Our global society relies on the civilian GPS for our communications networks, transportation of goods, power distribution, financial transactions and emergency response, using precise location information and time synchronization. Unfortunately, the GPS system was not designed for this purpose. The civilian GPS has dangerous security vulnerabilities which now leave our global society at risk of serious disruption at any moment.
Jon Warner of Argonne National Laboratories set out to examine GPS security one Saturday afternoon. Jon is part of the Vulnerability Assessment Team (VAT), a small group whose goal is to uncover flaws in our systems so that they can be fixed. “We try to think like the bad guys,” Jon said, “so that we can plug the holes they might use.”
To test out GPS security, Roger Johnston, head of the VAT, challenged the team to demonstrate how to steal a cargo truck and get away with it. Cargo trucks generally contain a GPS tracking device which relays position and speed information to a central office. This enables freight companies to track their drivers’ locations and ensure that trucks are on course. If a truck veers off course, it sets off an alarm at headquarters. If an attacker could falsify or “spoof” GPS information, he or she could hijack the truck and steal the cargo without being noticed.
Based on this, Jon developed two cargo truck hijack test scenarios:
1) Hijack the truck, and then use GPS to send a false position signal to headquarters. Headquarters would see that the truck had stopped, but once the fake GPS signal was deployed, they would think the truck was back en route.
2) Send a counterfeit signal before ever hijacking the truck. This way, even if the driver panicked and sent an alert, the attacker could make it appear that the truck was at a different location. This would require that the attacker disrupt and spoof the truck’s GPS signals from a distance, without close range contact.
Demo: “Hijacking” the Truck
“It does not take a great deal of time or effort to spoof a GPS signal,” said Roger. The GPS system consists of 24 to 32 satellites orbiting the earth, which relay microwave signals to the ground. GPS receivers on the ground can use these signals to determine absolute position and precise timing information.
“If the adversary controls the signal that the truck is receiving, then the false position calculated by the receiver will be relayed to headquarters regardless of the encryption algorithms or communication protocols used. In other words, garbage in, garbage out.” [1]
Jon used a desktop computer attached to a GPS satellite simulator to create a fake GPS signal. Portable GPS satellite simulators can fit in the trunk of a car, and are often used for testing. They are available as commercial off-the-shelf products. You can also rent them for less than $1K a week – peanuts to anyone thinking of hijacking a cargo truck and selling stolen goods.
In his first experiments, Jon placed his desktop computer and GPS satellite simulator in the cab of his small truck, and powered them off an inverter. The VAT used a second truck as the victim cargo truck. “With this setup,” Jon said, “we were able to spoof the GPS receiver from about 30 feet away. If our equipment could broadcast a stronger signal, or if we had purchased stronger signal amplifiers, we certainly could have spoofed over a greater distance.”
During later experiments, Jon and the VAT were able to easily achieve much greater GPS spoofing ranges. They spoofed GPS signals at ranges over three quarters of a mile. “The farthest distance we achieved was 4586 feet, at Los Alamos,” said Jon. “When you radiate an RF signal, you ideally want line of sight, but in this case we were walking around buildings and near power lines. We really had a lot of obstruction in the way. It surprised us.” An attacker could drive within a half mile of the victim truck, and still override the truck’s GPS signals.
The GPS spoofing attack consisted of three parts, as detailed in the VAT’s initial 2002 paper: [2]
1) “The existing GPS receiver signal lock must be broken.” Initially, Jon thought that the adversary would have to “wait until the target truck drove under a bridge, forest cover, or some similar type of obstruction” to break the real GPS signal. During later experiments, Jon discovered that if his fake GPS signal was strong enough, it would also function as a jammer, overriding the real signal from distances over 4,000 feet without any need for physical disruption. “Our GPS satellite simulator was strong enough that it just overrode the regular signal.”
2) “The GPS tracking device in the target truck must be locked onto the counterfeit signal.” The receiver simply accepted the strongest signal, which was coming from Jon’s GPS simulator.
3) “The final step is to continue broadcasting the fake GPS signal.” This could be accomplished from the attacker’s truck, driving nearby. Even better, portable GPS simulator equipment could simply be placed inside the hijacked truck.
Protecting Against GPS Attacks
“We’ve come up with seven different ways to detect if the incoming signal is real,” said Jon. “These won’t stop the spoofing, but they would at least let you know that you’re being spoofed.” Below are a few simple remediations that the VAT suggested: [3]
1) Signal Strength
The signal strength of a normal GPS signal on the surface of the earth is fairly low: about -163 dBw. The signal coming from a GPS simulator is much higher. Unusually high GPS satellite signals should be considered suspect.
2) Signal Consistency Across Multiple Satellites
Normally, the signal strength of GPS satellites varies. Using a GPS simulator, engineers can typically simulate 10 or 24 satellites. This is used legitimately by engineers who build GPS satellite receivers for phones, surveying devices, time synchronizing devices, and other equipment. However, by default GPS simulators send out the same signal strength for all satellites. As a result, the fake signal strength is much more consistent than in real life.
3) Noise Level
Simulated GPS signals have unusually low noise levels. If the GPS receiver detects a nice, crisp, clean signal, that should raise red flags.
4) Satellite Numbers
Each GPS satellite is numbered. “If we were sitting in the parking lot,” said Jon, “our GPS receiver might see GPS satellites 1, 2, 3, 4, 5 and 6. #24 might be on the other side of the earth.” A GPS simulator might not send the correct satellite numbers for a given location. “I’ve done this before, and sent satellite signals for Australia when I was in New Mexico.”
The VAT estimates that implementing these strategies would greatly enhance GPS security, at minimal cost. “It’s mostly a software solution,” commented Jon. “It amazes me that right now, if you look at any receiver, it doesn’t compare the signal from moment to moment. If the GPS signal shoots up in the next second, the receiver won’t pick up on that.”
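As an added illustration (not code from the VAT or the article), the Python example below applies checks 1, 2 and 4 and the moment-to-moment comparison Jon describes to per-satellite signal levels parsed from NMEA GSV sentences. Using the receiver-reported C/N0 as the signal-strength measure is an assumption, as are the thresholds, the expected-satellite set and the constructed sample sentences.

```python
import statistics

# Illustrative thresholds (assumptions, not values from the article); tune per receiver.
MAX_CN0 = 50.0     # dB-Hz; anything stronger is suspect (check 1)
MIN_SPREAD = 1.0   # dB; real satellites differ by more than this (check 2)
MAX_JUMP = 6.0     # dB; allowed rise in mean level between epochs

def parse_gsv(sentences):
    """Return {PRN: C/N0 in dB-Hz} from one epoch of NMEA GSV sentences."""
    sats = {}
    for s in sentences:
        fields = s.split("*")[0].split(",")      # drop checksum if present
        if not fields[0].endswith("GSV"):
            continue
        for i in range(4, len(fields) - 3, 4):   # PRN, elevation, azimuth, C/N0
            if fields[i] and fields[i + 3]:      # empty C/N0 means not tracked
                sats[int(fields[i])] = float(fields[i + 3])
    return sats

def check_epoch(sats, expected_prns, prev_mean=None):
    """Run the checks on one epoch; return (alerts, mean C/N0)."""
    if not sats:
        return ["no_satellites"], prev_mean
    levels = list(sats.values())
    mean, alerts = statistics.mean(levels), []
    if max(levels) > MAX_CN0:
        alerts.append("signal_too_strong")
    if len(levels) >= 4 and statistics.pstdev(levels) < MIN_SPREAD:
        alerts.append("signal_too_uniform")
    if prev_mean is not None and mean - prev_mean > MAX_JUMP:
        alerts.append("sudden_strength_jump")
    if set(sats) - set(expected_prns):           # check 4: satellite numbers
        alerts.append("unexpected_satellites")
    return alerts, mean

# Constructed sample data (checksums omitted): open-sky epoch, then simulator-like epoch.
EXPECTED = {2, 5, 12, 13, 15, 25, 29}  # assumed output of an almanac visibility prediction
REAL = ["$GPGSV,2,1,07,02,45,120,41,05,30,210,36,12,62,045,44,13,15,300,29",
        "$GPGSV,2,2,07,15,22,080,33,25,71,180,46,29,10,330,27"]
SPOOFED = ["$GPGSV,2,1,06,01,45,120,52,03,30,210,52,06,62,045,52,09,15,300,52",
           "$GPGSV,2,2,06,11,22,080,52,17,71,180,52"]

def run_demo():
    alerts_real, mean = check_epoch(parse_gsv(REAL), EXPECTED)
    alerts_spoof, _ = check_epoch(parse_gsv(SPOOFED), EXPECTED, prev_mean=mean)
    return alerts_real, alerts_spoof

if __name__ == "__main__":
    print(run_demo())
```

The first epoch raises no alerts; the second trips all four checks, because every satellite reports the same high level, the mean jumps between epochs, and none of the satellite numbers are expected at the receiver's location.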
Satellites for the military GPS include authentication, meaning that receivers can verify through cryptographic exchange that the signal they are receiving is from a real GPS satellite. Civilian GPS doesn’t include that, but if it did, this would enable appropriately equipped receivers to verify that a GPS signal is legitimate.
“Back in the 70s,” Jon reflected, “Civilian GPS was more of an afterthought. It wasn’t really designed with security in mind. The military set it up to be nice. Nobody knew that it would take off like this. Just like the Internet – it was completely unexpected.”
[1] J. Warner and R. Johnston, “A Simple Demonstration That the Global Positioning System (GPS) Is Vulnerable to Spoofing,” Journal of Security Administration, in press (2003). (page 5)
[2] J. Warner and R. Johnston, “A Simple Demonstration That the Global Positioning System (GPS) Is Vulnerable to Spoofing,” Journal of Security Administration, in press (2003). (page 7)
[3] J. Warner and R. Johnston, “GPS Spoofing Countermeasures,” http://www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html, (December 2003).