UnReference: analysis of the effect of spoofing on RTK reference stations for connected rovers
Marco Spanghero, Panos Papadimitratos
TL;DR
This paper investigates the vulnerability of RTK/DGNSS corrections to spoofing and jamming of fixed reference stations using RF-level simulations with a rover-station pair. It demonstrates that adversaries can degrade rover positioning by manipulating reference corrections across single or multiple constellations and bands, with dramatic effects on altitude and horizontal accuracy and even prolonged disruption in some scenarios. The study highlights practical attack methods (synchronous lift-off, asynchronous spoofing, and jamming) and shows that current open-source processing can be misled into incorrect fixes or fallback solutions. It also proposes robust countermeasures, including rover-side validation, station-side spoofing detection via drift and static checks, and multi-station consensus, arguing for a layered defense to preserve integrity of differential GNSS systems in critical applications.
Abstract
Global Navigation Satellite Systems (GNSS) provide standalone precise navigation for a wide gamut of applications. Nevertheless, applications or systems such as unmanned vehicles (aerial or ground vehicles and surface vessels) generally require a much higher level of accuracy than those provided by standalone receivers. The most effective and economical way of achieving centimeter-level accuracy is to rely on corrections provided by fixed \emph{reference station} receivers to improve the satellite ranging measurements. Differential GNSS (DGNSS) and Real Time Kinematics (RTK) provide centimeter-level accuracy by distributing online correction streams to connected nearby mobile receivers typically termed \emph{rovers}. However, due to their static nature, reference stations are prime targets for GNSS attacks, both simplistic jamming and advanced spoofing, with different levels of adversarial control and complexity. Jamming the reference station would deny corrections and thus accuracy to the rovers. Spoofing the reference station would force it to distribute misleading corrections. As a result, all connected rovers using those corrections will be equally influenced by the adversary independently of their actual trajectory. We evaluate a battery of tests generated with an RF simulator to test the robustness of a common DGNSS/RTK processing library and receivers. We test both jamming and synchronized spoofing to demonstrate that adversarial action on the rover using reference spoofing is both effective and convenient from an adversarial perspective. Additionally, we discuss possible strategies based on existing countermeasures (self-validation of the PNT solution and monitoring of own clock drift) that the rover and the reference station can adopt to avoid using or distributing bogus corrections.