to Wicked War Driving with GPS and GLONASS. I'm White Shadow, and I'm going to be describing to you GPS, how it works, the data that you receive from GPS satellites, other satellite constellations that provide similar location data, and some dongles you can use to receive all of that information and use it in your war-driving efforts.

So who am I? I'm a prior staff sergeant from the US Air Force. I was in Space Command, which is now called the Space Force. Since getting out of the military I've become a wireless security researcher, and some of my public works are SniffAir back in 2017, as well as last year I presented at the DEF CON Wireless Village with Solstice on some attacks on WPA3 and OWE. In the picture on the right there, you can see that's me and Solstice on stage last year. That's my Twitter profile picture there.

So, war driving. Why do people do war driving? Before becoming a pentester I had this vague understanding of war driving: that you could drive around, sniff wireless networks and then kind of plot them out. But why would anyone actually do that? Well, once I became a pentester I realized that there is a valuable need for this skill set. Many times clients could set up new wireless infrastructure in their building and want to measure the signal bleed outside of their building, so performing a war drive for a client may be useful. Or maybe they're just curious if their neighboring businesses are able to receive their Wi-Fi signal, so they may want a wireless pentester to go out and do a war drive to measure how far the signal goes out and where exactly it can be picked up from. It could also just be done as a hobby. WiGLE.net is a great resource for this. You can see in the bottom right-hand corner the picture of WiGLE there; it's an open-source database that hobbyists can war drive and upload their results to. Anyone can upload to it and anyone can query it.
So you can look up any of the data that has been uploaded there by hobbyist war drivers who drive around mapping Wi-Fi networks to GPS coordinates. And as I got into war driving professionally, I realized that the research on GPS dongles was extremely lacking. When it came to choosing a GPS dongle to perform war driving, there's basically only one that everyone has used, and whenever you ask somebody why they chose that dongle, the answer is usually "because somebody told me to use it." There really isn't much on it. If you Google it, it's really hard to find any information on it.

So, taking my experience from Air Force Space Command, I knew that GPS is an American-owned and -operated satellite. Specifically, Air Force Space Command handles the operations of GPS. A little history on that: satellite navigation goes back to the 1960s, when the Navy had their own satellite. Other branches of the military had their own navigational satellites as well; the Air Force and the Army did. In 1968 the DoD made everyone collaborate together and act as one big happy family, so the Army satellites were decommissioned and the Air Force and Navy satellites combined into one constellation that was used for navigation up until 1978, when Navstar 1 was launched. So that is the first GPS satellite, as we know it today, that was launched. Since then 72 have been launched, with 24 currently in orbit, so they need 24 satellites to maintain worldwide coverage. Now, there are additional satellites on orbit. You can see there's 33 up there in orbit, give or take. These are referred to as on-orbit spares. These are typically older satellites that get pushed out as newer ones are launched to take their place, and these typically don't have the best capabilities, so they're typically not in use.

GPS is in a MEO orbit, or medium Earth orbit. This means that it goes around Earth twice a day, so one full orbit every 12 hours.
Now, there are other orbits out there that people should be familiar with, such as LEO, low Earth orbit. These are things like the space station, which goes around the Earth every 90 minutes, so a LEO orbit is about 90 minutes, whereas a MEO orbit here is about 12 hours. There's other orbits out there, such as HEO, a highly elliptical orbit. This is when satellites have some kind of wonky orbit, typically to hang out over a certain position of Earth for a certain amount of time and then go around the Earth again. Then there's also GEO, geostationary or geosynchronous satellites, as well, and those satellites are out so far from Earth that they're actually in sync with the Earth rotating, so they revolve around the Earth at the same rate that Earth rotates. This creates this illusion that these satellites are over a static point of Earth. A common example that everyone would know of this is satellite TV. Whenever the technician came over to set up your satellite TV at home, he set up a satellite dish, pointed it at a single point in the sky, screwed it in place and then never touched it again, because he pointed it at a satellite that is in a static point in the sky.

Now, GPS uses trilateration to determine the location of an individual. So what is trilateration? It's hard to explain in the three-dimensional plane, so I'm going to do my best to describe it in the two-dimensional plane. Let's say you're somewhere in the US and you turn on a GPS receiver. Well, the first satellite sees you, and it's going to say you're within its spot, being here in this red circle. So according to that satellite, with just that information, your location is anywhere within this red circle. That's not very valuable; that's not very accurate. Now your receiver picks up a second satellite. According to this satellite, you are anywhere within this blue circle. Again, individually that doesn't make a lot of sense, because you could be anywhere, but you see where the circles overlap.
You can start to see how this is whittling down to where we might be. Now let's say a third satellite sees where you are, and you're anywhere within the green circle. We can kind of see that these circles have overlapped at a common point, and when you zoom in on that, you can see that is how a latitude and longitude is calculated from GPS satellites: using trilateration to find you on Earth. Now you can use your imagination here to see that if I were to continue to draw circles on this map, the area where they overlap would get smaller and thus more precise. So we know GPS needs three satellites for trilateration, and there's four satellites visible at all times. Most satellite receivers typically won't provide information until they get that fourth lock from a fourth satellite. Instead of just latitude and longitude, once you get the fourth satellite you can also calculate altitude and additional things from there. The bottom line is the more satellites you have, the more accurate the information is going to be.

But what is that information? What is the data that comes down from these GPS satellites? Well, I have an example of it here, and these are called NMEA messages. I know that's a funny word, and I'm going to skip over what it is right now, but I just want you to look at these messages. What I want you to pay attention to are the last three letters of these messages: GGA, GLL, GSA, GSV, RMC. These refer to the type of message that this is. The first two letters of each message indicate which satellite it came from. So GP indicates that this message came from a GPS satellite. So you can see the different messages that we have here, and then at the bottom of the screen you can see those are legitimate NMEA strings coming down from satellites in space, and so that's what they look like. That's what the data looks like coming down from space.
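The circle-overlap picture above, worked numerically in two dimensions. This is an added example, not code from the talk: each "satellite" is a point plus the range it measured, and because every extra circle adds one more equation, the same solver takes three, four or more satellites. The satellite positions and the receiver at (3, 4) are constructed values.

```python
"""Two-dimensional trilateration: find the point where the range circles from
several anchors (the 'satellites' in the talk's slides) intersect."""
import math


def trilaterate_2d(anchors, ranges):
    """Return (x, y) from n >= 3 anchor positions and their measured ranges.

    Every circle is (x - xi)^2 + (y - yi)^2 = ri^2. Subtracting the first
    circle's equation from each of the others cancels the x^2 and y^2 terms,
    leaving one linear equation per additional anchor:
        2(xi - x1) x + 2(yi - y1) y = (xi^2 - x1^2) + (yi^2 - y1^2) - (ri^2 - r1^2)
    Three anchors give two equations in two unknowns. More anchors give an
    overdetermined system, solved here by least squares (normal equations), so
    every extra circle narrows the answer instead of being ignored.
    """
    if len(anchors) < 3 or len(anchors) != len(ranges):
        raise ValueError("need at least three anchors, one range each")
    (x1, y1), r1 = anchors[0], ranges[0]
    rows = []
    for (xi, yi), ri in zip(anchors[1:], ranges[1:]):
        a = 2.0 * (xi - x1)
        b = 2.0 * (yi - y1)
        c = (xi * xi - x1 * x1) + (yi * yi - y1 * y1) - (ri * ri - r1 * r1)
        rows.append((a, b, c))
    # Normal equations for the 2x2 case: [saa sab; sab sbb] [x; y] = [sac; sbc]
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-12:
        # All anchors on one line: the circles meet in two mirror-image points,
        # so there is no unique fix (the 2-D version of poor satellite geometry).
        raise ValueError("anchors are collinear; no unique fix")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def ranges_from(anchors, point):
    """Constructed 'measurements': the true distance from each anchor to point."""
    px, py = point
    return [math.hypot(ax - px, ay - py) for ax, ay in anchors]


if __name__ == "__main__":
    receiver = (3.0, 4.0)
    sats3 = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
    print("3 satellites:", trilaterate_2d(sats3, ranges_from(sats3, receiver)))
    sats4 = sats3 + [(10.0, 10.0)]
    print("4 satellites:", trilaterate_2d(sats4, ranges_from(sats4, receiver)))
```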
So, being in Air Force Space Command, I was aware of US GPS, but then I was also aware that other countries did not want to use US GPS, just in case we went to war with them or something like that. They may want to jam GPS, so they created their own satellite constellations that do the exact same thing. So this is where Russian GLONASS comes in. Just like US GPS, Russia has their own satellite constellation that does the exact same job. It was originally launched in 1982; since then 27 satellites have been launched, 21 of them are in use, with 24 total in orbit. So they have about three on-orbit spares, and they accomplish the same task as GPS, which uses 24 satellites in orbit, with only 21 satellites by using a slightly faster orbital period. Remember when I was talking about a medium Earth orbit, MEO, where GPS satellites go around the Earth every 12 hours? Well, GLONASS goes around in a little over 11 hours.

So after thinking about Russian GLONASS, I started thinking about why you wouldn't want to receive data from both. Thinking about GPS: at any given time, if you're in an empty field on a perfect day with perfect weather, you could receive 12 GPS satellites. With GLONASS it's about 6 to 10, given where you are on Earth and given the weather conditions and everything. So why wouldn't you want to receive both? While GPS does have worldwide coverage, its coverage around the poles, in northern Europe and northern Russia, is not that great, so GLONASS actually makes up for that. So again, it's making up for the areas where GPS is lacking, so why wouldn't you want to receive both? They both have worldwide coverage. This is a common misconception: people think that GLONASS receivers are only accurate in Russia, that you can only use a GLONASS receiver in Russia.
Well, just as the US military uses GPS to guide ships, planes and bombs, and we want those ships, planes and bombs to have accurate navigation data whether they're in the US or whether they're in Russia or anywhere in the world, the same thing applies to GLONASS. Russia also has ships, planes and bombs that are navigated by GLONASS, and they want those to have accurate navigational data regardless of where they are in the world. So both of these satellite constellations do work worldwide, and as I started looking into it, I realized a lot of smartphones have actually started implementing this. I believe the iPhone 7 or the iPhone 8 actually implemented a GPS and GLONASS receiver.

So I was sitting there continuing to think about constellations, and then I realized that Galileo is another one, made by the European Space Agency. It was first launched in 2011; since then 24 satellites have been launched, and mainly all their satellites are going through the process of being commissioned to be brought online. You see there's 14 satellites in use, but a lot of them are being tested and are being brought online to actually work with the constellation. And again, these are MEO satellites as well. And so when you look at all of these satellites and compare them in the pictures here (and if anyone's curious, all these pictures are from Kerbal Space Program), you compare GPS on the left, 24 satellites for worldwide coverage, versus the satellites on the right, and you see how many there are there. The circles on the map of trilateration that you can draw increase enormously.

So then I was wondering, well, how many satellite constellations are there? Well, there's several GNSS constellations. Europe has Galileo, Japan has QZSS, Russia has GLONASS, India has IRNSS, the US has GPS and China has BeiDou, and they are all classified under this umbrella term of GNSS, global navigation satellite system. Now, that's confusing, because that's also what GLONASS stands for.
However, whenever you see GNSS, it's referring to all of the satellite constellations. And it's interesting, because regardless of where the satellite constellation originates from, they all speak the same language, and that language is NMEA. That's that word that I said earlier that I said I would skip over, and it stands for National Marine Electronics Association. So this is the standard that defines how data is transmitted in a sentence form from one talker to multiple listeners: from one satellite to multiple receivers on the planet at once. And you can see in this screenshot these are NMEA strings, or sentences, sent from multiple satellites, because you can see the last three letters of each message: GSV, GSV, GSV. But the first two indicate which satellite they came from. So GPGSV came from a GPS satellite. GLGSV came from a Russian GLONASS satellite. We have two more of these GL messages, then we have a GAGSV message, which came from a European Galileo satellite. Then there's this GNRMC. That's another GNSS satellite. There's satellites that I didn't even mention in the previous slide that sit out in a geosynchronous orbit and provide error-correction information. And so we can receive all of these things because they speak a common language.

So now that we know that GPS is not the only satellite that does location services, we know that they all speak a common language. Well, there's got to be dongles out there that could receive all this information, right? So that is what sent me on this quest to buy a bunch of dongles, analyze what they could do, see if I could reconfigure them in ways to receive additional satellite constellations, and then perform some tests with them. So aside from just going to Amazon and buying every GPS and GNSS dongle I could find, these are the software tools that I used.
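The talker-ID and sentence-type reading described above, as an added example that is not code from the talk: it validates each sentence's checksum (the XOR of every byte between `$` and `*`), splits off the two-letter talker and three-letter type, and groups the satellites listed in GSV sentences by constellation. The sample capture is constructed; the satellite-number ranges are an assumption based on the NMEA/gpsd convention, chosen to match the numbers the gpsmon and Kismet screenshots later in the talk show (1-32 GPS, 65-88 GLONASS, 131/135/138 SBAS, 309/312 Galileo).

```python
"""Read NMEA sentences the way the talk does: talker ID, sentence type,
checksum, and which constellation each satellite in a GSV sentence belongs to."""
import re
from collections import defaultdict

# Talker IDs (the two letters after '$'). GP/GL/GA/GN are named in the talk;
# GB and GQ are the standard NMEA talkers for BeiDou and QZSS (an assumption here).
TALKERS = {"GP": "GPS", "GL": "GLONASS", "GA": "Galileo", "GN": "GNSS (combined)",
           "GB": "BeiDou", "GQ": "QZSS"}

# Satellite-number ranges as gpsmon/Kismet display them (assumed NMEA/gpsd
# convention; consistent with the values seen in the talk's screenshots).
PRN_RANGES = (((1, 32), "GPS"), ((65, 96), "GLONASS"),
              ((120, 158), "SBAS"), ((301, 336), "Galileo"))

SENTENCE_RE = re.compile(r"^\$([A-Z]{2})([A-Z]{3}),(.*)\*([0-9A-Fa-f]{2})$")


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def build_sentence(body: str) -> str:
    """Wrap a payload as '$...*hh'; used only to construct the sample capture."""
    return f"${body}*{nmea_checksum(body)}"


def parse_sentence(line: str):
    """Split one line into talker, constellation, type and fields.
    Returns None when the framing is wrong or the checksum does not match, so a
    corrupted serial read never feeds bad satellite data to the caller."""
    m = SENTENCE_RE.match(line.strip())
    if not m:
        return None
    talker, stype, payload, given = m.groups()
    if nmea_checksum(f"{talker}{stype},{payload}") != given.upper():
        return None
    return {"talker": talker, "constellation": TALKERS.get(talker, "unknown"),
            "type": stype, "fields": payload.split(",")}


def constellation_for_prn(prn: int) -> str:
    """Classify a satellite number by range (needed for GN sentences, whose
    talker ID does not say which system a satellite belongs to)."""
    for (lo, hi), name in PRN_RANGES:
        if lo <= prn <= hi:
            return name
    return "unknown"


def gsv_satellites(parsed) -> list:
    """Satellite IDs in a GSV sentence: fields are (total msgs, msg no, sats in
    view) then (id, elevation, azimuth, SNR) groups; SNR is empty when the
    satellite is tracked but not delivering a usable signal, as in gpsmon."""
    fields = parsed["fields"]
    return [int(fields[i]) for i in range(3, len(fields) - 3, 4) if fields[i]]


def satellites_in_view(lines):
    """Walk a capture, drop sentences that fail the checksum, and group GSV
    satellite IDs by constellation. Returns ({constellation: [ids]}, rejected)."""
    seen = defaultdict(set)
    rejected = 0
    for line in lines:
        p = parse_sentence(line)
        if p is None:
            rejected += 1
            continue
        if p["type"] != "GSV":
            continue
        for prn in gsv_satellites(p):
            name = constellation_for_prn(prn) if p["talker"] == "GN" else p["constellation"]
            seen[name].add(prn)
    return {k: sorted(v) for k, v in seen.items()}, rejected


# Constructed sample capture: one GSV per constellation, a GN sentence carrying
# two SBAS satellites, a well-known GGA fix sentence, and a copy of that GGA
# sentence with its checksum corrupted.
SAMPLE = [
    build_sentence("GPGSV,1,1,04,01,45,120,38,07,30,210,33,08,60,050,41,11,15,300,"),
    build_sentence("GLGSV,1,1,03,65,40,100,35,70,25,200,30,88,10,330,"),
    build_sentence("GAGSV,1,1,02,09,50,140,36,12,35,250,34"),
    build_sentence("GNGSV,1,1,02,138,35,180,40,131,20,160,37"),
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*48",
]

if __name__ == "__main__":
    by_const, bad = satellites_in_view(SAMPLE)
    for name, prns in by_const.items():
        print(f"{name:10s} {prns}")
    print(f"{bad} sentence(s) rejected for bad checksum")
```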
So gpsd: this is what takes the information from your dongle and starts a server that you can connect to with tools like gpsmon, to troubleshoot or just view the information, or Kismet. And Kismet will actually correlate that GPS data with the Wi-Fi information it sees so that you can war drive. Now, the commands that I've laid out here: gpsd -D 2, that's the debug level. So you can increase that number or decrease it, and that'll change the verbosity of the output. The lowercase -n is to not wait for GPS lock before querying for messages. So that's important, because you want to see those NMEA strings as they're coming down from the dongle without having to wait for it to receive full lock. Then the uppercase -N there tells gpsd not to run as a background process and to leave it in the foreground. Then I'm specifying my serial device. Then I'm using -S 2948 to specify a different port to host the gpsd service on. I did this because Kali has a service that it starts on 2947, which is the default for gpsd. So instead of just disabling that, I just got in the habit of starting this on my own port.

I'm also using gpsmon to troubleshoot or just to analyze the information coming down from gpsd. And you can do that with gpsmon -n, which tells gpsmon to look for NMEA strings, and then you specify localhost and the port that I used in starting gpsd. I also use the u-center software from u-blox, which only works on Windows, but it's extremely useful in configuring GPS dongles and GNSS dongles, and I'll get into that a little bit later. And then I also used Kismet in this. And it's important to note that you have to go into the Kismet config file and uncomment the line where it says that you want to use gpsd.

So first up was the BU-353S4. This is the dongle that everyone uses. This is the one that everyone recommends that everyone use. And it's GPS only. So on the right side of the screen here, we have output from gpsmon.
And I've highlighted some fields here. So on the left, we see PRN. And this number is the designator for each satellite in the constellation. So when it comes to US GPS, you're only going to see numbers between 1 and 32 in this PRN field. Now, at the very bottom of that PRN field, you see a number that says 138. That is actually one of the geosynchronous satellites that sits out and provides error correction. Next to the PRN field I've highlighted SNR; that's the signal-to-noise ratio. So that shows you the signal that you're getting from a specific GPS satellite. And then on the far right of that picture, I've highlighted the number of satellites. And it says the number of satellites is seven. You can see in the signal-to-noise ratio block that only seven of these satellites there are providing a signal. So that's most likely why gpsmon is only showing seven satellites. So that's cool.

Now, in this example, I'm using the older version of Kismet. Sorry if Dragorn is watching, but actually this is a feature request: if I could get this back into the newer version of Kismet, because space nerds like to see GPS information like this. You can see on the top right I'm pulling down the NMEA strings straight from the serial device by just using the cat command and then specifying the serial device. And you can see the NMEA strings coming down from space. But on the left side, after starting up Kismet and everything, it can see the satellites. However, it says I don't have a signal; I don't have a strong enough signal on enough satellites to determine my location. And that's stressful. That's infuriating. When you're trying to perform a war drive, maybe there's bad weather outside or something and you just want to get it done. This isn't going to help anyone, just sitting around waiting for lock.
So this was what inspired me to look for additional dongles, because I've been in this situation many times on a wireless pentest when I'm waiting on this GPS dongle to lock up so that I can start my war drive or war walk and hurry up and get out of there. But you could see that if we just had more satellites in space to lock onto, other than the 32 in the entire GPS constellation, maybe that would make it easier to obtain lock. So when I started talking to people about this, this was one of the first dongles that was recommended to me. Now, it's important to note it says GPS slash GLONASS. That slash means "or" and not "both". So you can only configure this dongle to work with GLONASS or GPS, and not both. And you can use the u-center software to configure this. And I've highlighted one of the configuration screens from that on the right here. You can see it has all these satellite constellations that you could actually select. And some of them are grayed out; in this example Galileo, BeiDou and IMES are grayed out. But GPS, SBAS and QZSS are selectable. And whenever you select a configuration here, at the bottom of this configuration menu there is a Send button that you must push to push the configuration to the dongle. And again, in this testing, I found out very quickly that I could only configure this dongle for GPS or GLONASS. So I ended all my testing with that, because I was looking for dongles that could do both.

Now, I wanted to talk about the u-center software, because it can be a pain to use, a pain to learn. And there's not a lot of resources out there on how to use it. Like I mentioned before, it's a Windows-only piece of software that you can download for free from their website. Once you install it and everything, you launch it, and then from the Receiver drop-down menu go into Connection, and then you'll see the COM devices there for you to select your USB dongle.
Once you've selected that, you can then go to the View drop-down, go to Configuration View, select GNSS config, and then you can actually select which satellite constellations you want to receive from. And I mentioned it before, but after you select which constellations you want to receive from, you go down to the bottom and click Send. And then that will push the configuration to the dongle. However, you have to save that configuration after you have sent it. So from the Receiver drop-down menu, go to Action and Save Config. And that will store that configuration in the memory on the dongle. So when you unplug it and then plug it into another computer, that configuration is saved there. Specifically, if you want to only receive GLONASS satellites. So I configured a dongle here to only receive data from GLONASS satellites. In the bottom left-hand corner, you can see that GLONASS is the only constellation that is enabled. In the top left, you can see all the NMEA strings that are coming from GLONASS satellites, indicated by the GL in front of every message. And then on the right side, I just have a pretty picture showing the Russian flag next to every satellite that I'm receiving a signal from.

Now, once I save that configuration from the u-center software, I unplug that dongle from my Windows machine and then plug it into my Linux computer and use gpsd and gpsmon to receive information. You can see here in gpsmon the PRN numbers are now between 65 and 88. That is because those are Russian GLONASS satellites that I'm receiving a signal from. And again, on the right side, I've highlighted that there's seven satellites I'm receiving a signal from. And you can see from the signal-to-noise ratio there that two satellites aren't reporting a signal.

So this is one of the first dongles that I found that could do both. It was advertised as a GNSS receiver. It said it could receive all the things.
And I wanted to test it out, and just buying it and plugging it into Kali Linux, it worked right out of the box. I was able to hook it up with Kismet after starting up gpsd, and then you can see from the output on the left side of the screen there, from the GPS info in Kismet, all the satellites that I'm receiving data from. So 1 through 32 would be US GPS satellites, 65 through 88 are Russian GLONASS satellites, and then 131, 135 and 138 are the geosynchronous satellites that provide error-correction data. So that's cool, but I want to receive more.

And so I found this dongle that receives all of the things: GPS, GLONASS, Galileo, BeiDou, QZSS. And you can see that in the u-center software. You can see the first six satellites are US GPS, then the next six or seven satellites are Russian GLONASS satellites. Then there is another geosynchronous satellite that provides error correction. And then the final two satellites in that picture are European Galileo satellites. This is the same screenshot, but on the left side you can see the NMEA data coming down from them. You can see that the very top, GLGSA, came from a Russian GLONASS satellite. GAGSA came from a European Galileo satellite. GPGSV came from a US GPS satellite. So we are receiving information from all three constellations with a single dongle.

What does that look like in gpsmon? gpsmon couldn't even handle all the satellites that it was picking up. So this screen only goes to 11, and you can see on the right side that I picked up at least 15. And then I also showed the sentences block of gpsmon. And in this block, you can see those messages that I was just referencing. GNGGA came from a GNSS satellite. GPGSA came from a GPS satellite. GLGSA came from a Russian GLONASS satellite. So this is a quick way to see what messages you're receiving and which satellites you're receiving from. So if you were to plug this into Kismet, what would that look like?
Again, you can see I have lock on 23 satellites. And again, 1 through 32 is US GPS, from there up to 83 is Russian GLONASS, and then 309 and 312 are European Galileo satellites.

Okay, so big whoop. You found all these GPS dongles. You found some that could pick up other satellites. But what does it mean? What does it mean to war driving? And what does it mean to accuracy in general? So I ran some tests. I set up equipment with each dongle and drove around a neighborhood, and let's see the results. So with GPS only, using the BU-353, you could see here that, yeah, it looks pretty good. I did a little loop over here in this neighborhood to kind of test the precision there. It looks a little off. But I mean, for the most part, it looks like I'm on the road. I was in a car, so I was on the street the entire time. So there are some areas where it looks like I was on the sidewalk, but for the most part this is pretty accurate. Next, I had one of the dongles configured for GLONASS only. So just using Russian GLONASS satellites, it kind of looks like I was off in the grass and driving over people's houses. But for the most part, it still captured the same path. Then we have the GNSS receiver. So this is receiving all the things from GPS, GLONASS, Galileo. And you can see this actually looks much better. It looks like I'm more in the center of the road, which is closer to where I was actually driving. The circle around this tree up here looks a lot better.

But let's compare all of them when we overlay them together. So the green lines are going to be GPS, GLONASS is red, and the GNSS receiver is yellow. So for the most part, the tracks all look the same, with GLONASS sticking out a little bit. But let's zoom in on that circle there. So you can see the way I drove this path was I came down through the top of that parking lot, did the lap around the tree and then left out the front entrance there.
So with the yellow line, you can see that I actually stayed on the road. With the green line, it shows me off in the grass a little bit. But for the most part, it's fairly accurate. And the red line, from GLONASS-only information, shows me running off in the grass and driving over cars like a monster truck, which is not what I did. But yeah. So what did we learn from that? In a rural area with not much in the way to obscure the sky, it really doesn't matter which dongle you use. They're all fairly accurate for the most part. I mean, it wasn't off by too much if I was plotting Wi-Fi networks.

But let's test this again in an area where there are things obscuring the view to the sky. So I drove to downtown Denver and ran the same test. So we can see here GPS. Well, that looks pretty good. There's only a few sections there where I got a little squirrelly going around the corners of some buildings. But for the most part, that's really accurate. GLONASS only: I don't even know what happened. Clearly, it can't handle an urban environment. But using the GNSS receiver, this was definitely the most accurate. In all the results there, you can see it shows you exactly which street I'm on, and you can see the path that I drove. Let's overlay them all together. And you can see, for the most part, GPS by itself was fairly accurate as well. It just got off path a little bit. But yeah, we can zoom in and see that there. GPS kind of showed that I drove through a building and off through some trees. But for the most part, it stuck close to the road where I actually was. And if we're mapping Wi-Fi networks in something like WiGLE, this information doesn't need to be the most accurate. I mean, if you're sending someone on site to go and attack this Wi-Fi network, they're going to find it if they're within that same area that GPS is kind of saying that we went to. So while it's not the most accurate, it's still pretty accurate there.
So the results here are that the GNSS dongle was the most accurate in all of the war-driving results. GLONASS by itself was the least accurate. And the GNSS receiver locked up the fastest. In all of these cases, when I was testing this out, what I did was I drove to the starting location, plugged in everything, and then sat there and waited for it to get lock. And then I gave each one 10 minutes to stay stationary before I conducted the drive. And the GNSS receiver locked up instantly every time. And that's simply due to the number of satellites in the sky that it can pull information from.

So what do you want to look for when you're looking for a GNSS dongle? First, make sure it's a GNSS receiver. GNSS means that it receives all of the things. The u-blox chipset is easy to configure with that u-center software. Everything is point and click. There are some Python pip modules to interact with u-blox chips or chipsets, such as the one seen on the right here, which leads me to the third bullet point of looking at the supported operating system. When you're looking at various dongles, they may say it supports Windows. It may say it supports Linux. You want to make sure that it's going to work with the operating system that you're going to use in your war-driving efforts. So this $200 Raspberry Pi HAT isn't going to work with a Windows computer. It's important to note that. And I also wanted to note that I'm not telling you to buy the dongle that I used in this. I'm not saying that my research is the end-all be-all. All I wanted to do was provide enough knowledge to the community to be educated enough to make decisions on what kind of dongles to buy. Now you know that GPS is not the only satellite out there. You know what kind of data comes down from these satellites. And you know that there are dongles out there that can receive that NMEA data and determine location.
So now that everyone is educated on this topic, you can go out there and do your own research. This SparkFun Pi HAT was brought to my attention shortly before this presentation was made, so I didn't have enough time to play around with this and get it working enough to be a part of this presentation. But it's certainly up for anyone. Anyone could do that. I'm not the expert on this. I just wanted to provide my background knowledge, the fundamental knowledge of how GPS works, so that everyone else could go out there and make the same kind of decisions that I did: just buy a bunch of dongles, do the research yourself and try to find out what works best for you. Now you are armed with all that knowledge, and you can go out there and buy your own dongles, and you know exactly what's coming down from space to provide your location. Go war drive the world. WiGLE is doing a war-driving contest with DEF CON this year as part of their Wireless CTF. Check it out, sign up, select a block on the world, war drive some access points and collect some points. If you want to continue the conversation with me on war driving, you can find me on Twitter at @theDarracott. If you want to see projects that I'm working on, there's my GitHub link.