GPS vulnerability to hacking
'At the next left, you have arrived at the wrong destination.' How vulnerable are we to the loss of GPS signals, and how can we reduce the risk from natural or malicious jamming?
In January 2007 Captain Matthew Blizard, Commander of the US Coast Guard Centre of Excellence for Navigation (NAVCEN), reported the loss of GPS signals in the Port of San Diego. Not only had the navigation equipment for general aviation stopped working but local telephone switches and cellular phone operations were disrupted, and the hospital's mobile paging system went down.
It took Blizard and his colleagues three days to pinpoint the source – a two-hour US Navy training exercise in communications jamming between two ships in the area. When the Navy technicians found problems with the GPS systems on the ship under attack, they stopped the exercise but didn't report the incident beyond their usual channels. No one told the GPS Operations Centre in Colorado (GPSOC) or NAVCEN about the exercise because the jamming was not meant to be in the GPS L-band.
A GPS jamming attack on the ship THV Galatea two years later off Newcastle-upon-Tyne showed some of the more subtle effects of jamming. Under low-power jamming, at about the same level as the real GPS signal, the ship's GPS-driven bridge instruments showed plausible but wrong positions and velocities. No alarms went off to indicate a malfunction. As the jammer power was turned up, all the GPS-fed systems failed, including the electronic chart display, the autopilot, the maritime distress safety system, the radar, the gyro-compass and the Automatic Identification System, according to the General Lighthouse Authority, which conducted the trial.
If the Royal Academy of Engineering's recent headline-grabbing report 'Global Navigation Space Systems: reliance and vulnerabilities' is anything to go by, such scenarios are becoming more likely because of the availability of cheap GPS jammers. A £40, 10mW device bought off the Internet, for instance, could stop a handheld receiver anything up to 10km away from acquiring a GPS lock. In the US, for example, one truck driver who didn't want his bosses knowing where he was used a jammer in his cab and caused daily interruptions to a GPS navigation system used by Newark airport in New Jersey.
One sign that the RAE's concerns are well founded is that the MoD has this year opened up its GPS jamming trials, which are usually for navigational warfare tests, to academia and industry. QinetiQ will be providing systems to generate a variety of signals for the sessions, which will take place in Sennybridge in the Brecon Beacons, Wales, between May and June.
'We need the hilly terrain so we can keep the jamming signals low. By putting the jammers close to the antennas, we can even operate in two or three different areas at the same time down in a valley,' QinetiQ's business manager Peter Soar told a meeting in March about GNSS vulnerabilities at the UK's National Physical Laboratory.
Reflecting US government concerns about the economic impact of the disruption or loss of GPS signals, the US Department of Homeland Security has just surveyed 15 critical infrastructure sectors and found GPS was essential to 11 of them, although it took many months to reach that conclusion, according to James Calverly, the Department of Homeland Security's director of outreach.
Position and time
GPS signals are used extensively as an accurate timing source (see 'GNSS in brief', below), which was why telecoms and paging networks were affected by the San Diego Port incident. During the 2007 JAMFEST trial held at America's White Sands Missile Range, a series of 30-minute tests on GPS-disciplined quartz and rubidium oscillators showed all of them would have drifted outside the 1x10^-11 frequency offset requirements of the Stratum 1 clocks used to synchronise telecommunications systems in less than an hour, under every jamming scenario.
Power distribution networks, banking and financial trading systems, broadcasting and industrial-control networks all use GPS timing in this way too, making them equally vulnerable to unintentional or deliberate (the civilian equivalent of navigational warfare) interference.
'The financial markets, for instance, rely on a globally synchronised time-stamping mechanism to ensure fair trading,' explains the RAE report's author, Dr Martyn Thomas. 'Trading systems might be detecting very small differences in prices between commodities on different exchanges and buying in high volume on one and selling on the other. Since lots of people are in competition trading on different continents, for these activities to work you need to know whose order is getting in first.'
For these reasons, efforts are underway to encourage the use of back-up timing sources and to put in place ways of detecting, locating and mitigating sources of interference.
The 100kHz terrestrial radio navigation system eLoran (see 'eLoran', below) is a strong contender in the UK and Europe as a systemic timing back-up, according to Dr Sally Basker, president of the International Loran Association. 'GPS is low-power, high-frequency, whereas eLoran is the reverse, which means you get very different failure mechanisms.'
Across the pond, America has just closed down its Loran-C network, which had been used for marine navigation, with no published plans to upgrade it to eLoran.
'If the US does decide to deploy eLoran, it had better get on with it because it has only got a few more months before the federal government sells off the transmitter sites,' says Basker. If Calverly's views reflect US policy, it's not clear that the US government thinks that providing a back-up timing source for a system that was never intended for commercial applications is its responsibility.
Back in the UK, the Technology Strategy Board has funded two related projects, called Gaardian and Sentinel, which use eLoran as part of a terrestrial sensor network for detecting interference to GNSS signals. Timing specialist Chronos Technology is running both projects with the National Physical Laboratory, the General Lighthouse Authority, Ordnance Survey, and the University of Bath as common partners.
The Gaardian project developed the basic capability. The follow-on Sentinel project, which adds the Association of Chief Police Officers, the UK Space Agency, and Thatcham Vehicle Security as partners, will look at how the capability can be delivered to users such as law-enforcement agencies, emergency services, communications networks, the military, and the transport network.
'The vision is to have clusters of probes around critical infrastructure such as harbours, airports and so on,' explains Charles Curry, managing director of Chronos Technology. 'If the system detects an anomalous condition, such that a signal has gone out of standard deviation limits, users can be alerted to the problem in real time and investigate it. We have adaptive thresholds so we can personalise them to the probe's location.'
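The adaptive, per-location alerting described above, sketched as an added example (not code from Chronos, Gaardian or Sentinel). It assumes the monitored quantity is carrier-to-noise density (C/N0); the probe names, window sizes, thresholds and sample values are all constructed for illustration.

```python
from collections import deque
from statistics import mean, stdev


class ProbeMonitor:
    """Per-probe adaptive threshold on a signal metric (assumed: C/N0 in dB-Hz)."""

    def __init__(self, window=60, k=4.0, min_sigma=0.5, warmup=20):
        self.baseline = deque(maxlen=window)  # recent *normal* samples only
        self.k = k                  # alert beyond k standard deviations
        self.min_sigma = min_sigma  # floor so a very quiet site does not alert on noise
        self.warmup = warmup        # samples collected before judging anything

    def update(self, value):
        """Return (is_anomalous, z_score) for one new sample."""
        if len(self.baseline) < self.warmup:
            self.baseline.append(value)
            return False, 0.0
        mu = mean(self.baseline)
        sigma = max(stdev(self.baseline), self.min_sigma)
        z = (value - mu) / sigma
        anomalous = abs(z) > self.k
        if not anomalous:
            # Only normal samples feed the baseline, so sustained interference
            # cannot drag the threshold down and silence its own alert.
            self.baseline.append(value)
        return anomalous, z


def scan(samples_by_probe, **kwargs):
    """Run one monitor per probe; return {probe: [indices of anomalous samples]}."""
    alerts = {}
    for probe, samples in samples_by_probe.items():
        mon = ProbeMonitor(**kwargs)
        alerts[probe] = [i for i, v in enumerate(samples) if mon.update(v)[0]]
    return alerts


def _series(base, wobble, n):
    """Deterministic stand-in for normal site-specific variation."""
    return [base + wobble * (((i * 7) % 5) - 2) / 2 for i in range(n)]


# Constructed data, one value per second. The harbour probe is in a noisier
# RF environment than the airport probe, so its learned limits are wider.
SAMPLES = {
    "harbour": _series(42.0, 2.0, 40) + [41.0, 30.0, 29.0, 28.5, 41.5],
    "airport": _series(45.0, 0.4, 40) + [45.0, 42.0, 41.5, 45.1, 44.9],
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

With this data a 3dB drop raises an alert at the quiet airport probe but not at the noisier harbour probe, which is the point of tuning the limits to each location.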
Stuart Eves, director of the Security and Resilience Unit at the new International Space Innovation Centre (ISIC) in Harwell, Oxfordshire, is working with partners Astrium Geo Information Services and Logica to find out whether it is possible to detect GPS interference by intercepting GPS signals with earth observation satellites. Eves has been seconded from Surrey Satellite Technology, which uses GPS to navigate its spacecraft and has been experimenting with other space-based GPS applications.
GPS data reflected from the Earth's surface can, for instance, be detected by satellite and used to map changes in soil moisture because signals peak over rivers and boggy ground. This information is of interest to the military for assessing terrain, but Eves says the same approach could help locate jammers in places where terrestrial monitoring systems are unavailable, for example when UK forces are deployed overseas.
Another idea involves analysing variations in GPS signals as they are refracted through the troposphere (or just the ionosphere). Such changes can be used to recover temperature, pressure, and humidity data but they may also indicate signal interference. 'We are thinking of an alternative weather service but, potentially, this also offers a way to supplement the GPS terrestrial monitoring system. If variations are detected, we can use Earth-observation satellites to ascertain whether it's a man-made interference or some natural phenomenon,' says Eves.
Of course, until there is a major GPS outage, we may not know the extent of our dependency on GPS. Space weather events such as sunspots and solar flares may do the job for us, says Bob Cockshott, location and timing programme director of the UK Technology Strategy Board's Digital Systems Knowledge Transfer Network. 'In 1859 a solar flare known as the Carrington Event electrified transmission cables and set fire to telegraph offices,' he explains. 'That was the limit of the technology then. We don't know enough to be able to predict such events or their effects now.'
Calverly has another idea. 'The RAE study suggests switching off the GPS system for a couple of hours. I suggest we turn it off for two days and see who screams.'
GNSS in brief
Global Navigation Satellite Systems (GNSS) such as GPS, Galileo and GLONASS transmit weak coded signals (less than 100W sent from around 20,000km away) from which position, navigation, and timing services are derived by measuring the time it takes for them to travel to the receiver.
GNSS has also become the main way of receiving Coordinated Universal Time (UTC) because every signal from each satellite includes time of transmission, derived from multiple atomic clocks. It provides time with an accuracy of between 5ns and 100ns and is widely used as a time source by electricity distribution companies, the fixed and mobile telecommunications networks, banking, financial trading and broadcasting.
The navigation signal gives the satellite ID together with information such as time of transmission, range accuracy, clock correction coefficients and orbital ephemeris [position data] to allow the receiver to calculate the satellite position.
A receiver should be able to 'see' at least four satellites to determine position and time. The positional accuracy of GPS is around 5 to 10m. Timing applications can function with a single satellite, although two are preferred for verification.
All the GNSS constellations operate on similar frequencies, ranging from a little below 1200MHz to around 1600MHz. GPS, the most widely used, has three carrier frequencies: L1 at 1575.42MHz, L2 at 1227.6MHz, and L5 at 1176.45MHz.
By the time GNSS signals reach the surface, their strength may be as low as -160dBW (1x10^-16 watts), with a spectrum spread out below the noise floor in the receivers.
Interference with this low signal strength can easily defeat signal recovery or overload the receiver circuitry, resulting in loss of the positioning and timing service, poorer accuracy, and believable data that is dangerously wrong in safety-critical applications.
(Source: 'Global Navigation Space Systems: reliance and vulnerabilities', Royal Academy of Engineering, 2011)
Jamming, spoofing, and meaconing
There are three forms of deliberate interference with GNSS signals: jamming, sending false signals (known as spoofing) and delaying and re-broadcasting the signal (meaconing).
Jamming is the most common, the crudest form being transmitting a noise signal across one or more of the GNSS frequencies to raise the noise level or overload the receiver circuitry and cause a loss of lock.
Commercial jammers, which might be used by car thieves, those keen to avoid road tolls, and commercial drivers not wanting to be tracked by their bosses, have become increasingly sophisticated. Most will block GPS, GLONASS and Galileo, and others will jam all cellphone frequencies as well, using multiple antennas.
Noise jamming can be partially overcome by adaptive antennas and noise filtering in well-designed receivers, but some jammers are now transmitting GNSS codes rather than noise, to bypass the filters.
More sophisticated jamming may be targeted at a specific aspect of critical infrastructure, such as timing systems or a perceived threat of covert tracking. The former will be indiscriminate, more likely to be high power and may occur at a number of locations at once. The latter will be low power and have a similar impact to criminal jamming unless used for any length of time near infrastructure that uses GPS timing – such as a TETRA base station.
(Source: 'Global Navigation Space Systems: reliance and vulnerabilities', Royal Academy of Engineering, 2011)
eLoran
eLoran is a terrestrial radio navigation system that relies on signals from several 100kHz radio transmitters to determine the location and speed of the receiver. In Europe, there are nine eLoran transmitters: four in Norway, one on the Faroe Islands, two in France, one in Germany and one in the UK.
eLoran has a data channel carrying messages that receivers use to identify the timing of each pulse from each station. Other messages on this channel also correct for the small variations caused by propagation delays. Employing them allows absolute UTC time to be recovered with an accuracy of 50ns. Thus an eLoran timing receiver can serve as a reference clock, a primary source of time, or as an alternative to GNSS; combined GNSS-Loran timing receivers are available commercially.