Global navigation satellite systems (GNSSs) are implementing security mechanisms: examples are Galileo open service navigation message authentication (OS-NMA) and GPS chips-message robust authentication (CHIMERA). Each of these mechanisms operates in a single band. However, nowadays, even commercial GNSS receivers typically compute the position, velocity, and time (PVT) solution using multiple constellations and signals from multiple bands at once, significantly improving both accuracy and availability. Hence, cross-authentication checks have been proposed, based on the PVT obtained from the mixture of authenticated and non-authenticated signals. In this paper, first, we formalize the models for the cross-authentication checks. Next, we describe, for each check, a spoofing attack to generate a fake signal leading the victim to a target PVT without notice. We analytically relate the degrees of the freedom of the attacker in manipulating the victim's solution to both the employed security checks and the number of open signals that can be tampered with by the attacker. We test the performance of the considered attack strategies on an experimental dataset. Lastly, we show the limits of the PVT-based GNSS cross-authentication checks, where both authenticated and non-authenticated signals are used.

翻译：全球导航卫星系统（GNSS）正在部署安全机制，例如伽利略系统的公开服务导航电文认证（OS-NMA）和GPS的芯片报文鲁棒认证（CHIMERA）。这些机制各自工作在单一频段。然而，当下即便是商用GNSS接收机，也通常利用多星座和多频段信号联合解算位置、速度与时间（PVT），从而显著提升精度和可用性。为此，基于已认证与未认证信号混合解算的PVT，研究者提出了交叉认证校验。本文首先形式化定义了交叉认证校验的模型。随后针对每种校验，描述了一种欺骗攻击——即生成虚假信号，使受害方在无察觉的情况下抵达目标PVT。我们解析了攻击者操纵受害方解算结果的自由度与所采用的安全校验机制、以及攻击者能篡改的开放信号数量之间的关系。我们通过实验数据集测试了所提攻击策略的性能。最后，揭示了基于PVT的GNSS交叉认证校验在同时使用已认证与未认证信号时的局限性。