
A $225 GPS spoofer can send sat-nav-guided vehicles into oncoming traffic - jsoc815
https://arstechnica.com/information-technology/2018/07/a-225-gps-spoofer-can-send-autonomous-vehicles-into-oncoming-traffic/
======
ccnafr
Duplicate:
[https://news.ycombinator.com/item?id=17539465](https://news.ycombinator.com/item?id=17539465)

------
wongarsu
>A $225 GPS spoofer can send sat-nav-guided vehicles into oncoming traffic *

* by fooling the vehicle into driving the wrong way through a one-way street.

That's a serious asterisk. I think there are much more interesting worst-case
applications for this, like kidnapping, ransom, misdirecting emergency
responders etc. Some of those are mentioned by the article, but the headline
just causes doubt and disappointment.

~~~
dsfyu404ed
I agree

Google/Apple/whatever directions send delivery vehicles down roads with under-
height structures all the time and they rarely get can-opened. GPS directions
are inaccurate enough in urban environments that people have to pay enough
attention for this attack to not work very well. People will generally defer
to the local signage when it comes to which lane you need to be in for a turn
and which way you can't drive down a street or how tall a bridge actually is.

------
Robotbeat
A $10 steel bar can derail a train.

~~~
athenot
Really? $10 won't buy you much in terms of steel. You'd probably need a lot
more than just a crowbar. I'm not saying trains are invulnerable to debris on
the tracks, just that they are designed to handle small stuff on the tracks.

~~~
IshKebab
A crowbar is not "small stuff on the tracks". Have you ever seen a train?

~~~
athenot
Yes. They are designed for that stuff. Here's the biggest accident (in France)
from having a large object on the tracks: 80 ton oversized load. Only the
engine car derailed.

    
    
        Trainset involved: 70 (Sud-Est) 
        Service: train 736, Grenoble to Paris 
        Location: PN 74, Voiron
        Injuries: 2 dead, 60 injured
        [Edit: date: 23 September 1988]
    
        A special road transport with a weight of 80 tons became stranded on level
        crossing 74. Train 736, rounding a curve toward the crossing, ploughed into it
        at 110 km/h (68 mph). The large mass of the road vehicle made this crash much
        worse than it might otherwise have been; the engineer and one passenger died,
        and many more were injured when the first trailer was ripped open by debris.
        Only the leading power unit derailed. This wreck, the most violent to date,
        became a reference for the design and crash testing of safety features for the
        next generation of TGV, as embodied by today's Duplex trainsets. These newer
        trains have several deformable sections, at the front and rear of the power unit
        and at the front of the first trailer, to manage and absorb crash energy without
        damage to passenger compartments. Trainset 70 was never returned to service, and
        the trailing unit 23140 became a spare in the Sud-Est fleet.

------
jaimex2
I remember reading the Kremlin has a high powered version of this mocking the
airport co-ordinates so drones would not fly in its airspace.

~~~
lawlessone
>mocking the airport co-ordinates

Sounds very dangerous. If an aircraft was landing in poor visibility they
could use that to make it crash.

~~~
baq
does ILS use GPS?

~~~
SteveNuts
No, it's radio waves with directional antennas.

------
matthewmacleod
While the whole thing is interesting (mostly because of the design of the
spoofer rather than it being anything else that's new) this headline is
deliberately misleading.

~~~
xPhobophobia
And the conclusion has been the same for a while. GPS-only NAV is very
susceptible to degradation. Blended solutions are the only path forward with
GPS.

------
Nokinside
Obviously sat-nav guided systems should not rely on unprotected satellite
navigation alone. You need complementary systems.

EU's GNSS has PRS (Public Regulated Service), which is authenticated and can be
used in sensitive applications for civilian uses. US has GPS modes that are
protected but they seem to be only for military.

There is also Wide Area Augmentation System (WAAS) and European Geostationary
Navigation Overlay Service (EGNOS). They augment GPS/GLONASS and Galileo and
provide integrity and more accuracy.

Typically new sat-nav systems have multi-constellation capability and they can
receive from GPS/GNSS/GLONASS. Even new smartphones have that capability.
Of course, if all of them are unprotected, you can spoof them all in parallel.

------
detaro
previous discussion:
[https://news.ycombinator.com/item?id=17539465](https://news.ycombinator.com/item?id=17539465)

direct link to paper:
[https://people.cs.vt.edu/gangwang/sec18-gps.pdf](https://people.cs.vt.edu/gangwang/sec18-gps.pdf)

~~~
jsoc815
Thanks, missed the previous post.

------
ourmandave
Could be used on self-driving vehicles like the giant dump trucks in quarries,
or harvesters in corn fields?

What about autonomous trains? Cause that would be off the rails.

------
keymone
considering that GPS has civilian and military parts of the signal, are the
messages not signed by, i don't know, U.S. military or something? how come it
is easy to spoof?

~~~
karthikb
The military signal is encrypted and on a different band. Only the military
has access to that signal.

~~~
keymone
right, but they could've gone the extra meter and just signed all outgoing
payloads?

~~~
pjc50
I was going to say "GPS predates signing", but it turns out that the first GPS
launch and the invention of RSA signing were in the same year: 1978. Of course
the signing technology was also considered to be subject to US export control
for decades ...

Besides, signing doesn't necessarily help - the easiest way to GPS spoof is
simply to re-broadcast the signals received at a nearby point at higher power,
so the victim receiver thinks it's at that point.

There is recent work on doing this:
[https://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Lo_I...](https://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Lo_IEEEIONPLANS_2010_AuthenticatingAugmentationSystems.pdf)

~~~
keymone
1978 RSA invention is when it happened in public domain, 5 years before that a
guy at GCHQ invented a similar asymmetric scheme, which i'm sure was well in
use by 1978.

replay attack does make sense, but isn't it identified uniquely by time? i
mean the content of the payload is basically very accurate time. if a device
notices the time doesn't change - it can detect spoofing.

~~~
moccachino
You continually receive signals at point A, send them to point B and transmit
them there at higher power.

~~~
keymone
yeah, you're right, it's sort of a brain in the jar problem, isn't it. but it
does seem like it's not that hard to detect because of latency between A and
B, though it would require a pretty accurate clock on GPS device.

~~~
pjc50
No! Differential latency from the satellites is entirely how GPS works, and
there is no way of having an accurate enough clock to be able to spot that
without (a) it being an atomic clock and (b) synced to the satellite time at a
known location.

~~~
keymone
But accuracy of GPS signal is in microseconds, so if you suddenly detect a
change in level of milliseconds (latency between A and B) - that would totally
imply spoofing shenanigans?

~~~
pjc50
Yes, which would manifest as a sudden movement of place detected. What I'm not
sure about is what this looks like as you approach the jammer and its signal
gradually overwhelms some or all of the signals; does it just look like
multipath error.

~~~
keymone
Obviously I don’t know what I’m talking about, but it seems like such an attack
is only undetectable by cold gps device that has been offline for longer than
some period of time, long enough to explain time shift by clock drift.
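
Added example, not part of the thread: a sketch of the consistency check the last sub-thread converges on, where a replay shows up as a clock step and a position jump relative to recent history, and a receiver that starts with no history has nothing to compare against. The `Fix` fields, the thresholds and the sample values are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Fix:
    t: float             # seconds on the receiver's own oscillator
    lat: float           # degrees
    lon: float           # degrees
    clock_bias_s: float  # clock bias solved together with position

def distance_m(a, b):
    """Great-circle distance between two fixes (haversine)."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

def check_fixes(fixes, max_speed_mps=70.0, pos_noise_m=15.0,
                max_drift_ppm=2.0, bias_noise_s=1e-6):
    """Return [(index, reasons)] for fixes inconsistent with the last trusted fix."""
    alerts, trusted = [], None
    for i, fix in enumerate(fixes):
        if trusted is None:      # cold start: no history, nothing to compare
            trusted = fix
            continue
        dt = fix.t - trusted.t
        reasons = []
        # A replay adds a common delay to every satellite signal, which the
        # solver absorbs as a step in clock bias beyond oscillator drift.
        if abs(fix.clock_bias_s - trusted.clock_bias_s) > max_drift_ppm * 1e-6 * dt + bias_noise_s:
            reasons.append("clock_step")
        # The solved position snaps to where the signals were recorded.
        if distance_m(trusted, fix) > max_speed_mps * dt + pos_noise_m:
            reasons.append("position_jump")
        if reasons:
            alerts.append((i, reasons))
        else:
            trusted = fix        # only consistent fixes extend the baseline
    return alerts

# Constructed sample: three genuine 1 Hz fixes, then a replay from ~5 km away
# arriving 3 ms late (coordinates and delay are made up for illustration).
SAMPLE = [
    Fix(0.0, 37.22960, -80.41390, 1.00e-4),
    Fix(1.0, 37.22961, -80.41390, 1.01e-4),
    Fix(2.0, 37.22962, -80.41390, 1.02e-4),
    Fix(3.0, 37.27460, -80.41390, 3.103e-3),
    Fix(4.0, 37.27461, -80.41390, 3.104e-3),
]
print(check_fixes(SAMPLE))       # receiver with history from before the replay
print(check_fixes(SAMPLE[3:]))   # receiver that first powers on inside the replay
```

The second call is the cold-start case: with no trusted baseline the replayed fixes are self-consistent, so an independent reference (inertial sensors, a second time source, known map position) is needed to catch it.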

