Spoofed GPS

Estonian Hackers

Consider this fictional story: a near-peer state employs a ‘hacker’ team in Estonia to spoof military GPS and mislocate receivers by 500 meters during critical operations… 

They could use a small botnet hosted on compromised NHS computers to target mobile phone mast controllers in areas of UK military operations. Once hit, the software-defined radio in the base stations can be reprogrammed to broadcast GPS signals alongside the mobile phone carriers. 

Through this attack, the near-peer state gains control of the GPS signal. Instead of jamming GPS receivers, they are left to work as expected most of the time but are 500 meters out during critical operations. This avoids immediate suspicion but can still cause substantial damage. 

Botnets

A botnet is a collection of compromised computers infected with malware allowing remote control. Botnet owners usually control infected machines through methods such as IRC (Internet Relay Chat) to commands malicious activities such as DDoS attacks or bulk-send phishing emails. 

Military GPS Encryption: The P(Y) and c/A codes

It’s possible to spoof un-encrypted civilian GPS signals, but military GPS receivers have exclusive access to use the encrypted P(Y)-code to communicate with satellites.

This code consists of a series of ones and zeroes generated at a rate of 10.23 million bits per second, ten times the frequency of civillian c/A codes. It is so complicated that at first, the signals would appear to be noise. When the P(Y) code is encrypted, it’s called “Y-code” and only military receivers with the encryption key can receive it.                       

Cyberwarfare: The Captured U.S. RQ-170 Drone

Although very uncommon, military GPS has been successfully exploited before. In 2012  a US  RQ-170 Sentinel UAV (unmanned aerial vehicle) was captured by Iran’s Revolutionary Guards flying over the country’s airspace. Iran claims to have spoofed the drone’s GPS system with false coordinates, fooling it into landing prematurely near the city of Kashmar in northeastern Iran. 

How was it done? Avoiding decryption

"If they could overcome the sorts of of crypto systems that would protect this drone, they would not waste their time on surveillance drones. They would be breaking into banks."
John Pike
satellite expert and president of Globalsecurity.org

Despite their bold claims, the notion that Iran could have cracked the the p(Y) encryption should be faced with skepticism.  In fact, it is possible that Iran could have captured the US drone without it.

GPS satellites transmit on two legacy radio frequencies – the C/A code transmitted on L1, and the P(Y) on both L1 and L2. If the Iranians were able to jam the encrypted military code and force the drone into autopilot, then the drone could default to the C/A code for GPS updates and directions. Without encryption, it would be much easier for Iran to spoof the C/A code and fool the drone into accepting a spoofed position.

Cyber- Beyond Shutting Things Down

Cyber warfare should be viewed as much more than shutting down computers. For example Wannacry was used to extort money, despite shutting down over 300,000 computers in the process. We will cover more examples in future blog posts.

 

Leave a Comment

Your email address will not be published. Required fields are marked *