GPS Spoofing With $3000 Worth of Equipment and a Laptop
First time accepted submitter svartbjorn writes "Todd Humphreys and a team from the University of Texas proved the concept that a terrorist could take over the navigation of a ship or even a plane, making it appear to the crew that the ship was moving along a straight line course when in fact it was changing course under the control of the device. This raises some serious issues for this being used for terrorist purposes."
terrorists could do this, terrorists could do that, they can KILL YOU in so many ways! Run for your lives! Or better yet, submit to your federal overlords via TSA DHS who will keep you safe!
Actually no, fuck the terrorists, they're third world noobs living in mud huts and the best they could do in 12 years of trying really hard is to hijack a few planes with knives. You have more to fear from your own government than any terrorist.
Over and out
This is why ships still have gyros.
So the only vessels at risk are those with 100% vegetarian crews.
It's probably not too much of an issue then...
In the case of airliners, it is usually full inertial navigation. Usually three independent inertial systems with continual comparison. The navigation system uses all the inertial systems as inputs, usually 1-2 GPS systems as input, and also radio navigation beacons (not very precise, but good enough for anything but landing). The GPS mainly provides long-term stability to the inertial systems, which are the direct reference.
Any area navigation system used in an aircraft for navigation in non-visual conditions has to meet a number of standards, which include the ability to measure its own performance/inaccuracy. I'm not sure if the spoofing in this article would defeat that - it isn't enough to give a false position - you need to give a false position which looks very accurate, and which drifts from the real position slowly enough that if the aircraft has inertial navigation it will consider the change plausible.
Even then, you'll also have to jam all the local radio navigation beacons which is going to be noticed most likely. If the aircraft tunes a radio beacon and gets inconsistent values from every station it tunes (automatically) it will probably report a navigation failure to the crew who will take it into account (and you'd be surprised how well a plane can do with nothing but the magnetic compass, good wind reports, and dead reckoning).
If you did manage to confuse the plane it really would only be a problem low to the ground in fairly mountainous terrain, unless you can keep it up for hours to get it way off course (and the crew will notice when they can't tune stations that are supposed to be in range and ATC will surely notice until they go entirely to ADS-B - and in the case of international flight the air defense identification zones surrounding many countries including the US will have active radar for obvious reasons). Most actual landings use ILS, which is completely independent of GPS - the aircraft won't really descend enough to hit buildings until it is on the ILS glideslope which is guaranteed to be clear. Only an actual GPS-based runway approach would get the plane low enough to hit something unless there are mountains nearby.
So, an attack would be hard to pull off against an airliner. Small planes do not have so much redundancy, but their GPS units still try to evaluate position accuracy and generate warnings (which pilots are trained to heed) when they believe they are having problems.
All that aside, GPS signals really need to have authentication embedded. That said, they would still be vulnerable to replay attacks if the main signal could be jammed and the receiver did not have a sufficiently accurate clock to spot replays (it would have to be VERY accurate over fairly long periods of time).
What are you talking about? There are all sorts of things you can do to mitigate such attacks.
For one, you can sign GPS data without encrypting it. Old equipment can use the plain-text data without issue. New equipment can optionally verify the signature, if that makes sense in the particular application. If your system does choose to verify the signature it can choose to ignore bad signatures, to warn the user, to throw out the lone bad signal, to throw out the whole fix calculation, etc. There's nothing technically complicated about that at all.
Another approach is to cross-verify this data. Planes and boats have inertial guidance (along with accelerometers, magnetometers, altimeters, etc.), which can easily be compared against each other to determine if one system is providing inaccurate data. And several of those systems require no external reference, making them quite difficult to hack. Combining all that data, throwing out the bits that don't match, and calculating a best-fit solution is pretty common even in low-end position/orientation systems, and I have to assume it's bog-standard in things like planes (or could be if it's not). Even cars have access to a lot of other data (wheel speed, engine speed, compass, etc.) that can be used for similar purposes.
And there are simple signal-based protections you can apply, that raise the complexity of an attack without requiring any modification to the broadcast signal. For example, you could use multiple antennas to ensure you're only listening for signals from the right slice of sky. You could track changes in signal level. You could track bitstream synchronization. None of that would prevent a local radio from overpowering the real system, but it would help you catch the switchover.
Not to mention you could provide some absolute reference via out-of-band tracking and comm. -- a system on the ground gets an actual fix based on radar/etc., and every minute or two sends out that fix with a timestamp via a non-GPS comm system. The on-board position tracker could then validate that external fix against its internal fix at the same time, and take appropriate action if there's a mismatch. This wouldn't stop short-term/small-delta attacks, as the data isn't instant and has some margin of error, but it would prevent long-term/large-delta attacks.
And you can do all of those at the same time -- together that's a lot of protection. I also suspect there are a lot of other things you could do to mitigate such attacks; this is just the list of things I could name off without any research or consideration.
It's also worth noting that removing autonomous course tracking (not even actual driving, but the whole navigation solution, as human pilots use the same navigational systems the computer does) does not solve this problem. It's not technically complicated to construct a sextant/stopwatch/etc. that gives false readings to misdirect whatever form of navigation the crew might undertake, even with no computers in sight.
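The cross-checks this comment describes (comparing each GPS fix against the inertial dead-reckoning estimate, and against a timestamped out-of-band reference fix) as an added Python example; this is not code from the original post, and the tracks, thresholds and 1 Hz tick rate are constructed assumptions.

```python
import math

def dead_reckon(pos, heading_deg, speed_mps, dt):
    """Advance an (x, y) metre position using inertial heading (degrees from north) and speed."""
    rad = math.radians(heading_deg)
    return (pos[0] + speed_mps * math.sin(rad) * dt,
            pos[1] + speed_mps * math.cos(rad) * dt)

def inertial_check(gps_fixes, inertial, start, gps_err=15.0, drift_rate=0.5):
    """Compare each 1 Hz GPS fix with the dead-reckoned position.
    The acceptance radius is gps_err plus drift_rate metres per second since the
    last accepted fix, so normal GPS noise passes while a sudden jump is rejected.
    Returns the tick numbers of rejected fixes."""
    pos, last_ok, rejected = start, 0, []
    for t, (fix, (heading, speed)) in enumerate(zip(gps_fixes, inertial), start=1):
        pos = dead_reckon(pos, heading, speed, 1.0)
        if math.dist(fix, pos) > gps_err + drift_rate * (t - last_ok):
            rejected.append(t)          # keep the inertial estimate instead of the fix
        else:
            pos, last_ok = fix, t       # accept GPS and re-anchor the inertial drift
    return rejected

def external_check(gps_fixes, reference_fixes, margin=30.0):
    """Compare GPS fixes with timestamped out-of-band reference fixes (e.g. ground radar).
    Returns the ticks where the two disagree by more than margin metres; this catches a
    slow walk-off that stays inside the per-tick inertial envelope."""
    return [t for t, ref in reference_fixes.items()
            if math.dist(gps_fixes[t - 1], ref) > margin]

# Constructed scenario: 60 s heading 090 at 10 m/s, starting at the origin.
INERTIAL = [(90.0, 10.0)] * 60
TRUE_TRACK = [(10.0 * t, 0.0) for t in range(1, 61)]
# Constructed slow spoof: honest for 20 s, then the fix walks south 2 m per second.
SLOW_SPOOF = [(x, y if t <= 20 else -2.0 * (t - 20))
              for t, (x, y) in enumerate(TRUE_TRACK, start=1)]
# Constructed jump spoof: a single fix displaced 60 m north at t=10.
JUMP_SPOOF = [(x, 60.0 if t == 10 else y) for t, (x, y) in enumerate(TRUE_TRACK, start=1)]
# Constructed ground-radar fixes every 30 s (true position, keyed by tick).
GROUND_FIXES = {30: TRUE_TRACK[29], 60: TRUE_TRACK[59]}

if __name__ == "__main__":
    print("jump rejected at ticks:", inertial_check(JUMP_SPOOF, INERTIAL, (0.0, 0.0)))
    print("slow walk rejected by inertial check:", inertial_check(SLOW_SPOOF, INERTIAL, (0.0, 0.0)))
    print("slow walk caught by external fix at ticks:", external_check(SLOW_SPOOF, GROUND_FIXES))
```

The slow walk passes the inertial check at every tick (2 m per second is inside the envelope) and is only caught by the 60 s ground fix, which is exactly the short-term/long-term split the comment describes.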
What you claim as facts is a bunch of made up rubbish, sorry. First of all, what do you mean by tokenisation of communication? If you mean that tokens = packets then that's insane, so let's hope you mean something else. Why the heck do you even need to talk about tokenisation?
If you, like a doofus, imply that encryption makes things less reliable, then that's just borderline clinically insane. Protip for the clueless: it's precisely the encryption of GPS's P-code that makes it pretty much spoof-proof. These days there are P(Y)-code receivers that don't need the hand off word (HOW) from C/A code. To accomplish that feat, they use optical correlators that perform the Fourier transform needed for fast correlation of the very long P(Y) code with the incoming signal in order to detect where in the sequence the code is, without using HOW. There's no one spoofing that.
While spoofing is somewhat theoretically possible, it'd require a fairly gargantuan effort. You'd need a station with a bunch (dozen) of fairly large (IIRC ~10m diameter) dishes tracking the individual satellites. And you'd need stations all around the globe so that you would have continuous coverage of all the satellites - the number of stations would be in the dozens, too. You could then receive good signal from each satellite individually, signal good enough to just read the P(Y) code without doing the correlations. As I've said, that's pretty crazy, and no single nation could pull it off since you really need to install equipment all over the world, and it's not stuff that fits in a suitcase. Oh, and of course you'd need to collect all those signals, put them through signal processing to recode them with fake data, and then transmit that in real time to the location where you intend to spoof stuff. I'm pretty damn sure the military receivers don't like date rollbacks, so it's not like you could record stuff last year and transmit this year.
Alas, GPS signal's encryption utilizes a stream cipher and not public key cryptography. But they do use public key crypto for key management. If it's ever found out how to break the cipher to extract the key, they may simply re-key the receivers more often - presumably the key extraction won't be an overnight thing. Now of course PKC is not the hardest thing to implement, far from it, as it can be done even on tiny 8 bit microcontrollers. But even RSA is still state of the art public key crypto, so you can get pretty good results without making it complicated. No need for complications, really.
So, you're just full of it. Where on Earth did you learn all this crap, or are you on some purposeful disinformation campaign?