GNSS/AIS Spoofing
Gary C. Kessler, Ph.D., CISSP
DEF CON 28 (DEF CON Safe Mode), 07 August 2020
  • GNSS/AIS Spoofing

    Gary C. Kessler, Ph.D., CISSP

    DEFCON

    07 August 2020

  • Navigation Systems

    (c) Gary C. Kessler, 2017-2020 1

  • Integrated Navigation System


  • Global Navigation Satellite Systems


    • Major GNSSs
      – BeiDou-2 (aka COMPASS; China)
      – Galileo (EU)
      – GLONASS (Russia)
      – GPS (U.S.)
      – NAVIC (India; regional)
      – QZSS (Japan; regional)

    • Commonly employ 18-30 MEO satellites over several orbital planes
      – Altitudes range from 12-15K miles (19-23K km)
      – Periods range from 11-14 hours

  • Space and User Segments

    [Figure: Space Segment (GNSS Satellites) and User Segment (GNSS Antenna, GNSS Receiver, to other user equipment)]

  • Control Segment


  • Space Segment Overview


    • A GNSS receiver determines position by trilateration
      – Passive range finding
      – Transmitted signal at 50 W, arrives at 10^-16 W

    • Transmits in UHF L-band
      – Frequency sharing using CDMA
      – Each satellite assigned unique pseudorandom noise (PRN) sequence

  • As An Aside…

    • Code-Division Multiple Access (CDMA) is based upon frequency-hopping spread spectrum technology, invented in 1942 to aid USN torpedo guidance (rejected by Navy until 1960s!)

    • Now used in Bluetooth, WiFi, mobile phones, and GPS

    [Photos: George Johann Carl Antheil; Hedwig Eva Maria Kiesler (aka Hedy Lamarr)]

  • Why Four Satellites?

    • Satellites travel at 2.5 miles/sec (4 km/sec)

    • Trilateration error can be 1 mile (1.6 km)

    • Fourth satellite allows receiver to correct its clock drift (bias) to reduce pseudorange error to 3 ft (1 m)

    NOTE: Satellites have cesium clocks, receivers do not!

  • GPS Background

    • NAVSTAR, the Global Positioning System
      – Joint project of USAF and USN in late-1960s; now managed by U.S. Space Force
      – First GPS satellite launched in 1978
      – Civilian GPS products widely available in the 1990s

    • Civilian precision degraded by introducing controlled timing errors, aka Selective Availability (SA); removed by Executive Order in 2000
      – Standard Positioning Service (SPS) for civilians
      – Precise Positioning Service (PPS) for U.S. and allied military

    • GPS constellation has 31 satellites, requires 24 for 95% up-time
      – Satellites orbit Earth twice/day

  • GPS Transmissions

    • GPS satellites transmit 37,500-bit navigation messages on each frequency at 50 bps
      – 12.5 min. for message to be received by a ground station

    • Navigation messages contain:
      – GPS date, time, and week number
      – Satellite status and health
      – Ephemeris (position and velocity) data
      – Clock bias parameters
      – Almanac (coarse ephemeris data for all GPS satellites, allows receivers to know which satellites are available for tracking)

  • GLONASS Transmissions

    • 7500-bit superframe transmitted at 50 bps (2.5 minutes to get to Earth)

    • Superframe composed of 5 1500-bit frames

    • Each frame composed of 15 100-bit strings
      – Strings 1-4 carry immediate data for the sending satellite; i.e., ephemeris data, clock and frequency offsets, and status
      – Strings 5-15 carry non-immediate data; i.e., the almanac for the other satellites

    • Frames I-IV each describe five satellites

    • Frame V describes four satellites

  • GPS L Band

    • GPS transmits signal on carrier frequency modulated by combining [1] navigation message with a PRN code
      – Each PRN code is unique to one satellite

    • L1 band uses two PRN codes [2]
      – Coarse/acquisition (C/A) code supports the SPS, freely available to the public; referred to as L1C
      – Precision (P) code supports military PPS; encrypted and is referred to as P(Y)-code, which provides better interference and spoofing resistance for military GPS

    • L2 band originally used the P(Y)-code only
      – Intended exclusively for military applications
      – Newer GPS satellites also transmit C/A-code on L2 (L2C)

    • Newest GPS satellites use L5 band for third civilian code

    [1] Navigation_message ⊕ PRN_code
    [2] PPS signal is 90° out-of-phase from SPS

  • The Importance of GPS

    Maritime equipment that uses GPS as a data input

    On ships
      • GPS & DGPS* positioning
      • ECDIS
      • AIS
      • Gyro
      • Radar
      • Digital Selective Calling
      • Vessel data recorder
      • Dynamic positioning
      • Surveying

    With aids to navigation
      • ATON deployment
      • DGPS* corrections
      • AIS
      • ATON position monitoring
      • Synchronized light

    Adapted and modified from Grant et al. (2008).

    * DGPS decommissioned in the U.S. in 2020.

  • Importance of GPS Timing

    • Many devices obtain their time from GPS satellites
      – All digital telecommunications systems, including the North American mobile phone network and digital telecommunications carriers
      – Power grids
      – Some Network Time Protocol (NTP) servers on the Internet
      – Any system relying on GPS positioning, such as Enhanced 911 (emergency) triangulation
      – Aviation transportation systems
      – Maritime transportation systems

    • Timing disruptions do not need to be large to have big effects; a 1 nanosecond (10^-9 second) error in timing can cause a 1 foot (30 cm) positioning error

    • Another possible attack vector?

  • GPS Issues

    • USCG issues GPS jamming alert (01/2016)
      – Many reports in summer 2015 of GPS jamming or disruption
      – Multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception
      – Impact: Various alarms and loss of GPS input to ship's surface search radar, gyro units, and ECDIS
      – Result: No GPS data for position fixing, radar over ground speed inputs, and gyro speed input; and loss of collision avoidance capabilities on the radar display
      – GPS came back after approx. 6 nm (11 km)
      – Advice from USCG: Trust but verify

  • Case Study: GPS Spoofing Test

    • U. Texas, Austin team spoofed GPS signals to a yacht in the Mediterranean Sea (06/2013)
      – "Attacker" sent faint, slowly increasing GPS signals to yacht, until they eventually overwhelmed legitimate GPS signals
      – "Attacker" sent false location to ship, causing it to reroute itself to obtain proper location
      – Shipboard instruments did not detect attack or any irregularities with nav system

    • UT employed cheap, COTS equipment
      – Civilian GPS uses unencrypted communications links

  • Spoofing on the High Seas

    [Video, 1:37]

  • Case Study: Black Sea, 2017

    • Mass GPS spoofing in Black Sea (06/2017)
      – Master of 37.5K ton tanker ATRIA off Russian port of Novorossiysk reported that his GPS showed him at Gelendzhik Airport, 20 nm (37 km) away
      – AIS traces from at least 20 nearby ships showed them to be at the same location
      – GPS misdirection attack thought to be Russian e-warfare

    [Video, 0:52]

  • [Map slide] 44°14.000'N 037°43.100'E

  • Case Study: Eastern Med., 2018

    • Lost or erratic GPS signals, accuracy issues, and other GPS signal interference reported in:
      – Cyprus (Mar, Nov)
      – E. Med region (Mar-May)
      – Haifa (Nov)
      – Jedda Port (Oct)
      – Port Said & Suez Canal (Mar, Jul, Oct, Nov)

  • Case Study: Mediterranean, 2019


  • Russia and GNSS Hacking

    • Center for Advanced Defense Studies (C4ADS) reports that Russia has been manipulating GNSS signals since at least 2016 (04/2019)
      – Report based on satellite data gathered by the International Space Station (ISS), detecting 9,883 suspected spoofing incidents at 10 global locations connected to Russian military
      – Target areas included Black Sea, Crimea, the Russian Federation, and Syria
      – Study found 1,311 civilian ships fed wrong positional coordinates from a range of civilian satellite networks, including 2017 incident in the Black Sea

    • Because GNSS spoofing technology is now so cheap, this type of attack is likely to spread to other countries, terrorist groups, criminals, and even lone operators

  • Case Study: STENA IMPERO

    • UK-flagged oil tanker seized by Iran in Strait of Hormuz (07/2019)
      – Iran claims that IMPERO violated international law
      – Seen as retaliation for British seizure of Iranian vessel for violating EU sanctions

    • Analysis of AIS data indicative of GPS spoofing


  • Case Study: Port of Shanghai

    • Strange GPS/AIS readings at Port of Shanghai (07/2019)
      – "Upon arriving to dock…, U.S. flagged MV [MANUKAI] master checked ECDIS at the AIS to see if their berth was clear. Another ship on the berth appeared to be in the channel making 7 kn SOG, but then disappeared from AIS. A few minutes later she was back and at the dock, then underway again, 5 kn, 2 kn, 0 kn, in the channel, then back at the dock, then gone. This pattern repeated multiple times. It turned out the other ship was actually all fast the entire time." From USCG NavCen (07/17)

  • Case Study: Port of Shanghai [2]

    • As 700 ft. MANUKAI approached its own berth, both GPS units and AIS transponder failed

    • C4ADS reports that spoofing started in 2018
      – 300 spoofing events on 17JUL2019 alone
      – Shanghai data showed spoofed signals making ships appear to move around every few minutes to different locations on eastern bank of Huangpu River, in patterns of rings

  • "Crop circle" in Shanghai


  • Circle Spoofing in Iran


  • Pt. Reyes Circle Spoofing


  • Pt. Reyes: Actual Ship Positions


  • GPS Spoofing Without a GPS Device

    • Can spoof GPS information by transmitting bogus NMEA messages with GPS location, autopilot, fix, and other position and navigation data
      – See https://gpsd.gitlab.io/gpsd/NMEA.html

    • $GPGLL,2911.585,N,8046.181,W,015030,A,*22
      – Geographic position message (lat/long data)
      – Latitude, longitude: 29°11.585' N, 080°46.181' W
      – Time that fix was taken: 01:50:30 UTC
      – Data active
      – Checksum: 0x22

  • GPS Fix Data

    • $GPGGA,123519,4807.038,N,01131.000,E,1,08,1.3,545.4,M,46.9,M,,*4C
      – GPS [$GP] Geographic position message (fix data) [GGA]
      – Time of fix: 12:35:19 UTC
      – Latitude, longitude: 48°07.038' N, 011°31.000' E
      – Fix quality: 1 (GPS SPS mode)
      – Number of visible satellites: 8
      – Horizontal dilution of position: 1.3
      – Altitude (above mean sea level): 545.4 meters [M]
      – Height of geoid (MSL) above WGS84 ellipsoid: 46.9 meters [M]
      – Time (seconds) since last DGPS update: (null)
      – DGPS station identifier: (null)
      – Checksum: 0x4C
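    A small validator for the two NMEA sentences shown on these slides, added here as an example and not part of the talk or of gpsd: it verifies the XOR checksum that $GPGLL and $GPGGA carry after the '*', converts the ddmm.mmm fields to decimal degrees, and flags a jump between consecutive fixes that would imply an impossible speed, a receiver-side plausibility check in the spirit of the mitigation slide rather than a signal-level defence. The Fix type, the 40 kn ceiling and the haversine helper are assumptions of this example.

```python
"""NMEA 0183 checksum/parse plus a fix-to-fix plausibility check. Added example, not from the talk."""
import math
from dataclasses import dataclass

@dataclass
class Fix:                 # assumed container type for a decoded position report
    time_utc: str   # hhmmss exactly as transmitted
    lat: float      # decimal degrees, north positive
    lon: float      # decimal degrees, east positive

def nmea_checksum(sentence: str) -> int:
    """XOR of every byte between the leading '$' and the '*'."""
    cs = 0
    for ch in sentence[1:sentence.index("*")]:
        cs ^= ord(ch)
    return cs

def checksum_ok(sentence: str) -> bool:
    """True when the two hex digits after '*' equal the computed XOR."""
    star = sentence.index("*")
    return nmea_checksum(sentence) == int(sentence[star + 1:star + 3], 16)

def dm_to_deg(value: str, hemi: str) -> float:
    """Convert NMEA (d)ddmm.mmm plus hemisphere letter to signed decimal degrees."""
    whole, _, frac = value.partition(".")
    deg = int(whole[:-2]) + float(whole[-2:] + "." + frac) / 60.0
    return -deg if hemi in ("S", "W") else deg

def parse_fix(sentence: str) -> Fix:
    """Parse a $xxGLL or $xxGGA sentence; reject bad checksums and non-fixes."""
    if not sentence.startswith("$") or not checksum_ok(sentence):
        raise ValueError("checksum failure: " + sentence)
    f = sentence[1:sentence.index("*")].split(",")
    kind = f[0][2:]                    # drop the talker ID (GP, GL, GN, ...)
    if kind == "GLL":                  # lat,N/S,lon,E/W,hhmmss,status
        if f[6] != "A":
            raise ValueError("GLL status is not 'A' (data active)")
        return Fix(f[5], dm_to_deg(f[1], f[2]), dm_to_deg(f[3], f[4]))
    if kind == "GGA":                  # hhmmss,lat,N/S,lon,E/W,quality,...
        if f[6] == "0":
            raise ValueError("GGA fix quality 0 (no fix)")
        return Fix(f[1], dm_to_deg(f[2], f[3]), dm_to_deg(f[4], f[5]))
    raise ValueError("unsupported sentence: " + f[0])

def distance_nm(a: Fix, b: Fix) -> float:
    """Great-circle distance in nautical miles (haversine, Earth radius 3440.065 nm)."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(h))

def implausible_jump(prev: Fix, cur: Fix, max_kn: float = 40.0) -> bool:
    """Flag fixes whose implied speed exceeds max_kn (assumed hull ceiling) or whose time does not advance."""
    def secs(t: str) -> int:
        return int(t[0:2]) * 3600 + int(t[2:4]) * 60 + int(t[4:6])
    dt = secs(cur.time_utc) - secs(prev.time_utc)
    if dt <= 0:                        # repeated or backwards timestamp (midnight rollover is also flagged)
        return True
    return distance_nm(prev, cur) / (dt / 3600.0) > max_kn
```

    A fabricated sentence with a correctly computed checksum passes the first check, so the checksum only catches corruption, not spoofing; the jump test is what would surface the Shanghai-style "at the dock, in the channel, at the dock" pattern.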

  • Spoofing GPS With SDR

    • Spoofing GPS signals is inexpensive and simple
      – The GPS civilian signals are not encrypted (L1C, L2C, L5)
      – Software-defined radio (SDR) can be used to transmit on L1 frequency (1575.42 MHz)
      – It is easy to write a program that can produce NMEA $GP sentences and transmit via SDR

    • Many open source tools available for GPS spoofing

  • GNSS Spoofing Mitigation

    • Several methods can detect/mitigate GPS/GNSS spoofing
      1. Detect signal distortion at the instant that the bogus signal overpowers the legitimate signal
      2. Detect that the bogus signal is coming from a different direction than the legitimate signals
      3. Correlate the encrypted signal to ensure that it is authentic; even though the civilian unit cannot read the encrypted signal, it can ensure that it is present
      4. Employ a GNSS receiver that can monitor multiple constellations
         • U-2 pilots reportedly use BeiDou, Galileo, GLONASS, and GPS
         • Raymarine GA150 includes built-in GPS/GLONASS receiver

  • Automatic Identification System

    • AIS is a tracking system used by ships and VTMS
      – Provides a vessel with situational awareness about surrounding traffic

    • AIS provides ship's unique identifier, position, course, speed, and more

    • Data can be displayed on a screen, ECDIS, or mobile app

    • AIS design initiated by USCG after 1989 wreck of the EXXON VALDEZ

  • Side Note: AIS Requirements

    • Defined in 2002 SOLAS, Chapter V, Regulation 19 and 33 CFR 164.46

    • In general, AIS is required on:
      – All vessels ≥300 gross tons travelling internationally
      – Commercial power vessels ≥65 ft (20 m)
      – Commercial towing vessels ≥26 ft (8 m) or >600 horsepower
      – Power vessels certified to carry >150 passengers

    • Warship exemption


  • AIS Communication Protocol

    • AIS defined in ITU-R Recs. M.585-7 and M.1371-5
      – Transmits at 161.975 and 162.025 MHz, using self-organized time division multiple access (SOTDMA)
      – NMEA 0183, 2000, and OneNet protocols

  • AIS Security Weaknesses

    • TrendMicro (11/2013, 02/2017) reported a number of vulnerabilities in the AIS protocol
      – Lack of message integrity
      – Lack of timing integrity
      – Lack of authentication
      – Lack of validity

    • If compromised, AIS communications can be hijacked to create fake vessels, or trigger false SOS or collision alerts

  • AIS Hack Scenarios (1)

    • Closest point of approach (CPA) spoofing: Attacker fakes a possible collision with another ship, triggering a CPA alert; could lead the victim ship off-course to hit a rock, run aground, or go to where the attacker is waiting

    • AIS Search and Rescue Transmitter (AIS-SART) spoofing: Attacker generates false distress beacon to lure victim ship into hostile/attacker-controlled area

    • Fake weather forecasts: Attacker could send dynamic weather information via AIS, causing a ship to divert its course

  • AIS Hack Scenarios (2)

    • DoS: Cause vessels to increase the frequency of their AIS updates, flooding all nearby shore facilities and vessels with data

    • Frequency hopping attack: Attacker sends commands reserved for port authority to shift victim's AIS to transmit on a specific frequency that is blank; effectively shuts off their AIS, making them "invisible" to all but the attacker

    • Ghost vessels: Attacker can create what appears to be a real vessel at any global location

    • Data diddling: Hacker can modify ship information, e.g., name, location, course, cargo, type of ship, speed, etc.

  • AIS Attack Vectors

    [Figure: AIS attack vectors, from Balduzzi et al., 2014]

  • AIS Information Leakage

    "[The Committee] agreed that the publication on the world-wide web or elsewhere of AIS data transmitted by ships could be detrimental to the safety and security of ships and port facilities and was undermining the efforts of the Organization and its Member States to enhance the safety of navigation and security in the international maritime transport sector.

    The Committee condemned the regrettable publication on the [web] of AIS data transmitted by ships and urged Member Governments, subject to the provisions of their national laws, to discourage those who make available AIS data to others for publication on the [web] from doing so.

    In addition, the Committee condemned those who irresponsibly publish AIS data transmitted by ships on the [web], particularly if they offer services to the shipping and port industries."

    IMO Maritime Safety Committee, December 2004
    http://www.imo.org/en/OurWork/Safety/Navigation/Pages/AIS.aspx

  • Aggregator Sites

    https://www.marinetraffic.com/

  • FindShip app

    http://www.findship.co/

  • Real-Time Tracking

    https://www.vesselfinder.com/

  • Build Your Own AIS Receiver...


    Raspberry Pi with dAISy Hat

  • ...And Display With Open Source Software


  • AIVDM Message Example (1)


  • AIVDM Message Example (2)


  • Some Tools…

    • timestamp_data.pl– Acquire AIS data from a TCP/UDP socket

    • play_ais.pl– Send AIS data to a TCP/UDP socket


  • DEMO: Replay and Ghost Ship


  • Summary and Conclusion


  • Are These Problems Real?

    • While not all of these vectors are easily vulnerable to attack today, be wary of those who say that the risks are overstated


    If an elderly but distinguished scientist says that something is possible, he is almost certainly right; but if he says that it is impossible, he is very probably wrong.

    Arthur C. Clarke

  • Hoping for the best is not a plan...


    See Rule 27(f)…

  • Contact Information

    Gary C. Kessler, Ph.D., CCE, CISSP
    USCG 50GT Master/Assistance Towing

    mobile: +1 802-238-8913
    e-mail: [email protected]
    gary.c.kessler

    https://www.garykessler.net

  • Acronyms and Abbreviations

    AIS      Automatic Identification System
    ATON     Aids to navigation
    bps      Bits per second
    CAN      Controller Area Network
    CCTV     Closed-circuit television
    CDMA     Code Division Multiple Access
    CFR      Code of Federal Regulations (U.S.)
    COTS     Commercial, off-the-shelf
    DGPS     Differential Global Positioning System
    DoS      Denial-of-service
    EIA      Electronic Industry Alliance (nee Association)
    ECDIS    Electronic Chart Display and Information System
    EU       European Union
    Gbps     Gigabits (billions or 10^9 bits) per second
    GLONASS  Globalnaya Navigazionnaya Sputnikovaya Sistema (Глобальная навигационная спутниковая система)
    GNSS     Global Navigation Satellite System
    GPS      Global Positioning System
    IEEE     Institute of Electrical and Electronics Engineers
    INS      Integrated Navigation System
    IPsec    Internet Protocol Security
    ITU-R    International Telecommunication Union, Radiocommunication sector
    kbps     Kilobits (thousands or 10^3 bits) per second
    kn       Knots (nm/hour)
    LAN      Local area network
    LE       Law enforcement
    LRIT     Long range identification and tracking
    MEO      Medium Earth orbit
    MitM     Man-in-the-Middle
    NAVIC    Navigation Indian Constellation
    nm       Nautical miles
    NMEA     National Maritime Electronics Association
    PRN      Pseudorandom noise
    QZSS     Quasi-Zenith Satellite System
    ROT      Rate-of-turn
    SDR      Software-defined radio
    SOG      Speed over ground
    SOLAS    International Convention for the Safety of Life at Sea
    TEU      Twenty-foot equivalent unit
    UHF      Ultra high frequency
    USAF     U.S. Air Force
    USB      Universal serial bus
    USCG     U.S. Coast Guard
    USN      U.S. Navy
    UTC      Coordinated Universal Time
    VTMS     Vessel traffic management system
    W        Watt
    WGS84    World Geodetic System 1984 standard