GPS receivers are vulnerable to attacks like spoofing, in which they can be tricked into tracking fake GPS signals. Here's how the bad guys do it - and how to stop them
All forms of communications networks have security issues, and GPS is no different. A report from the US Transportation Department's Volpe National Transportation Systems Center in 2001 identified spoofing as a potential threat to civil GPS receivers, in which a GPS receiver is fooled into tracking counterfeit GPS signals. More sinister than intentional jamming, spoofing deceives the targeted receiver, which cannot detect a spoofing attack and so cannot warn users that its navigation solution is untrustworthy.
The Volpe report noted the absence of any off-the-shelf defense against civilian spoofing at the time. Seven years later, not much has changed.
We recently canvassed four manufacturers of high-quality GPS receivers. They revealed that they were aware of the spoofing vulnerability but had not taken steps to equip their receivers with even rudimentary spoofing countermeasures. The manufacturers expressed skepticism about the seriousness of the threat and noted that any countermeasures, if required, would have to be inexpensive.
An internal memorandum from the MITRE Corporation recommends several techniques to counter spoofing: amplitude, time-of-arrival, angle-of-arrival and polarization discrimination; a navigation-solution consistency cross-check against an inertial measurement unit (IMU); and cryptographic authentication. Their effectiveness varies widely, however, and some require additional hardware, adding to the cost of receivers. Cryptographic authentication is arguably the most secure solution, but it would require modification of the civil GPS signal structure, making it an unlikely short-term solution.
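Two of the cheaper countermeasures named above, amplitude discrimination and an IMU cross-check, need no new hardware beyond what many navigation units already carry, so they are worth seeing in working form. The following is an added example written for this page, not code from the MITRE memorandum or from any receiver vendor; the epoch format, the thresholds, and the sample log (a vehicle driving north whose solution is dragged east once a spoofer takes over) are all constructed for illustration.

```python
"""
Added example: amplitude discrimination and an IMU cross-check, two of the
spoofing countermeasures listed in the text, run over a constructed log.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Epoch:
    t: float                        # receiver time, seconds (assumed 1 Hz log)
    gps_pos: Tuple[float, float]    # GPS solution, local (east, north) metres
    imu_delta: Tuple[float, float]  # inertial dead-reckoning step since previous epoch
    cn0_dbhz: float                 # mean C/N0 of tracked channels, dB-Hz


def imu_cross_check(epochs: List[Epoch], max_residual_m: float) -> List[Tuple[float, float, bool]]:
    """Compare each GPS position step with the IMU's displacement over the
    same interval. A spoofer can steer the GPS solution but not the IMU, so a
    large residual is suspicious. Returns (t, residual_m, suspicious) for every
    epoch after the first."""
    out = []
    for prev, cur in zip(epochs, epochs[1:]):
        d_e = cur.gps_pos[0] - prev.gps_pos[0]
        d_n = cur.gps_pos[1] - prev.gps_pos[1]
        residual = math.hypot(d_e - cur.imu_delta[0], d_n - cur.imu_delta[1])
        out.append((cur.t, residual, residual > max_residual_m))
    return out


def amplitude_check(epochs: List[Epoch], baseline_dbhz: float, max_rise_db: float) -> List[Tuple[float, float, bool]]:
    """Flag epochs whose mean C/N0 rises more than max_rise_db above the
    open-sky baseline. A simulator plus amplifier usually has to overpower the
    genuine signals, which shows up as an abrupt, simultaneous rise."""
    return [(e.t, e.cn0_dbhz, e.cn0_dbhz - baseline_dbhz > max_rise_db) for e in epochs]


def spoofing_alerts(epochs: List[Epoch], max_residual_m: float = 5.0,
                    baseline_dbhz: float = 45.0, max_rise_db: float = 4.0) -> List[float]:
    """Union of both checks: sorted timestamps flagged by either one.
    Thresholds are assumed values for a 1 Hz log and a consumer-grade IMU."""
    flagged = {t for t, _, bad in imu_cross_check(epochs, max_residual_m) if bad}
    flagged |= {t for t, _, bad in amplitude_check(epochs, baseline_dbhz, max_rise_db) if bad}
    return sorted(flagged)


# Constructed sample log (not real receiver data). The vehicle drives north at
# 10 m/s. From t=4 s a spoofer captures tracking and drags the solution east at
# 30 m/s while the IMU still reports northward motion; C/N0 jumps by about 7 dB.
SAMPLE_EPOCHS = [
    Epoch(0.0, (0.0, 0.0),   (0.0, 0.0),   45.1),
    Epoch(1.0, (0.2, 10.1),  (0.1, 10.0),  44.8),
    Epoch(2.0, (0.3, 20.0),  (0.0, 9.9),   45.3),
    Epoch(3.0, (0.1, 30.2),  (-0.1, 10.1), 45.0),
    Epoch(4.0, (30.1, 30.4), (0.0, 10.0),  52.2),
    Epoch(5.0, (60.0, 30.6), (0.1, 10.0),  52.0),
]

if __name__ == "__main__":
    for t, residual, bad in imu_cross_check(SAMPLE_EPOCHS, 5.0):
        print(f"t={t:4.1f}s  GPS/IMU residual {residual:6.2f} m  {'SUSPECT' if bad else 'ok'}")
    for t, cn0, bad in amplitude_check(SAMPLE_EPOCHS, 45.0, 4.0):
        print(f"t={t:4.1f}s  C/N0 {cn0:4.1f} dB-Hz  {'SUSPECT' if bad else 'ok'}")
    print("alerts at", spoofing_alerts(SAMPLE_EPOCHS))
```

On the constructed log both checks fire at t=4 s and t=5 s and nowhere else. The two checks fail differently, which is why they are worth combining: the amplitude check is blind to a spoofer that matches the genuine signal power, and the IMU check is blind to a spoofer that walks the solution off slowly enough to stay under the residual threshold (the threshold must be scaled to the IMU's drift over the epoch interval, or short-term drift will raise false alarms).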
Our goals here are to assess the spoofing threat and develop and test practical and effective countermeasures. To advance these goals we found it necessary to go through the exercise of building a civil GPS spoofer to explore the range of practical spoofing techniques and discover which aspects of spoofing are hard and which are easy to implement in practice. With this information, we can more accurately assess the difficulty of mounting an attack, and receiver developers can prioritize their defenses by choosing countermeasures that are effective against easily implementable spoofing techniques.
Initial threat assessment
For threat analysis, spoofing attacks can be roughly divided into three classes: simplistic, intermediate, and sophisticated.
Simplistic Attack via Simulator. As far as we know, all stand-alone commercial civilian GPS receivers available today are trivial to spoof. One simply attaches a power amplifier and an antenna to a GPS signal simulator and radiates the RF signal toward the target receiver.
Despite the ease of such an attack, it has some drawbacks. One is cost: the price of modern simulators can reach $400,000. Simulators can be rented for less than $1,000 per week, making them accessible for short-term mischief, but long-term use remains costly. Size is another drawback. Most GPS signal simulators are heavy and cumbersome. If used in the simplest attack mode, situated close to a target receiver's antenna, a signal simulator would be challenging to plant and visually conspicuous. Of course, if the custodian of the target receiver is complicit in the spoofing attack - as is the case, for example, with the fishing vessel skipper who spoofs the onboard monitoring unit to fish undetected in forbidden waters - the conspicuousness of the signal spoofer is irrelevant.