Hi there.
In this video, I will demonstrate that the execution
of the GNSS spoofing attack has become simple. You just need a smartphone
and a HackRF One transceiver.
We will try to spoof the Ublox M8T module. It
is widely utilized in the timing application.
And it has embedded spoofing
detection and mitigation algorithms.
Let's check it out.
First of all, you need to download the famous GPS-SDR-SIM project from
GitHub. You will find an already compiled Windows executable file in the release folder.
The application creates a file with GPS baseband signal data. And we are going to play
it on HackRF One from the Android smartphone.
GPS-SDR-SIM requires ephemeris data.
You can find it on the NASA website.
Go to GNSS data
Broadcast ephemeris data
daily
2020
scroll down to the BRDC folder
scroll down and download the latest file.
This should be the current data.
In order to play the baseband signal data file, download and install the HackRF_Test
application from the hackrf_android repository.
You will find the APK file in
the Examples folder. Here it is.
OK, we have now downloaded the essential files.
Next, run the command prompt and go to the folder with the stored files.
Check the available options for gps-sdr-sim software.
And let’s try to run it.
Firstly, define an ephemeris file
that we have already downloaded.
We will simulate a static point
with the following coordinates.
Set 10 a.m. as the scenario start time.
Notice it’s a UTC time.
And finally set IQ data format to 8 bits.
Ok. Try to run.
Great. It works. The baseband
signal data file is being created.
We need to wait.
It seems to be done.
The folder contains the created file. Perfect.
Now we need to copy the newly created file to the Android phone to the folder
with the HackRF_Test application.
It is already there. I have installed
the application previously.
Now let's prepare an experiment. We will
conduct it under the live-sky condition.
Here we have a GNSS antenna, RF coupler
to mix the authentic and fake signals.
And 40 dB attenuator to
reduce HackRF’s power level.
The next step is to set up the Android phone.
Connect the HackRF One via a USB host cable. Run the application and check the connection.
It works – great. Set the sample rate to 2.6 MHz, and the central frequency to
1-5-7-5-4-2, then enter the file name.
Finally! The part we have been
waiting for – we can begin spoofing.
But before we start, let's see what the GNSS
receiver shows. We use u-center. It’s the original software for all UBLOX navigation modules.
Here you can see that the receiver is configured to use the GPS, GLONASS, and
Galileo. Now the module uses 10-GPS, 10-GLONASS, and 8-Galileo satellites.
Then enable an embedded interference monitor and try to find a spoofing detection flag.
It should be in the UBX-NAV-STATUS packet. Here it is.
Let’s start the generation.
It seems to be working. Great.
Take a look - the module perceives the fake satellite signals but does
not use them. Let's wait for a while.
Ok.
We can’t accomplish a successful spoofing attack. It looks like the receiver
does contain spoofing mitigation algorithms.
But take a look - the spoofing
detection flag still shows ok.
Hmm.
Let's do a simple trick. Let’s try to block the GLONASS and Galileo signals
with a simple jammer. We will use attenuators to make the jammer’s power high enough to block the
original signals, but lower than the fake signal.
Turn the jammer on.
Now we can see that the GLONASS and Galileo satellites are effectively blocked,
but the receiver still detects fake GPS signals.
Now wait for what happens
next – the crucial part.
Yes, look, we did it! We
successfully spoofed the receiver.
You see? The coordinates have shifted.
And what happened to the spoofing flag? - Nothing at all.
That’s very interesting. It would be cool if the UBLOX support
team left a comment below the video.
Now. Let's turn off the
jammer and see what happens.
Surprise. Now the GLONASS and Galileo
satellites are perceived as fake.
It is not good.
Ok, let’s turn the spoofer off.
You see. Half a minute later, the
receiver switches to real signals.
Well, we did a great experiment I think.
In this video we demonstrated how simple and cheap GNSS spoofing is. It can
even be done on protected receivers!
This affordable setup can undermine your critical infrastructure within a radius of
hundreds of meters over-the-air.
So, if you want to be protected
against GNSS threats, contact us.
And we will help you to develop a resilient
and robust synchronization system.
If you want us to create another video on GNSS
spoofing, or have any questions, please leave a comment below. And don’t forget to subscribe
to our channel for more GNSS spoofing content.
Bye for now, and until the next
video.