The key issue here is bypassing the time synchronization requirement during the cold start. This has always been a problem with OSNAM, and it's impossible to solve completely. The workaround is clear, the receiver just needs to do an external clock synchronization without relying on GNSS. Something like NTP is more than sufficient for that.

The attack in the paper also assumes that the attacker has complete radio control and can jam ALL the signals. If the receiver gets even one fully authenticated stream from an actual satellite, then the initial timestamp spoofing will fail.

Replay attacks on tracking receivers are not particularly powerful either, they will be apparent within 10-30 seconds.