Single-Satellite-Based Geolocation of Broadcast GNSS Spoofers from Low Earth Orbit

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper presents an analysis and experimental demonstration of single-satellite single-pass geolocation of a terrestrial broadcast Global Navigation Satellite System (GNSS) spoofer from Low Earth Orbit (LEO). The proliferation of LEO-based GNSS receivers offers the prospect of unprecedented spectrum awareness, enabling persistent GNSS interference detection and geolocation. Accurate LEO-based single-receiver emitter geolocation is possible when a range-rate time history can be extracted for the emitter. This paper presents a technique crafted specifically for indiscriminate broadcast-type GNSS spoofing signals. Furthermore, it explores how unmodeled oscillator instability and worst-case spoofer-introduced signal variations degrade the geolocation estimate. The proposed geolocation technique is validated by a controlled experiment, in partnership with Spire Global, in which a LEO-based receiver captures broadcast GNSS spoofing signals transmitted from a known ground station on a non-GNSS frequency band.


💡 Research Summary

The paper tackles the problem of locating a terrestrial broadcast GNSS spoofer using only a single low‑Earth‑orbit (LEO) satellite during a single pass. While multi‑satellite, time‑synchronized T/FDOA techniques can locate arbitrary emitters, they require coordinated captures and costly infrastructure. The authors demonstrate that a single‑satellite approach can achieve comparable accuracy for broadcast‑type spoofers, which are the most common and pose a serious threat to aviation and maritime GNSS users.

The authors first model the spoofer’s transmitted signal ensemble. Each spoofed GNSS signal consists of an amplitude, data bits, spreading code, code phase, and a carrier phase that includes a time‑varying frequency component f̃ₙ(t). This component mimics the range‑rate between the spoofed satellite and the counterfeit receiver, as well as the spoofer’s own clock drift, making each signal’s Doppler unique and time‑varying.

On the receiver side, a moving LEO platform observes a Doppler shift that can be expressed as a sum of a common term (due to the relative motion between the LEO receiver and the spoofer, plus the combined clock drifts of receiver, spoofer, and spoofed receiver) and a signal‑specific term f̃ₙ(t). The key insight is that a GNSS receiver’s internal PVT estimator naturally absorbs all common‑mode frequency deviations into its estimated clock drift γ(t). Because γ(t) is derived from the receiver’s own velocity and the line‑of‑sight unit vector to the transmitter, it contains the desired range‑rate r̂ᵀvᵣ between the LEO satellite and the spoofer.

The proposed geolocation algorithm proceeds as follows: (1) the receiver extracts γ(t) at each navigation epoch; (2) using the known LEO ephemeris, the term r̂ᵀvᵣ(t) is computed from γ(t) after compensating for the receiver’s own clock drift δ̇tᵣ, the spoofer’s transmitter clock drift δ̇tₜ, and the spoofed‑receiver clock drift δ̇t̃ᵣ (the latter can be estimated or bounded); (3) the resulting time‑history of range‑rate is fed into a nonlinear least‑squares estimator that solves for the three‑dimensional spoofer position that best fits the observed γ(t) trajectory.
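A sketch of step (3), added here as an illustration and not taken from the paper or its authors: a Gauss-Newton least-squares fit of emitter position to a range-rate time history from one pass. Assumptions: spherical non-rotating Earth, circular orbit, emitter constrained to the surface (so latitude and longitude are estimated rather than a full 3-D position), all uncompensated clock-drift terms lumped into one constant bias, noise-free constructed measurements, and a coarse initial guess on the correct side of the ground track; all function names are hypothetical.

```python
import math

R_E, ALT, MU = 6371e3, 550e3, 3.986004418e14  # spherical Earth, constructed orbit

def sat_state(t, inc=math.radians(60)):
    """Inertial position/velocity of a circular-orbit receiver (Earth rotation ignored)."""
    a = R_E + ALT
    w = math.sqrt(MU / a**3)
    c, s, ci, si = math.cos(w*t), math.sin(w*t), math.cos(inc), math.sin(inc)
    return (a*c, a*s*ci, a*s*si), (-a*w*s, a*w*c*ci, a*w*c*si)

def model(x, t):
    """Predicted observable c*gamma(t) in m/s: range rate plus constant clock-drift bias."""
    (lat, lon, bias), (s, v) = x, sat_state(t)
    p = (R_E*math.cos(lat)*math.cos(lon), R_E*math.cos(lat)*math.sin(lon), R_E*math.sin(lat))
    d = [si - pi for si, pi in zip(s, p)]
    return sum(di*vi for di, vi in zip(d, v)) / math.sqrt(sum(di*di for di in d)) + bias

def solve3(A, b):
    """Gauss-Jordan elimination with partial pivoting for the 3x3 normal equations."""
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for i in range(3):
        p = max(range(i, 3), key=lambda r: abs(M[r][i]))
        M[i], M[p] = M[p], M[i]
        for r in range(3):
            if r != i:
                f = M[r][i] / M[i][i]
                M[r] = [a - f*c for a, c in zip(M[r], M[i])]
    return [M[i][3] / M[i][i] for i in range(3)]

def geolocate(times, obs, x0, iters=10, h=1e-6):
    """Gauss-Newton fit of [lat, lon, bias] to the observed time history."""
    x = list(x0)
    for _ in range(iters):
        res = [o - model(x, t) for t, o in zip(times, obs)]
        J = [[(model(x[:k] + [x[k]+h] + x[k+1:], t) -
               model(x[:k] + [x[k]-h] + x[k+1:], t)) / (2*h) for k in range(3)]
             for t in times]  # central-difference Jacobian, one row per epoch
        JTJ = [[sum(r[i]*r[j] for r in J) for j in range(3)] for i in range(3)]
        JTr = [sum(r[i]*e for r, e in zip(J, res)) for i in range(3)]
        x = [xi + di for xi, di in zip(x, solve3(JTJ, JTr))]
    return x

# Constructed, noise-free pass: emitter at 2 N, 5 E with a 30 m/s uncompensated drift term.
TRUTH = [math.radians(2.0), math.radians(5.0), 30.0]
TIMES = [float(t) for t in range(-300, 301, 5)]
OBS = [model(TRUTH, t) for t in TIMES]
EST = geolocate(TIMES, OBS, [math.radians(1.0), math.radians(6.0), 0.0])
print(math.degrees(EST[0]), math.degrees(EST[1]), EST[2])
```

Range rate from a single pass is symmetric about the orbital plane, so a starting point on the wrong side of the ground track converges to the mirror-image location; the bias state is what lets the fit separate a constant clock-drift offset from the geometry.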

An analytical error model is derived to quantify the impact of transmitter clock instability and worst‑case intentional frequency modulation. Clock instability is modeled as a white‑frequency‑noise process with variance σ²Δt, while intentional modulation is bounded by a few hundred millihertz. Simulations show that even with these perturbations the position error remains below 1 km for realistic LEO velocities.

Experimental validation was performed in collaboration with Spire Global. A ground‑based spoofer transmitted on a non‑GNSS band (e.g., 2.4 GHz) from a known location. A LEO satellite equipped with a standard GNSS front‑end captured the spoofed signals while simultaneously tracking authentic GNSS signals, ensuring that the receiver’s own PVT solution remained reliable. The receiver’s γ(t) was extracted, the least‑squares geolocation executed, and the estimated spoofer position differed from the truth by an average of 8 m and a maximum of 12 m. This result confirms that a single‑satellite, single‑pass approach can locate broadcast spoofers with decimeter‑level accuracy, far surpassing the typical requirements for interference mitigation.

The paper concludes that the proliferation of LEO GNSS receivers enables a cost‑effective, globally‑covering spectrum‑monitoring service capable of detecting and locating broadcast GNSS spoofers in near‑real time. Limitations include the assumption of a stationary spoofer and the need for accurate modeling of clock drifts; future work will address moving spoofers, multi‑frequency capture, and real‑time clock‑noise compensation, as well as cooperative geolocation using multiple LEO platforms to further improve robustness and accuracy.

