Investors
Spirent Logo
Positioning

‘Circle spoofing’ is on the rise

By:

AdobeStock 133683861-1240x600 control panel of a crude oil tanker

Find out more about circle spoofing and the vulnerabilities inherent in unprotected position, navigation and timing (PNT) systems.

At first glance, SkyTruth’s discovery is reminiscent of other recent ‘circle spoofing’ incidents, such as those reported in China in 2019 and in Iran earlier this year. Sky News has even tried to connect these incidents with instances where ships actually did start sailing in circles, rather than just seeming to.

However, closer scrutiny suggests these incidents have very different causes.

The Chinese and Iranian incidents do seem to have been caused by some kind of RF signal spoofing. We know that because multiple receivers in the same location were affected in the same way.

In China, the circle effect was visible both in the AIS data from multiple vessels and on heatmaps from fitness tracking apps like Strava. In Iran, heatmap data from Strava seems to corroborate the initial report of a circle-spoofed receiver in downtown Tehran.

Circle Spoofing Blog Image 1 Strava heatmap from Tehran, showing circle spoofing pattern. Image courtesy of Dana Goward

Strava heatmap from Tehran, showing circle spoofing pattern. Image courtesy of Dana Goward

These effects are consistent with the presence of an RF device broadcasting a series of spoofed location signals, affecting every vulnerable receiver within range.

Spirent recreates circle spoofing in the lab

In fact, we at Spirent have been able to recreate the effect using simulated signals in our PNT test lab, and we found that commercially-available receivers are vulnerable (see image below).

Circle Spoofing Blog Image 2 Observed receiver behaviour in Spirent’s circular motion spoofing scenario.

Observed receiver behaviour in Spirent’s circular motion spoofing scenario. Image credit: Spirent

In this test, we simulated live-sky ‘truth’ signals at a location in London, and then introduced simulated spoofing signals describing a circular motion centred in the true position as if they were being transmitted from a device on top of the building in the centre.

As we increased the power of the spoofing signals, we found that the receiver under test locked on to them rather than the truth signals, and started displaying a circular trajectory consistent with the spoofed signals.

This clearly shows the vulnerability of some commercial receivers to spoofing attacks – even when (and this must be stressed) they are not the intended target of the attack, but simply collateral damage from being in the wrong place at the wrong time.

Why spoof in circles?

The reasons for the circle patterns have been much discussed in the industry. In our view there could be two reasons behind it:

Distraction: The attacker may wish to make it seem that the spoofing device is at the centre of the circle – as many people have surmised – when in fact it may not be. In this case, the purpose of the circle would be to mask the true location of the spoofer.

Alarm-gaming: The circle may describe a spoofing trajectory that can be set within an alarm threshold based on Horizontal Position Error (HPE). That way, the radius of the circle can be set to a level that fails to trigger an alarm, even though the target receiver is reporting a position that has no basis in reality.

Quotes

The rise of software-defined radios (SDRs) has made spoofing easy for cyber-criminals, and we know that nation states are adding sophisticated spoofing equipment to their electronic warfare arsenal.

Receiver developers and integrators should take spoofing seriously

With incidents like this on the rise in China, Russia and now apparently also Iran, receiver developers and integrators should be taking GNSS signal spoofing seriously as a threat.

The rise of software-defined radios (SDRs) has made spoofing easy for cyber-criminals, and we know that nation states are adding sophisticated spoofing equipment to their electronic warfare arsenal.

Spirent has recently published an in-depth paper on how to evaluate and combat the risks from GNSS spoofing. Read it here.

Did RF spoofing cause ships to ‘teleport’ to California?

And what of the weird location anomalies that SkyTruth has picked up? While various theories have been put forward, we believe there isn’t enough data to say definitively what’s causing these strange ‘teleporting’ effects. It’s entirely possible that it is not down to RF spoofing, but to individuals hacking the NMEA data stream that feeds into the AIS system from the GPS receiver.

AIS works very well as a global vessel tracking system, but it does have a downside. The location data it receives and broadcasts is formed of unencrypted NMEA messages, which are relatively easy to intercept and alter. This presentation by Dr Marco Balduzzi at BlackHat Asia 2014 shows how vulnerable AIS is to attack. (In true hacker style, he even demonstrates how he can manipulate data to make a vessel’s track spell out ‘PWNED’)

Circle Spoofing Blog 3 Vessels of different kinds appear to teleport to California

Vessels of different kinds appear to teleport to California. Image courtesy of SkyTruth

The fact that ships from many countries (and of many kinds, from ferries to tugs) all reported a location off the coast of California is perhaps more suggestive of someone ‘playing’ with AIS data than of many people carrying out short-range RF signal spoofing attacks – especially as some displacements lasted for as long as 16 days. But it’s unclear who would want to hack AIS data in this manner, and for what purpose.

Take steps to evaluate and protect PNT systems

Whatever the cause of these latest incidents, they serve to highlight the vulnerabilities inherent in unprotected position, navigation and timing (PNT) systems.

Whether the hacking is done at the RF level or the application level, systems integrators should be aware of the evolving threat landscape and, if necessary, take steps to protect receivers and systems from intended or unintended attacks.

Spirent can help with any aspect of your PNT testing, including RF environmental assessments, testing of receiver vulnerabilities to RF spoofing and full analysis of results. Contact us to discuss how we can help.

To find out more about the effects of spoofing, and how you can mitigate against it in your systems, read our recent white paper.

Have a question for spirent ?
Get in touch with an expert

All BlogsSecurityNetworksService AssuranceWirelessPositioningspirent.com
Guy Buesnel
Guy Buesnel

cphys, frin, product manager – gnss vulnerabilities

Guy has more than 16 years experience in working on Robust and Resilient Position Navigation and Timing, having started his career as a Systems Engineer involved in developing GPS Adaptive Antenna Systems for Military Users. Guy has been involved in GPS and GNSS Receiver System Design with the aim of designing a new generation of Rugged GNSS Receivers for use by Military and Commercial Aviation Users. Guy is a Chartered Physicist, a Member of the Institute of Physics and an Associate Fellow of the Royal Institute of Navigation