Time-based GNSS Attack Detection Methods

The document discusses a multi-layered defense mechanism for detecting attacks on Civilian Global Navigation Satellite Systems (GNSS) by cross-checking GNSS-provided time against multiple trusted time sources. It evaluates the effectiveness of this method against various types of adversaries, demonstrating the capability to detect time manipulation with high precision. The proposed approach is compatible with existing GNSS receivers and emphasizes the importance of secure time transfer methods to enhance resilience against GNSS attacks.

Time-based GNSS attack detection

Marco Spanghero and Panos Papadimitratos, Fellow, IEEE
Networked Systems Security (NSS) Group – KTH Royal Institute of Technology, Stockholm, Sweden
marcosp@[Link], papadim@[Link]

arXiv:2502.03868v1 [[Link]] 6 Feb 2025

Abstract—To safeguard Civilian Global Navigation Satellite Systems (GNSS) external information available to the platform encompassing the GNSS receiver can be used to detect attacks. Cross-checking the GNSS-provided time against alternative multiple trusted time sources can lead to attack detection aiming at controlling the GNSS receiver time. Leveraging external, network-connected secure time providers and onboard clock references, we achieve detection even under fine-grained time attacks. We provide an extensive evaluation of our multi-layered defense against adversaries mounting attacks against the GNSS receiver along with controlling the network link. We implement adversaries spanning from simplistic spoofers to advanced ones synchronized with the GNSS constellation. We demonstrate attack detection is possible in all tested cases (sharp discontinuity, smooth take-over, and coordinated network manipulation) without changes to the structure of the GNSS receiver. Leveraging the diversity of the reference time sources, detection of take-over time push as low as 150 µs is possible. Smooth take-overs forcing variations as low as 30 ns/s are also detected based on on-board precision oscillators. The method (and thus the evaluation) is largely agnostic to the satellite constellation and the attacker type, making time-based data validation of GNSS information compatible with existing receivers and readily deployable.

I. INTRODUCTION

Global Navigation Satellite Systems (GNSS) provide ubiquitous localization, navigation, and synchronization but are still vulnerable to adversarial manipulation ([1], [2]). Civilian GNSS receivers (at the time of writing) largely rely on unprotected signals (e.g. without cryptographic enhancements at the physical layer or the navigation messages [3], [4]). The Galileo Open Service Navigation Message Authentication and the upcoming GPS Chimera aim at improving this situation ([5]–[7]), however, operational deployment requires time [8]. Nevertheless, cryptographic methods in newly deployed systems will not cover receivers already present in the field, when modifications to the receiver structure are needed. Furthermore, even when authenticated signals are considered, cryptographic protection cannot fully address replay/relay attacks ([9]–[11]).

GNSS receivers are often integrated into network-connected devices capable of various degrees of computational power: in principle, the augmented GNSS receiver can validate the GNSS-provided Position, Navigation, and Timing (PNT) by comparing it with other reference sources. Specifically, we aim at detecting and containing attackers capable of tampering with the GNSS receiver time solution, whether by synchronized signal lift-off or time skips: if such manipulation causes the time part of the solution to drift from the correct time, protection is practical. Furthermore, the challenge is to detect sophisticated adversaries aiming at spoofing the GNSS receiver while, possibly, controlling remote time providers, in a coordinated manner. Such adversaries evade existing time-based defense mechanisms.

As known vulnerabilities can be exploited to manipulate unprotected remote time references, trustworthy reference time information and secure time transfer methods [12] are necessary; in addition to local timekeeping, i.e., embedded oscillators. On the other hand, local time-based tests alone cannot thwart GNSS attacks at cold start. Time information from external, networked servers, as long as those can be authenticated, can mitigate networked-based attacks combined with GNSS attacks. Nonetheless, intermittent network connectivity can deprive the receiver of such external time sources. Naturally, one can combine the two ideas, GNSS-provided time validation based on recurring interaction with networked time servers and, in the meantime, validation based on the local clock hardware.

Building upon the method in [13], this work provides a comprehensive evaluation of time-based GNSS attack detection. We consider heterogeneous clock sources studying their combination based on accuracy, security, and availability. By profiling the individual time reference providers, we optimize the attack detection threshold, the needed computational power, and energy consumption. We show a practical implementation of a testbed using existing cryptographically secure coarse time references (Roughtime [14]), online secure (or insecure) time servers (NTS [15] and NTP [16]), and an accurate local, on-board clock ensemble to provide reliable GNSS attack detection [13].

Extending [13], this work contributes the following:
• An improved, refined method that now considers simultaneously all the time sources available to the system instead of a staged approach (Section IV).
• An implementation of a fine-grained GNSS attacker capable of controlling the GNSS receiver while controlling the network connectivity at the GNSS-enabled platform and we evaluate the performance of the detection system against different classes of attacks (Section III).
• A complete evaluation of the improved method and system against the stronger attacker. We show how optimization of the time source selection is possible based on the quality of the remote and local time references. Additionally, we discuss the security trade-offs of the presented solution, regarding properties of remote time references (Section VI, Subsections VI-E and VI-F).
• Overall, a thorough feasibility investigation showing the method can detect misbehaving GNSS-based time solutions under all the tested scenarios, both for sharp discontinuities of the PNT solution and sustained smooth takeover (Section VI).
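
The cross-check outlined above, written out as an added example (not the authors' implementation): each reachable server is tested with the bound the paper gives later in Eqs. (7) and (8), the most trusted tier decides, and a least-squares drift estimate stands in for the paper's local-clock filter. Server names, trust tiers, bounds, the 20 ns/s limit and all sample values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Assumed trust tiers: Roughtime replies are signed and NTS is authenticated;
# plain NTP is not, so it can never override the other two.
TIER = {"roughtime": 2, "nts": 2, "ntp": 1}


@dataclass(frozen=True)
class Reference:
    name: str
    kind: str       # "roughtime", "nts" or "ntp"
    t_ns: int       # reference UTC at the comparison epoch, in nanoseconds
    bound_ns: int   # R^(s) in Eq. (7), lambda_TR in Eq. (8)


@dataclass
class Verdict:
    accept: Optional[bool]        # None: absolute time cannot be validated
    authenticated: bool = False   # decision rests on an authenticated source
    rejected_by: List[str] = field(default_factory=list)
    overruled: List[str] = field(default_factory=list)  # lower tier disagreeing


def h0(t_gnss_ns: int, ref: Reference) -> bool:
    """Eqs. (7) and (8): H0 holds iff |t_GNSS - t_ref| < bound."""
    return abs(t_gnss_ns - ref.t_ns) < ref.bound_ns


def validate_external(t_gnss_ns: int, refs: Sequence[Reference]) -> Verdict:
    """Test every reachable server; the most trusted tier present decides."""
    if not refs:
        return Verdict(accept=None)
    top = max(TIER[r.kind] for r in refs)
    deciding = [r for r in refs if TIER[r.kind] == top]
    rejected = [r.name for r in deciding if not h0(t_gnss_ns, r)]
    accept = not rejected
    # Less trusted servers are recorded when they disagree, never followed.
    overruled = [r.name for r in refs
                 if TIER[r.kind] < top and h0(t_gnss_ns, r) != accept]
    return Verdict(accept, top >= TIER["nts"], rejected, overruled)


def drift_ns_per_s(samples: Sequence[Tuple[float, float]]) -> float:
    """Least-squares slope of (local clock s, GNSS-minus-local offset ns)."""
    n = len(samples)
    mx = sum(x for x, _ in samples) / n
    my = sum(y for _, y in samples) / n
    sxx = sum((x - mx) ** 2 for x, _ in samples)
    sxy = sum((x - mx) * (y - my) for x, y in samples)
    return sxy / sxx


def smooth_takeover(samples: Sequence[Tuple[float, float]],
                    limit_ns_per_s: float = 20.0) -> bool:
    """Flag a sustained drift of GNSS time against the on-board oscillator."""
    return abs(drift_ns_per_s(samples)) > limit_ns_per_s


def accept_pnt(verdict: Verdict, samples: Sequence[Tuple[float, float]]) -> bool:
    """External check first, then the local clock, which can still reject.

    With no server reachable (accept is None) only the local test runs and
    the absolute offset stays unvalidated.
    """
    if verdict.accept is False:
        return False
    return not smooth_takeover(samples)


# Constructed sample data.
T0 = 1_738_800_000 * 10**9  # arbitrary epoch in ns


def sample_refs(ntp_t_ns: int) -> List[Reference]:
    return [
        Reference("rt-a", "roughtime", T0 + 3_000_000, 1_000_000_000),
        Reference("nts-a", "nts", T0 - 20_000, 100_000),
        Reference("ntp-a", "ntp", ntp_t_ns, 1_000_000),
    ]


RAMP = [(float(k), 30.0 * k) for k in range(60)]                     # 30 ns/s
NOISE = [(float(k), 5.0 if k % 2 == 0 else -5.0) for k in range(60)]  # jitter

if __name__ == "__main__":
    print(validate_external(T0 + 40, sample_refs(T0 + 50_000)))
    # 150 us push, with the unauthenticated NTP reply made to agree with it.
    print(validate_external(T0 + 150_000, sample_refs(T0 + 150_000)))
    print(round(drift_ns_per_s(RAMP), 3), smooth_takeover(NOISE))
```

The second call shows why the tiers matter: the coarse Roughtime radius and the manipulated NTP reply both tolerate the push, and only the NTS bound rejects it.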

II. RELATED WORK

A brief discussion on attacks, followed by an analysis of orthogonal countermeasures that can co-exist with the method explored here prefaces the discussion of related work validating GNSS PNT with the help of local and remote time sources.

Attacking GNSS receivers - Successful overtake of GNSS receivers in the field is possible by spoofing attacks that can be implemented either with signal generation or replay/meaconing ([17]–[20]). The risk of low-sophistication attacks in the wild is high given the availability of low-cost software-defined radio (SDR) hardware and software tools which are openly available ([21]–[23]) even in the case of multi-constellation [24] and multi-frequency modes [25].

Advanced implementations of receiver-spoofer matched adversaries ([26], [27]) rely on signal lift-off techniques: this requires code phase and Doppler shift synchronization at the victim antenna phase center. Additionally, deployment of attacks targeting mobile victims is complex, as precise tracking of the victim antenna is required throughout the attack. In a simpler setting, attacks targeting static timing-dedicated receivers smoothly deceive and control the time solution at the GNSS receiver, with the relevant case of phasor measurement units in smart grids ([28]–[31]). Time Synchronization Attacks (TSA) target the time solution of the GNSS receiver, minimally disturbing the location or navigation part [32]. Even if centimeter-level knowledge of the victim’s antenna position is required to perform a successful synchronized lift-off, code/doppler frequency sweep takeover is possible in commercial receivers. This approach eliminates the need for precise alignment of the spoofer signal and leverages the higher tracking bandwidth of modern receivers to successfully implement the attack [33].

Effective overtake, albeit to a lesser level of control, can be achieved also by signal replay/relay (meaconing): the attacker re-transmits signals corresponding to a different time and/or place at the victim receiver, causing a shift in the PNT solution [9]. Such methods, in a more advanced configuration known as Secure Code Estimation and Replay (SCER) are effective also against cryptographically protected navigation messages and signals ([34]–[36]). Similarly, Distance Decreasing attacks cause significant alterations of the GNSS PNT, even against cryptographically enhanced signals ([37], [38]).

Safeguarding GNSS receivers - To counteract the growing issue of GNSS manipulation, countermeasures to achieve higher PNT solution robustness exist. Carrier-over-Noise ($C/N_0$) analysis with joint measurement of the receiver front-end gain allows detection of spoofing signals observing the power envelope variation and distortion ([39]–[41]). So-called Doppler shift tests in the received signals allow the detection of spoofed signals based on the transmitter frequency error ([42], [43]). Additionally, Receiver Autonomous Integrity Monitoring (RAIM) techniques ([44], [45]) allow detection and exclusion of adversary-crafted GNSS signal, even in case of time-specific faults [46]. Additionally, multi-constellation failure detection [47] and collaborative/cooperative detection methods proved capable of faulty signals detection and exclusion (FDE), hardening the GNSS receiver against adversarial manipulation. Albeit effective, RAIM and FDE methods require significant computation and access to the raw measurement from the GNSS receiver: most consumer-grade GNSS receivers do not integrate native RAIM capability or do not expose raw measurements to the user.

Time-based GNSS PNT validation - Correction services in the L-band contribute to the robustness and accuracy of the PNT solution [48]: L-band corrections leverage an extensive fixed receiver network to provide Real Time Kinematic (RTK) corrections over the network. Methods relying on short-range networks to dedicated receivers or internet-provided correction streams are complemented by satellite-downlink-provided corrections, whose availability is increasing even in the consumer market and are designed to provide centimeter-level accuracy for precise positioning. For time-focused corrections, recent products like Fugro Atomichron promise accurate and reliable time and frequency, but cannot be evaluated at this time [49]. On the other hand, its recent introduction combined with the integration required by the receiver manufacturers will be a major limitation towards the adoption of this system. Generally, while L-band correction services provide accurate aiding information, they require dedicated hardware and modems to operate. This is a major limitation towards adoption in consumer devices and generally low-power devices that are limited. For the attacker, correction services can be effectively used to precisely know the position of the intermediate spoofer antenna, allowing accurate estimation of the lever arm (vector between the reference and victim antenna). This leads to a more precise estimation of the victim’s position, aiding the overtake of the victim receiver.

Commonly available connectivity (i.e., via cellular network) can be used to access alternative PNT information securely, which intuitively can be leveraged for GNSS receiver-provided time validation. Solutions considering single or multiple precision embedded clocks proved successful in detecting offsets and drift in the time solution due to an adversary ([50]–[53]). Receiver autonomous testing of the GNSS clock bias and drift allows monitoring of abrupt changes in the receiver clock bias [54]. While this is often an indicator of spoofing or other adversarial action, it requires the receiver front end to be disciplined with a high-quality local oscillator and rely on moving antennas. While the second is common in mobile devices but is not applicable for fixed installations, the first is usually difficult to achieve in commercial receivers, given that there is no access to the clock interface.

Network time providers enable even sparsely connected receivers to test the accuracy of the GNSS-provided time in respect to a set of remote references ([13], [55], [56]). Such countermeasure complements and augments other methods based on signal properties ([42]) and can be integrated into existing GNSS-enabled platforms without changes to the receiver structure or the existing hardware. Performance assessment of secure time transfer in support of cryptographically enhanced GNSS signals shows that the accuracy of network-provided time is sufficient for use with Chimera [57]. Furthermore, the application of a combination of diverse time references to the current GNSS receivers and signals proved capable
of hardening the security of the receiver [13], [58], but a systematic analysis of the actual capabilities against adversaries targeting both the GNSS receiver and alternative time providers is missing. This work sets out to validate in an extended experimental context (Section V) the methodology shown in [13], [56] when not limited to a staged approach but by considering as a whole any time reference available to the system (as shown in Section IV). An extended advanced attacker model (Section III) is used in a comprehensive evaluation of the results (Section VI) to demonstrate that time-based cross-check of the GNSS PNT solution against heterogeneous time sources is practical.

III. SYSTEM AND ADVERSARY MODEL

The system model recalls the setup from [13] by considering an off-the-shelf consumer GNSS receiver connected to a computation and network connectivity platform. We assume the system has one or more onboard precision reference oscillators to provide high-quality, stable reference time. When not under adversarial control, the GNSS receiver is always the most accurate PNT source available to the system. We assume the system always uses the most accurate PNT available unless a discrepancy against any reference source is detected and the PNT is deemed to be under attack. Under such conditions, the most trusted time reference is selected.

As the time sources available to the system (which can consist of either enhancements to the system components, or provided by network-connected entities, beyond the GNSS receiver) are different, clear assumptions are needed for the level of trustworthiness and performance required. Time references that are within the hardware boundaries of the GNSS-enabled system (e.g. its packaging) are trusted, meaning the hardware device cannot be compromised. Time sources external to the GNSS-enabled system (e.g., network-provided time) are deemed not trusted unless cryptographically protected, authenticating the communication and validity of the time information. Still, the system can use both trusted and untrusted network time providers, but in case of a discrepancy among the time solutions, it will resort to the most trusted provider, even at a penalty of reduced accuracy. Furthermore, we do not make any strict assumption on connectivity (which could be unavailable due to a benign fault or adversarial action), hence we do not require a constant exchange of information with the connected time references.

Additionally, at startup, the receiver can have no current knowledge of the state of the constellation and the time offset of its embedded oscillator (cold start) or the receiver has already acquired a valid solution and obtained recent constellation status updates.

We consider the case of a single constellation GNSS receiver, specifically GPS: this does not limit the scope of the countermeasure shown here as it is compatible with different GNSS systems or even combinations of multiple constellations (i.e. multi-constellation GPS and Galileo receivers). The objective of the receiver is to solve Eq. (1), where $p$ is an $n \times 1$ vector of pseudoranges observations, $H$ is an $n \times 4$ observation matrix, $x = [x, y, z, t]$ is the receiver state vector of location and time offset at the victim receiver, and $v$ is the total system noise.

$$p = Hx + v \tag{1}$$

Precise timekeeping is key for all GNSS systems to measure the distance between the receiver and each satellite. In Eq. (2), the satellite-receiver pseudorange for satellite $(s)$ in the $i$-th band is a function of the receiver’s time at signal reception time, $\bar{t}_r$.

$$P_{r,i}^{(s)} = c\,(\bar{t}_r - \bar{t}^{(s)}) \tag{2}$$

Eq. (2) can be expressed as a function of the geometrical range $\rho_r^{(s)}$, the receiver and satellite clock biases $dt$ and $dT$ respectively (for simplicity, we purposely exclude any atmospheric correction terms as they only represent additive errors). The resulting equation is shown in Eq. (3), where $\epsilon_p$ represents all the measurement and instrumentation delays in the system.

$$P_{r,i}^{(s)} = \rho_r^{(s)} + c\,\big(dt_r(t_r) + dT^{(s)}(t^{(s)})\big) + \epsilon_p \tag{3}$$

The transmission time (Eq. (3)) at the satellite can be obtained based on the Time of Week (TOW) in the navigation message, once the tracking loops lock in the satellite signals, while the receiver time offset (e.g., the time difference between the receiver’s time and the satellite time) is progressively refined. Based on the information obtained from the Locked Delay Loop and its reference clock, the GNSS receiver can obtain the actual pseudorange for one reference satellite. Based on this reference signal, the GNSS receiver derives the relative reception time of all the other satellites and their pseudoranges. Finally, it can calculate the full PNT solution. Once the receiver is fully locked to the GNSS signal, and has a PNT solution the local clock error is corrected.

An adversary, crafting GNSS signals consistent with its objective can control the GNSS receiver time. Due to the open structure of GNSS signals, an attacker can create signals with valid modulation, information content, and spectral components. Additionally, navigation message information is also open and can be obtained either on the spot by direct download from the GNSS constellation or using an internet-based reference information provider. Under spoofing conditions, the output of the correlator of the victim receiver can be modeled, for the in-phase and in-quadrature components as Eqs. (4) and (5), where $P$ denotes the power of the receiver signal; $R$ and $NAV$ are the autocorrelation function and the navigation message, respectively; $t$, $f$ are the code and frequency offset deviations; $\psi$ is the frequency tracking error and $T_{coh}$ is the coherent integration time.

$$I_v = \sqrt{P_a}\,NAV_a\,R(t_a)\,\mathrm{sinc}(f_a T_{coh})\cos(\psi_a) + \sqrt{P_s}\,NAV_s\,R(t_s)\,\mathrm{sinc}(f_s T_{coh})\cos(\psi_s) + \eta_I \tag{4}$$

$$Q_v = \sqrt{P_a}\,NAV_a\,R(t_a)\,\mathrm{sinc}(f_a T_{coh})\sin(\psi_a) + \sqrt{P_s}\,NAV_s\,R(t_s)\,\mathrm{sinc}(f_s T_{coh})\sin(\psi_s) + \eta_Q \tag{5}$$

In Eqs. (4) and (5), the notations $s$ and $a$ denote the spoofed and authentic signals respectively.

The modified model for the PNT solution at the GNSS receiver under adversarial control, based on Eq. (1), takes into account $S$, the result of the spoofed signals tracked by the receiver as shown in Eq. (6).

$$p = Hx + S + v \tag{6}$$

For an adversary to be considered as such it needs to cause a tangible deviation in the legitimate time information either on the GNSS side or by controlling the network-provided time. This means that an adversary simply replacing legitimate signals with matching fake signals cannot be considered harmful, as the resulting time information would still be correct. Adversaries below the application requirement level (e.g. causing a deviation that can be accounted for in the normal noise level tolerated by the specific application) are often undetectable by application and data layer methods.

An unrefined attacker would generate signals matching an $x$ solution matching the attacker’s intent without any awareness of the legitimate signals. Given enough power advantage or with a combination of a short jamming pulse, the adversary first causes a loss of lock in the victim, following re-acquisition on the higher-power adversarial signals; the GNSS receiver is tricked into obtaining a fake PNT solution. Due to the lack of synchronization between the GNSS frames in the real and fake signals, sharp discontinuities in the PNT solution can be observed in the time component.

To successfully mount a synchronous attack, the attacker aligns the simulated signals with the ones that are currently being tracked by the victim receiver. To do so, two requirements need to be satisfied: code phase and Doppler shift offsets of the simulated signals need to be within the bandwidth of the tracking loop and the transmission time of the simulated signals need to match the start of the GNSS subframe. The parameters for the initialization of the adversarial signals in Eqs. (4) and (5) are obtained by an intermediate receiver: Doppler shift and current code phase at the victim are corrected to the intermediate receiver antenna position by calculating the lever arm between the estimated position of the victim receiver and the attacker antenna. Additionally, navigation bits are obtained from publicly available distribution services (e.g., NASA CDDIS, Novatel) or through the intermediate receiver itself. Given the long repetition period (12.5 min) the navigation data bits are fully predictable.

We are agnostic in terms of the specific type of attack mounted by the adversary to control the victim receiver with the following limitation: the attacker spoofs civilian (encryption-less) signals without cryptographical enhancements, which are compatible with the majority of the available receivers¹. The GNSS attacker model in this work is generic and analyzes the effect of an adversary causing variations, sharp or smooth, in the receiver time solution without limiting the adversarial action’s aim which could be the receiver’s time itself or its position. Any attack capable of independent modification of the position solution without disturbance of the time solution, if achieved, would be undetectable by any countermeasure monitoring the receiver clock solution, including the one discussed here².

Additionally, a gamut of more traditional attacks targeting the synchronization and timing infrastructure exists ([60]–[62]), specifically focusing on network time manipulation. For this reason, we extend the attacker action beyond the GNSS receiver to the communication link between the GNSS-enabled platform and the Internet. Specifically, attacks focusing on the protocol and latency aspects of network-based time provision can be combined with time-aligned GNSS overtake to minimize the detection probability. Such an adversary can control the victim’s access to the network-provided time by denying, limiting, or tampering with the network access. In addition, the attacker can impersonate one or more selected servers among the ones available to the victim. Attacks on the Network Time Protocol (NTP) show that a strategically placed attacker can modify the perceived time at the victim by fully or partially controlling the victim’s interaction with the remote NTP time server (or server pool) specifically when no cryptographic protection is provided. As a result of the combination of the attack surfaces, on the GNSS receiver and the network side, a complex adversary is considered, capable of different coordinated action on multiple components of the system, as shown in Fig. 1.

[Figure 1. Diagram labels: Network-based time infrastructure, Internet access, Computing device, GNSS-enabled device, GNSS receiver, Local clock; adversary actions: Latency control, Impersonation, Spoofing.]

Fig. 1: An adversary capable of targeting the GNSS receiver and the network-based time reference.

¹ Other complex attacks that are possible against cryptographically enhanced receivers (such as Secure Code Estimation and Replay (SCER)) are beyond the scope of this work. An attacker can not maintain consistency of both the time and position solution at the onset of a SCER attack ([59]), making it a good candidate for detection based on consistency of the time solution. On the other hand, the sophistication for such attacks to be successful makes them unlikely against low-value targets. Nevertheless, considering SCER attacks is worth a dedicated investigation.

² This is an intrinsic limitation of any time-based countermeasure. Beyond specific attacks designed for particular conditions (e.g., static receiver, controlled environment), attacks to be expected in the wild are likely to be less sophisticated, likely causing some level of variation in the clock solution. Because of this, even if all-around assurance of the PNT solution is hard to guarantee based on the clock solution only, it is still a good indicator of likely misbehavior. Additionally, there is no limitation to combining this method with other detection schemes targeting different PNT aspects.

IV. METHODOLOGY

Building upon [13], we introduce a significant change in the way the fusion of multiple sources is performed. Intuitively,
although the method in [13] is effective, there is no limitation in the specific order external and internal time references are combined, based on the available resources and connectivity. The GNSS receiver continuously provides the system with PNT updates, as long as enough satellites are in view. Similarly, provided that sufficient connectivity is available, the device can track an arbitrary number of remote time references while monitoring the local oscillator. Based on this, the GNSS-enabled platform is provided at any given moment with a variety of different time providers, beyond the GNSS receiver itself, that can be used to validate the GNSS-based time. Intuitively, the system can combine whatever time reference is available, and based on the comparison with the GNSS receiver time, decide if the GNSS-based timestamp is to be deemed trusted.

As an adversary could capture the receiver before the first legitimate fix is obtained, it is important to protect the initial acquisition process, bounding the initial PNT solution (and by extension the initial receiver offset) within an error of a trusted time source.

[Figure 2. Flowchart labels: PNT Solution, External time tracking, Internal time tracking, Sources OK, Validation OK, Validation fail, Resync, PNT Reject, PNT Accept, Wait new PNT; steps numbered 1, 2a, 2b, 3a, 3b, 4, 5a, 5b.]

Fig. 2: Logical test progression

The logical progression is shown in Fig. 2: at startup, the platform starts monitoring the GNSS receiver and any available time reference based on its local oscillator. Once a PNT solution is available (Step 1), the device needs to test the validity of the GNSS-based time information. One immediate issue arises if no previous knowledge about the current correct time is available and no remote time reference is reachable: in such a situation, the device could already be under attack but unable to validate the absolute time offset. In such a scenario, the device can only detect changes that happen by leaving the spoofer-affected area or when the spoofing signal transmission stops, allowing the receiver to lock on real signals.

If connectivity is available (even for short time), the device tests if the GNSS-provided time is comparable with the one obtained from the available remote time source. If the check corroborates the validity of the GNSS-provided time (Step 2a), the GNSS time is tested against the local clock. Otherwise, the GNSS platform rejects the GNSS-provided time and marks the time solution as untrusted (Step 2b), until a new PNT solution (Step 4). The confidence the platform has in this decision depends on the accuracy of the available time sources and their perceived level of trust.

At this point, the system has current knowledge of the time offset and can rely on the onboard clock to track the status of the GNSS-based time, monitoring changes in the drift or time offset. Upon successful integration of the clock parameters (Step 3a), the PNT solution is considered valid; it is otherwise discarded (Step 3b). Notably, the PNT solution can still be discarded based on the local clock information even if the validation based on the external time tracking is successful. Additionally, the system can rely on the local oscillator to keep track of drift and jitter in the reference sources (Step 5a). Periodic re-synchronization with the remote time server, based on its assumed performance and the available connectivity, allows for re-calibration of the local oscillator (Step 5b).

A. External time reference providers

In regards to external time reference providers, we limit our scope to two types of time providers (Roughtime and NTP/NTS). Google Roughtime provides secure and digitally signed time information from an ecosystem of trusted providers. Notably, this is not a time transfer method (there is no two-way delay compensation) but more a secure time validation. NTS (and to a certain extent, NTP) allows secure synchronization with precise two-way delay estimation against a remote time source but requires stable connectivity.

Once the receiver solves Eq. (1) for $dt_r$, it obtains the time offset between the receiver clock and the GPS timescale. The PNT solution is often expressed as aligned to the UTC scale, which means that the receiver also compensates for leap seconds that correspond to the offset between the GPS timescale and UTC. Google Roughtime achieves a high level of time distribution assurance by providing digitally signed coarse time information. To obtain secure time verification, a client creates a request to a remote time reference and obtains a digitally signed reply containing the authenticated time. A Roughtime measurement is $T_{RT}^{(s)} = \{t^{(s)}, R^{(s)}\}$, which are the absolute timestamp of UTC and the server’s confidence radius, which indicates the server’s estimate of its accuracy. Consider $t_{GNSS}$ and $t_{RT}^{(s)}$, the receiver-provided UTC and the Roughtime timestamp. We can write the following binary hypothesis test for any Roughtime server available in the ecosystem:

$$H_i = \begin{cases} H_0 & \text{if } |t_{GNSS} - t_{RT}^{(s)}| < R^{(s)} \\ H_1 & \text{otherwise} \end{cases} \tag{7}$$

The result of Eq. (7) determines if the GNSS-provided UTC scale is aligned with a trusted UTC scale (i.e. after the initial validation, but at any epoch in time the receiver is providing a PNT solution). Even though Roughtime is not nearly as accurate as GNSS, it has the advantage, as corroborated in Section VI, that even in adverse network conditions it can provide reliable time estimates.

Based on the available connectivity quality, the NTS server pools allow direct verification of the GNSS time offset. This
6

is performed by simply differencing the GNSS-obtained time


and the one (or multiple) obtained from the NTS pool, with an
approach similar to Eq. (7). In this case, the test, valid for each NTS server reachable at any epoch, is shown in Eq. (8), where $t_{NTS}^{(s)}$ is the NTS derived time and $\lambda_{TR}$ is a threshold obtained based on the quality of the remote NTS source (which can be configured based on the application requirements).

$$H_i = \begin{cases} H_0 & \text{if } |t_{GNSS} - t_{NTS}^{(s)}| < \lambda_{TR} \\ H_1 & \text{otherwise} \end{cases} \tag{8}$$

Generally, the hypothesis is tested for each server the NTP/NTS client process on the GNSS device is monitoring, which can create issues regarding the agreement of different time sources. Cross-checking of the multiple NTS/NTP servers can be achieved either by evaluating the output of the single hypothesis for each test or by combining the NTP/NTS time estimates as shown in Subsection IV-D and then testing the hypothesis on the compound time estimate.

B. Internal time reference providers

Precise local oscillators can continuously oversee the state of the receiver. Their usage is two-fold: first, the embedded oscillator establishes a local timescale with a known offset to the GNSS time (potentially zero) and allows monitoring of the time solution even in the absence of connectivity. Second, if connectivity is present, the local oscillator can be used jointly with the external time validation and to monitor any external time reference. Intuitively, within the provided stability window of the local oscillator, the progression of time in the GNSS receiver and in the local timescale is identical, allowing the platform to monitor for any unexpected behavior of the GNSS-based time solution. During an attack causing the manipulation of the GNSS receiver time offset, a discrepancy is measured between the local timescale and the GNSS-provided one even without internet connectivity. Consider the model from Eq. (9), normally used for a GNSS clock, where $d$, $b$ are the clock drift and bias respectively, and $w_d$, $w_b$ are the process noise values for clock drift and bias.

$$\begin{bmatrix} \dot{b} \\ \dot{d} \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ 0 & 0 \end{bmatrix} \begin{bmatrix} b \\ d \end{bmatrix} + \begin{bmatrix} w_b \\ w_d \end{bmatrix} \tag{9}$$

The inter-scale clock bias $\Delta_{1,2}$ between the local oscillator timescale and the GNSS one is an uncorrelated random-walk variable. A Kalman filter tracks the state of the timescale difference jointly with the frequency difference between the GNSS disciplined clock and the reference oscillator. Over short periods, both legitimate GNSS time and onboard precision reference are stable and with negligible drift. At the update step, the system can reject new measurements based on the confidence interval derived from the covariance update step. New measurements can be discarded if $\hat{x}$ (the measured vector of offset and drift for each clock in the system) is not within the $S$ confidence values of the predicted $x$, shown in Eq. (10), where $S$, $H$, $P$, $R$ are the covariance, measurements, prediction, and measurement noise matrices.

$$\begin{aligned} S(t_{n+1}) &= H(t_{n+1}) P(t_{n+1|n}) H^T(t_{n+1}) + R \\ \hat{x} &= x(t_{n+1|n}) \pm \mathrm{diag}(S(t_{n+1})) \end{aligned} \tag{10}$$

Innovation testing based on Eq. (10) only considers one measurement at a time: the intuitive extension is to consider a sequence of $m$ state estimates $x$ on which a windowed statistic, and estimate variance and expected for all values within the window. This proves to be a powerful yet computationally expensive tool [13], which helps in the case of lower-quality local oscillators.

C. Extracting remote clock properties using Allan variance

From a practical standpoint, periodic checking of the GNSS time solution against a set of trusted time sources can be done by simple comparison. Several issues arise in doing so, which we highlight here. First and foremost, it is challenging to meaningfully compare time sources that declare different levels of accuracy and stability. As an example, a healthy GNSS-provided time pulse has a resolution in the order of $10 \times 10^{-6}$ s (Fig. 10), while an internet-provided NTP server can provide only $10 \times 10^{-5}$ s (at best) accuracy, depending on the network path latency. Second, not all time sources provide time in the same way: relative frequency stability and absolute time stamping are not necessarily ubiquitous but depend on the specific time source and possibly the network condition for external time references.

One major difficulty in establishing "clusters" for different time sources comes from the observability of the individual clock parameters: testing an oscillator's quality and stability requires observing the behavior of the clock over long periods. Time and frequency quality characterization is often performed using a clock whose intrinsic properties are better than the one under test. For this reason, the extraction of quality measurements based on sparse observations where the local time reference is often of lower quality than the remote one (which can either be the GNSS system or the network time infrastructure) is difficult and prone to artifacts caused by the local clock.

Practically, one needs a good indicator of the quality of the remote time source to be used as a binning metric to establish a quality ranking between different time sources, allowing progressive refinement of the belief in a specific time reference based on the length of the observation period.

The Allan variance is a statistical metric commonly used in the frequency domain to easily interpret the quality of a clock source [63]. Specifically, it is dimensionless, it provides information regarding the measurement interval, and it allows for direct comparison of heterogeneous clock sources, capturing not only the stability but also the noise sources and their type. It can be used to rank the available time sources based on their quality over time. Allan variance is defined as Eq. (11), where $\tau$ indicates the integration step (usually defined in decades) and $\langle \ldots \rangle$ denotes the expectation operator.

$$\sigma_y^2(\tau) = \frac{1}{2\tau^2} \left\langle (x_{n+2} - 2x_{n+1} + x_n)^2 \right\rangle \tag{11}$$
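Eq. (11) can be evaluated directly on logged time-error samples. The following Python sketch is an added example, not the authors' code: it estimates the Allan deviation with the overlapping estimator, fits its log-log slope and labels the noise region with the characteristic slopes this section uses (-0.5, 0.0, 0.5, +1). The synthetic clocks, their noise levels and all function names are constructed for illustration.

```python
import math
import random

# Characteristic log-log slopes of the Allan deviation used to label a region.
SLOPES = {"white noise": -0.5, "flicker noise": 0.0, "random walk": 0.5, "drift": 1.0}


def allan_deviation(x, tau0, m):
    """Allan deviation at tau = m * tau0 from time-error samples x [s].

    Eq. (11): sigma_y^2(tau) = <(x[n+2] - 2 x[n+1] + x[n])^2> / (2 tau^2),
    with the three samples spaced by tau. The expectation is estimated with
    the overlapping estimator (every start index is used), which is a choice
    made for this example.
    """
    n_terms = len(x) - 2 * m
    if m < 1 or n_terms < 1:
        raise ValueError("need at least 2*m + 1 samples")
    tau = m * tau0
    acc = 0.0
    for i in range(n_terms):
        d = x[i + 2 * m] - 2.0 * x[i + m] + x[i]
        acc += d * d
    return math.sqrt(acc / (2.0 * tau * tau * n_terms))


def loglog_slope(taus, adevs):
    """Least-squares slope of log10(adev) against log10(tau)."""
    lx = [math.log10(t) for t in taus]
    ly = [math.log10(a) for a in adevs]
    mx, my = sum(lx) / len(lx), sum(ly) / len(ly)
    num = sum((a - mx) * (b - my) for a, b in zip(lx, ly))
    den = sum((a - mx) ** 2 for a in lx)
    return num / den


def classify(x, tau0, factors=(4, 8, 16, 32, 64)):
    """Return (label, slope, adevs) for the tau range spanned by `factors`."""
    taus = [m * tau0 for m in factors]
    adevs = [allan_deviation(x, tau0, m) for m in factors]
    slope = loglog_slope(taus, adevs)
    label = min(SLOPES, key=lambda k: abs(SLOPES[k] - slope))
    return label, slope, adevs


def integrate(freq, tau0):
    """Time error x[k] accumulated from fractional-frequency samples."""
    x, out = 0.0, [0.0]
    for y in freq:
        x += y * tau0
        out.append(x)
    return out


def synthetic_clocks(n=20000, tau0=1.0, seed=7):
    """Constructed time-error series for three clock behaviours."""
    rng = random.Random(seed)
    white = [rng.gauss(0.0, 1e-9) for _ in range(n)]      # white frequency noise
    walk, acc = [], 0.0
    for _ in range(n):                                    # random-walk frequency noise
        acc += rng.gauss(0.0, 5e-12)
        walk.append(acc)
    # same white noise plus a linear frequency drift of 1e-9 per second
    drifting = [w + 1e-9 * k * tau0 for k, w in enumerate(white)]
    return {
        "white_fm": integrate(white, tau0),
        "random_walk_fm": integrate(walk, tau0),
        "drifting": integrate(drifting, tau0),
    }


def rank_by_stability(series, tau0, m):
    """Order clock names from most to least stable at tau = m * tau0."""
    return sorted(series, key=lambda name: allan_deviation(series[name], tau0, m))


if __name__ == "__main__":
    clocks = synthetic_clocks()
    for name, x in clocks.items():
        label, slope, _ = classify(x, 1.0)
        print(f"{name:15s} slope={slope:+.2f} -> {label}")
    print("ranking at tau = 60 s:", rank_by_stability(clocks, 1.0, 60))
```

A source whose slope sits near +1 at the validation interval is drift-dominated there and should not be binned with sources that are still in their white-noise region.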
It is important to note how meaningful comparisons can be extracted between clocks only where they exhibit the same behavior, defined by the accuracy over the integration period. This can be obtained by direct analysis of the Allan deviation, notably its slope. There are characteristic values at which it is evaluated: the White Noise rate ($\sigma_N$), where the Allan deviation has a slope of −0.5, Flicker Noise ($\sigma_K$), with a slope of 0.0, and Random Walk ($\sigma_B$), with an Allan deviation slope of 0.5. Finally, the integration period beyond which the clock accuracy is dominated by drift is characterized by an Allan deviation slope of +1. In this region, the clock error grows too fast to be used as a valid time reference against the GNSS time solution. Such indicators give visual and immediate feedback on the quality of a time source or its behavior when under adversarial control. Further detail on the derivation, calculation and evaluation of such parameters can be found in [64].

Two clocks exhibiting comparable values of the Allan deviation at the same integration time are likely to exhibit the same properties. Consequently, quality indicators extracted from the Allan deviation can be used to cluster different clocks at different integration times. Intuitively this means that the system tries to cluster together clocks that are comparable at the specific observation interval the validation system is operating (e.g. we compare every 60 s clocks that exhibit similar drive and frequency offset when evaluated at the same interval). This is specifically true for external time sources, whose quality depends on their clock accuracy, network access, and congestion.

D. Solution testing based on multiple references

Fig. 3 shows how the combination of multiple sources is achieved. Each time reference is authenticated (if provided with cryptographic information) and independently monitored to keep track of the individual clock performances, allowing for minimal self-check on the clock source. The latter is achieved by monitoring the skew and by continuously updating the Allan deviation metric. Each timestamp, based on its properties, is fed to the test block that compares it with the GNSS-provided time solution (based on the approach devised in Section IV), providing the final application with a security and robustness estimation of the GNSS receiver's timing.

Fig. 3: Solution testing based on multiple references.

Once quality indicators are obtained using the Allan deviation, it is possible to compare the PNT solution provided by the GNSS receiver against any available time provider. While the local clock has known and stable properties and its availability is guaranteed, this is not necessarily true for the external time references, which can be added to and removed from the time check. Similarly to what is adopted in NTP clock selection, Marzullo's algorithm [16] can be exploited to decide if there is an agreement between the multiple network-based references and the GNSS receiver's time.

The selection of overlapping time sources is based on two parameters $\theta$, $\rho_d$, the declared time and the root distance respectively (for consistency with the IETF NTPv4 standard, as defined in [16], [65]). For each available time source, we calculate the upper and lower bounds of the declared time interval as $[\theta - \rho_d, \theta + \rho_d]$. Differently from the Marzullo algorithm, we take as a reference point the GNSS-provided time and consider how many overlapping intervals contain the GNSS-provided one. Three outcomes exist: all intervals are in agreement with the GNSS time, only a subset of intervals contain the GNSS time, and no interval overlaps with the GNSS-provided time. In the first case, the outcome is trivial, as all servers agree with the GNSS-provided solution which is correct. In the last case, as there is an agreement on the time references, the GNSS-provided time can be considered as the misbehaving one. The remaining case requires careful consideration, based on the number of agreeing sources. This approach is suitable even in the presence of non-authenticated sources, given that it takes into account both the stability of the time source (measured using the Allan variance) and the properties of the network link, monitored by updating the root distance.

The system aims to quantify the quality of the "fused time" and the assurance level it can provide to the GNSS-provided time. While accuracy and stability are easily quantifiable with the same quality metrics used in the qualification of the time sources, applied to the overlapping intervals, the latter is more complex. Primarily, it requires establishing the trust level the user has for each time reference: intuitively, reference sources that rely on cryptographic methods to protect the time transport provide a higher level of trust than those that do not. The trade-off that can be set in the time fusion state machine depends on the specific requirements of the application leveraging GNSS-derived time. Based on these assumptions, the system ranks network-based time based on the level of trust and calculates the assurance level of the detector output, where assurance levels indicate the level of trust the system has in the decision of the detector based on the trust in the reference time.

It is important to note that the current consumer devices focus on availability, meaning that a time solution (e.g. GNSS-based) is always provided to the user. Critical time systems instead shift focus towards constant accuracy, meaning that the time solution provided to the user supposedly does not degrade over time. Systems that do not require maximum accuracy or availability can instead pursue a different path: the selection of the reference clock is based on the perceived level of trust a specific reference has when compared to its accuracy. This allows the user to trade off accuracy or availability depending on the level of assurance the application requires for the time information.
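The interval test described in this subsection, as an added Python example that is not the authors' implementation: each reference contributes the interval [θ − ρd, θ + ρd], the GNSS-provided time is checked against every interval, and Marzullo's algorithm reports how many references agree with each other. The majority rule for the partial-agreement case, the trust weights, the assurance formula and the sample sources are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeSource:
    name: str
    theta: float                 # declared time [s], relative to a common epoch
    rho_d: float                 # root distance [s]
    authenticated: bool = False  # True if the time transport is authenticated

    @property
    def interval(self):
        return (self.theta - self.rho_d, self.theta + self.rho_d)

    def contains(self, t):
        lo, hi = self.interval
        return lo <= t <= hi


def marzullo(sources):
    """Largest set of mutually overlapping intervals: (count, lo, hi)."""
    edges = []
    for s in sources:
        lo, hi = s.interval
        edges.append((lo, -1))   # start edge; sorts before an end at the same offset
        edges.append((hi, +1))   # end edge
    edges.sort()
    best = count = 0
    best_lo = best_hi = None
    for i, (offset, kind) in enumerate(edges):
        count -= kind
        if count > best:
            best, best_lo, best_hi = count, offset, edges[i + 1][0]
    return best, best_lo, best_hi


# Hypothetical trust weights: authenticated sources count twice as much.
TRUST = {True: 1.0, False: 0.5}


def check_gnss_time(t_gnss, sources):
    """Test the GNSS-provided time against every reference interval.

    Outcomes follow the three cases in the text: all intervals contain the
    GNSS time, none does, or only a subset does. The assurance value is the
    trust-weighted share of sources consistent with the verdict (assumption).
    """
    agreeing = [s for s in sources if s.contains(t_gnss)]
    disagreeing = [s for s in sources if not s.contains(t_gnss)]
    n, k = len(sources), len(agreeing)
    consensus = marzullo(sources) if sources else (0, None, None)

    if n == 0:
        verdict = "inconclusive"
    elif k == n:
        verdict = "accept"                    # every reference agrees with GNSS
    elif k == 0:
        # references agree among themselves but not with GNSS
        verdict = "reject" if 2 * consensus[0] > n else "inconclusive"
    else:
        verdict = "accept" if 2 * k > n else "suspect"   # assumed majority rule

    total = sum(TRUST[s.authenticated] for s in sources)
    if verdict == "accept":
        support = sum(TRUST[s.authenticated] for s in agreeing)
    elif verdict in ("reject", "suspect"):
        support = sum(TRUST[s.authenticated] for s in disagreeing)
    else:
        support = 0.0
    return {
        "verdict": verdict,
        "agreeing": [s.name for s in agreeing],
        "disagreeing": [s.name for s in disagreeing],
        "consensus": consensus,
        "assurance": support / total if total else 0.0,
    }


def sample_sources():
    """Constructed references: three NTS, one NTP, one misbehaving NTP server."""
    return [
        TimeSource("nts-a", 0.00002, 0.00012, True),
        TimeSource("nts-b", -0.00003, 0.00015, True),
        TimeSource("nts-c", 0.00001, 0.00010, True),
        TimeSource("ntp-d", 0.00005, 0.00040, False),
        TimeSource("ntp-bad", 0.01200, 0.00050, False),
    ]


if __name__ == "__main__":
    refs = sample_sources()
    for label, t in [("benign", 0.00003), ("150 us shift", 0.00018), ("5 ms push", 0.005)]:
        r = check_gnss_time(t, refs)
        print(f"{label:13s} {r['verdict']:8s} assurance={r['assurance']:.3f} "
              f"disagreeing={r['disagreeing']}")
```

In the constructed data the loose interval of the unauthenticated source still contains the shifted GNSS time, which is why the root distance of each reference bounds the smallest deviation this test can flag.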
V. IMPLEMENTATION

The components described in Section IV are implemented in an experimental testbed, as shown in Fig. 4. Additionally, the testbed implements an extended attacker based on the model provided in Section III capable of recreating advanced signal lift-off and simulation attacks jointly with disturbances on the network link of the victim.

The reference device unit in Fig. 4 is used as a reference system to validate the results, while the target device unit in Fig. 4 is the experiment target, connected to the GNSS spoofer. Both systems are based on an Altera DE0-SOC FPGA and are provided with a ZED-F9P GNSS receiver. Each node has internet connectivity and the same set of remote time servers, part of a publicly available network time infrastructure. For monitoring and logging purposes, the target device unit can measure its local clock offset against the reference device unit directly, on a local network connection.

Fig. 4: Experimental testbed for time-based GNSS validation.

An attacker capable of spoofing GPS signals and controlling the network link is connected to the target device unit, which receives a combination of original and spoofed signals. The spoofer is capable of deploying either coarse spoofing signals (without any synchronization to the real signals) or refined spoofing signals (aligned with the real constellation, using the reference receiver). Due to regulatory limitations, the transmission of the spoofing signals is conducted over cable, and the attacker-simulated signals are combined with the original signals at the test device unit GNSS receiver antenna.

For the refined attack, we adopt a similar strategy to [33], consisting of generating signals that are synchronized to the legitimate ones within the error margin of the victim receiver tracking loops. The functional blocks of the spoofer are shown in Fig. 5. In addition to live sky information obtained with the intermediate receiver, the radio front end and DSP clocks are synchronized, using a GPS-disciplined clock, with the real GNSS signal to lock the transmission time start with the GNSS frame start. This has a dual purpose: in addition to precise absolute transmission start time, it allows accurate frequency control of the transmitter, making it harder for the receiver to apply countermeasures based on Doppler monitoring or other signal parameters.

Fig. 5: Spoofing system with live sky synchronization.

Control of the victim receiver is achieved by modifying the code phase and Doppler shifts of several or all satellites to achieve the pseudoranges matching the attacker's target PNT solution [26]. The modification of the pseudorange needs to be slow and progressive to avoid loss of lock at the receiver (Fig. 6). There is a trade-off between attack aggressiveness (i.e. drift rate of the time solution at the GNSS receiver), attack objective, and access to the GNSS-enabled system that is unlikely to be known in advance and can favor the defense mechanism. A progressive stretch in the pseudoranges makes the victim receiver time solution lag behind the legitimate PNT, as the satellites are perceived to be further away from the victim receiver. Similarly, a decrease in pseudorange distance causes an acceleration of the time perception at the victim.

Fig. 6: Example of ramp generation for pseudoranges steering: the ramp controls the rate of change of the pseudorange in meters per iteration of the spoofing signal update.

Fig. 7 shows the mode of operation of an advanced attacker considered in this work: initialization of the simulation signals, the transmission of the attack signals, the start of the pseudorange ramp pull, an increase of the pseudorange ramp speed, stabilization of the attack and finalization of the adversarial objective.
(a) Pseudorange difference (reference vs target). (b) Pseudorange rate of change (reference vs victim).
Fig. 7: Adversary control profile at the victim receiver and comparison with ground truth from a reference receiver, in terms of pseudorange difference (a) and pseudorange rate of change (b). The dashed line indicates the beginning of the attack.

VI. RESULTS AND ANALYSIS

We organize the analysis in the following way: first, we discuss the profiling of the alternative time sources and the main limitations that arise regarding their use as time sources, both from an accuracy and security perspective. To achieve effective detection of misbehavior in GNSS-provided time, an analysis of the performance of the alternative time source is required. Second, we test the time-test countermeasure against a simplistic and an advanced attacker and discuss the effect such an attacker has when coherently tampering with the network link. Tests are performed with both NTP and NTS servers, when available. To the best of our knowledge, all servers provided by Netnod provide the same performance in NTP and NTS mode, with a minimal increase in computation caused by NTS at the client side (which, on most modern platforms, is negligible). Last, we discuss the limitations of the method and the role of the local clock in adaptive sampling for the remote time sources.

A. Remote time providers classification and performance

As discussed in Section IV, different time providers available to the system can be classified based on availability, accuracy, and security level. These results will analyze how the performance of the remote (or local) time servers allows validation of the GNSS time solution: a thorough analysis of the quality of the public Roughtime and NTS infrastructures is worth a separate investigation. Notably, since the previous investigations [13], the Roughtime ecosystem did not grow; instead, several servers are unavailable. This limits the possibility of testing different servers at different locations. We focus on two relevant time providers located in California ([Link]) and at Cloudflare ([Link]) which are the most reliable and available. Figs. 8a and 8b show the Allan deviation (Eq. (11)) for the server timestamp (reference), the local timestamp (target) and the inter-system offset. While Roughtime is not designed specifically for accuracy but mainly targets security and non-reliability of the time source, the servers exhibit better stability and accuracy than what is specified in the corresponding RFC ([14]). Although the servers perform similarly, Fig. 8a shows comparatively worse stability due to the higher network latency, which becomes the dominant factor at longer integration times.

To be fully functional, Roughtime requires a healthy ecosystem of 3 or more servers to allow chaining of the requests and cross-validation. At the moment, such infrastructure is not available or reliable (except for the two servers tested here), limiting the applicability of the system beyond a simple interval-based cross-check and majority agreement.

Similarly, the performance of NTP/NTS and NTS servers is also analyzed using Eq. (11). Fig. 9 shows the performance of geographically diverse servers over a publicly available internet connection. Specifically, we focus on five servers located in the same country as the measurement system which are provided by Netnod, and three servers provided by NIST. As in the Roughtime case, the network latency dominates the error, but in this case, the effect is more subtle. While the worst NTP/NTS server considered provides about three orders of magnitude short-term stability compared to the best Roughtime time reference, it is clear how NTS is less tolerant of network latency than Roughtime. From the perspective of validating the GNSS-provided time solution, NTP/NTS is well suited to perform online cross-checking of the time information and provides a higher quality reference. On the other hand, these results are dependent on the performance of the connection and the overall latency. Tests performed to simulate different levels of congestion show that increasing jitter causes the NTP/NTS time quality to progressively decrease at higher congestion rates.

Notably, in Fig. 9, one of the time references is misbehaving ([Link]) and can be easily rejected based on the fact that the provided true time is not within the expected region. This event is also shown in the RMS jitter measurement which is collected in real-time and shown in Fig. 11. Given the performance metrics extracted from the remote time reference, the stratified approach presented in Section IV tackles two fundamental attacker behaviors: coarse asynchronous attacks and precisely aligned attacks.
(a) Roughtime server: [Link] (b) Roughtime server: [Link]
Fig. 8: Roughtime server stability ([Link], left and [Link], right) and local clock comparison (GNSS disciplined clock).

Fig. 9: Allan deviation based on Eq. (11): servers tiers are defined by stratum and latency.

Fig. 10: Allan deviation based on Eq. (11) for reference PPS source, intercept points at noise transitions.

B. Performance under simplistic attack

Due to the relatively low accuracy of Roughtime, such a validation method is preferable for the initial validation of the PNT solution (according to Subsection IV-C). Contrary to NTP/NTS, where the client tracks a single source, Roughtime allows chaining multiple requests to separate misbehaving servers. This allows the GNSS-enabled system to craft multiple requests to different servers at the same time using a nonce derived from the GNSS-provided timestamp. Furthermore, when estimating the coarse correctness of the GNSS-provided time, the roughness of the Roughtime server makes it robust to network latency for one-shot time checking. Combined with the robust cryptographic properties of Roughtime, this defeats practically any coarse adversary spoofing the time solution of the GNSS receiver, where coarse here is considered any attacker not capable of synchronization with the GNSS frame.
Fig. 11: NTP/NTS reference servers RMS Jitter. One time reference misbehaves during the sampling.

Fig. 12: GNSS spoofing attack: increasing first fix time offset relative to the GNSS time (10 runs). Axes: offset to selected Roughtime server [s] versus relative timescale to the start of the attack [s].

Fig. 12 shows the result of 10 attacks against a GNSS receiver, with increasingly higher offset between simulated signals and real signals GNSS frame. Notably, the Device under Test (DUT) is progressively more difficult to capture with decreasing synchronization of the simulated signals, requiring a short jamming burst to make the attack successful (Fig. 13). Experimental evidence suggests that the required duration of the initial jamming phase is proportional to the stability of the GNSS receiver's local oscillator: the higher the quality of the GNSS receiver oscillator, the longer jamming is required. From Figs. 8a and 8b, even at short integration time, the detection threshold is set to tens of milliseconds and is bound by network latency to a few milliseconds at long integration times (several hundred seconds). This is clear in Fig. 12, where attacks that maintain the initial synchronization at take-over below the Roughtime accuracy are not detected. This is because the detection threshold is set based on the measured accuracy of the Roughtime server (which proved to be better than the standard declared one). Generally, a detection threshold that is lower than the accuracy achievable at the reference time source will not be conclusive on the determination of adversarial manipulation of the GNSS time. In such conditions, e.g. $T_{off} = 0.005$ s in Fig. 12, the deviation caused by the attack is masked by the uncertainty of the reference.

It is noteworthy that the initial bias measured with any Roughtime server is invariant for the same network delay, and can be validated based on initial cross-checking against any other Roughtime server. While the clock bias of the GNSS receiver follows the one forced by the attacker after the GNSS receiver locks on the spoofed signals, as shown in Fig. 13, the drift is (in the short term) unmodified. This is consistent with the nature of the attack being only a time push and not a progressive modification of the time offset. Interestingly, the raw clock offset and bias at the GNSS receiver are unmodified by the attack, while the overall UTC time solution follows precisely the intentions of the adversary. Justification of such behavior is unknown without precise knowledge of the implemented PNT algorithm in the receiver, but it shows how remote reference time checking is a valid augmentation towards providing assured PNT.

Practically, if the GNSS-provided time fails this first check provided by coarse time testing, there is no point for the GNSS-enabled device to proceed with more advanced or precise testing solutions. Specifically, the GNSS-enabled system can reject GNSS time as long as the test keeps failing and rely on its onboard clock for timing.

Similarly, NTP/NTS servers provide a check of the time solution but generally, convergence of Network Time requires multiple interactions. Nevertheless, if connectivity is present for a longer period, the NTP/NTS infrastructure can be used without source tracking to provide multiple redundant time references that are subject to consensus. In Fig. 15, the test with the lowest discontinuity ($T_{off} = 0.005$ s) is repeated as a reference example to show how detection with NTP/NTS is also possible in case of abrupt variations in the GNSS-provided time solution.

Such an approach, based on Subsection IV-D, is practical when several independent time sources are available, and provides a good estimate of the "exact time confidence" interval, as shown in Fig. 14. Contrary to the Roughtime one-shot test, the estimate of the "correct" time interval improves with the refinement of the jitter measurement, which extends to as many samples as are available in the observation window.
12

0.006
0.0010
attack start 0.004
Receiver time bias [s]

0.0005
0.002
0.0000
0.000

Time offset [s]


−0.0005
0.002
−0.0010
−50 0 50 100 150 200
1.05
×10−6 0.004
Receiver time drift [s/s]

1.00
0.006
attack start 0.008
0.95

0.010
0.90

−50 0 50 100 150 200


0.02
3D fix = 0.005s
0.00
GNSS Lock status

Jamming event 21 14:09 21 14:10 21 14:11 21 14:12 21 14:13


attack start
jamming event Exact time confidence [Link] - S1 local PPS
No Fix Localhost - S1 [Link] - S1 PPS - compound offset
−50 0 50 100 150 200 [Link] - S1
Relative timescale to the start of the attack [s]
Fig. 15: NTP/NTS target servers time check: subtle time skip
Fig. 13: GNSS spoofing attack: the GNSS receiver clock bias detection based on consensus (top). The difference between
is stable even under attack (10 runs). The adversary delays the the mean reference server time and the GNSS receiver time
block transmission of the signals, but the internal clock offset solution shows the detection of a 0.005 s time push (bottom).
(top) does not reflect the same change as the PNT solution.
The clock drift (middle) is the same in the receiver before and
after the attack start. Beyond the short initial jamming event, C. Performance under synchronous attack
a valid PNT solution is provided throughout the entire attach
(bottom). Under attack, the GNSS receiver PPS/Time solution is
manipulated by the adversary and will progressively drift away
from the correct ”true time” belief. This is shown in Fig. 16,
where a 150 µs total adversarial deviation is first applied to
the GNSS provided time and then progressively removed until
the GNSS time is again synchronized with the “true time”.
Notably, the scenario tested here is quite advanced: the attacker
not only drifts the time to its specific target but also guarantees
that after the attack takes place there is no trace left. This
requires the adversary to “roll back” its action and bring back
the GPS timescale to the correct value.

The total adversarial induced deviation is shown in the lower
part of Fig. 16. The upper part shows how the attack is performed:
the adversary first introduces the spoofing signals and
allows the receiver to be captured by not forcing any deviation
in the time solution. After roughly 120 s the adversary steadily
drifts the time solution out of the “exact time confidence”
interval. This is successfully detected by the compounding of
network time providers, only when the total deviation crosses
the boundary of the time confidence interval. To quantify how
effective this approach is, it is important to recall how the
time confidence interval is calculated. For each time server’s
time, the width of the single confidence interval depends on
ρ_d (Subsection IV-D), which considers the total error at the
source, the source jitter, and the network delay to the network
time reference. Assuming that the time servers are globally
synchronized with each other, the limiting factor becomes the
network latency and the accuracy of the time reference, as all
servers will agree on the same interval.

Fig. 14: NTP/NTS reference servers time check, where the
consensus of time is based on the NTPv4 agreement scheme
(top). Difference of consensus time against a local GNSS
disciplined reference clock, in benign case (bottom).
(Plot axis: time offset [s].)
Fig. 16: NTP/NTS target servers time check: the GNSS-provided
time under attack lies outside the interval of agreement
of the reference servers (top). An attack forcing a 150 µs
time shift is successfully detected (bottom).
(Plot annotations: overtake region, drag off; axis: time offset [s].)

Even more subtle attacks focus on smaller modifications
of the time solution and slower drag-out of the victim receiver
from the legitimate GNSS-provided time. Under these
hypotheses, an attacker can circumvent network-based time
monitoring, it being either accurate or coarse. Additionally, a
powerful attacker clogging or delaying the NTP/NTS messages
consistently with the GNSS spoofing can produce enough latency
at the victim system to make the GNSS attack go unnoticed
or deny high-quality network-based time references. In this
case, a filter-based approach is more suitable as it continuously
tracks the GNSS-provided time against the other time sources
taking into account not only the absolute time of the reference
but also the source time-varying characteristics. The approach
presented in Eq. (10) for a local oscillator can be extended to
an arbitrary number of reference clocks, either local or remote.
Specifically, the parameters for tuning the Kalman filter can be
extracted from the Allan deviation as the covariance expression
is known for a generic oscillator [66]. Furthermore, the rate
at which the Kalman estimator and tracking are executed can
be tuned to comply with the resources available in the system
and allow for missing measurements, which is important to
consider in case of sudden loss of connection. In particular, the
main drawbacks of executing the Kalman estimation sparsely
are increased convergence time and detection latency, where
the latter is defined as the time between the start of the attack
and the first true positive of the hypothesis test based on
Eq. (10), extended to all references available to the system.

On the other hand, continuous tracking with a stable local
reference source guarantees that the GNSS-receiver clock
behaves with the specified parameters. This is seen in Fig. 18,
where the GNSS-disciplined oscillator is measured against
another reference oscillator. At the start of the attack, the
adversary mimics the current clock drift and progressively
pulls the GNSS receiver away from the correct solution. The
clock drift in the victim follows the one forced by the attacker
(Fig. 18, top). The difference against the time reference is used
for detection (Fig. 18, middle). The inter-clock drift provides
information in regards to the attack’s pull rate (Fig. 18,
bottom).

Fig. 18: Clock drift (top) in different GNSS-disciplined
oscillators: the GNSS receiver under attack seamlessly follows
the force deviation in the clock parameters. Deviation and
attacker’s pull rate is measured in comparison with a local
hardware clock (middle, bottom).
(Plot title: clock deviation in Server and Target. Panels: clock
drift [s/s] for target and reference, clock drift delta [s/s],
inter-clock drift [s/s]; x-axis: time of the day.)

Additionally, a local time reference cannot be tampered with
by an attacker that does not have access to the victim device;
it is immune to adversarial network delay and can be used to
provide holdover information during network outage. Fig. 17
shows the Allan deviation of the ensemble between the
GNSS-receiver disciplined oscillator and a local clock, under the same
spoofing conditions as in Fig. 18. Compared to the benign case
in Fig. 9, where the GNSS receiver is not under the control
of the attacker, the Allan deviation difference is clear.

Fig. 17: Allan deviation based on Eq. (11) for GNSS PPS
source, target receiver under GNSS spoofing attack.
(Plot annotations: N=1.45e-03, B=1.47e-04, K=7.46e-06.)
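The confidence-interval check discussed in this section, as an added example that is not code from the paper: each server contributes an interval around its offset, a Marzullo-style majority intersection (the idea behind the NTPv4 selection step) yields the consensus interval, and a drag-off profile is replayed against it. The server measurements, the attack timings and the half-width formula standing in for ρ_d are constructed assumptions, and the consensus is computed once rather than per poll.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Server:
    name: str
    offset_ns: int   # server time minus local reference time
    error_ns: int    # error bound reported at the source
    jitter_ns: int   # measured jitter of the source
    delay_ns: int    # round-trip network delay to the server

    def interval(self):
        # Assumed stand-in for the per-server bound (rho_d in the text): true
        # time lies within offset +/- (error + jitter + half the round trip).
        half = self.error_ns + self.jitter_ns + self.delay_ns // 2
        return self.offset_ns - half, self.offset_ns + half


# Constructed measurements, not values from the paper. ts5 disagrees with the rest.
SERVERS = [
    Server("ts1", 12_000, 5_000, 8_000, 400_000),
    Server("ts2", -20_000, 10_000, 15_000, 300_000),
    Server("ts3", 5_000, 2_000, 3_000, 180_000),
    Server("ts4", -8_000, 5_000, 10_000, 220_000),
    Server("ts5", 900_000, 5_000, 5_000, 200_000),
]
CAPTURE_S, HOLD_S = 120, 60     # constructed timings of the attack phases


def consensus_interval(servers):
    """Marzullo-style sweep: return (low, high, votes) for the region covered
    by the most intervals, accepted only with a strict majority of servers."""
    edges = []
    for s in servers:
        low, high = s.interval()
        edges += [(low, 0), (high, 1)]      # 0 = opening edge, 1 = closing edge
    edges.sort()                            # openings sort before closings on ties
    votes = best = 0
    span = None
    for i, (t, kind) in enumerate(edges):
        if kind == 0:
            votes += 1
            if votes > best:                # region runs up to the next edge
                best, span = votes, (t, edges[i + 1][0])
        else:
            votes -= 1
    if 2 * best <= len(servers):
        raise ValueError("no majority of time servers agree")
    return span[0], span[1], best


def deviation_ns(t, rate, peak):
    """Adversarial deviation at second t: none while the receiver is captured,
    a steady drag-off at `rate` ns/s up to `peak` ns, a hold, then a roll-back."""
    ramp_s = -(-peak // rate)               # ceiling division
    if t < CAPTURE_S:
        return 0
    if t < CAPTURE_S + ramp_s:
        return (t - CAPTURE_S) * rate
    if t < CAPTURE_S + ramp_s + HOLD_S:
        return peak
    return max(0, peak - (t - CAPTURE_S - ramp_s - HOLD_S) * rate)


def replay(servers, rate, peak, gnss_offset_ns=0):
    """Check the GNSS-provided time once per second against the consensus
    interval. Returns (first_alarm_s, last_alarm_s), or None if never flagged."""
    low, high, _ = consensus_interval(servers)
    ramp_s = -(-peak // rate)
    end = CAPTURE_S + HOLD_S + 2 * ramp_s + 1
    alarms = [t for t in range(end)
              if not low <= gnss_offset_ns + deviation_ns(t, rate, peak) <= high]
    return (alarms[0], alarms[-1]) if alarms else None


def clogged(servers, extra_delay_ns):
    """The same servers seen through a congested link: every round trip grows."""
    return [replace(s, delay_ns=s.delay_ns + extra_delay_ns) for s in servers]


if __name__ == "__main__":
    print("consensus [ns]:", consensus_interval(SERVERS))
    print("150 us at 1 us/s:", replay(SERVERS, 1_000, 150_000))
    print("150 us at 100 ns/s:", replay(SERVERS, 100, 150_000))
    print("80 us at 1 us/s:", replay(SERVERS, 1_000, 80_000))
    print("150 us, clogged link:", replay(clogged(SERVERS, 400_000), 1_000, 150_000))
```

The first alarm is the detection latency measured from the start of the attack: it equals the capture time plus the interval boundary divided by the pull rate, so a tenfold slower drag-off is flagged roughly ten times later, and a deviation that stays inside the interval (or an interval widened by link delay) is never flagged.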
D. Latency attacks on the network link
Additionally, the attacker can control the link latency by setting
up a clogging attack on the network connection between
the Internet and the target device. Experimental evidence
shows that it is not necessary to directly clog the receiving
device: inducing latency in the switch the device uses to access
the network is sufficient to cause a significant degradation
in the latency. When cryptographic countermeasures are in
place, a clogging attack is the simplest and most effective
way of decreasing the accuracy and availability of a remote
time source. The test is conducted over a commercial 1 Gbps
Ethernet connection, with progressively increasing traffic up to
the switch’s capacity. During this test, no public server was
affected, to avoid service disruption, and all testing was done
on the client side.

?? shows the behavior of a selected Roughtime server
under clogging denial of service. While the latency in the
communication increases, the Roughtime server timestamps
do not change in accuracy. This is achieved by the design in
Roughtime, which only certifies the time at the server, without
considering the link latency. Additionally, the increased
latency only causes the server to drop requests that time out.
Even in a challenging network environment, the device is
still able to query the Roughtime server despite the almost
saturated link.

In comparison, Fig. 19 shows the Allan variance measurements
for the same set of NTP/NTS servers as in Fig. 9, but
under a clogging attack. In this case, there is a considerable
change in the accuracy of the externally provided time: the
long-term accuracy decreases constantly, as opposed to the
non-clogged case.

Fig. 19: NTP/NTS servers time check under heavy load. The
local traffic-related latency heavily reduces accuracy, aiding a
multi-surfaced attacker. (Plot: Allan deviation per server.)

E. Adaptive sampling of remote time sources
At this point, it is interesting to consider if it is necessary to
test every single PNT update from the GNSS receiver, or if it
would be better to sample-test some of the updates. External
network-based time references often limit the frequency at
which a client can perform the synchronization protocol, to
guarantee fairness among multiple clients connected to the
same server. To the best of our knowledge, most commercial
providers limit the minimum re-synchronization interval to 1 s,
dropping requests that happen more often than that, forcing
the client to back off. Generally, commercial GNSS receivers
for civilian use provide a PNT update with a frequency of
1 Hz, which is compatible with the NTP/NTS server rate.
Practically, if the PNT updates happen more frequently than
the server’s allowed re-synchronization rate, the device can
still rely on its onboard clock to validate every update, and
on the external time source to validate the updates at a slower
rate, by decimation.

If the adversary modifies the PNT solution by applying
slow drifts (e.g., <10 ns/s), the modification is slow enough
to avoid detection from any of the presented methods. In
such a situation the GNSS-enabled device, provided that it
has a sufficiently stable clock or access to a quality remote
reference, can run a two-point interpolation approach instead
of estimating the error of the current estimate, deriving the
error estimation parameters from the Kalman filter. Intuitively
this approach is simple: the receiver saves
a sample and checks if the time interval at the GNSS receiver
provided timebase and at the remote timebase match after a
pre-defined sampling period. This method allows leveraging
long- and short-term stable reference clocks independently.
This is equivalent to sampling with memory: the GNSS attack
action needs to be smooth and constant, or it would be detected
by the presented methods. The device can test samples at
different intervals (i.e., two samples 1 s apart, two samples
10 s apart, two samples 100 s apart) and estimate the interval
of time elapsed at the GNSS receiver and the alternative time
providers. This allows amplifying the effects of the attacker,
making the proposed countermeasure more sensitive. A score
is defined based on the number of successful validations of the
GNSS provided time: at each successful test, the next polling
interval is extended by the same value. Practically, this causes
a linear decrease in the remote sources’ polling frequency,
up to a pre-defined threshold. Progressively, the solution is
monitored more sparsely, effectively saving bandwidth and
processing power. If at any given sample, the validation test
fails, the adaptive sampling rate is scaled back to the minimum
interval, more closely monitoring the time solution.

F. Security considerations and overheads
Based on Subsection IV-D, the GNSS-enabled system can
always trade accuracy for time assurance, where the latter
is defined as the level of certainty the system has regarding
both the accuracy and the trustworthiness of the time offset
estimate. This requires careful analysis of the security level
of the remote time sources. Excluding the local reference
oscillator, which is integral to the GNSS-enabled system and
can be assumed trusted, the network-based time references are
subject to various levels of adversarial control. Cryptographic
enhancements allow network-based time sources to provide
secure and assured time even if the network link is potentially
adversarial. Roughtime’s use of asymmetric cryptography
introduces a significantly higher computational cost compared
to other methods (secureNTP, NTS), but the overall latency
is strongly dominated by the network component, while the
cryptographic information validation only accounts for a small
amount, in particular on modern mobile CPUs.

Performance-wise, the main concern is regarding the
cryptographic overhead introduced by the new secure time
distribution system. Overall, it is manageable even by small
SWAP platforms (e.g., ours presented in Section V). If a
GNSS-enabled system is heavily constrained and is incapable
of continuously running a cryptographically secure protocol,
it can adapt the sampling rate of the remote time sources
based on the Allan deviation estimation (Section VI,
Subsection VI-E). Stable time reference systems offer similar
performances at longer sampling rates, which overall reduce
the average cryptographic overhead.

An advanced adversary could potentially control a
GNSS-enabled device if operating a colluding time reference server
without resorting to advanced spoofing. Practically, the
attacker establishes a time server within the ecosystem that
reports an authenticated time consistent with the attacker’s
modification of the GNSS receiver time (Section III). While
advanced, this mode of operation is easily defeated by either
a healthy ecosystem where multiple time servers are available
or by further checking. Network-based time references lacking
security enhancements are still beneficial for validating the
GNSS-provided time solution, especially when combined with
a few trusted sources or when network access is
cryptographically protected.

At the current level of implementation, only a handful of
servers comply with NTS or Roughtime, making it difficult to
provide ubiquitous secure time distribution. The unprotected
implementation of NTP is still a valid choice to obtain many,
geographically convenient time providers especially when their
time offset can be validated against a single trusted time
provider.

VII. CONCLUSION AND FUTURE WORK
In this work we improve the method from [13] and provide
a comprehensive evaluation detecting adversarial manipulation
of the GNSS time, based on onboard and external/remote time
source (accessible through the platform that encompasses the
GNSS receiver). We examine both the individual performance
and combination of three existing components for GNSS
time-based validation in different scenarios. Our approach
strongly limits the possibility of undetected (asynchronous or
synchronous) simulation-based attacks targeting the GNSS
receiver and, in addition, the network components. Attacks were
successfully detected in all tests performed, either when the
time solution was synchronously spoofed by the adversary or
forced with a step change even in adverse network conditions.

An evaluation of the security properties and overheads
of secure time transfer and digitally signed remote time
references shows that modern platforms can easily rely on
secure network-provided time to validate the GNSS solution.
Multiple combinations are possible, by leveraging different
secure remote time providers. When connectivity to remote time
references is not available or attackers controlling the network
communication are present, onboard reference sources allow
continuous monitoring of the time part of the PNT solution.
The value of detecting attacks based on consistency with
external time source is broadly applicable, not only when
the adversary targets the GNSS receiver time. To the best
of the authors’ knowledge, a trauma on the time offset is
often present at the take-over stage, even if the latter is
smooth. On the other hand, adversaries capable of modifying
the PN part of the GNSS solution, without modifying the
time solution cannot be detected by countermeasures based
on time validation. This is true for the method presented here
or any other time-based countermeasure. In conclusion, this
method can easily be deployed to protect existing receivers
from various adversaries, without modifications to its structure.

REFERENCES
[1] S. Thombre, M. Z. H. Bhuiyan, P. Eliardsson et al., “GNSS threat monitoring and reporting: Past, present, and a proposed future,” Navigation, Journal of the Institute of Navigation, vol. 71, no. 3, pp. 513–529, 2018.
[2] M. L. Psiaki and T. E. Humphreys, “GNSS spoofing and detection,” Proceedings of the IEEE, vol. 104, no. 6, pp. 1258–1270, 2016.
[3] I. Fernández-Hernández, V. Rijmen, G. Seco-Granados et al., “A navigation message authentication proposal for the galileo open service,” Navigation, Journal of the Institute of Navigation, vol. 63, no. 1, pp. 85–102, 3 2016.
[4] J. M. Anderson, K. L. Carroll, N. P. DeVilbiss et al., “Chips-message robust authentication (chimera) for gps civilian signals,” in International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+), Portland, Oregon, Sep. 2017.
[5] M. T. Gamba, M. Nicola, and B. Motella, “Computational load analysis of a galileo osnma-ready receiver for arm-based embedded platforms,” Sensors, vol. 21, no. 2, pp. 1–21, 1 2021.
[6] L. Cucchi, S. Damy, M. Paonni et al., “Assessing galileo osnma under different user environments by means of a multi-purpose test bench, including a software-defined GNSS receiver,” in International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+), St. Louis, MO, USA, Sep. 2021.
[7] B. Motella, M. T. Gamba, and M. Nicola, “A real-time osnma-ready software receiver,” in International Technical Meeting of The Institute of Navigation (ITM 2020), San Diego, CA, USA, Jan. 2020.
[8] M. Götzelmann, E. Köller, I. V. Semper et al., “Galileo open service navigation message authentication: Preparation phase and drivers for future service provision,” in International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+), St. Louis, MO, USA, Sep. 2021.
[9] M. Lenhart, M. Spanghero, and P. Papadimitratos, “Distributed and Mobile Message Level Relaying/Replaying of GNSS Signals,” in International Technical Meeting of The Institute of Navigation (ION ITM), Long Beach, CA, USA, Jan. 2022.
[10] G. Seco-Granados, D. Gómez-Casco, J. A. López-Salcedo et al., “Detection of replay attacks to GNSS based on partial correlations and authentication data unpredictability,” GPS Solutions, vol. 25, no. 2, 2021.
[11] M. Motallebighomi, H. Sathaye, M. Singh, and A. Ranganathan, “Location-independent gnss relay attacks: A lazy attacker’s guide to bypassing navigation message authentication,” in ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), ser. WiSec ’23. New York, NY, USA: Association for Computing Machinery, June 2023.
[12] L. Narula and T. E. Humphreys, “Requirements for secure clock synchronization,” IEEE Journal of Selected Topics in Signal Processing, vol. 12, no. 4, pp. 749–762, 2018.
[13] M. Spanghero and P. Papadimitratos, “Detecting GNSS misbehavior leveraging secure heterogeneous time sources,” in IEEE/ION Position, Location and Navigation Symposium (PLANS), Monterey, CA, USA, April 2023.
[14] A. Malhotra, A. Langley, W. Ladd et al., “Roughtime,” Sep. 2022, work in progress.
[15] D. Franke, D. Sibold, K. Teichel et al., “Network time security for the network time protocol,” Internet Engineering Task Force, Tech. Rep. draft-ietf-ntp-using-nts-for-ntp-28, 2020.
[16] J. Martin, J. Burbank, W. Kasch, and P. D. L. Mills, “Network Time Protocol Version 4: Protocol and Algorithms Specification,” RFC 5905, Jun. 2010.
[17] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen et al., “On the requirements for successful gps spoofing attacks,” in ACM Conference on Computer and Communications Security (ACM CCS), New York, NY, USA, Oct. 2011, p. 75–86.
[18] A. J. Kerns, D. P. Shepard, J. A. Bhatti et al., “Unmanned aircraft capture and control via GPS spoofing,” Journal of Field Robotics, vol. 31, no. 4, pp. 617–636, Apr. 2014.
[19] J. Bhatti and T. E. Humphreys, “Hostile control of ships via false GPS signals: Demonstration and detection,” Navigation, Journal of the Institute of Navigation, vol. 64, no. 1, pp. 51–66, Mar. 2017.
[20] R. T. Ioannides, T. Pany, and G. Gibbons, “Known vulnerabilities of global navigation satellite systems, status, and potential mitigation techniques,” Proceedings of the IEEE, vol. 104, no. 6, pp. 1174–1194, Jun. 2016.
[21] K. C. Zeng, S. Liu, Y. Shulen et al., “All your GPS are belong to us: Towards stealthy manipulation of road navigation systems,” in USENIX Security Symposium, Baltimore, MD, USA, Aug. 2018.
[22] W. Feng, J.-M. Friedt, G. Goavec-Merou et al., “Software-defined radio implemented GPS spoofing and its computationally efficient detection and suppression,” IEEE Aerospace and Electronic Systems Magazine, vol. 36, no. 3, pp. 36–52, 2021.
[23] L. Huang and Q. Yang, “Low-cost gps simulator - gps spoofing by sdr,” in Proceedings of DEF CON23, Las Vegas, NV, USA, Aug. 2015.
[24] T. Leksell, “A comparison of smartphone gps l1 and galileo e1-b/c spoofing resilience,” Master’s thesis, KTH, School of Electrical Engineering and Computer Science (EECS), 2021.
[25] “(In)Feasibility of Multi-Frequency Spoofing,” Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design, June 2018.
[26] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki et al., “Assessing the spoofing threat: Development of a portable gps civilian spoofer,” in International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS), Savannah, GA, USA, 2008.
[27] D. S. Maier, K. Frankl, and T. Pany, “The GNSS-transceiver: Using vector-tracking approach to convert a GNSS receiver to a simulator: Implementation and verification for signal authentication,” in 31st International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2018), Miami, FL, USA, Sep. 2018.
[28] D. P. Shepard, T. E. Humphreys, and A. A. Fansler, “Evaluation of the vulnerability of phasor measurement units to gps spoofing attacks,” International Journal of Critical Infrastructure Protection, vol. 5, no. 3-4, pp. 146–153, 2012.
[29] T. Humphreys, J. Bhatti, D. Shepard et al., “The texas spoofing test battery: Toward a standard for evaluating gps signal authentication techniques,” in International Technical Meeting of the Satellite Division of the Institute of Navigation 2012, (ION GNSS), Nashville, TN, USA, 2012, pp. 3569–3583.
[30] X. Jiang, J. Zhang, B. J. Harding et al., “Spoofing GPS receiver clock offset of phasor measurement units,” IEEE Transactions on Power Systems, vol. 28, no. 3, pp. 3253–3262, Aug. 2013.
[31] F. Zhu, A. Youssef, and W. Hamouda, “Detection techniques for data-level spoofing in GPS-based phasor measurement units,” in 2016 International Conference on Selected Topics in Mobile and Wireless Networking (MoWNeT), Cairo, Egypt, Jun. 2016.
[32] Z. Zhang, S. Gong, A. D. Dimitrovski et al., “Time synchronization attack in smart grid: Impact and analysis,” IEEE Transactions on Smart Grid, vol. 4, no. 1, pp. 87–98, Mar. 2013.
[33] C. Peng, H. Li, J. Wen, and M. Lu, “Research of Intermediate Spoofing Without Precise Target Information,” in China Satellite Navigation Conference (CSNC). Singapore: Springer Singapore, May 2019.
[34] T. E. Humphreys, “Detection strategy for cryptographic GNSS anti-spoofing,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 2, pp. 1073–1090, 2013.
[35] M. Arizabaleta, E. Gkougkas, and T. Pany, “A feasibility study and risk assessment of security code estimation and replay (SCER) attacks,” in International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+), Miami, FL, USA, Sep. 2019.
[36] F. Gallardo and A. P. Yuste, “SCER spoofing attacks on the galileo open service and machine learning techniques for end-user protection,” IEEE Access, vol. 8, pp. 85 515–85 532, 2020.
[37] K. Zhang, E. G. Larsson, and P. Papadimitratos, “Protecting GNSS Open Service Navigation Message Authentication Against Distance-Decreasing Attacks,” IEEE Transactions on Aerospace and Electronic Systems (IEEE TAES), vol. 58, no. 2, pp. 1224–1240, 2022.
[38] K. Zhang and P. Papadimitratos, “On the Effects of Distance-decreasing Attacks on Cryptographically Protected GNSS Signals,” in International Technical Meeting of The Institute of Navigation (ION ITM), Reston, VA, USA, January 2019, pp. 363–372.
[39] D. M. Akos, “Who’s afraid of the spoofer? gps/GNSS spoofing detection via automatic gain control (agc),” Navigation, Journal of the Institute of Navigation, vol. 59, no. 4, pp. 281–290, 12 2012.
[40] S. Lo, Y. H. Chen, D. Akos et al., “Test of crowdsourced smartphones measurements to detect GNSS spoofing and other disruptions,” in The International Technical Meeting of The Institute of Navigation, Reston, VA, USA, Jan. 2019.
[41] K. D. Wesson, J. N. Gross, T. E. Humphreys et al., “GNSS signal authentication via power and distortion monitoring,” IEEE Transactions on Aerospace and Electronic Systems, vol. 54, no. 2, pp. 739–754, 2018.
[42] P. Papadimitratos and A. Jovanovic, “GNSS-based Positioning: Attacks and Countermeasures,” in IEEE Military Communications Conference (IEEE MILCOM), San Diego, CA, USA, Jan. 2008.
[43] M. L. Psiaki, S. P. Powell, and B. W. O’Hanlon, “GNSS spoofing detection using high-frequency antenna motion and carrier-phase data,” in International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+), Nashville, TN, USA, Sep. 2013.
[44] S. Jada, M. Psiaki, S. Landerkin et al., “Evaluation of PNT situational awareness algorithms and methods,” in International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2021), St. Louis, MO, USA, Sep. 2021.
[45] H. Sathaye, G. LaMountain, P. Closas et al., “Semperfi: Anti-spoofing GPS receiver for uavs,” in Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, Apr. 2022.
[46] C. Gioia and D. Borio, “Interference mitigation and t-raim for robust gnss timing,” in IEEE International Workshop on Metrology for AeroSpace (MetroAeroSpace), Naples, Italy, Aug. 2021.
[47] K. Zhang and P. Papadimitratos, “Secure Multi-constellation GNSS Receivers with Clustering-based Solution Separation Algorithm,” in IEEE Aerospace Conference. Big Sky, MT, USA: IEEE, March 2019, pp. 1–9.
[48] A. Rügamer, T. E. Melgård, W. De Wilde, H. Gerstung, I. Wegmann, and D. Schellekens, “Validation of a combined gnss correction and nma l-band service against spoofing,” in IEEE/ION Position, Location and Navigation Symposium (PLANS), Monterey, CA, USA, July 2023.
[49] Fugro, “Fugro atomichron: Time synchronisation service,” 2023.
[50] M. T. Arafin, D. M. Anand, and G. Qu, “Detecting GNSS spoofing using a network of hardware oscillators,” in Precise Time and Time Interval Systems and Applications Meeting (PTTI), Monterey, CA, USA, Jan. 2016.
[51] M. T. Arafin, D. Anand, and G. Qu, “A low-cost gps spoofing detector design for internet of things (iot) applications,” in Great Lakes Symposium on VLSI (GLSVLSI17), New York, NY, USA, May 2017.
[52] M. Spanghero and P. Papadimitratos, “High-precision Hardware Oscillators Ensemble for GNSS Attack Detection,” in IEEE Aerospace Conference, Big Sky, MT, USA, Mar. 2022.
[53] P. Y. Hwang and G. A. McGraw, “Receiver autonomous signal authentication (rasa) based on clock stability analysis,” in IEEE/ION Position, Location and Navigation Symposium (PLANS 2014), Monterey, CA, USA, Jul. 2014.
[54] A. Jafarnia-Jahromi, S. Daneshmand, A. Broumandan et al., “Pvt solution authentication based on monitoring the clock state for a moving GNSS receiver,” in European Navigation Conference (ENC2013), Vienna, Austria, Apr. 2013.
[55] M. Spanghero, K. Zhang, and P. Papadimitratos, “Authenticated time for detecting GNSS attacks,” in International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+), Online, virtual, 2020.
[56] K. Zhang, M. Spanghero, and P. Papadimitratos, “Protecting GNSS-based Services using Time Offset Validation,” in IEEE/ION Position, Location and Navigation Symposium (PLANS), Online, virtual, 2020.
[57] C. O’Driscol, S. Keating, and G. Caparra, “A performance assessment of secure wireless two-way time transfer,” in International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+), Online, virtual, Sep. 2020, pp. 3938–3951.
[58] P. Panagiotis and A. Jovanovic, “Method to secure GNSS-based locations in a Device having GNSS Receiver,” U.S. Patent US8 159 391B2, Nov. 13, 2009.
[59] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti et al., “Gps spoofing detection via dual-receiver correlation of military signals,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 4, pp. 2250–2267, 10 2013.
[60] Y. Perry, N. Rozen-Schiff, and M. Schapira, “A devil of a time: How vulnerable is ntp to malicious timeservers?” in Network and Distributed System Security Symposium (NDSS), Reston, VA, USA, Feb. 2021.
[61] O. Deutsch, N. R. Schiff, D. Dolev et al., “Preventing (network) time travel with chronos,” in Network and Distributed System Security Symposium (NDSS), Reston, VA, USA, Feb. 2018.
[62] A. Malhotra, I. E. Cohen, E. Brakke et al., “Attacking the network time protocol,” in Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, Feb. 2016.
[63] D. W. Allan, “Time and frequency (time-domain) characterization, estimation, and prediction of precision clocks and oscillators,” IEEE Transactions on Ultrasonics, Ferroelectrics, and Frequency Control, vol. 34, no. 6, pp. 647–654, 1987.
[64] W. Riley and D. Howe, “Handbook of frequency stability analysis,” 2008-07-01 [Link] 2008.
[65] N. time foundation, “Ntp performace metrics,” [Link] cumentation/4.2.8-series/stats/.
[66] K. R. Brown, “The theory of the gps composite clock,” Proceedings of the 4th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 1991), pp. 223–242, 1991.

Marco Spanghero received his B.S. from Politecnico
of Milano and an MSc degree from KTH Royal
Institute of Technology, Stockholm, Sweden. He is
currently a Ph.D. candidate with the Networked
Systems Security (NSS) group at KTH, Stockholm,
Sweden, and associate with the WASP program from
the Knut and Alice Wallenberg Foundation.

Panos Papadimitratos (Fellow, IEEE) earned his
Ph.D. degree from Cornell University, Ithaca, NY,
USA. At KTH, Stockholm, Sweden, he leads the
Networked Systems Security (NSS) group and he
is a member of the Steering Committee of the
Security Link Center. He serves or served as a
member of the ACM WiSec and CANS confer-
ence steering committees and the PETS Editorial
and Advisory Boards; Program Chair for the ACM
WiSec’16, TRUST’16, and CANS’18 conferences;
General Chair for the ACM WiSec’18, PETS’19,
and IEEE EuroS&P’19 conferences; Associate Editor of the IEEE TMC,
IEEE/ACM ToN and IET IFS journals, and Chair of the Caspar Bowden
PET Award. Panos is a Fellow of the Young Academy of Europe, a Knut
and Alice Wallenberg Academy Fellow, and an ACM Distinguished Member.
NSS webpage: [Link]
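The adaptive sampling of Subsection VI-E, as an added example that is not code from the paper: each poll compares the interval elapsed on the GNSS timebase with the interval elapsed on the reference timebase since the saved sample, extends the polling interval linearly on success and falls back to the minimum on failure. Using consecutive polls as the two points, the 200 ns tolerance, the 8 ns/s drift and the timings are constructed assumptions.

```python
NS = 1_000_000_000   # nanoseconds per second


def make_gnss_clock(attack_start_s=None, drift_ns_per_s=0):
    """Constructed GNSS timebase: identical to the reference timebase until the
    attack starts, then dragged away at a constant rate (ns per second)."""
    def gnss_ns(t_ref_s):
        if attack_start_s is None or t_ref_s <= attack_start_s:
            return t_ref_s * NS
        return t_ref_s * NS + (t_ref_s - attack_start_s) * drift_ns_per_s
    return gnss_ns


def monitor(gnss_ns, duration_s, tol_ns=200, min_s=1, step_s=1, max_s=60):
    """Two-point interval check with adaptive polling.

    gnss_ns(t) returns the GNSS-provided time when the reference reads t.
    Returns (number_of_polls, alarm_times_s)."""
    interval = min_s
    saved_ref, saved_gnss = 0, gnss_ns(0)          # the saved sample
    t, polls, alarms = 0, 0, []
    while t + interval <= duration_s:
        t += interval
        polls += 1
        now_gnss = gnss_ns(t)
        # Interval elapsed at the GNSS receiver minus interval elapsed at the
        # reference, both measured since the saved sample.
        mismatch = (now_gnss - saved_gnss) - (t - saved_ref) * NS
        if abs(mismatch) <= tol_ns:
            # Successful validation: extend the next polling interval by the
            # same value, up to the pre-defined threshold.
            interval = min(interval + step_s, max_s)
        else:
            # Failed validation: monitor closely again.
            alarms.append(t)
            interval = min_s
        saved_ref, saved_gnss = t, now_gnss
    return polls, alarms


if __name__ == "__main__":
    hour = 3600
    print("benign, 1 h:", monitor(make_gnss_clock(), hour))
    polls, alarms = monitor(make_gnss_clock(600, 8), hour)
    print("8 ns/s drift from t=600 s:", polls, "polls, alarms at", alarms)
    print("same drift, max interval 20 s:",
          monitor(make_gnss_clock(600, 8), hour, max_s=20))
```

The smallest pull rate this check can flag is the tolerance divided by the longest polling interval, so the upper threshold of the back-off has to be sized against the slowest drift the defender wants to see: with a 20 s cap the 8 ns/s drift accumulates only 160 ns per check and is never flagged.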

Common questions

Powered by AI

Network latency impacts the detection of GNSS spoofing attacks by influencing the integration time needed to set the detection threshold. Higher network latency can mask deviations caused by an attack, as longer integration periods are required to overcome such latency and accurately detect spoofed time manipulation. This effect is compounded when the detection threshold is set close to the accuracy of the network's reference time source, which may not reveal small time deviations introduced by attackers .

GNSS spoofing detection can be enhanced using crowd-sourced data by collecting and analyzing a large volume of independently gathered GNSS signal information to identify anomalies and inconsistencies indicative of spoofing attacks. By aggregating data from various devices, particularly smartphones, deviations from expected position or timing data can be detected and compared across locations, allowing for a more comprehensive understanding of potential spoofing environments. This method distributes detection responsibility and provides a broader context for verifying GNSS signal integrity .

Pros: The Kalman filter approach allows for continuous tracking of GNSS-provided time against other time sources, taking into account time-varying characteristics and the drift of the reference source. It can be tuned to run in line with system resources and allows for detection even with missing measurements. Cons: Running the estimation sparsely increases convergence time and detection latency, which is defined as the duration from the start of an attack to the first true positive detection. This delay may allow attackers more time to affect systemic changes before an attack is detected .

Latency in network time synchronization can obscure the detection of GNSS spoofing attacks by delaying the integration time required to align GNSS-provided and network-based times. High latency increases the window where false time signals can mask their deceptive nature, making it more challenging for the system to perceive and confirm temporal discrepancies. This latency also means that detection thresholds are harder to ascertain accurately without misclassifying standard delays as adversarial manipulation .

Using multiple time servers mitigates risks from GNSS spoofing attacks by providing diverse reference points that can be cross-verified. While a singular time server might be compromised or collude with attacks, various independent servers reduce the probability of simultaneous spoofing across all sources. This diversity allows for more resilient checks, particularly if these servers employ secure protocols like Secure NTP or Roughtime, thus enhancing the overall integrity of time synchronization and reducing reliance on potentially spoofed GNSS signals .

A local reference oscillator is significant as it remains immune to adversarial network influences, thereby providing reliable holdover information during network outages. This internal, untampered time reference acts as a benchmark to detect deviations introduced by spoofing attacks, as it provides continuous local time comparison against potentially compromised GNSS signals and other remote time sources.

Cryptographic enhancements provide secure and assured time distribution by confining the potential for adversarial alteration of time references. Asymmetric cryptography, like that used in Roughtime, ensures that the time information remains valid despite adversaries who might control network links. Although cryptographic validation does add computational overhead, this overhead is generally minor on modern processors and is outweighed by the security benefits of verifying time source authenticity, thus preventing attacks such as those that adjust GNSS time through compromised network links.

System infrastructure can utilize Allan deviation as a metric for tuning the parameters of time synchronization methods like the Kalman filter, improving GNSS time spoofing detection. By evaluating the stability and frequency characteristics of oscillators, Allan deviation informs the necessary adjustments to accommodate potential variances across time references. This metric accounts for the drift and noise in local oscillators, enhancing the system's ability to detect deviations from authentic signals introduced by spoofing attacks and guiding dynamic adaptations to filtering and detection settings.

The required duration of the initial jamming phase is proportional to the stability of the GNSS receiver’s local oscillator. A higher quality GNSS receiver oscillator requires longer jamming to effectively commence an attack. This is because the detection threshold is determined by the receiver's ability to maintain synchronization, and a more stable oscillator can sustain this synchronization longer, making it more resilient to immediate shifts caused by jamming.

The quality of infrastructure, including network-based time references and local oscillators, greatly affects a GNSS-enabled system’s resilience against spoofing attacks. An effective infrastructural setup includes multiple, secure reference points (e.g., NTS, Roughtime) that allow for cross-referencing time sources to detect inconsistencies. Advanced attackers might still bypass single-point validation, but a robust infrastructure that includes multiple checked and secured sources substantially mitigates the chances of undetected spoofing, even when using advanced spoofing techniques like colluding network time servers.
