Threat Simulation Required?

GPS World will host a webinar this Thursday, March 19, on the merits of using simulated jamming, spoofing and interference scenarios to prepare GNSS receivers for the brave new world of coping with adverse signal effects. It’s clear that users need to still operate commercially and individually, even when they get hit by extraneous interference — intended or otherwise — in a world where cigarette-lighter jammers, engineering “lash-up” spoofers, and badly designed commercial gear can ruin a person’s day.

Recently, I had a conversation with Guy Buesnel, market segment manager, GNSS Vulnerabilities, at Spirent Communications. He wanted to alert me to the concept that jamming and spoofing is at a stage where Internet hacking was many years ago. Hacking has progressed from the typical loan student in his bedsit or studio apartment pounding on a keyboard to break down banking or other institutional firewalls, to nowadays, where focused groups mount hacking attacks on targeted agencies or companies lasting days, weeks, even months. Huge effort is currently being applied to defending against these and future focused attacks.

Buesnel’s point is that organized attacks on GNSS may be coming, and coming soon. Individuals and groups are already self-jamming to prevent detection — organized car and truck thieves wanting to avoid location of stolen assets, or truck drivers wanting to prevent their employers knowing their whereabouts — using easily obtained “personal cigarette lighter” or even professional-looking jammers (see figure below). Jamming GPS L3 at 1381.05MHz might awaken U.S. Department of Defense (DOD) interest as it’s used by the Nuclear Detonation (NUDET) Detection System Payload (NDS), and L4 at 1379.913 MHz is currently only  used for studies on additional ionospheric corrections.

Handheld anti-tracking GPS (L1, L2, L3, L4, L5) 2-watt jammer. Photo: Tony Murfin

But Buesnel warns that organized spoofing could soon start to happen, and happen frequently. And it could be argued that spoofing is more dangerous than jamming, because a user or someone monitoring a user might not know for some time that their position information has been compromised. Long enough, perhaps, for an unwary user to get into potentially serious trouble, especially in a higher speed, fuel-restricted application like an aircraft or a small boat running some distance offshore.

GNSS is already embedded into the critical infrastructure of utility providers, and also telecoms, financial and transport sectors for timing/synchronization or positional data, and the growth in vehicle automation will soon see GNSS being used for even more safety-critical applications. The security of GNSS is already of huge importance and a “GNSS hacking attack,” like those experienced by Internet users, could achieve significant disruption across a host of operational segments. Precise GNSS timing is already essential for time stamping some transactions and used extensively for cell-site synchronization, so significant damage could occur if timing information were to be compromised.

While an intentional spoofing attack has yet to be confirmed — except under conditions such as that drone spoofing demonstration and then the White Rose luxury yacht spoofing trials, both by University of Texas/Cockrell School of Engineering graduate students — unintentional spoofing has indeed been reported. GNSS repeaters radiating at higher power levels than actual GNSS signals can be the source of such spurious signals. The result can be that GNSS receivers may acquire and track the higher power repeater signals, and the receiver position becomes that of the repeater. Use of GPS repeaters in unsuitable locations, such as for production tests in an open workshop, have been reported. The risk is that GNSS signals could extend outside the building and affect users, so GPS receivers could be spoofed and tricked into reporting an incorrect position.

White Rose 213-foot luxury yacht. Photo: Tony Murfin

For more than 20 years, the information security community has debated publishing the methods used by hackers and others to expose and attack vulnerabilities within products. Initially, things were kept hidden and were only shared between groups of hackers or IT administrators. However, online hacker forums quickly distributed knowledge — often including sample code. This allowed everyone from security researchers and IT administrators to hackers to learn about the vulnerabilities of applications and critical systems. It would seem that both researchers and hackers alike have broken the spell, and now it’s easy to spread the word about backdoors and weaknesses in firewalls, critical applications and the like.

Fast forward, and we are now in the age of mass-market access to jammers of all kinds through offshore websites — even if it’s illegal to operate such devices. However, it’s also illegal to hack the Department of Defense, but that has not prevented hackers in the past from assaulting and penetrating all sorts of secure DoD computing facilities. So, let’s just assume that the individuals who get a kick out of creating mayhem may eventually turn to something new — and the age of jamming and spoofing for fun may be upon us.

All is not lost, however. Just as applications for finding and killing viruses have become more robust, and new “antidotes” and warnings are now automatically downloaded to your PC even as they are created, and huge amounts of effort are now being applied to creating the most robust firewalls, so the designers of GNSS receivers are working hard to immunize their systems against anticipated attacks. And simulator/replay manufacturers such as Spirent Communications, IFEN, Spectracom and Racelogic are developing and fielding ready-made spoofing and jamming capabilities and scenarios with which manufacturers can test and qualify their receivers — which you may well hear about during the coming GPS World webinar on March 19.

Nevertheless, some people in the industry are urging members of the GNSS community to act more cooperatively and report spoofing and jamming incidents/attacks for their own good. It seems that the industry only collaborates in the face of a major common threat — take the ultra wideband and LightSquared episodes where the response was virtually unanimous. While most GNSS manufacturers in the meantime tend to maintain a very proprietary cover to their field experience and technological solutions, this still leaves customers exposed to product vulnerabilities. The GNSS community now has the advantage that the information security community has been working through these hurdles for the past two decades. Lessons learned include the following:

• Controlled, responsible disclosure and cooperation allows everyone to monitor the threat and how it is being dealt with.
• Without restricted disclosure and preventive solutions, attacks will always take advantage of weaknesses.
• Eventually, disclosure of product vulnerabilities will result in more respect and confidence in manufacturers by users.
• Rapid resolution of issues is essential.

The GNSS community has an opportunity to come together, learn from the information security community, and adopt best practices to secure and protect its customers.

(With grateful thanks to Guy Buesnel and David DeSanto of Spirent Communications!) 

Tony Murfin
GNSS Aerospace