The scenarios developed include novel remote attacks via malicious GPS broadcasts against consumer and professional-grade receivers, which could be launched using $2,500 worth of equipment.
A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks, security boffins from Carnegie Mellon University and firm Coherent Navigation have said in a new paper (PDF).
The stations provide global navigation satellite system data to support "safety and life-critical applications," and NTRIP is the protocol used to stream that data online.
Together, the attack scenarios carried "serious ramifications to safety systems."
"Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack," the team of four researchers said.
Author Tyler Nighswander told SCMagazine.com.au that little was preventing attackers from replicating their custom spoofing hardware to launch the attacks.
"The good news is that, as far as we know, we are the only ones with a spoofing device currently capable of the types of attacks," Nighswander said. "The bad news is that our spoofer would not be prohibitively expensive and complicated for someone to build, if they had the proper skillset. It's difficult to put an exact likelihood on these attacks happening, but there are no huge [roadblocks] preventing it at the moment."
Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700.
Trimble was working with researchers to push out a patch for its affected products, Nighswander said.
Attacks included location spoofing against applications ranging from planes, cars, trucks and ships to prisoner ankle bracelets, mobile phone towers, traffic lights and SCADA systems.
The attacks could also crash receivers used for everything from surveying to drone navigation, reset receiver clocks, and open remote root shells on receivers.
Previously suggested long-term fixes, such as adding authentication to civilian signals or deploying new directional antennas, were important but not useful in the short term because of their potentially lengthy deployment cycles.
The researchers said two systems should be deployed in the meantime: an Electronic GPS Attack Detection System (EGADS), which could flag the data-level attacks described, and an Electronic GPS Whitening System (EGWS), which could re-broadcast a "whitened signal" to otherwise vulnerable receivers.
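As an added illustration of the kind of data-level plausibility check an EGADS-style monitor could apply (this is not the researchers' design or code), the script below parses a constructed NMEA RMC stream and flags a reported clock that runs backwards or jumps, and a position change that implies an impossible speed. The speed ceiling and time-gap threshold are assumed values that a deployment would tune.

```python
import math
from datetime import datetime

MAX_SPEED_MPS = 350.0    # assumed ceiling for the monitored platform; tune per deployment
MAX_CLOCK_SKIP_S = 10.0  # assumed largest tolerated gap between consecutive fixes
def _coord(val, hemi):
    """NMEA (d)ddmm.mmmm plus hemisphere letter -> signed decimal degrees."""
    deg = int(float(val) / 100)
    dec = deg + (float(val) - deg * 100) / 60
    return -dec if hemi in ("S", "W") else dec
def parse_rmc(sentence):
    """Return (utc datetime, lat, lon) from a $..RMC sentence, or None without a valid fix."""
    f = sentence.split("*")[0].lstrip("$").split(",")
    if not f[0].endswith("RMC") or f[2] != "A":
        return None
    ts = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S")
    return ts, _coord(f[3], f[4]), _coord(f[5], f[6])
def haversine_m(lat1, lon1, lat2, lon2):
    # Great-circle distance in metres; a spherical Earth is fine for a plausibility bound.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))
def check_stream(sentences):
    """Flag fixes whose time or position is physically implausible given the previous fix."""
    alerts, prev = [], None
    for s in sentences:
        fix = parse_rmc(s)
        if fix is None:
            continue
        ts, lat, lon = fix
        if prev is not None:
            pts, plat, plon = prev
            dt = (ts - pts).total_seconds()
            if dt <= 0:
                alerts.append((ts, "clock went backwards"))
            elif dt > MAX_CLOCK_SKIP_S:
                alerts.append((ts, f"clock jumped {dt:.0f}s"))
            elif (v := haversine_m(plat, plon, lat, lon) / dt) > MAX_SPEED_MPS:
                alerts.append((ts, f"implausible speed {v:.0f} m/s"))
        prev = fix
    return alerts
# Constructed sample (checksums omitted): a near-stationary receiver whose date drops to 1999, recovers, then jumps ~1,200 km.
SAMPLE = [
    "$GPRMC,120000,A,4026.0000,N,07957.0000,W,0.0,0.0,150912,,,A",
    "$GPRMC,120001,A,4026.0010,N,07957.0000,W,0.0,0.0,150912,,,A",
    "$GPRMC,120002,A,4026.0010,N,07957.0000,W,0.0,0.0,150899,,,A",
    "$GPRMC,120003,A,4026.0010,N,07957.0000,W,0.0,0.0,150912,,,A",
    "$GPRMC,120004,A,5126.0010,N,07957.0000,W,0.0,0.0,150912,,,A",
]
```

Running `check_stream(SAMPLE)` yields three alerts: one for the date going backwards, one for the jump forward, and one for the impossible speed, while the benign 1.85 m move in the second fix passes.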
The researchers said their work differed from existing GPS jamming and spoofing attacks because it detailed a larger attack surface "by viewing GPS as a computer system." This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems.
"The overall landscape of GPS vulnerabilities is startling, and our experiments demonstrate a significantly larger attack surface than previously thought," the researchers wrote.
This story originally appeared on SCMagazine.com.au.