Academics say they've mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations.

The research is of note because previous GPS spoofing attacks have been unable to trick humans, who, in past experiments, often received malicious driving instructions that didn't make sense or were not in sync with the road infrastructure —for example taking a left on a straight highway.

New research successfully fools humans

But a research team formed from academics from Virginia Tech and the University of Electronic Science and Technology of China, along with experts from Microsoft Research, have come with an improved method of carrying out GPS spoofing attacks that take into account the road layout.

To perform the attack researchers developed an algorithm that works in near real-time, along with a portable GPS-spoofing device that costs about $223, which can be easily attached to a car or put on a vehicle tailing the target's car at distances of up to 50 meters.

Researchers say their algorithm allows an attacker to select an area where they could lure victims.

"The algorithm crafts the GPS inputs to the target device such that the triggered navigation instruction and displayed routes on the map

remain consistent with the physical road network," researchers say. "In the physical world, the victim who follows the instruction would be led to a wrong route (or a wrong destination). "

"On average, our algorithm identified 1547 potential attacking routes for each target trip for the attacker to choose from," the research team said. "If the attacker aims to endanger the victim, the algorithm can successfully craft special attack route that contains wrong-ways for 99.8% of the trips."

Attack worked on 95% of human testers

Academics said they tested their algorithm with traffic simulators but also in the real world, in China and the US.

"38 out of 40 participants (95%) follow the navigation to all the wrong destinations," researchers explained in a paper titled "All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems."

The research team says their attacks are possible against any GPS-enabled road navigation system, such as those deployed normal cars, users' phones, couriers, or taxi sharing platforms. The attack is also successful against self-driving cars, for which the risk is even higher, as users are often more trustworthy in these types of vehicles than normal cars.

In fact, this was one of the reasons behind the research, to warn users and vendors that GPS spoofing should be taken seriously for road-based navigational systems.

GPS spoofing attacks have been first detailed in the early 2010s, and they have been deemed dangerous for air and water-based navigational systems, such as those used by planes or boats. Due to their inability to fool drivers, GPS spoofing attacks have been largely played down in the design of GPS-based navigational systems for cars.

In their paper, academics propose basic protections that could be incorporated into such systems to limit the effectiveness of such attacks in the future, especially as the automotive world is moving towards a self-driving future.

Bleeping Computer readers can find out more in the research paper, available for download here, here, and here.