Results and Lessons Learned from the NAVITEC 2024 Resilient GNSS Challenge

Kurzfassung

I) INTRODUCTION Global Navigation Satellite Systems (GNSS) are vulnerable to multiple forms of Radio Frequency (RF) interference. These include unintentional phenomena, such as spurious emissions from faulty electronics, and intentional threats, such as jamming and spoofing events [1], which have significantly increased in the last few years. Jamming is primarily used as a deception tactic in several conflict zones, resulting in the denial of GNSS services across extensive geographical regions. Spoofing incidents have also risen notably, as documented by different GNSS stakeholders including aviation operators and geodetic monitoring systems. Jamming and spoofing can cause Denial-of-Service (DoS) or, even worse, provide misleading information with severe impacts on society, especially in Positioning, Navigation, Timing (PNT) applications. To reduce the risks associated with these threats, GNSS receiver manufacturers are introducing security features in their devices, which are now able to detect and potentially mitigate the effects of these types of interference. In this respect, the Norwegian Jammertest campaign (https://jammertest.no/) has become the largest annual GNSS resilience tests’ event enabling industry, academia, and the public sector to test GNSS resilience solutions in open-air scenarios under difference live jamming and/or spoofing conditions. In September 2024, the event lasted five days and it featured multiple jamming and spoofing test scenarios. The European Space Agency (ESA) participated in the Norwegian Jammertest 2024 and collected more than 100 terabytes of In-phase/Quadrature (IQ) samples and several hours of GNSS raw measurements from receivers of various grades. This allowed for the collection of data covering a large part of the GNSS spectrum under different jamming and spoofing conditions. Additionally, several user dynamic conditions were considered. Events such as the Jammertest aim to promote international collaboration, share best practices, and develop common solutions that can help mitigate the impact of emerging GNSS threats. In this spirit, ESA launched the "Resilient GNSS Challenge" where some of the raw measurements collected during the 2024 Norwegian Jammertest were shared openly with the research community. The challenge was organized as part of the 11th ESA Workshop on Satellite Navigation Technologies (NAVITEC), held at the European Space Research and Technology Centre (ESTEC) at the end of 2024. Participants were encouraged to collaborate, analyze the data, and propose solutions to different problems focusing on spoofing events. In the first scenario, the positioning of static user under spoofing was considered, whereas a second scenario consisted of two challenges: the accurate positioning of a spoofed dynamic user, as well as determining the angle-of-arrival (AoA) for the spoofing source. The goal of this manuscript is to describe the challenges and technical solutions identified by the teams ranked in the first three positions of the ESA’s Resilient GNSS Challenge. This work shares the experiences gained by the teams and provides a comprehensive overview of the results obtained, including limitations and recommendations for effective spoofing mitigation. Notice that in all challenges, only raw observation data based on the Receiver INdependent EXchange (RINEX) format was provided, without additional information at receiver level, such as IQ samples, and with relatively limited information as further described in this work. This manuscript is divided into three parts. First, it describes two scenarios with three associated problems, so detailing the raw GNSS data and additional information made available for each problem. Next, it explains the methodologies and results obtained when solving the three problems. Finally, a discussion on the main outcomes of the challenge is provided, thus offering recommendations for future work. II) RESILIENT GNSS CHALLENGE DESCRIPTION The first scenario consisted of a coherent position attack from a stationary spoofer using the broadcast (true) ephemerides. The idea was to test equipment and systems when exposed to false and misleading GNSS/PNT, with a main focus on positioning [2]. While the victim receiver was kept static, the spoofer simulated various drone dynamics, including both stationary and moving conditions. Data were collected using a professional multi-frequency, multi-constellation receiver. Only the GPS L1 signal was spoofed, but all the measurements were contaminated and affected by timing errors and interferences. In this scenario, it was required to compute the user location in the most accurate way possible. For this purpose, data from a reference station, located approximately nine kilometers from the affected receiver, was also made available. The second scenario involved an incoherent position and spoofing attack from a mobile spoofer. The spoofer antenna was mounted on the roof of a vehicle, which was kept static for the first ten minutes of the test. In the second part, the spoofer was moving at a speed of around 40 km/h. The spoofed position remains fixed and approximates the true starting position throughout the test. For this scenario, two problems had to be solved. In the first problem, data was collected from an antenna array made of four elements regularly spaced on a square with sides of 10 centimeters. The IQ data collected from the four antennas were processed by an advanced Software Defined Radio (SDR) receiver developed by ESA. The receiver was then used to generate raw measurements from the GPS L1 Coarse/Acquisition (C/A) signals. These observations were supplied in RINEX format to the teams, so requiring estimating the AoA of the spoofer in the local frame of the affected receiver. The second problem was based on the data collected again by a professional multi-frequency, multi-constellation receiver. Similarly to the case considered in scenario one, it was requested to estimate the true receiver position, i.e. moving after a first static period of a few minutes. During the competition, no information about the spoofed or jamming conditions was provided to the teams. For all three problems, the teams had to analyze the actual reception conditions, including identifying spoofed signals and understanding the dynamics of both spoofer and victim receivers. In this respect, the temporal behavior of the Carrier-to-Noise power spectral density ratio (C/N0) across different satellites proved to be highly effective in a preliminary determination of the receiver dynamics, for example, allowing identifying the potentially spoofed signals and frequencies. III) RESULTS & SOLUTIONS When both receiver and spoofer are kept static, the C/N0 of the different signals changes gradually and is affected only by minor fades and variations. In contrast, larger and faster variations occur under fast dynamic conditions. Based on these preliminary considerations, it was possible to determine that the affected receiver was kept static during the entire duration of scenario one. The spoofed signals generated by the same antenna cross the same communication channel when reaching the victim receiver. Thus, they are affected by the same impairments and suffer correlated power changes. In this respect, the C/N0 value can be used for spoofing detection [3]. Although this method is effective in dynamic conditions, its reliability diminishes under static conditions, e.g., when both the receivers and the spoofer consistently occupy the same location. As noted, the C/N0 time series show fewer variations in such cases. In scenario one, periodic jumps and noisy variations in the order of kilometers affected carrier-phase and pseudo-range from all frequencies, making it unfeasible to obtain a valid position solution. For scenario one, the only measurements not corrupted by spoofing were Doppler observations. It was therefore possible to identify which signals were completely spoofed. Only on GPS L1 C/A signals, Doppler components clearly indicated that the user was moving while the C/N0 time series suggested a static receiver. Therefore, GPS L1 C/A measurements were discarded, and the remaining Doppler observations – potentially not affected by the spoofing – were used to compute a Doppler-based navigation solution. The algorithm developed for Low Earth Orbit (LEO) satellites by [4] was adapted here to the specific scenario and it allowed the computation of the static position solution. For scenario two, we had two problems. In the first problem, the AoA estimation was required to identify the spoofer (azimuth) direction in the local frame of a 2x2 patch antenna array. In this case, only measurements for GPS L1 signal were provided to the teams, i.e. including code, phase, Doppler, and C/N0 data. To mitigate common mode errors across the four antennas, a single?difference model was adopted relying on carrier-phase differencing between antenna pairs. The same AoA appeared for all transmitting satellites, which indicates a sign of potentials spoofing. Given that the C/N0 data contained useful information regarding the measurement quality, it was incorporated as a weighting factor in the estimation, de facto ensuring that higher quality signals carried proportionally greater influence on the estimated AoA. This method proved to reliably detect suspicious AoA patterns, so enhancing situational awareness under such spoofing scenarios. In the last problem of the competition, relative to scenario two, the objective was again to estimate an accurate positioning for a dynamical user. The preliminary analysis of C/N0 values revealed that authentic Galileo E5aQ, E5bQ and E6C signals were most likely correctly received. On the contrary, GPS L1 C/A and Galileo E1 signals were characterized by highly correlated C/N0 values, thus resulting in the precise positioning algorithms failing to converge when utilizing these measurements. Instead, by using Galileo triple-frequency signals (E5aQ, E5bQ, and E6C), it was possible to properly determine the user position. A few different approaches were attempted, for instance using Single Point Positioning (SPP), Precise Point Positioning (PPP), and Real-Time Kinematic (RTK) solutions. The SPP solution did not meet the requirements for high-accuracy kinematic positioning. Consequently, the PPP and RTK methods were utilized, with the latter leveraging data from the nearby reference station already employed in scenario one. Instead, for the PPP solution, satellites products from the International GNSS Service (IGS) were used, whereas no integer ambiguity resolution was attempted in both strategies. The final manuscript will offer an in-depth look at the positioning solutions proposed by the teams for the ESA’s Resilient GNSS Challenge, including error time series, observation residuals, and configuration settings. IV) DISCUSSION AND CONCLUSIONS Initiatives such as the Norwegian Jammertest campaign and ESA’s Resilient GNSS Challenge are of paramount importance to create awareness among the scientific community, better understand threats such as jamming and spoofing events, along with fostering collaboration among research institutions. Their positive impact can also be amplified through the publication of open data and problem solutions, while a larger involvement of GNSS/PNT communities is surely beneficial in the definition of new methodologies, along with potential novel technologies in response to such threats expected to become more and more common in the next years. Overall, this research contribution serves to highlight, analyze, and discuss mitigation techniques developed in the context of the Resilient GNSS Challenge, thus describing all scenarios, successful and unsuccessful proposed solutions, along with providing key lessons learned during the NAVITEC 2024 competition. ACKNOWLEDGMENTS We would like to thank Xurxo Otero Villamide, Luciano Musumeci, and Cecilia Kalmeijer for their contributions to the organization of the ESA’s Resilient GNSS Challenge, as well as all other participating teams. REFERENCES [1] M.L. Psiaki, and T.E. Humphreys, "GNSS Spoofing and Detection", in Proceedings of the IEEE, vol. 104, no. 6, pp. 1258-1270, June 2016. https://doi.org/10.1109/JPROC.2016.2526658 [2] Jammertest Consortium (2024). Jammertest 2024 Test Catalogue [2024-10-14]. Accessible online at https://jammertest.no/content/files/2025/02/Testcatalog.pdf [3] V. Dehghanian, J. Nielsen, and G. Lachapelle, "GNSS Spoofing Detection Based on Receiver C/N0 Estimates", Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), Nashville, TN, September 2012, pp. 2878-2884. [4] M.L. Psiaki, "Navigation using carrier Doppler shift from a LEO constellation: TRANSIT on steroids." NAVIGATION: Journal of the Institute of Navigation, Sep 2021, 68(3) 621-641. https://doi.org/10.1002/navi.438