
GPS Spoofing: low-cost GPS emulator


Formal Metadata

Title: GPS Spoofing: low-cost GPS emulator
Alternative Title: Low cost GPS simulator: GPS spoofing by SDR
Number of Parts: 109
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
It is known that the GPS L1 signal is unencrypted, so someone can produce or replay a fake GPS signal to make GPS receivers compute wrong positioning results. Many companies provide commercial GPS emulators which can be used for GPS spoofing, but the commercial emulators are quite expensive, or at least not free. We found that by integrating some open source projects related to GPS we can produce a GPS signal through SDR tools, e.g. USRP / bladeRF. This makes the attack cost very low. It may affect all civilian-use GPS chipsets. In this presentation, the basic GPS system principle, the signal structure, and the mathematical models of pseudo-range and the Doppler effect will be introduced. The useful open source projects on the Internet will be shared with attendees.

Speaker Bios: HUANG Lin is a wireless security researcher from the Unicorn Team of Qihoo 360, China. Before joining Qihoo, she worked for the telecom operator Orange for 9 years as a wireless researcher. Her interests include security issues in wireless communication, especially cellular network security, and also other problems in ADS-B, GPS, Bluetooth, Wifi, and automotive electronics. Twitter: @huanglin_bupt. She is one of the earliest users of USRP in China, and has been active in SDR/USRP research and development since 2006. She contributed to several UMTS/LTE soft base station projects, e.g. Open Air Interface. In 2009, she wrote a free e-book for GNU Radio training, which is very popular in China.

YANG Qing is the team leader of Unicorn Team at Qihoo 360 Technology Co. Ltd. He has rich experience in the wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking, etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio. He was the first to report the vulnerabilities of the WiFi system and the RF IC card system used in the Beijing subway.
Transcript: English (auto-generated)
Everybody doing? Oh, come on, that's not very enthusiastic. There are bars, you know, you can go get some beer, get that enthusiasm level back up a little bit. Yeah? All right. So our next talk is going to be about GPS. For the kids in the crowd, GPS didn't used to be something that was on everybody's phone all the time. Used to be you had to get this big honking unit. I had one that I used for fishing that took like eight double-A batteries, and the battery had run out after four hours. It was crazy. Now we've got these things everywhere. So GPS is more important to all of our lives, and this is going to be really interesting to see what shenanigans we can pull with this. Let's give our next speakers a big hand.

Thank you, everybody. Good afternoon. Now we'd like to share with you our work on GPS spoofing by SDR tools. We come from Qihoo 360. We are a team focusing on radio security and hardware security. During our research, we created and produced many tools and devices for both attack and defense purposes. As a vendor at DEF CON 23, we bring some of our tools here to share with you, so welcome to visit our booth. I'm Yang Qing, the team leader of Unicorn Team. I'm interested in Wi-Fi testing and NFC card cracking. This is Huang Lin. She is an early USRP user in China and keeps using it as a research tool. Since that time, she wrote one book about GNU Radio which was popular in China. Firstly, let's see a piece of film which comes from the film Interstellar. Sorry. Yeah. Okay. Can I show you one more? Okay. We do more. Sorry, wait a moment. In the beginning of this story, the man is driving a car and following the drone. Finally, he got the control of the drone. Today, we will share with you a similar story about the defense tool and the attacker. Finally, he controls the drone. As we all know, on the... thank you, thank you. Actually this is my first time using English to give a speech, so you know it's too terrible. As we all know, on the carrier frequency 1575.42 MHz, GPS has a C/A signal that is only for civilian usage. It doesn't need authentication, so a replay attack can spoof the GPS system. We firstly tried the replay attack. We used one USRP B210, plus one amplifier, and one BRC security. So the BRC security is used to supply power to the GPS active antenna. This picture shows the hardware connection. We use the demo to record the GPS signal into a file. In the left picture, there's a recording system on the ground. Then the signal was replayed from the file to the air by another piece of hardware named BladeRF, this black one. The cell phone Nexus 5 received the replayed signal and it successfully got a 3D fix. The right picture is the interface of GPS Test Plus, an Android application. You can see that the time at the bottom-right corner is 15:42, which is the GPS signal's time. The time in the top-right corner is different, if you see it. It is 69, which is the correct time. Now, the replay attack is a very simple attack method. But the replay attack needs to record the GPS signal at the real position. If you want to generate a GPS signal for any position, it is not convenient. Let me see if this video can play. Oh yes. This video is very interesting. This star-trace GPS signal is generated by our program. Now let's discuss how to generate a self-defined GPS signal. We generate a signal to draw the logo. Sorry, replay. Left is last week, we generate a GPS position. Right is the Beijing position. Finally, it will be a star.
If you search for GPS emulator or GPS spoofing, you can find some products which can generate GPS signals. They are not very expensive, but at least several thousand dollars. For example, one such GPS tool needs around 6,000 dollars. And Navy says, a small American company, provides a GPS emulator designed on USRP. Its price is also around 5,000 dollars. So the most famous lab about GPS spoofing is the Radio Navigation Lab from the University of Texas at Austin. In 2012, Professor Todd, the team leader of that lab, gave a TED talk about how to fool GPS. This talk firstly attracted the public's attention to GPS security. In the next year after that, his team spoofed a yacht in the sea. In 2014, they successfully pulled out a drone. But we are not navigation experts. How can we do GPS spoofing? As you can guess, we have several SDR boards: USRP, BladeRF, and HackRF. They are all popular tools in the SDR area. For software, we searched on the Internet. The first link tells us many open source projects about GPS. The second one is a very good GPS receiver software based on GNU Radio. We found most of the projects are GPS receivers and a few are transmitters. The last one is an open source project about a GPS emulator developed by Jia Yue. Unfortunately, this project is not finished. The completion is around seventeen percent. Finally, we decided to complete Jia Yue's transmitter code, to DIY our GPS emulator. Okay. Now let my partner Lin introduce the technology details about GPS spoofing. Please, Lin.
Hello everyone. Okay, now let me briefly introduce the basic principle of the GPS system. There will be some mathematical knowledge. It will be a little boring, but we'll insert some videos. Okay. See this picture. The long curve in this picture is the Earth's surface. One GPS receiver is here. Suppose it can receive four GPS satellites in the sky. The signals are transmitted by the satellites at the same time T0, and the signals go through different paths and arrive at the receiver. The arriving time is different because the distance that the signal passed is different. Okay, so all the signals with different delays are mixed together and received by the GPS receiver. Now let's see some equations. Look at the first line. Multiplying the delay time and the light speed is the length of the propagation path. For the left part, the delay time equals the arriving time minus T0, and then equals the receiving time plus delay 1 minus T0. Here T means the time the receiver starts to receive. Okay, for the right part, the path length equals the distance between the satellite and the receiver. The position of the satellite is told by the GPS message. Okay, now this equation has four unknowns: the three-dimension position of satellite XYZ, and the clock of the receiver, which is not an accurate clock, so it is also an unknown value. Four unknowns need four equations. So one satellite gives one equation. That's why a GPS receiver needs to see at least four satellites. Okay. In the four equations, what are the known variables? The green part, the delays, are calculated by the receiver. And the positions of the satellites and T0 are all derived from the GPS messages. So the key information that the GPS signal tells the receiver is when and where. Okay. And this slide shows you the structure of GPS messages. The bit rate of GPS messages is very low, only 15 bits per second. The duration of one bit is 20 milliseconds. And 30 bits make up one word, 10 words make up one subframe, five subframes make up one page, and finally 25 pages make up the whole message, which lasts 12.5 minutes. Okay. Let's see the key information. Where are they? "When" is located in the head of each subframe, and the information "where" is inserted in subframes two and three, called the ephemeris. Okay, we have introduced the principle. Now let's start building the signal. Firstly we need to get the ephemeris data. There are two methods. One is to download the data from a website. By this way you can only get yesterday's data. Another method is receiving the live data from the air. You can use an open source program, GNSS-SDR, to receive the real-time GPS signal and gather fresh ephemeris data. This shows the received ephemeris data, the fresh data, by GNSS-SDR. You may not see it clearly enough. Here the time is 2015, February 18, because I ran the software at that time. Now it's the ephemeris data file. This is the code we are using to generate the GPS signal. It's MATLAB code. The ephemeris data is ready. It is loaded firstly. Secondly, the program will calculate which satellite is visible in the sky. And thirdly, it generates the telegraph message. This is the code we are using to generate the GPS message. This picture shows the message structure. We need to insert all the message bits into the frame structure following the specification of the GPS system. This part is the code generating the message. Subframes 1 to 5 are generated one by one. Now the messages are still bit sequences. We should convert them to waveforms. The GPS signal is BPSK modulated, with spectrum spreading. Let's look at the principle picture again. We should emulate the multiple satellite signals, so we need to model the signal propagation delay. The emulator software must calculate the transmission time from every satellite to the receiver. How to calculate the transmission time? We could know the coordinates of the satellite according to the ephemeris data. But the satellite keeps moving in the sky and our Earth is also rotating, so it's not easy to calculate the path length. Anyway, we don't want to go into very deep details here. This function is used to calculate the delays from multiple propagation paths and combine the signals into one waveform. So finally we generate the GPS signal and save it to a data file. We'll firstly verify it by software. I firstly verified the signal by the GNSS-SDR software. It's great. The latitude and the longitude are totally the same as I set. And then I moved to test over the air. One BladeRF is used as the transmitter and the USRP is a receiver running with the GNSS-SDR software. Right? The signal over the air is also correct. I can see the position is the same as I set. This picture shows the position in Google Earth. Here is the location of our company. I was very excited and started trying to spoof real cell phones. Well,
unfortunately I failed. Which part is not perfect? I checked my code for a long time. I found I didn't perfectly model the Doppler effect. What's the Doppler effect? When the signal source is going far away from you, the waveform will be a little longer. When the signal source is going towards you, the waveform will be a little shorter. So at the receiver side, it uses the same sampling rate to sample both of the two waveforms. The carrier phases and bit code phases are different. From another view of the Doppler effect, we can imagine the delay will be longer and longer if the satellite is moving far from the receiver, and the delay will be shorter and shorter if it is moving towards you. The waveform extension or shortening must be smooth. Okay? The phase changing must be continuous. This is not an easy task. After adding the Doppler effect, we tried spoofing the cell phones again. Try the cell phone again? Yes. Great. It's okay now. Look at the signal strength. The signals from different satellites have the same signal strength. Is it strange? Right? Because it's a fake GPS signal. Thank you. Actually we can also send them differently. This is the test on a Nexus 5 cell phone. How about Samsung Note 3? It's also spoofed successfully. Oh, sorry. The cell phone shows it located at Namtso Lake in Tibet, but it's in Beijing actually. How about iPhone 6? Yeah. Sorry. We also tested iPhone 6. iPhone 6 positioning is much slower than the other Android phones, but finally it is also located at Namtso Lake. And another interesting point is, if you enable the time auto setting, the cell phone clock will be reset at run time to the time you give to it. This is another important vulnerability: time spoofing. So we began to think that, okay, you may find in our GPS spoofing test the date we set is always February 14, 2015. This is because the ephemeris data file we use was gotten at that date. Okay? Can we set any time to this spoofing signal? The answer is yes. You can use the same orbit data from the same ephemeris file, but only change the time parameters. So in fact, we don't need to download or generate a fresh ephemeris data file. We just use the same one. That's okay. See these pictures? This is an example: a cell phone in future time. On July 14, we tested the date of DEF CON 23. Here are the screenshots. It was changed to a future time. Interesting, right? Okay. Now, I think you will feel a little bored. Here is a video demo. Except for cell phone spoofing, we also tested other devices. For example,
the navigation system in cars. Let's see this video. Yes. This is a common car. We transmit the signal by USRP. Now it is located in our office area. We start transmitting our signal. Yes. Now it found the GPS channels and the position is fixed. Let's see where it is now. Thank you. So how about other devices with a GPS positioning function? Well, the next one is drones. So another spoofing target is drones. As we all know, drones have auto navigation capability. They can fly according to the destinations that people set. Many drones have a forbidden area policy. The purpose is to avoid the risk from drones to people or to some critical facilities. So for example, the drone's engine will keep off when it detects the position is in the forbidden area. So can you imagine the story? What will happen? The first vulnerability is about bypassing the drone's no-fly zone. The forbidden area policy can be bypassed. The video shows that the drone was at a forbidden location in Beijing. We give it a fake position in Hawaii. Then it was unlocked and can fly up. We give it a position, then it flies up. Is it too quick? Let's see it again. We give it a position at Hawaii and the drone flies up. Thank you. Well, the next example is more interesting. If the drone is flying in a permitted area and we give it a forbidden position, what will happen? Okay. The drone is flying. This is the camera's view. We give it a forbidden position. Is that falling down? Yeah. Thank you. I have a presentation by Michael Robinson. The title of his presentation is "Knocking My Neighbor's Kid's Cruddy Drone Offline". He will also force-land commercial drones by sending GPS signals. I read his slides this morning, and the method he uses is to disrupt the GPS signal by sending a noisy signal. So the method is different from ours. Okay. So let's listen to his presentation too, this Sunday. Okay. That's all about the, well, simple method of GPS spoofing. Everyone only needs open source software and SDR hardware such as USRP, BladeRF and HackRF. They can realize GPS spoofing. This attack is very, very low cost. Then how about the influence? It can influence portable devices like the cell phone, the pass tracers, the navigation system in every conveyance can be spoofed, including cars, yachts, even planes. And the timing system in cellular base stations and financial trading systems can also be spoofed. So we think it's a big risk that needs everybody to
notice. So how to defend against this attack? Usually GPS has the highest priority in the positioning system. The cell phone is spoofed even if it has a cellular network connection. So we think at the application layer, we suggest to jointly consider multiple positioning results: the GPS position, the cellular position and also the Wi-Fi position. If the device has multimode GNSS chips, like GLONASS and Beidou, it's better to jointly consider all the results together. At the GPS receiver chipset level, we propose that the chipset manufacturers use some algorithms to detect spoofing. Professor Todd's team has published several papers about spoofing detection. People who are interested can read them as a reference. If we want to settle this matter finally, the GPS message must be upgraded. For example, adding digital signatures into the extensible GPS civil navigation telegraph will finally resolve this problem. So every receiver must firstly check this signature. Anyway, GPS is still a great system. It provides service globally. It is very low cost, the chipset has a very small size, and the important point is it keeps updating, so we believe the security issue will be solved in the future. Finally, I will say thanks to the guys who gave me great help and are not our team members. Thanks to Jialing Wei, who is a graduate student of Beihang University majoring in radio navigation. He launched the GPS simulator project. His code is also available on GitHub. But I want to let you notice that this is not a completed emulator. We think it has low risk to mention it here. Secondly, thanks to who is a senior iOS radio frequency software engineer at Apple. He is also a senior SDR amateur. He gave me important guidance. Thank you to both guys. Thank you all. Thanks for your attention to our presentation. Does anyone have a question?

Range? Depends
on the hardware. If we use something like that, although the power is very small, you know the sensitivity of the GPS signal is very, very low. So it is quite easy to make your fake GPS strength much higher than the GPS sensitivity. Yeah.

If there are any more questions, could you line up right where I'm standing and use the microphone to ask your question?

Sorry. Great talk. I was wondering if you thought about using this to fuzz the implementations that people have on various chips by sending completely invalid data that would potentially do interesting stuff.

Well, I didn't get your point. Please, simple.

Definitely be interesting to see how these GPS receivers respond to data that doesn't make any sense, that might do various things.

Okay. Okay. Thank you.

Hi. You mentioned that it could be fixed with digital signatures, but can't you spoof the GPS signal with just capturing and playing with the time offsets and playing with it? So I think digital signatures are not going to fix the problem. What do you think on this?

You mean the anti-spoofing method? At which layer?

Because each satellite is transmitting the same thing and you don't have to change inside, but you just need to play with the time differences and you can just record it and replay it with the different time offsets, and you can still spoof even if the digital signatures are used.

Well, you may add chips.

Okay. Thank you very much.
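The positioning principle the talk walks through (one pseudorange equation per satellite, four unknowns: receiver X, Y, Z and receiver clock error) and the application-layer defence it suggests (cross-check the GPS fix against an independent cellular or Wi-Fi position) are shown together below as an added worked example. This is not the speakers' MATLAB emulator code nor any project's code; it solves the four unknowns by the standard iterative least-squares (Gauss-Newton) method, which the talk does not spell out. The satellite coordinates, the receiver position, the 100 µs clock bias and the 5 km plausibility threshold are all constructed assumptions, not real ephemeris.

```python
import math

C = 299_792_458.0                   # speed of light, m/s
GPS_ORBIT_RADIUS_M = 26_560_000.0   # approximate GPS orbital radius (assumption)
EARTH_RADIUS_M = 6_371_000.0        # mean Earth radius (assumption)

# Constructed scenario (not real ephemeris): four satellites on the orbital sphere,
# all in the hemisphere above a receiver sitting on the +x axis of an ECEF-like frame.
_S = GPS_ORBIT_RADIUS_M
SATELLITES = [
    (_S, 0.0, 0.0),
    (_S * 0.70710678, _S * 0.70710678, 0.0),
    (_S * 0.70710678, 0.0, _S * 0.70710678),
    (_S * 0.70710678, -_S * 0.5, -_S * 0.5),
]
TRUE_RECEIVER = (EARTH_RADIUS_M, 0.0, 0.0)  # constructed "real" receiver position
TRUE_CLOCK_BIAS_S = 1e-4                    # constructed receiver clock error (100 us)


def distance(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def measured_pseudoranges(sats, rx, clock_bias_s):
    """The talk's first equation, noise-free: c*(t_arrive - T0) = |sat - rx| + c*dt_rx.
    The receiver measures the left side; |sat - rx| and dt_rx are what it must solve for."""
    return [distance(s, rx) + C * clock_bias_s for s in sats]


def _solve_linear(A, b):
    """Gaussian elimination with partial pivoting for a small square system A x = b."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        if abs(p) < 1e-12:
            raise ValueError("degenerate satellite geometry")
        for r in range(n):
            if r != col:
                f = M[r][col] / p
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def solve_position(sats, rhos, iterations=20, tol_m=1e-4):
    """Recover (x, y, z) and the receiver clock bias from >= 4 pseudoranges.
    Unknown vector is [x, y, z, c*dt]; each iteration linearises the range equations
    about the current estimate and solves the normal equations H^T H dx = H^T r."""
    if len(sats) < 4:
        raise ValueError("four unknowns need at least four satellites")
    x = [0.0, 0.0, 0.0, 0.0]  # start at Earth's centre with zero clock bias
    for _ in range(iterations):
        H, r = [], []
        for s, rho in zip(sats, rhos):
            d = distance(s, x[:3])
            # partial derivatives of the predicted pseudorange w.r.t. x, y, z, c*dt
            H.append([(x[0] - s[0]) / d, (x[1] - s[1]) / d, (x[2] - s[2]) / d, 1.0])
            r.append(rho - (d + x[3]))  # measured minus predicted
        m = len(H)
        HtH = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(4)] for i in range(4)]
        Htr = [sum(H[k][i] * r[k] for k in range(m)) for i in range(4)]
        dx = _solve_linear(HtH, Htr)
        x = [xi + di for xi, di in zip(x, dx)]
        if max(abs(d) for d in dx) < tol_m:
            break
    return tuple(x[:3]), x[3] / C


def fix_is_plausible(gps_xyz, coarse_xyz, max_separation_m=5_000.0):
    """Application-layer check suggested in the talk: distrust a GPS fix that disagrees
    with an independent cellular / Wi-Fi estimate. The 5 km threshold is an assumption."""
    return distance(gps_xyz, coarse_xyz) <= max_separation_m


if __name__ == "__main__":
    rhos = measured_pseudoranges(SATELLITES, TRUE_RECEIVER, TRUE_CLOCK_BIAS_S)
    pos, bias = solve_position(SATELLITES, rhos)
    print("solved position (m):", pos, "clock bias (s):", bias)
    tower = (EARTH_RADIUS_M, 1000.0, 0.0)  # constructed cell-tower position estimate
    print("genuine fix plausible:", fix_is_plausible(pos, tower))
    print("antipodal spoofed fix plausible:", fix_is_plausible((-EARTH_RADIUS_M, 0.0, 0.0), tower))
```

The solver starts from the Earth's centre, as receivers commonly do, and converges in a handful of iterations because the range equations are smooth; with more than four satellites the same normal-equation step gives a least-squares fit, and its residual is the simplest spoofing indicator a chipset can compute (a consistent fake constellation, as in the talk, will also give a small residual, which is why the cross-check against a non-GNSS position is the stronger defence at the application layer).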