What is the vulnerability of the G.P.S.?
In the cool, dark hours after midnight on June 20, 2012, Todd Humphreys made final preparations for his attack on the Global Positioning System. He stood alone in the middle of White Sands Missile Range in southern New Mexico, sixty miles north of Juárez. All around him were the glowing gypsum dunes of the Chihuahuan Desert. In the distance, the snow-capped mountains of San Andres loomed.
On a hill about a mile away, his team was gathered around a flat metal box the size of a carry-on suitcase. The electronic machinery inside the box was called a spoofer - a weapon by another name. Soon a Hornet Mini, a drone-piloted helicopter popular with law enforcement and rescue agencies, was to appear forty feet above them. Then the spoofer would be put to the test.
Humphreys, an engineering professor at the University of Texas at Austin, had been working on this spoofing technology for years, but he was nervous. That morning, a group of about 15 officials from the Federal Aviation Administration, the Department of Homeland Security and the Air Force's 746th Test Squadron witnessed the test. They were hosts to Humphreys, but they really wanted him to fail. Its success would mean a major toll for the entire G.P.S. - and, therefore, for the effectiveness of some of the main military and defense systems of the country. Drones, which rely on G.P.S. to navigate, are an increasingly indispensable part of our security apparatus. The demand for them is also increasing elsewhere. There are now more than a million recreational drones in the sky than just four years ago. Sales of commercial-grade, high-precision drones — for everything from pipeline inspection to 3D mapping — have grown more than five hundred percent over the same period.
When D.H.S. had first contacted Humphreys a few months earlier, the department was concerned about some type of G.P.S. vulnerability in particular - a system disturbance called jamming. By transmitting interference, jammers can overwhelm a G.P.S. signal and render the receiver of a drone unusable. There's no great mystery about how scrambling works, but D.H.S. approached Humphreys because he wanted to test the technology in action: would he be interested in helping with a demo?
Humphreys immediately accepted the invitation, then told officials he wanted to focus on a different, more sophisticated threat. In 2011, Iran made headlines when it successfully captured a C.I.A. drone about 100 kilometers from the border with Afghanistan. No one had been sure how the crisis had happened: jamming could disorient a drone but not support it. Humphreys suggested that Iran succeeded by spoofing the signal - not just interfering with it, but actually replacing it with a ghost G.P.S. signal. Deceived into trusting the fake system, the planes could then be commandeered and captured. "Let's try something more ambitious," Humphreys told D.H.S. He would see if he could shoot down a drone.
Humphreys, now 45, is fascinated by the world of science, which may make him look younger than he is. He is earnest and telegenic; you can imagine him hosting a PBS kids show that launches a million majors. Originally from Utah, Humphreys planned to be a patent attorney. But, as an intern at NASA's Jet Propulsion Laboratory, he listened to a NASA lawyer discuss an upcoming patent and realized he wanted to be the one who invented things, not approve inventions. “I thought, why would I want to be on his side of the table? He just takes notes,” Humphreys told me. Humphreys became interested in G.P.S. while a graduate student in engineering at Cornell. He was studying software-defined radio - the processing of radio waves by computer software, rather than traditional hardware - and began to wonder if his research could be used to build an entirely new type of G.P.S. recipient.
GPS. is owned by the Department of Defense, operated by the Air Force from a heavily secured room at a base in Colorado, and available free to anyone around the world. There are twenty-four G.P.S. satellites, in orbit at twenty thousand kilometers, each transmitting a radio signal containing a time code and a description of the exact position of the satellite. By measuring the signal transmission time, a G.P.S. receiver determines its distance from the satellite. If the receiver does this simultaneously with signals from at least four satellites in its line of sight, it can extrapolate its position in three dimensions. During the approximately sixty-seven milliseconds it takes for the signal to reach us, it becomes extremely weak. The task of receiving the signal and extracting its informational component is often compared to attempting to read using a light bulb in a different city.
The basic technology of this system has remained the same since the first G.P.S. The satellite was launched in 1977, but its uses have multiplied with astonishing speed. Although the Air Force oversees the satellites that transmit signals, once those signals are broadcast to the world, they belong to everyone. Because G.P.S. is a "passive" system - that is, it simply requires a user to receive a signal, not transmit one - it can handle infinite growth. The number of G.P.S. receivers could double tomorrow without affecting the underlying infrastructure at all. From improving maps to measuring the minute movement of tectonic plates, people have devised more ingenious uses for G.P.S. signal that the original architects of the system could never have imagined. Humphreys is one such innovator.
The test day at White Sands was the first time Humphreys' team had used the spoofer outside of the lab: because the transmission of a fake G.P.S. signal is illegal, they had never even done a full dress rehearsal. For Humphreys, who made money in college as a magician at children's parties, it was like creating a difficult trick without any practice. At around two o'clock in the morning, the Hornet appeared, hovering forty feet above the missile's range. Humphreys spoke a code word into his portable radio: "Lightning." On the hill, his students lit the spoofer. Gradually increasing its power, they aimed the false signal at the Hornet, which seemed to hesitate in the air, as if encountering an invisible obstacle. The spoofer was essentially whispering lies into the drone's ear, giving it inaccurate information about its location. Convinced it had drifted upwards, the drone attempted to correct, beginning a steep dive towards the desert floor. Just as it was about to crash to the ground, a manual operator grabbed the controls, pulling the Hornet from its dive. Humphreys' team let out a celebratory shout over the radio.
“We were the only ones cheering,” he told me recently. His hosts looked grim. When Humphreys wasted no time in publicizing the spoofer feat, they were even more upset. "I was told that I would never be invited back," he said. “They probably thought I would do a sleepy presentation in a college journal. But I was trying to communicate to the world what I thought was an alarming situation.
From the G.P.S. program began in 1973, its satellite signals have been a source of controversy. It was the brainchild of an Air Force Colonel named Bradford Parkinson, who, disillusioned with the indiscriminate air campaigns of the Vietnam War, dreamed up G.P.S. as a way to improve precision bombing accuracy. The Parkinson's research team designed two versions of the G.P.S. signal, one for civilian use and another, with stricter security protocols and more accurate readings, for the military. But when the first G.P.S. satellites were launched, it quickly became clear that the civilian signal was more accurate than its architects had anticipated. And savvy scientists found that although the informational content of the military signal is heavily encrypted, picking up the radio signal itself was not difficult. It was like gathering information on a sealed letter by looking at the seal on the envelope.
In the 1990s, the Pentagon intentionally corrupted the civilian signal - a practice known as "selective availability" - in hopes of thwarting terrorists or other bad actors who might otherwise use the signal to launch precision attacks. on US assets. But there, too, users found workarounds, and an order from President Bill Clinton, which went into effect in 2000, halted the Pentagon program. GPS. could now be used to its full potential.
Soon the civilian G.P.S. the industry was booming. By mid-decade, Garmin, a major consumer-G.P.S. company, achieved a turnover of more than 1.6 billion dollars. Motor vehicles were proliferating at an annual rate of more than one hundred and forty percent. The G.P.S. embedded boom gave way, of course, to the smartphone boom: G.P.S. was now something you always carried with you. But the explosive growth of the G.P.S. civil market also prompted attempts to corrupt the signal. Nowadays, the GPS jammer go for a few hundred dollars apiece on the internet and provide an easy way out for anyone worried about, say, a surveilling employer. A few years ago, so many truck drivers on the New Jersey Turnpike were using jammers to thwart their bosses' tracking programs that ultimately disrupted the G.P.S-based landing system. at Newark Liberty International Airport.
GPS. is now of crucial importance for reasons unrelated to geolocation. Because the G.P.S. clocks are synchronized to nanoseconds, network signals are used to unify time-dependent systems spread over large areas. GPS. the weather helps bounce calls between cell towers, regulate power flows in power grids, and timestamp financial transactions on major exchanges. If a spoofer provided erroneous information that confused the clocks in even a few nodes of these systems, the damage could be widespread: as time errors multiply, communication systems could fail, power flows poorly distributed could lead to crashes and automated trading programs. could withdraw from the markets, causing accidents. And these are just a few scenarios. We still haven't figured out exactly how to safeguard such crucial yet porous technology.
In 2001, the Department of Transportation issued a report warning that G.P.S. could become a “tempting target” for enemies of the United States. The joint study was the first official recognition that identity theft was a real and significant threat. Humphreys heard about the report at Cornell. The worst-case impersonation scenario he was describing seemed like something he could do himself - in fact, something he could do better himself.
Humphreys suspected that these first crude impersonation attempts would be easy to detect and thwart. The real threat, he thought, would come from software-defined spoofers, which would be more powerful and more subtle. Traditional receivers rely on G.P.S. chips, which makes them fast but relatively inflexible: you can only change the physical hardware. By relying instead on code, software-defined receivers can be infinitely adaptable. Humphreys set about trying to build one. The finished model took years to perfect—"a real beast," Humphreys called it—in part because he couldn't perform real tests on it without breaking the law. He began work on the spoofer at Cornell and completed it with the help of his students at the University of Texas Radio Navigation Laboratory. It was this same device, contained in the luggage-shaped metal box, that destroyed the Hornet at White Sands.
In the months since that first demo, Humphreys continued to test the spoofer, generating an ever-growing list of its capabilities: it could replace timing systems used by cell phone networks, power grids, and computer programs. trading. The initial good news was that Humphreys probably had one of the only software-defined spoofers in the world. For several years, the F.B.I. regularly visited his office to ensure that he kept his creation safe. Humphreys was happy to comply - he didn't want the technology to spread more than the F.B.I. done - but, by 2016, the code for the G.P.S. spoofers were popping up online, at security conferences, and at hacker conventions.
Then, as if to underline the problem, in February 2016, a software malfunction at the G.P.S. Master Control Station in Colorado caused a thirteen microsecond clock error in some satellites. The problem took hours to resolve, during which time the infected satellites spread the temporal pathogen across the world. The worst disasters were averted (“World dodges the G.P.S. bullet,” proclaimed the specialist newspaper GPS World), but computer networks collapsed and digital broadcasts (including the BBC) were disrupted. System engineers couldn't help but imagine - and fear - that the nightmare they had barely avoided might soon come true.
Humphreys' latest experiment with his spoofer was something of a lark: the owner of a sixty-five-meter superyacht invited him to try and commandeer his voyage across the Mediterranean from Monaco to Greece. Standing on the upper deck, Humphreys' team pointed the spoofer at the ship's antennae, dragging the ship hundreds of feet away. The experiment was harmless but turned out to be a harbinger of some of the more mysterious uses of identity theft.
Four years later, in June 2017, a French tanker, the Atria, crossed the Mediterranean, through the Bosphorus Strait and into the Black Sea. As the ship approached the Russian city of Novorossiysk, the captain, Gurvan Le Meur, noticed that the ship's navigation system appeared to have lost its G.P.S. signal. The signal soon returned, but the position it gave was far off. The Atria was apparently about forty kilometers inland, wrecked at the airport of Gelendzhik, a Russian resort.
Le Meur radioed nearby ships, whose captains reported similar malfunctions in their navigational systems: a total of twenty other ships had been "carried" to the same inland airport. Meanwhile, something similar had happened in Moscow – this time for Uber customers, not ship captains. Short-haul passengers found their accounts charged for journeys to one of the city's airports, or even to locations thousands of miles away.
The activity attracted interest from the Center for Advanced Defense Studies (C4ADS), a Washington-based think tank that focuses on security issues. Using ship data, which is required by maritime treaties to continuously broadcast their location, the researchers discovered that the problem of spoofing was much larger than anyone had imagined. According to a report published in March 2019, there were ten thousand incidents of spoofing at sea between February 2016 and November 2018, affecting around one thousand three hundred ships. Similar data is harder to find for ground vehicles, but C4ADS used heatmaps from fitness-tracking smartphone apps to confirm that drivers near the Kremlin and in St. Petersburg encountered similar spoofing. .
Once they logged where and when the identity theft incidents occurred, the researchers cross-referenced this information with Russian President Vladimir Putin's travel schedule. On an autumn afternoon in 2017, six minutes before Putin was due to deliver a speech in the coastal town of Bolshoy Kamen, the G.P.S. coordinates showed he was jumping at Vladivostok airport. In 2018, when Putin witnessed the official opening of a bridge across the Kerch Strait, at least twenty-four ships from the region reported their location as Anapa Airport, sixty-five kilometers away . What was happening? It seemed increasingly likely that the president's security detail was traveling with a wearable software-defined spoofer, hoping to protect Putin from drone attacks.
The strange specificity of identity theft - the movement of ships and vehicles to airports - has a cautious explanation. Most drones contain geofencing firmware, which prevents them from entering designated areas, including major airports around the world. If a drone detects that it is near an airport, either because it is or because the G.P.S. the coordinates make it believe it is, it will either return to its starting point or simply go down.
For one of the world's most prominent politicians, identity theft may not seem like an unreasonable precaution. In August 2018, a speech by Venezuelan President Nicolás Maduro was interrupted when a pair of drones exploded over one of Caracas' main thoroughfares. A few days later, French secret service agents destroyed a mysterious drone that was flying too close to the summer residence of French President Emmanuel Macron. But for those who have fallen prey to incidents of impersonation - bewildered captains at sea, overloaded passengers in Moscow - it can be difficult to accept that they are merely collateral in attempts to protect a head of state. And the same technology that may appear to be a strategic security system under certain circumstances contains a disturbing potential for subterfuge.
Humphreys served as a contributor and advisor to the C4ADS study, and he felt the Black Sea usurpation was even more extensive than the report revealed. To test his intuition, he researched data from the International Space Station, which collects G.P.S. signals in the upper atmosphere; orbiting Earth, it would give Humphreys a direct line of sight to the Black Sea. He obtained data from three different orbits in 2018, which he sat down to study that winter while on sabbatical in his wife's hometown in the Canary Islands.
Unlike the planet's noisy surface, which is dense with radio signals, the upper atmosphere is a quiet zone, where intrusive frequencies stand out; Humphreys could instantly detect interference in Black Sea data. Where did the phantom signals come from? Humphreys knew that when the space station passed overhead, the spoofed signal created some sort of Doppler effect. It was a simple clue familiar to most city dwellers: imagine driving a car to a crime scene you can hear - sirens, megaphones - but not see. You will know when you are approaching, due to the sudden increase in pitch of these ambient noises. Similarly, Humphreys could use changes in the signal from the spoofer to start guessing where he came from. When he calculated the numbers, he came up with two possible locations: a forest in Romania and somewhere in Syria. He recalculated using data from another recording from the space station and this time concluded that the signal came from the German countryside or, again, from Syria. When Humphreys checked the exact locations, the two sets of Syrian coordinates were identical: Khmeimim Airbase, a site on the coast associated with Russian military activity in the country. Further calculations narrowed the source of the interference to a transmitter in the northwest quadrant of the base.
The phantom signals spotted by Humphreys were unlike anything he had ever seen before, combining elements of jamming and spoofing. Like the jamming, these signals did not transmit the actual coordinates. But they were more than noise - like spoofing, they convinced receivers to recognize fake G.P.S. signals. Humphreys calls it "smart jamming" and sees it as a new front in the G.P.S signal war. If a genuine signal is a light bulb thousands of miles away, the fake Syrian is a high-powered searchlight filling your field of vision, blinding you to everything.
A commercial airliner flying thirty thousand feet above a smart jammer would encounter a signal ten billion times stronger than a genuine G.P.S. signal. Even for an aircraft coming just over the horizon, with the line of sight furthest from the transmitter, the signal from the smart jammer would be five hundred times stronger than the real one.
What Humphreys discovered from Khmeimim is the G.P.S. disruption device to date. "It's the most powerful example of jamming I've ever seen," Humphreys said. "I call it my Jack Ryan moment." In January 2018, the air base was attacked by a swarm of thirteen drones carrying explosives. Somehow the attack was thwarted; Humphreys postulates that an intelligent jammer repelled the attack using anti-aircraft munitions.
GPS. Interference will likely be a way for America's enemies to fight conflicts they could not conventionally win. Civilian uses of G.P.S. have long outnumbered military applications, but G.P.S. is still part of nearly every US weapon system. "We're getting our first taste of what it's like to face a serious adversary in electronic warfare," Humphreys said. "I don't think Russia has shown all its cards yet."
In July last year, the captain of a US-registered container ship noticed something strange with its navigation system as it entered the port of Shanghai. The G.P.S. placed the ship several kilometers inland. When Humphreys and C4ADS heard of the incident, they doubted it was an isolated occurrence. “We looked at more data and, to be honest, we saw the same thing appear in areas around China's coastline,” Humphreys said. Another 300 ships had been impersonated in Shanghai on the same day, and thousands more the same year. What was unusual about the Shanghai usurpation was that the ships, rather than being "transported" to the same false location, all reported different coordinates. Further analysis by Bjorn Bergman of monitoring group SkyTruth showed a similar trend in twenty other places in China.
Humphreys admits he's not sure what's behind this new approach to spoofing — or who's behind it. Some have speculated that oil smugglers and sand thieves can use the technology to sneak into ports more or less invisibly. Bergman suggested that the Chinese government is involved in impersonation; Humphreys says the pattern is widespread enough that he is certainly aware of the activity. Whoever is responsible has not been particularly careful and may not care about being discovered. “It really looks like they sent the junior-varsity team for this one,” Humphreys said.
But is there an incentive to work harder? The kind of software-defined spoofer Humphreys revealed at White Sands is now much easier to obtain; you don't need to be a mastermind to pull off an impersonation attack. And the ease with which amateurs can cause major disruption should make us fear what the experts are capable of. Humphreys predicts that the next major spoofing attacks will target G.P.S-enabled clocks. - and could come from state or non-state actors.
“We see a general consensus that G.P.S. it's wonderful, but we have to get rid of our habits,” Humphreys told me. The system's characteristic precision seems to give way to hazy, bewildering chaos. But what might a viable alternative look like? Overall, G.P.S. remains a remarkably robust system. Its major vulnerability is the weakness of the signal itself. One solution would be to rebuild the system with a stronger signal using satellites much closer to us. But that change would require many more satellites to provide global coverage: seven hundred, compared to the current benchmark of twenty-four. “Government control of G.P.S. has been a real boon to all mankind, the fact that it rains freely from above with no contracts or subscription fees, but I don't think the G.P.S. program has the funds to expand to low Earth orbit,” Humphreys said.
We may be witnessing the first stage of the death of G.P.S. as we know it. For several years, G.P.S. was the world's only comprehensive global navigation satellite system. Its only real competitor was the Russian glonass, which ranked far behind. Today, China has implemented the Beidou satellite system, and the European Union is developing another, called Galileo. But these systems operate on similar principles to G.P.S. and have the same vulnerabilities.
The answer could possibly be some sort of public-private partnership. Humphreys predicts that companies that maintain hundreds of networks in low Earth orbit — such as Elon Musk's SpaceX and Amazon's Project Kuiper — will eventually become a key part of the G.P.S. the ecosystem, taking over in the event of malfunctions or attacks. The new system will be like G.P.S. as we know it - with one exception. “It will be a paid service, no question,” Humphreys said. "But maybe it's a decent insurance policy."