On the 4th of December, 2011, a Lockheed-Martin Sentinel drone crash-landed in Kashmar, Iran. At the time, many questions were asked about how Iran had managed to commandeer an American drone and force it out of the sky. Experts speculated that the drone was tricked into believing it was at its home base in Afghanistan, as reported by Scott Peterson and Payam Faramarzi of the Christian Science Monitor. In July of 2013, Prof. Todd E. Humphrey and his team at the radio navigation lab at the University of Texas at Austin demonstrated their custom-built platform with the ability to spoof GPS signals.
In a demonstration, they caused an $80M, 65-meter superyacht to alter its course, unable to distinguish the spoofed signal from the authentic one. On August 7th of 2015, two researchers, Yang Qing and Huang Lin, with Chinese security firm Qihoo 360’s Unicorn Team, demonstrated a low-cost GPS satellite-spoofing platform at the 23rd annual DEFCON security conference in Las Vegas, Nevada.
Their platform used easily available hardware and software components to fool a cell phone into incorrectly computing their position and displaying it to the user as well as convincing a drone to enter denied space prohibited by the firmware of the drone system in a technique known as “geo-fencing.” And then, on January 12 of this year, Iranian forces captured two U.S. Navy patrol boats and 10 sailors after they allegedly strayed into Iranian waters. The official U.S. Navy story was that the boats had experienced “mechanical trouble.”
Some in the information security community have openly suggested that this was another demonstration of Iranian GPS spoofing capability.
To understand how GPS spoofing works, it’s helpful to understand a little more about how getting a position fix works in the normal case. GPS is a broadcast-only system. A GPS receiver listens to signals from orbiting satellites and calculates how far it is from each by measuring the time of flight of that signal through space to where it is. More precisely, it measures the difference between the observed times of flight between a multitude of signals from different satellites.
The basic principle is this: A timing pulse is sent from a satellite that arrives sometime later at the receiver. That time represents a certain distance from the satellite. If you imagine a sphere around that satellite that represents the time for that signal to arrive at the receiver, you’re getting it. Each satellite is going to be a different distance from the receiver. Where the spheres that represent that distance from the satellite intersect represents the actual position fix within some margin of error.
Two spheres (representing two satellites) intersecting make a circle where they intersect. Three intersecting spheres (plus the earth) make three circles that intersect to give an actual position in three-dimensional space. So if we know how far we are from each satellite, the only thing needed is to know where each satellite is in space for us to know where the receiver is and compute a position fix. We learn this information directly from each satellite in two parts: the almanac and the ephemeris data.
Both are used to tell receivers about the orbits and other parameters of the constellation. Each satellite for the whole constellation of satellites broadcasts the almanac. This information is very long-lived and is updated every day. The ephemeris data is much more frequently updated, usually every hour or so. When a receiver first powers on, the first thing it must do is download an entire almanac and ephemeris from what is termed a “cold start.” Once this almanac is downloaded, a receiver will then obtain ephemeris data from every satellite it can hear. When this is complete, a position fix can be computed.
The timing and navigation message signals are often referred to as the Coarse-Acquisition Code (or C/A code). These signals are broadcast on the L1 frequency designed for civilian applications.
To spoof a GPS receiver, an attacker must simulate the same signal that an authentic SV (space vehicle) transmits. This always includes the timing and navigation message signals (NAV) that are specific to the satellite an attacker is attempting to spoof, but may include spoofed information regarding the almanac and ephemeris data that a receiver is listening for. One attack method is to simply record an authentic signal captured from a satellite and then replay it with an additional delay.
By altering the observed time-of-flight of the signal, a receiver can be convinced that it’s farther away from a satellite than it actually is. This technique simply requires real-time views of the satellites overhead along with a transmitter that can overpower the signals received directly from the satellite. Another more powerful technique is to directly synthesize a new signal and pretend to be an actual GPS SV.
This latter technique is what Yang Qing and Huang Lin demonstrated. Using widely available software (MATLAB) and a device called a software-defined radio (SDR), they were able to use a regular PC to simulate the messages that an authentic SV transmits. The nominal cost of this entire setup is approximately $1000 USD. GPS spoofing as a technical capability is now well within the budget of a motivated and technically capable team. We can only expect that the availability of this technique will become more widespread as the cost of these devices drops and the knowledge and software required to perform this attack are developed further.
PLGRs, DAGRs, SAASM, and M-Code (Oh my!)
What is sometimes missed in any discussion about GPS signal authenticity and availability is that “military” GPS receivers have been available since the beginning. The older PLGR (Precision Lightweight GPS Receiver) and newer DAGR (Defense Advanced GPS Receiver) have the capability to receive an encrypted version of the NAV messages called the P(Y) code. When this set of messages is unencrypted, it’s called the P-code. Encrypted, it’s called the Y-code.
This introduces an interesting problem: In order for DAGRs and PLGRs to properly decode the Y-code, they must have a key programmed into them. That same key is used for all secured GPS receivers. Properly getting this crypto-key into the hundreds of thousands of individual PLGRs/DAGRs in the field presents a unique key-distribution problem. If a DAGR refuses to give a location because it’s lost the key-fill, or falls back to the unencrypted C/A-code rather than the more secure Y-code, what’s a servicemember going to do?
Might it be to trust the civilian GPS receiver they have on their wrist? To further solve (or complicate) the problem, newer receivers have something called a Selective Availability Anti-spoofing Module (SAASM) integrated into them that’s designed to provide some measure of anti-jam/anti-spoof capability to a DAGR or comparable military application GPS receiver.
This SAASM requires periodic re-keying by one of two methods: “red key”(classified) or “black key” (unclassified) mechanisms. The red-key method requires that secure means be utilized to transport or handle the keying material. The black-key method encrypts the keying material for transit and allows for transmission over unclassified channels, including OTA (over-the-air) re-keying. Once the black key is used to program a DAGR, the keying material is decrypted and programmed into the terminal. The black-key method is a significant improvement to the key-distribution problem associated with military GPS terminals.
Finally, newer SVs will deploy a new GPS signal called the M-code. The future M-Code signals transmitting the MVAV (military NAV) messages are expected to launch in 2017 as part of the GPS III modernization program. In addition to improved anti-jam and anti-spoofing capabilities provided by the MNAV message format that will permit authentication of valid satellite signals, “spot beam” highly directional signals will be available to direct higher-power signals to specific theaters. This should mitigate the effect of localized jamming or spoofing attempts.
While the overall frequencies and modulation formats for this new set of signals that comprise the M-code are known, the formatting and composition of the MNAV message is not. Those new signals will not be available for an undetermined time. In the meantime, most GPS users will be unable to take advantage of these new signals since their terminals will only receive the standard, unauthenticated, easily spoofed L1 signal.