A session at DEFCON 25 in Las Vegas showed how easy it’s become to falsify GPS-based time signals. That has far-reaching implications for time-dependent networks.
The DEFCON cybersecurity conference, held every July in Las Vegas, could provide a thriller writer with many years’ worth of plot devices.
In Devon, we’re used to hearing about the crime writer Agatha Christie, who was particular about carrying out scientific research into what was possible. She would have enjoyed one session at this year’s conference which showed how it was possible to construct a compelling false alibi by using a GPS spoofing attack to modify a system timeline.
Let’s do the time warp again
The session presented by New Zealand pen-tester Dave Robinson (aka Karit) showed how, with a cheap software-defined radio programmed to act as a GPS transmitter, he could effectively warp time - making him seem to be somewhere else at a specific time.
It does that by interfering with the way systems acquire and processes GPS signals.
That has serious implications for any system that uses GPS-derived precise time or position data as a critical operational input - including financial trading systems, mobile telecoms networks, digital broadcast networks, transport, utility grids and some large corporate networks.
Precise time comes from GPS
These systems have come to rely on GPS (or sometimes another satellite positioning system) as their de facto source of precise time.
Each GPS satellite carries a set of atomic clocks which broadcast a continuous, ultra-precise time signal to the ground. That time signal is free to use, unlike the alternatives: installing and maintaining your own atomic clocks or subscribing to the precise time signal provided by an organisation like the UK’s National Physics Laboratory or NIST in the US.
All you need is a GPS receiver capable of acquiring it - so a basic commercial GPS chipset has become a very cheap way to obtain very precise time that is traceable to Universal Co-ordinated Time (UTC).
Once you’ve acquired the right time (down to the microsecond level), you can then propagate it through your network using a time transmission protocol and a network of clocks. That allows you to time-stamp fast-moving financial trades, for example, or synchronise data packets between cell towers so your subscribers can enjoy streaming video without glitches.
GPS time is vulnerable
The problem is that GPS time signals are extraordinarily weak, and thus highly vulnerable to disruption. Everyone knows someone who knows someone who’s installed a jammer in their company vehicle to prevent their employer knowing where they are. Those jammers work by drowning out the GPS signal with white noise, so the receiver can’t pick out the signal, and can’t compute the vehicle’s location.
But what Karit was demonstrating was a different type of GPS disruption, known as spoofing. Rather than drowning out the signal, his kit generates a false GPS signal. He then transmits this false signal to a GPS time receiver, which locks on to it because it’s stronger than the true GPS signal.
It is possible for the spoofed receiver to output a false time or position, a solution that differs significantly from reality - causing at best weirdness, and at worst, errors that are not detected, when the false output is regarded as being the truth by the host system.
In these circumstances, the impact can be high and could even include possible power outages or opportunities to commit crimes undetected.
(In fact, this 2015 story about an offender whose GPS-based ankle monitor seemed to provide a cast-iron alibi for a violent crime has interesting echoes of Karit’s demonstration.)
In some ways, this isn’t new. Spoofing is a well-known type of system hack, though it’s more often used to fool a device into believing it’s at a different location, rather than at a different point in time. The augmented-reality game Pokémon GO, for example, has been plagued by spoofers since it launched just over a year ago. And there’s increasing evidence of possible state-sponsored location spoofing in Russia.
A “simple and cheap party trick”
But three things are different about Karit’s spoofing demonstrations.
Firstly, we’re talking about falsifying time rather than location - opening up a whole new attack vector for hackers, and highlighting a poorly-understood vulnerability in time-dependent systems.
Secondly, it’s ridiculously cheap and easy to do. Karit’s kit cost him less than $500, leading him to describe GPS time spoofing as “a party trick - simple and cheap”.
And thirdly, the amount of interest in GPS spoofing was far higher than at previous DEFCONs. When Chinese security researchers Huang Lin and Yan Qing demonstrated the first software-defined spoofing kit at DEFCON 23 in 2015, the number of people who stayed to listen numbered a few hundred. At Karit’s session this year, there were easily 2,000 people in attendance. That’s a lot of people to get the word out about how to create replica GPS signals that can fool host systems.
How to protect yourself
So who should be worried about GPS time spoofing, and what should they do about it? In theory, any system that depends on precise time from GPS is potentially vulnerable - so users and manufacturers of those systems would be advised to conduct a risk assessment to understand the likely impact to the system of a GPS time spoofing attack.
There are several ways to mitigate against an attack, including using multi-constellation or multi-frequency GNSS chips, rather than single-frequency GPS chips, and ensuring that the system is equipped to raise an alert when it detects a glitch in the time signal. Not all systems have these features, so it’s worth investigating yours and taking remedial action if necessary.
Learn more about the latest GPS hacks at INC 2017
I’m going to be exploring the emerging and novel ways that have been developed to hack Position, Navigation and Timing Systems in my keynote address at the Royal Institute of Navigation’s International Navigation Conference 2017 in Brighton from 27-30 November, so do come along to that event if you’d like to learn more.
In the meantime, you can join the GNSS Vulnerabilities LinkedIn Group to stay up to date with new GPS cyberthreats and incidents.