Customer Service Center

Description A new research paper suggests that 95% of drivers would not notice if their sat-nav GPS had been spoofed – until it was too late. How much do you trust your in-car satnav system?  According to a recent experiment by Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research, people place so much faith in turn-by-turn voice instructions that they don’t notice if those instructions start to take them down the wrong route – and into possible danger. In a paper enjoyably titled All Your GPS Are Belong to Us: Towards Stealthy Manipulation of Road Navigation Systems, the team of security researchers reveal how they developed a low-cost GPS spoofing device that can remotely compromise a smartphone-based navigation app, forcing it to issue voice instructions that could take drivers into dangerous areas – without the driver noticing. 95% of drivers fooled by spoofing hack Importantly, the research team didn’t just develop a working spoofer; they also tested it (in simulated conditions) with 40 unsuspecting drivers – and found that all but two of them followed the “wrong” route without question.  With spoofing becoming a cheap and relatively easy method of hacking GNSS-based devices, this raises serious issues not just for human drivers relying on satnav systems, but also for passengers in self-driving cars, who are even more likely to leave the job of wayfinding to the vehicle. Ghost routes in the machine The hack, in this case, is based on a combination of cheap hardware components, a clever algorithm, and a human frailty: the tendency of drivers to place their trust in turn-by-turn voice instructions when driving in an unfamiliar city.  The algorithm is designed to analyse driving routes in a city and scour the geometry of adjacent streets to find other routes that would produce the same turn-by-turn instructions. Importantly, it can do this either in advance of carrying out an attack or in real time during the attack. The sub-$250 hardware setup then uses a software-defined radio to broadcast a false GPS signal to the satnav system in the target vehicle, erroneously placing it in a slightly different location from its true position, at the start of one of these “ghost” routes.  The satnav app will then issue turn-by-turn instructions that are correct for the intended route, but which, because the GPS position has been slightly altered, take the driver along different streets – potentially luring the vehicle, its occupants and its contents to an unsafe destination.  Illustration showing a “ghost route” used to divert a driver using GPS spoofing (Zeng, Liu, Chu, et al, All Your GPS Are Belong to Us: Towards Stealthy Manipulation of Road Navigation Systems, 2018) Hack works best on unfamiliar roads It’s an attack that requires certain conditions to work well. It’s more suited to dense urban areas: in the countryside it becomes difficult to find plausible “alternative” routes that produce the same turn-by-turn instructions.  It also only works when the driver isn’t familiar with the area they’re driving in (in a familiar place, it’s easy to tell when you’re being sent the wrong way), and with drivers who don’t pay a lot of attention to real-world cues like road signs and street names.  And it also only really works with satnav systems whose display presents a “first person” view of the road: a bird’s-eye view will quickly reveal that the route isn’t the one the driver intended to take. Spoofing is effective within a 50-meter range There are also some limitations around the physical capabilities of the spoofer. The researchers show that it can successfully fool a smartphone, but only within a certain range. The limit for this particular build appears to be around 50 meters, beyond which the spoofed signal risks being ignored by the target device.  However, as the researchers point out, a 50-meter range makes it perfectly possible to place the spoofing device in a vehicle following the target vehicle, or even on an overhead drone. It doesn’t have to be placed inside (or under) the target vehicle to be effective.  We know from first-hand experience that smartphones are highly susceptible to spoofed location signals. During the ION GNSS+ conference in September 2017 a leaky GPS signal generator (not a Spirent simulator) caused phones to display a date of 2014 and a location somewhere in Europe. The ease with which the phones locked on to the false signal, without raising any kind of alarm, was quite eye-opening. Would a criminal really use this kind of hack? Even given the limitations of this particular spoofing setup, it’s not hard to imagine scenarios in which it could pay off for a determined criminal.  My immediate thought was of someone hiring a car at an airport and driving into the city. In an unfamiliar car, in an unfamiliar city, they’re likely to rely heavily on satnav instructions – making them a sitting target for an attack like this.  We’ve already seen cargo thieves using GPS jammers to commandeer containers, and car thieves using them to steal cars. We’ve also seen incidents where people using GPS-based apps have been (deliberately or inadvertently) drawn to dangerous locations, including Pokémon GO players lured to a deserted parking lot and set upon by muggers, and a Hearthstone player drawn to a non-existent meetup event in a location where he felt unsafe.   It’s not a huge leap of the imagination to imagine a criminal using the kind of spoofing equipment developed by the authors of this paper to follow an expensive car or cargo shipment, divert it to a secluded location, and avail themselves of the vehicle or its contents.  Smartphone manufacturers take note GPS spoofing is getting cheaper and easier, and this paper shows that road navigation systems aren’t immune to it.   With drivers routinely using GPS-based apps for navigation, this is a vulnerability that needs to be addressed – particularly as we move towards higher levels of vehicle automation and autonomy. Makers of smartphones and other in-vehicle navigation systems should therefore be including this kind of attack in any risk assessments they carry out.  What’s the solution? The researchers offer several ideas for mitigating against this kind of spoofing attack – not all of them, by their own admission, eminently practical. Encrypting the civilian GPS signal and building roadside location-verification infrastructure are both expensive, long-term solutions – and of no use for the millions of existing devices already using the unencrypted signals.  Using other sensor inputs – like WiFi and accelerometers – to cross-check and verify location seems like a good solution, until you remember that these are also susceptible to interference and drift.   The researchers’ preferred solution – using inbuilt cameras and computer vision to verify the digital map location against observable landmarks – only works if the camera can reliably see outside the vehicle. That isn’t likely to be the case with a smartphone, although it might be part of an effective solution for self-driving cars. Trust, but verify – aka “look out of the window” In the end, as this hack relies on human flaws, including excessive trust in system-generated data and a tendency to offload cognitive work to machines, the most effective approach might simply be to educate drivers to “trust, but verify” the instructions they get from their satnav.  Of the 40 drivers who took part in the test, the two who detected the attack did so because they noticed that the road they were driving on was wider than the one shown on the map display. In maritime circles, cross-checking data from electronic navigation systems with the real environment is known as “looking out of the window” – and drivers might just have to learn to do it more often. Stay up to date with GNSS vulnerabilities Threats to GNSS-based position, navigation and timing (PNT) systems are evolving all the time. To stay up to date with the latest news on GNSS vulnerabilities, join the growing community in the GNSS Vulnerabilities LinkedIn Group. This was taken from a Blog written by Guy Buesnel who is a "PNT Security Technologist - Robust Positioning Navigation and Timing" at Spirent ​https://www.linkedin.com/pulse/gps-spoofing-attack-sends-38-drivers-wrong-way-possible-guy-buesnel/