Papers
Topics
Authors
Recent
Search
2000 character limit reached

SpAmming: Selective GNSS Denial Attack

Updated 4 July 2026
  • SpAmming is a selective denial-of-service attack on GNSS receivers that replicates specific PRN spreading codes to disrupt satellite signal tracking.
  • It manipulates CDMA correlator logic by injecting counterfeit signals with near-identical code and Doppler parameters, causing loss of satellite lock without broad-spectrum jamming.
  • Experimental setups using moderate SDR hardware demonstrate that SpAmming significantly increases time-to-first-fix and PVT loss rates, especially in cold-start scenarios.

SpAmming is a denial-of-service attack on GNSS receivers that leverages spoofing at the CDMA code level rather than raw noise emission. It targets only a subset of satellite PRNs, reproducing their spreading codes and modulation parameters without necessarily generating valid navigation messages, and aims to desynchronize or overwhelm the correlator for the targeted PRNs so that the receiver loses lock on those satellites. Unlike traditional jamming, which raises the noise floor, or conventional spoofing, which seeks to overwrite all visible satellite signals with counterfeit navigation data, SpAmming is a stealthy, narrow-target approach that can leave other genuine satellite signals intact while producing a denial-of-service effect against selected PRNs (Cosín et al., 5 Feb 2026).

1. Definition and threat model

The defining property of SpAmming is selective interference at the PRN level. The attacker reproduces the spreading code and modulation parameters of one or more target satellites and injects those signals so that the receiver cannot reliably acquire or track the legitimate satellite. The effect is operationally equivalent to denying access to part of the GNSS signal set, but without the wide-band noise signature associated with jamming and without the full constellation replacement typically associated with spoofing (Cosín et al., 5 Feb 2026).

This attack is framed against a receiver architecture that relies on CDMA multiplexing and correlator-based acquisition and tracking. The attacker’s goal is not necessarily to control the receiver’s full navigation solution, but to prevent acquisition or disrupt tracking of one or more target PRNs, causing a denial of service or forcing use of only unauthenticated satellites. The paper explicitly cites the possibility of disabling OSNMA-capable PRNs as part of the threat model (Cosín et al., 5 Feb 2026).

The stated attacker capabilities are moderate rather than exceptional. The required hardware is a moderate-power SDR, such as an Ettus USRP B210, together with a power combiner or splitter and cabling connected to the victim’s antenna input. The software requirement is the ability to generate arbitrary PRN-modulated waveforms, for example with gal-sdr-sim and GNU Radio. The attacker also needs approximate knowledge of in-view satellites and their PRNs, plus rough receiver clock offset and frequency offset, or some way to measure them (Cosín et al., 5 Feb 2026).

2. Signal-level mechanism

The paper models the received GNSS composite signal as

s(t)  =  k=1NAkck(t)dk(t)cos(2πfct+ϕk)  +  n(t)s(t)\;=\;\sum_{k=1}^{N}A_k\,c_k(t)\,d_k(t)\,\cos\bigl(2\pi f_{c}t + \phi_k\bigr)\;+\;n(t)

where AkA_k is the received amplitude of satellite kk, ck(t)c_k(t) is the spreading code, dk(t)d_k(t) is the navigation message, fcf_c is the carrier frequency, ϕk\phi_k is the carrier phase, and n(t)n(t) is additive noise (Cosín et al., 5 Feb 2026).

To acquire or track PRN ii, the receiver computes the correlation

Ri(τ,Δf)  =  T  s(t)  ci(t+τ)  exp(j2πΔft)  dt.R_i(\tau,\Delta f) \;=\;\int_{T}\;s(t)\;c_i(t+\tau)\;\exp\bigl(-j2\pi\,\Delta f\,t\bigr)\;\mathrm{d}t\,.

A clear peak in AkA_k0 at the correct code delay and Doppler offset indicates successful acquisition. SpAmming acts directly on this correlator logic by inserting a counterfeit PRN component for the targeted satellite (Cosín et al., 5 Feb 2026).

The attacker injects

AkA_k1

leading to a composite correlator input

AkA_k2

If AkA_k3 and AkA_k4 are chosen so that the spoofed and legitimate correlation peaks merge, or so that the spoofed peak dominates, the receiver cannot reliably lock onto the genuine satellite. The paper also notes an optional secondary-band component, such as raising AkA_k5 in E5B, to prevent multi-band cross-checking. In this configuration, the result is equivalent to jamming a selected PRN, but without a wide-band noise signature (Cosín et al., 5 Feb 2026).

A central point of the proposal is therefore that the denial-of-service effect emerges from code-level interference within the normal CDMA structure rather than from indiscriminate power injection. This is what motivates the claim that existing countermeasures against jamming or spoofing may fail to safeguard against it, because the attack is neither classical jamming nor full-fledged spoofing in the conventional sense (Cosín et al., 5 Feb 2026).

3. Experimental implementation

The proof of concept was built with a Leica AR20 rooftop antenna, an Ettus USRP B210 as SDR transmitter, a Minicircuits ZAPD-2-S+ combiner/splitter, a DC-block filter, and a u-blox ZED-F9P on a C099-F9P board as victim receiver. The software stack used gal-sdr-sim in Python 3 to generate baseband PRN signals, GNU Radio Companion for RF modulation, and u-center for logging and visualization of receiver status. All signals were cabled through the splitter to avoid unintentional over-the-air emissions (Cosín et al., 5 Feb 2026).

Three attack configurations were evaluated. The first was a raw-emission mode associated with cold-start behavior: the transmitter emitted only the target PRN code at constant power, with no Doppler adjustment and random code offset. The reported result was that the receiver acquired only the spoofed peak and never found the genuine satellite (Cosín et al., 5 Feb 2026).

The second configuration targeted warm-start behavior through Doppler-shift manipulation. The attacker measured the nominal Doppler on the target PRN and configured the spoofer with

AkA_k6

The paper notes that the USRP carrier may introduce a base Doppler of approximately AkA_k7 and that this must be compensated. The code offset was kept close to zero so that the spoofed and legitimate peaks overlapped (Cosín et al., 5 Feb 2026).

The third configuration addressed hot-start operation using precise code-phase offset and power control. The attacker estimated code delay and carrier phase from the live receiver and configured the spoofer to match them up to small offsets. The power margin AkA_k8 was adjusted between AkA_k9 and kk0. The paper also describes optional intermittent jamming in a parallel band, specifically E5B, to block auxiliary correlator checks (Cosín et al., 5 Feb 2026).

4. Receiver-state dependence and measured impact

The attack was evaluated under three initial receiver conditions: cold-started, warm-started, and already navigating with a PVT solution. The reported metrics were TTFF and PVT loss rate over one-minute windows. The results show strong dependence on receiver state, with particularly high effectiveness against cold starts (Cosín et al., 5 Feb 2026).

Scenario Attack effect Recovery behavior
Cold-start Attack TTFF kk1 s (no fix); PVT loss rate kk2 No recovery; persistent DoS
Warm-start Attack TTFF kk3–kk4 s; PVT loss rate kk5 during attack Instant recovery on stop
Hot-start kk6–kk7 resets per min; PVT loss rate kk8–kk9 Partial recovery; improved with E5B jamming

For cold-start receivers, the nominal TTFF was reported as ck(t)c_k(t)0–ck(t)c_k(t)1 s, but under attack the receiver did not obtain a fix within ck(t)c_k(t)2 s and the PVT loss rate was ck(t)c_k(t)3. The interpretation given in the paper is that the receiver never completes acquisition of the target PRN, resulting in deficient geometry and often no final fix (Cosín et al., 5 Feb 2026).

For warm-start receivers, nominal TTFF was ck(t)c_k(t)4–ck(t)c_k(t)5 s, while attack TTFF increased to ck(t)c_k(t)6–ck(t)c_k(t)7 s and the PVT loss rate was ck(t)c_k(t)8 during the attack. Recovery after attack cessation occurred within ck(t)c_k(t)9–dk(t)d_k(t)0 s according to the narrative description, while the summary table characterizes the behavior as instant recovery on stop (Cosín et al., 5 Feb 2026).

For hot-start receivers that were already navigating, the attack produced intermittent loss of lock corresponding to dk(t)d_k(t)1–dk(t)d_k(t)2 resets per minute and a PVT loss rate of dk(t)d_k(t)3–dk(t)d_k(t)4. The effect intensified when parallel-band jamming was added, with the paper stating that E5B jamming raised the loss rate to approximately dk(t)d_k(t)5 (Cosín et al., 5 Feb 2026).

These measurements establish that the attack does not depend on a single receiver state, although the paper explicitly concludes that it is particularly successful against cold-started receivers and can also be effective in other scenarios, especially if accompanied by other attacks (Cosín et al., 5 Feb 2026).

5. Detection and countermeasures

The paper outlines three principal detection strategies. The first is PRN-specific dk(t)d_k(t)6 monitoring: a sudden drop in dk(t)d_k(t)7 for one PRN while other PRNs remain nominal is proposed as a potential indicator of SpAmming. The limitation given is that natural dk(t)d_k(t)8 variability in multipath environments may produce false alarms (Cosín et al., 5 Feb 2026).

The second strategy is time-consistency checking, in which GNSS time is compared with an external reference such as NTP. Irregular offsets can indicate partial spoofing or partial signal denial. The limitation identified is that network delays and jitter reduce sensitivity (Cosín et al., 5 Feb 2026).

The third is direction-of-arrival analysis using CRPA. Spatial filtering can null the spoofer’s direction while preserving genuine satellites. The corresponding limitation is deployment cost and complexity: bulky, power-hungry antenna arrays are not available on many platforms (Cosín et al., 5 Feb 2026).

The article also discusses authentication-oriented countermeasures. Galileo OSNMA authenticates navigation messages but not PRN assignment, so an attacker can still supplant OSNMA-enabled PRNs. By contrast, full-PRN authentication, exemplified in the paper by the GPS Chimera concept, would bind each spreading code cryptographically to a key and thus prevent code-level SpAmming (Cosín et al., 5 Feb 2026).

A quantitative bound is provided for such PRN-level authentication: a scheme with false-alarm probability dk(t)d_k(t)9 can achieve detection probability fcf_c0 under fcf_c1. The paper presents this as a performance bound rather than as a demonstrated property of an implemented defense in the experimental setup (Cosín et al., 5 Feb 2026).

6. Relation to authenticated services and research directions

A recurring theme is that authenticated GNSS services are not automatically immune. The paper explicitly asks how SpAmming affects OSNMA and CAS services and whether partial spoofing can isolate authenticated PRNs, forcing the receiver to rely on unprotected ones. This makes PRN-level authentication, rather than message-only authentication, a central research direction (Cosín et al., 5 Feb 2026).

The first proposed research direction is formal quantification. The paper calls for statistical models of code-peak distortion under SpAmming to derive closed-form expressions for fcf_c2 and fcf_c3, and for extending experiments to multipath environments, mobile receivers, and different antenna types (Cosín et al., 5 Feb 2026).

The second direction is dynamic SpAmming. The paper suggests adaptive code-phase and Doppler sweeps that track receiver update loops in order to sustain denial over longer periods without external jamming. This would move the attack from a fixed-configuration proof of concept toward an adaptive interference strategy (Cosín et al., 5 Feb 2026).

The third direction concerns authenticated GNSS services. The paper proposes studying whether partial spoofing can isolate OSNMA-enabled satellites and suggests extending OSNMA with PRN binding or sequence hopping to defeat code-level substitution (Cosín et al., 5 Feb 2026).

The fourth concerns hybrid detection. Integration with inertial sensors and network time sources is proposed as a way to identify missing or corrupted PRN measurements more readily. This suggests that future mitigation may depend on multi-signal consistency rather than on a single anti-jamming or anti-spoofing monitor (Cosín et al., 5 Feb 2026).

In the formulation introduced by the paper, SpAmming therefore occupies a specific place in the GNSS threat landscape: it is a selective, PRN-level denial technique that exploits the correlator assumptions of CDMA receivers, produces effects comparable to jamming on targeted satellites, and challenges the adequacy of defenses designed only for classical jamming or full-spectrum spoofing (Cosín et al., 5 Feb 2026).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to SpAmming.