Understanding GPS Data Spoofing

Global Navigation Satellite System (GNSS) spoofing is a cybersecurity attack that provides fake position, navigation, and time (PNT) information. A GNSS spoofing attack is easy and inexpensive to create, and a hacker can take control of a GNSS receiver remotely and usually without detection. Also, it can influence critical functions, such as time-sync, speed control, steering, navigation, location, privacy, and more.Spoofing attacks can produce conflicting data and incorrect system actions. Some failures can create time-sync position and velocity, and fleet-level and telematics problems. Automotive, aviation, and maritime spoofing may confuse the person or crew steering and cause deliberate misdirection, inconvenience, delays, accidents, damages, and jeopardize cargo and lives.Recently, I talked with Roi Mit, CMO of Regulus Cyber, to learn more about the spoofing situation. Regulus provides GNSS spoofing detection and protection to organizations requiring location reliability.

What’s behind GPS location spoofing and are there any recent example of these attacks?

The GPS system is an open signal without any encryption. This means any hacker can easily record and transmit this signal. This is true for all types of telecom technologies, including smartphones. GPS spoofing has occurred multiple times already. Some attacks are mobile-related, including spoofing used by UBER drivers to trick the app. A 2017 incident in a Miami conference affected all of the phones. Teenagers can even spoof their phones for Pokémon Go.

How does spoofing work and what are the incentives for it?

The spoofing signal is transmitting a fake satellite signal with more power than the one coming from space, essentially overpowering the real signal. This means that GPS location information can be controlled by a hacker. The typical device used to perform spoofing attacks is an SDR (software-defined radio).

As in any cyberattack, there are multiple incentives, both financial and criminal. Motives for hacking GPS include fun (cheating at Pokémon Go, a location-based game), an alibi (spoofing a mobile phone to change evidence), theft (spoofing a ride-sharing app to catch rides out of your reach), kidnap (spoofing a VIP\celebrity phone, so they can’t be tracked), and terror (spoofing multiple vehicles causing a mass accident).

What industries/applications depend on GPS locations?