“Seen & Heard” is a monthly feature of GPS World magazine, traveling the world to capture interesting and unusual news stories involving the GNSS/PNT industry.
Keeping canoeists afloat
The United Kingdom’s Hire a Canoe company has installed Kinesis trackers on its fleet to manage transport of clients to and from their water sport activities. Real-time traffic updates and live Estimated Time of Arrival calculations help manage riverside customer pickup, while advanced geofencing provides instant notification if a canoe, kayak or paddle board leaves a defined zone during off hours.
Russian company Glonass is investing RUB 4–5 million in a mobile application aimed at pedestrian safety, reports Telecompaper. The app will warn pedestrians using smartphones and headphones of approaching cars, based on an AI collecting data from smart traffic lights. Tests will take place in 2020 in the Samara, Volgograd, Tomsk, Kursk, Tambov and Moscow regions.
GPS spoofing service
Virtual private network (VPN) Surfshark has added GPS Spoofing to its Android VPN. The new optional feature allows users to shield their online presence from unsolicited tracking by giving them the ability to change their device’s physical GPS location. The new feature is for “privacy conscious people” who want “to keep their physical location information only to themselves.” Instead of the user’s location, the app provides one of the Surfshark VPN server locations.
‘Spoofing circles’ appear in China
“GPS spoofing circles” have been discovered at 20 locations along the Chinese coast, according to the non-profit environmental group Skytruth. Of the locations observed, 16 were oil terminals; the others were corporate and government offices. The spoofing in Shanghai resulted in reported positions from ships, fitness trackers and other GPS-enabled devices forming circles some distance from the shore — a phenomenon first observed by the non-profit C4ADS. Professor Todd Humphreys briefed the phenomenon at an Institute of Navigation conference in September, and MIT Technology Review published an article about it in November 2019.
As technological advances make GPS/GNSS devices more affordable, our lives are becoming increasingly dependent on precise positioning and timing. Industries such as survey, construction and logistics rely on precise positioning for automation, efficiency and safety.
GNSS time provides the pulsating heartbeat for the backbone of our industry by synchronizing telecom networks, banks and the power grid. A single day of GNSS outage is estimated to cost 1 billion U.S. dollars.
GNSS is a reliable system, and to keep it as such, professional GNSS receivers need to be wary of all possible vulnerabilities which could be exploited. Using GNSS receivers that are robust against jamming and spoofing is key for secure PNT (positioning, navigation and timing).
What is GPS/GNSS spoofing?
Radio interference can overpower weak GNSS signals, causing satellite signal loss and potentially loss of positioning. Spoofing is an intelligent form of interference which makes the receiver believe it is at a false location. During a spoofing attack, a radio transmitter located nearby sends fake GPS signals into the target receiver. For example, a cheap software-defined radio (SDR) can make a smartphone believe it’s on Mount Everest!
Figure 1. A cheap SDR can overpower GNSS signals and spoof a single-frequency smartphone GPS into believing it is on Mount Everest. (Image: Septentrio)
Why GPS spoofing?
Imagine a combat situation. Clearly, the side which uses GPS/GNSS technology would have an advantage over the side which does not. But what if one side could manipulate GPS receivers of their adversary? This could mean taking over control of autonomous vehicles and robotic devices which rely on GPS positioning.
For example, in October 2018, Russia accused the U.S. of spoofing a drone and redirecting it to attack a Russian air base in Syria.
Figure 2. GNSS spoofing could be used to manipulate movement of aerial drones. (Image: Septentrio)
In the last three years, more than 600 incidents of spoofing have been recorded in the seas near the Russian border. These ships appeared to be “transported” to nearby airports.
This type of spoofing might have been introduced as a defense mechanism to ground spy drones. Most semi-professional drones on the market have a built-in geo-fencing mechanism that lands them automatically if they come close to airports or other restricted areas.
Some of the most enthusiastic spoofers are Pokémon GO fans who use cheap SDRs to spoof their GPS position and catch elusive Pokémon without having to leave their room.
Types of spoofing
Spoofers overpower relatively weak GNSS signals with radio signals carrying false positioning information. There are two ways of spoofing:
Rebroadcasting GNSS signals recorded at another place or time (so-called meaconing)
Generating and transmitting modified satellite signals
Spoof-proof: How can you protect your receiver against spoofing?
To combat spoofing, GNSS receivers need to detect spoofed signals out of a mix of authentic and spoofed signals. Once a satellite signal is flagged as spoofed, it can be excluded from positioning calculation.
GNSS receivers can offer various levels of spoofing protection. Let’s compare it to a house intrusion-detection system. You can have a simple entry alarm system or a more complex movement detection system. For added security you might install video image recognition, breaking-glass sound detection or a combination of the above.
Like a house with an open door, an unprotected GNSS receiver is vulnerable to even the simplest forms of spoofing. Secured receivers, on the other hand, can detect spoofing by looking for signal anomalies, or by using signals designed to prevent spoofing such as Galileo OS-NMA and E6 or the GPS military code.
Advanced interference mitigation technologies, such as the Septentrio AIM+, use signal-processing algorithms to flag spoofing by detecting various anomalies in the signal. For example, a spoofed signal is usually more powerful than an authentic GNSS signal.
AIM+ won’t even be fooled by an advanced GNSS signal generator, the Spirent GSS9000. Even when the generated signal has realistic power levels and carries actual navigation data, AIM+ can identify it as a “non-authentic” signal.
Other advanced anti-spoofing techniques such as using a dual-polarized antenna are being researched.
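The power anomaly mentioned above, turned into a receiver-side check, as an added example that is not Septentrio's AIM+ code or part of the original article: it compares each satellite's carrier-to-noise density (C/N0) with that satellite's own recent baseline, excludes flagged signals, and reports when too few remain for a fix. The thresholds, satellite IDs and sample epochs are constructed assumptions.

```python
from collections import defaultdict, deque
from statistics import median

# Assumed thresholds for illustration; a real receiver would tune these
# to its antenna, front end and environment.
ABS_CEILING_DBHZ = 55.0  # C/N0 above this is treated as implausibly strong
JUMP_DB = 6.0            # allowed rise over the satellite's own baseline
MIN_HISTORY = 3          # epochs needed before the baseline is trusted
MIN_SATS_FOR_FIX = 4     # 3D position plus receiver clock bias


class PowerMonitor:
    """Flags satellites whose signal is suddenly or implausibly strong."""

    def __init__(self, window=10):
        # Per-satellite history of C/N0 values that passed the check.
        self.history = defaultdict(lambda: deque(maxlen=window))

    def check_epoch(self, cn0_by_sat):
        """Return (usable, flagged) for one epoch of {sat_id: C/N0 in dB-Hz}."""
        usable, flagged = [], {}
        for sat, cn0 in sorted(cn0_by_sat.items()):
            hist = self.history[sat]
            reason = None
            if cn0 > ABS_CEILING_DBHZ:
                reason = "above ceiling"
            elif len(hist) >= MIN_HISTORY and cn0 - median(hist) > JUMP_DB:
                reason = "jump over baseline"
            if reason:
                flagged[sat] = reason
            else:
                usable.append(sat)
                # Only clean samples feed the baseline, so a flagged
                # signal cannot drag the baseline up behind it.
                hist.append(cn0)
        return usable, flagged


def can_fix(usable):
    """A position should only be computed from enough unflagged satellites."""
    return len(usable) >= MIN_SATS_FOR_FIX


# Constructed sample data: three quiet epochs, then the GPS signals
# (G..) become much stronger while the Galileo signal (E11) is unchanged.
EPOCHS = [
    {"G05": 44.0, "G12": 41.5, "G19": 38.0, "E11": 43.0},
    {"G05": 44.5, "G12": 41.0, "G19": 38.5, "E11": 42.5},
    {"G05": 43.5, "G12": 42.0, "G19": 37.5, "E11": 43.5},
    {"G05": 52.0, "G12": 51.5, "G19": 56.0, "E11": 43.0},
]


def run(epochs):
    monitor = PowerMonitor()
    return [monitor.check_epoch(epoch) for epoch in epochs]


if __name__ == "__main__":
    for i, (usable, flagged) in enumerate(run(EPOCHS), start=1):
        status = "fix ok" if can_fix(usable) else "ALARM: no trusted fix"
        print(f"epoch {i}: usable={usable} flagged={flagged} -> {status}")
```

A power check alone would not catch a spoofer transmitting at realistic power levels, which is why the article describes it as one anomaly among several.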
Satellite navigation data authentication
Various countries invest in spoofing resilience by building security directly into their GNSS satellites. With OS-NMA (Open Service Navigation Message Authentication), Galileo is the first satellite system to introduce an anti-spoofing service directly on a civil GNSS signal.
OS-NMA is a free service on the Galileo E1 frequency. It enables authentication of the navigation data on Galileo and even GPS satellites. Such navigation data carries information about satellite location and, if altered, will result in a wrong position computation by the receiver. While currently in development, OS-NMA is planned to become publicly available in the near future. GPS is also experimenting with satellite-based anti-spoofing for civil users through its recent Chimera authentication system.
Figure 3. European Galileo satellites provide an open authentication service on the E1 signal and a commercial authentication service on the E6 signal. (Image: European Space Agency)
Recently, within the scope of the FANTASTIC project led by GSA, OS-NMA anti-spoofing protection was implemented on a Septentrio receiver.
The strongest shield: signal-level GNSS authentication
The Galileo system will be offering Commercial Authentication Service (CAS) on the E6 signal with the highest level of security for safety-critical applications such as autonomous vehicles. The signal-level encryption will be based on techniques similar to those of the military GPS signals. Only receivers that have the secret key are able to track such encrypted signals. The secret key is also needed to generate the signal, making it impossible to fake. CAS authentication techniques are currently being prototyped at Septentrio in collaboration with the European Space Agency.
Spoof-resilient GNSS means reliable precise positioning and timing, and peace of mind for everyone touched by this indispensable technology.
Autopilot Navigation Steers Car off Road, Research from Regulus Cyber Shows
The Tesla Model S and Model 3 — electric cars built for speed and safety — are vulnerable to cyberattacks aimed at their navigation systems, according to recent research from Regulus Cyber.
During a test drive using Tesla’s Navigate on Autopilot feature, a staged attack caused the car to suddenly slow down and unexpectedly veer off the main road. Regulus Cyber, the first company to deal with smart-sensor security across a wide range of applications including automotive, mobile, and critical infrastructure, initially discovered the Tesla vulnerability during its ongoing study of the threat that easily accessible spoofing technology poses to GNSS receivers.
The Regulus Cyber researchers found that spoofing attacks on the Tesla GNSS receiver could easily be carried out wirelessly and remotely, exploiting security vulnerabilities in mission-critical telematics, sensor fusion, and navigation capabilities.
Regulus Cyber experts traveled to Europe last week to test-drive the Tesla Model 3 using Navigate on Autopilot. An active guidance feature for its Enhanced Autopilot platform, it’s meant to make following the route to a destination easier, which includes suggesting and making lane changes and taking interchange exits, all with driver supervision.
While it initially required drivers to confirm lane changes using the turn signals before the car moved into an adjacent lane, current versions of Navigate on Autopilot allow drivers to waive the confirmation requirement if they choose, meaning the car can activate the turn signal and start turning on its own. Tesla emphasizes that “in both of these scenarios until truly driverless cars are validated and approved by regulators, drivers are responsible for and must remain ready to take manual control of their car at all times.”
Designed to reveal how the semi-autonomous Model S and Model 3 would react to a spoofing attack, the Regulus Cyber test began with the car driving normally and the autopilot navigation feature activated, maintaining a constant speed and position in the middle of the lane.
Although the car was three miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away — abruptly slowing down, activating the right turn signal, and making a sharp turn off the main road. The driver immediately took manual control but couldn’t stop the car from leaving the road.
The testing revealed another unexpected finding that significantly amplified the threat—a link between the car’s navigation and air suspension systems. This resulted in the height of the car changing unexpectedly while moving because the suspension system “thought” it was driving through various locations during the test, either on smooth roadways, when the car was lowered for greater aerodynamics, or “off-road” streets, which would activate the car elevating its undercarriage to avoid any obstacles on the road.
Yoav Zangvil, Regulus Cyber CTO and co-founder, explains that GNSS spoofing is a growing threat to ADAS and autonomous vehicles. “Until now, awareness of cybersecurity issues with GNSS and sensors has been limited in the automotive industry. But as dependency on GNSS is on the rise, there’s a real need to bridge the gap between its tremendous inherent benefits and its potential hazards. It’s crucial today for the automotive industry to adopt a proactive approach towards cybersecurity.”
The Regulus Cyber testing is designed to assess the impact of spoofing with low-cost, open source hardware and software, the same kind of technology that is accessible to anyone via e-commerce websites and open source projects on GitHub. Taking control of Tesla’s GPS with off-the-shelf tools took less than one minute.
The researchers were able to remotely affect various aspects of the driving experience, including navigation, mapping, power calculations, and the suspension system. Under attack, the GNSS system displayed incorrect positions on the maps, making it impossible to plot an accurate route to the destination.
Tesla’s response on Model S
Prior to the Model 3 road test, Regulus Cyber provided its Model S research results to the Tesla Vulnerability Reporting Team, which responded with the following points at that time:
Any product or service that uses the public GPS broadcast system can be affected by GPS spoofing, which is why this kind of attack is considered a federal crime. Even though this research doesn’t demonstrate any Tesla-specific vulnerabilities, that hasn’t stopped us from taking steps to introduce safeguards in the future which we believe will make our products more secure against these kinds of attacks.
The effect of GPS spoofing on Tesla cars is minimal and does not pose a safety risk, given that it would at most slightly raise or lower the vehicle’s air suspension system, which is not unsafe to do during regular driving or potentially route a driver to an incorrect location during manual driving.
While these researchers did not test the effects of GPS spoofing when Autopilot or Navigate on Autopilot was in use, we know that drivers using those features must still be responsible for the car at all times and can easily override Autopilot and Navigate on Autopilot at any time by using the steering wheel or brakes, and should always be prepared to do so.
“This is a distressing answer by a car manufacturer that is the self-proclaimed leader in the autonomous vehicle race,” Zangvil commented. “As drivers and safety/security experts, we’re not comforted by vague hints towards future safeguards and statements that dismiss the threats of GPS attacks.”
He offers the following counterpoints in response:
Attacks against any GPS system are indeed considered a crime because their effects are dangerous, as we’ve shown, yet the same devices we used to simulate the attacks are legally accessible to any person, online via e-commerce sites.
Taking steps to “introduce safeguards for the future” indicates that spoofing is, in fact, a major issue for Tesla, which relies heavily on GNSS.
In the case of cars, a spoofing attack is confusing in the best case, and a threat to safety in more severe scenarios.
The more GPS data is leveraged in automated driver assistance systems, the stronger and more unpredictable the effects of spoofing become.
The fact that spoofing causes unforeseen results like unintentional acceleration and deceleration, as we’ve shown, clearly demonstrates that GNSS spoofing raises a safety issue that must be addressed.
In addition, the spoofing attack made the car engage in a physical maneuver off the road, providing a dire glimpse into the troubled future of autonomous cars that would have to rely on unsecure GNSS for navigation and decision-making.
Given that the trust of the public still has to be earned as the automotive industry moves towards autonomy, the leading players are accountable for a responsible deployment of new technology.
As Tesla clearly stated, drivers are responsible for overriding autopilot under a spoofing attack, so it appears its autopilot system can’t be trusted to function safely under a spoofing attack.
Because every GNSS/GPS broadcast system can be affected by GNSS/GPS spoofing, the issue is everyone’s problem and shouldn’t be ignored; furthermore, governments and regulators that have a mandate to protect the public’s safety must engage in proactive measures to ensure only safe GNSS receivers are used in cars.
“According to Tesla, they’ll soon be releasing completely autonomous cars utilizing GNSS, which means that, in theory, an attacker could remotely control the car’s route planning and navigation,” Zangvil said. “We’re obligated to ask what steps they’re taking to address this threat, and whether new safeguards will be implemented in its next generation of entirely autonomous cars.”
Although Regulus Cyber researchers tested only the Model S and Model 3, they concluded that the “disturbing vulnerability” of Tesla’s GNSS system is most likely company-wide, as the same chipsets are used across the Tesla fleet.
“Just a few months ago we saw that during a spoofing incident in a car show in Geneva, seven different car manufacturers complained that their cars were being spoofed. This incident proves that many other automotive companies that are working on the next generation of autonomous cars are also vulnerable to these attacks. As an industry, to win public trust and succeed, every car manufacturer should be proactive and prepare against these threats,” Zangvil said.
In a technical report titled GPS Vulnerability released Sept. 15, the Alliance for Telecommunications Industry Standards (ATIS) renewed its call for an eLoran system to support telecom and other critical infrastructure in the United States.
As part of its “Recommendations to Assure Time for Telecom” the report says:
“An eLoran system (or equivalent) should be developed and implemented in the U.S. to provide a near-term alternative to GPS for the telecom system and other critical infrastructure. The physical and cyber security of eLoran transmission stations should be a consideration in their operation.”
ATIS termed its report “a major resource to help better understand and address a formidable telecommunications industry challenge: the vulnerabilities in the Global Positioning System (GPS).”
Requirements for precise time delivery have driven the industry toward the increased use of GPS and GPS-dependent technologies, it says. Yet this dependency has left the industry vulnerable to disruptions and manipulations of the GPS signal.
GPS Vulnerability (ATIS-0900005) provides insight into the sources of the most common problems with GPS and their impacts. The report also covers several mature proposed solutions that would satisfy telecommunications sector timing requirements.
“GPS disruptions have economic, financial and service impacts to carrier network operators, suppliers, cellular services as well as adjacent industries and government agencies that depend on a functioning wireless communications sector,” said ATIS President and CEO Susan Miller. “We believe that our report on this topic will contribute to solutions to help secure the delivery of time — a function critical to many sectors in our economy.”
Known vulnerabilities in delivering GPS time to a system include environmental phenomena, malicious interference and spoofing, incidental interference, adjacent band interference, poor antenna installations and rare but present GPS segment errors.
GPS Vulnerability discusses techniques to address these vulnerabilities as well as alternatives to GPS timing, with the goal of mitigating GPS vulnerabilities for the timing receivers used in the critical infrastructure.
Alternatives covered in the report include Navigational Message Authentication on modernized GPS civil signals, atomic clock time holdover, sync over fiber, eLoran, WWVB, terrestrial beacons and more.
Putin shows taste for spoofing
For several days in June, more than 20 ships reported problems with GPS reception in the Black Sea (see Expert Opinion column, August GPS World). Experts concluded the problems were probably the result of a spoofing attack in the area.
Norwegian journalist Henrik Lied of NRKbeta compared this with accounts of similar episodes near the Kremlin complex in Moscow, where tourists have reported their smartphones showing them at an airport outside the city.
Lied interviewed University of Texas professor Todd Humphreys about his theory that this is an effort to keep drones from flying in the area: “Several of us [researchers in GNSS] have concluded the Kremlin spoofing was likely trying to trigger UAV geo-fencing, which prevents UAVs from flying near airports,” Humphreys said.
A Moscow correspondent for the Norwegian Broadcasting Company reports that these GPS problems only tend to occur when President Vladimir Putin is in town.
Several of the ships spoofed in the Black Sea were sailing in the vicinity of the Russian premier’s Black Sea vacation home. Putin was actually in the area when the incidents occurred. This may indicate that Russian authorities are spoofing wherever the Russian president is located.
Humphreys said, “It’s long been assumed that Russia, China and other nations (including the U.S.) have the technology to carry out a spoofing attack. What’s surprising is Russia’s willingness to use it openly and somewhat indiscriminately. It does fit nicely into what has been called Russian disinformation technology.”