
Ships fooled in GPS spoofing attack suggest Russian cyberweapon - ohjeez
https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/
======
jhayward
This is fairly old news. Reports are a year or two old and suggest that
Russian security uses GPS spoofing anywhere V. Putin may be located,
presumably as a defense against drone type attacks or surveillance. The
spoofed location is often an airport. The Black Sea spoofing could be related
to a visit to e.g., Sochi.

Alternatively Russia could be deploying the spoofers on ships now, which would
seem to have offensive implications as well as defense.

(sorry, no links)

~~~
roywiggins
Sounds like a semi-reliable Putin Detector could be set up if you wanted to...

~~~
jhayward
It would also be fairly short-lived in battle, since the spoofer is
broadcasting its own location in a highly accurate "place ordnance here"
manner.

~~~
subway
More likely it is broadcasting the position of the satellite it is spoofing,
with altered timing.

edit: that doesn't prevent other means of locating the source of an rf signal

~~~
jhayward
You can't spoof the encrypted signal by simulating a satellite, you have to
capture the real signal and rebroadcast it as an overpowering signal so
targets can't get the direct broadcast at their location.

This means that everyone who is getting the overpowered signal will compute
the same location, which will be the antenna of the spoofer.

------
anovikov
That is laughable and doesn't provide any kind of military utility. What is
the value of spoofing GPS by putting everyone into the same point, with zero
inferred velocity and acceleration vectors, while other data sources like
inertial will easily tell the supposed victim this is all wrong?

Also, M-code can't be affected this way because it is encrypted, and military
grade GPS receivers use virtual directed beams so they are next to impossible
to simply jam, either.

~~~
jhayward
M-code encryption doesn't protect against rebroadcast, which is what this
attack seems to be. And beam-forming has its own limitations which can be
fairly easily overcome by signal strength. It may be that military mitigation
involves defining a carefully circumscribed envelope of signal strength,
checks against inertial references, alternative time sources, etc. But it's
not trivial or laughable.

~~~
wyager
M-code contains time and ephemeris data, yes? (Since it's supposed to be
"autonomous".) It seems like it would be quite easy to detect replay attacks.

~~~
PeterisP
The receiver likely doesn't have an accurate enough clock to reliably detect a
_quick_ (a tiny fraction of a second) replay attack if it can't hear the
original transmitters due to intentional interference; most GPS systems would
treat any differences between internal time and the time from the GPS data as
a sign that _their_ clock is drifting and needs to be adjusted, and it should
be that way because their clock _is_ inaccurate and drifting.

~~~
anovikov
Let's see: if the transmitter of spoofing signal is 3km away from the receiver
(less than meaningful minimum - 3km distance is easily covered on inertial
alone with no precision loss) it means 1us error. On 30km, 10us error. Is that
really hard to have clock that precise on a receiver?

~~~
PeterisP
Yes, it is quite hard - standard oscillators used in electronics can easily
drift up to a second a day (we don't notice because many devices update their
time from GPS signal or cell data), and even really good ones will still drift
for a millisecond quite quickly and it definitely can't rely on accuracy
measured in us.

For getting such an accuracy, IIRC, at the very least you'd need a
temperature-controlled environment (so, not feasible in mobile devices)
because the standard approaches will be slightly faster/slower depending on
temperature.

~~~
anovikov
There are atomic clocks that weigh only about 35 grams. They cost $15K though,
so probably too expensive for munitions, except nukes, but fine for aircraft
and ships, and probably for some land vehicles. Having ±5.0E-11 accuracy and
<1E-11 @1000s short term stability. So enough for any aircraft sortie or ship
action in a region of probable GPS spoofing (precise enough for days).

Even OCXO will be enough given short duration of stay in a spoofed environment
(typical OCXO will give you 50 seconds, but it is more than enough time to be
within 300 meters from a spoofer, unless you are on foot). Or 500 seconds
within 3000 meters, which is same speed - 6 m/s - which you have to maintain
to be able to filter out spoofing. Several times more in practice because
these are all RMS, not max errors. But 30 m/s is 5 sigmas which is military
(nuclear, to be precise) definition of 'safe', so all aircraft/munitions are
safe, and ships are big and expensive enough to justify $15,000 atomic clock.

~~~
wyager
Wow! Thank you for the detailed description. I didn't realize atomic clocks
had become so small. After searching, I see you can even buy rubidium clocks
with similar accuracy for around $1000 in single quantities! Very impressive.

------
krona
Reminds me of the Iran–U.S. RQ-170 incident, when a CIA drone was captured by
Iranian forces; one of the leading theories was GPS spoofing, although
naturally Lockheed Martin denied that it was vulnerable to such a simple (for
a nation state) attack.

------
oneplane
Not only old news as suggested in other comments, but not hard to do either;
IIRC, this was done 1 or 2 DEF CONs ago, not only for GPS, but also for older
systems that use radio beacons (Aircraft? not sure..) and A-GPS (spoofing GSM
radios).

~~~
samstave
[http://www.rtl-sdr.com/spoofing-gps-locations-with-low-cost-tx-sdrs/](http://www.rtl-sdr.com/spoofing-gps-locations-with-low-cost-tx-sdrs/)

~~~
technofiend
Funnily enough I have a legitimate use for this: correcting GPS drift in a
location with poor GPS availability. I would love to carry around a Raspberry
Pi with an attached SDR that let me fine tune the signal so it's accurate
versus showing me across the street, down the block or aimlessly wandering in
circles.

------
ge0rg
_many NATO guided bombs, missiles and drones rely on GPS navigation_

There are separate code sets for civilian and military GPS, and the latter
should only be available to US military equipment manufacturers. What I
wonder is whether that means some NATO equipment will be misdirected by
spoofing attacks and other will not, or if the attackers actually are able to
spoof both types of signal.

~~~
jhayward
> if the attackers actually are able to spoof both types of signal.

Interestingly, the military GPS signal is encrypted using what is called the
A/S "anti-spoof" code. Which was deployed in the '70s. So you know they've
been thinking about it for quite some time.

Practically speaking: Assuming one can shield the spoofer receiver from its
own transmitter there's no real reason why a spoofer can't set up a receiver
at one location and rebroadcast the encrypted signal as received there. If
rebroadcast at sufficient power it would easily overpower the true signal, and
would indicate the spoofer position rather than true position everywhere it
was the strongest signal. Sort of like if you just moved everyone's antenna to
the spoofer location using a very long antenna cable.

It would be very interesting to know what military receivers do to mitigate
such an attack. I haven't seen anything in open literature. I suppose it would
be (rightfully so) classified technology.

~~~
jdavis703
Is this really possible? I don't know much technical details about GPS, but I
thought a large component was time-based. If my understanding is correct,
wouldn't rebroadcasting fail because the times didn't match correctly?

~~~
jhayward
The question is: match with what?

Part of the GPS calculation is to figure out what time it is. There is no
reference needed other than what the satellites broadcast. If you are
rebroadcasting the entire GPS signal it includes all of the satellites, and
will be self-consistent.

Also, in the case of a rebroadcast it need not be delayed by more than
something on the order of a microsecond or so.

If the receiver has some sort of out-of-channel time reference that is
accurate to nanosecond levels I suppose that could be used as a check, but
that sort of thing takes an atomic clock and doesn't fit in a wristwatch.

~~~
PhantomGremlin
_Also, in the case of a rebroadcast it need not be delayed by more than
something on the order of a microsecond or so._

That only works if the spoofer is very close by.

One microsecond is 1000 feet. (Recall the "Grace Hopper nanosecond" as a
start.) So, if the spoofing signal rebroadcast originates 5 miles away, that's
26 microseconds of delay right there.

_If the receiver has some sort of out-of-channel time reference that is
accurate to nanosecond levels I suppose that could be used as a check, but
that sort of thing takes an atomic clock and doesn't fit in a wristwatch._

You're way off in your accuracy estimate.

Oven controlled crystal oscillators have been around for at least 50 years.
Probably a lot more. And they're dirt cheap. All they are is some temperature
stabilization around an ordinary crystal oscillator. Quoting from the (always
highly accurate) :) Wikipedia:

_The short term frequency stability of OCXOs is typically 1x10^-12 over a few
seconds, while the long term stability is limited to around 1x10^-8 (10 ppb)
per year by aging of the crystal_
[https://en.wikipedia.org/wiki/Crystal_oven#Accuracy](https://en.wikipedia.org/wiki/Crystal_oven#Accuracy)

An OCXO isn't practical in a tiny drone or a wristwatch, but it's highly
practical in any military instrument that weighs more than a few pounds.
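
The timing argument in this sub-thread, as an added example that is not part of any commenter's post: a rebroadcast adds path and processing delay to the receiver's solved time, and an independent clock can flag that step only while its own drift is smaller than the delay. The function names, the 1e-8 oscillator bound, the 50 ns noise allowance and the sample series are assumptions made for illustration.

```python
C = 299_792_458.0  # speed of light, m/s

def replay_delay_s(path_m, processing_s=0.0):
    """Extra delay a rebroadcast adds: spoofer-to-victim path plus processing."""
    return path_m / C + processing_s

def holdover_s(delay_s, frac_freq_error):
    """Seconds a free-running clock stays accurate enough to resolve delay_s."""
    return delay_s / frac_freq_error

def detect_bias_jumps(samples, frac_freq_error, noise_s=50e-9):
    """samples: (t_seconds, gnss_time_minus_local_clock_seconds) per epoch.

    Flags epochs whose bias moved further from the last trusted epoch than the
    oscillator could have drifted. Catches step changes such as a replay
    delay; a slow drag kept under the drift bound is not caught.
    """
    alerts = []
    t_ref, b_ref = samples[0]
    for t, b in samples[1:]:
        allowed = frac_freq_error * (t - t_ref) + noise_s
        if abs(b - b_ref) > allowed:
            alerts.append((t, b - b_ref))   # keep the old reference
        else:
            t_ref, b_ref = t, b             # consistent epoch becomes the reference
    return alerts

# Constructed sample data (assumption): 2 ns/s of honest drift, then from t=3 s
# a rebroadcast arriving over 5 miles (8046.72 m) with no processing delay.
FRAC_ERROR = 1e-8                      # assumed oscillator bound
DELAY = replay_delay_s(8046.72)
SAMPLES = [(t, 2e-9 * t + (DELAY if t >= 3 else 0.0)) for t in range(6)]

if __name__ == "__main__":
    print(f"replay delay: {DELAY * 1e6:.2f} us")
    print(f"holdover for 1 us at {FRAC_ERROR}: {holdover_s(1e-6, FRAC_ERROR):.0f} s")
    for t, jump in detect_bias_jumps(SAMPLES, FRAC_ERROR):
        print(f"t={t}s bias jump {jump * 1e6:.2f} us exceeds drift bound")
```
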

~~~
jhayward
> That only works if the spoofer is very close by. One microsecond is 1000
> feet. (Recall the "Grace Hopper nanosecond" as a start.) So, if the spoofing
> signal rebroadcast originates 5 miles away, that's 26 microseconds of delay
> right there.

I made a mistake in ambiguously referring to two things: processing delay at
the spoofer, and speed-of-light based time difference between spoof signal and
direct broadcast at the receiver.

However, I'm not aware of any crystal based clocks that are suitable for high
dynamic range G environments that would be easy to use as an independent
reference for any reasonable amount of time. They all suffer in
shock/vibration conditions, and need external conditioning to maintain longer
term stability. Maybe the military has 'em, but I guarantee they cost a lot
more than a GPS receiver.

~~~
PhantomGremlin
_They all suffer in shock/vibration conditions_

Interesting. I didn't know that.

There's a comment on another thread that someone just made:
[https://news.ycombinator.com/item?id=15007006](https://news.ycombinator.com/item?id=15007006)

 _And now you can buy a genuine atomic wristwatch._

Here's a few sentences from the linked website: _In each atomic physics unit
is a small vessel of Caesium 133, an oven to heat it to 130°C, a laser to
excite the atoms and a microwave resonator that resonates at the hyperfine
transition frequency of the atoms, 16,546,737,186,000 vibrations per hour,
with an accuracy of one 5 parts in 10^-11._
[https://www.hoptroff.com/pages/about-us](https://www.hoptroff.com/pages/about-us)

The same shock/vibration limitation probably applies to it. Still, it exists!
I think. I wouldn't spend that much money to find out if it was real.

~~~
jhayward
Some links you might find interesting:

[https://www.microsemi.com/products/timing-synchronization-systems/time-frequency-references/chip-scale-atomic-clock](https://www.microsemi.com/products/timing-synchronization-systems/time-frequency-references/chip-scale-atomic-clock)

[http://www.oewaves.com/media-events/item/50-oewaves-to-develop-an-all-optical-integrated-micro-primary-atomic-clock-ao-impac-for-darpa](http://www.oewaves.com/media-events/item/50-oewaves-to-develop-an-all-optical-integrated-micro-primary-atomic-clock-ao-impac-for-darpa)

[http://www.gps.gov/governance/advisory/meetings/2016-05/lutwak.pdf](http://www.gps.gov/governance/advisory/meetings/2016-05/lutwak.pdf)

[https://www.darpa.mil/program/micro-technology-for-positioning-navigation-and-timing](https://www.darpa.mil/program/micro-technology-for-positioning-navigation-and-timing)

I haven't seen much (haven't been looking either tho) since the Micro-PNT
program which was in 2008. Sometimes that means that things are getting
interesting, other times it's a dry hole. I'm interested in any later
developments if you know of them.

------
fooker
GPS goes wonky near the Kremlin, as every tourist knows.

------
radicaldreamer
I wonder if this played any role in the recent Navy accident. It seems there
were multiple safeguards which failed, but it would be very interesting if
there were GPS issues as well.

[http://www.cnn.com/2017/06/16/politics/us-navy-destroyer-collides-with-merchant-ship-japan/index.html](http://www.cnn.com/2017/06/16/politics/us-navy-destroyer-collides-with-merchant-ship-japan/index.html)

~~~
lisper
Unlikely. The ACX Crystal was traveling in a straight line for hundreds of
miles before the collision. Just before the collision she made a slight turn
to port in order to navigate a narrow strait. Her trajectory was entirely
consistent with her destination. There's no indication she didn't know exactly
where she was. (And I mean that literally: the ship knew where it was. The
evidence indicates that the crew was asleep.)

Reference: [http://blog.rongarret.info/2017/06/theres-something-very-odd-about-uss.html](http://blog.rongarret.info/2017/06/theres-something-very-odd-about-uss.html)

------
jorblumesea
I feel like this also tips the hand of someone trying to track Vlad down. All
you have to do is set up gps devices in/around major Russian areas (Sochi,
Moscow), and when you start seeing anomalies, he's probably nearby.

------
dba7dba
We may soon see 'inertial navigation system (INS)' to supplement GPS.

I wonder if the cost of producing/maintaining it could be lowered
significantly enough using new sensors developed for use in smartphones and
such.

------
banku_brougham
Time to break out from storage: sextant, compass, paper map, ...

~~~
jdavis703
The Navy was a couple years ahead of you, they've already started training
officers to navigate by non-electric means:
[http://www.npr.org/2016/02/22/467210492/u-s-navy-brings-back-navigation-by-the-stars-for-officers](http://www.npr.org/2016/02/22/467210492/u-s-navy-brings-back-navigation-by-the-stars-for-officers).

~~~
yborg
The fact that they stopped at all astonishes me. In a military context, it's
certainly conceivable that a ship would take some kind of battle damage that
would disable its electronic nav systems.

Middies also used to learn how to sail with canvas, did they stop that, too?

------
stevefeinstein
The takeaway I get from this is that whenever the Kremlin is attacked, they'd
rather the nearby Airports take the hit.

I guess then no one will leave, and no one will come in.

~~~
netsharc
Isn't it the other way? You're in your garden in Moscow but the GPS says
you're at the airport. A missile heading for the airport will think "I'm on
target!" as it lands on your head.

------
ericcumbee
Wasn't this part of the plot to "Tomorrow Never Dies"?

------
blibble
the plot of Tomorrow Never Dies wasn't that far fetched after all?

~~~
bald
awesome.... exactly my thought :)

------
knackery
Where is the proof that Russia is behind all this?

~~~
oneplane
On the map probably. If you wanted to do this, it wouldn't be handy to do it
in a country or for a country that actively scans for radio spoofing, jamming
or illegal use of radio bands. Considering that out of all the countries
nearby only one or two would have the means it's not hard to figure out who
would want to do this.

------
gaius
You will be relieved to know that the military is on top of this and regularly
trains for GPS jamming scenarios
[https://www.ofcom.org.uk/spectrum/information/gps-jamming-exercises](https://www.ofcom.org.uk/spectrum/information/gps-jamming-exercises)

~~~
stuff4ben
If you RTFA, you'll note that jamming is different than spoofing. And no it
doesn't make me feel relieved that the military "is on top of this". Whose
military? Why should we trust them? State actors with the capability to spoof
GPS signals can do much harm to even their own citizens.

~~~
lfam
It's not comforting, indeed.

But you should know that the various space-based positioning systems (GPS,
GLONASS, BeiDou etc) are deployed and administered by the respective
governments of their countries of origin. They were invented for the military
and can be selectively disabled or degraded for civilian users.

Does anyone think it's possible for non-governments to stand up replacements
for these systems, from either a technical or legal / political perspective?

~~~
jdavis703
It'd be very easy to make a law outlawing high-resolution satellite positioning
systems. All lawmakers would need to claim is it was a national security issue
that terrorists could use blah blah.

From a technical perspective it's not hard at all, but corporations are
probably leery of launching (no pun intended) such a business.

