They aren't. A spoofer doesn't need to know what the signal means/be able to decrypt it. Just retransmit signal received from a different place at higher power. Only way to distinguish it from a real one is timing, but that requires an atomic clock, which is $15,000 and too expensive for most applications.
But, military grade GPS receivers use virtual beam forming to achieve a very high attenuation of spoofing signal so they are extremely hard to spoof, they always get the real signal as stronger.
They arn't very easy to avoid, say you capture the signal from a satellite that is not visible to the receiver, or being jammed out, unless you have an extremely high precision clock, you can just delay the signal rebroadcast and spoof away.
Everything involved in GPS requires all the nodes (both the senders and the receivers) to have "extremely high precision clocks."
That's the whole idea, really: you, the receiver, have a clock, and a map of where the various GPS satellites will be around the earth at given times. You "hear" the current time announced from three satellites (along with their station IDs), and compare those times to your clock to figure out the flight time of the data, and thus the distance to the satellites. Then you take the satellites' known positions on the map at the current time, plus the flight times, and triangulate your own position.
If one of the three times you've received is a "lie", then its relative time will correspond to an impossible distance for that GPS satellite to be relative to where the map says it should be (e.g. over the horizon relative to you), and relative to where the other two satellites that you heard from are. (Theoretically you could receive such signals—using reflectors, like HAMs do—but GPS discounts this possibility and just considers it invalid data.)
The vast majority of consumer GPS receivers take their clock from a quartz crystal. The accuracy will be somewhere between 10 parts per million (ppm) and 30 ppm. 5-15 minutes per year of drift - sounds pretty precise, right?
Except when you're measuring the time of flight of signals going close to the speed of light, 10ppm of clock slew gives you 3,000 m/s of clock slew.
That's why GPS receivers actually need to see 4 satellites to get an accurate fix; receivers actually calculate position in four dimensions - x, y, z and time.
Anyway, consequences:
1. The GPS receiver in your phone doesn't have an 'extremely high precision clock' by the standards of high precision clocks.
2. You could mount a replay attack against a receiver introducing error at up to 3km per second in such a way that it won't be readily detectable over other errors in the system.
3. Due to practical issues involved with such a replay attack, it'd probably be possible to crash a drone or misdirect it by a few hundred meters; but incredibly difficult to misdirect it to a distant country or anything like that.
GPS receivers do not have clocks. Atomic clocks are expensive and large; there is no way you get one every device.
Only the satellites have atomic clocks. The receiver get the time from the satellites. It basically compares the time delay between the satellites to determine position and time.
I didn't say they have atomic clocks. They do have clocks, though. Like most computers do. And they are high-precision, and are low-drift enough to predict the locations of satellites as long as they have been re-synchronized within the last few days or so.
Which, as you say, also happens by just observing the time signatures from the satellites. You need four visible satellites to determine your own time, though, whereas you only need three for position, so time isn't re-synched as often as position is calculated. The internal clock in the receiver allows the receiver to carry on tracking with only three time sources for a while.
But, to be clear on the topic of the parent discussion: I believe JDAM missiles (the ones that actually do use GPS) do have either an atomic clock source [more recently], or [formerly] have at least a high-precision monotonic clock source with low drift that is synchronized at point-of-launch by the clock on the bomber, which also has an HPC that was calibrated at its launch by a real atomic clock. They don't need to rely on external time-sync.
And modern ICBMs? Well, unless your jammer/spoofer can keep up with them, or is itself a satellite, you're only going to be able to affect them when they're on their descent course and making final adjustments. And, like this article says (https://www.technologyreview.com/s/423363/how-cruise-missile...), ICBMs have redundant aiming systems based on computer vision applied to either visual-spectrum or radar-based sensors.
Yeah, I'm not terribly worried about military drones. But as a civilian pilot I worry a lot about whether the non-military-grade GPS in my airplane is telling me the truth.
Hopefully GPS isn't your sole source of information.
When I'm out scrambling I make sure that I carry multiple navigational aids so that I can cross-check. I also pay attention to terrain features before trips as well as during so that I can locate myself, or in the worst case make my way to the handrails that I've identified on my map.
> Hopefully GPS isn't your sole source of information.
Nowadays, in modern airplanes, it often is your only source of positional information when you're in instrument conditions (which is, of course, when it matters most).
Compass, Altimeter, topographic maps, notes about the route that I've made. Even a watch can aid navigation if you can calculate your speed and see any terrain features.
If anything doesn't jive with what I expect or what I'm seeing I try to understand why.
Great! That is a big difference. Cheap enough for every jet aircraft, most turboprops, and some of the most expensive guided munitions (cruise missiles, or nukes like B.61 Mod 12 for sure).
But, military grade GPS receivers use virtual beam forming to achieve a very high attenuation of spoofing signal so they are extremely hard to spoof, they always get the real signal as stronger.