GPS: jammers, spoofing and vulnerabilities

Dynasty of GPS spoofers at work

I wrote how they hijacked drones , “hacking” their GPS, and stumbled upon a wonderful character - Todd Humpfries - who not only played “drone hijacking”, but also encouraged students to “hijack” a yacht.

GPS Spoofing
Spoofing GPS attack is an attack that tries to trick a GPS receiver into broadcasting a slightly more powerful signal than received from GPS satellites, such as resembling a series of normal GPS signals. These simulated signals are modified in such a way as to force the recipient to incorrectly determine their location, considering it the same as the attacker sends. Because GPS systems measure the time it takes for a signal to travel from a satellite to a receiver, successful spoofing requires the attacker to know exactly where its target is, so that the simulated signal can be structured with proper signal delays.

The GPS spoofing attack starts by broadcasting a slightly more powerful signal that indicates the correct position, and then slowly deviates far to the position set by the attacker, because moving too quickly will result in the loss of signal blocking, and at this point the spoofer will only work as a transmitter interference. One of the versions of the capture of the American drone Lockheed RQ 170 in northeastern Iran in December 2011, is the result of such an attack.

Spoofing GPS has been predicted and discussed in the GPS community before, but no known example of such a malicious spoofing attack has yet been confirmed.

Under the cat are some useful videos with scenarios of GPS attacks, an analysis of the cryptographic solutions used in navigation, detectors of jammers, spoofers, and an overview of several portable GPS jammers that I analyzed in Hackspace.

Performance on TED of the main GPS hijacker, king of spoofing.



Who controls the drone: you or a hacker?


Students are not hunting grandmothers for interest, but for multimillion-dollar yachts

On July 29, 2013, students from the University of Austin, Texas, managed to divert a 213-foot yacht (worth $ 80 million) from the course using the GPS spoofing method.

The main component of the spoofer has become a simulator of GPS-signals. These devices are commercially available and are intended for testing navigation systems. In most countries, they are sold freely and cost from a thousand dollars.
By itself, such a simulator of GPS signals is low-power and operates within a radius of a dozen meters. Therefore, amplifiers that increase the power of a false GPS signal by tens of times became the second component of the spoofer.

During the experiment, all the equipment of the attacking side was on board a yacht sailing in the Mediterranean Sea off the coast of Italy. Figuratively speaking, she was immersed in a cloud of spurious GPS signals, the power of which was greater than the real ones.

At the first stage, Todd launched the process of duplicating real signals from satellites, achieving their full compliance with the characteristics taken into account. Having achieved the merger of both signals, he slightly increased the power of those sent by the spoofer. The navigation system began to consider them basic and filtered real data from satellites as interference. Having gained control, Todd began to gradually distort the calculated location information, taking the yacht north of a given course.


The captain of the yacht became convinced of the effectiveness of the technique when the deviation exceeded three degrees. Then Todd played the final chord. By changing the data for determining altitude, the group leader was able to force the yacht’s navigation computer to “assume” that the ship was under water.

Former Todd mentor, Cornell University professor Mark Psiaki, proposed a protection scheme against GPS spoofing. Now, together with graduate students, he has already implemented the described idea. His group created a modified GPS-receiver with an antenna that changes its position with a certain frequency. Since the satellites are located at a considerable distance from each other, and the false signals come from one close place, the phase of the carrier oscillation in for such a receiver will change in different ways, which will make it possible to recognize fraud.

How to make a portable GPS spoofer yourself (price about $ 2 thousand)

Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer





In the same publication, the author offers 2 options for protection against spoofing: Data Bit Latency Defense and Vestigial Signal Defense

More useful videos

Todd Humphrey has developed a budget option combined with a centimeter accuracy GPS camcorder

[ source ]

The most recent video in June 2015, where Todd talks about the future of GPS (there are footage from his laboratory)


Spoofing, Detection, and Navigation Vulnerability (September 18, 2014)


In this show, Todd looks at several GNSS security scenarios.





Security For and From GPS


Detect and Locate GPS Jamming: Provide Actionable Intelligence

Portable GPS Jammers

Alas, I did not manage to find a real tracker / beacon, so I tested it on a smartphone. Each of these devices "knocked out" satellites at a distance of more than 15 meters in the room.

Articles on Habré about GPS security

From the publication on Habré (2011):

According to GPS World magazine, more than a billion GPS receivers are currently in use in the world, and more than 90% of them are used only to receive accurate time signals.

Interestingly, enthusiasts have already created working samples of a new generation of such devices that can not only jam, but distort GPS signals. Fraudsters can use this in order to carry out some large scams (for example, all orders on the stock exchange are marked with accurate time signals, so that sabotage in the competitor’s network will allow manipulating stock quotes).

The FBI, by a court decision, disabled 3,000 GPS bugs, now can not find them

d In 2012, the U.S. Supreme Court ruled that the use of GPS tracking devices without a warrant was unconstitutional and decided to discontinue this practice. Since the court decision took effect immediately, the Federal Bureau of Investigation was forced to disconnect the reception of a signal from about 3,000 active GPS bugs on the same day.

GPS bug device

I don’t know how in Russia, but in the USA, citizens periodically find tracking GPS devices installed by special services under the bottom of the car. The last time, when the press became aware of this, a student of Arab descent, through inexperience, took the device to the “manufacturer", without having time to thoroughly examine it. A similar device in her car several years ago was found by animal rights activist Katie Thomas. She refused to return it to the FBI, and now dared to give the device for study.

Where is my wagon, sir? GPS tracking security

If the attacker wants to receive a large amount of data on the movement of various objects, then he needs to compromise one of the public servers for monitoring. As practice shows, this is not at all difficult, because most of these web services contain quite trivial vulnerabilities from the OWASP TOP 10 list

Interference tests in the GATE laboratory
The Germans got confused and approached the problem of GPS jammers on a large scale.

As a result of the use of automobile suppressors, the GNSS signals are completely destroyed not only in the car where it is located, but also in closely located ones. This poses a real threat to the future of intelligent transport systems.

The figure shows a test lab where transmitters, monitoring stations and the GATE central point are visible. GNSS jammers were tested in an area close to this central point.

To counter this threat, the University of the Federal Armed Forces, located in Munich, Germany, has acquired several automotive suppressors for laboratory analysis and testing at the GATE (Galileo Test Range) laboratory, which simulates real-world conditions. The measurements were carried out using an experimental software receiver developed at the Institute of Space Technologies and Applications. The receiver allows you to record samples of intermediate frequencies and analyze the effect of interference on the receiver.

The purpose of the study is to understand how the jammer works in order to develop countermeasures. They dug up a bunch of data and did some serious analytics.


The conclusion was this:

The analysis showed that the range of the suppressor is very dependent on the architecture of the receiver. In each scenario, suppressors had a strong effect. It is necessary to take measures against the use of automotive suppressors. Detectors must be placed for accusations of using suppressors. This measure will also allow you to calculate the number of suppressors used. The degradation of GNSS positioning poses a threat to the use of intelligent transport systems designed to improve driving safety. Therefore, the prevention and mitigation of the effect of interference should be the object of research for developers of automotive communications systems. Interference in GNSS systems must be dealt with in the same way as other road hazards.

Analysis, Detection and Mitigation of InCar GNSS Jammer in interference in intelligent transport systems ( PDF )
Car Jammers: Interference Analysis ( translated into Russian ).

So, if you need to steal a car or prevent the use of GPS on a guided missile , get rid of the geotags in the photographs, then GPS jammers are just that.

PS
Thanks to Diktos for the equipment provided.