GPS security a concern for university expert
July 26, 2012 // Rick Merritt
After testifying before Congress about security vulnerabilities in civil GPS systems last week, Todd Humphreys is convinced the industry needs a new approach to plugging holes in what he calls “the most popular unauthenticated protocol in the world.”
“There’s a way to add backward-compatible authentication like digital watermarks to GPS signals, and last week I had my best shot at convincing lawmakers to fix the problem at the signal source,” said Humphreys, who directs the Radionavigation Laboratory at the University of Texas at Austin.
“I don’t think I will even pursue that anymore because I got a strong sense it is a non-starter,” Humphreys said. “No one wants to touch the signals broadcast from the satellites even though all we are asking is to define a new message,” he added.
Only 15 of the 62 possible GPS messages are currently defined. Humphreys and other GPS security experts recommend defining two messages that could automatically authenticate GPS signals.
Even if the U.S. government had the will to make the technical changes, it could take more than five years to implement, Humphreys said. That’s too late given a Congressional mandate opening up the use of civilian drones in the U.S. in 2015.
Humphreys went to Washington DC hoping lawmakers would embrace the cryptographic solution developed in his lab. “We spent two years writing that paper and wanted to hand it to lawmakers as a template free of charge to implement--it will work fairly well,” he said.
The problem is that hackers can readily spoof civil GPS signals. Humphreys’ lab has shown how hackers can use faked GPS signals to take over operation of a drone aircraft, a power grid or a cellular network.
“I don’t want to be an alarmist, but to me it defies reason that we would continue to develop around unauthenticated civilian GPS protocols,” he said. “It seems to be a fairly significant vulnerability like leaving the back door to your house open—the odds are nothing will happen, but you won’t feel good about it,” he said.
With the door to authenticated civilian GPS effectively closed, Humphreys and other researchers are turning their attention to a grassroots campaign. There’s a laundry list of defenses, detailed in his testimony last week, that can be implemented by GPS receivers.
“The first thing engineers can do is pay attention to auto gain controls in receiver front ends that can tell you the power levels of the incoming GPS signals,” said Humphreys.
GPS signals are very weak. Hackers trying to create fake signals to control a system are most likely to use readily available GPS test systems that emit significantly more powerful signals.
An op amp responsible for auto gain control could deliver a GPS signal voltage readout to a baseband chip. The baseband could then do a relatively straightforward calculation to determine whether the signal was coming from a tester or a satellite.
The measure would not detect a more sophisticated GPS spoofer such as the units the Austin lab has developed using software radios based on Texas Instruments’ DSPs.
So far only one company supports auto gain control, but it is too coarse to detect GPS tester signals, he said.
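The AGC check described above can be sketched as follows. This is an added example, not code from the article or from Humphreys’ lab. It assumes the front end reports AGC gain in dB (gain falls as input power rises); the sample readings, the function names and the thresholds are constructed for illustration.

```python
from statistics import median

def agc_baseline(clean_gain_db):
    """Median and median absolute deviation (MAD) of AGC gain under clean sky."""
    m = median(clean_gain_db)
    mad = median(abs(g - m) for g in clean_gain_db)
    return m, mad

def first_overpower_index(gain_db, base, mad, k=6.0, floor_db=1.0, hold=3):
    """Index where a sustained AGC gain drop begins, or None.

    A reading is suspicious when gain falls more than max(k * sigma, floor_db)
    below the baseline, with sigma estimated as 1.4826 * MAD. `hold`
    consecutive suspicious readings are required so that a single noisy
    sample does not raise an alarm.
    """
    threshold = base - max(k * 1.4826 * mad, floor_db)
    run = 0
    for i, g in enumerate(gain_db):
        run = run + 1 if g < threshold else 0
        if run == hold:
            return i - hold + 1
    return None

# Constructed AGC gain readings in dB (assumed units, not measured data).
CLEAN = [40.1, 39.9, 40.0, 40.2, 39.8, 40.0, 40.1, 39.9]    # calibration window
TESTER = [40.0, 39.9, 40.1, 35.2, 34.8, 34.9, 35.0, 35.1]   # strong source appears
GLITCH = [40.0, 36.0, 40.1, 39.9, 40.0, 40.2, 39.8, 40.0]   # one-sample transient
MATCHED = [40.0, 39.9, 40.1, 39.8, 40.2, 40.0, 39.9, 40.1]  # power-matched source

def classify(gain_db):
    """Label a trace against the clean-sky baseline."""
    base, mad = agc_baseline(CLEAN)
    hit = first_overpower_index(gain_db, base, mad)
    return "normal" if hit is None else f"overpowered from sample {hit}"

if __name__ == "__main__":
    for name, trace in [("tester", TESTER), ("glitch", GLITCH), ("matched", MATCHED)]:
        print(name, "->", classify(trace))
```

The power-matched trace comes back as normal, which is the limitation the article notes for more sophisticated spoofers: a power check alone only catches sources that raise the received signal level.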
Several other fixes could be implemented at the receiver, such as using multiple antennas. But most of them are not suitable for mobile systems because they require too much physical space.
The fixes do not appear to be on the radar screen for consumer GPS chip makers such as Broadcom and Qualcomm. “They are probably aware of it but they have taken no steps as far as I can tell,” Humphreys said.
Ostensibly, the threat to consumer gadgets such as smartphones and car navigation devices is relatively low. Hackers likely would not be motivated to get the average driver lost on the way to his hotel or weekend party.
However, a GPS hack potentially could be used to compromise other aspects of a device. For example, at the Black Hat conference this week, one security expert will show how hackers could spoof near-field communications signals to access data on a smartphone.
The bigger threat is to “critical national infrastructure gear that typically uses higher end chips that still are not protected,” many of them supplied by NovAtel of Calgary, Canada, he said.
“If you could just build some paranoia using these receiver techniques, we would be leagues ahead of where we are today,” he said.
The Texas lab got interested in the drone problem after Iran broadcast pictures of a U.S. drone spy plane it captured last December. Iranians claimed they used a spoofing attack to capture the drone.
The lab was able to secure funding, and use of a White Sands, New Mexico facility, from the U.S. Department of Homeland Security to determine the level of vulnerability of civilian drones.
“It was months of hard work,” said Humphreys. “We showed these drones’ nav systems are hackable by their exposed GPS stream, and once you spoof it, you can have your way with a drone,” he said.