GPS is vulnerable to spoofing attacks. Here’s how we can defend these important navigation signals.
Just hours before U.S. president Barack Obama delivered his final State of the Union speech in January, two U.S. Navy patrol boats wandered into Iranian waters. The Iranian military intercepted the vessels and captured 10 U.S. sailors, making for an awkward moment as the president took the stage.
The seamen were released the next day, but no military official seemed able to explain why the boats had strayed from their intended path. Defense Secretary Ashton B. Carter simply said the highly trained crew had “misnavigated.” An investigation is still under way.
Without a clear explanation, the incident prompted speculation that Iran had sent false GPS signals to lure the sailors onto another course. It would not have been easy for the Iranians to hijack the GPS system—military GPS signals are heavily encrypted—but the idea wasn’t inconceivable. In 2011, Iran boasted that it had captured a highly classified drone belonging to the CIA by fooling its GPS to make it land in Iran rather than Afghanistan.
Three years before the drone’s capture, one of us (Humphreys) had developed the only publicly acknowledged GPS spoofer that could perform such a feat. A spoofer transmits false GPS signals, which to a navigation system are indistinguishable from real ones. Meanwhile, the other of us (Psiaki) was hard at work on detectors to catch spoofers in the act.
Prodded by the Iranians, the U.S. Department of Homeland Security decided to investigate spoofing soon after the drone incident. The agency invited Humphreys’s group at the University of Texas at Austin to attack a helicopter drone at White Sands Missile Range, N.M., in June 2012. The team’s mission was to force the hovering aircraft to land by sending false positional data to its GPS. The spoofer told the drone it was climbing, causing it to automatically adjust—and nearly crash into the sand.
An operator averted disaster by manually overriding the spoofed autopilot before impact. Still, the White Sands drone hack made national news and rattled lawmakers. Soon after, Humphreys appeared before a U.S. congressional committee concerned with drone safety.
Since then, GPS spoofing has continued to pose a dangerous but poorly understood threat to the trustworthiness of critical navigation systems. To prevent spoofing, we need to understand how antagonists can corrupt GPS signals in the first place. With that knowledge, we must act quickly to develop ways to alert GPS users to these false signals.
The drone demonstration starkly indicated GPS’s vulnerabilities, but we believe that other targets are far more worrisome. Cellphone towers, stock exchanges, and the power grid all rely at least partly on GPS for precise timing. A well-coordinated spoof could interrupt communications, confuse automated financial traders, and inflict crippling power outages. In a worst-case scenario, a spoofer’s operator could overtake airplanes or ships to induce a crash, facilitate a heist, or even kidnap a VIP.
Those and other scenarios concerned Andrew Schofield as he listened to Humphreys present the details of his White Sands drone test at the South by Southwest Interactive conference in 2013. Schofield approached Humphreys after the talk and presented his card, on which his title read “Master of the White Rose of Drachs.” Then he asked, “How would you like to go after bigger prey?”
The White Rose is a 65-meter (213-foot) superyacht that relies on GPS to safely navigate the high seas. The US $80 million vessel, which boasts paintings by old masters and marble-and-gold bathrooms, belongs to a U.K. real estate tycoon. Schofield, the ship’s captain, was offering to take Humphreys out to sea to test whether his trusted ship could be spoofed.
At first, Humphreys thought the offer sounded too good to be true. He spent hours verifying Schofield’s credentials as an experienced seaman and president of the Professional Yachting Association. Still, Humphreys wondered if Schofield had gone over to the dark side. To gauge the captain’s intentions, Humphreys casually mentioned that his spoofer would be equipped with a “poison software pill” to render it useless outside the planned test’s time frame and region. Schofield did not bat an eye and said it sounded like a wise precaution.
Reassured, Humphreys began to plan a Mediterranean voyage [pdf] to test whether the spoofer could generate a sequence of lies that could, quite literally, throw the White Rose off course. The attack would have to be launched in international waters and with the approval of the General Lighthouse Authorities of the United Kingdom and Ireland; otherwise, tampering with GPS signals would be a crime even if done purely for research purposes.
After months of planning, the White Rose set sail in June 2013 from Monaco to Rhodes, Greece. Atop the yacht were two GPS antennas feeding received signals to a pair of standard GPS receivers on the bridge. Also on board was Humphreys’s spoofer [pdf], which contains about $2,000 worth of software and hardware, including a radio-frequency receiver, transmitter, and digital signal-processing chips.
For the first portion of the trip, the yacht’s GPS receivers dutifully logged location information from several dozen satellites, as they would on any voyage. Then, on day two of the cruise, Humphreys’s team replaced the signals being received on the bridge with spoofed ones indicating that the ship was drifting 3 degrees to the left.
How did they do it? In normal operation, GPS receivers deduce their position by calculating their distance from several satellites at once. Each satellite carries an atomic clock and broadcasts its location, the time, and a signature pattern of 1,023 plus and minus signs known as a pseudorandom noise code(or PRN code). These codes identify a signal as originating from, say, satellite A versus satellite B, which is necessary because all GPS satellites broadcast civilian signals on the same frequency.
The patterns that make up PRN codes also repeat over time, and their distinctive arrangements of pluses and minuses enable GPS receivers to use them to determine the signal-transmission delay between a satellite and the receiver. A receiver uses these delays, along with the satellite positions and time stamps, to triangulate its precise location. To get a good fix, a receiver must receive signals from four or more satellites at a time—it can figure coordinates based on just three, but it needs the fourth to synchronize its inexpensive, drift-prone clock with the constellation’s precise atomic clocks.
Overall, 31 navigation satellites make up the commonly used GPS network, which is operated by the U.S. Air Force. These satellites actually broadcast two sets of PRN codes: one for civilians and one for the U.S. military. Civilian PRN codes are unencrypted and published in a public database. Military codes are encrypted in the sense that they follow a pattern that is predictable only if the receiver has access to a secret key. Rather than decrypting these codes, this key lets receivers know what the code will be before it even arrives. Although nonmilitary receivers can pick up the military GPS signals, they can’t anticipate them or use them to calculate their location. For security, the Air Force frequently changes the keys of military signals so that only receivers with an updated key can use the newest ones.
To attack civilian receivers such as those aboard the White Rose, a spoofer’s operator figures out which GPS satellites will be in the vicinity of the target at a given time based on the satellites’ orbits. The spoofer then fabricates the PRN code for each satellite using formulas available in the public database. Next, the spoofer broadcasts faint signals carrying the same codes as all of the nearby satellites at once. The GPS receiver registers these weak signals as though they were part of the stronger, true signals transmitted by those satellites.
Then comes the delicate art of the “drag-off,” in which attackers must gently override the true signals. To do this, the spoofer’s operator gradually increases the power of the false GPS signals until the receiver catches onto these new signals. If the signal increase is too abrupt, the receiver or even the ship’s human navigators might detect something amiss. Once the receiver has latched onto the false signals, the operator can adjust the spoofer and receiver to a new set of coordinates and leave the true signals behind.
Back on the White Rose, crew members noted the apparent—but not actual—3-degree leftward drift that Humphreys’s team had fooled the ship’s receivers into recording at the start of the attack. However, the shift was so slight that the crew assumed it was due to natural forces such as water currents and crosswinds, so they adjusted the vessel slightly to the right. In reality, this corrective maneuver actually took them off course.
As a result of the crew’s actions, the White Rose veered a kilometer from its intended course, unbeknownst to Schofield, before Humphreys called off the spoof about an hour later. The same trick could have been executed for a ship on autopilot, with the navigation system performing the course correction instead of the crew.
Schofield was dismayed, to put it mildly. He and his crew depend on GPS for the safety of all on board—for example, for navigating away from storms and for steering clear of shallows and underwater hazards at night or in fog. Although Humphreys’s spoofer is too sophisticated for the average computer hacker to assemble, this technology is within reach of many countries—there have been rumors of spoofing “in the wild” by North Korea—and even some private individuals.
Fortunately, Psiaki and his students from Cornell University had been forging antispoofing defenses. In fact, Psiaki was testing an early prototype of a spoofing detector at White Sands at the same time that Humphreys’s group attacked the drone. The prototype successfully detected every attack, but only after hours of off-line computation.
Could Psiaki produce a real-time version? If so, Schofield wanted to test it on the White Rose—and soon.
There are three main ways to protect against GPS spoofing: cryptography, signal-distortion detection, and direction-of-arrival sensing. No single method can stop every spoof, but Psiaki’s team has found that combining strategies can provide a reasonably secure countermeasure that could be commercially deployed.
Each GPS satellite [top] transmits a unique code to identify itself to receivers. Each code consists of a distinct pattern [middle]. Receivers use signals from at least four satellites [bottom] to figure a location.
Cryptographic methods [pdf] provide a way for users to authenticate signals on the fly. In one approach, for example, civilian receivers would use PRN codes that are totally or partially unpredictable, similar to those used by the U.S. military, so a spoofer can’t synthesize the codes ahead of time. But to verify each new signal, every civilian receiver would have to carry an encryption key similar to those held by military receivers, and it would be difficult to keep attackers from obtaining such widely distributed keys.
Alternatively, a receiver could simply record the unpredictable part of the signal and wait for its sender to broadcast a digitally signed encryption key to verify its origin. However, this approach would require the U.S. Air Force to revise the way GPS signals are broadcast and manufacturers of civilian receivers to change how those devices are built. It would also require a slight delay, which would mean that navigation updates would not be verified instantaneously.
An easier way to protect civilians would have them “piggyback” off of the encrypted U.S. military signals. Already, military signals can be received and recorded by a civilian receiver even if they cannot be decrypted and used for navigation. Once they record the signals, civilian receivers can observe the noisy trace of a PRN code even if they can’t figure out the actual code. That means these receivers could authenticate a civilian signal by looking for the trace of an encrypted military signal behind it. This strategy relies on a second civilian receiver [pdf] at a secure location to verify what the trace should look like within the signal. Otherwise, a spoofer could generate a fake trace to accompany any civilian signal the operator wished to spoof.
The downside is that all cryptographic techniques are vulnerable to attacks by specialized systems that can intercept any signal, delay it, and rebroadcast it with more power, persuading a receiver to switch from the legitimate signal to the delayed one. Such gear, which is called a meacon, can use multiple antennas to add delays of different lengths. By tuning the lengths, the spoofer’s operator can choose how he or she subverts a GPS receiver.
Another option for defense is distortion detection [pdf], which can alert users to suspicious activity based on a brief but observable blip that occurs when a GPS signal is spoofed. Typically, a GPS receiver uses a few different strategies to track the spike of an incoming signal’s amplitude. When a copycat signal is transmitted, the receiver sees a combination of the original signal and the false one, and this combination causes a blip in the amplitude profile during drag-off.
Distortion detection is a matter of adding more signal-processing channels and, possibly, a modest amount of hardware so that users can track a signal’s amplitude profile with greater precision. This technique looks for unnatural features—an amplitude spike beyond a certain height or width, for example. However, a distortion detector works only if it catches the signal between the beginning of the attack and the end of drag-off—a process that may last just a few minutes.
A final detection method is direction-of-arrival sensing. The original spoofing detector that Psiaki demonstrated at White Sands used this technique, but, as you may recall, it required hours of off-line data processing to detect the spoof. With the White Rose diversion fresh in his mind, Schofield wanted to know if a live version could be installed on the ship.
Direction-of-arrival sensing exploits the fact that a practical spoofer can be in only one place at a time. As we’ve described, a spoofer transmits a false signal for each GPS satellite the operator wishes to imitate. It does this by fabricating the PRN codes for every satellite in the vicinity of a target. The catch is that the spoofer sends all those signals from a single antenna, and they arrive from the same direction. Authentic GPS signals, on the other hand, come from several satellites, and therefore from several angles.
If you could independently sense the direction from which each signal arrived, you could easily determine whether you were being spoofed. To test this idea, Psiaki’s lab recently built a system that uses software and two antennas to apply principles of interferometry to spoofing detection. Specifically, it measures a property called carrier phase [pdf] to discern how a signal varies from one antenna to the next and then determines what that variation says about the signal’s angle of arrival.
Carrier-phase monitoring is a method for counting cycles of Doppler shift in the GPS signal. Doppler shift occurs when a signal emitter is moving relative to a receiver. Think about the classic example of a fire engine moving past you: The siren’s frequency shifts from high to low as it goes by. GPS satellites, too, move relative to a GPS receiver, and that relative movement is different for each satellite.
So in Psiaki’s detection scheme, the detector measured the carrier phase for the signals received. If the difference in carrier phase as measured between the detector’s two antennas varied widely from satellite to satellite, it knew the signals had arrived from multiple directions. But if the system detected little or no variance among carrier-phase differences, that meant it was picking up a set of signals coming from a single spoofer.
Early tests looked promising, but the detector was hindered by the off-line computing required to do the signal processing necessary to calculate the variance in carrier phase. The problem was that our original program was written in a programming language that couldn’t communicate in real time with the software used by GPS receivers. However, in April 2014, Humphreys’s team at UT Austin provided a crucial piece of the operational puzzle by demonstrating that a GPS software radio—in which such key components as mixers, filters, and modulator/demodulators are implemented with software rather than hardware—could enable the real-time use of Psiaki’s off-line code with only 6 seconds of delay. The software GPS radio essentially enabled real-time execution of the off-line code via scripting commands, thereby obviating the need for a laborious code translation into a real-time programming language.
At Schofield’s request, we tested this defense in June 2014 on the White Rosewhile the ship cruised around Italy. One spoofing attack orchestrated by Humphreys duped the ship into thinking it was on an absurd course to Libya, supposedly traveling at a speed above 900 knots (or about 1,000 miles per hour) in a straight line that crossed under Italy and Sicily at a depth of 23 kilometers (or 14 miles) below sea level!
Psiaki’s spoofing detector [pdf] alerted the bridge crew to the deception at the outset of the attack by measuring the carrier phase of seven GPS signals originating from satellites and the spoofer. Just as the attack began, the detector noticed that the variance it expected to see in authentic carrier-phase differences suddenly vanished. The spoofing drag-off to Libya started about 125 seconds into the attack, but Psiaki’s system picked up the attack within the first 6 seconds.
Earlier this year, GPS manufacturer U-blox released the first commercially available spoofing defense for consumer GPS receivers in a firmware update to its M8 line of navigation systems. The company, based in Switzerland, did not announce details about the detection method it has deployed. However, we’re pretty sure that it is distortion detection because that approach is easiest to implement through a firmware update, requiring only some additional signal-processing algorithms.
But distortion-based methods may miss attacks that they fail to catch early. Cryptographic methods are very effective (just ask the U.S. military) but require either substantial changes in how GPS signals are broadcast or an additional high-bandwidth communications link. Architects of Europe’s new global navigation satellite system [pdf], called Galileo, have embraced this approach and have tested the broadcasting of digitally encrypted signals for civilians over their system. Unfortunately, such a system would still be vulnerable to a meaconing attack.
Direction-of-arrival sensing is our method of choice, but it is typically more expensive to implement than distortion detection. The process itself is most effective when executed by multiple antennas, but large arrays can’t easily fit on handheld devices. And partial spoofing can dupe it: If a spoofer targets only one or two GPS signals instead of all signals from every satellite within range, some variance in the carrier-phase difference will persist even after the attack.
In the end, we think the strongest spoofing defenses will probably combine distortion detection and direction-of-arrival sensing. Distortion detection will help during the initial attack phases, while direction-of-arrival sensing provides a second line of defense.
However, we can’t guarantee that any such combination of solutions will be affordable for the average user. Commercial developers must amortize costs over a large number of sales, but most consumers do not need spoofing protection. It’s a safe bet that Iranian agents aren’t interested in frustrating the efforts of U.S. motorists to find trendy new restaurants or drive their children to baseball games.
For those like Schofield who have deep pockets and face real risks, at least one manufacturer already sells a two-antenna receiver that could easily be upgraded to include direction-of-arrival algorithms. That manufacturer might soon be able to market a spoofing-resistant product on the order of $10,000 per unit. Operators of commercial airliners, large ships, and automated stock traders should be willing to pay that kind of money to lock the barn without even knowing whether horse thieves lurk in the neighborhood.
In the meantime, the good news for Schofield is that in order to pull off a spoof, an attacker must be close enough to the target to determine its precise location, log the GPS satellites that the target sees, and transmit false signals to it on a direct line of sight. Fortunately, no vessels beyond the White Rose’s horizon could have executed this hack.
All of this work is just one piece of the larger challenge that faked physical signals pose to cyberphysical security. Might a hacker send a false radar signal to the automatic braking system of a high-end car and bring it screeching to a halt on a packed freeway? The possibilities are significant, growing, and alarming. We think the red-team/blue-team development strategy, in which the red team attacks a system and the blue team defends it, could be useful to others leading missions that deal with sensor deception, as we have found it to be in our work. We will be rooting for the blue teams.
This article appears in the August 2016 print issue as “GPS Lies.”
About the Authors
Mark L. Psiaki is a professor in the Department of Aerospace and Ocean Engineering at Virginia Tech. He recently retired from a career with the Mechanical and Aerospace Engineering faculty of Cornell University, where he began his work on GPS spoofing detection. Todd E. Humphreys is an associate professor in the Department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin. FBI agents have visited his lab several times to inquire about his spoofer.
For Vessel Security Information and Event Management solutions visit: http://cyber.aspida.org