Schneier on Security
A blog covering security and security technology.
September 17, 2008
Jon used a desktop computer attached to a GPS satellite simulator to create a fake GPS signal. Portable GPS satellite simulators can fit in the trunk of a car, and are often used for testing. They are available as commercial off-the-shelf products. You can also rent them for less than $1K a week -- peanuts to anyone thinking of hijacking a cargo truck and selling stolen goods.
In his first experiments, Jon placed his desktop computer and GPS satellite simulator in the cab of his small truck, and powered them off an inverter. The VAT used a second truck as the victim cargo truck. "With this setup," Jon said, "we were able to spoof the GPS receiver from about 30 feet away. If our equipment could broadcast a stronger signal, or if we had purchased stronger signal amplifiers, we certainly could have spoofed over a greater distance."
During later experiments, Jon and the VAT were able to easily achieve much greater GPS spoofing ranges. They spoofed GPS signals at ranges over three quarters of a mile. "The farthest distance we achieved was 4586 feet, at Los Alamos," said Jon. "When you radiate an RF signal, you ideally want line of sight, but in this case we were walking around buildings and near power lines. We really had a lot of obstruction in the way. It surprised us." An attacker could drive within a half mile of the victim truck, and still override the truck's GPS signals.
EDITED TO ADD (10/13): Argonne National Labs is working on this.
Posted on September 17, 2008 at 7:03 AM
• 71 Comments
Oooh movie plot threat potential!
Precis: Lone vaguely eastern European male with shadowy links to Iran (the best bad guys are foreign), armed with a Mac (all movies use Apple's) and a GPS spoofer in his truck. Hijacks aircraft on foggy days and flies them into something heavy, like a nuclear waste facility (eco appeal). Can the feisty FBI (Keanu Reeves) stop him?
Do I win?!
Of course the FAA are ahead on the curve on this one, see WAAS and LAAS.
They were spoofing satellite signals, right? So that the truck receives an invalid signal and thinks it is in someplace different than it actually is?
Thus you are able to send the truck to a place where you could then hijack it easily?
Not a surprise. Everyone has known for a long time that the GPS receivers are susceptible to this. However, what surprises me is that someone wrote about testing it. I'm wondering if they applied for and got the required FCC licenses to operate a mobile broadcasting station on GPS frequencies.
But, in the end, it's not a real risk. Stop the truck, order the driver out, cut power to the GPS transmitter, then drive off. Much easier than spoofing.
Spoofing GPS signals to fool Onstar-like systems probably won't be terribly effective, once the vulnerability is known. The systems could be patched to send an alarm when the GPS-calculated position jumps by an unreasonable amount, and transmit both the old (last known) position and the new position to the base station.
It might be effective to fool the base station into thinking the truck is still moving, and it's where it is supposed to be.
The most devious attack, I think, is fooling drivers into taking the route you want them to take, by having the GPS navigation system lie to them. This probably means you would need to know their destination. In some cases, such an attack might be feasible, although it's rather complicated and unlikely to happen.
Yes. Here are some examples of places where sat nav has directed people to a standstill, where a robbery would be easy. Like robbing a stage coach the old fashioned way (not the hollywood way).
1. 100ft cliff
2. Manchester (yes really)
3. Wrong way up the carriage way
4. Tram track
5. A toilet (!)
6. A deep ford
Listed in more detail here - http://www.daniweb.com/blogs/entry1242.html
That's the nice thing.....When spoofing you don't WANT to have large jumps: Start by sending the correct signal to the GPS. Let the spoofer slowly lessen the speed and veer the GPS off course at the next exit or crossing by fooling the driver that the car is at the previous or next exit, the one the driver wants to take. After that, the driver's quite sure the GPS is taking him along another route, which is probably the fastest one (wasn't it always before?) and will keep on following the GPS till the spoofer has the driver and car where he wants to have them.
They won't fool anyone except the company or police/government tracking a vehicle. Those in the vehicle know exactly where they aren't.
@Jeff: finding the GPS device, and cutting the power, may not be easy. There are plenty of places to hide a GPS receiver in a truck, with an integrated backup battery, so cutting all the power and using a new power harness for the critical systems won't work either.
Besides, if the cargo is really valuable, who is to say how many GPS receivers are on board the truck?
I guess you could just wrap the whole truck in tinfoil...
Don't forget that most vehicles these days have a second "GPS" installed by default. It's called your satellite radio.
Most of XM and Sirius's original stuff are military satellites that were declassified after the Berlin Wall fell and the (first) Cold War ended.
@Anonymous: Have you considered the fact that some people use a GPS navigation system in places they don't know very well, or where they have never even been before.
@JF: An attacker may want to have different data on the different receivers (navigation and onstar-like systems) in the truck.
Just a little thought: if you do this, make sure you know where you're going. You don't want the rookie driver relying on his cellphone's GPS receiver when he makes the getaway...
No matter where you go, there you are... hey, wait a second...
Wow. While the vulnerability is interesting, getting it to work hijacking a truck is absurd.
To hijack the truck:
1. The truck needs to have GPS; many don't.
2. The driver has to be using the GPS. If he's delivered a hundred times to the location, he probably isn't using it.
3. The attacker needs to know the destination of the delivery, the route the drivers usually take, and an exactly similar route close to the real destination that ends in a dead end where they can conduct the hijacking. The hack can only fake the GPS into thinking it's somewhere else; it can't change the maps loaded on the system.
4. The driver not checking the street signs against the GPS to ensure he's actually turning onto the correct road.
5. The driver not noticing that he's driving into a dangerous area. Truckers are usually more aware of road signs, as they don't want to end up in a cul-de-sac where they'll end up stuck.
It seems it would be simple to fix by having the receiver unit validate the signal by continuously ignoring each visible satellite in turn from the position calculation, and see if that causes a significant, consistent change in position. If it does, show an alert, or simply ignore that satellite (which is likely a fake).
I trust you noticed that this article is about a paper written in 2003.
I can't seem to find what would be the threat that it can cause...
I thought the point of the paper was that you could hijack the truck, disable its GPS device, and then send a decoy with a spoofed signal along the truck's route to give the hijackers time for a getaway, not about changing the directions a driver's GPS gives them?
Who cares about hijacking a truck? All I want is my favorite fishin' spot to myself!
Bruce, where are we going to? What we can to do?
Somebody wearing a GPS ankle bracelet could make good use of this, spoofing his tattler into reporting that he is complying with his house arrest.
Surely changing the position isn't helpful in "redirecting" a truck if you can't also change the map? Unless you have an exactly repeating pattern of roads that will match in more than one location, the driver will note that he is being shown in the middle of a field or something...
However, you could use this method, having already stolen the truck, to get it to report back to base that it is stationary while you are really driving it away.
So, as I read the comments, it spoofs the satellite signal to fool the GPS in the truck or target vehicle. That's silly, especially if you want to hijack it.
I thought this had to do with spoofing the signal that a corporate truck sent back to the company. This would be much better.
To be honest, I have no idea how those work, but I know that truckers and many delivery vehicles have satellite systems that report their position to corporate HQ, which allows the main office the ability to see where they are (screwing around, on time, etc.).
Now, imagine if you could spoof that signal...and then take the truck miles away to loot it at will, all while the company is none-the-wiser.
Of course, one could just stop, off-load it, etc., and then send the truck on its way with another driver, but that takes time and, if you wanted to be low-key, would need to be done on/near the intended route.
@Simon: "Unless you have an exactly repeating pattern of roads that will match in more than one location, the driver will note that he is being shown in the middle of a field or something..."
You've never driven across Kansas, have you?
But in any case, the point of bringing up this article is, I think, is not that there's a plausible or profitable attack on any specific thing. It's that we have a technology that's becoming ubiquitous, which most people think of as being basically self contained, and if not infallible, at least a self-contained black box.
Noticing and understanding and cataloging that kind of feature is what makes the "security mindset" that Bruce has mentioned before. The immediate application isn't so important.
Consider spoofing GPS signals for landing aircraft...for openers.
Bonus movie plot idea: Send the plane load of passengers into the terminal, or a downtown building. Double bonus: Have forty evil-doers ready to do this across the globe at the same time. Then hire Chuck Norris and Bruce Schneier to stop them!
For trucks this is a bit difficult to do.
That being said...
Drawing a ship off course onto a reef would be far more likely.
Think Nag's Head...
@Sam Hill: There are multiple pieces of navigation equipment aboard aircraft, and also ground-based radar sites. Pilots are trained to use all of them, since any one of them can (and often does) go haywire at inconvenient moments. So if you try to spoof GPS into directing a plane into a target, there are going to be VORs and LORANs and ADFs and DMEs and INAVs and radar operators and good ole Mk I eyeballs all saying "this isn't the right place!"
'armed with a Mac (all movies use Apple's)'
Didn't you watch 24? Bad guys always use PCs... Good guys use Macs.
As an attack vector it's a pretty flexible one, especially if you produce a working software alternative with a software-controlled radio (GNU Radio project perhaps). The question is not what attacks we can think of; it comes down to what attacks the enemy can think of.
I'm with Bruce here in that we can't guard against all attacks, so why bother. Better to deploy better recovery and support options for after the events.
I realise that this in itself isn't an attack, but it's an enabler and possibly a force amplifier. (And the reverse in defence.)
If terrorists can build small model aircraft with bombs and GPS control, then this can potentially do a lot more to stop attacks than simple jamming. The control systems generally wouldn't have enough intelligence to know this type of 'attack' is occurring.
I doubt this will affect military GPS signals since, as I understand it, they have encryption and so are far harder to spoof. So it's only an attack against commercial grade GPS systems.
Wrt attack vectors: UAVs and GPS guided munitions use an encrypted, military-only GPS signal, right?
Sounds more useful as a DOS than as an actual attack.
Honestly, this vulnerability should have been honest to anyone with a clue about how GPS works.
The paper lists seven possible countermeasures. The first six could be defeated by corresponding changes in the simulator software. In some cases, the GPS receiver would then have to choose between two or more legitimate appearing signals that indicate different positions. At least the receiver can indicate that it is having a problem with conflicting signals. I can't think of a reasonable way to defeat the seventh countermeasure: a backup inertial sensor.
"...VORs and LORANs and ADFs and DMEs and INAVs and radar operators and good ole Mk I eyeballs..."
I totally understand the multiple backups involved, but I ask you...which of these is connected to the "auto-land" feature on the airbus?
All your R-nav are belong to us.
Besides...it's just a movie plot. ;-)
At least as relevant as positioning, GPS is frequently used by sensitive applications to maintain accurate time on multiple synchronized components. This strikes me as something that would be trivially disrupted with a GPS simulator, and these GPS clocks are typically considered bulletproof as they are inside "all black" networks with no external connectivity -- except the GPS.
Oooh movie plot threat potential!
Already been used in a movie plot, "Tomorrow Never Dies", in 1997.
HA, forget hijacking, this would just be lots of fun given how many drivers today blindly follow the driving directions provided by their GPS - into lakes and rivers, into fields, down RR tracks, etc.
The thing I don't understand about this is that if you spoof the signal of a single satellite, wouldn't the trig come out weird? The receiver locks onto multiple satellites and triangulates your location, so if one says you are 5 miles off of your location I would think it would throw that out.
Best use for this would almost certainly be to abet an inside job. Drive the truck where you want while the GPS reporting equipment says it's still on track. If you could get the size and cost down, it would also be useful for drivers who wanted to make unscheduled stops or to speed without getting docked.
(Depending on crew quality, the spoofing could also be useful for piracy. And of course you get much more range over water.)
> So, as I read the comments, it spoofs the satellite signal to fool the GPS in the truck or target vehicle. That's silly, especially if you want to hijack it.
> I thought this had to do with spoofing the signal that a corporate truck sent back to the company. This would be much better.
Probably the same difference. For systems like OmniTRACS, the first thing that's needed is the onboard GPS to know where it is (or where the spoofer wants it to think it is). There may be oddities in making the uplink point to the right satellite (not sure how this works) but it should be doable.
@Anonymous: This doesn't spoof a single satellite; (btw the correct term is "meaconing") it spoofs the entire CONSTELLATION of satellites - it can pretend to be all 24 of them.
@Sam Hill: It's not far from the movie plot of Die Hard 2 (1990), in which the bad guys had taken over all of the airport's tower systems, and reconfigured the ILS landing system to think sea level was at -200 meters, and crashed a plane into the runway.
"RAIM detects faults with redundant GPS pseudorange measurements. That is, when more satellites are available than needed to produce a position fix, the extra pseudoranges should all be consistent with the computed position."
Ah, should've read Steve Hoober's comment. RAIM won't defeat this...
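Two comments above describe the same receiver-side check: drop each satellite in turn and see whether the fix stays consistent, which is the RAIM idea quoted just above. The following Python is an added illustration, not code from the post or from any commenter: a toy 2D receiver with five constructed satellites, a Gauss-Newton least-squares fix, and the leave-one-out test. It flags a single 500 m pseudorange error, but a simulator that replaces the whole constellation with ranges consistent for a false position passes the test, which is the point of the comment above; all coordinates, biases and thresholds are constructed.

```python
import math

# Constructed 2D toy geometry, all distances in metres: five "satellites" at known
# positions, a receiver somewhere near the origin with an unknown clock bias.
SATS = [(-20000.0, 20000.0), (20000.0, 20000.0), (0.0, 25000.0),
        (-15000.0, 10000.0), (15000.0, 8000.0)]
TRUE_POS, TRUE_BIAS = (1200.0, -800.0), 150.0
FALSE_POS = (5000.0, 2000.0)     # where a simulator wants the receiver to think it is
RMS_THRESHOLD_M = 10.0           # residual RMS above this triggers the check (constructed)

def pseudoranges(sats, pos, clock_bias):
    """Pseudorange = geometric range + receiver clock bias (metres)."""
    return [math.dist(s, pos) + clock_bias for s in sats]

def residuals(sats, rhos, est):
    """Measured minus predicted pseudorange for the estimate est = (x, y, bias)."""
    x, y, b = est
    return [rho - (math.dist(s, (x, y)) + b) for s, rho in zip(sats, rhos)]

def _solve3(a, rhs):
    """Solve the 3x3 system a x = rhs by Gauss-Jordan elimination with pivoting."""
    m = [row[:] + [r] for row, r in zip(a, rhs)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [u - f * v for u, v in zip(m[r], m[col])]
    return [m[i][3] / m[i][i] for i in range(3)]

def fix(sats, rhos, iters=10):
    """Gauss-Newton least-squares fix for (x, y, clock_bias); also returns residual RMS."""
    est = [0.0, 0.0, 0.0]
    for _ in range(iters):
        x, y, b = est
        rows = []
        for sx, sy in sats:
            d = math.hypot(sx - x, sy - y)
            rows.append([-(sx - x) / d, -(sy - y) / d, 1.0])   # Jacobian row
        res = residuals(sats, rhos, est)
        jtj = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
        jtr = [sum(r[i] * v for r, v in zip(rows, res)) for i in range(3)]
        est = [e + step for e, step in zip(est, _solve3(jtj, jtr))]
    res = residuals(sats, rhos, est)
    return tuple(est), math.sqrt(sum(v * v for v in res) / len(res))

def raim_check(sats, rhos, threshold=RMS_THRESHOLD_M):
    """Leave-one-out consistency check: returns (fix, index of suspect satellite or None)."""
    est, rms = fix(sats, rhos)
    if rms <= threshold:
        return est, None             # every pseudorange agrees with one position
    best = None
    for k in range(len(sats)):       # drop each satellite in turn, keep the most consistent subset
        sub_est, sub_rms = fix(sats[:k] + sats[k + 1:], rhos[:k] + rhos[k + 1:])
        if best is None or sub_rms < best[1]:
            best = (k, sub_rms, sub_est)
    return best[2], best[0]

def scenario_clean():
    return raim_check(SATS, pseudoranges(SATS, TRUE_POS, TRUE_BIAS))

def scenario_single_fault():
    rhos = pseudoranges(SATS, TRUE_POS, TRUE_BIAS)
    rhos[2] += 500.0                 # one channel off by 500 m (failed or spoofed satellite)
    return raim_check(SATS, rhos)

def scenario_full_spoof():
    # A simulator replaces every channel with ranges that are mutually consistent
    # for FALSE_POS, so the residuals are as small as for the genuine signal.
    return raim_check(SATS, pseudoranges(SATS, FALSE_POS, TRUE_BIAS))

if __name__ == "__main__":
    for name, fn in (("clean", scenario_clean), ("single fault", scenario_single_fault),
                     ("full-constellation spoof", scenario_full_spoof)):
        (x, y, b), suspect = fn()
        print(f"{name:25s} fix=({x:7.1f}, {y:7.1f}) bias={b:6.1f} suspect={suspect}")
```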
My GPS has been fine spoofing all on its own.
After a series of dead-ends, u-turns in the middle of a street, and off-ramp-on-ramp directions because it thought I was somewhere else, I just threw the thing out.
@BMurray - "GPS is frequently used by sensitive applications to maintain accurate time on multiple synchronized components"
Or the GPS is used to drive a time sync box as an NTP server for an entire organization.
You could lag a company into being late with last minute activities before a particular time cut-off. Doesn't have to be much -- 5 to 10 seconds would be enough in some cases.
This would be great on a facility with automated access to points of entry that release the maglocks at set times. Just tell the system that it's 9am at 9pm.
@Sam Hill - "...which of these is connected to the "auto-land" feature on the airbus?"
My guess is the ILS and radar altimeter. Doubt it's the GPS. Even with WAAS, it's not precise enough to land a plane.
Many missiles and even howitzer shells use GPS for precision fire-and-forget targeting.
Presumably a truck-sized GPS-spoofer ought to provide a kind of incoming-missile-shield in these circumstances?
Are the armies of the world onto this?
The main problem is a driver looking at the GPS and going 'it's wrong, these roads don't exist' when they see strange turnings etc. You would also need to hack their maps for the proper effect.
As for planes, they have other instruments as has been said and tend to report an error if one wanders from the other results. Their gps antenna also faces up - you would need to be flying above them to be able to spoof.
Far more fun could be had with the gps automated tractors. They are often unmanned and you could make them draw crop circles in the fields they are working in
What does the jammer do to the stratum-1 time signal that GPS carries? Can you generate a time error into the system in a way that would confuse a security system that is designed around exact time synchronization?
@Tim: What a cool art form - tractor baiting!
I can easily picture this becoming an event at Black Hat or Defcon or something - you have to make a random tractor do something that looks cool from the air! Bonus points for synchronizing multiple tractors in meaningful ways, like rhythmic gymnastics (tractor botnets). But no Gomez Addams-like head-on collisions; that's not cool. Well, OK it's cool to WATCH but shows a lack of class.
A delivery truck heist is mostly harmless, but if you spoof a supertanker with oil or chemicals you can actually make 9/11 look tame...
GPS is more than 20 years old, and this problem is even described in a Bond movie (luring a British naval vessel into Chinese controlled waters), so why isn't there some smart and simple security like crypto-signing the data?
"why isn't there some smart and simple security like crypto-signing the data?"
In the case of the MIL GPS signal (10MHz spread spectrum) there supposedly is. In that the PRBS chip signal used to Direct Sequence Spread Spectrum modulate the data signal is supposedly secret...
The solution to the problem is to add a simple inertial based check system and/or road "log" system. If the GPS is telling you you are moving in a vector that is significantly different to the vector derived from the wheel, speed, compass and inertial data, then flag up an error signal and let a human start doing what they do best...
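The sensor cross-check proposed in this comment, together with the position-jump alarm proposed earlier in the thread, as an added Python example that is not code from any commenter or product: each fix is compared against a dead-reckoned prediction from wheel speed and compass heading, and against a maximum plausible speed between fixes. The 1 Hz track, the heading convention and the tolerances are constructed for the example.

```python
import math

# Plausibility limits, constructed for this example rather than taken from any product.
MAX_SPEED_MPS = 40.0   # a fix-to-fix jump implying more than this is physically implausible
ABS_TOL_M = 5.0        # fixed slack for ordinary GPS noise
REL_TOL = 0.10         # plus 10 % of the distance the wheels say was travelled

def dead_reckon(prev_xy, speed_mps, heading_deg, dt_s):
    """Predict the next position from the last fix plus wheel speed and compass heading
    (0 = north, clockwise) in a local east/north metre frame."""
    theta = math.radians(heading_deg)
    dist = speed_mps * dt_s
    return (prev_xy[0] + dist * math.sin(theta), prev_xy[1] + dist * math.cos(theta))

def check_track(samples):
    """samples: one dict {t, gps: (east, north), wheel_mps, heading_deg} per fix.
    Returns (index, reason, metres) for every fix that disagrees with the vehicle sensors."""
    alerts = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        dt = cur["t"] - prev["t"]
        jump = math.dist(prev["gps"], cur["gps"])
        if jump / dt > MAX_SPEED_MPS:               # reported position leaps: crude spoofer or glitch
            alerts.append((i, "jump", round(jump, 1)))
            continue
        predicted = dead_reckon(prev["gps"], cur["wheel_mps"], cur["heading_deg"], dt)
        travelled = cur["wheel_mps"] * dt
        err = math.dist(predicted, cur["gps"])
        if err > ABS_TOL_M + REL_TOL * travelled:   # GPS motion the wheels cannot account for
            alerts.append((i, "dead-reckoning mismatch", round(err, 1)))
    return alerts

def _sample(t, gps, wheel_mps, heading_deg=90.0):
    return {"t": float(t), "gps": gps, "wheel_mps": wheel_mps, "heading_deg": heading_deg}

def constructed_track():
    """Constructed 1 Hz telemetry: a truck driving east at 20 m/s, then stopped while a
    simulator keeps its reported position rolling along the route, then a 1 km leap."""
    track = [_sample(0, (0.0, 0.0), 20.0), _sample(1, (20.0, 0.0), 20.0),
             _sample(2, (40.0, 0.0), 20.0),
             _sample(3, (61.0, 2.0), 20.0),            # ordinary receiver noise, within tolerance
             _sample(4, (80.0, 0.0), 20.0), _sample(5, (100.0, 0.0), 20.0)]
    track += [_sample(t, (20.0 * t, 0.0), 0.0) for t in (6, 7, 8)]   # wheels stopped, GPS "moving"
    track.append(_sample(9, (1180.0, 300.0), 0.0))                     # reported position leaps 1 km
    return track

if __name__ == "__main__":
    for idx, reason, metres in check_track(constructed_track()):
        print(f"fix {idx}: {reason} ({metres} m)")
```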
The above anonymous is mine.
Ho hum time for brain in gear.
Autoland is only permissible with precision approach instrumentation, CAT III and higher. GPS is only certified for nonprecision approaches (i.e. letdown to a fairly high MDA and sight the airfield, else go-around).
This is the same for all aircraft; making this "Airbus vs Boeing" is a surefire marker of Stupid Macho American.
If you have to abduct something, take an oil tanker. At $100 a barrel, and 1.48 million barrels for a mid-sized tanker such as the Exxon Valdez, your average oil tanker carries $148 million worth of black gold. And they don't drive on roads. You'd need a well-orchestrated criminal enterprise for this, but they would sure welcome a GPS signal simulator.
Another thing that does not drive on roads are fishing vessels. Fishermen don't like their Vessel Monitoring Systems anyway, and some would be delighted to fool it in order to fish with little effort in marine protected areas.
P.S.: The same day that Bruce Schneier published this article, an oil tanker was abducted off Somalia. Read http://citynewsr.com/2008/09/17/... if you do not believe it.
If the Somalis can do it, is there any reason why a more sophisticated criminal enterprise would not? With a bit of luck and some spoofing devices that fool LRIT, SOLAS, and GPS, they could sell the oil to the Chinese, before the company notices that the tanker is not where it is supposed to be. In that aspect, it is also convenient to remember that LRIT positions are based on GPS fixes.
Am I missing something? Don't tell me that this is a security hole so large that one could drive an oil tanker through it.
The flip side of trusting technology too much. GPS logs are increasingly being used in court cases. Suppose the 'attack' is to create an airtight alibi? Or dispute one?
A standard GPS log can be easily created using notepad... no need for gps spoofing equipment.
A team of researchers and I at Cornell and Virginia Tech have been doing research along these lines as well. Our portable GPS signal spoofer is based on a software radio, not on a GPS signal simulator like the one used here. This way, it's harder to detect the spoofing attack, since one can synchronize the spoofing signals to GPS time. We just carried out an attack last week and presented at the ION GNSS conference. More info here:
The spoofer described in this article is relatively crude and would not be effective in many exploits. More sophisticated, relative position offset spoofers can be used to conduct criminal enterprises whilst under position monitoring via GPS without raising the alarm. The US GPS system is wide open for attack and there has been no move to adopt even the most rudimentary protections. The European Galileo system is adopting protective measures but is still in an experimental phase. For more details see:
@ Logan Scott,
In your article you refere to storing the I channel of a spread spectrum signal for which the chip code is unknown.
I'm not quite sure if I understand how you are going to do it, but I'm assuming if the unknown chip code is at a rate "r" then you need to sample and store at a rate of "2r" as a minimum, so with a 1.023MHz chip rate you would be storing 2.046M samples per second. The signal you would be saving is effectively an unknown chip signal which would look like AWGN. Therefore you would be effectively down converting a block of spectrum to baseband and storing it for later use.
Assuming this can be done reliably what is to stop an attacker performing a replay attack using the same technology?
That is they slurp the real GNSS signals into multi channel receivers at a location X, and retransmit them via a wideband link to the spoofing transmitter at location Y.
Any GNSS receiver at Y will see what it would see at location X. Therefore it would report that it is at X and the secret chip code would still decode correctly.
Therefore I do not see what the secret chip code has gained you by way of authentication.
I have GPS tracking on Verizon cell phones, Field Force Manager. Seems to work OK until I let the cat out of the bag. Now the phone I track shows it traveling around my home up to a mile away and stops for some time at places early in the morning (12am to 4am). Sometimes on a road and sometimes not. Almost like it is being spoofed to screw with me or hovering around in a helicopter. Wonder why I'm paranoid?
I have a very simple question. When a plane is on autopilot using GPS, can it be spoofed (meaconing) by a third party, in particular by sending a delayed, yet wrong signal to the plane?
Or could the crash of the TU-154M at Smolensk in April 2010 have been created by meaconing (spoofing)?
Thanks for the help.
Not likely. I do not believe the autopilots on most (if any) commercial aircraft are GPS driven; rather, they rely on other navigational and inertial inputs. This is at least true of aircraft operated by U.S. airlines.
Much ado about nothing! As in the case of PC users, GPS users who have a lot at stake, and have a lot to lose if their signals are spoofed, tend to have varying degrees of at least protection if not mitigation. Simply RF carrying the GPS signals using off-the-shelf simulators is fairly easy to protect against.
It is nearly impossible to spoof commercial ground based users out of their route simply because a vehicle's motion is constrained by the road itself.
Messing up an average Joe's GPS, phone, PC is a piece of cake, but why bother?
Just like the antivirus software industry, GPS companies would like it if they can scare people into thinking their signals are being spoofed and offer new anti-spoofing software.
But other than jamming, for a GPS receiver that has at least some degree of checks (RAIM check, in-line bit, amplitude check and a bunch of others), only a very sophisticated spoofing method can fool the GPS. Also most fixed or attached ground based GPS antennas null/mask the signals arriving from low elevations.
Lastly, ship and airborne navigation is augmented with INS and other navigational instruments. You know, people did travel before the invention of GPS!
Spoofing is very well known. If the drone is located, it is prone of the nation, if it is not Somalia or Libya. The trick is two airplanes. First flies above the drone with a directional antenna that transmits in the same line Satellite-Drone. The second plane repeat the genuine GPS signal, which is retransmitted by a laser beam to the first airplane. Changing the position of the second plane, they find out how the drone behaves, and they are able to change the flight direction on their will.
The Iranians eventually used a simple civilian GPS spoofing technique to hijack the CIA's drone after having jammed the military encrypted signal and other radio signals by some cheap Chinese or Russian device mounted on planes flying above and aside the drone to disconnect it from its primary trusted information sources.
This is a classic example that could be used to teach year 1 IT uni students how investing billions of dollars to create trusted two-way encrypted communication channels miserably turns into billionaire losses if such technologies are used inside insecure communication protocols.
Where can I buy a GPS or OmniTRACS spoofer so that they can't track me any more....
An attacker could approach the target truck, turn on the spoofer and proceed to hijack the truck to a secret location.
Meanwhile, the truck's GPS will report to HQ the ongoing simulated GPS signal indicating that the truck never stopped but is continuing along its normal route as scheduled.
By the time the truck fails to arrive at its destination, and the cell tower records get searched to discover the truck's true location, the hi-tech attackers will have already transferred the cargo and be long gone.
The attackers could even have some fun with it, sending the cargo owners on a simulated GPS chase from fast food restaurant, to brothel, to Mexican border and beyond.