Reading this again I wasn't as complete as I should have been.
Any introduction of a false timing signal whose time offset from the existing measurements is greater than the local clock's uncertainty can be flagged as false.
If your previous reported satellite time is Sp, previous local time is Lp, local time uncertainty is U, current local time is Lc = Lp + Ld±U, and current reported satellite time is Sc = Sp + Sd, then, roughly speaking,
if Sd > (Ld + U) or Sd < (Ld - U), the reported signal is a spoof.
So the original spoof signal as well as any subsequent spoof signals are subject to the stricter constraints offered by your higher-accuracy local time source.
Again I don't think you understand what I meant. The spoofed signal will start with an offset of exactly 0.
This offset will progressively increase in a way that is indistinguishable from an offset caused by the receiver moving slightly left, for example.
That being said, the main source of error in GPS signals isn't the time-keeping of the receiver, but rather atmospheric interference and rounding errors in computations.
I understand what you mean. The fact remains that having a local and accurate source of time reduces the ability for an attacker to move a target off course through spoofing.
At each frame the attacker has to add to the error in the victim's position. By limiting how much error the attacker can add at each frame, you limit how much damage the attacker can do.
There are other systems involved here, including accelerometers and gyros, that together with a Kalman filter allow the moving system to estimate the state, read values, and output new states based on a combination of those inputs. Less uncertainty in time allows for more precise predictions and more rejection of invalid inputs.
Read the link in my original post if you don't believe me:
"If GPS is disrupted or jammed, a CSAC could provide precise time to the GPS receiver to enable rapid recovery or to protect receivers from GPS spoofing, a condition where false GPS signals are broadcast to fool GPS receivers with erroneous information. The hope is that the Soldier wouldn't even know that his GPS is being jammed," Olson said. "
There is no error. The error produced is completely indistinguishable from the plane turning left or right.
I mentioned gyros and accelerometers in my first comment. They are the only thing that can at all help with advanced spoofing attacks. They are not sufficient. If they were sufficient, there would be no use for GPS to begin with.
This chip can only help against primitive attacks. It can help if the GPS signal is being jammed with nonsense signals by allowing the navigation system to lock back into the correct signal more quickly.
In the case of a sophisticated attack, the navigation system will not be able to detect the spoofing at all. The error induced by the spoofing will be completely indistinguishable from gyro drift.
That is to say, in the RQ-170 incident, the attacker was limited in the amount of error that could be added each frame by the gyros and accelerometer. Now, the attacker is still limited by the gyros and accelerometer; there is no change to the amount of error that can be added over time.
This chip can help against unsophisticated attacks. It cannot do anything at all for sophisticated attacks like those that allowed the capture of the RQ-170.
Let us have a thought experiment to ascertain this. Imagine a drone with an unphysically perfect clock. The drone receives time from 4 satellites and uses this time delta to calculate the distance from all four satellites.
Now let us imagine an attacker which overpowers this time signal. Initially, the signal is exactly the same as before the jamming. The signal at time t is such that it is exactly equal to that if the drone was turning left at exactly half of the gyro drift rate.
How would you be able to detect that this signal is incorrect? The answer is, it is impossible.
You may claim that the clock will be able to detect errors in the time by the spoofer. However, there is inherent noise in the time signal from GPS due to numerical errors in the predicted orbit of the satellites as well as interference from the ionosphere. The stochastic component of this noise is equal to more or less 3 meters. So the time error in the date signal from the GPS is already of the order of 1/(100 000 000) seconds, meaning that any clock better than that is not useful for discriminating against sophisticated attacks (but still useful against unsophisticated attacks).
I don't want to carry this on forever, but I will add this: the interference from the ionosphere is large, yes, but the difference in error is related to geographic location. For example, the error from the ionosphere at two points on the earth 5m apart is very similar. This is why things like CORS base stations and GNSS post-processing work. The range limit on those that NGS uses is 70km. This can be extended to the error from one frame of the solution to the next. The same is true of other error sources: the a priori error is large, but the error from one moment to the next for a receiver is small, for orbital elements, atmospheric noise, satellite clock error, etc.
For the issue of the gradually-increasing-error type of attack you mention, this article restates the point I've been driving at[0]. Their example is not chip-scale, but in all other respects it's the same. Note that they separately describe using a source of location-truth, but they still describe a method for spoofing attack detection that just relies on a cesium clock.
This[1] article is a good read, too, though their setup was GNSS-only, no IMU. They detect spoofs down to 2m (the shortest distance tested) with CSACs, but do not detect spoofs at that distance with classical receiver clocks.
Again, this doesn't completely remove the potential for spoofing attacks, it just reduces them. I don't have numbers on the actual limits in position change over time that would be detectable. But the principle for detecting gradual spoofed shifts is valid.
(and yes, I did look up these articles to respond... not sure what that says about my time-management, but it's an interesting topic :)
From article [0]:
"Certain spoofing attacks work by producing and broadcasting a falsified version of the GPS signal, but at a slightly greater power, which tricks a GPS receiver into locking onto the spoofed signal. Once the receiver has locked onto the spoofed signal, the false signal gradually phases out of sync with the GPS signal, causing the GPS receiver to report a false PNT, one dictated by the spoofer. The incremental phase out makes the spoofing attack very difficult to detect.
...
For a trusted input, TADA uses an atomic clock frequency. In simple terms, for each second measured by the incoming GPS timing signal, TADA counts the number of frequency cycles generated by a cesium clock. If the incoming GPS signal is valid, TADA will count exactly the expected number of Cesium frequency cycles. But if TADA measures a higher or lower number of timing signals than expected, it will display the difference. A difference outside the acceptable margin of error will prompt TADA to alert its users that the GPS timing signal is possibly being spoofed."
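The two checks discussed in this thread, the per-frame Sd versus Ld ± U test and the accumulated clock comparison from the quoted TADA description, as an added example that is not part of any comment or of TADA itself. Function names, the 1 Hz frame rate, and the oscillator stability figures are assumptions constructed for illustration; the 10 ns noise floor is the figure given in the thread.

```python
PS = 10**12  # picoseconds per second; integer times avoid float rounding

def flag_frames(sat, local, u):
    """Per-frame test: flag frame i when Sd falls outside Ld ± U."""
    flagged = []
    for i in range(1, len(sat)):
        sd, ld = sat[i] - sat[i - 1], local[i] - local[i - 1]
        if sd > ld + u or sd < ld - u:
            flagged.append(i)
    return flagged

def first_cumulative_alarm(sat, local, frac_unc, noise):
    """Accumulated test: total satellite-minus-local offset since frame 0
    versus what the local oscillator (frac_unc * elapsed) plus measurement
    noise can explain. Returns the first alarming frame, or None."""
    for i in range(1, len(sat)):
        elapsed = local[i] - local[0]
        offset = (sat[i] - sat[0]) - elapsed
        if abs(offset) > frac_unc * elapsed + noise:
            return i
    return None

def make_frames(n, start, step_ps=0, ramp_ps_per_s=0):
    """Constructed 1 Hz data: the spoof begins at frame `start` with an
    optional step and a ramp that starts from an offset of exactly 0."""
    local = [i * PS for i in range(n)]
    sat = [t + (step_ps + ramp_ps_per_s * (i - start) if i >= start else 0)
           for i, t in enumerate(local)]
    return sat, local

NOISE = 10_000                 # ps, the ~10 ns GPS timing noise from the thread
ATOMIC, QUARTZ = 1e-10, 1e-7   # constructed fractional stabilities, not datasheet values

def demo():
    jump = make_frames(600, 100, step_ps=1_000_000)     # abrupt 1 us step
    ramp = make_frames(600, 100, ramp_ps_per_s=1_000)   # 1 ns/s gradual pull-off
    slow = make_frames(600, 100, ramp_ps_per_s=50)      # slower than the ATOMIC bound
    return {
        "jump_per_frame": flag_frames(*jump, NOISE),
        "ramp_per_frame": flag_frames(*ramp, NOISE),
        "ramp_atomic": first_cumulative_alarm(*ramp, ATOMIC, NOISE),
        "ramp_quartz": first_cumulative_alarm(*ramp, QUARTZ, NOISE),
        "slow_atomic": first_cumulative_alarm(*slow, ATOMIC, NOISE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The per-frame test only sees the abrupt step; the gradual ramp is caught by the accumulated test when the local clock is tight, and a ramp slower than the clock's own uncertainty growth passes both.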