GPS is routinely spoofed in the area around the Kremlin, for a couple of years already, to the great annoyance of drivers and runners. Coordinates are replaced by those of Vnukovo airport. It seems they try to prevent operations of consumer-grade drones; many of them refuse to fly near known airports.
I would like to think that, having done research on GPS spoofing and being generally interested in GPS, I would have heard of this before if it were routinely done anywhere in the world. It sounds like you don't have this from an online source but from first-hand experience. Did anyone write this up? Is there local news about it perhaps?
That does not happen all the time though. I would say geolocation works nicely pretty much all the time.
Not sure why it's not possible to order a taxi, since you're not supposed to provide your own coordinates but rather a point where you want to be picked up.
You can also check [1]:
"through a collaboration with researchers from The University of Texas at Austin, we expose the use of GPS spoofing in active Russian combat zones, particularly Syria, for airspace denial purposes. This is a capability scarcely reported in the public domain. Using data from a scientific sensor on the International Space Station (ISS), we are able to identify ongoing activity that poses significant threats to civilian airline GPS systems"
There are a number of videos on YouTube of people operating handheld Android, iOS and dedicated GPS devices near the Kremlin, showing the location displayed on the screen to be many dozens of km away. This will have a similar effect on a $1000 DJI drone.
"That's what I found out: somewhere inside the Kremlin there is (and probably is moving) a powerful transmitter. It simulates the operation of the GPS and GLONASS satellite at L1 frequencies and makes noise at L2 and L5 frequencies. "
(Spoofs civilian, blocks military)
He thinks the airport is chosen randomly, not to geo-block drones which is a bit of a strange idea.
"These coordinates can be entered directly or selected from the list offered by the device manufacturer. It so happened that in these lists for Russia appear only the centers of large cities and Airports. As you understand, Vnukovo is the first alphabetically located airport in the Moscow region. And in this version I also believe, of course."
To be fair, the report is authored by a US entity. I'm sure if they could have studied US operations without losing their funding they would have found similar deployments by US forces, albeit, I think, not as widespread. The US has always seemed to have better tech, and GPS spoofing is cheap, from what the article states, which makes it ideal for the cash-bootstrapped Russian military.
While the US can spend a lot more on its military and has a corresponding lead, the US is mostly focused on offensive technology (like its carrier groups). Russia, being geographically much closer to "enemy" territory, has a much bigger focus on defensive capabilities and excels in many areas. For example the Russian S400 air defense system is usually seen as superior to the American Patriot system.
With GPS spoofing being mostly a defensive technology it seems exactly like the thing Russia would focus on and the US would neglect.
S400 is nowhere near as good as our Aegis system. I know because I worked on it. The Patriot missile did have some spectacular fails though, where an anti-missile became confused and shot right into the ground.
Although I will give the Russians props for possibly being the first nation to land the missile back in its own tube.
https://youtu.be/gNNkRuSw_0Q?t=52
Then there's also S500 now, which can shoot down anything that flies, including stealth planes, ballistic missiles, hypersonic planes, and LEO satellites. This is a typical example of asymmetric warfare. The US spends 1.5 trillion building a super plane, Russians spend 1/1000th of that building the thing that can make use of such a plane a costly proposition (even if it can't _reliably_ shoot it down), and offers it for export eventually, too.
Just like the SR-71 that flew over Russia with impunity because they couldn't hit it if their country's life depended on it. Oh, yeah, and we built that almost 50 years ago and you still couldn't hit it today. There are stories of Russia's MiG aircraft just falling out of the sky when attempting to reach the altitude of the SR. The Russians then built the stainless steel MiG-25, which was then of course stolen and revealed just how bad the Russians are with metallurgy.
I don't see why the US would want to spoof GPS, given that it runs the constellation, and can just re-enable encryption of high precision data ruining it for everybody but the US Military.
GPS spoofing is a big part of the Bond movie “Tomorrow Never Dies”. Funny that in a movie it seemed totally fake, something invented for the plot, and yet here I see it’s a real thing.
Interesting how truth can be too much for fiction sometimes.
One thing the Manning leaks taught me is that if it can be done, it is being done. GPS spoofing is demonstrably effective at a variety of tasks including straight-up stealing military drones, therefore it is being done across the globe.
Full-blown spoofing, i.e., being able to generate a 'valid' sui generis GPS signal, is effectively ruled out by encryption.
However, a replay attack that uses a valid signal received at some other location and re-broadcast at a second place is not affected by encryption. You can imagine lots of clever ways to use a re-broadcast attack to draw a drone off course.
Sure, but one that's almost impossible to defend against. Any viable defense has to happen on the client side with something like an antenna array to distinguish broadcasts from space from replay attacks, or a clock accurate enough to detect that the broadcast time is off by dozens of microseconds and thus has to be a replay.
A detailed solution that addresses all of the stakeholder's equities in the PNT space would be welcome.
It is, however, a very long-standing issue that has been addressed by some of the best minds in physics and technology, with many billions of dollars available to them.
It depends on the quality of the IMU but yes. All US military systems use ultra-high precision IMUs and will only accept GPS corrections within the (classified) error margins of their inertial measurements. US military-grade IMUs lose precision very slowly, it is an area where they have a huge technology lead over everyone else so (ironically) they are less dependent on GPS than anyone else that might use GPS. Access to state-of-the-art IMU technology is very strictly controlled by the US.
GPS was created in part to allow the US to measure the world precisely enough in peacetime that they have an accurate model to feed their IMUs in wartime. It was never designed to be a robust navigation system even though everyone commonly uses it that way.
You can make spoofing harder. Most of these spoofing attacks target off-the-shelf drone GPS, and don't work against adversaries who plan against them.
If you want to spoof more expensive gear, like that used in commercial shipping, you do it gradually. You start by transmitting the correct coordinates and then gradually start to increase the difference between correct and false coordinates. When done gradually, an IMU can't detect GPS spoofing.
Unfortunately many otherwise good navigation systems are not doing even the bare minimum to detect spoofing. It's not the cost. Spoofing protection has not been a priority.
You can (should) throw more sensors with different characteristics at a Kalman filter for enhanced results in the presence of noise. The wiki page is actually excellent https://en.wikipedia.org/wiki/Kalman_filter
In the example presented some of the inputs could include direction finding to local broadcasters, a GLONASS receiver, a heading indicator and distance traveled odometer if we're talking a road vehicle, and many other things limited only by your imagination and resources at hand.
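The two points made in this sub-thread, fusing an independent sensor with GPS through a Kalman filter and the observation that a gradual pull-off slips past such a filter, can be shown in a small simulation. The following is an added example, not code from the thread or from any product it mentions: a scalar Kalman filter along a road in which an odometer provides the prediction and GPS the correction, with an innovation gate that rejects fixes inconsistent with dead reckoning. The noise figures, the gate width and the two spoofing tracks are constructed assumptions.

```python
import math

# Constructed parameters (assumptions for this example, not from the thread)
GPS_VAR = 5.0 ** 2      # GPS position noise variance, m^2 (5 m sigma)
ODO_VAR = 0.5 ** 2      # odometer step noise variance per update, m^2
GATE_SIGMA = 4.0        # innovation gate, in standard deviations


class OdoGpsFilter:
    """Scalar Kalman filter: odometer predicts, GPS corrects, gate rejects."""

    def __init__(self, x0, p0=GPS_VAR):
        self.x = x0          # position estimate along the road, metres
        self.p = p0          # estimate variance
        self.flags = []      # indices of GPS fixes rejected by the gate

    def step(self, idx, odo_delta, gps_pos):
        # Predict: advance by the odometer distance; uncertainty grows
        x_pred = self.x + odo_delta
        p_pred = self.p + ODO_VAR
        # Innovation (GPS minus prediction) and its variance
        nu = gps_pos - x_pred
        s = p_pred + GPS_VAR
        if abs(nu) > GATE_SIGMA * math.sqrt(s):
            # Fix is inconsistent with dead reckoning: flag it and coast
            self.flags.append(idx)
            self.x, self.p = x_pred, p_pred
            return self.x
        k = p_pred / s                    # Kalman gain
        self.x = x_pred + k * nu
        self.p = (1.0 - k) * p_pred
        return self.x


def run(gps_track, odo_delta=10.0):
    """Feed a GPS track (one fix per 10 m of odometer travel) through the filter."""
    f = OdoGpsFilter(gps_track[0])
    est = [f.x]
    for i, z in enumerate(gps_track[1:], start=1):
        est.append(f.step(i, odo_delta, z))
    return est, f.flags


def jump_track(n=40, jump_at=20, offset=30000.0):
    """Constructed: truth is 10 m/step; from step 20 GPS jumps 30 km away."""
    return [10.0 * i + (offset if i >= jump_at else 0.0) for i in range(n)]


def gradual_track(n=40, ramp=1.0):
    """Constructed: truth is 10 m/step; after step 10 GPS drifts 1 m/step extra."""
    return [10.0 * i + max(0, i - 10) * ramp for i in range(n)]


if __name__ == "__main__":
    est_j, flags_j = run(jump_track())
    est_g, flags_g = run(gradual_track())
    print("jump: rejected fixes", flags_j, "final estimate", round(est_j[-1], 1))
    print("gradual: rejected fixes", flags_g, "final estimate", round(est_g[-1], 1))
```

With the jump track every fix from the 30 km jump onward fails the gate and the estimate coasts on the odometer, staying at the true 390 m. With the gradual track the innovation never exceeds roughly 11 m against a gate of about 21 m, so no fix is rejected and the estimate is quietly pulled about 20 m past the truth, which is the failure mode the comment above describes.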
In another thread discussing BLE, you mentioned your profile contained your email addr. I checked your profile and couldn't find it -- maybe it's not made public? Would love to follow up. My email is in my profile.
The first Acura nav systems were totally GPS-free. They used gyros, compass, and speed data from the car, and managed to do pretty well. I imagine a similar system on top of GPS and perhaps even cell/wifi/radio data to get near seamless coverage with civ tech.
It depends on what you are doing. ICBMs predate GPS, so for anything flying you can fall back to the old way of comparing terrain height to known maps. This is reliable and a widely-implemented technique (at least in weaponry).
If that's not an option you can use an IMU, but because of errors adding up over time IMUs aren't all that great if you can't calibrate from time to time. Satellites do it by looking at stars, if you're a car you might look at the streets and compare them to maps.
The only things that really have fundamental problems without GPS are ships and anything that flies over water. In any other application GPS is used because it's cheap to implement and reliable, not because it's the only way to do it.
Except that "store the last known location" logic breaks ferries, towing, and other movement of the car while it's off. You need an override, or some way of deciding that, yes, this new and different location is actually sane.
And in the case of a ferry, the user is expecting to have accurate location and nav instructions very quickly after key-on as they leave the port in the new place, so that mechanism needs to make its decision pretty fast.
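The override this comment asks for, deciding quickly whether a fix far from the stored last-known location is a real relocation (ferry, towing) or a bogus fix, can be written as a small gate. This is an added example, not code from the thread or from any navigation product it mentions: fixes near the stored position are accepted immediately; a far-away fix is held until a few consecutive fixes agree with each other, so a single outlier is ignored while a consistent new location is accepted within a handful of fixes. The radii, the confirmation count and the coordinates are constructed assumptions.

```python
import math

EARTH_R_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    (lat1, lon1), (lat2, lon2) = a, b
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_R_M * math.asin(math.sqrt(h))


class KeyOnGate:
    """Decide whether fresh fixes after key-on agree with the stored position."""

    def __init__(self, stored_pos, near_m=5000.0, n_confirm=3, consistent_m=200.0):
        self.pos = stored_pos        # last trusted position (lat, lon)
        self.near_m = near_m         # fixes within this radius are accepted at once
        self.n_confirm = n_confirm   # consistent far fixes needed before relocating
        self.consistent_m = consistent_m
        self.pending = []            # far fixes that agree with each other so far

    def offer(self, fix):
        # Ordinary case: the car is where we left it, accept immediately
        if haversine_m(self.pos, fix) <= self.near_m:
            self.pos, self.pending = fix, []
            return "accept"
        # Far from the stored position: could be a ferry, towing, or a bad fix.
        # Candidates that disagree with the previous candidate restart the count.
        if self.pending and haversine_m(self.pending[-1], fix) > self.consistent_m:
            self.pending = []
        self.pending.append(fix)
        if len(self.pending) >= self.n_confirm:
            self.pos, self.pending = fix, []
            return "accept-relocated"
        return "hold"


def run_scenario(stored_pos, fixes):
    """Return the gate's verdict for each fix, in order."""
    gate = KeyOnGate(stored_pos)
    return [gate.offer(f) for f in fixes], gate.pos


if __name__ == "__main__":
    STORED = (55.0, 37.0)  # constructed stored last-known position
    # Drove off normally: fixes a few hundred metres from the stored position
    print(run_scenario(STORED, [(55.001, 37.001), (55.002, 37.001)]))
    # Ferry: consistent fixes about 33 km away, accepted on the third fix
    print(run_scenario(STORED, [(55.3, 37.0), (55.3005, 37.0), (55.301, 37.0)]))
    # Single far outlier followed by a sane fix: outlier is discarded
    print(run_scenario(STORED, [(55.3, 37.0), (55.001, 37.0)]))
    # Far fixes that jump kilometres between each other: never accepted
    print(run_scenario(STORED, [(55.3, 37.0), (55.3, 37.1), (55.3, 37.2)]))
```

With a one-second fix rate the relocation decision takes three seconds, which is the "pretty fast" requirement for leaving a port, while a lone outlier (the sort of thing a brief spoofed or multipath fix would produce) never moves the trusted position.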
Would it be possible to upgrade GPS satellites so the signal would contain digital signatures, while retaining backwards compatibility? GPS uses NMEA data messages, which are plaintext.
Perhaps there is some reserved field, or usually ignored message, that can be used to insert digital signatures. The DoD will keep the master key, so the signatures could be easily verified, but spoofing them would be nearly impossible.
All modern digital signature systems protect against replay attacks (by signing sequential counters, timestamps or other state information, or using cipher block chaining).
All of those things require some alternate source of ground truth, e.g., a trusted clock.
There is no such thing in GNSS systems. They are the ground truth. There is no way to combat a replay attack without some second source which would obviate much of what a GNSS delivers.
GPS time is monotonically increasing. If you ignore all messages with timestamps lower than the last one received, and check their digital signatures, you should be protected against replay attacks at least until the next cold restart (or GPS time counter reset, which is once in 20 years).
There are other possibilities (CTR/CFB encryption modes, relying on increasing counter and/or previous messages contents).
Or am I missing something? Could you please describe the attack vector with these assumptions?
TLDR: you essentially never see repeated time stamps.
GPS time is broadcast in the very low bit rate (50 BPS) NAV message, once every 6 seconds. In between the receiver counts at the chip rate (1023 kHz) just counting signal transitions.
A rebroadcast attack happens at the speed of light. A signal is received at Moscow airport and is beamed to the Kremlin via some alternate transport path. At the Kremlin the signal is broadcast immediately at higher power than is possible for the direct signal. This happens at the speed of light.
There is nothing you can do about this without access to a clock that is at least as precise as the GPS satellite's multi-million-dollar onboard clock, which you then somehow keep correctly synchronized at all times.
There are some things that can be done to detect rebroadcast in the RF domain by looking at time of arrival across an antenna array, but again, that's not going to happen in a cell phone or wrist appliance.
There are some techniques that are used to discern direct path signals from multipath ones which involve tracking the lower power level signals, but rebroadcasters make sure they are radiating enough power to put that technique outside the dynamic range of the receiver.
Back of the envelope. The distance between Vnukovo airport and Kremlin is 30 km, speed of light is 300,000 km/s, time delay is 10^-4 seconds. Let's say it takes the moving car 100 seconds to get from outside the jamming area to inside. So receiver clock has to drift less than that. A year is pi * 10^7 seconds, so in a year receiver clock should drift by less than pi*10^(7-4-2), or approximately 30 seconds. My wristwatch can do better.
A GPS receiver determines its position by measuring the distances to GPS satellites. Those distances are calculated from time delays. To get the delays, the receiver should know the exact time. Its own clock is not stable enough to do it, so our receiver has to determine the exact time by monitoring one more satellite than is strictly necessary, and calculating the time from that.
Now if this "exact" time suddenly jumps (compared to internal clock), it probably means that the signal is not coming directly from the satellites, but relayed from Vnukovo.
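The disagreement in this sub-thread, signed monotonic timestamps versus the observation that a relay at the speed of light never produces a repeated timestamp, and the clock-offset idea in the comment just above, can be made concrete in a small simulation. This is an added example, not code from the thread: a receiver that first applies the proposed signature-plus-monotonic-timestamp check and then watches the offset between the GPS-derived time and its own clock for a sudden jump. The signature is a stand-in HMAC with a constructed key, the 6-second message cadence and the 30 km Vnukovo-to-Kremlin distance come from the thread, and the receiver is given an ideal local clock with an assumed 20 microsecond drift tolerance between messages.

```python
import hashlib
import hmac

KEY = b"constructed-demo-signing-key"   # stand-in for a real signing key (assumption)
C_KM_S = 299_792.458                     # speed of light, km/s
RELAY_KM = 30.0                          # airport-to-Kremlin distance cited in the thread
PERIOD_S = 6.0                           # NAV message timestamp cadence cited in the thread
DRIFT_TOL_S = 20e-6                      # tolerated local-clock drift per message (assumption)


def sign(ts_s):
    """Return (message, tag) for a timestamped message; HMAC stands in for a signature."""
    msg = f"{ts_s:.6f}".encode()
    return msg, hmac.new(KEY, msg, hashlib.sha256).digest()


def genuine_frames(n):
    """Constructed: n correctly signed messages, one every PERIOD_S seconds."""
    return [sign(PERIOD_S * i) for i in range(n)]


class Receiver:
    def __init__(self):
        self.last_ts = -1.0   # highest timestamp accepted so far
        self.offset = None    # estimate of (GPS time - local clock)

    def accept(self, msg, tag, local_time):
        # Check 1 (the proposal above): valid signature and strictly increasing timestamp
        expected = hmac.new(KEY, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"
        ts = float(msg.decode())
        if ts <= self.last_ts:
            return "replay-old-timestamp"
        self.last_ts = ts
        # Check 2 (the comment above): did the implied clock offset jump more than drift allows?
        offset = ts - local_time
        if self.offset is not None and abs(offset - self.offset) > DRIFT_TOL_S:
            self.offset = offset
            return "offset-jump"
        self.offset = offset
        return "ok"


def simulate(n_direct=5, n_relayed=5):
    """Direct reception for n_direct messages, then a relay that adds RELAY_KM of path."""
    rx = Receiver()
    verdicts = []
    for i, (msg, tag) in enumerate(genuine_frames(n_direct + n_relayed)):
        ts = float(msg.decode())
        arrival = ts if i < n_direct else ts + RELAY_KM / C_KM_S
        verdicts.append(rx.accept(msg, tag, arrival))
    return verdicts


if __name__ == "__main__":
    print(simulate())
```

Every relayed message carries a valid tag and a timestamp higher than the previous one, so check 1 never fires; the only visible symptom is the roughly 100 microsecond step in the time offset when the relay takes over, which check 2 catches once and only if the local clock is stable to well under that over one message interval, which is the crux of the argument above.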
Why not? Is the original signal somehow not going through? If it does, it does not matter that the other is stronger. It will arrive later with the same timestamp.
They have mobile jammers, when Putin visits some place GPS devices there start showing near airport instead of actual location.
One guy claims he found the building with the jammer: https://www.youtube.com/watch?v=yiy2Mt79M1c (device and process are described in [1], in Russian); he uses a self-made "radar" [2].
If I understand it correctly, the spoofing works by replaying the original signal delayed in time but at a higher power so the receiver selects your better spoofed signal. I wonder if it would be possible for the receiver to compute what the appropriate signal level should be and if it is too strong that could be a way of detecting if you are receiving a spoofed signal ?
You could technically do this, but such a technology is too expensive to incorporate in civilian use receivers that have to retail for a couple bucks.
Military receivers used by the USA and NATO allies can easily detect spoofing because they listen for signals on separate frequencies reserved for military use, with higher precision. On these frequencies, all traffic is encrypted using a private key that only the DoD has access to (in theory). In this case, it is easy to detect spoofing because your enemy cannot encrypt signals using the DoD's private key (they just don't have it). If the receiver is unable to decrypt the incoming signal (key mismatch), it knows there is something fishy going on. I would also speculate there are additional countermeasures which are not publicly available.
The Kremlin is triangle-shaped: there's a river on one side with bridges at the ends (so it could be counted as a tunnel), Red Square on another (pedestrian only unless you're a member of the Victory Parade, one-way streets aside), and the third side is bordered by Mokhovaya street, which has 5 intersections with others, and you can get to the one you'd want if you've skipped your turn.
Well, GPS was spoofed for Russians during the Georgia conflict. Dudes didn't know how far into Georgia they advanced because of that, as well as multiple cases of friendly-fire. The main reason behind GLONASS...
GPS spoofing can be done as a replay attack; record the signal at the airport, rebroadcast at the Kremlin louder than the direct satellite signal and voilà, your receiver says you’re at the airport.
As it’s just a replay attack of the original signal, encryption can’t help.
> As it’s just a replay attack of the original signal, encryption can’t help.
Couldn't this be mitigated by added a nonce or using CBC within the cryptosystem? Replay attacks are well understood; I'd be surprised if any (eventual) proposal for signed/encrypted GPS didn't include something to defend against them.
As I loosely explained in another comment, you essentially never see repeats. The replay happens at the speed of light, and time stamps are broadcast once every 6 seconds at 50 BPS.
The receiver sees the rebroadcast because it captures the receiver's RF chain by being the strongest signal.
Am I the only one that finds it odd how people read and accept this capability without question, yet don't give the slightest thought to why super sophisticated Russian* state-sponsored Twitter trolls didn't bother to use a VPN to spoof their identities?
* So the media claims as a fact. Twitter itself has actually made no such claim of certainty that the "Russian trolls" are actually Russian, rather they've only said that the accounts are possibly linked, but good luck finding a news article or internet forum reader that will acknowledge this fact. This Wired article is about the only one I've come across that is truthful:
As an example of how sloppy and misleading (intentionally or not) this problem (of reporting allegations or suspicions as if they are fact) is, Wired itself made the very same mistake in an article linked from that one:
While Facebook bore the brunt of Senators' questioning, Twitter revealed some staggering statistics about Russia's organic reach on its platform last year. In just two and a half months, Russian bot accounts tweeted 1.4 million times, yielding 288 million impressions. The fact that such coordinated campaigns went unchecked underscores the value Twitter has put on free speech.
"Russian bot accounts tweeted" is a statement of fact, but the actual fact is the accounts are only suspected of being Russian
Ironically, in the very same article, they go on to acknowledge the uncertainty involved:
Facebook and other platforms used their technological prowess during the campaign to identify malicious actors and advertisers that might be connected to foreign entities, but those tools can miss the mark.
One can hardly blame the technically unsophisticated general public for taking what it reads in respectable news outlets at face value, but it's rather depressing (or extremely interesting, from a mass psychology/epistemological perspective, if you're more of a glass-half-full type of guy like me) that not only politicians but also technically sophisticated people seem to be no better in this particular case.
Of course, and this is to be expected considering the intelligence and human nature of the general public. But the behavior/beliefs on this specific topic (at least) of people on relatively much smarter forums like HN is identical to that of the general public.
Here we have a situation where people of above-average intelligence, especially technically, passionately believe something of a technical nature, and will not question it. That's the part I find absolutely fascinating within the context of the whole "fake news" discussion.
In the Balkans war, Russia was caught selling GPS spoofers to our adversaries, average price $20 to $30K. US military simply installed downward seeking GPS signal seekers on smart bombs, problem solved.
Then of course, adversaries installed GPS spoofers near hospitals, Chinese embassy, unethical targets, typical of rogue nations and despots.
Time to update the odds that the two accidents involving navy destroyers in the Malacca Strait weren't?
Mind you, this does not automatically implicate Russia; just because one report calls them pioneers doesn't mean other countries don't possess the capability, and China has more concrete issues with US naval presence there than Russia.
This does not follow. The US Navy uses very high-precision inertial navigation systems, networks of them embedded throughout the ship and measuring position independently in fact (think wisdom of crowds). External corrections are only accepted within the very small aggregate drift error. Spoofing GPS will do almost nothing to a US Navy ship, that isn't how they navigate. Hanlon's Razor applies.
The US military is very, very good at exotic inertial measurement technology, doubly so for a platform like a ship with few power/weight limitations. It is a cornerstone of their technology advantage.
I'm sure the navy is aware of the threat and has standing procedures to prevent it - afaic high-ranking officers were sacked precisely because those weren't being properly followed.
A huge container ship in a space as tight as the Malacca Strait, otoh, probably has no procedure to deal with GPS being abruptly and subtly spoofed, or even a way to detect it.