SlideShare a Scribd company logo

DEFCON 23 - Lin Huang Ging Yang - GPS spoofing

Felipe Prado
Felipe Prado

DEFCON 23 - Lin Huang Ging Yang - GPS spoofing

Technology
1 of 54
Download to read offline
GPS SPOOFING Low-cost GPS simulator HUANG Lin, YANG Qing Unicorn Team – Radio and Hardware Security Research Qihoo 360 Technology Co. Ltd.
Who we are? Unicorn Team •  Qihoo360’s UnicornTeam consists of a group of brilliant security researchers. We focus on the security of anything that uses radio technologies, from small things like RFID, NFC and WSN to big things like GPS, UAV, Smart Cars, Telecom and SATCOM. •  Our primary mission is to guarantee that Qihoo360 is not vulnerable to any wireless attack. In other words, Qihoo360 protects its users and we protect Qihoo360. •  During our research, we create and produce various devices and systems, for both attack and defense purposes. •  We are one of the DEF CON 23 vendors. https://defcon.org/html/defcon-23/dc-23-vendors.html
YANG Qing •  YANG Qing is the team leader of Unicorn Team. •  He has rich experiences in wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio. •  He is the first one who reported the vulnerabilities of WiFi system and RF IC card system used in Beijing subway.
HUANG Lin •  One of the early USRP users in China. Got the first USRP board in 2005 in Orange Labs •  Authored some tutorials about GNU Radio which were popular in China •  Made great effort on promoting Cloud-RAN technology in China from 2010 to 2013 •  Join Qihoo 360 as a wireless security researcher in 2014
Beginning of the story …
Civilian-use GPS C/A Signal GPS C/A signal is for civilian usage, and unencrypted. Replay attack is a typical GPS spoofing method. Record Replay
Firstly try replay attack •  Hardware •  USRP B210 •  Active GPS antenna •  Bias-tee circuit (Mini-Circuit ZX85-12G-S+) •  LNA (Mini-Circuit ZX60-V82-S+)
Record GPS signal by a USRP B210
Replay the signal by a bladeRF
Success! Record then replay the GPS signal. You can see the cellphone gets the position and timing information from the replayed GPS signal. Nexus 5
If Create any GPS signal rather than Record & Replay…
This is not a replay •  Demo video
Search existing solutions on Internet •  Expensive or at least not free •  NAVSYS ~$5000•  NI LabVIEW ~$6000
Some famous cases of GPS spoofing •  Leading lab: RadioNavigation Lab from Univ. of Texas at Austin (https:// radionavlab.ae.utexas.edu/ ) •  Prof. Todd E. Humphrey and his team •  2012 TED talk: how to fool GPS •  2013: spoof an US$80M yacht at sea •  2014: unmanned aircraft capture via GPS spoofing
We are not navigation experts. How can we do GPS spoofing?
As SDR guys, we have USRP bladeRF HackRF
And we found some source codes on Internet •  This website collects many open source projects about GPS •  http://www.ngs.noaa.gov/gps-toolbox/index.html •  This is a very good GPS receiver software based on GNU Radio •  http://gnss-sdr.org/ •  Most of projects are GPS receivers and few are transmitters. This is a transmitter example: https://code.csdn.net/sywcxx/gps-sim-hackrf •  It’s not finalized !
DIY a GPS Simulator!
Basic principle of GPS system
GPS principle
Mathematics time
Key information in Pseudo-range equations Calculate the delays at receiver WHEN WHERE
Structure of message 1 bit (20 ms) 1 word (600 ms) 1 subframe (6 s) 1 page (30 s) 25 pages – the whole message (12.5 min) x30 x10 x5 x25
Info of WHEN & WHERE Subframe 1 Subframe 2 Subframe 3 Subframe 4 Subframe 5 Time information WHEN Ephemeris WHERE
Start building the signal
Get Ephemeris data •  Method 1 •  Download ephemeris data file from CDDIS website •  ftp://cddis.gsfc.nasa.gov/gnss/data/daily/ •  Here we can only get yesterday’s ephemeris data •  Method 2 •  Use ‘gnss-sdr’ program to receive the real-time GPS signal and get the fresh ephemeris data •  The ‘GSDR*’ files are the decoded ephemeris data, in standard RINAX format.
Decode the fresh ephemeris data •  Software •  Run ‘gnss-sdr’ •  Get the GSDR* file
Matlab code of GPS simulator
Example: structure of Subframe 2
Generate navigation message
Bits " Waveform
GPS principle again Calculate the transmission time
How to calculate transmission time Satellite is moving Earth is rotating Calculate the coordinate according to ephemeris data Calculate the length of signal path NOT EASY
Matlab code of generating waveform
Firstly offline verify the signal by ‘gnss-sdr’ OK
Secondly verify it by transmitting GPS signal file over air by bladeRF
Soft-receiver ‘gnss-sdr’ demod the signal OK
Try to spoof cellphone’s GPS … Failure
Which part is not perfect? Doppler effect
Another challenge: Doppler effect Moving towards receiver Moving far from receiver
GPS principle again Delay will be longer and longer, if moving far from receiver Delay will be shorter and shorter, if moving towards receiver NOT EASY
Try cellphone again •  Nexus 5 GPS chipset •  Satellites are detected as pre-setting. •  Satellite signal strengths are same as we defined. •  3D fixed by simulated signal Bingo!
Bingo! Samsung Note 3 •  Located at Namco Lake in Tibet but the cellphone is actually in Beijing.
Bingo! iPhone 6 •  Namco Lake in Tibet •  iPhone positioning is much slower. •  The cellphone clock was also reset to wrong time if auto- calibration is enabled.
Set any time •  You may find the date we set is always Feb. 14 2015. This is because the ephemeris data file we use is at that day. •  Actually not only space but also time, can be spoofed.
A cellphone in future time We set the time as Aug. 6, 2015 (today is Jul. 14) and position as Las Vegas.
Try to spoof cars •  Demo video: The car, BYD Qin was located in a lake center.
DJI drone - forbidden area policy •  To avoid the risk from drone to people and to critical facilities, drone flying are forbidden in many cities. •  For example, DJI drone’s engine will keep off when it finds the position is in forbidden area. A drone that crashed on the grounds of the White House had evaded radar detection.
Try to spoof DJI drone •  Demo video Disable forbidden area •  The drone is actually at a forbidden location in Beijing. We gave it a fake position in Hawaii, then it was unlocked and can fly up.
Try to spoof DJ drone •  Demo video: Hijack flying drone •  We gave a forbidden position to a flying drone, then it would automatically land.
Lessons – how to anti-spoof •  Application layer •  Now usually GPS has highest priority. Cellphone is spoofed even if it has cellular network connection. •  Use multi-mode positioning, GLONASS, Beidou •  Jointly consider cellular network and wifi positioning •  Civil GPS receiver chipset •  Use some algorithms to detect spoofing •  Civil GPS transmitter •  Add digital signatures into the extensible GPS civil navigation message
GPS is still a great system •  First global positioning system •  Usable for all of the world •  Very low cost, small size… •  It keeps updating so we believe the security issue will be improved in future.
Acknowledgment •  JIA Liwei •  Graduate student of BUAA majoring radio navigation •  https://code.csdn.net/sywcxx/gps-sim-hackrf •  JIAO Xianjun •  Senior iOS RFSW engineer at Apple, SDR amateur •  http://sdr-x.github.io/
Thank you!

Recommended

Paolo Stagno - A Drone Tale: All Your Drones Belong To Us
Paolo Stagno - A Drone Tale: All Your Drones Belong To UsPaolo Stagno - A Drone Tale: All Your Drones Belong To Us
Paolo Stagno - A Drone Tale: All Your Drones Belong To Ushacktivity
 
Sigfox coverage. what you always wanted to know (and were afraid to ask)
Sigfox coverage. what you always wanted to know (and were afraid to ask)Sigfox coverage. what you always wanted to know (and were afraid to ask)
Sigfox coverage. what you always wanted to know (and were afraid to ask)Simple Hardware
 
A Drone Tale by Paolo Stagno - Hacktivity 2018
A Drone Tale by Paolo Stagno - Hacktivity 2018A Drone Tale by Paolo Stagno - Hacktivity 2018
A Drone Tale by Paolo Stagno - Hacktivity 2018Paolo Stagno
 
A Drone Tale by Paolo Stagno - Sec-T 2018
A Drone Tale by Paolo Stagno - Sec-T 2018A Drone Tale by Paolo Stagno - Sec-T 2018
A Drone Tale by Paolo Stagno - Sec-T 2018Paolo Stagno
 
A Drone Tale by Paolo Stagno - Hackinbo 2018
A Drone Tale by Paolo Stagno - Hackinbo 2018A Drone Tale by Paolo Stagno - Hackinbo 2018
A Drone Tale by Paolo Stagno - Hackinbo 2018Paolo Stagno
 
SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010
SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010
SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010Phil Carr
 
Dev 5 k focus group presentation 2
Dev 5 k focus group presentation 2Dev 5 k focus group presentation 2
Dev 5 k focus group presentation 2Franklin Levy Vargas
 
Sigfox devices travelling between continents is monarch technology usable
Sigfox devices travelling between continents is monarch technology usable Sigfox devices travelling between continents is monarch technology usable
Sigfox devices travelling between continents is monarch technology usable Simple Hardware
 

Recommended

Paolo Stagno - A Drone Tale: All Your Drones Belong To Us
Paolo Stagno - A Drone Tale: All Your Drones Belong To UsPaolo Stagno - A Drone Tale: All Your Drones Belong To Us
Paolo Stagno - A Drone Tale: All Your Drones Belong To Ushacktivity
 
Sigfox coverage. what you always wanted to know (and were afraid to ask)
Sigfox coverage. what you always wanted to know (and were afraid to ask)Sigfox coverage. what you always wanted to know (and were afraid to ask)
Sigfox coverage. what you always wanted to know (and were afraid to ask)Simple Hardware
 
A Drone Tale by Paolo Stagno - Hacktivity 2018
A Drone Tale by Paolo Stagno - Hacktivity 2018A Drone Tale by Paolo Stagno - Hacktivity 2018
A Drone Tale by Paolo Stagno - Hacktivity 2018Paolo Stagno
 
A Drone Tale by Paolo Stagno - Sec-T 2018
A Drone Tale by Paolo Stagno - Sec-T 2018A Drone Tale by Paolo Stagno - Sec-T 2018
A Drone Tale by Paolo Stagno - Sec-T 2018Paolo Stagno
 
A Drone Tale by Paolo Stagno - Hackinbo 2018
A Drone Tale by Paolo Stagno - Hackinbo 2018A Drone Tale by Paolo Stagno - Hackinbo 2018
A Drone Tale by Paolo Stagno - Hackinbo 2018Paolo Stagno
 
SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010
SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010
SSTRM - StrategicReviewGroup.ca - Capt. Sylvain Sensors March 2010Phil Carr
 
Dev 5 k focus group presentation 2
Dev 5 k focus group presentation 2Dev 5 k focus group presentation 2
Dev 5 k focus group presentation 2Franklin Levy Vargas
 
Sigfox devices travelling between continents is monarch technology usable
Sigfox devices travelling between continents is monarch technology usable Sigfox devices travelling between continents is monarch technology usable
Sigfox devices travelling between continents is monarch technology usable Simple Hardware
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
Internal and external positioning in mobile and web applications
Internal and external positioning in mobile and web applicationsInternal and external positioning in mobile and web applications
Internal and external positioning in mobile and web applicationsDejan Radic
 
Insite deck
Insite deckInsite deck
Insite deckMichael Kowbel Harvey
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Baileyidsecconf
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech BrandSimon Loe
 
BSides Lisbon 2017 - Fantastic Signals and Where to Find Them
BSides Lisbon 2017 - Fantastic Signals and Where to Find ThemBSides Lisbon 2017 - Fantastic Signals and Where to Find Them
BSides Lisbon 2017 - Fantastic Signals and Where to Find ThemLuis Grangeia
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environmentChristian Martorella
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 
Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011Atlantic Security Conference
 
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronBirds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronHITCON GIRLS
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Wardriving
WardrivingWardriving
WardrivingSumit Kumar
 
Pentest iot - SDR
Pentest iot - SDRPentest iot - SDR
Pentest iot - SDRAries Syamsuddin
 
Laser navigation 2016 technology overview short final
Laser navigation 2016 technology overview short finalLaser navigation 2016 technology overview short final
Laser navigation 2016 technology overview short finalRoberto Navoni
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
SDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiSDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiJonathan Singer
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADARFUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADARiQHub
 
An event driven campus navigation system on andriod121
An event driven campus navigation system on andriod121An event driven campus navigation system on andriod121
An event driven campus navigation system on andriod121Ashish Kumar Thakur
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 

More Related Content

Similar to DEFCON 23 - Lin Huang Ging Yang - GPS spoofing

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
Internal and external positioning in mobile and web applications
Internal and external positioning in mobile and web applicationsInternal and external positioning in mobile and web applications
Internal and external positioning in mobile and web applicationsDejan Radic
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Baileyidsecconf
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech BrandSimon Loe
 
BSides Lisbon 2017 - Fantastic Signals and Where to Find Them
BSides Lisbon 2017 - Fantastic Signals and Where to Find ThemBSides Lisbon 2017 - Fantastic Signals and Where to Find Them
BSides Lisbon 2017 - Fantastic Signals and Where to Find ThemLuis Grangeia
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environmentChristian Martorella
 
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronBirds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronHITCON GIRLS
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Laser navigation 2016 technology overview short final
Laser navigation 2016 technology overview short finalLaser navigation 2016 technology overview short final
Laser navigation 2016 technology overview short finalRoberto Navoni
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
SDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiSDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiJonathan Singer
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADARFUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADARiQHub
 
An event driven campus navigation system on andriod121
An event driven campus navigation system on andriod121An event driven campus navigation system on andriod121
An event driven campus navigation system on andriod121Ashish Kumar Thakur
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 

Similar to DEFCON 23 - Lin Huang Ging Yang - GPS spoofing (20)

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Internal and external positioning in mobile and web applications
Internal and external positioning in mobile and web applicationsInternal and external positioning in mobile and web applications
Internal and external positioning in mobile and web applications
 
Insite deck
Insite deckInsite deck
Insite deck
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Bailey
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech Brand
 
BSides Lisbon 2017 - Fantastic Signals and Where to Find Them
BSides Lisbon 2017 - Fantastic Signals and Where to Find ThemBSides Lisbon 2017 - Fantastic Signals and Where to Find Them
BSides Lisbon 2017 - Fantastic Signals and Where to Find Them
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environment
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011
 
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronBirds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Wardriving
WardrivingWardriving
Wardriving
 
Pentest iot - SDR
Pentest iot - SDRPentest iot - SDR
Pentest iot - SDR
 
Laser navigation 2016 technology overview short final
Laser navigation 2016 technology overview short finalLaser navigation 2016 technology overview short final
Laser navigation 2016 technology overview short final
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
 
SDR Basestation with Raspberry Pi
SDR Basestation with Raspberry PiSDR Basestation with Raspberry Pi
SDR Basestation with Raspberry Pi
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADARFUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
FUTURE-PROOFING VEHICLES BY LEVERAGING PERCEPTION RADAR
 
An event driven campus navigation system on andriod121
An event driven campus navigation system on andriod121An event driven campus navigation system on andriod121
An event driven campus navigation system on andriod121
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

DEFCON 23 - Lin Huang Ging Yang - GPS spoofing

  • 1. GPS SPOOFING Low-cost GPS simulator HUANG Lin, YANG Qing Unicorn Team – Radio and Hardware Security Research Qihoo 360 Technology Co. Ltd.
  • 2. Who we are? Unicorn Team •  Qihoo360’s UnicornTeam consists of a group of brilliant security researchers. We focus on the security of anything that uses radio technologies, from small things like RFID, NFC and WSN to big things like GPS, UAV, Smart Cars, Telecom and SATCOM. •  Our primary mission is to guarantee that Qihoo360 is not vulnerable to any wireless attack. In other words, Qihoo360 protects its users and we protect Qihoo360. •  During our research, we create and produce various devices and systems, for both attack and defense purposes. •  We are one of the DEF CON 23 vendors. https://defcon.org/html/defcon-23/dc-23-vendors.html
  • 3. YANG Qing •  YANG Qing is the team leader of Unicorn Team. •  He has rich experiences in wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio. •  He is the first one who reported the vulnerabilities of WiFi system and RF IC card system used in Beijing subway.
  • 4. HUANG Lin •  One of the early USRP users in China. Got the first USRP board in 2005 in Orange Labs •  Authored some tutorials about GNU Radio which were popular in China •  Made great effort on promoting Cloud-RAN technology in China from 2010 to 2013 •  Join Qihoo 360 as a wireless security researcher in 2014
  • 5. Beginning of the story …
  • 6. Civilian-use GPS C/A Signal GPS C/A signal is for civilian usage, and unencrypted. Replay attack is a typical GPS spoofing method. Record Replay
  • 7. Firstly try replay attack •  Hardware •  USRP B210 •  Active GPS antenna •  Bias-tee circuit (Mini-Circuit ZX85-12G-S+) •  LNA (Mini-Circuit ZX60-V82-S+)
  • 8. Record GPS signal by a USRP B210
  • 9. Replay the signal by a bladeRF
  • 10. Success! Record then replay the GPS signal. You can see the cellphone gets the position and timing information from the replayed GPS signal. Nexus 5
  • 11. If Create any GPS signal rather than Record & Replay…
  • 12. This is not a replay •  Demo video
  • 13. Search existing solutions on Internet •  Expensive or at least not free •  NAVSYS ~$5000•  NI LabVIEW ~$6000
  • 14. Some famous cases of GPS spoofing •  Leading lab: RadioNavigation Lab from Univ. of Texas at Austin (https:// radionavlab.ae.utexas.edu/ ) •  Prof. Todd E. Humphrey and his team •  2012 TED talk: how to fool GPS •  2013: spoof an US$80M yacht at sea •  2014: unmanned aircraft capture via GPS spoofing
  • 15. We are not navigation experts. How can we do GPS spoofing?
  • 16. As SDR guys, we have USRP bladeRF HackRF
  • 17. And we found some source codes on Internet •  This website collects many open source projects about GPS •  http://www.ngs.noaa.gov/gps-toolbox/index.html •  This is a very good GPS receiver software based on GNU Radio •  http://gnss-sdr.org/ •  Most of projects are GPS receivers and few are transmitters. This is a transmitter example: https://code.csdn.net/sywcxx/gps-sim-hackrf •  It’s not finalized !
  • 18. DIY a GPS Simulator!
  • 19. Basic principle of GPS system
  • 22. Key information in Pseudo-range equations Calculate the delays at receiver WHEN WHERE
  • 23. Structure of message 1 bit (20 ms) 1 word (600 ms) 1 subframe (6 s) 1 page (30 s) 25 pages – the whole message (12.5 min) x30 x10 x5 x25
  • 24. Info of WHEN & WHERE Subframe 1 Subframe 2 Subframe 3 Subframe 4 Subframe 5 Time information WHEN Ephemeris WHERE
  • 26. Get Ephemeris data •  Method 1 •  Download ephemeris data file from CDDIS website •  ftp://cddis.gsfc.nasa.gov/gnss/data/daily/ •  Here we can only get yesterday’s ephemeris data •  Method 2 •  Use ‘gnss-sdr’ program to receive the real-time GPS signal and get the fresh ephemeris data •  The ‘GSDR*’ files are the decoded ephemeris data, in standard RINAX format.
  • 27. Decode the fresh ephemeris data •  Software •  Run ‘gnss-sdr’ •  Get the GSDR* file
  • 28. Matlab code of GPS simulator
  • 29. Example: structure of Subframe 2
  • 32. GPS principle again Calculate the transmission time
  • 33. How to calculate transmission time Satellite is moving Earth is rotating Calculate the coordinate according to ephemeris data Calculate the length of signal path NOT EASY
  • 34. Matlab code of generating waveform
  • 35. Firstly offline verify the signal by ‘gnss-sdr’ OK
  • 36. Secondly verify it by transmitting GPS signal file over air by bladeRF
  • 38. Try to spoof cellphone’s GPS … Failure
  • 39. Which part is not perfect? Doppler effect
  • 40. Another challenge: Doppler effect Moving towards receiver Moving far from receiver
  • 41. GPS principle again Delay will be longer and longer, if moving far from receiver Delay will be shorter and shorter, if moving towards receiver NOT EASY
  • 42. Try cellphone again •  Nexus 5 GPS chipset •  Satellites are detected as pre-setting. •  Satellite signal strengths are same as we defined. •  3D fixed by simulated signal Bingo!
  • 43. Bingo! Samsung Note 3 •  Located at Namco Lake in Tibet but the cellphone is actually in Beijing.
  • 44. Bingo! iPhone 6 •  Namco Lake in Tibet •  iPhone positioning is much slower. •  The cellphone clock was also reset to wrong time if auto- calibration is enabled.
  • 45. Set any time •  You may find the date we set is always Feb. 14 2015. This is because the ephemeris data file we use is at that day. •  Actually not only space but also time, can be spoofed.
  • 46. A cellphone in future time We set the time as Aug. 6, 2015 (today is Jul. 14) and position as Las Vegas.
  • 47. Try to spoof cars •  Demo video: The car, BYD Qin was located in a lake center.
  • 48. DJI drone - forbidden area policy •  To avoid the risk from drone to people and to critical facilities, drone flying are forbidden in many cities. •  For example, DJI drone’s engine will keep off when it finds the position is in forbidden area. A drone that crashed on the grounds of the White House had evaded radar detection.
  • 49. Try to spoof DJI drone •  Demo video Disable forbidden area •  The drone is actually at a forbidden location in Beijing. We gave it a fake position in Hawaii, then it was unlocked and can fly up.
  • 50. Try to spoof DJ drone •  Demo video: Hijack flying drone •  We gave a forbidden position to a flying drone, then it would automatically land.
  • 51. Lessons – how to anti-spoof •  Application layer •  Now usually GPS has highest priority. Cellphone is spoofed even if it has cellular network connection. •  Use multi-mode positioning, GLONASS, Beidou •  Jointly consider cellular network and wifi positioning •  Civil GPS receiver chipset •  Use some algorithms to detect spoofing •  Civil GPS transmitter •  Add digital signatures into the extensible GPS civil navigation message
  • 52. GPS is still a great system •  First global positioning system •  Usable for all of the world •  Very low cost, small size… •  It keeps updating so we believe the security issue will be improved in future.
  • 53. Acknowledgment •  JIA Liwei •  Graduate student of BUAA majoring radio navigation •  https://code.csdn.net/sywcxx/gps-sim-hackrf •  JIAO Xianjun •  Senior iOS RFSW engineer at Apple, SDR amateur •  http://sdr-x.github.io/