CR · Feb 22, 2022

DEMO: Relay/Replay Attacks on GNSS signals

arXiv:2202.10897v1 · 24 citations
Originality: Incremental advance
AI Analysis

This work addresses security risks for systems relying on GNSS positioning and timing, but it is incremental as it builds on prior simulation-based research with experimental validation.

The paper tackled the problem of GNSS vulnerabilities by experimentally implementing a relay/replay attack using off-the-shelf hardware, demonstrating that such attacks can spoof receivers even with cryptographic protections like OS-NMA.

Global Navigation Satellite Systems (GNSS) are ubiquitously relied upon for positioning and timing. Detection and prevention of attacks against GNSS have been researched over the last decades, but many of these attacks and countermeasures were evaluated based on simulation. This work contributes to the experimental investigation of GNSS vulnerabilities, implementing a relay/replay attack with off-the-shelf hardware. Operating at the signal level, this attack type is not hindered by cryptographically protected transmissions, such as Galileo's Open Signals Navigation Message Authentication (OS-NMA). The attack we investigate involves two colluding adversaries, relaying signals over large distances, to effectively spoof a GNSS receiver. We demonstrate the attack using off-the-shelf hardware, we investigate the requirements for such successful colluding attacks, and how they can be enhanced, e.g., allowing for finer adversarial control over the victim receiver.
