Tagged: spoofing

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events. 

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofers choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.

C4ADS Research shows GPS spoofing detected via AIS data
C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance ran, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports. 

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes how several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data
C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.

Developing an Alternative To GPS with a HackRF

The Aerospace Sextant System
The Aerospace Sextant System

The LA Times recently ran a story that discussed how vulnerable GPS is to malicious spoofing. This has been well known for a number of years now with researchers having been successful at diverting a 80-million dollar yacht off it's intended course 5 years ago. We've also seen GPS spoofing performed with low cost TX capable SDRs like the HackRF. For example we've seen researchers use GPS spoofing to cheat at "Pokemon Go" an augmented reality smartphone game and to bypass drone no-fly restrictions.

The article in the LA times also discusses how a group of researchers at Aerospace Corp. are testing GPS alternatives and/or augmentations, that improve resilience against spoofing. The system being developed is called 'Sextant', and it's basic idea is to use other sources of information to help in determining a location.

Other sources of information include signals sources like radio, TV and cell tower signals. It also includes taking data from other localization signals like LORAN (a long range HF based hyperbolic navigation system), and GPS augmentation satellites such as the Japanese QZSS which is a system used to improve GPS operation in areas with dense tall buildings, such as in many of Japans cities. More advanced Sextant algorithms will possibly also incorporate accelerometer/inertial data, and even a visual sensor that uses scenery to determine location.

Most likely a key component of Sextant will be the use of a software defined radio and from the photos in the article the team appear to be testing Sextant with a simple HackRF SDR. While we're unsure of the commercial/military nature of the software, and although probably unlikely, hopefully in the future we'll see some open source software released which will allow anyone to test Sextants localization features with a HackRF or similar SDR.

Aerospace Corp. Testing Sextant with a HackRF
Aerospace Corp. Testing Sextant with a HackRF

Spoofing GPS Locations with low cost TX SDRs

At this years Defcon 2015 conference researcher Lin Huang from Qihoo 360 presented her work on spoofing GPS signals. Qihoo 360 is a Chinese security company producing antivirus software. Lin works at Qihoo as a security researcher where her main job is to prevent their antivirus software and users from becoming vulnerable to wireless attacks. Her research brought her to the realm of GPS spoofing, where she discovered how easy it was to use relatively low cost SDRs like a USRP B210/BladeRF/HackRF to emulate GPS signals which could allow a wireless attacker to manipulate the GPS on smartphones and cars.

Previous attempts at GPS spoofing have all used more expensive custom hardware. One attempt in 2013 allowed university researchers to send a 213-foot yacht off course, and it is suspected that hackers from the Iranian government have used GPS spoofing to divert and land an American stealth drone back in 2011.

In Lin’s presentation she shows how she was able to trick a smartphone into thinking it was in a different location. In addition she writes how this method could be used to trick the phone into changing it’s time, as many smartphones will periodically refresh the clock accuracy by using GPS satellites. She also shows how she was able to bypass a DJI drones forbidden area no fly zone policy. DJI drones come with a feature where the engines will not power up if the on board GPS detects that it is in a no drone fly zone. By spoofing the GPS she was able to get the drone to power up inside a no fly zone in Beijng.

Lin Huangs presentation can be downloaded from the defcon media server (pdf). An article on Lin and her research into GPS spoofing has also been run on Forbes.com.

Spoofed GPS logs on a smartphone
Spoofed GPS logs on a smartphone