
By Chad Butler | Published May 14, 2026
A viewer comment on my last drone safety video claimed OSNMA had solved GNSS spoofing and that I was hyping a threat that no longer matters. He isn't alone. The misconception runs through virtually every industry working on autonomous systems, and it's especially dangerous in the commercial drone and vehicle industry where a wrong location turns into a physical safety incident.
Let me walk you through it.
A quick clarification. GPS is the US satellite navigation system. GNSS (Global Navigation Satellite Systems) is the umbrella term that also includes Galileo (Europe), GLONASS (Russia), and BeiDou (China). The distinction matters here because OSNMA authenticates Galileo, not GPS.

OSNMA is real progress. It went live July 24, 2025. It's the first civilian GNSS authentication feature in history. The team at the European Union Agency for the Space Programme deserves serious credit for shipping it.
But "solved" is not the right word. It implies OSNMA is secure enough on its own. It isn't.
Six months before OSNMA went operational, researchers had already published four working attacks against the protocol. The most dangerous one defeats authentication while the receiver still reports "authenticated."
This matters because GPS spoofing for delivery drones is not theoretical. A spoofed drone deviates from its flight path. It crashes into people, property, or critical infrastructure. Operators who treat OSNMA as the answer get a false sense of security and inherit liability they don't see.
The civilian GPS program was initiated in 1973.
The original engineering team made a foundational call. Two signals would broadcast from each satellite. One for military use, one for civilian use. The military signal was encrypted and authenticated. The civilian signal was openly documented and published so anyone could build a receiver.
That openness was deliberate. It's the reason GPS became the global utility it is today. Every car, phone, and fitness watch that uses GPS does so because the signal is open.
It's also why civilian GPS is unauthenticated, unencrypted, and trivially spoofable.
GPS has added newer civilian signals over the decades (L2C, L5, L1C), but the security model hasn't changed. Civilian signals remain unauthenticated, and the spreading codes are public. Each satellite broadcasts a unique pattern that a receiver listens for to identify the satellite and measure distance. Because those patterns are published, anyone can generate them and transmit a signal that looks legitimate to a receiver.
A software-defined radio is a programmable radio transceiver. You can buy one online for a few hundred dollars. Combine it with open-source code on GitHub and you have a working spoofer for under a thousand dollars total.
This is not a nation-state attack. It's a weekend project for a motivated attacker.
The reason most security teams underestimate this attack is that legal experimentation is heavily restricted. Few people are allowed to actually test it, so the perceived difficulty is much higher than the real difficulty.
Worse, the legal regime cuts the wrong way. The law prohibits testing, but enforcement is light. Honest researchers self-censor while attackers operate unbothered. We've created an "on your honor" system that punishes the people we need on our side.
The pattern is well-established. Every time we discount an attacker's motives or underestimate their access to hardware, it ends badly.
OSNMA stands for Open Service Navigation Message Authentication. It's Galileo's answer to the spoofing problem. It went operational July 24, 2025, and it's free for any receiver that supports it.
Here's the mental model.
When you log into your bank, you type a password. The bank checks the password and confirms your identity. OSNMA does the same thing for satellite signals. Each navigation message arrives with proof of identity that your receiver can verify. The signal stays publicly readable because it isn't encrypted. But now the receiver knows the message actually came from a Galileo satellite and not from an attacker on the ground.
Under the hood, OSNMA uses a protocol called TESLA. No relation to the car company. The satellite tags each navigation message with a message authentication code computed under a key that is still secret, then discloses that key a few seconds later. By the time the key is public, the receiver already has the message and tag buffered, so it can check the key against the chain it trusts and then check the tag. Verification is deliberately delayed rather than immediate. It's clever, and it works for what it was designed to do.
OSNMA prevents an attacker from forging a fake navigation message and detects tampering with satellite position and clock data. That makes basic spoofing considerably harder.
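To make the TESLA mechanism concrete, here is a toy receiver in Python. It is an added example, not code from the article, from EUSPA, or from any OSNMA implementation: the chain length, disclosure delay, MAC length and "ephemeris" strings are constructed, and real OSNMA uses a different key and tag layout with a signed root key. What it shows is the two checks a receiver has to make (the disclosed key hashes back to a trusted key; the buffered tag verifies under it) and why the timing rule is the whole game: a tagged message that arrives after its key could already be public must be discarded, and that rule is only as good as the receiver's own clock.

```python
import hashlib
import hmac

CHAIN_LEN = 8          # keys in the one-way chain (constructed, not OSNMA's real size)
DISCLOSURE_DELAY = 2   # the key used in slot t is broadcast in slot t + 2 (constructed)
MAC_LEN = 10           # truncated tag length in bytes (constructed)


def build_chain(seed: bytes, n: int = CHAIN_LEN) -> list:
    """One-way key chain: keys[i] = SHA-256(keys[i+1]); keys[0] is the root.
    The satellite walks the chain from index 1 upward, so any disclosed key can be
    checked by hashing it back to a key the receiver already trusts."""
    keys = [b""] * n
    keys[n - 1] = seed
    for i in range(n - 2, -1, -1):
        keys[i] = hashlib.sha256(keys[i + 1]).digest()
    return keys


def mac_for(key: bytes, slot: int, message: bytes) -> bytes:
    """TESLA authenticates with a MAC, not a signature; the slot index is bound in."""
    data = slot.to_bytes(4, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class Receiver:
    """Holds the root key (delivered out of band; OSNMA ships a signed root key and
    receivers carry the verifying public key) and buffers tagged messages until the
    matching key is disclosed. clock_offset models a receiver whose slot counter
    lags or leads true time."""

    def __init__(self, root_key: bytes, clock_offset: int = 0):
        self.trusted_key = root_key
        self.trusted_index = 0
        self.clock_offset = clock_offset
        self.pending = {}          # slot -> [(message, mac), ...]
        self.authenticated = []    # [(slot, message), ...]
        self.rejected_late = 0

    def on_tagged_message(self, true_slot: int, slot: int, message: bytes, mac: bytes) -> bool:
        """TESLA safety condition: the tagged message must arrive before the slot in
        which its key is disclosed. The check runs on the RECEIVER's clock."""
        if true_slot + self.clock_offset >= slot + DISCLOSURE_DELAY:
            self.rejected_late += 1
            return False
        self.pending.setdefault(slot, []).append((message, mac))
        return True

    def on_key_disclosure(self, slot: int, key: bytes) -> bool:
        """Accept the key only if it hashes back to the trusted key, then verify
        every buffered tag for that slot."""
        steps = slot - self.trusted_index
        if steps <= 0:
            return False
        probe = key
        for _ in range(steps):
            probe = hashlib.sha256(probe).digest()
        if not hmac.compare_digest(probe, self.trusted_key):
            return False           # not on the chain: ignore it
        self.trusted_key, self.trusted_index = key, slot
        for message, mac in self.pending.pop(slot, []):
            if hmac.compare_digest(mac, mac_for(key, slot, message)):
                self.authenticated.append((slot, message))
        return True


def run_scenario(clock_offset: int = 0) -> Receiver:
    """Honest broadcast for slots 1..5. In slot 5 the satellite discloses the slot-3
    key; anything on the ground that heard it can now produce a valid tag for a
    slot-3 message. A receiver with a correct clock drops that message as late; a
    receiver whose clock lags by two slots accepts and 'authenticates' it."""
    keys = build_chain(b"constructed seed, not a real OSNMA key")
    rx = Receiver(root_key=keys[0], clock_offset=clock_offset)

    def broadcast(t: int) -> None:
        msg = f"ephemeris slot {t}".encode()           # constructed navigation data
        rx.on_tagged_message(t, t, msg, mac_for(keys[t], t, msg))
        if t - DISCLOSURE_DELAY >= 1:
            rx.on_key_disclosure(t - DISCLOSURE_DELAY, keys[t - DISCLOSURE_DELAY])

    for t in range(1, 5):
        broadcast(t)
    stale_tag_message = b"fake ephemeris"               # tagged with the already-public keys[3]
    rx.on_tagged_message(5, 3, stale_tag_message, mac_for(keys[3], 3, stale_tag_message))
    broadcast(5)                                        # satellite's own slot-5 traffic
    return rx
```

The design point for a receiver builder is in `on_tagged_message`: the late-arrival test is the only thing that stops a re-used key from minting "authenticated" data, and it is evaluated against local time. That is why OSNMA receivers need a trustworthy time reference before the first authenticated fix counts for anything, and why the article's point about the time-to-first-authenticated-fix window is a security question, not just a convenience one.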
But it leaves four gaps that matter for drones.
It does not stop jamming. The next generation of Galileo, called G2, will include jamming resistance. G2 deployment is now expected to begin in 2027, with twelve satellites planned in total. Full operational coverage is years away.
It only authenticates Galileo. GPS, GLONASS, and BeiDou are still wide open. Cross-authentication for GPS isn't planned until 2028 at the earliest.
There's a startup delay. The Time to First Authenticated Fix is roughly 100 seconds in ideal conditions. Urban environments stretch that to 127 to 266 seconds. For a drone, that's a problem on both ends of a flight. Before takeoff, you're either waiting on the pad or launching with an unauthenticated fix. If anything blocks your signal mid-flight, a building or a canyon, you fly without authenticated location until the receiver recovers. That's another 100 seconds of unauthenticated operation. In the air.
A low-cost attack defeats it. This is the one that changes the conversation. In January 2025, researchers published "Practical Spoofing Attacks on Galileo Open Service Navigation Message Authentication" (arXiv:2501.09246). They demonstrated four distinct attacks using two software-defined radios. Two of them, including a Concatenating Replay attack, were validated against a commercial Septentrio receiver. The TS-Comply Forgery attack, which forges navigation messages that pass authentication and would let an attacker spoof a drone to any location, was demonstrated against a software receiver because the signal-generation toolchain doesn't yet match commercial hardware. The attack is real, and two mid-range SDRs cost under $5,000, putting the gear in reach of a determined hobbyist.
Read that again. A forged Galileo signal passed authentication. Today on a software receiver, soon on commercial hardware once the signal toolchain catches up.
GPS has its own answer in development. It's called CHIMERA, short for Chips-Message Robust Authentication.
CHIMERA is more ambitious than OSNMA. It authenticates both the message and the signal timing, which closes the gap the January 2025 research exposed.
The schedule is the issue.
CHIMERA is being tested on a satellite called NTS-3. It was originally planned to launch in 2022. It actually launched in August 2025, a three-year delay. Testing runs through 2026. After that, it has to be built into the next generation of GPS satellites and rolled out across the constellation.
A realistic operational date for CHIMERA on GPS is late 2020s to mid 2030s. Plan for the world we have today, not the one being designed.

Some commercial delivery drones in the US use GPS-only receivers. Those won't benefit from OSNMA without a hardware upgrade. And even with OSNMA, the four gaps above mean a single control isn't enough.
The answer is to stack independent layers so any one failure does not bring down position integrity.
Data authentication. Deploy OSNMA-capable receivers across the fleet. This raises the complexity and cost of basic forgery attacks.
Multi-constellation reception. Enable GPS, Galileo, GLONASS, and BeiDou simultaneously. An attacker who wants to spoof you now has to forge four signal sets at once.
Inertial cross-check. Integrate an IMU (inertial measurement unit) so radio-based spoofing has to fight physics. The IMU doesn't care what the radio says.
Receiver-level anomaly detection. Higher-end GNSS chips like Septentrio's mosaic-X5 with AIM-plus flag inconsistencies before they reach the flight controller.
Alternative PNT. PNT is positioning, navigation, and timing. Add at least one non-satellite source. Vision-based landmark tracking, magnetic navigation, or cellular positioning each break the radio dependency.
Behavioral anomaly detection. If the position changes and the other sensors don't agree, flag it. This is the catch-all for failure modes you didn't predict.
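Two of the layers above, multi-constellation agreement and the inertial cross-check, reduce to a small integrity monitor that sits between the receiver and the flight controller. The following Python is an added example, not code from the article or from any receiver or autopilot vendor. The flight path, per-constellation fixes, IMU velocities and both thresholds are constructed; the monitor flags an epoch when the constellations disagree with each other, or when the blended GNSS fix jumps away from where the IMU says the airframe should be. It also illustrates the later FAQ point that consistent spoofing of every constellation at once only gets caught by the sensor that does not listen to radio.

```python
import math

CONSTELLATION_SPREAD_M = 15.0  # assumed: max spread tolerated between per-constellation fixes
IMU_DIVERGENCE_M = 25.0        # assumed: max gap tolerated between GNSS fix and IMU estimate
DT = 1.0                       # seconds per epoch (constructed)


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def centroid(points):
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def spread(points):
    """Largest pairwise distance among the per-constellation fixes."""
    return max((dist(p, q) for i, p in enumerate(points) for q in points[i + 1:]), default=0.0)


def monitor(epochs):
    """epochs: list of {'fixes': {name: (east_m, north_m)}, 'imu_v': (ve, vn)}.
    Returns one (verdict, reason) per epoch. The IMU estimate is re-anchored on every
    fix that passes both checks, so normal IMU drift never accumulates; while a flag
    is raised it keeps dead-reckoning so the controller still has a physics-based
    position to fall back on."""
    verdicts = []
    est = None
    for ep in epochs:
        fixes = list(ep['fixes'].values())
        gnss = centroid(fixes)
        if est is None:
            est = gnss                         # first epoch: nothing to compare against
        else:
            est = (est[0] + ep['imu_v'][0] * DT, est[1] + ep['imu_v'][1] * DT)
        if spread(fixes) > CONSTELLATION_SPREAD_M:
            verdicts.append(('FLAG', 'constellations disagree'))
            continue                           # never re-anchor on a disputed fix
        if dist(gnss, est) > IMU_DIVERGENCE_M:
            verdicts.append(('FLAG', 'gnss diverges from imu'))
            continue
        est = gnss
        verdicts.append(('OK', ''))
    return verdicts


def flight(scenario, n=20, speed=10.0):
    """Constructed straight-line flight east at `speed` m/s with deterministic
    sub-metre jitter. 'honest': all fixes track truth. 'gps_only_pulled': one
    constellation's fix is pulled north from epoch 10. 'all_pulled': every
    constellation's fix is pulled north consistently from epoch 10, so only the
    IMU can catch it."""
    epochs = []
    for i in range(n):
        truth = (speed * i * DT, 0.0)
        jitter = ((i % 3) - 1) * 0.4
        pull = 30.0 * (i - 9) if i >= 10 else 0.0
        fixes = {}
        for j, name in enumerate(('GPS', 'GAL', 'GLO', 'BDS')):
            north = truth[1] + jitter * (1 if j % 2 else -1)
            if scenario == 'all_pulled' or (scenario == 'gps_only_pulled' and name == 'GPS'):
                north += pull
            fixes[name] = (truth[0] + jitter, north)
        epochs.append({'fixes': fixes, 'imu_v': (speed, 0.0)})
    return epochs


def first_flag(scenario):
    """(epoch index, reason) of the first flagged epoch, or None if the flight is clean."""
    for i, (verdict, reason) in enumerate(monitor(flight(scenario))):
        if verdict == 'FLAG':
            return i, reason
    return None
```

The limitation worth knowing before you ship something like this: re-anchoring every epoch means a pull that stays under `IMU_DIVERGENCE_M` per epoch is never seen by the per-epoch test. A production monitor adds an accumulated-innovation or windowed check against a longer IMU-only track, and treats a flag as a reason to degrade to the non-radio PNT sources listed above rather than to keep flying on the last GNSS fix.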
The cost reality is reasonable. Based on my own analysis, a budget OSNMA-capable receiver swap runs roughly $300 to $400 per drone. A full anti-spoof stack with multi-constellation, calibrated antennas, and AIM-plus class anomaly detection runs closer to $1,000 per drone. For a fleet of 100, expect $70,000 to $120,000 in capital investment depending on receiver tier and integration engineering.
Cheaper than one incident investigation. Cheaper still than the regulatory and reputational fallout if someone gets hurt.
OSNMA is real progress. The team that delivered it earned the win.
But "solved" is the wrong word. Galileo authentication works today, with known limits. GPS authentication is years away. A $5,000 attack defeats OSNMA while the receiver shows "authenticated."
The only thing that protects a delivery drone in 2026 is defense-in-depth.
If you're operating drones, the work to do this quarter is straightforward. Inventory the fleet. Stack the layers. Brief the board. Don't bet a public safety outcome on a single control.
Practical Spoofing Attacks on Galileo Open Service Navigation Message Authentication, arXiv:2501.09246, January 2025. Primary research demonstrating four distinct attacks against OSNMA, including the TS-Comply Forgery.
Improving Galileo OSNMA Time to First Authenticated Fix, IEEE Xplore, 2024. Documents the 100-second TTFAF benchmark and optimization options.
EUSPA: From Testing to Operations - Galileo OSNMA Service Now Available to Users, July 24, 2025. Official announcement of OSNMA operational status.
Both attack GNSS, but they work differently. Jamming overpowers legitimate satellite signals with noise so the receiver can't get a fix. The drone knows it's lost and typically responds with a fail-safe like return-to-home, hover, or land. Spoofing is more dangerous. The attacker transmits fake signals that look legitimate, and the receiver accepts them as real. The drone thinks it knows where it is, but the location is wrong. Jamming makes a drone stop. Spoofing makes a drone do what the attacker wants. OSNMA was built to detect spoofing. It does nothing for jamming, which is why the upcoming Galileo G2 generation includes anti-jam capabilities.
The original 1973 program made a deliberate trade-off. The military wanted exclusive use of an encrypted, authenticated signal for warfighting and weapons systems. The civilian signal was published openly so any manufacturer could build a receiver. That openness is the reason GPS became a global utility. It's also the reason civilian GPS is unauthenticated, unencrypted, and easy to spoof. Encrypting the civilian signal would have required key distribution to billions of future receivers, none of which existed yet. The architecture optimized for adoption. Fifty years later, we're paying the security debt.
No, but they help. Multi-constellation reception (GPS plus Galileo plus GLONASS plus BeiDou) means an attacker who wants to spoof you has to forge four signal sets simultaneously and keep them mathematically consistent across constellations. That raises the cost and skill required for a successful attack. But it doesn't solve spoofing. A determined attacker with enough SDR channels can still pull it off. And if your receiver only authenticates one constellation, which OSNMA does for Galileo, the others are still spoofable individually. Multi-constellation is one layer in defense-in-depth, not a complete solution.
In the US, it's heavily restricted. Transmitting on GNSS frequencies without authorization violates the Communications Act and FCC rules, even in a lab setting if the signal can leak. Researchers who want to do this legitimately need an FCC experimental license, an anechoic chamber, or a coordinated test range like White Sands. The result is a regulatory environment that discourages most academic and corporate research while doing very little to stop attackers, who are already willing to break the law. That gap, between what's prohibited and what's actually prosecuted, is part of why the security community underestimates this threat.
CHIMERA was designed to close exactly the gaps the January 2025 OSNMA research exposed. OSNMA only authenticates the navigation message. CHIMERA authenticates both the message and the signal timing, which makes time-shift forgery attacks like TS-Comply much harder. That said, no protocol survives contact with a determined attacker indefinitely. Until CHIMERA is deployed on the GPS constellation (realistically late 2020s to mid 2030s) and tested in the wild, claims of "spoof-proof" are aspirational. Plan for layered defenses regardless of which authentication standard becomes available.
