OKTA
GPS spoofing is when a counterfeit radio signal is transmitted to a receiver antenna to counteract and override a legitimate GPS satellite signal. It is often a form of cyberattack perpetrated by bad actors attempting to steer goods or people off course.
GPS spoofing can be used to steal shipments, send boaters into the hands of pirates, or project a false location.
Global positioning system, or GPS, technology is a standard part of many businesses and used by many consumers.
Using GPS can help individuals to navigate from one point to another. It is common practice for shipping and individuals relying on the technology to reach a specific destination.
Companies and individuals can take measures to protect against GPS spoofing, including using decoy antennae and keeping GPS-enabled equipment offline when connectivity is not necessary. Practicing good cyber hygiene can also help to protect against GPS spoofing.
Defining GPS spoofing
In short, the word “spoofing” means faking. With GPS spoofing, “fake” information is sent to a receiver while overriding the actual information.
GPS spoofing involves a radio transmitter near a target that interferes with the actual GPS signals being transmitted. GPS signals are often weak and transmitted through satellites. A stronger radio transmitter can be used to override the weaker signal and send illegitimate coordinates and information to the receiver.
GPS spoofing can then send people off course or say that someone is somewhere that they are not.
GPS is one of the global navigation satellite systems (GNSS) used in the world. Along with delivering location information, it is also used to keep accurate time. These functions can also be disrupted through spoofing or jamming.
Impacting businesses and individuals alike, GPS spoofing can interfere with smartphone apps and location data as well as involve cyberattacks on network systems and critical infrastructure that relies on GPS data.
How does GPS spoofing work?
The U.S. GPS system is made up of 31 satellites known as Navstar that broadcast PRN codes to both civilians and the U.S. military. The codes sent to the military are encrypted. Civilian PRN codes are not and are published in public databases. This makes them vulnerable to cyberattack.
A hacker will first determine which of the GPS satellites will be nearby based on its orbit. From there, the hacker will then use the public PRN code to make a new code for each satellite. These signals are broadcast to the nearby satellites and gradually increased in strength until the receiver grabs hold of the spoofed codes. The attacker can then input false coordinates to the receiver.
Different types of GPS spoofing
GPS spoofing sends false data to a receiver to divert traffic, goods, or people with falsified information. When done on a large scale, such as by a state-sponsored actor, GPS spoofing can involve expensive equipment and expert operators.
Russia, for example, has potentially engaged in nearly 10,000 spoofing cases, sending out false location data to civilian ships, to prevent drones from approaching President Putin and to safeguard sensitive sites. This type of spoofing involves equipment capable of sending spoofing signals potentially 500 times stronger than the authentic GNSS.
GPS spoofing can also be done with cheap, portable, commercially available equipment, including software-defined radios running open-source software. With this type of spoofing, a broadcast antenna is used to point at a target’s GPS receiver to override the GPS signals provided by nearby buildings, aircraft, or ships.
Spoofing devices can also be carried onto airplanes by a passenger or deployed by a drone. These devices are small and handheld, inexpensive, and can be used very close to a target.
Cyberattacks are also possible forms of GPS spoofing, often involving smartphone apps that interfere with the phone’s legitimate location data.
The harms of GPS spoofing
GPS spoofing can be detrimental for both companies and individuals alike. Potential issues can have global implications. Some of the industries most vulnerable to GPS spoofing include shipping companies, construction companies, and rideshare and taxi companies.
These are some hazards of GPS spoofing:
- Misdirecting cargo shipments to alternate locations to steal the shipments: Often, shippers use GPS-enabled locks to ensure that they are only opened when they reach their destination, but GPS spoofing can unlock these.
- Hijacking a boat for piracy purposes: This can include large cargo ships, cruise ships, yachts, and private boats that rely on GPS coordinates to navigate the seas.
- Interfering with GPS at airports: This can cause a plane to go off course or have to attempt a “blind” landing, putting everyone on board at risk.
- Moving assets from construction sites: Construction equipment is often expensive and involves high-value items that are protected through GPS asset tracking systems. These systems can be spoofed to send equipment to false locations where it is stolen.
- Taxi and rideshare operators falsifying locations for profit: Ride share apps often rely on “surge” pricing during peak times, and drivers can use GPS spoofing to place themselves in these locations for financial gain. It can also allow them to incorrectly report their location in order to commit criminal acts while on the clock.
- Sending people on “fake” dates: Dating apps are commonly used to set up dates, and GPS spoofing can send a potential date into a dangerous location or into the hands of a predator.
- Misdirecting cars: Drivers and cars often use GPS to reach a destination. When this information is spoofed, they can be sent off course. This is especially concerning when considering the vulnerability of fully autonomous self-driving cars.
- Disrupting the universal time source: Financial companies, power utilities, and telecommunication companies all use the GNSS universal time source. If this is spoofed, it has the potential to crash financial markets, cause power blackouts, and disrupt the communication grid.
- Disrupting services through mobile apps and websites: Location data is used by many of these sites and apps to verify customer identities. When spoofed, it can give false information and deny someone access.
Ways to protect against GPS spoofing
Companies can use a variety of techniques to protect against GPS spoofing, including cryptography, direction-of-arrival sensing, and signal distortion detection.
- Cryptography: With cryptography, organizations encrypt the satellite codes coming and going. Only those with access to these codes can read the coordinates. This is similar to the way military encryption works.
This is not always an effective method on its own in the civilian sector, however, since it requires distribution of the “key” to unlock the encrypted data. Since that key has to be widely distributed, it is therefore vulnerable to hackers.
- Direction-of-arrival sensing: Spoofers are typically in one static place when attempting an attack, which means that the false signals they send are coming from only one place. This can be spotted through direction-of-arrival sensing since legitimate GPS data is transmitted from multiple satellites at once.
- Signal distortion detection: This method involves the addition of more signal-processing channels and hardware that can track the signal’s amplitude profile with a higher level of accuracy.
When a GPS signal is spoofed, it will initially send both the original signal and the false one, which can create a small “blip.” If this can be detected at the beginning of the spoof before the original signal is dropped off and the “drag off” to the false one has occurred, the attack can potentially be stopped.
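The direction-of-arrival check described above can be sketched as follows. This is an added example, not code from the original article; it assumes an antenna array that reports an azimuth and elevation for each tracked signal, and the sample measurements and the 15-degree threshold are constructed for illustration.

```python
import math
from itertools import combinations

# Constructed sample data: PRN -> (azimuth_deg, elevation_deg) of arrival.
NORMAL = {"PRN03": (45.0, 60.0), "PRN07": (130.0, 25.0), "PRN14": (220.0, 40.0),
          "PRN22": (310.0, 15.0), "PRN30": (10.0, 75.0)}
# Every "satellite" arrives from nearly the same point low on the horizon.
SPOOFED = {"PRN03": (92.0, 4.0), "PRN07": (93.5, 5.0), "PRN14": (91.0, 3.5),
           "PRN22": (94.0, 4.5), "PRN30": (92.5, 5.5)}

def unit_vector(az_deg, el_deg):
    """Convert azimuth/elevation to an east-north-up unit vector."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))

def angle_between(a, b):
    """Angle in degrees between two unit vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return math.degrees(math.acos(max(-1.0, min(1.0, dot))))

def max_separation(arrivals):
    """Largest angle between any two arrival directions."""
    vecs = [unit_vector(az, el) for az, el in arrivals.values()]
    return max(angle_between(a, b) for a, b in combinations(vecs, 2))

def single_source_suspected(arrivals, min_spread_deg=15.0, min_signals=4):
    """True if all signals arrive from one direction, None if too few to judge."""
    if len(arrivals) < min_signals:
        return None
    return max_separation(arrivals) < min_spread_deg

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("spoofed", SPOOFED)):
        print(label, round(max_separation(data), 1), single_source_suspected(data))
```
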
The Department of Homeland Security (DHS) provides the following tips for protecting businesses against GPS or GNSS spoofing attacks:
- Obscure or hide your real antennas. Make sure they are not visible to the public by installing barriers or putting them in a place where they will not be seen.
- Choose the location of your antennas carefully. They will need a clear view of the sky, but it can be wise to ensure that they are blocked from public locations and nearby buildings.
- Install decoy antennas. Make these antennas clearly visible and put them at least 300 meters away from your real ones.
- Add redundant antennas. Having more than one antenna in a slightly different location can help companies to spot potential issues quickly.
- Use blocking antennas. These work to protect against jamming and interference. They can also lower the risk for spoofing attacks.
- Use backups. Inertial sensors can help to determine actual position, and cesium or rubidium clocks can work as backup timing systems when GPS is down. Backup systems that do not rely on GPS are helpful in the event of an issue.
- Practice good cyber hygiene. When not needed for network connectivity, GPS receivers and associated equipment should be kept offline. Two-factor authentication should be in place, passwords changed often, and updates and patches installed regularly. Virus protection, firewalls, and cyber defense practices should all be implemented.
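One way to put the redundant-antenna and backup-clock tips to work at a fixed site is to compare every fix against what is already known. This is an added example, not DHS or Okta code; the surveyed positions, tolerances, and sample fixes are constructed, and the checks assume stationary antennas with a free-running backup clock.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed sample data: two fixed antennas about 85 m apart, (lat, lon) in degrees.
SURVEYED = {"ant_a": (40.0000, -105.0000), "ant_b": (40.0000, -104.9990)}
CLEAN = {"ant_a": (40.00001, -105.00001), "ant_b": (40.00001, -104.99899)}
# Both receivers report the same false position.
SPOOFED = {"ant_a": (40.0100, -105.0100), "ant_b": (40.0100, -105.0100)}

def distance_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def check_epoch(surveyed, fixes, gps_minus_backup_us,
                pos_tol_m=30.0, baseline_tol_m=20.0, time_tol_us=1.0):
    """Return a list of alerts for one measurement epoch."""
    alerts = []
    # 1. A fixed antenna should report its surveyed position.
    for name, fix in fixes.items():
        if distance_m(surveyed[name], fix) > pos_tol_m:
            alerts.append(f"{name}: fix is off its surveyed position")
    # 2. The distance between redundant antennas should match the survey.
    names = sorted(fixes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            expected = distance_m(surveyed[a], surveyed[b])
            reported = distance_m(fixes[a], fixes[b])
            if abs(expected - reported) > baseline_tol_m:
                alerts.append(f"{a}-{b}: baseline mismatch")
    # 3. GPS time should agree with the cesium/rubidium backup clock.
    if abs(gps_minus_backup_us) > time_tol_us:
        alerts.append("time: GPS disagrees with backup clock")
    return alerts

if __name__ == "__main__":
    print(check_epoch(SURVEYED, CLEAN, 0.05))
    print(check_epoch(SURVEYED, SPOOFED, 12.5))
```
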
Benefits of GPS spoofing
While GPS spoofing does create a lot of potential risks and vulnerabilities for consumers and businesses, it can also have some legitimate and beneficial purposes.
GPS tracking involves location sharing, which can be a privacy concern. For this reason, GPS spoofing techniques can be used to hide the actual location of a person or product. There are many GPS spoofing apps and products on the market for just this purpose.
GPS spoofing is also used by security companies wishing to protect high-value targets or individuals. Spoofing techniques are regularly used by consumers who wish to “trick” a system into thinking they are somewhere where they are not, such as in the case of location-based smartphone games and apps. These can often be downloaded for free from the app store on a smartphone.
Additional resources
- Resource product list for GPS spoofing protection from Homeland Security Systems Engineering and Development Institute (HSSEDI)
- Information on the PNT (Positioning, Navigation, and Timing) Program and resources provided through DHS
- A GPS Receiver Whitelist Development Guide from DHS, which is a free resource for device developers
References
GPS Is Easy to Hack, and the U.S. Has No Backup. (December 2019). Scientific American.
Russia ‘Spoofing’ GPS on Vast Scale to Stop Drones From Approaching Putin, Report Says. (March 2019). NBC News.
News Release: DHS Publishes Two Free Resources to Protect Critical Infrastructure From GPS Vulnerabilities. (October 2021). Science and Technology Directorate.
Responsible Use of GPS for Critical Infrastructure. (December 2017). Homeland Security Systems Engineering and Development Institute (HSSEDI).
Positioning, Navigation, and Timing (PNT) Program. (January 2022). Science and Technology Directorate.
GPS Receiver Whitelist Development Guide. (July 2021). U.S. Department of Homeland Security (DHS).
How GPS jamming and spoofing affect ELDs
GPS Jamming
- What it does: A GPS jammer emits a radio signal that overpowers and blocks the weak signals from GPS satellites. This causes the ELD’s location tracking to go offline.
- How it creates false logs: An ELD without a GPS signal is unable to accurately track a truck’s movement. In the event of a lost GPS signal, a driver may be able to manually log their status as “off-duty” or “sleeper berth” while still driving, enabling them to exceed their legal driving hours.
- The consequences: A loss of GPS signal is easily identified by roadside inspectors, who can issue out-of-service orders and require manual paper logs.
GPS Spoofing
- What it does: A GPS spoofer broadcasts a fake GPS signal to trick the ELD into thinking the truck is in a different location. According to freight data experts, spoofing can be done with fake ELD devices or apps found online.
- How it creates false logs: A driver or carrier can make it appear that a truck is parked at a terminal or at home while the driver is actually on the road. This allows drivers to hide excess driving time by making it look like they took a required break.
- The consequences: Some ELD data providers have identified cases of spoofed locations using corroborating video evidence. This activity can lead to severe penalties, including fines and criminal charges.
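A back-office audit can surface both patterns described above by cross-checking GPS position against a second movement signal. This is an added example, not part of the original page; the record layout and field names are hypothetical, the odometer cross-check is an assumption about what data is available, and the sample log is constructed.

```python
import math

# Constructed sample log; "fix" is (lat, lon) or None when no GPS fix was recorded.
SAMPLE_LOG = [
    {"t": "08:00", "fix": (41.0, -87.0), "odometer_km": 1000, "status": "driving"},
    {"t": "09:00", "fix": (41.0, -86.0), "odometer_km": 1085, "status": "driving"},
    {"t": "10:00", "fix": (41.0, -86.0), "odometer_km": 1170, "status": "sleeper_berth"},
    {"t": "11:00", "fix": (41.0, -86.0), "odometer_km": 1170, "status": "sleeper_berth"},
    {"t": "12:00", "fix": None, "odometer_km": 1250, "status": "driving"},
]

def displacement_km(p, q):
    """Approximate straight-line distance between two (lat, lon) fixes."""
    dlat = math.radians(q[0] - p[0])
    dlon = math.radians(q[1] - p[1]) * math.cos(math.radians((p[0] + q[0]) / 2))
    return 6371.0 * math.hypot(dlat, dlon)

def audit(records, min_odo_km=2.0, max_ratio=0.25):
    """Return (time, reason) findings for intervals that need human review."""
    findings = []
    for prev, cur in zip(records, records[1:]):
        odo = cur["odometer_km"] - prev["odometer_km"]
        if odo < min_odo_km:
            continue  # the vehicle did not meaningfully move in this interval
        if prev["fix"] is None or cur["fix"] is None:
            findings.append((cur["t"], "moved with no GPS fix (possible jamming)"))
        elif displacement_km(prev["fix"], cur["fix"]) < max_ratio * odo:
            # A round trip also lands here, so this is a review flag, not proof.
            findings.append(
                (cur["t"], "odometer advanced but position did not (possible spoofing)"))
        if cur["status"] in ("off_duty", "sleeper_berth"):
            findings.append((cur["t"], f"moved while logged {cur['status']}"))
    return findings

if __name__ == "__main__":
    for when, reason in audit(SAMPLE_LOG):
        print(when, reason)
```
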
Other ELD manipulation tactics
While GPS manipulation is a major tactic, regulators have identified other methods used to falsify ELD data:
- Ghost drivers: Creating “dummy” driver accounts to assign driving hours and avoid violations.
- E-log forgery services: Organized, often foreign-based, services that offer 24/7 support to monitor and retroactively alter driver records.
- Altering logs via back-end access: Some carriers make edits to driver logs from a back office, and in some cases, without leaving an obvious record of the change.
- Unplugging devices: Drivers can simply unplug or deactivate the ELD to halt the recording of data.
- Improper use of “personal conveyance”: Drivers can incorrectly use the personal conveyance status—driving the vehicle for personal, non-work reasons—to mask excess driving hours.
