The Lost Beast
On December 4th 2011 a stealth Unmanned Aerial Vehicle (UAV) on patrol near the Iran-Afghanistan border went dark. Days later, Iranian state television released video of the RQ-170 Sentinel drone, seemingly undamaged and in the possession of Iran's Revolutionary Guard. Nicknamed the "Beast of Kandahar" after it was spotted on an airport runway in Kandahar, Afghanistan, the drone had been used to monitor Osama bin Laden's compound before the raid.
According to an Iranian engineer, an electronic warfare team first jammed the drone's command link and then used GPS spoofing, a technique the world has rarely seen in practice, to trick it into landing at Kashmar in Iran rather than at its home base in Afghanistan.
GPS spoofing is an attack that attempts to take control of a target GPS receiver by forcing it to lose lock on the genuine satellite signals and instead treat the attacker's counterfeit signal as legitimate. Because genuine GPS signals reach the receiver at very low power (on the order of -130 dBm), this usually just means transmitting a somewhat stronger counterfeit signal from nearby so that it overpowers the ambient satellite signals.
Humphreys et al. (2008) classify GPS spoofing attacks into three categories of increasing complexity and cost; the summary below supplements that classification with more recent work.
Simplistic Attack
The simplest attack is also the cheapest. An attacker connects a GPS signal simulator to a power amplifier and an antenna and broadcasts synthetic GPS signals. Alternatively, a record-and-replay device (meaconing) captures genuine signal, delays it, and retransmits it, which lengthens the victim's apparent distance to each satellite.
The principal advantage and drawback of this category is its simplicity, which makes it easy to perform but also easy to detect. GPS signal simulators and record-and-replay devices are commercially available, cost anywhere from $4k to $400k, and do most of the work for you, but they are bulky pieces of equipment that stand out like a sore thumb.
Because these devices are not synchronized with the live constellation, their signal cannot be slipped in underneath the genuine one. The only attack modes available are jamming, forcing the victim to lose lock and reacquire on the simulator's signal, and altering the receiver's time and position estimates by replaying delayed signal. Each of these produces an abrupt change in what the receiver observes, which is exactly what gives the attack away.
Intermediate Attack
All intermediate attacks use a device that both receives and spoofs signal, the simplest being an RX antenna, an amplifier, and a TX antenna. Because such a receiver-spoofer tracks the live satellite signals, its counterfeit signals can be synchronized with them in code phase and timing; the victim can then be walked off the genuine signal gradually, without the loss of lock or sudden jump that betrays a simulator. The devices are also inconspicuously small.
Humphreys' (2008) device can even match the phase (<10 ns), power, and noise density of the ambient signal, and with modification can perform security code estimation, that is, estimate on the fly the unpredictable bits of a signal that carries a cryptographic security code so that even an authenticated signal can be counterfeited with only a small delay.
Intermediate attack devices are not commercially available, so these attacks carry high overhead and a GPS user is unlikely to encounter one. But without angle-of-arrival discrimination or other additional hardware, receivers are defenseless against them: a well-aligned receiver-spoofer produces none of the discontinuities that software checks rely on.
Sophisticated Attack
The most advanced attack requires several intermediate attack devices, all phase-locked to one another, each positioned to feed one of the target receiver's antennas so that the spoofed signals arrive from the directions the receiver expects. This thwarts or mitigates all known defenses except cryptography, but it is far rarer, costlier, and more complex than an intermediate attack.
Todd Humphreys and His Blue Box
Thirty miles off the coast of Italy in June 2013, a 213-foot, $80 million private yacht called "The White Rose of Drachs" appeared on its navigation displays to be drifting a few degrees to port. The captain made a correction to steer back on course, but in reality sent the ship off course to starboard.
Todd Humphreys and his UT Austin team, on the upper deck of the yacht, had carried out a GPS spoofing demonstration without triggering any onboard alarms, using only a laptop and a blue box the size of a briefcase. The previous year another team under Humphreys had spoofed a commercial UAV while dismayed FAA and DHS officials looked on.
The ease and increasing frequency of such attacks and demonstrations add urgency to the need for effective defenses. While simple attacks can be deterred with small software changes, complex attacks will require long-term structural changes. Some of the most promising options are presented below.
Observables
The easiest defense against simple attacks is to modify the receiver software to discriminate between legitimate and spoofed signal using quantities the receiver already measures: a sudden jump in received signal power (C/N0), a loss of lock on every channel followed by reacquisition, a discontinuity in pseudorange, carrier phase, clock bias, or computed position, or a velocity the platform cannot physically have. Any of these betrays a signal simulator or record-and-replay device, which cannot avoid an abrupt handover from the genuine constellation. The caveat is that a receiver-spoofer aligned with the live signal produces none of these discontinuities, so observables alone are a defense against the simplistic category only.
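The following is an added example of such an observables check, not code from the page or from the UT Austin lab. It models a receiver's per-epoch outputs as dicts and flags the discontinuities a simulator or replay device produces when it forces the receiver off the live constellation; the field names, thresholds and the sample track are assumptions made for illustration.

```python
"""Observables check against a simplistic (simulator or replay) GPS spoofer.

Added example, not code from the page or from the UT Austin lab. A receiver's
per-epoch outputs are modelled as dicts and the checks flag the discontinuities
a signal simulator or record-and-replay device causes when it forces the
receiver off the live constellation and onto the counterfeit signal. Field
names, thresholds and the sample track are assumptions for illustration.
"""
import math

# Thresholds: assumed for illustration, tune per receiver and platform.
MAX_SPEED_MPS = 60.0        # a ship or car never moves this fast
MAX_CN0_JUMP_DB = 6.0       # mean C/N0 drifts, it does not jump by this much
MAX_CLOCK_JUMP_NS = 1000.0  # receiver clock bias drifts, it does not jump


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def check_epochs(epochs):
    """Return (time, reason) alerts for a time-ordered list of receiver epochs.

    Each epoch is a dict with keys t (s), n_sats (satellites tracked) and,
    when n_sats > 0, lat, lon (degrees), cn0 (mean C/N0, dB-Hz) and
    clock_bias_ns (receiver clock bias estimate).
    """
    alerts = []
    prev, last_fix = None, None
    for cur in epochs:
        # 1. Total loss of lock followed by reacquisition: a simulator has to
        #    jam the genuine signal before the receiver will take its own.
        if prev is not None and prev["n_sats"] == 0 and cur["n_sats"] > 0:
            alerts.append((cur["t"], "reacquisition after total loss of lock"))
        if cur["n_sats"] > 0 and last_fix is not None:
            dt = cur["t"] - last_fix["t"]
            # 2. The counterfeit signal must overpower the genuine one.
            if cur["cn0"] - last_fix["cn0"] > MAX_CN0_JUMP_DB:
                alerts.append((cur["t"], "C/N0 jump"))
            # 3. The new fix must be physically reachable since the last one.
            dist = haversine_m(last_fix["lat"], last_fix["lon"], cur["lat"], cur["lon"])
            if dt > 0 and dist / dt > MAX_SPEED_MPS:
                alerts.append((cur["t"], "implausible velocity"))
            # 4. An unsynchronised simulator drags the receiver clock with it.
            if abs(cur["clock_bias_ns"] - last_fix["clock_bias_ns"]) > MAX_CLOCK_JUMP_NS:
                alerts.append((cur["t"], "clock bias jump"))
        if cur["n_sats"] > 0:
            last_fix = cur
        prev = cur
    return alerts


# Constructed track: a vessel heading north at about 5 m/s, then two seconds
# of jamming, then a fix 1.1 km away carried by a stronger, unsynchronised
# simulator signal.
def fix(t, lat, cn0, clock_ns, n_sats=9):
    return {"t": t, "lat": lat, "lon": 12.0, "cn0": cn0,
            "clock_bias_ns": clock_ns, "n_sats": n_sats}

SAMPLE_EPOCHS = [
    fix(0, 41.000000, 42.0, 100),
    fix(1, 41.000045, 42.3, 110),
    fix(2, 41.000090, 41.8, 121),
    fix(3, 41.000135, 42.1, 131),
    fix(4, 41.000180, 42.4, 142),
    {"t": 5, "n_sats": 0},
    {"t": 6, "n_sats": 0},
    fix(7, 41.010180, 52.0, 6000),
]

if __name__ == "__main__":
    for t, reason in check_epochs(SAMPLE_EPOCHS):
        print(f"t={t}s: {reason}")
```

On the constructed track the first five epochs raise nothing, and the epoch after the jamming gap trips all four checks at once. Note that every check compares against the last good fix rather than the immediately preceding epoch, so a jump hidden behind a jamming gap is still measured over the whole gap; an aligned receiver-spoofer, which needs no gap and no power jump, would pass all four.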
NMA with SCER defense
The most promising infrastructure defense is to modify the signal structure so that digital signatures are interleaved within the navigation data stream to authenticate its origin. Humphreys et al. (2014) present a model for navigation message authentication (NMA) that combines elliptic curve cryptography with TESLA (Timed Efficient Stream Loss-tolerant Authentication), a broadcast authentication scheme relatively untested in this setting: each navigation message carries a MAC under a key the satellite does not disclose until a later interval, the disclosed keys are links of a one-way hash chain anchored to a signed commitment, and a receiver accepts a message only if it arrived before its key was disclosed. Because the MAC bits are unpredictable until then, a spoofer cannot fabricate them in advance and must instead estimate them from the live signal and replay them, which is the security code estimation and replay (SCER) attack; the model also shows how the delay and errors that such estimation introduces can be detected, which guards against most kinds of attacks.
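An added example of the delayed-key-disclosure mechanism, not code from the page or from the UT Austin Radionavigation Lab, and a simplification of the real proposal: the hash chain's root commitment is assumed to have reached the receiver authentically (the real scheme would sign it with elliptic curve cryptography), intervals are integers, and an 8-byte HMAC-SHA256 tag stands in for whatever MAC a navigation message could carry. The class and function names are this example's own.

```python
"""TESLA-style navigation message authentication, as an added example.

Not code from the page or from the UT Austin Radionavigation Lab. The hash
chain's root commitment is assumed to have reached the receiver authentically
(the real scheme would sign it with elliptic curve cryptography), intervals
are integers, and an 8-byte HMAC-SHA256 tag stands in for the MAC a navigation
message could carry. All names are this example's own.
"""
import hashlib
import hmac
import os

DISCLOSURE_DELAY = 1  # the key for interval i is broadcast during interval i + 1


def make_key_chain(length, seed=None):
    """Return [K_0, ..., K_length] where K_{i-1} = SHA256(K_i); K_0 is the commitment."""
    chain = [seed if seed is not None else os.urandom(32)]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    chain.reverse()  # now chain[i] hashes to chain[i - 1]
    return chain


def tag(key, interval, nav_bits):
    """MAC over the interval number and the navigation bits, truncated to 8 bytes."""
    msg = interval.to_bytes(4, "big") + nav_bits
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Sender:
    """The satellite (or ground segment): MACs with keys it has not yet disclosed."""

    def __init__(self, chain):
        self.chain = chain

    def broadcast(self, interval, nav_bits):
        return (interval, nav_bits, tag(self.chain[interval], interval, nav_bits))

    def disclose(self, interval):
        """Key released during `interval`: the one used DISCLOSURE_DELAY intervals ago."""
        i = interval - DISCLOSURE_DELAY
        return (i, self.chain[i])


class Receiver:
    def __init__(self, commitment):
        self.verified = {0: commitment}  # index -> key proven to lie on the chain
        self.last_index = 0
        self.pending = {}                # interval -> (nav_bits, mac), awaiting a key
        self.accepted = {}               # interval -> authenticated nav_bits

    def receive(self, msg, now):
        """Buffer a message; reject it if its key could already be public."""
        interval, nav_bits, mac = msg
        if now >= interval + DISCLOSURE_DELAY:
            return False  # a spoofer may have learned K_interval by now
        self.pending[interval] = (nav_bits, mac)
        return True

    def receive_key(self, index, key):
        """Verify a disclosed key against the chain, then check the buffered MAC."""
        if index <= self.last_index:
            return False
        probe = key
        for _ in range(index - self.last_index):
            probe = hashlib.sha256(probe).digest()
        if probe != self.verified[self.last_index]:
            return False  # not on the committed chain: a forged key
        self.verified[index] = key
        self.last_index = index
        buffered = self.pending.pop(index, None)
        if buffered is not None and hmac.compare_digest(tag(key, index, buffered[0]), buffered[1]):
            self.accepted[index] = buffered[0]
        return True


def demo():
    """Genuine message accepted; forged MAC rejected; late forgery rejected by timing."""
    chain = make_key_chain(8, seed=b"\x01" * 32)  # fixed seed so the run is reproducible
    sender, rx = Sender(chain), Receiver(commitment=chain[0])
    results = {}
    # Interval 1: genuine message arrives in time, its key arrives in interval 2.
    rx.receive(sender.broadcast(1, b"ephemeris-1"), now=1)
    rx.receive_key(*sender.disclose(2))
    results["genuine_accepted"] = rx.accepted.get(1) == b"ephemeris-1"
    # Interval 2: a spoofer substitutes nav bits but cannot compute the MAC.
    rx.receive((2, b"ephemeris-2-bogus", bytes(8)), now=2)
    rx.receive_key(*sender.disclose(3))
    results["forged_mac_rejected"] = 2 not in rx.accepted
    # The spoofer waits for K_3 to be disclosed in interval 4 and then MACs
    # a bogus interval-3 message correctly; the timing check rejects it.
    _, k3 = sender.disclose(4)
    late = (3, b"ephemeris-3-bogus", tag(k3, 3, b"ephemeris-3-bogus"))
    results["late_forgery_rejected"] = not rx.receive(late, now=4)
    return results


if __name__ == "__main__":
    print(demo())
```

The timing check in `receive` is what makes the scheme work: a receiver needs only loose synchronisation with the sender (it must know which interval it is in), and any message that arrives after its key could have been disclosed is discarded regardless of whether its MAC verifies. This is also where the SCER attacker lives: it cannot forge the tag in advance, so its only option is to estimate the tag bits from the live signal and retransmit them within the same interval, and the delay that costs is the detectable quantity.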
Known Receiver Formation
A costly but very effective option is to mount several receivers in a known, fixed formation. The receivers exchange their individual GPS fixes and check that the distances between the computed positions still match the surveyed formation; a single spoofer broadcasts one set of counterfeit signals, so every receiver in its footprint reports nearly the same false position and the formation collapses. If one or more receivers can be made mobile, this protects against everything but multi-antenna nulling attacks of the sophisticated category. It requires no change to the GPS infrastructure and is conceptually simple for technical end-users, but the extra antennas, receivers, and survey work make it impractical for nontechnical end-users.
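An added example of the formation check, not code from the page or from the UT Austin lab. The WGS84 constants are the standard ones; the three-antenna formation, the fixes, and the tolerance are constructed for illustration.

```python
"""Known-receiver-formation check, as an added example.

Not code from the page or from the UT Austin lab. Several receivers are
mounted in a surveyed formation; because a single spoofer broadcasts one set
of counterfeit signals, every receiver in its footprint computes nearly the
same false position and the baselines between them collapse. The WGS84
constants are the standard ones; the formation, the fixes and the tolerance
are constructed for illustration.
"""
import itertools
import math

WGS84_A = 6378137.0            # semi-major axis, metres
WGS84_E2 = 6.69437999014e-3    # first eccentricity squared


def geodetic_to_ecef(lat_deg, lon_deg, h_m):
    """WGS84 latitude/longitude/height to Earth-centred Earth-fixed metres."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    n = WGS84_A / math.sqrt(1 - WGS84_E2 * math.sin(lat) ** 2)
    x = (n + h_m) * math.cos(lat) * math.cos(lon)
    y = (n + h_m) * math.cos(lat) * math.sin(lon)
    z = (n * (1 - WGS84_E2) + h_m) * math.sin(lat)
    return x, y, z


def baselines(fixes):
    """Straight-line distance in metres between every pair of receivers."""
    ecef = {name: geodetic_to_ecef(*fix) for name, fix in fixes.items()}
    return {(a, b): math.dist(ecef[a], ecef[b])
            for a, b in itertools.combinations(sorted(ecef), 2)}


def broken_baselines(fixes, expected, tolerance_m):
    """Pairs whose measured baseline departs from the survey by more than
    tolerance_m; an empty list means the formation is intact."""
    measured = baselines(fixes)
    return [pair for pair, length in expected.items()
            if abs(measured[pair] - length) > tolerance_m]


# Constructed survey: three antennas on a ship, one at the bow and two at the
# stern about 50 m aft and 10 m either side of the centreline.
SURVEY = {
    "bow":        (41.000450, 12.000000, 5.0),
    "stern_port": (41.000000, 11.999881, 5.0),
    "stern_stbd": (41.000000, 12.000119, 5.0),
}
EXPECTED = baselines(SURVEY)
TOLERANCE_M = 3.0   # a few metres of C/A-code position noise is normal

# The same ship about 1 km further north-east with genuine fixes: the
# formation moves as a rigid body, so the baselines are preserved.
GENUINE_FIXES = {name: (lat + 0.009, lon + 0.012, h)
                 for name, (lat, lon, h) in SURVEY.items()}

# Under a single spoofer all three receivers report the same false fix,
# differing only by metre-level noise.
SPOOFED_FIXES = {
    "bow":        (41.005000, 12.005000, 5.0),
    "stern_port": (41.005010, 12.005005, 5.0),
    "stern_stbd": (41.004990, 12.004995, 5.0),
}

if __name__ == "__main__":
    print("genuine:", broken_baselines(GENUINE_FIXES, EXPECTED, TOLERANCE_M))
    print("spoofed:", broken_baselines(SPOOFED_FIXES, EXPECTED, TOLERANCE_M))
```

The genuine set reports no broken baselines and the spoofed set reports all three. The tolerance must be set above the receivers' normal position scatter, and the check is only as good as the assumption that the attacker cannot feed each antenna a different signal; the phase-locked multi-device attack described above does exactly that, which is why the formation defense stops short of it.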
If possible, all three defenses should be implemented, but realistically only the first is likely to become widespread in the next decade. Ultimately any changes to GPS technology will be slow in developing, which may mean that only a very serious and successful attack will shock commercial and military manufacturers into adopting necessary spoofing defenses.
To learn more about current GPS spoofing studies, read the research of the UT Austin Radionavigation Lab.