The University of Texas at Austin reports that a radio navigation research team from UT Austin’s Department of Aerospace Engineering and Engineering Mechanics at the Cockrell School of Engineering this past June set out to discover whether they could subtly coerce a 213-foot luxury yacht off its course, using a custom-made GPS device.
Led by UT Austin assistant professor Todd Humphreys, the team demonstrated that they were able to successfully spoof an $80 million private yacht using the world’s first openly acknowledged GPS spoofing device. Spoofing in this context is s a technique by which a person or program successfully masquerades as another by falsifying data, such as the UT Austin researchers creating false civil GPS signals to gain control of a vessel’s GPS receivers. A UT Austin release explains that the purpose of this experiment was to measure the difficulty of carrying out a spoofing attack at sea and to determine how easily sensors in the ship’s command room could identify the threat.
In a 2010 Naked Scientists interview, Dr. Humphreys observed that the GPS signals civilians have access to are not secure signals, which means they don’t have any encryption or authentication. “So there’s no way for you or me to know for sure where they originate. They might be coming from the satellites, that’s the most likely scenario, but they could also nowadays be coming from someone who is generating counterfeit signals.”
The UT Austin researchers hope their demonstration will shed light on the perils of navigation attacks, serving as evidence that spoofing is a serious threat to marine vessels and other forms of transportation. Last year, Dr. Humphreys and a group of students led the first public capture of a GPS-guided unmanned aerial vehicle (UAV), or drone, using a GPS device created by Humphreys and his students.
“With 90 percent of the world’s freight moving across the seas and a great deal of the world’s human transportation going across the skies, we have to gain a better understanding of the broader implications of GPS spoofing,” Dr. Humphreys says in the UT release. “I didn’t know, until we performed this experiment, just how possible it is to spoof a marine vessel and how difficult it is to detect this attack.”
In June, the team was invited aboard the yacht, called the White Rose of Drachs, while it traveled from Monaco to Rhodes, Greece, on the Mediterranean Sea. The experiment took place about 30 miles off the coast of Italy as the yacht sailed in international waters.
The report explains how from the White Rose’s upper deck, graduate students Jahshan Bhatti and Ken Pesyna broadcast a faint ensemble of civil GPS signals from their spoofing device — a blue box about the size of a briefcase — toward the ship’s two GPS antennas. The team’s counterfeit signals slowly overpowered the authentic GPS signals until they ultimately obtained control of the ship’s navigation system.
Unlike GPS signal blocking or jamming, spoofing triggers no alarms on the ship’s navigation equipment. To the ship’s GPS devices, the team’s false signals were indistinguishable from authentic signals, allowing the spoofing attack to proceed covertly.
Once they gained control of the ship’s navigation system, the team’s strategy was to coerce the ship onto a new course using subtle maneuvers that positioned the yacht a few degrees off its original course. Once a location discrepancy was reported by the ship’s navigation system, the crew initiated a course correction. However, in reality, each course correction was setting the ship slightly off its course line. Inside the yacht’s command room, an electronic chart showed its progress along a fixed line, but in its wake there was a pronounced curve showing that the ship had turned.
“The ship actually turned and we could all feel it, but the chart display and the crew saw only a straight line,” Dr. Humphreys said.
After several such maneuvers, the yacht had been tricked onto a parallel track hundreds of meters from its intended one — the team had demonstrated that they had successfully spoofed the ship, their experiment helping illustrate the wide gap between the capabilities of spoofing devices and what the transportation industry’s technology can detect, Dr. Humphreys observes.
You can watch a YouTube animation of the spoofing attack, titled “Spoofing on the High Seas,” here:
A flickr gallery of photos can be found here:
Dr. Chandra Bhat, director of the Center for Transportation Research at The University of Texas at Austin, believes that the experiment highlights the vulnerability of the transportation sector to such attacks.
Dr. Bhat, an internationally recognized expert in the area of travel demand modeling and travel behavior analysis, and whose research interests include land-use and travel demand modeling, activity-based travel modeling, policy evaluation of the effect of transportation control and congestion pricing measures on traffic congestion and mobile-source emissions, marketing research of competitive positioning strategies for transportation services, use of non-motorized modes of travel, and physical health and transportation, observes that “The surprising ease with which Todd and his team were able to control a (multimillion) dollar yacht is evidence that we must invest much more in securing our transportation systems against potential spoofing.”
It’s important for the public and policymakers to understand that spoofing poses a threat that has far-reaching implications for transportation, Dr. Humphreys says, noting “This experiment is applicable to other semi-autonomous vehicles, such as aircraft, which are now operated, in part, by autopilot systems,” we’ve got to put on our thinking caps and see what we can do to solve this threat quickly.”
Quoted in a January, 2012 The Register article by Lewis Page, who was a bridge watch-keeping officer in the Royal Navy from 1993 to 2001, Dr. Humphreys noted that “So far no credible high profile attack has been recorded but we are seeing evidence of basic spoofing, likely carried out by rogue individuals or small groups.” Lewis notes that Dr. Humphreys “owns the world’s most powerful civil GPS spoofer… that I know about,” and that nav-and-timing scare experts are raising “the fearful possibility that crooks or other miscreants might move on from mere GPS jamming to actual spoofing — in other words the satellite signals would not merely be blotted out but replaced by stronger ones designed to generate false position or time readings,” and the UT Austin researchers have now demonstrated that it can be done. “Whilst the leap to more advanced, untraceable spoofing is large, so are the rewards,” Dr. Humphreys told Lewis. “It’s therefore guaranteed that criminals are looking at this. All it takes is one person to put one together and publish it online and we have a major problem.”
Mr. Lewis notes that “spoofing is actually ridiculously easy: you just buy a simulator of the sort used to test location/timing systems, which can record a load of GPS output data as desired (alternatively an artificial record can fairly easily be generated in a PC, a simple standardized format is used) and then rebroadcast appropriate radio signals, convincing any nearby GPS receiver that it is where and when the simulator record says. This might be used to convince a tracking device in an armoured security van that it was still en route during a robbery, or – as Humphreys points out, rehashing another oft-touted threat – to falsify a time stamp on a financial transaction, allowing nefarious and lucrative misdeeds in the markets.”
It’s important for the public and policymakers to understand that spoofing poses a threat that has far-reaching implications for transportation, Humphreys says in the UT Austin release. “This experiment is applicable to other semi-autonomous vehicles, such as aircraft, which are now operated, in part, by autopilot systems. “We’ve got to put on our thinking caps and see what we can do to solve this threat quickly.”
As part of an ongoing research project, funding and travel expenses for this experiment was supported by UT Austin’s Wireless Networking and Communications Group through the WNCG’s Industrial Affiliates program.