GPS Spoofing With $3000 Worth of Equipment and a Laptop 180
First time accepted submitter svartbjorn writes "Todd Humphreys and a team from the University of Texas proved the concept that a terrorist could take over the navigation of a ship or even a plane, making it appear to the crew that the ship was moving along a straight line course when in fact it was changing course under the control of the device. This raises some serious issues for this being used for terrorist purposes."
OMG TERRORIST (Score:5, Insightful)
terrorists could do this, terrorists could do that, they can KILL YOU in so many ways! Run for your lives! Or better yet, submit to your federal overlords via TSA DHS who will keep you safe!
Actually no, fuck the terrorists, they're third world noobs living in mud huts and the best they could do in 12 years of trying realyl hard is to hijack a few planes with knives. You have more to fear from your own government than any terrorist.
Over and out
Re:Gyros (Score:5, Insightful)
In the case of airliners, it is usually full inertial navigation. Usually three independent inertial systems which continual comparison. The navigation system uses all the inertial systems as inputs, usually 1-2 GPS systems as input, and also radio navigation beacons (not very precise, but good enough for anything but landing). The GPS mainly provides long-term stability to the inertial systems, which are the direct reference.
Any area navigation system used in an aircraft for navigation in non-visual conditions has to meet a number of standards, which include the ability to measure its own performance/inaccuracy. I'm not sure if the spoofing in this article would defeat that - it isn't enough to give a false position - you need to give a false position which looks very accurate, and which drifts from the real position slowly enough that if the aircraft has inertial navigation it will consider the change plausible.
Even then, you'll also have to jam all the local radio navigation beacons which is going to be noticed most likely. If the aircraft tunes a radio beacon and gets inconsistent values from every station it tunes (automatically) it will probably report a navigation failure to the crew who will take it into account (and you'd be surprised how well a plane can do with nothing but the magnetic compass, good wind reports, and dead reckoning).
If you did manage to confuse the plane it really would only be a problem low to the ground in fairly mountainous terrain, unless you can keep it up for hours to get it way off course (and the crew will notice when they can't tune stations that are supposed to be in range and ATC will surely notice until they go entirely to ADS-B - and in the case of international flight the air defense identification zones surrounding many countries including the US will have active radar for obvious reasons). Most actual landings use ILS, which is completely independent of GPS - the aircraft won't really descend enough to hit buildings until it is on the ILS glideslope which is guaranteed to be clear. Only an actual GPS-based runway approach would get the plane low enough to hit something unless there are mountains nearby.
So, an attack would be hard to pull off against an airliner. Small planes do not have so much redundancy, but their GPS units still try to evaluate position accuracy and generate warnings (which pilots are trained to heed) when they believe they are having problems.
All that aside, GPS signals really need to have authentication embedded. That said, they would still be vulnerable to replay attacks if the main signal could be jammed and the receiver did not have a sufficiently accurate clock to spot replays (it would have to be VERY accurate over fairly long periods of time).
Re:A more technical explanation (Score:2, Insightful)
Old news. If you want a less sensationalistic, more technical discussion of how this is done, see this article http://www.gpsworld.com/drone-hack/ [gpsworld.com].
In brief:
1) Yes, it's possible but there are a lot of issues that make it less than practical
2) It's a non-issue for military positioning systems, which use encrypted, time-stamped signals.
3) Experts are already aware of the problem and are working on solutions.
What issues make it less than practical? I read the article and I didn't see any major problems with doing it, nor did the authors.
As for "experts are already aware of the problem and are working on solutions", it reminds me of the last scene in the 1st Indiana Jones movie, where the Ark of the Covenant is being put into a seemingly endless warehouse. "Don't worry Dr. Jones, we have top people working on it". "Who?" asks Jones. "Top people".
Yes, it is possible to fix, but does that mean it isn't worth paying attention to? It hasn't been fixed yet. I also didn't find the article Slashdot linked to to be terribly sensationalistic.
Re:but there's this new thing called a knife! (Score:5, Insightful)
And you know what? That entire problem was solved by putting locks on the door. For the 110% solution, the Feds no longer tell people to comply with hijacker's demands.
Everything else, the gutting of the Constitution -- that's just gravy for our rulers.
Re:It's news worthy but isn't at the same time ... (Score:5, Insightful)
What are you talking about? There are all sorts of things you can do to mitigate such attacks.
For one, you can sign GPS data without encrypting it. Old equipment can use the plain-text data without issue. New equipment can optionally verify the signature, if that makes sense in the particular application. If your systems does choose to verify the signature it can choose to ignore bad signatures, to warn the user, to throw out the lone bad signal, to throw out the whole fix calculation, etc. There's nothing technically complicated about that at all.
Another approach is to cross-verify this data. Planes and boats have inertial guidance (along with accelerometers, magnetometers, altimeters, etc.), which can easily be compared against each other to determine if one system is providing inaccurate data. And several of those systems require no external reference, making them quite difficult to hack. Combining all that data, throwing out the bits that don't match, and calculating a best-fit solution is pretty common even in low-end position/orientation systems, and I have to assume it's bog-standard in things like planes (or could be if it's not). Even cars have access to a lot of other data (wheel speed, engine speed, compass, etc.) that can be used for similar purposes.
And there are simple signal-based protections you can apply, that raise the complexity of an attack without requiring any modification to the broadcast signal. For example, you could use multiple antennas to ensure you're only listening for signals from the right slice of sky. You could track changes in signal level. You could track bitstream synchronization. None of that would prevent a local radio from overpowering the real system, but it would help you catch the switchover.
Not to mention you could provide some absolute reference via out-of-band tracking and comm. -- a system on the ground gets an actual fix based on radar/etc., and every minute or two sends out that fix with a timestamp via a non-GPS comm system. The on-board position tracker could then validate that external fix against its internal fix at the same time, and take appropriate action if there's a mismatch. This wouldn't stop short-term/small-delta attacks, as the data isn't instant and has some margin of error, but it would prevent long-term/large-delta attacks.
And you can do all of those at the same time -- together that's a lot of protection. I also suspect there are a lot of other things you could do to mitigate such attacks; this is just the list of things I could name of without any research or consideration.
It's also worth noting that removing autonomous course tracking (not even actual driving, but the whole navigation solution, as human pilots use the same navigational systems the computer does) does not solve this problem. It's not technically complicated to construct a sextant/stopwatch/etc. that gives false readings to misdirect whatever form of navigation the crew might undertake, even with no computers in sight.