GPS Spoofing: The Auto Cybersecurity Threat Hiding in Plain Sight

Cybersecurity has become a hot topic for automobiles, but one major threat has been flying under the radar: GPS spoofing. Last summer nearly two dozen ships were hit by these targeted attacks, which attempt to trick a global positioning system into believing it is miles away from its actual location. In this instance, the ships’ global positioning systems were led to believe that they were near Gelendzhik Airport. But in reality the ships were sailing 25 nautical miles away.

Some smartphone users in central Moscow encountered a similar problem in 2016. After coming within a mile of the Kremlin, their Google Maps location switched to the Vnukovo airport nearly 20 miles away. The Uber app was affected in a similar manner; it was unable to locate and service these consumers, who were nowhere near the airport.

Even Pokemon Go, which relies on GPS to locate players and reveal new creatures, has been manipulated. Players intentionally spoofed the app to travel somewhere else within the game world without physically leaving home.

GPS spoofing is not limited to ships, cars, and smartphone apps alone. It is a serious problem that could allow hackers to influence everything from flying drones to stock market trades and ATM withdrawals.

Motor vehicles are particularly vulnerable to GPS spoofing. Few are aware of the risks, which will only get worse as cars become more autonomous. Without a human driver guiding vehicles to each destination, they will require enhanced navigation tools that are far more advanced and more accurate than what is currently available. If those tools are spoofed, the car will not simply list the wrong location—it could physically drive in the wrong direction without alerting its occupants. And without pedals and steering wheels (which are expected to be eliminated by self-driving cars), consumers won’t be able to take over if the GPS is spoofed.

Moving targets

The recent string of violent incidents, in which motor vehicles were used to intentionally harm individuals, can just as easily be caused by GPS spoofing. Malicious threat actors (individuals who wish to negatively impact a security system) could spoof a GPS to execute similar attacks without ever having to step inside a vehicle. This technique could also be used to carry out abductions or to hijack an entire fleet of vehicles. The possibilities are quite broad, so it’s not difficult to imagine other ways for hackers to utilize a spoofed global positioning system.

Most GPS receivers can be fooled without much effort. For example, it is possible to record a genuine GPS signal from one location and transmit that signal to other receivers at a different time. Technically a device should not allow this shift from one time to another. But it is not difficult to trick the GPS into believing the information is accurate. When a more advanced attack is carried out, the current time and spoofed time are perfectly aligned, which makes this technique much more difficult to detect.
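A receiver-side plausibility check for the replay case described above, as an added example that is not code from the article: it compares each new fix with the last trusted one, flagging a shift between GPS time and the receiver's own clock and flagging an implied speed no vehicle could reach. The thresholds, names and sample fixes are assumptions constructed for illustration; the time-aligned sample passes the clock check and is caught only by the position check.

```python
import math
from dataclasses import dataclass

# Thresholds are assumptions for this illustration, not values from the article.
MAX_CLOCK_DRIFT_S = 2.0  # allowed change in (GPS time - local clock) between fixes
MAX_SPEED_MPS = 70.0     # ~250 km/h, above any plausible road-vehicle speed

@dataclass
class Fix:
    local_s: float  # receiver's own monotonic clock, seconds
    gps_s: float    # time carried in the GPS solution, seconds
    lat: float      # degrees
    lon: float      # degrees

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def check_fix(prev: Fix, cur: Fix) -> list:
    """Compare a new fix with the last trusted one; return the alerts raised."""
    alerts = []
    # A replayed recording carries old GPS time, so the GPS-vs-local offset shifts.
    drift = (cur.gps_s - cur.local_s) - (prev.gps_s - prev.local_s)
    if abs(drift) > MAX_CLOCK_DRIFT_S:
        alerts.append("time_jump")
    # Independent of time: the implied speed between fixes must be physically possible.
    dt = cur.local_s - prev.local_s
    if dt > 0 and haversine_m(prev, cur) / dt > MAX_SPEED_MPS:
        alerts.append("position_jump")
    return alerts

# Constructed sample fixes (not real captures), one second apart.
TRUSTED = Fix(100.0, 1_000_100.0, 52.0000, 13.0000)
NORMAL = Fix(101.0, 1_000_101.0, 52.0002, 13.0000)        # ~22 m further on
NAIVE_REPLAY = Fix(101.0, 996_501.0, 52.3000, 13.0000)    # recorded an hour earlier
TIME_ALIGNED = Fix(101.0, 1_000_101.0, 52.3000, 13.0000)  # spoofed time matches clock

if __name__ == "__main__":
    for name, fix in [("normal", NORMAL), ("naive replay", NAIVE_REPLAY),
                      ("time-aligned", TIME_ALIGNED)]:
        print(name, check_fix(TRUSTED, fix))
```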

Unlike traditional device hacks, GPS spoofing requires a transmitter to be placed in proximity to the target. The transmitters are cheap and Internet-connected and can be purchased fairly easily online. When combined with GPS spoofing software, a threat actor could remotely connect to the transmitter and execute an attack.

Simple hack

With such a low barrier to entry, GPS spoofing is far easier and far less complex than other automotive hacks. Virtually anyone can do it using nothing more than a computer, free software and a $300 kit.

This is an important reality to consider, especially since OEMs all over the world are committed to building and deploying autonomous vehicles between 2020 and 2025. Their imminent arrival has greatly increased the need to safeguard against GPS spoofing.

In order to preserve the future of mobility and ensure that autonomous vehicles are not hampered by the actions of malicious individuals, every automobile must be secure. Their sensors — including GPS, LiDAR, radar and cameras — are the heart of the autonomous revolution. Despite their immense importance to cars, drones and robots, security remains a problem that has yet to be addressed.

Sensors are prone to different physical attacks that may be launched without hacking into an engine control unit. This could pose a significant danger to any vehicle dependent on sensors. In order to mitigate these risks, security needs to be considered from day one. Because attack vectors are advancing fast, it cannot simply be implemented as a software update after a vehicle is deployed, nor should it be ignored until a car’s GPS has been spoofed. To ensure that every autonomous vehicle is safe, GPS security must be built in before the vehicle leaves the assembly line.