2021/03/30
By John Nielsen, Ali Broumandan, and Gérard Lachapelle
Ubiquitous adoption of and reliance upon GPS makes national and commercial infrastructures increasingly vulnerable to attack by criminals, terrorists, or hackers. Some GNSS signals such as GPS P(Y) and M-code, GLONASS P-code, and Galileo’s Public Regulated Service have been encrypted to deny unauthorized access; however, the security threat of corruption of civilian GNSS signals increases constantly and remains an unsolved problem. We present here an efficient approach for the detection and mitigation of spoofed GNSS signals, as a proposed countermeasure to add to the existing system.
Current methods to protect GPS civilian receivers from spoofing signals are based on the cross-check with available internal/external information such as predictable characteristics of the navigation data bits or correlation with ancillary inertial-based sensors; alternately, a joint process of signals received at two separate locations based on processing the P(Y)-code.
The authentic GNSS signal sourced from a satellite space vehicle (SV) is very weak at the receiver’s location and is therefore vulnerable to hostile jamming based on narrowband noise radiation at a modest power level. As the GNSS frequency band is known to the jammer, the effectiveness of the latter is easily optimized by confining radiation to within the GNSS signal band. The jammed GNSS receiver is denied position or time estimates which can be critical to the mission. While noise jamming of the GNSS receiver is a threat, the user is easily aware of its existence and characteristics. The worst case is that GNSS-based navigation is denied.
A more significant jamming threat currently emerging is that of the spoofing jammer where bogus signals are transmitted from the jammer that emulate authentic GNSS signals. This is done with multiple SV signals in a coordinated fashion to synthesize a plausible navigation solution to the GNSS receiver. There are several means of detecting such spoofing jammers, such as amplitude discrimination, time-of-arrival discrimination, consistency of navigation inertial measurement unit (IMU) cross-check, polarization discrimination, angle-of-arrival (AOA) discrimination, and cryptographic authentication.
Among these authentication approaches, the AOA discriminator and spatial processing have been addressed and utilized widely to recognize and mitigate hostile attacks. We focus here on the antenna-array processing problem in the context of spoofing detection, with considerations to the pros and cons of the AOA discriminator for handheld GNSS receivers.
An exploitable weakness of the spoofing jammer is that for practical deployment reasons, the spoofing signals generally come from a common transmitter source. Hence, a single jamming antenna sources the spoofing signals simultaneously. This results in a means of possible discrimination between the real and bogus GNSS signals, as the authentic GNSS signals will emanate from known bearings distributed across the hemisphere.
Furthermore, the bearing of the jammer as seen from the GNSS receiver will be different than the bearing to any of the tracked GNSS satellites or space vehicles (SV). This immediately sets up some opportunities for the receiver to reject the spoofing jamming signals. Processing can be built into the receiver that estimates the bearing of each SV signal. Note that the relative bearings of the GNSS signals are sufficient in this case, as the bogus signals will all have a common bearing while the authentic GNSS signals will always be at different bearings.
If the receiver comprises multiple antennas that have an unobstructed line of sight (LOS) to the SVs, then there are possibilities of spoofing detection based on the common bearing of the received GNSS signals and eliminating all the jammer signals simultaneously by appropriate combining of the receiver antennas to form a pattern null coincident with the jammer bearing.
Unfortunately, the AOA discrimination will not be an option if the jammer signal or authentic signals are subjected to spatial multipath fading. In this case, the jammer and individual SV signals will come in from several random bearings simultaneously. Furthermore, if the GNSS receiver is constrained by the form factor of a small handset device, an antenna array will not be an option. As the carrier wavelength of GNSS signals is on the order of 20 to 25 centimeters, at most two antennas can be considered for the handset receiver, which can be viewed as an interferometer with some ability of relative signal-bearing estimation as well as nulling at specific bearings.
However, such an antenna pair is not well represented by independent isotropic field sampling nodes, but will be significantly coupled and strongly influenced by the arbitrary orientation that the user imposes. Hence, the handset antenna is poorly suited for discrimination of the spoofing signal based on bearing. Furthermore, handheld receivers are typically used in areas of multipath or foliage attenuation, and therefore the SV signal bearing is random with significant variations.
As we discuss here, effective spoofing detection is still possible for a single antenna GNSS receiver based on the differing spatial correlation of the spoofing and authentic signals in the proximity of the receiver antenna. The basic assumption is that the antenna will be spatially moved while collecting GNSS signal snapshots. Hence, the moving antenna generates a signal snapshot output similar to that of a synthetic array (SA), which, under some additional constraints, can provide an effective means of detecting the source of the GNSS signals from a spoofing jammer or from an authentic set of SVs.
We assume here an arbitrary antenna trajectory with the spoofing and authentic signals subjected to random spatial multipath fading. The processing will be based on exploiting the difference in the spatial correlation of the spoofing and the authentic signals.
Spoofing Detection Principle
Consider a GNSS handset receiver (Figure 1) consisting of a single antenna that is spatially translated in time along an arbitrary trajectory as the signal is processed by the GNSS receiver. There are L authentic GNSS SV signals visible to the receiver, along with a jammer source that transmits spoofing replicas of the same Lauthentic signals.
FIGURE 1. GNSS receiver with a single antenna and 2L parallel despreading channels simultaneously providing channel gain estimates of L authentic and L spoofing signals as the antenna is moved along an arbitrary spatial trajectory.
It is assumed that the number of spoofed signals range from 1 to L, which are coordinated such that they correspond to a realistic navigation solution at the output of the receiver processing. The code delay and Doppler associated with the spoofing signals will typically be different than those of the authentic signal. The basic technique of coordinated spoofing jamming is to present the receiver with a set of L signals that appear to be sufficiently authentic such that the spoofing and authentic signal sets are indistinguishable. Then the spoofing signals separate slowly in terms of code delay and Doppler such that the navigation solution corresponding to the L spoofing signals will pull away from the authentic navigation solution.
The focus herein is on methods where the authenticity of the L tracked GNSS signals can be tested directly by the standalone receiver and then selected for the navigation processing. This is in contrast with other methods where the received signals are transmitted back to a communication command center for verification of authenticity. The consideration here is on the binary detection problem of assessing if each of the 2L potential signals is authenti
c or generated by a spoofing source. This decision is based on observations of the potential 2L GNSS signals as the antenna is spatially moved through the trajectory.
The complex baseband signal at the output of the antenna, denoted by r(t), can be expressed as
where i is the GNSS signal index, the superscripts A and J indicate authentic and jamming signals respectively, p(t) shows the physical position vector of the moving antenna phase center relative to a stationary spatial coordinate system, ΛAi(p(t),t) and ΛJi(p(t),t) give the channel gain for the authentic and the spoofing signals of the ith SV at time t and position p, ci(t) is the PN coding modulation of ith GNSS signal, πAi and πJi are the code delay of ith PN sequence corresponding to the authentic and the spoofing sources respectively, fDiA and fDiJ are the Doppler frequency of the ith authentic and the spoofing signals and w(t) represents the complex baseband of additive noise of receiver antenna. For convenience, it is assumed that the signal index iε[1, 2,…,L] is the same for the spoofing and authentic GNSS signals. The spoofer being aware of which signals are potentially visible to the receiver will transmit up to L different spoofing signals out of this set.
Another simplification that is implied by Equation 1 is that the message coding has been ignored, which is justifiable as the GNSS signals are being tracked such that the message symbol modulation can be assumed to be removable by the receiver by some ancillary process that is not of interest in the present context. The objective of the receiver despreading operation is to isolate the channel gains ΛA(p(t),t) ΛJ(p(t),t), which are raw observables used in the subsequent detection algorithm.
It is assumed that the GNSS receiver is in a signal tracking state. Hence, it is assumed that the data coding, code phase of the spreading signal and Doppler are known inputs in the despreading operation. The two outcomes of the ith despreading channel for authentic and jamming signals are denoted as riA(t) and rkJ(t) respectively, as shown in Figure 1. This notation is used for convenience and not to imply that the receiver has knowledge of which of the pair of GNSS signals corresponds to the authentic or spoofer cases. The receiver processing will test each signal for authenticity to select the set of L signals that are passed to the navigation estimator.
The despread signals riA(t) and rkJ(t) are collected over a snapshot interval of tε[0,T]. As the notation is simplified if discrete samples are considered, this interval is divided into M subintervals each of duration ΔT such that the mth subinterval extends over the interval of [(m−1)ΔT,mΔT]for mε[1,,2,…,M]. The collection of signal over the first and mth subintervals is illustrated in Figure 2. ΔT is considered to be sufficiently small such that ΛAi(p(t),t) or ΛJk(p(t),t) is approximately constant over this interval leading a set of M discrete samples for each despreading output. From this the vectors form of channel gain sample and outputs of despreaders can be defined by
where ΛAi(p(mΔT),mΔT) and ΛJi(p(mΔT),mΔT) are the mth time sample of the ith despreader channel for the authentic and jamming GNSS signals.
Figure 2. Spatial sampling of the antenna trajectory into M subinterval segments.
Pairwise Correlation
The central tenet of the spoofing detection is that the array gain vector denoted here as the array manifold vector for the jammer signals ΛJ will be the same for all of the L spoofing signals while the array manifold vector for the authentic signals ΛA will be different for each of the L authentic signals. If the random antenna trajectory is of sufficient length, then the authentic signal array manifold vectors will be uncorrelated. On the other hand, as the jammer signals emerge from the same source they will all have the same array manifold vector regardless of the random antenna trajectory and also regardless of the spatial fading condition. This would indicate that a method of detecting that a spoofer is present to form the Mx2L matrix of all of the despreader output vectors denoted as r and given as
where it is assumed that M≥2L.
Basically what can be assumed is that, if there is a spoofer from a common source that transmits more than one GNSS signal simultaneously, there will be some residual spatial correlation of the observables of ΛJi with other despreader outputs of the receiver. Therefore, if operations of pairwise correlations of all of the 2L despreader outputs result in high correlation, there is a likelihood of the existence of spoofing signals. These pairwise correlations can also be used to distinguish spoofing from authentic signals. Note that even during the time when the spoofing and authentic signals have the same Doppler and code offset, the superposition manifold vector of ΛAi and ΛJi will be correlated with other spoofing manifold vectors. The pairwise correlation of the various spoofing signals can be quantified based on the standard numerical estimate of the correlation coefficient given as
where ri is the ith column vector of r defined in Equation 3, and the superscript H denotes the complex conjugate operator.
Toward Spoofing Detection
Figure 3 shows the spoofing attack detection and mitigation methodology:
The receiver starts with the acquisition process of a given GNSS code. If, for each PN sequence, there is more than one strong peak above the acquisition threshold, the system goes to an alert state and declares a potential spoofing attack. Then the receiver starts parallel tracking on each individual signal.
The outputs of the tracking pass to the discriminator to measure the correlation coefficient ρ among different PN sequences. As shown in Figure 3, if ρ is greater than a predefined threshold ϒ, the receiver goes to defensive mode. As the spoofer attempts to pull the tracking point off the authentic signals, the spoofer and authentic signals for a period of time will have approximately the same code offset and Doppler frequency. Hence, it may not be possib
le to detect more than one peak in the acquisition mode. However, after a while the spoofer tries to pull tracking mode off.
The outputs of the parallel tracking can be divided into two groups: the J group is the data set that is highly correlated, and the A group is the set that is uncorrelated. It is necessary that the receiver antenna trajectory be of sufficient length (a few tens of the carrier wavelengths) such that M is moderately large to provide a reasonable estimate of the pairwise correlation.
The A group will be constrained in size based on the number of observable satellites. Usually this is known, and L can be set. The receiver has control over this by setting the bank of despreaders. If an SV signal is known to be unobtainable due to its position in the sky, it is eliminated by the receiver. Hence the A group can be assumed to be constrained in size to L. There is the possibility that a spoofer will generate a signal that is clear, while the SV signal is obscured by shadowing obstacles. Hence a spoofing signal can inadvertently be placed in the A group. However, as this signal will be correlated with other signals in the J group, it can be transferred from the A to the J group.
When the spoofing navigation solution pulls sufficiently away from the authentic solution, then the navigation solution can create two solutions, one corresponding to the authentic signals and the other corresponding to the spoofing signals. At this stage, the despreading code delay and Doppler will change such that the authentic and spoofing signals (corresponding to the same GNSS signal) will appear to be orthogonal to each other.
Proper placement of the members in the J and A groups can be reassessed as the set of members in the A group should provide the minimum navigation solution variance. Hence, in general there will be a spoofing and authentic signal that corresponds to the GNSS signal of index i. If the spoofing signal in group J appears to have marginal correlation with its peer in group A and, when interchanged with its corresponding signal in group A, the latter generates a lower solution variance, then the exchange is confirmed.
Figure 3. Spoofing detection and mitigation methodology.
Experimental Measurements
We used two data collection scenarios in experiments of spoofing detection, based on utilizing a single antenna that is spatially translated, to demonstrate the practicality of spoofing-signal detection based on spatial signal correlation discrimination. In the first scenario, the spoofing measurements were conducted inside a modern three-story commercial building. The spoofing signals were generated by a hardware simulator (HWS) and radiated for a few minutes indoors, using a directional antenna pointing downward to affect only a small area of the building. The intention was to generate NLOS propagation conditions with significant multipath.
The second data collection scenario was based on measuring authentic GPS L1 C/A signals under open-sky conditions, in which case the authentic GPS signals are temporally highly correlated. At the particular instance of the spoofing and the authentic GPS signal measurement scenarios, the SVs were distributed as shown in Figure 4. The GPS receiver in both scenarios consisted of an active patch right-hand circular polarized (RHCP) antenna and a down-conversion channelizer receiver that sampled the raw complex baseband signal. The total data record was subsequently processed and consisted in acquiring the correlation peaks based on 20-millisecond coherent integration of the spoofing signals and in extracting the channel gains L as a function of time.
Figure 4. Skyplots of available satellites: a) spoofing signals from Spirent generator, b) authentic signals from rooftop antenna.
Figure 5 shows a plot of the samples of the magnitude of despreader outputs for the various SV signals generated by the spoofing jammer and authentic signals. The signal magnitudes in the spoofing case are obviously highly correlated as expected, since the jammer signals are all emanating from a common antenna. Also, the SNRs are moderately high such that the decorrelation due to the channel noise is not significant.
The pairwise correlation coefficient using Equation 4 are calculated for the measurement results represented in Figure 5 and tabulated in Table 1 and Table 2 for the spoofing and the authentic cases respectively. As evident, and expected, the correlations for the spoofing case are all very high. This is anticipated, as the spoofing signals all occupy the same frequency band with exception of small incidental shifts due to SV Doppler.
Figure 5. Normalized amplitude value of the signal amplitude for different PRNs: a) generated from the same antenna, b) Authentic GPS signals.
TABLE 1. Correlation coefficient deter- mined for the set of spoofing signals.
TABLE 2. Correlation coefficient deter- mined for the set of authentic signals.
Conclusions
Spoofing signals generated from a common source can be effectively detected using a synthetic array antenna. The key differentiating attribute exploited is that the spoofing signals emanating from a single source are spatially correlated while the authentic signals are not. The method works regardless of the severity of multipath that the spoofing or authentic signals may be subjected to. The receiver antenna trajectory can be random and does not have to be jointly estimated as part of the overall spoofing detection.
A patent is pending on this work.
Manufacturers
The experimental set-up used a Spirent GSS7700 simulator, National Instruments receiver (NI PXI-5600 down converter, and NI PXI-5142 digitizer modules), TECOM directional helical antennas as the transmitter antenna, and NovAtel GPS-701-GG as the receiver antenna.
JOHN NIELSEN is an associate professor at the University of Calgary.
ALI BROUMANDAN is a senior research associate in the Position Location And Navigation (PLAN) group at the University of Calgary. He obtained a Ph.D. in Geomatics Engineering from the University of Calgary in 2009.
GERARD LACHAPELLE holds an iCORE/CRC Chair in Wireless Location and heads the PLAN Group in the Department of Geomatics Engineering at the University of Calgary.
item: Cell phone jammer amazon | cell phone jammer gif
5
32 votes
cell phone jammer amazon
2 – 30 m (the signal must < -80 db in the location)size.the pki 6085 needs a 9v block battery or an external adapter.while the second one shows 0-28v variable voltage and 6-8a current.normally he does not check afterwards if the doors are really locked or not.this project shows the control of appliances connected to the power grid using a pc remotely,5% to 90%the pki 6200 protects private information and supports cell phone restrictions,completely autarkic and mobile,the jammer is portable and therefore a reliable companion for outdoor use.i have placed a mobile phone near the circuit (i am yet to turn on the switch).we are providing this list of projects.it was realised to completely control this unit via radio transmission.pulses generated in dependence on the signal to be jammed or pseudo generatedmanually via audio in,similar to our other devices out of our range of cellular phone jammers,once i turned on the circuit,this break can be as a result of weak signals due to proximity to the bts,the circuit shown here gives an early warning if the brake of the vehicle fails,an indication of the location including a short description of the topography is required.modeling of the three-phase induction motor using simulink,the paper shown here explains a tripping mechanism for a three-phase power system.in case of failure of power supply alternative methods were used such as generators,here is a list of top electrical mini-projects.this project shows the control of appliances connected to the power grid using a pc remotely.i can say that this circuit blocks the signals but cannot completely jam them.the transponder key is read out by our system and subsequently it can be copied onto a key blank as often as you like.frequency correction channel (fcch) which is used to allow an ms to accurately tune to a bs,the marx principle used in this project can generate the pulse in the range of kv,even temperature and humidity play a role,this paper shows the real-time data acquisition of industrial data using scada.this circuit uses a smoke detector and an lm358 comparator,this project shows the controlling of bldc motor using a microcontroller,the rating of electrical appliances determines the power utilized by them to work properly,it should be noted that these cell phone jammers were conceived for military use.if there is any fault in the brake red led glows and the buzzer does not produce any sound.micro controller based ac power controller.this device can cover all such areas with a rf-output control of 10.this article shows the circuits for converting small voltage to higher voltage that is 6v dc to 12v but with a lower current rating,please see the details in this catalogue,the frequencies are mostly in the uhf range of 433 mhz or 20 – 41 mhz.all mobile phones will indicate no network.
This project uses arduino and ultrasonic sensors for calculating the range,the pki 6200 features achieve active stripping filters,the signal must be < – 80 db in the locationdimensions.4 turn 24 awgantenna 15 turn 24 awgbf495 transistoron / off switch9v batteryoperationafter building this circuit on a perf board and supplying power to it,prison camps or any other governmental areas like ministries.radius up to 50 m at signal < -80db in the locationfor safety and securitycovers all communication bandskeeps your conferencethe pki 6210 is a combination of our pki 6140 and pki 6200 together with already existing security observation systems with wired or wireless audio / video links,power grid control through pc scada.computer rooms or any other government and military office.solar energy measurement using pic microcontroller.a piezo sensor is used for touch sensing,this sets the time for which the load is to be switched on/off.the cockcroft walton multiplier can provide high dc voltage from low input dc voltage,when the temperature rises more than a threshold value this system automatically switches on the fan,the operational block of the jamming system is divided into two section,cell towers divide a city into small areas or cells.they go into avalanche made which results into random current flow and hence a noisy signal,by activating the pki 6050 jammer any incoming calls will be blocked and calls in progress will be cut off,-20°c to +60°cambient humidity,it employs a closed-loop control technique.which is used to test the insulation of electronic devices such as transformers.shopping malls and churches all suffer from the spread of cell phones because not all cell phone users know when to stop talking,this is also required for the correct operation of the mobile.complete infrastructures (gsm,overload protection of transformer,due to the high total output power.while the human presence is measured by the pir sensor,1800 to 1950 mhztx frequency (3g).we – in close cooperation with our customers – work out a complete and fully automatic system for their specific demands,one is the light intensity of the room.a mobile phone jammer prevents communication with a mobile station or user equipment by transmitting an interference signal at the same frequency of communication between a mobile stations a base transceiver station,therefore it is an essential tool for every related government department and should not be missing in any of such services.8 watts on each frequency bandpower supply.if you are looking for mini project ideas,cell phones are basically handled two way ratios.the electrical substations may have some faults which may damage the power system equipment,auto no break power supply control.a piezo sensor is used for touch sensing,all these project ideas would give good knowledge on how to do the projects in the final year.this project shows the measuring of solar energy using pic microcontroller and sensors.
This project uses a pir sensor and an ldr for efficient use of the lighting system,this was done with the aid of the multi meter,the first circuit shows a variable power supply of range 1,2100-2200 mhztx output power,you may write your comments and new project ideas also by visiting our contact us page,we have designed a system having no match,while the human presence is measured by the pir sensor.the multi meter was capable of performing continuity test on the circuit board.this task is much more complex,cpc can be connected to the telephone lines and appliances can be controlled easily,a constantly changing so-called next code is transmitted from the transmitter to the receiver for verification,this paper shows a converter that converts the single-phase supply into a three-phase supply using thyristors,when the temperature rises more than a threshold value this system automatically switches on the fan,the light intensity of the room is measured by the ldr sensor.there are many methods to do this,we are providing this list of projects.several noise generation methods include,the frequencies extractable this way can be used for your own task forces.upon activating mobile jammers.phase sequence checking is very important in the 3 phase supply,8 kglarge detection rangeprotects private informationsupports cell phone restrictionscovers all working bandwidthsthe pki 6050 dualband phone jammer is designed for the protection of sensitive areas and rooms like offices.all mobile phones will automatically re- establish communications and provide full service,20 – 25 m (the signal must < -80 db in the location)size.many businesses such as theaters and restaurants are trying to change the laws in order to give their patrons better experience instead of being consistently interrupted by cell phone ring tones.viii types of mobile jammerthere are two types of cell phone jammers currently available,this also alerts the user by ringing an alarm when the real-time conditions go beyond the threshold values,the rf cellulartransmitter module with 0.9 v block battery or external adapter,the integrated working status indicator gives full information about each band module,as many engineering students are searching for the best electrical projects from the 2nd year and 3rd year..
