6 min read


Featured Image

What has become popularly known as GPS spoofing is becoming easier and easier for hackers. The risk of fraud and serious accidents is increasing. Companies are working on countermeasures.

Düsseldorf: The ship's clock shows 2:36 p.m. local time when unrest breaks out on the bridge of the freighter maneuvering northwards in the Suez Canal on September 29, 2020. The assisted location GPS suddenly shows an error on both receivers. "We switched to the non-assisted GPS, but got the same errors," the ship reports to the US Coast Guard eleven days later. "We restarted the systems, but again achieved the same result."

The incident is similar to the one previously compiled by the U.S. Maritime Authority in the “Maritime Advisory 2020–016-Various GPS Interference” report. In that report, ship crews complained of significant GPS disturbances in the eastern and central Mediterranean. The areas affected were between Libya and Malta, the area around the Egyptian Port Said, the Suez Canal and the waters around Cyprus.

The areas between Hadera (Israel) and Beirut (Lebanon) also experienced lost or inaccurate GPS signals, which usually influence navigation, GPS-based timing, and satellite communication. Further cases were added in the Persian Gulf between September 2020 and March 2021. However, these failures are not caused by technical defects or natural phenomena.

Experts call spoofing the criminal interference with navigation technology, which can be used to fake the wrong locations of trucks, aircraft, and – at worst - self-driving cars. In addition to the American market leader GPS, the European Galileo system, the Russian counterpart Glonass, and China's BDS Beidou are also affected.

Logistics is at risk of damages running into billions. Between February 2016 and early 2020 alone, the U.S. think tank Center for Advanced Defense Studies (C4ADS) counted 9,883 spoofing incidents affecting 1,311 merchant ships. Experts believe that the number of unreported cases is much higher.

"Until a few years ago, it was complicated and costly to manipulate GPS signals," says Jana Wagner, chief analyst at Israeli security firm Regulus. "Today, hardware boxes can be ordered on the Internet for less than 300 dollars." Anyone can download the software for these so-called Software Defined Radios (SDR) from open-source providers.

Accident Risk

The fact that manipulated GPS signals can force freighters to take expensive detours is still considered the least of the dangers. This is because the maritime Automatic Identification System (AIS), which is intended to protect seagoing vessels from collisions, is also controlled by satellite radio. If the data stream breaks down or the system fakes a false location, the risk of an accident increases.

In the summer of 2019, it hit an entire airport. Take-offs and landings at Ben Gurion Airport in Tel Aviv were risky maneuvers for two months because the planes received false information via GPS. As with most spoofing incidents, it was most likely collateral damage. Researchers found the source of the jamming signals to be a Syrian military airport, which is supported by Russian units, located 350 kilometers north of the Israeli metropolis.

Moscow rejected the accusations with little credibility. As long ago as 2017, the police in northern Norway and Finland had reported false GPS data in aircraft and on mobile phones, which were created during the nearby Russian military exercise "Zapad" ("West").

The GPS signals around the Kremlin and the alleged Putin Palace near Cape Idokopas on the Black Sea are also being manipulated on a large scale – apparently to steer attacking drones onto the wrong course in an emergency. In the latter case, however, this also hinders shipping in the eastern part of the Black Sea.

At the same time, targeted interference maneuvers are on the increase. In South and Central America, gangs have recently begun to specialize in piloting truck drivers to remote areas to then rob the trucks. "These incidents are now taking place there on a weekly basis," reports Jana Wagner.

Spoofing also makes the work of freight robbers easier in Europe: Many trucks can only be opened when they are located at their destination via GPS – unless the navigation device simulates the loading dock of the end customer.

The massive falls in acquisition costs are making for widespread use. Whereas in the past entire military installations were used to manipulate satellite radio, a scam app is now sufficient for smaller operations and is often available for as little as 100 dollars. For example, Uber or Lyft taxi drivers have often acquired a second cell phone to simulate a second location on it using fake GPS data. "This brings them extra rides," the U.S. Resilient Navigation and Timing Foundation observed.

The lurking dangers were documented by hackers in a Youtube video in November 2020. In it, they used an external SDR box to force a semi-autonomously controlled Tesla 3 to steer into oncoming traffic and brake to 30 kilometers per hour.

In the end, the vehicle turned as if by magic from a German motorway into a rest area. "With a software-defined radio, this can still work from many kilometers away," warns Regulus expert Wagner.

How robustly driver assistance systems behave against spoofing attacks is currently being tested by the German Federal Office for Information Security (BSI). However, the Bonn authority cannot present a real security solution on request.

Difficult fight against hackers

Goslarer Bornemann AG, a vehicle GPS provider, also refers to these limits. There is "virtually no” complete protection, according to the company. "Although there is technology that can reduce the effect," writes one employee on the company's homepage, "this is, however, cost-intensive and time-consuming and is therefore only used in areas such as the military or aviation." For medium-sized enterprises, it is rather "impractical and not recommended".

Nevertheless, there are attempts at solutions. The British-American security company CRFS prefers to try to track down the deceivers with hardware. Their radio frequency devices under the name "RFeye" reportedly measure the distance to the GPS transmitter and thus check whether the signals come from the satellite or a land-based fraudster.

On the other hand, the start-up Regulus, founded in Haifa in 2016, relies on software solutions after its hardware tests failed. The company founders, Jonatan Zur and Yoav Zangvil, make the programs available to GPS users under license – most recently to Harman, an automotive supplier to Samsung.

Another market is currently opening up in Europe for the two cybersecurity experts, who are financed by two Israeli investment firms with ten million dollars. Since June 2019, the EU has required all newly registered trucks to be equipped with a so-called "smart tachograph", and obligatory retrofitting will begin in 2034.

The device not only records the drivers' driving and rest times, but also records the truck's position data via a global satellite system. However, only if the driver does not manipulate it with his SDR box.

Learn More About Trucking & Telematics Solutions

Article originally written by Christoph Schlautmann, published on Handelsblatt - https://www.handelsblatt.com/unternehmen/dienstleister/satellitennavigation-tarnen-taeuschen-verfahren-manipulierte-gps-daten-werden-fuer-die-logistik-zum-milliardenrisiko/27120628.html?ticket=ST-6526958-9oewYGBExcgpemUoJfGN-ap2

13 min read

GPS Is Easy to Hack, and the U.S. Has No Backup

On August 5, 2016, Cathay Pacific Flight 905 from Hong Kong was heading for an on-time arrival at Manila’s Ninoy Aquino...

1 min read

2 years since the Tesla GPS hack

In June 2019, Regulus Cyber's experts successfully spoofed the GPS system of a Tesla Model 3 vehicle. This experiment...

1 min read


The modern world relies heavily on the accuracy of the position, navigation and timing of the Global Positioning...