GPS vulnerability to hacking

'At the next left, you have arrived at the wrong destination.' How vulnerable are we to the loss of GPS signals, and how can we reduce the risk from natural or malicious jamming?

In January 2007 Captain Matthew Blizard, Commander of the US Coast Guard Centre of Excellence for Navigation (NAVCEN), reported the loss of GPS signals in the Port of San Diego. Not only had the navigation equipment for general aviation stopped working but local telephone switches and cellular phone operations were disrupted, and the hospital's mobile paging system went down.

It took Blizard and his colleagues three days to pinpoint the source – a two-hour US Navy training exercise in communications jamming between two ships in the area. When the Navy technicians found problems with the GPS systems on the ship under attack, they stopped the exercise but didn't report the incident beyond their usual channels. No one told the GPS Operations Centre in Colorado (GPSOC) or NAVCEN about the exercise because the jamming was not meant to be in the GPS L-band.

A GPS jamming attack on the ship THV Galatea two years later off Newcastle-upon-Tyne showed some of the more subtle effects of jamming. Under low-power jamming, at about the same level as the real GPS signal, the ship's GPS-driven bridge instruments showed plausible but wrong positions and velocities. No alarms went off to indicate a malfunction. As the jammer power was turned up, all the GPS-fed systems failed including the electronic chart display, the autopilot, the maritime distress safety system, the radar, the gyro-compass and the Automatic Identification System, according to the General Lighthouse Authority who conducted the trial.


If the Royal Academy of Engineering's recent headline-grabbing report 'Global Navigation Space Systems: reliance and vulnerabilities' is anything to go by, such scenarios are becoming more likely because of the availability of cheap GPS jammers. A £40, 10mW device bought off the Internet, for instance, could stop a handheld receiver anything up to 10km away from acquiring a GPS lock. In the US, for example, one truck driver who didn't want his bosses knowing where he was used a jammer in his cab and caused daily interruptions to a GPS navigation system used by Newark airport in New Jersey.

One sign that the RAE's concerns are well founded is that the MoD has this year opened up its GPS jamming trials, which are usually for navigational warfare tests, to academia and industry. QinetiQ will be providing systems to generate a variety of signals for the sessions, which will take place in Sennybridge in the Brecon Beacons, Wales, between May and June.

'We need the hilly terrain so we can keep the jamming signals low. By putting the jammers close to the antennas, we can even operate in two or three different areas at the same time down in a valley,' QinetiQ's business manager Peter Soar told a meeting in March about GNSS vulnerabilities at the UK's National Physical Laboratory.

Reflecting US government concerns about the economic impact of the disruption or loss of GPS signals, the US Department of Homeland Security has just surveyed 15 critical infrastructure sectors and found GPS was essential to 11 of them, although it took many months to reach that conclusion, according to James Calverly, the Department of Homeland Security's director of outreach.

Position and time

GPS signals are used extensively as an accurate timing source (see 'GNSS in brief', below), which was why telecoms and paging networks were affected by the San Diego Port incident. During the 2007 JAMFEST trial held at America's White Sands Missile Range, a series of 30-minute tests on GPS-disciplined quartz and rubidium oscillators showed all of them would have drifted outside the 1x10-11 frequency offset requirements of the Stratum 1 clocks used to synchronise telecommunications systems in less than an hour, under every jamming scenario.

Power distribution networks, banking and financial trading systems, broadcasting and industrial-control networks all use GPS timing in this way too, making them equally vulnerable to unintentional or deliberate (the civilian equivalent of navigational warfare) interference.

'The financial markets, for instance, rely on a globally synchronised time-stamping mechanism to ensure fair trading,' explains the RAE report's author, Dr Martyn Thomas. 'Trading systems might be detecting very small differences in prices between commodities on different exchanges and buying in high volume on one and selling on the other. Since lots of people are in competition trading on different continents, for these activities to work you need to know whose order is getting in first.'

For these reasons, efforts are underway to encourage the use of back-up timing sources and to put in place ways of detecting, locating and mitigating sources of interference.

Back-up plan

The 100kHz terrestrial radio navigation system eLoran (see 'eLoran', below) is a strong contender in the UK and Europe as a systemic timing back-up, according to Dr Sally Basker, president of the International Loran Association. 'GPS is low-power, high-frequency, whereas eLoran is the reverse, which means you get very different failure mechanisms.'

Across the pond, America has just closed down its Loran-C network, which had been used for marine navigation, with no published plans to upgrade it to eLoran.

'If the US does decide to deploy eLoran, it had better get on with it because it has only got a few more months before the federal government sells off the transmitter sites,' says Basker. If Calverly's views reflect US policy, it's not clear that the US government thinks that providing a back-up timing source for a system that was never intended for commercial applications is its responsibility.

Back in the UK, the Technology Strategy Board has funded two related projects, called Gaardian and Sentinel, which use eLoran as part of a terrestrial sensor network for detecting interference to GNSS signals. Timing specialist Chronos Technology is running both projects with the National Physical Laboratory, the General Lighthouse Authority, Ordnance Survey, and the University of Bath as common partners.

The Gaardian project developed the basic capability. The follow-on Sentinel project, which adds the Association of Chief Police Officers, the UK Space Agency, and Thatcham Vehicle Security as partners, will look at how the capability can be delivered to users such as law-enforcement agencies, emergency services, communications networks, the military, and the transport network.

'The vision is to have clusters of probes around critical infrastructure such as harbours, airports and so on,' explains Charles Curry, managing director of Chronos Technology. 'If the system detects an anomalous condition, such that a signal has gone out of standard deviation limits, users can be alerted to the problem in real time and investigate it. We have adaptive thresholds so we can personalise them to the probe's location.'

Space detection

Stuart Eves, director of the Security and Resilience Unit at the new International Space Innovation Centre (ISIC) in Harwell, Oxfordshire, is working with partners Astrium Geo Information Services and Logica to found out whether it is possible to detect GPS interference by intercepting GPS signals with earth observation satellites. Eves has been seconded from Surrey Satellite Technology, which uses GPS to navigate its spacecraft and has been experimenting with other space-based GPS applications.

GPS data reflected from the Earth's surface can, for instance, be detected by satellite and used to map changes in soil moisture because signals peak over rivers and boggy ground. This information is of interest to the military for assessing terrain, but Eves says the same approach could help locate jammers in places where terrestrial monitoring systems are unavailable, for example when UK forces are deployed overseas.

Another idea involves analysing variations in GPS signals as they are refracted through the troposphere (or just the ionosphere). Such changes can be used to recover temperature, pressure, and humidity data but they may also indicate signal interference. 'We are thinking of an alternative weather service but, potentially, this also offers a way to supplement the GPS terrestrial monitoring system. If variations are detected, we can use Earth-observation satellites to ascertain whether it's a man-made interference or some natural phenomenon,' says Eves.

Of course, until there is a major GPS outage, we may not know the extent of our dependency on GPS. Space weather events such as sunspots and solar flares may do the job for us, says Bob Cockshott, location and timing programme director of the UK Technology Strategy Board's Digital Systems Knowledge Transfer Network. 'In 1859 a solar flare known as the Carrington Event electrified transmission cables and set fire to telegraph offices,' he explains. 'That was the limit of the technology then. We don't know enough to be able to predict such events or their effects now.'

Calverly has another idea. 'The RAE study suggests switching off the GPS system for a couple of hours. I suggest we turn it off for two days and see who screams.' *

Further information

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles