GPS Spoofing: low-cost GPS emulator
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Alternative Title |
| |
| Title of Series | ||
| Number of Parts | 109 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/36387 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
EmulatorComputer hardwareGoodness of fitLevel (video gaming)BitMultiplication signRight angleExecution unit
01:05
Principal ideal domainTelecommunicationWordSystem programmingGame theoryPlastikkarteComputer hardwareWireless LANPhysical systemPenetrationstestAreaInformation securityCellular automatonComputer networkFirmwareSoftware-defined radioWhiteboardInformation securityVideoconferencingStatistical hypothesis testingPlastikkarteComputer hardware
02:08
Information securityLecture/Conference
02:45
Information securityMoment (mathematics)VideoconferencingLecture/Conference
03:45
Game controllerMetropolitan area networkFamilyComputer simulationLecture/Conference
04:22
Computer animationLecture/Conference
04:56
Lecture/Conference
05:24
Information securityThetafunktionPhysical systemMultiplication signCharge carrierLecture/Conference
06:23
Digital electronicsComputer hardwareInformation securityPower (physics)Computer hardwareTable (information)Physical systemInterior (topology)Connected spaceComputer fileSharewareRow (database)Computer animation
07:02
Position operatorInformationComputer hardwareInterface (computing)Cartesian coordinate systemConditional-access moduleStatistical hypothesis testingRight angleMultiplication signAndroid (robot)Social class
07:49
SharewareDisk read-and-write headVideoconferencingStatistical hypothesis testingComputer programTracing (software)
08:55
InternetworkingSharewareStatistical hypothesis testingPartition (number theory)Right angle
09:47
InternetworkingEmulatorProduct (business)CoprocessorLevel (video gaming)
10:28
Motion captureInformation securityView (database)VideoconferencingLevel (video gaming)Universe (mathematics)Internet service providerLimit (category theory)
11:16
Software-defined radioTransmitterComplete metric spaceCodierung <Programmierung>InternetworkingOpen sourceSoftwareCASE <Informatik>Software-defined radioFlow separationQuicksortAreaEmulatorSoftwareSoftware developerVideo gameServer (computing)VideoconferencingOpen sourceProjective planeDigital photographyLink (knot theory)TransmissionskoeffizientDifferential equationCompilation albumGoodness of fit
12:23
EmulatorPhysical systemInformationRange (statistics)Nichtlineares GleichungssystemMessage passingWeb pageWordData structureNichtlineares GleichungssystemComputer simulationTransmissionskoeffizientMessage passingPropagatorMultiplication signBitVideoconferencingCurveLengthWeb pageWordStatistical hypothesis testingSatelliteFrame problemDistance1 (number)MereologyVariable (mathematics)Dimensional analysisData structureBit rateInsertion lossDifferent (Kate Ryan album)Line (geometry)Slide ruleInformationSurfaceCodeComputer animation
16:26
InformationBuildingChord (peer-to-peer)InformationDisk read-and-write head
16:54
WebsiteStandard deviationFormal grammarSoftware-defined radioComputer programOpen sourceReal-time operating systemWebsite
17:24
SoftwareCodeSimulationData structureMessage passingMultiplication signComputer fileSoftwareSoftware-defined radioState of matterCodeMessage passingData structureCodePhysical systemElectric generatorSequenceMereologyWaveformSatelliteSpectrum (functional analysis)Frame problemLatent heatComputer programBit
19:17
CalculationData transmissionSoftwareMultiplicationData transmissionSatellitePropagatorMultiplication signEmulatorLength
20:03
CodeWaveformFunctional (mathematics)WaveformMultiplicationPropagatorComputer fileSoftwareWaveStatistical hypothesis testingDirect numerical simulationSoftware-defined radio
20:47
TransmissionskoeffizientSoftware-defined radioRight angleSoftwareStatistical hypothesis testingUniform resource locatorGoogle EarthReal number
21:18
MereologyDoppler-EffektMereologyCodeMultiplication signEndliche ModelltheorieDoppler-EffektOpen sourceWaveformSatelliteExtension (kinesiology)BitPhase transitionDifferent (Kate Ryan album)Task (computing)Matter waveView (database)Sampling (statistics)Form (programming)WaveCharge carrierComputer animation
22:48
SimulationSatelliteChainRight angleHoaxDifferent (Kate Ryan album)Statistical hypothesis testing
23:27
MathematicsParameter (computer programming)Theory of everythingPoint (geometry)Multiplication signRun time (program lifecycle phase)Statistical hypothesis testingVulnerability (computing)Android (robot)
24:24
Parameter (computer programming)MathematicsOrbitParameter (computer programming)Multiplication signTask (computing)Computer fileOrbit
25:17
Position operatorMultiplication sign6 (number)Right angle
25:47
SharewareOffice suiteAreaSharewareFunctional (mathematics)VideoconferencingStatistical hypothesis testingPhysical systemAreaOffice suite
27:14
Position operatorAreaStatistical hypothesis testingAreaMenu (computing)Vulnerability (computing)
27:55
Position operatorLogic gateSharewareAreaProxy serverTime zoneStatistical hypothesis testingHoaxVideoconferencingUniform resource locatorAreaVulnerability (computing)Time zoneMereology
28:26
Position operatorSharewareAreaProxy serverTime zoneStatistical hypothesis testingArea
29:00
SharewareSpywarePosition operatorAreaPresentation of a groupStatistical hypothesis testingDrum memorySlide rule
30:25
Open sourceSoftware-defined radioComputer hardwarePortable communications devicePlane (geometry)Cellular automatonPhysical systemPhysical systemOpen sourceComputer hardwarePlanningMultiplication signSoftwareDisk read-and-write headCellular automatonMessage passing
31:27
Digital signalCivil engineeringCellular automatonComputer networkMultiplicationAsynchronous Transfer ModeMessage passingUsabilityInformation securityPhysical systemComputer simulationCivil engineeringMessage passingoutputConnected spaceElectronic signaturePoint (geometry)SatelliteOnline helpMultiplication signComputer hardwareSoftware-defined radioHoaxRange (statistics)CodeResultantStudent's t-testProjective planeCartesian coordinate systemMultiplicationBimodal distributionDifferent (Kate Ryan album)Extension (kinesiology)SoftwareSoftware engineeringCellular automatonLevel (video gaming)Power (physics)AlgorithmPresentation of a groupPositional notationService (economics)Statistical hypothesis testingStatistical hypothesis testingTime zoneEmulatorSensitivity analysisImplementationInformation securityPhysical systemDigitizingSet (mathematics)TwitterFrequency
Transcript: English(auto-generated)
00:01
everybody doing? Oh, come on, that's not very enthusiastic. There are bars, you know, you can go get some beer, get that enthusiasm level back up a little bit. Yeah? All right. So our next talk is going to be about GPS. For the kids in the crowd, GPS didn't used to be
00:21
something that was on everybody's phone all the time. Used to be you had to get this big honking unit. I had one that I used for fishing that took like eight double A batteries and the battery had run out after four hours. It was crazy. Now we've got these things everywhere. So GPS is more important to all of our lives and this is going to be
00:40
really interesting to see what shenanigans we can pull with this. Let's give our next speakers a big hand. Thank you everybody. Good afternoon. Now we'd like to share with you our work on the GPS spoofing by SDR2s. We come from Qifu 360. We are
01:09
team focusing on the radio security and hardware security. During our research, we created and produced many tools and devices for both attack and defense purpose. As a
01:26
vendor of Defcon 23, we bring some of our tools here to share with you. So welcome to visit our booth. Uh I'm Yang Qing, uh the team leader of Unikong team. I'm interested
01:45
in Wi-Fi testing and uh NFC card cocking. Uh this is Hong Lin. She is a earlier USRP user in China and keep using it uh research tool. Since that time, she wrote one book
02:02
about Jinyu radio which were popular in China. Uh firstly, let's see a piece of film uh which come from uh the film uh interstellar. Sorry. Yeah. Okay. Can I show
03:06
you one more? Okay. We do more. Sorry, wait a moment. Uh in this beginning of the
04:07
story, the man is uh driving a car and following the drone. Finally, he got out the control to the drone. Today, we will share with you a simulator stor-story about the
04:21
defense tooling attacker. Uh finally, he control the drone. Uh as we all know, on the-
05:36
thank you, thank you. Uh actually uh this uh is uh first time use English to
05:44
speech, so you know uh too terrible. Uh as as we all know, on the c-c-carrier frequency, 1575, 4, uh sorry, .42 megahertz. Uh GPS has a C signal that is only for
06:11
civilian uh u- usage. Uh it doesn't need uh ose- ose- authentication, so reply attack on
06:21
can support GPS system. Uh we firstly try the reply attack. We use the uh one USRP B210, plus one uh ampere and uh and one BRC security. So BRC security is use the sup-
06:41
sup- supply power to the GPS activity atini- atina. This picture show the hardware connection. We use the demo to record the GPS signal in a file. Uh in the left picture, there's a recorder system on the out ground. Then the signal was replied from the file to
07:07
air by another hardware named BladeRF, uh this black one. Uh the cell phone Nexus 5 received the replied signal and it successful go to 3D fix. The red picture is the
07:24
interface of the GPS test class. One Android application, you can see that the time at the right down corner in 1542, which is the GPS signal's time. The time is the right up
07:41
corner is different if you see it. It is 69, which is the correct time. Now reply attack was the pro- pro- a very simple attack method. But re- re- replay attack needs to
08:00
record the sing- GPS signal. At the real position, if you want to generate a GPS signal for any position, it is not confusing. Let me see this video can play. Oh yes. Uh
08:24
this video is uh very interesting. Uh this star trace GPS signal is generated out by our program. Now let's discuss about this how to generate a self-defined GPS signal. We
08:45
generate a signal to start the log- logo. Sorry, uh replay. Left in last week,
09:28
we generate a GPS position. Uh right is be- Beijing position. Uh finally, it will be a star.
09:48
If you search GPS emulator or GPS spooling, you can find some pro- products which can generate GPS signal. They are not very expensive, but at least several thousand dollars. Uh
10:03
for example, I like- like we will have the GPS tool, which needs around 6,000 dollars. And the Navy says, a small American company pro- provides the GPS emulator be- designed on USRP. Its price is also around 5,000 dollars. So most of the famous
10:31
lab about the GPS spooling is the radio navigation lab from University Taxi at Austin.
10:41
In 2000- uh 2012, Professor Tolden, the team leader of the latest lab, gave a TD talk about how to fool GPS. This talk firstly attracted the population attention to GPS security. In the next year, after that, his team short-spoping a yacht in the sea. In 1214, they
11:13
successfully pulled out a drone. But we are not uh- navigation uh- expert- purpose. How can
11:24
we do GPS spooling? As- as the our guests, we have a several SDR ports. USRP, Blade RF, and HIC-RF. They are all popular tools in SDR area. For sort of a- source- for
11:42
software, we searched on Instagram. The first link tell us many open source pro- project about the GPS. So second one is a very good GPS receiver software beyond- uh- based on the GNG radio. We found most of the projects uh- GPS receiver and a few uh- transmitters.
12:05
The last one is uh- open source project about the GPS emulator de- developed by Jia Yue. Unfortunately, this project not uh- finished. The compilation is around several- seven- sev- seventeen percent. Finally, we decided to complete the Jia Yue
12:27
transmitter code. DIY or GPS emulator. Okay. Now let my partner Lin to introduce the technology details about the GPS spooling. Please Lin.
12:43
Hello everyone. Okay now um- let me uh- briefly introduce uh- uh- uh- uh- uh- uh- the basic principle of GPS system. There will some mathematical knowledge. Will be a little boring. But we'll insert some videos. Okay. Okay. See this picture. The long
13:12
curve in this picture is the Earth's surface. One GPS receiver is here. Suppose it can
13:21
receive four GPS satellites in the sky. The signals are transmitted by the satellites at the same time T0. And the signals go through different paths and they arrive at the receiver. The arriving time is different because the distance that the signal passed is
13:43
different. Okay so all the signals with different delays uh- mixed together and received by the GPS receiver. Now let's see some equations. Look at the first line.
14:05
Multiplying the delay time and the light speed is length of propagation path. For the left part the delay time equals the arriving time minus T0. And then equals the receiving
14:23
time plus delay 1 and minus T0. Here T means the time of receiver starting to receive. Okay for the right part. The path length equals the distance between the satellite and the receiver. The position of satellite is told by the GPS message. Okay now this
14:49
equation has four unknowns. The three dimensions, the three dimension position of satellite XYZ. The clock of the receiver which is not an accurate clock so it is also an
15:07
unknown value. Four unknowns need four equations. So one satellite gives one equation. That's why a GPS receiver needs to see at least four satellites. Okay. Um in the
15:26
four equations what are the known variables? The green part is the delays are calculated by the receiver. And the positions of the satellites and the T0 are all
15:41
derived from the GPS messages. So the key information that the GPS signal tells the receiver is when and where. Okay. And this slide shows you the structure of GPS messages. The bit rate of GPS messages is very low. Only 15 bits per second. The duration of one bit
16:06
is 20 milliseconds. And 30 bits make up one word. 10 words make up one word. The subframe, five subframes make up one page. And finally 25 pages make up the whole message which lasts 12.5 minutes. Okay. Let's see the key information. Where are
16:30
them? When is located in the head of each subframe. And the information where is inserted in subframe two and three. Called as ephemeris. Okay we have introduced the
16:49
principle. Now let's start building the signal. Firstly we need to get the ephemeris data. There are two methods. One is to download the data from website. By this way you can only get
17:06
yesterday's data. Another method is receiving the lead data from air. You can use an open source program. GNSSSDR to receive the real time GPS signal and gather fresh and
17:20
ephemeris data. This shows the received ephemeris data, the fresh data by GNSSSDR. You may not see it clearly enough. Here the time is 2015, February 18 because I ran the software at
17:45
that time. Now it's the ephemeris data file. This is the code we are using to generate the GPS signal. It's made lab code. The ephemeris data is ready. It is loaded firstly.
18:09
Secondly the program will calculate which satellite is visible in the sky. And thirdly it
18:22
generates the telegraph message. This is the code we are using to generate the GPS. This picture shows the message structure. We need to insert all the message bits into the
18:44
frame structure following the specification of GPS system. This part is are the codes generating the message. Sub-frame 1 to 5 are generated one by one. Now the messages
19:06
are still bit sequences. We should convert them to wave forms. GPS signal is BPSK modulated and with the spectrum spreading. Let's look at the principle picture again. We should
19:23
emulate the multiple satellite signals. So we need to model the signal propagation delay. The emulator software must calculate the transmission time from every satellite to the receiver. How to calculate the transmission time? We could know the coordinate of the
19:46
satellite according to the ephemeris data. But the satellite keeps moving in the sky and our earth is also rotating. So it's not easy to calculate the path length. Anyway we
20:05
don't want to go to very deep details here. This function is used to calculate the delays from multiple propagation paths and combine the signals into one wave form. So finally we generate the GPS signal and save it to a data file. We'll firstly verify it by
20:29
software. I firstly verified the signal by the GNSSDR software. It's great. The
20:41
latitude and the longitude are totally the same as I said. And then I moved to test over air. One blade RF is used as transmitter and the USRP is a receiver running with the GNSSDR software. Right? The signal over air is also correct. I can see the position
21:07
is same as I said. This picture shows the position in Google earth. Here is the location of our company. I'm very excited and start trying to spoof the real cell phones. Well,
21:27
unfortunately I failed. Which part is not perfect? I checked my code for a long time. I find I didn't perfectly model the Doppler effect. What's Doppler effect? When the signal
21:47
source is going far away from you and the wave form will be a little longer. When the signal source is going towards you, the wave form will be a little shorter. So at the receiver
22:01
side it uses the same sampling rate to sample both the two wave forms. The carrier faces and bit code faces are different. From another view to see Doppler effect, we can imagine the delay will be longer and longer if the satellite moving far from the receiver.
22:27
And the delay will be shorter and shorter if moving towards you. The wave form extension or shortening must be smooth. Okay? The face changing must be continuous. This is not an easy task. After adding the Doppler effect, we tried spoofing the cell phones
22:46
again. Try cell phone again? Yes. Great. It's okay now. Look at the signal strength. The signal from different satellite have the same signal strength. Is it strange? Right? Because
23:06
it's a fake GPS signal. Thank you. Actually we can also send them differently. It
23:23
is the test on Nexus 5 cell phone. How about Samsung Note 3? It's also spoofed successfully. Oh, sorry. The cell phone shows it located at Nam To Lake in Tibet, but it's
23:42
in Beijing actually. How about iPhone 6? Yeah. Sorry. We also tested iPhone 6. iPhone 6 positioning is much slower than other Android phones. But finally it is also located at
24:04
Nam To Lake. And another interesting point is if you enable the time auto setting, the cell phone clock will be reset at the run time, the time you give it to it. This is another important vulnerability. Time means spoofing. So we began to think that, okay, you may find
24:33
our GPS spoofing test, the date we set is always February 14, 2015. This is because the
24:42
ephemeris data file we use is gotten at that date. Okay? Can we set any time to this spoofing signal? The answer is yes. You can use the same orbit data from the same ephemeris file, but only change the time parameters. So in fact, we don't need to
25:04
download or generate the fresh ephemeris data file. We just use the same one. That's okay. See these pictures? This is an example. A cell phone in future time. On July 14, we
25:33
tested the date of the DEF CON 23. Here are the screen shots. It was changed to a future
25:40
time. Interesting, right? Okay. Now, I think you will feel a little boring. Here is a video demo. Except the cell phone spoofing, we also tested other devices. For example,
26:01
the navigation system in cars. Let's see this video. Yes. This is a common car. We transmit the signal by USRP. Now it is located in our office area. We start
26:31
transmitting our signal. Yes. Now it found the GPS channels and position is fixed.
26:48
Let's see where it is now. Thank you. So how about other devices with GPS
27:11
positioning function? Well, the next one is drones. So another spoofing target is drones. As
27:21
we all know, drones have auto navigation capability. They can fly according to the destinations that people set. Many drones have the forbidden area policy. The purpose is to avoid the risk from drone to people or to some critical facilities. So for example, the
27:43
drones engine will keep off when it detects the position is in the forbidden area. So can you imagine the story? What will happen? The first vulnerability is about bypassed
28:02
drones no-fly zone. The forbidden area policy can be bypassed. The video shows that the drone was at a forbidden location in Beijing. We give it a fake position in Hawaii. Then it was unlocked and can fly up. We give it a position, then it fly up. Is it too quick? Let's
28:42
see it again. We give it a position at Hawaii and the drone flies up. Thank you. Well, the next example is more interesting. If the drone is flying in a permitted area and we
29:08
give it a forbidden position, what will happen? Okay. The drone is flying. This is the
29:21
camera's view. We give it a forbidden position. Is that falling down? Yeah. Thank you. I
29:49
have a presentation by Michael Robinson. The title of his presentation is knocking my neighbor's kids, crudy drone offline. They will also force land to commercial drones by
30:02
sending GPS signals. I read his slides this morning. And the method he uses is to disrupt the GPS signal by sending noisy signal. So the method is different with us. Okay. So let's listen to his presentation, too, this Sunday. Okay. That's all about the, well, simple
30:31
method of GPS spoofing. Everyone only needs open source software and SDR hardware such as USRP, blade RF and head drive. They can realize GPS spoofing. This attack is very, very
30:48
low cost. Then how about the influence? It can influence the portable devices like the cell phone, the pass tracers, the navigation system in every convenience can be spoofed,
31:05
including cars, yards, even planes. And the timing system is in cellular base station and financial trading system also can be spoofed. So we think it's a big risk, needs everybody to
31:24
notice. So how to defend this attack? Usually GPS has highest priority in the positioning system. Cell phone is spoofed, even it has cellular network connection. So we
31:46
think at the application layer we suggest to jointly consider multiple positioning results, the GPS position, cellular position and also Wi-Fi position. If the device has multimode GNSS chips like the GLONASS and Beidou, it's better to joint consider all the
32:11
results together. At the GPS receiver chip set level, we propose the chip set manufacturer to use some algorithms to detect spoofing. Professor Todd's team has published several papers
32:25
about spoofing detection. People who are interested can read them as a reference. If we want to settle this matter finally, the GPS message must be upgraded. For example, at
32:40
GPS, digital signatures into the extensible GPS civil navigation telegraph that will be finally resolved this problem. So every receiver must be firstly checked this signature.
33:01
Anyway, GPS is still a great system. It provides service globally. It is very low cost and the chip set has very small size and the important point is it keeps updating so we believe security issue will be solved in future. Finally, I will say thanks to guys who
33:25
gave me great help and not our team members. Thanks to Jialing Wei who is a graduate student of Beihang University majoring in radio navigation. He launched the GPS simulator project. His code is also available on GitHub. But I want to let you notice that
33:45
this is not a completed emulator. We think it has low risk to measure it here. Secondly, thanks to who is a senior IOS radio frequency software engineer at Apple. He is also
34:01
a senior for SDR amateur. He gave me important guidance. Thank you to both guys. Thank you all. Thanks for your attention to our presentation. Does anyone have question? Range? Depends
34:29
on the hardware. If we use something like that, although the power is very small, but you know, the sensitivity of GPS signal is very, very low. So it is quite easy to make your fake
34:48
GPS trends much higher than GPS sensitivity. Yeah. If there are any more questions, could you line up right where I'm standing and use the microphone to ask your question?
35:00
Sorry. Great talk. I was wondering if you thought about using this to fuzz the implementations that people have on various chips by sending completely invalid data that would potentially do interesting stuff. Well, I didn't get your point. Please, simple.
35:21
Definitely be interesting to see how these GPS receivers respond to data that doesn't make any sense that might do various things. Okay. Okay. Thank you. Hi. You mentioned that it
35:41
could be fixed with digital signatures, but can't you spoof the GPS signal with just capturing and playing with the time offsets and playing with it. So I think digital signatures is not going to fix the problem. What do you think on this? You mean the
36:02
anti-spoofing method? At which layer? Because each satellite is transmitting the same thing and you don't have to change inside, but you just need to play with the time differences and you can just record it and replay it with the different time offsets and
36:21
you can still spoof even if the digital signatures are used. Well, you may add chips.
36:45
Okay. Thank you very much.