Faking GPS signals used to be limited to James Bond films and navigation specialists. But a demonstration at DEFCON 23 shows it’s now poised to become a widespread hacking technique. I look at what’s at stake for manufacturers of GPS-reliant devices.
GPS spoofing – the act of broadcasting a fake GPS signal to fool a device into thinking it’s somewhere else, and/or at a different point in time – used to be pretty far down the list of things that manufacturers had to worry about.
While it’s long been technically possible (and was used as a major plot point in the James Bond film Tomorrow Never Dies), the general thinking was that it was too difficult for a hacker to put into practice, since it required expensive equipment and specialist knowledge of GPS.
That all changed last week at DEFCON 23 in Nevada. At one of the hacker convention’s less-reported sessions, Chinese security researchers Huang Lin and Yan Qing showed it’s relatively straightforward to create a low-cost GPS signal emulator using cheap, off-the-shelf components and open source code.
Smartphones, drones and cars are all vulnerable
Using their home-made kit, they showed an audience of more than 600 how they were able to take control of the GPS receivers of a variety of devices, including smartphones, a drone, and a car satellite navigation system.
The effects ranged from tricking the smartphones into displaying a time and date in the future, to causing a drone to drop to the ground in the belief that it had entered a “no-fly zone”, to fooling the car into thinking it was located in the middle of Namco Lake, rather than its actual position in an underground car park.
In none of the attacks did the GPS receiver in the device recognize it was being attacked or emit a warning to this effect.
A new opportunity for hackers
It doesn’t take a lot of imagination to see how this kind of capability could be put to use in the real world by hackers motivated either by curiosity or criminal intent.
Millions of people rely – knowingly or unknowingly – on the GPS in their smartphones for a wide array of tasks, including in-car navigation and even in some cases the authentication of transactions.
The drone in particular was very easily commandeered, which has implications for manufacturers developing UAVs to deliver parcels and medical supplies.
And the car spoofing highlighted an Achilles heel with some in-vehicle satellite navigation systems, which is that when the vehicle is actively searching for a GPS signal where no real ones are accessible (e.g. underground or in a garage), it’s relatively easy to get it to lock on to a fake one.
This may not seem a huge deal in a world where cars are driven by humans, who can clearly see that their vehicle is not in a lake, and conclude that the GPS is playing up. But in a near-future of driverless cars, the implications become more serious. And it will also be of interest to thieves who want to make off with a high-end vehicle while ensuring it’s still broadcasting its location as parked safely in its garage.
Spoofing can be done by non-specialists in satellite navigation
What’s remarkable about these demonstrations is that Lin and Qing are not in any way GPS specialists. Rather, they head up a general cybersecurity research team at Chinese security software company Qihoo 360.
Without any specialist GPS knowledge, and on a budget of less than $1,000, they managed to use existing published research and open source code available on the internet to program a Software Defined Radio that would work as a GPS emulator.
Using these tools, Lin and Qing were able to build up the structure of the GPS navigation messages and program the SDR to download GPS satellite orbit information (called ephemeris data). They admitted that their first prototype failed because they had forgotten to allow for Doppler shift in their model. Having made the necessary adjustments, they showed the results obtained with their emulator, to loud applause from the audience.
GPS spoofing is now a real-world threat
If Lin and her team can do this using freely-available code, components and information, and publish their methods, it means the field of GPS spoofing is now open to any hacker inclined to exploit it.
Rather than a largely-academic exercise limited to navigation specialists with considerable knowledge and resources to hand, GPS spoofing is now a real-world threat.
And that threat will grow as our reliance on GPS signals grows, for everything from timestamping financial transactions to directing the operations of driverless vehicles.
Protecting systems and products against GPS spoofing
So what can manufacturers do to protect themselves and their customers?
First of all, they should audit all of their existing products and systems in light of these revelations. The main vulnerability that Lin and Qing were able to exploit is that lots of existing GPS receivers are programmed only to receive signals from the GPS satellite system, and only on one frequency. These demonstrations show how easy it has become to fake signals of a single type on a single frequency.
Today, there are many receivers available that can search for signals on multiple frequencies and from multiple constellations (e.g. GLONASS and/or Beidou in addition to GPS), and some can issue an alert if they receive inconsistent time and location information from these different sources. These receivers should be more resistant to the types of attack demonstrated by Lin and Qing – at least for now.
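The cross-constellation consistency check described above can be expressed in Python. This is an added example, not code from the article or from any receiver vendor; the thresholds, function names and sample fixes are assumptions constructed for illustration. It flags the constellation that disagrees with the majority, and compares a new fix against the last trusted one using the device's own monotonic clock, since a spoofed signal controls the reported time as well as the position.

```python
import math
from datetime import datetime, timedelta, timezone
from itertools import combinations

# Thresholds are illustrative assumptions, not values from any receiver vendor.
MAX_POS_GAP_M = 200.0   # allowed position disagreement between constellations
MAX_TIME_GAP_S = 1.0    # allowed disagreement in reported UTC
MAX_SPEED_MPS = 70.0    # plausibility bound for a road vehicle

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def disagrees(f1, f2):
    """True if two (lat, lon, utc) fixes differ by more than the thresholds."""
    return (haversine_m(f1[:2], f2[:2]) > MAX_POS_GAP_M
            or abs((f1[2] - f2[2]).total_seconds()) > MAX_TIME_GAP_S)

def suspect_constellations(fixes):
    """fixes: {name: (lat, lon, utc)}. Returns names that conflict with most others."""
    conflicts = {name: 0 for name in fixes}
    for n1, n2 in combinations(fixes, 2):
        if disagrees(fixes[n1], fixes[n2]):
            conflicts[n1] += 1
            conflicts[n2] += 1
    others = len(fixes) - 1
    return sorted(n for n, c in conflicts.items() if others and c > others / 2)

def implausible_jump(last_trusted, fix, local_elapsed_s, clock_tol_s=2.0):
    """Check a fix against the last trusted one, timed by the local monotonic clock."""
    time_step = (fix[2] - last_trusted[2]).total_seconds()
    if abs(time_step - local_elapsed_s) > clock_tol_s:
        return True  # reported time advanced more or less than really elapsed
    return haversine_m(last_trusted[:2], fix[:2]) > MAX_SPEED_MPS * max(local_elapsed_s, 1.0)

# Constructed sample: parked vehicle whose GPS fix has been replaced by a spoofed one.
NOW = datetime(2015, 8, 10, 12, 0, 0, tzinfo=timezone.utc)
PARKED = (39.9042, 116.4074, NOW - timedelta(seconds=30))
FIXES = {
    "GPS":     (30.7000, 90.6000, NOW + timedelta(days=400)),  # distant, future-dated
    "GLONASS": (39.9043, 116.4075, NOW),
    "BeiDou":  (39.9042, 116.4073, NOW),
}

if __name__ == "__main__":
    print("suspect:", suspect_constellations(FIXES))
```

With only two constellations, both are flagged, because the check cannot tell which of the two is wrong.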
Manufacturers of GPS-dependent systems should therefore test their existing products to understand how they behave in the event of a spoofing attack, and consider upgrading to multi-constellation, multi-frequency receivers if the results of the tests prove worrying.
For GPS/GNSS chipset manufacturers, if this is not already a priority, the focus should be on building into the receiver the capability to detect spoofing attacks and issue alerts.
All manufacturers of systems that rely on GPS or another civilian satellite navigation system should consider lobbying the appropriate government or space agency to build anti-spoofing measures – such as hard-to-fake digital signatures – into new satellite navigation signals.
Finally, it’s incumbent on all manufacturers to keep pace with developments in GPS hacking and spoofing, which are now likely to evolve quickly.
Now that Lin and Qing have shown that GPS spoofing can be done relatively easily by non-specialists, we are likely to see a similar sort of “arms race” emerging as we’ve already seen in the field of IT security.
Manufacturers will build in new protection measures, and hackers will try to break them. Tracking the evolving capabilities of hackers, and testing systems in light of emerging techniques, will be essential to mitigating risk as our dependence on GPS grows.