Abstract: Understanding GNSS signal structure is fundamental to comprehending spoofing vulnerabilities. This article provides a technical deep-dive into the signal architectures of major GNSS constellations—GPS, Galileo, and BeiDou—analyzing the specific characteristics that enable spoofing attacks. We examine modulation schemes, spreading codes, navigation message structures, and the security implications of design decisions made decades ago.


1. Introduction
All Global Navigation Satellite Systems (GNSS) share a common architectural heritage: satellites transmit precisely timed signals containing navigation data, and receivers compute position through time-of-arrival measurements. However, the specific implementation details vary significantly between constellations, creating different vulnerability profiles.
While Article 1 introduced the general threat landscape of GNSS spoofing, this installment focuses on the root cause: the signal structure itself. Why are some signals easier to spoof than others? How do modernization efforts address these flaws? And what limitations remain even in next-generation signals?
2. GPS Signal Structure
2.1 Legacy Signals (L1 C/A)
The GPS L1 Coarse/Acquisition (C/A) signal remains the most widely used—and most vulnerable—GNSS signal in existence. Its design dates back to the 1970s, prioritizing accessibility over security.
Signal Characteristics:

GPS L1 C/A Signal Structure
Parameter           Value
Carrier Frequency   1575.42 MHz
Modulation          BPSK(1)
Chipping Rate       1.023 Mcps
Code Length         1023 chips (C/A code)
Code Period         1 ms
Data Rate           50 bps
Signal Power        ~-130 dBm (minimum)
2.2 Vulnerability Analysis
The L1 C/A signal suffers from three critical weaknesses:
Short Code Length: The 1023-chip C/A code repeats every millisecond. This makes it trivial for an attacker to capture, record, and replay the signal (a technique known as meaconing).
Predictable Structure: The Gold codes used for satellite identification are generated from well-documented polynomials:
G1(X) = 1 + X³ + X¹⁰
G2(X) = 1 + X² + X³ + X⁶ + X⁸ + X⁹ + X¹⁰
C/A Code = G1(X) ⊕ G2(X-tapped)
Because these algorithms are public, any adversary can generate valid codes for any satellite ID.
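The generator below is an added illustration for this article, not code from the article or from any receiver project. It implements the G1/G2 registers and the PRN phase-selector taps as IS-GPS-200 defines them, which is exactly what a receiver correlator needs in order to identify a satellite. Running it shows the two properties the text relies on: the code repeats every 1023 chips (1 ms), and its correlation peak is unambiguous, so the code tells a receiver which satellite it is tracking but can never tell it who transmitted the signal. The first-ten-chip octal values used as checks come from the IS-GPS-200 table; the function names are this example's own.

```python
"""GPS L1 C/A (Gold) code generator, from the public G1/G2 definitions in
IS-GPS-200. Added example for this article; stdlib only."""

# Phase-selector taps (G2 register stages, 1-indexed) for PRN 1..32, as
# tabulated in IS-GPS-200.
G2_TAPS = {
    1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9), 6: (2, 10),
    7: (1, 8), 8: (2, 9), 9: (3, 10), 10: (2, 3), 11: (3, 4), 12: (5, 6),
    13: (6, 7), 14: (7, 8), 15: (8, 9), 16: (9, 10), 17: (1, 4), 18: (2, 5),
    19: (3, 6), 20: (4, 7), 21: (5, 8), 22: (6, 9), 23: (1, 3), 24: (4, 6),
    25: (5, 7), 26: (6, 8), 27: (7, 9), 28: (8, 10), 29: (1, 6), 30: (2, 7),
    31: (3, 8), 32: (4, 9),
}

def ca_code(prn, n_chips=1023):
    """Return n_chips chips (0/1) of the C/A code for the given PRN."""
    t1, t2 = G2_TAPS[prn]
    g1 = [1] * 10      # both 10-stage shift registers start as all ones
    g2 = [1] * 10      # index 0 is stage 1, index 9 is stage 10
    chips = []
    for _ in range(n_chips):
        g2i = g2[t1 - 1] ^ g2[t2 - 1]           # phase-selected G2 output
        chips.append(g1[9] ^ g2i)               # C/A chip = G1 output XOR G2i
        fb1 = g1[2] ^ g1[9]                     # G1: 1 + X^3 + X^10
        fb2 = (g2[1] ^ g2[2] ^ g2[5]            # G2: 1 + X^2 + X^3 + X^6
               ^ g2[7] ^ g2[8] ^ g2[9])         #       + X^8 + X^9 + X^10
        g1 = [fb1] + g1[:9]                     # shift, feedback enters stage 1
        g2 = [fb2] + g2[:9]
    return chips

def first_chips_octal(prn, n=10):
    """Integer value of the first n chips; IS-GPS-200 tabulates these in octal."""
    return int("".join(str(b) for b in ca_code(prn, n)), 2)

def circular_correlation(a, b, lag):
    """Correlation of two chip sequences (0 -> +1, 1 -> -1) at a circular lag."""
    n = len(a)
    return sum((1 - 2 * a[i]) * (1 - 2 * b[(i + lag) % n]) for i in range(n))

def max_sidelobe(code):
    """Largest off-peak autocorrelation magnitude; for 1023-chip Gold codes the
    off-peak values are bounded by 65, so a 1023 peak is unmistakable."""
    return max(abs(circular_correlation(code, code, lag)) for lag in range(1, len(code)))

if __name__ == "__main__":
    for prn in (1, 2, 3):
        print(f"PRN {prn:2d}: first 10 chips = {first_chips_octal(prn):o} (octal)")
    two_periods = ca_code(1, 2046)
    print("repeats after 1023 chips:", two_periods[:1023] == two_periods[1023:])
    print("peak / max sidelobe:", circular_correlation(two_periods[:1023], two_periods[:1023], 0),
          max_sidelobe(two_periods[:1023]))
```

Nothing in this generator is secret: the polynomials, the tap table and the all-ones initial state are all in the public specification, which is the point the section makes. A receiver uses the correlation peak to find the code phase; the same peak appears whether the chips came from a satellite or from a ground transmitter.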
No Authentication: The navigation message contains no cryptographic authentication. A spoofer can craft arbitrary ephemeris (orbit) and clock data, and the receiver will accept it as truth.
2.3 Modernized GPS Signals
Recognizing these flaws, GPS has introduced new signals with improved security characteristics, though adoption takes time.

Signal   Frequency     Security Features                  Status
L1C      1575.42 MHz   Pilot channel, better correlation  Operational
L2C      1227.60 MHz   Civilian, improved structure       Operational
L5       1176.45 MHz   Safety-of-life, higher power       Operational
M-Code   L1/L2         Military, encrypted, anti-jam      Restricted
L1C Improvements:
Longer Spreading Codes: Increased to 10,230 chips, making acquisition harder for simple spoofers.
Pilot Channel: A data-less component allows for improved tracking sensitivity.
Better Multipath Resistance: Improved modulation reduces errors in urban environments.
Limitation: Still lacks cryptographic authentication for civilian use.
3. Galileo Signal Architecture
3.1 Open Service Signals
Galileo was designed with security considerations from the outset, though its Open Service (OS) initially remained vulnerable to sophisticated spoofing.
E1 Signal Structure:

Galileo E1 Open Service
Parameter           Value
Carrier Frequency   1575.42 MHz (same as GPS L1)
Modulation          CBOC(6,1,1/11)
Subcarrier          1.023 MHz + 6.138 MHz
Chipping Rate       1.023 Mcps (data) / 2.046 Mcps (pilot)
Code Length         4092 chips
Code Period         4 ms
Data Rate           125 bps (with FEC)
3.2 OSNMA – Open Service Navigation Message Authentication
Galileo leads the civilian sector with OSNMA, the first free-to-air navigation message authentication system.
OSNMA Architecture:

OSNMA Authentication Chain

  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
  │  DSM-KROOT  │───▶│   DSM-DSM   │───▶│  DSM-HKROOT │
  │ (Root Key)  │    │   (Data)    │    │   (Hash)    │
  └─────────────┘    └─────────────┘    └─────────────┘
         │                  │                  │
         ▼                  ▼                  ▼
  ┌───────────────────────────────────────────────────┐
  │                 Navigation Message                │
  │ Ephemeris │ Clock │ Almanac │ Authentication Tags │
  └───────────────────────────────────────────────────┘

Key Features:
  • TESLA-based delayed key disclosure
  • 40-bit authentication tags
  • ~30 second authentication latency
  • Backward compatible with legacy receivers
OSNMA Limitations:
Authentication Latency: The ~30-second delay required for key disclosure creates a window where brief spoofing attacks can succeed before detection.
Receiver Support: Not all GNSS receivers currently support OSNMA verification.
Acquisition Phase: OSNMA protects the navigation message but does not secure the initial signal acquisition phase.
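To make the latency limitation concrete, here is a simplified TESLA-style model of delayed key disclosure, added as an example for this article. It is not OSNMA's actual message format and not taken from the Galileo ICD: the hash-chain length, the disclosure delay of three intervals, the 40-bit HMAC tags, the interval numbering and the sample ephemeris bytes are all this example's assumptions. It shows the three things a receiver must do with such a scheme: refuse any message whose key could already have been disclosed when the message arrived, check that each disclosed key hashes back to the trusted root (the role the diagram labels DSM-KROOT), and only then accept buffered messages whose tags recompute.

```python
"""Simplified TESLA-style delayed-key-disclosure model (added example, not
the OSNMA wire format). Chain length, delay, tag size and messages are this
example's assumptions. Stdlib only."""
import hashlib
import hmac
import secrets

TAG_BITS = 40   # tag length the article quotes for OSNMA
DELAY = 3       # key for interval i is disclosed at interval i + DELAY (assumed)

def H(data):
    return hashlib.sha256(data).digest()

def build_chain(n, seed=None):
    """Return [K_0, ..., K_n] with K_{i-1} = H(K_i). K_0 is the root key the
    receiver must obtain through a trusted path before anything else works."""
    k = seed or secrets.token_bytes(32)
    chain = [k]
    for _ in range(n):
        k = H(k)
        chain.append(k)
    chain.reverse()
    return chain

def make_tag(key, interval, message):
    """Truncated HMAC over (interval, message); binding the interval stops a
    tag from one interval being replayed in another."""
    mac = hmac.new(key, interval.to_bytes(4, "big") + message, hashlib.sha256).digest()
    return mac[: TAG_BITS // 8]

class Receiver:
    def __init__(self, root_key):
        self.trusted_key = root_key   # last key verified against the chain
        self.trusted_interval = 0
        self.pending = {}             # interval -> [(message, tag)]
        self.authenticated = []       # (interval, message) with valid tags

    def receive_message(self, interval, message, tag, now):
        """Buffer a tagged message. Security condition: it must arrive before
        its key can have been disclosed; afterwards anyone who saw K_interval
        could have produced the tag, so it proves nothing."""
        if now >= interval + DELAY:
            return False
        self.pending.setdefault(interval, []).append((message, tag))
        return True

    def receive_key(self, interval, key):
        """Verify a disclosed key by hashing it back to the last trusted key,
        then authenticate the messages buffered for that interval."""
        steps = interval - self.trusted_interval
        if steps <= 0:
            return False
        k = key
        for _ in range(steps):
            k = H(k)
        if not hmac.compare_digest(k, self.trusted_key):
            return False              # not on the chain: ignore it
        self.trusted_key, self.trusted_interval = key, interval
        for message, tag in self.pending.pop(interval, []):
            if hmac.compare_digest(make_tag(key, interval, message), tag):
                self.authenticated.append((interval, message))
        return True

def run_scenario():
    """Constructed walk-through: one genuine message, one altered copy, one
    message that arrives after its key is public, one bogus key."""
    chain = build_chain(10, seed=b"constructed seed, not a real key")
    rx = Receiver(chain[0])
    ephemeris = b"constructed ephemeris for PRN 01"
    tag = make_tag(chain[1], 1, ephemeris)
    # Interval 1, received live (now == 1): buffered, verified later.
    ok_live = rx.receive_message(1, ephemeris, tag, now=1)
    # Same tag with altered orbit data: buffered now, rejected once the key arrives.
    rx.receive_message(1, b"constructed ephemeris for PRN 01, orbit altered", tag, now=1)
    # A message arriving after K_1 is public (now == 4) is refused, valid tag or not.
    forged = b"message that arrived too late"
    ok_late = rx.receive_message(1, forged, make_tag(chain[1], 1, forged), now=4)
    # A key that does not hash back to the root is discarded.
    ok_bogus_key = rx.receive_key(1, b"\x00" * 32)
    # The genuine K_1, disclosed at interval 1 + DELAY.
    ok_key = rx.receive_key(1, chain[1])
    return {
        "live_buffered": ok_live,
        "late_rejected": not ok_late,
        "bogus_key_rejected": not ok_bogus_key,
        "key_verified": ok_key,
        "authenticated": rx.authenticated,
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")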
3.3 Public Regulated Service (PRS)
For government and critical infrastructure, Galileo offers the PRS:
Encrypted signals inaccessible to standard receivers.
Higher power for jam resistance.
Restricted access (government authorized only).
Dual-frequency operation for robustness.
4. BeiDou Signal Architecture
4.1 BeiDou-2 (Regional) vs. BeiDou-3 (Global)
China’s BeiDou system has evolved significantly. While BeiDou-2 laid the groundwork, BeiDou-3 introduces modern signal structures aligned with international standards.
B1I Signal (BeiDou-2 Legacy):

Parameter           Value
Frequency           1561.098 MHz
Modulation          BPSK(2)
Chipping Rate       2.046 Mcps
Code Length         2046 chips
Code Period         1 ms
Data Rate           50 bps

B1C Signal (BeiDou-3 Modern):

Parameter           Value
Frequency           1575.42 MHz (aligned with GPS/Galileo)
Modulation          QMBOC(6,1,4/33)
Chipping Rate       1.023 Mcps
Code Length         10,230 chips
Code Period         10 ms
Data Rate           50/100 bps
4.2 BeiDou Authentication (B2C)
BeiDou-3 introduces a unique approach to civilian signal authentication via the B2C signal.
B2C Authentication Features:
Spread Spectrum Authentication: Uses watermarking techniques.
Embedded Codes: Short authentication codes are embedded directly within the signal structure.
Lower Latency: Verification takes approximately 6 seconds, significantly faster than Galileo’s OSNMA.
Authentication Process:
Receiver acquires B2C signal.
Extracts authentication watermark.
Verifies against known key sequence.
Confirms signal authenticity.
Continues tracking if verified.
5. GLONASS Signal Characteristics
5.1 FDMA vs. CDMA
GLONASS uniquely uses Frequency Division Multiple Access (FDMA) for its legacy signals, differing from the CDMA approach of GPS, Galileo, and BeiDou.
FDMA Characteristics:
Each satellite transmits on a slightly different frequency.
L1 Formula: 1602 + k × 0.5625 MHz (where k is the channel number).
All satellites use the same code; separation is achieved via frequency.
Security Implication: Frequency separation provides inherent resistance to wideband spoofing, as an attacker must generate multiple precise frequencies simultaneously.
Modern CDMA Signals:
L3OC: A new civilian CDMA signal aligned with international standards.
Offers better interoperability but loses the frequency-diversity security benefit of legacy FDMA.
5.2 Vulnerability Comparison

Aspect               FDMA (Legacy)                          CDMA (Modern)
Spoofing Complexity  Higher (requires multi-frequency gen)  Lower (single frequency)
Receiver Complexity  Higher (multiple front-ends)           Lower
Interoperability     Poor                                   Good
Security             Moderate (frequency diversity)         Low (similar to GPS L1)
6. Comparative Vulnerability Analysis
6.1 Signal Acquisition Vulnerability Matrix
The length of the spreading code and its repetition period are primary indicators of acquisition vulnerability.

Constellation   Code Length   Period   Complexity   Vulnerability
GPS L1 C/A      1023          1 ms     Low          HIGH
Galileo E1      4092          4 ms     Medium       MEDIUM
BeiDou B1I      2046          1 ms     Low          HIGH
BeiDou B1C      10230         10 ms    Medium       MEDIUM
GLONASS L1      511           1 ms     Low*         HIGH
Note: FDMA adds complexity for wideband spoofing, slightly mitigating the risk despite short codes.
6.2 Navigation Message Vulnerability
Regardless of the physical layer, all civilian navigation messages share common logical vulnerabilities:
No Integrity Protection: Message content can be modified in transit without detection.
No Source Authentication: Receivers cannot cryptographically verify the satellite origin.
Predictable Structure: Ephemeris data follows known orbital models, allowing attackers to predict future values.
Long Validity: Ephemeris data is valid for hours, enabling “replay attacks” using old but still technically valid data.
7. Spoofing Implications by Signal Type
7.1 Code-Phase Spoofing
This technique exploits short code repetition periods.
Method: Capture one code period, replay it with a modified time delay.
Result: The receiver computes a false pseudorange, shifting the calculated position.
Most Effective Against: GPS L1 C/A, GLONASS L1, BeiDou B1I.
7.2 Navigation Message Spoofing
This targets the data content rather than the signal timing.
Method: Maintain signal lock while slowly injecting false ephemeris or clock correction data.
Result: The position solution drifts gradually, often staying below the receiver’s fault detection thresholds.
Effective Against: All civilian signals, including authenticated ones during the key latency window (e.g., the first 30s of OSNMA).
7.3 Meaconing
Meaconing is the simplest form of spoofing.
Method: Record legitimate signals and rebroadcast them with amplification.
Result: Creates a false time and position based on the location of the repeater.
Detection Difficulty: Very high. Since the signals are authentic (just delayed), standard receivers cannot distinguish them from real satellite signals without multi-antenna setups or external timing references.
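The two detection hooks the text points at, a drift monitor against the slow navigation-message pull of 7.2 and an external timing reference against the delayed replay of 7.3, can be demonstrated on constructed receiver epochs. The code below is an added example, not from the article; the thresholds, the 30-epoch window, the static-site assumption and the sample epochs are all constructed for illustration. It shows why a per-epoch innovation check never sees a 0.5 m/s pull while a windowed displacement check catches it, and how a step in (GNSS time minus reference time) exposes a replayed signal that a single receiver cannot otherwise tell from the real one.

```python
"""Receiver-side spoofing monitors over constructed epochs (added example).
Assumed platform: a static site (e.g. a timing receiver) with an independent
external time reference. All thresholds are illustrative, not tuned values."""
from dataclasses import dataclass
import math

@dataclass
class Epoch:
    t: int                    # epoch index (1 Hz)
    gnss_minus_ref_ns: float  # GNSS-derived time minus external reference, ns
    x: float                  # local-plane east position, metres
    y: float                  # local-plane north position, metres

STEP_NS = 500.0     # one-epoch jump larger than this is not oscillator drift (assumed)
PER_EPOCH_M = 2.0   # typical per-epoch innovation threshold (assumed)
WINDOW = 30         # epochs over which displacement is accumulated (assumed)
WINDOW_M = 10.0     # max plausible displacement of a static site per WINDOW (assumed)

def time_step_alerts(epochs):
    """Epochs where the GNSS-vs-reference offset jumps by more than STEP_NS.
    A replayed signal shifts the derived time by the repeater's extra path
    delay all at once, which a free-running clock cannot do."""
    return [b.t for a, b in zip(epochs, epochs[1:])
            if abs(b.gnss_minus_ref_ns - a.gnss_minus_ref_ns) > STEP_NS]

def per_epoch_drift_alerts(epochs):
    """Naive check: flag only when one epoch moves more than PER_EPOCH_M."""
    return [b.t for a, b in zip(epochs, epochs[1:])
            if math.hypot(b.x - a.x, b.y - a.y) > PER_EPOCH_M]

def windowed_drift_alerts(epochs):
    """Flag when displacement over WINDOW epochs exceeds WINDOW_M. This catches
    slow, sub-threshold pulls that the per-epoch check never sees."""
    return [b.t for a, b in zip(epochs, epochs[WINDOW:])
            if math.hypot(b.x - a.x, b.y - a.y) > WINDOW_M]

def constructed_epochs(n=100):
    """Constructed data: benign noise, a 0.5 m/epoch position pull starting at
    epoch 30, and a +2000 ns time step at epoch 60 (a replayed signal)."""
    out = []
    for t in range(n):
        pull = 0.5 * max(t - 30, 0)
        offset = 5.0 * math.sin(t / 7.0) + (2000.0 if t >= 60 else 0.0)
        out.append(Epoch(t, offset, pull + 0.3 * math.sin(t), 0.3 * math.cos(t)))
    return out

def analyze(epochs):
    """Run all three monitors and return the alerting epochs for each."""
    return {
        "time_step": time_step_alerts(epochs),
        "per_epoch_drift": per_epoch_drift_alerts(epochs),
        "windowed_drift": windowed_drift_alerts(epochs),
    }

if __name__ == "__main__":
    for name, hits in analyze(constructed_epochs()).items():
        print(f"{name}: first alert at epoch {hits[0]}" if hits else f"{name}: no alert")
```

On the constructed data the per-epoch check stays silent for the whole run, the windowed check starts alerting roughly twenty epochs into the pull, and the time-step check fires exactly once, at the epoch where the replayed signal takes over. The windowed check depends on knowing the platform is static (or on an independent motion sensor to difference against); the time-step check depends on the reference clock not being derived from the same GNSS signal.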
8. Future Signal Developments
The industry is moving towards robust authentication and resilience:
GPS III and Beyond: Deployment of L1C with improved structure and higher power. Future blocks may include civilian authentication.
Galileo Second Generation: Enhanced OSNMA with reduced latency and improved signal flexibility.
BeiDou-4 Planning: Proposals include quantum communication integration for unbreakable timing and LEO (Low Earth Orbit) augmentation for stronger signal power.
9. Conclusion
Signal structure fundamentally determines spoofing vulnerability. Legacy signals like GPS L1 C/A and GLONASS L1 remain highly susceptible due to short codes and a complete lack of authentication. While modern signals like Galileo E1 (OSNMA) and BeiDou B2C introduce critical security improvements, they are not silver bullets; limitations such as authentication latency and the need for widespread receiver upgrades persist.
The path forward requires a multi-layered approach:
Widespread deployment of authenticated signals across all constellations.
Receiver adoption of authentication verification logic.
Multi-constellation, multi-frequency operation to increase the complexity of successful attacks.
Integration with complementary PNT sources (e.g., cellular, LEO satellites, inertial navigation).
In the next article, we will move from theory to practice, examining advanced spoofing methodologies and real-world attack scenarios.
This article is Part 2 of the GNSS Security Technologies series. For questions or collaboration, please contact the author via the blog.