UT researchers hack yacht’s GPS system

Tucker Whatley

A team of UT researchers took control of the GPS navigation system of a yacht in the Mediterranean Sea in June without detection, causing it to veer off-course, in the process of developing anti-spoofing technology.

A group of graduate students under the guidance of aerospace engineering professor Todd Humphreys conducted this experiment to demonstrate the danger to vessels caused by “spoofing,” an electronic attack on a GPS system that tricks it into receiving an attacking signal. According to the researchers, spoofing attacks can be used to cause target ships to become lost, drift into territorial waters of an unfriendly state or even run aground in shallow waters.

“What’s most sinister is that the victim ship can hardly tell it’s being spoofed,” Humphreys said. “So it’s all the dangers you would expect from being led off course without your knowing.”

The team set the ship off course by several degrees with the custom device, which works by first receiving the same satellite signal being used by the victim ship’s GPS and copying its time signature, the code within GPS signals that indicates when a signal was broadcast from its source. Because the spoofing device must receive this same transmission, it must be relatively close to its target to initiate an attack. The device then broadcasts its own signal with the same time signature and gradually intensifies it until it overpowers the original signal. Done correctly, this transition sets off no electronic alarms.

From the deck of the ship, aerospace engineering graduate students Jahshan Bhatti and Daniel Shepard used the spoofer to manipulate the ship’s on-board GPS to falsely indicate the ship was veering a few degrees off-course, causing the crew to try to correct the yacht’s path. By doing so, the crew actually caused the ship to move increasingly further away from its intended path, while the GPS indicated that the ship was then on the correct course.

The group claims they are the first to have demonstrated a true spoofing attack. Bhatti said there have been reports of other attacks on GPS systems, but those attacks are easily detectable compared with what the UT researchers accomplished with their spoofing device, which went unnoticed.

Humphreys was inspired by a story of an American drone whose GPS navigation was supposedly tricked, though the claim may have been false. The story led Humphreys and his graduate students to research the possibility of spoofing UAVs and other devices that depend upon GPS. In the summer of 2012, the group set out to test their research publicly for the first time, receiving approval from the Department of Homeland Security.

“We expected them to turn us down flat-out,” Shepard said. “But it turns out our contact at DHS… was really excited about it.”

The group used their spoofing device to take control of a drone that was hovering in midair, fooling its autopilot into making the vehicle dive toward the ground.   

At a presentation of his research in March, Humphreys met Andrew Schofield, master of the White Rose of Drachs, who realized that his ship’s navigation system could be vulnerable to a similar type of attack. After the presentation, Schofield approached Humphreys and invited him and his team aboard the yacht to conduct a spoofing experiment.

Shepard said infrastructure is another possible target of spoofing attacks. Particularly vulnerable is the nation’s power grid, which is increasingly implementing GPS technology to more accurately meter allocations of electricity across the grid. An attacker could theoretically spoof a single monitoring station to falsify measurements, causing a transmission line to appear to need to be shut down.

“At the very least, this might cause a small-area blackout,” Shepard said. “But if you end up with a perfect storm of conditions, it might be able to cascade into something much larger, like the Northeast blackout in 2005.”

Though spoofing could cause these and other serious problems in the future to institutions that rely on GPS technology, the researchers claim that for the time being, the only groups capable of spoofing attacks are the governments of enemy states.

“It took five PhD students about five years of working on this to get the spoofer to the state it is now,” Shepard said. “At the moment, this is out of reach of your everyday Joe and the majority of terrorist organizations. But a state agency could do this.”

Though spoofing attacks can be both devastating and difficult to detect, there are several ways of defending against attacks, Bhatti said. The most effective means of anti-spoofing would be to include cryptographic signatures within GPS signals to help authenticate the source of a transmission. However, the signal format used by nearly all civilian GPS devices does not allow for digital signatures.

“We want the government to eventually update the signal to have digital signatures,” Bhatti said. “That’s the long-term solution. But of course, this is going to take a long time.”

A more short-term solution, Bhatti said, would be to use two or more antennae in tandem to determine the direction a signal is coming from, which could foil an attack if the attacker uses only one spoofing device. However, most devices don’t have room for multiple antennae, and more-sophisticated attacks could still be successful.

The introduction of new satellite navigation systems will also help defend against spoofing, Bhatti said. Currently, the only fully operational systems in the world are the American GPS system and the Russian GLONASS. As new systems come online in the future, such as the European Union’s Galileo system and China’s COMPASS, devices will be able to compare information received from each satellite system against that of other systems. Successful spoofing attacks will have to take all of these systems into account, making attacks more expensive to conduct.
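The cross-system comparison described above can be sketched as a receiver-side consistency check. This is an added example, not code from the UT researchers; it assumes the receiver exposes an independent position fix per constellation, and the 50-meter threshold, the three-epoch persistence rule and the sample track are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def first_disagreement(epochs, threshold_m=50.0, persist=3):
    """Return the epoch index at which an alarm is raised, or None.

    epochs: list of dicts mapping constellation name -> (lat, lon) fix
    computed from that constellation alone. The alarm needs `persist`
    consecutive epochs in which any two constellations disagree by more
    than threshold_m, so one noisy fix does not trigger it.
    """
    streak = 0
    for i, fixes in enumerate(epochs):
        names = sorted(fixes)
        worst = max((haversine_m(fixes[p], fixes[q])
                     for n, p in enumerate(names) for q in names[n + 1:]),
                    default=0.0)
        streak = streak + 1 if worst > threshold_m else 0
        if streak >= persist:
            return i
    return None

def constructed_track(n=20, drift_start=None, drift_m_per_epoch=15.0):
    """Constructed sample data: both fixes follow one eastward track; if
    drift_start is set, the GPS-only fix slowly drifts north from there."""
    track = []
    for i in range(n):
        lat, lon = 36.0, 18.0 + i * 1e-4
        offset_m = 0.0
        if drift_start is not None:
            offset_m = max(0, i - drift_start) * drift_m_per_epoch
        gps_lat = lat + math.degrees(offset_m / EARTH_RADIUS_M)
        track.append({"GPS": (gps_lat, lon), "GLONASS": (lat, lon)})
    return track

if __name__ == "__main__":
    print("clean track alarm:", first_disagreement(constructed_track()))
    print("drifting GPS alarm:", first_disagreement(constructed_track(drift_start=5)))
```

The check only helps while the attacker counterfeits fewer systems than the receiver compares; signals forged consistently across every constellation would pass it.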

Bhatti says that in order to develop these and other spoofing defenses further, the researchers need to continue developing spoofing technology.

“We want to develop anti-spoofing technologies,” Bhatti said. “The only way to do that was to make the spoofer. It’s sort of like a cat-and-mouse game. We build a better spoofer, [then] we build better anti-spoofing.”