by PaulHoule 1966 days ago
Some people say that there isn't much open literature on GPS anti-spoofing, but there are many patents filed by the likes of Lockheed-Martin, Boeing, BAE, etc.

I find the multiple antenna answers interesting.

For instance, one of the easier attack scenarios against an airplane is to have a directional antenna on the ground. Because airplanes broadcast their GPS position via ADS-B, you could also know that you'd succeeded.

In a case like that, however, the radio signal from the ground would be stronger than the signal from the sky and it would be obvious what was going on, unless the attacker managed to get the power level just right.

With multiple receivers you also will see very different results with spoofing than with a real signal. For instance if you had a receiver at the front of the airplane and one at the back of the airplane, the time delay for all the fake satellites would be the same (they all come from the same place) whereas the time delays (e.g. position) would be noticeably different from real sats.
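The two-receiver check described in the post above, as an added example that is not part of the original thread: it compares the front/rear arrival-time difference measured for each satellite with the difference the sky geometry predicts. The 30 m antenna separation, satellite directions, jitter values, noise bound and function names are all constructed assumptions.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def delay_diff(baseline_enu, az_deg, el_deg):
    """t_front - t_rear (s) for a plane wave arriving from (az, el).
    baseline_enu: rear->front antenna vector in metres (east, north, up)."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    u = (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))
    return -sum(b * x for b, x in zip(baseline_enu, u)) / C

def check(measured, sky, baseline_enu, noise_s=5e-9):
    """measured: {prn: t_front - t_rear}; sky: {prn: (az, el)} from the almanac.
    noise_s is an assumed measurement noise bound, not a real receiver spec."""
    prns = sorted(measured)
    exp = [delay_diff(baseline_enu, *sky[p]) for p in prns]
    meas = [measured[p] for p in prns]
    exp_spread = max(exp) - min(exp)
    meas_spread = max(meas) - min(meas)
    if exp_spread < 4 * noise_s:
        return "inconclusive"          # geometry gives nothing to compare against
    if meas_spread < 2 * noise_s:
        return "spoofing suspected"    # every PRN shares one direction of arrival
    # Remove the common bias (cable/clock offset between the two receivers).
    bias = sum(m - e for m, e in zip(meas, exp)) / len(prns)
    worst = max(abs(m - e - bias) for m, e in zip(meas, exp))
    return "consistent" if worst < 2 * noise_s else "mismatch"

# Constructed scenario: antennas 30 m apart along a north-pointing fuselage.
BASELINE = (0.0, 30.0, 0.0)
SKY = {5: (0, 30), 12: (180, 30), 17: (90, 60), 25: (45, 45)}
NOISE = {5: 0.4e-9, 12: -0.3e-9, 17: 0.2e-9, 25: -0.5e-9}   # constructed jitter

REAL = {p: delay_diff(BASELINE, *SKY[p]) + NOISE[p] for p in SKY}
# Constructed spoofing case: all four PRNs arrive from one point ahead and below.
SPOOFED = {p: delay_diff(BASELINE, 0, -10) + NOISE[p] for p in SKY}

if __name__ == "__main__":
    print("real   :", check(REAL, SKY, BASELINE))
    print("spoofed:", check(SPOOFED, SKY, BASELINE))
    print("short  :", check(REAL, SKY, (0.0, 0.0, 0.5)))
```

The "inconclusive" branch covers the case where the antenna baseline is too short, or badly oriented relative to the visible satellites, for genuine signals to differ by more than the noise.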

2 comments

If an attacker knows that the plane has two antennas, and their exact locations, he/she can generate the "correct" signals at each plane antenna with two attacker antennas and lots of math.

Getting their exact locations is simplified by the fact the location is being transmitted by ADS-B...

Nice.

That sounds tricky though. You need to be very precise. The attacker needs to provide a different received signal to two antennas meters (at most!) apart, at a distance of maybe kilometers, on a moving target. That's a hair-thin angle.

The aircraft just needs to TDoA "did it come from above or below" (assuming an attack from the ground). That's 180 degrees.

Or am I missing something? Unless I am, this doesn't sound feasible to me.

The equipment I have pictured in my mind is one of the two-axis trackers that radio hams use to track satellites with a long but narrow Yagi-Uda antenna. (If that can handle the bandwidth)

These tend to move in jerks and will get in real trouble if you try to move them over the zenith, but they do a great job with LEO satellites and would do OK to uplink one signal to an airplane.

You might be able to hit two receivers if you had a phased array antenna like the Starlink antenna but bigger, but now it isn't a simple hacking project anymore.

BTW, don't try it. There are certain things like aviation and nuclear power that "Posse Comitatus" doesn't apply to and you could find yourself looking down the barrel of an M4 carbine and getting frog-talk from the USMC much quicker than you'd expect.

I don't think the gain of a Yagi (even these ridiculously long ones) is anywhere near precise enough. Keep in mind that even a 20dB gain antenna (simplified, since radiation patterns are complicated) only focuses the radiation pattern into 3.6 degrees. That's over 7 times the diameter of the moon in the sky.

I think even at GNSS frequencies you may need Arecibo-sized antennas to get useful directivities. E.g. check this diagram: http://www.coseti.org/9006-013.htm

No, I think a phased array is a better bet, but if it's possible to steer that tightly, you'd need a shitload of antennas. Like, a shitload. E.g. US PAVE PAWS active phased array has 2677 antennas to create a 2.2 degree beam. "Only" ~4.5 moons.

I don't know the maths, but that probably means millions or billions of antennas to beamform this right.

So yeah, I'm staying with "not feasible", probably even for a superpower.

You don't need to make a finely focussed beam... You simply need to be able to put nulls at each of the plane's antennas.

If the attacker has two antennas on the ground, say 1km apart, and the plane is 1km up, then no real precision is required - there exists a phase offset between your two antennas where only one of the plane's antennas picks up your signal, and the other antenna picks up nothing. If the plane were stationary, this could be found by a simple sweep of possible phase offsets.

If the plane is moving, it becomes harder to find and track the necessary offset, but if the plane is flying halfway between the attacker's ground-based antennas, the offset is ~constant, so a sweep again starts to look doable...

So TX1 sends data headed for RX1, plus the TX2 signal phase-modulated to cancel out TX2 at RX1?

I don't know how much an aircraft shakes, but if I understand what you're saying then this is possibly even harder. You'd need to predict the positions in fractions of a wavelength, wouldn't you? And atmospheric changes could possibly affect it too.

> If the plane is moving

In the air, they tend to. On the ground accurate positioning is less important to protect.

> Because airplanes broadcast their GPS position via ADS-B, you could also know that you'd succeeded.

If the GPS is integrated with inertial navigation systems, the effect of GPS spoofing on the computation of the position (that could be observed by ADS-B) might prove tricky to anticipate.