GPS Solutions (2024) 28:176

https://doi.org/10.1007/s10291-024-01719-2

ORIGINAL ARTICLE

An open GNSS spoofing data repository: characterization and impact

analysis with FGI‑GSRx open‑source software‑defined receiver
Saiful Islam1 · Mohammad Zahidul H. Bhuiyan1 · Muwahida Liaquat1 · Into Pääkkönen1 · Sanna Kaasalainen1

Received: 6 March 2024 / Accepted: 27 July 2024 / Published online: 12 August 2024
© The Author(s) 2024

Abstract
Spoofing is becoming a prevalent threat to the users of Global Navigation Satellite Systems (GNSS). It is important to deepen
our understanding of spoofing attacks and develop resilient techniques to effectively combat this threat. Detecting and miti-
gating these attacks requires thorough testing, typically conducted in a laboratory environment through the establishment
of a spoofing test-bed. The complexity, cost and resource demands of creating such a test-bed underscore the necessity of
utilizing openly available datasets. To address this need, this paper introduces a new GNSS spoofing data repository from
Finnish Geospatial Research Institute (FGI) named hereafter as ‘FGI-SpoofRepo’. This data repository consists of raw In-
phase and Quadrature (I/Q) data of live recordings of GPS L1 C/A, Galileo E1, GPS L5, and Galileo E5a signals. These
datasets encompass three distinct types of spoofing characteristics (synchronous, asynchronous, and meaconing), making
them very useful example candidates of open data for testing the performance of any anti-spoofing techniques (be it detec-
tion or mitigation). The inclusion of live signals in multiple GNSS frequencies and the presence of cryptographic signatures
in Galileo E1 signal make these datasets potential benchmarks for assessing the resilience performance of multi-frequency
multi-constellation receivers. The analysis of the datasets is carried out with an open-source MATLAB-based software-
defined receiver, FGI-GSRx. An updated version of FGI-GSRx, equipped with the necessary modifications for processing
and analyzing the new datasets, is released alongside the datasets. Therefore, the GNSS research community can utilize the
open-source FGI-GSRx or any third-party SDR to process the publicly available raw I/Q data for implementation, testing
and validation of any new anti-spoofing technique. The results show that time-synchronous spoofing seamlessly takes over
positioning solution, while time-asynchronous spoofing acts as noise or in some cases, completely prevent the receiver from
providing a positioning solution. Signal re-acquisition during an ongoing spoofing attack (cold start), the receiver tends to
lock onto the spoofing signal with the highest peak, posing a potential threat to GNSS receivers without assisted information.
Overall, this research aims to advance the understanding of complex spoofing attacks on GNSS signals, providing insight
into enhancing resilience in navigation systems.

Keywords GNSS · GPS · Galileo spoofing · Software-defined receiver

Introduction are intended targets or accidental victims. Understanding

various spoofing attacks and their operational impacts on
Spoofing poses an increasingly common threat to users of any receivers is vital. This understanding includes the abil-
Global Navigation and Satellite Systems (GNSS), impact- ity to identify various methods of attacks, evaluate failure
ing safety and mission-critical applications across terrestrial, patterns, grasp how a device reacts to a given threat, as well
maritime and aerial domains. As a result, unprotected GNSS as understanding of recovery procedures (Homeland 2022).
receivers and other GNSS dependent systems are becoming Addressing these challenges involves the development of
increasingly vulnerable to attack, regardless of whether they anti-spoofing techniques by the end users or more particu-
larly, receiver manufacturers.
* Saiful Islam The introduction of civilian GPS spoofing, as documented
saiful.islam@nls.fi in Humphreys et al. (2008), marked a significant shift in
the threat landscape. Unlike previous spoofing attempts
1
Department of Navigation and Positioning, Finnish that relied on initial jamming, this new approach deceives
Geospatial Research Institute, FGI-NLS, Espoo, Finland

Vol.:(0123456789)
176 Page 2 of 18 GPS Solutions (2024) 28:176

target receivers at the tracking stage without significantly complex test-bed typically requires significant budget, spe-
compromising the tracking characteristics (i.e., in terms of cialized software and hardware, expert professionals and
variation in phase or code tracking loops). Following this, time. Furthermore, achieving a code and carrier phase-
the landscape for commercial GNSS users underwent a nota- aligned coherent spoofing attack is extremely difficult and
ble change with the emergence of affordable GPS spoof- often requires repeated attempts.
ers, as discussed in Lin and Qing (2015). The affordability Therefore, a set of well-known open datasets emerges as a
of basic spoofing afterwards led to an upsurge in spoofing pragmatic solution to save money and time and to ease com-
incidents (EUSPA 2023b; GPSWorld 2023). In response to plexity. The Texas Spoofing Test Battery (TEXBAT) is one
these growing threats, research on spoofing detection and such dataset introduced by the University of Texas (Hum-
mitigation techniques has been ongoing since the introduc- phreys et al. 2012). For many years, researchers and profes-
tion of civilian GPS spoofers (Montgomery et al. 2009; sionals have been driven to the TEXBAT datasets to assess
Cavaleri et al. 2010; Broumandan et al. 2015; Magiera and the spoofing vulnerability of GPS receivers. Various statis-
Katulski 2015; Orouji and Mosavi 2021; Shang et al. 2022). tical spoofing detection and mitigation techniques are pro-
A comprehensive exploration of various spoofing genera- posed by using TEXBAT datasets including (Gamba et al.
tion techniques, receiver vulnerabilities on spoofing, and 2017; Kuusniemi et al. 2017; Khan et al. 2020). The Oak
approaches for detection and mitigation are presented in Ridge Spoofing and Interference Test Battery (OAKBAT)
Jafarnia-Jahromi et al. (2012), including example spoofing was introduced following the framework of the TEXBAT
scenarios for real-world receiver testing. datasets (Albright et al. 2020). OAKBAT datasets contain
The spoofing detection can be preliminary categorized GPS L1 C/A and Galileo E1 signals while TEXBAT datasets
into four groups: signal power monitoring, multi-correla- contain only GPS L1 C/A signals. These datasets and studies
tor tracking (Jafarnia-Jahromi et al. 2012; Guo et al. 2018; have primarily focused on legacy GNSS signals and have
Turner et al. 2020), signal quality monitoring (Phelts 2001), demonstrated various approaches to identify and mitigate
and cryptographic signature validation (Anderson et al. spoofing. The current state of the art however reveals sev-
2017; Motella et al. 2021). Numerous other approaches have eral limitations, most existing spoofing datasets are limited
been proposed, such as spatial processing, time of arrival in scope, often focusing on simple spoofing scenarios and
discriminator, consistency checks with other navigation sys- lacking representation of modernized GNSS signals. Addi-
tems, code and phase rate consistency check, and received tionally, the available software tools for processing GNSS
ephemeris consistency check, among others. signals are limited, do not fully support the multi frequency
As the way of spoofing attacks and their characteristics diversity in the event of single frequency or constellation
continuously evolve alongside the modernization of GNSS spoofing. It is also crucial to test the spoofing vulnerability
signals, continuous research is vital for the development of of other GNSS signals from lower L-band such as GPS L5
effective detection and mitigation techniques. For instance, and Galileo E5a. Both datasets, on the other hand, are lack-
monitoring correlation peaks is one such technique, as mul- ing lower L-band signals. The authenticity testing of GNSS
tipath and spoofing both distort the peaks in the composite navigation messages is another key part of any resilient navi-
signal. If the code and carrier phase of the spoofing signal gation system. Galileo Open Service Navigation Message
closely align with the authentic signal, the correlation peak Authentication (OSNMA) is an authentication technique
monitoring based technique may erroneously detect the allowing a receiver to verify that the navigation message is
spoofing signal as multipath (Magiera and Katulski 2015). coming from a trusted source and has not been modified in
Therefore, thorough evaluation and testing of each spoofing the way (ESA 2021). Galileo OSNMA data bits, broadcast
detection or mitigation technique is essential to address the on the E1-B data channel since late 2020, are absent from
evolving and growing nature of spoofing threats. existing datasets, highlighting a key gap in the current land-
Evaluating the effectiveness of these techniques requires scape. Our research aims to fill these gaps by creating a com-
commonly used datasets resembling real-world situations. pletely new set of digitized GNSS In-phase and Quadrature
This is often accomplished by establishing a spoofing test- (I/Q) data that includes both legacy and modernized signals
bed consisting of one or more software/hardware simulator in sophisticated and realistic spoofing scenarios.
and other complex setups. One such test-bed is essential This paper is inspired by the authors’ recent work (Islam
for performing various vulnerability assessments, providing et al. 2023) where details of spoofing signal generation under
fine-grained control over crucial parameters. These tests aim a simulated environment and their impact on the different-
to evaluate the resilience of Position Navigation and Timing grade GNSS receivers are presented. Motivated by the limi-
(PNT) systems by determining how GNSS receivers react to tations of previously available datasets and the importance
potential spoofing attacks, applying mitigation techniques, of assessing modernized GNSS signals and contemporary
re-testing the improved system and adjusting parameters as spoofing events, this paper introduces a new GNSS spoofing
needed (Perdue et al. 2016). However, establishing such a data repository from Finnish Geospatal Research Institute
GPS Solutions (2024) 28:176 Page 3 of 18 176

Fig. 1  Experimental setup dia-

gram of spoofing test-bed

(FGI) named as ’FGI-SpoofRepo’. This repository consist of both legacy and modernized signals in sophisticated spoof-
a set of raw I/Q data with live GNSS signals. GNSS spoof- ing scenarios. Adding real-world multi-frequency, multi-
ing attacks can be carried out in many ways depending on constellation signals, inherently including cryptographic
the expertise of the spoofers and available resources. FGI- signatures in the Galileo E1 signal and updated version of
SpoofRepo comprise a set of four digitized recordings of the software receiver has further empowered the novelty. By
live static datasets of GPS L1 C/A, Galileo E1, GPS L5 and utilizing these advancements in new datasets and software,
Galileo E5a signals. The new datasets contain three types researchers can develop and verify new techniques to detect
of spoofing scenarios: Targeted Spoofing (time and position and counteract GNSS spoofing, ultimately strengthening
synchronous), Untargeted Spoofing (time and or position the resilience and reliability of GNSS-based systems. The
asynchronous), and Meaconing (re-radiator). These datasets remainder of the paper progresses as follows. The experi-
integrate real-world live signals with simulated spoofing sig- mental setup reveals the spoofing generation procedure and
nals, admitting the inherent challenges of spoofing the live an overview of the used equipment. Following that, the
signal in a controlled environment. The real-world nature spoofing scenario definition section details the spoofing sce-
of the datasets incorporates environmental effects and cryp- narios and their characteristics. Afterwards, the data analysis
tographic signatures, such as OSNMA, portraying them as section thoroughly assesses the characteristics of each sce-
very good example candidates of open data for testing per- nario by the FGI-GSRx software receiver. Finally, the paper
formance of spoofing detection and mitigation techniques summarizes the results and outlines potential directions for
with multi-frequency multi-constellation receivers. future research activities.
This paper provides a thorough overview of the spoofing
dataset generation, accompanied by an in-depth analysis of
each dataset. Processing of the datasets has been carried out Experimental setup
by an open-source software-defined receiver named ’FGI-
GSRx’, released as open-source in 2022 (Kai et al. 2022). An This section encompasses several key components, each
updated open-source version of FGI-GSRx is released along contributing to the comprehensive datasets preparation pro-
with the datasets and software features including necessary cess. These components include a Software-Defined GNSS
modifications for processing and analyzing the new datasets. simulator, an external reference clock for precise timing, a
The novel contribution of this paper lies in the generation of receiving antenna for live signal reception, an amplifier to
a completely new set of digitized GNSS I/Q data involving compensate cable losses, an RF front-end for capturing I/Q
176 Page 4 of 18 GPS Solutions (2024) 28:176

data, and an open-source software-defined receiver for in- and Galileo satellites. When a RINEX file is imported,
depth analysis. The composition of these equipment ensures it overrides the existing information on orbits, perturba-
a controlled environment for the experiments. The experi- tions, clock, group delay, and health status. The broadcast
mental setup of spoofing datasets generation is presented ephemeris data in RINEX format can be sourced from
in Fig. 1. NASA’s Crustal Dynamics Data Information System
(CDDIS)(Noll 2010).
• Spoofing Signal Generation All the spoofing signals   The simulation time is carefully synchronized with
in the datasets are generated using the Safran Skydel GPS time for targeted time synchronous scenarios, which
software-defined GNSS simulator (Safran 2023) in con- is obtained from a reference GNSS timing receiver. The
junction with external hardware. Skydel is an advanced timing receiver generates a 1 Pulse Per Second (1 PPS)
GNSS signal simulator known for its customizability and signal and a 10 MHz reference signal to the Universal
scalability, with integrated interference generation capa- Software Radio Peripheral (USRP) X310. This effec-
bilities across multiple frequencies and constellations. tively ensures that the USRP maintains timing synchro-
Most simulation parameters are controllable on the fly nization with the reference receiver.
while the simulation is running, a feature of particular   The connectivity between Skydel and the USRP is
relevance in the context of jamming and spoofing experi- facilitated through a high-speed 10 Gigabit Ethernet link,
ments. ensuring real-time data transmission. Within the USRP,
  It is crucial to initialize the simulator with the most the I/Q data is up-converted into an RF signal, operating
up-to-date broadcast GNSS ephemeris data for an accu- at a rate of 60 MS/s (mega samples per seconds) with
rate spoofing signal generation. Using outdated ephem- both the L1/E1 and L5/E5a frequency. Subsequently, the
eris information may result in unsuccessful spoofing RF signal is then combined with an authentic live-sky
attempt. Within the simulator, there is a provision to GNSS signal using a signal-mixer.
import Receiver Independent Exchange (RINEX) com- • External Clock Septentrio’s PolaRX5T is utilized as an
patible files, which are used to update the orbits of GPS external reference clock to discipline the USRP X310.
The PolaRx5TR is designed to achieve precise time syn-
chronization in applications involving time and frequency
Table 1  RF recording configuration of the NSL Stereo dual-band transfer. In such applications, the device receives a 10
GNSS front-end MHz reference signal and a 1 PPS signal from an exter-
Parameters Frequency bands Frequency bands nal clock source, which, in our case, is the PolaRX5T.
(L1/E1) (L5/E5a) • Receiver Antenna A reference antenna is used to fetch
Center frequency (MHz) 1569.03 1176.45
live GNSS signals. The same antenna is also used to con-
Sampling rate (MHz) 26 26
nect a reference receiver that provides a clock source
Data type Real Complex
to USRP. The live signal is obtained using Septentrio’s
Sample bit width 8 bit (I) 8 bit + 8 bit (I + Q)
PolaNt Choke Ring antenna, which is a high-precision
Bandwidth (MHz) 4.2 10.09
antenna that supports various GNSS signals (Septrentio
2023).

Fig. 2  Setup used for replaying and re-recording FGI-SpoofRepo dataset

GPS Solutions (2024) 28:176 Page 5 of 18 176

• Amplifier-Splitter A Low Noise Amplifier (LNA) plays Table 3  Summary of spoofing data repository
a crucial role in signal amplification and compensating Folder name File name Size (KB) Duration (s)
for cable losses between the rooftop antenna and the
receiver port. An Amplified Loaded DC Blocked Splitter Targeted_SFMC TGS_L1_E1.dat 9878528 373
(ALDCBS1X4) is employed featuring one active input TGS_L5_E5a.dat 19757056 373
and four RF outputs. In the context of data collection, one Targeted_DFMC TGD_L1_E1.dat 9728448 373
of the output port is connected to a reference receiver, TGD_L5_E5a.dat 19456896 373
denoted as the PolarRx5TR. An additional output port Untargeted_DFMC UTD_L1_E1.dat 9595136 377
from the amplifier is connected to a mixer. This mixer is UTD_L5_E5a.dat 19190272 377
responsible for combining spoofing signals with authen- Meaconing_DFMC MCD_L1_E1.dat 12216512 478
tic live-sky GNSS signals. MCD_L5_E5a.dat 24433024 478
• FGI-GSRx Multi-Frequency, Multi-Constellation
Receiver The FGI-GSRx is a MATLAB-based Software-
Defined Receiver (SDR) developed by the Finnish Geo- • RF Recording Device The raw I/Q data samples are
spatial Research Institute (FGI). The software receiver captured using the stereo dual-band GNSS front-end
plays a vital role in many national and international pro- developed by Nottingham Scientific Limited (NSL).
jects, serving as a key tool for testing and validating inno- The front-end comprises two distinct Radio Frequency
vative receiver processing algorithms (Söderholm et al. (RF) chains: the MAX2769B, responsible for covering
2016; Kai et al. 2022; Pany et al. 2024). In recent times, the upper L-band, also known as the L1 chain, and the
the GNSS community has been granted access to the MAX2112, which encompasses both upper and lower
FGI-GSRx as an open-source software under the General L-bands, collectively referred to as the L-band chain. The
Public License (FGI-NLS 2022). The architecture of this Local Oscillator (LO) associated with the L1 chain is
software allows the development and testing of new algo- tunable within the frequency range of 1550 MHz to 1610
rithms at any stage within the receiver processing chain, MHz, allowing for precise adjustment to GNSS signals
with minimal modifications to the original structure. within this spectrum. Similarly, the LO for the L-band
  The current open-source version of FGI-GSRx can chain can be adjusted within the range of 900 MHz to
process GPS L1 C/A, Galileo E1, BeiDou B1, GLO- 2400 MHz, enabling the capture of any signals within the
NASS G1, and NavIC L5 signals. However, all the data- L-band. The configuration detailed in Table 1 is used for
sets in this manuscript also contain GPS L5 and Galileo capturing the raw I/Q data.
E5a signals. FGI has not yet made the GPS L5 and Gali- • Dataset Replay Validation Setup The recording setup
leo E5a signals based receiver implementation open to was validated by transmitting and recording again a
the public. Therefore, the authors utilize two separate scenario using USRP X310 and NSL Stereo front-end.
versions of FGI-GSRx for processing the datasets: i) The Usable sample rates for the USRP were calculated by
open-source FGI-GSRx, and ii) The in-house FGI-GSRx. dividing the device’s 200 MHz master clock rate with an
The users of FGI-GSRx open-source version will be able integer. The dataset had to therefore re-sampled from 26
to reproduce the results with the shared datasets for GPS MHz to 25 MHz which was done during pre-processing
L1 and Galileo E1 signals. The users will need to utilize using Scipy’s Signal package. The L1 band signals were
any other third party open-source SDR tool, for example, also down-converted from IF (Intermediate Frequency)
GNSS-SDR (Pany et al. 2024) in order to process GPS 1575.42 − 1569.03 = 6.39 MHz to baseband. The devel-
L5 and Galileo E5a datasets. However, the processing oped Python script is also made available alongside the
results for GPS L5 and Galileo E5a signals are anyway datasets allowing the users to replay the datasets for their
presented here with the in-house FGI-GSRx. own test and validation.

Table 2  Summary of spoofing Name Initial Initial Position switch Time shift Latest Spoofing signal(s)
scenarios position time ephemeris
Synch synch injected

Targeted SFMC Yes Yes Dynamic No Yes L1, E1

Targeted DFMC Yes Yes Dynamic No Yes L1, E1, L5, E5a
Untargeted DFMC No No Static Advance N/A L1, E1, L5, E5a
Meaconing DFMC No No Static Delay N/A L1, E1, L5, E5a
176 Page 6 of 18 GPS Solutions (2024) 28:176

Fig. 3  Skyplots of Targeted

SFMC scenario

Fig. 4  Skyplots of Targeted

DFMC scenario

  GNU Radio companion was used to program the Spoofing scenario definition
USRP to transmit the re-sampled FGI-SpoofRepo data-
set. 60 dB attenuation was used between the USRP and The true receiver is stationary in all four scenarios. It’s posi-
the Stereo front-end to approximately match the trans- tion estimated by a geodetic-grade receiver is 60.182◦ N,
mitted RF power to live-sky. The recorded dataset was 24.828◦ E with an altitude of 47.248 m. The true receiver is
processed in FGI-GSRx using the same configurations connected with a rooftop antenna at the Otaniemi premises
as was used with the original dataset. A constant fre- of the Finnish Geospatial Research Institute (FGI). As the
quency offset of around 1.2 kHz was observed between recordings are made on live signals, the starting date and
the original and replayed-recorded dataset, but this effect time are always unique for each dataset. The initial 130 s
was compensated automatically by the acquisition mod- across all datasets are free from intentional interference,
ule and the carrier tracking loop of FGI-GSRx. making a clean baseline before the injection of the spoofing
  The setup used for the replay validation is illustrated signals. It is worth noting that all live skyplots are gener-
in Fig. 2. The re-recorded FGI-SpoofRepo dataset was ated based on information from the navigation engine of
processed in FGI-GSRx to verify that the replayed and FGI-GSRx, with only those satellites utilized in the final
then re-recorded file could be useful without a significant Position, Velocity, and Timing (PVT) computation. On the
drop in signal-tracking performance. A similar valida- other hand, skyplots for the spoofing signals are generated
tion process was also attempted using a USRP X310 using log information provided by the simulator. The uni-
and commercial receivers i.e; u-blox M8T and F9P. The form replication of satellites, along with their corresponding
u-blox receivers (M8T) were able to receive both L1 C/A elevation and azimuth concerning live signals, holds signifi-
and E1 signals but not the L5 and E5a as the receivers do cant importance, particularly in scenarios involving targeted
not support the use of L5-only solution. or synchronous spoofing attacks.
GPS Solutions (2024) 28:176 Page 7 of 18 176

Fig. 5  Skyplots of Untargeted

DFMC scenario

Fig. 6  Skyplots of Meaconing

DFMC scenario

Table 2 offers a detailed insight into the spoofing datasets each of which represents a different scenario. By accessing
and the associated techniques used to generate those data- the folders, users will have access to two files that are spe-
sets. The Targeted Single-Frequency Multi-Constellation cific to each signal. The table also includes the approximate
(SFMC) scenario is generated by synchronizing the initial size and duration of each file. It is to be noted that the dura-
time and position with the true receiver, along with the injec- tion provided in the table is truncated, and the actual files
tion of the latest available ephemeris. The intended spoofed may contain a couple of seconds of extra data.
location follows a circular trajectory. A similar process is
followed for the Targeted Dual-Frequency Multi-Constel- • Targeted SFMC
lation (DFMC) scenario. On the contrary, both Untargeted   Both GPS L1 and Galileo E1 signals are spoofed in
DFMC and Meaconing DFMC scenarios do not maintain this scenario. The other RF chain comprising GPS L5
initial time and position synchronization with the true sig- and Galileo E5a signals are not spoofed throughout the
nal. In both scenarios, the intended spoof location remains test. This test is intended to assess the potential fallback
static. However, in the Untargeted case, the spoofed time is behaviour of modern GNSS receivers equipped with mul-
advanced by hours, while in Meaconing, the spoofed time tiple frequencies and constellations. The simulated spoof-
is delayed by minutes. Above all, the injection of the latest ing signals are generated using the most recent ephemeris
ephemeris is not applicable in both Untargeted and Meacon- data available from NASA’s CDDIS. The recordings are
ing cases. made on 2023-10-03 at 14:19:00 UTC over a 370 s dura-
A summary of the spoofing dataset repository is pre- tion. Figure 3 illustrates the skyplot for both spoofing
sented in Table 3. The repository contains several folders, and live signals on 2023-10-03 at 14:19:06 UTC. Eleven
176 Page 8 of 18 GPS Solutions (2024) 28:176

Fig. 7  Tracking of a GPS L1

satellite

Fig. 8  C∕N0 of Targeted SFMC

scenario

have been temporarily excluded from active service, as

documented in (EUSPA 2023a), which explains their dis-
appearance from the live signal skyplot. Additionally,
Galileo PRN 13 failed to meet the signal power thresh-
old, consequently absent from the skyplot.
• Targeted DFMC
  This scenario shares similar characteristics with the
previous dataset with the main distinction being the
inclusion of GPS L5 and Galileo E5a signals alongside
GPS L1 and Galileo E1 signals in the spoofing. The
recordings are made on 2023-10-20 at 13:20:02 UTC
over a 370 s duration.
 Figure 4 illustrates the skyplot for both spoofing and
live signals on 2023-10-20 at 13:20:13 UTC. In this
scenario, similar to the previous one, eleven GPS satel-
Fig. 9  Position estimated by the device under test lites are simulated. However, the live signal exhibits an
additional satellite, PRN 15 near the 10-degree cut-off
threshold. The spoofing signal is missing the same satel-
GPS satellites are simulated to match with live constel- lite, as the signal generation has a cut-off threshold of 10
lations. As for Galileo, the spoofing simulation replicates degrees. As for Galileo, nine satellites are simulated, yet
the live signal based on the ephemeris available during the receiver acquire eight satellites from the live signal.
the recording. Notably, Galileo system’s PRN 14 and 18
GPS Solutions (2024) 28:176 Page 9 of 18 176

Fig. 10  Position deviation with

respect to true location

Fig. 11  Multi-correlator monitoring of GPS L1 signal’s PRN 7 to demonstrate the impact of spoofing on the receiver tracking

• Untargeted DFMC clean recordings, marking an exception in comparison

  This scenario differs significantly from the previous to other datasets. There is a lack of synchronization
targeted scenarios, forming an untargeted attack charac- in time, but it includes all the characteristics of live
terized by asynchronous positioning and timing of the sky signals. The signals that are spoofed in this sce-
spoofer with respect to the true location. In this case, the nario belong to GPS L1, L5, and Galileo E1, E5a. The
spoofer’s intended position is simulated to be static at a recordings are made on 2023-11-16 at 15:04:36 UTC.
distance of approximately 15 km from the actual loca- The dataset lasts around 478 s which is longer than
tion, with the spoofing time advanced by around 10 h. other datasets. This prolonged duration renders it use-
Recordings for this scenario are conducted on 2023- ful for applications that require extended initialization
11-10 at 14:05:00 UTC, extending over a 377-second periods, such as cryptographic signature validation.
duration. The chosen target location for the spoofer is Figure 6 illustrates the skyplots for both spoofed and
60.16675899◦ N, 24.56664248◦ E, with an altitude of live signals on 2023-11-16 at 15:04:42.
2.00 m, and the spoofing start time is simulated on 2023-
11-10 23:55:00 UTC.
 Figure 5 illustrates both the spoofing and live signals
at specific epochs. Given the untargeted nature of this
attack, the spatial distribution of live and simulated satel- Data analysis
lites does not aligned. The receiver is expected to view
a new set of satellite constellations because of the con- This section provides a detailed analysis of each dataset,
siderable distance and the temporal divergence of nearly focusing on how it affects the receiver’s signal tracking
10 h. and positioning performance. The open-source and in-
• Meaconing DFMC house version of FGI-GSRx is utilized to perform the
  The LabSat 3 Wideband record and replay device analysis. The open-source version is used to process the
(LabSat 2023) is used in the meaconing test. The sce- GPS L1 and Galileo E1 signals, whereas the in-house ver-
nario is recorded outside of the FGI premises, about sion is used to process the GPS L5 and Galileo E5a sig-
60 m away from the rooftop antenna. After the record- nals. In all scenarios, the position solution is computed
ing, the replayed signal is introduced alongside the using a 5-degree elevation mask and a 30 dB-Hz Carrier-
live signal with an approximately 15-minute delay. to-Noise Density ( C∕N0 ) threshold. In each scenario,
The re-transmitted signal is introduced after 155 s of there is a 1–5 s window of flexibility due to the manual
176 Page 10 of 18 GPS Solutions (2024) 28:176

Fig. 12  C∕N0 of Targeted

DFMC scenario

• Targeted SFMC Figure 7 illustrates the tracking results

of PRN 03 of GPS L1 signal. The figure indicates
smooth takeover of the receiver tracking loop by the
spoofer. Following the injection of the spoofing signal at
approximately 131 s, no loss of lock is observed. How-
ever, significant jumps in the amplitude of both the real
and imaginary components of the prompt correlator are
observed since both noise and signal power increase. The
estimated Doppler exhibited the expected behaviour, and
the Phase-Locked Loop (PLL) and Frequency-Locked
Loop (FLL) maintained consistent lock throughout the
duration. Although there are clear changes in FLL and
PLL and the corresponding Doppler, these are well
within the anticipated range.
  The analysis of targeted spoofing attack is further
supported by the results presented in Fig. 8a, b. Both
Fig. 13  Position estimated by the device under test GPS and Galileo PRN experienced harmonious jumps in
their C∕N0 values, averaging 5 dB-Hz. The intended loca-
tion of the spoofing signal is also distinctly portrayed in
execution of the spoofing attack. Moreover, a brief period Figs. 9 and 10. A circle with a 70-m diameter represents
is required for the synchronization between signal genera- the spoofer’s intended location. Figure 10 depicts devia-
tion by Skydel simulator and the streaming of RF signals tion of East, North and Up components with respect to
by the USRP. It is important to note that the impacts of a ground truth.
spoofing signal may not be immediately noticeable in the
analysis upon injection due to the delay mentioned above.
GPS Solutions (2024) 28:176 Page 11 of 18 176

Fig. 14  Position deviation with

respect to time

Fig. 15  Tracking result of GPS

L1 signal’s PRN 15

– Time synchronous spoofing with multi-correlator • Targeted DFMC

monitoring   In this scenario targeted spoofing is applied to GPS
  Multi-correlator monitoring is used to further L5 and Galileo E5a signals in addition to L1 and E1.
assess the alignment of the spoofing signal with the Figure 12a, b depict the seamless take over of both GPS
authentic signal. In this process, 41 complex cor- L1 and Galileo E1 signals that evident in their C∕N0
relators are utilized with a code delay window of values. GPS L5 (PRN 8 and 9) and Galileo E5a (PRN
± 2 chips and a 0.1 chips correlator spacing. Fig- 8, 13, and 24) satellites, on the other hand, exhibited a
ure 11 illustrates the normalized correlation func- minor delay before locking onto the spoofing signal as
tion at various stages of tracking of GPS PRN 7. seen in Fig. 12c, d. The inherited characteristics of GPS
Before the capture at around 136100th millisecond L5 and Galileo E5a, which is designed to provide better
(ms), the shape of the correlator output resembles resilience against interferences, can be attributable to this
a triangle that overlaps with the expected theoreti- delay. These characteristics include longer codes, better
cally-generated triangle centered at zero. During the modulations, and higher chipping rates.
pull-off stage, for example at 136800th ms depicted   The positioning performance of GPS L1 and Galileo
in Fig. 11b, the spoofing signal coexists with the E1 as illustrated in Figs. 13 and 14, is similar to the
authentic signal introducing a 0.1 chips delay. Fig- previous scenario since both scenarios are characterized
ure 11c then shows an instance at around 137700th by a targeted spoofing attack.
ms, indicating successful locking onto the spoof- • Untargeted DFMC
ing signal. It is noteworthy that this entire process  Figure 15 illustrates the tracking result of GPS L1 sig-
unfolds rapidly, completing almost within a few nal’s PRN 15. After the injection of spoofing signal, the
seconds. The tight time synchronization between the noise takes over, effectively appearing as jamming for
spoofing signal and the authentic signal presents a the receiver for the rest of the duration. Two primary
substantial challenge for the receiver to successfully reasons contributed to this incident. Firstly, the receiver
detect an ongoing spoofing (Hegarty et al. 2019). is already at the fine-tracking stage, and secondly, the
176 Page 12 of 18 GPS Solutions (2024) 28:176

Fig. 16  C∕N0 of Untargeted

DFMC scenario

authentic signal, the spoofing signal does not attract the

receiver. Instead, due to this misalignment, the spoofing
signal appears as noise for the receiver. As described
in the previous section, the intended spoofed location is
simulated 15 kms away from the actual location and 10 h
ahead of the actual time, making it asynchronous in both
time and position. This particular scenario is designed to
reflect a situation where the spoofer possesses no prior
information about the target receiver.
  If a receiver attempts to re-acquire a signal during an
ongoing spoofing attack, it is likely to acquire the sig-
nal with the highest peak unless it has access to other
assisted information. FGI-GSRx on the other hand is
Fig. 17  Position estimated by the device under test a post-processing receiver, and it does not attempt re-
acquisition within the same dataset. Further discussion
on this situation is provided in the meaconing section.
spoofing signal is not aligned within the fraction of a The impact of the asynchronous attack is illustrated in
code chip. Fig. 16. Following the injection of the spoofing signal,
  Once the receiver enters the tracking stage, it has the estimated C∕N0 of all satellites exhibit a sharp decline
already locked onto the authentic signal, given the for all the analyzed GPS and Galileo signals.
assumption that spoofing occurs after a specific initiali-  Figures 17 and 18 demonstrate that the receiver is not
zation period. Unlike the acquisition stage, the receiver spoofed to the intended location, but a denial of service
would not perform any exhaustive search at the track- appears after the injection of the spoofing signal. The
ing stage. If the carrier frequency and code phase of the navigation solution is computed based on the predefined
spoofing signal are not closely aligned or are far from the criteria described earlier that incorporate elevation and
GPS Solutions (2024) 28:176 Page 13 of 18 176

Fig. 18  Position deviation with

respect to true position

Fig. 19  Tracking loop of Gali-

leo PRN 2

C∕N0 thresholds. Following the injection of the spoofing   The tracking loop performance of a Galileo E5a sat-
signal, the initially set thresholds no longer meets the ellite is illustrated in Fig. 19. After the injection of the
criteria, thereby preventing the receiver from offering any meaconing signal, a slight degradation in signal power
PVT solution. becomes visible. Despite this, the Doppler, Frequency-
  In summary, the FGI-GSRx successfully resisted Locked Loop (FLL), and Phase-Locked Loop (PLL)
spoofing attempts. It is also pertinent to mention here that maintained their locks.
although these non-coherent attacks result in an unsuc-   The effect of meaconing attack may not be uniform
cessful spoofing attempt, they can still pose a threat by across all GNSS receivers; those with re-acquisition
mimicking jamming. This is inline with the other inten- capabilities may respond differently compared to receiv-
tion of the spoofer otherwise referred to as denial of ser- ers like FGI-GSRx. For instance, when re-transmission
vice. occurs with significantly high power, it can introduce
• Meaconing DFMC additional noise and eventually saturate the receivers.
  Re-transmission of authentic signals often represents Afterwards, the affected receiver might attempt a re-
an asynchronous attack, wherein, in the worst-case sce- acquisition, potentially locking onto the spoofing signal.
nario, there might be a complete misalignment in posi- This phenomenon is of particular interest for observation
tion and time. The code and carrier mismatch in the with Commercial off-the-shelf (COTS) receivers (Islam
meaconing signal, resulting in a noise signal that essen- et al. 2023).
tially appears as a jamming signal. The impact of this  Figures 21 and 22 shows the positioning performance
phenomenon can be observed in Fig. 20a–d, where the of FGI-GSRx during the meaconing attack. Contrary to
injection of meaconing leads to a drop in C∕N0 values for expectations, the receiver did not lock onto the spoofing
all satellites. signal, indicating that it remained unspoofed.
176 Page 14 of 18 GPS Solutions (2024) 28:176

Fig. 20  C∕N0 of Meaconing

DFMC scenario

Fig. 23  Code-Doppler search result at 165th second by FGI-GSRx

Fig. 21  Position estimated by the device under test acquisition block

 – Cold start during ongoing spoofing

event
  The conventional assumption is that a receiver
is operational before a spoofer injects the spoofing
signals. However, what if the receiver starts opera-
tion during an ongoing spoofing event? An analy-
sis is conducted using the meaconing scenario to
explore this hypothesis. The receiver is switched-
Fig. 22  Position deviation with respect to time on in cold-start mode and it begins the acquisition
GPS Solutions (2024) 28:176 Page 15 of 18 176

Table 4  Summary of Scenario Signal subdivision Duration (s) 𝜀3D 𝜀H 𝜎H 𝜀V 𝜎V

positioning performance
TG SFMC L1+E1 370 55.58 51.95 32.68 19.76 5.57
L5+E5a 370 6.93 4.23 0.24 5.49 0.45
L1+E1+L5+E5a 370 34.46 32.15 19.52 12.34 7.2
TG DFMC L1+E1 370 56.69 53.07 33.40 19.93 2.00
L5+E5a 370 55.84 55.17 31.69 8.64 5.38
L1+E1+L5+E5a 370 56.05 55.84 32.43 4.85 2.14
UT DFMC L1+E1 370 2.86 1.92 0.93 2.11 1.12
L5+E5a 370 8.49 2.24 0.13 8.19 0.35
L1+E1+L5+E5a 370 4.79 2.38 0.46 4.15 1.05
Meconing DFMC L1+E1 470 4.83 2.93 0.96 3.84 2.64
L5+E5a 470 4.23 1.32 0.32 4.01 0.45
L1+E1+L5+E5a 470 2.58 1.50 0.50 2.09 0.89

• Summary Results
 Table 4 provides a comprehensive overview of the
positioning solution acquired across various scenarios
and signal combinations by using both open-source and
in-house versions of FGI-GSRx. In this table, symbols
𝜀3D , 𝜀H , and 𝜀V represent 3-Dimensional Root-Mean-
Square (RMS), horizontal RMS, and vertical RMS in
meters respectively, while 𝜎H and 𝜎V denote horizontal
and vertical standard deviation in meters. In the Tar-
Fig. 24  Average C∕N0 difference between a replayed-recorded and geted SFMC scenario, GPS L5 and Galileo E5a signals
the originally recorded targeted DFMC data are not simulated to be spoofed. Therefore, the L1+E1
solution is seen to be much deviated compared to the
L5+E5a solution. It is vital to analyze the positioning
process at around 165th second, when both authentic performance under the combination of signals includ-
and spoofing signals are present. Under such a situ- ing both spoofing and unspoofing ones. Processing all
ation, a receiver is likely to pick up the signal with signals together yields superior results compared to pro-
the highest peak, unless any other assisted informa- cessing only spoofing signals, as evident in the Targeted
tion is available. Figure 23 illustrates the acquisition SFMC scenario. In the Targeted DFMC scenario, all four
search space for the PRN 15 of the GPS L1 signal. signals are spoofed, and the estimated positioning solu-
As both authentic and spoofing signals coexist dur- tion by FGI-GSRx reflects the spoofer’s intended loca-
ing the acquisition, the receiver picks up the spoofing tion in all the three combinations. For the Untargeted
signal with the highest peak. This susceptibility is DFMC and Meaconing DFMC scenarios, FGI-GSRx
particularly significant in untargeted and meacon- remains unspoofed across all combinations. However, in
ing attacks given their untargeted nature, assuming the Untargeted DFMC scenario, a denial of service is
a substantial offset in the code phase between the observed after 120 s due to the impact of the spoofing
spoofing and the authentic signals (Li et al. 2020). signal on the receiver that appeared as jamming for the
  Although, as illustrated in Fig. 20a–d, the receiver receiver. With a C∕N0 threshold of 30 dB-Hz, there are
is not spoofed during the tracking stage, acquisition not enough satellite measurements available for position
or re-acquisition during ongoing spoofing events computation. Consequently, it can be said that in case of
may expose the GNSS receiver to potential threats Untargeted DFMC, the receiver is not compromised to
from meaconing and untargeted attacks. Therefore, the spoofer’s desired location, but it indeed experiences
the identification of multi-peaks during the acquisi- the denial of offering positioning service right after the
tion stage (Humphreys et al. 2008) is vital, especially injection of spoofing signal.
when the receiver lacks additional assisted informa- • Validation Results for Replayed I/Q data
tion.  Figure 24 shows average observed loss in tracking
C∕N0 for a replayed-recorded targeted DFMC scenario.
The I/Q data was recorded using the setup defined in
176 Page 16 of 18 GPS Solutions (2024) 28:176

Sect. 2. The Galileo E5a signal showed a loss of around SK; Funding acquisition: ZB, SK; Resources: SI, ZB, ML, IP, SK;
1.5 dB-Hz compared to the original DFMC dataset, while Supervision: ZB. All authors commented on previous versions of the
manuscript.
no significant loss in C∕N0 was observed for Galileo E1.
The observed loss can be caused by a few reasons like Funding Open Access funding provided by National Land Survey of
added thermal noise and clock jitter from the process of Finland. This work has been supported by the Academy of Finland’s
transmitting and receiving the signal, or other inaccura- special funding for research into crisis preparedness and security of
supply (project REASON - Resilience and Security of Geospatial
cies in reproducing the digitized baseband signal back to Data for Critical Infrastructures) and the National Emergency Supply
RF. Different outcomes could be observed if parameters, Agency of Finland programme Digital Security 2030.
like signal bandwidth and sample rate, or different trans-
mitter and GNSS front-end were used. Availability of data and materials The four datasets, including the
updated version of the FGI-GSRx and auxiliary scripts for potential
replay, can be accessed at the following webpage (https://​www.​maanm​
ittau​slait​os.​fi/​en/​resea​rch/​resea​rch/​gnss-​speci​alists/​fgi-​gnss-​jammi​ng-​
and-​spoof​i ng-​datas​et-​repos​itory-​fgi-​jsdr). Table 3 contains detailed
information about scenarios, folder names, and dataset sizes. The Finn-
ish Geospatial Research Institute (FGI) has made these datasets and
Conclusion and future work related scripts available to researchers and other interested stakehold-
ers. This initiative aims to enhance the robustness and effectiveness of
This paper presents raw GNSS spoofing datasets across receiver-based spoofing detection and mitigation techniques, thereby
four scenarios, analyzed with an updated version of FGI- strengthening overall security measures in satellite-based navigation
systems. All updates of the open-source FGI-GSRx receiver will be
GSRx software receiver. The new set of raw I/Q spoofing available along with the corresponding release notes. If there are any
data, comprising live-sky GNSS signals, fills a notable further inquiries, please feel free to contact FGI.
gap in existing datasets, enhancing the available resources
to the GNSS community. Notably, these datasets cover Declarations
multiple GNSS frequencies and incorporate cryptographic
Consent for publication All authors reviewed and approved the final
signatures (OSNMA) in Galileo E1-B data channel, posi- manuscript.
tioning them as potential benchmarks for evaluating the
resilience performance of multi-frequency multi-constel- Conflict of interest The authors declare no conflict of interest.
lation receivers. An updated open-source version of FGI-
GSRx is provided alongside the datasets with the neces- Open Access This article is licensed under a Creative Commons Attri-
sary features for processing and analyzing the new data. bution 4.0 International License, which permits use, sharing, adapta-
tion, distribution and reproduction in any medium or format, as long
This research aims to deepen our understanding of com- as you give appropriate credit to the original author(s) and the source,
plex spoofing attacks on GNSS signals, offering insights provide a link to the Creative Commons licence, and indicate if changes
into the challenges and opportunities for improving resil- were made. The images or other third party material in this article are
ience in navigation systems. The datasets and analyses included in the article’s Creative Commons licence, unless indicated
otherwise in a credit line to the material. If material is not included in
presented here provide a foundation for future research on the article’s Creative Commons licence and your intended use is not
GNSS technologies against evolving spoofing threats, thus permitted by statutory regulation or exceeds the permitted use, you will
contributing to the ongoing effort to safeguard satellite need to obtain permission directly from the copyright holder. To view a
navigation systems worldwide. copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
The authors are currently working towards implementa-
tion of Galileo’s OSNMA-based spoofing detection in FGI-
GSRx. In addition, the authors plan to implement a robust
GNSS anomaly detection technique based on a combination References
of different receiver parameters. These include Automatic
Albright A, Powers S, Bonior J, Combs F (2020) Oak ridge spoofing
Gain Control (AGC) variation at the front-end level, phase and interference test battery (OAKBAT) - GPS. In: Proceedings
and Doppler change rate detection at the tracking level, and of the 33rd international technical meeting of the satellite division
the authentication status flag based on navigation message of the institute of navigation (ION GNSS+ 2020), pp 3697–3712.
https://​doi.​org/​10.​13139/​ORNLN​CCS/​16644​29
authentication at the navigation level.
Anderson JM, Carroll KL, DeVilbiss NP, Gillis JT, Hinks JC,
O’Hanlon BW, Rushanan JJ, Scott L, Yazdi RA (2017) Chips-
Acknowledgements Special acknowledgement goes to the Safran
message robust authentication (chimera) for GPS civilian signals.
MINERVA academic programme for donating the Skydel simulator.
In: Proceedings of the 30th international technical meeting of
the satellite division of the institute of navigation (ION GNSS+
Author Contributions Conceptualization: SI and ZB; Methodology:
2017), pp 2388–2416
SI and ZB; Data curation: SI, IP, ML; Formal analysis and investiga-
Broumandan A, Jafarnia-Jahromi A, Lachapelle G (2015) Spoofing
tion: SI, ZB, ML, IP; Software: SI, ZB, ML, IP; Writing - original
detection, classification and cancelation (SDCC) receiver archi-
draft preparation: SI; Writing - review and editing: SI, ZB, ML, IP,
tecture for a moving GNSS receiver. GPS Solut 19:475–487
GPS Solutions (2024) 28:176 Page 17 of 18 176

Cavaleri A, Motella B, Pini M, Fantino M (2010) Detection of spoofed LabSat (2023) LabSat 3 Wideband Record and Replay Device
GPS signals at code and carrier tracking level. In: 2010 5th ESA [Accessed on 12 03, 2023]. https://​www.​labsat.​co.​uk/​index.​php/​
workshop on satellite navigation technologies and European work- en/​produ​cts/​labsat-​3-​wideb​and
shop on GNSS signals and signal processing (NAVITEC), pp 1–6 Li J, Zhu X, Ouyang M, Li W, Chen Z, Dai Z (2020) Research on
ESA (2021) Galileo Open Service Navigation Message Authentication multi-peak detection of small delay spoofing signal. IEEE Access
(OSNMA) 8:151777–151787. https://​doi.​org/​10.​1109/​ACCESS.​2020.​30169​
EUSPA (2023a) European GNSS (Galileo) Services Open Ser- 71
vice Quarterly Performance Report October–December 2022 Lin H, Qing Y (2015) GPS spoofing low-cost GPS simulator. In: Pro-
[Accessed on 12 03, 2023]. https://​www.​gsc-​europa.​eu/​sites/​ ceedings of the DEF CON, 23
defau​lt/​files/​sites/​all/​files/​Galil​eo-​OS-​Quart​erly-​Perfo​r mance_​ Magiera J, Katulski R (2015) Detection and mitigation of GPS spoof-
Report-​Q4-​2022.​pdf ing based on antenna array processing. J Appl Res Technol
EUSPA (2023b) The ultimate response to maritime spoofing attacks 13(1):45–57
[Accessed on 11 27, 2023]. https://​www.​euspa.​europa.​eu/​newsr​ Montgomery PY, Humphreys TE, Ledvina BM (2009) Receiver-auton-
oom/​news/​asgard-​ultim​ate-​respo​nse-​marit​ime-​spoof​i ng-​attac​ks omous spoofing detection: experimental results of a multi-antenna
FGI-NLS (2022) FGI-GSRx software receiver [Accessed on 12 10, receiver defense against a portable civil GPS spoofer. In: Proceed-
2023]. https://​www.​maanm​ittau​slait​os.​fi/​en/​fgi-​gsrx-​os ings of the 2009 international technical meeting of the institute of
Gamba MT, Truong MD, Motella B, Falletti E, Ta TH (2017) Hypoth- navigation, pp 124–130
esis testing methods to detect spoofing attacks: a test against the Motella B, Nicola M, Damy S (2021) Enhanced gnss authentica-
TEXBAT datasets. GPS Solut 21:577–589 tion based on the joint chimera/osnma scheme. IEEE Access
GPSWorld (2023) Increasing GNSS interference: UK and EU warn 9:121570–121582
aviation [Accessed on 11 27, 2023]. https://​www.​gpswo​rld.​com/​ Noll CE (2010) The crustal dynamics data information system: a
incre​asing-​gnss-​inter​feren​ce-​uk-​and-​eu-​warn-​aviat​ion/ resource to support scientific analysis using space geodesy. Adv
Guo Y, Miao L, Zhang X (2018) Spoofing detection and mitigation in Space Res 45(12):1421–1440
a multi-correlator GPS receiver based on the maximum likelihood Orouji N, Mosavi M (2021) A multi-layer perceptron neural network
principle. Sensors 19(1):37 to mitigate the interference of time synchronization attacks in sta-
Hegarty C, O’Hanlon B, Odeh A, Shallberg K, Flake J (2019) Spoof- tionary GPS receivers. GPS Solut 25:1–15
ing detection in GNSs receivers through cross-ambiguity function Pany T, Akos D, Arribas J, Bhuiyan MZH, Closas P, Dovis F, Fernan-
monitoring. In: Proceedings of the 32nd international technical dez-Hernandez I, Fernández–Prades C, Gunawardena S, Hum-
meeting of the satellite division of The Institute of Navigation phreys T et al (2024) Gnss software-defined radio: history, current
(ION GNSS+ 2019), pp 920–942 developments, and standardization efforts. NAVIGATION J Inst
Homeland S (2022) Resilient Positioning, Navigation, and Timing Navig 71(1)
(PNT) Conformance Framework Perdue L, Sasaki H, Boime G, Sicsik-Paré E (2016) 1.4 - Testing GNSS
Humphreys TE, Bhatti JA, Shepard DP, Wesson KD (2012) The Texas receivers robustness against spoofing attempts, pp 33–39. https://​
spoofing test battery: toward a standard for evaluating GPS signal doi.​org/​10.​5162/​etc20​16/1.4
authentication techniques. https://​api.​seman​ticsc​holar.​org/​Corpu​ Phelts RE (2001) Multicorrelator techniques for robust mitigation of
sID:​11395​2187 threats to GPS signal quality. Stanford University
Humphreys TE, Ledvina BM, Psiaki ML, O’Hanlon BW, Kintner PM Safran (2023) Safran Skydel GNSS Software Simulator [Accessed on
et al (2008) Assessing the spoofing threat: development of a port- 12 10, 2023]. https://​www.​safran-​group.​com/​produ​cts-​servi​ces/​
able GPS civilian spoofer. In: Proceedings of the 21st Interna- skydel-​gnss-​simul​ation-​softw​are
tional technical meeting of the satellite division of the institute of Septrentio (2023) High-precision geodetic full GNSS spectrum choke
navigation (ION GNSS 2008), pp 2314–2325 ring antenna [Accessed on 12 10, 2023]. https://​www.​septe​ntrio.​
Islam S, Bhuiyan MZH, Pääkkönen I, Saajasto M, Mäkelä M, com/​en/​produ​cts/​anten​nas/​polant-​choke​ring
Kaasalainen S (2023) Impact analysis of spoofing on different- Shang X, Sun F, Zhang L, Cui J, Zhang Y (2022) Detection and mitiga-
grade GNSS receivers. (2023) IEEE/ION Position. Location and tion of GNSS spoofing via the pseudorange difference between
Navigation Symposium (PLANS), pp 492–499. https://d​ oi.o​ rg/1​ 0.​ epochs in a multicorrelator receiver. GPS Solut 26:1–14
1109/​PLANS​53410.​2023.​10139​934 Söderholm S, Bhuiyan MZH, Thombre S, Ruotsalainen L, Kuusniemi
Jafarnia-Jahromi A, Broumandan A, Nielsen J, Lachapelle G (2012) H (2016) A multi-GNSS software-defined receiver: design, imple-
GPS vulnerability to spoofing threats and a review of antispoofing mentation, and performance benefits. Ann Telecommun. https://​
techniques. Int J Navig Observ doi.​org/​10.​1007/​s12243-​016-​0518-7
Kai B, Ignacio F-H, José A, L-S, Bhuiyan MZH (2022) GNSS software Turner M, Wimbush S, Enneking C, Konovaltsev A (2020) Spoofing
receivers. Cambridge University Press. https://​doi.​org/​10.​1017/​ detection by distortion of the correlation function. In: 2020 IEEE/
97811​08934​176 ION position, location and navigation symposium (PLANS), pp
Khan AM, Iqbal N, Khan AA, Khan MF, Ahmad A (2020) Detection 566–574
of intermediate spoofing attack on global navigation satellite sys-
tem receiver through slope based metrics. J Navig 73:1052–1068 Publisher's Note Springer Nature remains neutral with regard to
Kuusniemi H, Blanch J, Chen Y-H, Lo SC, Innac A, Ferrara GN, jurisdictional claims in published maps and institutional affiliations.
Honkala S, Bhuiyan MZH, Thombre S, Söderholm S, Walter T,
Phelts RE, Enge PK (2017) Feasibility of fault exclusion related to
advanced RAIM for GNSS Spoofing detection. https://​api.​seman​
ticsc​holar.​org/​Corpu​sID:​67182​166
176 Page 18 of 18 GPS Solutions (2024) 28:176

Saiful Islam received the M.Sc. Into Pääkkönen is an assistant

(Tech.) degree (Hons.) from research scientist at the Depart-
Tampere University (TAU), Fin- ment of Navigation and Position-
land, in 2019, where he is cur- ing at Finnish Geospatial
rently pursuing the Ph.D. degree. Research Institute (FGI). He
He is also a Research Scientist at holds a B.Sc. (Tech.) degree and
the Finnish Geospatial Research M.Sc. (Tech.) degree from Aalto
Institute (FGI-NLS). He is a University, Finland, with a major
member of the Navigation and in engineering physics and M.Sc
Sensing Technologies Group, (Tech.) degree. Into’s interests
Department of Navigation and include signal processing,
Positioning, FGI-NLS. He is applied physics, and navigation
involved in research projects on and communication technolo-
GNSS receiver development and gies. His current research at FGI
validation, timing algorithms, focuses on GNSS and LEO-PNT
maritime navigation, LEO-PNT, simulation and receiver develop-
GNSS jamming, and spoofing. He is one of the key people in the imple- ment, and varying topics related to resilient PNT such as IMU-GNSS
mentation of the GPS L5 solution in FGI-GSRx. His research interests fusion. He has also contributed to the development of FGI-GSRx
include GNSS signal processing, resilient software-defined radio GNSS software receiver with GPS L1C and Galileo HAS processing
(SDR) development, satellite-based augmentation systems (SBAS), and capabilities.
5G new radio (NR).
Sanna Kaasalainen is a professor
Mohammad Zahidul H. Bhui‑ and head of the Department of
yan is a Research Professor at Navigation and Positioning at the
the Department of Navigation National Land Survey of Fin-
and Positioning in Finnish Geo- land. She has a long-term
spatial Research Institute. He is research career in positioning,
also serving as an Adjunct Pro- remote sensing, optics, and space
fessor in Tampere University. sciences. She is a member of the
His main research interests European Commission Space
include multi-GNSS receiver Program Committee for Galileo
development, PNT robustness EGNOS Configuration and the
and resilience, seamless posi- navigation Program Board at the
tioning, LEO-PNT user receiver European Space Agency.
development, etc. He has been
also working as a Technical
Expert for the EU Agency for the
Space Program (EUSPA) in
H2020/Horizon Europe project reviewing and proposal evaluation.

Muwahida Liaquat received her

BE Computer Engineering, ME
Electrical Engineering in 2004
and 2006 respectively. She
received Ph.D Electrical Engi-
neering degree with specializa-
tion in signal processing and
control systems from National
University of Sciences and Tech-
nology, Pakistan in 2013. She is
working as a senior research sci-
entist at the Department of Navi-
gation and Positioning, Finish
Geospatial Research Institute,
National Land Survey of Fin-
land, and is also affiliated with
NUST, Pakistan. Her research focuses on various aspects of multi-tier
GNSS and LEO-PNT receiver design, GNSS vulnerabilities identifica-
tion and mitigation and sensor fusion algorithms.