CyberWire Daily - Spoofing ships, jamming drones: how GPS manipulation confuses and compromises. [T-Minus: Space-Cyber Briefing]
Episode Date: June 7, 2026GPS constellations have become foundational in modern society supporting everything from navigation to financial services, making the impacts of GPS disruptions all the more concerning. As reliance o...n these systems have grown, so too have efforts by threat actors to disrupt them through techniques such as jamming and spoofing. As these attacks have become more effective, they are becoming increasingly common, especially in conflict zones where disruption and confusion can prove exceedingly valuable. Key sources: Information about GPS Jamming What is GPS Spoofing? GPS jamming: The invisible battle in the Middle East Like what you heard? Be sure to subscribe to our free Signals and Space Briefing, our Sunday newsletter covering the intersection of cybersecurity and space. Subscribe at: https://thecyberwire.com/newsletters/signals-and-space Is there a topic or person you’d like to hear on our show? You can send your questions and feedback to space@n2k.com. You can also fill our our audience survey: https://www.surveymonkey.com/r/NJYCN2P T-Minus: Space-Cyber Briefing is a production of N2K CyberWire. N2K is your nexus for discovery and connection for people, technology, and ideas shaping the future of secure innovation. Learn how at n2k.com. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Maybe that's an urgent message from your CEO,
or maybe it's a deep fake trying to target your business.
Dopple is the AI-native social engineering defense platform
fighting back against impersonation and manipulation.
As attackers use AI to make their tactics more sophisticated,
Dopple uses it to fight back.
from automatically dismantling cross-channel attacks to building team resilience and more.
Doppel, outpacing what's next in social engineering.
Learn more at doppel.com.
That's D-O-P-P-E-L.com.
Yeah, I remember when I was researching, when I first started this job a few years ago,
I remember I pitched to my boss at the time, Brandon Carp.
And I said, you know, Brandon, I really want to research GPS spoofing.
I'm fascinated about this.
And so in my naivete, I started calling a bunch of companies that sell to the U.S. government anti-GPS spoofing technology.
And I was like, can you tell me how this works?
I'm pretty sure I'm going to list somewhere now.
Who are you?
Welcome.
I'm Maria Varmazas, and you're listening to T-minus space cyber briefing.
In this show, we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects, and
connects our lives.
Greetings, friends. Thank you for joining me today.
Last week on this show, we explored why attacks against GPS and similar space systems
matter in a cybersecurity context. Reminder, global navigation satellite systems like GPS are a key
dependency for much of our critical infrastructure. And so this week, we're all about
the how. How do attacks against GPS signals typically work? Well,
Producer Ethan Cook joins me again to explore a few of the different attack types that we might
typically encounter. Let's do this.
Hey, Ethan, good to see you again. I'm back. Yeah, you're back. A long time, no see.
We're back for GPS, part two.
GPS part two. I mean, honestly, we're probably going to have part three, four, five later.
It's a separate ending, by the way. We're just an iterative process.
Well, it's, it is so crucial. And you said it brilliantly in the last episode about,
about it is only going to become more important to how modern technology infrastructure works,
and it is vastly underappreciated for what a cornerstone technology it is right now.
I certainly, I will raise my hand in that one.
I don't think I appreciated how much we use it in our modern lives outside of the obvious.
I think that's the story of most technologies.
I think we're all like, man, this is so helpful.
And when it goes down, we're like, this is the worst thing in the world.
And then you realize, man, that's what it was 10 years ago.
Yeah, it's that XKCD comment.
of the entire internet being held up by that one guy in Finland or whatever,
which I have been told by all my friends who know this stuff,
that that is completely true.
I think that that one guy in Finland also can sometimes be GPS.
Yes.
Yes.
Do we realize how much is actually really dependent on this being accessible
and the signals being correctly interpreted and all that kind of thing?
When the phrase GPS hacking gets thrown around,
at least when I started this job a few years ago,
I thought we literally meant hacking the GPS satellites, which I think the U.S. Space Force is like,
I'd like to see you try.
It would be very difficult.
It would be extraordinarily difficult.
And they're like, bring it on, we're ready for you.
So that's not, but that's not really what is meant.
It's a lot more ground focused and a lot more, I think the best way to describe it, at least from what I saw,
was confusing signals rather than overpowering signals rather than trying to take down networks.
That's exactly it.
That surprised me a lot.
I really thought it was like, oh, you know, the Space Force is just going,
bing, bing, bing, like, and I'm sure they are, genuinely,
staving off all these attacks against the actual satellites
and the ground stations that they use.
But, like, yeah, they're in the military.
They're handling their own thing.
For the rest of us, it is exactly that, like, just that phrase we love,
the signal and the noise.
This is literally that situation of, like,
these signals being blasted out in a spherical radius from the GPS satellites,
We monkey with those signals as they hit the ground because they're very weak.
They've gone through atmosphere, potentially weather impacts, bounced off walls, you know, gone through buildings.
It's not something that is easy.
If we're trying to get GPS from inside a house, you're just like, nope, not getting it.
Yeah, those are really weak signals by the time they get here.
So they are really easy to mess with or fake or overwhelm.
And that is essentially what it is.
Why don't we go through maybe some of the frequent attacks.
against GPS signals.
So we call them sort of shorthand hacking GPS,
but again, it's really attacks against the signals
as they arrive on the ground.
So what is your understanding of GPS signal jamming?
So it feels kind of obvious
when you say it out loud
in that you're jamming the signal, right?
You are, you're killing the legitimate signal
by, you know, oftentimes overpowering it
so the legitimate signal cannot go through.
Yeah.
Use cases for that would be, okay,
I don't want the signal to accurately find where I am.
Taking that to a real-world example, because I think when you talk about attacks, it's really hard to conceptualize impacts unless you have real-world examples.
The Ukraine war.
There has been multiple use cases confirmed at this point that military drones, use GPS signals to make sure that they're going to hit the intended target accurately and on time.
So if there is a tank or fortification or building that I'm trying to hit as an attacker, I'm using a GPS signal to guide that drone to the correct target.
Yeah. Now, GPS jamming can be used to counter that. It's an emerging front. It's something that I think really has popped up as a mainstream as drones have become more popular in the Ukraine front. And I'm sure it is taking place in Iran as well, where you confuse and you overpower the GPS signals that are guiding that drone. And the drone doesn't know where it's going anymore.
Yeah. It's still going to hit somewhere and explode, but it's likely not going to hit the thing that it was meant.
to hit. And obviously, that doesn't negate its damage or reduce any casualties. You know, the logic behind it,
from a defensive perspective, is it's not hitting the main target. So maybe it's hitting the building
and still causing structural damage, but it's not going to cause the whole building to collapse.
Or it's not going to hit the tank head on. It's going to bounce off. And maybe the tank suffers some
mechanical damage, but the whole tank isn't imploded. So that's kind of the logic there.
That's exactly right on. The way that I think of it for jamming is the GPS
signal as it hits the earth is like a bird gently chirping. And then if you're jamming,
you've got a foghorn. And you're trying to hear that chirping bird, but all you can hear is the
freaking foghorn. And it's just like literally looking for that signal through the noise.
Something that I found fascinating years ago when I was learning about this initially was that a lot of GPS
jammers used to be, and I'm sure they still are if you know where to look, very unsophisticated
like Bluetooth devices. You could just plug into your car's cigarette lighter if you still have one.
There was a guy who did just that and got massively fine and I'm pretty sure also arrested.
It makes sense.
Yeah, but this was back in 2013, and he operated a GPS jammer from his car sitting outside
of Newark Airport in New Jersey, specifically to mess with the,
the signals that the airplanes are dependent on,
which is a humongously dangerous thing.
I mean, he was not the only one.
This was just the headline that stuck out on my head,
but, you know, it is not a sophisticated attack.
No.
It's not hard.
Highly illegal.
We do not come after us.
We have warned you.
Don't do this.
It's incredibly dumb if you do.
Yeah.
And the equipment is extremely low cost.
So it makes sense why, especially in war zones,
this is like one of the first things that people do,
is your GPS is not going to do anything good for you.
And as sort of dark as this is to say,
one of my favorite websites to sort of track
how this actually looks like on a global scale
is this website called gpsjam.org.
And it's this really fascinating resource.
Sometimes I just go there just to,
this sounds weird just to just look around.
Yeah, it's just basically uses open source information
based on information from commercial planes
about how accurate the information is that they're getting.
And you can see really easily
where the contested zones are.
I'm looking at it right now as we're talking.
Yeah, Ukraine lit up, Iran lit up,
the Strait of Hormuz, forget it.
But also looking near,
I'm looking near Estonia right now.
Estonia and the Baltics in general are just bright red,
so is a whole bunch of the Baltics.
I mean, to make sense.
They're very close to two conflict zones.
Exactly.
So there are other spots like I think I'm looking at Myanmar as well,
even on the U.S. border with Mexico.
There are some red spots there.
So whether or not that is intentionally being jammed or it is jammed from other factors, this website can't tell us that.
Delineate between intentional or like atmospheric incidents or something.
Or just like just heavy traffic or something.
Yeah, the creator of this website, they mentioned that this is GPS interference as he can map it based on open source information.
So don't try to extrapolate necessarily intent, although in some cases it's obvious.
Yes.
Like in conflict zones.
So surprise that, you know, Ukraine, not a good, not a good.
surprise there that GPS may be unreliable. Correct. Yeah. And also near the border with Turkey
on the Black Sea, also very, very contested there. So it also has a historical record, which, again,
can be fascinating looking back in time to see how bad were certain spots with GPS interference.
So jamming is unsophisticated and sort of table stakes, I think, for a lot of modern warfare at this
point. But sometimes it's also used in petty crime. It is accessible to dumb basic criminals who are
just trying to mess with people. I'm sure would scale up the punishment when they inevitably get
caught. Yeah, so definitely don't do it near airplanes. Good heavens. So now that we've spent some time
on GPS jamming, let's take a quick break. When we come back, we're going to talk about GPS jamming's
much more interesting and shall we say, sophisticated cousin? And that would be GPS spoofing. Stay with us.
us.
Ethan, I want to, you take the glory on this one.
Explain GPS spoofing.
So if, you know, for your cyber professionals out there,
if you know what map or Mac address or IP,
you know, address spoofing is, same concept, right?
We are taking our signal.
We would be displayed as and manipulating it intentionally
to show a different thing.
A great real-world example where this is happening already
is in the straight of four moves.
A lot of both.
going through there. Well, maybe not as much as it used to be, but a lot of boats should have used to be going through there. But, you know, we use GPS signals. Boats use them to make sure that we, and airplanes, too, to make sure we aren't colliding with each other because these are massive vehicles, especially boats that are hauling very, very expensive precious cargo. If we were to have a collision, not only would that be an environmental disaster, but it would be a significant financial loss. We saw what happened in the Suez Canal a couple years ago when that one boat got stuck in the side.
Yes, the ever something.
Yeah, I can't remember the company.
It was a weird name.
Shutting down a key choke point like that is pretty big.
Now, that was a legitimate example of just someone deciding to by accidentally steer into a canal, a wall.
But I think in the Strait of Hormuz example, you have reports that a bunch of boats are being shown on land in perfect circles, which anyone who knows how a boat works,
they don't travel over land.
Crazy stuff.
I was not familiar with that.
Thank you for clarifying.
Yeah, it's revolutionary.
This is why I went to college.
Yeah.
And so anyone who looks at the map goes out,
aha, ha, ha, that's obviously not correct, right?
But I think when you boil that down to actual real world impacts,
the answer is, okay, let's say it's night time on a foggy day on the sea by the
Strait of Hormuz, and you really can't see a boat.
And you're having to go through to deliver the oil or go pick up oil and you go, oh, uh-oh, we have now slammed into another boat.
Or you have now slammed into a, because maybe your address is being also jam simultaneously, so you don't know where you are either.
You have now slammed into a seabed that you can't get out of, right?
And you take that to a logical conclusion.
It is dramatically impactful.
It could shut down trade lanes.
it could shut down.
Effective communications,
human life factor
is absolutely something
that needs to be talked about.
These are real world impacts
that have significant costs to them.
Yeah.
The consequences are especially catastrophic
for spoofing.
The straight-of-form is a fantastic example.
I remember not that long ago
when smugglers were all over in the news,
like pirates were all over in the news.
One of the ways that I think they were also evading notice
was by spoofing their own signal
and being like, yep,
We're definitely not where you think we are.
We're not in the middle of X, Y, and Z.
We are, you know, 800 miles to the west,
and you're never going to be able to see or find us.
Yeah, in fact, we're on the ground.
You don't even worry about it.
Yeah.
You mentioned drones a little earlier.
That's another huge problem because drones also are, you know,
key in modern warfare.
Yeah.
And if you completely redirect where the drone's going to go,
not just confuse it, but just like send it elsewhere.
Or tell it to actually, hey, you're in the,
airspace of an airport which will force it to land.
I didn't know that one. Yeah, yeah. If you tell a drone, actually you're in airport airspace,
they will go, well, time for me to go down to the ground immediately. So, I mean,
drone operators know that, but like that is a frequent way of kind of trying to mess with them
and disrupt their operations. So spoofing is much more sophisticated. It is not, it is not easy
to broadcast out a different signal that has bad information in it. So this is usually
something we see the military doing. I was going to say, when I was doing my research, jamming was a much
more readily available topic to find information on and cover. Spoofing the pretty much what I got,
which is this is highly illegal. We will not tell you even how it remotely functions. And if you do
it, it is a significant punishment. Yeah, I remember when I was researching, when I first started
this job a few years ago, I remember I pitched to my boss at the time, Brandon Carp. And I said, you know,
Brandon, I really want to research GPS spoofing.
I'm fascinated about this.
And so in my naivete, I started calling a bunch of companies that sell to the U.S.
government anti-GPS spoofing technology.
And I was like, can you tell me how this works?
You're like, uh, excuse me.
Who are you?
I swear, this is for legitimate purposes.
So obviously nobody told me anything.
Because that no one was going to do that.
Of course.
And I stupidly even tried.
As I said, I'm on a list somewhere if I wasn't already.
But it was a dumb question to even ask, but I was genuinely curious.
So the answer is, Maria, if you want to find out, go join the military.
So that's...
And work your way to the top, too.
They work my way to the top, like, yeah.
And there's a flavor of spoofing that I keep finding a reference to.
Have you heard of this one called meekening?
I have not.
But I love the name.
Yeah.
It's a great name.
Yeah.
I saw mention of it, and I'm going, that's fascinating.
So instead of trying to broadcast a different fake signal it says, actually, I'm
Over there, it just captures the legitimate GNSS signal
and then just rebroadcast it with a slight delay
or modification at a higher signal strength.
So it's spoofing, but like a flavor of spoofing.
And the receiver, whoever they are,
that signal looks extremely legit to them.
It doesn't look like it's been messed with.
But it's slightly off, just enough.
It's just off enough that it could probably evade a quick glance, essentially.
because the signals are legit
but just like mistimed.
We'll go into the point on the timing
emulation that we talked about last episode.
Yes, and how insidious this could be.
Yeah.
But there are lots of,
if you're in the military or the government,
there are lots of vendors
that will sell you solutions for this
and that is not our lane.
But these problems are only getting more
and more insidious
and the consequences are more and more catastrophic
as we become increasingly dependent on GPS.
The really interesting thing to me
is because specifically GPS is such an old technology.
The signals are not encrypted.
No.
So I know forward thinking the idea is one day these signals will be more spoof resilient
because they will be encrypted.
And some of the GNSS systems and other parts of the world have better signal.
I would imagine because they're newer as well.
Yeah.
Easier to have security forward mindsets when you invented them are about your networks 20 years later.
Yes, that's exactly it.
And we got into it a little bit with my interview with Dr. Sean Gorman, but some of the work that was being done to try and make GPS more resilient, especially in the ground systems, unfortunately, was recently canceled because it was over budget and behind schedule.
Yeah, yeah, 10 years behind schedule and double the costs.
The military likes that give you a long leash for off time and overpriced projects, but that was a crazy one.
Yeah, even they said no to that one. Yeah, they've got their limits. So the line from the Space Forces,
they've got these incremental improvements that they're working on
to make sure that at least for their things,
things are more secure
and they can ensure the fidelity of the signal
that they're receiving and interpreting.
But yeah, GPS is speaking specifically about GPS.
It's an older system.
And satellites are being incrementally replaced over time,
but it's not a wholesale thing.
It's just kind of one in, one out.
Maybe one day we'll have fully encrypted signals from GPS.
It would be nice, but it's not tomorrow.
No. It's not in the next five years.
No, no. So I think the advice for a cybersecurity professional knowing that like pretty much everything in modern society, there are a lot of flaws in this technology that can be easily exploited is just knowing, in my opinion, where the heck it's being used? What are your dependencies in your environment for GPS? I feel like it begins and ends really right there.
I think it's a risk management factor. It is something that you should be aware of if you're, if you're, if you're, if you're,
let's say finances where you're prone to it or it could be impactful.
But it is not something that you as an individual or even as an organization can make and, you know, really shake up and fix.
This is kind of a thing that you have redundancies in place to account for if something goes wrong.
But you aren't sitting here being like, oh, let me buy the latest solution that fixes this.
That's not.
You know, the average infosec professional is not going to be.
No.
Securing GPS.
That's the Space Force's job.
that's the thing you cross and hope for that we got good people there yeah exactly best men and women working on that so uh so just knowing that your dependency and managing that risk as best you can planning around the fact that it is not infallible that's really the the takeaway of it in advice there as far as i'm concerned but uh i'm i'm curious if there's any other thoughts you have on that yeah i think um it kind of reinforces the conversation that these are technologies that because especially with the modern world as we continue to advance
these are not something that we can just hope they don't get attacked.
It's already being attacked.
These are things that already people are trying to exploit and successfully do.
All the time.
And we should not rest on the laurels of let's hope it gets better or hope that we can just deal with this.
This is something that I think a proactive approach of we need to address, we need to talk about,
we need to get governments invested in wanting to increase these,
even if previous attempts haven't necessarily been successful.
Yeah.
Don't let that kind of be the dying point.
Let that be the initial point of a conversation of like, okay, we need to learn why this didn't work previously in our last attempt, correct that, and make sure we have reasonable timelines and cost expectations and address this now.
Yeah, that's a federal government procurement right there.
Oh, yeah.
That's a whole other show, but I know that's a lot of your world also.
So that's a good point.
It's a headache world.
Yeah, no, that understatement of the century right there.
As we're talking through, and as I was listening to you talking about GPS,
a lot of this reminds me of just discussions about how the internet came to be.
And they said, well, maybe we'll let civilians start using this and not just like a few universities.
I mean, they never could have anticipated what it would be common.
And same thing was happening with GPS.
When Clinton was like, hey, guys, everyone's, it's free for everyone.
You know, I'm go crazy.
I don't think the logical conclusion is, well, what are the modern implications of drone warfare for this?
What's a drone?
Exactly.
None of this was anticipated
and it's been successful
beyond the United States military's
wildest dream, I'm sure.
And it's what an incredible legacy.
Again, they're not paying me to say that.
It's just kind of amazing.
The internet and GPS,
like what they've ended up becoming.
They weren't meant for civilian use
to begin with.
So they weren't built with, you know,
the idea of thousands of millions
of literally billions of us
trying to poke holes in them all this time.
And yet that's what we're doing
because we're human beings.
So we have to kind of just do the best we can with these flawed because they're made by humans systems.
So yeah, know your dependencies and your risk exposure.
And that's about it.
Yeah, I think well said.
Yeah, thank you.
All right.
Well, Ethan, thanks again for joining me.
Thank you for having me.
Of course.
Come on back next time.
Always.
And that's T-minus space cyber briefing brought to you by N2K Cyberwire.
If you like what you heard today, you will also enjoy our newsletter, signals and space.
You'll get research and notes pulled together by our producer Ethan Cook and me, along with this week's top space cyber news stories.
Subscribe by visiting the cyberwire.com slash newsletters.
That's newsletters with an S.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing cybersecurity landscape.
If you like this show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to space at n2K.com.
We're proud that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals grow, learn, and stay informed.
As the next is for discovery and connection, we bring you the people, technology, and
ideas shaping the future of secure innovation. Learn how at n2k.com. Thank you for listening to T-minus.
I am your host, Maria Vermazes. The show is produced by Ethan Cook and Liz Stokes.
We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin with content strategy by Mayon Plout. Peter Kilphy is
our publisher, and we will see you next week.