GPS: Infrastructure and Technical Vulnerabilities
James J. Torrence
Introduction
The Global Positioning System (GPS) is an essential part of modern society with its uses ranging from navigating during a road trip to synchronizing clocks on a phasor measurement unit (PMU). Similar to the proliferation of networked devices, the spread of GPS-related technology has outpaced its security. Equipment that relies on GPS coordinates is highly susceptible to being spoofed, jammed, or the subject of malicious interference. The Supervisory Control and Data Acquisition (SCADA) infrastructure on which society relies to function is highly dependent on GPS technology that is not secure. The inherent insecurity of GPS-dependent systems and GPS itself mean that there are a number of vulnerabilities which, if exploited, could result in catastrophic losses of money, the destruction of equipment, or potentially even the loss of human life. Leaders and decision-makers need to understand the risks of using GPS to ensure they have plans in place to continuously verify the technology as opposed to becoming blindly reliant and thus even more likely to be the victim of a malicious actor. In order to better understand the risks contemporary society faces from the use of GPS technology, it is first necessary to understand the origin of GPS, modern examples of GPS spoofing with commercially available equipment, and the role GPS plays with regard to time synchronization in SCADA infrastructure. Once one understands this information, one can then look into the ways in which he/she uses GPS in his/her organization and develop methods for verifying GPS information.
GPS Background
GPS “is a satellite-based navigation system that was developed by the U.S. Department of Defense (DoD) in the early 1970s” (El-Rabbany, 1). GPS relies on satellites for navigation and is a half-duplex system which means users/devices interacting with GPS only receive data from the GPS satellites and do not transmit any information. During its creation, it was determined that “GPS satellites would broadcast two different types of signals, a precise military signal and a so-called clear access or C/A signal” (Humphreys, 2). The military signal was initially encrypted to afford the DoD a strategic advantage for its armed forces (GPS for military use continues to be encrypted). The C/A signal on the other hand, was (and is) “freely accessible to all” (Humphreys, 3) and its usage has grown exponentially since its inception.
GPS initially consisted of 24 operational satellites with “four satellites placed in each of six orbital planes” (El-Rabbany, 2) to ensure constant coverage for both civilian and military users. The system was designed to ensure that between six and ten satellites were always visible during the shift of the earth and normal satellite movement in orbit. GPS achieved full operational capability in 1995, and since then the number of GPS satellites (and thus the number of satellites in each orbital plain) have increased (El-Rabbany, 2) and made coverage even more ubiquitous. Though GPS was operational in 1995, there was an intentional degradation of the C/A signals (the publicly available signal for non-military users) that created errors in accuracy (Humphreys, 2012). In 2000, a presidential order was given to discontinue the intentional degradation of the C/A and “instantaneously, every GPS receiver across the globe went from errors the size of a football field to errors the size of a small room” (Humphreys, 2012). Prior to the degradation being lifted, GPS couldn’t be used for accurate navigation (outside of the sea, and other places with large open spaces) in vehicles, for walking, or anywhere that required exact coordinates because it couldn’t pinpoint locations. The modern GPS for civilian has evolved since 2000 and resulted in a “firestorm of innovation” (Humphreys, 2012).
The innovation of GPS-related technology in both location and timing has resulted in GPS being “built deeply into our national infrastructure” (Humphreys, 2012) and controlling SCADA infrastructure, navigation systems (from car to airplane), and timing for finance transactions taking place all over the world (this is not an all-inclusive list). The same properties that make GPS so effective, easy to innovate, and embedded in our daily lives also create major vulnerabilities:
The problem is that the same transparency and predictability that have made civil GPS signals so wildly popular all across the globe give rise to a dangerous vulnerability. Transparency and predictability make the civil GPS signals easy to imitate—to counterfeit. The fact is that civil GPS signals are like Monopoly money: they have a detailed structure but no built-in protection against forgery (Humphreys, 2012).
GPS Spoofing
The GPS is a half-duplex system which means a device/navigation system needs to receive information from a satellite in order to approximate its location. There was a hypothesis at the onset of GPS usage that there would be a way to provide fake location data with more power than that provided by the GPS which meant that a device/navigation system could be tricked into thinking that the fake location data was in fact real GPS data. This technique is called GPS spoofing which is “a method of attacking a Global Positioning System receiver with the goal of having the targeted receiver compute an erroneous navigation solution, an incorrect time, or both” (O'Hanlon et al., 2013). Todd Humphreys, an assistant professor at the University of Texas and a leading GPS expert, showed that the hypotheses about GPS spoofing were indeed correct in two different experiments in which he and his team hijacked the GPS signals of a cruise ship and a drone.
Between June and July of 2013, a cruise ship named “White Rose of Drachs” was operating in the Ionian Sea. The captain of the eighty-million-dollar superyacht gave permission to Humphreys and his team to attempt and spoof its GPS signal, but the captain didn’t know just how easy it would be. For the experiment, Humphreys and his team decided to send out the fake signals onboard the ship, though it would easily be possible (with the right amount of power) to do it from a remote location. They purchased around two-thousand dollars-worth of commercial equipment to create a fake location transmitter that could provide enough power to match, and eventually supersede the power of a legitimate GPS signal (Farivar, 2013). As previously discussed, “all GPS signals are sent from satellites to Earth without any authentication or encryption” (Farivar, 2013), so all that needed to happen to overtake the yacht was to “fool the on-board receiver into listening to [Humphrey’s] fake signal, rather than the authentic one” (Farivar, 2013). The team steadily increased the power of their GPS spoofing device until it was recognized by the ship (they could tell by when the ship began to drift off of its legitimate GPS signal to the GPS signal provided by Humphreys and his team). It only took between two and three times the power output of a regular GPS signal to overtake the ship, which is far less than the capability of commercial jammers (the implication from that information is that GPS signals could easily be jammed with commercial jamming devices). What makes this demonstration all the more disconcerting is that “those on board could tell that the yacht had made a pronounced turn in direction” (Goodman, 192) but that “inside the ship’s command room all the screens responsible for its navigation showed the vessel to be traveling in a straight line” (Goodman, 192).
The particular GPS spoof is worrisome because an onboard group of people were able to use commercially available devices to effectively take control of a ship. It is even more worrisome that this could be done from a drone or remote location which makes it a potential venue for a terrorist in the future. In this case, the only way for a leader to verify that the GPS coordinates and real coordinates are real is to use a sextant (or other nautical navigation tools). But the ubiquity of GPS means that some of the skills that were formerly required to navigate complex terrain have diminished and people are almost completely reliant on technology for their navigation. Without any backup navigation plan, ships are completely at the mercy of technology that is unencrypted, unauthenticated, and easily spoofed by passengers with equipment one could get in two hours if ordered on “Amazon Now”. Humphreys and his team demonstrated their skills on a different occasion, but instead of a ship they showed how it is possible to take over a commercial drone.
In 2012 Humphreys and his students at the University of Texas turned their attentions to the implications of commercial drones or unmanned aerial vehicles (UAVs) and the usage of C/A GPS. The team realized that “the vast majority of civil UAVs depend on civil GPS for navigation” (Humphreys, 2012) and that GPS is “fundamental to the sensor suite” (Humphreys, 2012) of UAVs in all aspects of their operation. The decision to focus on UAVs was (and is) important because of the availability of commercial drones, and the potential for organizations to use drones as carriers to deliver everything from letters to large packages (Amazon has conducted numerous widely publicized tests on using drones for deliveries). With the understanding that drones have the potential to do both harm and good for society, in 2012, Humphreys and his students set forth to answer the following question: “Does the dependence of UAVs on civil GPS make them susceptible to hijacking via GPS spoofing?” (Humphreys, 2012)
The question posed by Humphreys caught the attention of the Department of Homeland Security (DHS) who was interested in understanding how (and when) drones could be incorporated into national airspace along with the risks posed by having more drones constantly in the air. Humphreys and his team took advantage of the drone fervor and “proposed to DHS an experiment” (Humphreys, 2012) where he and his team “would attempt to commandeer a civilian UAV by GPS Spoofing” (Humphreys, 2012). DHS was very intrigued and accepted their proposal so long as Humphreys and the University of Texas provided the equipment. They selected an eighty-thousand-dollar drone as their UAV test subject, The Hornet Mini, because its “sensor suite and flight control system are representative of those in much larger commercial UAVs.” (Humphreys, 2012). After procuring the drone and rehearsing at the university, Humphreys and his students went to White Sands Missile Range in New Mexico to perform the tests in front of DHS personnel.
The drone was compromised by Humphrey’s team in a matter of minutes at a distance half a mile away from the drone’s location. His team setup a GPS spoofing device developed in the classroom on the top of a hill half a mile away from the testing site (Humphreys, 2012). Then, once they were setup, a UAV was flown at fifty feet above the ground by a ground control operator (Humphreys, 2012). Like Humphrey’s and his team would do a year later with the luxury yacht, they “began transmitting weak counterfeit GPS signals toward the hovering UAV” (Humphreys, 2012) to eventually overpower the GPS signal and take control of the drone. Once they were in control of the drone they “[induced] a false upward drift to the UAV’s perceived location” (Humphrey’s, 2012) and then “fooled the UAV’s flight controller into commanding a dive” (Humphrey’s 2012). The experiment was cut short before the drone crashed since it was an ethical spoof and not malicious.
This case represents an advanced level of GPS spoofing, but one that was still developed through the use of commercial technology. Drones are increasing in sales and domestic use, and in the not too far future it is more than possible that delivery services will be using drones instead of vehicles. If a large number of drones are constantly in the air, it means that the number of threat vectors to people and property (both physically and digitally) will also increase. These drones could be potentially hijacked from reasons ranging from stealing one’s package, to being used as an attack vessel against attack people, places, or things. The notion that every drone in the sky could be easily controlled within a half-mile radius (and further with more power) through the use of commercial software (this process would also be shared on the internet so it would become relatively easy for a common person to hijack a drone) is frightening and should make the government (and drone manufacturers) think twice about drone regulations, and their usage of C/A GPS.
In the case of a cruise ship it is easier for a leader to build a backup navigation plan because the tools exist (whether they are use or not is a different story) and there are people on board of a ship, but with drones it is not so simple. One of the major questions leaders have to ask is: how can we verify the information that the GPS is supplying is legitimate, and that our drone is in fact in a certain location? Potentially this is where the internet of things could come into play where a drone would be able to verify its signal by pinging devices in close proximity to triangulate its location which could then verify its GPS coordinates…This paper does not in fact aim to solve this problem, but to make sure leaders and those running drone operations with C/A GPS understand that GPS spoofing is a major threat and that it would be in their best interest to develop a way (and a time-interval) to verify their GPS coordinates to ensure they are not the victim of a malicious actor.
GPS spoofing is a major concern for ships and drones (as the aforementioned examples have shown), but it can be a threat to almost any industry:
To date, GPS spoofing attacks have occurred on numerous occasions around the world. Think of the impact on just one industry: global cargo. According to Cargo Security International, cargo theft costs business $25 billion annually, and 90 percent of global cargo crosses the world’s seas. GPS is a critical component in ensuring the right goods get to the right place at the right time (Goodman, 192).
Along with providing coordinates, GPS also provides synchronous timing which, like coordinates, has the potential to be disrupted and/or spoofed.
GPS & Timing
Before the proliferation of interdependent networked devices, “the consequences of power disruption were annoyance and some economic cost” (Shepard et al., 2012). But, now that everything is connected and relies on information provided over a network, the results of a power disruption could be disastrous and range from major power outages to generator explosions (amongst other negative consequences). Power generation systems used to each have their own internal timing, and “operated without an external time reference” (Shepard et al., 2012). But, SCADA infrastructure has transitioned to relying on external timing references to better control their networks with synchronized time. The shift to synchronized time makes monitoring, optimizing, and controlling SCADA systems more efficient and more centralized, but it also means that the “potential for catastrophic cascading failures increases if proper control measures are not implemented” (Shepard et al., 2012). PMUs are an essential part of the power grid, and their reliance on synchronized timing could be exploited by malicious actors.
“PMUs rely on GPS to provide accurate, synchronized time across the power grid” (Shepard et al., 2012) which means they could be the victim of a spoofing attack using the same type of methods Humphreys and his team used on the yacht and on the drone. There were multiple tests conducted on the vulnerabilities of PMU synchronized timing, and it is evident that “GPS spoofing poses a threat to the integrity of synchrophasor measurements” (Shepard et al. 2012) because “a spoofer can introduce a time offset in the time reference receiver that provides the timing signal for a PMU without having physical access to the receiver itself” (Shepard et al., 2012). The unsettling part is that the timing offset induced in the time reference receiver can occur in as little as eleven minutes without any physical access to the receiver itself.
PMUs are increasingly becoming a bigger part of SCADA system control, and the worry is that one could externally spoof the GPS of a PMU to “falsely trip a generator” (Shepard et al., 2012) which could “lead to a cascade of faults and a large scale blackout” (Shepard et al, 2012). Power failures can result in large economic losses for organizations, potentially large costs for the power supplier if the timing offset of a PMU receiver results in physical damage, and could effectively cripple certain areas (depending on the size of the power grids that are taken out) effectively cutting them off from the rest of society. Reliance on external timing has absolutely made the control of power grids more efficient and easier to monitor, but the interdependency of power grids on synchronous timing means that PMU timing spoofing could spell a disaster.
Networked systems cannot continue to outpace their security because there will be more vulnerabilities that can possibly be addressed. It is obvious that the unencrypted, unauthenticated information provided by C/A GPS is resulting in a number of flaws that even the best risk reduction measures cannot address.
Leaders in positions of influence need to understand that there need to be plans in place to address these risk concerns. Like the drone and the yacht, it is evident that another method of both verifying GPS data and, in this case, providing timing need to be in place to ensure that a GPS spoofing attack or GPS malfunction does not result in disastrous consequences. When generators had internal timers they were harder to manage and control, but when one failed it did not bring down an entire power grid. Leaders have a responsibility to implement control measures with PMUs to verify GPS data and to recognize the signs of a spoofing attack so that they can potentially isolate SCADA infrastructure damage and/or loss of services.
Conclusion
The post-2000 innovations with regard to the use of C/A GPS has made a lot of previously difficult tasks easier to complete; driving to a specific location, navigating a vessel on the ocean, operating a drone, and providing synchronized timing to SCADA infrastructure has saved time, prevented accidents, and made life easier for a number of people. The problem that now exists is the opportunity cost of GPS-related conveniences is a decrease in security. C/A GPS is unauthenticated and unsecure which means all of the systems that use C/A GPS could easily be spoofed and/or jammed with readily available commercial technology. This does not mean that GPS usage should be discontinued, but the onus is now on leaders to develop measures to verify the integrity of GPS signals on which their organizations rely (whether it is a GPS manufacturer, someone that runs a power grid, or a car manufacturer that uses GPS navigation…To name a few examples) to be successful. It is no longer acceptable to claim ignorance when it is a known fact that GPS is not secure. The inherent insecurity in systems that rely on GPS will be easier to exploit as hardware and software becomes cheaper and the only way leaders can ensure due diligence is to find a way to authenticate the GPS signals on which they rely. The technology that underlies GPS will not change in the near future, so leaders are left with burden of GPS security if they continue to rely on GPS for navigation and synchronous timing.
References
El-Rabbany, A. Introduction to GPS: The Global Positioning System. London: Artech House,
2001.
Farivar, C. (2013, July 29). Professor fools $80M superyacht's GPS receiver on the high seas.
Retrieved from: http://arstechnica.com/security/2013/07/professor-spoofs-80m-superyachts-gps-receiver-on-the-high-seas/
Goodman, M. (2015). Future Crimes: Inside the Digital Underground and the Battle for Our
Connected World. New York: Anchor.
Humphreys, T. (2012, July 8). Statement on the Vulnerability of Civil Unmanned Aerial Vehicles
and Other Systems to Civil GPS Spoofing. Retrieved from http://rnl.ae.utexas.edu/images/stories/files/papers/Testimony-Humphreys.pdf
O'Hanlon, B. W., Psiaki, M. L., & Humphreys, T. E. (2013). Real-Time GPS Spoofing Detection
via Correlation of Encrypted Signals. Retrieved from: http://radionavlab.ae.utexas.edu/images/stories/files/papers/rt_spoof_detection.pdf
Olson, P. (2015, August 7). Hacking a Phone's GPS May Have Just Got Easier. Retrieved from:
http://www.forbes.com/sites/parmyolson/2015/08/07/gps-spoofing-hackers-defcon/
Sathyamoorthy, D., Faudi, M., Fitry, M.A. (2012, September) Evaluation of the Effect of Radio
Frequency Interference on Global Positioning System (GPS) Accuracy via GPS Simulation. Defence Science Journal, 62(5) p. 338-347. doi: 10.14429/dsj.62.1606
Shepard, D., Humphreys, T, Fansler, A. (2012, March). Evaluation of the Vulnerability of Phasor
Measurement Units to GPS Spoofing Attacks. Sixth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection. Retrieved from https://radionavlab.ae.utexas.edu/images/stories/files/papers/spoofSMUCIP2012.pdf