Threat Detection and Resilience Techniques in PRS-Assisted OTDOA 5G Positioning Systems
Pith reviewed 2026-05-09 22:57 UTC · model grok-4.3
The pith
Spatial and cross-layer techniques detect meaconing in 5G positioning that encryption alone misses, achieving over 90% detection rates.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The work introduces an open-source simulator for modeling 5G positioning channels and injecting threats. It proposes encrypted PRS, angular-based source authentication, and cross-layer handshaking to enhance resilience. Evaluations show encryption, authentication, and tracking counter spoofing and jamming effectively, while the new spatial and cross-layer mechanisms are crucial for meaconing detection, resulting in over 90% attack detection rates with minimal false alarms.
What carries the argument
VeriLoc simulator combined with encrypted PRS, angular-based source authentication (ABSA), cross-layer DL-UL handshaking, position tracking, and signature-extended HMAC authentication.
If this is right
- Encryption and authentication robustly counter selective PRS spoofing and jamming.
- Spatial and cross-layer mechanisms are essential for detecting meaconing.
- Collective use maintains attack detection above 90% with minimal false alarms.
- These techniques support secure 5G positioning for critical applications.
Where Pith is reading between the lines
- The open-source simulator could enable testing of additional threat scenarios beyond those evaluated here.
- Hardware validation in live networks would confirm whether simulation detection rates hold in practice.
- Adapting the angular and cross-layer checks to other 5G positioning methods could broaden protection.
Load-bearing premise
The channel models and threat injection methods in the simulator accurately represent real-world 5G radio environments and attacker capabilities.
What would settle it
A field experiment in a real 5G network subjecting the system to meaconing attacks and measuring actual detection and false alarm rates.
Original abstract
Precise positioning is a key enabler for emerging 5G applications, from autonomous transport to industrial automation. Yet the open physical layer (PL) leaves standard positioning reference signals (PRSs) vulnerable to manipulation. This work addresses the security of downlink observed time difference of arrival positioning (DL-OTDOA) through three contributions. First, we introduce VeriLoc, an open-source system-level simulator designed for realistic channel modeling and PL threat injection. Second, we propose three novel security techniques to enhance resilience and threat detection: encrypted PRS to prevent adversarial waveform synthesis, angular-based source authentication (ABSA), and a cross-layer downlink-uplink handshaking protocol to detect attacks that cannot be mitigated by encryption. Third, utilizing VeriLoc, we evaluate the proposed techniques alongside position tracking and a PRS authentication scheme, which extends the original hash-based message authentication code (HMAC) scheme design to support digital signatures. Simulation results demonstrate that while encryption, authentication schemes, and tracking robustly counter selective PRS spoofing and jamming, the proposed spatial and cross-layer mechanisms are essential for detecting meaconing, collectively maintaining attack detection rates in excess of 90% while keeping false alarm rates minimal.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces VeriLoc, an open-source system-level simulator for realistic channel modeling and physical-layer threat injection in 5G PRS-assisted DL-OTDOA positioning. It proposes three techniques—encrypted PRS to block waveform synthesis, angular-based source authentication (ABSA), and a cross-layer downlink-uplink handshake—alongside position tracking and an extended HMAC-based PRS authentication scheme using digital signatures. Simulations claim that encryption, authentication, and tracking suffice for selective spoofing and jamming, while ABSA and the handshake are essential for meaconing detection, collectively yielding >90% attack detection rates with minimal false alarms.
Significance. If the simulator faithfully represents real 5G deployments and attacker capabilities, the work would offer practical, layered defenses for a critical 5G service and provide a reusable open-source tool for the community. The emphasis on distinguishing attack types and the open-source release are strengths. However, the absence of simulator validation against 3GPP models or measurements makes the performance numbers preliminary rather than definitive.
major comments (2)
- [Abstract and §5] Abstract and §5 (Evaluation): The central claim of attack detection rates exceeding 90% with minimal false alarms is presented without any description of the number of Monte Carlo trials, statistical methods for rate estimation, exact multipath/shadowing parameters in the channel model, or the precise definition and measurement procedure for false-alarm rates. This information is load-bearing for assessing whether the reported superiority of ABSA and the cross-layer handshake over baseline encryption/authentication is robust.
- [§3] §3 (VeriLoc): The assertion of 'realistic channel modeling and PL threat injection' is not accompanied by any calibration, comparison to 3GPP TR 38.901, field measurements, or published attack traces. Because all quantitative results rest on this simulator, the lack of external validation directly affects the generalizability of the finding that spatial and cross-layer mechanisms are 'essential' for meaconing.
minor comments (1)
- [Abstract] The abstract and introduction would benefit from a brief comparison of VeriLoc to existing 5G positioning simulators (e.g., ns-3 5G modules or MATLAB 5G Toolbox) to clarify its novel contributions beyond threat injection.
Simulated Author's Rebuttal
We thank the referee for the thoughtful and detailed comments, which highlight important aspects of reproducibility and validation. We have prepared point-by-point responses to the major comments and will revise the manuscript to address the identified gaps in simulation details and simulator description.
- Referee: [Abstract and §5] Abstract and §5 (Evaluation): The central claim of attack detection rates exceeding 90% with minimal false alarms is presented without any description of the number of Monte Carlo trials, statistical methods for rate estimation, exact multipath/shadowing parameters in the channel model, or the precise definition and measurement procedure for false-alarm rates. This information is load-bearing for assessing whether the reported superiority of ABSA and the cross-layer handshake over baseline encryption/authentication is robust.
  Authors: We agree that these details are essential for assessing the robustness and reproducibility of the reported detection rates. In the revised manuscript, we will expand both the abstract and §5 to explicitly state the number of Monte Carlo trials conducted, the statistical methods employed for estimating the rates (including any confidence intervals), the exact multipath and shadowing parameters used in the channel model, and the precise definition and measurement procedure for false-alarm rates (i.e., the rate at which attacks are flagged in the absence of threats). These additions will allow readers to better evaluate the claims regarding the superiority of the proposed mechanisms.
  revision: yes
- Referee: [§3] §3 (VeriLoc): The assertion of 'realistic channel modeling and PL threat injection' is not accompanied by any calibration, comparison to 3GPP TR 38.901, field measurements, or published attack traces. Because all quantitative results rest on this simulator, the lack of external validation directly affects the generalizability of the finding that spatial and cross-layer mechanisms are 'essential' for meaconing.
  Authors: We acknowledge that the current version of §3 lacks an explicit calibration or comparison section. We will revise §3 to include a direct comparison of the implemented channel model parameters against 3GPP TR 38.901, along with a description of how the physical-layer threat injection is realized. Regarding field measurements and published attack traces, these are not available for 5G PRS-based attacks, as such real-world incidents have not been documented in the open literature. We will add an explicit discussion of this limitation, noting that the threat models are derived from established analyses of similar attacks (e.g., GNSS spoofing) adapted to the 5G context. This will clarify the scope and generalizability of the findings.
  revision: partial
- Provision of field measurements or published real-world attack traces for 5G PRS threats, as no such data exists in the public domain.
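The first major comment and its reply turn on trial counts and confidence intervals for the detection and false-alarm rates. The sketch below is an added example, not code from the paper or from VeriLoc: it computes Wilson score intervals from Monte Carlo counts and checks whether a "detection above 90%" claim is supported by the lower bound rather than the point estimate. The trial counts and the 1% false-alarm limit are constructed assumptions; the page only says "minimal".

```python
from math import sqrt
from statistics import NormalDist


def wilson_interval(successes, trials, confidence=0.95):
    """Two-sided Wilson score interval for a binomial proportion."""
    if trials <= 0 or not 0 <= successes <= trials:
        raise ValueError("need trials > 0 and 0 <= successes <= trials")
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    p_hat = successes / trials
    denom = 1 + z * z / trials
    centre = (p_hat + z * z / (2 * trials)) / denom
    half = z * sqrt(p_hat * (1 - p_hat) / trials
                    + z * z / (4 * trials * trials)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def assess(detected, attack_trials, false_alarms, clean_trials,
           pd_claim=0.90, pfa_limit=0.01):
    """Judge detector claims on interval bounds, not point estimates.

    pd_claim mirrors the ">90%" figure on the page; pfa_limit is an
    assumed stand-in for "minimal false alarms" (not a value from the paper).
    """
    pd_ci = wilson_interval(detected, attack_trials)
    pfa_ci = wilson_interval(false_alarms, clean_trials)
    return {
        "pd": detected / attack_trials,
        "pd_ci": pd_ci,
        "pfa": false_alarms / clean_trials,
        "pfa_ci": pfa_ci,
        # Claim holds only if even the pessimistic bound clears it.
        "pd_claim_supported": pd_ci[0] > pd_claim,
        "pfa_limit_supported": pfa_ci[1] < pfa_limit,
    }


# Constructed campaigns with the same 92% point estimate for detection.
SMALL_RUN = assess(detected=46, attack_trials=50,
                   false_alarms=0, clean_trials=50)
LARGE_RUN = assess(detected=9200, attack_trials=10000,
                   false_alarms=20, clean_trials=10000)

if __name__ == "__main__":
    for name, run in (("50 trials", SMALL_RUN), ("10000 trials", LARGE_RUN)):
        lo, hi = run["pd_ci"]
        print(f"{name}: Pd={run['pd']:.3f} CI=[{lo:.3f}, {hi:.3f}] "
              f"supported={run['pd_claim_supported']}; "
              f"Pfa upper={run['pfa_ci'][1]:.4f} "
              f"supported={run['pfa_limit_supported']}")
```

With 50 trials, zero observed false alarms still leaves an upper bound near 7%, which is why the trial count has to accompany the reported rates.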
Circularity Check
No significant circularity detected
The paper's claims rest on simulation outputs from the newly introduced VeriLoc simulator combined with the proposed security mechanisms (encrypted PRS, ABSA, cross-layer handshake) and extensions to existing authentication schemes. No mathematical derivation chain, first-principles prediction, or fitted-parameter result is presented that reduces by construction to its own inputs. The evaluation section reports empirical detection rates (>90%) and false-alarm figures directly from the simulator runs rather than from any self-referential definition, uniqueness theorem, or renamed empirical pattern. Because the central results are generated by independent modeling and threat injection rather than forced by the paper's own equations or prior self-citations, the derivation remains self-contained.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Standard assumptions about 5G radio propagation, multipath, and attacker capabilities in downlink OTDOA scenarios