Spoofed GPS

Battlefield Intelligence, Communication Systems, Cyber Security / By

Estonian Hackers

Not all cyber attacks have to destroy or disable.

A near-peer state could employ a ‘hacker’ team in Estonia. The team has the use of a botnet on compromised UK NHS computers. This botnet could be used to attack a software-defined radio on a mobile-phone mast in a military area of operations, and programme it to broadcast spoof GPS signals.

Through this attack the near-peer state gains control of the GPS signal. Instead of jamming the GPS receivers which would alert users, they are left to work as expected most of the time but are gradually drifted out of real position during critical operations.
 
At no point are the attackers using network systems that are controlled by, or defended by, the military but they can still impact military equipment and performance.
 
Is this realistic?

Botnets

A botnet is a collection of compromised computers infected with malware allowing remote control. Botnet owners usually control infected machines through methods such as IRC (Internet Relay Chat) to commands malicious activities such as DDoS attacks or bulk-send phishing emails. 

botnet

Military GPS Encryption: The P(Y) and c/A codes

It is possible to spoof un-encrypted civilian GPS signals, but military GPS receivers have exclusive access to use the encrypted P(Y)-code to communicate with satellites.

This code consists of a series of ones and zeroes generated at a rate of 10.23 million bits per second, ten times the frequency of civillian c/A codes. It is so complicated that at first, the signals would appear to be noise. When the P(Y) code is encrypted, it’s called “Y-code” and only military receivers with the encryption key can receive it.                       

Cyberwarfare: The Captured U.S. RQ-170 Drone

Although very uncommon, military GPS has been successfully exploited before. In 2012  a US  RQ-170 Sentinel UAV (unmanned aerial vehicle) was captured by Iran’s Revolutionary Guards flying over the country’s airspace. Iran claims to have spoofed the drone’s GPS system with false coordinates, fooling it into landing prematurely near the city of Kashmar in northeastern Iran. 

How was it done? Avoiding decryption

"If they could overcome the sorts of of crypto systems that would protect this drone, they would not waste their time on surveillance drones. They would be breaking into banks."
John Pike
satellite expert and president of Globalsecurity.org

Despite their bold claims, the notion that Iran could have cracked the the p(Y) encryption should be faced with skepticism.  In fact, it is possible that Iran could have captured the US drone without it.

GPS satellites transmit on two legacy radio frequencies – the C/A code transmitted on L1, and the P(Y) on both L1 and L2. If the Iranians were able to jam the encrypted military code and force the drone into autopilot, then the drone could default to the C/A code for GPS updates and directions. Without encryption, it would be much easier for Iran to spoof the C/A code and fool the drone into accepting a spoofed position.

Cyber- Beyond Shutting Things Down

Cyber warfare should be viewed as much more than shutting down computers. For example Wannacry was used to extort money, despite shutting down over 300,000 computers in the process. We will cover more examples in future blog posts.