Editor’s Note: Logan Scott, a GPS signal expert and a consultant specializing in radio frequency signal processing and waveform design for communications, navigation, and other systems, wrote this report following an incident at the ION GNSS+ 2017 conference in which spoofing by a GNSS signal generator affected numerous smartphones.
Date of Occurrence: September 28, 2017
Location: Portland Convention Center, Exhibition Hall, ION GNSS+2017 Conference
Narrative Description: Starting around 10 am, numerous smartphones began exhibiting abnormal behavior. Some phones showed no effect while others were profoundly impacted to the point where texting, email, etc., would not work. All phones did retain the ability to operate in voice modes. That afternoon, finally recognizing that a spoofing event was in progress, I borrowed a Chronos model CTL3520 directional jamming detector from the NavtechGPS booth (Booth 318), and used it to find and identify the spoofing source within a couple of minutes; it was a GNSS simulator. The simulator had six coaxial output ports, one of which was attached to a “device under test”. The remaining five ports were not properly terminated but had plastic caps over them allowing energy leakage sufficient for phones to lock onto the false signal set for a two booth block radius. The signal generator was set to produce signals for January 12, 2014, with a location set to a location in Europe.
In subsequent interviews I learned that both Android and Apple iPhones were affected but a select phone type (S2) was much more adversely affected since they were alone in buying into the 2014 date. Affected users had carriers that included all the majors: Verizon, AT+T, and T-Mobile, and, cellular coverage was available in the exhibition hall. WiFi coverage was also available with good strength.
Affected phones of several types bought into the incorrect position but I did not receive any reports of them yielding to incorrect time. Nonetheless, recovery was slow. In the screenshot above, my phone was still showing incorrect position in Europe 1.5 hours after exposure. This was discovered after a train ride to downtown Portland when I needed walking directions. Exposure to real signals corrected the problem after about 4 minutes. The long acquisition time was possibly due to faulty almanac and position obtained from the leaky GNSS signal generator. Similar position (but not time) problems were described by several other model phone users.
Affected phones (S2) from one manufacturer experienced much greater impact. Their phones bought into the incorrect time of January 12, 2014 as well. This led to numerous security failures possibly related to invalidated security certificates. Attempts to access email led to “server error” and “invalid attachment” errors. Text message errors and ancient text messages began to appear. Power cycling and hard resets performed in the exhibition hall did not cure the problem. One individual contacted his carrier (T-Mobile) and they sent a time update command to his phone which apparently rejected the command. He went to a service center where after two hours of struggle, they wiped his phone and reinstalled firmware to get to a “factory fresh” state. Another individual was able to manually update time on his S2 phone but only with a bit of ingenuity. Specifically, there was no year entry on the “set date” screen so he rolled time, day by day, all the way through 2014, 2015, 2016 and most of 2017 and then entered the correct time. His phone then recovered. Yet another affected S2 user having an older version of the operating system lost access to his Gmail account and was unable to recover while in the exhibit hall but was able to recover by going outside to clear sky and rebooting the phone.
Observations: This was by no means a sophisticated spoofing attack. It was an accident and there wasn’t even an antenna on the spoofing source which would have extended range considerably. The fact that many affected phones actually read the 50 bps ephemeris stream from the faulty signal generator is evidenced by the fact that some got the date so wrong. This would not have been the case if they were using A-GPS ephemeris from the carrier network.
The fact that this event occurred indoors where no real satellites could be seen (I think) may have made this a more damaging incident. Nonetheless, there were sundry clues available to affected phones that GNSS signals were not trustworthy. Known good time and approximate location was available to many of the phones from authenticated sources (e.g., cellular basestations). The basestation authentication process used in 3G/4G cellular systems is intended to establish the provenance of basestation signals to mobile units. Information derived from such sources could have been given a higher trust than signals from non-authenticated sources such as GPS and GLONASS.
That said, there are vulnerabilities in basestation authentication that need consideration in developing comprehensive trust models. In this particular case, too much trust was afforded GNSS signals and not enough to the cellular basestation time but this is by no means a universal truth. If instead, this had been an IMSI-catcher scenario, type S2 phones might have been better situated to detect the presence an IMSI-catcher and prevent a trackable response or a man in the middle attack. Trust models are not just a question of black and white.
Continuing, the presence of numerous WiFi access points should also have been a clue. WiFi position is a well known and widely used location determination technique. During my train ride, my phone likely saw hundreds of access points geolocated to Portland but it didn’t use this information. Yes, WiFi positioning can also be spoofed but a major discrepancy between WiFi derived position and GNSS derived position should raise suspicions.
Finally, the fact that time moved backwards over 3 years and position shifted by more than 5,000 miles in a few minutes as determined by GNSS should raise suspicions that something is not quite right. This was an extreme case but even a jump of 1/1000 second is very suspicious.
Conclusions: This spoofing event took place in a venue teeming with some of the world’s leading experts on satellite navigation and timing. Spoofing was a major topic of the technical agenda. Yet, it took a few hours for any of us to recognize what was happening. Real world spoofing is unexpected, confusing and the effects can be very strange. Signals based penetration testing is needed in order to understand and correct for any observed deficiencies and to better establish national policy objectives.