GPS is something that we all use to a greater or lesser extent almost every day, partly powered by its use in smartphones, smartwatches, car navigation systems, etc... but that, personally, took me a long time to learn how it works.
How GPS Works
GPS is an acronym for Global Positioning System and has been with us for several years. It is a satellite-based radio navigation system developed by the United States Department of Defense after World War II and its purpose is to determine the position of any object (a person, a vehicle, etc...) throughout the Earth with different levels of accuracy/error depending on the versions and type of systems used.It works through a network of at least 24 satellites orbiting around the earth with altitudes of approximately 20,000Kms and with orbits distributed in 6 different orbital planes and with inclinations of around 55º with respect to the terrestrial equatorial plane.
The purpose of this configuration is that at any point on the surface of the earth (and at any altitude) there are always at least 4 satellites visible above the horizon (OTH).
The operation of GPS systems and their infrastructure is based on several components or segments: the first is the "space segment" that we have just seen in the previous paragraphs, and at the same time two other segments that are the control and user segments.
The control component is based on 5 ground tracking stations distributed around the globe and connected to a central control station called MCS (Master Control Station). The mission of this component is to track the satellites by calibrating and synchronizing their clocks, as well as updating their orbital positions.
The user component is the last link in the chain and it is basically the GPS device that we use to locate ourselves on the globe, whether it is a watch, a mobile phone, a GPS handheld, a car navigator, boat and plane positioning, etc.
What does GPS Spoofing objectively consist of? Basically, it consists in emitting via radio those "false" GPS coordinates that we want to supplant the genuine signals. To achieve this we will depend logically on the power of emission and/or the proximity to the receiver included in the user segment indicated above to make them take our modified signal ignoring the genuine one and, therefore, locate in the position and/or path/itinerary that we want.
The control component is based on 5 ground tracking stations distributed around the globe and connected to a central control station called MCS (Master Control Station). The mission of this component is to track the satellites by calibrating and synchronizing their clocks, as well as updating their orbital positions.
The user component is the last link in the chain and it is basically the GPS device that we use to locate ourselves on the globe, whether it is a watch, a mobile phone, a GPS handheld, a car navigator, boat and plane positioning, etc.
VERY IMPORTANT!!! Before you continue reading...
At this point and before continuing, you are going to allow me to give you a VERY IMPORTANT disclaimer and we must be clear at all times: the broadcast of any type of radio signal in any scenario or circumstance where there is no prior and explicit legal authorization to do so, is totally prohibited and is a crime punishable by law.
The objective of this article and the techniques shown in it have the sole purpose of divulging technology and for this, as will be seen later in the article, the necessary solutions and resources have been adopted so as not to make any public broadcast to the radio public domain (also called radio space).
The Global Positioning System (GPS) is increasingly used for a wide variety of critical applications and services. These include maritime and air navigation, time synchronization for the utilities, telecommunications, banking and computer industries but also many public safety services such as police, fire, and to an even greater extent emergency, rescue, rescue and ambulance services.
Please, let us be aware of that criticality and let us all be responsible and show the utmost respect for it.
What are we going to use?? (Hardware and software)
Software
The main "magic" we are going to count on for this entry is the GPS-SDR-SIM software, it is a creation of Takuji Ebinuma from Japan and it is a software that generates data streams in the GPS utilization band that can then be converted to RF using software defined radio devices (SDR), such as ADALM-Pluto, BladeRF, HackRF and USRP.
The complete project is in the GitHub of it (hyperlinked above) and the only additional thing we will need to do is to compile it with VisualStudio to be able to use it in Windows (it doesn't require much difficulty, however I will show you the process step by step).
In order to generate the necessary signal, the software requires a GPS satellite constellation through a GPS emission ephemeris file.
The daily GPS broadcast ephemeris file (brdc) is a fusion of the navigation files of individual sites into a single file; this type of file is necessary to generate the mentioned pseudorange and the simulated Doppler for the GPS satellites on view. This simulated range data is then used to generate the digitized I/Q samples for the GPS signal to be broadcast from HackRF.
Where can I get these GPS ephemeris files? NASA helps us with this and offers them to us almost daily at ftp://cddis.gsfc.nasa.gov/gnss/data/daily/ (at least until October 2020, when we will need to register).
Finally we only need the program to communicate from our Windows computer with the HackRF device and transmit the generated file and we will do it with hackrf_transfer.exe which we can compile by ourselves or download the executable already compiled from the Pothosware github.
The complete project is in the GitHub of it (hyperlinked above) and the only additional thing we will need to do is to compile it with VisualStudio to be able to use it in Windows (it doesn't require much difficulty, however I will show you the process step by step).
In order to generate the necessary signal, the software requires a GPS satellite constellation through a GPS emission ephemeris file.
The daily GPS broadcast ephemeris file (brdc) is a fusion of the navigation files of individual sites into a single file; this type of file is necessary to generate the mentioned pseudorange and the simulated Doppler for the GPS satellites on view. This simulated range data is then used to generate the digitized I/Q samples for the GPS signal to be broadcast from HackRF.
Where can I get these GPS ephemeris files? NASA helps us with this and offers them to us almost daily at ftp://cddis.gsfc.nasa.gov/gnss/data/daily/ (at least until October 2020, when we will need to register).
Finally we only need the program to communicate from our Windows computer with the HackRF device and transmit the generated file and we will do it with hackrf_transfer.exe which we can compile by ourselves or download the executable already compiled from the Pothosware github.
Hardware
As emitters of our supplanted GPS signal we will use in HackRF (in the pictures) with the PortaPack on, but it is in conventional operation mode because, due to the preparation of the laboratory, I will not be able to access its screen or controls during the process).
As a receiving device of the GPS signal I'm going to use an Android device, specifically a Nexus 5 which is my "gadget mate" for various tests and experiments.
As a receiving device of the GPS signal I'm going to use an Android device, specifically a Nexus 5 which is my "gadget mate" for various tests and experiments.
In addition, and although more than hardware, it could be considered a "test scenario" as a means of legal compliance for the reasons set out in the previous section and not to infringe the regulations or emit any signal into the radio public domain, it is necessary to use a Faraday box or bag that totally isolates our devices.
In my case I have chosen a bag of expertise that will block the external RF electromagnetic waves and redirect them along the surface of the case itself and acting in the same way on the inside, where we will have our HackRF emitter as well as our Android phone as a receiver thus ensuring that we do not infringe any legal norm in this matter.
In my case I have chosen a bag of expertise that will block the external RF electromagnetic waves and redirect them along the surface of the case itself and acting in the same way on the inside, where we will have our HackRF emitter as well as our Android phone as a receiver thus ensuring that we do not infringe any legal norm in this matter.
We only have to be careful before closing the bag completely to leave out the USB connection cables to our computer to command the HackRF and display the Android phone on our computer screen (in my case I used the SCRCPY solution).
Compiling GPS-SDR-SIM
Once the project is downloaded and extracted to a folder we open Visual Studio and from the initial tasks menu we create a new empty project and then select the option "Console application".
Once the empty project is opened and we see the Visual Studio interface, we must add the files gpssim.c and getopt.c to the "Source files" folder that the solution explorer shows us on the right margin.
Expand the upper options menu of Visual Studio to select "Release" and proceed to compile from the Compile option of the upper options menu.
As a result we will get the executable with the name we have given it in the project (in my case GPS.exe showing off my great creativity...) and some more objects that we must keep in the same folder. To try it out we just have to run from the command line with, for example, the -h option to see the program's help.
Ready! Now we can forget about the compilation and focus on the interesting part of the project!
Once the process is finished we will see how a file with extension .bin with name gpssim has appeared in the folder (unless we have used the option -o in the previous step and we have specified another file name).
From here the limit is imagination... and the globe logically!
Besides being able to define static locations in exact coordinates, gps-sdr-sim can also generate dynamic files, so we can pass as an argument a file with a path defined by ourselves either in a CSV file containing the positions we want centered on the Earth (ECEF), or in a NMEA GGA trace file (there are simulators to generate the specific file with the path we want as for example this one from ATLsoft).
As you can see, it has been relatively easy to create a fraudulent GPS signal and confuse the devices with it, the system is vulnerable and nowadays, except for military communications and some very specific ones that are encrypted, all can be affected by this type of threat.
Of all the possible software solutions for the mitigation of these threats of which I have been able to investigate something and I find them interesting, they go through a system of monitoring and early detection of sudden changes in signal strength, and a monitoring of time jumps in the reception of traces and their analysis to determine their plausibility/viability.
Very interesting is a hardware solution that I have found from the manufacturer Microchip, it is
BlueSky GNSS Firewall and is nothing more and nothing less than a firewall that serves to protect all those infrastructures that may depend on the GPS system. To achieve this, all the GPS signal data received is evaluated and checked in parallel with/from each satellite to ensure compliance, in addition to a parallel analysis of the characteristics of the signal received to detect any anomalies in it. It is a very interesting device that I recommend you to take a look at.
Once the empty project is opened and we see the Visual Studio interface, we must add the files gpssim.c and getopt.c to the "Source files" folder that the solution explorer shows us on the right margin.
Expand the upper options menu of Visual Studio to select "Release" and proceed to compile from the Compile option of the upper options menu.
As a result we will get the executable with the name we have given it in the project (in my case GPS.exe showing off my great creativity...) and some more objects that we must keep in the same folder. To try it out we just have to run from the command line with, for example, the -h option to see the program's help.
Ready! Now we can forget about the compilation and focus on the interesting part of the project!
Creating the signal and broadcasting it with HackRF
As we have mentioned in the software requirements section, something essential that we need is the GPS emission ephemeris file (brdc), for this we only need to access the ftp served by NASA and once inside selected the year, then we go to the "brdc" folder and choose one of the most updated files available (there are several files for each day).
Now that we have everything ready, we just need to decide where we want the GPS device to believe it is, so... Where do you want to travel? I personally feel like going back to the south of Spain on vacation, so let's generate the pseudorange file with the following command:
Where with the option -b we indicate the format in bits of the resulting I/Q, with -e the brdc ephemeris file we just downloaded and with -l the exact static coordinates we want to emulate. Press enter and let it work.
gps.exe -b 8 -e brdc1470.20n -l 36.276173,-6.087545
Now we only need to take the last step: connect the HackRF to our computer and send it the generated file! To do this we will use the hackrf_transfer tool commented in the sections above and the syntax to be used will be
Where -t must be the .bin file that we have just generated with gps-sdr-sim, -f is the frequency in Hz of the emission (we have to adjust it 1.575Ghz which is the frequency of use of the GPS) as well as -s to adjust the sample rate and -a to a value of 1 to activate the RX/TX amplifier of the HackRF and with -x we will be able to adjust the TX VGA gain from 0 to 47 dB (to me personally the best result has always been to leave it at zero).
hackrf_transfer.exe -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
Now we only have to wait patiently for some seconds/minutes, I like to monitor the GPS activity with a supplementary application and when she indicates me that she has already taken the necessary satellites and gives me the coordinates I check it using google maps.
As I said before at this point is just a matter of patience to check later how from Madrid we have "teleported" to Conil De La Frontera!
As I said before at this point is just a matter of patience to check later how from Madrid we have "teleported" to Conil De La Frontera!
How about we generate another file and cross the puddle this time? "Traveling" has never been so convenient, fast and economical! ;-)
Besides being able to define static locations in exact coordinates, gps-sdr-sim can also generate dynamic files, so we can pass as an argument a file with a path defined by ourselves either in a CSV file containing the positions we want centered on the Earth (ECEF), or in a NMEA GGA trace file (there are simulators to generate the specific file with the path we want as for example this one from ATLsoft).
Possible countermeasures
Of all the possible software solutions for the mitigation of these threats of which I have been able to investigate something and I find them interesting, they go through a system of monitoring and early detection of sudden changes in signal strength, and a monitoring of time jumps in the reception of traces and their analysis to determine their plausibility/viability.
Very interesting is a hardware solution that I have found from the manufacturer Microchip, it is
BlueSky GNSS Firewall and is nothing more and nothing less than a firewall that serves to protect all those infrastructures that may depend on the GPS system. To achieve this, all the GPS signal data received is evaluated and checked in parallel with/from each satellite to ensure compliance, in addition to a parallel analysis of the characteristics of the signal received to detect any anomalies in it. It is a very interesting device that I recommend you to take a look at.
Well, this is it! I hope that the article was not too heavy and you liked it, as always THANK YOU VERY MUCH for the visit and for your time in reading it!
See you next time! Greetings!
See you next time! Greetings!
0 comentarios:
Publicar un comentario