77 comments

[ 4.0 ms ] story [ 140 ms ] thread
You will be relieved to know that the military is on top of this and regularly trains for GPS jamming scenarios https://www.ofcom.org.uk/spectrum/information/gps-jamming-ex...
If you RTFA, you'll note that jamming is different than spoofing. And no it doesn't make me feel relieved that the military "is on top of this". Whose military? Why should we trust them? State actors with the capability to spoof GPS signals can do much harm to even their own citizens.
It's not comforting, indeed.

But you should know that the various space-based positioning systems (GPS, GLONASS, BeiDou etc) are deployed and administered by the respective governments of their countries of origin. They were invented for the military and can be selectively disabled or degraded for civilian users.

Does anyone think it's possible for non-governments to stand up replacements for these systems, from either a technical or legal / political perspective?

It'd be very easy to make a law outlawing high-resoluton satellite positioning systems. All lawmakers would need to claim is it was a national security issue that terrorists could use blah blah.

From a technical perspective it's not hard at all, but corporations are probably leery of launching (no pun intended) such a business.

> If you RTFA, you'll note that jamming is different than spoofing.

Military GPS signals (P-code and future M-code) are encrypted, so spoofing is somewhat less of a concern for the military. See https://en.wikipedia.org/wiki/GPS_signals#Precision_code and https://en.wikipedia.org/wiki/GPS_signals#Military_.28M-code...

Outside of the military, both academia and industry are well aware of the potential for spoofing of civilian GNSS signals and have been developing proof of concept attacks and countermeasures for quite some time. See, for example, http://gpsworld.com/inexpensive-hack-spoofs-gps-in-smartphon... and https://www.ion.org/publications/abstract.cfm?articleID=1478...

In the case of using the encrypted GPS I would guess that spoofing would look like jamming. Basically if you were getting a GPS signal and it wasn't encrypted correctly you would consider it invalid but you're probably not seeing the real satellites because you're seeing the spoof signal. The net result being you are seeing no GPS signal you can trust. That reduces down to the previously solved problem of operating with no GPS at all.
Whose military?

If you "RTFA" you will observe that OFCOM is the UK regulator.

the plot of Tomorrow Never Dies wasn't that far fetched after all?
awesome.... exactly my thought :)
many NATO guided bombs, missiles and drones rely on GPS navigation

There are separate code sets for civilian and military GPS, and the latter should only be availability to US military equipment manufacturers. What I wonder is whether that means some NATO equipment will be misdirected by spoofing attacks and other will not, or if the attackers actually are able to spoof both types of signal.

> if the attackers actually are able to spoof both types of signal.

Interestingly, the military GPS signal is encrypted using what is called the A/S "anti-spoof" code. Which was deployed in the '70s. So you know they've been thinking about it for quite some time.

Practically speaking: Assuming one can shield the spoofer receiver from its own transmitter there's no real reason why a spoofer can't set up a receiver at one location and rebroadcast the encrypted signal as received there. If rebroadcast at sufficient power it would easily overpower the true signal, and would indicate the spoofer position rather than true position everywhere it was the strongest signal. Sort of like if you just moved everyone's antenna to the spoofer location using a very long antenna cable.

It would be very interesting to know what military receivers do to mitigate such an attack. I haven't seen anything in open literature. I suppose it would be (rightfully so) classified technology.

Is this really possible? I don't know much technical details about GPS, but I thought a large component was time-based. If my understanding is correct, wouldn't rebroadcasting fail because the times didn't match correctly?
The question is: match with what?

Part of the GPS calculation is to figure out what time it is. There is no reference needed other than what the satellites broadcast. If you are rebroadcasting the entire GPS signal it includes all of the satellites, and will be self-consistent.

Also, in the case of a rebroadcast it need not be delayed by more than something on the order of a microsecond or so.

If the receiver has some sort of out-of-channel time reference that is accurate to nanosecond levels I suppose that could be used as a check, but that sort of thing takes an atomic clock and doesn't fit in a wristwatch.

Also, in the case of a rebroadcast it need not be delayed by more than something on the order of a microsecond or so.

That only works if the spoofer is very close by.

One microsecond is 1000 feet. (Recall the "Grace Hopper nanosecond" as a start.) So, if the spoofing signal rebroadcast originates 5 miles away, that's 26 microseconds of delay right there.

If the receiver has some sort of out-of-channel time reference that is accurate to nanosecond levels I suppose that could be used as a check, but that sort of thing takes an atomic clock and doesn't fit in a wristwatch.

You're way off in your accuracy estimate.

Oven controlled crystal oscillators have been around for at least 50 years. Probably a lot more. And they're dirt cheap. All they are is some temperature stabilization around an ordinary crystal oscillator. Quoting from the (always highly accurate) :) Wikipedia:

The short term frequency stability of OCXOs is typically 1x10−12 over a few seconds, while the long term stability is limited to around 1x10−8 (10 ppb) per year by aging of the crystal https://en.wikipedia.org/wiki/Crystal_oven#Accuracy

An OCXO isn't practical in a tiny drone or a wristwatch, but it's highly practical in any military instrument that weighs more than a few pounds.

> That only works if the spoofer is very close by. One microsecond is 1000 feet. (Recall the "Grace Hopper nanosecond" as a start.) So, if the spoofing signal rebroadcast originates 5 miles away, that's 26 microseconds of delay right there.

I made a mistake in ambiguously referring to two things: processing delay at the spoofer, and speed-of-light based time difference between spoof signal and direct broadcast at the receiver.

However, I'm not aware of any crystal based clocks that are suitable for high dynamic range G environments that would be easy to use as an independent reference for any reasonable amount of time. They all suffer in shock/vibration conditions, and need external conditioning to maintain longer term stability. Maybe the military has 'em, but I guarantee they cost a lot more than a GPS rec.eiver

They all suffer in shock/vibration conditions

Interesting. I didn't know that.

There's a comment on another thread that someone just made: https://news.ycombinator.com/item?id=15007006

And now you can buy a genuine atomic wristwatch.

Here's a few sentences from the linked website: In each atomic physics unit is a small vessel of Caesium 133, an oven to heat it to 130°C, a laser to excite the atoms and a microwave resonator that resonates at the hyperfine transition frequency of the atoms, 16,546,737,186,000 vibrations per hour, with an accuracy of one 5 parts in 10-11. https://www.hoptroff.com/pages/about-us

The same shock/vibration limitation probably applies to it. Still, it exists! I think. I wouldn't spend that much money to find out if it was real.

Some links you might find interesting:

https://www.microsemi.com/products/timing-synchronization-sy...

http://www.oewaves.com/media-events/item/50-oewaves-to-devel...

http://www.gps.gov/governance/advisory/meetings/2016-05/lutw...

https://www.darpa.mil/program/micro-technology-for-positioni...

I haven't seen much (haven't been looking either tho) since the Micro-PNT program which was in 2008. Sometimes that means that things are getting interesting, other times it's a dry hole. I'm interested in any later developments if you know of them.

>Is this really possible? I don't know much technical details about GPS, but I thought a large component was time-based.

Yes, it's possible mostly because you can drown out the weak signals coming from satellites with much stronger terrestrial ones.

There is also a new generation of GPS planned that will help mitigate future attacks, but it's getting delayed like crazy: https://en.wikipedia.org/wiki/GPS_Block_IIIA

Also, see this article on how it's technically feasible: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20pre...

At its core, GPS works by having each satellite continually broadcast the current time. By observing the time-of-flight differences from multiple satellites (at least 4), the receiver can then compute its position and the current time.

There's a lot more to it, of course, in terms of how it's encoded and how you know where the satellites are and such, but that's the basic principle.

Note that the receiver itself doesn't know what time it is until it gets a position lock from the satellites. Receivers can have onboard clocks, which helps them calculate their position and the time more quickly than starting up with no idea of the time at all, but it's just a helper, not a requirement. Even if you have one, the onboard clock will necessarily be much less accurate than the ones on the GPS satellites, so any (reasonable) delta will be assumed to be clock drift, not spoofing.

So, if I set up a receiver at point A, then rebroadcast the signals I receive to your receiver at point B, and your receiver is blocked from getting the true signals at B, your receiver will think it's at point A. It will also think that the current time is behind, by whatever the rebroadcasting delay is, but it won't have any way of knowing that's wrong.

As far as mitigation goes, if your receiver was running before the spoof signal started to arrive then you could easily notice that things had suddenly gone crazy. I think military equipment that depends on GPS also has backup inertial navigation systems which would quickly show any divergence, and allow it to continue without GPS input (albeit at reduced accuracy).

>there's no real reason why a spoofer can't set up a receiver at one location and rebroadcast the encrypted signal as received there

I can't really see this working if you have an inertial navigation backup system. It would be easy to detect the large error in GPS position and just ignore the GPS.

You'll need two alternatives to GPS to be able to tell whether it's a malfunction in GPS, or the inertial nav. e-loran is such a third alternative.
Only if you assume they're equally likely to fail. Since INS is much less susceptible to spoofing and ought to have a fairly low nominal failure rate, in wartime it might be reasonable to assume disagreements are due to spoofing.
Also, I believe most airliners have 2 or 3 INS systems, so it would be easy to see (or detect) if one of them has failed.

It seems unlikely that all the gyros would silently fail...that would only happen if the gyros tumbled, or power failure to the gyros, but there would presumably be an error indication in either of those situations. (Also, these days they use ring laser gyros, which don't tumble or stop spinning).

Speaking of which, are RLGs actually difficult to manufacture or is the military intentionally stopping them from getting into civilian hands? Even the best cell phone sensor fusion seems to result in an obnoxiously shitty map experience.
The power requirements for even the most miniature RLGs is still pretty large relative to cell phone peripherals, and they are still physically pretty large. DARPA has had focus efforts in the MEMs arena for more than a decade now, including atomic clocks and optical systems but its not stuff you can put in a square mm of silicon and feed with a couple of microamps.
Huh, I'd have guessed the opposite: that a laser, optics, and a piezo vibrator would be easy to integrate, while a MEMS gyroscope would be much harder. I ask anyone who gives the slightest hint of familiarity with the field because I suspect that my surface-level understanding is just missing the juicy photonics challenge that's roadblocking integration.

The alternative hypothesis of military heel-dragging (similar to the case of bolometers) is much less exciting, but verifying it would at least allow me to stop poking around :)

Phones use MEMS sensors, which are much cheaper than laser gyros. I'm not sure if google maps uses the accelerometer, or just the GPS and compass.

In my experience, phone maps work well if the device has a good GPS signal. It's just the compass that gives a shitty experience. I wish google would ignore the compass and just use GPS direction when you're moving. They used to do this, but now they seem to rely in the inherently crappy compass for direction.

> Phones use MEMS sensors, which are much cheaper than laser gyros

Yes, but why? To my surface-level understanding, RLGs sound like they would be easier to integrate.

> It's just the compass that gives a shitty experience.

Yep, that's my experience too, and that's why I'd be ecstatic to hear that the compass was being replaced by a RLG (which could be re-locked to true North every time GPS got a decent movement vector).

Then again, I half suspect that something is FUBAR'din the current compass stack. I have one of those fluxgate-magnetometer current probes at work and can report that everywhere I've used it I have seen magnetic field vary as a high-SNR continuous function of direction, yet my phone's maps app has a ton of lag, hysteresis, and jankiness when rotating in the same damn field. Maybe we just need to wait for the cheap compasses to get better.

This is kind of fun, so to play some more: suppose the spoofing platform is mobile; say, a UAV that starts out very very near the target of the spoofing, and gradually moves away at a rate designed to confuse such a check.

You can see why military stuff gets expensive. The world gets complicated when folks are actively trying to screw with you.

Large commercial ships already have INS backups and it can be spoofed just fine using carry-off attack. Spoofed signal gradually diverges from the correct signal and inertial navigation can't spot the difference.
Detection 1: Constantly run HFDF on all GPS frequencies. You know where your own transmitters live. Process of elimination.

Detection 2: Compare GPS velocity vector to INS velocity vector. For fixed installations, have two receivers spaced some distance apart and compare GPS location.

Detection 3: Measure the time delay between GPS and your RTC. With a GPS disciplined RTC, drift should be low enough to make this viable.

Detection 4: Look for jumps in GPS location or time.

Mitigation 1: Send black vans, soldiers, or missiles as appropriate to rogue transmission locations determined by HFDF or the encoded position of spoofed signal.

Mitigation 2: Frequency-agile and mobile GPS substitutes almost certainly have a prominent role in EW strategy. Of course, as you note, the details have to be classified, but it's pretty easy to speculate what form the overall strategy will take.

You're talking about a GPS repeater. Such systems are commercially available to rebroadcast a GPS signal within a building where the signal wouldn't penetrate, but require a license to operate, IIRC.

As for countermeasures, well, whoever's holding the receiver is bound to get suspicious if they move and the reported position doesn't. :) Jokes aside, there is work being done integrating other sensors (inertial, compass, gyro, etc.) to do dead reckoning to detect errors in the position and motion reported by the GNSS receiver.

As an aside, "GPS" technically refers only to the positioning system operated by the United States. The generic term is "GNSS" (global navigation satellite system) and encompasses GPS, GLONASS, Galileo, Beidou, etc.)

> there is work being done integrating other sensors

Integrated navigation systems GPS/INS are already default in many critical civilian systems. They sell these systems as a single package.

These systems are still vulnerable against satellite-lock takeover where the spoofer who starts with repeating the correct signal and diverges from it gradually.

I don't know that any military equipment relies on GPS. They use it preferentially, but have other things they can fall back to. JDAMs, for example, have an inertial navigation system in addition to GPS. I'm sure that these weapons have the ability to detect spoofing by seeing that GPS is diverging significantly from the INS output. The weapon is less accurate without GPS so spoofing (or just plain jamming) could be used to reduce its accuracy somewhat, but probably couldn't be used to make it hit a completely different target.
There are several types of spoofing attacks and it's possible to use spoofing as type of jamming attack against military GPS units from a distance where pure jamming is not effective. Older receivers require lock into C/A code before moving to encrypted P(Y). The new M-code attempts to solve some of these issues.

The simplest form of GPS spoofing sends made up signals that misdirects the GPS receiver. Military equipment is protected against these kinds of attacks with authenticated signals. Carry-off attacks (satellite-lock takeover) start with broadcasting perfectly synced repeat of the original signal. This kind of attack can be used to make munitions and missiles to lose their signal lock in critical time.

It's also possible that there are multiple weaknesses and bugs in the military receivers that can be exploited.

Iranians were somehow able to trick RQ-170 drone to land on Iran.

When Iranians captured U.S. Navy patrol boat it was because there was mysterious navigation error.

Reminds me of the Iran–U.S. RQ-170 incident, when a CIA drone was captured by Iranian forces; one of the leading theories was GPS spoofing, although naturally Lockheed Martin denied that it was vulnerable to such a simple (for a nation state) attack.
Time to break out from storage: sextant, compass, paper map, ...
The Navy was a couple years ahead of you, they've already started training officers to navigate by non-electric means: http://www.npr.org/2016/02/22/467210492/u-s-navy-brings-back....
The fact that they stopped at all astonishes me. In a military context, it's certainly conceivable that a ship would take some kind of battle damage that would disable its electronic nav systems.

Middies also used to learn how to sail with canvas, did they stop that, too?

GPS goes wonky near the Kremlin, as every tourist knows.
This is fairly old news. Reports are a year or two old and suggest that Russian security uses GPS spoofing anywhere V. Putin may be located, presumably as a defense against drone type attacks or surveillance. The spoofed location is often an airport. The black sea spoofing could be related to a visit to e.g., Sochi.

Alternatively Russia could be deploying the spoofers on ships now, which would seem to have offensive implications as well as defense.

(sorry, no links)

Sounds like a semi-reliable Putin Detector could be set up if you wanted to...
It would also be fairly short-lived in battle, since the spoofer is broadcasting its own location in a highly accurate "place ordnance here" manner.
More likely it is broadcasting the position of the satellite it is spoofing, with altered timing.

edit: that doesn't prevent other means of locating the source of an rf signal

You can't spoof the encrypted signal by simulating a satellite, you have to capture the real signal and rebroadcast it as an overpowering signal so targets can't get the direct broadcast at their location.

This means that everyone who is getting the overpowered signal will compute the same location, which will be the antenna of the spoofer.

Let's think through that. In order to spoof GPS, you need to overpower the true GPS signal with your own. You put some transmitters in a location, and anyone attempting to get a GPS fix while in that location gets spoofed data and the wrong location.

Now, if you're close enough to get the spoofed signal, you're close enough to see Putin's entourage and know he's probably nearby. If you're not close, you don't get spoofed. So I'm uncertain of the utility of this Putin Detector.

GPS signal is very weak, it would not take much to overpower the signal from a good distance I think.
Yes, but the opponent will only see a largish region, probably [a few 1000 km big UPDATE: from other comments here, it seems the region can be much smaller], where the GPS is off and the opponent would usually already know his location to that precision.

Still it might be a worth-while excersise for the NSA -- not so they can target Putin. But to provide one more signal for when he makes some unexpected, hush-hush trip to some central Asian republic or some-such.

Can attest this. Area near Kremlin is spoofed to Vnukovo airport for several years already. There were reports about putin's dacha spoofed to the nearest aiport too.

I really do not know about reasons and efficacy. Professional grade multi-gnss receivers can easily filter this crap out, at least they could 5 years ago...

It is probably made against civilian drones. Otherwise there would be a lot of people flying over Kremlin just for fun and annoying security guards.
But is it only Kremlin spoofing? I been to wisit DC/White House hoods many time and every time I had problem using google or apple maps. Signal was all over the place.
Here is a CNN report on it http://money.cnn.com/2016/12/02/technology/kremlin-gps-signa...

They spoof no-fly zones to trick the drones that abide by them. It's hard to image building or retrofitting a surveillance or weapon drone and leaving limiters in place.

I first heard about it on a running forum but I cannot find the link. Apparently, joggers were getting an extra 20 km on their runs because of the spoofing.

Where is the proof that Russia is behind this?
Where is the proof that Russia is behind all this?
On the map probably. If you wanted to do this, it wouldn't be handy to do it in a country or for a country that actively scans for radio spoofing, jamming or illegal use of radio bands. Considering that out of all the countries nearby only one or two would have the means it's not hard to figure out would would want to do this.
Not only old news as suggested in other comments, but not hard to do either; IIRC, this was done 1 or 2 DEF CONs ago, not only for GPS, but also for older systems that use radio beacons (Aircraft? not sure..) and A-GPS (spoofing GSM radios).
Yes! That's the one I was looking for. I guess going for 2014 or older wasn't going to get me the 2015 presentations ;-)

It is pretty effective in illustrating how easy it is to break such a system. Easy as in, you don't need a big nation state actor to do this.

Funnily enough I have a legitimate use for this: correcting GPS drift in a location with poor GPS availability. I would love to carry around a Raspberry Pi with an attached SDR that let me fine tune the signal so it's accurate versus showing me across the street, down the block or aimlessly wandering in circles.
That is laughable and doesn't provide any kind of military utility. What is the value of spoofing GPS by putting everyone into the same point, with zero inferred velocity and acceleration vectors, while other data sources like inertial will easily tell the supposed victim this is all wrong?

Also, M-code can't be affected this way because it is encrypted, and military grade GPS receivers use virtual directed beams so they are next to impossible to simply jam, either.

M-code encryption doesn't protect against rebroadcast, which is what this attack seems to be. And beam-forming has its own limitations which can be fairly easily overcome by signal strength. It may be that military mitigation involves defining a carefully circumscribed envelope of signal strength, checks against inertial references, alternative time sources, etc. But it's not trivial or laughable.
M-code contains time and ephemeris data, yes? (Since it's supposed to be "autonomous".) It seems like it would be quite easy to detect replay attacks.
The receiver likely doesn't have an accurate enough clock to reliably detect a quick (a tiny fraction of a second) replay attack if it can't hear the original transmitters due to intentional interference; most GPS systems would treat any differences between internal time and the time from the GPS data as a sign that their clock is drifting and needs to be adjusted, and it should be that way because their clock is inaccurate and drifting.
Let's see: if the transmitter of spoofing signal is 3km away from the received (less than meaningful minimum - 3km distance is easily covered on inertial alone with no precision loss) it means 1us error. On 30km, 10us error. Is that really hard to have clock that precise on a receiver?
Yes, it is quite hard - standard oscillators used in electronics can easily drift up to a second a day (we don't notice because many devices update their time from GPS signal or cell data), and even really good ones will still drift for a millisecond quite quickly and it definitely can't rely on accuracy measured in us.

For getting such an accuracy, IIRC, at the very least you'd need a temperature-controlled environment (so, not feasible in mobile devices) because the standard approaches will be slightly faster/slower depending on temperature.

There are atomic clocks that weigh only about 35 grams. They cost $15K though, so probably too expensive for munitions, except nukes, but fine for aircraft and ships, and probably for some land vehicles. Having ±5.0E-11 accuracy and <1E-11 @1000s short term stability. So enough for any aircraft sortie or ship action in a region of probable GPS spoofing (precise enough for days).

Even OCXO will be enough given short duration of stay in a spoofed environment (typical OCXO will give you 50 seconds, but it is more than enough time to be within 300 meters from a spoofer, unless you are on foot). Or 500 seconds within 3000 meters, which is same speed - 6 m/s - which you have to maintain to be able to filter out spoofing. Several times more in practice because these are all RMS, not max errors. But 30 m/s is 5 sigmas which is military (nuclear, to be precise) definition of 'safe', so all aircraft/munitions are safe, and ships are big and expensive enough to justify $15,000 atomic clock.

Wow! Thank you for the detailed description. I didn't realize atomic clocks had become so small. After searching, I see you can even buy rubidium clocks with similar accuracy for around $1000 in single quantities! Very impressive.
The takeaway I get from this is that whenever the Kremlin is attacked, they'd rather the nearby Airports take the hit.

I guess then no one will leave, and no one will come in.

Isn't it the other way? You're in your garden in Moscow but the GPS says you're thr airport. A missile heading for the airport will think "I'm on target!" as it lands on your head.
I feel like this also tips the hand of someone trying to track Vlad down. All you have to do is set up gps devices in/around major Russian areas (Sochi, Moscow), and when you start seeing anomalies, he's probably nearby.
We may soon see 'inertial navigation system (INS)' to supplement GPS.

I wonder if the cost of producing/maintaining it could be lowered significantly enough using new sensors developed for use in smartphones and such.

Typical Americans. Tomorrow they will write that Russia is a third world gasoline-station-country without any technology or weapons with dumb people and is unable for anything. Pure cognitive dissonance.
I guess we could go back to navigating by the stars. Alternatively we could go back to using LORAN... way less expensive than satellites and more robust with modern micro controller technology. With their output power they would be hard to scramble the frequencies by wattage output flooding on the same frequency. If they also used timed frequency hopping they could further protect it.
You don't just need signing, because that can be replayed. You need distance bounding protocols to stop replay, but that requires interactive communication.
I wonder if this played any role in the recent Navy accident. It seems there were multiple safeguards which failed, but it would be very interesting if there were GPS issues as well.

http://www.cnn.com/2017/06/16/politics/us-navy-destroyer-col...

Unlikely. The ACX crystal was traveling in a straight line for hundreds of miles before the collision. Just before the collision she made a slight turn to port in order to navigate a narrow straight. Her trajectory was entirely consistent with her destination. There's no indication she didn't know exactly where she was. (And I mean that literally: the ship knew where it was. The evidence indicates that the crew was asleep.)

Reference: http://blog.rongarret.info/2017/06/theres-something-very-odd...

Wasn't this part of the plot to "Tomorrow Never Dies"?