Novel attacks severely disrupt GPS gear used by the military, private industry.
Scientists have devised a series of novel and inexpensive attacks that can severely disrupt mission-critical global positioning systems relied on by the military and a variety of industrial players, including airlines, mining companies, and operators of hydroelectric plants and other critical infrastructure.
Unlike previous GPS attacks, the one developed by a team of scientists from Carnegie Mellon University and a private navigation company exploits software bugs in the underlying receivers. That allows the attacks to be stealthier and more persistent than earlier exploits, which primarily relied on signal jamming and spoofing. Prototype hardware that cost only $2,500 to build is able to cause a wide variety of GPS devices within a 30-mile radius to malfunction. Because many of those devices are nodes on special networks that make GPS signals more precise, the attacks have the effect of disrupting larger systems used in aviation, military, and critical infrastructure.
The PCSS, or phase-coherent signal synthesizer, that they developed simultaneously receives and transmits civil GPS signals. It carries out many of the same things done by spoofers used in earlier GPS attacks. But instead of merely providing false information designed to compromise the accuracy of the GPS readings, it includes data that exploits weaknesses in the firmware of nearby receivers, many of which use the Internet to share their readings with other machines. The success of the PCSS is the result of an almost complete lack of authentication in the devices that send and receive GPS signals.
One attack described in the paper is able to completely disable a Trimble NetRS. The $19,000 device is the single most popular receiver used for so-called differential GPS networks. Such networks are used for fine-tuning and correcting signals, and include the Continuously Operating Reference Station (CORS) and Networked Transport of RTCM via Internet Protocol (NTRIP) systems.
The "middle-of-the-earth" attack works by instructing the PCSS to set a satellite's semi-major axis to zero. That causes NetRS receivers as far away as 30 miles to use the number as a divisor when calculating the satellite's orbit. As a result, the device goes into an endless reboot loop that persists even after the incorrect data is no longer supplied.
"Our findings suggest despite the fact that GPS is an unauthenticated broadcast protocol, current receivers treat any incoming signal as guaranteed correct," the scientists wrote in a research paper. "Worse, receivers often run full OSes with network services. Together, the possibility of RF [radio frequency] and Ethernet attacks creates a large attack surface."
Journey to the Center of the Earth
In all, the scientists devised attacks that worked on the NetRS and eight other GPS receiver models, including those used by consumers, aviation pilots, and operators of industrial equipment. One such attack had devastating consequences for the Arbiter 1094B Substation Clock used as an accurate time source for equipment in electrical power stations. It used the PCSS to set the time one week beyond the current week but otherwise included all other data sent in a navigation message.
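As an added defensive illustration (not code from the paper, Trimble, Arbiter, or any other vendor), the following Python sketches the plausibility checks a receiver could apply before trusting a broadcast navigation message: it rejects a semi-major axis of zero before the orbit computation ever divides by it, and rejects a week number that disagrees with the receiver's own clock. The `Ephemeris` class, the plausibility bounds and the sample values are assumptions constructed for the example; only the gravitational constant and the 10-bit week field come from the GPS interface specification.

```python
import math
from dataclasses import dataclass

# WGS-84 Earth gravitational constant (m^3/s^2), as used by GPS receivers
GM_EARTH = 3.986005e14
# Assumed plausibility bounds: GPS sqrt(A) is about 5153.6 m^(1/2) for every satellite
SQRT_A_MIN, SQRT_A_MAX = 5000.0, 5300.0
ECC_MAX = 0.05          # assumed bound: GPS orbits are near-circular
WEEK_MODULUS = 1024     # subframe 1 carries a 10-bit week number


@dataclass
class Ephemeris:
    """Constructed subset of the broadcast ephemeris fields used in this example."""
    prn: int
    week: int        # week number as broadcast (mod 1024)
    sqrt_a: float    # square root of the semi-major axis, m^(1/2)
    ecc: float       # orbital eccentricity


def mean_motion(eph: Ephemeris) -> float:
    """n0 = sqrt(GM / A^3): the step that divides by the semi-major axis."""
    a = eph.sqrt_a ** 2
    if a <= 0.0:
        # Fail closed with a typed error instead of a ZeroDivisionError deep in the orbit code
        raise ValueError(f"PRN {eph.prn}: semi-major axis must be positive, got {a}")
    return math.sqrt(GM_EARTH / a ** 3)


def validate_ephemeris(eph: Ephemeris, receiver_week: int) -> list:
    """Return the reasons a navigation message should be discarded; empty means accept."""
    reasons = []
    if not (SQRT_A_MIN <= eph.sqrt_a <= SQRT_A_MAX):
        reasons.append(f"sqrt(A)={eph.sqrt_a} outside plausible GPS range")
    if not (0.0 <= eph.ecc <= ECC_MAX):
        reasons.append(f"eccentricity={eph.ecc} outside plausible GPS range")
    # Compare mod 1024 because the broadcast field is only 10 bits wide
    if (eph.week - receiver_week) % WEEK_MODULUS != 0:
        reasons.append(f"week={eph.week} disagrees with receiver week {receiver_week}")
    return reasons


def process_nav_message(eph: Ephemeris, receiver_week: int):
    """Gate the orbit computation on validation. Returns (mean_motion, reasons)."""
    reasons = validate_ephemeris(eph, receiver_week)
    if reasons:
        return None, reasons
    return mean_motion(eph), []
```

A real receiver would also cross-check new ephemeris data against the previous set for the same satellite and against the almanac, so that a single anomalous message cannot overwrite trusted orbit or time state.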