Markus Kuhn, University of Cambridge
Dominic: - Weíve all become used to using GPS satnav units in cars and on phones which can pinpoint where we are. But now, computer scientists have shown how people could fool these systems into lying about their location. Markus Kuhn from the computer laboratory at Cambridge University works on whatís called GPS spoofing. Now Markus, first of all, weíre used to these satnav systems in our cars, but how do they actually work out where we are?
Markus - So, there are 24 satellites in an Earth orbit and they're basically a bit like a speaking clock. They tell us all the time very precisely within a nanosecond what the time is and they also tell us at the same time where exactly within a metre they are located. If you know yourself what the time is, you can find out how much the signal has been delayed. From that, you can calculate how far away you are from the satellites. Then if you know how far away you are from 3 satellites, you can intersect three spheres and know where you are. If you donít know the precise time, you need to forth satellite to resolve the ambiguity and this way, you can calculate by looking at 4 satellites precisely what's your time and what's your location.
Dominic - So, itís a process of triangulation by knowing your distances from 3 or 4 satellites above your head. Now how maliciously can you go about tricking that system?
Markus - So, the GPS signal consists actually of 2 signals. There is a signal exclusively reserved for the US military and there is a public signal. That public signal makes it possible for all of us to enjoy GPS in our smartphones and in our satnavs. However, this signal is highly predictable. I know in advance what these satellites are going to broadcast over the next couple of hours that makes it possible for me to receive it but that also makes it possible for me to synthesis one of these signals. So, I can build a device that creates a fake signal and I can send it out and I can make a GPS receiver believe that itís actually somewhere else or at a different time.
Dominic - So, if we take an example, weíve got cars going past outside the window. If I wanted to trick a satnav in one of those cars into say it's somewhere other than where it is, how could I do that?
Markus - You could send out a signal but the particular applications that I'm worried about are not so much satellite receivers that are elsewhere. There are other applications where the person who owns the satellite receiver may have an incentive in that receiver showing a wrong result because the receiver doesnít quite work in their interest. So, there are systems where a car insurance company gives you a satellite receiver and they charge you an insurance fee based on when and where you have been driving. There are lorry fleet management systems where an employer monitors the performance of their drivers whether they are speeding, whether they are taking unauthorised detours by looking at data from the satellite receivers. And in those situations, itís very tempting for the people who have control over the receiver to just disconnect the antenna and connect instead a little box that creates a spoof signal and makes the receiver believe itís elsewhere.
Dominic - So, what you're saying is if I hire a car, and I know where the GPS receiver is in the car, I would disconnect the antenna; it wouldn't then see the real satellites. If I had a computer next to me that was generating a fake signal, I could then feed that into the receiver and make it think it was somewhere entirely different.
Markus - This may initially sound a bit far fetched, but we have already seen quite a lot of manipulation of a similar older system - tachographs in lorries which records how fast someone has been driving. And police have recovered from lorries little devices inserted into the line between the gear box sensor and the tachograph. With a remote-control key-fob, a lorry driver can easily reduce the speed by 10%, by 20% or simulating a break such that the record is faked. One worry is that over time, as the technology for simulating these signals becomes simple and cheaper, the same thing will be happening with GPS based systems.
Dominic - So, what's your aim in researching techniques like this because I'm guessing at the computer laboratory, your job isn't to find tricks that people can use to basically do insurance fraud?
Markus - So, as security researchers, we see our job in anticipating what sort of problems there will be in a couple of yearsí time and this is important because the innovation with something as big as a satellite navigation system doesnít happen very quickly. These satellites last a bit over 10 years and they have to be replaced over 10 years, and it takes a long time to develop them. So, if you want to make a modification to how the system works, you basically have to start thinking about this 15 years into the future. By that time, there may be a lot of applications that rely on these signals. The signals at the moment are not designed really for security applications.
Dominic - And how could we go about making this more secure? Would it involve people going out and buying new satnav units and replacing satellites?
Markus - So, there are already a couple of techniques that can be used today, but they are mostly used in military systems. You can have not just a single antenna, but you can have several antennas in your GPS receiver and that allows you also to find out for which direction the signals come. If there is someone trying to jam you or trying to confuse you with a spoof, fake, signal you just ignore them and you stick to the directions where you expect the signal to come from the satellites. That isnít really practical in consumer electronics where everything has to be very cheap. You donít have space for more than one antenna in your smartphone and it would be expensive to fit 8 separate antennas around your car. So, what weíre looking at is adding additional information to next generation satellite signals and at the moment, these signals are highly predictable. One technique is that you create a little bit of unpredictability. You send out data that changes randomly and then you can use technologies like digital signatures to verify that this unpredictable data was indeed correct, and also that it arrived exactly at the time at which you expected it. One difficulty with satellite navigation signals is they consist of two things. They consist of data thatís being broadcast about where the satellites are at the moment, and you can use cryptography, digital signatures, in order to protect that data, such that it can't easily be faked. However, in navigation signals, you also have to authenticate the very precise arrival time of the signal. So, you have to get right within a few nanoseconds, when did the signal arrive? And itís possible to build spoofing devices that take the original satellite signal and delay it by a random amount and shift you elsewhere. Itís rather difficult to prevent that sort of technique. There is one suggested technique that makes use of a property of the existing GPS satellite system, namely that if you donít know what the signal looks like, you can't actually receive it. The satellite signal is extremely weak. Itís basically a light bulb worth of transmitter power at 25,000 kilometre altitude and the only way you can receive that signal is by knowing at once what it is. And then you use statistical test to confirm, ďYes, I have actually found the signal where I expected it.Ē If you designed the signal such that you donít tell people in advance what it looks like, you just send out a random signal. No one can receive it. Then a couple of seconds later, you reveal what was the signal that you broadcast and then everyone can go back in their recorded data and search for it and find it. Then what a spoofer who modifies a signal that comes down from the satellite only can do is they would have to delay that signal by a couple of seconds. And with delay of a couple of seconds, you can easily detect by just having a local clock that say, once a week you re-synchronise over the internet. So, thatís one of the 2 or 3 different approaches that are at the moment, being discussed what can go into next generation GPS satellite system. And itís not just GPS: Europe is at the moment launching a system. The Russians have already a system. There's a Chinese system under deployment, so weíll soon have 3 or 4 different operational constellations of satellites.
Dominic - So, in the future, the key to making these systems secure will be to make them unpredictable so that you can't synthesis these signals. Thanks, Markus. That was Markus Kuhn from the computer laboratory at the University of Cambridge.