A few weeks ago, I blogged about how researchers led by Professor Todd Humphreys of the University of Texas at Austin Radionavigation Laboratory successfully demonstrated that a drone with an unencrypted GPS system could be taken over by a person wielding a $1,000 GPS spoofing device (pdf). Recently, I was fortunate to be able to speak with Professor Humphreys about GPS spoofing and its implications not only for UAVs, but also for other systems like financial systems (pdf) that use GPS for tasks such as data time stamping.
Below is the transcript of my conversation with Professor Humphreys. The interview took place on the 29th of June 2012, and is lightly edited for clarity.
Charette: Hello, I’m Bob Charette, the editor of IEEE Spectrum magazine’s Risk Factor blog. Today, I’m speaking with Professor Todd Humphreys, who directs the Radionavigation Laboratory at the University of Texas-Austin, where, among other activities, software-defined GPS receivers are developed as a platform for GPS innovation. His recent focus has been on defending against intentional GPS spoofing and jamming.
Welcome, Professor Humphreys, and thank you for spending the time with me this morning.
Humphreys: Hi Bob, good to be here.
Charette: Recently, you and your team of researchers demonstrated how a drone using a commercial, unencrypted GPS system could be spoofed by someone using about $1,000 worth of equipment. Professor Humphreys, could you tell us what GPS spoofing is, why your demonstration came about, and what you were able to show?
Humphreys: Sure. Well, GPS spoofing takes advantage of the fact that the civilian GPS signals, as you mentioned, are unencrypted and unauthenticated; so, whereas the military GPS signals have an encryption code overlaid on them, the civilian ones do not and never have. So you can consider this one of the most popular, global unauthenticated protocols in the world. A spoofing attack is one where you generate signals that are functionally indistinguishable from the authentic signals coming down from the satellite, so that when a receiver takes in your signals and the authentic signals it can't tell the difference, and you raise the power of the counterfeit signals sufficiently to take control of the GPS receiver. At that point it does your bidding. You can induce any kind of position or time that you wish.
So, why did we do this? We ended up wanting to demonstrate this concept, this vulnerability, in sort of a dramatic way by capturing a drone that was being guided by a GPS-based navigation system. We did so by purchasing our own drone. No one would lend us a drone because they knew it was going to be a risky endeavor, and we generated fictitious GPS signals, captured the drone and brought it down.
Charette: Now, what are some of the implications of your demonstration? We know that the FAA has been told by Congress to basically open up the U.S. skies for UAVs and commercial drones across U.S. airspace within the next few years, so given that you’re able to do this capturing by GPS spoofing, what are some of the implications and some of the worries that you’ve shown with your demonstration?
Humphreys: You know, originally we got interested in this because we read the stories about the Iranian capture of a U.S. drone back in December. That at first was a curiosity, but when in February the U.S. Congress mandated that the FAA bring in drones by 2015 in the National Airspace, our curiosity turned into an imperative. We decided that there were implications that needed to be made apparent to the whole community because if we are going to bring these civilian drones into the National Airspace with navigation systems based on unencrypted and unauthenticated GPS, well then that was a safety hazard. We wanted to demonstrate that so that perhaps in these three years before the 2015 landmark date when the drones will be welcomed in, we can prepare and fix this problem.
Charette: Okay. Now, the Association of Unmanned Vehicle Systems International (AUVSI) put out a statement in response to your demonstration that states in part that, "The industry is well-aware of so-called ‘spoofing’ and is already advancing technologies, such as Selective Availability Anti-Spoofing Module (pdf) – to prevent it. This technology is already in use by the military to thwart GPS spoofing abroad and we expect it will transition to civilian unmanned aircraft in the coming years to protect aircraft flying in the National Airspace. Meanwhile, some unmanned aircraft also have alternate navigation systems, such as radio links and backup inertial systems, which will provide redundancy to GPS."
The statement goes on to say that there is always a controller ready to intervene in case of problems. Do you have any comments on their statement and their position?
Humphreys: Sure. Well, I like to make clear from the very beginning that I am a big fan of drones and I'm looking forward to the time when I can get Chipotle burritos delivered to my doorstep with a drone and other takeout foods, other great efficiency boosts to the national economy, etc. So I am not an enemy of drones as they come onto our national stage. I simply want the adoption of drones, the incorporation of drones, to be done safely.
As far as the SAASM receivers being used in civilian drones, these are the SAASM-type receivers that are typically used in military context. I don't think it's likely that we'll see SAASM military-grade receivers incorporated into civilian drones. These have been a huge logistical headache for the military. You have to re-key them every few months and you have to keep them only in a trusted community. I don't see them proliferating among civilians.
And what about redundancies on UAVs that can help protect against any kind of GPS sabotage or GPS hacking like we've done? I believe that is a good way forward; unfortunately most of the drones today don't have a sufficient sense of paranoia about their GPS readout, so they don't double-check things. We shouldn't also be lulled into any kind of false sense of security here: to the extent that you depend on GPS, to the extent that you use it in any way - civilian GPS - you are vulnerable to a spoofing attack. So even though you might have other sensors against which you are cross-referencing GPS, those sensors tend to drift in the case of inertial sensors or altimeters, etc. We tend to always go back to GPS as the bedrock against which we compare these drifts and estimate biases. So if an attack is carried out slowly, under the drift rate of your inertial measurement package, for example, then it can still be effective and dangerous. So I would caution against too much optimism in what we can do by just cross-checking against our sensors.
Charette: And I am assuming that if you put in some of these, what would be considered military-grade systems that the cost of these commercial drones would skyrocket fairly quickly anyway.
Humphreys: Oh yes. And the high cost militates against some of the wonderful uses of smaller drones. The drone that we purchased, for example, has a very small u-blox chip that is used as its GPS receiver. It’s a beautiful chip, wonderful and cheap and low power and very powerful, very effective; it just happens to have a vulnerability to GPS spoofing.
Charette: Right. Now it’s also interesting when I was doing some background research into the story is that it's not only for drones, it’s also for aircraft, and vehicle navigation systems. But I also read some research that said that GPS spoofing could also affect smart grids and even financial markets. Could you talk just a little bit about that?
Humphreys: Well sure. One of the little-known facts about GPS is that it's used for timing almost as much as it's used for positioning. And in our critical national infrastructure, we've got GPS there helping to synchronize different nodes and networks, synchronize the power grid, synchronize financial transactions and time-stamp those transactions. So, here we have GPS antennas hanging out in the clear in the open because we need a clear view of the sky and the timing on those receivers can be manipulated by a spoofing attack. We’ve demonstrated this here in our laboratory. We’ve even demonstrated this last week at White Sands where from about a kilometer away, we move the timing off on a GPS device that is used to synchronize so-called phasor measurement units in the power grid. And this was just as easy as it was to do in the laboratory.
Charette: I’m not sure if I'm happy to hear that or not, to be honest. But again, it is a major worry. If you had to sum up what you would like to see happen to address this GPS spoofing issue that you’ve demonstrated, what would you like to see in the next year? For instance, what concrete actions could the FAA or others really take to address this issue?
Humphreys: Bob, I see two ways of going forward. There’s a grass-roots type approach where operators and users of GPS can come up with clever ways, as we've talked about before, to cross-check the GPS readout with other sensors. They can look for signal-processing receiver-autonomous techniques for examining the signals coming into their devices and determining whether they believe they are authentic or not, but there isn't anything foolproof there.
The closest thing we've got to foolproof would be to persuade the GPS Directorate of the Air Force to actually alter the civilian GPS signals coming down from the satellite to add an overlay, a digital signature overlay on those signals, or to modify the spreading codes in such a way you don't ruin the connection with all deployed GPS receivers so it’s backward-compatible, but you allow newer GPS receivers to authenticate the origin of those signals. The trouble is the GPS Directorate is actually willing to look into this but they need funds. If they get a requirement but it doesn't have any funding behind it, then they don’t feel it’s their responsibility to pay for it. My view is that the Department of Homeland Security is the right agency to step up and say, “We will fund this. This is going to be on our dime. The GPS Directorate can go ahead and carry it out, but we will make the sacrifice to fund it.”
Charette: Do you think that is realistic in the financial environment that we’re in or are we going to have to wait for something bad to happen before people are going to take action, do you think?
Humphreys: Well, you know, we are pushing forward here at the laboratory with the grass-roots approach. I guess that expresses my lack of optimism that we will get a top-down fix on this. We wrote several papers on what the top-down fix could look like; how we could add digital signatures to the civilian signals, and we did a deep dive into showing how powerfully that protects your signals from a spoofing attack. We were happy to do that, we just got those papers accepted to be published in peer-reviewed journals, but we're not so optimistic that that’s going to happen, so we're looking for the receiver-autonomous approach, where, you know, we’ll just do it ourselves.
Charette: Right. Well again, we’ve been speaking with Professor Todd Humphreys, Director of the Radionavigation Laboratory at the University of Texas-Austin and I want to thank you for speaking with us today.
Humphreys: Thanks, Bob.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.