On Mixing Authenticated and Non-Authenticated Signals Against GNSS Spoofing

Anti-spoofing techniques for current global navigation satellite systems (GNSS) authenticate signals on a single band and from a single system. However, nowadays commercial GNSS receivers commonly calculate the position, velocity, and time (PVT) solution by simultaneously utilizing signals from multiple constellations and bands, with a substantial enhancement in both accuracy and availability. Therefore, anti-spoofing techniques have recently been proposed that mix authenticated and onauthenticated signals to increase performance without sacrificing security. In this paper, we formalize the models of such signal mixture-based authentication checks. We propose a spoofing attack generating a fake signal that leads the victim to a target PVT solution, undetected. We analytically relate the degrees of freedom of the attacker in manipulating the victim’s solution to both the employed security checks and the number of open nonauthenticated signals that can be tampered with by the attacker. The performance of the considered attack strategies are tested on an experimental dataset. Finally, we assess the limits of PVTbased GNSS authentication checks where both authenticated and non-authenticated signals are used.


I. INTRODUCTION
Global navigation satellite systems (GNSSs) provide realtime positioning and timing for various civil and military applications.However, GNSS signals are particularly susceptible to both accidental and intentional interference due to their low received power.Furthermore, civilian GNSS signal and modulation formats are open to the public [1], [2]: therefore, an attacker can compromise location or timing-aware applications by generating fake GNSS signals, leading the receiver into the calculation of a fake location or time [3], [4].These attacks are referred to as spoofing attacks.Additionally, several works have reported successful attacks even using off-the-shelf hardware [5], [6].
Thus, service providers proposed several authentication mechanisms.On the system side, authentication is strengthened by incorporating into the broadcast GNSS signals specific features, which cannot be predicted and generated by the attacker.An authentication-enabled receiver can then interpret these characteristics to distinguish authentic signals from forgeries.The features can be inserted at two complementary levels: the data level, i.e, on navigation messages, and the ranging level, i.e., on pseudoranges between the satellite and receiver.
Navigation message authentication (NMA) techniques aim at ensuring the authenticity of the content of the navigation messages.Open service NMA (OS-NMA) [7] is a data authentication function for public Galileo E1B signals, in which the message transmitted by the satellites is interleaved with authentication data, generated through a broadcast authentication protocol called timed-efficient stream loss-tolerant authentication (TESLA) [8]- [10].However, NMA-based protocols are vulnerable to secure code estimation and replay (SCER) attacks [11], [12] that estimate the message signature to forge a fake signal in real-time.
Authentication at the ranging level operates on the signal spreading code, de facto authenticating each signal travel time, i.e., the time it takes for the signal to reach the receiver.Spreading code encryption (SCE) techniques are the most reliable options to limit access to GNSS signals, as they make the whole spreading code unpredictable.A SCE solution for Galileo is represented by the commercial authentication service (CAS), which will complement OS-NMA by offering spreading ranging level authentication in the E6 band.The assisted CAS (ACAS), recently presented in [13] and [14], is instead a spreading code authentication (SCA) method based on the navigation data received and authenticated by OS-NMA.For GPS, the chips-message robust authentication (CHIMERA) scheme, [15], [16], aims at jointly authenticating the navigation data and the spreading code of GPS signals for civil usage, implementing both NMA and SCA.This solution replaces a small part of the spreading code with a secret cryptographic sequence, which can be subsequently reproduced by the receivers when they become aware of the key.Navigation message data are instead protected by digitally signing most or all the data.Indeed, ranging level authentication reduces the effectiveness of SCER-type attacks, as discussed in [17].Thus, in the following, we will refer to signals protected by SCA (or SCE) as authenticated signals, while all the others are open signals.
Both ACAS and CHIMERA present several issues.First, data for range verification is only provided to the receivers a posteriori, therefore they do not allow the verification of the current position, velocity, and time (PVT).To address this, in [18], the authors proposed a strategy where only ACAS is used to derive a continuous, robust, and secure timing service: the application however is limited to static scenarios.A verification method operating on a continuous GPS signal and using a stochastic reachability-based Kalman filter is proposed in [19].However, this solution relies only on CHIMERA and does not take advantage of signals transmitted by other systems or over different frequency bands.
A second issue is that a receiver using only the authenticated signals to derive the PVT may reduce the solution accuracy and availability.To make the PVT solution more accurate, GNSS receivers typically exploit the signals of all the available frequency bands.Thus, a recent trend considers crossauthentication mechanisms, where, on the receiver side, authenticated signals are combined with open non-authenticated signals, and a consistency check is performed on the obtained solution.
To improve the trustfulness of the PVT, [20] discusses a stepwise approach wherein the receiver exploits the authenticated signals as trust anchors for the complete PVT solution.
In particular, the check between signals on the same band but different carrier frequencies has been included in [14] to verify the consistency between Galileo encrypted E6C and E1B open measurements.Still, the effectiveness of the proposed approach degrades when including signals from different systems and in urban scenarios.
In [21], the authors proposed a cross-authentication scheme with the goal of enhancing the Galileo ranging level protection, without relying on CAS, by leveraging on both CHIMERA and OS-NMA single system authentication concepts.Knowing that the GPS and the Galileo reference times are related by the GPS to Galileo time offset (GGTO) [22], they proposed a consistency check between the measured local clock biases and the GGTO retrieved from the navigation messages.However, we will show that it is possible to attack such a mechanism even by tampering with only the open Galileo signals.
In this paper, we investigate the security of crossauthentication for PVT-based checks in GNSS: in particular, we derive spoofing attack strategies targeting crossauthentication schemes showing that such mechanisms do not guarantee the authenticity of the computed solutions.More in detail, the main contributions of the paper are the following.
1) We introduce a new general framework for the PVT cross-authentication checks.In particular, we identify two classes of cross-checks: time-based checks for positioning services and position-based checks for timing.The discussed state-of-the-art mechanisms fit these classes.2) We introduce the attack strategies that break the crossauthentication checks, and a novel generation time spoofing attack of the signal generation type.3) We analytically investigate the limits of the new attack, for instance, relating the degrees of the freedom of the attacker in manipulating the victim's solution to parameters of the transmission/propagation scenario.4) We analytically evaluate the attack performance considering both a noiseless scenario and a realistic noisy scenario.5) We test the attacks by using an experimental dataset collected by a Septentrio PolarRx5 receiver.
The rest of this paper is organized as follows.Section II introduces the system model.Section III provides a general model for the PVT-based authentication checks.Then, Section IV describes the proposed attack strategies.Section VI presents the numerical results, obtained from the experimental dataset.Finally, Section VII provides the conclusions.

II. SYSTEM MODEL
We consider a multi-constellation receiver acquiring signals from M > 1 constellations.A subset of the received signals is authenticated, i.e., protected by a SCE (or SCA) mechanism.For instance, these may represent a set of Galileo signals protected by CAS in the E6C band or GPS signals protected by CHIMERA in L1 C/A.We assume no fault can happen in the authentication assessment of these signals; thus, the attacker cannot generate new signals to replace the authenticated ones.
In general, the victim receiver obtains signals from N visible satellites: N A are authenticated while the remaining N O = N − N A are open (i.e., non-authenticated).For ease of notation, the authenticated satellites are indexed by j = 1, . . ., N A , while non-authenticated satellites are indexed by j = N A + 1, . . ., N .After the general acquisition and tracking procedures (see, e.g., [23,Ch. 5]), the receiver obtains a vector of pseudoranges measurements r = [r 1 , . . ., r N ] T .
In nominal conditions, the PVT solution computed by the victim receiver is denoting the receiver's three-dimensional position in Earth-Centered Earth-Fixed (ECEF) coordinates, and the clock biases, one per each time reference.The procedure to obtain (1) is outlined in Appendix A. Indeed, we may consider a single time reference, e.g., one of the GNSS time references or the coordinated universal time (UTC), and relate the others reference, using the respective inter-system bias (ISB) [24,Ch. 21], thus obtaining the PVT solution as outlined in Appendix B. However, some of the considered mechanisms use instead the ISB to assess the authenticity of the solution, so, in these cases, we will estimate each clock bias separately from the others, as in (1).On the other hand, when the assessment is based on the receiver position, we will consider the PVT solution to be computed as in (2).

A. PVT Solution
In this Section, we briefly describe how GNSS receivers typically compute the PVT solution that will be used in the cross-authentication checks.
At each epoch, the PVT solution is computed following an iterative approach, starting from the initial solution p = [x, ŷ, ẑ, t1 , . . ., tM ] T , or p = [x, ŷ, ẑ, t] T , depending on whether we aim to get (1) or (2), respectively.In particular, p is the PVT computed at the previous epoch or a predefined starting point (cold start).The approach follows a linearization procedure, where the PVT is related to the range by the geometry matrix G (see Appendices A and B for details).Thus, given the range measurement of the jth signal r j and its estimate rj , the range residual is ∆r j = r j − rj . ( Next, observe that the pseudorange displacement ∆r is related to the position displacement ∆p as where we decomposed the geometry matrix considering the authenticated and the open signal in G A and G O , respectively.From the previous relation, it follows that ∆p can be computed from ∆r as where H is the Moore-Penrose pseudoinverse of G, often called also least-squares solution matrix.We remark that the components of matrix H depend only on the relative geometry between the user and the N satellites participating in the leastsquares computation.Finally the position is updated as p = p + ∆p, where p is the starting point for the next iteration. The iterative procedure continues until either i) the maximum number of iterations is reached or ii) the solution update is smaller than a user-defined step, i.e., ∆p < .More details about the procedure and the derivation of each term are reported in the Appendices.

B. Attacker Model
In this Section, we detail the attacker's capabilities and operations.We assume that the message data (e.g., atmospheric corrections and ephemeris) are retrieved from a publiclyavailable authenticated side channel.Additionally, we suppose that the actual victim receiver position is known by the attacker.We take into consideration two types of attacks: Generation attack: This attack consists of the generation and transmission of fake GNSS signals, corresponding possibly different PVT solutions than the one computed using the legitimate signals.Relay attack: This attack consists of sampling, recording, and relaying the entire modulated signal with unchanged code and data.This attack is sometimes referred to as meaconing.We remark that the attacker cannot perform a generation attack on authenticated signals, which are protected by SCA (or SCE), because he has no knowledge of the actual spreading code.The only action the attacker can perform on the authenticated signals is a relay attack.On the other hand, the attacker can generate, relay, or selectively delay the open signals, since, in this case, both the spreading code and the message content are entirely public.
We assume that the victim under attack acquires and locks onto the forged signals transmitted by the attacker.This is achieved, for instance, by increasing the transmitting power of the forged signals or canceling the legitimate open ones.
The attacker aims at inducing the victim receiver to obtain as PVT some target position p instead of the authentic solution p.To achieve this goal, he tampers the signals propagation times, altering the range residuals ∆r by a term ∆r T , such that, when under attack, (4) and (5) become respectively ∆ p ∆p + ∆p T = H∆ r .
This means that the range tampering ∆r T causes a displacement on the PVT solution ∆p T .So, the PVT update due to the attacker spoofing will be We remark that the iterative least squares approach to compute the PVT when under attack is approximated by a linear transformation only when the pseudorange displacement ∆r T introduced by the attacker is small with respect to r.In Section VI, we will test the effectiveness of the attack by exploiting the linearization procedure and evaluating the performance as a function of the distance between the target and the real position, i.e., the magnitude of the pseudorange displacements to be induced, thus testing the robustness of the linear approximation.
Fig. 1 shows the displacement of the attacker PVT due to the attacker tampering: in legitimate conditions, starting from p, the receiver would compute ∆p to obtain the legitimate solution p (in black).In turn, the attacker wants to lead the receiver to the target p (in red), thus he tampers the signals, causing the alteration ∆p T .In this case, instead of the true PVT, the victim computes p, as close as possible to the target p .Notice that Fig. 1 may represent the actual 3D position or the whole PVT vector, i.e., considering points in the 3 + M space.
For the sake of clarity, we will distinguish between authenticated and non-authenticated ranges residuals, ∆r T,A and ∆r T,O , that the attacker introduces to the authenticated and non authenticated signals, respectively Finally, it is natural to partition the least square matrix as where H A and H O represent the matrix associated to the authenticated and the open signals, respectively.In particular, since the attacker can only perform a relay attack on the authenticated signals, we model the tampering of the attacker on the authenticated ranges as ∆r T,A = k1, where 1 is the column vector filled with all ones.Indeed, when performing a generation attack, the attacker sets k = 0, i.e., only the open signals are actually fake.

III. PVT-BASED CROSS-AUTHENTICATION CHECKS MODELS
The receiver computes the PVT solution using both authenticated and non-authenticated ranges.Next, to assess its authenticity, it performs one or more consistency checks on the PVT (or in part of it).We use decision theory to describe the problem and consider the two hypotheses  The consistency check on the PVT provides one of the two decision Ĥ0 : Check passed, PVT is legitimate This allows us to define the false alarm and missed detection probabilities as In the next Sections, we describe the classes of consistency checks to authenticate the PVT, also related to the required service.

A. Time-Based Checks for Navigation Services
The receiver collects signals from M different GNSSs, with the PVT solution containing N s clock biases, one per GNSS time reference, thus, p is computed as in Appendix A. The time references are related by the ISB, thus the receiver considers the PVT to be authentic if where C is a matrix that selects and relates a pair of clock biases (with the appropriate sign), while δ t contains an upper bound of the expected ISB, eventually tuned to meet a predefined false alarm.The mechanism for time-based checks is summarized in Fig. 2. Matrix C has N c = 2 (M − 1) rows, with δ t containing M − 1 upper-bounds on the measured ISB.Therefore, C has M − 1 linearly independent rows.The i-th row of C is c i : this will be associated to the i-th element of δ t , δ t,i , such that the i-th check will be θ t,i = c i Hr ≤ δ t,i .For instance, in [21] where T is a threshold that is set by the receiver, and b is a bias set during the calibration phase.More details about the security check and the parameters' derivation are reported in [21].The check ( 12) can be framed in (11), by choosing This means that the attacker must craft a ∆r T that changes the estimated time offset by at most δ t .In the rest of the paper, we will refer to this scheme as ISB-based cross-authentication check.

B. Position-Based Checks for Timing Services
The goal here is to provide a secure GNSS-based timing source.We assume the receiver knows a priory its position, whose coordinates are denoted by these may be obtained either by computing the PVT using only authenticated ranges, received by a side channel, or it can be simply a priory (e.g., in a static scenario).However, none of these side channels provides a reliable timing correction.Hence, the receiver exploits all the available measurements, both authenticated and open, and obtains the PVT solution p = [x, y, z, t], containing the desired clock bias correction, as outlined in Appendix B. To verify its authenticity, the receiver verifies that the reconstructed position is consistent with its a-priori knowledge of the position, verifying that where represents the 3D position displacement with respect to the reference position.The position-based check is summarized in Fig. 3.If the check passes, i.e., the position computed using all the signals is coherent with the reference one, the solution is considered safe and the receiver uses the timing correction from p to correct the local clock.An example of such a setting is described in [18].

IV. PROPOSED ATTACK STRATEGIES
In this Section, we outline the proposed strategies that the attacker uses to alter the PVT solution without alerting the victim receiver.First, we focus on the ideal noiseless scenario, where the received signals of neither the attacker nor the victim are affected by noise.We will generalize the attack for a more realistic scenario in Section V.
To be successful the attacker must i) alter only the nonprotected signals, and choose the ∆r T such that ii) ∆ p passes the check employed by the victim, and iii) leads the victim to a PVT solution close to the target p .In this first phase, we assume that the victim receives the signals as intended by the attacker.Moreover, we consider that the attacker knows the pseudorange vector r that the victim would measure in the nominal scenario.In Section V, we will analyze the scenario wherein the attacker cannot pre-compensate the channel, and the victim receives a noisier copy of the tampered signal.
In the following Sections, we describe the attacking strategies for the timing and position-based checks.

A. Generation Attack Against Time-Based Checks
We consider a legitimate receiver employing the check described in Section III-A, where the PVT solution is considered to be authentic and the clock bias differences are coherent with the ISBs derived from a side channel.
First, we identify the set of feasible solutions that do not raise an alarm at the receiver.Next, we pick the solution that leads the receiver estimated position close to the target position p .
To identify the set of feasible solutions, we have the following result.
Theorem 1.Given a constraint vector δ , the set of feasible solutions for the attacker containing all the range alterations that do not raise an alarm in (11) is the affine space where ∆r p is a solution of δ = CH O ∆r T,O , and N (X) is the null space of X.Moreover, it holds Proof.Now, condition (11) requires We assume that, in the nominal scenario, the check ( 11) is passed, thus, C p+C∆p = δ ≤ δ t : for instance, this models also the case where the defender's measurements are affected by noise.So, to avoid raising an alarm, the attacker can choose any alteration that induce a change smaller than δ t − δ , i.e., from 17 the shift induced by the attacker is By using (5) and considering that only non-protected signals can be manipulated by the attacker, we have Being δ under the control of the attacker, he can choose it such that δ ∈ R(CH O ), so that (19) has at least one solution.Indeed, rank(CH O ) = M − 1, since C has M − 1 linearly independent rows. 1 The matrix resulting from the product Hence, by the Rouché-Capelli's theorem, (19) describes a linear undetermined system that admits infinitely many solutions, belonging to the affine space S as defined in (15), where ∆r p is any particular solution of (19), which can be found, for instance, by Gaussian elimination.Moreover, since the dimension of an affine space is the dimension of its associated linear space, we have So, each solution of 19 depends on N O − M + 1 parameters.
The above Theorem has two main consequences.First, let us consider the worst-case scenario for the attacker, where the legitimate range residuals ∆r already yield C∆p = δ.In this case, there is no margin for the attacker that, from 18, has to pick an attack with δ = 0. Still, (15) shows that it is possible to lead a successful attack, by picking ranges from the null space N (CH O ).
Secondly, it shows that the increased number of signals used in the PVT by the legitimate receiver potentially leads to an increased degree of freedom given to the attacker to manipulate the fake PVT solution, since the dimension of the null space increases.However, using more open signals improves the accuracy of the PVT estimation, when under attack.Therefore, a trade-off between accuracy and security is at stake here.Finally, there may be scenarios where N A < 4, therefore no fully authenticated PVT solution is available at all.In these cases, the victim receiver has to increase the number of the open signals used for the PVT or not compute any PVT at all.
Next, we derive the actual range alterations that lead the victim receiver to the target position p .We consider the worst-case scenario for the attacker, where δ = 0.In this case, (19) describes a linear homogeneous system whose solutions belong to the linear space S = N (CH O ).Indeed, this boils down to the general case by adding in the calculations a range vector related to the particular solution ∆r p .Thus, any solution belonging to S can be written as where u 1 , . . ., u K is an orthonormal basis of S, α k ∈ R ∀k = 1, . . ., K, and K dim (S).Notice that U is a matrix with 3 + M rows and K columns.
Target and fake positions are related by where in the last step we used the fact that the attacker will only use the range alterations that do not raise an alarm, i.e., belonging to (15) so having the form in (22).By imposing the target position to coincide to the fake one, i.e., p = p , we have and, resorting to the Moore-Penrose pseudoinverse, we obtain Finally, plugging this in (21), we obtain the target range alteration Indeed, as required, this attack will not raise any alarm while taking the victim exactly to p .Alternatively, by exploiting (22), we can choose the solution directly minimizing the distance between the induced and the target position, among those that do not raise an alarm, i.e., Indeed, as long as the space S is not empty, this problem can be solved by numeric methods.
Attack Against the GGTO-based Cross-authentication Check: We consider the authentication procedure in [21] and exploit the previous analysis to derive the attack.The technique proposed in [21] only considers signals from Galileo and GPS, so we have M = 2.According to (16), we expect to find a space of feasible solutions S with size dim (S) = N O − 1.We consider the worst-case scenario for the attacker where δ = 0. Combining ( 13) and ( 19) and denoting as h O,i the i-th row of H O , we have Thus, ∆r T,O belongs to the null space ).This corresponds to the orthogonal complement to the space generated by column vector (h O,4 − h O,5 ) T , or

B. Attack Against Position-Based Checks
We consider the class of checks described in Section III-B.Here, the victim is using GNSS for timing, while it is monitoring its own position, using the procedure outlined in Appendix B, which is used for the security check: for instance, a scenario where GNSS signals are used to synchronize the clock of a local area network (LAN) within one building is presented in [18].Indeed, in such condition the position is well-known, so the attacker can only tamper the timing estimation, and induce a PVT shift of the type where cγ T is the time shift induced by the attacker to the victim clock.To not raise an alarm, by (14) we need ξ 2 ≤ δ pos .
In the next paragraphs, we will present a relay and a generation attack against the position-based check.Using either one, the attacker is able to induce the target time shift (29).While a generation attack may be preferable since, for instance, it does not introduce additional noise at the victim due to the attacker receiver noise, we will prove that it can only be performed if N O ≥ 4 signals are used by the victim.
a) Relay Attack Against the Position-Based Check: Starting from 29 the attack can be compute straightly from 4 as where 1 is a vector of ones with the same size as p.In the worst-case scenario for the attacker, where ξ = 0 or, equivalently, δ pos = 0, i.e., no change in the position is tolerated at the legitimate receiver, it yields This means that the attacker has to receive, record, and retransmit with some delay both the authenticated and the open signals to induce the required attack, as typically done for the meaconing attack.On the other hand, this also shows that when picking ξ = 0 we are choosing a solution that differs by (at most) Gξ from the meaconing solution.
Finally notice that, as pointed out in Section II-B, this attack can be performed even when the ranges are authenticated by SCE or SCA.Still, this is a viable option only if the attacker is sufficiently close to the victim.Conversely, it may induce a different position calculation, that may alert the victim.However, especially when considering realistic scenarios, relay attacks may introduce additional noise.Thus, if possible, the attacker would rather use a generation attack even for positionbased checks.For this reason, in the next paragraph, we will present a generation attack strategy against position-based checks.
b) Generation Attack Against Position-Based Checks: In this Section, we show how and when it is possible for the attacker to perform a generation-type attack against the position-based check.The attacker aims at introducing a time shift equal to cγ T on the estimated clock bias, as in (31).So, by exploiting the linearization procedure of 5 and combining it with (29), the attacker must choose ∆r T to obtain Indeed, the range alteration ∆r T that solves (32) induces a shift only in the time component of the PVT solution computed by the victim.We remark that, for ease of reading, we focus on the worst-case scenario where ξ = 0.This can be easily extended also for the case where ξ = 0, by adding a term Gξ in (32).
Analogously to the procedure outlined in Section IV-A, we have that the set of feasible solutions of 32 is the affine space where, from 31, the particular solution is the meaconing attack We remark that to compute the PVT, it always holds N ≥ 4, so dim(N (H)) ≥ 0. Hence, any range tampering that induces the target time shift, can be written as where vectors u 1 , . . ., u N −4 form a basis for the null space N (H), collected as the columns of the basis matrix U .Our aim is to find the range tampering that belongs to S and does not require any alteration on the authenticated ranges.This latter requirement is formalized as where U NA and 1 NA collect the first N A rows of U and 1, respectively.
A sufficient condition for (36) to admit at least one solution is that U NA , with size N A × N − 4, be left invertible.This happens if N A < (N −4) or, equivalently, N O > 4. 2 Moreover this also assures that cγ T 1 NA ∈ R(H).Under this condition, the coefficients vector that assures (36) is computed as Finally, for the generation attack, the attacker has to pick ranges Indeed, by construction of β , ∆r n = 0 for 1 ≤ n ≤ N A , hence only the open signals need be tampered.Concluding, we showed that if N O ≥ 4, the attacker can exploit the just described procedure to perform a generationtype attack that alters the victim time of a factor γ T , generating only the open signals.

V. ANALYSIS FOR THE REALISTIC SCENARIO
In this Section, we analyze the performance of the attack considering a realistic scenario that takes into account the noise at the victim and the attacker receivers.We remark that, when the attacker performs a generation attack, the fake signals are only affected by the noise added at the victim receiver.On the other hand, when the attacker performs a relay attack, the tampered signals are affected by both the noises produced by the victim's and the attacker's receivers.We assume that the channels between the satellites and the receivers, of both the attacker and the victim, are additive white Gaussian noise (AWGN), as well as the channel between the attacker and the victim.We denote with σ L and σ A the noise standard deviations at the victim and attacker receiver, respectively.Moreover, as typically done for GNSS, we assume each channel to be independent, with equal variance.
The noise affects the pseudorange estimations, thus, the covariance matrices of the legitimate and tampered pseudoranges residuals, respectively, are where σ 2 T = σ 2 L when the attacker performs a generation attack, and σ 2 T = σ 2 L + σ 2 A when he performs a relay attack.Moreover, the legitimate pseudorange residuals are zero-mean, at the convergence of the PVT iterative computation.Taking into account the additional tampering introduced by the attacker, the tampered pseudoranges mean is In the next Sections, we separately consider the attacks to the timing and the position-based checks.

A. Attacks to the Time-Based Checks
Our aim is to statistically characterize the vector θ t , defined in (11), in realistic conditions.Indeed, θ t = CH∆r is a Gaussian vector since it is derived from the linear combination of the Gaussian vector ∆r.Thus, to characterize it, we have to compute its mean and covariance, considering both legitimate and under-attack conditions.
In the legitimate scenario, H 0 , the mean is while the covariance of θ t in H 0 is where, in the last step, we used the definition of Σ L given in (39).For the under-attack scenario, H 1 , the mean is given by while, analogously to (42), the covariance of θ t in H 1 is where the last equality follows from the definition of Σ T given in (39).Moreover, the attack to the time-based check described in Section IV-A is a generation attack, thus σ 2 T = σ 2 L .The false alarm and miss detection probabilities are, respectively, We remark that, in general, metrics θ t,i and θ t,j , with i = j, are not statistically independent.Attack Against the ISB-based Cross-authentication Check: We consider now the check of [21], where only Galileo and GPS are considered.First, we neglect the bias b+GGT O, which can be subtracted in advance from one measurement.So, it yields δ t,1 = δ t,2 = T .Moreover, from 13, c 1 = −c 2 , thus also θ t,1 = −θ t,2 , and (45) becomes where Next, we can invert the above relation to computing the threshold values as a function of the p FA set by the receiver, Analogously, calling µ 1 and µ 2 the first and second element of µ, respectively, the miss detection probability is where µ 1 = −µ 2 = c 1 H∆r T and σ 1 = σ T c 1 HH T c T 1 .Thus, (49) shows the missed detection probability as a function of the false alarm, legitimate and attacker channel noises, and µ.In particular, µ is also related to the range alteration induced by the attacker, which is a function of the distance between the true solution p and the target p .
In a generation attack scenario, where σ 0 = σ 1 , for small values of µ 1 , from 49 we get p MD = p FA , which means that fake signals are indistinguishable from the legitimate ones.This shows that the success probability depends on µ 1 , the amount of displacement induced by the attacker, so that the more the attacker tries to tamper with the signals, the easier it is for the victim to detect the attack.For instance, if we consider a relay attack for position spoofing, as selective delay, then σ 1 σ 0 , i.e., the noise standard deviation of the tampered pseudoranges is higher than that of the legitimate ones, p MD → 0 for any chosen p FA , thus the receiver is always able to detect the attack.In Section VI-C we will provide a numerical evaluation of these observations.

B. Attacks to the Position-Based Checks
Our aim is to statistically characterize the term θ pos in (14), in a realistic environment, i.e., when the measurements are affected by noise.In particular, we aim at relating security performance, i.e., false and miss detection, to the channel noise in the legitimate and under-attack scenarios, σ 2 L and σ 2 T .Notice that, in the legitimate case, this problem is equivalent to the general problem of characterizing the position accuracy for GNSS.
From ( 14), we can write where is the 3D position displacement with respect to the reference position.We remark that the reference position with coordinates (x ref , y ref , z ref ) is assumed to be known without error.Thus, to characterize the performance of the test (14) we model term first.Indeed, is a Gaussian vector since the position is derived as a linear combination of the Gaussian random vector ∆r, as in (5).In the legitimate case, we have since the PVT solution is expected to converge to the reference position itself.For the covariance we have where the subscript of H 1−3 refers to the fact that we are considering only rows 1, 2, and 3 of H.
Under attack, we have and, for the covariance, Note that ( 50) is a quadratic form, so we can take advantage of the following Theorem.
Theorem 2. The random variable θ 2 pos = T , with ∼ N (µ, Σ), can be written as where u ∼ N (0, I 3 ), Λ is the diagonal matrix obtained from the decomposition Σ = P ΛP T and b T = P T Σ − 1 2 µ.Hence, θ 2 pos can be expressed as the linear combination of non-central chi-square random variables of degree 1, with non-centrality parameter b 2 i .Proof.The proof can be found in [25,Ch. 3], for the quadratic form Q(X) = X T AX, but using A = I.Indeed, in the legitimate case, has zero mean, thus, θ 2 is actually the linear combination of (central) chi-square random variables of degree 1.Still, it is not possible to derive the closed-form expression for either the false alarm or miss detection probabilities, thus relating the metric value, θ pos to the chosen threshold.
For an application-oriented (but approximate) derivation of such relation we could exploit the definition of geometric dilution of precision (GDOP) [23,Ch. 7].First, we rotate the reference system to have the first three coordinates pointing to the east, north, up (ENU) reference frame.Next, repeating the steps in (52), we get as position error Hence, taking the trace operation, we define the GDOP as where σ 2 E , σ 2 N , and σ 2 U are the variances associated respectively with the error along the East, North, and vertical directions while σ 2 t is the error for the clock bias (measured in meters).To focus on the position error, it is useful to consider the position dilution of precision (PDOP) These terms are used to model, and therefore also to predict, the positioning error since the dilution of precision (DOP) values are related to the pseudorange noise and the geometry.Thus, low DOP values are typically associated with high PVT accuracy.An additional in-depth discussion of the DOP and their derivation can be found in [24,Ch. 21].Hence, it is possible to use this characterization to describe p(θ pos |H 0 ) and p(θ pos |H 1 ).Still, these estimates would be based only on an approximate model which is not suited for security analysis.The performance of the position check will be therefore evaluated only numerically, in Section VI-C.

VI. NUMERICAL RESULTS
In this Section, we assess the performance of the proposed attack against the authentication mechanism discussed in Section III.More in detail, first we describe the data collection procedure and the validation phase.Next, we test both the attacks of Section IV, considering both noiseless and noisy scenarios.

A. Data Collection
The dataset was built by collecting signals from a quasiurban environment with a Septentrio PolarRx5 receiver connected to an A42 Hemisphere antenna.In particular, the measurements were collected from our lab window sill (45.408 • N, 11.894 • E, altitude 30 m above the sea level).
The receiver output was post-processed obtaining a dataset of measurements from different constellations.We focused on GPS L1 C/A and Galileo E1 BC.The dataset, contained 10 min of measurements, collected with a frequency of 1 Hz, for a total of 600 PVT epochs.We consider the GPS signals as More in detail, for each considered epoch, the dataset contained: the pseudoranges measurements, the satellite clock biases, the tropospheric and the ionospheric delays (estimated using the Klobuchar model [26]), and the satellite positions.Satellite clock biases, atmospheric delays, and satellite positions were derived from the respective navigation message.
To test the performance of the attacks, we implemented a PVT computation block operating as summarized in the Appendices, following the description of [27,Ch. 8].
To validate our PVT block, we report in Fig. 4 respectively the positions computed by the Septentrio receiver, in blue, and those computed by our PVT block, in red.The positions obtained from the Septentrio receiver are slightly more precise than ours: the error standard deviations were 3.03 m and 3.13 m using, respectively, the Septentrio receiver and our PVT block.

B. Attacks in Ideal Scenario Conditions
We now present the attack performance in the noiseless scenario, thus σ L = σ T = 0, distinguishing between the attack to the time-based and the position-based checks.
a) Attack Against the Time-Based Check: We present the results of the proposed attack.In particular, we use the following procedure, where at each epoch we 1) compute the PVT solution by using the legitimate measurements (legitimate case);  2) chose the target position p 1 ; 3) solve problem (26), obtaining the tampered ranges ∆ r; 4) feed the tampered ranges to the PVT block; 5) check the authenticity of the solution using the ISB-based cross-authentication check (12).
In particular, we set the target position p 1 at 45.398°N, 11.876°E, with altitude 12 m (Prato della Valle square, Padua, Italy).The distance between the legitimate and the target position is roughly 1.7 km.
Notice that, between steps 3) and 4) we omitted the actual fake signal generation and the processing of the victim on the received signal.This means that we assumed that, under attack, the victim processes the tampered signal as intended by the attacker.Still as experimentally proved, e.g., in [5] and [6], it is indeed feasible to induce to the victim the fake signals, hence we skipped these steps.
Fig. 5 shows the positions computed in the legitimate and under-attack scenarios: the attacker is always able to induce the target position and only negligible errors are observed with respect to the target position.No issue has been observed in terms of availability, i.e., all the fake ranges led to the computation of a PVT.Fig. 6 shows the difference between the clock biases t O and t A used in the security check (12), computed respectively in the legitimate and under-attack case.Indeed, the check cannot distinguish the legitimate from the under-attack scenario, since the actual differences between legitimate and fake are well below the standard deviation of the metric itself.Hence, for any threshold T , the check cannot effectively detect the attack.For these reasons, we conclude that our attack can spoof the victim's position without being detected.Fig. 7 shows instead the detection error trade-off (DET) curves for different distances between target and actual position.Indeed as this distance increases, it becomes easier for the victim to detect the spoofing attack.In particular, the attack success probability rapidly decreases for distances higher than 10 km.This is in line with our observations in Section II-B, confirming that the linearization procedure is not reliable to design the attack if the target position is too far from the real one.Still, we remark that it may not be reasonable for the attacker to consider the target position too far since other signals of opportunity may be exploited by the victim to check the computed position.
b) Attack Against the Position-Based Check: We report the results of the attacks against the position crossauthentication checks, discussed in Section IV-B for the noiseless scenario.In particular, three different attacks are considered (Table I), with different induced time shifts and attack start times.
Fig. 8 shows the results of the step-change on the clock bias estimated by the victim.This represents a best-case scenario for the defender, since, typically, the time shift is induced in a ramp-like manner (e.g., see the classification of [28]).Indeed, if the considered attacks are successful, also the more sophisticated attacks will be successful as well.During the  tests, all the considered attacks achieve their aim, inducing the target time shifts.On the other hand, consider the actual position check, no significant position deviation is induced by any of the attacks, since the deviation is at the cm-level, well below the actual accuracy of the receiver.Again, none of these attacks would be detected by the victim using the considered cross-authentication checks.

C. Results with Noisy Measurements
In this Section, we evaluate the performance of the proposed attack in noisy conditions, distinguishing between time-based and position-based checks.
Starting from the experimental dataset, we run a Montecarlo simulation, repeating each experiment 35 times, therefore obtaining in total 21 000 PVT measurements.
a) Attacks Against the Time-Based Check: As proved in Section IV-A, we show that it is possible for the attacker to lead a successful attack using a generation attack.
We repeat the same attack simulation procedure adopted for the noiseless scenario but, between steps 3) and 4), we add AWGN to both the legitimate and the fake pseudoranges, according to the noise standard deviation at the victim receiver σ L , with σ L = 0, 1, 2, 4, and 9 m.We remark that, in this case, the attacker performs a generation attack, thus pseudoranges are only affected by the noise at the victim receiver.In general, a reasonable value for the noise standard deviation is 7. [23, Ch. 7] 3 .To evaluate the attack performance, we consider a target position 25.5 km away from the victim receiver location.Fig. 9 reports the DET curve for the generation attack against time-based checks, showing the miss detection probability p MD as a function of the false alarm probability p FA and various values of σ L .We notice that, as the noise at the victim receiver increases, the victim becomes unable to distinguish between legitimate and fake signals.Still, the results confirm that the check is not fully reliable even when the noise is minimum since, even in this condition, to get p MD < 10 −2 it would yield p FA ≈ 0.88, thus rejecting most of the legitimate signals.
b) Attacks Against the Position-Based Check: As discussed in Sections IV-B and IV-B0b, if N O < 4 only a relay attack can induce the desired clock-shift while keeping low the probability of being detected.Conversely, when N O ≥ 4, also a generation attack can be used to achieve the same goal.It is worth noting that, when both the relay and the generation attack are viable, the latter is always the preferred option, since it involves signal generation instead of retransmission, and, as a result, the attacker does not introduce additional noise to achieve a better performance in terms of p FA and p MD , as will be discussed in this Section.
First, we consider the relay-type attack described in Section IV-B.Indeed, this represents the worst case for the attacker.To show the attack performance, we add noise only to the tampered ranges, so we consider σ L = 0. Thus, the fake pseudoranges variance is σ 2 T = σ 2 A .We consider the scenarios where the attacker aims to induce a shift in the estimated clock bias ∆t − ∆t L = 10 µs.No relevant difference was observed when considering ∆t − ∆t L = 5 and 30 µs.In all the considered scenarios, when receiving the tampered signal, the victim computes the clock bias set by the 3 For instance, from our measurements, we get slightly more than 3 m.attacker, with only negligible error.Hence whenever no alarm was raised, the attacks were successful.Fig. 10 reports the DET curves of the attack for several values of σ A .Indeed, for σ A = 0, thus simulating an attacker able to perform a relay attack without adding any additional noise, tampered and legitimate signals are indistinguishable.On the other hand, as σ A increases, it is easier for the victim to detect the attack.Still, even when σ A = 9 m, the check is only partially effective since to get low values of missed detection the victim experience high false alarm: for instance to get p MD < 10 −3 (not such a low value for a security application) the victim would obtain a p FA > 0.2.
Concerning the generation attack against the time-based check, we carried out attack simulations adding the AWGN of the victim receiver to both fake and legitimate ranges, with σ L = 0, 1, 2, 4, and 9 m.For all the considered values of noise standard deviation, the fake ranges resulted to be indistinguishable from the legitimate ones, and all the DET curves collapsed to the line p FA = p MD .

VII. CONCLUSION
In this work, general attack strategies targeting crossauthentication PVT-based mechanisms were presented.In such mechanisms, the victim receiver computes the PVT using all the available signals, both open and authenticated and tries to assess the authenticity of the computed PVT using some a priori information.In particular, we focused on two classes of checks: the timing cross-authentication, such as [21], where the check is performed verifying if the clock biases relative to each system are related to the actual ISBs; the position crossauthentication, that may be used for a timing service, where the PVT is considered to be authentic if it leads (sufficiently close) to the expected position.For both scenarios, we show that the attacker leads the victim to a chosen target PVT solution, i.e., to a target 3D position or clock correction.We show that the success of the attack depends on both the number of open signals used by the receiver and the attacker conditions.Still, under realistic conditions, the attack is shown to be successful.
We considered both noiseless and noisy scenarios: in the latter, the receiver obtains a noisier replica of the signal tampered with by the receiver.Numerical results confirm the effectiveness of the attack in both the considered scenarios, showing that such a class of security checks is not able to protect the receiver effectively.
In several practical scenarios, less than 4 authenticated signals may be received so that the receiver cannot compute a PVT based on the authenticated signals solely.Our work shows that it is not possible to extend the authentication to open signals by using PVT-based consistency checks, so the receiver can either choose to compute a non-secure PVT or to not perform navigation at all.

APPENDIX A PVT COMPUTATION WITH SEPARATE TIME REFERENCES
We describe the PVT linearization procedure and the derivation of each term needed to update the PVT during the iterative approach, to compute the terms of 5.
From the received signal, we derive the pseudorange vector r.For ease of reading, we consider only signals from two systems: hence the PVT will contain entries t 1 and t 2 , the clock biases associated with each of the time references, e.g., to the GPS system time (GPST) and Galileo system time (GST).In particular, the receiver collects N 1 signals from the first constellation and N 2 = N − N 1 from the latter.
In general, each pseudorange is modeled by r j = ρ j + ct j − ct 1 1 1 (j) − ct 2 1 2 (j) + D atm,j + η , (59) where ρ j is the geometric range, i.e., the Euclidean distance between the (estimated) receiver position and the jth satellite position, with coordinates (x j , y j , z j ), defined as c is the speed of light, t j is the satellite clock bias, D atm,j models the atmospheric delays, and η models the remaining errors, considered as noise.The indicator functions 1 1 (j) and 1 2 (j) are introduced to identify the satellite constellations, i.e., 1 1 (j) = 1 if satellite j belongs to the first constellation and 0 otherwise, while 1 2 (j) = 1 if satellite j belongs to the second and is 0 otherwise.Notice that (approximations of) the satellites' positions, x j , y j , and z j , t j , and D atm,j , are retrieved directly from the navigation messages.Next, we introduce the terms a x,j x j − x ρj , a y,j y j − ŷ ρj , a z,j z j − ẑ ρj , which represent the components of the unit vector pointing from the (approximate) receiver to the jth satellite position.This allows us to introduce the geometry matrix Following the linearization procedure reported, for instance, in [23,Ch. 2], and recalling (3), we obtain ∆r j = a x,j ∆x+a y,j ∆y+a z,j ∆z− c t 1 1 1 (j)−c t 2 1 2 (j) , (63) which can be equivalently written in matrix form as (4).This relates the range residuals to the PVT update vector ∆p = [∆x, ∆y, ∆z, ∆t Lastly, given G, we can compute its Moore-Penrose inverse H and solve (5).More details about the PVT derivation and other aspects related to it, such as the impact of H on the solution accuracy, can be found in [23,Ch. 2,7] and [24,Ch. 21].

APPENDIX B PVT COMPUTATION WITH UNIQUE TIME REFERENCE
If the ISB between the system is known it is possible to take into account and solve the PVT linearization considering just one of the M time references.Without loss of generality, we consider the case where measurements are collected from two constellations and the ISB = t 2 − t 1 is known by the receiver.This relates to the case where the signals are received from both GPS and Galileo and the GGTO is obtained from the I/NAV messages.Next, (59) becomes r j = ρ j + ct j − ct 1 − c ISB 1 2 (j) + D atm,j + η , (65) Next, we can consider this as if the satellites were synchronized to the same time reference, thus matrix G becomes The rest of the procedure is analogous to the one reported in Appendix A.

Fig. 1 .
Fig. 1.Example of the scenario under attack: p is the solution at the iteration start, p is the legitimate solution, p is the attacker target solution, and p is the solution computed by the victim, mixing open and tampered signals.

H 1 :
PVT is fake, signals have been tampered with.

Fig. 2 .
Fig. 2. Block scheme of the time-based check.

)
Considering that h O,4 and h O,5 are column vectors of length N O , the null space in (28) has clearly size N O − 1 and, as expected, dim(S) = N O − 1.
authenticated (e.g., by CHIMERA) and the Galileo signals as open, and we collected signals from N = 8 different satellites in view, with N A = 3 and N O = 5.

Fig. 4 .
Fig. 4. Validation of our PVT block: position computed using our PVT block (blue) and the Septentrio's software (red).

Fig. 5 .
Fig. 5. Positions computed in the legitimate (blue) and under attack scenario (black), compared to the ground truth (red).The position computed in the under-attack scenario coincides with the target p .

Fig. 7 .
Fig. 7. DET curves for different distances between legit and target positions, for the time-based cross-authentication against the proposed generation attack.

Fig. 9 .
Fig. 9. DET curves with for the generation attack against time-based checks, when the attack target position is 25.5 km away from the victim location, for different values of σ L .

Fig. 10 .
Fig. 10.DET curves for the relay attack against the position crossauthentication check, for ∆t − ∆t L = 10 µs, for several values σ A and σ L fixed.
authors propose to authenticate the computed PVT solution through a time consistency check.In particular, they consider the PVT solution obtained by combining the signals from two constellations, one transmitting authenticated signals and the other transmitting open signals, following the procedure outlined in Appendix A. Then, denoting as t 1 and t 2 the clock biases associated with the time reference of each constellation, the PVT is authenticated by checking, at the receiver, if the difference |t 1 − t 2 | is consistent with the reference ISB, as (12)ic for the check(12): the metric computed under attack (black) is superimposed to the one computed in the legitimate case (red).

TABLE I PARAMETERS
OF THE ATTACK TO THE POSITION CROSS AUTHENTICATION CHECK: ATTACK STARTS tstart AND ADDITIONAL CLOCK BIASES ∆t − ∆t L .
Effect of the time attack on the clock bias estimated by the victim: ∆t for the legitimate case (red), for Attack 1 (green), 2 (blue), and 3 (purple), whose parameters are reported in TableI.
1 , ∆t 2 ] T .Notice that, the residuals as ordered naturally as