By Roi Mit, Regulus Cyber
Over the last decade, GNSS/GPS spoofing has evolved from an unsubstantiated possibility to a serious reality. Spoofing is a form of interference in which fake GNSS/GPS signals are broadcast to receivers, overtaking the true signals and resulting in position, timing, and navigation errors. As far as we know, most GNSS spoofing events from the past are attributable to military or scientific sources. Each of the following 10 events has revealed serious vulnerabilities in systems we rely on for transportation, navigation, and life as we know it.
- Iran-U.S. RQ-170 Incident
On December 5, 2011, Iranian forces commandeered a U.S. Lockheed Martin RQ-170 Sentinel stealth drone flying about 140 miles from Iran’s border with Afghanistan. The Iranian government announced that the drone was spoofed and “brought down with minimal damage” by a cyber warfare unit.
The U.S. initially denied that the drone had been captured, instead claiming that it experienced a technical malfunction and possibly crashed near the Iranian city of Kashmar. However, Iranian authorities later broadcast a video showcasing the downed craft, which appeared to be intact. The video corroborated Iran’s claims that the drone was indeed deliberately hacked rather than retrieved after an accidental crash.
President Obama said in a White House press conference that he asked Iran to return the drone to the United States. Iranian officials reportedly scoffed at this request, maintaining that it would be foolish to return a surveillance craft used to covertly spy on their regime. The drone was allegedly monitoring Iran’s nuclear facilities when it was brought down.
“No one returns the symbol of aggression to the party that sought secret and vital intelligence related to the national security of a country,” said General Hossein Salami, an Iranian military official.
The U.S. continued to play down the severity of the spoofing incident after conceding that Iran possessed the barely-blemished craft. “It was not good for the US when the drone went down in Iran, and not good when the Iranians grabbed it,” said Joe Lieberman, then chairman of the Senate homeland security committee. “I don’t have confidence at this point that they are really able to make a copy of it.”
However, by May 2014, Iranian officials claimed that the drone had been successfully copied. “Our engineers succeeded in breaking the drone’s secrets and copying them. It will soon take a test flight,” an Iranian military officer said during a video broadcast.
The Iran-U.S. RQ-170 incident is a stain on U.S. military history. As consequences continue to unfold from this decade-old case of real-world spoofing, cyber security for unmanned aerial vehicles continues to rise in importance.
Iran has engaged in other instances of suspected GPS spoofing attacks, such as the July 2019 incident, in which a ship diverted off course into Iranian waters (if this sounds familiar – it is also the main storyline of the 1997 James Bond movie “Tomorrow Never Dies”).
- Mass spoofing attack on Black Sea ships
Over 20 ships operating in the Black Sea were affected by an alleged mass spoofing attack between June 22 and 24, 2017. The ships reported that their GPS navigation incorrectly placed them at airports many miles away from where they were sailing offshore.
One vessel sent the following message to the U.S. Coast Guard Navigation Center:
“GPS equipment unable to obtain GPS signal intermittently since nearing coast of Novorossiysk, Russia. Now displays HDOP 0.8 accuracy within 100m, but given location is actually 25 nautical miles off.”
Information provided by the ship’s captain, including photos of his navigation displays and paper charts, later confirmed that this interference was indeed an external incident rather than a problem with individual GPS units.
The Resilient Navigation and Timing Foundation contacted maritime analytics company Windward Ltd. to investigate the GPS disruption in the Black Sea. According to Windward cofounder Matan Peled, Windward experts identified two more instances of mass GPS interference in 2017. In each instance, marine GPS receivers were tricked into thinking that they were at Russian airports.
“Most interestingly, all 3 locations involve airports – Gelendzhik Airport and Sochi International Airport near the Black Sea, and St. Petersburg Airport near the North Sea. Windward also found that some of the vessels that mistakenly appear in Sochi Airport were really located near Gelendzhik, about 200km away. Even yesterday, the 25th of September, 2 vessels appeared at Sochi Airport, 20km from their actual positions near the Sochi harbor” Peled said in a Resilient Navigation and Timing Foundation press release.
Although some evidence suggests Russia is behind the spoofing attack – possibly to prevent aerial surveillance of the border via drones – the true source of the GPS disruption remains unknown.
“We don’t know where all these false signals are coming from, or the motivation behind them,” Peled said. “From a safety perspective, it is fortunate that they seem to be providing obviously false information… More subtle errors caused by spoofing could lead to tragic accidents.”
- Mysterious GPS interference centered around the Kremlin
Starting in early 2016, Muscovites and visitors to Moscow began complaining of GPS malfunctions near the Kremlin, Russia’s government headquarters. Social media users reported their mobile phone GPS location jumping to Vnukovo airport, nearly 20 miles away from central Moscow. The interference was especially noticeable with the rise of Pokémon Go, an augmented reality gaming app that hit peak usage in summer 2016.
Russian blogger Grigory Bakunov chose to investigate these strange occurrences himself by riding a Segway around central Moscow for three hours with a backpack full of GPS and GLONASS devices. Bakunov mapped GPS and GLONASS interference (in blue and red respectively). His completed map indicated that the interference was centred around the Kremlin.
Bakunov said that the alleged transmitter inside the Kremlin is powerful enough to spoof civilian GPS signals and jam military ones. As with the Black Sea incident, experts have speculated that the Kremlin is using GPS spoofing to prevent drones from flying overhead.
The Russian Federal Protective Service declined to comment on the GPS signal interference.
- First successful drone spoofing performed by University of Texas team
In June 2012, a University of Texas at Austin research team successfully spoofed a drone for the first time. Assistant Professor Todd Humphreys and his students commandeered the unmanned aerial vehicle (UAV) as part of a demonstration for the U.S. Department of Homeland Security in White Sands, New Mexico.
Humphreys’ research team hacked the UAV with self-designed hardware and software. In addition to raising concerns about civilian drone regulation, the demonstration gave credibility to the Iranian claim that a U.S. RQ-170 drone was spoofed.
“I think this demonstration should certainly raise some eyebrows and serve as a wake-up call of sorts as to how safe our critical infrastructure is from spoofing attacks,” Department of Defense (DoD) Aviation Policy Analyst Milton R. Clary said in a University of Texas at Austin press release.
- Following drone demonstration, University of Texas researchers steer multimillion dollar yacht off its course
One year after Todd Humphreys and his research team spoofed a UAV, the University of Texas at Austin professor led another team to steer a yacht off its course. The $80 million private yacht was hacked using the world’s first recognized GPS spoofing device, a piece of hardware about the size of a briefcase created by Humphreys and his team.
“I didn’t know, until we performed this experiment, just how possible it is to spoof a marine vessel and how difficult it is to detect this attack,” Humphreys said in a press release.
The experiment took place as the 213-foot yacht traveled across the Mediterranean Sea from Monaco to Greece. Two graduate students, Jahshan Bhatti and Ken Pesyna, used their spoofing device to broadcast false GPS signals from the ship’s upper deck to its antennas. Once the researchers covertly established a connection to the vessel’s GPS receivers, they were able to turn it slightly off its original course. GPS tracking in the command room showed the yacht traveling along a straight line despite the maneuvers made.
The University of Texas yacht experiment unearthed cybersecurity vulnerabilities in the maritime industry, which are especially pertinent considering the high cost of marine vessels and the enormous role they play in international trade.
“The surprising ease with which Todd and his team were able to control a (multimillion) dollar yacht is evidence that we must invest much more in securing our transportation systems against potential spoofing,” said Chandra Bhat, director of the Center for Transportation Research at The University of Texas at Austin.
- Regulus Tesla Spoofing Experiment
Regulus Cyber spoofed a Tesla Model 3 off the road during a test drive using Navigate on Autopilot (NOA). NOA is a GNSS-dependent feature that allows the high-tech Tesla Model 3 to make turns and change lanes without driver confirmation.
To spoof the Model 3’s automatic navigation system, the Regulus research team transmitted fake satellite coordinates to an antenna mounted on the roof. The fake coordinates corresponded to a location 150 meters before a highway exit. The Model 3 reacted almost instantly after the spoofed signal took hold. Thinking it was merely 500 feet away from a highway exit, the car suddenly decelerated, activated the right turn signal, and steered off to an emergency exit. The driver was taken by surprise – by the time he grabbed the wheel, it was too late to correct the car’s position and get it back on the highway smoothly.
Regulus Cyber CTO and co-founder Yoav Zangvil noted that the Tesla experiment exposed cybersecurity risks to advanced driver-assistance systems (ADAS) and autonomous vehicles. “As dependency on GNSS is on the rise, there’s a real need to bridge the gap between its tremendous inherent benefits and its potential hazards. It’s crucial today for the automotive industry to adopt a proactive approach towards cybersecurity,” he said.
Reliance on ADAS and autonomous driving technology is certainly on the rise, opening the door for dangerous scenarios involving unsecure GNSS/GPS.
- “Ghost ships” circle off San Francisco coast
Data analyst Bjorn Bergman discovered nine ships broadcasting false GPS signals from Point Reyes, just north of San Francisco, California. In truth, the ships were thousands of miles away in locations as diverse as the Norwegian Sea, Eastern Mediterranean, and Nigerian coast.
Bergman presented his findings at the Resilient Navigation and Timing Foundation’s annual meeting on May 5, 2020. He told attendees he was unsure of the origins of the interference. “It could just be some weird malfunction in the AIS system or it could be more significant with GPS manipulation of some sort occurring,” Bergman said.
AIS tracks over Point Reyes from the nine affected ships. Source: SkyTruth
Commenting on Bergman’s discovery to Newsweek, Professor Todd Humphreys said that the circles over Point Reyes indicate deliberate GPS spoofing.
“Fast forward to 2020 [and] what I think we’re witnessing with the strange patterns…is the emergence of commodity off-the-shelf spoofing devices,” he said to Newsweek. “If I’m right and cheap spoofers are now for sale, you can bet a lot more ‘GPS crop circles’ will show up in the coming months and years, with negative implications for ships, aircraft, and ordinary turn-by-turn directions.”
- GPS interference near Chinese ports
Preceding the discovery of “ghost ships” near Point Reyes, Bergman and his colleagues at SkyTruth investigated similar GPS interference at over 20 Chinese coastal sites. A November 2019 article by MIT Technology Review was among the first to report on the strange GPS data, which showed ships moving in “crop circles” up to a few miles away from their actual positions.
Crop circles were also visible on Strava’s Global Heatmap, which tracks biking, running and other forms of exercise by Strava users. The fitness app’s faulty data confirmed the existence of an underlying GPS problem rather than a malfunction of the automatic identification system (AIS) onboard ships.
Most interference sites were oil terminals and government installations, suggesting that spoofing could be a security or anti-surveillance measure used to conceal crude oil shipments. According to Bergman, manipulation was still ongoing in four cities (Shanghai, Dalian, Fuzhou, and Quanzhou) as of May 2020.
- Planes experience positioning errors moments before takeoff at Hannover airport
A GPS repeater had the potential to cause disaster at Germany’s Hannover Airport in 2010. GPS repeaters are used to receive satellite coverage while indoors – this particular one was being used to run tests on business jets inside an airport hangar less than 1000 meters from the runway threshold. Due to interference from the repeater, taxiing planes began to misperceive the location of the runway threshold, experiencing warning alarms and positioning alerts.
Investigators found that the high-powered repeater was operating illegally. It was far too close to the runway threshold, causing GNSS interference at a range of several hundred meters. This situation was extremely dangerous – some airplanes use GNSS/GPS to calculate ground level, so spoofing spells disaster for takeoffs and landings. In the aviation industry, GNSS/GPS accuracy can truly mean life or death.
- Accidental GNSS Spoofing affects multiple mobile phones at a conference
The so-called Portland Spoofing Incident happened in the Portland Convention Center at the 17th annual ION GNSS+ Conference on September 28, 2017. Conference attendees began noticing malfunctions with their mobile phones in the morning – for some, both texting and email were disabled. Many confused conference-goers saw their phone date and time reset to sometime in January 2014 and their current location reset to Toulouse, France.
After a few hours of confusion, GPS experts were able to diagnose the problem by using a Chronos model CTL3520 directional jamming detector borrowed from the NavtechGPS booth. The culprit? A GNSS simulator used for a demonstration at another booth. The GNSS simulator had 6 output ports, 5 of which were sealed with plastic caps. Despite the plastic caps – and despite the fact that the GNSS simulator had no antenna – the signal disrupted phones tens of meters away.
The process of restoring the correct date, time, and location on attendees’ phones was frustrating to varying degrees. Most phones recovered after a few minutes of exposure to open sky outside the exhibition hall. Some people manually reset timing by flipping the date over a thousand times. One person even had to initiate a factory reset and wipe their phone of data.
The accidental nature of the Portland Spoofing Incident highlights the feasibility of real-world spoofing, especially within an indoor location such as the convention center. Even with a building full of the world’s most prominent GNSS/GPS specialists, it took hours to recognize the problem as spoofing and eventually rehabilitate the affected devices.
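As an added illustration (not part of the original article and not Regulus Cyber code), the sketch below checks a stream of receiver fixes for the two symptoms reported above: the sudden position jumps described by the Black Sea vessels and the clock reset seen in Portland. The coordinates, timestamps and the 40-knot speed ceiling are constructed assumptions, not data from the incidents.

```python
import math
from datetime import datetime

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def flag_implausible_fixes(fixes, max_speed_knots=40.0):
    """Return (index, reason) for fixes inconsistent with the last trusted fix.

    fixes: list of (iso_timestamp, lat, lon) in the order they were received.
    A flagged fix is never adopted as the reference, so a run of false fixes
    stays flagged until the reported track is reachable again.
    max_speed_knots is an assumed ceiling for the platform being monitored.
    """
    alerts, ref = [], None
    for i, (stamp, lat, lon) in enumerate(fixes):
        t = datetime.fromisoformat(stamp)
        if ref is None:
            ref = (t, lat, lon)
            continue
        hours = (t - ref[0]).total_seconds() / 3600.0
        if hours <= 0:
            alerts.append((i, "time_regression"))   # clock went backwards
        elif haversine_nm(ref[1], ref[2], lat, lon) / hours > max_speed_knots:
            alerts.append((i, "position_jump"))     # unreachable in that time
        else:
            ref = (t, lat, lon)
    return alerts

# Constructed sample track: two offshore fixes, two fixes displaced roughly
# 23 nm inland, a return to the real track, then a fix stamped January 2014.
SAMPLE_FIXES = [
    ("2017-06-22T10:00:00", 44.300, 37.600),
    ("2017-06-22T10:05:00", 44.310, 37.620),
    ("2017-06-22T10:06:00", 44.580, 38.010),
    ("2017-06-22T10:11:00", 44.580, 38.010),
    ("2017-06-22T10:16:00", 44.330, 37.660),
    ("2014-01-01T00:00:00", 44.330, 37.660),
]

if __name__ == "__main__":
    for idx, reason in flag_implausible_fixes(SAMPLE_FIXES):
        print(idx, reason, SAMPLE_FIXES[idx])
```

A check like this only catches abrupt displacement or time rollback; a spoofer that drags the position slowly, as in the yacht experiment, stays under any speed ceiling and needs an independent reference such as inertial sensors or a second time source.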
In conclusion: Though choosing the 10 most significant GNSS spoofing events might be straightforward now – since the history of GNSS spoofing is relatively young – it is sure to be a challenge in the future. As the world grows increasingly dependent on GNSS technology, and as spoofing hardware becomes cheaper and more accessible, we can expect an uptick in spoofing incidents. Criminal spoofing cases will likely climb onto this top 10 list.
Preventative measures against GNSS spoofing are necessary if we want to feel safe and secure in years to come – this is why Regulus Cyber offers software and hardware spoofing defense solutions customizable to any GNSS industry. Regulus Cyber’s Pyramid GNSS technology is designed to detect and mitigate real-world spoofing attacks in automotive, maritime, telecommunications, mobile phones, electronic monitors, and more. To read more about Pyramid GNSS or watch a product animation, click here: https://www.regulus.com