A

You're listening to the Cyberwire Network, powered by N2K. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation.

B

As attackers use AI to make their

A

tactics more sophisticated, Doppel uses it to

B

fight back from automatically dismantling cross channel

A

attacks to building team resilience and more. Doppel outpacing what's next in social engineering.

B

Learn more@doppel.com that's.p p e l dot com.

A

Yeah, I remember when I was researching when I first started this job a few years ago. I remember I pitched to my boss at the time, Brandon Karp, and I said, you know, Brandon, I really want to research GPS spoofing. I'm fascinated about this. And so in my naivete, I started calling a bunch of companies that sell to the US government anti GPS spoofing technology. And I was like, can you tell me how this works?

B

You're like, excuse me, who are you?

A

Welcome, I'm Maria Varmazes and you're listening to T minus Space Cyber Briefing. In this show we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects and connects our lives. 3, 2, 1, 0, 0. Let's. Greetings, friends. Thank you for joining me today. Last week on this show, we explored why attacks against GPS and similar space systems matter in a cybersecurity context. Reminder, global navigation satellite systems like GPS are a key dependency for much of our critical infrastructure. And so this week we're all about the how. How do attacks against GPS signals typically work? Well, producer Ethan Cook joins me again to explore a few of the different attack types that we might typically encounter. Let's do this. Hey, Ethan, good to see you again.

B

I'm back.

A

Yeah, you're back. Long time no see.

B

We're back for GPS part two.

A

GPS part two. I mean, honestly, we're, we're probably going to have part three, four, five later.

B

It's never ending, by the way. You know, we're just going to, it's, we're just an iterative.

A

Well, it is so crucial, and you said it brilliantly in the last episode about it is only gonna become more important to how modern technology infrastructure works. And it is vastly underappreciated for what a cornerstone technology it is right now. I certainly, I will raise my hand in that one. I don't think I appreciated how much we use it in our modern lives outside of the obvious, I think that's

B

the story of most technologies. You know, I think we're all like, man, this is so helpful. And when it goes down, we're like, this is the worst thing in the world. And then you realize, man, this is what it was 10 years go.

A

Yeah, it's that XKCD comic of the entire Internet being held up by that one guy in Finland or whatever, which I have been told by all my friends who know this stuff that that is completely true. I think that that one guy in Finland also can sometimes be gps.

B

Yes.

A

Do we realize how much is actually really dependent on this being accessible and the signals being correctly interpreted and all that kind of thing? When the phrase GPS hacking gets thrown around, at least when I started this job a few years ago, I thought we literally meant hacking the GPS satellites, which I think the US Space Force is like, I'd like to see you try.

B

It would be very difficult.

A

It would be extraordinarily difficult. And they're like, bring it on, we're ready for you. So that's not. But that's not really what is meant.

B

It's a lot more ground focused and a lot more. I think the best way to describe it, at least from what I saw, was confusing signals rather than overpowering signals, rather than trying to take down networks.

A

That's exactly it. That was. That surprised me a lot because I really thought it was like, oh, you know, the space horse is just going bing, bing, bing. And I'm sure they are genuinely staving off all these attacks against the actual satellites and the ground stations that they use. But they're in the military, they're handling their own thing for the rest of us. It is exactly that. Like just that phrase, we love the signal and the noise. This is literally that situation of like these signals being blasted out in a spherical radius from the GPS satellites. We monkey with those signals as they hit the ground because they're very weak.

B

They've gone through atmosphere, potentially weather impacts, bounced off walls. They're far, you know, gone through buildings. It's not something that you try to

A

get GPS from inside a house. You're just like, nope, not getting it. Yeah, those are really weak signals by the time they get here. So they are really easy to mess with or fake or overwhelm. And that is essentially what. Why don't we go through maybe some of the frequent attacks against GPS signals? So we call them sort of shorthand hacking gps. But again, it's really attacks against the signals as they arrive on the ground. So what is your understanding of GPS signal jamming?

B

So it feels kind of obvious when you say it out loud and that you're jamming the signal. Right. You're killing the legitimate signal by oftentimes overpowering it. So the legitimate signal cannot go through. Yeah. Use cases for that would be okay. I don't want the signal to accurately find where I am taking that to a real world example, because I think when you talk about attacks, it's really hard to conceptualize impacts unless you have real world examples. The Ukraine war. There has been multiple use cases confirmed at this point that military drones use GPS signals to make sure that they're going to hit the intended target accurately and on time. So if there is a tank or fortification or building that I'm trying to hit as an attacker, I'm using a GPS signal to guide that drone to the correct target.

A

Yeah.

B

Now, GPS jamming can be used to counter that. It's an emerging front. It's something that I think really has popped up as a mainstream as drones have become more popular in the Ukraine front. And I'm sure it is taking place in Iran as well, where you confuse and you overpower the GPS signals that are guiding that drone. And the drone doesn't know where it's going anymore. Yeah, it's still going to hit somewhere and explode, but it's likely not going to hit the thing that it was meant to hit. And obviously that doesn't negate its damage or reduce any casualties. You know, the logic behind it from a defensive perspective is it's not hitting the main target. So maybe it's hitting the building and still causing structural damage, but it's not going to cause the whole building to collapse or it's not going to hit the tank head on, it's going to bounce off. And maybe the tank suffers some mechanical damage, but the whole tank isn't imploded. So that's kind of the logic there.

A

That's exactly right. On the way that I think of it for jamming is the GPS signal as it hits the Earth is like a bird gently chirping. And then if you're jamming, you've got a foghorn and you're trying to hear that chirping bird, but all you can hear is the fricking foghorn.

B

Yeah.

A

And it's just like literally looking for that signal through the noise. Something that I found fascinating years ago when I was learning about this initially, was that a lot of GPS jammers used to be, and I'm sure they still are. If you know where to look. Very unsophisticated, like Bluetooth devices. You could just plug into your car's cigarette lighter, if you still have one. There was a guy who did just that and got massively fined and I'm pretty sure also arrested, which makes sense. Yeah. This was back in 2013 and he operated a GPS jammer from his car sitting outside of Newark Airport in New Jersey specifically to mess with the signals that the airplanes are dependent on, which is a humongously dangerous thing. I mean, he was not the only one. This was just the headline that stuck out in my head. But, you know, it is not a sophisticated attack. No, it's not.

B

Highly illegal.

A

Highly illegal. Do not come after us. We have warned you. Don't do this.

B

It's incredibly dumb if you do.

A

Yeah. And the equipment is extremely low cost, so it makes sense. Why, especially in war zones, this is like one of the first things that people do is your GPS is not going to do anything good for you. And as sort of dark as this is to say, one of my favorite websites to sort of track how this actually looks like on a global scale is this website called gpsjam.org and it's this really fascinating resource. I sometimes I just go there just to. This sounds weird. Just to look around. Yeah, it's just basically uses open source information based on information from commercial planes about how accurate the information is that they're getting. And you can see really easily where the contested zones are. I'm looking at it right now as we're talking. Yeah. Ukraine lit up. Iran lit up. The Strait of Hormuz. Forget it. But also looking near. I'm looking near Estonia right now. Estonia and the Baltics in general are just bright red. So is a whole bunch of the Baltics.

B

They are very close to two conflict zones.

A

Exactly. And there are other spots, like I think I'm looking at Myanmar as well. Even on the US border with Mexico, there are some red spots there. So whether or not that is intentionally being jammed or it is jammed from other factors, this website can't delineate between

B

intentional or like atmospheric incidents or something.

A

Or just like just heavy traffic or something. Yeah. The creator of this website, they mentioned that this is GPS interference as he can map it based on open source information. So don't try to extrapolate necessarily intent. Although in some cases it's obvious.

B

Yes.

A

Like a conflict.

B

So surprise that you know Ukraine, not a surprise there. That GPS may be unreliable.

A

Correct. Yeah. And also near the border with Turkey on the Black Sea. Also Very, very contested. So it also has a historical record which again can be fascinating looking back in time to see how bad were certain spots with GPS interference. So jamming is unsophisticated and sort of table stakes I think for a lot of modern warfare at this point. But sometimes it's also used in petty crime. It is accessible to dumb basic criminals who are just trying to mess with people.

B

I'm sure we'll scale up the punishment when they inevitably get caught.

A

Yeah. So definitely don't do it in your airplanes. Good heavens. So now that we've spent some time on GPS jamming, let's take a quick break. When we come back, we're going to talk about GPS jamming's much more interesting and shall we say sophisticated cousin. And that would be GPS spoofing. Stay with us. So good, so good, so good. New markdowns up to 70% off are at Nordstrom rack stores now. Stock up and save big on shoes, tops, dresses, accessories and more must haves for summer. Join the Nordic Club to unlock exclusive discounts. Shop new arrivals first and more. Plus buy online and pick up at your favorite rack store for free. Great brands, great prices. That's why you rack

B

Study and play come together on a Windows 11 PC. And for a limited time college students get the best of both worlds. Get the unreal college deal everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox game Pass ultimate with a custom color Xbox wireless controller. Learn more@windows.com studentoffer while supplies last ends June 30th terms at aka Ms. College PC.

A

Ethan, I want to you you take the glory on this one. Explain GPS spoofing.

B

So if you know for your cyber professionals out there, if you know what map or Mac address or ip, you know address spoofing is same concept, right? We are taking our signal. We would be displayed as and manipulating it intentionally to show a different thing. A great real world example where this is happening already is in the Strait of Hormuz. A lot of boats going through there. Well, maybe not as much as it used to be but a lot of, a lot of boats should used to be going through there. But you know, we use GPS signals. Boats use them to make sure that we and airplanes too to make sure we aren't colliding with each other because these are massive vehicles, especially boats that are hauling very, very expensive precious cargo. If we were have a collision, not only would that be an environmental disaster, but it would be a significant financial loss. We saw what happened in the Suez Canal a couple years ago when that one boat got stuck in the side.

A

Yes. The ever something. Yeah.

B

I can't remember the company.

A

It was a weird name.

B

Shutting down a key choke point like that is pretty big. Now that was a legitimate example of just someone deciding to by accidentally steer into a canal wall. But I think in the Strait of Hormuz example, you have reports that a bunch of boats are being shown on land in perfect circles, which anyone who knows how a boat works, they don't travel over land. Crazy stuff.

A

I was not familiar with that. Thank you for clarifying.

B

Yeah, it's revolutionary. This is why I went to college. And so anyone who looks at the map goes, ha, ha, ha ha. That's obviously not correct. Right. But I think when you boil that down to actual real world impacts, the answer is, okay, let's say it's nighttime on a foggy day on the sea by the Strait of Hormuz and you really can't see a boat and you're having to go through to deliver the oil or go pick up oil and you go, oh, oh, we have now slammed into another boat. Or you have now slammed into a. Because maybe your address is being also jammed simultaneously so you don't know where you are either. You have now slammed into a seabed that you can't get out of. Right.

A

And.

B

And you take that to a logical conclusion. It is dramatically impactful. It could shut down trade lanes. It could shut down effective communications. Human life factor is absolutely something that needs to be talked about. These are some, these are real world impacts that have significant costs to them.

A

Yeah. The consequences are especially catastrophic for spoofing. The Strait of Hormones is a fantastic example. I remember not that long ago when smugglers were all over the pirates were all over the news. One of the ways that I think they were also evading notice was by spoofing their own signal and being like, yep, we're definitely not where you think we are.

B

We're not in the middle of X, Y and Z. We are, you know, 800 miles to the, to the west and you're never going to be able to see or find us.

A

Yeah. In fact, we're on the ground. You don't even worry about it. Yes. You mentioned drones a little earlier. That's another huge problem because drones also are, you know, key in modern warfare. Yeah. And if you completely redirect where the drone's going to go, not just confuse it, but just like send it elsewhere or tell it to actually, hey, you're in the airspace of an airport, which will force it to land.

B

I didn't know that one.

A

Yeah, yeah. If you tell a drone, actually, you're in airport airspace, they will go, well, time for me to go down to the ground immediately. So, I mean, drone operators know that, but, like, that is a frequent way of kind of trying to mess with them and disrupt their operations. So spoofing is much more sophisticated. It is not easy to broadcast out a different signal that has bad information in it. So this is usually something we see the military doing.

B

I was gonna say, when I was doing my research, jamming was a much more readily available topic to find information on and cover spoofing, the. Pretty much what I got, which is, this is highly illegal. We will not tell you even how it remotely functions. And if you do it, it is a significant punishment.

A

Yeah. I remember when I was researching when I first started this job a few years ago, I remember I pitched to my boss at the time, Brandon Karp, and I said, you know, Brandon, I really want to research GPS spoofing. I'm fascinated about this. And so, in my naivete, I started calling a bunch of companies that sell to the US Government anti GPS spoofing technology. And I was like, can you tell me how this works?

B

Excuse me, who are you?

A

I swear, this is for legitimate purposes. So obviously, nobody told me anything, that no one was gonna do that, of course. And I stupidly even tried. As I said, I'm on a list somewhere, if I wasn't already. But it was a dumb question to even ask, but I was genuinely curious. So the answer is, Maria, if you want to find out, go join the military. So that's.

B

And work your way to the top.

A

My way to the top? Like, yeah. And there's a flavor of spoofing that I keep finding a reference to. Have you heard of this one called Meekening?

B

I have not, but I love the name. Yeah, it's a great name.

A

Yeah. I saw mention of it, and I'm going, that's fascinating. So instead of trying to broadcast a different fake signal that says, actually, I'm over there, it just captures the legitimate GNSS signal and then just rebroadcasts it with a slight delay or modification at a higher signal strength. So it's spoofing, but, like a flavor of spoofing. And the receiver, whoever they are, that signal looks extremely legit to them. It doesn't look like it's been messed

B

with, but it's slightly off.

A

Just Enough, just off enough that it could probably evade a quick glance, essentially. So because the signals are legit, but just like mistimed.

B

Well, going to the point on the timing ambulation that we talked about last episode.

A

Yes. And how insidious this could be. But there are lots of. If you're in the military or the government, there are lots of vendors that will sell you solutions for this, and that is not our lane. But these problems are only getting more and more insidious and the consequences are more and more catastrophic as we become increasingly dependent on gps. The really interesting thing to me is because specifically GPS is such an old technology, the signals are not encrypted. No. So I know forward thinking, the idea is one day these signals will be more spoof resilient because they will be encrypted. And some of the GNSS systems in other parts of the world have better signal, I would imagine because that's because

B

they're newer as well.

A

Yeah, yeah.

B

Did you have security forward mindsets when you invented them or built your networks 20 years later?

A

Yes, that's exactly it. And we got into it a little bit with my interview with Dr. Sean Gorman. But some of the work that was being done to try and make GPS more resilient, especially in the ground systems, unfortunately was recently canceled because it was over budget and behind schedule.

B

Yeah, yeah. Ten years behind schedule and double the cost. The military likes to give you a long leash for off time and overpriced projects. But that was a. Yeah.

A

Even if you go to that one. Yeah, they've got their limits. So the line from the Space Force is they've got these incremental improvements that they're working on to make sure that at least for their things, things are more secure and they can ensure the fidelity of the signal that they're receiving and interpreting. But yeah, GPS is speaking specifically about gps. It's an older system and satellites are being incrementally replaced over time. But you know, it's not a wholesale thing, it's just kind of one in, one out. Maybe one day we'll have fully encrypted signals from GPS would be nice, but it's not tomorrow,

B

it's not in the next five years.

A

No, no. So I think the advice for a cybersecurity professional knowing that like pretty much everything in modern society, there are a lot of flaws and this technology that can be easily exploited is just knowing, in my opinion, where the heck it's being used. What are your dependencies in your environment for gps? I Feel like it begins and ends really right there.

B

I think it's a, it is a risk management factor. It is something that you should be aware of if you're, if you're in, let's say finances, where you're prone to it or it could be impactful, but it is not something that you as an individual or even as an organization can make and you know, really shake up and fix. This is kind of the thing that you, you have redundancies in place to account for if something goes wrong. But you aren't sitting here being like, oh, let me buy the latest solution that fixes this.

A

That's not, you know, the average infosec professional is not going to be.

B

Nope.

A

Securing gps, that, that's the Space Force's job.

B

That's the thing you cross and hope for that. We got good people there.

A

Yeah, exactly. Best men and women working on that. So just knowing that your dependency and managing that risk as best you can, planning around the fact that is not infallible, that's really the takeaway of an advice there as far as I'm concerned. But Ethan, I'm curious if there's any other thoughts you have on that.

B

Yeah, I think it kind of reinforces the conversation that these are technologies that because especially with the modern world as we continue to advance, these are not something that we can just hope they don't get attacked. It's already being attacked. These are things that already people are trying to exploit and successfully time all the time. And we should not rest on the laurels of let's hope it gets better or hope that we can just deal with this. This is something that I think a proactive approach of we need to address, we need to talk about. We need to get governments invested in wanting to increase these, even if previous attempts haven't necessarily been successful. Don't let that kind of be the dying point. Let that be the initial point of a conversation of like, okay, we need to learn why this didn't work previously in our last attempt. Correct that and make sure that we have reasonable timelines and cost expectations and address this now.

A

Yeah, that's a federal government procurement right there. That's a whole other show. But I know that's a lot of your world also, so that's good point.

B

It's a headache world.

A

Yeah, no, that. The understatement of the century right there. As we're talking through and as I was listening to you talking about gps, a lot of this reminds me of just discussions about how the Internet came to be and they said, well, maybe we'll let civilians start using this and not just like a few universities. I mean, they never could have anticipated what it would become. And same thing I don't think they

B

did with GPS when Clinton was like, hey, guys, everyone's. It's free for everyone. You know, go crazy. I didn't think the logical conclusion was, well, what are the modern implications of drone warfare for this?

A

What's a drone? Yeah, exactly. None of this was anticipated, and it's been successful beyond the United States military's wildest dream, I'm sure. And it's. What. What an incredible legacy. Not again. They're not paying me to say that. It's just.

B

It's.

A

It's just kind of amazing, the Internet and gps, like, what. What they've ended up becoming. They weren't meant for civilian use to begin with, so they weren't built with, you know, the idea of thousands of millions of literally billions of us trying to poke holes in them all the time. Exactly. So. And yet that's what we're doing because we're human beings, so we have to kind of just do the best we can with these flawed because they're made by humans systems. So, yeah. Know your dependencies and your risk exposure, and that's about it. Yeah, I think.

B

Well said.

A

Yeah. Thank you. All right, well, Ethan, thanks again for joining me, and thanks for having me. Yeah, of course. Come on back next time.

B

Always.

A

And that's T minus Space Cyber Briefing brought to you by N2K CyberWire. If you like what you heard today, you will also enjoy our newsletter, Signals and Space. You'll get research and notes pulled together by our producer, Ethan Cook and me, along with this week's top Space cyber news stories. Subscribe by visiting TheCyberWire.com newsletters. That's newsletterswith an S. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing cybersecurity landscape. If you like this show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to space2k.com we're proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps helps cybersecurity professionals grow, learn, and stay informed as the nexus for discovery and connection we bring you the people, technology and ideas shaping the future of secure innovation. Learn how@n2k.com thank you for listening to T Minus. I am your host Maria Varmazes. The show is produced by Ethan Cook and Liz Stokes. We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin with content strategy by Mayan Plout. Peter Kilpe is our publisher and we will see you next week. T minus.

B

Ryan Reynolds here from Mint Mobile with a message for everyone Paying Big Wireless Way too much. Please, for the love of everything good in this world, stop with Mint. You can get premium wireless for just $15 a month. Of course, if you enjoy overpaying. No judgments. But that's weird. Okay, one judgment anyway. Give it a try@mintmobile.com Switch upfront payment

A

of $45 for 3 month plan equivalent to $15 per month required intro rate first 3 months only, then options available, taxes and fees extra. See full terms at mintmobile. Com.