Detection of Replay Attacks to GNSS based on Partial Correlations and Authentication Data Unpredictability

Abstract: Intentional interference, and in particular GNSS spoofing, is currently one of the most significant concerns of the Positioning, Navigation and Timing (PNT) community. With the adoption of Open Service Navigation Message Authentication (OSNMA) in Galileo, the E1B signal component will continuously broadcast unpredictable cryptographic data. This allows GNSS receivers not only to ensure the authenticity of data origin but also to detect replay spoofing attacks for receivers already tracking real signals with relatively good visibility conditions. Since the spoofer needs to estimate the unpredictable bits introduced by OSNMA with almost zero delay in order to perform a Security Code Estimation and Replay (SCER) attack, the spoofer unavoidably introduces a slight distortion into the signal, which can be the basis of a spoofing detector. In this work, we propose five detectors based on partial correlations of GNSS signals obtained over predictable and unpredictable parts of the signals. We evaluate them in a wide set of test cases, including different types of receiver and spoofing conditions. The results show that one of the detectors is consistently superior to the others, and it is able to detect SCER attacks with a high probability even in favorable conditions for the spoofer. Finally, we discuss some practical considerations for implementing the proposed detector in receivers, in particular when the Galileo OSNMA message structure is used.