On August 21st, 2017, in the early morning hours of local Japanese Standard Time, the Arleigh-Burke class destroyer USS John McCain collided with the Alnic MC, a huge 30,000 ton tanker, off the coast of Singapore.  This latest mishap was an embarrassing continuation of a series of at-sea collisions between commercial shipping vessels and U.S. warships leading many to suspect that something more was happening with ship navigation in the crowded shipping lanes of the South China Sea.

CHANGI NAVAL BASE, REPUBLIC OF SINGAPORE, U.S. Navy photo by Mass Communication Specialist 2nd Class Joshua Fulton/Released

In the aftermath of the collision, several news outlets openly speculated that there may have been some sabotage of GPS or other navigation systems to have caused such a preventable accident.  In the information age, the first thing people began to suspect was that their tools were faulty.

It’s relatively new ground for us. This is the first time we have sent a team from our cyber command here in Washington, Commander of 10th Fleet. Sent a team over there to pull as much data from that ship as possible that records data, to see if there were any interruptions or disruptions that were abnormal. I would also offer to you that just about every three-letter agency in Washington, D.C., has looked to see if there were indications of an intent or a potential acknowledgement of a cyber attack. We have seen — I have personally not seen any evidence of that. But we are not stopping there.”  –VADM Bill Moran to Congress

The thing is, this shouldn’t be new ground to anyone in the military.

Spoofing of GPS signals has been a demonstrated capability for quite some time.  In mid-2013, Professor Todd Humphreys from the University of Texas conducted a live test in the Ionian Sea against an $80M target, the “White Rose of Drachs” superyacht.  During the spoofing attack, Humphreys was able to convince the yacht to change course to correct course.  The problem was that the information is was acting on was fake.

That’s what’s so sinister about the attack that we did. There were no alarms on the bridge.” –Prof. Todd Humphreys

What’s more troubling is that there has been little movement to address this glaring vulnerability until newer GPS satellites with authenticated transmissions can be brought online.  And the problems do not end there.  In 2012, researchers at Carnegie Mellon University were able to show that attacks against GPS receivers can further compromise not just the calculation of position, but can corrupt the proper software functioning on the device:

Our findings suggest despite the fact that GPS is an unauthenticated broadcast protocol, current receivers treat any incoming signal as guaranteed correct. Worse, receivers often run full OSes with network services. Together, the possibility of RF and ethernet attacks creates a large attack surface.” –Tyler Nighswander et al., GPS Software Attacks