GPS Spoofing
Sep 7th, 2008 by sherri
Our global society relies on the civilian GPS for our communications networks, transportation of goods, power distribution, financial transactions and emergency response, using precise location information and time synchronization. Unfortunately, the GPS system was not designed for this purpose. The civilian GPS has dangerous security vulnerabilities which now leave our global society at risk of serious disruption at any moment.
Jon Warner of Argonne National Laboratories set out to examine GPS security one Saturday afternoon. Jon is part of the Vulnerability Assessment Team (VAT), a small group whose goal is to uncover flaws in our systems so that they can be fixed. “We try to think like the bad guys,” Jon said, “so that we can plug the holes they might use.”
To test out GPS security, Roger Johnston, head of the VAT, challenged the team to demonstrate how to steal a cargo truck and get away with it. Cargo trucks generally contain a GPS tracking device which relays position and speed information to a central office. This enables freight companies to track their drivers’ locations and ensure that trucks are on course. If a truck veers off course, it sets off an alarm at headquarters. If an attacker could falsify or “spoof” GPS information, he or she could hijack the truck and steal the cargo without being noticed.
Based on this, Jon developed two cargo truck hijack test scenarios:
1) Hijack the truck, and then use GPS to send a false position signal to headquarters. Headquarters would see that the truck had stopped, but once the fake GPS signal was deployed, they would think the truck was back en route.
2) Send a counterfeit signal before ever hijacking the truck. This way, even if the driver panicked and sent an alert, the attacker could make it appear that the truck was at a different location. This would require that the attacker disrupt and spoof the truck’s GPS signals from a distance, without close range contact.
Demo: “Hijacking” the Truck
“It does not take a great deal of time or effort to spoof a GPS signal,” said Roger. The GPS system consists of 24 to 32 satellites orbiting the earth, which relay microwave signals to the ground. GPS receivers on the ground can use these signals to determine absolute position and precise timing information.
“If the adversary controls the signal that the truck is receiving, then the false position calculated by the receiver will be relayed to headquarters regardless of the encryption algorithms or communication protocols used. In other words, garbage in, garbage out.” [1]
Jon used a desktop computer attached to a GPS satellite simulator to create a fake GPS signal. Portable GPS satellite simulators can fit in the trunk of a car, and are often used for testing. They are available as commercial off-the-shelf products. You can also rent them for less than $1K a week, peanuts to anyone thinking of hijacking a cargo truck and selling stolen goods.
In his first experiments, Jon placed his desktop computer and GPS satellite simulator in the cab of his small truck, and powered them off an inverter. The VAT used a second truck as the victim cargo truck. “With this setup,” Jon said, “we were able to spoof the GPS receiver from about 30 feet away. If our equipment could broadcast a stronger signal, or if we had purchased stronger signal amplifiers, we certainly could have spoofed over a greater distance.”
During later experiments, Jon and the VAT were able to easily achieve much greater GPS spoofing ranges. They spoofed GPS signals at ranges over three quarters of a mile. “The farthest distance we achieved was 4586 feet, at Los Alamos,” said Jon. “When you radiate an RF signal, you ideally want line of sight, but in this case we were walking around buildings and near power lines. We really had a lot of obstruction in the way. It surprised us.” An attacker could drive within a half mile of the victim truck, and still override the truck’s GPS signals.
The GPS spoofing attack consisted of three parts, as detailed in the VAT’s initial 2002 paper: [2]
1) “The existing GPS receiver signal lock must be broken.” Initially, Jon thought that the adversary would have to “wait until the target truck drove under a bridge, forest cover, or some similar type of obstruction” to break the real GPS signal. During later experiments, Jon discovered that if his fake GPS signal was strong enough, it would also function as a jammer, overriding the real signal from distances over 4,000 feet without any need for physical disruption. “Our GPS satellite simulator was strong enough that it just overrode the regular signal.”
2) “The GPS tracking device in the target truck must be locked onto the counterfeit signal.” The receiver simply accepted the strongest signal, which was coming from Jon’s GPS simulator.
3) “The final step is to continue broadcasting the fake GPS signal.” This could be accomplished from the attacker’s truck, driving nearby. Even better, portable GPS simulator equipment could simply be placed inside the hijacked truck.
Protecting Against GPS Attacks
“We’ve come up with seven different ways to detect if the incoming signal is real,” said Jon. “These won’t stop the spoofing, but they would at least let you know that you’re being spoofed.” Below are a few simple remediations that the VAT suggested: [3]
1) Signal Strength
The signal strength of a normal GPS signal at the surface of the earth is fairly low: about -163 dBW. The signal coming from a GPS simulator is much stronger. Unusually strong GPS satellite signals should be considered suspect.
2) Signal Consistency Across Multiple Satellites
Normally, the signal strength of GPS satellites varies. Using a GPS simulator, engineers can typically simulate 10 or 24 satellites. This is used legitimately by engineers who build GPS satellite receivers for phones, surveying devices, time synchronizing devices, and other equipment. However, by default GPS simulators send out the same signal strength for all satellites. As a result, the fake signal strength is much more consistent than in real life.
3) Noise
Simulated GPS signals have unusually low noise levels. If the GPS receiver detects a nice, crisp, clean signal, that should raise red flags.
4) Satellite Numbers
Each GPS satellite is numbered. “If we were sitting in the parking lot,” said Jon, “our GPS receiver might see GPS satellites 1, 2, 3, 4, 5 and 6. #24 might be on the other side of the earth.” A GPS simulator might not send the correct satellite numbers for a given location. “I’ve done this before, and sent satellite signals for Australia when I was in New Mexico.”
The VAT estimates that implementing these strategies would greatly enhance GPS security, at minimal cost. “It’s mostly a software solution,” commented Jon. “It amazes me that right now, if you look at any receiver, it doesn’t compare the signal from moment to moment. If the GPS signal shoots up in the next second, the receiver won’t pick up on that.”
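The four checks listed above, plus the moment-to-moment comparison Jon describes, are simple enough to express as a small receiver-side detector. The following is an added example written for this post; it is not the VAT’s code and not from any receiver vendor. It assumes a receiver that reports, per satellite, a PRN number, received power in dBW and a carrier-to-noise ratio (C/N0) in dB-Hz, and that the receiver can predict from its almanac which PRNs should be overhead (passed in as `expected_prns`; the prediction itself is not implemented). The -163 dBW nominal figure is the one quoted in the post; every other threshold, and all the sample readings, are constructed for the example rather than calibrated values.

```python
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List, Optional, Set, Tuple

# Surface-level GPS signal strength quoted in the post; the remaining
# thresholds are assumptions chosen for the constructed sample data.
NOMINAL_POWER_DBW = -163.0
MAX_POWER_DBW = -150.0   # assumed: stronger than this is suspect
MIN_SPREAD_DB = 1.0      # assumed: real satellites differ by more than this
MAX_CN0_DBHZ = 52.0      # assumed: a "too clean" carrier-to-noise ratio
MAX_JUMP_DB = 10.0       # assumed: largest plausible change between fixes


@dataclass(frozen=True)
class SatObs:
    """One satellite as reported by a receiver for a single fix."""
    prn: int           # satellite number
    power_dbw: float   # received signal power
    cn0_dbhz: float    # carrier-to-noise density; higher means a cleaner signal


Alert = Tuple[str, str]  # (check name, human-readable reason)


def check_snapshot(obs: List[SatObs], expected_prns: Set[int],
                   previous: Optional[Dict[int, float]] = None) -> List[Alert]:
    """Apply the post's heuristics to one fix; return the alerts raised."""
    alerts: List[Alert] = []

    # 1) Signal strength: a satellite should not be much stronger than nominal.
    for o in obs:
        if o.power_dbw > MAX_POWER_DBW:
            alerts.append(("strength",
                           f"PRN {o.prn} at {o.power_dbw:.1f} dBW, nominal is "
                           f"{NOMINAL_POWER_DBW:.0f} dBW"))

    # 2) Consistency: a simulator sends every satellite at the same level.
    if len(obs) >= 4:
        spread = pstdev([o.power_dbw for o in obs])
        if spread < MIN_SPREAD_DB:
            alerts.append(("consistency",
                           f"power spread {spread:.2f} dB across {len(obs)} satellites"))

    # 3) Noise: real signals are noisy; an unusually clean one is suspect.
    for o in obs:
        if o.cn0_dbhz > MAX_CN0_DBHZ:
            alerts.append(("noise", f"PRN {o.prn} C/N0 {o.cn0_dbhz:.1f} dB-Hz is too clean"))

    # 4) Satellite numbers: reported PRNs must be ones that could be overhead.
    unexpected = sorted({o.prn for o in obs} - expected_prns)
    if unexpected:
        alerts.append(("satellites", f"PRNs {unexpected} should not be visible here"))

    # 5) Moment-to-moment: strength should not leap between consecutive fixes.
    if previous:
        for o in obs:
            if o.prn in previous and abs(o.power_dbw - previous[o.prn]) > MAX_JUMP_DB:
                alerts.append(("jump",
                               f"PRN {o.prn} moved {o.power_dbw - previous[o.prn]:+.1f} dB "
                               "since the last fix"))
    return alerts


def triggered_checks(alerts: List[Alert]) -> Set[str]:
    """The distinct heuristics that fired, for summarising a fix."""
    return {name for name, _ in alerts}


# Constructed sample data: a plausible genuine fix, followed one second later
# by a fix dominated by a simulator that the receiver has locked onto.
EXPECTED_PRNS = {3, 7, 14, 19, 22, 27, 30}   # constructed almanac prediction
GENUINE_FIX = [
    SatObs(3, -162.4, 44.0), SatObs(7, -164.1, 41.5), SatObs(14, -161.0, 46.2),
    SatObs(19, -165.3, 39.8), SatObs(22, -163.2, 43.1),
]
SIMULATED_FIX = [SatObs(prn, -140.0, 58.0) for prn in (1, 2, 3, 4, 5, 6)]

if __name__ == "__main__":
    last = {o.prn: o.power_dbw for o in GENUINE_FIX}
    for label, fix in (("genuine", GENUINE_FIX), ("simulated", SIMULATED_FIX)):
        alerts = check_snapshot(fix, EXPECTED_PRNS, previous=last)
        print(f"{label}: {sorted(triggered_checks(alerts)) or 'no alerts'}")
        for name, reason in alerts:
            print(f"  [{name}] {reason}")
        last = {o.prn: o.power_dbw for o in fix}
```

Run stand-alone, the genuine fix raises nothing, while the simulated fix trips all five checks at once: every satellite is far above -150 dBW and identical in power, every C/N0 is implausibly clean, five of the six PRNs are not in the predicted set, and PRN 3 jumps more than 20 dB from the previous fix. As Jon notes, none of this stops the spoofing; the value is that a receiver which keeps the previous fix and compares it to the current one can at least raise an alarm, which is all software.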
Satellites for the military GPS include authentication, meaning that receivers can verify through cryptographic exchange that the signal they are receiving is from a real GPS satellite. Civilian GPS doesn’t include that, but if it did, this would enable appropriately equipped receivers to verify that a GPS signal is legitimate.
“Back in the 70s,” Jon reflected, “civilian GPS was more of an afterthought. It wasn’t really designed with security in mind. The military set it up to be nice. Nobody knew that it would take off like this. Just like the Internet, it was completely unexpected.”
[1] J. Warner and R. Johnston, “A Simple Demonstration That the Global Positioning System (GPS) Is Vulnerable to Spoofing,” Journal of Security Administration, in press (2003), page 5.
[2] J. Warner and R. Johnston, “A Simple Demonstration That the Global Positioning System (GPS) Is Vulnerable to Spoofing,” Journal of Security Administration, in press (2003), page 7.
[3] J. Warner and R. Johnston, “GPS Spoofing Countermeasures,” http://www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html (December 2003).
Sherri Davidoff
Interesting article, I’ll think twice before trying to hijack a truck.
So, out of curiosity…
I noticed that you mentioned that
>>quote<<
“We’ve come up with seven different ways to detect if the incoming signal is real,” said Jon.
<>
However, you only mentioned 4 of the protection/defense mechanisms. What are the other 3, or did I just miss them, or were they undisclosed?
Curiosity is killing the cat.
[...] This topic is discussed in a very interesting article over at Philosecurity. If you are at all interested in security, and in how systems that were not primarily developed as a security measure can fail, then I recommend you take a look at Philosecurity. [...]
Hi Jason,
Good question! Jon and Roger detail all seven countermeasures in their paper, “GPS Spoofing Countermeasures”:
http://www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html
I just listed the ones that Jon mentioned over lunch. Cheers– s
Interesting Article!
V, maybe he meant “several”?
Or maybe not.
Regarding way number 4, it is also possible to take ephemeris data from public sources, and broadcast just those SVs that are visible from any location.
It should not be too hard to create software that continually calculates visible SVs and their altitude over the horizon, and applies the adequate attenuation (models for that do exist), so, for all effects, creating fake signals quite similar to the real ones, except for intensity, which is precisely what we want: to have the fake signal override the real one, so we can make the receiver think that ours is the real thing.
Sorry for all the verbosity.
Here’s a third scenario which is made worse by the proposed solutions:
* A criminal sets up a powerful GPS spoofing device in the middle of a major city.
* The proposed solutions mean that every security truck within range recognises that its GPS signal has been faked and it alerts the driver, who phones the police
* The police are totally overloaded.
* Meanwhile the criminal commits some unrelated crime, such as robbing a bank.
The approach described represents a fairly unsophisticated attack and yet it works well. More sophisticated limpet spoofer attacks and countermeasures are described at: http://sidt.gpsworld.com/gpssidt/article/articleDetail.jsp?id=436920
Jon Warner is part of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory.
For more information about the VAT (current projects, contact information, …) visit the VAT website at: http://www.ne.anl.gov/capabilities/vat/
Spoofing?? All they need to do is place a jammer in the truck. Good luck and goodbye to the signal, period. These jammers can be purchased today for $200-$300.00.
More on the GPS jammers. Today it depends on what you’re needing. It’s illegal to possess a cell phone jammer or GPS jammer. However, you can obtain it and have it flown into Mexico, and if you cross the border with it nobody can even recognize the unit!
Secondly, if you have this unit you can pull right up to a truck and kill the cell phone signal and GPS signal. They at that point can hijack a truck!
The units are currently sold on the market overseas. In addition, at trade shows right here in the USA (ISC Expo) I’ve had the unit in my hand practically and could have purchased the unit with no problem. However, for me it’s not worth it because I actually have no use for it!
Spoofing sounds OK and creates deception. However, if we are to worry about terrorists or truck hijacking, the jammers in my opinion are something to fear more than spoofing!
Spoofing GPS is certainly not trivial! Jamming it is.
Simulating the codes sent by the satellites means knowing those sats that are in view at that particular time, where EXACTLY they are in their orbits, calculating the time and Doppler offsets, then applying these to your spoofing generator. All of which is done in a GPS simulator / test set, but these cost an awful lot of money, and only a few exist.
Conversely, jamming GPS really is trivial squared! At short ranges, it’s as simple as using an off-the-shelf crystal oscillator module (about £20 in the UK, rather less in the US) and a 5V battery. I’ve tested several, and all work to a few metres; great for disabling the GPS tracker in a hire car. A really good medium power GPS jammer can be built by someone with modest amateur (ham) radio construction experience. Such a gizmo is good for jamming out to hundreds of metres to km.
So, for the hijack scenarios described, don’t bother thinking about spoofing the GPS. Attach a jammer to the vehicle, let it drive a few km away so the base station will have lost its location, then go ahead.
R-ECM
Did these idiots ever consider, during their testing, that GPS is used for aircraft navigation? Ever file a NOTAM to indicate that the GPS system would be disrupted for upwards of a mile or more around the testing area?
This article borders on silly. Not because GPS can’t be spoofed – of course it can – but because it is so irrelevant to trucking. It has all the ingredients of a “good” terrorphobia article – movie-plot threat, photo of a heavy petroleum tanker (presumably a horrible threat to national security) and a few irrelevant graphics.
First a bit of background. I’m a retired engineer (nuke) who spent a year driving an over the road truck just because I’ve always wanted to. I’m also a tinkerer, ham radio operator and former holder of a 1st class commercial radio license.
My tractor was equipped with a Qualcomm satellite information system like the majority of OTR tractors are. It may surprise you to learn that Qualcomm does NOT use GPS for radio-location. GPS is an extra-cost option but my company did not opt for it. I know for sure because I opened both the antenna dome and the control box to look for same. Neither are sealed. I also know because the system frequently reported me to be somewhat distant from my actual location as reported by MY GPS systems.
I can understand why Qualcomm doesn’t use GPS. I provided my own GPS mapping system with two receivers. One, the SiRF-based DeLorme receiver supplied with the Street Atlas software and two, a Trimble unit with a remote patch antenna that I mounted on the same mount that held the Qualcomm dome.
In many areas, around Dayton, Ohio is one I particularly recall, I would go miles at a time without a hint of a signal from either receiver. I discussed this on a GPS experts mailing list and the general consensus was that terrestrial interference, probably a harmonic from broadcast TV, was the problem. As long as I was underway, the Qualcomm, with its actively steered dish, always had contact with the satellite unless I entered a tunnel.
I can understand why Qualcomm offers GPS only as an option and doesn’t rely on it for the company’s core functionality. Too unreliable. GPS, at least consumer grade GPS, is far too easily jammed from innocent sources as it is. The trucking company doesn’t need to know where the truck is within feet. It only needs to know that the truck is on the correct route and is in approximately the position the model says it should be.
Now let’s look at the Qualcomm. There are many conditions where the service goes down. Truckstops where many trucks are in close vicinity to each other is a prime example. Mutual interference. The Idle-Aire support structures also effectively shield the Qualcomm dome. The “out of service” light on my terminal stayed on much of my sleep time. If I wanted to hijack my truck, I’d simply go off-duty at a truck stop, wait for the signal to fail, foil the antenna and go. I’d have my entire mandatory 10 hour out-of-service interval to do my thing.
In fact, many truckers already take advantage of this for less nefarious purposes. If they want to go to a nudie bar or casino instead of sleeping during their mandatory down time, they simply wrap the Qualcomm dome in aluminum foil and go. The secret is to use deli foil that has a white paper backing that doesn’t stand out on the dome and perhaps attract a cop’s attention, as straight aluminum foil would.
The Qualcomm interfaces to the truck’s J1708 bus which enables the Qualcomm to report odometer miles, fuel economy, speed and other parameters. For “innocent” spoofs like trips to the casino, the driver has to think about that but since most companies allow up to a 10% “out of route” margin, it’s no big deal. For the nefarious individual or gang, they could not care less since that particular Qualcomm will probably never connect to the satellite again.
I hauled mostly “high value” cargo. That is, trailer contents worth >$1,000,000. Typically consumer electronics and pharmaceuticals. Even then our company did not use trailer trackers and only very occasionally did I detect a customer-owned tracker inside the trailer. The reason is simple. Other security mechanisms that I won’t discuss here are proven to work.
Besides, hijacking is but a very small concern to the trucking industry. Cargo theft IS. Cargo theft can be as simple as bribing a driver to park in a certain spot at the truck stop for his sleep interval and ignore the noises out back. The thieves open his trailer door, back another truck in contact with the target trailer and transfer the cargo. Another common method is to have one of the thieves hire on with a company as a driver.
There is such a driver shortage that if you have a CDL and are breathing, you’re hired. Gin up some fake paperwork (a scanner, printer and a laptop will do the job nicely), stop by your favorite drop lot and grab the trailer of your choice. A trailer in a drop lot has the bills-of-materials right there in a compartment on the front of the trailer. Bad guy driver can simply shop until he finds what he wants, hooks and goes. Depending on the drop lot, he may have to scan the BOM and substitute his “carrier’s” name for the legit one but that’s but another 10 minutes’ work. It’s typical for a legit driver to have to search the lot for half an hour to find his trailer so a guy going from trailer to trailer looking at BOMs isn’t unusual.
Computers in trucks are common now. I carried a laptop, scanner and printer. I scanned every piece of paperwork that went through my hands for my own protection. My company had a bad habit of “losing” paperwork as an excuse for not paying. I could print a copy of the signed-as-received BOM and “un-lose” the paperwork. Using that same hardware for bad purposes required only formulating bad intent.
Here’s an even simpler scenario. Buy or steal a tractor and decal it up to match a major fleet’s tractor. Or just steal a major fleet’s tractor. My company’s tractors were white with little more than the company name, a stripe and the required DOT data. Drive to the drop lot, select your booty and go. “Security” at a typical drop lot consists of recording the truck’s company name and tractor number and sometimes an inspection of the BOM. If an “XYZ Fleet” truck is hooked to a trailer with an “XYZ Fleet” BOM then everything’s good to go.
As Bruce Schneier says, this is just more movie plot make-believe. Sure it’s technically doable, but it more resembles Rube Goldberg than a practical scenario. There are dozens, maybe hundreds of ways to achieve the same goal without the expensive hardware or complicated scenario that you postulate. Perhaps before you write another trucking security article, you could actually spend some time around the industry. You know, maybe just sit and chat with drivers in a truck stop or two.
John
I have to disagree, Richard. If a unit goes off line it’s immediately detected and you know within a couple of miles where it’s located from the last report. If spoofed, it can go a few hundred miles in any direction before detection.
Nice article, but from a scholarly standpoint, why are all your footnotes “in press” for articles from 2003? Why not use proper full citations?
Why hijack the truck? Just let its fooled GPS guide it to your warehouse and take delivery of the goods there
Thanks For You !!!
By using a device which can Record and Replay GPS RF data, you can play back the right satellite numbers and genuine noise levels from a previous recording, thus making it harder for the GPS engine to detect the spoofing. This kind of GPS Simulator is now available for ~$8000.
I’m a newbie so please forgive me for asking a lame question. I am trying to set up a method by which I can send a GPS signal to a wireless device, such as for hiking, to simulate the device being in another location such as a different country. I see there are simulators out there but most seem to work off of RS232 connections. Does anyone know an off-the-shelf or easy-to-understand process for setting something like this up from a laptop? If so, how does the simulator send the fake signals wirelessly?
Thanks
Jim