Is Russia really rigging GPS signals?
Image credit: Getty images, Image source, Rex features
More than 20 years after the first Global Navigation Satellite System became fully operational, incidents in Russia seem to confirm that the most-used network, the USA’s GPS system, can be spoofed. Given the heavy reliance on GPS by transport, energy networks and even banks, many experts now believe we need systems to combat this interference.
Something curious happened at last year’s Black Sea Tall Ships Regatta. As the international racing fleet sailed past the coast of Russia near Sochi, some of the ships began to notice that their GPS satellite navigation systems were starting to jump in strange ways. “They were giving spurious positions,” explained race director Paul Bishop, “so positions were moving 50 miles in relatively quick succession, making the [data] coming through completely inaccurate.”
Some of the ships’ GPS units placed their location temporarily near Sochi airport, which lies a few kilometres inland.
“It was certainly very curious, but we haven’t had a problem since so hopefully it was a one-off,” said Bishop.
It wasn’t. In June this year, the US Maritime Administration issued a safety alert showing that more than 20 ships had witnessed similar phenomena with their satellite navigation systems while sailing in the same waters.
A vessel reported to the US Coast Guard that its GPS equipment had intermittently been unable to obtain signals since nearing the coast of Novorossiysk, Russia. The ship’s master then discovered his GPS put him in the wrong place – 25 miles inland, at Gelendzhik airport.
The Coast Guard tested GPS signals to make sure nothing untoward was happening; the ship’s master was instructed to check the software updates on his equipment, which he did and confirmed it was working properly. However, he then startled the Coast Guard by telling him that more than 20 other ships in the area had the same problem, with their GPS sending them all to the airport.
A photo of the ship’s GPS information screen convinced navigation experts to conclude this was a fairly clear case of ‘spoofing’. “The nature of the incident is reported as GPS interference. Exercise caution when transiting this area,” the US Maritime Administration said on its website.
The Tall Ships incident was not officially logged, but the one in June 2017 was evidence that Russia has the capability to cause GPS systems to give false readings.
It’s not surprising, then, that there has been speculation as to possible GPS signal interference when the American naval ship USS John S McCain crashed with an oil tanker in the South China Seas in August. It was the second accident involving a large US naval ship in as many months in the same region, the first being the USS Fitzgerald. Seventeen US sailors were killed in the two incidents. The US military has said it is looking into whether the McCain’s computer systems were compromised.
The USS McCain would have used the military GPS, which is separate from the civilian one and much more protected, but what if the oil tanker’s GPS system had been hacked?
“The collision was with a commercial vessel that would have been a great deal more vulnerable,” says Professor David Last, former president of the Royal Institute of Navigation, and one of the world’s leading experts on the subject.
It is unlikely that in the two Black Sea disruptions, Russia was deliberately interfering with GPS. Russian sailors took part in the Tall Ships race and Russian President Vladimir Putin attended the award ceremony.
The fact that in both cases the GPS location showed up as an airport seems to point to something else – Russia has developed its cyber-warfare capacity to cause GPS satellite navigation systems to lie, perhaps to protect its airports from enemy drone and missile attacks.
Indeed, in 2016 Muscovites and foreign journalists began to notice that when they drove around the Kremlin their GPS devices showed their position as Vnukovo airport, around 30 miles away. Experts believe the phenomenon is caused by a Russian secret-services signal intended to disorient devices near the capitol building that navigate via GPS, most likely to protect the Kremlin.
For a long time, western experts thought it would be too complex and expensive for a hacker to build a transmitter capable of interfering with GPS so it could emit false positioning, navigation and timing signals, and that such technology was the domain of thriller writers.
Indeed, the 1997 James Bond film ‘Tomorrow Never Dies’, features a pathological media mogul who hires a cyber terrorist to trick a British frigate into straying into the South China Sea in order to provoke a war between the UK and China.
GPS depends on a network of satellites orbiting the Earth at an altitude of 20,000km. At least four GPS satellites are ‘visible’ at any one time, wherever you are.
Each satellite transmits information about its position and the current time at regular intervals. These signals, travelling at the speed of light, are intercepted by a GPS receiver – such as a ship’s navigation system or a mobile phone – which uses the differential time signals to calculate how far away at least three satellites are, and from this to pinpoint the location using a process of trilateration.
The GPS signal jammer works by sending out its own signal on the same frequency as the GPS unit, a noisy signal that prevents it from receiving or transmitting any useful information, either in bursts of sound or a continuous wave.
One of the system’s drawbacks is the weakness of the signals. “GPS satellites are powered by solar panels as you would expect,” says Dana Goward, president of the US Resilient Navigation and Timing Foundation. “Most satellites store the energy and pulse out transmissions. GPS satellites have to transmit all the time, so the net result is the cosmic hum going on all around space is louder than GPS signals,” he explains.
By the time these signals reach the Earth, they are even fainter. It is then relatively simple to drown them out by emitting a loud noise on the same frequency.
GPS jammers can be bought on the internet and range in size from that of a small cigarette lighter to a suitcase, with a range of a couple of metres to a couple of hundred. You can buy combination jammers that also block mobile phones, all for a few hundred dollars. Customers for these devices are drivers seeking to shut off their employer’s GPS tracker from their vehicle, car thieves and other criminals.
“If you set up a review by a motorway you will get up to 200 hits a month of passing vehicles carrying jammers,” says Last, who is frequently called to be an expert witness in such criminal cases. “It is the same in Europe and the US.”
Although it is not illegal to own such a device in the UK, it is illegal to sell one or to use one. The reason is that they rarely just jam the GPS device required, but can block signals to other GPS users around, endangering the public.
The fact that GPS jammers can be bought openly on the internet shows that most countries are prepared to live with the problem.
A ship’s master or an aeroplane pilot would know immediately if the GPS signal was being jammed as the system would simply stop working or show a position way too far off to be credible, and alternative navigation methods would be used. GPS spoofing, however, is more insidious and far more dangerous.
“One of the dangers of spoofing, for example, is not just going off course but – for ships – crashing into water-borne obstacles,” says Vlad Gostomelskly, managing consultant with Spirent Communications, which makes counter-jammers. Being tricked off course for just a few metres could cause a ship to run aground or puncture its hull, or run into the arms of waiting pirates.
The first person to show how to spoof GPS was Professor Todd Humphreys, an associate professor at The University of Texas’s Aerospace Engineering and Engineering Mechanics department.
In 2012, with a group of brilliant students, he successfully hacked the GPS of a flying drone, steering it around a kilometre off course using a GPS spoofing device they made themselves that cost about $1,000.
Humphreys later successfully sent a luxury yacht off course in the waters of southern Italy, but the expertise to make the technology was so great that no one really expected it to be replicated.
Three years later at the 2015 DefCon hackers’ conference in Las Vegas, Lin Huang and Qing Yan, two young Chinese electronics engineers working for Chinese internet search company Qihoo 360, showed they could spoof GPS using a software-designed radio costing just a few hundred dollars and find the software on the internet, the links to which can still be accessed today.
“Now we had a way accessible to the upper reaches of the hacker community at the very least,” says Last.
Spoofing works like this. In any Global Navigation Satellite System (GNSS) signal, there is a peak inside that corresponds to the authentic positioning and timing signals with tracking points.
If you send a false signal, make a false peak, and then align the two, the tracking points can’t tell the difference and get hijacked by the stronger counterfeit signal and can be sent off course without the captains, pilots, control towers or ships’ masters even realising it.
“If the spoofer signals are stronger than the real signals at receiver end, the receiver locks on to your spoofer and not the satellite,” Last explains.
Goward points out that the Kremlin announced in 2016 it had equipped over 250,000 cell towers with GPS phone-jamming devices as a defence against attack by US missiles, which usually rely on satellite navigation.
“Moscow has been very open about its ability to frustrate US and other forces by disrupting GPS,” he says.
For more than a year now, Russia has been deploying its 1RL257 Krasukha-4 ground-based electronic warfare system on the battlefields of Syria.
When US fighter planes bomb, a list of GPS coordinates of ‘red flag’ targets such as hospitals and schools are checked against those of the operations target, such as an ammunition dump. When pilots are given new targets mid-flight, reconnaissance aircraft transmit the GPS coordinates. It is these signals that are disrupted by the Krashuka-4.
The Organisation for Security and Co-operation in Europe, an international conflict-monitoring group, has reported on several occasions that its drones watching the conflict in eastern Ukraine have been “subject to military-grade GPS jamming”, forcing monitors to scrap missions observing the war below.
The result of Russia’s advances in cyber-warfare and technologies for hacking GPS has given new impetus to develop a ‘bullet-proof vest’ for GPS navigations, says Goward, eliminating its potential to be a single point of failure for critical infrastructure.
As well as the prospect of some malevolent force sending ships crashing in the English Channel, according to a recent report by London Economics, the economic impact on the UK through loss of GNSS for five days would be £5.2bn through direct and indirect channels.
One solution is the eLoran terrestrial navigation system, which operates regionally within an 800-mile radius.
Developed from the Loran navigation systems that go back to the Second World War, using terrestrial transmitters and operating on a low-frequency radio band, eLoran can provide alternative position and timing signals for navigation. eLoran systems can now provide accuracies of between eight and ten metres. Its ±100 nanosecond accuracy at the receiver antenna underscores its unique timing ability, making it equal to GPS or certain atomic clocks.
“eLoran is the opposite in technology but is compatible in use to GPS. You can switch from one to the other seamlessly,” says Last.
While eLoran doesn’t provide altitude data and only works regionally within a range of 800 miles, its powerful low-frequency signals are far less susceptible to jamming or spoofing. The signal from eLoran beacons is 1.3 million times stronger than GPS.
The US dropped its old Loran systems in 1994 when GPS became fully operational, turning off the last transmitter in 2010, but there are now moves in Congress to again develop an eLoran back-up system, which already had support from the previous two US administrations, but has faced obstacles in Congress.
Russia is aiming to establish its own version of eLoran, called eChayka, and South Korea – which has long suffered from GPS jamming – is also developing its own system.
In Europe, a British-led initiative to establish an eLoran system that had already been tried and tested was pulled in 2016 after failing to garner interest from other European countries, which shut down their transmitters. The UK still has one transmitter in Cumbria but eLoran needed those in France, Norway and Denmark as well. They were all shut down.
One of the problems has been the EU’s emphasis on developing its own GNSS, Galileo. “If you jam frequency bands, you jam all the GNSS systems. It is good to have extra ones, but the idea that Galileo can take over when GPS is jammed or spoofed is from cloud cuckoo land,” says Last.
George Shaw, principal development engineer with the General Lighthouse Authority, which was behind the e-Loran project, says there are also moves to establish common standards with Russia.
Russia is keen to develop the Arctic Sea route for shipping, so compatible systems would make sense for trade.
Pressure is also coming from makers of driverless cars. Next year, Norway plans to launch the world’s first ship with no crew.
All financial transactions rely on GPS at the moment for precision timing required by regulators. Substantial damage could be done in a covert cyber-war to the enemy’s economy, without a shot being fired.
The Jamming Spires of Tallinn
By Vitali Vitaliev
“Glushit’ uzhe pozdno” – “Too late to jam” – is the ongoing call-sign of Radio Liberty’s Russian Service, ‘Radio Svoboda’. It is a Prague-based radio station financed by the US government, whose impartial and high-quality radio journalism played a crucial role in the collapse of the USSR.
We, the station’s loyal Soviet listeners, knew only too well that to be able to tune to its heavily jammed – and therefore obviously trustworthy – broadcasts, we had to be fiddling with our short-wave radios at 4am, when the multiple Soviet jamming devices were somewhat less effective. Little did I know then that many years later I myself would be part of Radio Svoboda’s broadcasts as the radio station’s first Australian correspondent.
Much later, I discovered the technological reasons for that short-lasting early-morning relief in jamming. In trying to silence Radio Liberty, the BBC Russian Service, Deutsche Welle, Voice of America and other hostile ‘anti-Soviet’ broadcasts, the USSR used three main types of jamming: electronically generated noise signals, interference (whereby Soviet radio programmes were transmitted on the same frequencies) and the so-called speech-resembling signal. The last two methods would tend to ‘calm down’ a bit during the night, and millions of sleepless Soviet listeners were able to discern the crackling voices of their trusted radio journalists.
Our logic was simple: if the Kremlin was trying to silence all those distant foreign voices, that meant they were telling the truth.
It was only in late 1988, with the advent of glasnost, the Soviet Union stopped jamming Radio Liberty’s and other foreign radio stations’ Russian-language broadcasts.
Yet, jamming of western TV programmes, accessible in some Soviet border areas, continued until late 1991, right up to the USSR’s final collapse. Tallinn, the capital of Estonia – formerly one of the 15 constituent republics of the Soviet Union – with its close proximity to Finland and its capital Helsinki, continued to remain the Soviets’ main jamming hub.
No visitor to Tallinn who would bother to climb up the Toompea Hill for an impressive view of the Old Town and the bay could be spared the sight of two huge radio masts, dominating the cityscape. Everybody knew their main purpose was to send out waves of fuzz on the same frequencies as Finnish and Swedish TV broadcasts, to which many Tallinn residents had clandestinely tuned with the help of crude homemade receivers. The strength of jamming was such that it affected the quality of the official Soviet broadcasts from Moscow. I could testify to that myself after a short stay with distant relatives, who resided in Tallinn’s main street – Parnu Maantee – in 1966. Due to constant thick fuzz on their TV screen, the normally clear territory of the USSR picture of the official daily news programme from Moscow appeared blurred and jumpy, which somehow made it much more trustworthy in our eyes.
My relatives said they were used to the constant interference, caused by two giant jamming towers less than a mile away from their block of flats. Later I learned that so strong was the jamming, it often affected the reception of TV programmes in Finland itself.
Used as they were to the constant presence of the two eyesores in the cityscape, very few residents of Tallinn knew that, in actual fact, there were not two towers, but three, with the third and the most powerful one hidden inside the spire of Tallinn’s tallest and oldest church, St Olaf’s (or Oleviste Kirik in Estonian). When the church was first built in the 12th century, it was officially the world’s tallest structure. The Soviets took it over in 1944, showing little concern for Estonian history and religious values.
The jamming towers are now long gone, and one has a much better view of Tallinn’s beautiful Old Town from the vantage point of the Toompea Hill. The spire of St Olaf’s Church, the city’s tallest structure, still looms above the capital of free independent Estonia. It is good to know that nothing sinister is hidden inside it any longer.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.