CyberWire Daily - Driving GPS manipulation. [Research Saturday]

Episode Date: October 13, 2018

Researchers at Virginia Tech investigate possible ways to manipulate GPS signals and send drivers to specific locations without their knowledge. Gang Wang is Assistant Professor of Computer Science at Virginia Tech, and he joins us to share his team's findings. The original research can be found here: https://people.cs.vt.edu/gangwang/sec18-gps.pdf

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:20 So as you might know, GPS is one of the most important global positioning systems we're using today. That's Gang Wang. He's an assistant professor of computer science at Virginia Tech. The research we're discussing today is titled All Your GPS Are Belong To Us:
Starting point is 00:03:33 Towards Stealthy Manipulation of Road Navigation Systems. There are over a billion GPS devices that depend on the GPS signals to locate themselves in different places all over the planet. So for example, when you wanted to travel to a new city and I wanted to go certain places, what you really do is to open your smartphone and set the destination. And then it comes of navigation route. So the GPS help the navigation system to keep track of where you are and try to navigate step by step to your final destination.
Starting point is 00:04:13 So there are over millions of users who are using GPS every day. So that's why we start to look at, hey, how it is possible, whether it is possible to launch attack against our GPS and manipulate the on-road navigation system, and how can we prevent this type of attacks from happening in practice. So let's go through just some of the basics here. Can you describe to us, how does the GPS system work? At a very high level, so GPS depends on the satellites that are running around our planet. So a GPS device, for example, your smartphone, receives the GPS from multiple satellites and calibrate the GPS signal reading so that it can uniquely position yourself to a coordinate
Starting point is 00:04:59 on this kind of location system. So you know where you are and it's based on the GPS coordinates. So you're receiving multiple signals and it kind of triangulates your position based on the timing of those signals. Is that a simplified way to view it? Yeah, that's correct. And there are two flavors of GPS, I suppose. I mean, there's the consumer version and the military version, and one of them is encrypted, right?
Starting point is 00:05:30 That's correct. GPS has a civilian GPS, which is mostly the GPS devices we're using today, and there's a military version. The military version, as you might expect, has a much higher level of security. They have encryption, the authenticated sources, but for most of the civilian GPS we're using, it is completely encrypted and has a lack of authentication mechanism, which makes it vulnerable to spoofing. One additional note is that civilian GPS is not just used by consumers like you and me, but actually used by most of the infrastructures like the power grid. So they don't have the privilege to use the military version. They still have to use the civilian version of the GPS. Now, GPS spoofing attacks have happened prior to your research. Can you describe to us
Starting point is 00:06:17 what have other people done there? That's true, right? So a GPS signal, especially the civilian GPS signal, can be manipulated because there's a lack of authentication, there's a lack of encryption. Previously, researchers have tried to spoof devices or GPS devices in the free space. So, for example, one researcher tried to spoof a GPS device on the boat, on the ship, and try to steer the navigation of the yacht. And then there's other researchers try to spoof GPS on the drones, try to change it as kind of a flying route in the air. So the big differences between spoofing in the free space and spoofing on the road navigation system is that on the road, we have
Starting point is 00:07:06 much more constraints. So there's certain things you cannot do. For example, if you just spoof a GPS randomly, you can easily create a route that instructs the car to turn right where there's no right turn at that moment. So you can easily create physically impossible routes, which is not a problem in the free space. Right. So if you're out on the ocean or in the sky, there's no points of reference to indicate that maybe you're, that something's wrong with the directions that you're getting and you can turn anywhere. That's correct. Right. All right. So let's dig in here. What were you setting out to do here with the research? Walk us through it.
Starting point is 00:07:46 It's pretty complicated and clever stuff. So in order to understand how feasible it is to manipulate a road navigation system, we actually take multiple steps to understand the problem basically step by step. In the beginning, so we came up with this idea of how can we manipulate the navigation without even alerting users. I can give a very quick example here. So if you wanted to randomly spoof a GPS location and by setting the current device's location to a random place, that caused problems because, as I said, this can easily create a route that does not match what a user sees. So for example, when the users in the
Starting point is 00:08:32 car are looking at a completely straight road, and the fake route you created using the spoofing techniques might have a right turn right in front of her. And if that right turn instruction is triggered, then the user gets immediately alerted. They say, hey, what I see is not the same with what is illustrated on the map. There must be something going wrong. So instead, we design a searching algorithm to search the map overlay or map network and try to find a fake route that matches with what user sees in the physical world. So for example, the end result is that even when a user is driving on the main street, he thought he was driving on the Fifth Avenue because when there's an instruction to ask him to turn right, there's exactly a right turn waiting there on the main street.
Starting point is 00:09:27 So that's sort of the high-level idea of it. So one of the things that it's relying on is the fact that someone would likely not be very familiar with the area in which they're driving. So they might not be cross-checking street names and things like that. That's correct. So the searching algorithm will be able to find a road that match the shape of the fake road, which means the right turn matches right turn and there's a highway and hopefully there's another highway we can match against it. But there's certain things we cannot match. For example, if the real road has a gas station nearby, but on the map, the alternative fake route does not have a gas station, that could be a potential signal to give this attack away.
Starting point is 00:10:13 So a user might be able to see it. So the reason, based on our testing, it shows that a user is not easy to detect this is exactly because of what you said. When people are driving using GPS, they're typically driving in unfamiliar areas. So for example, if you commute from home to work, it's actually pretty common for you to ignore the GPS, just choose the route you're already familiar with. However, if you travel in a new city that you've never been before and you actually heavily rely on the GPS navigation to navigate to your destination. Again, because you're not familiar with the area, you rely on GPS. So at that moment, rarely can a user have enough attention span to cross-check whatever on the road and on the map. So because everything happens in real time,
Starting point is 00:11:05 you have to watch out the traffic, and usually the only thing you can focus on is whether the GPS should tell you to turn right or not. And because of that, it's actually hard to spot while in practical scenarios. Yeah, and I suppose this is something that people aren't really primed to look out for. I think in general, we trust the GPS is going to be reliable.
Starting point is 00:11:28 That's correct. If there's some familiarity on the road and you could spend extra time to check whether the road sign matches what is shown on the map, actually this risk could be significantly reduced. Now, take us through what exactly did you do in the physical real world to be able to spoof the GPS signal? So this is actually one of the fun parts of this project. You know, although we sort of described how the algorithm works, so everything is still in the simulation stage. So my collaborators and I think about taking this to the next level.
Starting point is 00:12:07 So we try to understand whether this is actually physically possible. So the way we do it is to build a very low cost portable spoofer. So the spoofer is actually in total just cost $200-ish and include a software defined radio, which is the main device to generate the fake GPS signal. And we have a Raspberry Pi, which is kind of, you can think of that as a mini computer that we can program and we can remote control through the cellular network. And then there's a portable power, which is really small, can hold the portable device for several hours or even days. And then there's a TAN to try to control the power of the signal based on our need.
Starting point is 00:12:54 So in total, all those kind of devices put together cost exactly $223. Everything is widely available online and nothing is restricted. And all the software and hardware is actually all open source projects. So this basically means anyone can build a spoof like this. And it's small, too. This is the kind of thing where theoretically, I mean, you could see someone be able to, you know, in a James Bond kind of way, stick this to the inside wheel well of a car or something like that? Yeah, so we actually try to use some kind of standard object to illustrate how big it is.
Starting point is 00:13:33 So what we did is we put a pen beside of it and actually it looks exactly like the size of a pen. Of course, it's a square shape. So this is something you can really put in your pocket if you want. Yeah. So take us through, I mean, you successfully take over the GPS signal. You convince the GPS receiver that you are the satellite constellation.
Starting point is 00:13:57 Then what happens? So before I talk about that part, I want to say that it actually takes us quite some efforts to receive the approval to do this type of experiment. Actually, in the US, there's very strict restrictions from performing any kind of spoofing experiment in the outdoor space. So we actually have to rely on some of the collaborators outside of US to perform the actual experiments. So once we start the spoofer, and the spoofer can slightly increase the signal strength so that from the GPS device point of view,
Starting point is 00:14:32 there's multiple sources, and there's one source has slightly different power, and their default setting is basically fall back to some higher power devices. So once our devices take over the lock of the targeted GPS device, now we actually can set arbitrary GPS locations
Starting point is 00:14:52 for that device. For example, we want the targeted smartphone to be set on Times Square. We can do that by changing the parameters in our spoofer so that the signal will tell the GPS device that, hey, you are in the Times Square.
Starting point is 00:15:09 So then once we can control their GPS signals, the next thing is basically carefully tuning the algorithm to generate the fake GPS signal so that we can trigger the navigation system to generate a fake route. And what happened is that the driver potentially would follow the step-by-step navigation triggered by the fake GPS signal and all the way driving to the wrong destination compared to his original one. So as an attacker, you might also can set up a predefined location to say, hey, I want this driver to drive to that particular location. And this is highly feasible given our experimental results. Now, do you need to know their originally intended destination in order for this to work? Or does that just make it easier or if it's harder
Starting point is 00:16:05 if you don't have that? So if you know the exact location that the targeted driver wanted to drive to, that will make the attack much easier. To be more precise, it is easier for us to carefully control the GPS signal so that there's a precise turn-by-turn navigation trigger at the right time. So if you don't know the exact location, there's actually a trade-off here. So for example, if you know some rough destination or rough checkpoint that this victim will bypass for sure, you can still run this algorithm, but the trade-off is that the algorithm will be effective before this victim arrives at a checkpoint or the rough location that you thought. If after that victim bypassed that checkpoint, you can no longer run that algorithm anymore. Now, does your system keep track of its own location?
Starting point is 00:17:00 How does it know how it's doing along the way? And is it able to adjust? If the driver makes a wrong turn, for example, or passes a turn, would the system be able to adapt to that? Oh, that's a very good question. So suppose the driver failed to follow one instruction through this attack. So because the attacking algorithm is run in real time, the algorithm will be able to adjust on the fly, generate a new alternative route so that we can adjust the GPS spoofing signals accordingly. This is actually very expected behavior because even when there's no attack, we miss entrances for highways or we miss the right turn all the time. On the other hand, the
Starting point is 00:17:47 second question you mentioned is very interesting. So you were saying that how do you keep track of your own location. So as a spoofer, because this fake GPS signal was generated by the spoofer, the spoofer actually can tell which signal is correct and which signal is incorrect. So there's always a mechanism that allows the spoofer to lock on the correct GPS signal without being interfered by the signal they generated. And so is the spoofer generating its signals based on the actual GPS signals? That's correct. You have to be able to know where the targeted driver is and also where you are so that you can generate the fake GPS signal accordingly.
Starting point is 00:18:34 So because you can imagine the attacking scenario could be we just stick the spoofer on the bottom of the victim's car and then we remote control it. So at that point, the spoofer's GPS location is actually the real location of the car. Now, you also did some simulation experiments to see how susceptible people would be to this. Tell us, how did you do that and what did you learn? So this is actually part of the fun study.
Starting point is 00:19:07 So because previously we talk about a simulation, a real world of measurements, but none of them have real people or real users involved. And part of the attack we design is to see whether human users or human drivers can detect the discrepancies between the real road and the fake road illustrated on the map. So we actually end up doing a user study. So we recruited 40 people in the lab. Now, in order to do this type of user study, there's a very kind of tricky setup. You cannot tell that, hey, we wanted to do an attack on you and see whether you can detect it, because people would basically detect it.
Starting point is 00:19:45 So what we have to do is to apply some deception in the beginning. This is actually a very standard approach for most of the psychology experiments in a user study. So the reason is that you want to make sure that the user is not prepared for what is happening and then you can capture their real reactions. So what we did is we framed the user study as a usability study. So we said, hey, we build a driving simulator and we want to invite you to come here to assess how realistic the simulator is. So the setup is like this. So we set up a big screen to simulate what people see on the road. And we modified a driving simulator engine, which is supposed to train how people drive and how people drive trucks, actually.
Starting point is 00:20:35 And then we designed this driving game where the participant is supposed to deliver a package from location A to location B. Then we let them drive to finish the task. What we didn't tell the user is that during this experiment, we actually simulate the spoofing attack by changing the software setting without notifying them. So they actually experience what it's like when this attack happens on this kind of driving simulation game. And we tell how well they can actually recognize the attack. The result is actually surprisingly good. So 95% of the participants did not spot the attack through multiple driving sessions. So I would consider this attack is stealthy enough for people to recognize effectively.
Starting point is 00:21:29 So interestingly, the two people who actually recognized the attack tells us how they did it. One user said he actually recognized there are some discrepancies between the road he actually looked at and also the road on the map because he thinks he's driving on the highway, but in fact, everything looks like a local way on his front view. So that's how he tells, oh, there must be something wrong with it. Then he stops the car and asks us, what's going on? Is this software has some bugs? I think that's when we stop the experiment and explain everything.
Starting point is 00:22:06 So after all the experiments, we actually perform some user survey interviews. But most importantly, we tell the participant everything about this experiment since we already captured their reactions and whether they detected the attack. So this is a part of the user consent process. So users are allowed to withdraw their data
Starting point is 00:22:29 if they think they don't want to put the data in this study. So luckily, none of the users actually withdraw their data. They're surprisingly happy to learn this GPS spoofing attack and how it happens. Now, in the real world, how practical do you think something like this would be? Do you think we might see people actually utilizing something like this? It is actually hard to say. I think spoofing a GPS signal, spoofing a GPS device is considered as a crime.
Starting point is 00:23:01 So it depends on whether the attacker wanted to take the risks to pull off the attack and what the attack purpose is. I can imagine that for most attackers who don't want to take this risk, there's probably some holdback. But when the incentive is high enough, it is really hard to predict. So for example, right now, GPS devices are integrated with many autonomous systems, including self-driving cars. And some of the cars are really, really expensive. So what if there's an attacker who wants to steal their car by automatically navigating the car to a location that the attacker predefined and wanted to steal their car or hijack the car? That's a possibility. So for example,
Starting point is 00:23:46 there are very expensive drones. What if they're dedicated attackers and try to steer their drone out of the safe area and again, try to steal their drone? So, so far, most of the experiment is done within the civilian applications. I think there's more severe implications of this type of attack in other more critical domains like, you know, power grid and other critical infrastructures or even in military. But so far, we don't have access to any of those. So it is hard for me to give any comments on that. Yeah. Are there possibilities of systems that depend on GPS to kind of cross-check, to make sure that what they're reading is correct? I know, for example, the Russians have their own version of GPS. Could a system possibly check in and make sure that both systems align and look for some sort of consensus?
Starting point is 00:24:41 That's exactly right. So there's dedicated GPS hardware or chips that already integrated some of the cross-checking mechanisms. For example, as you said, there are just more than one GPS satellites. Actually, multiple countries launched their GPS satellites for many, many years. One possible solution or one feasible solution is to cross-check multiple GPS sources to make sure the reading is correct. The trade-off here is that it does require special hardware and more expensive hardware. So, for example, if you build a self-driving car and you want it to be extra careful, then you should definitely just use the dedicated new chips that have this kind of anti-spoofing mechanisms. But as I said in the very beginning, there are already over billions of GPS devices out there running on the non-secure mechanism, and it's hard to replace all of them
Starting point is 00:25:40 at once. It's extremely high cost. Now back to this cross-checking idea. Even if you cross-check multiple signals, that does not mean that it's completely secure for very obvious reasons. So if the attacker is able to build multiple radios and synchronize those different radios at the same time, there's a possibility to generate multiple GPS signals that try to mimic each individual GPS information sources. So at that time, it's again become a very hard problem to tell which is real and which is fake. So fundamentally, the solution is limited because the GPS signal has no authentication mechanism and is hard to tell the real ones with the fake ones. Now, suppose that someone had access to the military version of this. Would that be immune to this sort of attack?
Starting point is 00:26:37 I would think so. In the ideal world, I would say if we can change the civilian GPS completely to the encrypted and authenticated version, I think the problem will go away. So there has been a lot of discussions over the last 10 years, 20 years, to talk about the possibility of upgrading our GPS. But unfortunately, it's feasible in theory, but it's really hard to pull it off in practice due to the extremely high cost to replace all the software and hardware on your GPS receivers that is running every day. Yeah, so it would be, I guess, a slow turnover as the new devices came online and the old ones were retired. That's the hope, but it's probably going to take many, many years. Yeah. So one additional comments I have is that right now, my colleague and I and our students are trying to develop some low-cost defense mechanism that hopefully does not require additional hardware and hopefully only
Starting point is 00:27:42 software-level manipulation sort of improvement to achieve a similar level of a defense. This is ongoing work. I don't have a clear answer which one works or which one doesn't work, but hopefully we have some new results to share with you in the near future. Our thanks to Virginia Tech's Gang Wang for once again joining us. The research is titled All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems. We'll have a link in the show notes.
Starting point is 00:28:28 The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, and I'm Dave Bittner. Thanks for listening.
