GPS Spoofing Interference Case Analysis: A Drone Defense System that Caused Widespread GPS Disruption

In my capacity as a spectrum monitoring engineer at the Qingdao Radio Monitoring Station, I have encountered numerous interference incidents over the years, but the case I am about to describe stands out as a textbook example of drone spoofing gone wrong. In December 2019, a gas station in the West Coast New District of Qingdao deployed a so-called “unmanned aerial vehicle defense system” that relied on deceptive GPS signals to protect its liquefied natural gas storage tanks from potential drone attacks. However, this drone spoofing device inadvertently caused massive disruption to civilian GPS navigation and mobile communication base stations over an area of approximately 6 square kilometers. The following is a detailed account of how we identified, analyzed, and resolved this case, with a focus on the technical aspects of drone spoofing and its implications.

Background and Impact Overview

On December 26, 2019, the Industrial and Information Technology Bureau of the West Coast New District reported that a large number of Didi ride-hailing drivers had complained about erratic GPS positioning near the Xin’an Street office area. Their phones consistently placed their vehicles at a nearby airport, making navigation impossible. Additionally, the local China Mobile subsidiary reported that nearly 50 base stations in the same region had experienced severe GPS timing and positioning failures, with several base stations dropping out of service entirely. More than 200 customer complaints were logged during the interference period. The bureau had attempted to locate the source but failed, and our station was called in for technical support. The scale of this incident, driven by a single drone spoofing system, is summarized in the table below.

Table 1: Impact Summary of the Drone Spoofing Interference
| Metric | Value |
| --- | --- |
| Affected area | ~6 km² |
| Number of base stations impacted | ~50 |
| Base stations forced offline | Multiple |
| Customer complaints (mobile network) | Over 200 |
| GPS spoofing target location | Local airport (false position) |
| Primary victims | Ride-hailing drivers, mobile network operators |
| Interference source type | Generative GPS spoofing (drone defense system) |

Tracking Down the Spoofer

Between December 27 and 30, 2019, our team deployed three mobile monitoring vehicles and eight technicians, battling force-7 winds and sub-zero temperatures, to pinpoint the source. The interference was intermittent, with each burst lasting 30 seconds. We discovered that the device emitted a signal that, while not extremely powerful, was highly deceptive. At 20 meters from the suspected unit, the received signal level was only 20 dBμV; right next to it, the level reached 40 dBμV. The device operated across multiple frequency bands – not only the GPS L1 band (1575.42 MHz) but also 2.4 GHz, 5.8 GHz, and 900 MHz – with an actual emission bandwidth of 60 MHz. This broad spectrum capability explains why the drone spoofing system could simultaneously disrupt Wi-Fi, Bluetooth, and other services. The table below summarizes the key measurement parameters observed during the field investigation.

Table 2: Field Measurement Parameters of the Drone Spoofing System
| Parameter | Measured Value |
| --- | --- |
| Transmission mode | Intermittent (30-second bursts) |
| Received level at 20 m | 20 dBμV |
| Received level at antenna (0.5 m) | 40 dBμV |
| Affected frequency bands | GPS L1, 2.4 GHz, 5.8 GHz, 900 MHz |
| Actual emission bandwidth | 60 MHz |
| Interference type | Generative GPS spoofing (drone spoofing) |
| Location | Gas station (LNG storage facility) |

After exhaustive directional searches and triangulation, we traced the source to a gas station that had installed a UAV defense system disguised as an innocuous junction box. The system was designed to transmit false GPS coordinates that tricked any drone flying nearby into believing it was inside the no-fly zone of a major airport, thereby forcing it to land or return. However, the same drone spoofing signals were strong enough to affect all GPS receivers in the vicinity, including those in smartphones and base stations.

Technical Principles of Anti-Drone Systems and Drone Spoofing

GPS interference can be broadly categorized into two types: suppression (jamming) and deception (spoofing). The case we encountered falls squarely under the latter, specifically a form of drone spoofing known as generative spoofing. To understand the mechanism, let us first examine the mathematical foundations of GPS signal reception.

A genuine GPS satellite transmits a navigation message at a known carrier frequency of L1 (1575.42 MHz). The receiver measures the pseudorange to each satellite by comparing the time of arrival of the signal with the time it was transmitted. The pseudorange $\rho_i$ to satellite $i$ is given by:

$$
\rho_i = c \cdot (t_{rx} - t_{tx}) + \epsilon_i
$$

where $c$ is the speed of light, $t_{rx}$ is the local receive time, $t_{tx}$ is the satellite transmission time, and $\epsilon_i$ accounts for various error sources (ionospheric delay, clock offsets, etc.). A standard GPS receiver solves for its position $(x,y,z)$ and receiver clock bias $b$ (expressed as a distance, i.e. the clock offset multiplied by $c$) by solving a system of equations with at least four satellites:

$$
\rho_i = \sqrt{(x - x_i)^2 + (y - y_i)^2 + (z - z_i)^2} + b
$$

In a suppression or jamming scenario, the attacker transmits high-power noise centered on the GPS frequency, raising the noise floor and making it impossible for the receiver to demodulate the weak satellite signals. The jamming-to-signal ratio (J/S) is often expressed as:

$$
J/S = \frac{P_j G_j G_{rx}}{P_s G_s G_{rx}} \cdot \frac{1}{L}
$$

where $P_j$ and $P_s$ are the jamming and satellite transmit powers, $G_j$ and $G_s$ are the respective antenna gains, $G_{rx}$ is the receiver antenna gain, and $L$ includes path loss. With sufficient J/S, the receiver is blinded.

However, the device we encountered did not jam – it spoofed. Spoofing can be classified into three main subtypes:

  • Repeater (mirror) spoofing: The attacker receives real GPS signals, delays them, and retransmits them, causing the target to compute a false position.
  • Generative spoofing: The attacker simulates the entire GPS signal structure – including navigation data, C/A code, and carrier – to produce a synthetic signal that matches the target’s expected environment at a chosen false location.
  • Trajectory tracking spoofing: The attacker continuously adjusts the spoofed signal to gradually pull the target away from its true path.

The system at the gas station was a generative drone spoofing device. It used real-time satellite ephemeris data (almanac and ephemeris downloaded from the actual GPS constellation) to compute the exact signal parameters that a receiver at the spoofed location would observe. The core technology blocks include:

  • Satellite navigation signal simulation engine
  • Precise ephemeris decoding and prediction algorithms
  • Time synchronization with real GPS time via a local GNSS receiver
  • Multi-channel fine power control for each simulated satellite
  • PID-based trajectory following to induce gradual deviation (though in this case the target was static)

The mathematical representation of the generated signal for a single satellite $i$ can be expressed as:

$$
s_i(t) = A_i \cdot C_i(t - \tau_i) \cdot D_i(t - \tau_i) \cdot \cos(2\pi f_{L1} t + \phi_i)
$$

where $A_i$ is the amplitude, $C_i$ is the coarse/acquisition (C/A) code chip sequence (1023 chips at 1.023 MHz), $D_i$ is the navigation data bit (50 bps), $\tau_i$ is the deliberately induced code delay corresponding to the false pseudorange, $f_{L1}$ is the carrier frequency, and $\phi_i$ is the carrier phase. The spoofing device sums contributions from multiple satellites (typically 8–12) to create a consistent false position solution.

The critical advantage of generative drone spoofing over jamming is that the target receiver never loses lock; it simply converges to a wrong location. In this case, the false position was set to be inside the no-fly zone of the local airport, which is a common strategy used by commercial drone operators to define restricted areas. The drones would therefore interpret the spoofed GPS as indicating they were inside a prohibited zone and automatically initiate a return-to-home or landing procedure.

However, the device’s signal leaked into the surrounding environment. Because it transmitted with power sufficient to cover a radius of several hundred meters (and because the base stations’ GPS antennas were often poorly shielded), the spoofed signals overwhelmed the authentic satellite signals for any GPS receiver within range. The following table contrasts suppression jamming with the generative drone spoofing encountered in this case.

Table 3: Comparison of Suppression Jamming vs. Generative Drone Spoofing
| Feature | Suppression (Jamming) | Generative Spoofing |
| --- | --- | --- |
| Effect on target receiver | Loss of lock, no position | False position, possible lock on fake signals |
| Signal characteristics | High-power noise or sawtooth | Matched GPS signal structure |
| Detection difficulty | Easy – noise floor rises | Hard – signals appear legitimate |
| Primary threat to drones | Forces immediate landing (no GPS) | Sends drone to wrong location |
| Impact on nearby civilian GPS | Loss of navigation, base station timing fails | False position, base station timing drifts |
| Bandwidth required | Narrow or wide | Narrow (mimics real GPS bandwidth ~20 MHz) |
| Legal status | Illegal in most jurisdictions | Also illegal if used without authorization |

[Figure: Diagram of drone spoofing concept]

Consequences and Recommendations

The consequences of this drone spoofing incident extended far beyond the intended target (drones). Mobile communication base stations rely on GPS for precise time synchronization – typically to within microseconds – which is essential for handover, time-division duplexing, and lawful interception. When the spoofed signals injected false timing information, the base stations lost synchronization and either dropped calls or went offline. Similar risks apply to other critical infrastructure: port operations use GPS for vessel positioning and container crane alignment; aviation uses GPS for en-route navigation and precision approaches; and financial networks use GPS for transaction timestamps.

Our investigation revealed that the UAV defense system in question was completely illegal under Chinese regulations: it lacked type approval (SRRC certification), had no declared emission parameters, was not registered for sale, and operated without a radio station license. Both the manufacturer and the end user violated multiple laws. The device’s ability to radiate across four frequency bands simultaneously (GPS L1, 2.4 GHz, 5.8 GHz, and 900 MHz) made it a potent multi-spectrum menace. The table below lists the regulatory deficiencies we identified.

Table 4: Regulatory Violations of the Drone Spoofing System
| Requirement | Status |
| --- | --- |
| Type approval (SRRC certification) | Missing |
| Transmission parameter declaration | None |
| Sales registration | Not registered |
| Radio station license | Not obtained |
| Frequency band authorization | Unauthorized use of GPS, ISM, and other bands |

Based on this case, I strongly recommend the following actions to prevent future drone spoofing disasters:

  • Mandatory pre-deployment coordination: Any entity planning to install an anti-drone system (whether jamming or spoofing) must first consult with the local radio monitoring authority. A site survey should be conducted to assess potential impact on nearby GPS-dependent infrastructure.
  • Strict licensing and testing: All such systems should undergo rigorous type approval that verifies their emission characteristics – not just out-of-band emissions but also in-band spoofing signal authenticity. The authorities should define maximum permissible power levels and require fail-safe mechanisms that disable the device if it exceeds a certain coverage radius.
  • Public awareness campaigns: Many operators of critical infrastructure (e.g., gas stations, power plants, prisons) are unaware that even a low-power drone spoofing box can cripple base stations and navigation systems kilometers away. Educational materials must be distributed to emphasize the risks.
  • Enhanced monitoring capability: Radio monitoring stations should invest in spoofing detection tools – for example, carrier-to-noise ratio (C/N0) monitoring, cross-checking with inertial navigation, or using multiple low-cost GPS receivers to detect inconsistencies. A simple method involves comparing the received satellite ID list: a spoofer usually transmits all satellites from a single antenna, so the angles of arrival are identical, which is physically impossible for real satellites.
  • Legal enforcement: The case highlights the need for stricter penalties for illegal use of drone spoofing equipment. Fines should be proportional to the economic damage caused, and repeat offenders should face criminal charges.
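
The multiple-receiver cross-check from the monitoring recommendation above, as an added example rather than code from the original article: fixed receivers with surveyed coordinates should never report fixes that collapse onto one point. Receiver names, coordinates and thresholds are constructed assumptions.

```python
import math
from itertools import combinations

# Constructed survey coordinates (lat, lon in degrees) for three fixed
# monitoring receivers; names and values are hypothetical, not from this case.
SURVEYED = {"rx_a": (36.0000, 120.0000),
            "rx_b": (36.0050, 120.0080),
            "rx_c": (35.9980, 120.0150)}

# Constructed epochs: normal scatter of a few metres, then every receiver
# reporting nearly the same false point roughly 20 km away.
CLEAN = {"rx_a": (36.00002, 120.00001),
         "rx_b": (36.00498, 120.00803),
         "rx_c": (35.99801, 120.01498)}
SPOOFED = {"rx_a": (36.1500, 120.1500),
           "rx_b": (36.1501, 120.1500),
           "rx_c": (36.1500, 120.1501)}

def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def check_epoch(reported, max_offset_m=100.0, collapse_ratio=0.2):
    """Classify one epoch of fixes {receiver: (lat, lon)}.

    displaced: receivers whose fix left their surveyed position.
    collapsed: pairs whose reported separation shrank to a small fraction
               of the surveyed baseline (same solution from one emitter).
    """
    displaced = sorted(n for n, f in reported.items()
                       if haversine_m(f, SURVEYED[n]) > max_offset_m)
    collapsed = [(a, b) for a, b in combinations(sorted(reported), 2)
                 if haversine_m(reported[a], reported[b])
                 < collapse_ratio * haversine_m(SURVEYED[a], SURVEYED[b])]
    if not displaced:
        verdict = "clean"
    elif collapsed:
        verdict = "single-emitter spoofing suspected"
    else:
        verdict = "displaced fix, cause unknown"
    return verdict, displaced, collapsed
```

A single displaced receiver is reported separately because one bad fix alone does not show that a common emitter is responsible.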

Mathematical Analysis of Spoofing Impact on Base Station Timing

To understand why mobile base stations are particularly vulnerable to drone spoofing, we can model the impact of a false GPS time offset. A typical base station uses a GPS-disciplined oscillator (GPSDO) to steer its internal clock. The base station’s local clock error $\Delta t_{BS}$ is corrected using the GPS time solution. A spoofing device that introduces a pseudorange error $\Delta \rho$ for each satellite will cause the receiver to compute a position error $\Delta \mathbf{r}$ and a clock bias error $\Delta b$. For a static base station, the positioning error is often secondary to the timing error because the base station’s location is fixed and can be averaged out. However, the clock bias error directly translates into a time offset. The pseudorange equation in vector form is:

$$
\boldsymbol{\rho} = \mathbf{H} \cdot \begin{bmatrix} \mathbf{r} \\ b \end{bmatrix} + \boldsymbol{\epsilon}
$$

where $\mathbf{H}$ is the geometry matrix (dimension $n \times 4$). If the spoofer injects a common delay offset $\tau_{spoof}$ to all satellite signals, the solution for $b$ will shift by approximately $c \cdot \tau_{spoof}$. In our case, the spoofer aimed to create a false position at the airport, which is roughly 20 km away from the affected base stations. The corresponding pseudorange offset for a satellite at zenith would be on the order of several tens of kilometers, leading to a clock bias error of tens of microseconds. Even a 1 μs timing error can cause frame misalignment in LTE or 5G systems, resulting in dropped connections. The following equation illustrates the timing sensitivity:

$$
\Delta b = \frac{1}{c} \left( \Delta \rho_{\text{spoof}} - \Delta \mathbf{r} \cdot \hat{\mathbf{e}} \right)
$$

where $\Delta b$ is expressed in seconds and $\hat{\mathbf{e}}$ is the unit vector from the base station to the satellite. In a well-designed drone spoofing attack, the attacker knows the true base station location and can compensate for geometric effects to specifically target the timing. However, the system we encountered was a generic anti-drone device that did not consider base stations; it just blindly transmitted a false location. Despite this, it still caused massive disruption because the generated pseudoranges were inconsistent with the true geometry, and the base stations’ GPS receivers simply could not distinguish the spoofed signals from the real ones.
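
An added worked example (not from the original article) of the two effects described above: a common delay on every channel leaves the position fix alone and shifts only the clock bias, while pseudoranges generated for a false location 20 km away disagree with the surveyed geometry of a static site. The satellite coordinates, the local frame and the function names are constructed assumptions.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed satellite positions in a local east/north/up frame (metres),
# not real ephemeris. The base station antenna is surveyed at the origin.
SATS = [(1e6, 2e6, 20.2e6), (20e6, 5e6, 8e6), (-18e6, 9e6, 10e6),
        (3e6, -19e6, 9e6), (-6e6, -7e6, 22e6), (9e6, 14e6, 17e6)]

def pseudoranges(pos, bias_m=0.0, delay_s=0.0):
    """Pseudoranges a receiver at pos would see, plus a common delay on all channels."""
    return [math.dist(pos, s) + bias_m + C * delay_s for s in SATS]

def solve4(a, y):
    """Solve the 4x4 system a*x = y by Gauss-Jordan elimination with pivoting."""
    m = [row[:] + [v] for row, v in zip(a, y)]
    for i in range(4):
        p = max(range(i, 4), key=lambda r: abs(m[r][i]))
        m[i], m[p] = m[p], m[i]
        for r in range(4):
            if r != i:
                f = m[r][i] / m[i][i]
                m[r] = [u - f * v for u, v in zip(m[r], m[i])]
    return [m[i][4] / m[i][i] for i in range(4)]

def fix(rho, iters=10):
    """Gauss-Newton solution of rho_i = |r - r_i| + b; returns [x, y, z, b] in metres."""
    est = [0.0, 0.0, 0.0, 0.0]
    for _ in range(iters):
        rows, res = [], []
        for s, r in zip(SATS, rho):
            d = math.dist(est[:3], s)
            rows.append([(est[k] - s[k]) / d for k in range(3)] + [1.0])
            res.append(r - d - est[3])
        ata = [[sum(h[i] * h[j] for h in rows) for j in range(4)] for i in range(4)]
        atr = [sum(h[i] * v for h, v in zip(rows, res)) for i in range(4)]
        est = [e + d for e, d in zip(est, solve4(ata, atr))]
    return est

def position_hold(rho, surveyed=(0.0, 0.0, 0.0)):
    """Timing-receiver view: position held at the survey point, solve only for b.

    Returns (bias in seconds, spread of per-satellite residuals in metres).
    """
    per_sat = [r - math.dist(surveyed, s) for s, r in zip(SATS, rho)]
    return sum(per_sat) / len(per_sat) / C, max(per_sat) - min(per_sat)
```

A common delay produces no residual spread in position-hold mode, so catching it requires comparison against an independent clock such as the holdover oscillator.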

Conclusion

The 2019 Qingdao drone spoofing incident serves as a stark warning about the unintended consequences of deploying deceptive anti-drone technology without proper oversight. While protecting critical infrastructure from malicious drones is a legitimate concern, the use of uncontrolled drone spoofing devices can inflict collateral damage far exceeding any security benefit. As GPS has become the invisible backbone of modern society – from ride-hailing apps to cellular networks to financial transactions – any interference with this system must be treated with the highest seriousness. Our successful identification of the spoofer, despite the extreme weather and intermittent nature of the signal, relied on a combination of experienced field techniques, spectrum analysis, and a deep understanding of GNSS vulnerabilities. I urge all stakeholders – regulators, industry, and end users – to work together to establish a framework where drone spoofing technologies can be used safely, or better yet, replaced by alternative countermeasures such as radar-based detection, RF-controlled geofencing, or kinetic interceptors that do not pollute the radio spectrum. The lesson is clear: you cannot fight fire with fire without risking a wildfire.
