Monday, November 12, 2012

GPS jamming, spoofing pose dilemmas for criminal justice system and beyond

Grits has recently been thinking about state-level policy implications of recent and pending court decisions regarding GPS tracking by law enforcement, and ran across a few links and informational tidbits I thought I'd pass along related to seldom-considered misuses and vulnerabilities of GPS technology

First off, at Slate this week Ryan Gallagher ponders the implications of GPS tracking technology when used not by law enforcement but by private investigators and private citizens. Texas law, he notes, forbids private citizens from using GPS trackers, but a Texas company would sell you the device and let you do it yourself:
Other PI companies were reluctant to directly help me track the vehicles but instead offered to sell or rent me GPS tracking equipment. This would mean any unlawful use of the tracker would be on my shoulders and not those of a PI. In one instance, even after I informed Texas-based LP Dynamics that I was looking to track two vehicles, one of which had no ownership connection to me, I was offered "2 passive GPS units" for $125 each. A company representative emailed: "Just place on a vehicle, remove when you want and download to your computer to see where they have been." When I later contacted the company for this story, CEO Michael Morrison emailed that "we are a licensed private investigation corporation and not an attorney." Morrison rightly stated that LP Dynamics follows Texas law "to the letter" because the penal code covers only the installation of tracking systems but not the sale of the devices. This could be considered something of a legal loophole.
Next, as increasingly we find GPS embedded in everything - indeed, with Google even experimenting with a driverless car based on real-time GPS - it's disturbing to learn how easily GPS can be spoofed. Last year, Iran spoofed GPS signals to and from a CIA drone to cause it to land in Iran instead of Afghanistan. The Iranians took advantage "of weak, easily manipulated GPS signals, which calculate location and speed from multiple satellites."

Civilian signals appear even easier to exploit. Logan Scott of LS Consulting recently noted on Inside GNSS that:
in June of this year, Todd Humphreys and his team at the University of Texas at Austin demonstrated the controlled capture of a small, civil drone aircraft at White Sands Missile Range using a well-known RF spoofing attack protocol. The significance of this test is not that it demonstrated ground-breaking technology — it didn’t. The significance of the drone exercise resides in the concrete demonstration of how insidious a successful spoofing attack can be. 
Go here to see a video from the UT-Austin scientists detailing exactly how they "hijacked" a drone aircraft, controlling it from up to half a mile away. Explaining the implications of the experiment, Humphreys told a Congressional committee recently that "Civil GPS signals have a detailed structure ... but no built-in defense against counterfeiting or spoofing." See a presentation (pdf) and a recent paper (pdf) from Humphreys and his team on "Assessing the Civil GPS Spoofing Threat." Evaluating the array of potential counterpapers, they summarized the threats thusly:
  • Bad news: It’s straighforward to mount an intermediate-level spoofing attack
  • Good news: It’s hard to mount a sophisticated spoofing attack, and there appear to be inexpensive defenses against lesser attacks
  • Bad news: There is no defense short of embedding cryptographic signatures in the spreading codes that will defeat a sophisticated spoofing attack
Who hasn't seen a movie or TV show where a hacker remotely takes control of some government system - usually security cameras - and alters data viewed by the end user to cover up for illicit activity? This research tells us that the same can be relatively easily done for technologies relying on GPS. Further, there is no way to force "commercial receiver manufacturers to adopt spoofing countermeasures," so whether a particular product is vulnerable to spoofing attacks depends on the skill, foresight and due diligence of the vendor, which most end-users aren't qualified to evaluate. Wired magazine had a story earlier this year exploring potential GPS-related vulnerabilities of global financial systems. Humphreys told Wired that, "So far no credible high profile attack has been recorded but we are seeing evidence of basic spoofing, likely carried out by rogue individuals or small groups." He added, "Whilst the leap to more advanced, untraceable spoofing is large, so are the rewards."

In light of these developments, Scott argues that, "GPS is a double-edged sword; on the one hand, an extraordinarily useful utility that is inexpensive to use, but on the other hand, a system technology that introduces major and often times poorly understood vulnerabilities." The dangers from GPS hacks and/or failures to drones or other GPS-based syatems are myriad::
Routine software and map updates provide opportunities to infect civil GPS receivers with targeted malware. Even if the GPS receiver is working fine, a man-in-the-middle attack may simply inject false positions into the system data stream — in short, lie about position. Cell phone apps for conducting this sort of attack are readily available. To hijack a UAV, an attacker might alter its waypoint database or disrupt its command and control links, while leaving its GPS receiver alone. Just about any component of an integrated system might be suborned, especially if it connects to a network.  
Thinking aloud, criminal justice implications for spoofing technology might include offenders released with GPS tracking anklets. It would be the rare, tech-savvy offender who figured out the how-tos on their own, but once it's been done once, there could be a sea of wannabe script-kiddies itching to follow their lead. Readers are invited to suggest other areas where GPS spoofing might disrupt law enforcement strategies.

Another technological vulnerabilitiy of GPS stems from the use of jamming devices, which Fox News in 2010 said are "Illegal, Dangerous, and Very Easy to Buy." Car thieves in the UK have used GPS jammers to aid in their getaway. Even if GPS jamming is illegal for Americans, other countries or organized crime gangs can disrupt even military-grade GPS signals with relatively simple technology:
North Koreans have used Russian-made, truck-mounted jamming gear near the border to disrupt low-power GPS signals in large swaths of South Korea. By broadcasting powerful radio signals on the same frequencies as the satellites, the jammers drown out the GPS signals. ...

[T]he jamming has occurred three times in the past two years and has coincided with joint U.S.-South Korean military exercises.
Finally, this author identifies more, big-picture vulnerabilities of GPS, many of them stemming from the product's perceived success: It works so well, so consistently, that the mechanics of how it might fail are poorly understood and the security technologies to counter attacks on GPS systems are underfunded and dispersed among an array of jurisdictions. Fascinating stuff. As GPS becomes embedded in systems from transportation to energy to security to finance to communications and an array of consumer products, it's a bit disturbing that preventive techniques for thwarting GPS attacks at present appear rudimentary. So far, I'd say exploitation of GPS vulnerabilities has been limited more by lack of ambition among the criminal class than by the technological difficulties of overcoming this relatively simple technology.


Anonymous said...

No need for expensive gadgetry other than what you already probably own and have in your pocket or purse right now. I tracked my wife simply by leaving my cell phone inside a pocket of her luggage. Worked flawlessly:

Anonymous said...

I think these potential ways to fool a drone about its location will be much more useful to defense lawyers wanting to cast "reasonable doubt" on drone-generated evidence than to people actually wanting to capture or destroy someone else's drones. For instance, if police testify that a drone flew over your backyard and detected the smell of wacky tobaccy, you might want to ask some pointed questions about how the operator can be sure of either where it was or whom it saw.

Gritsforbreakfast said...

9:56, in most cases as I understand it they'd be relying on photos, so I'm not sure that would give defense attorneys much wiggle room. Perhaps under some circumstances.

8:29, I don't have any problem with family members consenting to be tracked by their relatives. That's a far cry from the government doing it without anyone's consent.

ATSAH said...

It seems that these techniques will simply be another argument in favor of keeping already overly expansive federal cell phone location data warrants that lack reasonable suspicion. If its easy to spoof the gps then federal agents will argue for broader powers to track people in real time without a constitutional warrent.