
Preventing GPS spoofing is hard, but you can at least detect it - furcyd
https://arstechnica.com/gadgets/2019/09/regulus-cybers-pyramid-gnss-software-detects-gps-spoofing/
======
gruez
>"We've learned how to perceive anomalies between legitimate GNSS signals and
spoofed signals by researching the variations in the satellite signals
protocol and recognizing the inter-relationships between signal parameters,"

Sounds like a cat and mouse game. It only works because current spoofers are
doing it sloppily. It's only a matter of time before the bad guys get their
hands on this and use it to eliminate any discrepancies that the spoofers
have. It doesn't sound like they found something that can't be spoofed.

~~~
amelius
It seems that the GPS protocol is just too simple, and lacks proper security
elements.

An article linked by the article contains an informative section "How GNSS
spoofing works", [1]. Excerpt:

> Effectively, if you can transmit to a GPS receiver, you can speak GPS to it
> and it will trust you. There's no authentication process involved, and you
> might even be able to MacGyver together a working spoofing device out of a
> hacked $15 USB-to-VGA adapter. Granted, you could easily wind up with
> thousands of dollars in fines or even prison time for trying it—but in
> strictly technical terms, there's very little stopping you.

[1] [https://arstechnica.com/cars/2019/06/claims-of-tesla-hack-wide-of-the-mark-we-dig-into-gnss-hacking/](https://arstechnica.com/cars/2019/06/claims-of-tesla-hack-wide-of-the-mark-we-dig-into-gnss-hacking/)

~~~
GhettoMaestro
Yeah the civilian signal has no cipher / integrity-checking. The military
signals do have those (and it chirps at 10x the rate of the civilian signal).

~~~
amelius
Makes you wonder if nobody considered that an attack of civilian systems could
be used strategically in warfare.

~~~
GhettoMaestro
Oh absolutely they do. That's why they reserve the right to turn off the
civilian signals in an extreme time of war.

In reality would that happen? Probably not. There are multiple GNSS
constellations these days, so just denying GPS is probably not a safe bet (you
can buy civilian uBlox chips for $<50 that are tri-band...)

I love reading about the military aspect of GPS. It is really fascinating the
use-cases they plan for. Hopefully they never actually are used in such an
extreme scenario.

------
rasz
Dead reckoning and sensor fusion are the real answer. Over 20 year old Etak
patent:

"Based on the previous position of the object, the GPS derived position, the
velocity, the DOP(dilution of precision) and the continuity of satellites for
which data is received, the system determines whether the GPS data is
reliable."

~~~
eru
Hmm, I wonder whether this would be good for a popular article on an
introduction to Kalman filtering?
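
The reliability test quoted from the Etak patent above, sketched as an added example that is not part of the thread or of the patent: a GPS fix is compared with a dead-reckoned prediction and distrusted when it falls outside a DOP-scaled gate, when HDOP is poor, or when too few satellites persist between epochs. All thresholds, function names and sample values are assumptions made for illustration.

```python
import math

R_EARTH = 6371000.0   # metres
UERE_M = 5.0          # assumed per-satellite range error (1 sigma)
GATE_SIGMAS = 3.0     # assumed gate width
MAX_HDOP = 5.0        # assumed: geometry worse than this is not trusted
MIN_COMMON_SVS = 4    # assumed: satellites that must persist between epochs
SPEED_ERR_MPS = 2.0   # assumed odometer/IMU speed uncertainty

def dead_reckon(lat, lon, speed_mps, heading_deg, dt_s):
    """Predict the next position from the last trusted fix plus speed and heading."""
    d, h = speed_mps * dt_s, math.radians(heading_deg)
    dlat = d * math.cos(h) / R_EARTH
    dlon = d * math.sin(h) / (R_EARTH * math.cos(math.radians(lat)))
    return lat + math.degrees(dlat), lon + math.degrees(dlon)

def distance_m(a, b):
    """Equirectangular distance, adequate for the short baselines used here."""
    x = math.radians(b[1] - a[1]) * math.cos(math.radians((a[0] + b[0]) / 2))
    y = math.radians(b[0] - a[0])
    return R_EARTH * math.hypot(x, y)

def check_fix(prev, speed_mps, heading_deg, dt_s, fix, hdop, prev_svs, svs):
    """Return the reasons the GPS fix is distrusted (empty list = reliable)."""
    reasons = []
    if hdop > MAX_HDOP:
        reasons.append("hdop")
    if len(set(prev_svs) & set(svs)) < MIN_COMMON_SVS:
        reasons.append("continuity")
    predicted = dead_reckon(prev[0], prev[1], speed_mps, heading_deg, dt_s)
    # The gate widens with poor geometry and with dead-reckoning uncertainty.
    gate = GATE_SIGMAS * (hdop * UERE_M + SPEED_ERR_MPS * dt_s)
    if distance_m(predicted, fix) > gate:
        reasons.append("innovation")
    return reasons

# Constructed sample: vehicle heading north at 20 m/s, one-second epochs.
PREV = (30.0, -97.0)
SVS = [2, 5, 12, 25, 29]
NEAR = (30.00019, -97.00001)   # about 1.5 m from the prediction
FAR = (30.00018, -96.995)      # about 480 m east of the prediction

def demo():
    return {
        "genuine": check_fix(PREV, 20, 0, 1, NEAR, 1.2, SVS, SVS),
        "jump": check_fix(PREV, 20, 0, 1, FAR, 1.2, SVS, SVS),
        "new_svs": check_fix(PREV, 20, 0, 1, NEAR, 1.2, SVS, [7, 8, 9, 25, 29]),
    }

if __name__ == "__main__":
    print(demo())
```

The thresholds need tuning to the receiver and inertial sensors in use.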

------
AstralStorm
Wouldn't this be as simple as cross validating the almanac and noticing that
the new satellite is not in the majority vote result?

You can even mark a safe set of ephemeris and almanac or just download it from
internet, like many kinds of GPS software do.

You would have to spoof a whole constellation to break such a measure. And it
could be strengthened by discarding signal from satellites that are too close,
preventing the equivalent of Sybil attack. So if you see doubled SATs, you can
mark one or both of them as invalid.

Then you can also check ionosphere map and validate that signal distortion
roughly matches the satellite reported location.

You can also limit the attack by hard capping relative orbital velocity and
instantly rejecting that satellite which is unexpectedly too fast. (You would
have to again spoof a whole constellation, and if your target has correct
ephemeris data it's all for nothing.)

Maybe I have guessed their solution in a few minutes...

~~~
express_egg
You're generally not wrong, but the things you mentioned make assumptions
about having a data connection (not typically the case for receivers of
interest - power grid, military trying to operate without RF signature, etc),
and there is also an engineering aspect to it: with a big
power/data/computational/financial budget most problems can already be solved.
Solutions that are practical for your phone or a budget receiver are lacking.
Loosely organized to your points:

It depends on how the attack is carried out - there are data attacks and
timing attacks (the article is generally terrible and has no info). In a data
attack the navigation message is altered. Like you suggest this is easy to
validate. Note though that most phones (and all new Android phones afaik -
don't know about Apple) use assisted GPS, so they download navigation data
anyways and a data attack would generally be ineffective. Timing attacks use
authentic nav messages, but simulate signal arrival in an altered order, or
replay previously recorded signals.

Whole constellation spoofing is not difficult anymore, especially for state
actors who can carry out full-sky attacks. You have no real way beyond
correlation/signal strength (which can be attenuated by an attacker) to tell
how far away a signal source is, and if you only have a single (stationary)
antenna you cannot tell the geometry either (i.e. if signals are coming from
multiple sources as expected, or a single antenna).

Multipath is a huge problem, especially in receivers which have linearly
polarized antennas like smartphones. Usually when a receiver tracks GPS
signals it looks for the signal arriving first (because later signals would be
multipath reflections). It is an expensive operation to track multiple
occurrences of signals, high end receivers do though.

Ionospheric delay can fluctuate, so I don't think this would be very reliable.
Also you seem to have a hidden assumption that you should know the true
geometric range to the satellite, which is true for timing receivers.

Wrt velocity, you're not wrong, but it would take a "dumb" attacker to
simulate something unrealistic.
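
The receiver-side checks discussed in this subthread, as an added example that is not part of the thread: broadcast ephemeris is compared against a trusted reference set, doubled PRNs are discarded, and signals with an implausible Doppler are rejected. As the reply notes, this addresses altered navigation data, not replayed or re-timed authentic signals. Field names follow the usual ephemeris parameters; the tolerances, the Doppler cap and all sample values are constructed assumptions.

```python
from collections import Counter

MAX_DOPPLER_HZ = 6000.0  # assumed cap for a slow-moving L1 receiver
TOLERANCE = {"sqrt_a": 0.5, "e": 1e-4, "i0": 1e-3}  # assumed per-field tolerances

def validate_signals(tracked, trusted):
    """Return {index: [reasons]} for every tracked signal that fails a check."""
    counts = Counter(sig["prn"] for sig in tracked)
    flagged = {}
    for idx, sig in enumerate(tracked):
        reasons = []
        if counts[sig["prn"]] > 1:          # "doubled SATs": distrust both copies
            reasons.append("duplicate_prn")
        ref = trusted.get(sig["prn"])
        if ref is None:                     # satellite absent from the trusted set
            reasons.append("not_in_trusted_set")
        else:
            for field, tol in TOLERANCE.items():
                if abs(sig["eph"][field] - ref[field]) > tol:
                    reasons.append("ephemeris_mismatch:" + field)
        if abs(sig["doppler_hz"]) > MAX_DOPPLER_HZ:   # relative velocity cap
            reasons.append("doppler_out_of_range")
        if reasons:
            flagged[idx] = reasons
    return flagged

def usable_prns(tracked, trusted):
    """PRNs that passed every check and may be used in the position solution."""
    flagged = validate_signals(tracked, trusted)
    return sorted(s["prn"] for i, s in enumerate(tracked) if i not in flagged)

# Constructed trusted ephemeris (e.g. stored earlier or downloaded) and tracked signals.
TRUSTED = {
    2: {"sqrt_a": 5153.60, "e": 0.0200, "i0": 0.960},
    5: {"sqrt_a": 5153.70, "e": 0.0060, "i0": 0.955},
    12: {"sqrt_a": 5153.65, "e": 0.0080, "i0": 0.968},
}
TRACKED = [
    {"prn": 2, "doppler_hz": 1200.0, "eph": dict(TRUSTED[2])},
    {"prn": 5, "doppler_hz": -2500.0,
     "eph": {"sqrt_a": 5153.70, "e": 0.0160, "i0": 0.955}},   # altered eccentricity
    {"prn": 12, "doppler_hz": 300.0, "eph": dict(TRUSTED[12])},
    {"prn": 12, "doppler_hz": 310.0, "eph": dict(TRUSTED[12])},  # second copy
    {"prn": 31, "doppler_hz": 9000.0,
     "eph": {"sqrt_a": 5153.60, "e": 0.0100, "i0": 0.950}},   # unknown, too fast
]

if __name__ == "__main__":
    print(validate_signals(TRACKED, TRUSTED), usable_prns(TRACKED, TRUSTED))
```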

------
infocollector
Here is one way to find out if GPS is spoofed (can handle jammed as well):
[https://patents.google.com/patent/US20170090006A1/en](https://patents.google.com/patent/US20170090006A1/en) -
They show it using FM, but the method can be generalized to any terrestrial
transmission system. Uses the beloved RTL-SDR.

------
i_am_proteus
Todd Humphreys and his group at UTexas have been doing some remarkable work in
this field:

[https://researchers.dellmed.utexas.edu/en/publications/civil...](https://researchers.dellmed.utexas.edu/en/publications/civilian-gps-spoofing-detection-based-on-dual-receiver-correlatio)

~~~
express_egg
Piggybacking:

It's really difficult to get ION papers, but they do generally put preprints
on their lab page:
[https://radionavlab.ae.utexas.edu/](https://radionavlab.ae.utexas.edu/)

------
opless
Wouldn't using a 3d direction-finding setup just blow this out of the water?

You're expecting the signal to come from "up" not mostly from the horizon.

Also if you have an almanac already you'd have to spoof each satellite's
location.

Granted this would be a good deal more complex to implement...

------
kejaed
Has anyone around here set up a GPS Simulator / spoofer with an SDR with any
success?

~~~
dazhbog
I did with a hackRF and use it in our production line to test the GPS modules
of our PCBs.

Project link [https://github.com/osqzss/gps-sdr-sim](https://github.com/osqzss/gps-sdr-sim)

~~~
steve19
With an off the shelf antenna, what kind of range can you spoof?

~~~
dazhbog
I use a crappy antenna and I get a few meters, without any amplification. If
it was going further I would use attenuators or a cage.

I have the SDR streaming satellite data for 5min and it then restarts and
retransmits again. That allows units on the assembly table to get a sat lock
and pass the factory test.

~~~
StavrosK
Does it see the SDR as one satellite, or multiple? I guess you can just spoof
as many satellites as you want, but wouldn't it be rather hard to spoof a
position?

~~~
elfchief
Not the OP, but it'd see it as multiple SVs. Basically you figure out what the
range would be from the SVs to whatever location you want the things to think
they're at, and put out all the signals to make that happen. Spoofing a single
SV is pretty useless, you have to spoof at least enough of them to give you a
position solution.

------
Avamander
It's actually really sad that GALILEO builders didn't build in integrity-
checking into the signal for civilians to be able to rely on it safely.

------
debatem1
Just want to give a shout out to the Satelles guys, who are doing some really
neat work on verifiable position and time even deep indoors.

------
tinus_hn
Can’t you just receive data from both GPS and GLONASS and the other systems
and see if they match up?

~~~
TazeTSchnitzel
Then you just spoof those too.

------
nutcracker46
Cat and mouse indeed, but here we see that a GPS spoof can be detected and
spoofs can be made more and more difficult to accomplish.

It will get down to a game of knowing the satellites better and better, in
terms of their clocks, orbits, and drifts in those parameters. With the
increasing precision of augmentation, spoofers will be hard pressed to keep up
and precisely mimic more parameters.

