IoT location services accept client-reported GPS coordinates at face value, yet spoofing is trivial with consumer-grade tools. Existing spoofing detectors output a binary decision, forcing system designers to choose between high false-deny and high false-accept rates. We propose a graduated trust gate that computes a multi-signal integrity score and maps it to three actions: PROCEED, STEP-UP, or DENY, where STEP-UP invokes a stronger verifier such as a zero-knowledge proximity proof. A session-latch mechanism ensures that a single suspicious fix blocks the entire session, preventing post-transition score recovery. Under an idealized step-up oracle on 10,000 synthetic traces, the gate enables strict thresholds (theta_p = 0.9) that a binary gate cannot safely use: at matched false-accept rate (11%), the graduated gate maintains zero false-deny rate versus 0.05% for binary, with 5 microseconds scoring overhead. Real-device traces from an Android smartphone demonstrate the session-latch mechanism and show that a nearby mock location (~550 m) evades theta_p = 0.7 but is routed to step-up at theta_p = 0.9. Signal ablation identifies a minimal two-signal configuration (F1 = 0.84) suitable for resource-constrained scoring layers.
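The three-way mapping and the session latch described above can be sketched as follows. This is an added example, not the paper's code: the signal names, weights, weighted-mean aggregation, the DENY threshold `theta_d` and the trace values are all assumptions, and clearing the latch after a successful step-up is not modelled because the abstract does not describe it.

```python
from dataclasses import dataclass
from enum import IntEnum

class Action(IntEnum):          # ordered by severity so max() picks the stricter one
    PROCEED = 0
    STEP_UP = 1
    DENY = 2

def integrity_score(signals, weights):
    """Weighted mean of per-signal sub-scores in [0, 1] (assumed aggregation)."""
    total = sum(weights[name] for name in signals)
    return sum(weights[name] * value for name, value in signals.items()) / total

@dataclass
class TrustGate:
    theta_p: float              # score >= theta_p -> PROCEED
    theta_d: float = 0.5        # score <  theta_d -> DENY (assumed value)
    latched: Action = Action.PROCEED

    def decide(self, score):
        if score >= self.theta_p:
            current = Action.PROCEED
        elif score >= self.theta_d:
            current = Action.STEP_UP
        else:
            current = Action.DENY
        # Session latch: the strictest action seen so far sticks, so a later
        # high score cannot bring the session back to PROCEED.
        self.latched = max(self.latched, current)
        return self.latched

def run_session(theta_p, fixes, weights):
    gate = TrustGate(theta_p=theta_p)
    return [gate.decide(integrity_score(f, weights)).name for f in fixes]

# Constructed trace; signal names and weights are hypothetical.
WEIGHTS = {"motion_consistency": 0.5, "network_agreement": 0.5}
TRACE = [
    {"motion_consistency": 1.0, "network_agreement": 0.9},   # score 0.95
    {"motion_consistency": 0.9, "network_agreement": 0.7},   # score 0.80, nearby mock
    {"motion_consistency": 1.0, "network_agreement": 1.0},   # score 1.00, recovers
]

if __name__ == "__main__":
    for theta_p in (0.7, 0.9):
        print(theta_p, run_session(theta_p, TRACE, WEIGHTS))
```

With the constructed 0.80 fix, the session passes untouched at theta_p = 0.7, while at theta_p = 0.9 it is routed to STEP-UP and stays there even after the score returns to 1.0.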