Defending Against GPS Spoofing

It used to be so easy. In the days before smartphones and PCs, if you wanted to know where someone was, you just got on your CB radio and said, “Hey buddy. What’s your 20?” That’s trucker talk, you see, for “please tell me your location.” Ah, the 70s. If you wanted to lie about your location, no one would ever find out.

Location finding is much easier today, at least in theory. Your GPS tells you exactly where you are. But, like almost every good thing given to us by technology, it can be hacked. GPS spooking is a massive threat, one that fortunately has not caused much damage so far. It’s only a matter of time, however.

The GPS Spoofing Risk

Certainly, there have been some very troubling warning shots over the bow, so to speak. A number of experiments have shown how easy it is to trick a GPS system. In 2015, 20 cargo ships in the Black Sea were given false geographic locations by what was assumed to be GPS spoofing. Some of the ships appeared to be on dry land. The four deadly collisions of US Navy vessels with freighters are also suspected of being victims of GPS spoofing, though the Navy has denied this.

The problem stems partly from the nature of GPS. The technology relies on a relatively weak radio signal from a satellite that’s 20,000 kilometers overhead. A stronger, closer radio signal can overpower the satellite and trick a GPS device into displaying fake geographic information. The equipment required to create this fake GPS signal is cheap (around $300) and broadly available. The signal can be transmitted from a nearby car, drone, ship or submarine. Comparable threats also affect Radar and LIDAR, which relies on laser beams.

Who’s at risk? Pretty much everyone. Any GPS-enabled car, plane or boat is vulnerable. Self-driving or semi-autonomous vehicles are particularly exposed. At least on the Black Sea, the ships’ officers knew they were not on dry land. The risks range from nuisances and petty crime to catastrophic cyber war scenarios.

Countermeasures for GPS Spoofing

A number of companies have come to market with solutions to counteract the GPS spoofing threat. Regulus, for example, is approaching the problem through sensor security. The company offers a physical sensor that is external and independent from the system it protects.

Yonatan Zur, CEO of Regulus

“Our sensor can jam spoofing signals,” said Yonatan Zur, Co-Founder and CEO of Regulus. “It also independently verifies location and alerts the user if there is a discrepancy between the actual location and the one perceived by the potentially spoofed GPS.” Zur’s background includes serving as a pilot and squadron leader for Unmanned Aerial vehicles (UAVs) in the Israeli Air Force. This experience helped him understand the nature of the GPS spoofing threat and devise ways to mitigate it.

Regulus is targeting the consumer market though it also has enterprise level solutions. They combine physical sensors with a management suite. “Monitoring and managing these sensors is as important as the sensors themselves,” Zur added. “If you can’t efficiently administer a large number of sensors, you won’t accomplish much even if you can detect GPS spoofing.”

Cyber Policy Impact

The potential spoofing of GPS, LIDAR and Radar needs to be addressed in cybersecurity policies. The military, for sure, would be wise to consider the risks and impacts of the threat and create policies to deal with it. Independent verification technologies like Regulus offer one approach that could be enshrined in policy.

It seems almost irresponsible not to mandate some sort of check on GPS devices and the like. The hacking of monitoring and tracking technologies has been at the heart of some of the most effective cyberattacks. By hacking the monitors, the attacker blinds observers to what is actually happening.

The success of the notorious Stuxnet attack, for example, was based on its ability to fake out the devices monitoring the speeds of Iran’s Uranium-refining centrifuges. To the watchers, it looked as if the centrifuges were operating at normal speed. However, they were actually spinning themselves into self-destruction. If Iran had had a Regulus-like sensor, indecently checking the centrifuge speed, they might have caught the hack earlier. Many observers have pointed out that the US power grid has similar vulnerabilities—with the lethal potential to obscure meltdown-level electrical loads on transformers and power lines.

These risks remain even if we don’t deal with them, but it’s better to address them now, before disaster strikes.

Photo Credit: David Guo’s Master Flickr via Compfight cc