GNSSs are vulnerable to two kinds of attack: jamming (denying access to the signal) and spoofing (impersonating a legitimate satellite). Both have been extensively studied, and a myriad of countermeasures exists to mitigate them. In this paper we expose a new type of attack, SpAmming, which combines the two approaches to achieve the same effect in a more subtle way. Exploiting the CDMA multiplexing present in most GNSSs, a spoofed signal causes the receiver to lose access to the signal of a legitimate satellite, which is equivalent to a denial of service; yet the existing countermeasures against jamming or spoofing do not protect against it, because it is strictly neither. An experimental proof of concept is presented in which the impact of the attack is evaluated as a function of the previous state of the receiver. Using an SDR-based system developed at the Space Security Centre, the attack is executed against a cold-started receiver, a warm-started receiver, and a receiver that has already acquired a PVT solution and is navigating. Different attack configurations are also tested, from a raw emission of the false signal to surgical configuration of the Doppler shift, code offset, etc. Although it proves particularly successful against cold-started receivers, the results show that it is also effective in the other scenarios, especially when combined with other attacks. We conclude by outlining possible countermeasures to detect and eventually counteract it, and avenues of research to better understand its impact, especially on authenticated services such as OSNMA, and to characterize it in order to improve the response to similar attacks.
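The abstract names the mechanism the attack rides on (CDMA multiplexing, a spoofed replica of a legitimate satellite's signal, and a dependence on whether the receiver starts cold or is already tracking) without spelling it out. The following is an added illustration, not code from the paper or from the Space Security Centre's SDR system: it generates real GPS C/A Gold codes in pure Python, builds a constructed one-code-period baseband sample in which a legitimate satellite and a stronger transmitter both use PRN 1 at different code phases, and runs the code-phase search a receiver performs. The scene values (phases 300 and 700, amplitudes 1 and 2, the noise level) and the multi-peak check are assumptions chosen for the demonstration; the paper's actual SpAmming configuration is not reproduced. It shows why a cold start is the most exposed state: a cold receiver searches every code phase and takes the largest peak, while a receiver that already predicts its satellite's phase only looks near it.

```python
"""Added illustration, not code from the paper: why a stronger replica of the
same PRN captures a CDMA receiver's code-phase acquisition, and why a cold
start is more exposed than a tracking receiver. GPS C/A codes, pure Python."""
import random

N_CHIPS = 1023
# G2 output taps (register stage numbers 1..10) for GPS C/A PRNs 1-5, per IS-GPS-200.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9)}


def ca_code_bits(prn):
    """1023-chip GPS C/A Gold code for `prn` as a list of 0/1 chip bits."""
    g1 = [1] * 10                      # register stage k is index k-1
    g2 = [1] * 10
    t1, t2 = G2_TAPS[prn]
    bits = []
    for _ in range(N_CHIPS):
        bits.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        fb1 = g1[2] ^ g1[9]                                   # G1: 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]   # G2: 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
        g1 = [fb1] + g1[:-1]
        g2 = [fb2] + g2[:-1]
    return bits


def bpsk(bits):
    """Map chip bits to BPSK symbols: 0 -> +1, 1 -> -1."""
    return [1 - 2 * b for b in bits]


def correlate_at(received, local, phase):
    """Circular correlation of `received` against `local` shifted by `phase` chips."""
    n = len(local)
    return sum(received[(i + phase) % n] * local[i] for i in range(n))


def acquire(received, local, window=None):
    """Code-phase search a receiver performs for one PRN.
    window=None: cold start, all 1023 code phases are candidates.
    window=(centre, half): warm/tracking receiver, only phases near its prediction.
    Returns (best_phase, {phase: correlation} for the searched phases)."""
    n = len(local)
    if window is None:
        phases = range(n)
    else:
        centre, half = window
        phases = [(centre + d) % n for d in range(-half, half + 1)]
    corr = {p: correlate_at(received, local, p) for p in phases}
    best = max(corr, key=lambda p: abs(corr[p]))
    return best, corr


def strong_peaks(corr, threshold):
    """Illustrative check (an assumption here, not the paper's countermeasure):
    one PRN should yield one correlation peak; several peaks of the same PRN
    mean several transmitters are using that code."""
    return sorted(p for p, v in corr.items() if abs(v) > threshold)


def make_scene(prn, legit_phase, legit_amp, spoof_phase, spoof_amp, seed=1):
    """Constructed one-code-period baseband sample: the legitimate satellite and a
    second transmitter both send PRN `prn`, at different code phases and powers,
    plus light Gaussian noise. Sample k carries chip (k - phase) of each signal."""
    code = bpsk(ca_code_bits(prn))
    rng = random.Random(seed)
    return [legit_amp * code[(k - legit_phase) % N_CHIPS]
            + spoof_amp * code[(k - spoof_phase) % N_CHIPS]
            + rng.gauss(0.0, 0.3)
            for k in range(N_CHIPS)]


def demo(prn=1, legit_phase=300, spoof_phase=700):
    """Legitimate PRN at phase 300 (amplitude 1), replica at phase 700 (amplitude 2).
    A cold receiver takes the largest peak and locks onto the replica; a receiver
    that already predicts phase ~300 searches +/-20 chips and stays on the satellite."""
    local = bpsk(ca_code_bits(prn))
    rx = make_scene(prn, legit_phase, 1.0, spoof_phase, 2.0)
    cold_phase, cold_corr = acquire(rx, local)
    track_phase, _ = acquire(rx, local, window=(legit_phase, 20))
    return {
        "cold_start_phase": cold_phase,
        "tracking_phase": track_phase,
        # 1023 is the full peak of one unit-amplitude signal; Gold-code sidelobes
        # stay at |65| or below, so anything above half a peak is a real replica.
        "flagged_phases": strong_peaks(cold_corr, N_CHIPS / 2),
    }


if __name__ == "__main__":
    print(demo())
```

The search here is over code phase only; a real acquisition also sweeps Doppler bins, which is where the abstract's "surgical Doppler configuration" would let a transmitter place its replica in the cell the receiver is about to test. The multi-peak count is a cheap first indicator only: a receiver that never compares peaks for the same PRN, as a cold-started one need not, never sees the second transmitter at all.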