
50 SHADES OF GPS HACKING - THE FORGOTTEN SIDE OF NAVIGATION CYBERSECURITY


In the last few years, stories and anecdotes about GPS attacks have been appearing in the news and other media. Once seen as a friendly feature that helps people navigate to a destination, GPS (one of the four global GNSS constellations, alongside GLONASS, Galileo and BeiDou) has turned out to be a building block of many technologies we rely on today, embedded in autonomous vehicles, financial infrastructure, telecommunications and more.

An example of a mock location app running on Android

GNSS receivers' central role in so many systems makes them an attractive target, and the wide variety of receivers in the field, most of which were never designed to verify the signals they track, means the same attack works against many of them. GNSS vulnerability stems from two main sources. First, the signals are transmitted from satellites roughly 20,000 km away, and by the time they reach a receiver on the ground they are extremely weak (around -130 dBm, below the receiver's own noise floor), so a transmitter a few metres away can drown them out with a counterfeit signal that is only slightly stronger. Second, the civil GNSS signals are open for public use: their spreading codes, modulation and navigation message formats are published in the interface specifications and carry no authentication, so anyone can generate a bit-exact copy. On top of these two structural weaknesses, the last few years have brought cheap software-defined radios and open-source signal generators, so creating and transmitting fake GNSS signals no longer requires specialised equipment. Taken together, these conditions make hacking a GNSS receiver quite achievable.

Knowing that GNSS attacks are feasible is only the starting point; to protect receivers from them we need to understand the different kinds of attack, what each aims to disrupt and what techniques it uses. A jamming attack floods the band with noise so that the receiver can no longer pick the weak GNSS signal out of it; the result is the loss of all GNSS information, which is easy to notice but impossible to work around without an alternative source of position and time. A meaconing (replay) attack records genuine GNSS signals and re-radiates them, usually from a different place and with a delay, so that the victim computes a false position and time; because the re-radiated signals are real ones, checks on signal structure alone cannot tell them apart from the originals.

The third kind of attack, and the most comprehensive one, is spoofing: a counterfeit signal is broadcast to make GNSS receivers compute whatever position and time the attacker chooses. Spoofing can be carried out at various levels of complexity, which determines the equipment needed, how hard the attack is to detect, and what the attacker can ultimately achieve.

A typical spoofing setup involves a laptop with free spoofing software and an SDR.

A simplistic spoofing attack is executed with commercial off-the-shelf components: a laptop, a software-defined radio and a freely available signal generator. To work, the transmitting antenna has to be relatively close to the victim's receiving antenna. The attack is easy to detect because the fake signals are not synchronised with the true ones: when the receiver locks onto them, its reported position and time jump abruptly, and the signal power is often implausibly high. An intermediate spoofing attack first generates fake signals that reproduce the receiver's current position and time, then gradually drags them toward the position and/or time the attacker wants. The software is more sophisticated than in the simplistic case, but the added complexity pays off, since a slow drift looks like normal motion and is much harder to detect. Finally, a sophisticated spoofing attack is an enhancement of the intermediate one, using the same components and tools toward the same goal. The difference is that it uses real-time ephemeris data and aligns the timing and carrier phase of the fake signal with the authentic one, so the takeover causes no discontinuity the receiver could notice, making it almost impossible to detect.

An autonomous vehicle sensor fusion system unable to detect an incoming fake GPS signal generated by a nearby SDR

Although GNSS receivers are vulnerable and there are many ways to attack them, most receivers are still manufactured without any built-in anti-spoofing capability. Even within the anti-spoofing field, solutions differ according to which signal features they rely on, which kind of attack they address, and what they aim to achieve. For instance, a solution can aim either to detect spoofing in real time (and alert the user that the signal is not trustworthy) or to mitigate it, by rejecting the false signal and providing another reliable source of position and time.

Today, most GNSS security solutions focus solely on detection. They run consistency checks for irregularities that indicate an attack: position, timing, signal power and other observables are compared against what the receiver's own dynamics and hardware could plausibly produce. A sudden jump in position, a clock bias drifting faster than the receiver's oscillator allows, or a carrier-to-noise density higher than any satellite can deliver are all signs of a counterfeit signal. Signal Quality Monitoring (SQM) detects spoofing at the tracking level by examining the correlation function between the received signal and the receiver's local code replica: a single authentic signal produces a symmetric correlation peak, while a spoofed signal overlaid on the real one distorts or skews it. In other cases, detection cross-references GNSS information with other sensors or systems, such as an Inertial Navigation System (INS) or a communication system, and sometimes uses that information to mitigate the spoofed signal as well.
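The consistency checks described above, run over constructed receiver traces for the three attack levels from the earlier paragraph, as an added example (this is illustrative code written for this article, not Regulus Cyber's or any receiver vendor's implementation). The epoch layout, the thresholds and the sample data are assumptions chosen for a ground vehicle with a TCXO-class oscillator; real receivers expose different observables and need tuned limits.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One receiver epoch: fix, clock bias, per-satellite C/N0 and the early/prompt/late
# correlator magnitudes of one tracking channel. Fields and data are constructed.
@dataclass
class Epoch:
    t: float                           # receiver time, s
    lat: float                         # degrees
    lon: float                         # degrees
    clock_bias: float                  # receiver clock bias, metres
    cn0: List[float]                   # C/N0 per tracked satellite, dB-Hz
    corr: Tuple[float, float, float]   # (early, prompt, late), 0.5-chip spacing

# Thresholds are assumptions for a ground vehicle with a TCXO-class oscillator.
MAX_SPEED_MPS = 60.0          # anything faster is not this platform moving
MAX_CLOCK_DRIFT_MPS = 3.0     # ~1e-8 s/s; a pulled clock drifts far faster
CN0_MAX_DBHZ = 50.0           # satellites rarely deliver more than this
CN0_MIN_SPREAD_DBHZ = 2.0     # real satellites sit at different elevations
SQM_LIMIT = 0.15              # tolerated asymmetry / distortion of the peak
EARTH_R = 6371000.0

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_R * math.asin(math.sqrt(a))

def check_position(prev: Epoch, cur: Epoch) -> Optional[str]:
    """Implied speed between consecutive fixes must be physically plausible."""
    dt = cur.t - prev.t
    if dt <= 0:
        return None
    speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
    return f"implied speed {speed:.0f} m/s" if speed > MAX_SPEED_MPS else None

def check_clock(prev: Epoch, cur: Epoch) -> Optional[str]:
    """Clock bias may only drift as fast as the local oscillator allows."""
    dt = cur.t - prev.t
    if dt <= 0:
        return None
    drift = (cur.clock_bias - prev.clock_bias) / dt
    return f"clock drift {drift:.1f} m/s" if abs(drift) > MAX_CLOCK_DRIFT_MPS else None

def check_power(cur: Epoch) -> Optional[str]:
    """Too-strong or implausibly uniform C/N0 points to one nearby transmitter."""
    if not cur.cn0:
        return None
    if max(cur.cn0) > CN0_MAX_DBHZ:
        return f"C/N0 {max(cur.cn0):.0f} dB-Hz above satellite levels"
    if len(cur.cn0) >= 4 and max(cur.cn0) - min(cur.cn0) < CN0_MIN_SPREAD_DBHZ:
        return "C/N0 identical across satellites"
    return None

def check_sqm(cur: Epoch) -> Optional[str]:
    """SQM: with 0.5-chip spacing a clean triangular peak gives E = L = P/2, so
    delta (E-L)/P ~ 0 and ratio (E+L)/(2P) ~ 0.5; an overlaid fake skews both."""
    e, p, l = cur.corr
    if p <= 0:
        return None
    delta, ratio = (e - l) / p, (e + l) / (2 * p)
    if abs(delta) > SQM_LIMIT or abs(ratio - 0.5) > SQM_LIMIT:
        return f"correlator asymmetry delta={delta:.2f} ratio={ratio:.2f}"
    return None

def flagged_checks(epochs: List[Epoch]) -> Dict[int, Set[str]]:
    """Run every check over a trace; map epoch index -> names of failed checks."""
    result: Dict[int, Set[str]] = {}
    for i, cur in enumerate(epochs):
        names: Set[str] = set()
        if i > 0:
            if check_position(epochs[i - 1], cur):
                names.add("position")
            if check_clock(epochs[i - 1], cur):
                names.add("clock")
        if check_power(cur):
            names.add("power")
        if check_sqm(cur):
            names.add("sqm")
        if names:
            result[i] = names
    return result

# Constructed traces (not real captures): a vehicle moving ~10 m/s north.
REAL_CN0 = [44.0, 41.0, 38.0, 47.0, 39.0]
SIMPLISTIC = [
    Epoch(0.0, 32.79400, 34.98900, 100.0, REAL_CN0, (0.5, 1.0, 0.5)),
    Epoch(1.0, 32.79409, 34.98900, 100.2, REAL_CN0, (0.5, 1.0, 0.5)),
    Epoch(2.0, 32.79418, 34.98900, 100.4, REAL_CN0, (0.5, 1.0, 0.5)),
    # unsynchronised fake takes over: position and clock jump, every "satellite"
    # arrives at the same strong level, and the correlation peak is skewed
    Epoch(3.0, 32.80418, 34.98900, 300.0, [52.0, 52.0, 51.0, 52.0, 52.0], (0.9, 1.0, 0.2)),
]
INTERMEDIATE = [  # fake already matches position; attacker pulls time at 10 m/s
    Epoch(0.0, 32.79400, 34.98900, 100.0, [45.0, 43.0, 42.0, 46.0, 44.0], (0.55, 1.0, 0.45)),
    Epoch(1.0, 32.79409, 34.98900, 110.0, [45.0, 43.0, 42.0, 46.0, 44.0], (0.55, 1.0, 0.45)),
    Epoch(2.0, 32.79418, 34.98900, 120.0, [45.0, 43.0, 42.0, 46.0, 44.0], (0.55, 1.0, 0.45)),
]
SOPHISTICATED = [  # time- and phase-aligned fake: nothing above is out of the ordinary
    Epoch(0.0, 32.79400, 34.98900, 100.0, REAL_CN0, (0.5, 1.0, 0.5)),
    Epoch(1.0, 32.79409, 34.98900, 100.2, REAL_CN0, (0.5, 1.0, 0.5)),
    Epoch(2.0, 32.79418, 34.98900, 100.4, REAL_CN0, (0.5, 1.0, 0.5)),
]

if __name__ == "__main__":
    for name, trace in (("simplistic", SIMPLISTIC), ("intermediate", INTERMEDIATE),
                        ("sophisticated", SOPHISTICATED)):
        print(name, flagged_checks(trace))
```

The three traces reproduce the progression in the text: the simplistic takeover trips every check at once, the intermediate one passes the position and signal checks and is caught only because the attacker pulls the clock faster than the oscillator could drift, and the aligned sophisticated trace passes all of them, which is why receiver-only consistency checks need to be backed by an independent sensor or by cryptographic authentication of the signal.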

Real-time detection of an incoming replay spoofing attack

More sophisticated detection solutions add cryptography to the true GNSS signal so that a receiver can distinguish it from a false one. The first step was a secret code embedded in the signal, but this alone did not hold up against meaconing, intermediate spoofing or sophisticated spoofing: a replayed authentic signal carries the genuine code, and a spoofer tracking the live signal can estimate it and re-transmit it. The next steps were to authenticate or encrypt the complete navigation message, to encrypt the spreading code used for ranging, and finally to encrypt the spreading codes entirely, as the GPS P(Y) code and the Galileo PRS signal do. Each level is harder to build and requires more intricate hardware, but provides better detection against all forms of spoofing attack.
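To make the meaconing limitation concrete, here is an added example of navigation message authentication at the "authenticate the complete navigation message" level; it is illustrative code written for this article, not the scheme used by any real constellation. It assumes a shared secret key and a truncated HMAC-SHA256 tag (real designs such as Galileo OSNMA use delayed key disclosure so that receivers hold only public material, and far shorter tags to fit the data rate); the message layout, field values and key are all constructed.

```python
import hmac
import hashlib
import struct

# Constructed layout of one authenticated navigation message:
#   time of week (uint32 s) | PRN (uint8) | sqrt(A) (float64) | eccentricity (float64)
# followed by an 80-bit tag. Real messages carry many more fields; this is an assumption.
BODY_FMT = ">IBdd"
TAG_LEN = 10
KEY = b"constructed shared key, not a real one"   # assumption: pre-shared secret

def build_message(key: bytes, tow: int, prn: int, sqrt_a: float, ecc: float) -> bytes:
    """Transmitter side: body plus truncated HMAC-SHA256 computed over the body."""
    body = struct.pack(BODY_FMT, tow, prn, sqrt_a, ecc)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def tag_valid(key: bytes, msg: bytes) -> bool:
    """Does the tag match the body? Constant-time compare to avoid a timing oracle."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)

def classify(key: bytes, msg: bytes, receiver_tow: int, max_age_s: int = 2) -> str:
    """Receiver side: 'forged' (bad tag), 'stale' (valid tag, wrong time) or 'authentic'.

    receiver_tow must come from a clock the attacker does not control, e.g. the
    receiver's own oscillator disciplined before the attack began; if the
    receiver takes its time from the signal under test, the freshness check is moot.
    """
    if len(msg) != struct.calcsize(BODY_FMT) + TAG_LEN or not tag_valid(key, msg):
        return "forged"
    tow = struct.unpack(BODY_FMT, msg[:-TAG_LEN])[0]
    age = receiver_tow - tow
    if age < 0 or age > max_age_s:
        return "stale"
    return "authentic"

# Genuine message for PRN 7 at TOW 100000 (ephemeris values constructed).
AUTHENTIC = build_message(KEY, 100000, 7, 5153.7, 0.0123)

# Spoofer without the key rewrites the time of week and keeps the old tag.
FORGED = struct.pack(">I", 100200) + AUTHENTIC[4:]

# Spoofer signs a perfectly well-formed message with a key of its own.
SELF_SIGNED = build_message(b"attacker key", 100000, 7, 5153.7, 0.0123)

if __name__ == "__main__":
    print(classify(KEY, AUTHENTIC, receiver_tow=100001))    # authentic
    print(classify(KEY, FORGED, receiver_tow=100001))       # forged
    print(classify(KEY, SELF_SIGNED, receiver_tow=100001))  # forged
    # Meaconing: the very same authentic bits re-radiated 30 s later. The tag
    # still verifies; only the freshness check against an independent clock catches it.
    print(tag_valid(KEY, AUTHENTIC), classify(KEY, AUTHENTIC, receiver_tow=100030))
```

The forged and self-signed messages fail on the tag alone, but the meaconed message is bit-for-bit genuine and passes `tag_valid`; it is rejected only because its time of week disagrees with a clock the attacker does not control, and a meaconer whose delay fits inside `max_age_s` still gets through. A spoofer who tracks the live signal can also estimate the tag bits as they arrive and forward them in real time, which is why the next levels in the text move authentication down into the spreading code itself, where the symbols are spread below the noise floor and cannot be read off and re-transmitted in time.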

The Pyramid GNSS, Regulus Cyber's anti-spoofing solution, is the first ever software-based solution that both detects and mitigates spoofing attacks. The Pyramid GNSS detects an attack, alerts the user in real time, blocks the fake signal so that connected systems are not affected by it, and provides alternative PNT while the attack is ongoing. Affordable and easy to install, the Pyramid GNSS combines the best of these protective features in order to defend GNSS receivers against a variety of spoofing attacks.

Regulus' Pyramid GNSS filtering fake signals (red) from authentic signals (green), mitigating the attack