GPS Spoofing With $3000 Worth of Equipment and a Laptop
First time accepted submitter svartbjorn writes "Todd Humphreys and a team from the University of Texas proved the concept that a terrorist could take over the navigation of a ship or even a plane, making it appear to the crew that the ship was moving along a straight line course when in fact it was changing course under the control of the device. This raises some serious issues for this being used for terrorist purposes."
The feds will require all laptops to be registered and have a remote kill switch installed. Can't let the terrorists win!!
"To stop the terrorists."
terrorists could do this, terrorists could do that, they can KILL YOU in so many ways! Run for your lives! Or better yet, submit to your federal overlords via TSA DHS who will keep you safe!
Actually no, fuck the terrorists, they're third world noobs living in mud huts and the best they could do in 12 years of trying really hard is to hijack a few planes with knives. You have more to fear from your own government than any terrorist.
Over and out
This is why ships still have gyros. GPS is too handy not to use, but I'm pretty sure most large oceangoing vessels also have navigation gyros. The question then is, what happens when GPS gets spoofed...does the system/crew assume the GPS is broken or the gyro broken?
What they don't say is whether he is spoofing the CA signal, which is publicly known and documented, the P signal, which is encrypted, and best I can recall, is not publicly known, or the WAIS signal, which I have no bleeping idea.
Old news. If you want a less sensationalistic, more technical discussion of how this is done, see this article http://www.gpsworld.com/drone-hack/.
In brief:
1) Yes, it's possible but there are a lot of issues that make it less than practical
2) It's a non-issue for military positioning systems, which use encrypted, time-stamped signals.
3) Experts are already aware of the problem and are working on solutions.
And you know what? That entire problem was solved by putting locks on the door. For the 110% solution, the Feds no longer tell people to comply with hijacker's demands.
Everything else, the gutting of the Constitution -- that's just gravy for our rulers.
What changed under Obama? Nothing Good
Awesome, we can make James Bond movies happen!
On Slashdot you can easily find the know-how to do everything in a James Bond movie, except get the girl.
Ahh, but you can sign those packets the GPS satellites are sending. The US military uses encrypted GPS to prevent precisely this kind of attack. It also allows them to use their selective denial system to cut off part of the world without affecting their own systems. Ask the Russians about what their latest trip into Georgia taught them about their reliance on GPS.
So, yes the US can fix it, and should. Every country that is working on their own GPS alternative should as well.
Software defined radio is changing the world. It's bringing the price to capture signals down to a $20 USB TV tuner, and the price to send signals to a few thousand dollars. Not bad for something that used to require millions in fab costs to build transmitter ASICs.
So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
What are you talking about? There are all sorts of things you can do to mitigate such attacks.
For one, you can sign GPS data without encrypting it. Old equipment can use the plain-text data without issue. New equipment can optionally verify the signature, if that makes sense in the particular application. If your system does choose to verify the signature it can choose to ignore bad signatures, to warn the user, to throw out the lone bad signal, to throw out the whole fix calculation, etc. There's nothing technically complicated about that at all.
Another approach is to cross-verify this data. Planes and boats have inertial guidance (along with accelerometers, magnetometers, altimeters, etc.), which can easily be compared against each other to determine if one system is providing inaccurate data. And several of those systems require no external reference, making them quite difficult to hack. Combining all that data, throwing out the bits that don't match, and calculating a best-fit solution is pretty common even in low-end position/orientation systems, and I have to assume it's bog-standard in things like planes (or could be if it's not). Even cars have access to a lot of other data (wheel speed, engine speed, compass, etc.) that can be used for similar purposes.
And there are simple signal-based protections you can apply, that raise the complexity of an attack without requiring any modification to the broadcast signal. For example, you could use multiple antennas to ensure you're only listening for signals from the right slice of sky. You could track changes in signal level. You could track bitstream synchronization. None of that would prevent a local radio from overpowering the real system, but it would help you catch the switchover.
Not to mention you could provide some absolute reference via out-of-band tracking and comm. -- a system on the ground gets an actual fix based on radar/etc., and every minute or two sends out that fix with a timestamp via a non-GPS comm system. The on-board position tracker could then validate that external fix against its internal fix at the same time, and take appropriate action if there's a mismatch. This wouldn't stop short-term/small-delta attacks, as the data isn't instant and has some margin of error, but it would prevent long-term/large-delta attacks.
And you can do all of those at the same time -- together that's a lot of protection. I also suspect there are a lot of other things you could do to mitigate such attacks; this is just the list of things I could name off without any research or consideration.
It's also worth noting that removing autonomous course tracking (not even actual driving, but the whole navigation solution, as human pilots use the same navigational systems the computer does) does not solve this problem. It's not technically complicated to construct a sextant/stopwatch/etc. that gives false readings to misdirect whatever form of navigation the crew might undertake, even with no computers in sight.
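One way to implement two of the cross-checks this comment lists (GPS fixes against the gyro/speed-log dead reckoning, and against a timestamped out-of-band fix), as an added example that is not from the post or from the UT research; the vessel track, GPS fixes, shore fix and tolerances are all constructed:

```python
import math
from dataclasses import dataclass

@dataclass
class Fix:
    t: float   # timestamp, seconds
    x: float   # metres east of a local origin
    y: float   # metres north of it

def dead_reckon(start, log):
    """Integrate (t, heading_deg, speed_mps) samples from the gyro and speed
    log into a track; it needs no external reference, so a spoofer cannot touch it."""
    x, y, t = start.x, start.y, start.t
    track = [start]
    for t_next, heading, speed in log:
        dist = speed * (t_next - t)
        x += dist * math.sin(math.radians(heading))
        y += dist * math.cos(math.radians(heading))
        t = t_next
        track.append(Fix(t, x, y))
    return track

def check_gps(gps_fixes, dr_track, external_fixes, dr_tol, ext_tol):
    """Flag GPS fixes that disagree with dead reckoning or with a timestamped
    out-of-band fix by more than the given tolerance (metres)."""
    dr_by_t = {f.t: f for f in dr_track}
    ext_by_t = {f.t: f for f in external_fixes}
    alerts = []
    for g in gps_fixes:
        for name, ref, tol in (("inertial", dr_by_t.get(g.t), dr_tol),
                               ("external", ext_by_t.get(g.t), ext_tol)):
            if ref is not None and math.hypot(g.x - ref.x, g.y - ref.y) > tol:
                alerts.append((g.t, "gps-vs-" + name))
    return alerts

# Constructed scenario: the vessel steams due east at 10 m/s; the gyro and speed
# log show that steadily, but from t=40 the GPS fixes start sliding north.
GYRO_LOG = [(t, 90.0, 10.0) for t in range(10, 70, 10)]
GPS_FIXES = [Fix(0, 0, 0), Fix(10, 100, 0), Fix(20, 200, 0), Fix(30, 300, 0),
             Fix(40, 400, 30), Fix(50, 500, 60), Fix(60, 600, 90)]
EXTERNAL_FIXES = [Fix(60, 600, 0)]  # constructed shore-radar fix sent over a non-GPS link

def demo():
    track = dead_reckon(Fix(0, 0, 0), GYRO_LOG)
    return check_gps(GPS_FIXES, track, EXTERNAL_FIXES, dr_tol=25.0, ext_tol=50.0)

if __name__ == "__main__":
    for t, reason in demo():
        print(f"t={t}s: {reason}")
```

The inertial check catches the drift within one sample of it exceeding the tolerance, while the slower external fix only confirms it later; the comment's point that the latter stops large, long-term deltas rather than short ones follows directly.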
What you claim as facts is a bunch of made up rubbish, sorry. First of all, what do you mean by tokenisation of communication? If you mean that tokens = packets then that's insane, so let's hope you mean something else. Why the heck do you even need to talk about tokenisation?
If you, like a doofus, imply that encryption makes things less reliable, then that's just borderline clinically insane. Protip for the clueless: it's precisely the encryption of GPS's P-code that makes it pretty much spoof-proof. These days there are P(Y)-code receivers that don't need the hand off word (HOW) from C/A code. To accomplish that feat, they use optical correlators that perform the Fourier transform needed for fast correlation of the very long P(Y) code with the incoming signal in order to detect where in the sequence the code is, without using HOW. There's no one spoofing that.
While spoofing is somewhat theoretically possible, it'd require a fairly gargantuan effort. You'd need a station with a bunch (dozen) of fairly large (IIRC ~10m diameter) dishes tracking the individual satellites. And you'd need stations all around the globe so that you would have continuous coverage of all the satellites - the number of stations would be in the dozens, too. You could then receive good signal from each satellite individually, signal good enough to just read the P(Y) code without doing the correlations. As I've said, that's pretty crazy, and no single nation could pull it off since you really need to install equipment all over the world, and it's not stuff that fits in a suitcase. Oh, and of course you'd need to collect all those signals, put them through signal processing to recode them with fake data, and then transmit that in real time to the location where you intend to spoof stuff. I'm pretty damn sure the military receivers don't like date rollbacks, so it's not like you could record stuff last year and transmit this year.
Alas, GPS signal's encryption utilizes a stream cipher and not public key cryptography. But they do use public key crypto for key management. If it's ever found out how to break the cipher to extract the key, they may simply re-key the receivers more often - presumably the key extraction won't be an overnight thing. Now of course PKC is not the hardest thing to implement, far from it, as it can be done even on tiny 8 bit microcontrollers. But even RSA is still state of the art public key crypto, so you can get pretty good results without making it complicated. No need for complications, really.
So, you're just full of it. Where on Earth did you learn all this crap, or are you on some purposeful disinformation campaign?
A successful API design takes a mixture of software design and pedagogy.