We have long seen computers being hacked, network devices, IOTs, drones, and what not. Every once in a while, a new technology claiming security prowess creates a wave until a compromise of that technology invalidates the claim. Global Positioning System (GPS) is one technology which has never been looked at through a security lens by the wider audience.
We have become dependent on the GPS for our day-to-day lives. However, it is no longer reliable. Your GPS location can be spoofed by a third person without having to physically access your device or communicating with your device over the network.
“All that is capable of receiving, transmitting or processing data is vulnerable”
Amey Anekar
The concept of GPS spoofing is not novel. It has been conceptualised and written about from a long time. This hypothesis became even more plausible when a research team from The University of Texas at Austin led by assistant professor Todd Humphreys from Cockrell School of Engineering were able to successfully spoof an $80 million private yacht using the world’s first openly acknowledged GPS spoofing device costing a mere $3,000. Below is the demonstration video published by the researchers showing the wild possibilities of GPS spoofing:
Cyber security professionals know how spoofing works and we know the inherent countermeasures that have been put in place to detect and avoid such instances in technologies we touch in our daily lives such as Ethernet, Wifi, GSM, etc. Although the end user is unaware about these mechanisms, cyber security experts acknowledge these countermeasures and are always skeptical about their effectiveness.
A Brief History Of GPS
GPS was built & used by the U. S. military for navigation. These navigation aids provided the military forces considerable advantage over the enemy who were still relying on paper charts, radar, and visual navigation. On land, GPS trackers helped troops navigate enemy territory which had few landmarks.
Ronald Reagan administration in 1983 decided to open up GPS signal access for civilian use because of the rise of civil aviation and the dangers it could run into if it continued to operate without satellite navigation. The incident that prompted this decision from the U. S. government was the take down of the civilian airliner KAL 007 by the Soviet Union when it had entered restricted Soviet airspace.
How exactly does GPS work?
There are 31 GPS satellites that orbit around the earth, constantly broadcasting its location and current time as per an atomic clock, that is onboard every GPS satellite. That’s the reason GPS satellites are also used as a reliable source for time synchronisation in critical systems. Each clock is precisely synchronized with those on the other 30 satellites.
Any GPS receiver detecting signals from one satellite can only calculate roughly how far it is from that satellite. Add signals from a second satellite and it can narrow down its location considerably. A third satellite allows it to locate itself at a given latitude and longitude, and a fourth establishes its elevation and the precise time. Signals from more satellites increase the accuracy. At any given time any location on earth can receive GPS data from six satellites.
What Data does the GPS Signal Contain?
The GPS signal beacons are too complex for expounding in this article. In a nutshell, what the signal contains is the identification of the satellite, its precise location in orbit and the current time as per the atomic clock onboard.
How are GPS signals spoofed?
Putting this out as bluntly as possible: “GPS are vulnerable to spoofing by design and current technology offers no safeguards against it”. So, why exactly are GPS vulnerable to spoofing? GPS receivers on our consumer devices are dumb integrated circuits. The position and time data sent by GPS satellites is very weak, because it has travelled 20,000 KM to reach our phones. There is no way our phones can communicate back with the satellites. So, GPS was designed to be a 1-way communication. GPS standard does not provide any means for the receiver to verify the authenticity of the sender of the data. Hence, an adversary can generate a stronger signal using a GPS simulator to make the GPS receiver believe that it were sent by the satellite. Due to the strong signal that can be generated owing to the physical proximity of the simulator, the GPS receiver ignores data being sent by the satellites which is weaker in orders of magnitude than the spoofed signal. There is no way to verify if the signal is being sent by the GPS satellite from 20,000 KM above earth’s surface or is it being sent by a GPS simulator next door. Although this is true for the GPS we use as civilians, military applications use a secure form of GPS which is protected by encryption and verifies the authenticity of these signals to avoid spoofing. But, this technology is not available for civilian use currently.
GPS signals are complex and it would be fairly difficult for an average engineer to recreate the patterns of codes that are sent by the satellites, such that your GPS device shows an incorrect location. But GPS simulators available on the market to make this job easier. The actual use case of a GPS simulator is to help technology developers actively working with GPS to create a mock GPS for themselves where multiple satellites can be mimicked to send data. Some GPS simulators now even have inbuilt capability to generate spoofed signals for testing resiliency of critical devices such as those used by the military against spoofing attacks.
Is GPS Jamming different from Spoofing?
GPS Jamming is a similar GPS signal interference attack which causes a GPS denial of service. Just like other network jammers, this technique sends noise on the channel on which GPS communicates rendering it useless. This is less dangerous than GPS spoofing, but can be disastrous for critical systems relying on GPS.
Recent Events demonstrating GPS Spoofing
Google Maps acts weird around Kremlin, Russia
Residents around and visitors to Kremlin have reported weird behaviour by Google Maps when around Kremlin, the residence of Russia’s president. All GPS devices in the vicinity of Kremlin show a location 20 miles away, at Vnukovo airport. Experts claim that this spoofing is a countermeasure to thwart unmanned drone attacks which run solely on GPS.
CNN Report: https://money.cnn.com/2016/12/02/technology/kremlin-gps-signals/
Renowned GPS expert Todd Humphrey has suggested similar countermeasures for protecting the White House, however, he says the risk of spoofing civilian aircraft in the process is too high since Reagan National Airport is just five miles off White House.
Ships get lost at sea if Putin is visiting nearby shores
Centre for Advanced Defence Studies (C4ADS), a US-based non-profit organization noticed a strong correlation between GPS spoofing and movement of Putin within Russia. Shipping industry which largely relies on GPS makes the most noise when GPS acts weird. C4ADS correlated such instances with the movements of Putin and found a strong correlation. Plus, it went a step further to analyse publicly available Russian procurement data to reduce that Russian Federal Protective Service (FSO) may have built one such mobile system for the protection of Russian VIPs.
C4ADS detailed report which also shows other instances of GPS spoofing: https://www.c4reports.org/aboveusonlystars
China’s sand mafias evade River police
Ships docking at the port of Shanghai have been reporting GPS anomalies. This is a clear case of GPS spoofing. However, the attack is much more sophisticated here. Unlike other attacks where all devices in the vicinity of the spoofer show the same location, in this attack, the ships near Shanghai port appear to form a circle. Authorities are suspecting that this act is being carried out by China’s sand mafias to extract sand from the riverbed. Indiscriminate mining of sand from rivers has caused severe ecological damage. Thus, China has banned sand mining from some rivers. To evade the river police sand mafias have not resorted to GPS spoofing to fool authorities about their real position.
MIT Technology Review: https://www.technologyreview.com/s/614689/ghost-ships-crop-circles-and-soft-gold-a-gps-mystery-in-shanghai/
Tesla 3 veered off highway to demonstrate GPS Spoofing
In June 2019, a research team from Israel-based Regulus veered a Tesla 3 on autopilot mode off the highway 2.5 KM before its intended exit. This hack was achieved by Regulus using equipment easily procurable from the Internet. Regulus is the creator of Pyramid GNSS, which is a GPS spoofing detection system. With the wild possibilities of GPS spoofing, Regulus is the company to watch for in this space.
Regulus official post: https://www.regulus.com/blog/tesla-model-3-spoofed-off-the-highway-regulus-researches-hack-navigation-system-causing-car-to-steer-off-road/
Author’s Opinion
GPS Spoofing is one the most disrupting hacking possibilities I have come across in my Cyber Security career. One reason being that we have become so dependent on this technology for our day-to-day functioning that we blindly trust what it says and secondly because there is no easy defence currently available against GPS spoofing.
GPS Tech is surviving today and GPS spoofing is not too commonplace because of its inherent complexity and expensive equipment which costs around $ 10,000. But, like every other new technology, GPS simulators will grow in demand and its prices will drop to affordable levels which may culminate into GPS spoofing being so prevalent that relying on GPS can no longer be a viable option.
Companies like Regulus are doing a great job by preemptively building technology to secure GPS. To continue using civilian GPS safely, GPS chip manufacturers should seriously consider embedding spoofing detection, alerting and prevention mechanism into all GPS receivers. Or if the US government allows, military GPS signals may be opened for civilian use. This transition to a secure GPS will take considerable amount of time because GPS receiver chips are not swappable like other peripherals. To install a secure GPS chip will entail replacing the motherboard of the device in question. If we ever reach a phase where GPS spoofing becomes rampant, a more economical approach would be to retire devices with current GPS receivers and use devices with secure GPS chips instead.