I guess it would depend on the level of infrastructure available to the
attacker, clock distribution is a reasonably well solved problem isn't it?
There would, I suppose also be the issue of receiver swamping, you could
monitor received signal levels as it's my understanding that the signals
from the satellites are weak enough that they're indiscernible from noise
floor without some rather complex processing?
Authentication via signing could be another feasible way to prevent
spoofing except we are potentially talking about interference from state
actors who may even be the very people who run one of the satellite networks
On 14 Aug 2017 5:51 pm, "Attila Kinali" attila@kinali.ch wrote:
On Mon, 14 Aug 2017 12:09:43 -0400
Tim Shoppa tshoppa@gmail.com wrote:
I think if you are only trying to spoof a single receiver it would be
possible to walk a spoofed time/space code in a way that time moved without
so obvious of a discontinuity. I'm sure there would be effects a time-nut
could notice still.
Not really. Unless you have a multi-antenna setup (see Jim's email),
you have nothing to compare the signal to. Even an ideal reference
clock in your GPS receiver does not help, as the attacker could be
tracking you in such a way that you will never see a discontinuity
in time or position and that all the other sanity checks you do
still don't show anything.
With a two antenna setup, you can already check whether the phases
add up to what you expect them to be, given your position relative
to the satellites' position. You do not need 3 antennas as a potential
attacker can spoof the phase of some satellites correctly, but not
of all at the same time. This at least gives you a spoof/no-spoof signal.
With an antenna array you can do some masking of spoofers (i.e. placing
a null where the spoofer comes from). But this increases the cost and
complexity of the system super-linear with the number of antennas.
Maybe one way to do it would be to use a single receiver with a stable
reference clock and switch between antennas in short succession. I.e. similar
to how the early single channel GPS receivers worked, but for antennas
instead of SVs. But I have no idea how easy/difficult this would be
to do and how well it would work against spoofers.
Attila Kinali
--
It is upon moral qualities that a society is ultimately founded. All
the prosperity and technological sophistication in the world is of no
use without that foundation.
-- Miss Matheson, The Diamond Age, Neal Stephenson
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
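The two-antenna phase check described in the quoted message above, as an added example that is not part of the original thread: for each tracked satellite it compares the measured inter-antenna carrier-phase difference with the one predicted from the satellite's azimuth and elevation, and flags the case where every PRN arrives from one direction. The 30 cm east-west baseline, the sky geometry, the noise values, the 0.05-cycle threshold and all function names are assumptions made for this sketch.

```python
import math

L1_WAVELENGTH_M = 299_792_458.0 / 1575.42e6   # GPS L1 carrier, about 0.19 m

def wrap(cycles):
    """Fold a phase in cycles into [-0.5, 0.5); the integer part is ambiguous."""
    return (cycles + 0.5) % 1.0 - 0.5

def expected_phase(baseline_enu, az_deg, el_deg):
    """Antenna-2 minus antenna-1 carrier phase (cycles) for a signal arriving
    from the given azimuth/elevation; baseline is east/north/up in metres."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    los = (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))
    return wrap(sum(b * u for b, u in zip(baseline_enu, los)) / L1_WAVELENGTH_M)

def phase_consistency(baseline_enu, obs, threshold=0.05):
    """obs: (prn, az_deg, el_deg, measured_phase_cycles) per tracked satellite,
    az/el taken from the ephemeris. Returns (spoof_suspected, rms_residual)."""
    resid = [wrap(m - expected_phase(baseline_enu, az, el)) for _, az, el, m in obs]
    # Cable and front-end delays add the same offset to every satellite:
    # remove it as the circular mean of the residuals.
    s = sum(math.sin(2 * math.pi * r) for r in resid)
    c = sum(math.cos(2 * math.pi * r) for r in resid)
    bias = math.atan2(s, c) / (2 * math.pi)
    rms = math.sqrt(sum(wrap(r - bias) ** 2 for r in resid) / len(resid))
    return rms > threshold, rms

# Constructed sample data (not from the thread).
BASELINE = (0.30, 0.0, 0.0)                      # antennas 30 cm apart, east-west
SKY = [(5, 40, 60), (12, 130, 35), (17, 220, 50), (24, 310, 25), (29, 80, 75)]
NOISE = [0.010, -0.015, 0.005, -0.010, 0.012]    # measurement noise, cycles
HW_BIAS = 0.12                                   # cycles, unknown to the check

def genuine_obs():
    """Each PRN arrives from its own direction in the sky."""
    return [(p, az, el, wrap(expected_phase(BASELINE, az, el) + HW_BIAS + n))
            for (p, az, el), n in zip(SKY, NOISE)]

def single_source_obs(src_az=90, src_el=5):
    """Every PRN arrives from one direction, so all share one phase difference."""
    common = expected_phase(BASELINE, src_az, src_el)
    return [(p, az, el, wrap(common + HW_BIAS + n))
            for (p, az, el), n in zip(SKY, NOISE)]

if __name__ == "__main__":
    for label, obs in (("genuine", genuine_obs()),
                       ("single source", single_source_obs())):
        flagged, rms = phase_consistency(BASELINE, obs)
        print(f"{label:14s} rms={rms:.3f} cycles  spoof_suspected={flagged}")
```

This is a single-epoch check; a real receiver would also have to cope with multipath and would average over time before raising the flag.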
Hi Jim,
On 08/14/2017 06:03 PM, jimlux wrote:
And GPS users who care about spoofing tend to use antenna systems that
will reject signals coming from the "wrong" direction. It's pretty easy
to set up 3 antenna separated by 30 cm or so and tell what direction the
signal from each S/V is coming from.
I would expect that as spoofing/jamming becomes more of a problem (e.g.
all those Amazon delivery drones operating in a RF dense environment)
this will become sort of standard practice.
So now your spoofing becomes much more complex, because the sources have
to appear to come from the right place in the sky. (fleets of UAVs?)
You gain maybe 10 to 20 dB, but not much more.
A real protection scheme needs much more tolerance to handle severe
problems.
There is an overbelief in such approaches, rather than trying to look
at the system analysis, since when you lose the GPS signal, what do you
do. I get blank stares all too often when I ask that trick question.
Cheers,
Magnus
Wouldn't monitoring the received signal strength and noting any
non-normal increase (or decrease) level change indicate possible
spoofing? The spoofing station would have no way to know what the target's
received signal strength would be.
Ken S
Hi
On Aug 14, 2017, at 11:38 AM, Clint Jay cjaysharp@gmail.com wrote:
All very true and yes, for a capable programmer and hardware tech it's not
going to be an impossible task.
I would still expect a turnkey solution to exist though as I can see many
applications for not just state actors.
There have been multiple “turn key” solutions out there for at least 10 years now.
It’s a bit like buying a couple hundred pounds of heroin. You just need to know
where to shop ….
Bob
On 14 Aug 2017 4:32 pm, "Attila Kinali" attila@kinali.ch wrote:
On Mon, 14 Aug 2017 10:26:13 +0100
Clint Jay cjaysharp@gmail.com wrote:
That it can "so easily" be spoofed (it's not a trivial hack to spoof and
would, as far as I can see, take good knowledge of how GPS works and skill
to implement) is worrying and it could have disastrous consequences if
anyone decided to use it for malicious means but I'd be surprised if there
wasn't a turnkey solution available to anyone who has the funds.
You don't need a turnkey solution. If you start from zero and are working
alone, it probably will take you a month or two to write the code to spoof
GPS L1 C/A. If you start from one of the GnuRadio based GPS simulators,
you can do it in a weekend.
If you want to spoof L2C and L5 as well and also Galileo OS E1/E5,
it will take a bit longer, but not that much, as 90% of the code is shared.
Not only is this very simple. All the documentation you need is readily
available and packaged such, that you don't need to know anything about
GNSS systems before you start and it will not slow you down significantly.
(e.g. Pick up the book from Hegarty and Kaplan and you can just write
the code as you read it).
The most difficult part of this is not creating the signals, but figuring
out a way what PRNs and fake position to choose, such that the tracking
loop of the target doesn't go completely bonkers and needs to do a
re-acquisition on all signals. But even that is not that difficult, if
you have some estimate of the target's location. Or you can simply not
care about it, if you have a slow moving target, like a car or a ship,
as the re-acquisition will take less than a minute.
There have been discussions on adding authentication to GNSS services
for quite some time (at least 10 years, probably longer). And it
culminated in the CS and PRS services of Galileo. I.e. they are a
restricted and/or paid-for service. I am pretty sure that this will
change at some point and the OS services (including the free services
of GPS) will provide some basic authentication system as well.
In the meantime, people who rely on GNSS heavily have monitoring
facilities that check the on air signals for degradation or spoofing.
As this requires multiple monitoring stations over the whole area
covered, to ensure that no spoofing or jamming attempt goes unnoticed,
this is rather expensive. The only use of this kind of system, that I
am aware of, are airports. And yes, this is not fool-proof. A narrow
beam spoofer pointed at some airplane will go unnoticed, as all the
monitoring stations are on the ground.
Attila Kinali
--
It is upon moral qualities that a society is ultimately founded. All
the prosperity and technological sophistication in the world is of no
use without that foundation.
-- Miss Matheson, The Diamond Age, Neal Stephenson
In some sense the "jump everyone to the airport 32km away" is a
too-simplistic case because it's too easy to detect.
Let's just arbitrarily place 100 nanoseconds as the threshold for detectable
time jump indicating that you're being spoofed. Yes modern timing receivers
do better than that all the time but navigation receivers are not timing
receivers.
The spoofing transmitter would need to know the single target's
3-dimensional location to 100 feet, to avoid detection of a spoofing
attempt, then. This seems possible or even likely, especially in the case
of a spoofing demonstration with slow seagoing vessels, or maybe even road
vehicles known to be traveling on a given highway combined with other
roadside sensors.
After the spoofer had acquired the spoofing target that way, giving it a
false (but not inconceivable) course to the wrong location seems possible.
If you know something about the craft's ability for inertial guidance you
would keep your fake course within those parameters.
So it all gets much easier if you can set up the local detection net at key
locations that a spoofing target is likely to travel through. A narrow
strait or a highway intersection. It all gets much harder when you have
multiple targets in your field of view that you want to spoof especially if
you can't follow them closely.
But maybe as long as all the GPS manufacturers are focusing on low
time-to-first-fix, the target GPS will always be too willing to believe a
completely arbitrary location. Us time-nuts don't mind surveying for days.
Real GPS positioning users want the answer much more quickly!
Tim N3QE
Sextant, compass, and clock.
Amazingly as posted on time nuts some time ago the Navy and Coast Guard
have re-introduced that training.
Civilian receivers generally do not measure absolute strength but instead
report S/N. The spoofer could fake up a reasonable amount of noise to get a
wimpy S/N with a much stronger signal.
Tim.
On Mon, Aug 14, 2017 at 1:40 PM, ken Schwieker ksweek@mindspring.com
wrote:
Wouldn't monitoring the received signal strength and noting any non-normal
increase (or decrease) level change indicate possible spoofing? The
spoofing station would have no way to know what the target's
received signal strength would be.
Ken S
The trouble with spoofing location is that in theory every ship is using
more than one method of navigation. They would notice their GPS is acting
up and turn it off.
I'm far from a professional but I've taken the six week class and I'm
reasonably certain I could find a place on the other side of the Pacific
Ocean with no GPS. The GPS is far easier to use and more accurate but no
one uses just GPS alone, they always compare several methods.
--
Chris Albertson
Redondo Beach, California
Hi
Since multipath is a real issue in a mobile environment, defining what an “abnormal”
change is could be quite tricky. A reasonable “spoof” would start with feeding the correct
data and then slowly capture the target (still with correct data). Once he is “in charge”
signal wise, start doing whatever …. If you are talking about a ship, you have lots of time.
Bob
On Aug 14, 2017, at 1:40 PM, ken Schwieker ksweek@mindspring.com wrote:
Wouldn't monitoring the received signal strength and noting any non-normal increase (or decrease) level change indicate possible spoofing? The spoofing station would have no way to know what the target's
received signal strength would be.
Ken S
Hi
Consider what your automotive GPS receiver does coming out of a tunnel or out from under
a bunch of trees. It still needs to work correctly in that situation. Same thing with
a big rain cloud “over there”. I don’t think you would want a receiver that went nuts in those cases.
I don’t think the military would want one either.
Bob
On Aug 14, 2017, at 1:49 PM, Tim Shoppa tshoppa@gmail.com wrote:
Civilian receivers generally do not measure absolute strength but instead
report S/N. The spoofer could fake up a reasonable amount of noise to get a
wimpy S/N with a much stronger signal.
Tim.