DEMO: Relay/Replay Attacks on GNSS signals
M. Lenhart, M. Spanghero, P. Papadimitratos

TL;DR
This paper experimentally demonstrates relay and replay attacks on GNSS signals using off-the-shelf hardware, showing that these signal-level attacks are not stopped by cryptographic protections and can effectively spoof GNSS receivers.
Contribution
It provides the first experimental validation of relay/replay GNSS attacks with accessible hardware, highlighting practical vulnerabilities beyond simulations.
Findings
Relay/replay attacks can spoof GNSS signals without cryptographic hindrance
Off-the-shelf hardware suffices for effective GNSS signal relaying
Colluding adversaries can enhance attack precision and control
Abstract
Global Navigation Satellite Systems (GNSS) are ubiquitously relied upon for positioning and timing. Detection and prevention of attacks against GNSS have been researched over the last decades, but many of these attacks and countermeasures were evaluated based on simulation. This work contributes to the experimental investigation of GNSS vulnerabilities, implementing a relay/replay attack with off-the-shelf hardware. Operating at the signal level, this attack type is not hindered by cryptographically protected transmissions, such as Galileo's Open Signals Navigation Message Authentication (OS-NMA). The attack we investigate involves two colluding adversaries, relaying signals over large distances, to effectively spoof a GNSS receiver. We demonstrate the attack using off-the-shelf hardware, we investigate the requirements for such successful colluding attacks, and how they can be…
