GPS Security and principles

The safety of GPS is not a new topic.

The most famous example would be the 2011-Year-old Iranian hijacking of American drones [1]. December 4, 2011, the United States, a RQ-170 unmanned aircraft, flying in Iranian airspace. Instead of shooting it down, the Iranian military used some sort of GPs deception to make the plane land in Kashmar, north-eastern Iran. The intact drone provides the Iranian military with an excellent specimen of research and technology and military secrets.

Since then, the research on GPS deception has become more and more hot.

What is the basic principle of the GPS system?

The GPS satellite constellation consists of 24 satellites [2]. 24 satellites are evenly distributed across 6 orbital planes, with 4 satellites on each orbital surface. The distribution of satellites has been cleverly designed to ensure that at least 4 satellites can be observed at any point in the world, at any time. Why must we have 4 satellites? GPS positioning is achieved by ranging. GPS receivers measure the distance between each satellite to it, the distance is equal to the speed of light multiplied by time, which constitutes an equation. The location of the satellite is known, the three-dimensional location of the receiver is unknown, and the time is unknown, so there are 4 unknowns altogether. So we need 4 equations to solve the 4 unknowns.

So why can GPS receivers be spoofed?

GPS satellite through the constant broadcast signal, tell the receiver, where they are. This is a one-way broadcast signal, and after the space to the ground so far from the transmission, the signal has become very very weak. At this point, if there is a GPS simulator, next to the receiver, pretending to be a satellite, then the simulator signal can easily cover the real GPS signal. Just like the picture below, the receiver can only hear that loud.

Used to be a GPS simulator is not an easy thing, the GPS signal has a complex format, the launch method. A commercial-grade GPS simulator sells up to millions of yuan. One simple way to do this is to "replay attacks," which is to record a GPS signal and then play it again, just like the example in the following figure.

However, with the continuous development of software radio technology, as well as rich open source code is constantly emerging. Now, attackers can already find almost ready-made open source code, with software radio equipment, can launch GPS signal, arbitrary location, any time, the genuine!

What are the consequences?

The Wireless Navigation Laboratory (3), led by Professor Todd Humphreys at Texas State University in Austin, is a very leading team in the field of GPS security research. In 2012, Professor Todd Humphreys a TED speech [4], calling for public attention to GPS security; in 2013, the team successfully deceived a yacht and changed course [5];2014 years, they managed to deceive an unmanned aircraft and control its flight position [6].

In addition to disrupting the positioning system, GPS spoofing can disrupt timing systems, change communication base stations, and financial trading systems for timing information. It is said that such a time lag, you can seize the opportunity in the transaction to profit from [7]. In military applications, this attack will have more serious consequences. 1996, China's two missile launch failure suspected of GPs by the U.S. military to tamper with [8].

Here, I would like to introduce the difference between GPS civilian signals and military signals.

GPS satellite in 1575.42MHz launch of 1.023MHz bandwidth signal, is the civilian signal, open to the world, the standard is completely public [9]. Each chip manufacturer may design the GPS chip according to this standard, uses in each kind of electronic equipment.

GPS satellite in the 1227.60MHz launch of the 10.23MHz bandwidth signal, is the military signal. This signal uses a high intensity of encryption measures that only the U.S. military can use. Cracking is not impossible, but very complex, it is difficult to achieve deception attacks. In other words, other than the U.S. military, other people can only use very open civilian GPS signal.

Here, we go back to the beginning of the example, why Iran can hijack the use of the U.S. "military" GPS signal of the drone? There is expert analysis that [10], Iran may have been able to cheat on unencrypted civilian signals by suppressing the 1227.6MHz signal, allowing the drone's positioning system to retreat back to the civilian signals of 1575.42MHz.

Today, there are only four satellite navigation systems worldwide: The United States GPS system, the European Galileo Galileo system, the Russian Glonass GLONASS system and China's Beidou system.

At present, China still has a large number of equipment still using GPS positioning, large to communication base station, ship aircraft, small to mobile phones and all kinds of things networking equipment. The thresholds for GPS spoofing attacks have become so low that they have to worry about the security of these systems. In the case that cannot change the GPS chip, it is suggested that the developer should combine the cellular network positioning, WiFi location and other information in the application layer, and make a comprehensive judgment to avoid the possible consequence of locating timing errors.

Finally, with more technical details on Low-cost GPS spoofing attacks, 360 Unicornteam will be presented in a speech at the DEFCON23 conference this summer.

Note : More wonderful tutorials Please pay attention to the triple computer tutorial section, triple Computer office group: 189034526 welcome you to join