One of the most significant innovations of the last 50 years is the Global Positioning System (GPS). I was first introduced to GPS when I joined Stanford Telecommunications, Inc. (STel) in 1978. STel made some of the first GPS receivers in the world, and one of its founders (Dr. Jim Spilker) was a key contributor in developing the GPS signal format. GPS, along with its augmentations and evolutionary upgrades, has been a part of my career for more than 40 years.
Initially conceived as a navigation and timing system for the military, GPS has now affected our lives in ways that its developers could never have imagined. Today, GPS is used in precision agriculture, timing for cellular phone systems, golf, E911 emergencies, generating cryptographic keys for financial transactions, tracking continental drift, watching magma reservoirs bulge under volcanoes, measuring atmospheric weather parameters, and navigation of self-driving cars (to name just a few applications). Without a doubt, GPS (and similar systems provided by other nations) has been a boon to human civilization and supports a large and diverse array of applications.
Unfortunately, as our reliance on GPS has grown, so too has our sensitivity to its corruption. Simple failure or loss of signal is well-known, and most engineers and users are familiar with these impairments. But what of signal “corruption” – so-called “spoofing”, and malicious cyber attacks designed to create false reports of position or time? Forty years ago, many engineers and most users thought such attacks against GPS were either physically impossible, or so technically challenging that they could be safely ignored. Those people were wrong.
As early as the 1990’s, the Department of Defense was looking for ways to spoof (fool) civilian GPS receivers that might be in the hands of an enemy. I remember considering a bid on such a study contract (I declined to submit a bid).
In 2012, Tyler Nighswander and his colleagues, at Carnegie Mellon Univ. and Coherent Navigation, successfully demonstrated several devastating internet- and software-based attacks against GPS receivers – in one case, permanently disabling a GPS receiver using nothing but a spoofed data message that the receiver accepted as genuine.
In 2017, at an industry conference in Portland, Oregon, an accidental spoofing event was linked to an unshielded simulator. It affected numerous cell phones, including one type that experienced a “time error” that invalidated various internet security certificates.
UT professor Todd Humpreys has successfully spoofed small UAVs as well as an $80M superyacht, causing them to be led astray (note: these demonstrations were performed with safety protocols in place, and yacht officers were aware and ready to take manual control if needed). The necessary spoofing hardware was relatively low-cost.
Assisted-GPS (A-GPS) and differential data links – a key element of many high-accuracy applications we all rely on daily (including location-enabled cell phone apps and aircraft navigating in the national airspace) — provide a “back door” for malicious actors if they can pose as the authorized provider of the assistance and/or correction data.
As we become more dependent on GPS, its vulnerabilities become more glaring and the consequences of a malicious attack become greater. A multi-layered defensive strategy is needed. Luckily, industry and Government agencies are starting to wake up to the threat.
For the receiver manufacturers, more rigorous software testing is needed to ensure that malicious attacks are identified by the receiver operating system and rejected. For the GPS industry as a whole, working with Government agencies, there is a need for operating and performance standards emphasizing data integrity and authentication. The legacy GPS navigation message does not contain any meaningful authentication features for the GPS downlink signals accessible by the civilian community, and no way to introduce such features (although the military P(Y) code could potentially be leveraged as a watermark in special cases). On the other hand, the modernized signals (which are now available on many GPS satellites) contain protocol features that could be leveraged to introduce several useful authentication features (although they are not used that way today). By working together to standardize and implement authentication features for GPS’s civil signals, some of the most significant vulnerabilities to GPS can be addressed – and we can prevent a potentially devastating attack (or sequence of attacks) on a par with 9/11.
Beyond the spoofing of a “victim” GPS receiver and the impact of such an attack on the host vehicle or user, there is the issue of validating a GPS report from a user – for example, a position report from an aircraft in flight, or a ship at sea, or an E911 call from a cellular user in distress. While some data links used to report a location may be encrypted for privacy – such as cellular data links — there is no special feature that ensures the underlying GPS data is truthful. This opens another back door for malicious actors who might be interested in e.g. spoofing a traffic management system or faking the true location of a vehicle (with the cooperation of the vehicle operator) to mask a crime. Typical crimes of this sort can include relatively minor crimes such as evading road taxes, or more serious crimes such as illegal fishing in protected waters or smuggling. As with the spoofing of a “victim” receiver discussed above, there are known techniques that can be applied to identify common methods of deception and increase our confidence in the underlying data – we have only to take the initiative to apply them.
Over the coming decade, I expect the GPS industry and Government agencies to take a stronger position in protecting the integrity of the GPS broadcast signals, the assisted- and differential data links that are integral to many of today’s applications, and GPS position reports generated by users. While many useful ideas and technologies are already known, more innovation is certainly possible and expected. In my opinion, this will be an area of intense research and development; and potentially, a fruitful domain of new intellectual property.