

How to bring down mission-critical GPS networks with $2,500 - owlmusic
http://arstechnica.com/security/2012/12/how-to-bring-down-mission-critical-gps-networks-with-2500/

======
michaelt
What's particularly interesting isn't that they've spoofed a signal, but that
they've demonstrated nontrivial software vulnerabilities that can be triggered
by the spoofed signal.

For example, the GPS system transmits the date as a number of weeks since a
reference epoch, modulo 1024 [1]. This space saving made sense when they
designed the protocol; GPS uses a 50-bits-per-second data link so every bit
counts. The last rollover to week zero happened in 1999, the next one will be
in 2018. Not so rare that you can ignore it, but not so frequent that code
gets battle-tested.

What some receivers do is store a 'last week number seen' and a 'number of
rollovers' in nonvolatile memory, and any time they see the week number lower
than the last one seen, they increment the number of rollovers. So even if the
GPS is kept powered off and its internal clock battery dies, as long as it
gets a signal once every 512 weeks (~10 years) it can pick up the right time.

One of the interesting things they demonstrate is that you can spoof a signal
which fakes the week-number-decrement and this increments the number of
rollovers counter - and not all receivers have any ability to correct for
that.

Another example: The slow GPS data link is used to tell receivers where in
space the satellites are - which it needs to know to calculate the receiver's
position, and to get a head start finding other satellites by knowing roughly
where to look for them. Because the GPS data link is so slow, it can take 30
to 60 seconds for a receiver to get this data as it's a whole 1.5 kilobytes
[2]. Receivers often cache some of this data in nonvolatile memory so they can
perform a 'warm start' where they don't have to wait for all the data to
download. But if you receive spoofed data that triggers a software bug (like a
divide by zero error) and you store that in your nonvolatile memory, the
receiver loads the data, crashes, reboots, loads the data again and the same
thing happens.

This is interesting stuff - most work on GPS spoofing and jamming in the past
has focused on things like replaying signals to send vehicles off course
rather than triggering crash bugs in receiver firmware. The current civilian
GPS signal has no anti-spoofing element to it, so there isn't an easy solution
to this.

[1] <http://www.colorado.edu/geography/gcraft/notes/gps/gpseow.htm>
[2] <http://en.wikipedia.org/wiki/GPS_signals#Navigation_message>
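As an added illustration of the week-number rollover logic described in the comment above (example code, not from the article or the comment author): a naive receiver state machine that treats any decrease in the 10-bit week field as a rollover, beside a hardened variant that only accepts a decrease when it looks like a genuine wrap and floors the result at an assumed firmware build week. `WeekState`, `ROLLOVER_SLACK` and the build-week floor are my own design choices, not something the article describes.

```python
import datetime
from dataclasses import dataclass

GPS_EPOCH = datetime.date(1980, 1, 6)  # start of GPS week 0
WEEK_MODULUS = 1024                     # the broadcast week field is 10 bits
ROLLOVER_SLACK = 8                      # assumed: weeks either side of the wrap that still look genuine


@dataclass
class WeekState:
    """Persisted receiver state: last 10-bit week seen and rollovers counted."""
    last_week: int
    rollovers: int

    def full_week(self) -> int:
        return self.rollovers * WEEK_MODULUS + self.last_week

    def date(self) -> datetime.date:
        return GPS_EPOCH + datetime.timedelta(weeks=self.full_week())


def naive_update(state: WeekState, week: int) -> WeekState:
    """The logic the comment describes: any decrease counts as a rollover.
    A single spoofed frame with a smaller week number pushes the clock
    forward by 1024 weeks, and the bad state is persisted."""
    if week < state.last_week:
        state.rollovers += 1
    state.last_week = week
    return state


def hardened_update(state: WeekState, week: int, build_week: int) -> bool:
    """Assumed hardening: accept a decrease only if it resembles a real wrap
    (old week near 1023, new week near 0); otherwise reject the frame and
    leave persisted state untouched. Then floor the result at the firmware
    build week, a value that is not learned over the air and so cannot be
    spoofed. Returns True if the frame was accepted."""
    if week < state.last_week:
        looks_like_wrap = (state.last_week >= WEEK_MODULUS - ROLLOVER_SLACK
                           and week < ROLLOVER_SLACK)
        if not looks_like_wrap:
            return False  # implausible backwards jump: log it, do not persist
        state.rollovers += 1
    state.last_week = week
    while state.full_week() < build_week:  # never accept a date before the build
        state.rollovers += 1
    return True
```

The naive path moves the clock about 19.6 years ahead from one frame; the hardened path rejects the same frame and keeps the stored state.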

------
ColinWright
Also here: <http://news.ycombinator.com/item?id=4896452>

and here: <http://news.ycombinator.com/item?id=4897294>

and here: <http://news.ycombinator.com/item?id=4898843>

and here: <http://news.ycombinator.com/item?id=4903566>

None have any discussion, but they are different reports with different levels
of detail.

------
jessaustin
Isn't GPS supposed to be a military technology? Maybe there's something
they're not telling us about how they really use GPS. However, I'm not
reassured by the wartime durability of any tech that must be protected from
all interference while at peace. Not that we actually have any real enemies
anymore (rustic Muslim goat-and-flammable-underwear aficionados are more
dangerous than the Axis powers were, really?), but if we did why would they
obey the FCC?

~~~
gvb
1) The GPS that we know and love is the Coarse/Acquisition (C/A) code[1] which
is not encrypted and thus is relatively vulnerable to spoofing. Note that
spoofing (as opposed to jamming) even a C/A signal is non-trivial, but
equipment to do that is available[2].

2) The military uses the Precision (P) code which is encrypted and should be
impossible to spoof unless you break the encryption. That is quite unlikely.

3) All radio signals are vulnerable to jamming. In order to jam, you must
transmit, however... which means that your jammer is a beacon that the
military can direction-find on[3]. If you piss off the military too much, they
will turn off your jammer. Permanently.

[1] <http://en.wikipedia.org/wiki/Global_Positioning_System#Satellite_frequencies>

[2] <http://www.google.com/search?q=gps+simulator>

[3] <http://en.wikipedia.org/wiki/Wild_Weasel>

~~~
Genmutant
@2) Wouldn't it be possible to reverse engineer a military receiver? Or is it
a changing passcode that must be input manually?

~~~
kevingadd
<http://en.wikipedia.org/wiki/Public-key_cryptography>

~~~
Genmutant
Yeah, but that doesn't help if you have the device which decrypts the signal.
Then you should be able to get the key (which would probably still be fairly
difficult).

~~~
ynniv
A receiver/decrypter only contains the public key, which can't be used to
encrypt a new message. Perhaps you aren't familiar with asymmetric / public
key cryptography?

------
tedchs
Surprise, you can transmit a signal similar to that of a radio transmitter by
also being a radio transmitter. Just wait to be tracked down extremely
promptly by the FCC, or almost worse, a roving band of Amateur Radio engineers
with a van full of direction-finding antennas and a high level of passion for
enforcement who will come nail you to a tree for firing this thing up.

~~~
alanctgardner2
The serious problem with some of these devices is that they're effectively
bricked by having received an invalid signal once. You don't have to sit
nearby to cause this effect, you could drive across the country putting out 30
mile radius bursts of bad GPS signals, and kill a not insignificant portion of
the nation's infrastructure.

~~~
toomuchtodo
Drive? All you have to do is put it in a Pelican case, mark it as "video
equipment", and ship it on a cross country flight in the cargo hold. GPS
receivers are already designed for signals from satellites; picking up
something transmitted every 10-60 seconds from 6 miles up is going to be
_easy_.

Good luck tracking _that_ signal down.

------
lbraasch
Affected manufacturers listed in the first link, not present in the above
link:

"Attacks were conducted against seven receiver brands including Magellan,
Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700."

