51 comments

[ 3.9 ms ] story [ 108 ms ] thread
While the whole thing is interesting (mostly because of the design of the spoofer rather than it being anything else that's new) this headline is deliberately misleading.
> this headline is deliberately misleading.

I see what you did there... ;)

And the conclusion has been the same for a while. GPS-only NAV is very susceptible to degradation. Blended solutions are the only path forward with GPS.
I remember reading the Kremlin has a high powered version of this mocking the airport co-ordinates so drones would not fly in its airspace.
>mocking the airport co-ordinates

Sounds very dangerous. If an aircraft was landing in poor visibility they could use that to make t crash.

does ILS use GPS?
No it's radio waves with directional antennas
(comment deleted)
Airports use ILS with their own guiding antenna arrays and their own frequencies. At least this particular airport should.
The aircraft would have to be within a few hundred foot bubble of Central Moscow in order to receive the spoofed signal. There are already major problems if an airplane picks up that spoofed signal and tries to land based on it.
Could be used on self-driving vehicles like the giant dump trucks in quarries, or harvesters in corn fields?

What about autonomous trains? Cause that would off the rails.

A $10 steel bar can derail a train.
Easier to protect a train line than all the roads in a country (and indeed, they are often protected). No physical trespass required, remote activated.
Except rail lines aren’t protected, and couldn’t feasibly be protected. An autonomous car could easily be protected from this simply by using local sensors for collision avoidance, which I think is the norm, as opposed to what this headline misleadingly (heh) suggests.

Edit: Relevant XKCD. Causing crashes isn’t hard period. https://m.xkcd.com/1958/

In the UK railways are mostly protected. Now, that may be a simple fence, which someone could climb over, but then they may find themselves reported, or caught on CCTV. It's a very obvious, very visible thing to do, and in urban areas railways are indeed protected pretty well. And remote triggering something like that is non-trivial.

Roads are everywhere, most of them completely unprotected, and you don't actually have to physically and visibly interfere with the road.

> In the UK railways are mostly protected.

They aren't protected. We know this from the numbers of deaths that occur each year on the railways.

Is it also easier to protect all train lines in the country? It seems a bit foolish to compare a single train line to all roads instead of all train lines to all roads.
A more generous interpretation of my comment would have been "all trainlines versus all roads".

In the UK there's an order of magnitude more roads than railways. In the US there are two orders of magnitude more.

Should I also interpret this generously and assume that you only counted roads and train lines with the same amount of people traveling on them?
Really? $10 won't buy you much in terms of steel. You'd probably need a lot more than just a crowbar. I'm not saying trains are invulnerable to debris on the tracks, just that they are designed to handle small stuff on the tracks.
A crowbar well-placed/used is sufficient.
A crowbar is not "small stuff on the tracks". Have you ever seen a train?
Yes. They are designed for that stuff. Here's the biggest accident (in France) from having a large object on the tracks: 80 ton oversized load. Only the engine car derailled.

    Trainset involved: 70 (Sud-Est) 
    Service: train 736, Grenoble to Paris 
    Location: PN 74, Voiron
    Injuries: 2 dead, 60 injured
    [Edit: date: 23 September 1988]

    A special road transport with a weight of 80 tons became stranded on level
    crossing 74. Train 736, rounding a curve toward the crossing, ploughed into it
    at 110 km/h (68 mph). The large mass of the road vehicle made this crash much
    worse than it might otherwise have been; the engineer and one passenger died,
    and many more were injured when the first trailer was ripped open by debris.
    Only the leading power unit derailed. This wreck, the most violent to date,
    became a reference for the design and crash testing of safety features for the
    next generation of TGV, as embodied by today's Duplex trainsets. These newer
    trains have several deformable sections, at the front and rear of the power unit
    and at the front of the first trailer, to manage and absorb crash energy without
    damage to passenger compartments. Trainset 70 was never returned to service, and
    the trailing unit 23140 became a spare in the Sud-Est fleet.
10$ is around 10kg of steel. With that, you can make a crude derailer and easily (and I mean it) derail a train.
Stop shopping at the hardware store and go to an actual steel supplier. If you don't need a lot of material then don't be picky and just by a drop to avoid a cut fee (and revise your design for whatever material you get).
(comment deleted)
>A $225 GPS spoofer can send sat-nav-guided vehicles into oncoming traffic *

* by fooling the vehicle into driving the wrong way through a one-way street.

That's a serious asterisk. I think there are much more interesting worst-case applications for this, like kidnapping, randsom, misdirecting emergency responders etc. Some of those are mentioned by the article, but the headline just causes doubt and disappointment.

I agree

Google/Apple/whatever directions send delivery vehicles down roads with under-height structures all the time and they rarely get can-opened. GPS directions are inaccurate enough in urban environments that people have to pay enough attention for this attack to not work very well. People will generally defer to the local signage when it comes to which lane you need to be in for a turn and which way you can't drive down a street or how tall a bridge actually is.

considering that GPS has civilian and military parts of the signal, are the messages not signed by, i don't know, U.S. military or something? how come it is easy to spoof?
The military signal is encrypted and on a different band. Only the military has access to that signal.
right, but they could've went the extra meter and just sign all outgoing payloads?
For what purpose? Risk someone crafting fake signatures?

From what i can understand, this separation of concerns is a safer option

so that no device under any circumstances can be spoofed. what kind of risk is there in crafted signatures if right now you're 100% vulnerable to spoofing without any effort required to produce said signatures?
You could say this about any legacy network. Like the mobile phone network. The designers just didn't think about it/it was expensive/it's expensive to fix/there's legacy hardware.
well if the hardware is advanced enough to do encryption, it is certainly is capable of producing signatures. are GPS satellites not upgradeable? maybe they didn't think about it 40 years ago, but in the last decade - it's about time..
I was going to say "GPS predates signing", but it turns out that the first GPS launch and the invention of RSA signing were in the same year: 1978. Of course the signing technology was also considered to be subject to US export control for decades ...

Besides, signing doesn't necessarily help - the easiest way to GPS spoof is simply to re-broadcast the signals received at a nearby point at higher power, so the victim receiver thinks it's at that point.

There is recent work on doing this: https://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Lo_I...

1978 RSA invention is when it happened in public domain, 5 years before that a guy at GCHQ invented a similar asymmetric scheme, which i'm sure was well in use by 1978.

replay attack does make sense, but isn't it identified uniquely by time? i mean the content of the payload is basically very accurate time. if a device notices the time doesn't change - it can detect spoofing.

You continually receive signals at point A, send them to point B and transmit them there at higher power.
yeah, you're right, it's sort of a brain in the jar problem, isn't it. but it does seem like it's not that hard to detect because of latency between A and B, though it would require a pretty accurate clock on GPS device.
No! Differential latency from the satellites is entirely how GPS works, and there is no way of having an accurate enough clock to be able to spot that without (a) it being an atomic clock and (b) synced to the satellite time at a known location.
But accuracy of GPS signal is in microseconds, so if you suddenly detect a change in level of milliseconds (latency between A and B) - that would totally imply spoofing shenanigans?
Yes, which would manifest as a sudden movement of place detected. What I'm not sure about is what this looks like as you approach the jammer and its signal gradually overwhelms some or all of the signals; does it just look like multipath error.
Obviously I don’t know what I’m talking about, but it seems like such attack is only undetectable by cold gps device that has been offline for longer than some period of time, long enough to explain time shift by clock drift.
It would be fairly easy to rebroadcast continuously, then it's a valid signal, just in the wrong place.

Receiving the same signal over and over would be suspicious, but unless you have some other method to determine time and position, what are you going to do?

Obviously sat-nav guided systems should not rely on unprotected satellite navigation alone. You need complementary systems.

EU's GNSS has PRS (Public Regulated Service) is authenticated and can be used in sensitive applications for civilian uses. US has GPS modes that are protected but they seem to be only for military.

There is also Wide Area Augmentation System (WAAS) and European Geostationary Navigation Overlay Service (EGNOS). They augment GPS/Golnass and Galileo and provide integrity and more accuracy.

Typically new sat-nav systems have multi-constellation capability and they can receive from from GPS/GNSS/Golnass. Even new smartphones have that capability. Of course, if all of them are unprotected, you can spoof them all parallel.