Blog Editor’s Note: This outstanding guest post first appeared on LinkedIn and is courtesy of member Guy Buesnel. Guy’s company, Spirent, is very much concerned with GNSS vulnerability and has recently become a premium RNTF member. Thanks for this great report, Guy!
Guy Buesnel on LinkedIn
Talks and behind the scenes chat at the world’s most notorious hacker conference suggest that GPS is the next big cyber attack surface
It’s 5am and I’m standing in a Las Vegas hotel lobby. Very jetlagged, I’m intending to go for a quick stroll before the incredible 40-degree heat kicks in.
To my surprise, I’m not the only one up at this hour. A man walks over and introduces himself as Jeff.
“DEFCON is a 24 hour event – and I’m up practically every hour of every day,” he says.
We fall to chatting and he’s fascinated to learn that I’m a GPS expert. We talk about how the hacking of Pokémon GO has evolved and how people have started using software defined radios (SDRs) to fake constellation signals.
“I was the first person to show how it was possible to hack the Pokémon game,” Jeff says.
He tells me a little about the history of DEFCON, how it has become the huge success it is today. “This year we’ve got electronic badges,” he says. DEFCON badges are collectors’ items and highly-coveted souvenirs. Jeff tells me that last year the conference took over $1m on the door.
A bartender greets him and they spend a few moments catching up. “We get all types here,” says the bartender. “Tourists are especially vulnerable. You guys are too clever to fall for that, cyber security and all that.”
Jeff tells me he has to go, and that he’ll see me around.
“Do you know who that was?” asks the bartender. Seeing that I had no idea at all, he tells me I’ve been talking to none other than Jeff Moss, AKA Dark Tangent, the founder of DEFCON way back in 1993.
The world’s most notorious hacker conference
Only 100 people attended the very first DEFCON, which was organised as a one-off farewell party for a hacker friend a few days before he left the US. It took its name from the movie WarGames, and is also a reference to the famous Defence Readiness state used by the US. Following that one-off event, Jeff was convinced by others to host it again, and the rest is history.
DEFCON is known as a hacker conference, but it isn’t just hackers who attend. There are also security professionals, journalists, lawyers, students, government employees, and law enforcement here – all with a common interest in hacking or reverse engineering of new technologies or software.
And, of course, there’s also the odd GPS specialist. I’m here at DEFCON to get some first-hand understanding and inside intelligence of how hackers are exploiting positioning, navigation and timing (PNT) technologies. Back at Spirent, that insight will help us develop test frameworks to help PNT system developers, manufacturers, integrators and users protect against the latest threats from hackers.
GPS spoofing is big on the hacker circuit
And GPS is being talked about a lot this year. In a packed hall I watch a talk on car hacking given by Javier Vasquez Vidal and Ferdinand Noelsche. A big cheer goes up as they pull up a picture of an in-vehicle GPS tracking device that’s used for insurance purposes. They have developed a tool called CAN Badger, which is essentially a reversing tool for vehicles that allows a user to interact with components and scan the vehicle’s bus (communications network) using several protocols.
Using CAN Badger, they can record and play back CAN data, which lets them spoof their GPS position in order to fool the insurance company system. To illustrate this, they play a video that shows the car driving sedately around a loop, while in real life the vehicle is stationary with only the ignition system switched on.
At this point, two people behind me start speculating that a better way of doing this would be using an SDR to fake satellite signals – they saw last year’s talk by the two Chinese researchers and think it would be an easy matter to build something similar.
They’re not the only ones with an interest in GPS spoofing. While I’m grabbing a sandwich, a hacker called Tyler comes over. He’d seen me talking to Jeff earlier and says he’s read some of my blogs on GPS. I ask him how he knows me. “It was easy to find out,” he says. “There aren’t that many GPS specialists and I found your photo online quite quickly.”
Tyler wants to talk to me about GPS time spoofing and what it might do to mobile phones connected to the LTE network. He tells me I should be speaking here: “You’re an expert, and a lot of people here would be really interested if you gave a talk. GPS is such a hot topic just now.”
DEFCON 24: Definitely not your average conference
I see Jeff again on Friday morning. He has to meet a colleague, he says. “I could give him my badge because I’m probably the only one here that doesn’t need one, but I’d like him to go through the queuing experience”.
And an experience it certainly is. I’d queued for two hours on Thursday morning – marshalled all the way by the famous red tee-shirted DEFCON Goons (all volunteers) – to pay my $240 cash on the door. I’m now the proud owner of a much-coveted DEFCON24 electronic badge, which contains hidden secrets to unscramble. There is intense competition to unravel the secrets of the DEFCON badge, with the winners hoping to obtain the famous Black Badge that entitles you to lifelong free entry to DEFCON.
(At one point I see two hackers who have connected the badge up and are using Wireshark to try and understand what’s going on inside the badge’s processor. “We’ve made some good progress today,” they tell me guardedly.)
The message from Las Vegas: take GPS hacking seriously
As I leave for the airport I notice a sign directing people to the Rio Express shuttle. The Olympic Games are opening in Rio, but I feel like I’ve just been a spectator at the Olympic Games for hacking. The people here aren’t by and large sporty types, but they are definitely supreme athletes of the dark arts.
And judging by what I’ve seen this week, we need to take them seriously. GPS and RF hacking are high on their agenda – and so good risk assessments and a campaign of testing against real world threats to understand system behaviour and mitigate accordingly become ever more vital.