Spoofing GPS is surprisingly easy; detecting it is surprisingly hard

GPS security is increasingly implicated in both physical and information security: from steering a super-yacht (or a super-tanker) into pirate-friendly waters to diverting self-driving cars or even unlocking geo-tagged tokens and AR game objectives.

GPS receivers compare timestamped signals from a constellation of satellites, inferring their position through calculations on the lightspeed lag from each signal. Faking the signal from these distant satellites with nearby spoofing stations isn't trivial, but it's not transcendentally hard, either -- and there's plenty of reason to suspect that it will get easier, thanks to faster, cheaper computers, carried by autonomous vehicles (both ground- and air-based).

Detecting a spoofed GPS signal is hard. The computational load associated with cryptographic signatures on the signal is high, and the inability to interact with the sending satellites makes it impossible to use a challenge-response protocol where the receiver generates a random number, signs it with the satellite's public key, sends it to the satellite and then gets it back from the satellite signed with the sat's private key, then sets up a one-time session key.

Other tactics for validating signals involve direction-detection (raising the bar on spoofers, who'd have to physically array their fake base-stations in spatially plausible locations -- think of a cluster of drones) and distortion-detection.

But both of these tactics have easily imagined countermeasures, and both are difficult/costly to implement.

The US military has an encrypted, hardened GPS system for its own use, but that is also potentially vulnerable, and in any event, they're not interested in sharing.

So in Psiaki’s detection scheme, the detector measured the carrier phase for the signals received. If the difference in carrier phase as measured between the detector’s two antennas varied widely from satellite to satellite, it knew the signals had arrived from multiple directions. But if the system detected little or no variance among carrier-phase differences, that meant it was picking up a set of signals coming from a single spoofer.

Early tests looked promising, but the detector was hindered by the off-line computing required to do the signal processing necessary to calculate the variance in carrier phase. The problem was that our original program was written in a programming language that couldn’t communicate in real time with the software used by GPS receivers. However, in April 2014, Humphreys’s team at UT Austin provided a crucial piece of the operational puzzle by demonstrating that a GPS software radio—in which such key components as mixers, filters, and modulator/demodulators are implemented with software rather than hardware—could enable the real-time use of Psiaki’s off-line code with only 6 seconds of delay. The software GPS radio essentially enabled real-time execution of the off-line code via scripting commands, thereby obviating the need for a laborious code translation into a real-time programming language.

At Schofield’s request, we tested this defense in June 2014 on the White Rose while the ship cruised around Italy. One spoofing attack orchestrated by Humphreys duped the ship into thinking it was on an absurd course to Libya, supposedly traveling at a speed above 900 knots (or about 1,000 miles per hour) in a straight line that crossed under Italy and Sicily at a depth of 23 kilometers (or 14 miles) below sea level!

Psiaki’s spoofing detector [pdf] alerted the bridge crew to the deception at the outset of the attack by measuring the carrier phase of seven GPS signals originating from satellites and the spoofer. Just as the attack began, the detector noticed that the variance it expected to see in authentic carrier-phase differences suddenly vanished. The spoofing drag-off to Libya started about 125 seconds into the attack, but Psiaki’s system picked up the attack within the first 6 seconds.

Protecting GPS From Spoofers Is Critical to the Future of Navigation

[Mark L. Psiaki and Todd E. Humphreys/IEEE Spectrum]

(Illustration: James Provost)

(via Dan Hon)