Would it be worth going to all this trouble? James Bond's villain clearly believed so. More realistically we can see the potential for disruption that might tempt an enemy nation to launch a spoofing attack. And the damage could be less obvious than a plane or ship going off course – such is the extreme accuracy of the GPS atomic clocks that they are widely used as a source of accurate timing. Every cell tower, for example, has its own GPS receiver, not because it might forget where it is, but to provide a super-accurate time signal for its own transmission purposes.
Some financial high-speed trading systems are so time critical that they rely on GPS time data to determine precisely when trades were made. So criminal – or military – ingenuity might develop ways to generate all sorts of mayhem out of a cleverly targeted spoofing attack.
Do not forget the human factor, either: these systems have served us so well already that it is increasingly tempting to put blind faith in them. The recent MAIB report on the collision between Seagate and Timor Stream identified several human errors, including an oversight that one of the ship's AIS devices was broadcasting a heading 160 degrees out.
We are entering a whole new territory – with little more than a spoofed GNSS to guide us. Maybe.
Analysing and minimising the risk of spoofing
It is perhaps comforting to know that a spoofing attack will demand rather sophisticated technology to generate realistic signals and not be immediately recognised as a fraud. But it remains cold comfort unless there is some way to assess how your GNSS receiver responds to spoof signals, and use that information to devise a counter strategy that increases resilience to interference.
Test beds have been created to provide such test and measurement – the EU's Joint Research Centre has developed one for its Galileo project, for example. But it is only since February 2014 that there has been a commercially available system to test GNSS under laboratory conditions in this way.
Spirent SimSAFE provides a laboratory test bed, incorporating simulators, monitors and computers with software designed expressly for GNSS testing, and that includes testing against possible spoofing attacks.
Basically, the system creates those subtle GNSS signals in a truly realistic manner – taking account of all the factors that can distort their timing and the sort of background noise they struggle against – and transmits them down a cable to the receiving device, rather than through the air. This allows very sensitive monitoring and measurement of the receiver's behaviour under truly realistic GNSS operating conditions, as well as when various spoofing, jamming or other likely attacks are thrown at it.
In practice this could allow a large GNSS user or receiver manufacturer to test devices to see how well they perform, and how vulnerable they are to attack. It also means that device manufacturers now have a means to develop standardised tests against set criteria to improve the performance and reduce the vulnerability of their products. Eventually there will be a set of standard tests which will allow GNSS users to select the best equipment for their application based on the level of protection against jamming and spoofing it offers.
This has important implications for the whole GNSS market, as users can begin to demand equipment that has passed certain tests on an industry standard test bed, and these tests could include a measure of spoofing vulnerability.
Meanwhile, let's hope Elliot Carver doesn't get hold of one first…
- Guy Buesnel is Product Manager – GNSS Vulnerabilities at Spirent Communications
