Researchers recently found that there is an easy and cheap way to cripple the infrastructure of Global Positioning System. They built a spoofing device worth $2500 to broadcast a malicious GPS message attacking both consumer- and professional-grade receivers. The results were shocking.
A 45-second crafted GPS message is said to cripple 30 percent of the global GPS Continuously Operating Reference Stations (CORS) while other attacks could cause damages up to 20 percent of Networked Transport of RTCM via Internet Protocol (NTRIP) networks, according to the paper wrote by security researchers of Carnegie Mellon University and firm Coherent Navigation. (please see links at the end of the post for more details about the report)
It does sound like a big threat for the GPS infrastructure and great threat to the security of establishments that depend on the system but researchers assured the public that for now, they are the only ones that have knowledge on how to build a spoofing device. They, however, said that anyone who has a proper skillset and little cash to build the device can definitely pose a grave threat to the infrastructure.
All attacks are said to be targeted on the software layer of GPS receivers and once attackers are successful in their feat, they could cause substantial damage in the form of synchronization errors, system crashes, and even remote wipes of GPS devices. At least, these are the things researchers are positive about. There could be more but let’s just hope researchers like the ones who discovered the recent vulnerabilities could discover them first. Otherwise, the world would be at the mercy of the attackers.
There were six devices tested by researchers that were found vulnerable to the attacks, namely: Garmin, GlobalSat, Magellan, uBlox, Locosys and iFly. There is now a new challenge for these manufacturers to make their receivers better and harder to crack. Researchers suggested they put better data and OS-level defenses to identify untrusted code.
“One immediate best practice would be for GPS receiver manufacturers to build and deploy automated software update mechanisms. At present, users typically must go to the manufacturers home page, download the update, and then transfer it to the receiver. Other recommendations include receivers white-listing programs that can run, and implementing modern OS defenses such as ASLR and DEP.”
[source: research report in pdf]