
Report deems Russia a pioneer in GPS spoofing attacks
https://www.zdnet.com/article/report-deems-russia-a-pioneer-in-gps-spoofing-attacks/
======
codesnik
GPS is routinely spoofed in the area around the Kremlin, for a couple of years
already, to the great annoyance of drivers and runners. Coordinates are replaced
by those of Vnukovo airport. It seems they try to prevent operation of
consumer-grade drones; many of them refuse to fly near known airports.

~~~
lucb1e
I would like to think that, having done research on GPS spoofing and being
generally interested in GPS, I would have heard of this before if it were
routinely done anywhere in the world. It sounds like you don't have this from
an online source but from first-hand experience. Did anyone write this up? Is
there local news about it perhaps?

~~~
Kavu
I did not dig up a detailed technical write-up, but have plenty of media
site mentions (sorry for the original Russian content):

Just news, mentioning this, back to 2016
[https://lenta.ru/articles/2016/11/07/gpsoff/](https://lenta.ru/articles/2016/11/07/gpsoff/)

Nice write up, also from 2016
[https://meduza.io/feature/2016/10/19/teleportatsiya-iz-kreml...](https://meduza.io/feature/2016/10/19/teleportatsiya-iz-kremlya-vo-vnukovo-pochemu-gps-navigatsiya-v-tsentre-moskvy-rabotaet-so-sboyami)

News from Jan, 2018 [https://snob.ru/news/156463](https://snob.ru/news/156463)

Nov, 2018
[https://www.vedomosti.ru/politics/news/2018/11/12/786188-kre...](https://www.vedomosti.ru/politics/news/2018/11/12/786188-kreml-otvetil-gps)

Hope that helps!

P.S. And yes, I personally see this behaviour near Kremlin. It's almost
impossible to order a taxi nearby.

~~~
lucb1e
Wow, this is really happening. I'm surprised to hear this, very interesting,
thanks!

~~~
twistiti
You can also check [1]: "through a collaboration with researchers from The
University of Texas at Austin, we expose the use of GPS spoofing in active
Russian combat zones, particularly Syria, for airspace denial purposes. This
is a capability scarcely reported in the public domain. Using data from a
scientific sensor on the International Space Station (ISS), we are able to
identify ongoing activity that poses significant threats to civilian airline
GPS systems"

- works best on desktop though

[1]
[https://www.c4reports.org/aboveusonlystars](https://www.c4reports.org/aboveusonlystars)

------
ccnafr
To be fair, the report is authored by a US entity. I'm sure if they could
have studied US operations without losing their funding they would have found
similar deployments by US forces, albeit, I think, not as widespread. The US
has always seemed to have better tech, and GPS spoofing is cheap, from what
the article states, which makes it ideal for the cash-bootstrapped Russian
military.

~~~
wongarsu
> The US has always seemed to have better tech

While the US can spend a lot more on its military and has a corresponding
lead, the US is mostly focused on offensive technology (like its carrier
groups). Russia, being geographically much closer to "enemy" territory, has a
much bigger focus on defensive capabilities and excels in many areas. For
example the Russian S400 air defense system is usually seen as superior to the
American Patriot system.

With GPS spoofing being mostly a defensive technology it seems exactly like
the thing Russia would focus on and the US would neglect.

~~~
blackflame7000
S400 is nowhere near as good as our Aegis system. I know because I worked on
it. The patriot missile did have some spectacular fails though where an anti-
missile became confused and shot right into the ground

[https://m.youtube.com/watch?v=YS4i2InVB-Y](https://m.youtube.com/watch?v=YS4i2InVB-Y)

Although I will give the Russians props for possibly being the first nation to
land the missile back in its own tube.
[https://youtu.be/gNNkRuSw_0Q?t=52](https://youtu.be/gNNkRuSw_0Q?t=52)

~~~
SiempreViernes
You worked on both the Aegis and the S400? That seems a _bit_ implausible.

Or do you mean you worked on one of them and therefore can compare them
(without experience of the other)?

~~~
m0zg
Then there's also S500 now, which can shoot down anything that flies,
including stealth planes, ballistic missiles, hypersonic planes, and LEO
satellites. This is a typical example of asymmetric warfare. The US spends 1.5
trillion building a super plane, Russians spend 1/1000th of that building the
thing that can make use of such a plane a costly proposition (even if it can't
_reliably_ shoot it down), and offers it for export eventually, too.

~~~
ndesaulniers
Which one they use for shooting down passenger planes over Ukraine?

~~~
edaemon
MH17 was shot down by a Buk missile system, which is a less sophisticated
medium-range system.

------
nickstefan12
GPS spoofing is a big part of the Bond movie “Tomorrow Never Dies”. Funny that
in a movie it seemed totally fake, something invented for the plot, and yet
here I see it’s a real thing.

Interesting how truth can be too much for fiction sometimes.

------
Causality1
One thing the Manning leaks taught me is that if it can be done, it is being
done. GPS spoofing is demonstrably effective at a variety of tasks including
straight-up stealing military drones, therefore it is being done across the
globe.

~~~
atemerev
Aren't military drones using the military GPS profile with encrypted messages?
Those cannot be easily spoofed, AFAIK.

~~~
jhayward
Full-blown spoofing, i.e., being able to generate a 'valid' _sui generis_ GPS
signal, is effectively ruled out by encryption.

However, a replay attack that uses a valid signal received at some other location
and re-broadcast at a second place is not affected by encryption. You can imagine
lots of clever ways to use a re-broadcast attack to draw a drone off course.

~~~
duxup
> However, a replay attack that uses a valid signal received at some other
> location and re-broadcast at a second place is not affected by encryption.

That seems like a pretty obvious and absurd sort of vulnerability.

~~~
wongarsu
Sure, but one that's almost impossible to defend against. Any viable
defense has to happen on the client side with something like an antenna array
to distinguish broadcasts from space from replay attacks, or a clock accurate
enough to detect that the broadcast time is off by dozens of microseconds
and thus has to be a replay.

------
ohadron
Wouldn't it be possible to mitigate some of the effect of these spoofers using
on-board navigation system with an IMU?

Or at least allow for its detection?

~~~
Nokinside
You can make spoofing harder. Most of these spoofing attacks target off-the-
shelf drone GPS, and don't work against an adversary who plans against them.

If you want to spoof more expensive gear, like those used in commercial
shipping, you do it gradually. You start by transmitting the correct
coordinates and then gradually start to increase the difference between
correct and false coordinates. When done gradually, IMU can't detect GPS
spoofing.

Unfortunately many otherwise good navigation systems are not doing even the
bare minimum to detect spoofing. It's not the cost. Spoofing protection has
not been a priority.
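
The gradual-pull argument above, worked through in code. This is an added example and not code from the thread or from any navigation product: a one-dimensional constructed scenario with a vessel at 10 m/s, an IMU whose integrated velocity carries a small accelerometer bias, and one GPS fix per second. The threshold, the bias value and the two spoof profiles are assumptions chosen to show the effect; an abrupt relocation trips the per-epoch IMU/GPS consistency check, a 0.5 m/s pull never does and is 300 m off after ten minutes.

```python
"""Dead-reckoning cross-check against GPS: a jump trips it, a slow pull does not.

Added example, not code from the thread or from any navigation product.
Constructed 1-D scenario; threshold, IMU bias and spoof profiles are assumptions.
"""
from typing import Callable, List

V_TRUE = 10.0        # m/s, constant true velocity
DT = 1.0             # s between GPS fixes
STEPS = 600          # ten minutes of travel


def imu_track(accel_bias: float = 1e-3) -> List[float]:
    """Position from integrating IMU velocity; velocity error grows as bias*t."""
    x, v, out = 0.0, V_TRUE, []
    for _ in range(STEPS):
        v += accel_bias * DT
        x += v * DT
        out.append(x)
    return out


def gps_track(spoof_offset: Callable[[int], float]) -> List[float]:
    """GPS fixes: true position plus whatever the spoofer injects at step k."""
    return [V_TRUE * (k + 1) * DT + spoof_offset(k) for k in range(STEPS)]


def innovation_check(imu: List[float], gps: List[float],
                     threshold_m: float = 5.0) -> List[int]:
    """Loosely coupled check: propagate from the last accepted fix by the IMU's
    displacement over one epoch and compare with the new fix. Only the per-epoch
    disagreement is visible, so IMU drift never accumulates, but neither does a
    spoofer's slow pull. Returns the epochs that exceed the threshold."""
    flagged = []
    for k in range(1, len(gps)):
        predicted = gps[k - 1] + (imu[k] - imu[k - 1])
        if abs(gps[k] - predicted) > threshold_m:
            flagged.append(k)
    return flagged


def jump_spoof(k: int) -> float:
    return 200.0 if k >= 30 else 0.0      # abrupt 200 m relocation at t = 30 s


def gradual_spoof(k: int) -> float:
    return 0.5 * k                         # 0.5 m/s pull: ~300 m off after 10 min


def imu_only_error(accel_bias: float, t: float) -> float:
    """Position error if the IMU alone is trusted for t seconds: 0.5*bias*t^2.
    This bounds how long a receiver could 'hold' a dead-reckoning baseline to
    catch a slow pull; even a 1e-3 m/s^2 bias is 180 m after 600 s."""
    return 0.5 * accel_bias * t * t


def run() -> dict:
    imu = imu_track()
    return {
        "jump_flags": innovation_check(imu, gps_track(jump_spoof)),
        "gradual_flags": innovation_check(imu, gps_track(gradual_spoof)),
        "gradual_final_offset_m": gradual_spoof(STEPS - 1),
        "imu_only_error_600s_m": imu_only_error(1e-3, 600.0),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

The per-epoch check is what a loosely coupled GPS/INS does in practice; holding the IMU uncorrected for longer to catch the slow drift runs into the quadratic growth of its own error, which is why a patient spoofer stays under the threshold.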

~~~
i_am_proteus
This has been demonstrated on commercial shipping using the exact technique
you described:

[https://news.utexas.edu/2013/07/29/ut-austin-researchers-suc...](https://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea/)

------
atemerev
Would it be possible to upgrade GPS satellites so the signal would contain
digital signatures, while retaining backwards compatibility? GPS uses NMEA
data messages, which are plaintext.

Perhaps there is some reserved field, or usually ignored message, that can be
used to insert digital signatures. The DoD will keep the master key, so the
signatures could be easily verified, but spoofing them would be nearly
impossible.

~~~
heavenlyblue
Look here:
[https://news.ycombinator.com/item?id=19652414](https://news.ycombinator.com/item?id=19652414)

Tl;dr: nope.

~~~
atemerev
All modern digital signature systems protect against replay attacks (by
signing sequential counters, timestamps or other state information, or using
cipher block chaining).

~~~
jhayward
All of those things require some alternate source of ground truth, e.g., a
trusted clock.

There is no such thing in GNSS systems. They _are_ the ground truth. There is
no way to combat a replay attack without some second source which would
obviate much of what a GNSS delivers.

~~~
atemerev
GPS time is monotonically increasing. If you ignore all messages with
timestamps lower than the last one received, and check their digital
signatures, you should be protected against replay attacks at least until the
next cold restart (or GPS time counter reset, which is once in 20 years).

There are other possibilities (CTR/CFB encryption modes, relying on increasing
counter and/or previous messages contents).

Or am I missing something? Could you please describe the attack vector with
these assumptions?

~~~
jhayward
TLDR: you essentially never see repeated time stamps.

GPS time is broadcast in the very low bit rate (50 BPS) NAV message, once
every 6 seconds. In between the receiver counts at the chip rate (1023 kHz)
just counting signal transitions.

A rebroadcast attack happens at the speed of light. A signal is received at
Moscow airport and is beamed to the Kremlin via some alternate transport path.
At the Kremlin the signal is broadcast immediately at higher power than is
possible for the direct signal. This happens at the speed of light.

There is nothing you can do about this without access to a clock that is at
least as precise as the GPS satellite's multi-million-dollar onboard clock,
which you then somehow keep correctly synchronized at all times.

There are some things that can be done to detect rebroadcast in the RF domain
by looking at time of arrival across an antenna array, but again, that's not
going to happen in a cell phone or wrist appliance.

There are some techniques that are used to discern direct path signals from
multipath ones which involve tracking the lower power level signals, but
rebroadcasters make sure they are radiating enough power to put that technique
outside the dynamic range of the receiver.

~~~
pps43
Back of the envelope. The distance between Vnukovo airport and Kremlin is 30
km, speed of light is 300,000 km/s, time delay is 10^-4 seconds. Let's say it
takes the moving car 100 seconds to get from outside the jamming area to
inside. So receiver clock has to drift less than that. A year is pi * 10^7
seconds, so in a year receiver clock should drift by less than pi*10^(7-4-2),
or approximately 30 seconds. My wristwatch can do better.

~~~
jhayward
Now please explain, in terms of how GPS receivers operate, how that
information helps you defeat spoofing.

~~~
pps43
GPS receiver determines its position by measuring the distances to GPS
satellites. Those distances are calculated from time delays. To get the
delays, the receiver should know the exact time. Its own clock is not stable
enough to do it, so our receiver has to determine exact time by monitoring one
more satellite than is strictly necessary, and calculating the time from that.

Now if this "exact" time suddenly jumps (compared to internal clock), it
probably means that the signal is not coming directly from the satellites, but
relayed from Vnukovo.
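
The exchange above (signed, time-stamped NAV frames vs. a speed-of-light rebroadcast, and the clock-bias tell pps43 describes) as an added example; it is not code from the thread, from any GNSS receiver, or from any real signing proposal. An HMAC-SHA256 tag from the standard library stands in for the digital signature (a deployed scheme would use a public-key signature so receivers hold no secret). The figures are the thread's: a 30 km relay path, one NAV subframe carrying time-of-week every 6 s, and a wristwatch-grade oscillator drifting about 30 s/year. The receiver model is simplified on purpose: the satellite range delay is assumed already solved, so a common extra path delay maps straight into the solved clock bias.

```python
"""Signed, monotonically time-stamped NAV frames still navigate you to Vnukovo.

Added example, not code from the thread, from any receiver or from any real
proposal. HMAC stands in for a signature; all constants are the thread's figures
or labelled assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

C = 299_792_458.0                       # m/s
RELAY_DISTANCE_M = 30_000.0             # Vnukovo airport -> Kremlin (thread's figure)
RELAY_DELAY_S = RELAY_DISTANCE_M / C    # ~1.0e-4 s of extra path for a rebroadcast
NAV_PERIOD_S = 6                        # TOW is broadcast once per 6 s subframe
RANGE_DELAY_S = 0.07                    # ~21,000 km satellite-to-ground, assumed solved

SIGNING_KEY = b"hypothetical-constellation-signing-key"   # assumption, stand-in only


@dataclass(frozen=True)
class NavFrame:
    tow: int          # time of week in seconds, a multiple of NAV_PERIOD_S
    payload: bytes    # ephemeris etc.; contents irrelevant here
    tag: bytes        # "signature" over tow || payload


def sign_frame(tow: int, payload: bytes) -> NavFrame:
    msg = tow.to_bytes(4, "big") + payload
    return NavFrame(tow, payload, hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest())


def verify_frame(frame: NavFrame) -> bool:
    msg = frame.tow.to_bytes(4, "big") + frame.payload
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(frame.tag, expected)


class Receiver:
    """Accepts a frame only if the tag verifies and TOW strictly increases."""

    def __init__(self) -> None:
        self.last_tow = -1
        self.accepted: List[Tuple[int, float]] = []   # (tow, arrival per local clock)

    def ingest(self, frame: NavFrame, arrival_local: float) -> bool:
        if not verify_frame(frame) or frame.tow <= self.last_tow:
            return False
        self.last_tow = frame.tow
        self.accepted.append((frame.tow, arrival_local))
        return True

    def clock_bias_series(self) -> List[float]:
        # Solved receiver clock bias: arrival time minus transmit time minus range delay.
        return [arr - tow - RANGE_DELAY_S for tow, arr in self.accepted]


def detect_relay(bias: List[float], epoch_s: float = NAV_PERIOD_S,
                 drift_rate: float = 1e-6, floor_s: float = 1e-6) -> Optional[int]:
    """Index of the first epoch whose clock-bias step exceeds what the local
    oscillator could drift in one epoch. drift_rate=1e-6 s/s is ~30 s/year,
    the wristwatch figure from the thread; floor_s absorbs measurement noise."""
    budget = drift_rate * epoch_s + floor_s
    for i in range(1, len(bias)):
        if abs(bias[i] - bias[i - 1]) > budget:
            return i
    return None


def simulate(epochs: int = 6, relay_from: int = 3, rx_bias_s: float = 2.5e-3):
    """Direct reception for the first `relay_from` epochs, then a rebroadcast
    relayed from 30 km away captures the front end. Every relayed frame is the
    genuine one, so signature and TOW checks pass; only the bias step shows it.
    Returns (accept flags, solved clock biases, first flagged epoch)."""
    rx = Receiver()
    accepted = []
    for i in range(epochs):
        frame = sign_frame(i * NAV_PERIOD_S, b"ephemeris")
        extra = RELAY_DELAY_S if i >= relay_from else 0.0
        arrival = frame.tow + RANGE_DELAY_S + extra + rx_bias_s
        accepted.append(rx.ingest(frame, arrival))
    bias = rx.clock_bias_series()
    return accepted, bias, detect_relay(bias)


def forged_frame_rejected() -> bool:
    """A spoofer without the key cannot mint a frame for a future TOW."""
    rx = Receiver()
    rx.ingest(sign_frame(0, b"ephemeris"), 0.0 + RANGE_DELAY_S)
    fake = NavFrame(6, b"ephemeris", b"\x00" * 32)
    return not rx.ingest(fake, 6.0 + RANGE_DELAY_S)


if __name__ == "__main__":
    acc, bias, flagged = simulate()
    print("all frames pass signature+TOW check:", all(acc))
    print("solved clock bias per epoch (s):", [f"{b:.6f}" for b in bias])
    print("first epoch flagged by clock-bias step:", flagged)
    print("forged frame rejected:", forged_frame_rejected())
```

The signature stops a spoofer from forging content, and the TOW rule stops an old recording, but a live relay delivers the genuine frame first, so both checks pass; the position is carried by arrival timing, not by the message. The ~100 µs step in solved clock bias against a 7 µs per-epoch drift budget is the only thing left to notice.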

------
sigsergv
They have mobile jammers; when Putin visits some place, GPS devices there start
showing a location near an airport instead of the actual one.

One guy claims he found the building with the jammer:
[https://www.youtube.com/watch?v=yiy2Mt79M1c](https://www.youtube.com/watch?v=yiy2Mt79M1c)
(device and process are described in [1], Russian); he uses a self-made "radar"
[2].

[1]: [https://habr.com/ru/post/337608/](https://habr.com/ru/post/337608/)
[2]: [https://habr.com/en/post/332746/](https://habr.com/en/post/332746/)

------
zw123456
If I understand it correctly, the spoofing works by replaying the original
signal delayed in time but at a higher power so the receiver selects your
better spoofed signal. I wonder if it would be possible for the receiver to
compute what the appropriate signal level should be and if it is too strong
that could be a way of detecting if you are receiving a spoofed signal ?
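
A power sanity check of the kind asked about above, as an added example that is not code from the thread or from any receiver firmware. It works on the per-satellite C/N0 that ordinary receivers already report (the SNR field of NMEA `GSV` sentences), so it needs no extra hardware. The ceiling and spread thresholds are assumptions; the open-sky range of roughly 35-50 dB-Hz for L1 C/A is the commonly published figure. Both channel tables are constructed, not captured, and the `GSV` sentences are generated in code so their checksums are valid. The second heuristic goes slightly beyond the question: a single rebroadcast antenna also flattens the natural per-satellite spread, since every satellite then arrives through the same relay path.

```python
"""Sanity-check reported signal strength: a rebroadcast is louder than the sky.

Added example, not code from the thread or from any receiver firmware.
Thresholds are assumptions; both channel tables below are constructed.
"""
from typing import Dict, List

# Constructed open-sky reading: strength varies with elevation and surroundings.
NOMINAL: Dict[str, float] = {"G02": 44.0, "G05": 38.0, "G12": 47.0,
                             "G15": 41.0, "G24": 36.0, "G29": 45.0}

# Constructed reading under a single-antenna rebroadcast: every satellite comes
# through the same relay path, so all channels are both too strong and alike.
RELAYED: Dict[str, float] = {"G02": 58.0, "G05": 58.0, "G12": 59.0,
                             "G15": 58.0, "G24": 58.0, "G29": 58.0}


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return f"{x:02X}"


def make_gsv_sentences(cn0: Dict[str, float]) -> List[str]:
    """Constructed $GPGSV sentences carrying the table (elevation/azimuth filler)."""
    items = sorted(cn0.items())
    groups = [items[i:i + 4] for i in range(0, len(items), 4)]
    out = []
    for n, group in enumerate(groups, 1):
        fields = ["GPGSV", str(len(groups)), str(n), str(len(items))]
        for prn, v in group:
            fields += [prn[1:], "45", "180", f"{int(round(v)):02d}"]
        body = ",".join(fields)
        out.append(f"${body}*{nmea_checksum(body)}")
    return out


def parse_gsv(sentences: List[str]) -> Dict[str, float]:
    """PRN -> C/N0 (dB-Hz) from GSV sentences; sentences failing checksum are dropped."""
    cn0: Dict[str, float] = {}
    for s in sentences:
        if not s.startswith("$") or "*" not in s:
            continue
        body, chk = s[1:].split("*", 1)
        if nmea_checksum(body) != chk.strip().upper():
            continue                      # corrupt or truncated sentence
        f = body.split(",")
        if f[0][2:] != "GSV":
            continue
        for i in range(4, len(f) - 3, 4):  # groups of PRN, elev, azim, SNR
            prn, snr = f[i], f[i + 3]
            if prn and snr:
                cn0["G" + prn.zfill(2)] = float(snr)
    return cn0


def cn0_anomalies(cn0: Dict[str, float], ceiling_db_hz: float = 52.0,
                  min_spread_db: float = 3.0) -> List[str]:
    """Reasons this channel table looks unnatural (empty list = nothing odd).

    ceiling_db_hz: more than a direct L1 signal delivers to a typical front end
    (assumption: 52 dB-Hz, tune per receiver). min_spread_db: a live sky view
    does not put every satellite within a fraction of a dB of each other
    (assumption: 3 dB, only checked with four or more channels)."""
    reasons = []
    for prn, v in sorted(cn0.items()):
        if v > ceiling_db_hz:
            reasons.append(f"{prn} at {v:.1f} dB-Hz exceeds ceiling {ceiling_db_hz:.1f}")
    if len(cn0) >= 4 and max(cn0.values()) - min(cn0.values()) < min_spread_db:
        reasons.append(f"all channels within {min_spread_db:.1f} dB of each other")
    return reasons


def looks_spoofed(cn0: Dict[str, float]) -> bool:
    return bool(cn0_anomalies(cn0))


if __name__ == "__main__":
    for name, table in (("nominal", NOMINAL), ("relayed", RELAYED)):
        parsed = parse_gsv(make_gsv_sentences(table))
        print(name, "->", cn0_anomalies(parsed) or "no anomaly")
```

A spoofer who keeps power just above the direct signal and shapes each channel separately defeats both heuristics, so treat this as a cheap first filter rather than a defence.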

~~~
angott
You could technically do this, but such a technology is too expensive to
incorporate in civilian use receivers that have to retail for a couple bucks.

Military receivers used by the USA and NATO allies can easily detect spoofing
because they listen for signals on separate frequencies reserved for military
use, with higher precision. On these frequencies, all traffic is encrypted
using a private key that only the DoD has access to (in theory). In this case,
it is easy to detect spoofing because your enemy cannot encrypt signals using
the DoD's private key (they just don't have it). If the receiver is unable to
decrypt the incoming signal (key mismatch), it knows there is something fishy
going on. I would also speculate there are additional countermeasures which
are not publicly available.

~~~
gsich
Just jam the other frequencies.

------
hamilyon2
GPS is permanently jammed/spoofed around Kremlin. It is tough to drive there
if you are not local.

~~~
chupasaurus
Not trying to advocate for the devil, but

Kremlin is triangle-like shaped, there's a river from one side with bridges at
the ends (so it could be counted as a tunnel), Red Square from another
(pedestrian only unless you're a member of Victory Parade, one-way streets
aside), the third side is surrounded by Mokhovaya street which has 5
intersections with others and you can get to the one you'd want if you've
skipped your turn.

------
anonymousDan
Would these kind of attacks be made redundant by Galileo?

~~~
michaelt
TLDR: no.

GPS spoofing can be done as a replay attack; record the signal at the airport,
rebroadcast at the Kremlin louder than the direct satellite signal and voilà,
your receiver says you’re at the airport.

As it’s just a replay attack of the original signal, encryption can’t help.

~~~
woodruffw
> As it’s just a replay attack of the original signal, encryption can’t help.

Couldn't this be mitigated by adding a nonce or using CBC within the
cryptosystem? Replay attacks are well understood; I'd be surprised if any
(eventual) proposal for signed/encrypted GPS didn't include something to
defend against them.

~~~
jhayward
As I loosely explained in another comment, you essentially never see repeats.
The replay happens at the speed of light, and time stamps are broadcast once
every 6 seconds at 50 BPS.

The receiver sees the rebroadcast because it captures the receiver's RF chain
by being the strongest signal.

------
mistermann
Am I the only one that finds it odd how people read and accept this capability
without question, yet don't give the slightest thought to why super
sophisticated Russian* state-sponsored Twitter trolls didn't bother to use a
VPN to spoof their identities?

* So the media claims as a fact. Twitter itself has actually made no such claim of certainty that the "Russian trolls" are _actually_ Russian, rather they've only said that the accounts are _possibly_ linked, but good luck finding a news article or internet forum reader that will acknowledge this fact. This Wired article is about the only one I've come across that is truthful:

[https://www.wired.com/story/how-americans-wound-up-on-twitte...](https://www.wired.com/story/how-americans-wound-up-on-twitters-list-of-russian-bots/)

As an example of how sloppy and misleading (intentionally or not) this problem
(of reporting allegations or suspicions as if they are fact) is, Wired itself
made the very same mistake in an article linked from that one:

[https://www.wired.com/story/congress-asks-tech-to-face-hard-...](https://www.wired.com/story/congress-asks-tech-to-face-hard-truths-about-russian-meddling/)

_While Facebook bore the brunt of Senators' questioning, Twitter revealed
some staggering statistics about Russia's organic reach on its platform last
year. In just two and a half months, Russian bot accounts tweeted 1.4 million
times, yielding 288 million impressions. The fact that such coordinated
campaigns went unchecked underscores the value Twitter has put on free
speech._

"Russian bot accounts tweeted" is a statement of fact, but the actual fact is
the accounts are only _suspected_ of being Russian

Ironically, in the very same article, they go on to acknowledge the
uncertainty involved:

_Facebook and other platforms used their technological prowess during the
campaign to identify malicious actors and advertisers that might be connected
to foreign entities, but those tools can miss the mark._

One can hardly blame the technically unsophisticated general public for
taking what it reads in respectable news outlets at face value, but it's
rather depressing (or, extremely interesting, from a mass
psychology/epistemological perspective, if you're more of a glass-half-full
type of guy like me) that not only politicians _but also technically
sophisticated people_ seem to be no better in this particular case.

</beatingadeadhorse>

~~~
igivanov
>people read and accept this capability without question

These days most negative statements about Russia are accepted at face value.

~~~
mistermann
Of course, and this is to be expected considering the intelligence and human
nature of the general public. But the behavior/beliefs _on this specific
topic_ (at least) of people on relatively much smarter forums like HN is
_identical_ to that of the general public.

Here we have a situation where people of above-average intelligence,
especially technically, passionately believe something of a technical nature,
and _will not question it_. _That's_ the part I find absolutely fascinating
within the context of the whole "fake news" discussion.

------
infocollector
Thwart GPS Spoofer using $10 (RTLSDR) -
[https://patents.google.com/patent/US20170090006A1/en](https://patents.google.com/patent/US20170090006A1/en)

------
stevespang
In the Balkans war, Russia was caught selling GPS spoofers to our adversaries,
average price $20 to $30K. US military simply installed downward seeking GPS
signal seekers on smart bombs, problem solved. Then of course, adversaries
installed GPS spoofers near hospitals, Chinese embassy, unethical targets,
typical of rogue nations and despots.

------
huhwatnow
Time to update the odds that the two accidents involving navy destroyers in
the Malacca Strait weren't accidents?

Mind you, this does not automatically implicate Russia; just because one report
calls them pioneers doesn't mean other countries don't possess the capability,
and China has more concrete issues with US naval presence there than Russia.

~~~
vbezhenar
It would be crazy to operate ships solely with GPS data.

~~~
huhwatnow
I'm sure the navy is aware of the threat and has standing procedures to
prevent it - afaic high-ranking officers were sacked precisely because those
weren't being properly followed. A huge container ship in a space as tight as
the Malacca Strait otoh probably has no procedure to deal with GPS being
abruptly and subtly spoofed or even a way to detect it.

