Experimental Analysis of Intentional Radio-Frequency Attacks on GNSS-based Time Synchronization for Communications Networks

Brendan David Polidori

Supervisors: Fabio Dovis, Alex Minetto. Politecnico di Torino, Master's degree programme in Ict For Smart Societies (Ict Per La Società Del Futuro), 2021

License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

Accurate and reliable time synchronization in telecommunication networks is fundamental to ensure the superior performance of upcoming and next-generation paradigms of mobile communications, such as 5G New Radio (NR). In a modern network infrastructure, sub-microsecond synchronization requires a large number of reliable clocks such as Rubidium (Rb) and Cesium (Cs) atomic oscillators, technologies that are too expensive to be deployed throughout multiple network nodes. To overcome the cost problem, atomic clocks are being replaced by less expensive GNSS receivers that provide a specific synchronization signal, the Pulse Per Second (1-PPS), which can be exploited to distribute time synchronization across the network at more sustainable costs. However, GNSS receivers expose the network to the growing risk of radio-frequency attacks, thus introducing a significant security flaw. This thesis research sought to determine the effects of intentional radio-frequency interference on state-of-the-art GNSS timing receivers, with the aim of assessing the reliability of the generated 1-PPS. Jamming, meaconing and spoofing attacks were investigated individually or in combinations of two or more against the GNSS receivers under test. Specific test procedures were designed to intentionally disrupt the activities of the receiver and to observe the effect on the 1-PPS generation. In general, the procedures were divided into four periods: the first with no interference applied, the second with mild interference, the third with high levels of interference to cause maximum damage, and the fourth a post-interference period during which the return to normal operation was assessed. High-power jamming signals completely disrupted the normal operation of the receiver, while in the case of low-power jamming levels, the receiver's interference mitigation algorithm was able to effectively detect and compensate for them.
Meaconing proved to be the most effective method to introduce a delay in the 1-PPS generation, since the receiver erroneously interprets the delayed signals as caused by the multipath effect. Finally, simplistic spoofing signals are completely blocked by the receiver, and when their power level exceeds a certain threshold the receiver classifies them as interference and completely stops its operation. Throughout the tests, the target receiver proved to be an excellent timekeeping source, able to satisfy stringent synchronization requirements. It also showed excellent interference mitigation capabilities, but ultimately was defeated by meaconing and its own algorithms.

Supervisors: Fabio Dovis, Alex Minetto
Academic year: 2021/22
Publication type: Electronic
Number of pages: 89
Subjects:
Degree programme: Master's degree programme in Ict For Smart Societies (Ict Per La Società Del Futuro)
Degree class: New system > Master's degree > LM-27 - TELECOMMUNICATIONS ENGINEERING
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/21287