The signals from the Positioning, Navigation, and Timing (PNT) satellites in Medium Earth Orbit (MEO) travel 20,000 km before reaching us: the 50 W emitted are spread over the solid angle covering the Earth’s surface, and very little power reaches the ground, as we will establish in this document using the classical Friis equation [11], which expresses energy conservation. It is therefore extremely easy to saturate a receiver of such signals with a signal emitted from the ground, even a much less powerful one, given the ratio of distances.
Large-scale jamming is not a fantasy of security specialists: it has been practiced and demonstrated on a large and small scale. Although the device is sold as a “GPS blocker”, our presentation aims to demonstrate the impact of this “blocker” over a large area and to make the reader aware of the consequences of turning on this electronic circuit.
Signal blocker: circuit analysis
The term “blocker” in the advertisement for the circuit we have purchased might lead the naive and technically unskilled customer to imagine that the radio frequency signal from the GPS constellation is miraculously canceled in the vicinity of the receiver. Even a destructive interference solution would only be local, excessively complex to adjust, and difficult to implement on the GPS broadband CDMA signal. In practice, we purchased the most despicable signal jammer imaginable: a sawtooth-shaped signal generator (the venerable NE555) biases the adjustment voltage of a microwave oscillator around 1.575 GHz.
As all these components drift terribly with environmental conditions, in particular temperature, and there is no quartz crystal or frequency control, the swept frequency range is far wider than the 2 MHz bandwidth of GPS: the triangular signal coming from the NE555 sweeps the microwave oscillator over the range 1.55 to 1.59 GHz. By chance or proximity to Russia, the 1.6 GHz GLONASS band (1602.0-1615.5 MHz) is at the limit of the interference band and is not too much affected by the signal jammer.
Each GPS bit occupies 20 ms (transmission at 50 bps), and each bit is encoded by 20 repetitions of the pseudo-random code that represents each satellite, a code of 1023 bits in length transmitted at a rate of 1.023 Mb/s (thus repeating the code every millisecond). By clocking the NE555 at about 300 kHz, we are on the order of magnitude of the repetition rate of the code identifying each satellite, ensuring that the receiver cannot find the original signal.
Efficiency on cell phones
Does such a trivial device work? Signal processing may work miracles, but if the power of the signal jammer exceeds the power of the information received, the fight is unfair between a satellite at 20,000 km and a jammer a few meters or hundreds of meters from the receiver.
We observe that a cell phone sees its localization capacity handicapped by the signal jammer: the GPS constellation disappears, and only the capacity to exploit GLONASS on this multi-constellation receiver still allows us to estimate the position. In this experiment, the jammer antenna was unsoldered and replaced by an SMA connector. Despite the absence of the radiating element, the phone was jammed within a few meters of the signal jammer. At what distance is this attack effective if an antenna is attached to the output of the microwave oscillator?
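The signature observed on the phone (GPS satellites drop out while GLONASS stays usable) can be checked for on the NMEA output of a multi-constellation receiver. The following is an added example, not part of the original article: the sample sentences are constructed, and the two thresholds and the function names are assumptions.

```python
"""Flag the signature described above from NMEA GSV sentences:
GPS satellites lose tracking while GLONASS satellites stay usable."""
from functools import reduce

MIN_CN0 = 20      # dB-Hz; assumed threshold for a "tracked" satellite
MIN_TRACKED = 4   # assumed: satellites needed for a fix from one constellation
TALKERS = {"GP": "GPS", "GL": "GLONASS"}

def checksum(body):
    """NMEA checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def sentence(body):
    """Build a valid sentence (used only for the constructed samples)."""
    return f"${body}*{checksum(body):02X}"

def tracked_per_constellation(lines):
    """Count satellites with C/N0 >= MIN_CN0 per constellation in one epoch."""
    tracked = {name: 0 for name in TALKERS.values()}
    for line in lines:
        body, _, given = line.strip().lstrip("$").partition("*")
        fields = body.split(",")
        talker, kind = fields[0][:2], fields[0][2:]
        if kind != "GSV" or talker not in TALKERS:
            continue
        if given.upper() != f"{checksum(body):02X}":
            continue  # corrupted sentence: ignore rather than trust it
        sats = fields[4:]
        # Each satellite is PRN, elevation, azimuth, C/N0; C/N0 is empty when untracked.
        for i in range(0, len(sats) - 3, 4):
            cn0 = sats[i + 3]
            if cn0.isdigit() and int(cn0) >= MIN_CN0:
                tracked[TALKERS[talker]] += 1
    return tracked

def classify(lines):
    """Label one epoch of GSV sentences."""
    t = tracked_per_constellation(lines)
    if t["GPS"] >= MIN_TRACKED:
        return "nominal"
    if t["GLONASS"] >= MIN_TRACKED:
        return "gps-l1-interference-suspected"
    return "no-fix"  # both lost: blocked sky, indoors, or wider-band interference

# Constructed sample epochs (not captured from a real receiver).
CLEAR = [sentence("GPGSV,1,1,04,02,45,120,41,05,60,200,44,13,30,310,38,20,15,050,35"),
         sentence("GLGSV,1,1,04,65,50,100,40,66,35,180,37,72,20,270,33,81,60,020,42")]
JAMMED = [sentence("GPGSV,1,1,04,02,45,120,,05,60,200,,13,30,310,12,20,15,050,"),
          sentence("GLGSV,1,1,04,65,50,100,38,66,35,180,34,72,20,270,30,81,60,020,39")]
```

A single epoch is weak evidence; in practice the classification should persist over several consecutive epochs before an alert is raised.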