Positioning by satellite is an indispensable part of private life and business. The Global Positioning System (GPS) is one of several networks of global navigation satellite systems (GNSS). It serves primarily to determine the position. But GPS is actually vulnerable. In many of the industries, the GPS technology is used in products and services. Automotive manufacturers use it for their navigation systems, and retailers use customer location data to make personalized offers. Software based service providers offer media based on location data only in the countries, regions in which they want to provide. In addition, satellite systems are also used for accurate time information. For example, financial markets use GNSS as a universal source of time and utilities synchronize energy transfers with it.
GPS is actually a system developed and operated in the USA. However, the acronym is now synonymous with satellite navigation systems in general. Other systems include the EU’s Galileo network, Russia’s GLONASS and China’s BeiDou. Given its many uses, GPS is an attractive destination for scammers and hackers. However, expensive hardware and the necessary technical know-how have hitherto been a hurdle that made large-scale attacks difficult. This has changed in the meantime.
In general there are two use cases:
- Development or security – to reproduce a specific environment with intention of the user. This is not counted as “GPS spoofing” or a crime unless the intention is unfair or unlawful.
- Cheating – for gaining the targets a hacker wants. This is real “GPS spoofing”
In GPS spoofing, the attacker places a radio ringer near a target to disrupt GPS signals. It can prevent data from being sent, or even send wrong coordinates or times. For example, unknown hackers had attacked the Geneva Motor Show in March 2019. They changed the displays of the navigation systems of Audi, Peugeot, Renault, Rolls-Royce, VW, Daimler-Benz and BMW. GPS spoofing can also take the form of malicious smartphone applications that affect a device’s location data. Cyber attacks on networked systems based on GPS data are also possible.
The quick answeris to hack the GPS position to a device from the outside, is about supplanting the real signals of the GPS inhibiting them to send false location data to a device, for example to make it go to a specific point believing that it is actually going to another.
Types of GPS spoofing
In the past, mainly state-sponsored actors were considered capable of manipulating navigation. According to the non-profit Center for Advanced Defense Studies (C4ADS), signal generators that can manipulate GPS signals cost thousands of dollars and had to be run by professionals. A report from the C4ADS (PDF) states that one country has repeatedly manipulated location data in the vicinity of the targets.
Today, GNSS spoofing is also much easier to implement. For less than $300, portable software-defined-radio (SDR) devices with open-source software are available that can interfere with remote GPS data transmission. An attacker may direct such jammers to the GPS receiver of a target, such as affecting signals from nearby buildings, ships or aircraft. The more expensive and powerful the transmitters are, the more diverse the attack possibilities.
For about $ 100 are even smaller variants available, with which the attacker, however, must be very close to the target. They are only slightly larger than smartphones. It would therefore be conceivable to smuggle such equipment in hand luggage in an airplane or distribute it by drone.
# further reading https://arstechnica.com/information-technology/2018/07/a-225-gps-spoofer-can-send-autonomous-vehicles-into-oncoming-traffic/ #
It’s even cheaper to attack the target’s own GPS devices. So there are smartphone apps that can override the correct location data of the device. Some of them are free and have download numbers in the tens of millions. With such applications companies are vulnerable, whose business models rely on smartphone tracking.
Uber, for example, had a problem with drivers who created wrong locations or routes with such apps, hoping to get paid without having traveled the distance. Meanwhile, the car broker uses machine-learning technology to detect suspicious trips. For example, Uber checks to see if the driver’s physical location matches the altitude data.
Further examples of GNSS spoofing
A report in March 2019 by the International Civil Aviation Organization (ICAO) listed satellite services disruptions across the Middle East. Within the last two years there should have been 65 incidents in the region. The US Maritime Administration also issued GPS warnings for the waters off Cyprus, Egypt and Saudi Arabia. Other US Coast Guard reports identify disruptions in Texas, Greece, Spain and China. In this country, Eurocontrol, the European organization for the safety of aviation, recorded more than 800 GPS interference cases (PDF) in the first half of 2018.
In addition to malicious attacks, adverse circumstances also play a role. For example, technical malfunctions or weather-related interference can cause problems for companies using GPS data.
C4ADS reports attacks to hijack car navigation systems or cheat on smartphone games like Pokemon Go. The latter may seem terse at first glance, but it damages the business model of the manufacturer massively. The progress of the game is determined, among other things, by which routes users travel with their smartphones. However, players can buy their milestones, which accounts for much of the free product’s revenue. GPS spoofing can circumvent both.
In Japan, a man tried via GPS spoofing to exploit a bonus point program . The participants are credited with loyalty points in return for each visit to certain stores.
Basically, any company which uses location or timing services is vulnerable. Such services have become commonplace in many applications. Companies use satellite navigation to locate equipment and employees, coordinate just-in-time deliveries to factories, control construction equipment, and optimize agricultural productivity through more targeted fertilization and irrigation. Web pages and mobile applications use location data to provide better services to customers. In the area of physical security, some locking systems use GPS-based geofencing . Furthermore, GNSS plays an increasingly important role in so-called emerging technologies. Location data for autonomous vehicles and drones as well as augmented reality applications form the basis for correct functions.
There are different ways to prevent GPS spoofing. Software & hardware technologies need to be researched more for effectiveness. Also, the consumers need to be aware of GPS spoofing.