
Spoofing ships, jamming drones: how GPS manipulation confuses and compromises.
Maria Varmazis: Yeah, I remember when I was researching -- when I first started this job a few years ago, I remember I pitched to my boss at the time, Brandon Karpf, and I said, "You know, Brandon, I really want to research GPS spoofing. I'm fascinated about this." And so in my naivete, I started calling a bunch of companies that sell for the US government anti-GPS spoofing technology, and I was like, "Can you tell me how this works?"
Ethan Cook: They're like --
Maria Varmazis: And I'm pretty sure I'm going to live somewhere now. Yeah.
Ethan Cook: -- "Excuse me, who are you?" [laughs]
Maria Varmazis: Welcome. I'm Maria Varmazis, and you're listening to "T-Minus: Space-Cyber Briefing". In this show, we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects, and connects our lives. Greetings, friends, thank you for joining me today. Last week on this show, we explored why attacks against GPS and similar space systems matter in a cybersecurity context. Reminder, global navigation satellite systems like GPS are a key dependency for much of our critical infrastructure. And so this week we're all about the how, how do attacks against GPS signals typically work? Well, Producer Ethan Cook joins me again to explore a few of the different attack types that we might typically encounter. Let's do this. [ Music ] Hey, Ethan, good to see you again.
Ethan Cook: Yeah, I'm back.
Maria Varmazis: Yeah, you're back. Long time no see. So -- [laughs]
Ethan Cook: We're back for GPS part two.
Maria Varmazis: GPS part two. I mean, honestly, we're probably going to have part three, four, five. We are --
Ethan Cook: It's never-ending, by the way, you know, we're just getting -- we're just an iterative process.
Maria Varmazis: That's right. [laughs] Well, it's -- it is so crucial. And you said it brilliantly in the last episode about it is only going to become more important to how modern technology infrastructure works, and it is vastly underappreciated for what a cornerstone technology it is right now.
Ethan Cook: Yeah.
Maria Varmazis: I certainly -- I will raise my hand on that one. I don't think I appreciated how much we use it in our modern lives outside of the office.
Ethan Cook: I think that's the story of most technologies.
Maria Varmazis: Is it? [laughs]
Ethan Cook: You know, I think we're all like, "Man, this is so helpful," and when it goes down we're like, "This is the worst thing in the world."
Maria Varmazis: Oh, no.
Ethan Cook: And then you realize that, "Man, this is what it was 10 years ago." [laughs]
Maria Varmazis: Yeah, it's -- that "xkcd" comic of the entire internet being held up by that one guy in Finland or whatever, [laughter] which is -- which I have been told by all my friends who know this stuff that that is completely true. I think that that one guy in Finland also can sometimes be GPS. [laughs]
Ethan Cook: GPS. Yes.
Maria Varmazis: Just like do we realize how much is actually really dependent on this being accessible and the signals being correctly interpreted and all that kind of thing?
Ethan Cook: Yeah.
Maria Varmazis: When the phrase, "GPS hacking" gets thrown around, at least when I started this job a few years ago, I thought we literally meant hacking the GPS satellites, which --
Ethan Cook: No.
Maria Varmazis: -- I think the US Space Force is like, "I'd like to see you try." [laughs]
Ethan Cook: It would be very difficult.
Maria Varmazis: It would be extraordinarily difficult. And they're like, "Bring it on, we're ready for you." So that's not -- but that's not really what is meant.
Ethan Cook: No. It's a lot more ground-focused and a lot more -- I think the best way to describe it, at least from what I saw, was confusing signals rather than -- or overpowering signals rather than trying to take down networks.
Maria Varmazis: That's exactly it. That was -- that surprised me a lot, because I really thought it was like, "Oh, you know, the space horse [phonetic] is just going, "Bing, bing, bing," like -- and I'm sure they are, genuinely, staving off all these attacks against the actual satellites and the ground stations that they use. But like, yeah, they're in the military, they're handling their own thing. For the rest of us, it is exactly that, like just that phrase we love, "The signal and the noise," this is literally that --
Ethan Cook: Yeah.
Maria Varmazis: -- situation of like we're -- these signals being blasted out in a spherical radius from the GPS satellites, we monkey with those signals when -- as they hit the ground because they're very weak.
Ethan Cook: They've gone through atmosphere, potentially weather impacts, bounced off walls --
Maria Varmazis: They're far.
Ethan Cook: -- you know, gone through buildings. It's not something that is easy.
Maria Varmazis: Ever try to get GPS from inside a house, you're just like, "Nope, not getting it." Yeah, those are really weak signals by the time they get here, so they are really easy to mess with, or fake --
Ethan Cook: Yep.
Maria Varmazis: -- or overwhelm, and that is essentially what it is. Look, why don't we go through maybe some of the frequent attacks against GPS signals? So --
Ethan Cook: Yeah.
Maria Varmazis: -- we call them sort of shorthand hacking GPS, but again, it's really attacks against the signals as they arrive on the ground, so. What is your understanding of GPS signal jamming?
Ethan Cook: So it feels kind of obvious when you say it out loud in that you're jamming the signal, right, you are -- you're killing the legitimate signal by, you know, oftentimes overpowering it so the legitimate signal cannot go through.
Maria Varmazis: Yeah.
Ethan Cook: Use cases for that would be, "Okay, I don't want the signal to accurately find where I am."
Maria Varmazis: Yeah.
Ethan Cook: Taking it to a real-world example -- because I think when you talk about attacks it's really hard to conceptualize impacts unless you have real-world examples, the Ukraine war --
Maria Varmazis: Yes. Yep.
Ethan Cook: -- there have been multiple use cases confirmed at this point that military drills use GPS signals to make sure that they're going to hit the intended target accurately and on time. So if there is a tank, or fortification, or a building that I'm trying to hit as an attacker, I'm using a GPS signal to guide that drone to the correct target.
Maria Varmazis: Yeah.
Ethan Cook: Now, GPS jamming can be used to counter that. It's an emerging front. It's something that I think really has popped up as a mainstream as drones have become more popular --
Maria Varmazis: Yes.
Ethan Cook: -- in the Ukraine front, and I'm sure it has taken place in Iran as well, where you confuse and you overpower the GPS signals that are guiding that drone. And the drone doesn't know where it's going anymore.
Maria Varmazis: Yeah.
Ethan Cook: It's still going to hit somewhere and explode, but it's likely not going to hit the thing that it was meant to hit. And obviously that doesn't negate its damage or reduce any casualties. You know, the logic behind it from a defensive perspective is it's not hitting the main target. So maybe it's hitting the building and still causing structural damage, but it's not going to cause the whole building to collapse or --
Maria Varmazis: Yeah.
Ethan Cook: -- it's not going to hit the tank head-on, it's going to bounce off and maybe the tank suffers some mechanical damage, but the whole tank isn't imploded. So that's kind of the logic there.
Maria Varmazis: That's exactly right on. The way that I think of it for jamming is the GPS signal as it hits the Earth is like a bird gently chirping. [birds chirp] And then if you're jamming, you've got a foghorn -- [laughs]
Ethan Cook: Yeah.
Maria Varmazis: -- [foghorn] and you're trying to hear that chirping bird, but all you can hear is the freaking foghorn.
Ethan Cook: Yeah.
Maria Varmazis: And that's -- and it's just like literally looking for that signal through the noise. [ Foghorn, birds chirp ] Something that I found fascinating, years ago when I was learning about this, initially, was that a lot of GPS jammers used to be -- and I'm sure they still are, if you know where to look, very unsophisticated like Bluetooth devices you could --
Ethan Cook: Yeah.
Maria Varmazis: -- just plug into your car's cigarette lighter, if you still have one. There was a guy who did just that and got massively fined, and I'm pretty sure also arrested, in 20 --
Ethan Cook: It makes sense.
Maria Varmazis: Yeah. But this was back in 2013. And he operated a GPS jammer from his car, sitting outside of Newark Airport in New Jersey, specifically to mess with the signals that the airplanes are dependent on, which is a humongously dangerous thing. I mean, he was not the only one. This was just the headline that stuck out in my head. But you know, it was -- it is not a sophisticated attack.
Ethan Cook: No.
Maria Varmazis: It's not hard --
Ethan Cook: Highly illegal. [laughs]
Maria Varmazis: Highly illegal. I -- we -- do not come after us, we have warned you, don't do this.
Ethan Cook: It's incredibly dumb if you do. [laughs]
Maria Varmazis: Yeah. And the equipment is extremely low cost. So it makes sense why especially in warzones this is like one of the first things that people do is your GPS is not going to do anything good for you. And as sort of dark as this to say, one of my favorite websites to sort of track how this actually looks like on a global scale is this website called gpsjam.org. And it's this really fascinating resource. Sometimes I just go there just to -- this sounds weird, just to look around.
Ethan Cook: See where it's at?
Maria Varmazis: Yeah, it just basically uses open-source information based on information from commercial planes --
Ethan Cook: Yeah.
Maria Varmazis: -- about how accurate the information is that they're getting. And you can see really easily where the contested zones are. I'm looking at it right now as we're talking. Yep, Ukraine lit up, Iran lit up, the Strait of Hormuz, forget it. But also looking near -- I'm looking near Estonia right now --
Ethan Cook: Hmm.
Maria Varmazis: -- Estonia and the Baltics in general are just bright red, so is a whole bunch of the Baltics.
Ethan Cook: I mean, it makes sense, they are very close to two conflict zones.
Maria Varmazis: Exactly. So either -- and there are other spots, like I think I'm looking at Myanmar as well, even on the US border with Mexico there are some red spots there. So whether or not that is intentionally being jammed or it is jammed from other factors, this website can't tell us that.
Ethan Cook: Delineate between intentional or --
Maria Varmazis: Yeah. Correct.
Ethan Cook: -- like atmospheric incidents or something.
Maria Varmazis: Or just like just the heavy traffic or something, yeah. The creator of this website they mentioned that this is GPS interference, as he can map it based on open-source information. So don't try to extrapolate necessarily intent, although in some cases it's obvious --
Ethan Cook: Yes.
Maria Varmazis: [laughs] -- like a conflict zone.
Ethan Cook: Surprised that, you know, Ukraine, not a good -- not a surprise there that GPS may be unreliable.
Maria Varmazis: Correct. Yeah, and also near the border with Turkey on the Black Sea, also very, very contested there. So you -- it also has a historical record, which again, is -- can be fascinating looking back in time to see how bad were certain spots with GPS interference. So jamming is unsophisticated and sort of table stakes I think for a lot of modern warfare at this point. But sometimes it's also used in petty crime. It is accessible to dumb basic criminals who are just trying to mess with people, so --
Ethan Cook: I'm sure it would scale up the punishment when they inevitably get caught. [laughter]
Maria Varmazis: Yeah, so definitely don't do it near airplanes, good heavens. So now that we've spent some time on GPS jamming, let's take a quick break. When we come back, we're going to talk about GPS jamming's much more interesting, and shall we say, "sophisticated cousin," and that would be GPS spoofing. Stay with us. Ethan, I want to -- you take the glory on this one. Explain GPS spoofing.
Ethan Cook: So if -- you know, for you cyber professionals out there, if you know what map -- or MAC address or IP, you know, address spoofing is, same concept, right, we are taking our signal we would be displayed as and manipulating it intentionally to show a different thing. A great real-world example where this is happening already is in the Strait of Hormuz. A lot of boats going through there -- well maybe not as much as it used to be, [laughter] but a lot of boats should -- used to be going through there. But you know, we use GPS signals, boats use them, to make sure that we -- and airplanes too, to make sure we aren't colliding with each other, because these are massive vehicles, especially boats, that are hauling very, very expensive precious cargo. If we were to have a collision, not only would that be an environmental disaster, but it would be a significant financial loss. We saw what happened in the Suez Canal a couple years ago when that one boat got stuck on the side of the sea.
Maria Varmazis: Yes, the whatever -- the "Ever" something? Yeah.
Ethan Cook: Yeah. I can't remember the company, but like --
Maria Varmazis: It was a weird name, yeah.
Ethan Cook: -- shutting down a key chokepoint like that is pretty big. Now, that was a legitimate example of just someone deciding to accidentally steer into a canal wall. But I think in the Strait of Hormuz example, you have reports that a bunch of boats are being shown on land in perfect circles, which anyone who knows how a boat works, [laughter] they don't travel over land.
Maria Varmazis: So I --
Ethan Cook: Crazy stuff.
Maria Varmazis: -- was not familiar with that. Thank you for clarifying.
Ethan Cook: Yeah, yeah, it's revolutionary. This is why I went to college.
Maria Varmazis: Yeah. Yeah. [laughs]
Ethan Cook: And so anyone who looks at the map goes like [laughs] "That's obviously not correct," right? But I think when you boil that down to actual real-world impacts, the answer is, "Okay, let's say it's nighttime on a foggy day on the sea by the Strait of Hormuz, and you really can't see a boat, and you're having to go through to deliver the oil or go pick up oil, and you go, "Oh, uh-oh, we have now slammed into another boat," or you have now slammed into a -- because maybe your address is being also jammed simultaneously so you don't know where you are either. You have now slammed into a seabed that you can't get out of, right? And you take that to a logical conclusion, it is dramatically impactful.
Maria Varmazis: Yeah.
Ethan Cook: It could shut down trade lanes, it could shut down effective communications, human life factors. It's absolutely something that needs to be talked about. These are real-world impacts that have significant costs to them.
Maria Varmazis: Yeah. The consequences are especially catastrophic for spoofing. The Strait of Hormuz is a fantastic example. I remember not that long ago when smugglers were all over -- you know, like pilots were all over in the news --
Ethan Cook: Yeah.
Maria Varmazis: -- one of the ways that I think they were also evading notice was by spoofing their own signal and being like, "Yep, we're definitely not where you think we are."
Ethan Cook: "We're not in the middle of X, Y, and Z. We are -- " you know, "-- 800 miles to the west and you're never going to be able to see or find us."
Maria Varmazis: "Yeah, in fact, we're on the ground. You don't even worry about it yet." You mentioned drones a little earlier. That's another huge problem because drones also are, you know, key in modern warfare.
Ethan Cook: Yeah.
Maria Varmazis: And if you completely redirect where the drone's going to go, not just confuse it, but just like send it elsewhere, or tell it to actually, "Hey, you're in the airspace of an airport," which will force it to land.
Ethan Cook: I didn't know that one.
Maria Varmazis: Yeah, yeah. If you tell a drone actually, you're in airport airspace, they will go, "Well, time for me to go down to the ground immediately." So I mean, drone operators know that, but like that is a frequent way of kind of trying to mess with them and disrupt their operations. So spoofing is much more sophisticated. It is not easy to broadcast out a different signal that has bad information in it. So this is usually something we see the military doing. [laughs]
Ethan Cook: I was going to say, when I was doing my research, jamming was a much more readily available topic to find information on --
Maria Varmazis: Yeah.
Ethan Cook: -- and cover. Spoofing -- the -- pretty much what I got, which is, "This is highly legal.
Maria Varmazis: Yes.
Ethan Cook: We will not tell you even how it remotely functions, and if you do it, it is a significant punishment."
Maria Varmazis: Yeah, I remember when I was researching -- when I first started this job a few years ago, I remember I pitched to my boss at the time, Brandon Karpf, and I said, "You know, Brandon, I really want to research GPS spoofing. I'm fascinated about this." And so in my naivete, I started calling a bunch of companies that sell to the US government anti-GPS spoofing technology, and I was like, "Can you tell me how this works?" [laughs] And I'm pretty sure --
Ethan Cook: They're like --
Maria Varmazis: -- I'm going to live somewhere now.
Ethan Cook: -- "Excuse me, who are you?"
Maria Varmazis: I was like, "I swear this is for legitimate purposes." So obviously, nobody told me anything, because that -- no one was going to do that.
Ethan Cook: Of course.
Maria Varmazis: And I stupidly even tried, because I said, "I'm on a list somewhere, if I wasn't already." [laughter] But it was a dumb question to even ask, but I was genuinely curious. So the answer is, "Maria, if you want to find out, go join the military." And so -- [laughs]
Ethan Cook: And work your way to the top.
Maria Varmazis: -- they worked my way to the top like -- yeah. And there's a flavor of spoofing that I keep finding reference to. Have you heard of this one called "meaconing"?
Ethan Cook: I have not.
Maria Varmazis: Yeah.
Ethan Cook: But I love the name.
Maria Varmazis: Yeah.
Ethan Cook: It's a great name.
Maria Varmazis: Yeah, I saw a mention of it and I'm going, "That's fascinating." So instead of trying to broadcast a different fake signal that says, "Actually, I'm over there," it just captures the legitimate GNSS signal and then just rebroadcasts it with a slight delay or modification at a higher signal strength. So it's spoofing, but like a flavor of spoofing. And the receiver, whoever they are, that signal looks extremely legit to them. It doesn't look like it's been messed with.
Ethan Cook: But it's slightly off, just enough.
Maria Varmazis: And it's just off enough that it could probably evade a quick glance, essentially. So -- because the signals are legit, but just like mistimed. That's --
Ethan Cook: Yeah, or going to the point on the time manipulation that we talked about last episode.
Maria Varmazis: Yes. And how insidious this could be.
Ethan Cook: Yep.
Maria Varmazis: But there are lots of -- if you're in the military or in the government, there are lots of vendors that will sell you solutions for this, and that is not our lane. But these problems are only getting more and more insidious. And the consequences are more and more catastrophic as we become increasingly dependent on GPS. The really interesting thing to me is because specifically GPS is such an old technology --
Ethan Cook: Yeah.
Maria Varmazis: -- the signals are not encrypted.
Ethan Cook: No.
Maria Varmazis: So I know forward-thinking, the idea is one day these signals will be more spoof-resilient because they will be encrypted and some of the GNSS systems in other parts of the world have better signal acknowledging security.
Ethan Cook: I would imagine because that's because they're newer as well.
Maria Varmazis: Yeah, yeah. And I know --
Ethan Cook: Easier to have security-forward mindsets when you invented them -- or built your networks 20 years later.
Maria Varmazis: Yes, that's exactly it. And we got into it a little bit with my interview with Dr. Sean Gorman, but some of the work that was being done to try and make GPS more resilient, especially in the ground systems, unfortunately was recently cancelled because it was overbudget and behind schedule.
Ethan Cook: Yeah, yeah, 10 years behind schedule and double the costs?
Maria Varmazis: Yeah.
Ethan Cook: The military likes to give you a long leash for off-time and overpriced projects, but that was a crazy one.
Maria Varmazis: Yeah, even they said no to that one. Yeah, they've got their limits. So the line from the space forces, they've got these incremental improvements that they're working on to make sure that at least for their things, things are, you know, more secure and they can ensure the fidelity of the signal that they are receiving and interpreting. But yeah, GPS is -- speaking specifically about GPS, it's an older system.
Ethan Cook: Yep.
Maria Varmazis: And satellites are being incrementally replaced over time but, you know, it's not a wholesale thing, it's just kind of one in, one out. Maybe one day we'll have fully-encrypted signals from GPS, which will be --
Ethan Cook: It would be nice.
Maria Varmazis: It would be nice, but it's not tomorrow. [laughs]
Ethan Cook: No. I get -- it's not in the next five years. [laughs]
Maria Varmazis: No, no. So I think the advice for a cybersecurity professional knowing that like pretty much everything in modern society, there are a lot of flaws in this technology that can be easily exploited is just knowing, in my opinion, where the heck it's being used, what are your dependencies in your environment for GPS. I feel like it begins and ends really right there.
Ethan Cook: I think it's a -- it is a risk management factor.
Maria Varmazis: Yeah.
Ethan Cook: It is something that you should be aware of if you're in, you know, let's say finances where you're prone to it or it could be impactful. But it is not something that you as an individual or even as an organization can make and, you know, really shake up and fix. This is kind of the thing that you --
Maria Varmazis: No.
Ethan Cook: -- have redundancies in place to account for if something goes wrong --
Maria Varmazis: Yes.
Ethan Cook: -- but you aren't sitting here being like, "Oh, let me buy the latest solution that fixes this." That's not how --
Maria Varmazis: You know, the average infosec professional is not going to be --
Ethan Cook: No.
Maria Varmazis: -- securing GPS. That's the Space Force's job, so -- [laughs]
Ethan Cook: That's just the new cross and hope for that we got good people there. [laughs]
Maria Varmazis: Yeah, exactly, best men and women working on that. So yeah, so just knowing that your dependency and managing that risk as best you can, planning around the fact that it is not infallible, that's really the takeaway of it in advice there, as far as I'm concerned. But Ethan, I'm curious if there are any other thoughts you have on that.
Ethan Cook: Yeah, I think it kind of reinforces the conversation that these are technologies that because -- especially with the modern world as we continue to advance, these are not something that we can just hope they don't get attacked. It's already being attacked.
Maria Varmazis: Yep.
Ethan Cook: These are things that already people are trying to explore and successfully do.
Maria Varmazis: All the time, yep.
Ethan Cook: And we should not rest on the laurels of, "Let's hope it gets better or hope that we can just deal with this." This is something that I think a proactive approach of we need to address, we need to talk about, we need to get governments invested in wanting to increase these. Even if previous attempts haven't necessarily been successful --
Maria Varmazis: Yeah.
Ethan Cook: -- don't let that kind of be the dying point, let that be the initial point of a conversation of like, "Okay, we need to learn why this didn't work previously in our last attempt, correct that, and make sure we have reasonable timelines and cost expectations, and address this now." [laughs]
Maria Varmazis: Yeah, that's federal government procurement right there.
Ethan Cook: Oh, yeah.
Maria Varmazis: That's a whole other show, but I know that's a lot of your world also, so that's good points, though.
Ethan Cook: Yeah, it's a headache world.
Maria Varmazis: Yeah, no, that -- understatement of the century right there. [laughter] As we're talking through and as I was listening to you talking about GPS, a lot of this reminds me of just discussions about how the internet came to be, and they said, "Well, maybe we'll let civilians start using this and not just like a few universities." I mean, they never could have anticipated what it would become and same thing with how --
Ethan Cook: No. I don't think they did with GPS. When Clinton was like, "Hey guys, everyone's -- it's free for everyone, you know, go crazy -- "
Maria Varmazis: Woo-hoo. Yeah.
Ethan Cook: -- I don't think the logical conclusion was, "Well, what are the modern implications of drone warfare for this?"
Maria Varmazis: "What's a drone," yeah.
Ethan Cook: Exactly.
Maria Varmazis: None of this was anticipated, and it's been successful beyond the United States military's wildest dream, I'm sure, and it's what an incredible legacy. Not -- they're not paying me to say that, it's just kind of amazing the internet and GPS like what they've ended up becoming. They weren't meant for civilian use to begin with, so they weren't built with, you know, the idea of thousands of millions of literally billions of us trying to poke holes in them all.
Ethan Cook: Exactly.
Maria Varmazis: So and yet that's what we're doing, because we're human beings. So we have to kind of just do the best we can with these flawed because they're made by human systems. So yeah, know your dependencies and your risk exposure, and that's about it. [laughs]
Ethan Cook: Yeah, I think well said.
Maria Varmazis: Yeah, thank you. All right, well, Ethan, thanks again for joining me and --
Ethan Cook: Thank you for having me.
Maria Varmazis: Of course, come on back next time.
Ethan Cook: Always.
Maria Varmazis: And that's "T-Minus: Space-Cyber Briefing," brought to you by N2K CyberWire. If you like what you heard today, you will also enjoy our newsletter, "Signals and Space". You'll get research and notes pulled together by our producer, Ethan Cook and me, along with this week's top space cyber news stories. Subscribe by visiting thecyberwire.com/newsletters. That's "newsletters" with an "S". We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly-changing cybersecurity landscape. If you like this show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to space@n2k.com. We're proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K helps cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, technology, and ideas shaping the future of secure innovation. Learn how at n2k.com. Thank you for listening to "T-Minus". I am your host, Maria Varmazis. This show is produced by Ethan Cook and Liz Stokes. We are mixed by Elliott Peltzman and Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben, with content strategy by myON Cloud. Peter Kilpe is our publisher, and we will see you next week.
