Tag: Pokémon GO

  • Spoofing in the Black Sea: What really happened?

    We’ve heard a lot in the news recently about GPS spoofing, mostly centred on the story of ship spoofing in the Black Sea. Between June 22-24, a number of ships in the Black Sea reported anomalies with their GPS-derived position, and found themselves apparently located at an airport.

    What happened is open to educated conjecture. In this column, I’ll briefly cover the history of spoofing, its basic techniques, some spoofing tests that we conducted, and then return to the infamous Black Sea incident.

    As part of my day-to-day work in navigation warfare, I do a fair amount of work in defensive anti-spoofing. Naturally, in order to test anti-spoof technology, it is necessary to also perform spoofing. It’s a delicate subject and, as with any topic involving defense or national security or critical infrastructure, there’s a balance to strike between responsible disclosure, how much information is released into the public domain, and so on.

    In this article, I will stick firmly to information available in the public domain, lest I be accused of proliferating the threat, but this still gives us enough material to tiptoe around the subject for the benefit of our readers. I could have included more details about the spoofing attacks, but was advised to hold some back — it makes governments nervous. You can read some of the background in an excellent article by Norwegian broadcaster NRK and a Resilient Navigation and Timing Foundation press release. Similar GPS anomalies still continue to occur at various locations.

    Let’s start with basic spoofing background, and we’ll return to the Black Sea incident at the end of the article.

    A brief history of spoofing

    Spoofing isn’t a new threat — it’s been around for decades. But only in recent years has it received so much public attention. As with jamming and anti-jamming technology, and most other topics in the GPS domain, spoofing finds its roots back in the days of Cold War radar. In those times, it was often known as “deception jamming,” where you would transmit fake radar returns to paint an incorrect picture on your adversary’s radar screen.

    When GPS came along, it was understood at the time that the C/A code would be vulnerable to spoofing. It’s an open code, so anyone is free to reproduce it. That is, after all, what a GPS simulator is: a GPS spoofer. We legitimately test our GPS receivers by fooling them with fake signals from a GPS simulator.

    Of course, this is precisely why legacy GPS satellites also transmit the military P(Y)-code, and continue to do so. The P-code offers improved accuracy, and some other benefits, but more importantly, it is modulated with the W encryption sequence to give us the encrypted P(Y)-code. Ever since the anti-spoofing module was set to the “on” state, unless you have the key, you are unable to directly spoof the P(Y)-code. (You can still perform a meaconing attack, though, where you simply record the transmitted satellite signals and retransmit them again. Although this kind of attack can’t be used to impose a particular scenario on a GPS receiver, it might still cause havoc in unwary receivers).

    So, in the early days it can be argued that the spoofing threat was solved. It wasn’t until GPS became ubiquitous in the commercial and civilian domain that spoofing really raised its head again. The fact that the vast majority of GPS receivers in the world relied solely on the unencrypted C/A code became a cause for concern — especially where those GPS receivers were essential to critical infrastructure.

    The threat of GPS spoofing was discussed at many conferences and behind many closed doors and, although most people agreed that spoofing was a theoretical threat, some people argued that in reality it was “simply too hard” to conduct a realistic spoofing attack. And therefore we should not worry ourselves about it.

    It wasn’t until a couple of high-profile demonstrations were carried out by the University of Texas Radionavigation Laboratory that spoofing became front-page news once again. In 2012, the lab staff carried out an exercise at White Sands Missile Range where a GPS-guided drone was spoofed from a distance. The drone was fooled into thinking its altitude was increasing, causing it to compensate by dropping straight down. Then in 2013, the same team demonstrated how an $80 million yacht could be steered off course by means of a spoofing attack.

    These exercises publicly demonstrated that spoofing was indeed a real threat, and could be done. But many people still believed that it was very hard to build the complex equipment necessary to perform the attack, and thus spoofing was out of reach for most potential criminals or terrorists.

    Fast forward another two or three years, to when a new mobile phone game appeared. Pokémon GO became the game craze of the moment, where players would travel around the country with their phones, getting points by collecting creatures in an augmented reality world. It didn’t take long for people to dream up new ways of earning points in the game, without having to go to the effort of traveling around the world.

    What if you could make your phone think it was somewhere else, without ever having to leave your bedroom? And thus, bizarrely, it was a mobile phone game that brought GPS spoofing into the mainstream.

    The rise of the low-cost software-defined radio (SDR) has enabled “spoofing for everyone.” Today, the tool of choice for the casual user is often the HackRF or bladeRF. Couple small SDRs that cost around $200 with open-source GPS simulation software, and you have a basic spoofer. Plenty of websites detail how to perform basic spoofing, and at hacker gatherings, people can present how they spoofed a drone. These may not be the most sophisticated setups, but it’s good enough to do the job in many cases. With a better setup, which I won’t describe here, it’s possible to achieve a much more realistic attack, which will fool even the most shrewd and wary GPS receivers.

    Spoofing basics

    Let’s take a quick look at what it means to spoof GPS. A receiver searches for a satellite over a two-dimensional surface to find a correlation peak, and it must examine a range of Doppler frequencies and code offsets. An example is shown in Figure 1. Once the receiver finds the peak, the satellite is acquired, and it will then track the satellite as it moves and can demodulate the navigation data message.

    When a spoofer comes along, it tries to recreate this peak. By doing so, and usually with little more power than the real satellites, the receiver will begin to track the spoofed signal. Once the spoofed signal is being tracked, the spoofer can begin to manipulate reality by slowly modifying the properties of the signal.

    Figure 1. GPS correlation surface. (Image: Michael Jones)

    A poor spoofer doesn’t always align itself very well with reality, which essentially creates a second peak on the correlation surface. But a gullible receiver can still be fooled by this, and may lock on to false peaks.
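    As an added illustration (not from the article), here is a chip-level simulation of the acquisition search described above: a C/A Gold code replica is correlated at every code offset, and a second strong peak, of the kind a misaligned spoof signal produces, is flagged. Doppler is omitted so the two-dimensional surface collapses to the code-offset axis; the PRN, offsets, amplitudes and noise level are constructed values.

```python
import random

# Phase-select taps of the G2 register for the first eight GPS PRNs (ICD-GPS-200).
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9),
           5: (1, 9), 6: (2, 10), 7: (1, 8), 8: (2, 9)}
CHIPS = 1023


def ca_code(prn):
    """1023-chip C/A Gold code for one PRN as +1/-1 values (the open code the article mentions)."""
    t1, t2 = G2_TAPS[prn]
    g1, g2, chips = [1] * 10, [1] * 10, []
    for _ in range(CHIPS):
        chips.append(1 - 2 * (g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1]))
        g1 = [g1[2] ^ g1[9]] + g1[:9]                                  # 1 + x^3 + x^10
        g2 = [g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]] + g2[:9]  # 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
    return chips


def build_signal(code, components, noise_sigma=1.0, seed=1):
    """Constructed received signal: each (code_offset, amplitude) component plus Gaussian noise.
    Chip-level model with no Doppler, so the search surface reduces to the code-offset axis."""
    rng = random.Random(seed)
    sig = [rng.gauss(0.0, noise_sigma) for _ in range(CHIPS)]
    for offset, amp in components:
        for i in range(CHIPS):
            sig[(i + offset) % CHIPS] += amp * code[i]
    return sig


def circular_correlation(signal, code):
    """Correlate the local replica against the signal at every code offset (the acquisition search)."""
    doubled = signal + signal
    return [sum(s * c for s, c in zip(doubled[k:k + CHIPS], code)) for k in range(CHIPS)]


def detect_peaks(corr, ratio=0.5):
    """Offsets whose correlation magnitude is at least `ratio` times the strongest peak.
    Gold-code sidelobes (|value| <= 65) and noise stay far below that for a genuine peak."""
    top = max(abs(c) for c in corr)
    return [k for k, c in enumerate(corr) if abs(c) >= ratio * top]


def assess(prn, components, noise_sigma=1.0):
    """Return (peak offsets, spoof_suspected): more than one strong peak is the tell-tale sign."""
    code = ca_code(prn)
    corr = circular_correlation(build_signal(code, components, noise_sigma), code)
    peaks = detect_peaks(corr)
    return peaks, len(peaks) > 1


if __name__ == "__main__":
    # Constructed scenario: authentic PRN 1 at offset 300; a misaligned copy of the same
    # PRN at offset 700 with about 3.5 dB more power, the article's "poor spoofer" case.
    print(assess(1, [(300, 1.0)]))               # ([300], False)
    print(assess(1, [(300, 1.0), (700, 1.5)]))   # ([300, 700], True)
```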

    The reality of spoofing and anti-spoofing

    To understand the reality of spoofing and anti-spoofing, we carried out outdoor experiments at one of the Roke Manor trials areas (thanks go to my colleague Mike Wells for letting me use some of his results here).

    In the first experiment (Figure 2), we spoof a commercially available mass-market receiver. The receiver is outside, reporting its correct location at Roke Manor. When we commence the spoofing attack, we are able to take control of the receiver. Once captured, we can then make the receiver appear to follow an arbitrary course. Here we make it wander off into the forest, spelling the word “roke” as it goes.

    Figure 2. Spoofed GPS receiver appears to follow a course, whilst in reality being stationary. (Image: Michael Jones)

    In the next experiment (Figure 3), we place a conventional anti-jam antenna (a CRPA) on the receiver. What we observe, as you might expect, is that the basic CRPA offers no protection against the spoofing attack.

    Figure 3. A GPS receiver is still successfully spoofed when protected by a conventional CRPA. (Image: Michael Jones)

    Now let’s make the experiment more interesting. We’ll move away from the basic commercial receiver, and replace it with a unit that contains not only a GPS receiver, but also a 3-axis accelerometer, 3-axis gyro, 3-axis magnetometer and a barometric sensor. An Extended Kalman Filter (EKF) performs an optimal fusion of the various sensors to yield the position solution.

    The result, when we again try our spoofing attack, is shown in Figure 4. In short, the receiver is still successfully spoofed, despite the additional sensor inputs it offers.

    Figure 4. A GPS receiver with integrated inertial sensors is still spoofed. (Image: Michael Jones)

    Before everyone gets too depressed by the ease at which GNSS, and even GNSS fused with other sensors, can be spoofed, there are answers to this problem. Some decent, modern GNSS receivers contain a whole host of algorithms for detecting and ignoring spoof signals. The issue is that many legacy receivers are still in the field, and these can be extremely vulnerable indeed.

    Another option is to use a more advanced CRPA, which offers anti-spoof capabilities. These adaptive antennas are able to correlate on the spoof signals, and then remove them based on direction of arrival. So, in our final experiment here, we use our commercial mass-market receiver again, and protect it with an anti-spoofing CRPA.

    The result is shown in Figure 5. You can see that the receiver is briefly spoofed, and starts to wander off course. When the anti-spoof is enabled and kicks in, the position quickly drifts back to the true location and stays there. Good job.

    Figure 5. With an anti-spoof CRPA, the GPS receiver detects the spoofer and quickly returns to its true location. (Image: Michael Jones)

    Back to the Black Sea

    Let’s finish by returning to the hot topic of the day. Did spoofing occur in the Black Sea back in June? Or was it a different form of interference? Could it have been a low-level jamming incident, causing the GPS receivers to report misleading information?

    Without resorting to SIGINT (signals intelligence) data, and basing this discussion solely on public domain information and anecdotal evidence, I would say this was almost certainly a spoofing incident. A number of factors lead to this conclusion, and I’ll share some of them.

    • Firstly, it didn’t happen to one ship – it happened to over 20 separate vessels. So it wasn’t a malfunctioning GPS unit; it was an external incident of some kind.
    • Secondly, a large number of ships in the area reported identical or very close locations. This is a symptom of a large-scale spoofing attack. If it was a low-level jamming attack, then any misleading positions reported by vessels would typically have some randomness to them.
    • Thirdly, ships reported that their positions would periodically “jump” from the true location to the incorrect location. Again, this is very typical behavior in some spoofing experiments: For various reasons, GPS receivers may temporarily lose lock on a spoof set of satellites, and then reacquire the real ones, and vice versa. This causes the characteristic random flipping between two well-defined locations.
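    The three observations can be turned into a simple fleet-level check. This is an added example, not part of the column: constructed position reports for four vessels are scanned for physically impossible jumps, and the jump destinations are clustered to see whether several vessels land on the same spot (spoofing-like) or scatter (jamming-like). Vessel A's starting point is the reported position quoted later in the article; every other coordinate, the vessel names and the speed and radius thresholds are invented.

```python
import math

EARTH_RADIUS_KM = 6371.0

# Constructed position reports (vessel, minutes, lat, lon). Vessel A starts at the
# article's reported position 44°14.0'N 037°43.1'E; the shared "jump" destination
# near 44.80N 37.20E is an invented point, not the real reported location.
REPORTS = [
    ("A", 0, 44.2333, 37.7183), ("A", 10, 44.8000, 37.2000), ("A", 20, 44.2340, 37.7190),
    ("B", 0, 44.2500, 37.7000), ("B", 10, 44.8001, 37.2002),
    ("C", 0, 44.2100, 37.7500), ("C", 10, 44.7999, 37.1998),
    ("D", 0, 44.3000, 37.6000), ("D", 10, 44.3020, 37.6050),   # ordinary movement
]


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_jumps(reports, max_speed_kn=50.0):
    """Reports implying a speed no ship can make since the vessel's previous report
    (the 'positions jump' symptom). Returns (vessel, lat, lon) for each flagged report."""
    by_vessel = {}
    for vessel, minutes, lat, lon in sorted(reports, key=lambda r: (r[0], r[1])):
        by_vessel.setdefault(vessel, []).append((minutes, lat, lon))
    flagged = []
    for vessel, track in by_vessel.items():
        for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
            hours = (t1 - t0) / 60.0
            speed_kn = distance_km(la0, lo0, la1, lo1) / hours / 1.852
            if speed_kn > max_speed_kn:
                flagged.append((vessel, la1, lo1))
    return flagged


def shared_jump_targets(reports, radius_km=1.0, min_vessels=2, max_speed_kn=50.0):
    """Cluster the flagged positions; a cluster shared by several vessels is the
    'identical or very close locations' symptom that points to spoofing rather than jamming."""
    clusters = []   # each entry: [lat, lon, set of vessels]
    for vessel, lat, lon in impossible_jumps(reports, max_speed_kn):
        for cl in clusters:
            if distance_km(cl[0], cl[1], lat, lon) <= radius_km:
                cl[2].add(vessel)
                break
        else:
            clusters.append([lat, lon, {vessel}])
    return [(round(c[0], 3), round(c[1], 3), sorted(c[2]))
            for c in clusters if len(c[2]) >= min_vessels]


if __name__ == "__main__":
    for vessel, lat, lon in impossible_jumps(REPORTS):
        print(f"{vessel}: implausible jump to {lat:.4f}N {lon:.4f}E")
    print("shared targets:", shared_jump_targets(REPORTS))   # one cluster shared by A, B, C
```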

    If we accept that a GPS spoofing attack did occur, it brings us to the million-dollar question.

    Who did the spoofing, and why?

    What I’ll do here is a bit of a lightweight analysis exercise using public information and basic physics, and you can formulate your own conclusions.

    Let’s start by placing a ship, located in the Black Sea at 44°14.0’N 037°43.1’E, which is the actual position of one of the reported spoofed vessels. For this example, I have placed a representative GPS antenna on the ship’s mast, with its antenna pattern shown.

    Figure 6. Victim ship in the Black Sea, with GPS antenna pattern shown. (Image: Michael Jones)

    To get a rough handle on the scenario, consider the possible propagation of the spoofing signal. As a first-order approximation, let’s assume a standard 4/3 Earth refraction model, with obstruction by terrain. That’s a reasonable assumption at this frequency: Any obscuration by terrain will block the spoof signal. Let’s also initially assume that our GPS antenna on the ship is mounted 38 meters above sea level, and our spoofing equipment is mounted on a mast 20 meters aboveground. From this information, we can plot a map of possible spoofer locations for this particular incident (Figure 7).

    Figure 7. Possible spoofing source locations. (Image: Michael Jones)

    The first thing we might conclude from this is that the spoofing indeed originates from Russian territory, close to the Black Sea coast. To spoof the ship from further afield would require a much higher antenna, or even an airborne antenna. Which, of course, is possible, but then we would also expect vessels over a much wider area to report interference.
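    The smooth-sea version of that calculation, as an added example rather than the author's terrain-aware model: the 4/3-Earth radio horizon for each antenna height, the largest separation at which the two horizons still meet, and the inverse (the transmitter height a more distant source would need). The 38 m and 20 m heights are the article's; terrain masking, which the map above includes, is ignored here, so these figures are upper bounds.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
K_FACTOR = 4.0 / 3.0   # standard refraction: effective Earth radius is 4/3 of the true one


def radio_horizon_m(height_m, k=K_FACTOR):
    """Distance to the radio horizon for an antenna height_m above a smooth sea.
    With effective radius k*R the geometry gives d = sqrt(2*k*R*h); the h^2 term is
    negligible at mast heights."""
    if height_m < 0:
        raise ValueError("antenna height must be non-negative")
    return math.sqrt(2.0 * k * EARTH_RADIUS_M * height_m)


def max_los_range_m(tx_height_m, rx_height_m, k=K_FACTOR):
    """Largest separation at which transmitter and receiver horizons still meet."""
    return radio_horizon_m(tx_height_m, k) + radio_horizon_m(rx_height_m, k)


def tx_height_for_range_m(range_m, rx_height_m, k=K_FACTOR):
    """Inverse: transmitter height needed to reach a receiver at range_m (0 if the receiver's
    own horizon already covers it). Used to judge whether a candidate source location is plausible."""
    remaining = range_m - radio_horizon_m(rx_height_m, k)
    return 0.0 if remaining <= 0 else remaining ** 2 / (2.0 * k * EARTH_RADIUS_M)


if __name__ == "__main__":
    ship, mast = 38.0, 20.0     # the article's assumed antenna heights, in metres
    print(f"ship horizon       : {radio_horizon_m(ship) / 1000:.1f} km")       # 25.4
    print(f"mast horizon       : {radio_horizon_m(mast) / 1000:.1f} km")       # 18.4
    print(f"max smooth-sea LOS : {max_los_range_m(mast, ship) / 1000:.1f} km")  # 43.8
    print(f"height to reach 100 km: {tx_height_for_range_m(100e3, ship):.0f} m")  # roughly 330
```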

    To me, it’s fairly conclusive that spoof GPS signals are being transmitted from this area, to make GPS receivers in the area think they are at an airport. The final question is: “Why would someone do this?” To answer this question, we must resort to educated speculation. Why would you want to spoof GPS receivers into thinking they are at an airport?

    There’s one explanation that fits very nicely: drone defense. Many drones, especially those operated by casual users, have geofencing rules that prevent flights over airports and other restricted areas. So, if you were trying to perform aerial surveillance of the Russian border, your drone may suddenly think it was over an airport, and take action accordingly. The action taken depends, of course, on how the drone is programmed, but often includes “land immediately” or “return to launch point.” Certainly some of the drones we operate will immediately attempt to land if they find themselves in restricted airspace.

    So if your drones are falling into the sea, you now have one idea why.

  • Bring Pokémon to you with a Rohde & Schwarz signal generator

    A team of Rohde & Schwarz engineers have found a new way to hack Pokémon Go, the massively popular app that debuted last month.

    The engineers are generating GNSS data with a Rohde & Schwarz signal generator, and feeding the signal directly into the mobile device, making it possible to collect dozens of Pokémon right in the lab.

    The team produced a video showing the hack, which has received almost 400,000 views on YouTube, and received coverage from Bloomberg and The Verge.

    The Munich-based Rohde & Schwarz team provides the following hardware diagram of the setup:

    [Image: hardware diagram of the setup]

    The team also describes the technical details:

    “The setup is a little proof of concept by simulating GPS signals with an HIL — hardware in the loop — interface, which can also be used for a flight simulator or similar applications.

    “An R&S SMBV100A vector signal generator serves as a source to simulate real-life GNSS RF signals. We use a custom PC software with a joystick controller for the ultimate gaming experience *wink* — it may as well be controlled with a mouse. This software streams HIL commands to the signal generator over a LAN interface and interpolates position and velocity changes. The interpolation will be done according to a desired inertia model — pedestrian/car/plane — we actually used a slow car here with a maximum speed of ~15 km/h. This is useful, for instance, if you assume that cars will not make 90° turns.

    “We set the GNSS coordinates of the signal generator to some arbitrary position in the world and start the HIL mode — this will result in a ban if you jump quickly from Moscow to Sydney! You have to wait a reasonable amount of time in between.

    “The signal generator simulates a real-life GNSS RF signal, which is fed indirectly into the mobile phone and to a u-blox M8 GNSS receiver. This is why we use an RF splitter. The losses from antenna to device are roughly 30 dB. We therefore generate a signal of -80 dBm in order to achieve the common GNSS signal strength of -110 dBm at the device. The idea behind the shielding box is to protect the device from the signal from outside. You could also build the setup in a cellar.

    “We use the corresponding u-center v8.11 software, which is connected to the GNSS receiver to visualize our current position using a Google Maps plug-in. The u-blox is connected via USB to the computer.

    “By doing so, we create a closed-loop realtime GNSS simulation with user feedback and interaction.”

  • Pokémon GO: Location-based app leads to accidents

    We have to stop. It’s a Jigglypuff!

    Common sense tells us not to hold a smartphone while driving. But a new game is so addicting, it’s causing people to forget that rule.

    Released July 6 for both Android and iOS, Pokémon GO instantly became the top free app and the top grossing app on Apple’s App Store, shattering social media records and shooting Nintendo stock through the roof. And it hasn’t even been introduced in Europe and Asia yet. (Japan, of course, is the birthplace of Pokémon.)

    The game uses augmented reality to place the coveted virtual monsters (Pokémon) into real-world locations, so users have to travel to add to their collections.

    However, much like in the early days of GPS navigation, when people ended up driving down railroad tracks or into ponds, the Pokémon GO app has led to accidents. Some users are playing the location-based game from inside their vehicles, stopping suddenly, while pedestrians are staring at device screens as they walk through busy cities, sometimes onto private property.

    In the first week:

    • A 28-year-old Auburn, New York, driver ran his vehicle off the road and crashed into a tree.
    • A Massachusetts man woke up to a garden full of wandering Pokémon players after his home — once a church — had been marked as a “gym” (multi-player battleground).
    • A group of Missouri teenagers were arrested for armed robbery after allegedly using the app to anticipate secluded locations for holdups.

    Police departments around the country are warning that anyone caught using the app while driving or jaywalking could end up with a hefty fine.

    But there’s an upside, too. Gamers are going outside, getting exercise and making new social connections.

    And, apparently, helping police. One 19-year-old Wyoming woman, on a quest to catch a Pokémon from a natural water resource, instead discovered a dead body floating in the Big Wind River.

  • Using GPS, Pokémon GO takes on the world

    Nintendo has launched a beta test of a new Pokémon game that takes place in the real world. The beta testing began July 6.

    Using Pokémon GO, gamers travel between the real world and the virtual world of Pokémon with iPhone and Android devices.

    Pokémon GO is built on Niantic’s Real World Gaming Platform for augmented reality. It uses GPS to encourage players to search far and wide in the real world to discover Pokémon. The game allows players to find and catch more than a hundred species of Pokémon as they explore their surroundings.

    [Image] Players are represented on an augmented reality map of the real world.

    As players move around, the smartphone vibrates when a Pokémon is nearby. When players encounter a Pokémon, they take aim on their smartphone’s touchscreen and throw a Poké Ball to catch it. The player is indicated on a map showing their actual location.

    The game encourages users to explore the cities and towns where they live to capture as many Pokémon as they can. Also, PokéStops are located at interesting places, such as public art installations, historical markers and monuments, where players can collect more Poké Balls and other items.

    Players can also join teams, and “battle” with their captured Pokémon at “gyms” that can be found at real-world locations.

    The Pokémon GO Plus wearable can be removed from the band and worn on a shirt.

    The Pokémon video game series has used real-world locations such as the Hokkaido and Kanto regions of Japan, New York, and Paris as inspiration for the fantasy settings in which its games take place. This is the first time the popular game franchise has used the real world as its setting.

    While the game is free to play, Nintendo will be rolling out a $35 wearable that enables play without looking at a smartphone, such as for joggers on their morning run.