Evolution of Deliberate Threats to Satellite Navigation Systems

SESSION ID: MBS-F01 #RSAC

Guy Buesnel, PNT Security Technologist, Spirent Communications plc

With acknowledgement to my colleague David DeSanto for material on responsible disclosure

Why are Satellite Navigation Systems vulnerable?

GNSS satellites orbit the earth in Medium Earth Orbits (GPS, GLONASS, Galileo, Beidou)

Transmit navigation messages to surface of Earth at low power (think 40W light bulb on satellite)

Vulnerable to specific threats due to the low RF power of the transmitted signals

Approx 12,550 miles

Overview of specific Satellite Navigation (GNSS) vulnerabilities

What are the main Satellite Navigation System vulnerabilities?

GPS Jamming

“15 of the 19 Critical Infrastructure & Key Resources Sectors have some degree of GPS timing usage”

• Power Grids

• Energy Plants

• Sub-Stations

• Air Traffic

• Maritime

• Logistics

• Transport

• ATMs

• Stock Exchange

• Internet Banking

• Core Optical NW

• Wireless Backhaul

• Broadcasting

• Data Centres

Real Life GPS jamming incidents (1)

FBI Cyber Division – Private Industry Notification October 2014

Auto thieves shipping vehicles to China used GPS jammers placed in shipping containers in an attempt to thwart tracking of the containers, according to July 2014 information from the National Insurance Crime Bureau.

In 46 reported incidents, the thieves placed one or more GPS jammers in cargo containers with stolen automobiles.

Cargo thieves in North Florida used GPS jammers with a stolen refrigerated trailer containing a temperature controlled shipment.

In this incident, the hauling tractors were swapped out by the cargo thieves. The Miami-based suspects were ultimately stopped and apprehended by the Florida Highway Patrol in mid-Florida on a routine vehicle stop - the shipment was recovered intact.

Discovered, hidden inside of the trailer’s refrigerator unit, were portable GPS jamming devices hooked unobtrusively to a battery located inside the unit.

Real Life GPS jamming incidents (2)

Commercial Aviation 2013-2016

Over 70 incidents of GPS jamming reported by pilots through NASA’s Aviation Safety Reporting System (ASRS)

One incident – Philadelphia North East Airport (PNE) – FCC Agents seized a GPS jammer from a truck driver and smashed it with a sledgehammer after numerous reports of jamming

Marseille Airport (LFML) 2016 – RNAV approaches to RWY 31L/13R and 31R/13L withdrawn due to GPS interference making them unusable

Manila Airport (NAIA) – Reports of GPS Receiver interference close to Airport by arriving/departing aircraft

Real Life GPS jamming incidents (3)

Source: http://www.gps.gov/news/ & http://www.uscg.mil/hq/cg5/cg545/alerts/0116.pdf

“This past summer, multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception. The net effect was various alarms and a loss of GPS input to the ship’s surface search radar, gyro units and Electronic Chart Display & Information System (ECDIS), resulting in no GPS data for position fixing, radar over ground speed inputs, gyro speed input and loss of collision avoidance capabilities on the radar display.”

GPS Jamming trial 2010 – Project STAVOG

1mW Jammer

• False Position

• Autopilot may turn vessel

• No Alarms

• Hazardously Misleading Information

>1mW Jammer

• Chart Displays Impacted

• AIS incorrect

• Differential GPS failure

• Sat and Voice Comms impact

• Distress System Fail

• Ship Radar and Gyro!

Source: GLA, UK

GPS jamming and unexpected behaviour

Michael Robinson – DEFCON 23, August 2015

- Knocking my Neighbor’s Kid’s cruddy drone offline

Demonstrated effect of disrupted (jammed) GPS Signal on a drone…

Noticed that the video feed from the drone started to jitter when he started to jam…

GPS Interference can cause unexpected behaviour in an unprotected system

GPS jamming doesn’t always deny GPS – sometimes it just degrades it to the point where unexpected results occur…

How clean is the GPS spectrum today?

[Figure panels: Spirent Paignton, UK; Spirent San Jose, US; German Airport; Japan]

How easy is it to get hold of a GPS jammer?

Replicating GPS Signals - Spoofing

[Figure: Authentic GPS Signals from satellites versus Faked GPS Signals; True PVT versus False PVT]

• Aim of Spoofing (1) – Deceive the receiver into believing it is at a location that is different to its true position or fool it into reporting incorrect timing pulse/information

• Aim of Spoofing (2) – Send a faked navigation message to the target device with the aim of causing a system or device malfunction

Real examples of GPS Spoofing (1)

Real examples of GPS Spoofing (2)

• Pokémon GO

From primitive to sophisticated - GPS hacking in six weeks…

How easy is it to get hold of a GPS spoofer?

Using an SDR as a GNSS Transmitter

• Low-cost Software Defined Radio boards are easy to procure – not designed for “Reverse Radio Hacking” but ideally suited as a platform to do this

• Used with Open Source Code - readily available on the internet for:

• GPS transmitter (spoofer or repeater)

• GPS Receiver (legitimate)

• Previous attempts at GPS spoofing have all used more expensive custom hardware

GNSS Segment Errors

• January 2016 - For more than five hours, the time broadcast by 15 satellites in the GPS network was 13 (or 13.7) microseconds short of standard Coordinated Universal Time (UTC)

• (the data was also months out of date and should have been rejected by receivers…)

• “GPS error caused '12 hours of problems' for companies - Thousands of users known to be affected worldwide – 12 hours of disruption occurred to users world wide including those in the telecoms and broadcast industries…”

• http://www.bbc.co.uk/news/technology-35491962

• 01 April 2014 – All GLONASS satellites started to transmit wrong broadcast messages. The satellite positions derived from these broadcast messages were wrong by up to ± 200 kilometres in x, y, z co-ordinates.

• Problems lasted for up to 10 hours. Impact on affected users was severe…

• “Bad ephemerides were uploaded to the satellites”…
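
Added example (not from the original presentation): a receiver-side plausibility check of the kind the January 2016 bullet says should have rejected the out-of-date data. The field names, both thresholds and the sample values are assumptions made for this example.

```python
from typing import NamedTuple

SECONDS_PER_WEEK = 604_800

class UtcParams(NamedTuple):
    """Broadcast GPS-to-UTC model; field names are this example's own."""
    a0: float   # constant offset term, seconds
    a1: float   # drift term, seconds per second
    t_ot: int   # reference time of week of the model, seconds
    wn_t: int   # reference week number, truncated to 8 bits

def model_age_seconds(p, week, tow):
    """Signed age of the model at receiver time (full week number, time of week).
    WN_t is 8 bits wide, so it is resolved to the week nearest the current one."""
    dweeks = ((week % 256) - p.wn_t + 128) % 256 - 128
    return dweeks * SECONDS_PER_WEEK + (tow - p.t_ot)

def check_utc_params(p, week, tow, max_age_s=14 * 86_400, max_offset_s=1e-6):
    """Return the reasons to reject the parameters; an empty list means accept.
    Both limits are assumed values for illustration, not taken from a standard."""
    reasons = []
    age = model_age_seconds(p, week, tow)
    if abs(age) > max_age_s:
        reasons.append("stale")      # reference time too far from now
    if abs(p.a0 + p.a1 * age) > max_offset_s:
        reasons.append("offset")     # sub-second GPS-UTC offset implausibly large
    return reasons

# Constructed sample values (not decoded from real broadcasts).
NOW_WEEK, NOW_TOW = 1881, 300_000
GOOD = UtcParams(a0=2e-9, a1=0.0, t_ot=319_488, wn_t=NOW_WEEK % 256)
BAD = UtcParams(a0=-13.7e-6, a1=0.0, t_ot=0, wn_t=60)  # ~29 weeks old, 13.7 us off

if __name__ == "__main__":
    for name, p in (("good", GOOD), ("bad", BAD)):
        print(name, check_utc_params(p, NOW_WEEK, NOW_TOW) or "accepted")
```

A timing receiver that fails this check can keep using the last accepted parameters and raise an alarm instead of applying the new offset.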

Mitigation Techniques – Benchmark testing

• Fixed jammer

• Moving receiver

• Receiver moves on a path directly across jammer location

• Aim: How close can the tracking receiver approach the interference source before it starts to lose accuracy? When does the receiver start outputting accurate data again?

[Figure: DUT path, 1000m either side of the Interference Source]
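
Added example (not part of the original slides): one way to score a logged run of this benchmark, reporting where the receiver under test lost accuracy on approach and where it recovered past the jammer. The log layout, the 5 m error limit, the settle count and the sample track are assumptions.

```python
def bad_fix(err_m, limit_m):
    """A sample is unusable if there is no fix (None) or the error exceeds the limit."""
    return err_m is None or err_m > limit_m

def benchmark(track, limit_m=5.0, settle=3):
    """track: time-ordered (x_m, err_m) samples; x_m is the signed along-track
    position relative to the jammer at x=0, err_m the position error or None."""
    flags = [bad_fix(e, limit_m) for _, e in track]
    if not any(flags):
        return {"lost_at_m": None, "recovered_at_m": None, "denied_span_m": 0}
    first_bad = flags.index(True)
    last_bad = len(flags) - 1 - flags[::-1].index(True)
    good_tail = track[last_bad + 1:]
    # Count recovery only if at least `settle` good samples follow the last bad
    # one, so a receiver that flaps in and out is not scored as recovered early.
    recovered = good_tail[0][0] if len(good_tail) >= settle else None
    lost = track[first_bad][0]
    return {
        "lost_at_m": lost,
        "recovered_at_m": recovered,
        "denied_span_m": None if recovered is None else recovered - lost,
    }

# Constructed run: 1000 m either side of the jammer, one sample every 100 m.
_DEGRADED = {-300: 8.0, -200: 25.0, -100: None, 0: None, 100: None,
             200: None, 300: 40.0, 400: 12.0}
SAMPLE_TRACK = [(x, _DEGRADED.get(x, 2.0)) for x in range(-1000, 1001, 100)]

if __name__ == "__main__":
    print(benchmark(SAMPLE_TRACK))
```

Comparing lost_at_m and recovered_at_m across receivers, or across firmware versions of one receiver, gives the benchmark a number to track; the constructed run shows the common asymmetry where recovery takes longer than loss.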

Evolution of GNSS hacking

Information Security categories apply to GNSS situation (Source: SANS Institute)

Unstructured Hacker

Structured Hacker

Organised crime/industrial espionage

Insider

Unfunded terrorist group

Funded terrorist group

Nation State

GNSS threat evolution has strong parallels with evolution of Information Security threats (Theunissen, 2014)

[Figure axis: Likely Severity of impact, from Low to Very High]

History within the Information Security Community

There has been much debate within the community for the past 20 years

Initially, exploits were kept hidden and sharing was limited

The emergence of online forums brought the birth of full disclosure

After several years of full disclosure, a movement began for responsible disclosure

Responsible disclosure, like full disclosure, was also met with some criticism

Nondisclosure has been practiced in recent years by a limited part of the community or by companies trying to profit off of vulnerability research

Possible framework for GNSS vulnerability reporting

To build the best possible reporting framework, there are two options:

The GNSS community can build its own solution separate from the Information Security community

It can control the reporting structure and leave the system as close to nondisclosure as possible

This may limit product vendor exposure; however, as outlined, this leads to a false sense of security

The GNSS community can leverage the infrastructure put in place by the Information Security community

Responsible disclosure is in fact the correct course of action

This will allow security researchers and product vendors to disclose vulnerabilities publicly

This will lead to community driven support in improving security within the GNSS industry

What you can do after this presentation

Next Week – Does your business use GPS for precise time or position information? Find out…

In three months – Find out how many GPS systems your business has. How many antennas are used? Where are the antennas? Do you have any mechanisms to cope if GPS is degraded or denied in any way?

Within six months – Determine which real-world threats to GPS pose the greatest threat to your organisation. Start planning an approach to increase your resilience to GPS denial or degradation. Work with your appropriate government infrastructure protection group to assure proper preparedness.