CyberWire Daily - The current state of GPS following OCX with Dr. Sean Gorman, CEO of Zephr.xyz. [T-Minus: Space-Cyber Briefing]
Episode Date: May 24, 2026Despite being an indispensable technology, traditional GPS remains vulnerable to exploitation and is needed for an update. In this week's episode, host Maria Varmazis sits down with Dr. Sean Gorman,... CEO of Zephr.xyz, to discuss the current state of GPS. For decades, GPS has been a cornerstone technology for private, public, and military entities; however, through new technological advancements, companies and governments are looking to modernize this technology. Key sources: Next Generation Operational Control Systems. Why GPS III, and what comes after it, still falls short in modern war. Like what you heard? Be sure to subscribe to our free Signals and Space Briefing, our Sunday newsletter covering the intersection of cybersecurity and space. Subscribe at: https://thecyberwire.com/newsletters/signals-and-space Is there a topic or person you’d like to hear on our show? You can send your questions and feedback to space@n2k.com. You can also fill our our audience survey: https://www.surveymonkey.com/r/NJYCN2P T-Minus: Space-Cyber Briefing is a production of N2K CyberWire. N2K is your nexus for discovery and connection for people, technology, and ideas shaping the future of secure innovation. Learn how at n2k.com. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Looking to understand the cybersecurity risks emerging beyond Earth's atmosphere?
In the weekly Signals in Space newsletter, T-minus host Maria Vermazas and producer Ethan Cook connect the dots between terrestrial infrastructure and the growing attack surface in space.
Each week you'll get the latest space cyber headlines, direct access to the week's T-minus podcast conversation, plus everything.
expert insights and resources to help security professionals better understand this rapidly
evolving domain. Space systems are becoming critical infrastructure. Signals in space helps you stay ahead
of the threats shaping the next frontier. Subscribe now to the Signals and Space newsletter.
When it comes to mobile application security, good enough is a risk. A recent survey shows that
72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
Guard Square delivers the highest level of security for your mobile apps
without compromising performance, time to market, or user experience.
Discover how Guard Square provides industry-leading security for your Android and iOS apps
at www.gardsquare.com.
One of the really interesting facets on this
is beginning to understand how the specific jamming and spoof thing
attacks on the cybersecurity and kind of RF security side
are growing and evolving because even a few years ago,
jamming and spoofing were kind of one-off events
that might impact something directly on a military conflict
but wasn't something that most of us saw on a day-to-day basis.
But the current landscape of jamming and spoofing, you know, we're seeing these activities persist over geographies long term.
Welcome. I'm Maria Varmazes, and you're listening to T-minus-based cyber briefing.
In this show, we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects, and connects our lives.
Hello, and thanks for joining me today. It is inevitable and inescapable that a show like ours about cybersecurity and space is going to talk,
quite a bit about the global navigation satellite systems,
especially the United States' global positioning system or GPS.
It is the backbone for so much of how our modern world works,
and it has been around for quite some time.
An initiative to modernize GPS operations in cybersecurity called
the Next Generation Operational Control System, or OCX,
was canceled by the U.S. Space Force for being over-budget and behind schedule.
So what does this cancellation mean for GPS and how we use it?
Well, in today's episode, I'm speaking with Dr. Sean Gorman,
who is the CEO of Zephyr to discuss all of these and other concerns
about the secure future of GPS.
Here's our conversation.
I'm Sean Gorman.
I'm one of the founders of SEPER.
We do navigation-powered artificial intelligence,
and that combines positioning, localization,
understanding where a user is and what they're looking at.
And as part of that work,
we've gotten pretty involved in understanding
P&T from a low level,
including some defense work,
which has brought us over into the world of jamming and spoofing.
And also a bit of my background over the years
working for a couple different startups
that have built the PINSTEC,
mostly in the geospatial mapping and positioning space.
Thank you so much for Joel.
running me today. A lot of folks, I think they think they know a lot about GPS and how it works and also
how it can potentially be monkeyed with. And I find often that there are a lot of perceptions that have
to get busted just when starting a conversation like this. I imagine you found the same.
Maybe we just start real simple right there before we dive in much deeper on what exactly,
when we're talking about GPS jamming and spoofing, there are lots of different things that can
happen there. Can you walk us through that just to start? Yeah, definitely. I think,
think one of the big misnomer is that there's just one constellation, that is GPS that runs
positioning on your smartphone, let's say. And typically, GPS is just one constellation of a much
larger set of constellations that are called GNSS or global navigation systems. And that includes
the U.S. is GPS constellation. The Europeans also have a Galileo constellation. The Chinese
have a constellation called Baidu. The Russians have a constellation called Glonass. There's also
regional constellations that Japan and India run.
So there's a whole bunch of satellites up in the sky.
GPS itself is about 32 constellations.
And across all of those constellations, they're all a trusted network, right?
We interconnect with Russian and Chinese constellations on our smartphones, and we trust
the signals across those different constellations.
But that doesn't mean that there are bad actors out there.
Typically, that doesn't happen at the satellite level where the satellites are causing
problem, but there are bad actors at the terrestrial levels. So GPS jammers, which send out big
disruptive, high-frequency jamming signals that disrupt the very weak signals that come from
the satellites way up in space. Those are pretty weak. And so they have really high-powered disruptor
that's operating at the same frequency as those GPS and GNSS signals. It can disrupt it and make it impossible
to position with your phone. And then the other attack that we see,
commonly is spoofing where instead of trying to disrupt that signal, it's trying to fake a signal
and put an artificial signal into your receiver that's much more high power than what's coming
from the satellites with a fake location.
And so instead of showing, you know, I'm in Boulder, Colorado right now, they might fake it and
show me somewhere else, like showing that I'm at the airport, for instance, is a really
common thing because if drones, for instance, or find themselves thinking they're at an airport,
they immediately land and disable themselves.
because they don't want to enter airspace.
So you see a variety of these kind of spoofing things happening along with jamming things.
But that's kind of a high-level breakdown of kind of how these constellations work together
and then how bad actors try to disrupt those constellations.
Yeah, so I wanted to ask, so this is something I actually wasn't entirely aware of, to be honest,
something called OCX.
Can you tell me a little bit about what that is and how that relates to GPS,
or what it was maybe is really more the question?
I should be asking.
So OCX was the next generation ground station that connects to the satellites up in space.
So we think of the GPS satellites, you know, the 32 of them revolving around the Earth.
But you need to get the data from those satellites, or more accurately the ephemorous for where they're located at in space down to these ground stations.
So the ground stations track where the satellites are.
and in order for GPS position to work in general,
you need to not only know,
you're trying to figure out where the receiver is on the ground,
but to do that, you need to know where the satellites are
within a high level of accuracy.
So in order to track where those satellites are,
we have a sophisticated set of ground stations
that track the exact location within a meter or two
of where that satellite is in space.
And so those ground stations become really critical.
So the old ground station system was built in the 1990s,
It was called AEP, but it was this monolithic structure that was built to track all of these satellites.
But as we've been modernizing and putting up the new GPS3 satellites, there's a lot of things that people wanted to do with a more modern ground station system.
And so OCX was this next generation ground system that they spent six or seven billion dollars on to replace the 1990s AEP system with a much more robust, sophisticated set of ground stations to track.
satellite them in space.
And yet, but it got canceled?
Is that my understanding?
What happened there?
Yeah, what ends up, it's really hard to upgrade a massive monolithic system all in one go
and make it completely backwards compatible with the system that was there before.
And so that, that, you know, largely began the problem.
And, you know, you have billions of devices that rely on the system.
And we can't just take all the GPS down to do an upgrade.
So you have to figure out how to upgrade that entire system in place
and make it 100% backwards compatible to all of these devices
that are already out there running on it.
And I think that just ended up being too Herculean of a lift to figure out.
And they kind of came to a dead end on it.
And unfortunately it got canceled.
So now they're trying to figure out how to manage that with the existing AEP system.
But it definitely kind of put an upward bound on how much we can modernize the current GPS system.
So that's all well and good, but what's next then?
What do we see for the future of GPS?
Well, we're going to take a quick break,
and we'll get back into our discussion with Dr. Sean Gorman after this.
Most environments trust far more than they should, and attackers know it.
Threat Locker solves that by enforcing default deny at the point of execution.
With Threat Locker Allow listing, you stop unknown executables cold.
With ring fencing, you control how trusted applications behave,
with Threat Locker DAC, defense against configurations,
you get real assurance that your environment is free of misconfigurations
and clear visibility into whether you meet compliance standards.
Threat Locker is the simplest way to enforce zero-trust principles
without the operational pain.
It's powerful protection that gives CSO's real visibility,
real control, and real peace of mind.
Threat Locker makes zero-trust attainable,
even for small security teams.
See why thousands of organizations choose Threat Locker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at Threatlocker.com slash N2K today.
So questions abound there, certainly,
and I'm wondering especially on the resiliency of how we are able to,
for lack of better words, use and digest the signals that we're getting from GPS satellites,
lights. It sounds like we kind of avoided a solution. So what do we do now?
Yeah, I think that's an open question for a lot of people right now that people are trying
to wrap their hands around. I think there's, you know, obviously, you've been patching and
upgrading and dealing with the current architecture for quite a while. And, you know, it is still
a robust system that the globe depends on and operates quite well. But the extent to which we can
modernize that to increase cybersecurity across our GPS system is going to be hampered by
the fact that we can't modernize that ground segment.
And then there's also soft power implications and that, you know, these, there's,
is that GNSS positioning systems offered from a lot of countries.
And it's a big soft power lever for the more countries and industries and technologies
you can get dependent on your positioning system versus a rivals positioning system,
the more soft power you have across the economic and military landscape.
and China's system is much more modern and recent than ours with a much more modern ground segment
and more sophisticated satellites and signals.
And so that's something that's been a concern on the American side for a while of Bidu's growing
advantages within PNP and how we can modernize GPS to keep up and ideally move ahead.
Yeah, so that's a great point there.
I mean, GPS was presumably the first to attempt, you know, GNSS, I think that's correct.
I'm not sure.
Yes.
We invented it.
Yeah, we invented.
It's ours.
Great.
But yeah, we are heavily constrained by 90s-era ground station technology, which is quite a constraint,
although my understanding is it's sort of a patchwork of solutions for trying to ensure
resilience of the fidelity of the signal that you're,
receiving that what you're getting is actually correct and hasn't been spoofed or otherwise
messed with. Is that a correct read of the situation that we're going to have to sort of pull
together a bunch of different solutions to ensure that sort of fidelity or is there
maybe something else coming down the line that may fix a lot of our problems?
Yeah, I think that's correct. It is a patchwork. Although I think it really highlights and probably
moves even more weight to a trend that was already happening, that there is not a silver bullet for
having a sure P&T
globally, both from a defense
and a commercial perspective, that
it probably doesn't
make the most sense to look at one single
constellation as
the path forward. And we already kind of see
that with multi-constellation, GNSS,
but even domestically
within the U.S., I think increasing
we're looking at alternative constellations
that could be leveraged. So Starlink
has an amazing constellation up.
It is
already used effectively for position
and that within Starlink receivers.
Actually, this is just getting turned off, I think, like May 20th,
but you could use like a GRPC call to get the position for your satellite receiver
as determined by Starlink in their constellations using Doppler shift and RTT.
Wow.
And they're turning that off?
Well, they're putting it behind a telemetry API.
It used to be open to anybody.
And so the Iranians were hacking this to guide drone attacks
and also define dissidents.
So it's definitely being exploited in bad ways.
So it's a good thing as being secured.
But it's also testament to the efficacy of an alternative constellation
or what they sometimes call it signals of opportunity to provide positioning.
And so that's generally accurate, I think, within 20 meters,
but probably can do even better than that with some dedicated use.
So the remand is that Starlink and SpaceX are working on positioning systems,
they can be directly leveraged against their constellation.
And this telemetry API,
my assumption is, would be a first step in that direction.
That's fascinating.
Yeah, so you have existing constellations like Starlink,
which are impressive in their scale and scope
that potentially can provide positioning technologies
that are resilient and separate from GPS.
And then you also have dedicated constellations like Zona
that are being built and funded.
it to provide a lower orbit GNSS constellation that is completely separate but operates on the
same frequencies and we'll have the ability, if it all works out, to connect to existing GNSS receivers
and provide their signals as if it's an augmentation or alternative to GPS.
So do we think that the future of GNSS is going to be completely shifting to Leo or is it always
going to be a multi-orbit solution?
I think it'll always be a multi-orbit solution. I think it'll always be a multi-
orbit solution. I mean, there's a lot of good reasons to have GPS and GNSS satellites in
Middle Earth orbit because you need a lot fewer of them to get the position. And, you know,
you can 32 satellites can cover, you know, the Earth really quite well. When you start looking at
a lower Earth orbit, you know, and I'm not sure what Zona's latest numbers are, but at least early
on, it was like 360 satellites are going to be needed to provide global coverage. So you need a much
larger footprint to cover that.
And I think, you know,
Galileo has plans for a combination of
Leo and VO's satellites for
their constellation. China
with Baidu is doing something similar.
So these things do the
multi-orbit approach complement itself quite
well. And I think we'll see that happening
going forward in the future as well,
these blended hybrid multi-constellation approaches.
That's the wonderful thing with GNSS at large is it's
an open interoperable system that works
quite well, even with, you know, global powers that are oftentimes at odds with each other,
yet we still are able to create these constellations that work seamlessly together across, you know,
devices we all have in our pockets. We'll have, or multi-concelation, whether it's your smartphone,
your smartwatch, or your wearable smart glasses, all of those things that are generally using
multi-constallation technologies. One of the really interesting facets on this is beginning to
understand how the specific jamming and spoofing attacks on the cybersecurity and kind of RF security
side are growing and evolving because, you know, even a few years ago, jamming and spoofing were kind
of one-off events that might impact something directly on a military conflict, but wasn't something
that most of us saw on a day-to-day basis. But the current landscape of jamming and spoofing,
we're seeing these activities persisting, persist over geographies long term, you know, whether as
the Baltics with the Russians jamming northern Europe or in Ukraine.
There's an ongoing conflict with jamming on both sides.
In the Middle East, there's persistent jamming happening all along, you know, the areas around
Israel and Iran and the Persian Gulf now up into Turkey.
We see, you know, persistent activity oftentimes in Asia as well, especially Myanmar.
And these things are impacting global aviation, global maritime, as well as
just people's day-to-day activities. You see these kind of funny, not-f funny stories of spoofing
happening in Israel and Lebanon, where, as I said before, we'll spoof locations to airports to
defeat drone attacks. And so, you know, people will be on their driving apps or their dating
apps and all of a sudden they're getting, you know, matched with somebody in a different country
because their locations being spoofed to an entirely different place, oftentimes the Beirut or Cairo airports.
So these kinds of cyber and RF incidents are no longer contained to just military operations
or rapidly bleeding into our day-to-day lives,
and whether that's impacting summer travel because of what's happening in the Persian Gulf currently,
or you get these weird, wonky behaviors on your mobile phone
if you're in a geography that happens to be adjacent to a conflict zone.
You're traveling through it.
Well, this is super fascinating stuff,
and I greatly appreciate your expertise today in speaking with me.
Yeah, definitely. Thanks for having me, and it was lovely getting to share the work the team's been plugging away with its effort.
And that's T-minus space cyber briefing brought to you by N2K CyberWire.
If you like what you heard today, you will also enjoy our newsletter, Signals and Space.
You'll get research and notes pulled together by our producer, Ethan Cook, and me, along with this week's top space cyber news stories.
subscribe to it by visiting
the cyberwire.com
slash newsletters
and look for signals and space.
You know we'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing cybersecurity landscape.
If you like the show,
please share a rating and review in your podcast app.
You could also fill up the survey in the show notes
or send us an email.
Space at n2k.com is that email.
We're proud that N2K Cyberwire is part
of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals grow, learn, and stay informed.
As the nexus for discovery and connection, we bring you the people, technology, and ideas
shaping the future of secure innovation. Learn how at N2K.com.
Thanks for listening to T-minis. I'm your host, Maria Vermazas. The show is produced by Ethan Cook
and Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin,
with content strategy by Mayan Plout.
Peter Kilpe is our publisher.
See you next week.