Low cost SDR-based GPS spoofing!

Oh, crap. Better pick up one of these:

 


I wonder if this could create major issues with the current FAA plan to rely on GPS almost exclusively. I know eLoran is in the works, but that could take years.
If creating a DIY GPS spoofer becomes as trivial as the current SDR ADS-B receiver, it might rival lasers as a nuisance, with potentially far worse consequences.



There is no plan to "rely on GPS exclusively" when you dig into the standards docs. ADS-B is an add-on to radar and can not replace things radar does that it can't, mainly because the data can be spoofed.

It'll take an expensive upgrade to ADS-B many years hence to add encryption and non-repudiation protection. That will require a key store run by government(s), and a secure delivery method that will only allow a single transmitter to contain a single private key. Or a way to register a public key paired to a private one in each unit.

It'll probably also require the same tech on the data bus between the GPS and the ADS-B transmitter, judging by the concerns lately about "non-certified GPS sources".

Without those pieces in place, the data coming from any unknown ADS-B transmitter is as likely to be fake as real.

The 2020 mandate has no provision for anything like that, so don't expect ADS-B to be primary any time soon. Unless they're totally insane.

For the record, it's possible to generate false primary and secondary radar targets also, but the barrier to entry in both knowledge level and technology cost is much higher.

Costs will continue to fall on both technologies but ADS-B is always going to be cheaper and simpler to grok for even a low level software writer. Especially with the amount of source code already available to look at for examples on the receiving side.

Seeing that she's a wireless security engineer wasn't a surprise. She knew all the basic concepts of twiddling the same types of common SDR code bases to muck with WiFi, Cellular, etc. ADS-B is no particular stretch for someone doing that daily.

A few of those "someones" publish their work as open source, and it's out there for even a poor coder to figure out. (One of the pluses and minuses of open source.)
 

I may be missing something, but my point had little if any to do with ADS-B, and was focused only on GPS. The FAA has added tons of GPS approaches and is effectively phasing out most of the others. Enroute navigation by VOR waypoints is also dying out. Yes, some ILS's will remain, but everything is moving to GPS, pretty much.
Now consider what happens when a kid/nut/terrorist uses a home-brewed SDR GPS spoofer like the one in the article to mess up the LPV approaches at his nearby airport, or enroute navigation overhead his house.
The GPS system, as neat and practical as it is, is insecure and extremely vulnerable to spoofing or jamming. As I noted above, eLoran may be down the road as backup, but still very far off.
 
So here is a picture of that Lin Huang chick that wrote the article. I would totally hit that.

 

Just for the record, the SDR "spoofer" isn't capable of spoofing GPS, just ADS-B. Spoofing GPS, while possible, isn't easy and requires matching the spoofed receiver's position initially (ironically this is made a little easier by ADS-B). Plus you can only do this with one airplane within range of your spoofing transmitter and every other airplane in the vicinity will either lose GPS lock completely or "jump" to the same spoofed position.
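
The side effect described in the post above (other receivers in range "jump" to the same spoofed position) can be checked for on the ground, because ADS-B position reports carry each aircraft's own GPS fix. The following is an added example and not part of the original post; the report tuple layout, the speed and radius thresholds, and the sample data are constructed assumptions.

```python
import math
from collections import defaultdict

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

# Constructed sample reports, not real traffic: (time_s, icao24, lat_deg, lon_deg)
REPORTS = [
    (0, "a1b2c3", 39.80, -104.90), (10, "a1b2c3", 39.81, -104.90),
    (20, "a1b2c3", 39.5000, -104.6000),   # implausible jump
    (0, "d4e5f6", 39.90, -104.700), (10, "d4e5f6", 39.90, -104.715),
    (20, "d4e5f6", 39.5001, -104.6001),   # jumps to the same spot
    (0, "0a0b0c", 39.700, -105.0), (10, "0a0b0c", 39.708, -105.0),
    (20, "0a0b0c", 39.716, -105.0),       # normal track
]

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def find_jumps(reports, max_speed_kt=700.0):
    """Return (icao, t, lat, lon) for fixes implying a speed above max_speed_kt."""
    tracks = defaultdict(list)
    for t, icao, lat, lon in reports:
        tracks[icao].append((t, lat, lon))
    jumps = []
    for icao in sorted(tracks):
        fixes = sorted(tracks[icao])
        for (t0, la0, lo0), (t1, la1, lo1) in zip(fixes, fixes[1:]):
            if t1 <= t0:
                continue  # repeated timestamp: no speed can be derived
            speed_kt = haversine_nm(la0, lo0, la1, lo1) / (t1 - t0) * 3600
            if speed_kt > max_speed_kt:
                jumps.append((icao, t1, la1, lo1))
    return jumps

def shared_jump_targets(jumps, radius_nm=0.1, window_s=5):
    """Group jumps landing within radius_nm and window_s of each other."""
    clusters = []  # each cluster is anchored on its first jump
    for j in sorted(jumps, key=lambda x: x[1]):
        for c in clusters:
            _, t0, la0, lo0 = c[0]
            if j[1] - t0 <= window_s and haversine_nm(la0, lo0, j[2], j[3]) <= radius_nm:
                c.append(j)
                break
        else:
            clusters.append([j])
    groups = [sorted({j[0] for j in c}) for c in clusters]
    return [g for g in groups if len(g) >= 2]  # 2+ distinct aircraft only
```

A single implausible jump can be a decoding error or a faulty unit; two or more distinct aircraft landing on the same point at the same moment is the stronger indicator.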
 

Not sure why people are focusing on ADS-B...
This article is about GPS spoofing, nothing to do with ADS-B.
See the Forbes article here and the presentation here.
This is all about creating false GPS signals from fake satellites and transmitting it via low cost SDR.
The Iranians presumably used expensive gear to bring down that drone, here the idea is to use low cost readily available hardware and software to create fake GPS signals.
 
Oops, you're right, that presentation was about generating false GPS signals and generating a seemingly valid position solution for a cellphone.
I guess I should have read the original linked presentation instead of replying to the subsequent posts.

OTOH, I suspect that spoofing a distant aircraft's WAAS GPS receiver would be a bit more challenging on several fronts. And WRT the Iranian drone takedown, I find that story to be hard to believe given that the military uses encrypted GPS signals.
 

Good point regarding WAAS, I think the Chinese group did not spoof that part, or at least I can't find that in their presentation. OTOH, as I understand it, WAAS data comes from an extra satellite broadcast on the same frequency as all the rest, not encrypted in any special way, and it's essentially a list of error corrections, which presumably could be set to 0 or some low value. So it would probably be easier to create than the rest of the spoofing job, which they seem to have mastered if you read their presentation.
Regarding the military encryption aspect, I don't know enough about this, but can only assume that if the GPS signals are jammed (overwhelmed) by false signals that seem like real but lack the encrypted part (which our civilian units don't use), this could cause an autonomous aircraft to use this signal as "better than nothing" (the other option would be to self-destruct, I suppose). I know the drones are claimed to have inertial nav capabilities, but we know as bottom line that the Iranians seem to have captured that drone pretty much intact, and it's unlikely they used a big butterfly net. :)
(In any case the encryption aspect is irrelevant to civilian aviation.)
 