GPS Spoofing

[United744]

GPS position *is* timing. That's how they screw with position.

GPS should be considered unreliable any time spoofing/jamming is suspected. The worst part is, the signals appear valid. Only position cross-check with RAW position data/radio beacons is the only way to be sure of system accuracy.

[Tom Gorzenski]

On the 10 of November 2023, Boeing issued FOTB No. 787-27 titled:
"Global Navigation Satellite System (GNSS) Radio Frequency Interference (RFI)",
with the following reason:
"To provide flight crew awareness of RFI in the GNSS, which includes Global Positioning System (GPS) jamming and spoofing. Provide this bulletin to flight crews."
If there is anybody interested I can share it here, but the thing is that the IRS/ARHS/GPS architecture is different

IMPORTANT:
The source of the IRS's problems on the 787 in GPS spoofing scenario is explained. It turns out that not only there is one IRS hybrid (GPS-assisted) on 787, but... there are only 2 hybrid (GPS-assisted) IRS units (2 x IRU) and 2 GPS-assisted ARHS units (2 x AHRU)    They  are very similar but laser gyro performance of AHRS is lower than in case of IRS laser gyros. So you can say there are 4 units able to provide inertial-only navigation (w/o GPS) but only two are high quality with low drift values. They all together form the ERS. And since GPS receivers are deeply embedded in all four of them, spoofing causes big problems. You can disable GPS data from FMC position updates in 787 but you can't stop them from feeeding the systems with corrupted data (in case of spoofing) and there is still no official Boeing procedure to pull out the virtual CBs for both GNSS receivers in such a scenario. Below you will find the 787 ERS Architecture diagram (if you can't see it - right click and then open the graphic in a new tab) - see how different it is from what we have in 747-400, but also 757/767:



I think a similar bulletin could have been issued for other Boeing models, including the 747-400. Unless Boeing considers spoofing scenario in 747-400 less critical than in 787, and for sure - here the problem should be much less, because the IRS (x3) is conventional, not hybrid. In the 787 aircraft even chronometers are fed with GPS data and you can't switch the feed off!
Is there anybody having access to it, if it exists at all, and able to share it here?

[Tom Gorzenski]

https://ops.group/blog/gps-spoofing-pilot-qrh-hotspots-and-what-to-expect/
https://ops.group/dashboard/wp-content/uploads/2023/11/GPS-Spoofing-Pilot-QRH-Guide-14NOV23.pdf
https://ops.group/blog/gps-spoofing-update-08nov2023/

[Balt]

GPS position *is* timing. That's how they screw with position.

GPS should be considered unreliable any time spoofing/jamming is suspected. The worst part is, the signals appear valid. Only position cross-check with RAW position data/radio beacons is the only way to be sure of system accuracy.

There are multiple ways to spoof the signal from what I understand. Altering time is one of them, but you can also alter the content of the ephemerides sent by the satellites. None of this is very hard to execute because of the low signal strength of the GNSS signals. And there's a bunch of github sources out there to get you started. Doesn't take a state actor these days.

[Jeroen Hoppenbrouwers]

Given that most spoofed positions seem to be an airport, I bet they either record the GPS at that airport for a while and re-broadcast it in a loop at much higher power, or they pick up live GPS at that airport and broadcast it live at higher power elsewhere.

In such a case where a fixed position appears on your ND for a while, it obviously is a form of jamming with a side effect. Literally it jams a peg in the gear box,. It is not intended to make you think you are elsewhere, it's painfully obvious. But it counts technically as spoofing.

[andrej]

including the 747-400. Unless Boeing considers spoofing scenario in 747-400 less critical than in 787, and for sure - here the problem should be much less, because the IRS (x3) is conventional, not hybrid.

Tom, from the QRH guide, there is at least one incident (well, only one in this document) involving B747. However, it is not specified which mode that would be. Does -8 has "hybrid IRS"? Because as you say, conventional IRS should not be impacted by this spoofing. Or?

Thanks!

[Tom Gorzenski]

Tom, from the QRH guide, there is at least one incident (well, only one in this document) involving B747. However, it is not specified which mode that would be. Does -8 has "hybrid IRS"? Because as you say, conventional IRS should not be impacted by this spoofing. Or?

Thanks!

Yes, in older airplanes like 747-400, 757, 767 spoofing seems to be not such a huge problem as in 787, with its hybrid IRUs and AHRUs that are fed continuously with GPS data, and currently there is no way 787 pilot can shut both GPS receivers down to stop feeding. In older planes you just select GPS updates (to FMC position) to OFF, as soon as you notice any sign of spoofing, or even before you enter spoofing-suspected area and you are mostly OK. Their conventional IRS can't get infected by spoofing. Of course EGPWS would be affected too, but at least you can do something about it in those older airplanes. In 787 even chronometers get affected by spoofing because you can't disable GPS input to them. I guess when 787 was designed nobody considered spoofing a serious threat and they thought only GPS (receiver or space/ground control) failure like single GPS satellite going rogue, or jamming - were the only issues to take care about.
I suspect -8 has conventional IRS, but you still can run into troubles if you do not quickly select OFF for GPS updates to FMC, but IMO this is not that critical as in case of 787. However, I can't find an explanation as to why a conventional IRS would fail in a GPS spoofing scenario...

[Tom Gorzenski]

In such a case where a fixed position appears on your ND for a while, it obviously is a form of jamming with a side effect. Literally it jams a peg in the gear box,. It is not intended to make you think you are elsewhere, it's painfully obvious. But it counts technically as spoofing.

I dare to disagree slightly. It is a spoofing technically and from any other point of view. Just not a sophisticated one (as opposed to a very highly sophisticated spoofing attack as decribed in the article about intercepting and forcing to land a US drone, by Iran) and easy to identify (especially with POS ON on the ND, so you can see the position determined by the GPS receiver in addition to IRS positions, etc.). It is not jamming, because jamming simply causes loss of signal and is an equivalent to having a temporary inoperative GPS receiver. Spoofing however, even as simple as fixed location at an airport, has a high potential to develop several problems on a flightdeck of a modern jet, where many systems (even chronometers) are fed with GPS (corrupted) data, yet pretenting to be fine, and pilots often can do nothing to stop feeding.

[Jeroen Hoppenbrouwers]

Ok I agree, jamming is far more likely to disable and that is the crucial difference here.

Hoppie

[Tom Gorzenski]

Ok I agree, jamming is far more likely to disable and that is the crucial difference here.

Yes, precisely...

I have learned that Boeing intends to hold a special conference on this issue in the near future....

[Tom Gorzenski]

And such were the various cool ideas in previous years...   

Boeing Eyes Blockchain in Bid to Fight GPS Spoofing
https://www.coindesk.com/markets/2017/12/18/boeing-eyes-blockchain-in-bid-to-fight-gps-spoofing/

An INS Monitor against GNSS Spoofing Attacks during GBAS and SBAS-assisted Aircraft Landing Approaches:
http://www.navlab.iit.edu/uploads/5/9/7/3/59735535/tanil_gnss_16.pdf

[boeing747430]

I find it peculiar that on the -8s of my company, DME/DME-update is off by default when the FMC initializes. I always turn it on to one more line of defense against spoofing. On our 744s it is on by default. Still, the area around Varna VOR (WRN) at the Black Sea often gives you mapshifts when under GPS-jamming (which is usually the case, over there) and using WRN for DME-updating. So I exclude WRN from the DME update.

Heard from a colleague last week, that on his A330 close to DXB, spoofing put them virtually to India. 😳

[Jeroen Hoppenbrouwers]

Related, especially the time part:
https://www.cnn.com/2023/11/21/politics/ukraine-power-grid-equipment-cisco/index.html

[boeing747430]

Love this kind of tnkering!♥️

[Tom Gorzenski]

I find it peculiar that on the -8s of my company, DME/DME-update is off by default when the FMC initializes.

The reasoning behind this eludes my mind...

By the way, do 747-8s have same conventional IRSs as 747-400s, or hybrid ones as 787s?

Regards, Tom

[Jeroen Hoppenbrouwers]

In the Netherlands, nearly all NDBs (only one left in the Belgium-Germany corner for foreign procedures) and many VORs were removed not long ago. But the (co-located) DMEs all remained. DME-DME isn't going away any time soon.

Hoppie

[boeing747430]

The reasoning behind this eludes my mind...

By the way, do 747-8s have same conventional IRS as 747-400s, or hybrid ones as 787s?

Regards, Tom

Hi Tom!
While I don't know whether the IRSs themselves are exactly the same, they at least work in the same manner as on the 744.

Best, Kim.

[Tom Gorzenski]

While I don't know whether the IRSs themselves are exactly the same, they at lest work in the same manner as on the 744.

So definitely not hybrid ones. Thank you! Take care, Tom

[Tom Gorzenski]

New GPS spoofing incident shows how it works:
https://ops.group/blog/new-gps-spoofing-incident-shows-how-it-works/