Researchers have developed three attacks capable of crippling Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones.

The scenarios developed include novel remote attacks via malicious GPS broadcasts against consumer and professional- grade receivers which could be launched using $2500 worth of equipment.

A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks, security boffins from Carnegie Mellon University and firm Coherent Navigation wrote in a paper. (pdf)

The stations provide global navigation satellite system data to support "safety and life-critical applications", and NTRIP is the protocol used to stream that data online.

Together, attack scenarios created "serious ramiﬁcations to safety systems".

"Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack," the team of four researchers said.

Author Tyler Nighswander told SC that little was preventing attackers from replicating their custom spoofing hardware to launch the attacks.

"The good news is that as far as we know, we are the only ones with a spoofing device currently capable of the types of attacks," Nighswander said.

"The bad news is that our spoofer would not be prohibitively expensive and complicated for someone to build, if they had the proper skillset.

"It's difficult to put an exact likelihood on these attacks happening, but there are no huge [roadblocks] preventing it at the moment."

Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700.

Trimble was working with researchers to push out a patch for its affected products, Nighswander said.

Attacks included location spoofing in applications used by planes, cars, trucks and ships to prisoner ankle bracelets, mobile phone towers, trafﬁc lights, and SCADA systems.

It could also crash receivers used for applications from surveying to drone navigation, reset clock and open remote root shells on receivers.

Previously suggested long-term ﬁxes involving adding authentication to civilian signals or new directional antennas were important, but were not useful in the short term due to their potential lengthy deployment cycles.

The researchers said an Electronic GPS Attack Detection System (EGADS) should be deployed which could flag the noted data-level attacks, and an Electronic GPS Whitening System (EGWS) which could re-broadcast a "whitened signal" to otherwise vulnerable receivers.

The researchers said their work differed from existing GPS jamming and spoofing attacks because it detailed a larger attack surface "by viewing GPS as a computer system". This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems.

"The overall landscape of GPS vulnerabilities is startling, and our experiments demonstrate a signiﬁcantly larger attack surface than previously thought," the researchers wrote.

Attacks

The GPS data level attacks caused more damage than previous spoofing attacks and were able to trigger a remote crash of high-end professional receivers.

A second attack targeted the GPS receiver software stack, in some cases triggering another remote wipe. Vulnerabilities in the stack were present because like other critical hardware systems, receivers were treated as devices, not computers, and were rarely patched.

The third attack exploited the fact that high-level software and systems trusted GPS navigation solutions. This demonstrated how remote GPS-level attacks can ﬂow up the stack to dependent software.

It demonstrated new remote attacks against latent bugs which depend on time and date.

"For example, we show that we can permanently de-synchronise the date of Phasor Measurement Units used in [a] smart grid. We also show we can cause UNIX epoch rollover in a few minutes, and year 100,000 (the ﬁrst 6-digit year) rollover in about two days."

Generating input over radio frequency was difficult: "In particular, in order to test data-level GPS attacks via RF, we need to be able to generate and broadcast our own GPS signal just like a real satellite.

"Further, receivers have antennas that can distinguish if there are multiple signals, making it potentially possible for a receiver to detect spooﬁng. Finally, receivers are literally boxes with no programmable API."

Researchers built a "hybrid receiver and satellite in a box", or specifically a novel GPS phase-coherent signal synthesiser (PCSS) to provide more capability than previously used kit, and slashed thousands of dollars off the price tag.

It received live GPS signals and produced malicious signals in a way that would not be detected by GPS satellites.