Subscribe

GPS flaw poses serious terrorist threat

Kirsten Doyle
By Kirsten Doyle
Johannesburg, 31 Jul 2013
The White Rose of Drachs super yacht used in the experiment. (Photograph by The University of Texas at Austin)
The White Rose of Drachs super yacht used in the experiment. (Photograph by The University of Texas at Austin)

A flaw in GPS systems could see terrorists hijack commercial airliners, ships and yachts.

Researchers from The University of Texas at Austin successfully spoofed an $80 million, 210-foot yacht in the Mediterranean and took control of its sophisticated navigation system.

Spoofing happens when an individual or program successfully masquerades as another by falsifying data and gaining an illegitimate advantage. Threatpost said in this case, the researchers created a false civil GPS signal that was more local and stronger than the satellites that transmit civil GPS signals.

This proves attackers or terrorists can spoof GPS receivers, making them believe the false GPS signal is the legitimate one.

The experiment was aimed at measuring how difficult it would be to successfully carry out a spoofing attack at sea and determine how easily sensors in the ship's command room could identify the threat.

Captain Andrew Schofield and Todd Humphreys, a GPS expert at the University of Texas, used a small antenna and an electronic GPS "spoofer" that they built for $3 000.

The University of Texas team fed counterfeit radio signals to the yacht, driving the yacht far off course. The team was able to steer the boat left and right. The entire time the team had control of the navigation system, the ship's GPS system reported nothing amiss, and showed the yacht moving along its intended course.

"The ship actually turned and we could all feel it, but the chart display and the crew saw only a straight line," Humphreys said.

"We injected our spoofing signals into its GPS antennas and we're basically able to control its navigation system with our spoofing signals," Humphreys told Fox News.

He said an easy and sinister "spoof" would be "to slowly slide a vessel onto a parallel course. Over time, the compass might read the same heading, but the ship could be far from where the crew thinks it is."

The potential of this flaw has dire and far-reaching consequences. Attackers could steer a ship into treacherous waters, putting it on a collision course with another boat. Effectively, they could shut down ports, or run ships aground.

"With 90% of the world's freight moving across the seas and a great deal of the world's human transportation going across the skies, we have to gain a better understanding of the broader implications of GPS spoofing," Humphreys said.

He said the experiment would work on other "semi-autonomous vehicles" - aircraft, which are now operated, in part, by autopilot systems. "We've got to put on our thinking caps and see what we can do to solve this threat quickly."

Schofield said he was "gobsmacked" by the results, and said he is "sounding a global alarm".

Just over a year ago, Fox News reported on another experiment conducted by Humphreys, in which he was able to feed spoofing signals into a drone's GPS, nearly causing it to fall out of the sky.

This resulted in Humphreys being called before Congress to testify. He also spoke to the FAA, CIA and the Pentagon. Despite the government being aware of this, Humphreys believes it is doing little to address the threat.

However, this recent experiment takes Humphreys' research to new levels, as before, he said he had no idea just how easy it was not only to spoof a ship, but to obfuscate the attack.

Texas congressman Mike McCaul, chairman of the Homeland Security Committee, according to Fox News, said: "It's a very serious homeland security issue that we've asked the secretary to review and look at, and she's never responded to my requests.

"The department seems to be thumbing its nose at it, saying it has no jurisdiction over this issue and not really showing any interest in this issue at all."

McCaul and two other senators have asked the Government Accountability Office to investigate what the Department of Homeland Security's plans are to address this "critical threat to national security".

A draft report which could, depending on the results, trigger more Congressional hearings, is due in August.

Join the military

Uri Rivner, VP of business development and cyber strategy at BioCatch, says: "The bottom line is that the GPS network, which was launched into space by the US, has non-encrypted signals for public use, and encrypted signals for US military use. Russia has a separate satellite network for its own use, and other nations such as China, India and the European Union plan a similar system.

"Today, every non-military GPS receiver can be spoofed - the only thing that is needed is to get close with your spoofing gear to the antenna and over-ride the original signals. This is true for transportation systems as well as personal GPS systems - think of the one on your iPhone or your car navigation gadget.

"The implications are clear - anyone can hijack your GPS for their nefarious deeds, and the only thing you can do at the moment is hope it's a prank rather than a cyber crime, cyber terror or hacktivism attack. Your other course of action is to join the military, as their GPS stream is fully encrypted," Rivner notes.