Professor fools $80M superyacht’s GPS receiver on the high seas

One of the world’s foremost academic experts in GPS spoofing—University of Texas assistant professor Todd Humphreys—released a short video on Monday showing how he and his students deceived the GPS equipment aboard an expensive superyacht.

Humphreys conducted the test in the Ionian Sea in late June 2013 and early July 2013 with the full consent of the “White Rose of Drachs” yacht captain. His work shows just how vulnerable and relatively easy it is to send out a false GPS signal and trick the on-board receiver into believing it.

“What we did was out in the open. It was against a live vehicle, a vessel—an $80 million superyacht, controlling it with a $2,000 box,” he told Ars. “This is unprecedented. This has never been shown in this kind of demonstration. That’s what's so sinister about the attack that we did. There were no alarms on the bridge. The GPS receiver showed a strong signal the whole time. You just need to have approximate line of sight visibility. Let’s say you had an unmanned drone. You could do it from 20 to 30 kilometers away, or on the ocean you could do two to three kilometers.”

In this case, Humphreys' student sent out the spoofed signal from onboard the ship itself. All GPS signals are sent from satellites to Earth without any authentication or encryption. So Humphreys is using a small software radio device to essentially fool the on-board receiver into listening to his fake signal, rather than the authentic one. GPS, in its civilian form, is provided for free, globally, by the American military GPS Directorate. The agency did not immediately respond to Ars’ request for comment.

We be jammin'

Humphreys has warned against the possibility of such attacks for some time now. He even demonstrated at last year’s South by Southwest conference that GPS on board a flying drone could be spoofed too. In October 2012, a Carnegie Mellon team also showed how to exploit existing software bugs to disrupt a GPS receiver rather than simply feed it false information.

“We’re only overpowering by two to three times [what the GPS satellite should produce]. You can’t tell with a signal to noise or jamming to noise detector—it’s very quiet,” Humphreys added. He noted that traditional jammers overpower a bona fide signal by orders of magnitude. “We spent an extra year or two to make sure our signals were aligned [exactly with what the receiver would see]. You might be seeing 10 of them at any given moment. We receive those signals too, and we generate signals that aren’t just perfect replicas, but they're perfectly aligned—it makes the takeover perfectly seamless. There isn’t even a hiccup.”

Humphreys said he could use this same technique on a GLONASS or Galileo navigation system. So what would a worst-case scenario look like for a malicious attack? The Texas professor writes, in an as-yet-unpublished report:

What would a spoofing attack look like in practice? Suppose the spoofer's goal is to run the target vessel aground on a shallow underwater hazard. After taking control of the ship's GPS unit, the spoofer induces a false trajectory that slowly deviates from the ship's desired trajectory. As cross-track error accumulates, the ship's autopilot or officer of the watch maneuvers the ship back into apparent alignment with the desired trajectory. In reality, however, the ship is now off course. After several such maneuvers, the spoofer has forced the ship onto a parallel track hundreds of meters from its intended one. Now as the ship moves into shallow waters, the ECDIS display and the down-looking depth sounder may indicate plenty of clearance under the keel when in truth a dangerous shoal lies just underwater dead ahead. Maybe the officer of the watch will notice the strange offset between the radar overlay and the underlying electronic charts. Maybe, thinking quickly, he will reason that the radar data are more trustworthy than the ship's GPS-derived position icon displayed on the ECDIS. And maybe he will have the presence of mind to deduce the ship's true location from the radar data, recognize the looming danger, and swing clear of the shoal to avert disaster. Or maybe not.

18th century technology to the rescue?

In another as-yet-unpublished paper, Humphreys has written about how to counter his attack vector.

“The most effective defenses that we’ve found are the most costly and the least practical,” he told Ars. “[You’d need to add] digital signatures that would introduce unpredictable features that would make it challenging for a spoofer. It wouldn’t require any new hardware, but it would require some change to the message that they’re sending out, so you can include digital signatures. Unpredictability is the key. Conceptually, it’s fairly straightforward.”

Humphreys also said that for now, it’s hard for a boat captain to know if he or she is being spoofed while at sea.

“There’s not much they can do out in open ocean, at that point, only GPS is available to them,” he said. “Nobody knows how to use a sextant, and the US discontinued the LORAN system two years ago.”

However, eLORAN, a longwave radio, wave-based system, is currently being tested in the United Kingdom—it would not be vulnerable to such signal spoofing.