GNSS-WASP: GNSS Wide Area SPoofing

In this paper, we propose GNSS-WASP, a novel wide-area spoofing attack carried by a constellation of strategically-located synchronized transmitters. Unlike known attacks, which are constrained by the attacker's ability to track victim receivers, GNSS-WASP manipulates the positions measured by all the receivers in a target area without knowing the victim's positions. This allows GNSS-WASP to spoof a swarm of victims to another location while preserving their true formation (i.e., their relative distances). This opens the possibility of advanced attacks that divert entire fleets of vehicles and drones in a large area without the need to track specific victims. As such, GNSS-WASP bypasses state-of-the-art spoofing countermeasures that rely on constellations of receivers with known distances and those that rely on sudden, unpredictable movements for spoofing detection. While previous works discuss the stringent requirements for perfect spoofing of multiple receivers at known fixed locations, GNSS-WASP demonstrates how to spoof any number of moving receivers at unknown positions in a large area with an error that can remain hidden behind the legitimate noise. In addition to extensive simulations, we implement a prototype of GNSS-WASP with off-the-shelf software-defined radios and evaluate it on real GNSS receivers. Despite the error introduced by the proposed attack, GNSS-WASP can successfully spoof two receivers while maintaining their relative distance with an average error of 0.97 m for locations 1000 m away from the reference position. Finally, we also highlight possible countermeasures.