GNSS Access is the Mainstay of Modern World

In the wake of increasing spoofing and jamming attacks, all sectors dependent on GNSS could be at risk, but that does not mean that we are at risk, explains Guy Buesnel, PNT Security Technologist at Spirent Communications.

What are the reasons for increasing spoofing and jamming attacks, and what’s the economic impact of such attacks?

This is a tricky question to answer. Of the many reasons, availability and reduced cost of equipment is one of the main reasons. The technology revolution has resulted in low-cost systems such as software-defined-radios (SDRs). The code to program SDRs is available online, and even someone with practically no knowledge of GNSS can quickly build a system capable of transmitting fake signals for less than £500. The increasing commercial applications are leading to more GNSS interference and spoofing — often collaterally. The use of GNSS to monitor activities is driving some sections in society to take counter measures to protect their privacy.

Then there are criminal activities — sophisticated criminals are always on the lookout for high-valued opportunities and routinely use high-tech solutions if it gives them an edge. GNSS jamming and spoofing can give them a big advantage at a relatively low cost. For example, criminals try to defraud service providers such as Uber using GPS spoofing to create fake rides, or extend a short trip. In 2018, I took a taxi in London and noticed a cigarette lighter jammer plugged in the front of the cab. I asked the driver why he was using it, and he told me that he is trying to stop other Uber drivers from meeting up with their rides at the train station. As far as the economic impact of such attacks is concerned, while it is difficult to come up with a definite number, a 2017 UK government report estimated the cost to the economy of a five-day GNSS outage at £5.2 billion.  

Different sectors use GNSS in different ways. Does that mean we are all at risk?

We have seen several incidents of GNSS spoofing and jamming over the past few years — in the Black Sea in 2017, when over 100 commercial ships were affected, showing positions close to an airport which was on land and, in some cases, 20nm away from the actual position. Then there was the China “crop circle spoofing” case in 2019, when ships entering the port of Shanghai were affected by spoofing at the Huangpu river’s mouth. Recently, the US DoT Maritime Administration issued a revised Maritime Advisory 2020/016, warning mariners of multiple instances of significant GPS interference being reported worldwide. Such interference results in lost or inaccurate GPS signals, affecting bridge navigation, GPS-based timing, and communications equipment. The satellite communications equipment may also be impacted.

Over the last year, areas from which multiple such instances have been reported include the eastern and central Mediterranean Sea, the Persian Gulf, and multiple Chinese ports. We have also seen an increase in the number of GPS interference-related incidents reported by commercial aviation flight crews. In the UK, we even had an instance where a UAV crash was probably caused by interference — reports stated that “reversion to ATTI mode had been caused due to a mismatch between the aircraft’s GPS derived heading and its magnetic compass heading data”. This manufacturer attributed the incident to signal interference, which affected the magnetic compass.

All sectors dependent on GNSS for precise positioning or timing data are at risk , especially from collateral effects. There are targeted attacks that can cause collateral effects on a large scale, but there have been incidents on a small scale as well — attempts to spoof drones in war zones, or border patrol applications — in networks where the precise timing from GNSS is used for accurate transaction auditing. I have met hackers who sell high-value Pokemon GO accounts at inflated prices. They collect high-value monsters using sophisticated GNSS spoofing setups at home. These low-level or unstructured hackers rarely consider whether their activities could have an impact elsewhere.  Another instance of this sort of collateral damage could come from a user who installs a low powered jammer in their vehicle to prevent someone from tracking them. This kind of activity often has significant impact on other users outside their vehicle.

Resilience and robustness are two terms that are widely used, and often used interchangeably in the PNT community. Are these significantly different?

In the US, the term “resilience” is defined by a presidential directive, it’s a good definition that highlights the need for affected systems to recover following a disruptive incident. Evidence suggests that sometimes a system doesn’t recover fully following a spoofing attack, but yet may resist an attack for longer, or to a higher power level than another system. Knowing your system is important to understanding these two aspects — resistance and recovery are independent attributes.  The key question is how to value them in a meaningful way.

There are targeted attacks that can cause collateral effects on a large scale, but there have been incidents on a small scale as well — attempts to spoof drones in war zones, or border patrol applications — in networks where the precise timing from GNSS is used for accurate transaction auditing

Please tell us about your GNSS spoofing study. How will it help the commercial sector to prevent ‘zero-day exploits’?

In a nutshell, it’s the first time that there has been a study of receiver behavior under a simple spoofing/meaconing scenario. Our study took a simple but relevant set of meaconing (GPS signals are transmitted with a time delay) scenarios. It exposed three commercially available GNSS receivers that are in wide use today to these scenarios. The objective was to understand whether there were any common features evident in the behavior of the receivers, and if there were, whether there were any aspects of that behavior that could be used for detection or mitigation. It’s clear from our work that developing a test framework with these kinds of test scenarios is vital for evaluating device and system behavior. 

A ‘zero-day exploit’ is when an attack on a system occurs on the very day when a vulnerability is discovered. With spoofing, even if a system is not a target, even if the attack does not fully succeed in taking over a receiver, we see that receivers exposed to a mixture of faked and authentic GNSS signals behave in unexpected and unpredictable ways. Exposing systems and devices to simulated spoofing and interference helps to understand how they might behave under stress in the real world, which gives developers an opportunity to set up detection and mitigation schemes to protect against this kind of vulnerability.

Can your proposed spoofing test frameworks be used to drive improvements in the assessment of safety of systems?

A suitable test methodology that allows the comparison of equipment and systems in terms of performance and resilience will be the key. The need for quantitative test data in any risk assessment is critical and will help to deliver cost-effective systems that are much more robust and resilient to threats. Knowing your system, how and where GNSS is used, understanding system dependencies, understanding the likely threat environment, testing and evaluating against real-world threats, and repeating the process at regular intervals is important. Because the threat environment continues to evolve.