang, P. Y., & McGraw, G. A. (2014). Receiver autonomous signal authentication (RASA) based on clock stability analysis. Proc. of IEEE/ION Position, Location and Navigation Symposium (PLANS), Monterey, CA, 270–281. https://doi.org/10.1109/PLANS.2014.6851386
  34. Jafarnia-Jahromi, A., Broumandan, A., Nielsen, J., & Lachapelle, G. (2012). GPS vulnerability to spoofing threats and review of antispoofing techniques. International Journal of Navigation and Observation, 2012(1), 127072. https://doi.org/10.1155/2012/127072
  35. Jafarnia-Jahromi, A., Daneshmand, S., Broumandan, A., Nielsen, J., & Lachapelle, G. (2013). PVT solution authentication based on monitoring the clock state for a moving GNSS receiver. European Navigation Conference (ENC 2013), Vienna, Austria.
  36. Kerns, A. J., Shepard, D. P., Bhatti, J. A., & Humphreys, T. E. (2014). Unmanned aircraft capture and control via GPS spoofing. Journal of Field Robotics, 31(4), 617–636. https://doi.org/10.1002/rob.21513
  37. Kerns, A. J., Wesson, K. D., & Humphreys, T. E. (2014). A blueprint for civil GPS navigation message authentication. Proc. of the IEEE/ION Position, Location and Navigation Symposium (PLANS 2014), Monterey, CA, 262–269. https://doi.org/10.1109/PLANS.2014.6851385
  38. Khalajmehrabadi, A., Gatsis, N., Akopian, D., & Taha, A. F. (2018). Real-time rejection and mitigation of time synchronization attacks on the Global Positioning System. IEEE Transactions on Industrial Electronics, 65(8), 6425–6435. https://doi.org/10.1109/TIE.2017.2787581
  39. Kujur, B., Khanafseh, S., & Pervan, B. (2024). Optimal INS monitor for GNSS spoofer tracking error detection. NAVIGATION, 71(1). https://doi.org/10.33012/navi.629
  40. LaChapelle, D. M., Narula, L., & Humphreys, T. E. (2021). Orbital war driving: Assessing transient GPS interference from LEO. Proc. of the 34th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2021), St. Louis, MO, 3556–3568. https://doi.org/10.33012/2021.17986
  41. McKibben, A., McKnight, R., Peters, B. C., Arnett, Z., & Ugazio, S. (2023). Interference effects on a multi-GNSS receiver on-board a cubesat in LEO. Proc. of the 36th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2023), Denver, CO, 1245–1258. https://doi.org/10.33012/2023.19247
  42. Mina, T., Kanhere, A., Shetty, A., & Gao, G. (2024). GPS spoofing-resilient filtering using self contained sensors and chimera signal enhancement. NAVIGATION, 71(2). https://doi.org/10.33012/navi.636
  43. Murrian, M. J., Narula, L., Iannucci, P. A., Budzien, S., O’Hanlon, B. W., Psiaki, M. L., & Humphreys, T. E. (2021). First results from three years of GNSS interference monitoring from low Earth orbit. NAVIGATION, 68(4), 673–685. https://doi.org/10.1002/navi.449
  44. Musicki, D., Kaune, R., & Koch, W. (2010). Mobile emitter geolocation and tracking using TDOA and FDOA measurements. IEEE Transactions on Signal Processing, 58(3), 1863–1874. https://doi.org/10.1109/TSP.2009.2037075
  45. Nichols, H. A., Murrian, M. J., & Humphreys, T. E. (2022). Software-defined GNSS is ready for launch. Proc. of the 35th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2022), Denver, CO, 996–1013. https://doi.org/10.33012/2022.18313
  46. Odijk, D. (2017). Positioning model. In P. J. Teunissen & O. Montenbruck (Eds.), Springer handbook of global navigation satellite systems, 605–638. Springer International Publishing. https://doi.org/10.1007/978-3-319-42928-1
  47. O’Hanlon, B., Bhatti, J., Humphreys, T. E., & Psiaki, M. (2010). Real-time spoofing detection in a narrow-band civil GPS receiver. Proc. of the 23rd International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2010), Portland, OR, 2211–2220. https://www.ion.org/publications/abstract.cfm?articleID=9335
  48. O’Hanlon, B., Psiaki, M., Bhatti, J., & Humphreys, T. (2012). Real-time spoofing detection using correlation between two civil GPS receiver. Proc. of the 25th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, TN, 3584–3590. https://www.ion.org/publications/abstract.cfm?articleID=10533
  49. Osechas, O., Fohlmeister, F., Dautermann, T., & Felux, M. (2022). Impact of GNSS-band radio interference on operational avionics. NAVIGATION, 69(2). https://doi.org/10.33012/navi.516
  50. Pany, T., Akos, D., Arribas, J., Bhuiyan, M. Z. H., Closas, P., Dovis, F., Fernandez-Hernandez, I., Fernández-Prades, I., Gunawardena, S., Humphreys, T., Kassas, Z. M., Salcedo, J. A. L., Nicola, M., Psiaki, M. L., Rügamer, A., Song, Y.-J., & Won, J.-H. (2024). GNSS software defined radio: History, current developments, and standardization efforts. NAVIGATION, 71(1). https://doi.org/10.33012/navi.628
  51. Poor, H. V. (1994). Elements of hypothesis testing. In An introduction to signal detection and estimation (2nd ed.). Springer.
  52. Psiaki, M. L. (2021). Navigation using carrier Doppler shift from a LEO constellation: TRANSIT on steroids. NAVIGATION, 68(3), 621–641. https://doi.org/10.1002/navi.438
  53. Psiaki, M. L., & Humphreys, T. E. (2016). GNSS spoofing and detection. Proc. of the IEEE, 104(6), 1258–1270. https://doi.org/10.1109/JPROC.2016.2526658
  54. Psiaki, M. L., & Humphreys, T. E. (2020). Position, navigation, and timing technologies in the 21st century: Integrated satellite navigation, sensor systems, and civil applications. Wiley-IEEE. https://doi.org/10.1002/9781119458449.ch25
  55. Psiaki, M. L., O’Hanlon, B. W., Powell, S. P., Bhatti, J. A., Wesson, K. D., Humphreys, T. E., & Schofield, A. (2014). GNSS spoofing detection using two-antenna differential carrier phase. Proc. of the 27th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2014), Tampa, FL, 2776–2800. https://www.ion.org/publications/abstract.cfm?articleID=12530
  56. Radoš, K., Brkić, M., & Begušić, D. (2024). Recent advances on jamming and spoofing detection in GNSS. Sensors, 24(13), 4210. https://doi.org/10.3390/s24134210
  57. Scott, L. (2003). Anti-spoofing and authenticated signal architectures for civil navigation systems. Proc. of the 16th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GPS/GNSS 2003), Portland, OR, 1543–1552. https://www.ion.org/publications/abstract.cfm?articleID=5339
  58. Sidi, A., & Weiss, A. (2014). Delay and Doppler induced direct tracking by particle filter. IEEE Transactions on Aerospace and Electronic Systems, 50(1), 559–572. https://doi.org/10.1109/TAES.2013.120326
  59. Tangel, A., & FitzGerald, D. (2024, September). Electronic warfare spooks airlines, pilots and air-safety officials. https://www.wsj.com/business/airlines/electronic-warfare-spooks-airlines-pilots-and-air-safety-officials-60959bbd
  60. Tanil, C., Khanafseh, S., Joerger, M., & Pervan, B. (2018). An INS monitor to detect GNSS spoofers capable of tracking vehicle position. IEEE Transactions on Aerospace and Electronic Systems, 54(1), 131–143. https://doi.org/10.1109/TAES.2017.2739924
  61. Wesson, K. D., Gross, J. N., Humphreys, T. E., & Evans, B. L. (2018). GNSS signal authentication via power and distortion monitoring. IEEE Transactions on Aerospace and Electronic Systems, 54(2), 739–754. https://doi.org/10.1109/TAES.2017.2765258
  62. Workgroup, G. S. (2024). GPS spoofing: Final report of the GPS spoofing workgroup (tech. rep.). OPSGROUP. https://ops.group/blog/gps-spoofing-final-report