Skip to content
Naked Security Naked Security

Suspected mass-spoofing of ships’ GPS in the Black Sea

One ship’s navigation system reported that it was actually on land

Imagine alarms ringing out on more than 20 ships located near the Russian port of Novorossiysk in the Black Sea, as their GPS systems suddenly gave them false readings, placing some inland, some at airports, blinking back and forth between accurate positions and pure fiction.

This type of GPS spoofing has been done before, but the incident in the Black Sea, which happened in June, appears to be the first well-documented account of mass-spoofing happening outside the confines of a university experiment.

Four years ago, students using a blue box about the size of a briefcase showed us it was possible to fool the GPS navigation system of an $80 million super-yacht. Their spoofing device – cobbled together for about $1000 – sent counterfeit signals that slowly, subtly overpowered the authentic GPS signals until the ship ultimately came under their control.

Under the direction of University of Texas/Cockrell School of Engineering Assistant Professor Todd Humphreys, the yacht takeover – along with the school’s hijacking of a drone a year earlier – were both designed to shed light on the perils of navigation attacks, serving as evidence that spoofing is a serious threat to marine vessels and other forms of transportation.

Now, with what looks to be real-world spoofing of ships in the Black Sea, Humphreys’ warnings seem prescient.

According to the Norwegian news outlet NRK, the spoofing attack was first reported by Maritime Executive.

Maritime Executive picked up on an unconfirmed report of GPS interference in the Black Sea, posted by the US Dept. of Transportation’s Maritime Administration (MARAD) on 22 June.

This is the report made from one of those ships to the US Coast Guard Navigation Center:

GPS equipment unable to obtain GPS signal intermittently since nearing coast of Novorossiysk, Russia. Now displays HDOP 0.8 accuracy within 100m, but given location is actually 25 nautical miles off…

In fact, the ship’s navigation system reported that it was on land, close to an airport in the Russian city of Gelendzhik. Within a few days, over 20 ships, all in the same area, had reported similar anomalies.

According to Dana Goward, the president of the Resilient Navigation and Timing (RNT) Foundation – a non-profit which, in part, monitors GPS incidents – this wasn’t an isolated incident, though it is the first well-documented account of mass GPS spoofing:

The RNT Foundation has received numerous anecdotal reports of maritime problems with the automatic identification system (AIS), a tracking system used for collision avoidance on ships, and with GPS in Russian waters, though this is the first well-documented public account.

GPS signals going awry near the Kremlin is a well-known phenomenon.

NRK Moscow correspondent Morten Jentoft has posted a short video demonstrating that when he’s near the Kremlin, his cell phone shows that his location has been spoofed to be at an airport that’s over 40 kilometers away (to see English subtitles click on Subtitles/closed captions). Others reportedly claim similar GPS glitches near President Vladimir Putin’s residence at the Black Sea.

GPS is crucial for many applications. The Global Positioning System’s 24 satellites beam down a radio signal to feed positioning information to all manner of vehicles and devices from our phones, to our drones, and to the navigation systems on ships. Those satellites fly in medium Earth orbit, which is more than 20,000 kilometers (12,550 miles) above the planet’s surface. That distance makes the GPS signal strength quite low by the time it reaches the Earth. Given how weak the signal is, it’s not hard to overpower them with stronger signals sent from a hacker’s rig that’s nearer the target.

Since Humphreys’ graduate students spoofed the yacht’s GPS with their $1000 homemade kit, spoofers have gotten a whole lot cheaper. You can ruin a game of Pokémon Go with a HackRF One, for example, for less than $300. It can transmit on frequencies between 1 MHz and 6 GHz, which covers most of the modern radio spectrum, including the frequency used by GPS.

In 2015, fully cognizant of the ease of GPS spoofing, the US Naval Academy opted to reinstate instruction of celestial navigation – that is, navigating by the stars – for the first time in 10 years.

Wired talked to one of the captains of a ship involved in the Black Sea mass-GPS spoofing. Fortunately, he said, his ship can survive without GPS, as it has backup navigation. When the ship’s systems went offline, Gurvan Le Meur told Wired, he relied on radar and dead reckoning.

Le Meur says that every time his ship returns to the same area, his GPS once again gets disrupted. Nowadays, his crew just turns it off on arrival so they don’t have to listen to the alarms.

But for any ships relying solely on GPS, operating on auto-pilot or in conditions that make other forms of navigation difficult, GPS-spoofing can mean they’re literally stumbling around in the dark.

Some experts have interpreted the incident as an intentional attack.

Goward:

What this case shows us is there are entities out there that are willing and eager to disrupt satellite navigation systems for whatever reason and they can do it over a fairly large area and in a sophisticated way. They’re not just broadcasting a stronger signal and denying service this is worse they’re providing hazardously misleading information.


5 Comments

THIS is why the whole concept of autonomous vehicles, whether on land or sea or in the air, is essentially a disaster waiting to happen.

Years ago I got my first Garmin and took it on vacation in Baltimore. It was an immense help in a new city, but I expect we weren’t the only ones to adopt the tech…we laughed at a 3D billboard depicting a car sticking out of the wall saying, “My GPS told me to go straight!” It was a good reminder that GPS (to paraphrase Mr. Miyagi) will never replace one’s eyes, ears, and brain.

However with this news it appears the same fate might befall me, irrespective of how well I can recognize and mitigate my own limitations.

Two things here interference and spoofing. Here is a defence against spoofing.

GPS should be two aerial/receiver coupled with GPS compass (ie relying on two positions to determine ‘North’.

Compare GPS head with gyrocompass head (there will be some NEMA gadget already but a 14 year old could knock one up if there isn’t) and give alarm if they deviate.

Of course one needs another method to replace GPS for position fixing once the alarm is given but I recall us being able to do this without man made satellites for most of my time at sea and I hear tell that they have been doing it since Reverend Nevil Maskelyne’s time too.

Whether it be a cargo ship or a fridge. IoT offers amazing benefits but they are massively susceptible to unscrupulous individuals, organizations or governments. I think people must continue to learn ‘traditional’ skills in the event of such outages.

The trouble is that not everything has a person on board. Economics will push us in the direction of drone cargo ships, trucks, planes etc. Don’t get me started on IoT… we just aren’t ready.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?