Slashdot Mirror


GPS Spoofing With $3000 Worth of Equipment and a Laptop

First time accepted submitter svartbjorn writes "Todd Humphreys and a team from the University of Texas proved the concept that a terrorist could take over the navigation of a ship or even a plane, making it appear to the crew that the ship was moving along a straight line course when in fact it was changing course under the control of the device. This raises some serious issues for this being used for terrorist purposes."

25 of 180 comments

  1. Now by memnock · · Score: 4, Funny

    the feds will require all laptops to be registered and have a remote kill switch installed. Can't let the terrorists win!!

    1. Re:Now by CODiNE · · Score: 3, Funny

      Even better, we can add handprint recognition to knives so they only work for the registered owner.

      --
      Cwm, fjord-bank glyphs vext quiz
  2. OMG TERRORIST by Spy+Handler · · Score: 5, Insightful

    terrorists could do this, terrorists could do that, they can KILL YOU in so many ways! Run for your lives! Or better yet, submit to your federal overlords via TSA DHS who will keep you safe!

    Actually no, fuck the terrorists, they're third world noobs living in mud huts and the best they could do in 12 years of trying really hard is to hijack a few planes with knives. You have more to fear from your own government than any terrorist.

    Over and out

    1. Re:OMG TERRORIST by icebike · · Score: 2

      It's pretty tricky, really. You have to simulate at least 4 satellites' signals, compensating for their orbital movement at the position where you want to tell your target it's located.

      But it's just numbers and time. That's all the GPS receiver knows about. It knows nothing about actual orbits or movements. Just precise time and ephemeris numbers.
      The signals would be trivial to generate with a computer.

      GPS jammers are even easier. I was approaching a tractor trailer in Utah one moment, and the next the GPS was in a "Recalculating" frenzy and I was jumping from Montana to Iowa and points in between. After I was half a mile away from the rig everything was back to normal. Apparently some long-haul truckers don't like to be tracked. The thing was, the GPS didn't say it lost signal, it indicated I was suddenly in specific locations hundreds of miles away.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:OMG TERRORIST by interkin3tic · · Score: 2

      This has always been evident to anyone with half a brain, yet it hasn't stopped the insanity. So perhaps we can use the paranoia of terrorism to do good things.

      I don't know really anything about GPS. I've heard the military has one or two better systems which are barred from civilian use, but aren't that hard to use. Maybe we could use "OMG TERRORISM!" as an excuse to demand it for everyone. Alternatively, if military grade GPS is vulnerable to the same attack here, then it seems like that could have actual security implications. "Oh no, a plane is off course" is less of a threat than "Oh no, a cruise missile is off course" but maybe no one gave a shit until they mentioned terrorism.

      Anyway, I think we should be using the constructed threat for actual important things, for instance, getting regulation on antibiotic use. The Brits are starting to use terrorism as a reason why we need to clamp down on antibiotic abuse. A tool is only as good or as evil as the person using it. "We have to protect against the terrorists" has been used mainly to justify writing big checks to the military industrial complex, and ideally the voters would, as you suggest, grow brains and relax about terrorists. In the meantime, we could use the tool for good.

  3. Gyros by BetterSense · · Score: 4, Interesting

    This is why ships still have gyros. GPS is too handy not to use, but I'm pretty sure most large oceangoing vessels also have navigation gyros. The question then is, what happens when GPS gets spoofed...does the system/crew assume the GPS is broken or the gyro broken?

    1. Re:Gyros by the_other_chewey · · Score: 5, Funny

      This is why ships still have gyros.

      So the only vessels at risk are those with 100% vegetarian crews.
      It's probably not too much of an issue then...

    2. Re:Gyros by Rich0 · · Score: 5, Insightful

      In the case of airliners, it is usually full inertial navigation. Usually three independent inertial systems with continual comparison. The navigation system uses all the inertial systems as inputs, usually 1-2 GPS systems as input, and also radio navigation beacons (not very precise, but good enough for anything but landing). The GPS mainly provides long-term stability to the inertial systems, which are the direct reference.

      Any area navigation system used in an aircraft for navigation in non-visual conditions has to meet a number of standards, which include the ability to measure its own performance/inaccuracy. I'm not sure if the spoofing in this article would defeat that - it isn't enough to give a false position - you need to give a false position which looks very accurate, and which drifts from the real position slowly enough that if the aircraft has inertial navigation it will consider the change plausible.

      Even then, you'll also have to jam all the local radio navigation beacons which is going to be noticed most likely. If the aircraft tunes a radio beacon and gets inconsistent values from every station it tunes (automatically) it will probably report a navigation failure to the crew who will take it into account (and you'd be surprised how well a plane can do with nothing but the magnetic compass, good wind reports, and dead reckoning).

      If you did manage to confuse the plane it really would only be a problem low to the ground in fairly mountainous terrain, unless you can keep it up for hours to get it way off course (and the crew will notice when they can't tune stations that are supposed to be in range and ATC will surely notice until they go entirely to ADS-B - and in the case of international flight the air defense identification zones surrounding many countries including the US will have active radar for obvious reasons). Most actual landings use ILS, which is completely independent of GPS - the aircraft won't really descend enough to hit buildings until it is on the ILS glideslope which is guaranteed to be clear. Only an actual GPS-based runway approach would get the plane low enough to hit something unless there are mountains nearby.

      So, an attack would be hard to pull off against an airliner. Small planes do not have so much redundancy, but their GPS units still try to evaluate position accuracy and generate warnings (which pilots are trained to heed) when they believe they are having problems.

      All that aside, GPS signals really need to have authentication embedded. That said, they would still be vulnerable to replay attacks if the main signal could be jammed and the receiver did not have a sufficiently accurate clock to spot replays (it would have to be VERY accurate over fairly long periods of time).

    3. Re:Gyros by RalphSleigh · · Score: 2

      Apparently

      http://en.wikipedia.org/wiki/Doppler_Velocity_Log
       
      So like an optical mouse for ships?

      --
      Come as you are, do what you must, be who you will.
  4. Iran already did this by Anonymous Coward · · Score: 2, Interesting

    They already did this trick to snag an American drone. Old news.

  5. but there's this new thing called a knife! by raymorris · · Score: 2

    Imagine what terrorists could do with a knife!
    Hint - 9/11

    Meanwhile, the government IS, admittedly, tracking your phone calls and emails. Have you called your Congressman yet? Posted on their Facebook page?

    1. Re:but there's this new thing called a knife! by anagama · · Score: 4, Insightful

      And you know what? That entire problem was solved by putting locks on the door. For the 110% solution, the Feds no longer tell people to comply with hijackers' demands.

      Everything else, the gutting of the Constitution -- that's just gravy for our rulers.

      --
      What changed under Obama? Nothing Good
  6. Which signal? by KDN · · Score: 4, Interesting

    What they don't say is whether he is spoofing the CA signal, which is publicly known and documented, the P signal, which is encrypted, and best I can recall, is not publicly known, or the WAIS signal, which I have no bleeping idea.

  7. A more technical explanation by Anonymous Coward · · Score: 4, Informative

    Old news. If you want a less sensationalistic, more technical discussion of how this is done, see this article http://www.gpsworld.com/drone-hack/.

    In brief:
    1) Yes, it's possible but there are a lot of issues that make it less than practical
    2) It's a non-issue for military positioning systems, which use encrypted, time-stamped signals.
    3) Experts are already aware of the problem and are working on solutions.

  8. Well, obviously by russotto · · Score: 2

    There's a reason the encryption on the P(Y) signal is part of a system called "anti-spoofing". The potential to spoof the C/A code was understood from the beginning, and it getting cheaper is expected as well.

  9. Still many unanswered questions by dwillden · · Score: 2

    How close were they? Sounds like they were on the ship. Can this attack be performed by technologically unskilled "terrorists" from a distance or might the captain get suspicious of the small ship following at less than 100 meters. Or will the pirates have to board the ship to do this. Just because it can be done by highly educated professional researchers who do nothing but try to find ways to do this does not mean terrorists can do it. Yes the Iranians did it with a drone but do we know exactly how they did it, did they have to fly in close proximity to it? Or build a network of vastly overpowered GPS ground stations to overpower the satellite signals?

    --
    I'm too lazy to compose a creative sig.
  10. Ship or Plane???? by l0ungeb0y · · Score: 2

    a terrorist could take over the navigation of a ship or even a plane,

    Put a few dozen of these between LA and Long Beach and you can create traffic jams that will cripple a fundamental portion of the manufacturing supply chain to the US by sending tourists and GPS addicted drivers to the wrong off ramps, causing them to get back on, thereby blocking access to the main arterials and causing miles of gridlock and congestion preventing vital shipment from getting to and from the Ports in a timely manner. And just how long would it take for the DoT or local authorities to realize that a week long Carmageddon was maliciously manufactured?

  11. Re:Tomorrow Never Dies by ebno-10db · · Score: 4, Funny

    Awesome, we can make James Bond movies happen!

    On Slashdot you can easily find the know-how to do everything in a James Bond movie, except get the girl.

  12. Archaic Tools by Bucc5062 · · Score: 2

    There is this strange device called a...what was it again...oh a compass. The cool device that relies on something pretty hard to spoof, Earth's magnetic field as I remember. Ships and airplanes still carry a compass on board (well I know airplanes do) as backup to all that electronic stuff, because every now and then the power goes out and pilots are trained to fly and navigate by compass. They also cross check (or they should) the modern equipment with the analog to validate the primary instruments.

    Just because someone says they can do something does not mean it's really viable or will work well. Still waiting on flying cars, long lasting batteries, and fusion power plants so this type of drama news is not even close to registering on the danger meter.

    --
    Life is a great ride, the vehicle doesn't matter
    1. Re:Archaic Tools by ebno-10db · · Score: 2

      Fusion power? That's 20 years off.

  13. It's news worthy but isn't at the same time ... by oztiks · · Score: 2, Interesting

    To say that I didn't know this was possible until now would be far from the truth.

    As an avid Air Crash Investigation fan, both my wife and myself watch this show on a regular basis. I surmised this was possible a number of years ago. I also thought the concept of spoofing transponders on Cars when we eventually started adapting this technology to Cars was also going to pose similar issues as well and funnily enough it was something that did make the news (don't remember the article now but it did make Slashdot) but was done so to trump autonomous driving, for whatever political agenda.

    In all honesty, there is NO WAY to step around this problem unless you get rid of autonomous driving/piloting altogether. Because of some simple facts

    a) You can't tokenise any form of communication because it then deems the process unreliable
    b) You can't encrypt it for the same reason
    c) You can't in any way make it COMPLICATED again for the same reason
    d) You can't get rid of it because it makes flying unsafe.
    e) It's a security hole that cannot be patched, fixed or resolved. Period.

    Also the fact that this is a pretty common and widespread issue, which only really just made POC now is an absolute joke.

    1. Re:It's news worthy but isn't at the same time ... by EmperorArthur · · Score: 4, Informative

      Ahh, but you can sign those packets the GPS satellites are sending. The US military uses encrypted GPS to prevent precisely this kind of attack. It also allows them to use their selective denial system to cut off part of the world without affecting their own systems. Ask the Russians about what their latest trip into Georgia taught them about their reliance on GPS.

      So, yes the US can fix it, and should. Every country that is working on their own GPS alternative should as well.

      Software defined radio is changing the world. It's bringing the price to capture signals down to a $20 USB TV tuner, and the price to send signals to a few thousand dollars. Not bad for something that used to require millions in fab costs to build transmitter ASICs.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    2. Re:It's news worthy but isn't at the same time ... by profplump · · Score: 5, Insightful

      What are you talking about? There are all sorts of things you can do to mitigate such attacks.

      For one, you can sign GPS data without encrypting it. Old equipment can use the plain-text data without issue. New equipment can optionally verify the signature, if that makes sense in the particular application. If your system does choose to verify the signature it can choose to ignore bad signatures, to warn the user, to throw out the lone bad signal, to throw out the whole fix calculation, etc. There's nothing technically complicated about that at all.

      Another approach is to cross-verify this data. Planes and boats have inertial guidance (along with accelerometers, magnetometers, altimeters, etc.), which can easily be compared against each other to determine if one system is providing inaccurate data. And several of those systems require no external reference, making them quite difficult to hack. Combining all that data, throwing out the bits that don't match, and calculating a best-fit solution is pretty common even in low-end position/orientation systems, and I have to assume it's bog-standard in things like planes (or could be if it's not). Even cars have access to a lot of other data (wheel speed, engine speed, compass, etc.) that can be used for similar purposes.

      And there are simple signal-based protections you can apply, that raise the complexity of an attack without requiring any modification to the broadcast signal. For example, you could use multiple antennas to ensure you're only listening for signals from the right slice of sky. You could track changes in signal level. You could track bitstream synchronization. None of that would prevent a local radio from overpowering the real system, but it would help you catch the switchover.

      Not to mention you could provide some absolute reference via out-of-band tracking and comm. -- a system on the ground gets an actual fix based on radar/etc., and every minute or two sends out that fix with a timestamp via a non-GPS comm system. The on-board position tracker could then validate that external fix against its internal fix at the same time, and take appropriate action if there's a mismatch. This wouldn't stop short-term/small-delta attacks, as the data isn't instant and has some margin of error, but it would prevent long-term/large-delta attacks.

      And you can do all of those at the same time -- together that's a lot of protection. I also suspect there are a lot of other things you could do to mitigate such attacks; this is just the list of things I could name without any research or consideration.

      It's also worth noting that removing autonomous course tracking (not even actual driving, but the whole navigation solution, as human pilots use the same navigational systems the computer does) does not solve this problem. It's not technically complicated to construct a sextant/stopwatch/etc. that gives false readings to misdirect whatever form of navigation the crew might undertake, even with no computers in sight.
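
Added example, not part of the original thread and not any commenter's code: a minimal form of the cross-check described in the comments above, comparing each GPS fix against dead reckoning from speed and heading, run on constructed tracks. The field names, thresholds and flat local east/north frame are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Sample:
    t: float        # seconds since start
    gps_e: float    # GPS position east, metres (assumed local flat frame)
    gps_n: float    # GPS position north, metres
    speed: float    # m/s from speed log or inertial unit (no external reference)
    heading: float  # degrees true from gyrocompass

def check_track(samples, step_tol=25.0, base_tol=30.0, drift_rate=0.5):
    """Return (t, reason, error_m) alerts where GPS disagrees with dead reckoning.

    step_tol:   allowed per-interval disagreement, catches sudden position jumps
    base_tol + drift_rate * elapsed: allowed accumulated disagreement, a budget
    for honest dead-reckoning drift; slow drag-off shows up once it exceeds this.
    """
    alerts = []
    first = prev = samples[0]
    dr_e, dr_n = first.gps_e, first.gps_n   # dead reckoning starts at first fix
    for s in samples[1:]:
        dt = s.t - prev.t
        h = math.radians(prev.heading)
        de = prev.speed * dt * math.sin(h)  # expected east movement
        dn = prev.speed * dt * math.cos(h)  # expected north movement
        dr_e, dr_n = dr_e + de, dr_n + dn
        step_err = math.hypot(s.gps_e - prev.gps_e - de, s.gps_n - prev.gps_n - dn)
        total_err = math.hypot(s.gps_e - dr_e, s.gps_n - dr_n)
        budget = base_tol + drift_rate * (s.t - first.t)
        if step_err > step_tol:
            alerts.append((s.t, "jump", round(step_err, 1)))
        elif total_err > budget:
            alerts.append((s.t, "drift", round(total_err, 1)))
        prev = s
    return alerts

def make_track(kind):
    """Constructed data: vessel steering 090 at 10 m/s, one fix every 10 s."""
    track = []
    for t in range(0, 601, 10):
        e = 10.0 * t + 3.0 * math.sin(t)    # true easting plus bounded GPS noise
        n = 0.0
        if kind == "dragoff" and t > 100:   # reported fix creeps north at 2 m/s
            n = 2.0 * (t - 100)
        if kind == "jump" and t >= 300:     # reported fix relocates by 5 km
            e += 5000.0
        track.append(Sample(t, e, n, 10.0, 90.0))
    return track

if __name__ == "__main__":
    for kind in ("honest", "dragoff", "jump"):
        alerts = check_track(make_track(kind))
        print(kind, alerts[:1] if alerts else "no alerts")
```

A reported position that diverges more slowly than the assumed `drift_rate` stays inside the budget, which is why the comments above also call for independent references such as radio beacons or an out-of-band fix.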

    3. Re:It's news worthy but isn't at the same time ... by AmiMoJo · · Score: 2

      And yet it didn't seem to work very well with that drone the Iranians captured through GPS spoofing. The problem seems to be that if you jam the encrypted signal the receiver falls back to the unencrypted one. Presumably the drone had inertial guidance as well, but clearly the system needs a bit of work.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:It's news worthy but isn't at the same time ... by tibit · · Score: 5, Informative

      What you claim as facts is a bunch of made up rubbish, sorry. First of all, what do you mean by tokenisation of communication? If you mean that tokens = packets then that's insane, so let's hope you mean something else. Why the heck do you even need to talk about tokenisation?

      If you, like a doofus, imply that encryption makes things less reliable, then that's just borderline clinically insane. Protip for the clueless: it's precisely the encryption of GPS's P-code that makes it pretty much spoof-proof. These days there are P(Y)-code receivers that don't need the hand off word (HOW) from C/A code. To accomplish that feat, they use optical correlators that perform the Fourier transform needed for fast correlation of the very long P(Y) code with the incoming signal in order to detect where in the sequence the code is, without using HOW. There's no one spoofing that.

      While spoofing is somewhat theoretically possible, it'd require a fairly gargantuan effort. You'd need a station with a bunch (dozen) of fairly large (IIRC ~10m diameter) dishes tracking the individual satellites. And you'd need stations all around the globe so that you would have continuous coverage of all the satellites - the number of stations would be in the dozens, too. You could then receive good signal from each satellite individually, signal good enough to just read the P(Y) code without doing the correlations. As I've said, that's pretty crazy, and no single nation could pull it off since you really need to install equipment all over the world, and it's not stuff that fits in a suitcase. Oh, and of course you'd need to collect all those signals, put them through signal processing to recode them with fake data, and then transmit that in real time to the location where you intend to spoof stuff. I'm pretty damn sure the military receivers don't like date rollbacks, so it's not like you could record stuff last year and transmit this year.

      Alas, GPS signal's encryption utilizes a stream cipher and not public key cryptography. But they do use public key crypto for key management. If it's ever found out how to break the cipher to extract the key, they may simply re-key the receivers more often - presumably the key extraction won't be an overnight thing. Now of course PKC is not the hardest thing to implement, far from it, as it can be done even on tiny 8 bit microcontrollers. But even RSA is still state of the art public key crypto, so you can get pretty good results without making it complicated. No need for complications, really.

      So, you're just full of it. Where on Earth did you learn all this crap, or are you on some purposeful disinformation campaign?

      --
      A successful API design takes a mixture of software design and pedagogy.