How GPS works and how to spoof GPS signal

What is GPS?

GPS, the Global Positioning System, is a satellite-based navigation system made up of a constellation of at least 24 satellites. It provides continuous, real-time position, navigation and timing worldwide, regardless of weather conditions.

How does GPS work?

GPS consists of three segments:

  • The control segment: the ground stations that monitor and command the satellites, compute and upload the satellite ephemeris, and keep the system time, correcting it whenever necessary.
  • The user segment: all civilian and military users with their respective GPS receivers.
  • The space segment: 21 operational satellites plus 3 spares in case any of them fails.

GPS positioning is based on distance measurement: every receiver derives the distance to each satellite it can see from the travel time of that satellite's signal, and by combining the distances to several satellites (trilateration) it fixes its own position on the map. Because distance is derived from time, the clocks must be extremely accurate: a deviation of just 1 ms translates into an error of about 300 km, the distance light travels in that time. This is why the satellites carry atomic clocks with a relative frequency stability of approximately \( { 10 }^{ -12 } \). The receiver's own cheap clock is handled by treating its offset as a fourth unknown alongside x, y and z, which is why a fix needs at least four satellites rather than three.
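To make the distance-measurement idea concrete, here is an added example (not code from the original post) that does what a receiver does: it takes pseudoranges to a handful of satellites and solves for x, y, z and the receiver clock offset by Gauss-Newton iteration, starting from the centre of the Earth. The satellite positions, the "true" receiver position and the 1 ms receiver clock error are constructed test values, not real ephemeris. The naive solve at the end ignores the clock term and shows how a 1 ms error turns into hundreds of kilometres of position error.

```python
# Added example (not from the original post): how a receiver turns ranges to
# satellites into a position. Satellite positions, the receiver position and the
# receiver clock error below are constructed test values, not real ephemeris data.
import math

C = 299_792_458.0  # speed of light [m/s]: a 1 ms clock error is ~300 km of range

TRUE_RX = (3967283.154, 1022538.181, 4872414.484)  # constructed ECEF position [m]
TRUE_CLOCK_BIAS_S = 1e-3                            # receiver clock runs 1 ms fast


def norm(v):
    return math.sqrt(sum(c * c for c in v))


def unit(v):
    n = norm(v)
    return [c / n for c in v]


def make_constellation():
    """Constructed constellation: five satellites at GPS orbit radius (~26 560 km),
    spread around the receiver's zenith so the geometry is well conditioned."""
    up = unit(TRUE_RX)
    east = unit([-up[1], up[0], 0.0])
    north = [up[1] * east[2] - up[2] * east[1],
             up[2] * east[0] - up[0] * east[2],
             up[0] * east[1] - up[1] * east[0]]
    sats = []
    for e, n in [(0.0, 0.0), (0.7, 0.0), (-0.7, 0.2), (0.1, 0.8), (-0.3, -0.6)]:
        d = unit([up[i] + e * east[i] + n * north[i] for i in range(3)])
        sats.append([d[i] * 26_560e3 for i in range(3)])
    return sats


def pseudorange(sat, rx, clock_bias_s):
    """What the receiver actually measures: geometric range plus its own clock
    error scaled by c. Every satellite's range is shifted by the same amount."""
    return norm([s - r for s, r in zip(sat, rx)]) + C * clock_bias_s


def gauss_solve(A, b):
    """Solve A x = b (small dense system) by Gaussian elimination with pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x


def solve_position(sats, pseudoranges, estimate_clock=True, iters=20):
    """Gauss-Newton fix starting from the Earth's centre. With estimate_clock the
    unknowns are (x, y, z, c*dt), which needs at least four satellites; without
    it the receiver clock is wrongly assumed to be perfect."""
    nunk = 4 if estimate_clock else 3
    x = [0.0] * nunk
    for _ in range(iters):
        H, resid = [], []
        for sat, pr in zip(sats, pseudoranges):
            d = [x[i] - sat[i] for i in range(3)]
            rho = norm(d)
            row = [d[i] / rho for i in range(3)]   # line-of-sight unit vector
            if estimate_clock:
                row.append(1.0)                    # d(pseudorange)/d(c*dt)
            H.append(row)
            resid.append(pr - rho - (x[3] if estimate_clock else 0.0))
        # normal equations H^T H dx = H^T r (least squares when more sats than unknowns)
        m = len(H)
        HtH = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(nunk)] for i in range(nunk)]
        Htr = [sum(H[k][i] * resid[k] for k in range(m)) for i in range(nunk)]
        dx = gauss_solve(HtH, Htr)
        x = [xi + di for xi, di in zip(x, dx)]
        if norm(dx) < 1e-4:
            break
    return x


def demo():
    sats = make_constellation()
    prs = [pseudorange(s, TRUE_RX, TRUE_CLOCK_BIAS_S) for s in sats]
    fix = solve_position(sats, prs)                                    # 4 unknowns, 5 sats
    naive = solve_position(sats[:3], prs[:3], estimate_clock=False)    # 3 unknowns, 3 sats
    return {
        "fix_error_m": norm([fix[i] - TRUE_RX[i] for i in range(3)]),
        "clock_bias_s": fix[3] / C,
        "naive_error_m": norm([naive[i] - TRUE_RX[i] for i in range(3)]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.6g}")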

How to spoof GPS signal?

To spoof GPS signals we are going to use the gps-sdr-sim project and a USRP B210 as the SDR:

For this scenario we will spoof a path, so the first thing we need to do is draw the path in Google Earth:

We save this path as a KML file and open it with SatGen:

This software simulates a receiver travelling along the path; its output is what we turn into the ECEF user motion file that gps-sdr-sim requires. It also lets the user edit other parameters of the user motion.

If you are a Linux/macOS user, you can run it under wine:

Once you are done, set the output frequency to 10 Hz (the rate at which gps-sdr-sim samples the user motion) and click Generate NMEA file.

From gps-sdr-sim/satgen, we convert the NMEA data to the user motion CSV format using nmea2um:

./nmea2um output_nmea_file user_motion.csv

In the image below you can see a route that has been converted from NMEA format to user motion CSV; gps-sdr-sim then turns that file into a file of baseband I/Q samples containing a GPS signal that follows the user motion.

At this step our file is ready to be transmitted with the USRP:
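The SatGen plus nmea2um steps above boil down to one transformation: a track of NMEA GGA fixes becomes a 10 Hz list of ECEF coordinates. The following added example (not code from the original post or from the gps-sdr-sim project) does that transformation in Python so you can see what the user motion file contains and build one from any receiver log. It parses GGA sentences with checksum verification, converts each fix from WGS84 latitude/longitude/height to ECEF, interpolates to 10 Hz and writes the "t,x,y,z" CSV. That column layout is my reading of gps-sdr-sim's readUserMotion(); check it against the circle.csv shipped with the project before relying on it. The GGA sentences are constructed sample input built by a small helper so their checksums are valid.

```python
# Added example, not code from the original post or from the gps-sdr-sim project:
# parse a 1 Hz NMEA GGA track, convert each fix to WGS84 ECEF and resample it to
# the 10 Hz "t,x,y,z" user-motion CSV that gps-sdr-sim reads with -u. The column
# layout is my reading of gps-sdr-sim's readUserMotion(); check it against the
# project's sample circle.csv. The GGA sentences below are constructed sample input.
import math

A = 6378137.0               # WGS84 semi-major axis [m]
F = 1 / 298.257223563       # WGS84 flattening
E2 = F * (2 - F)            # first eccentricity squared


def nmea_checksum(body):
    """XOR of every byte between '$' and '*'."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return c


def gga_sentence(utc, lat_deg, lon_deg, alt_m, geoid_m=0.0, quality=1):
    """Build a GGA sentence with a valid checksum; used here only to construct sample input."""
    def dm(v, deg_width):  # decimal degrees -> NMEA ddmm.mmmm / dddmm.mmmm
        deg = int(abs(v))
        return f"{deg:0{deg_width}d}{(abs(v) - deg) * 60:07.4f}"
    body = (f"GPGGA,{utc},{dm(lat_deg, 2)},{'N' if lat_deg >= 0 else 'S'},"
            f"{dm(lon_deg, 3)},{'E' if lon_deg >= 0 else 'W'},{quality},08,1.0,"
            f"{alt_m:.1f},M,{geoid_m:.1f},M,,")
    return f"${body}*{nmea_checksum(body):02X}"


def parse_gga(sentence):
    """Return (utc_s, lat_deg, lon_deg, ellipsoidal_height_m), or None for
    non-GGA sentences and GGA sentences without a fix. Raises on a bad checksum."""
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence: " + sentence)
    body, cs = sentence[1:].split("*", 1)
    if int(cs[:2], 16) != nmea_checksum(body):
        raise ValueError("bad checksum: " + sentence)
    f = body.split(",")
    if not f[0].endswith("GGA") or f[6] == "0":   # quality 0 = no fix
        return None
    utc = int(f[1][:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    lat = int(f[2][:2]) + float(f[2][2:]) / 60
    lon = int(f[4][:3]) + float(f[4][3:]) / 60
    lat = -lat if f[3] == "S" else lat
    lon = -lon if f[5] == "W" else lon
    # GGA altitude is above mean sea level; ECEF needs height above the ellipsoid
    h = float(f[9]) + (float(f[11]) if f[11] else 0.0)
    return utc, lat, lon, h


def llh_to_ecef(lat_deg, lon_deg, h):
    """WGS84 geodetic latitude/longitude/height -> ECEF metres."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    n = A / math.sqrt(1 - E2 * math.sin(lat) ** 2)
    return ((n + h) * math.cos(lat) * math.cos(lon),
            (n + h) * math.cos(lat) * math.sin(lon),
            (n * (1 - E2) + h) * math.sin(lat))


def nmea_to_user_motion(sentences, rate_hz=10):
    """Resample the track to rate_hz by linear interpolation in ECEF and return
    rows (t, (x, y, z)) with t starting at 0, as gps-sdr-sim expects."""
    fixes = [p for p in map(parse_gga, sentences) if p]
    track = [(t, llh_to_ecef(la, lo, h)) for t, la, lo, h in fixes]
    points = []
    for (t0, p0), (t1, p1) in zip(track, track[1:]):
        steps = int(round((t1 - t0) * rate_hz))   # also bridges gaps in the log
        for k in range(steps):
            a = k / steps
            points.append(tuple(p0[i] + a * (p1[i] - p0[i]) for i in range(3)))
    points.append(track[-1][1])
    # gps-sdr-sim's dynamic mode is limited to 300 s, i.e. 3000 samples at 10 Hz
    return [(i / rate_hz, p) for i, p in enumerate(points)]


def write_user_motion(rows, path):
    with open(path, "w") as fh:
        for t, (x, y, z) in rows:
            fh.write(f"{t:.1f},{x:.3f},{y:.3f},{z:.3f}\n")


# Constructed sample: a 1 Hz track heading north-east; the third sentence lost its fix
SAMPLE_NMEA = [
    gga_sentence("120000.00", 30.0, 120.0, 10.0),
    gga_sentence("120001.00", 30.0001, 120.0001, 10.0),
    gga_sentence("120002.00", 30.0002, 120.0002, 10.0, quality=0),  # dropped
    gga_sentence("120003.00", 30.0003, 120.0003, 10.0),
]


if __name__ == "__main__":
    write_user_motion(nmea_to_user_motion(SAMPLE_NMEA), "user_motion.csv")
```

The resulting user_motion.csv plays the same role as the nmea2um output above: pass it to gps-sdr-sim with -u together with a RINEX navigation file (-e) to generate the I/Q samples. Note that the ellipsoidal height, not the MSL altitude from the GGA sentence, is what the ECEF conversion needs; mixing them up shifts the spoofed position vertically by the geoid separation.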

In the next image you will see an Android device running an app called GPS Test, which monitors GPS status and the signals the device receives. In this case the GPS has a fix from our custom GPS signal :)

The device thinks we are in the Atlantic Ocean:

Cars and drones are also vulnerable to this type of attack (video):

As part of this research we also tried spoofing GPS signals on different Apple devices, and we found that the latest iPhone models have a different GPS chip that makes spoofing the GPS signal more difficult; see Jiao Xianjun on spoofing GPS signals for iPhone.

Thanks to HackSmith (cn0xroot).
