Global problems

Global problems

The Global Positioning System (GPS) is now in regular use in a variety of industries – in applications where an organisation needs to keep track of vehicles or goods. These include the emergency services (police, fire, and ambulance), marine and aircraft navigation, cargo security and vehicle tracking.

The system is operated by the US Department of Defense (DoD) and is based on a constellation of 27 satellites (24 active and three standby) in six separate orbits. GPS reached full official operational status on July 17, 1995. A GPS receiver continuously monitors GPS signals from the nearest satellites – locking on to the signals from several satellites simultaneously. Usually, signals from four or more satellites are needed to determine position on the Earth’s surface. The process uses a kind of triangulation, where the location of the each satellite, plus the time it takes the radio signal to reach the GPS receiver, is used to determine the exact location of the GPS receiver.

However, either the question is never asked – or assumptions are made about – security. High tech equals high security, doesn’t it? Well, any one who has ever used a PC connected to the Internet knows that technology is mostly insecure – unless very particular steps are taken to protect it.

There are actually two forms of GPS signal broadcast by each satellite. One (the secure one) is retained exclusively for military use. The civilian GPS signals – the only ones available to commercial organisations – are neither encrypted nor authenticated. This makes them relatively easy to counterfeit.

The US Department of Transportation (DOT) has warned of vulnerabilities and looming problems associated with over-reliance and over-confidence in civilian GPS. However, few GPS users appear to be paying attention. Plans are underway to upgrade the existing GPS system, though this will not significantly improve security for most users.

A typical GPS radio signal has a strength of about 0.0000000000000001 (1x10-16) Watts at the Earth’s surface. This is roughly equivalent to seeing a 25-Watt light bulb in Tokyo from Los Angeles. An adversary, such as a cargo thief, can easily block the signal by breaking off the GPS antenna, or covering it with metal. He can also jam the weak satellite signals using a radio transmitter at the same frequency, but having greater strength. Jamming equipment is inexpensive to make, and instructions are available on the Internet.

This threat of jamming is however not the greatest security risks, because the GPS receiver (and user) will be aware that the GPS satellite signals are not being detected and will be alerted to the fact that there is a problem.

A more sophisticated form of attack involves sending out false GPS signals so that a receiver thinks it is located somewhere it is not. This “spoofing” is carried out using a GPS satellite simulator. The simulator produces fake “satellite” signals that are stronger than the real signals coming from a real satellite. Most current GPS receivers happily accept these stronger signals while ignoring the weaker, authentic signals.

GPS satellite simulators are readily available for around £20 - 40k. They are legitimately used to test new GPS products. Someone who wishes to use a GPS satellite simulator to spoof, for example, a GPS cargo tracking system needs to understand very little about electronics, computers, or even GPS itself – and everything needed is available freely on the Internet.

The suppliers of GPS tracking systems often stress the levels of encryption used to secure the transmissions from receivers back to head office. However, this is meaningless if the raw data on which the transmission is based (the GPS-derived location) is itself faulty.

Though there are few reports of successful spoofing so far, it is surely only a matter of time before a large “heist” results from such activity. Watch this space!