
Researchers Find Crippling Flaws In Global GPS

Posted by samzenpus
from the where-in-the-world dept.
mask.of.sanity writes "Researchers have developed attacks capable of crippling Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unamed drones. The novel remote attacks can be made against consumer and professional-grade receivers using $2500 worth of custom-built equipment. Researchers from Carnegie Mellon University and Coherent Navigation detailed the attacks in a paper. (pdf)"
  • Misleading Summary (Score:5, Informative)

    by KeithIrwin (243301) on Sunday December 09, 2012 @10:05PM (#42238391)

    The paper isn't really about attacking GPS infrastructure. It's about attacking GPS receivers. Some of these receivers may be part of other sorts of infrastructure. I was at CCS when the paper was presented. It's all about sending fake GPS satellite signals to receivers to exploit bugs in the software in the receivers. The work is interesting and includes attacks which can desynchronize the clocks on some devices and there was one device you could essentially brick by telling it that the satellite was at radius 0 (center of the earth) resulting in a divide by 0 overflow. I liked the paper and thought it was neat, and it could do serious damage to particular systems which rely on GPS if they have the right type of flaws in their software to be exploited by this attack, but it was not an attack against the GPS satellites or anything like that.

    • by KeithIrwin (243301) on Sunday December 09, 2012 @10:09PM (#42238421)

      Err, I just meant divide by 0 error, not overflow. The fun bit of that attack is that the reason it effectively bricks it is that the divide by zero error crashes it and it reboots, but it logs its data into flash, so as soon as it finishes rebooting, it starts reprocessing the stored data, thus it reads the 0 again and crashes and it just gets stuck in a loop like that forever. It's a fairly fun and clever paper.
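
Added example, not part of the original comments or the paper's code: a C illustration of the receiver-side defence against the failure described in the two comments above, range-checking broadcast orbit data before dividing by it, before writing it to flash, and again when the cache is read back at boot. The field names, the `sqrt_a` window, the in-memory `flash` array and the idea that the zero radius arrives as a zero semi-major axis are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Illustrative plausibility window for sqrt(semi-major axis), in m^0.5.
 * GPS orbits sit near 5153.6 (about 26,560 km); these bounds are this
 * example's assumption, not values from the paper or any vendor. */
#define SQRT_A_MIN 5000.0
#define SQRT_A_MAX 5300.0
#define SQRT_MU    1.99649818e7  /* sqrt(3.986005e14 m^3/s^2), the WGS-84 value GPS uses */
#define SLOTS      4

typedef struct {
    uint8_t in_use;   /* 1 = slot holds a record */
    uint8_t prn;      /* satellite id, 1..32 */
    double  sqrt_a;   /* broadcast square root of the semi-major axis */
    double  ecc;      /* eccentricity */
} orbit_rec;

static orbit_rec flash[SLOTS];  /* stands in for the persistent cache (hypothetical) */

/* Range checks written as positive comparisons so NaN and infinity fail too. */
bool orbit_is_sane(const orbit_rec *r)
{
    if (r->prn < 1 || r->prn > 32) return false;
    if (!(r->sqrt_a >= SQRT_A_MIN && r->sqrt_a <= SQRT_A_MAX)) return false;
    if (!(r->ecc >= 0.0 && r->ecc < 1.0)) return false;
    return true;
}

/* Mean motion n = sqrt(mu) / sqrt_a^3 in rad/s. The divisor is zero for a
 * satellite "at the centre of the earth", so validate before dividing. */
bool mean_motion(const orbit_rec *r, double *n_out)
{
    if (!orbit_is_sane(r)) return false;
    *n_out = SQRT_MU / (r->sqrt_a * r->sqrt_a * r->sqrt_a);
    return true;
}

/* Validate before persisting, so bad data never reaches flash. */
bool cache_store(const orbit_rec *r)
{
    if (!orbit_is_sane(r)) return false;
    orbit_rec *slot = &flash[(r->prn - 1) % SLOTS];
    *slot = *r;
    slot->in_use = 1;
    return true;
}

/* Boot path: re-validate every cached record and erase the ones that fail,
 * so a poisoned entry cannot crash the unit again after each reboot.
 * Returns the number of usable records. */
int cache_load_on_boot(void)
{
    int usable = 0;
    for (int i = 0; i < SLOTS; i++) {
        if (!flash[i].in_use) continue;
        if (orbit_is_sane(&flash[i])) usable++;
        else memset(&flash[i], 0, sizeof flash[i]);
    }
    return usable;
}

/* Constructed scenario: one good record, one zero-radius record from the
 * air, and one zero-radius record already sitting in flash. Returns 0 on
 * the expected outcome. */
int demo(void)
{
    orbit_rec good = { 1, 1, 5153.6, 0.01 };
    orbit_rec zero = { 1, 2, 0.0, 0.0 };
    memset(flash, 0, sizeof flash);
    bool stored_good = cache_store(&good);
    bool stored_zero = cache_store(&zero);
    flash[3] = zero;  /* as if written by older firmware that had no checks */
    int usable = cache_load_on_boot();
    return (stored_good && !stored_zero && usable == 1 && !flash[3].in_use) ? 0 : 1;
}

int main(void) { return demo(); }
```
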

      • I'm pretty certain that this is how Iran has intercepted and captured at least two US drones - including one of the "stealth" variety.

        Remember CDMA networks, as developed by Qualcomm, were the product of a couple Iranian researchers, living and working in the US.

        The Iranian ability to redirect America's cutting edge of battlefield technology back into the face of the aggressor is something that may well take the ignorant by surprise, should it happen.

        But I'd rather more so, if they didn't manage the feat - e

    • by fermion (181285)
      So that is interesting. Some GPS receivers have software errors that allow bad input to brick them. It is not surprising because one thing that too many automated systems do not protect against is malicious input. This is, however, the sort of thing that can be handled by a software update, if a GPS is capable of such a thing.

      I guess win one for smartphones.

      • by drinkypoo (153816)

        Modern consumer-type GPS receivers are all updateable, but not all will receive updates of course. Old school units might actually use windowless EPROMs (for cost-saving) and might not be upgradable by any reasonable means (short of desoldering...)

    • by ne0n (884282) on Sunday December 09, 2012 @10:38PM (#42238605) Homepage
      If it was news you'd see it on Carver Media first. We saw this attack used in 1997 to start open hostilities between China and Britain. Luckily we had a man in the area and he managed to stop it before anybody went nuclear.
    • How much do you know about the workings of GPS? I ask because I wonder if there is anything in the current implementation that would prevent adding a digital signature to the tracking signals without breaking compatibility with existing devices?

      Basically if the packet isn't signed, we just ignore it. I imagine for mission critical devices (e.g. commercial aircraft relying on IFR) they could upgrade the devices rather quickly. Consumer devices would of course be screwed in the current generation, but I don't

      • by Heretic2 (117767)

        They've been working on a GPS replacement for awhile, I would be surprised if it wasn't already fielded by the military.

        • They've always been phasing in new birds to replace older ones, each with a new set of features, pretty much non-stop since they started, using the old ones as spares until they were retired. I believe the phase 2 birds were rolling out before the phase 1 deployment even had the full intended coverage. Most civilian implementations probably have a limited feature set (all we really need is mapping) but I don't know if there is any kind of packet signing.

          • by Hes Nikke (237581)

            All consumer GPS can do is get the date, and current position. They use other sensors and/or multiple readings to get your heading and speed. This information is then fed into mapping software that is already on the device that may or may not rely on more data off the internet. I'm unsure of what military features they may have aside from getting better fixes on your location, but Clinton removed some/all consumer restrictions on fix resolution in the 1990s.

      • by X0563511 (793323)

        The "long" signal intended for military use requires a substantial key to decode. It's not jam-proof, but it should be spoof-proof.

        Of course, that all depends on the key remaining secret...

        I imagine the drone that was landed via GPS spoofing merely didn't have the equipment for the long signal. It's supposedly a pain in the ass to deal with.

      • by BitZtream (692029)

        The feature is already there. Military receivers have the ability to authenticate and reject bogus signals.

    • by Guignol (159087)
      "Researchers Find Crippling Flaws In Global GPS" is misleading ?
      Oh I see the flaw is not really in the global GPS system, thanks a lot for your post, I don't even have to read the fucking TFA thanks to you
      (I had mod points for you but you are already at +5 (twice) so...)
      • by KeithIrwin (243301) on Monday December 10, 2012 @05:09AM (#42240273)

        Well, thanks for the kind words anyway. Honestly, I thought that modding up my second comment (which was mostly just meant as an error correction) was excessive. If I'd known it would've been modded up, I might've not made it as I don't want to be a karma whore. But, oh well, I guess I shouldn't look a gift horse in the mouth.

  • Well, duh. (Score:4, Interesting)

    by girlintraining (1395911) on Sunday December 09, 2012 @10:07PM (#42238411)

    This isn't news. The GPS signal is very, very weak. It's actually right at the noise floor and using some rather ingenious encoding to resolve the signal. The signal itself is fully-documented for consumer equipment. Given the weak signal strength and the protocol having no encryption or validation to speak of, of course jamming is possible; Receiver selectivity dictates it'll lock on to the strongest signal, the root square law dictates that just about any terrestrial source with line of sight will be stronger than the one in space. The only problem to work out then is processing; You have to figure out where the receiver is now, and then figure out where you want it to be, and adjust all the signals it could receive from the GPS satellites simultaneously to cause it to (falsely) lock on to the new position. And considering that the timing needs to be in fractions of a millisecond to have any value at all, you need to be very exact.

    Most of the equipment is dedicated to computing what the signal needs to be.... the actual transmitter is dirt cheap.

    • Spoofing the signals to make receivers mistake their position isn't the point of this report. It's the potential to brick the receivers which is new.

      • by sabri (584428) * on Monday December 10, 2012 @12:49AM (#42239315)

        It's the potential to brick the receivers which is new.

        Which is why I find it interesting that 60% of the authors of the paper (3 out of 5) are employees of a commercial entity that.... creates "coherent" navigation equipment.

        Perhaps it's just one big advertisement for their solutions?

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Or maybe they did, you know, actual research for their solutions, and rather than being selfish cunts about it, decided to actually publish their results and contribute to the research community instead of hiding everything and smashing everything that competes with it down by using vaguely written patent applications? As hard as it may be for slashdot to believe, governments and corporations can occasionally do something right.

    • Re:Well, duh. (Score:5, Interesting)

      by tylerni7 (944579) on Sunday December 09, 2012 @10:30PM (#42238557) Homepage
      I don't think you looked at the paper really. GPS spoofing and jamming are nothing new (as is mentioned in the paper). The new aspect is that there are software attacks that can be done on the receivers. For example, one of the divide by zero errors will cause a denial of service attack on some receivers. This is vastly different from jamming, because the DoS continues even after the transmitter is shut off. Jamming would obviously stop as soon as the transmitter is turned off. That is the new, exciting, and dangerous part of all this.
      • by sjames (1099)

        Exactly. Exploiting a software bug will place much lower demands on the attacker for results nearly as useful.

      • by Anonymous Coward on Monday December 10, 2012 @12:05AM (#42239063)

        A new software attack to disable GPS functionality? - Apple maps was released months ago.

      • by ceoyoyo (59147)

        A hammer does this effectively as well. The difference is that with the hammer attack, a firmware flash with updated software can't fix the problem.

        The GPS makers, particularly the ones who make military and infrastructure systems, are going to have to be a little more careful about bugs in their code.

    • by AK Marc (707885)
      Satellite runs as close to the noise floor as possible. I've used some equipment that runs with SNR in the negatives (noise above signal).
    • by Anonymous Coward on Sunday December 09, 2012 @10:42PM (#42238639)

      Up until about 3 years ago we in North America had another electronic navigation system in-place and operational: LORAN C.

      The loran system -though not as precise as GPS- was in many respects much more difficult to jam. Upgrades were planned that would have improved the loran system; instead, in a spectacular case of "penny wise-pound foolish" the system was turned off, and its infrastructure (think 'some of the tallest antenna masts ever built' ) quickly dismantled/destroyed.

      http://en.wikipedia.org/wiki/LORAN [wikipedia.org]
      From Wikipedia:
      "In November 2009, the U.S. Coast Guard announced that the LORAN-C stations under its control would be closed down for budgetary reasons after January 4, 2010 provided the Secretary of the Department of Homeland Security certified that LORAN is not needed as a backup for GPS.[19]

      On 7 January 2010, Homeland Security published a notice of the permanent discontinuation of LORAN-C operation. Effective 2000 UTC 8 February 2010, the United States Coast Guard terminated all operation and broadcast of LORAN-C signals in the USA...

      [In the quoted Wikipedia article, the following paragraph was placed BEFORE the above]
        Originally completed 20 March 2007 and presented to the co-sponsoring Department of Transportation and Department of Homeland Security (DHS) Executive Committees, the report carefully considered existing navigation systems, including GPS. The unanimous recommendation for keeping the LORAN system and upgrading to eLORAN was based on the team's conclusion that LORAN is operational, deployed and sufficiently accurate to supplement GPS. The team also concluded that the cost to decommission the LORAN system would exceed the cost of deploying eLORAN, thus negating any stated savings as offered by the Obama administration and revealing the vulnerability of the U.S. to GPS disruption.[18]"

      end of quoted Wikipedia material

      Loran and its technological successor E-loran are still available in some more enlightened parts of the world (see linked article)

      Note that I am a USian. The above is NOT one of my country's
      more shining (dare I say 'brighter') decisions.

      • Yup, rather dumb move, saving peanuts compared to most budgets, but the US Coastguard ran it, and they're really strapped for cash.

        Shame, since as well as the benefits you note, the infrastructure was successfully used to broadcast data to augment GPS accuracy. This would perhaps have been a more convincing argument for keeping it in place, since it's true that in recent years usage was reported to have dropped considerably.

      • They know the cost of everything but the value of nothing. Unless it's related to re-election campaigns.

      • by Muad'Dave (255648)

        At least it will allow the government to clean up the maritime charts by removing the LORAN-C TD lines that clutter them up.

        http://www.loran-history.info/Atafu/LoranChart-Atafu.jpg [loran-history.info]
        http://img641.imageshack.us/img641/7070/clipimage002it.jpg [imageshack.us]

      • The loran system -though not as precise as GPS- was in many respects much more difficult to jam.

        If you'd read the article, you'd have realized that it wasn't about jamming the GPS signal. It's about sending false data to GPS units in order to attack them directly and cause crashes, brick the receivers, etc. Loran being more difficult to jam does not mean that Loran systems would be any less vulnerable to the types of attacks discussed in the article.

      • by ceoyoyo (59147)

        LORAN was a great system, but I'm not sure the decision to shut it down is as shortsighted as you imply. LORAN wouldn't be used much now that GPS receivers are so widespread and cheap. It would still be useful as a backup on ships but if someone wanted to run a ship aground using GPS jamming they could also jam LORAN. There's no reason to think LORAN receivers wouldn't have similar software bugs as GPS receivers. Either way, the appropriate backup for GPS, LORAN or both is a navigator who knows what he'

  • What a nonsense (Score:3, Insightful)

    by angel'o'sphere (80593) on Sunday December 09, 2012 @10:08PM (#42238413) Homepage Journal

    Planes and Ships don't rely on GPS.

    If you have a license to pilot any of them, you have learned how to navigate without.

    • Re:What a nonsense (Score:5, Informative)

      by MichaelSmith (789609) on Sunday December 09, 2012 @10:13PM (#42238443) Homepage Journal

      Well okay but I work in air traffic control and there is a high level of reliance on positional information from GPS.

      • Re:What a nonsense (Score:4, Interesting)

        by Kagato (116051) on Monday December 10, 2012 @12:39AM (#42239265)

        True, but it's a daily problem for ATC in some parts of the world. North Korea jams GPS around ICN on a regular basis. Even EWR had a GPS issue for some time. They figured a trucker was using a GPS jammer to block the logger on the truck. Every time the truck would drive near the airport it would create a hassle.

      • Just wait until ADS-B/NextGen rolls out.

        • Pretty much here in Australia. I have taken to hanging out beside runway 16/34 at Tullamarine in Melbourne, recording MODE-S data. Anything medium or heavy with a normal turbine engine has ADS-B. Many turboprops do and some rotorcraft. But I also found out that tulla is a great place to pick up garbage data, probably from the maintenance facilities. I got one track with lat=0.0,lon=0.0

          • That's what I mean. You don't rely on it. You use it. You are aware and educated enough to recognize flaws and use other means to navigate.

    • Planes especially very much rely on GPS, it's at the heart of all navigation systems in airliners. Even most private GA pilots use handheld ones if it's not part of the panel, unless they are intentionally flying by railroad tracks and highways. I believe LORAN was shut down a few years ago. The US Navy considers sextant use so useless that it was dropped from required study at the Academy some years ago, although it may still be taught as an elective.

      GPS is also at the heart of many military precision g

      • GPS is also at the heart of many military precision guided missiles and shells.

        They also don't use civilian GPS receivers and employ anti-spoofing technology in every single deployment. No missile relies entirely on GPS.

      • You are a really misinformed troll.
        The misinformed troll is you.
        I did not debate the usefulness of GPS or its wide adoption. I debated the word rely. If I rely on something it implies I'm helpless without it. Which is not the case.
        If you only know about sextants (and that they are no longer used - which I doubt) then you don't know much about navigation, especially on ships.

        GPS is also at the heart of many military precision guided missiles and shells. Every one knows that, so you can safely assume I know

      • by BitZtream (692029)

        Pilots (in America) are required by law and are certified by written test to KNOW how to navigate WITHOUT GPS.

      • by ceoyoyo (59147)

        Airliners don't rely on GPS. They use it, because it's convenient, but they don't rely on it. If GPS fails airline pilots are quite capable of using land based radio navigation aids (yes, they still exist, no they are not LORAN), inertial navigation or dead reckoning. I believe general aviation pilots qualified for visual flight rule must still be able to navigate without instruments (thus visual flight rule) and instrument flight rule pilots must first be VFR qualified. The US navy might have eliminate

    • Right.. Not like the FAA is trying to move to a new way of tracking planes using GPS or anything.. (http://www.faa.gov/nextgen/implementation/programs/adsb/) Or that Alaska Air already uses it on all its planes..

      • Using it, does not mean you rely on it ...
        Relying on it means: if it is broken you are completely lost and don't know what to do and where to go.
        This is simply not the case.

    • Planes and Ships don't rely on GPS.

      They don't HAVE to use it but in actual practice they most certainly do rely heavily on GPS. It's the best system available so of course they rely on it.

      If you have a license to pilot any of them, you have learned how to navigate without.

      Just because people are trained to do without GPS in case of problems doesn't mean they don't rely on it in actual daily practice.

      • The word rely implies: "you can not without".

        However they can. That was my point, so the TFA is either wrong or the summary is wrong.

        E.g. my body functions rely on a working pancreas for insulin (or on insulin injections). I can not live without insulin. Hence I rely on it.

        Just because people are trained to do without GPS in case of problems doesn't mean they don't rely on it in actual daily practice.
        As a navigator on a ship you are required to crosscheck your positions with non GPS means.
        That is either si

    • by dj245 (732906)
      Having gone to a maritime school, a lot of my friends are on the bridge of large ships. A lot.

      They can go without it, but GPS is so easy, convenient, and reliable that they basically rely on it. Shooting the stars with a sextant is relegated to trainees and practicing for the various exams which are required to be promoted to second mate, first mate, and finally master.
      • So they don't use landmarks, no signals like lighthouses, no depth finders etc?

        How exactly should it work to drive by GPS?

        You don't plot your course on a map? Or if you do and your GPS tells you you are left, you steer more right?

        That means you don't use a compass to define your heading? You don't know what the "missdirection" of your compass is in your sailing area? You don't know the influence of your ship/boat on your compass?

        Sorry, to pilot a boat with GPS only is simply retarded. Regardless how convenie

  • by PvtVoid (1252388) on Sunday December 09, 2012 @10:08PM (#42238417)
    What the fuck is with the science press in Britain / Australia about the word "boffins"? Why does every single science article, without fail, have to have some supposedly clever pun or alliteration around the word? (Extra points for using the word astro-boffins [theregister.co.uk].)

    I've gotten to the point that if I see the word "boffins" in a science article, I immediately click away. Please make it stop!
    • I don't know, I can't imagine el Reg without the gratuitous use of the word. It fits the tone of the tech rag quite nicely, I think.
    • Why is that any different to researcher or expert or scientist? They are just as useless or even less useful terms

      It is an Australian article using "Australian English" or "British English" ... the term is well understood to define an academic/researcher with a very strong but narrow focus in a typical theoretical area.

      It is no more problematic than terms like futurist (who has a broader focus) or your typical engineer/scientist labels (for those who are more problem solving focused).

    • by grcumb (781340)

      What the fuck is with the science press in Britain / Australia about the word "boffins"?

      Because if it didn't exist, the tech pundits wouldn't know how to tell the gurus from the wonks.

      Vocabulary: Get used to it.

    • by Inda (580031)
      Fuck yeah bro!

      We should'll use words like, you know, axed, irregardless, regift, and toileting.

      Those limies and convicts should speak like they know the good words like, you know, compartmentalize, operationalize, overexaggerate, professionalization, rationalize, utilize

      Make them special people talk good, ya'll.
  • by holophrastic (221104) on Sunday December 09, 2012 @10:09PM (#42238423)

    heh, "unnamed" drones.

  • by PPH (736903) on Sunday December 09, 2012 @10:17PM (#42238469)
    Also known as a HARM [wikipedia.org] target.
  • by viperidaenz (2515578) on Sunday December 09, 2012 @10:21PM (#42238491)
    Some poor bugger drives to the wrong destination.

    GPS isn't trusted. It's already known to be hackable.
    It would be news if they hacked the anti-spoofing [wikipedia.org] system the military has been using for the last 6 years
  • Novel attack... demoed at TEDxAustin back in February and posted online for everyone to see ;-) http://www.ted.com/talks/todd_humphreys_how_to_fool_a_gps.html [ted.com]
    • by tylerni7 (944579)
      The TEDxAustin talk you mentioned is focused on GPS spoofing to make a receiver think that it is somewhere else. Spoofing in that sense has been around for a long time, and while it is very cool and everything, it isn't what is novel about this paper/attack.
      This paper goes from just making a GPS receiver think it is located somewhere else to actually exploiting software vulnerabilities in GPS receivers to cause them to crash and things like that. The attacks are related, but the position based spoofing i
  • send in 007

  • Isn't this exactly why the P-Code is encrypted in the military signal? Spoofing the C/A data has been a known vulnerability in the system since day 1. The rest of the problems are simply bad programmers. That's not a limitation or vulnerability in the GPS system - it's a problem with the receiver manufacturers and the BS test & validation done by the civilian side of the government when they put those receivers in the CORS stations. I saw the code in some of the old reference receivers (in the 90s) - it
  • For me "middle of the earth" attack was a new and interesting idea... otherwise this paper would have read a heck of a lot better had the hyperbole been left at home.

    The contorted attempt to say changing time is not "spoofing" or including offtopic segues such as hacking web servers and perl CGI scripts was a little too much to stomach.

    No mention at all of RAIM and similar technologies.

  • Geez, these guys were unable to find $50 GPS jammers on Alibaba?
  • is what the Navy and the rest of the Military/Covert Ops use they are sorely misled. In fact, general researchers would be required to have top secret classified clearance and most certainly would not be publishing their findings. NASA has several levels of GPS solutions. We lowly consumers use very old tech for GPS/GIS.
  • Are receivers for other global positioning systems like Galileo and GLONASS also vulnerable to these attacks? If so, is it too late (or even possible in theory) to fix the problem in those systems, given that they aren't fully online or in widespread use yet?
    • by ceoyoyo (59147)

      You can fix the problem in your GPS receiver by plugging it into your computer and flashing the firmware. Or buying another one, if the company ever stops being lazy and fixes their software bug.

      GPS receiver software has bugs just like any other computer system. Who woulda thought?

  • I can't fucking believe it. Do you mean to tell me that if you have a receiver tuned to a certain frequency, and you have a transmitter on that same frequency, then you can transmit information from the transmitter to the receiver?

    Top it off though! If you have not one but two - TWO transmitters, and one is vastly more powerful than the other, then you can get the receiver to receive the stronger one over the weaker one?

    Completely fucking amazing, if you ask me. I had no idea you could do something like tha

  • Bump keys [wikipedia.org] can be used to unlock just about any door, and yet crime statistics remain in line and have even been dropping in many parts of the world since the Internet has raised their profile in recent years.

    This would be more interesting if someone were droning my neighborhood, but some of the hacks took days, not minutes to perform (and as others pointed out, affects individual receivers, not the entire system). Hardly a James Bond villain level of manipulation.

    • Almost. The manipulation is irrelevant.

      Proper summary should be, "In other news, shitty software is shitty." THAT aspect is interesting, largely because few people realize how shitty most of it is, nor where that shittiness is found, vs. where we expect that shittiness should not be. That you can brick a receiver with a divide by zero in a cached almanac... the genius pool at $GPSCO being of THAT quality may be news to most.

  • And now we can say it wasn't our fault...
