11 August 2020

How Vulnerable Is G.P.S.?

By Greg Milner

In the cool, dark hours after midnight on June 20, 2012, Todd Humphreys made the final preparations for his attack on the Global Positioning System. He stood alone in the middle of White Sands Missile Range, in southern New Mexico, sixty miles north of Juárez. All around him were the glowing gypsum dunes of the Chihuahuan Desert. In the distance, the snow-capped San Andres Mountains loomed.

On a hill about a kilometre away, his team was gathered around a flat metal box the size of a carry-on suitcase. The electronic machinery inside the box was called a spoofer—a weapon by another name. Soon, a Hornet Mini, a drone-operated helicopter popular with law-enforcement and rescue agencies, was scheduled to appear forty feet above them. Then the spoofer would be put to the test.

Humphreys, an engineering professor at the University of Texas at Austin, had been working on this spoofing technology for years, but he was nervous. Witnessing the test that morning was a group of about fifteen officials from the Federal Aviation Administration, the Department of Homeland Security, and the Air Force’s 746th Test Squadron. They were Humphreys’s hosts, but they very much wanted him to fail. His success would mean a major reckoning for the entire G.P.S. system—and, in turn, for the effectiveness of some of the country’s principal military and defense systems. Drones, which rely on G.P.S. to navigate, are an increasingly indispensable part of our security apparatus. Demand for them is growing elsewhere, too. There are now over a million more recreational drones in the sky than there were just four years ago. Sales of high-precision commercial-grade drones—for everything from pipeline inspections to 3-D mapping—increased more than five hundred per cent during the same period.


When D.H.S. had first contacted Humphreys a few months earlier, the department was worried about one kind of G.P.S. vulnerability in particular—a disruption to the system called jamming. By transmitting interference, jammers are able to overwhelm a G.P.S. signal and render a drone’s receiver inoperable. There’s no great mystery about how jamming works, but D.H.S. approached Humphreys because it wanted to test the technology in action: Would he be interested in helping with a demonstration?

Humphreys accepted the invitation right away, then told the officials that he wanted to focus on a different, more sophisticated threat. In 2011, Iran had made headlines by successfully capturing a C.I.A. drone about a hundred miles from the border with Afghanistan. No one had been sure how the seizure happened: jamming could disorient a drone but not take it over. Humphreys suggested that Iran had succeeded by spoofing the signal—not just interfering with it but actually replacing it with a phantom G.P.S. signal. Tricked into trusting the false system, aircraft could then be commandeered and captured. “Let’s try something more ambitious,” Humphreys told D.H.S. He would see whether he could down a drone.

Humphreys, now forty-five, has a gee-whiz fascination with the scientific world that can make him seem younger than he is. He’s earnest and telegenic; you can imagine him hosting a PBS kids’ show that launches a million stem majors. A Utah native, Humphreys had planned to be a patent attorney. But, as an intern at nasa’s Jet Propulsion Laboratory, he listened to a nasa lawyer discussing an upcoming patent and realized that he wanted to be the one inventing things, not approving the inventions. “I thought, Why would I want to be on his side of the table? He’s just taking notes,” Humphreys told me. Humphreys got interested in G.P.S. while he was an engineering grad student at Cornell. He’d been studying software-defined radio—the processing of radio waves by computer software, rather than traditional hardware—and began to wonder whether his research could be used to build a brand-new kind of G.P.S. receiver.

G.P.S. is owned by the Department of Defense, operated by the Air Force from a heavily secured room at a base in Colorado, and available for free to anyone in the world. There are twenty-four active G.P.S. satellites, orbiting at twenty thousand kilometres, each one emitting a radio signal that contains a timecode and a description of the satellite’s exact position. By measuring the transmission time of the signal, a G.P.S. receiver determines its distance from the satellite. If the receiver does this simultaneously with the signals of at least four satellites in its line of sight, it can extrapolate its position in three dimensions. During the roughly sixty-seven milliseconds the signal takes to reach us, it grows exceedingly faint. The task of receiving the signal and extracting its informational component is often compared to trying to read using a light bulb in a different city.

The core technology of this system has remained the same since the first G.P.S. satellite was launched, in 1977, but its uses have proliferated at an astonishing speed. Although the Air Force oversees satellites that transmit signals, once those signals are broadcast into the world, they belong to everyone. Because G.P.S. is a “passive” system—meaning it merely requires a user to receive a signal, not transmit one—it can handle infinite growth. The number of G.P.S. receivers could double tomorrow without affecting the underlying infrastructure at all. From improving maps to measuring the minute movement of tectonic plates, people have devised more ingenious uses for the G.P.S. signal than the system’s original architects could ever have imagined. Humphreys is one such innovator.

Test day at White Sands was the first time Humphreys’s team had used the spoofer outside the lab: because transmitting a fake G.P.S. signal is illegal, they had never even done a full dress rehearsal. For Humphreys, who made money in college as a magician at children’s parties, it felt like premièring a difficult trick without any practice. Around two A.M., the Hornet appeared, hovering forty feet above the missile range. Humphreys spoke a code word into his handheld radio: “Lightning.” Up on the hill, his students switched on the spoofer. Gradually increasing its power, they directed the bogus signal toward the Hornet, which appeared to hesitate in midair, as if encountering an invisible obstacle. The spoofer was, in essence, whispering lies in the drone’s ear, feeding it inaccurate information about its location. Convinced that it had drifted upward, the drone tried to correct, beginning a steep dive toward the desert floor. Just as it was about to crash into the ground, a manual operator grabbed the controls, pulling the Hornet out of its nosedive. Humphreys’s team let out a celebratory whoop over the radio.

“We were the only ones clapping,” he told me recently. His hosts looked grim. When Humphreys wasted no time spreading the word about the spoofer’s achievement, they were even more displeased. “I’m told I’ll never be invited back,” he said. “They probably thought I’d do a sleepy presentation in an academic journal. But I was looking to communicate to the world what I thought was an alarming situation.”

Since the G.P.S. program began, in 1973, its satellite signals have been a source of controversy. It was the brainchild of an Air Force colonel named Bradford Parkinson, who, disillusioned by the indiscriminate air campaigns of the Vietnam War, imagined G.P.S. as a way to improve the accuracy of precision bombing. Parkinson’s research team designed two versions of the G.P.S. signal, one for civilian use and another, with tighter security protocols and more precise readings, for the military. But when the first G.P.S. satellites were launched, it quickly became clear that the civilian signal was more accurate than its architects had intended. And shrewd scientists discovered that although the military signal’s informational content was heavily encrypted, picking up the radio signal itself wasn’t difficult. It was like gleaning information about a sealed letter by looking at the envelope’s postmark.

In the nineties, the Pentagon intentionally corrupted the civilian signal—a practice known as “selective availability”—hoping to thwart terrorists or other bad actors who might otherwise use the signal to launch precision attacks on U.S. assets. But here, too, users found workarounds, and an order from President Bill Clinton, which took effect in 2000, halted the Pentagon’s program. G.P.S. could now be used to its full potential.

Soon, the civilian G.P.S. industry was flourishing. By the middle of the decade, Garmin, a leading consumer-G.P.S. company, posted more than $1.6 billion in sales. Car units were proliferating at an annual rate of more than a hundred and forty per cent. The in-car G.P.S. boom gave way, of course, to the smartphone boom: G.P.S. was now something you carried with you always. But the explosive growth of the civilian G.P.S. market also incentivized attempts to corrupt the signal. These days, pocket-sized G.P.S. jammers go for a few hundred dollars each on the Internet and offer an easy out for anyone worried about, say, a surveilling employer. A few years ago, so many truck drivers on the New Jersey Turnpike were using jammers to thwart their bosses’ tracking programs that spillover interference eventually disrupted the G.P.S.-based landing system at Newark Liberty International Airport.

G.P.S. is now crucially important for reasons that are unrelated to providing geolocation. Because the G.P.S. clocks are synchronized to within nanoseconds, the network’s signals are used to unify time-dependent systems spread over large areas. G.P.S. time helps bounce calls between cellular towers, regulate power flows in electrical grids, and time-stamp financial trades on the major exchanges. If a spoofer were to feed erroneous information that confused the clocks in even a few nodes of these systems, the damage could be widespread: as time errors multiply, communications systems could fail, wrongly apportioned power flows could result in blackouts, and automated trading programs could yank themselves out of the markets, causing crashes. And those are just a few scenarios. We still have not figured out exactly how to safeguard a technology that is so crucial yet so porous.

In 2001, the Department of Transportation released a report warning that G.P.S. could become a “tempting target” for enemies of the U.S. The joint study was the first official acknowledgment that spoofing was a real and significant threat. Humphreys heard about the report while at Cornell. The worst-case spoofing scenario it described seemed like something he could do himself—in fact, like something he could do better himself.

Humphreys suspected that these early, crude attempts at spoofing would be easy to detect and thwart. The real threat, he thought, would come from software-defined spoofers, which would be more powerful and more subtle. Traditional receivers rely on G.P.S. chips, which makes them fast but relatively inflexible: you can only change the physical hardware so much. By relying on code instead, software-defined receivers can be infinitely adaptable. Humphreys set about trying to build one. The finished model took years to perfect—“a real beast,” Humphreys called it—partly because he couldn’t perform any real tests on it without breaking the law. He began work on the spoofer at Cornell and finished it with the help of his students at the Radionavigation Laboratory at the University of Texas. It was this same device, contained in the metal luggage-like box, that took down the Hornet in White Sands.

In the months following this début demo, Humphreys kept testing the spoofer, generating an ever-longer list of its capabilities: it could override the timing systems used by mobile-phone networks, electrical grids, and trading programs. The initial good news was that Humphreys probably had one of the only software-defined spoofers in the world. For a few years, the F.B.I. regularly visited his office to insure that he was keeping his creation secure. Humphreys was happy to comply—he didn’t want the technology spreading any more than the F.B.I. did—but, by 2016, code for software-defined G.P.S. spoofers was appearing online, at security conferences, and at hacker conventions.

Then, as if to underscore the problem, in February, 2016, a software malfunction at the G.P.S. Master Control Station, in Colorado, caused a thirteen-microsecond clock error in some of the satellites. The glitch took hours to fix, during which the infected satellites spread the timing pathogen across the world. The worst catastrophes were avoided (“World dodges G.P.S. bullet,” proclaimed the trade journal GPS World), but computer networks crashed and digital broadcasts (including the BBC’s) were disrupted. Systems engineers couldn’t help but imagine—and fear—that the nightmare they’d barely avoided could soon become real.

The final experiment Humphreys conducted with his spoofer was something of a lark: the owner of a sixty-five-metre super-yacht invited him to try to commandeer its journey across the Mediterranean, from Monaco to Greece. Standing on the upper deck, Humphreys’s team aimed the spoofer at the ship’s antennas, leading the vessel hundreds of metres off course. The experiment was harmless but proved to be a harbinger of some of the most mysterious uses of spoofing.

Four years later, in June, 2017, a French oil tanker, the Atria, sailed across the Mediterranean, through the Bosporus strait, and into the Black Sea. As the ship approached the Russian city of Novorossiysk, the captain, Gurvan Le Meur, noticed that the ship’s navigation system appeared to have lost its G.P.S. signal. The signal soon returned, but the position it gave was way off. The Atria was apparently some forty kilometres inland, shipwrecked at the airport in Gelendzhik, a Russian resort town.

Le Meur radioed nearby vessels, whose captains reported similar malfunctions in their navigation systems: all in all, twenty other ships had been “transported” to the same inland airport. Meanwhile, something similar had been happening in Moscow—this time to Uber customers, not ship captains. Passengers taking short trips discovered that their accounts were charged for drives all the way to one of the city’s airports, or even to locales thousands of miles away.

The activity attracted the interest of the Center for Advanced Defense Studies (C4ADS), a Washington-based think tank focussed on security issues. Using data from ships, which are required by maritime treaties to continuously broadcast their location, researchers discovered that the spoofing problem was much larger than anyone had realized. According to a report released in March of 2019, there were ten thousand spoofing incidents at sea between February 2016 and November 2018, affecting about a thousand and three hundred vessels. Similar data are harder to come by for land vehicles, but C4ADS used heat maps from fitness-tracking smartphone apps to confirm that drivers near the Kremlin and in St. Petersburg encountered similar spoofing.

Once they had logged where and when the spoofing incidents occurred, researchers cross-referenced this information with the travel schedule of the Russian President, Vladimir Putin. On a fall afternoon in 2017, six minutes before Putin gave a speech in the coastal town of Bolshoy Kamen, a nearby ship’s G.P.S. coordinates showed it jumping to the airport in Vladivostok. In 2018, when Putin attended the official opening of a bridge across the Kerch Strait, at least twenty-four ships in the area reported their location as Anapa Airport, sixty-five kilometres away. What was going on? It seemed increasingly likely that the President’s security detail was travelling with a portable software-defined spoofer, in the hope of protecting Putin from drone attacks.

The strange specificity of the spoofing—the relocation of ships and vehicles to airports—has a cagey explanation. Most drones contain geofencing firmware, which prevents them from entering designated areas, including the world’s major airports. If a drone senses that it’s near an airport, either because it actually is or because spoofed G.P.S. coordinates make it believe that it is, it will either return to its starting point or simply down itself.

For one of the world’s most prominent politicians, spoofing may not seem like an unreasonable precaution. In August, 2018, a speech by the Venezuelan President, Nicolás Maduro, was interrupted when a pair of drones detonated above one of Caracas’s largest thoroughfares. A few days later, French secret-service agents destroyed a mysterious drone that flew too close to the summer home of the French President, Emmanuel Macron. But for those who’ve fallen prey to spoofing incidents—the befuddled captains at sea, the overcharged passengers in Moscow—it may be difficult to accept that they are merely collateral in attempts to shield a head of state. And the same technology that might seem like a strategic security system in some circumstances contains within it an ominous potential for subterfuge.

Humphreys served as a contributor and adviser for the C4ADS study, and he had a feeling the Black Sea spoofing was even more extensive than the report revealed. To test his hunch, he sought out data from the International Space Station, which collects G.P.S. signals in the upper atmosphere; as it orbited Earth, it would give Humphreys a direct line of sight to the Black Sea. He obtained data from three different orbits in 2018, which he sat down to study that winter, while on sabbatical in his wife’s home town, in the Canary Islands.

Unlike the noisy surface of the planet, which is dense with radio signals, the upper atmosphere is a quiet zone, where trespassing frequencies stand out; Humphreys could instantly detect the interference in the Black Sea data. Where were the phantom signals coming from? Humphreys knew that, as the space station passed overhead, the spoofed signal created a kind of Doppler effect. It was a simple clue, familiar to most urban dwellers: Imagine driving a car toward a crime scene that you can hear—sirens, megaphones—but not see. You’ll know when you’re getting close, because of the sudden increase in the pitch of these ambient noises. In much the same way, Humphreys could use the changes in the spoofer’s signal to begin to surmise where it was coming from. When he crunched the numbers, he came up with two possible locations: a forest in Romania and somewhere in Syria. He recalculated using data from another space-station recording and this time concluded that the signal was originating from either the German countryside or, again, somewhere in Syria. When Humphreys checked the exact locations, the two sets of Syrian coordinates were identical: the Khmeimim Airbase, a site on the coast associated with Russian military activity in the country. Further calculations narrowed the source of the interference to a transmitter in the base’s northwest quadrant.

The phantom signals Humphreys spotted were unlike anything he’d ever seen before, combining elements of both jamming and spoofing. Like jamming, these signals didn’t transmit actual coordinates. But they were more than just noise—like spoofing, they convinced receivers to recognize false G.P.S. signals. Humphreys calls this “smart jamming” and considers it a new front in the G.P.S.-signal wars. If an authentic signal is a light bulb thousands of miles away, the Syrian fake is a high-wattage spotlight filling your field of vision, blinding you to everything.

A commercial jetliner flying thirty thousand feet above a smart jammer would encounter a signal ten billion times more powerful than an ordinary, authentic G.P.S. signal. Even for an airplane just coming over the horizon, with the farthest line-of-sight path to the transmitter, the smart-jammer signal would be five hundred times more powerful than the real one.

What Humphreys discovered coming from Khmeimim is the most aggressive G.P.S. disruption device to date. “It’s the most potent example of jamming I’ve ever seen,” Humphreys said. “I call it my Jack Ryan moment.” In January, 2018, the airbase was attacked by a swarm of thirteen drones carrying explosives. Somehow, the attack was thwarted; Humphreys posits that a smart jammer repelled the attack with the assistance of anti-aircraft munitions.

G.P.S. interference will likely be a way for America’s foes to fight in conflicts that they could not win conventionally. The civilian uses of G.P.S. have long outnumbered the military applications, but G.P.S. is still part of just about every American weapons system. “This is us getting our first taste of what it’s like to go up against a serious adversary in electronic warfare,” Humphreys said. “I don’t think Russia has shown all its cards yet.”

In July of last year, the captain of a container ship registered in the U.S. noticed something strange with his navigation system as he entered the port of Shanghai. The ship’s G.P.S. placed the vessel several kilometres inland. When Humphreys and C4ADS heard of the incident, they doubted that it was an isolated event. “We looked at more data, and, by golly, we saw the same thing popping up in areas around China’s coastline,” Humphreys said. Three hundred other ships had been subject to spoofing in Shanghai on the same day, and thousands of others in the same year. What was unusual about the Shanghai spoofing was that the vessels, rather than being “transported” to the same fake location, were all reporting different coordinates. Further analysis by Bjorn Bergman, at the watchdog group SkyTruth, showed a similar pattern in twenty other locations in China.

Humphreys admits that he isn’t sure what explains this new approach to spoofing—or who is behind it. Some have hypothesized that petroleum smugglers and sand thieves may be using the technology to sneak into ports more or less invisibly. Bergman has suggested that the Chinese government is involved in the spoofing; Humphreys says the pattern is widespread enough that it is certainly aware of the activity. Whoever is responsible hasn’t been especially careful—and may not care about being found out. “It really seems like they sent in the junior-varsity team for this one,” Humphreys said.

But is there any incentive to work harder? The kind of software-defined spoofer Humphreys revealed at White Sands is now much easier to obtain; you don’t have to be a mastermind to pull off a spoofing attack. And the ease with which amateurs can cause major disruptions should make us worry about what the experts are capable of. Humphreys predicts that the next significant spoofing attacks will target G.P.S.-enabled clocks—and could come from state or non-state actors.

“We’re seeing a general consensus that G.P.S. is wonderful, but we’ve got to cut our habit,” Humphreys told me. The signature precision of the system seems to be giving way to blurry, unnerving chaos. But what might a viable alternative look like? Over all, G.P.S. remains a remarkably robust system. Its major vulnerability is the weakness of the signal itself. One fix would be to rebuild the system with a stronger signal by using satellites much closer to us. But this change would require many more satellites to provide global coverage: seven hundred, compared with the current baseline of twenty-four. “Government control of G.P.S. has been a real benefit to all of humanity, the fact that it rains down free from above, with no contract or subscription fees, but I don’t think the G.P.S. program has the funds to expand to low-Earth orbit,” Humphreys said.

We may be witnessing the first stage of the death of G.P.S. as we know it. For several years, G.P.S. was the world’s only complete global navigation satellite system. Its only real competition was Russia’s glonass, which ranked a distant second. Today, China has implemented the Beidou satellite system, and the European Union has been developing another, called Galileo. But these systems work on similar principles to G.P.S. and have the same vulnerabilities.

The answer could eventually be some kind of public-private partnership. Humphreys predicts that companies maintaining hundreds of low-Earth-orbit networks—such as Elon Musk’s SpaceX and Amazon’s Project Kuiper—will eventually become a key component of the G.P.S. ecosystem, picking up the slack in the event of malfunctions or attacks. The new system will be just like G.P.S. as we know it—with one major exception. “It’ll be a pay service, no question,” Humphreys said. “But maybe that’s a decent insurance policy.”

No comments: