*Re-posted with permission, Original post by Guy Buesnel, PNT Security Technologist at Spirent*
Numerous conference-goers’ phones began to exhibit anomalous behaviour. The source was traced to a faulty piece of test equipment in the exhibition hall. The incident has implications for manufacturers and users of smartphones — and simulators.
At 11am PT last Thursday 28th September, just as my colleague Steve Hickling was about to take to the stage at the ION GNSS conference in Portland, he noticed something wrong with his phone.
For one thing, it was displaying the time as 12.32. And it was suddenly incapable of sending or receiving emails, despite the reliable conference Wi-Fi.
“I mentioned it to the audience of my talk,” he says, “as I was supposed to have 20 minutes for my presentation and I realised I couldn’t rely on my phone to time myself.”
A disturbance in the Force
It soon turned out Steve wasn’t the only one. Several delegates came up to us after his talk to say it had happened to them, too.
While they’d been in the exhibition hall, something had caused their phones to behave strangely. Some had started displaying a time and a date in 2014, and some were reporting the wrong location: Toulouse in France, rather than Portland, Oregon. On some phones, old text messages started to resurface. Error messages appeared, email was unreachable, and one phone needed a factory reset.
The affected phones were different makes and models, but all exhibited similar symptoms. As a group of satellite navigation specialists, we recognised the tell-tale signs of a spoofing attack. Somewhere in the conference centre, someone was broadcasting a fake GPS signal – and in the absence of a real signal (GPS is too weak to penetrate far into buildings), the affected phones had locked on to it.
Tracking down the fake signal
Several reports are starting to circulate, talking about the incident – Logan Scott describes it in more detail here: http://www.insidegnss.com/node/5661
I was in a session track during the occurrence and found out about it afterwards, but apparently he was able to track down the source of the signals by using a portable RF interference detector. He reports that he traced the source to a leaky piece of test equipment.
(I’m very happy to confirm it was not – and could not have been, for reasons I’ll explain shortly – my employer Spirent.)
The rise of GPS spoofing
A lot has been written recently about GPS spoofing incidents. If you keep up with the world of GNSS cybersecurity, you’ll know there have been suspected attacks this year and last year in Russia; notably in the Black Sea this summer, and in Moscow and St Petersburg in 2016.
But it was quite something to witness the effects of an attack (albeit an unintentional one) at first hand. It brought a few things home to me, namely:
1. Spoofing is becoming ever easier to do, thanks to the rise of software-defined radio (SDR). A few years ago, if you’d wanted to fake a GPS signal, you would have had to build some specialist hardware for the job. That would not only have been very difficult, requiring advanced RF engineering knowledge, but also very expensive. Now, it’s easy to simulate a GPS (or other GNSS) signal using SDR kit that’s cheap to buy and easy to use. That means we’re highly likely to see many more intentional and unintentional instances of spoofing.
2. Not all GNSS simulators are equal. A GNSS signal simulator is a piece of specialist equipment intended for a specific task: to test how a given device behaves in the presence of a satellite navigation or timing signal. It should never be capable of leaking signal beyond the confines of the test; the manufacturer has a responsibility to design the hardware and circuitry of the simulator in such a way that the simulated signal cannot “escape”.
This is one of the reasons Spirent dedicates so much R&D resource to designing very robust simulators. We’re sometimes criticised for continuing to design specialist equipment for a job that can be done with commodity hardware and software-defined signal generation, but this incident serves to highlight why GNSS testing needs specific, robust hardware.
Not only can a leaky signal cause the kind of collateral damage we saw at ION GNSS, but it also makes the test results unreliable – as the device under test is not receiving the signal at the power levels assumed.
3. Smartphone manufacturers need to wise up to spoofing. One of the most interesting things about this unintentional attack was the way different phones behaved. Some recovered relatively quickly, while others were still displaying the wrong time and location hours later – only rectified by taking the phone outside to acquire the real signal. At least one handset had to have a factory reset.
As spoofing becomes easier to do, and is likely to become more prevalent, smartphone manufacturers need to build appropriate safeguards into their RF system architecture. It is sometimes too easy to place too much trust in GPS signals. Logan Scott surmises in his Inside GNSS article that “a major discrepancy between WiFi derived position and GNSS derived position should raise suspicions”.
This incident has implications not just for the day-to-day smartphone user (that’s pretty much all of us), but also for any law enforcement agencies that take smartphone location data into account when investigating or prosecuting crimes. A criminal could use spoofing either to create an alibi (by making their smartphone appear to have been somewhere else at the time of the crime) or to frame someone else (by making that person’s phone appear to have been at the scene at the time). That may sound like the plot of a far-fetched thriller, but our experience in Portland suggests it’s entirely conceivable. In fact, something like it may even have happened.
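The Wi-Fi/GNSS cross-check quoted above, sketched as an added example (not code from the original post, Spirent or any handset vendor): a GNSS fix is compared against a Wi-Fi derived position, an independent network clock and the previous fix before it is trusted. The `Fix` type, the thresholds and the sample coordinates and timestamps are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Fix:                       # hypothetical type for this example
    lat: float
    lon: float
    accuracy_m: float            # reported horizontal uncertainty
    time: datetime               # time-of-fix, timezone-aware UTC

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))

def check_gnss_fix(gnss, wifi, network_time, prev_gnss=None,
                   margin=3.0, max_skew_s=5.0, max_speed_mps=350.0):
    """Return reasons to distrust a GNSS fix; an empty list means plausible.
    All thresholds are assumed values, to be tuned per device."""
    reasons = []
    # 1. Position: GNSS and Wi-Fi should agree within their combined uncertainty.
    if haversine_m(gnss, wifi) > margin * (gnss.accuracy_m + wifi.accuracy_m):
        reasons.append("position_mismatch")
    # 2. Time: GNSS time should agree with an independent network clock.
    if abs((gnss.time - network_time).total_seconds()) > max_skew_s:
        reasons.append("time_mismatch")
    # 3. Continuity: time must move forward and implied speed must be physical.
    if prev_gnss is not None:
        dt = (gnss.time - prev_gnss.time).total_seconds()
        if dt <= 0:
            reasons.append("time_went_backwards")
        elif haversine_m(prev_gnss, gnss) / dt > max_speed_mps:
            reasons.append("implausible_jump")
    return reasons

# Constructed sample data: an indoor fix in Portland, then a fix claiming
# Toulouse with a 2014 timestamp, matching the symptoms the post describes.
NOW = datetime(2017, 9, 28, 18, 0, 0, tzinfo=timezone.utc)
WIFI = Fix(45.5285, -122.6632, 40.0, NOW)
GOOD = Fix(45.5283, -122.6630, 10.0, NOW + timedelta(seconds=1))
SPOOFED = Fix(43.6047, 1.4442, 10.0, datetime(2014, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(check_gnss_fix(GOOD, WIFI, NOW))
    print(check_gnss_fix(SPOOFED, WIFI, NOW, prev_gnss=GOOD))
```

A fix that fails any check can be held back from the system clock and location services until an independent source agrees with it again.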
Our responsibility: to protect against GNSS spoofing
In a way, it’s lucky that this unintentional attack took place in a building chock-full of GNSS specialists, at one of the leading global conferences on satellite navigation.
As an industry, we were able to witness the effects of a spoofing incident at first hand, and we can all take lessons from it to ensure that our devices, systems and processes are hardened against this emerging type of GNSS disruption.
As the world becomes ever more reliant on accurate, continuous and reliable navigation and timing signals, it’s yet another reminder that we need to stay constantly vigilant.
Original post link – https://www.linkedin.com/pulse/accidental-gps-spoofing-takes-down-smartphones-ion-gnss-guy-buesnel/