DEMO: RTKiller -- manipulation of GNSS RTK rovers by reference base spoofing

Marco Spanghero, Panos Papadimitratos

TL;DR

This paper addresses the vulnerability of GNSS RTK correction networks to reference-station spoofing and jamming. It presents a practical demonstration (RTKiller) with three attack modes: synchronous single-constellation lift-off, asynchronous multi-constellation spoofing, and jamming, implemented with RTKLIB-based rovers and with both in-house simulators and Skydel. Key findings show that attacker manipulation of the reference station can cause significant rover degradation, with 3D errors around $30$ m and up to hundreds of meters, and nearly half of attempts triggering baseline RTK solution failures. The work underscores the security risk of network-based GNSS corrections and motivates development of robust authentication, monitoring, and anti-spoofing mechanisms for RTK-based applications.

Abstract

Global Navigation Satellite Systems (GNSS) provide global positioning and timing. Multiple receivers with known reference positions (stations) can assist mobile receivers (rovers) in obtaining GNSS corrections and achieving centimeter-level accuracy on consumer devices. However, GNSS spoofing and jamming, nowadays achievable with off-the-shelf devices, are serious threats to the integrity and robustness of public correction networks. In this demo, we show how manipulation of the Position, Navigation, and Timing (PNT) solution at the reference station is reflected in the loss of baseline fix or degraded accuracy at the rover. Real Time Kinematics (RTK) corrections are valuable but fundamentally vulnerable: attacking the reference stations can harm all receivers (rovers) that rely on the targeted reference station.
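
Because a reference station has a known surveyed position, one monitoring check in the spirit of the abstract is to compare the station's own live PNT solution against that position and withhold corrections when the two diverge or the solution disappears. The Python below is an added example, not code from the paper or from RTKiller; the coordinates, threshold, window size and the drift trace are constructed assumptions.

```python
import math
from collections import deque

# Assumed surveyed ECEF position of the reference station (constructed, metres).
SURVEYED_ECEF = (3100000.0, 1000000.0, 5460000.0)

def error_3d(fix, ref=SURVEYED_ECEF):
    """3D distance in metres between a live ECEF fix and the surveyed position."""
    return math.dist(fix, ref)

class BaseStationMonitor:
    """Flags a reference station whose own PNT solution leaves its surveyed position."""

    def __init__(self, threshold_m=2.0, window=5, min_hits=4):
        self.threshold_m = threshold_m      # assumed tolerance for the station's fix
        self.min_hits = min_hits            # bad epochs within the window needed to alarm
        self.recent = deque(maxlen=window)  # sliding window of per-epoch verdicts
        self.alarmed = False

    def update(self, fix):
        """Feed one epoch; returns True while corrections should be withheld."""
        if fix is None:                     # no solution at all, e.g. under jamming
            self.recent.append(True)
        else:
            self.recent.append(error_3d(fix) > self.threshold_m)
        if sum(self.recent) >= self.min_hits:
            self.alarmed = True             # latched until an operator clears it
        return self.alarmed

def first_alarm_epoch(fixes, **kwargs):
    """Index of the first epoch at which the monitor alarms, or None if it never does."""
    monitor = BaseStationMonitor(**kwargs)
    for i, fix in enumerate(fixes):
        if monitor.update(fix):
            return i
    return None

def constructed_liftoff(epochs=40, start=10, rate_m=0.5):
    """Constructed trace: clean fixes with a 0.3 m bias, then a slow drift along x."""
    x, y, z = SURVEYED_ECEF
    return [(x + max(0, i - start + 1) * rate_m, y, z + 0.3) for i in range(epochs)]

if __name__ == "__main__":
    print("slow drift alarms at epoch", first_alarm_epoch(constructed_liftoff()))
    print("no solution alarms at epoch", first_alarm_epoch([None] * 6))
```

Requiring several bad epochs inside the window keeps a single noisy fix from raising the alarm, at the cost of a few epochs of delay on a slow drift.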

Paper Structure (4 sections, 3 figures)


Figures (3)

  • Figure 1: Typical network RTK scenario with an attacker spoofing the reference station
  • Figure 2: Demo setup.
  • Figure 3: RTKiller in action causing degraded DGNSS solution at the rover.