Dumb question, but how does this deal with security? Can't anyone broadcast valid but malicious data on 1575.42 MHz? (e.g. to crash planes/missiles etc)
Yes, and there are moves in the next generation to add cryptographic signatures to the satellite streams. Someone could still jam it, but they couldn't spoof it.
One security measure effective against a simple class of GPS spoofing is to check against the satellites' epheremi.
For example, if your RX tells you that bird #7 is part of your location fix, but it knows from prior valid ephemeris data that that bird is currently below your horizon, the bogosity indicator will flash red. Ditto with certain pull-off spoofing methods.
it's already illegal to cause a plane to crash, regardless of the mechanism used, and the legality of the mechanism generally has no bearing on its effectiveness...!
but, gps (or other gndss) spoofing or jamming is effective, and i think that commercially available jammers simply broadcast reasonably broad spectrum noise around that frequency, which can overwhelm nearby recievers; although the article describes how noise rejection is performed, it has its limits. spoofing is more difficult, but still possible, including simple re-broadcast attacks using data received at another location, however i believe these things are non-trivial for military receivers due to countermeasures like beam steering?
EDIT: found wiki from some quick googling https://en.wikipedia.org/wiki/Spoofing_attack#Global_navigat...