Yacht hijacking shows the potential power of GPS spoofing
- By Kevin McCaney
- Aug 01, 2013
A professor from the University of Texas at Austin recently used GPS spoofing to take control of a 65-meter, $80 million super yacht in the Ionian Sea to once again illustrate the potential risks of relying on Global Positioning System signals for navigation.
Todd Humphreys, an assistant professor at UT-Austin, and students from the university’s Radionavigation Laboratory used a $2,000, custom-made spoofing device to fool the yacht’s navigation system into going off course, by sending a slowly amplifying signal that gradually became stronger than the civil GPS signals the ship was using.
In a video, the team showed how the deception — which was done with the permission of the yacht’s owner — worked. One of Humphrey’s students sent faint counterfeit signals to the onboard navigation system that grew in strength until the student had control; the stealthy takeover was achieved without setting off any alarms aboard ship. The “attacker” then sent a fake signal showing a three-degree change in course. The ship’s navigation system corrected for the change, thereby deviating from its actual course and heading in the course the attacker intended.
Jamming GPS signals is the more commonly known threat (North Korea regularly jams South Korea’s GPS signals), but Humphreys and other researchers have been raising the alarm about spoofing’s potential. Last year, he and his students showed officials from the Homeland Security Department and the Federal Aviation Administration how they could use GPS spoofing to take control of drone aircraft in flight, with a kit that cost $1,000.
And spoofing could be used against any system that relies on unencrypted GPS signals, including commercial aircraft and motor vehicles. After the drone demonstration last year, at the White Sands Missile Range in New Mexico, Humphreys said spoofing could be used to direct aircraft into each other or into buildings.
The yacht attack wasn’t especially easy. Humphreys told Ars Technica that his team spent a year or two making sure their signals were aligned perfectly with what the ship’s receivers would expect. But it does show what’s possible. “You just need to have approximate line of sight visibility,” Humphreys told Ars Technica. “Let’s say you had an unmanned drone. You could do it from 20 to 30 kilometers away, or on the ocean you could do two to three kilometers.”
At the moment, spoofing seems to be rare in the real world, although it may have been used in December 2011 when Iran captured a U.S. RQ-170 Sentinel spy drone. An Iranian engineer reportedly among the team studying the captured drone told the Christian Science Monitor that Iran used a combination of GPS jamming and spoofing to gain control.
According to the engineer, jamming GPS signals forced the drone into autopilot mode, after which Iran was able send spoofed signals to get the drone to land, thinking it was back at its home base. If that’s indeed what happened — Iranian claims of high-tech success have drawn skepticism in the past — then it was a feat more difficult than what Humphreys’ team accomplished. Unlike civilian planes, military aircraft use encrypted GPS signals, but a GPS expert told Wired that jamming the signal could force an aircraft to switch from the encrypted, P(Y), code to unencrypted, C/A code, making spoofing more likely.
So what technology exists to prevent spoofing?
In a post on the UT Austin Radionavigation Lab’s website, Humphreys and two of his grad students, Kyle Wesson and Daniel Shepard, note that a number of techniques have been tried, including using multiple antennas, which can provide strong protection but which is also vulnerable to a coordinated attack.
One method gaining momentum as a practical approach, the authors write, is navigation message authentication (NMA), a technique that would encrypt the navigation message so that a receiver could verify its authenticity and that could be implemented without significant changes to the GPS Interface Specification. Galileo GNSS, Europe’s version of GPS, is considering implementing NMA.
The UT Austin team also plans to evaluate vestigial signal defense -- an approach in which a receiver constantly scans for signs of trouble -- as a practical noncryptographic approach.
Another possibility is eLORAN, an update of the obsolete LORAN (Long Range Navigation) system. LORAN, which dates to World War II, used low-frequency radio signals from fixed positions on land to aid navigation, but it was overtaken by GPS and phased out in North America a couple years ago.
eLORAN (the “e” stand for enhanced) uses long-wave radio signals and is seen as a complement to GPS, and a hedge against GPS jamming and spoofing. The U.K. has been testing eLORAN and plans to beginning deploying it in 2014, with all U.K. ports equipped with the technology by 2019.
Kevin McCaney is a former editor of Defense Systems and GCN.