DEMO: RTKiller -- manipulation of GNSS RTK rovers by reference base spoofing

TL;DR

This paper demonstrates how GNSS RTK rover positioning can be manipulated through spoofing of reference stations, exposing vulnerabilities in real-time correction systems used for high-precision navigation.

Contribution

It reveals a novel attack vector on GNSS RTK systems by spoofing reference stations, showing the potential to degrade or disrupt rover accuracy.

Findings

Manipulation of reference stations affects rover positioning accuracy.

RTK correction signals are vulnerable to spoofing attacks.

Spoofing can cause loss of baseline fix or degraded accuracy.

Abstract

Global Navigation Satellite Systems (GNSS) provide global positioning and timing. Multiple receivers with known reference positions (stations) can assist mobile receivers (rovers) in obtaining GNSS corrections and achieve centimeter-level accuracy on consumer devices. However, GNSS spoofing and jamming, nowadays achievable with off-the-shelf devices, are serious threats to the integrity and robustness of public correction networks. In this demo, we show how manipulation of the Position Navigation and Timing (PNT) solution at the reference station is reflected in the loss of baseline fix or degraded accuracy at the rover. Real Time Kinematics (RTK) corrections are valuable but fundamentally vulnerable: attacking the reference stations can harm all receivers (rovers) that rely on the targeted reference station.