Detection of Replay Attacks to GNSS based on Partial Correlations and Authentication Data Unpredictability

Intentional interference, and in particular GNSS spoofing, is currently one of the greatest concerns of the Positioning, Navigation and Timing (PNT) community. With the adoption of Open Service Navigation Message Authentication (OSNMA) in Galileo, the E1B signal component will continuously broadcast unpredictable cryptographic data. This allows GNSS receivers not only to ensure the data origin authenticity but also to detect replay spoofing attacks for receivers already tracking real signals with relatively good visibility conditions. As the spoofer needs to estimate with almost zero delay the unpredictable bits introduced by OSNMA in order to perform a Security Code Estimation and Replay (SCER) attack, the spoofer unavoidably introduces a slight distortion into the signal, which can be the basis of a spoofing detector. In this work, we propose five detectors based on partial correlations of GNSS signals obtained over predictable and unpredictable parts of the signals. We evaluate them in a wide set of scenarios including different types of receiver and spoofing conditions. Results show that one of the detectors is consistently superior to the others, and it is able to detect SCER attacks with a high probability even in favorable conditions for the spoofer. Finally, we discuss some practical considerations for implementing the proposed detector in receivers, in particular when the Galileo OSNMA message structure is used.