Introduction

GPS and other GNSS signals are fragile and attractive targets for spoofing. A determined attacker can inject counterfeit satellite-like signals and cause receivers to report wrong time or position. You do not need military-grade equipment to detect many common spoofing modes. This tutorial walks you through a low-cost, practical toolkit and a set of detection heuristics you can implement with widely available hardware and open-source software. The techniques here are intended for research, hardening hobby projects, and operator awareness. Always obey local laws when working with RF gear.

Why low-cost detection works

Many civilian spoofing attempts are detectable not because they are poorly engineered but because they create inconsistencies in observable receiver metrics. Examples include sudden identical signal strength across many PRNs, Doppler and code-phase contradictions, improbable simultaneous CN0 jumps, or abrupt clock/time discontinuities. By pulling raw observables out of a receiver or by passively monitoring the GNSS RF band with an SDR you can instrument checks that flag these anomalies long before an application blindly trusts an NMEA sentence. The Texas Spoofing Test Battery (TEXBAT) and other public datasets are commonly used to evaluate detection algorithms and show how practical metrics expose spoofing patterns.

What you will need (budget oriented)

  • Single-board computer: Raspberry Pi 4 or similar (USD 35 to 100). Use this as the data logger and processing host.
  • Cheap GNSS module with raw output support: u-blox M8/M9 series module or a module that exposes RAW or RXM messages. These give you pseudorange, Doppler and sometimes carrier phase. Prices vary; evaluation boards and dev kits are commonly available.
  • Active patch GPS antenna (L1, multiband preferred) with SMA. Expect USD 15 to 80 depending on quality.
  • SDR for RF monitoring: RTL-SDR V3 (USD ~25) for basic spectrum monitoring, or a slightly higher-end SDR (Airspy, ADALM-PLUTO, HackRF) if you plan more advanced capture or multi-channel work. RTL-SDR can be used to demonstrate spectrum-level indicators and to feed GNSS-SDR front ends.
  • Optional coherent multi-antenna SDR (Ettus B210 or similar) if you want direction-of-arrival checks. This costs more but enables AoA-based detection. Open-source GNSS-SDR forks demonstrate multi-antenna AoA processing with coherent SDRs.
  • Cabling, USB power, microSD card, small waterproof box if you deploy outdoors.

Software stack (open-source and proven)

  • Receiver raw tools: For u-blox use u-center (or libublox/ubx parsing) to capture RAWX, RXM/MEASX messages. These expose code phase, Doppler and pseudorange for each satellite and are essential for the metric checks described later.
  • SDR front end and GNSS SDR: GNSS-SDR or GNSS-SDRLIB and RTKLIB can decode signals from RTL-SDR/other SDRs and provide observables and position solutions for lab experiments. There are step-by-step examples showing RTL-SDR feeding GNSS-SDR to produce a position fix.
  • Data analysis: Python with numpy/pandas/matplotlib for plotting observables and implementing detection heuristics. Use saved binary captures and raw message logs for replay and offline analysis.
  • Datasets for testing: TEXBAT provides recorded spoofing scenarios you can replay into GNSS-SDR or your processing pipeline to validate detectors.

Basic measurement and logging setup

1) Ground-truth and clocks: Start with a known-good baseline. Place the antenna in an open sky location and record several minutes of normal operation to profile typical CN0, Doppler, pseudorange residuals, and the receiver clock drift. Having an IMU or a second positioning source (Wi-Fi, local map, or known static mount) helps confirm real movement vs spoofed movement.
2) Raw observables: Enable and log RAWX/RXM or equivalent messages from your u-blox module. Log at the highest rate the module supports. Save: PRN, pseudorange, carrier phase (if available), Doppler, and CN0. These fields are the core inputs to the detectors below.
3) RF-level monitoring: Use RTL-SDR to continuously capture power spectral density around L1 and adjacent bands and to compute a running average CN0 proxy from the SDR demod output or from decoded GNSS-SDR outputs. Spectrum-level alarms detect high-power jamming and gross anomalies.
4) Time sync: Keep the Pi clock synced from a separate reliable source where possible so log timestamps are trustworthy. If you do not have external time, at least track the receiver clock offset reported by the module.

Detection heuristics you can implement now

The following are straightforward checks that work well against many public spoofing scenarios. They require only raw observables and some simple thresholds or comparisons.

1) CN0 distribution check

Spoofers often transmit signals with similar power for many satellite PRNs. Compute the standard deviation of CN0 across tracked satellites. A very low standard deviation while overall CN0 is high is suspicious. Also watch for a synchronous CN0 increase across all PRNs. This is a cheap and fast detector.

2) Doppler and Doppler residual check

Compare the measured Doppler shifts against predicted Doppler calculated from ephemeris and a plausible receiver velocity. A cluster of Doppler measurements that do not match predicted values or that move in lock-step across PRNs is a classic sign of a single local transmitter impersonating multiple satellites.

3) Code-phase and correlator fine-structure

If you can access correlator outputs (via SDR-based processing or advanced receiver logs), look for multiple correlation peaks per PRN or two distinct code-phase peaks that persist. Algorithms that decompose correlator taps can reveal authentic and spoof peaks coexisting. Academic work and open toolkits have used correlator-domain sparse decomposition to flag such cases.

4) Time and position jump detection

Track the receiver solution and receiver clock offset. Sudden small steps in reported position or time that cannot be explained by dynamics or IMU data are high-value alarms. Some spoofers attempt takeover by slowly walking a receiver away from its true location; others inject a fast step. Both are detectable if you monitor the derivative of position and time.
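An added example, not part of the original article: monitoring the derivative of the receiver clock offset for both a fast step and a slow drag, using a per-sample threshold plus a CUSUM accumulator; the same logic applies to position deltas. The sample series, function names and tuning values are constructed assumptions.

```python
from statistics import mean, stdev

def detect_clock_anomaly(offsets_ns, baseline_n=30, step_sigma=8.0,
                         cusum_k=0.5, cusum_h=10.0):
    """Classify the first anomaly in a receiver clock-offset series (1 Hz, ns).

    The first baseline_n rate samples are assumed clean and give the normal
    drift (mean) and jitter (sigma). Returns ("step" | "drag" | None, index).
    step_sigma, cusum_k and cusum_h are assumed tuning values, in sigmas.
    """
    rates = [b - a for a, b in zip(offsets_ns, offsets_ns[1:])]  # d(offset)/dt
    mu = mean(rates[:baseline_n])
    sigma = max(stdev(rates[:baseline_n]), 1e-9)
    pos = neg = 0.0
    for i in range(baseline_n, len(rates)):
        z = (rates[i] - mu) / sigma
        if abs(z) > step_sigma:            # one huge derivative sample: fast step
            return "step", i + 1
        # One-sided CUSUMs: a small but persistent rate bias adds up (slow drag).
        pos = max(0.0, pos + z - cusum_k)
        neg = max(0.0, neg - z - cusum_k)
        if max(pos, neg) > cusum_h:
            return "drag", i + 1
    return None, None

def constructed_series(kind, n=90):
    """Constructed data: 20 ns/s oscillator drift plus a fixed jitter pattern."""
    jitter = [1, -1, 0, 2, -2]
    s = [20.0 * i + jitter[i % 5] for i in range(n)]
    if kind == "step":                     # 500 ns jump injected at sample 60
        s = [v + (500.0 if i >= 60 else 0.0) for i, v in enumerate(s)]
    elif kind == "drag":                   # extra 3 ns/s ramp from sample 45
        s = [v + 3.0 * max(0, i - 45) for i, v in enumerate(s)]
    return s

if __name__ == "__main__":
    for kind in ("clean", "step", "drag"):
        print(kind, detect_clock_anomaly(constructed_series(kind)))
```

The drag case never produces a single sample large enough to trip the step threshold; only the accumulated bias raises the alarm, some seconds after the ramp begins.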

5) PRN/Doppler consistency checks

Look for duplicated PRN IDs that have identical code phase, identical Doppler, and identical CN0 across many samples. Real satellites have unique Doppler profiles and differing SNR that depends on geometry. Identical or near-identical observables across multiple PRNs are suspect.

6) Cross-sensor corroboration

If you have an IMU, compare GNSS-derived velocity and position deltas to inertial estimates. If they diverge beyond expected IMU error, raise an alarm. The SemperFi research demonstrates that tight fusion with inertial short-term stability can recover true signals or at least flag spoofing during a takeover.

AoA and spatial checks with two antennas (optional, more capable)

If you can afford a coherent two-channel SDR or a dual-input front end you can implement a simple direction-of-arrival check. Authentic GNSS satellites arrive from different azimuth/elevation angles. A local spoofer will usually appear to come from a single or similar direction. Several open-source GNSS SDR forks provide 1-PPS and AoA processing examples with two antennas separated by a half-wavelength for L1. This is a more definitive test, but it requires coherent sampling and careful antenna spacing.
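An added example, not from the original article or from the GNSS-SDR forks it mentions: comparing the inter-antenna carrier-phase difference measured for each PRN against the difference predicted from satellite azimuth/elevation for a half-wavelength baseline. The sky geometry, phase values, hardware bias and threshold are constructed assumptions.

```python
import cmath
import math

def predicted_phase_diff(az_deg, el_deg, baseline_az_deg=90.0, spacing_wl=0.5):
    """Phase difference (rad) between the two antennas for a plane wave from
    (az, el); horizontal baseline pointing at baseline_az, spacing in wavelengths."""
    proj = (math.cos(math.radians(el_deg))
            * math.cos(math.radians(az_deg - baseline_az_deg)))
    return 2 * math.pi * spacing_wl * proj

def wrap(x):
    """Wrap an angle to [-pi, pi]."""
    return math.atan2(math.sin(x), math.cos(x))

def aoa_check(sats, measured, limit_rad=0.6):
    """sats: {prn: (az, el)} from ephemeris; measured: {prn: phase diff in rad}.
    limit_rad is an assumed threshold. Returns mismatch, concentration, verdict."""
    errs = [wrap(measured[p] - predicted_phase_diff(*sats[p])) for p in sats]
    # A cable/front-end phase bias is common to every PRN: estimate and remove it.
    common = cmath.phase(sum(cmath.exp(1j * e) for e in errs))
    resid = [wrap(e - common) for e in errs]
    rms = math.sqrt(sum(r * r for r in resid) / len(resid))
    # Resultant length near 1.0 means every PRN shows the same phase difference.
    conc = abs(sum(cmath.exp(1j * measured[p]) for p in sats)) / len(sats)
    return {"rms_mismatch": rms, "concentration": conc, "suspect": rms > limit_rad}

# Constructed sky view and measurements (not from a real capture).
SATS = {5: (40, 60), 12: (130, 30), 19: (220, 45), 24: (310, 20), 29: (85, 75)}
NOISE = dict(zip(SATS, (0.03, -0.05, 0.02, 0.04, -0.04)))
AUTHENTIC = {p: predicted_phase_diff(*SATS[p]) + 0.4 + NOISE[p] for p in SATS}
SPOOFED = {p: 1.2 + NOISE[p] for p in SATS}   # one emitter, one direction

if __name__ == "__main__":
    print("authentic", aoa_check(SATS, AUTHENTIC))
    print("spoofed  ", aoa_check(SATS, SPOOFED))
```

Half-wavelength spacing keeps the predicted difference within ±π, so the comparison needs no ambiguity resolution.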

Putting it together: a minimal detection pipeline (practical script outline)

  • Step A: Continuously log RAWX/RXM from the u-blox module into timestamped CSV or binary files.
  • Step B: Simultaneously run an SDR-based monitor to compute a rolling PSD and a CN0 proxy. Store rolling windows (10 s, 60 s).
  • Step C: Every second compute the following metrics: CN0 mean and std, Doppler residual rms, number of satellites with identical code-phase sign within a small tolerance, position/time delta from previous solution, and IMU-vs-GNSS delta if available.
  • Step D: Score the window with simple weighted thresholds. Example weights: CN0-std low + Doppler residual large + identical-code count > 1 => raise Spoof Alarm. Log alarms and persist full raw buffers for later forensic analysis.
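An added example of Steps C and D, not code from the original article: per-epoch metrics for the CN0 distribution, Doppler residual and cross-PRN consistency checks, combined with the example weighting above. The row layout, thresholds, weights and both sample epochs are constructed assumptions, and predicted Doppler is taken as an input computed elsewhere from ephemeris.

```python
import math
from itertools import combinations
from statistics import mean, pstdev

# Assumed tuning values; derive real ones from your own clean-sky baseline.
LIMITS = {"cn0_std_low": 1.0, "cn0_mean_high": 45.0, "dopp_rms_high": 30.0,
          "code_tol": 0.05, "dopp_tol": 2.0, "cn0_tol": 0.5}
WEIGHTS = {"cn0_flat": 3, "doppler": 4, "clones": 3}   # integer weights, max 10
ALARM_SCORE = 6

def epoch_metrics(obs):
    """obs rows: (prn, cn0 dB-Hz, doppler Hz, predicted doppler Hz, code phase chips)."""
    cn0 = [o[1] for o in obs]
    resid = [o[2] - o[3] for o in obs]
    clones = set()
    for a, b in combinations(obs, 2):
        # Two PRNs whose code phase, Doppler and CN0 all agree look like one emitter.
        if (abs(a[4] - b[4]) < LIMITS["code_tol"]
                and abs(a[2] - b[2]) < LIMITS["dopp_tol"]
                and abs(a[1] - b[1]) < LIMITS["cn0_tol"]):
            clones.update((a[0], b[0]))
    return {"cn0_mean": mean(cn0), "cn0_std": pstdev(cn0),
            "dopp_rms": math.sqrt(mean(r * r for r in resid)),
            "clone_count": len(clones)}

def score_epoch(obs):
    """Return (score, alarm, flags) for one one-second epoch."""
    m = epoch_metrics(obs)
    flags = {"cn0_flat": (m["cn0_std"] < LIMITS["cn0_std_low"]
                          and m["cn0_mean"] > LIMITS["cn0_mean_high"]),
             "doppler": m["dopp_rms"] > LIMITS["dopp_rms_high"],
             "clones": m["clone_count"] > 1}
    score = sum(WEIGHTS[k] for k, hit in flags.items() if hit)
    return score, score >= ALARM_SCORE, flags

# Constructed epochs (not real captures): open-sky vs. single-emitter pattern.
CLEAN = [(5, 44.0, -2098.5, -2100.0, 101.20), (12, 39.0, 848.0, 850.0, 640.75),
         (19, 47.0, 3100.5, 3100.0, 322.10), (24, 36.0, -397.0, -400.0, 915.40),
         (29, 41.0, 1499.0, 1500.0, 58.90)]
SPOOFED = [(5, 48.0, 1200.0, -2100.0, 511.30), (12, 48.2, 1200.5, 850.0, 511.31),
           (19, 47.9, 1199.6, 3100.0, 511.29), (24, 48.1, 1200.2, -400.0, 511.30),
           (29, 48.0, 1200.9, 1500.0, 511.32)]

if __name__ == "__main__":
    for name, epoch in (("clean", CLEAN), ("spoofed", SPOOFED)):
        print(name, score_epoch(epoch))
```

With these weights any two flags reach the alarm score, so a single noisy metric (for example urban multipath inflating the Doppler residual) does not raise an alarm on its own.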

Testing and validation

Replay TEXBAT scenarios through your processing chain to validate detectors and tune thresholds. TEXBAT provides a range of subtle and aggressive spoofing cases that allow you to refine both sensitivity and false alarm suppression strategy. Use GNSS-SDR or a similar SDR receiver to feed the recorded waveform into your pipeline and verify that your alarms trigger on the spoofed runs while staying quiet on clean recordings.

Limitations and caveats

  • Stealthy, high-end spoofers that capture authentic signals, align carrier phase and power, and then perform a takeover at very low SNR margin are hard to detect with single-antenna metric checks. Advanced multi-antenna AoA or cryptographic authentication are needed to raise the bar.
  • RTL-SDR based setups are excellent learning tools and good for spectrum-level alarms, but RTL-SDR thermal and front-end limitations make them unsuitable for forensic correlator-level analysis in some cases. For deep correlator inspection and coherent multi-antenna work use higher-grade SDRs.
  • False alarms happen. Urban multipath, reflecting surfaces, and nearby legitimate re-radiation can mimic some spoofing symptoms. Always corroborate with inertial or alternative position/time sources.

Operational hardening recommendations

  • Do not rely on a single GNSS receiver for safety-critical decisions. Use sensor fusion: IMU, odometry, vision, or network time sources.
  • Keep a log buffer of raw observables and RF spectrum around GNSS bands so that after an event you can perform a forensic replay and deeper analysis.
  • If you detect spoofing and your application needs to remain safe, gracefully switch to a degraded but safe navigation mode or lock to an internal clock rather than follow suspect GNSS time.
  • Consider commercial GNSS anti-spoofing sensors if you need certified, low-maintenance protection for critical infrastructure. They are more expensive but offer integrated classification and response options.

Where to go next

  • Run TEXBAT replays against your pipeline and iterate on thresholds.
  • Explore SemperFi and related research to understand INS-assisted recovery strategies and how successive interference cancellation can be used to preserve authentic peaks under attack.
  • If you want AoA detection, study the multi-antenna GNSS-SDR examples that add 1-PPS and coherent sampling support to infer arrival directions.

Final note on ethics and law

Monitoring RF is generally lawful, but transmitting on GNSS bands is illegal in many jurisdictions and extremely dangerous. All work described here should be passive unless you have explicit, lawful authorization to perform active tests in a controlled lab. Never transmit spoofing or jamming signals in the wild.

Summary of practical takeaways

  • For under a few hundred dollars you can build a detection rig that catches many real-world spoofing attempts by combining raw receiver observables, SDR spectrum monitoring, and simple heuristic detectors.
  • Record raw data, test with public datasets such as TEXBAT, and corroborate GNSS with independent sensors for operational robustness.