
GNSS SpAmming: a spoofing-based GNSS denial-of-service attack

Sergio Angulo Cosín, Javier Junquera-Sánchez, Carlos Hernando-Ramiro, José-Antonio Gómez-Sánchez

TL;DR

GNSS systems face jamming and spoofing, but SpAmming introduces a spoofing-based denial-of-service attack that exploits CDMA multiplexing to disrupt a receiver's access to a legitimate satellite signal while remaining subtle. The authors present an SDR-based experimental proof-of-concept against Galileo OSNMA, evaluating cold-start, warm-start, and hot-start scenarios and various spoofing configurations. The results show strong effectiveness in cold-start conditions and conditional effectiveness in other states, with improved outcomes when combined with targeted jamming. The work highlights the need for stronger PRN-level authentication and broader OSNMA protection, and outlines future research to quantify impact on authenticated services and extend defenses against SpAmming-informed attacks.

Abstract

GNSSs are vulnerable to attacks of two kinds: jamming (i.e. denying access to the signal) and spoofing (i.e. impersonating a legitimate satellite). These attacks have been extensively studied, and we have a myriad of countermeasures to mitigate them. In this paper we expose a new type of attack: SpAmming, which combines both approaches to achieve the same effects in a more subtle way. Exploiting the CDMA multiplexing present in most GNSSs, and through a spoofing attack, this approach leads the receiver to lose access to the signal of a legitimate satellite, which would be equivalent to a denial of service; but in this case the existing countermeasures against jamming or spoofing would not be effective against it, as it is neither of them. An experimental proof-of-concept is presented in which its impact is evaluated as a function of the previous state of the receiver. Using an SDR-based system developed at the Space Security Centre, the attack is executed against a cold-started receiver, a warm-started receiver, and a receiver that has already acquired the PVT solution and is navigating. Different attack configurations are also tested, ranging from a raw emission of the false signal to surgical configuration of the Doppler effect, code offset, etc. Although it is shown to be particularly successful against cold-started receivers, the results show that it is also effective in other scenarios, especially if accompanied by other attacks. We conclude the article by outlining possible countermeasures to detect and, eventually, counteract it, and possible avenues of research to better understand its impact, especially for authenticated services such as OSNMA, and to characterize it in order to improve the response to similar attacks.

Paper Structure (17 sections, 4 figures)

This paper contains 17 sections, 4 figures.

Figures (4)

  • Figure 1: Experiment components design.
  • Figure 2: Attacker interface v. resulting effects.
  • Figure 3: Laboratory setup for evaluating the SpAmming attack.
  • Figure 4: Nominal scenario v. Scenario after cold start and SpAmming.