Today we're going to be discussing GNSS vulnerabilities, also known as the GPS system, that we all come to rely on every single day. There are a few different classes of vulnerabilities. The most common one that you typically see in the news is GPS spoofing. That's essentially locating somebody in a location or a time other than where they actually are. Typically, the news articles and news headlines cover changing location, but changing time is actually a lot more common than the attacks that you typically see and can actually lead to a lot more issues in the real world. Then we obviously have GPS jamming. It's a much simpler attack and simply what it means is the denial of the ability to receive an accurate and consistent GPS signal. And of course they actually see cyber attacks against the infrastructure that actually broadcasts and retransmits the GNSS signal. And the rebroadcast of GNSS signal is something that we're going to touch upon in the next few slides.

So a quick breakdown. Typically when you talk about GPS, we just talk about the birds, the satellites, but the ground control tower is a very important element. Without the constant ground correction to the GPS satellites, the accuracy would start to degrade. The first week or so, you might not even notice the difference. Within two to three weeks, the accuracy could be down to a few hundred feet. Then it would drift to miles and eventually you would lose the ability to accurately calculate your GPS position. You've seen electronic attacks against the actual ground control systems. You've seen attempts at people actually trying to control the birds, which are typically controlled by the U.S. Air Force.

In the next two slides, you're going to see some data. We do run a worldwide monitoring network. The data that we're going to show you is highly sanitized. We did scrub the data from the most sensitive sensors. I actually pulled it out of my data set.
So if you happen to be one of our clients and a confidential facility, your data is not going to be in here.

So this is a rough breakdown of where sensors are. The grayed out areas either does not have sensors or doesn't have sensors. We're going to disclose the dark areas. We do have sensors and we do have attacks that we detected. The red areas are where we have the largest number of attacks. As you can see, one of the slides we're taking, we have 799 attacks that were detected within the time window within the United States. Moving over to South Korea, we saw 1200 active attacks happening in that region. That's primarily because of some of their neighbors. Not to point fingers, but North Korea and China.

So what is an attack? What does it look like? The most typical jamming attack is what we call the sawtooth signal. This is what a low-end jammer would generate. Either this or that. So you could actually see that this is a clock-controlled radio where this was just oscillator controlled. These are the low-end jammers, fairly unsophisticated.

Now this is actually one of my favorite ones. That's actually a duty cycle radio. What it does is it actually waits for the GPS broadcast from the satellite and it syncs its transmit with the same time as the broadcast. So it actually allows its own radio to cool down and perfectly jam the GPS signal. So it's actually using the GPS signal to sync its own clock to conduct the jamming attack, which is pretty funny because you have a GPS controlled GPS jammer.

So the source for some of our captures, so that's a GSS 200. The one that was actually hijacked by my company are the GSS 100s. And it's a GPS jamming detector. As I mentioned, we have a worldwide network of them. What it does is it has an antenna that measures the time of arrival of the signal, the angle of arrival, and the direction of arrival of the signal. They're placed in stationary locations to have a network coupling.
And what we do is by us knowing where the GPS satellites are located and the signal to be expected at any given time, we compare it with the signal we're actually receiving. So we're able to measure RF interference and we're able to detect spoofing events because we know where the signal should be coming from and what it should look like and we measure the differential between that.

Now, why is this important? Because when GPS signal gets hijacked, that kind of stuff happens. And that's a USQR 107, one of our most advanced spy drones at the time. That was hijacked by Iran. So the spy electronics and the board up there are very advanced. However, and it had a fairly effective, is that an issue? Thank you. It has a fairly dense navigation system. However, if the navigation, sorry, if the command control system was jammed, it would fall back to the GPS system. So what they run there is they jam the command control signal from our bunkers in Nevada and then they broadcast the fake GPS signal telling the drone that it was actually located over its base where it was launched from. And the drone went into auto land mode. The reason the bottom is covered up is because they actually got the elevation for the area wrong. And when the landing, they tore off the landing gear.

So getting back to jamming. We have the RF jamming, which is simple denial of the signal. That's the sawtooth signal that you saw. You have the L1 signal, L2. And as I mentioned, I love the air research that can touch upon mass casualty events. You have the L5, which is a safety of life. If a civilian aircraft was to go for a landing and is using GPS assist, L5 is the signal of a trust. It broadcasts at roughly three times the power of the L1, L2 signal. It has more reach. It is a more accurate signal. When you're talking about RF jamming, where this is simple radio jamming, it's also possible to do RF protocol jamming.
You could actually broadcast a signal that looks a lot like the GPS signal, but it actually sends characters of the wrong length, wrong type. You could broadcast a signal to make one of the signals appear to be less accurate. So for example, if a GPS broadcast is claiming to have 14 for the accuracy, you could actually broadcast a signal that would make the accuracy appear to be 50 feet, 200 feet. And obviously more data for the aircraft, you could actually give the aircraft more confidence in the signal. You could take a signal that claims to be 30 foot accurate or 10 meter accurate and actually tell it that it has a two centimeter resolution, which is not realistic, but you as a human are not the one that's interpreting the signal. Your onboard system is what's interpreting it. And obviously, you could place it to be somewhere else.

So a quick breakdown. That's what the GPS satellite network would look like at any given time. The green dots going down would be updates from the ground control stations, sending a ledger update to the birds in the sky. And the GPS works by trilateration, meaning your device gets at least three signals from at least three birds or any ground station assist. The more signal, the more data points you're receiving, the more accurately you're able to locate yourself on the ground.

This is what your ground reception unit would see. You have the signal strength from a number of birds. And you have your exact date and time, altitude, signal quality indicator and the indication of how accurately it can position yourself. So as you see, it's a 2D fix, meaning it's actually a vehicle GPS and an airborne unit.

This gets really fun because people will do anything their GPS tells them. People will drive down boat ramps. People will actually drive right off the docks. People will drive deep into the desert over unpaved roads because their GPS tells them in a nice soothing voice, make a left. Continue 20 miles.
Autonomous airborne platforms will do the same thing. By spoofing the signal you can actually locate them in a different grid.

There was an event last year where the military was conducting a GPS jamming test. There was a 500 mile radius. No go zone. It wasn't a no go zone. It was an area where civilian aircraft and civilian users were advised that GPS would be unavailable. The advisories and NOTAM advisories went out over three weeks in advance. Everyone knew that GPS jamming event was going to be in progress. A civilian airliner was still relying on the GPS for some reason the pilot wasn't paying attention. He ended up 20 miles off course and there was actually an FAA near collision warning that went out because he didn't have GPS signal. It was just not an accurate GPS signal.

You do see GPS spoofing happening with ships. The most common occurrence we've actually seen is off the coast of Africa where we do see a lot of pirate activity. We do see pirates conducting GPS jamming attacks, GPS spoofing attacks, and AIS ship hijacks. So ships have a system that's built with the radio. It's supposed to prevent collisions. Ship constantly broadcasts using protocol called APRS automatic position reporting system. The ship's name, direction, speed of travel, and pirates actually jam those broadcasts when they attack the ships. The nearby ships don't have an accurate fix on that ship. They have the last location before jamming occurred. They also hijack the AIS radios of the ships they captured and pretend to be a legitimate vessel so they can get close to the ship before they start their attack.

Now if you're a pirate, you could simply cause a vessel to run into a hazard and then you could steal the crew, steal the cargo. And if you're a malicious government, you can even steal U.S. sailors. Again, not a real unfortunate incident. The culprit was once again Iran. The U.S. crew claims the GPS put them safely in international waters. Iran claims that the U.S.
vessel was within Iran's territorial waters. There's a good chance that Iran was lying, as usual. However, there's a distinct possibility that there was GPS spoofing happening and that in fact both sides are claiming that they were where they were and actually do believe that.

I did quite a bit of research. If you saw my Black Hat presentation, you actually went as far as hunting down some of the sources of GPS jamming. So these are some of the stats that we gathered. This was for the United States, Northeast region, California area, as well as an area of England around London. One of my, one of the interesting areas is households. We've seen civilians with high-power GPS jammers. Some of those jammers are actually not just GPS jammers, but they're also cell phone jammers. They are wide-band radios. It's very common for them to actually have four radios built in on board. So they're typically jamming cell phone, GPS and Wi-Fi.

In the United States, we do have a number of laws. They make it a federal felony to conduct this kind of jamming. And they do carry consequences, including actually a fairly lengthy prison term and very high fines. I'm not going to bore you with reading through all of that, but you definitely shouldn't do it. If you do capture U.S. government attention, you're going to win a date with this gentleman. He is a federal agent. He does investigate this sort of stuff. I do get to work with him closely, unfortunately.

How easy are they to obtain? Well, very easy. It does ship to the United States and it costs less than a lot of company lunches. Now, this is a bad boy. This is the kind of stuff that UC military unit is deploying. These can actually be mounted as recon pods and helicopters, an aircraft that could be dropped in somewhere before an assault. There's a 320-watt unit from what I recall. Just one problem. That one is actually also a Chinese jammer that's for sale. A little bit more expensive, but still fairly affordable.
The price quote I got for it was, I believe, either $1,800 in bulk or $2,200 as a single unit sample.

This is a Car Hacking Village talk. So going back to cars. The GPS that you have in your vehicle shows you traveling down a road. It shows you a nice, neat little line. What it is is actually a sweet little line. There's a concept called GPS drift. If you have a proper GPS that actually maps you on the grid, you'll see that there's a lot of jitter. If you're getting an actual GPS signal, I mentioned accuracy. What you see is a line moving back and forth and actually drawing almost a circle. That circle is the accuracy of your current GPS position. Which means if you have a GPS that is plotting you accurately, even though you're traveling in one direction, you're going to see some jitter. For example, in that case, we had 270-meter accuracy, but if you're traveling in open ocean, that's perfectly acceptable. As long as you know that the yoke of the yacht was not moving.

Any questions?

Do you have recommendations on the best defense when not blindly trusting the system, not blindly trusting the GPS, and actually thinking about where your GPS is showing you. If you know that you're supposed to be driving 287, getting onto northbound ramp, your GPS telling you to get on the southbound ramp, don't blindly trust your GPS.

There's a few things that the government can actually do to track down the sources of jamming. So there is, as I mentioned, there are several worldwide networks that do detect GPS jamming, but not a lot happens to actually track down the offenders. And it is fairly trivial to do.

Yes, so we actually have seen attacks against the satellite network and against the ground stations before actually trying to attack the connected infrastructure that controls the satellite network. We do see some fairly advanced attacks against the car head units where people are actually creating malicious GPS file updates for vehicles.
We've seen a number of attacks against Subarus about two months ago where there were buffer overflows in the head units. People could load it up through USB drive. We see a number of attacks against some of their competitors as well.

Great question. So by actually having more than one GPS receiver and synchronizing the antennas or using hacker, sorry, not hacker, I'll play that off with an array. If you place it at a known location, at a known angle, you can actually monitor the GPS signals in an area. And as I mentioned, there's the GPS drift. Once the drift either changes significantly or you start getting a perfect signal, that could be a pretty good indicator of an attack. Also on the ground level, if you're working with software defined radio, GPS looks like background noise. You actually need to use the time signal to go back and pick GPS out of the line noise. Once you start getting a GPS signal that actually comes out outside the range of ambient noise, that's a pretty good indicator of actually a malicious transmitter being nearby.

Yes. Can you say anything about that? I have not done any research about that, primarily because I'm in the United States and I care about the US GPS network. But we are looking at Neptune systems, et cetera. Primarily I'm going to be looking at attacks against the Russian systems, primarily because, well, they're an enemy.

So there's a number of solutions for that, doing solutions. So there are bladeRF setups that I've seen that are pretty good at it. You do need a fairly beefy computer to be able to do that. A simple Raspberry Pi is not really going to be enough. But with a small NUC, you can make remote nodes that are sufficiently powerful. The organization I work for actually creates GPS simulators that you could use in your lab for legitimate testing. They crank out roughly double the power of what you would typically see of a GPS cell in the bottom.
If somebody were to get their hands on one and a decent RF amp and the correct antenna, you could definitely create your own little macro environment, hypothetically.

Yes, back. That was one week. And that was taken two weeks before my Black Hat slides were due.

Yes. So we have GPS simulators and GPS emulators. Even so, our simulators, what we could do is, typically, if you'll drive around an area and you'll record the GPS data. And what we could do is we could sync it up with a real-time clock and play it back with the current timestamp. I don't know if you could do it with Galileo, but you could definitely do a playback, just as a raw RF.

So I'm familiar with the news articles. Our network needs a stationary position. We don't have anything on board the ships. However, some governments, well, many governments have the hardware to do GPS spoofing and GPS jamming, and there are legitimate reasons for doing it. So I have no data at all about that event. So I have exactly the same news articles that you do.

Yes. That's an excellent question. Yes, I did forget to touch those points. You've seen attacks against data centers. Data centers that process financial transactions. Data centers that are known to deal with Bitcoin and crypto ledger. They typically have GPS antennas on the roof and they're using it for log consistency. And you see people conducting jamming and spoofing attacks to try and affect financial transactions of stocks, bonds, and as I mentioned, ledger transactions. People actually set up hardware or bring vehicles onto the parking lots of those data centers.

Any more questions? Yes. There are multiple locations, but primary one is at Cheyenne Mountain. We're the home of U.S. Space Command. So if everything is working correctly, typically that actual space command is based there. And we have a number of stations that are very broadcast signal. And some of the attacks we've seen are obviously more isolated areas where the response times would be slower.
What people do is they park their hardware. So the satellites know where the updates should be coming from and where the ground base stations are. They park their hardware near the legitimate uplink point and they try to match the uplink path of the legitimate station. And they try to broadcast a stronger signal where they try and play timing games where they'll point their zoom and try to track the satellite first before the ground station.

So there's been talk about, in the non-crypto bus, a signed GPS signal, something similar to M-code like what the military is doing. There was supposed to be a rollout in 2014 and 2016. Now it's 2018. I think before we have more UAVs in civilian space, we need to do something about our trust in the GPS signal. We do need a more reliable GPS signal that we can trust because we are going to see drones in civilian space. We are going to see drone deliveries.

Yes, question back. So using a number of networks actually would help. And the systems you're describing up, do you believe they have a ground element just like the LORAN system did? The ground element gives you a hard point that you can actually control. It gives you a much more RF output than the bird that's hundreds of miles up in the sky. So I actually do like that idea. Some of the specs did call for ground stations like LORAN but I'm not sure what they're actually going to implement.

I do believe I owe the room to the next speaker. If you want to catch me outside with any more questions, and we're going to be in a car hacking village via the table.