• United States



Contributing writer

What is GPS spoofing? And how you can defend against it

May 07, 201910 mins
Critical InfrastructureSecurity

The U.S. Global Positioning System, part of a network of global navigation satellite systems (GNSS), is vulnerable to attacks that could disrupt many industries. Here's how it works and what you can do to mitigate its risk.

green pin stuck in a gps device 125434813
Credit: Thinkstock

GPS spoofing definition

GPS spoofing is an attack in which a radio transmitter located near the target is used to interfere with a legitimate GPS signals. The attacker can transmit no data at all or could transmit inaccurate coordinates.

The U.S.-operated Global Positioning System (GPS) is just one of the world’s global navigation satellite systems (GNSSs). Others include Russia’s GLONASS, China’s BeiDou Navigation Satellite System, and the European Union’s Galileo.

GNSS is also used for accurate timing, and attackers can interfere with that function. For example, in March, at the Geneva Motor Show in Switzerland, an attack from an unknown source affected the GPS systems of Audi, Peugeot, Renault, Rolls-Royce, Volkswagen, Daimler-Benz and BMW cars. Instead of showing the accurate location, the cars were reporting that they were in Buckingham, England, in the year 2036.

GPS spoofing is also used to refer to smartphone apps that can affect a phone’s location data, as well as to cyberattacks against networked systems that rely on GPS data.

Types of GPS spoofing

It used to be that GNSS spoofing was primarily the domain of state-sponsored actors. According to C4ADS, signal generators capable of spoofing a GPS signal used to cost thousands of dollars and required expert operators.

These kinds of attacks are still common, with Russia, for example, reportedly frequently interfering with location data near politically sensitive targets such as Syria or Crimea or in the vicinity of Russian President Vladimir Putin. Today, GNSS spoofing can be accomplished with cheap, commercially available and portable software-defined radios running open source software and costing under $300.

In the most common example, an attacker would position a broadcast antenna and point it at the target’s GPS receiver antenna to interfere with GPS signals of nearby buildings, ships, or aircraft. More powerful and expensive transmitters can be used for wide-scale attacks.

A spoofing device can also be deployed via drone or carried onto an airplane by a passenger. The smallest devices are a little bigger than a smartphone and cost around $100. These can be used when the attacker is very close to the target.

Cyberattacks are also possible, where attackers go after the target’s GPS devices. The most common of these are smartphone apps that can override a phone’s legitimate location data. Some of these apps are available for free in mobile app stores, such as this Fake GPS location app for Android, which has more than 10 million installs.

Any company that uses smartphone-based location functionality is vulnerable. Uber, for example, has seen drivers create fake trips using such an app. Uber is now using machine learning to identify suspicious trips, such as those where the elevation data doesn’t match the physical location.

Where has GNSS spoofing occurred?

Last month, a Washington, DC, research group, C4ADS, published a report detailing nearly 10,000 instances in which Russia interfered with satellite navigation of more than 1,300 civilian vessels in ten different locations around Russia, Ukraine, and Syria. Other organizations have also reported widespread examples of interference with GNSS signals.

According to a March report by the International Civil Aviation Organization, GNSS interference has been reported throughout the Middle East, with 65 incidents in the region in the last two years. Eurocontrol has received more than 800 reports of GPS disruption in Europe and surrounding areas during the first half of 2018 alone.

MARAD, the U.S. Department of Transportation agency responsible for maritime transportation, has issued alerts about GPS interference in the seas near Cyprus, Egypt and Saudi Arabia. The U.S. Coast Guard is also collecting reports of GPS problems. For example, in April there was a report of suspected interference near an airport in Texas, and two reports from Egypt. In March, there were reports of “unknown interference” in Greece, Spain and China.

The problem is common enough that a January survey by the Aircraft Owners and Pilots Association reported that more than 64% of pilots said they were concerned about GPS interference. In addition to deliberate and malicious spoofing of GNSS signals, organizations that rely on GNSS must also be prepared for the usual round of technical glitches, interference due to weather events, and other problems. 

Is your company at risk for GPS spoofing?

Two years ago, mostly the defense industry was concerned about GNSS spoofing, says Yonatan Zur, CEO at Regulus Cyber, a company that manufactures GNSS security technology. “But now, there are many more actual attacks,” he says. “People are looking for solutions.”

According to C4ADS, GNSS spoofing has already been used to cheat at Pokemon Go and hijack vehicle navigation systems. In fact, any company that relies on GNSS location or timing services is vulnerable to a GNSS spoofing attack, and GNSS services have become ubiquitous for a wide variety of functions. GNSS is used by companies to locate equipment and employees, enable just-in-time delivery to factories, guide construction machinery, and to improve agricultural productivity by enabling more targeted use of fertilizer and pesticides.

In the financial markets, GNSS is used to provide a universal time source. Telecommunication companies and power utilities also use GNSS to synchronize communications and energy transmissions.

Location data is routinely used by websites and mobile apps to deliver better service to consumers. Media companies such as Netflix and Hulu use location data to deliver media only to regions where they have distribution licenses for the content. In cybersecurity, location data is used to help authenticate user identities.

In addition to increased penetration of the technology in all industry sectors, GNSS is also playing a critical function in emerging technologies such as autonomous cars and drones, and in augmented reality applications. There are also applications for physical security. For example, some companies use GPS-based geo-fencing for physical locks or for digital systems.

“Many trucking companies today are using geo-fencing to keep people from opening the truck until it gets to its destination,” says Zur. “Hijackers are using GPS spoofing to eliminate those locks.” When trucks use GPS signals to track and report their positions, criminals can also use GPS spoofing to hide a truck’s location. “In Brazil, they lose a billion dollars a year from trucks being hijacked, and many of those hijacks are using GPS spoofers.”

How to protect against GPS spoofing

 In the defense sector, where GPS spoofing has been a possibility from the start, there are encrypted versions of the system. In transportation and logistics, there are backup systems, such as ground-based navigation beacons and paper charts.

Since accidental radio interference and weather can also sometimes affect GNSS signals, airline and shipping companies have always needed backups systems. “I don’t know of any cases [of GPS spoofing] that actually caused a plane to go down or a ship to run aground,” says Harrison Van Riper, strategy and research analyst at London-based Digital Shadows. “I don’t want to downplay the actual risk, but it’s not a widespread issue that’s going to be causing a lot of damage. If this was a widespread issue, we would already know about it.”

For many other commercial applications, the military-grade encrypted systems aren’t an option and it can be hard to find a practical alternative to GNSS. The problem is only going to get worse. There are now 6 billion GNSS sensors in use in devices, according to a recent report by the European Global Navigation Satellite Systems Agency. That number is expected to reach 8 billion by 2023.

“GPS touches everywhere we go and everything we do,” says Ray DeMeo, COO at Virsec Systems, a cybersecurity company. “We just take it for granted that it’s there. The idea that someone’s actively hacking it, or forcing it to give false signals, is very scary.”

DeMeo is also worried that the reports we’ve seen so far don’t paint a full picture of what attackers could do. “Can they compromise the satellite grid itself?” he asks. “Everyone is very much on edge.”

The UK Space Agency analyzed the potential disruption that a widespread GNSS outage could cause. Calling it “the invisible utility,” the agency estimated that a five-day outage could cost the UK more than 5 billion pounds.

There’s a new generation of navigation satellites on the horizon that are designed to be more secure, says DeMeo. “But it’s not something that can be fixed overnight.” Until then, other satellite systems can provide location data, though not as accurately as GNSS, as well as other location systems, such as cell phone towers.

For digital threats, such as GPS spoofing apps or cyberattacks, companies should employ basic cybersecurity principles to protect their systems. In addition, as with Uber, machine learning and other analytics can be used to detect suspicious user behavior.

For radio-based attacks, companies can position their antennas so that they are less likely to pick up ground-based signals and to place them where they can’t be seen by the public. The Department of Homeland Security (DHS) also recommends that companies use duplicate antennas, such as on opposite ends of a building or ship. “You can also install a blocking antenna that blocks any signals that are fraudulent or can cause interference,” says Van Riper. He recommends that companies start with the DHS recommendations. “Look through the document and see if there’s anything they can do that’s feasible and within their financial constraints.”

As with digital GPS spoofing, companies can use analytics to detect unusual signals, such as different receivers reporting different data or if there’s a sudden, large and unexpected change in the location or time data. When that happens, companies should be ready to switch to an alternate system until accurate signals are restored.

Vendors are looking to tackle this problem, in both hardware and software, such as Regulus Cyber, an Israel-based technology company that provides hardware to telecoms and OEMs. “GPS is essentially radio,” says Regulus Cyber’s Zur. “It’s very weak, and it’s quite easy today to transmit on the same frequency and confuse receivers.”

However, the fake transmissions will come from a closer location than those from real GPS satellites orbiting in space and, most often, will also come from the ground, not from the sky. Regulus Cyber sells a device that’s built around four antennas and advanced algorithms that can distinguish a fake signal from a real one, he says. Regulus is also working on a chip-based system and hopes to have a prototype ready for testing within a few months. The company is also researching a pure software solution. “It’s a classic machine learning type of project,” Zur says