GPS Spoofing

Started by Tom Gorzenski, Sat, 28 Oct 2023 07:52

Jamie

#80
Quote from: Jeroen Hoppenbrouwers on Sun, 19 Apr 2026 18:22
Argh.
I suppose you mean ADS-B? That would make sense as it relies indirectly on the GPS position transmissions of other planes that probably also get spoofed. Alternatively it's the Mode-C/S transponder -- that includes TCAS, which is nasty.

Clearly the GPS-only iPad is easier to jam than a hard core airplane GPS. Hey, great that it is no longer needed to feed airplane GPS (from 429 via WiFi) into the EFB, let's use the Apple GPS, why not? It works fine!


Hoppie
ADS-B yes, typo. We still run the old TCAS2 7.1 as in the 747 I guess. Basic Transponder interrogation. Our iPad EFB gets its feed from GPS L via Arinc 629 cabled (USB-C interfaced) to the aircraft, not wifi. Basically it's a tcp/ip4 network connection (pops up as Cabled Network in iPadOS) and our software (Lido/mPilot) gets its feed from this interface. The internal iPad GPS doesn't work, coated windows I guess.

My point was I haven't seen map-shifts on the ND yet, which doesn't mean they don't exist (don't know how the 747 handles this). They *do* exist, but I haven't seen one in the last 5 years. Not in the Airbus, not in the Boeing. Terrain map shift -> yes, pretty cool to experience a "TERRAIN PULL UP WHOOP WHOOP" in the middle of the night at FL410.
Jamie
No Kangaroos In Austria!

Magoo

Good discussions here, blockchain GPS could be the answer... in about 50 years.

Jeroen D

Quote from: Jamie on Mon, 20 Apr 2026 09:05
The internal iPad GPS doesn't work, coated windows I guess.

To the best of my knowledge, only iPads with a SIM have GPS. Does yours have a SIM? The WiFi only version doesn't have GPS. I found out as I use my iPad on my boat in addition to my Raymarine plotter. I installed a convertor into the Raymarine Network that outputs things like position, speed, course, AIS data on a WiFi signal that I catch with the iPad and gets fed into the nautical map application.

Jeroen

Jamie

Quote from: Jeroen D on Wed, 29 Apr 2026 16:18
To the best of my knowledge, only iPads with a SIM have GPS. Does yours have a SIM? The WiFi only version doesn't have GPS. I found out as I use my iPad on my boat in addition to my Raymarine plotter. I installed a convertor into the Raymarine Network that outputs things like position, speed, course, AIS data on a WiFi signal that I catch with the iPad and gets fed into the nautical map application.

Jeroen
Yes ours has an eSim. Never got a GPS position in the cockpit actually; not with my iPad nor with an iPhone.
Jamie
No Kangaroos In Austria!

Jeroen Hoppenbrouwers

Although technically GPS can be received in many GA aircraft cockpits, typical larger planes have coated cockpit windows with integrated heating layers, which effectively block any GPS signal entering the flight deck anyway. Allowing EFB-local GPS is therefore relevant for the "cheaper" side of the industry only.

ccapilot

Quote from: Jamie on Wed, 13 May 2026 22:23
Yes ours has an eSim. Never got a GPS position in the cockpit actually; not with my iPad nor with an iPhone.

Try having the iPad next to the window 3 that does not have coating, it will get GPS signal, and once it has the signal, most of the time it stays locked, even when putting the iPad back to its holder near window 2. It works in the B777, I suspect the B747 should be the same.

Hardy Heinlin

This is the layout of the new "Spoofing" page:



To create a jamming-only scenario, set the spoofing radius to zero (minimum and random) and enlarge the jamming zone as desired.

To create a spoofing-only scenario, set the jamming zone to 0 nm.

To create an extremely randomized spoofing zone, set the minimum radius to zero and enlarge the randomized radius addition as desired.

Does that make sense? I want the design to be simple, yet flexible for all kinds of training scenarios.


Regards,

|-|ardy


P.S.: Hello Internet, this is a simulation, not a real spoofing system!

Will

Would you have to enter the Zone Center and Spoofed to Location manually, or can you set the points by clicking on the map? Or could you enter an airport or waypoint instead of Lat/Long?
Will /Chicago /USA

Hardy Heinlin

Quote from: Will on Sun, 31 May 2026 15:07
... could you enter an airport or waypoint instead of Lat/Long?

Yes.

There's a note at the bottom of the page :-)

Will

Oooops, sorry I missed that!
Will /Chicago /USA

Magoo


Hardy Heinlin

Version A: Randomly increase radius by: [ 20 ] nm

Version B: Randomized radius addition: [ 20 ] nm

________________________________________

Which wording is better? A or B? For your info, the sim's logic is this: The radius will not only increase but also decrease. The reason I avoid the word "decrease" or "vary" is because I don't want the user to think the randomizer will decrease the minimum radius as well. E.g. when the core value is 100 and I say the core will vary by 20, the user might think the core will vary between 80 and 120. This is not the case in my logic. In my logic this example would vary between 100 and 120. So that's why I use the word "increase" or "addition". However, the user may now also ask: "What if 120 is reached, will it stay there?" No, it won't. It will decrease until the minimum is reached, then it will restart to increase. It's an oscillation. (Very slow and non-linear randomized.) So that's why I ask. Which is better? A or B? :-) I would say B.

joergalv

Regards
Joerg

Jamie

#93
I agree.

I've sent you an email Hardy, by the way. We track GPS spoofing (resulting in GPWS alerts) and GPS jamming (resulting in GPS FAIL/FAULT indications), and I've included some mappings.

I played around with our charts a bit:
N53 34.7 E040 18.6 with a radius of 900NM would cover about 80% of the GPS trouble spots within the area where we are allowed to fly.

N32 14.9 E034 52.0 radius about ~400NM is also a hotspot.

I would say that, if it were possible to define around 4 of these circle positions, it would cover most of the GPS trouble areas.

It could also be useful to assign a probability or intensity value to each circle (e.g. a percentage of possible GPS jamming/spoofing), as some areas are consistently affected while others only experience occasional interference.

I probably wouldn't choose circles where interference gradually changes into spoofing within a certain range. In my experience, that's not really how it works. You typically have either interference (jamming) or spoofing; one doesn't gradually turn into the other. But that is my experience.

What could vary with distance is the intensity. The closer you get to the source, the greater the chance of being jammed or spoofed. That is something I do see in practice. On the FMC, you can clearly observe the GPS reception degrading as you get closer to the interference source.

Example: On a flight from Western Europe to Asia, we may lose GPS coverage from Romania/Bulgaria all the way to around Baku, assuming the GPS hardware recovers at all. Most of the time it doesn't, so GPS remains unavailable until we reach our destination.

This, of course, limits the types of approaches we can perform. For example, RNP approaches become unavailable and are therefore a no-go.

I don't know how the 747 experiences this, but this is my experience on the 777.
Jamie
No Kangaroos In Austria!

Hardy Heinlin

Jamie, this is way too complex for very little advantage :-)

There's just one circle. You can set the radius to a maximum of 3000 plus random 3000 (6000 total) plus 3000 for jamming (9000 total). That circle is so large that you'll get an almost straight spoofing borderline for a very long route section if you place it parallel to your route where the zone core is abeam the route at a distance nearly equal to its radius. That's what I mean by "flexible" :-) You can do various things with just one circle.

Same for random effects: Just use the random addition and place a very large circle abeam your route, so that the circle crosses your route only sometimes at random.

Re variable intensity: In PSX there'll be just jamming on/off and spoofing on/off. The GPS position will drift, not jump.

Remember, relevant is just the route corridor, not the entire planet. You don't need to set multiple circles to create a corridor like on your spoofing chart (thanks for the mail); if you fly through that spoofing corridor that has an entry and an exit point, you can also set a large circle that has an entry and an exit. It doesn't matter if that circle covers Italy (which is not affected in real life) if your route goes over Bulgaria. For training just your route counts, not the entire planet.


Regards,

|-|ardy
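Added example (not PSX code and not part of the original posts): a sketch of the single-circle geometry discussed above, classifying an aircraft position as spoofed, jammed or clean, with the radius addition bouncing between zero and its maximum so the radius never drops below the minimum. The `Zone` fields, the function names, the placement of the jamming zone as a ring outside the spoofing circle, and the linear `bounce` stand-in for the sim's slow randomized oscillation are all assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

@dataclass
class Zone:                 # hypothetical structure, values are constructed
    lat: float              # zone center, degrees
    lon: float
    min_radius_nm: float    # minimum spoofing radius
    random_add_nm: float    # upper bound of the randomized radius addition
    jamming_nm: float       # assumed: width of a jamming ring outside the spoofing circle

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(min(1.0, a)))

def bounce(addition, step, max_add):
    """Advance the radius addition by step, reversing at 0 and at max_add.
    Returns (new_addition, new_step). Stand-in for the sim's oscillation."""
    nxt = addition + step
    if nxt >= max_add:
        return max_add, -abs(step)
    if nxt <= 0:
        return 0, abs(step)
    return nxt, step

def classify(zone, lat, lon, addition):
    """Return 'spoofed', 'jammed' or 'clean' for the current radius addition."""
    # The addition is clamped to [0, max], so the radius never goes below the minimum.
    addition = min(max(addition, 0.0), zone.random_add_nm)
    spoof_r = zone.min_radius_nm + addition
    d = distance_nm(zone.lat, zone.lon, lat, lon)
    if d < spoof_r:          # strict: a zero radius spoofs nothing
        return "spoofed"
    if d < spoof_r + zone.jamming_nm:
        return "jammed"
    return "clean"
```
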

Gary Oliver

My plan is to get BACARS to grab the latest data from a GPS jamming API and update the new Jamming page with the closest to the aircraft, which will get the effect you are after as you fly through areas.

Cheers
G

Hardy Heinlin

Quote from: Jamie on Mon, 1 Jun 2026 16:11
On the FMC, you can clearly observe the GPS reception degrading as you get closer to the interference source.

Regarding "degrading": If you refer to the degrading Actual Navigation Performance (ANP display), that always decreases and increases gradually in order to dampen sudden performance drops or peaks. I think this dampening effect is computed by the FMC and is not a gradual value from the GPS unit. The dampening effect on the ANP in the FMC also occurs when switching radio sources or mixed IRS sources etc.

In other words, when a GPS failure occurs in PSX you will see a gradual change of the ANP – like in real life. The ANP will not jump; it's smooth. This gradual effect has been included since the first PSX version.


Regards,

|-|ardy

Hardy Heinlin

#97
A question for Jeroen and all CPDLC experts:

Is there a maximum possible difference between the pilot's timestamp and the controller's true UTC timestamp beyond which the communication will fail due to a timeout?

For example: PSX may inhibit any CPDLC uplinks when the FMC's time differs from the true UTC by more than 10 minutes.

Or 3 minutes. Or whatever.

Does that make sense?

As usual, the FMC's time is set by this:
• If GPS is operating: Correct UTC (fake UTC when spoofed)
• Else if captain's clock SET DATE switch is set to RUN: Captain's time (may be set to a wrong UTC)
• Else if F/O's clock SET DATE switch is set to RUN: F/O's time (may be set to a wrong UTC)
• Else the FMC blanks all indications re time and fuel remaining

So, as the clocks too can set a wrong time, this question is not only related to spoofing actually.


|-|ardy


P.S.:
I just discovered in my PSX ACARS code (that I wrote 15 years ago) that my ACARS simulation uses the correct UTC when the ACARS DC power source is powered. Only if that is not powered, it will do the next "if" checks as described above (GPS, clocks etc.). – I can't remember why it first gets its time from the "ACARS DC" electronics. Does this box have its own independent clock?

P.P.S.:
Page 332 in the Aerowinx Operations Manual says: "ACARS uses the same priority logic to get time and date, unless ACARS uses its own clock system (requires ACARS DC power)." – I wrote this myself many years ago :-) Now I remember. OK, so to get any time spoofing in the ACARS you need to pull the "ACARS DC" circuit breaker (H9 on P6).
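Added example (not PSX code and not part of the original post): the time-source priority listed above, the ACARS variant from the P.S., and the proposed CPDLC uplink inhibit expressed as a clock-skew check. The function names and parameters are hypothetical, the 10-minute default is only the figure floated in the question, and treating a blanked FMC time as "inhibit" is an assumption.

```python
from datetime import datetime, timedelta, timezone

def fmc_time(gps_operating, gps_utc, capt_run, capt_utc, fo_run, fo_utc):
    """FMC time by priority: GPS, captain's clock, F/O's clock, else blank (None).
    gps_utc is whatever the GPS reports, so it is fake when spoofed."""
    if gps_operating:
        return gps_utc
    if capt_run:            # captain's SET DATE switch in RUN
        return capt_utc
    if fo_run:              # F/O's SET DATE switch in RUN
        return fo_utc
    return None             # FMC blanks time and fuel-remaining indications

def acars_time(acars_dc_powered, true_utc, **fmc_inputs):
    """ACARS uses its own clock while ACARS DC is powered, else the FMC priority."""
    if acars_dc_powered:
        return true_utc
    return fmc_time(**fmc_inputs)

def cpdlc_uplink_allowed(fmc_utc, true_utc, max_skew=timedelta(minutes=10)):
    """Proposed rule: inhibit uplinks when FMC time is off by more than max_skew.
    Assumption: no FMC time at all also inhibits."""
    if fmc_utc is None:
        return False
    return abs(fmc_utc - true_utc) <= max_skew

# Constructed sample values
TRUE_UTC = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
SPOOFED_GPS = TRUE_UTC - timedelta(hours=2)       # fake UTC from a spoofed GPS
CAPT_CLOCK = TRUE_UTC + timedelta(minutes=4)      # clock set slightly wrong

def scenario(gps_operating, capt_run, max_skew_min):
    """Return (fmc_utc, uplink_allowed) for one constructed scenario."""
    t = fmc_time(gps_operating, SPOOFED_GPS, capt_run, CAPT_CLOCK, False, None)
    return t, cpdlc_uplink_allowed(t, TRUE_UTC, timedelta(minutes=max_skew_min))
```
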

Hardy Heinlin

#98
In PSX the FMC will automatically switch from GPS position update mode to IRS-ONLY position update mode when the GPS ANP gets higher than twice the RNP.

In the previous PSX versions this condition will never happen because the ANP of the GPS is always nearly zero.

But in my current test version this will happen during spoofing. I wonder if this automatic switch function is correct. I can't remember where I got this information from, or if it was just a theory.

Google says that there's no such automatic switch function, and that immediate pilot action is required. I.e. you need to inhibit the GPS manually.

Any opinions?


|-|ardy


Edit: I just found this quote from a Boeing bulletin:
____________________
• FMC may not automatically switch to radio navigation during spoofing
• During spoofing the shown ANP value may momentarily change to a much larger value (e.g., 20 NM), then return to the previous value.

____________________

Well ... what does "may not" mean? I think I will interpret that as "does not".

But I guess I'll simulate this up/down curve in the ANP during spoofing.

Hardy Heinlin

Does anybody know if the FMC time source can be manually switched from the GPS source to the pilot's clock? If so, how?

In PSX it only switches to the pilot's clock when GPS is inoperative.

As we know, when GPS INHIBIT is selected in the FMC, the FMC will use radios or IRS for position updating. Will it use the pilot's clock when GPS is inhibited? In PSX it affects just the position updating, not the FMC time.


|-|ardy