Tagged: spoofing

Testing the Mayhem Firmware on a HackRF Portapack

The Portapack is an add on for the popular HackRF SDR which allows the HackRF to be used portably without a PC. Recently the cost of this hardware duo has come down to below US$150 due to low cost Chinese clones now being available on the market. Generally the clones are of good quality too.

Once you have the hardware it is possible to install third party custom firmware such as "Mayhem" on the Portapack which enables many features such as the ability to receive and transmit various different types of RF protocols. Back in 2018 we did a review of Mayhems predecessor which was known as the "Havok" firmware. More recently Tech Minds did a video overview of Mayhem.

Now over on his blog A. Petazzoni has started a new blog series which aims to introduce the basics of the Mayhem firmware, including installation and some hands on testing with RF spoofing, denial-of-service (DoS) and replay attacks. Currently only his first post is out, and in the post he show how to install Mayhem onto the Portapack, then goes on to briefly overview some applications such as RF replay attacks, replicating wireless remote controls, receiving and transmitting POCSAG, receiving and transmitting ADS-B, and creating a jammer.

Obviously a lot of what you can do with a Portapack and the Mayhem firmware is extremely illegal and very dangerous, so please do be careful with what and where you transmit especially if you are new to RF hobby. These signals should remain in your test area only, and not leak out into the wider environment.

[Also seen on Hackaday]

HackRF Portapack transmitting a spoofed pager message.

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on autopilot away from it's intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide it's own turns and lane changes using information from the car's cameras, Google Maps and it's Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts it's suspension depending on the type of road it's on which is recorded in it's map database.

In their work they used a ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalen time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.
Some SDR tools used to spoof the Tesla Model 3.

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events. 

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofers choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.

C4ADS Research shows GPS spoofing detected via AIS data
C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance ran, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports. 

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes how several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data
C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.

Developing an Alternative To GPS with a HackRF

The Aerospace Sextant System
The Aerospace Sextant System

The LA Times recently ran a story that discussed how vulnerable GPS is to malicious spoofing. This has been well known for a number of years now with researchers having been successful at diverting a 80-million dollar yacht off it's intended course 5 years ago. We've also seen GPS spoofing performed with low cost TX capable SDRs like the HackRF. For example we've seen researchers use GPS spoofing to cheat at "Pokemon Go" an augmented reality smartphone game and to bypass drone no-fly restrictions.

The article in the LA times also discusses how a group of researchers at Aerospace Corp. are testing GPS alternatives and/or augmentations, that improve resilience against spoofing. The system being developed is called 'Sextant', and it's basic idea is to use other sources of information to help in determining a location.

Other sources of information include signals sources like radio, TV and cell tower signals. It also includes taking data from other localization signals like LORAN (a long range HF based hyperbolic navigation system), and GPS augmentation satellites such as the Japanese QZSS which is a system used to improve GPS operation in areas with dense tall buildings, such as in many of Japans cities. More advanced Sextant algorithms will possibly also incorporate accelerometer/inertial data, and even a visual sensor that uses scenery to determine location.

Most likely a key component of Sextant will be the use of a software defined radio and from the photos in the article the team appear to be testing Sextant with a simple HackRF SDR. While we're unsure of the commercial/military nature of the software, and although probably unlikely, hopefully in the future we'll see some open source software released which will allow anyone to test Sextants localization features with a HackRF or similar SDR.

Aerospace Corp. Testing Sextant with a HackRF
Aerospace Corp. Testing Sextant with a HackRF

Spoofing GPS Locations with low cost TX SDRs

At this years Defcon 2015 conference researcher Lin Huang from Qihoo 360 presented her work on spoofing GPS signals. Qihoo 360 is a Chinese security company producing antivirus software. Lin works at Qihoo as a security researcher where her main job is to prevent their antivirus software and users from becoming vulnerable to wireless attacks. Her research brought her to the realm of GPS spoofing, where she discovered how easy it was to use relatively low cost SDRs like a USRP B210/BladeRF/HackRF to emulate GPS signals which could allow a wireless attacker to manipulate the GPS on smartphones and cars.

Previous attempts at GPS spoofing have all used more expensive custom hardware. One attempt in 2013 allowed university researchers to send a 213-foot yacht off course, and it is suspected that hackers from the Iranian government have used GPS spoofing to divert and land an American stealth drone back in 2011.

In Lin’s presentation she shows how she was able to trick a smartphone into thinking it was in a different location. In addition she writes how this method could be used to trick the phone into changing it’s time, as many smartphones will periodically refresh the clock accuracy by using GPS satellites. She also shows how she was able to bypass a DJI drones forbidden area no fly zone policy. DJI drones come with a feature where the engines will not power up if the on board GPS detects that it is in a no drone fly zone. By spoofing the GPS she was able to get the drone to power up inside a no fly zone in Beijng.

Lin Huangs presentation can be downloaded from the defcon media server (pdf). An article on Lin and her research into GPS spoofing has also been run on Forbes.com.

Spoofed GPS logs on a smartphone
Spoofed GPS logs on a smartphone