Security

Spoofing the GPS on Satellite Phones

Electronics For You • December 2010 • www.efymag.com • p. 66

It is believed that Pakistani intelligence agencies are assisting the terrorists in Kashmir by 'spoofing' the signals of the Thuraya satellite phones that the terrorists use, so as to mislead Indian intelligence agencies about their actual location. This article examines whether this is possible or not and, if possible, what countermeasures can be taken to detect or thwart spoofing.

Dr N.C. Asthana

The Indian media, citing government sources, claims that Pakistani intelligence agencies are assisting the terrorists in Kashmir by 'spoofing' the signals of the Thuraya satellite phones that the terrorists use. Since intelligence agencies supposedly monitor the terrorists' use of satellite phones, it is believed that the purpose of such spoofing is to make it impossible for the Indian intelligence agencies to track the location of such satellite phones by making the in-built GPS of the satellite phone give out deliberately wrong coordinates of the handset. Should this be correct, it is a very serious matter, because it will be difficult to interdict such terrorists in the first place, and Pakistan can also easily deny that its soil is being used for assisting the terrorists. Since spoofing is a complex subject and little is known about it even amongst most communication engineering professionals, here I present a concise overview of the subject.

Spoofing: more serious than jamming

The popular belief and media perception is that powerful transmitters have been set up across the Line of Control and the international border dividing India and Pakistan, blanking out signals from the Thuraya phones used by terrorists. This is not correct. The strength of the GPS signal at the earth's surface averages -160 dBW. While many GPS receivers accept a wide range of input signal levels, that headroom is exactly what allows a slightly stronger counterfeit signal to override the authentic GPS signals. One does not require powerful transmitters set up by a nation for that; even low-power transmitters would do the job.

Spoofing is completely different from jamming. A spoof is defined as a malicious signal that overpowers the authentic signal and misleads the receiver into using a forged signal for further processing. Spoofing could be done to gain access to services that are restricted to a certain geographic area (such as a particular game broadcast) or to hide the location of a shipment that is being remotely tracked.
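As an added illustration (my own, not part of Dr Asthana's article) of why low-power transmitters suffice, the Python below takes the -160 dBW figure quoted above and works out, with the Friis free-space path-loss formula, the EIRP a spoofer needs at a few distances for its replica to arrive a chosen margin above the authentic signal. The 3 dB margin, the isotropic antennas, the distances and the -150 dBW power-monitor limit are all assumptions made for the example.

```python
import math

C = 299792458.0               # speed of light, m/s
GPS_L1_HZ = 1575.42e6         # L1 carrier
AUTHENTIC_RX_DBW = -160.0     # C/A received power at the earth's surface, as quoted in the article


def fspl_db(distance_m, freq_hz=GPS_L1_HZ):
    """Free-space path loss (Friis) in dB between isotropic antennas."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C)


def required_eirp_dbw(distance_m, margin_db, authentic_dbw=AUTHENTIC_RX_DBW):
    """EIRP the spoofer must radiate so its replica arrives margin_db above the authentic signal."""
    return authentic_dbw + margin_db + fspl_db(distance_m)


def received_dbw(eirp_dbw, distance_m):
    """Power at the target antenna for a given EIRP and range (free space)."""
    return eirp_dbw - fspl_db(distance_m)


def dbw_to_watts(dbw):
    return 10.0 ** (dbw / 10.0)


def spoof_link_budget(distances_m, margin_db=3.0):
    """For each range: path loss, EIRP needed (dBW and watts) and the resulting spoof/authentic ratio."""
    rows = []
    for d in distances_m:
        eirp = required_eirp_dbw(d, margin_db)
        rows.append({
            "distance_m": d,
            "fspl_db": fspl_db(d),
            "eirp_dbw": eirp,
            "eirp_w": dbw_to_watts(eirp),
            "spoof_over_authentic_db": received_dbw(eirp, d) - AUTHENTIC_RX_DBW,
        })
    return rows


def exceeds_power_monitor(eirp_dbw, distance_m, max_rx_dbw=-150.0):
    """Absolute-power check (assumed limit): a receiver that monitors received power
    rejects anything arriving above max_rx_dbw, so an over-driven spoofer gives itself away."""
    return received_dbw(eirp_dbw, distance_m) > max_rx_dbw


if __name__ == "__main__":
    for row in spoof_link_budget([100.0, 1000.0, 10000.0]):
        print(f"{row['distance_m']:>8.0f} m  FSPL {row['fspl_db']:.1f} dB  "
              f"EIRP {row['eirp_dbw']:.1f} dBW = {row['eirp_w']:.2e} W")
```

At a kilometre the answer is under a microwatt of EIRP, which is the article's point. The same arithmetic shows the other side of it: a spoofer that radiates far more than needed arrives well above the authentic level, and that excess is what an absolute-power check (Method 1 in the countermeasures table later in the article) is built to notice.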
It could also be used by an employee to cheat his employer about his true location, or by a criminal who is being tracked by the law and does not want the tracker to know his correct location.

The objective of jamming is simply to interrupt the availability of GPS signals in space at the receiver. In-band or out-of-band harmonic RF transmissions could mask the weak GPS spread-spectrum signals. The effect is to corrupt the signal at the receiver so that no valid GPS signal can be decoded by the receiver.

Spoofing is more serious than jamming because jamming causes the service to degrade in performance, while spoofing takes control of the user receiver. Jamming is a low-tech method and at best a prank. It would not serve the purpose of terrorists or those assisting them. They must mislead the agencies intercepting the calls, which falls in the realm of spoofing and could be done in two ways: misleading the GPS receiver and misleading the location server.

Misleading the GPS receiver

This involves an attacker providing the receiver with a misleading signal, fooling the receiver into using fake signals in space for its positioning calculations. The receiver produces a misleading position solution. Two basic configurations are possible: GPS signal generator spoofers and GPS receiver spoofers.

GPS signal generator. GPS signal generators that are readily available from several vendors could be used as spoofers. For use as a spoofer, the RF output of the signal generator is amplified and transmitted, possibly using a directional antenna. In this case, the transmitted signals are not phase- and frequency-matched to the GPS signals being received from satellites in the locality, and the navigation data does not replicate the currently active navigation data. Although a receiver could be fooled by this approach, particularly if the target receiver is first jammed and forced to reacquire, the spoofing signal generated in this fashion typically looks like noise, rather than a usable signal, to a receiver that is already tracking the authentic signals.

GPS receiver spoofer. Spoofers in this category are coupled to a GPS receiver. The GPS receiver tracks satellite signals at a location and decodes the navigation data. The spoofer then generates a signal that mimics the incident satellite signals in all respects. Conceivably, a spoofer could add a calculated offset to each satellite signal to compensate for a specified geometric offset to the target GPS antenna. The spoofer is also able to vary the strength of the constituent signals so that they appear at the target antenna with the same relative strengths as the authentic signals. Cornell University's GRID dual-frequency software-defined GPS receiver is an example of this type of spoofer. It can simultaneously track twelve coarse/acquisition (C/A) channels and generate eight C/A spoofing channels. The hardware required for this type of spoofer is neither very costly nor difficult to procure, but the technical knowledge required must be of a high order. The Cornell experiments were widely reported in the media and led to a great deal of speculation.

There are four GPS observables that can be directly measured by a GPS receiver: the GPS message, code ranges, fractional phase ranges and Doppler shift. In a GPS receiver, pseudorandom noise (PRN) code correlation is performed at a high rate to remove the PRN code. The received GPS signal is then filtered to remove the navigation data. After the navigation message is removed, the resulting signal is the Doppler-shifted carrier. The Doppler-shifted carrier is then passed to a phase-locked loop (PLL) and compared with a receiver-generated carrier to get the fractional phase offset.

The GPS message can be spoofed because the PRN code is available to the public. The PRN code ranges of the C/A code and P-code are direct observables. The C/A code repeats every 1 ms (1023 chips), so the code range is ambiguous modulo roughly 300 km; a single chip corresponds to about 293 m of range. The range measurement for the C/A code is the basic observation of GPS receivers and is derived from the time shift between the receiver's locally generated PRN sequence and the PRN sequence modulating the incoming signal. This time shift, however, can be controlled by spoofing [...]
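To make the code-range observable concrete, here is an added Python example (mine, not from the article): it generates the public C/A Gold code for a PRN with the IS-GPS-200 two-register generator, measures code phase by circular correlation against a local replica, and shows both the one-code-period (about 300 km) ambiguity and how a stronger replica at a different delay captures the measurement, which is what a spoofer controls. The 37-chip and 120-chip delays and the 3x spoofer gain are arbitrary choices for the demonstration; the signal model is one noiseless code period with no carrier or Doppler.

```python
C = 299792458.0
CHIP_RATE_HZ = 1.023e6
CODE_LENGTH = 1023
CHIP_M = C / CHIP_RATE_HZ              # ~293.05 m of range per chip
CODE_PERIOD_M = CHIP_M * CODE_LENGTH   # ~299.8 km: the C/A code-range ambiguity

# G2 phase-select taps (1-indexed register stages) for PRN 1..32, from IS-GPS-200 Table 3-I.
G2_TAPS = {
    1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9), 6: (2, 10), 7: (1, 8), 8: (2, 9),
    9: (3, 10), 10: (2, 3), 11: (3, 4), 12: (5, 6), 13: (6, 7), 14: (7, 8), 15: (8, 9), 16: (9, 10),
    17: (1, 4), 18: (2, 5), 19: (3, 6), 20: (4, 7), 21: (5, 8), 22: (6, 9), 23: (1, 3), 24: (4, 6),
    25: (5, 7), 26: (6, 8), 27: (7, 9), 28: (8, 10), 29: (1, 6), 30: (2, 7), 31: (3, 8), 32: (4, 9),
}


def ca_code(prn):
    """Gold code for one PRN: G1 = 1+x^3+x^10, G2 = 1+x^2+x^3+x^6+x^8+x^9+x^10, both seeded with ones.
    Output chip = G1 stage 10 XOR (G2 stage t1 XOR G2 stage t2)."""
    g1, g2 = [1] * 10, [1] * 10
    t1, t2 = G2_TAPS[prn]
    chips = []
    for _ in range(CODE_LENGTH):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        f1 = g1[2] ^ g1[9]
        f2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]
        g1, g2 = [f1] + g1[:-1], [f2] + g2[:-1]   # shift right, feedback enters stage 1
    return chips


def bipolar(chips):
    """Map 0/1 chips to +1/-1 samples so correlation is a plain dot product."""
    return [1.0 if c else -1.0 for c in chips]


def delayed(signal, delay_chips, amplitude=1.0):
    """Replica of `signal` arriving `delay_chips` later (circular over one code period)."""
    return [amplitude * signal[(i - delay_chips) % CODE_LENGTH] for i in range(CODE_LENGTH)]


def mix(*signals):
    """Superpose several arriving replicas sample by sample."""
    return [sum(v) for v in zip(*signals)]


def code_phase(received, local):
    """Circular correlation of the received samples against the local replica.
    Returns the delay (chips) of the strongest peak and the peak value."""
    corr = [sum(r * local[(i - d) % CODE_LENGTH] for i, r in enumerate(received))
            for d in range(CODE_LENGTH)]
    best = max(range(CODE_LENGTH), key=corr.__getitem__)
    return best, corr[best]


def measured_code_range_m(prn, true_delay_chips, spoof_delay_chips=None, spoof_gain=3.0):
    """Code range a receiver reports for `prn` when the authentic signal arrives after
    true_delay_chips, optionally with a stronger spoofing replica at spoof_delay_chips."""
    local = bipolar(ca_code(prn))
    rx = delayed(local, true_delay_chips)
    if spoof_delay_chips is not None:
        rx = mix(rx, delayed(local, spoof_delay_chips, spoof_gain))
    delay, _ = code_phase(rx, local)
    return delay * CHIP_M


if __name__ == "__main__":
    print("PRN 1 first 10 chips:", "".join(map(str, ca_code(1)[:10])))       # 1100100000 (octal 1440)
    print("authentic, 37 chips:     %.1f m" % measured_code_range_m(1, 37))
    print("authentic + 1 ms:        %.1f m (same: %.0f km ambiguity)"
          % (measured_code_range_m(1, 37 + 1023), CODE_PERIOD_M / 1000))
    print("3x replica at 120 chips: %.1f m" % measured_code_range_m(1, 37, spoof_delay_chips=120))
```

The Gold code autocorrelation sidelobes never exceed 65 out of 1023, so a replica only a few dB stronger than the authentic signal wins the peak search outright; this is the mechanism behind the definition of a spoof as a signal that overpowers the authentic one. A real receiver tracks the peak with a delay-lock loop rather than re-searching every period, which is why the literature stresses aligning the counterfeit with the authentic code phase before raising its power.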
[...] not need to avoid cross-checking at the spoofed receiver, the position solution can be forged in advance and the pseudo-range model then used again to get a time sequence of spoofed pseudo-ranges.

In one possible application of this sort of spoofing, consider spoofing of the vessel monitoring system (VMS). The VMS (typically employing GPS today) records the voyage of the vessel and automatically provides the data to the fisheries monitoring centre of the EU member state where the vessel is registered, as well as to the member state in whose waters the vessel is fishing. Naturally, the data can be used to detect passage into waters for which the vessel is not licensed.

In this case of spoofing, the intent of the operator would be to log a fictional voyage that does not disclose illegal fishing activities. In such a situation, all the spoofer has to do is to disconnect the GPS antenna and attach a local GPS signal generator instead. Simple GPS fraud kits are available for about $2535 that could feed spoofed signals into the RS-232 port of the VMS after disabling the antenna and opening the VMS box. There are also sophisticated GPS signal simulators available for about $126,700 that could be connected to, or radiated towards, the VMS unit.

Countermeasures to receiver-end spoofing

As a one-way broadcast system, GPS is not immune to spoofing attacks, except for the Y-code, whose encryption algorithm is unavailable to civilian users. A spoof can never be detected using check matrices, like the CRC check, in the digital domain, because the spoofer transmits a well-formed signal. However, it is possible to detect it by cross-checking the observables, the intermediate measurements and the positioning solutions. Various countermeasures to receiver-end spoofing are summarised in the table.

Countermeasures to receiver-end spoofing

Method    | Test statistic                                | Function                                                        | Limitation
Method 1  | Absolute signal power                         | Limit the spoof signal power                                    | Antenna attitude and environment related
Method 2  | Signal power changing rate                    | Detect a stationary spoofing station                            | Antenna attitude and environment related
Method 3  | Relative signal strengths on all carriers     | Detect spoofing on a single carrier                             | Affected by ionospheric refraction
Method 4  | Range rate                                    | Bound the phase and code range rate                             | Related to the GPS receiver's direction of motion
Method 5  | Doppler shift                                 | Detect a spoof that uses one transmitter to spoof all satellites | None
Method 6  | Correlation peaks                             | Correlate the L1/L2 binary message                              | Low performance on Y-code
Method 7  | GPS signal after removing all navigation data | Recover authentic data                                          | Requires a low spoof/authentic signal power ratio
Method 8  | Range differences: phase/code, L1/L2          | Identify the signal source                                      | Needs an L1/L2 receiver
Method 9  | Ephemeris data                                | Verify ephemeris data                                           | None
Method 10 | Signal power and data                         | Jump detection                                                  | None

We could also use angle-of-arrival discrimination. It uses a dual-antenna receiver based on observation of L1 carrier-phase differences between multiple antennae referenced to a common oscillator. If the measured delta-phase values do not agree with the expected phase profiles within bounds set by the expected noise and attitude uncertainty, a spoofing signal is identified. For a spoofer to defeat the algorithm as implemented, the spoofing system must emulate the expected carrier-phase deltas between the pair of antennae for all satellites in track. This geometry cannot be emulated for several satellites if the spoofer is limited to one transmitting antenna. A spoofer with two separate points of transmission might be able to defeat the algorithm. However, this would also require the spoofer to know the geometry of the GPS antenna array, locate a matched transmitter antenna very close to each GPS antenna, and deal with multipath, signal leakage and self-interference problems.

Why is spoofing the military GPS difficult?

While the GPS P(Y)-code is encrypted and thus hard to spoof, the civilian GPS signal (the C/A code) is easy to spoof because the signal structure, spread-spectrum codes and modulation methods are open to the public. This could make you think of a frightening scenario where terrorists mislead the GPS of GPS-guided missiles and bombs so that they hit an unintended target, thereby precipitating a crisis.

Manipulating the military GPS is, however, much more difficult. Considerable research has been carried out in this regard. The security design of the M-code signal is based on next-generation cryptography and other aspects, including a new keying architecture. The modulation of the M-code signal is a binary offset carrier signal with a subcarrier frequency of 10.23 MHz and a spreading code rate of 5.115 MHz, denoted BOC(10.23,5.115) or BOC(10,5) modulation; the spreading code transitions are aligned with the square-wave subcarrier transitions. Spreading and data modulations employ biphase modulation, so that the signal occupies one phase quadrature channel of the carrier. The spreading code is a pseudorandom bitstream from a signal protection algorithm, having no apparent structure or period.
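The angle-of-arrival check described under the receiver-end countermeasures, as an added Python example (mine, not the article's or any receiver vendor's code): for a two-antenna receiver the expected fractional L1 carrier-phase difference for each satellite is the baseline vector dotted with the line-of-sight unit vector, divided by the wavelength. Replicas radiated from a single spoofing antenna all share the spoofer's line of sight, so their phase deltas cannot match the constellation geometry and the check flags them. The satellite azimuths and elevations, the 1 m east baseline, the spoofer direction, the per-channel noise values and the 0.05-cycle tolerance are all constructed for the example.

```python
import math

L1_WAVELENGTH_M = 299792458.0 / 1575.42e6   # ~0.1903 m

# Constructed sky: PRN -> (azimuth deg, elevation deg) as seen from the receiver.
SATELLITES = {3: (45.0, 60.0), 7: (130.0, 30.0), 12: (220.0, 45.0), 19: (300.0, 15.0), 24: (10.0, 70.0)}
# Antenna B relative to antenna A, local east/north/up in metres (constructed 1 m east baseline).
BASELINE_ENU_M = (1.0, 0.0, 0.0)
# Constructed, deterministic receiver phase noise per channel, in cycles.
PHASE_NOISE_CYCLES = {3: 0.004, 7: -0.006, 12: 0.003, 19: -0.002, 24: 0.005}
SPOOFER_DIRECTION = (200.0, 5.0)   # constructed: one spoofing antenna, low on the horizon
TOLERANCE_CYCLES = 0.05            # assumed bound for noise plus attitude uncertainty


def los_unit_enu(az_deg, el_deg):
    """Unit vector from the receiver towards a satellite, in east/north/up."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def expected_delta_phase(baseline_enu_m, los_unit):
    """Fractional carrier-phase difference (cycles) between the two antennas for a plane
    wave arriving along los_unit: path difference b.u divided by the wavelength."""
    path_diff_m = sum(b * u for b, u in zip(baseline_enu_m, los_unit))
    return (path_diff_m / L1_WAVELENGTH_M) % 1.0


def expected_profile(satellites=SATELLITES, baseline=BASELINE_ENU_M):
    """Expected delta phase for every satellite in track, from the known geometry."""
    return {prn: expected_delta_phase(baseline, los_unit_enu(*azel)) for prn, azel in satellites.items()}


def authentic_measurements():
    """Deltas when every satellite really arrives from its own direction (expected plus noise)."""
    return {prn: (delta + PHASE_NOISE_CYCLES[prn]) % 1.0 for prn, delta in expected_profile().items()}


def single_transmitter_spoof_measurements():
    """Deltas when all channels are replicas radiated from one spoofing antenna:
    the same arrival geometry for every PRN, whatever satellite it claims to be."""
    spoof_delta = expected_delta_phase(BASELINE_ENU_M, los_unit_enu(*SPOOFER_DIRECTION))
    return {prn: (spoof_delta + PHASE_NOISE_CYCLES[prn]) % 1.0 for prn in SATELLITES}


def wrap_cycles(x):
    """Wrap a phase difference into [-0.5, 0.5) cycles."""
    return (x + 0.5) % 1.0 - 0.5


def flag_inconsistent_channels(measured, tolerance=TOLERANCE_CYCLES):
    """PRNs whose measured delta disagrees with the expected geometry beyond the tolerance."""
    expected = expected_profile()
    return sorted(prn for prn, m in measured.items() if abs(wrap_cycles(m - expected[prn])) > tolerance)


if __name__ == "__main__":
    print("authentic sky, flagged PRNs:", flag_inconsistent_channels(authentic_measurements()))
    print("single-antenna spoofer, flagged PRNs:", flag_inconsistent_channels(single_transmitter_spoof_measurements()))
```

The integer number of wavelengths across the baseline drops out in the modulo, which is why the method works on fractional phase alone. A spoofer direction that happens to produce the same fractional delta as one real satellite would leave that single channel unflagged; the decision should therefore be taken on the set of channels, not on any one of them.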
The baseline acquisition approach uses direct acquisition of the M-code navigation signal, obtaining processing gain through the use of large correlator circuits in the user equipment. The M-code signal has been designed for autonomous acquisition, so a receiver can acquire the M-code signal without access to the C/A code or Y-code signals.

Misleading the location server

Typically, the location server (LS) in a system is a secure user plane location (SUPL) platform (OMA-AD-SUPL). It may be a serving mobile location centre (SMLC) in a GSM network (3GPP TS 23.271), a standalone SMLC (SAS) in a UMTS network (3GPP TS 23.271) or another type of network node. The SUPL location platform (SLP) is a network entity on the Internet that is used to facilitate location. The user-plane location protocol (ULP) is an HTTP-based protocol used between the SLP and the SUPL-enabled terminal (OMA-TS-ULP). The SLP has a connection to a global navigation satellite system (GNSS) reference server in order to retrieve and cache assistance data.

Location requests are initiated either from the SUPL-enabled terminal (SET), which is known as a SET-initiated transaction, or from the network, which is known as a network-initiated transaction. A network-initiated request is made by a location-based application (LBA), which sends a request to the SLP for the location of a particular handset. The SLP performs the messaging with the SET and determines the location before returning that location to the LBA.

When an A-GPS location fix is required, the SLP calculates the GPS assistance data that is specific to the approximate location of the SET. When the SET is in a cellular network, the approximate location generally comes from the coverage area of the serving cell. The SET provides the identification of the cell (cell-ID) to the SLP. The SLP determines which satellites are in view from the approximate location and provides the SET with assistance data for those satellites.

The assistance data types sent to the SET depend on the mode of A-GPS. In handset-based A-GPS, the SLP generally provides the navigation model, ionosphere model, reference time and reference location. The handset uses this information to lock onto the satellites and calculate a location. It then returns the location to the SLP. In handset-assisted mode, the SLP provides the acquisition assistance and the reference time for the handset to lock onto the satellites and return the measurements to the SLP. The SLP then invokes the position calculation function in order to calculate the location of the handset.

The spoofer must provide GPS measurements that result in the LS calculating the location desired by the spoofer (or attacker). For the network-initiated case, once the LS (SLP) determines the location of the handset, the location is provided to the network entity that requested it. If the LS is trusted by the recipient of the location, the location is considered to be valid even though it may not be.

The aim of the spoofer is to convince the LS to provide the location that the attacker desires. The attacker does this by falsifying (or spoofing) the measurement data such that the location provided by the LS is effectively predetermined by the attacker.

In order to spoof his location, the spoofer needs the satellite ephemeris. The ephemeris may come from a request to the SLP for assistance data. Alternatively, the ephemeris may come from another source such as the Internet. One source of the orbital data is the International GNSS Service (IGS). This is used to determine the location of the satellites for the given time. The spoofer calculates the range of each satellite in view from the desired location and uses that as the basis for determining the pseudo-range measurements. The measurements are generally converted into pseudo-ranges by simulating a clock error and introducing other errors such as the ionosphere, troposphere and other random errors.

The key piece of information that the spoofer needs to provide to the SLP is the cell-ID. From that, the SLP will look up the coverage area of the cell and calculate the assistance data. The SLP also uses this coverage area as the initial location estimate for the position calculation function (PCF). The cell-ID is also often used for location assurance on the SLP, so the spoofed location must lie within the coverage area of the cell claimed. For the spoofer, one way of knowing the cell-IDs is to log cell-IDs against locations and build up a database over time.

Countermeasures to location server spoofing

This kind of spoofing can also be detected by the server. A server with anti-spoofing capability will be able to detect the measurements being spoofed. Some of the obvious signs of spoofing on the server are:
1. Clock error: The receiver clock error is very small, less than 1×10^-10 second.
2. Residuals: The residuals calculated as part of the least squares process are very small.
3. Uncertainty ellipse: The uncertainty ellipse is very small (less than one metre of uncertainty).
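The measurement forging described under 'Misleading the location server', together with the receiver-spoofer idea from earlier in the article (adding a calculated offset to each satellite signal) and the server-side signs just listed, as one added Python example that is not from the article or from any SLP vendor. The satellite positions, the true and desired handset positions, the per-satellite error terms and the clock bias are constructed; position_calculation is a textbook iterative least-squares solver standing in for a real PCF; the 1×10^-10 s and 0.1 m thresholds are assumptions.

```python
import math

C = 299792458.0  # m/s

# Constructed satellite positions (metres) in an ECEF-like frame, about 26,560 km from the origin.
SATS = [
    (26560e3, 0.0, 0.0), (20000e3, 15000e3, 8000e3), (20000e3, -12000e3, 13000e3),
    (18000e3, 5000e3, -19000e3), (22000e3, -14000e3, -6000e3), (17000e3, 18000e3, -9000e3),
]
TRUE_POS = (6371.0e3, 0.0, 0.0)             # where the handset really is (constructed)
DESIRED_POS = (6370.9e3, 30.0e3, -20.0e3)   # where the attacker wants the server to put it (constructed)
NOISE_M = [3.1, -4.2, 1.6, -2.4, 5.0, -1.3]  # constructed per-satellite error terms a careful spoofer adds
HANDSET_CLOCK_BIAS_S = 2.5e-4                # simulated handset clock error (assumption)


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def replica_offsets_m(true_pos, desired_pos, sats):
    """Receiver-spoofer side: extra delay (metres) per satellite replica so that an antenna
    at true_pos observes the code phases it would observe at desired_pos."""
    return [distance(desired_pos, s) - distance(true_pos, s) for s in sats]


def forge_pseudoranges(desired_pos, sats, clock_bias_s, noise_m):
    """Location-server side: pseudoranges the spoofer reports, built from geometric ranges
    to the desired position plus a simulated clock bias and error terms."""
    return [distance(desired_pos, s) + C * clock_bias_s + n for s, n in zip(sats, noise_m)]


def solve_linear(A, b):
    """Gaussian elimination with partial pivoting, for the 4x4 normal equations."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][k] * x[k] for k in range(i + 1, n))) / M[i][i]
    return x


def position_calculation(pseudoranges, sats, initial=(6.4e6, 0.0, 0.0), iterations=10):
    """Textbook iterative least-squares PCF for (x, y, z, clock bias). Returns the fix, the
    clock bias in seconds and the post-fit residual RMS in metres. Not any vendor's PCF."""
    x, y, z, b = initial[0], initial[1], initial[2], 0.0
    for _ in range(iterations):
        H, dz = [], []
        for s, pr in zip(sats, pseudoranges):
            r = distance((x, y, z), s)
            H.append([(x - s[0]) / r, (y - s[1]) / r, (z - s[2]) / r, 1.0])   # partials wrt x, y, z, bias
            dz.append(pr - (r + b))                                          # prefit residual
        HtH = [[sum(h[i] * h[j] for h in H) for j in range(4)] for i in range(4)]
        Htz = [sum(h[i] * d for h, d in zip(H, dz)) for i in range(4)]
        dx, dy, dzz, db = solve_linear(HtH, Htz)
        x, y, z, b = x + dx, y + dy, z + dzz, b + db
    residuals = [pr - (distance((x, y, z), s) + b) for s, pr in zip(sats, pseudoranges)]
    rms = math.sqrt(sum(v * v for v in residuals) / len(residuals))
    return {"position": (x, y, z), "clock_bias_s": b / C, "residual_rms_m": rms}


def spoof_indicators(solution, min_clock_bias_s=1e-10, min_residual_m=0.1):
    """Server-side checks from the article: a near-zero clock error or near-zero residuals
    are signs of forged measurements. Thresholds are assumptions for this example."""
    flags = []
    if abs(solution["clock_bias_s"]) < min_clock_bias_s:
        flags.append("clock_error_too_small")
    if solution["residual_rms_m"] < min_residual_m:
        flags.append("residuals_too_small")
    return flags


def naive_spoof_fix():
    """Pseudoranges copied straight from geometry: no clock error, no noise."""
    return position_calculation(forge_pseudoranges(DESIRED_POS, SATS, 0.0, [0.0] * len(SATS)), SATS)


def careful_spoof_fix():
    """Same target position, but with a simulated clock bias and a few metres of error per satellite."""
    return position_calculation(forge_pseudoranges(DESIRED_POS, SATS, HANDSET_CLOCK_BIAS_S, NOISE_M), SATS)


if __name__ == "__main__":
    print("replica delays (m):", [round(v, 1) for v in replica_offsets_m(TRUE_POS, DESIRED_POS, SATS)])
    for name, fix in (("naive", naive_spoof_fix()), ("careful", careful_spoof_fix())):
        print(name, [round(v) for v in fix["position"]], "%.3e s" % fix["clock_bias_s"],
              "%.3f m" % fix["residual_rms_m"], spoof_indicators(fix))
```

A naive spoofer that reports pure geometric ranges gets a bit-exact fix with zero clock error and zero residuals, which trips both checks; a more careful spoofer, adding a clock bias and a few metres of error per satellite as the article goes on to describe, lands within metres of the desired point and passes. The uncertainty ellipse (sign 3) is derived from the same residual variance and the inverse of the HtH matrix and is left out here.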
A more clever spoofer will manipulate the measurements by introducing some random errors into each measurement. He will also shift all the measurements by a fixed amount in order to simulate a handset clock error. He may also send a subset of the satellite measurements instead of the complete set of satellites in view.

Architecture of satellite telephone communication interception systems

Monitoring systems are commercially available. These systems log the location of Thuraya handsets operating within user-selected spot beams and the telephone numbers with which they communicate.

Thuraya has a pair of signaling channels. One is transmitted at L-band by the satellite and received by all Thuraya phones in the spot beam. This signaling channel is called the broadcast common control channel (BCCH). In addition to the BCCH, the access-grant control channel, paging-control channel, frequency-correction channel and basic alerting channel are time-division-multiplexed on the same carrier. The other signaling channel is called the random-access control channel (RACH). It provides access to the network for Thuraya phones. All Thuraya phones within the spot beams transmit bursts at L-band on the RACH channel. The satellite relays these bursts to the primary gateway (PGW) at C-band.

The interception systems typically use a scanning technique to identify the C-band downlink frequencies for spot beams of interest. These channels can subsequently be monitored to record the position of mobiles operating within that spot beam and to capture details of the telephone numbers that the mobiles contact. The scanning process is performed once in 24 hours, as the frequencies used are dynamically allocated and changed periodically by the Thuraya satellite. The position of the target is known to within GPS accuracy (typically 10-20 metres under current conditions). GIS mapping software is integrated with the system to plot the location of the target set.

Each receiver is independently tunable to any spot beam of the Thuraya network. The interception system monitors the L-band link from the mobile to the satellite and the C-band feeder link from the satellite to the earth station. Since the power transmitted by the mobile handset on the uplink is very low and so difficult to monitor, the system monitors this information on the C-band downlink (satellite to earth). It automatically maps the uplink RACH control channel and the appropriate TCH channel of the suspect's handset at C-band to the appropriate L-band downlink channel of the target spot beam. After that, it is only a matter of deciphering the cipher algorithms used on the Thuraya network.

Spoofing: Is it practical?

Location server spoofing, in any case, is not easy to accomplish, as both the hardware and the technical knowledge required are not easy to come by. It is difficult to believe that the terrorists or the Pakistani intelligence agencies have this level of technical know-how. Further, the costs involved also need to be kept in mind. The immense cost would not really be worth the trouble.

In any case, in spite of the popular belief, so far not a single Thuraya set has been recovered that could be stripped and analysed to prove that it is spoofed or that its hardware has been modified to mislead the LS. But given that scores of terrorists have been killed by the security forces and huge quantities of arms, ammunition and communication equipment recovered from them, how is it that not even a single Thuraya phone with the required modifications has been recovered yet?

There is a good reason why the handset cannot be recovered. If it is accepted that Pakistani intelligence agencies are spoofing the Thuraya sets so that their location may not be known, and hence the complicity of Pakistan in the affair may be denied, why would they run the risk of giving such sets to the terrorists? They know well that terrorists may be killed and the phones recovered from them. In that case, spoofed phones would make for incontrovertible evidence of their complicity, thereby defeating the very purpose of the entire exercise. The risk is not worth the trouble.

There is little that can be done to prevent dynamic spoofing of the LS, if at all it is being done. Spoofing can be detected at the server, but getting the original signal is difficult or at least not worth the effort. It therefore makes little sense to cry about it.

All the commercially available interception systems use proprietary technologies. These have therefore not been subjected to peer-reviewed research in which the functioning of their systems and sub-systems is systematically analysed for the possibility of the unintended introduction of such errors. In all probability, the time-variable GPS coordinates which the intelligence agencies are supposedly getting, and which they think are due to dynamic spoofing, are to be attributed to hitherto unknown measurement errors or system errors in their interception systems.

The author is a Ph.D. in physics and an IPS officer posted as the Inspector General of Police (Operations), CRPF, in Kashmir. He has considerable experience in communications intelligence, having worked in the Intelligence Bureau for nearly a decade. The current subject is one with which he, as IG of CRPF in Kashmir in charge of the operations of 28 battalions, is involved on a daily basis.