RESEARCH PAPER ON SPOOFING OF GPS OF
advertisement
SPOOFING OF THE GPS OF THURAYA SATELLITE PHONES: POSSIBLE MEASURES AND COUNTERMEASURES Dr. N. C. Asthana, IPS Inspector General Of Police (Operations), CRPF Kashmir (Published In The ‘International Communication Engineering’) Journal Of Electronics And ABSTRACT It is popularly believed that Pakistani intelligence agencies are assisting the terrorists in Kashmir by ‘spoofing’ the signals of the Thuraya satellite phones that the terrorists use, so as to mislead Indian intelligence agencies about their actual location. This paper examines the technology of spoofing and shows that while it is possible, it is not likely to be used in the presumed context. Secondly, while it may be detected, it is difficult to unmask the original signal from the spoofed signal. KEY WORDS: Spoofing, Thuraya Satellite Phone, GPS, Location Server. INTRODUCTION The Indian media, citing government sources, has been claiming [1-6] that Pakistani intelligence agencies are assisting the terrorists in Kashmir by ‘spoofing’ the signals of the Thuraya satellite phones that the terrorists use. Since intelligence agencies supposedly monitor the terrorists’ use of satellite phones, it is believed that the purpose of such spoofing is to make it impossible for the Indian intelligence agencies to track the location of such satellite phones by making the in-built GPS of the satellite phone to give out deliberately wrong coordinates of the handset. Should it be correct, this is a very serious matter because as a result, it will be difficult to interdict such terrorists in the first place and secondly, Pakistan can easily deny that its soil is being used for assisting the terrorists. Since spoofing is a complex subject and little is known about it even amongst most communication engineering professionals, the author has considered it desirable to present a concise overview of the subject. The purpose of this paper is to examine whether such a thing is possible or not and if possible, what countermeasures can be taken to detect or thwart them. 2 THURAYA SATELLITE PHONES The Thuraya satellite phone network provides coverage over Europe, the Middle East, Central and Northern Africa, Central Asia and the Indian subcontinent. For connection to base station gateway Thuraya satellites uses the C-band. For connection between mobile devices and satellites L-band is used. To allow small mobile devices, Thuaya satellites use a very large L-Band antenna with a diameter of 12.25 m. Each satellite can provide 13750 simultaneous phone connections. The Thuraya geostationary satellites utilize on-board digital signal processing to create more than 200 spot beams that can be redirected on-orbit, allowing the satellite phone network to adapt to customer demand in real time. Thuraya's handheld mobile phone not only combines satellite and GSM, it also offers built-in Global Positioning System (GPS). Thuraya offers “GPS distance and direction display” as a standard feature in its mobile phone. The “GPS distance and direction display” feature on Thuraya’s “Man Machine Interface (MMI)” extends the GPS functionality to support the calculation of distance and direction between two points. When a user determines the present location using the existing MMI commands, the menu option will be available to allow a distance and direction to be calculated. Once he initiates this menu command, the results will prompt you to select a stored benchmark location from memory. After the selection is done, the phone calculates the distance and direction from the current point to the stored point, displaying the results of distance and directions to the user. SPOOFING AND JAMMING: IMPORTANT DISTINCTION The popular belief and media perception is that powerful transmitters have been set up across the Line of Control and the international border dividing India and Pakistan, blanking out signals from the Thuraya phones used by terrorists. This is not correct. The strength of the GPS signal on the earth’s surface averages 160 dBw 7. While many GPS receivers leave large space for signal dynamics, enough power space is left for the GPS signals to be overridden. One does not require ‘powerful transmitters’ to be set up by a nation for that—even low power transmitters would do the job! Spoofing is completely different from jamming. A spoof is defined as a malicious signal that overpowers the authentic signal and misleads the receiver to use a forged signal for further processing. Spoofing could be done to gain access to services such as a particular game broadcast that are restricted to a certain geographic area, an 3 employee deceiving an employer of their true location; by a criminal who is being tracked by the law and does not want the tracker to know his correct location; or to spoof the location of a shipment that is being remotely tracked. The objective of jamming is to simply interrupt the availability of the GPS signals in space at the receiver. In-band or out-of-band harmonic RF transmissions could mask the weak GPS spread spectrum signals. The effect is to cause the signal at the receiver to be corrupted so that no valid GPS signal can be decoded by the receiver. Spoofing is more serious than jamming because jamming will cause the service to degrade in performance while spoofing takes control of the user receiver. Jamming is a low-tech affair and at best, a prank. Jamming would not serve the purpose of the terrorists or those assisting them. They must mislead the agencies intercepting the calls. This falls in the realm of spoofing and which could also be of two types. MISLEADING THE GPS RECEIVER This type would involve an attacker who would provide the receiver with a misleading signal, fooling the receiver to use fake signals in space for positioning calculations. The receiver will produce a misleading position solution. Two basic configurations are possible. GPS signal generator: Spoofers in this category are GPS signal generators readily available from several vendors. For use as a spoofer, the signal generator’s RF out put is amplified and transmitted, possibly using a directional antenna. In this case, the transmitted signals are not phase-and frequencymatched to the GPS signals being received from satellites in the locality, and the navigation data do not replicate the currently active navigation data. Although a receiver could be fooled by this approach, particularly if the target receiver is first jammed and forced to reacquire, the spoofing signal generated in the fashion typically looks like noise—rather than a usable signal—to a receiver tracking it. GPS Receiver Spoofer: Spoofers in this category are coupled to a GPS receiver. The GPS receiver tracks satellite signals at a location and decodes the navigation data. The spoofer then generates a signal that mimics the incident satellite signals in all respects. Conceivably, a spoofer could add a calculated offset to each satellite signal to compensate for a specified geometric offset to the target GPS antenna. The spoofer is also able to vary the signal strength of the constituent signals so that they appear at the target antenna to have the same relative strengths of the authentic signals. The Cornell University “GRID” dual- 4 frequency software-defined GPS receiver is an example of this type of spoofer. It can simultaneously track 12 C/A channel and generate 8 C/A spoofing channels. The hardware required for this type of spoofer is neither very costly nor difficult to procure but the technical knowledge required must be of a high order. The Cornell experiments were widely reported [8-11] in the media and led to a great deal of speculations. It is rather easy [12] to mislead WLAN positioning systems being used as a substitute for or as complement to the GPS, such as the Wi-Fi positioning system (WPS) from Skyhook [13], available for PCs (as a plugin) and on a number of mobile platforms, including the Apple iPod touch and iPhone [14] as well as on Nokia mobile phones based on Symbian [15]. Spoofing attacks on such systems take the following action: (1) impersonation of access points (from one location to another) and (2) elimination of signals sent by legitimate access points. Since rogue access points can forge their Medium Access Control MAC addresses and can transmit at arbitrary power levels, access point impersonation can be easily done in WPS. Equally, since WLAN signals are easy to jam, signals from legitimate access points can be eliminated using a software radio platform like Ettus (Universal software radio peripheral— USRPs) with daughterboards for the 2.4GHz band, thus enabling location spoofing. The idea of an AP impersonation attack is to report remote access points to the attacked device, which will then compute a location that is in the proximity of the remote APs. This attack exploits the fact that the WPS localization relies on (easily replayed) AP MAC addresses for their identification; AP MAC addresses are public since they are contained in the network announcement beacons. For the GPS, there are four GPS observables that can be directly measured by a GPS receiver. They are the GPS message, code ranges, fractional phase ranges and Doppler shift. In a GPS receiver, PRN (pseudorandom noise) code correlation is performed at high frequency to remove the PRN code. The received GPS signal is passed through a high pass filter to remove navigation data. After the navigation message is removed, the resulting signal is the Doppler shifted carrier. The Doppler shifted carrier is then passed to a PLL and compared with a receiver-generated carrier to get the fractional phase offset. The GPS message can be spoofed because PRN code is available to the public. The PRN code ranges of C/A code and P-code are direct observables. One chip of C/A code range will cause 300 km ambiguity. The range measurement for C/A code is the basic observation of GPS receivers and it is derived from the 5 time shift of the receiver PRN sequence and the PRN sequence that is multiplexing the incoming signal. This time shift, however, can be controlled by spoofing the transmitter. Pseudorange measurements can then be modeled. The satellite position vector can be forged by spoofing the GPS messages. Using this model, the PRN code shift can be easily calculated. Spoofing a static receiver (called static spoofing) is much easier than spoofing a dynamic receiver. For a stationary receiver, the position solution is fixed; the spoofed pseudorange can be calculated using code range model. For a moving receiver (called dynamic spoofing), if the spoofer does not need to avoid cross-checking at the spoofed receiver, then the position solution can be forged in advance and then use the pseudorange model again to get a time sequence of the spoofed pseudorange. In one possible application of this sort of spoofing, we could consider spoofing of the VMS (vessel monitoring system). In fishing waters controlled by the European Union (EU), for example, Commission Regulation No.2244/2003 requires that operators of fishing vessels more than 15 meters in length carry a satellite-based vessel monitoring system (VSM). The VMS (typically employing GPS today) records the voyage of the vessel and automatically provides the data to the fisheries monitoring center of the EU member state where the vessel is registered as well as the member state in whose waters the vessel is fishing. Naturally, the data can be used to detect passage into waters into waters for which the vessel is not licensed. In this case of spoofing the intent of the operator would be to log a fictional voyage that does not disclose illegal fishing activities. In such a situation, all the spoofer has to do is to disconnect the GPS antenna and attach instead a local GPS signal generator. Simple ‘GPS fraud kits’ are available for about $2,535 that could feed spoofed signals into the VMS’s RS-232 port after disabling the antenna and opening the VMS box. There are also sophisticated ‘GPS signal simulators’ available for about $126,700 that could be connected to or radiated towards the VMS unit. Countermeasures To Receiver-End Spoofing As a one-way broadcast system, GPS is not immune to spoof attack except the Y-code whose encryption algorithm is not available to civilian users. As analyzed in the introduction section, a spoof can never be detected using check matrices, like the CRC check, in the digital domain. However, by crosschecking the observables, intermediate measurement, and positioning solutions, a spoof can be detected. 6 One method is to monitor the absolute power of each carrier. The received signal power is not expected to exceed -155.5 dBw and -153 dBw, respectively for P(Y) code and C/A code components of the L1 channel, nor -158 dBw for either signal on the L2 channel. Hence a reasonable maximum power can be set to limit the spoof signal power in space, because a spoof station will increase the signal power in space by at least 3 dB. Another method is to monitor signal power changing rate. Still another is to monitor the relative powers. Modernized GPS will have two signals on L2 and one signal on L5. These signals will also have relatively fixed power ratios. On checking the relative power ratio, those types of spoof that do not override all of the signal components on all frequencies (L1/L2 and modernized L5) can be easily detected. Yet another method is to bound and compare range rates. In order to spoof a receiver, code range must be spoofed properly and phase ranges have to be spoofed in accordance with code range if a spoofer wants to let phase range conform to code range. When phase ranges are to be forged with respect to code range, phase range rate will probably be sacrificed to spoof phase range. Therefore, comparing code and phase range rates can detect the abnormality, and bounding the rates gives a mechanism to detect the abnormality. Another method could be Doppler shift check. It is impossible to get all the Doppler shifts for all satellites correct by mimicking satellite movement by the spoof source using a single transmitter because the Doppler shift is changing carrier frequency. Although CDMA signals with different PRN code can be summed before being modulated on a carrier, the spoof signal has to be modulated to a different carrier to avoid the Doppler test. A spoofer might thus have to use one transmitter for each spoofed SV. One could also go for cross-correlation of L1 and L2. Since the signal on L2 is slower than that on L1 due to ionosphere effect, the sign of cross-correlation shift is known. This test requires spoofers to spoof both carriers if any L1 or L2 carrier is spoofed, i.e. messages on both carriers must be spoofed. Still another method could involve L1-L2 range differences. The spoofed signal that is propagating only in the lower layer of atmosphere behaves differently from the authentic signal with ionosphere delay. We could also use received ephemeris data or jump detection. All observables should monitor abrupt changes in the observables and power within a tolerable range. Any jump in observables or signal power might mean the turning on of a spoof attack. 7 These various countermeasures can be summarized [16] as follows: Method Error! Reference source not found. 0 Error! Reference source not found. Error! Reference source not found. Error! Reference source not found. Error! Reference source not found. Error! Reference source not found. Error! Reference source not found. Error! Reference source not found. Test statistic Function Limitation Absolute signal power Limit the spoof signal power Antenna attitude and environment related Signal power changing rate Detect stationary spoof station Antenna attitude and environment related Relative signal strengths on all carriers Detect spoofing on single carrier Affected by ionosphere refraction Range rate Bound the phase and code range rate Relate to GPS receiver’s moving direction Doppler shift Detect spoof that uses one transmitter to spoof all satellites None Correlation peaks Correlate L1/L2 binary message Low performance on Y-code GPS signal after removing all navigation data Recover authentic data Requires low spoof/authentic signal power ratio Range differences: phase/code, L1/L2 Identify signal source Needs to be L1/L2 receiver Ephemeris data Verify ephemeris data including satellite position None 8 Error! Reference source not found. Signal power and data Jump detection None We could also use angle-of-arrival discrimination [17] In this we could use a dual-antenna receiver based on observation of L1 carrier differences between multiple antennas referenced to a common oscillator. If the expected delta phase measurements do not agree with the expected phase profiles within bounds set by the expected noise and attitude uncertainty, then a spoofing signal is identified. For a spoofer to defeat the algorithm as implemented, the spoofing system must emulate the expected carrier phase deltas between the pair of antennas for all satellites in track. Even a sophisticated spoofer cannot emulate this geometry for several satellites if the spoofer is limited to one transmitting antenna. A sophisticated spoofer with two separate points of transmission might be able to defeat the algorithm. However, this would also require the spoofer to know the geometry of the GPS antenna array, locate a matched transmitter antenna very close to each GPS antenna, and deal with other difficult problems associated with multipath, signal leakage, and self-interference. Why Spoofing Military GPS Is Difficult While the GPS P-code is heavily encrypted and thus, is hard to spoof, the civilian GPS signal, the C/A code, is easy to spoof because the signal structure, the spread spectrum codes, and modulation methods are open to the public. In Hollywood films and in popular perception, this could set up the plot for a frightening scenario where terrorists mislead the GPS of GPS-guided missiles and bombs so that they hit an unintended target thereby precipitating a crisis [18]. Manipulating the military GPS is, however, much more difficult. Considerable specific research has been carried out in this regard [19]. The M code signal’s security design is based on next generation cryptography and other aspects, including a new keying architecture. The modulation of the M code signal is a binary offset carrier signal with subcarrier frequency 10.23 MHz and spreading code rate of 5.115 M spreading bits per second, denoted a BOC(10.23,5.115) (abbreviated as BOC(10,5)) modulation; the spreading code transitions are aligned with transitions of the square wave subcarrier. Spreading and data modulations employ biphase modulation, so that the signal occupies one phase 9 quadrature channel of the carrier. The spreading code is a pseudorandom bit stream from a signal protection algorithm, having no apparent structure or period. The baseline acquisition approach uses direct acquisition of the M code navigation signal, obtaining processing gain through the use of large correlator circuits in the user equipment. The M code signal has been designed for autonomous acquisition, so that a receiver will be able to acquire the M code signal without access to C/A code or Y code signals. It is therefore not necessary to discuss it further. MISLEADING THE LOCATION SERVER (LS) In a typical system, the LS is a SUPL (Secure UserPlane Location) Location Platform (OMA-AD-SUPL). The LS may be a Serving Mobile Location Center (SMLC) in a GSM network (3GPP TS 23.271), a Standalone SMLC (SAS) in a UMTS network (3GPP TS 23.271), or another type of network node. The SUPL Location Platform (SLP) is a network entity on the internet that is used to facilitate location. The UserPlane Location Protocol (ULP) is an HTTP-based protocol and is used between the SLP and the SET (OMA-TS-ULP). The SLP has a connection to a GNSS Reference Server (GRS) in order to retrieve and cache assistance data. Location requests are initiated either from the SUPLEnabled Terminal (SET), which is known as a SET initiated transaction, or from the network, which is known as a Network initiated transaction. A Network initiated request is made by a Location-Based Application (LBA) which sends a request to the SLP for the location of a particular handset. The SLP performs the messaging with the SET and determines the location before returning that location to the LBA. When an A-GPS location fix is required, the SLP calculates the GPS assistance data that is specific to the approximate location of the SET. When the SET is in a cellular network, the approximate location generally comes from the coverage area of the serving cell. The SET provides the identification of the cell (cell-Id) to the SLP. The SLP determines which satellites are in view from the approximate location and provides assistance data for those satellites to the SET. The assistance data types sent to the SET depend on the mode of A-GPS. In handset-based A-GPS, the SLP generally provides the navigation model, ionosphere model, reference time, and reference location. The handset uses this information to lock onto the satellites and calculate a location. It then returns the location to the SLP. In handsetassisted mode, the SLP provides the acquisition assistance and the reference time in order for the handset to lock onto the satellites and return the measurements to the SLP. The SLP invokes the PCF (position calculation function) in order to calculate the location of the handset. 10 The spoofer must provide GPS measurements that result in the LS calculating a location that is desired by the spoofer (or attacker). For the Network initiated case, once the LS (SLP) determines the location of the handset, the location is provided to the network entity that requested it. If the LS is trusted by the recipient of the location, then the location will be considered to be valid even though it may not be. The aim of the spoofer is to convince the LS to provide the location that the attacker desires. The attacker does this by falsifying (or spoofing) the measurement data such that the location provided by the LS is effectively predetermined by the attacker. In order to spoof his location, the spoofer needs the satellite ephemeris. The ephemeris may be from a request to the SLP for assistance data. Alternatively, the ephemeris may come from another source such as the internet. One source of the orbital data is the International GNSS Service (IGS). This is used to determine the location of the satellites for the given time. The spoofer calculates the range to each satellite in view of the desired location and uses that as the basis for determining the pseudorange measurements. The measurements are generally converted to pseudoranges by simulating a clock error and introducing other errors such as the ionosphere, troposphere and other random errors. The key piece of information that the spoofer needs to provide to the SLP is the cell-ID. From that, the SLP will look up the coverage area of the cell and calculate the assistance data. This coverage area will also use that as the initial location estimate for the PCF. The cell-ID is also often used for location assurance on the SLP. One way of knowing the cell-IDs is for the spoofer to log cell-IDs against locations and build up a database over time [20]. Countermeasures To Location Server Spoofing This kind of spoofing can also be detected by the server. A server with antispoofing capability will be able to detect the measurements as being spoofed. Some of the obvious signs are on the server of the spoofing will be: Clock error: the receiver clock error will be very small - less than 1x1010 seconds. Residuals: the residuals calculated as part of the least squares process will be very small. Uncertainty ellipse: the uncertainty ellipse will be very small (less than 1 meter of uncertainty) 11 A more sophisticated spoofer will manipulate the measurements by introducing some random errors to each measurement. It will also manipulate all for the measurements by a fixed amount in order to simulate a handset clock error. It may also send a subset of the satellite measurements instead of the complete set of satellites in view. ARCHITECTURE OF SATELLITE TELEPHONE COMMUNICATION INTERCEPTION SYSTEMS In case of terrestrial communication systems, such as land based telephone systems or cellular phone communication systems, the monitoring station may be setup at a public switched telephone network (PSTN) near the location of the subscriber, or in case of cellular communication system, the monitoring station may be setup at a mobile switching controller (MSC). In case of satellite communication systems, however, a call connection originated from a subscriber may not pass through PSTN or MSC because a satellite subscriber (SU) is capable of directly carrying a call connection with a satellite or another SU through a network of satellites without going through a PSTN or MSC. Each satellite system has a number of gateways located at various parts of the world. A gateway that is local to an SU is used for connecting or establishing a call connection between a SU and a land based telephone line, or a call connection between two SU's. When the call is directly between two SU's, the local gateway connections that were made to setup the connection are cut-away from a series of initial connections that were needed to setup the call. Such a series of connections may include at least a connection through a network of satellites. Once the local gateway connection is cut-away, the two SU's communicate directly through the network of satellites, or the network of satellites and a visiting gateway other than the local gateway that has setup the call. The authorized agency can conveniently establish a monitoring station at a gateway to monitor a call connection through the gateway. In case when the call connection is being originated from a first subscriber and terminated at a second subscriber phone or at a land-based telephone connected essentially to another gateway through the connecting PSTN, the authorized agency cannot conveniently establish a monitoring station at every ground gateway station to monitor the calls originated or terminated at the first satellite subscriber phone. In a satellite communication system, one method of unobtrusively intercepting a communication call includes establishing a first connection to originate from a first satellite subscriber (SU) and terminate at a first node at a first transcoder, establishing a second connection to originate from a second node at a second 12 transcoder and terminate at a second SU, switching the first connection to originate from the first SU and terminate at a third node at the second transcoder, and passing a first information carried by the first connection at the third node to the second connection at the second node. The first information without substantial delay or processing is transmitted by the second connection to be received by the second SU. Since the first information originated from the first SU and carried by the first connection at the third node is passed at the second node to the second connection which is terminated at the second SU, the first information is received at the second SU without any processing which makes the appearance that the second connection is directly originated from the first SU without being passed through any other connecting nodes. The first information may be decoded in a decoder portion of the second transcoder to produce a first decoded information. The first decoded information may be monitored. Processing of the first information in addition to what is necessary to carry on a direct satellite subscriber call adds additional delay and changes the quality of the first information when decoded by a receiving portion of the second SU. Substantial additional delays and changes in quality of information are easily detectable. It must therefore be ensured that the information received by the second SU is not substantially delayed or additionally processed, and must have all the indications that it has been received directly from the first SU without going through any other connecting nodes, so that the first and second SU's may not know or detect that the call connection between the first and the second SU's is being monitored. Moreover, no additional signals other than what is necessary to set up the call must be generated. The GPS location of the satellite phone is also gathered in the same process as the set transmits at regular intervals a text message via sms containing the data from the GPS receiver. Monitoring systems are commercially available [21-22]. The systems log the location of Thuraya handset operating within user-selected spot beams, and the telephone numbers with which they communicate. Thuraya has pair of signaling channels; one signaling channel is transmitted at L-band by satellite and received by all Thuraya Phones in the spot beam. This signaling channel is called Broadcast Common Control Channel (BCCH). In addition to BCCH, Access Grant Control, Channel (AGCH), Paging Control Channel (PCH), frequency Correction Channel and Basic Alerting Channel are also time division multiplexed on the same carrier. 13 The other signaling channel is called Random Access Control Channel. RACH provides access to the network for Thuraya Phones. All Thuraya Phones within the spot beams transmits burst at L Band on the RACH Channel, these burst are relayed to PGW at the C band by the satellite. The interception systems typically use a scanning technique to identify C-band downlink frequencies for spot beams of interest. These channels can subsequently be monitored to record the position of mobiles operating within that spot beam, and capture details of the telephone numbers that the mobile contact. The scanning process is performed once in 24 hours, as the frequencies used are dynamically allocated, and change periodically by Thuraya satellite. The position of the target is supposed to be known to within GPS accuracy, (typically 10-20 meters under current conditions). A GIS mapping software is integrated with the system and it plots the location of the target set. Each receiver is independently tunable to any spot beam of the Thuraya Network. The interception system monitors L-Band link from mobile to satellite and C-Band feeder link from satellite to earth station. Since the power transmitted by the mobile handset on the uplink is very low and it is difficult to monitor so the system monitors this information on the C-band downlink (satellite to earth). The system will automatically map the uplink RACH control channel and the appropriate TCH channel of the suspect’s handset at the C-band to appropriate L-band downlink channel of the target spot beam. After that it is only a matter of deciphering the cipher algorithms used on Thuraya network. CONCLUSION Location Server spoofing, in any case, is not easy to accomplish as both the hardware and the technical knowledge required are not easy to come by. It is difficult to believe that the terrorists or the Pakistani intelligence agencies have this level of technical know-how. Further the costs involved also need to be kept in mind. The immense cost would not really be worth the trouble. In any case, in spite of the popular belief so far not a single Thuraya set has been recovered that could be stripped and analyzed to prove that it is ‘spoofed’ or its hardware has been so modified that it misleads the LS server. This is unnatural considering that scores of terrorists keep on getting killed by the security forces and huge quantities of arms, ammunition and communication equipment keep on getting recovered from their possession. How is it that not a single Thuraya phone of the required modifications has not been recovered yet. There is a good reason as to why it cannot be recovered. If it is accepted that Pakistani intelligence agencies are ‘spoofing’ the Thuraya sets so that their location may 14 not be known and hence the complicity of Pakistan in the affair may be denied, why would they run the risk of giving such sets to the terrorists? They know it well that terrorists may be killed and the phones recovered from them. In that case, the spoofed phones would make for an incontrovertible evidence of their complicity, thereby defeating the very purpose of the entire exercise. The risk is not worth the trouble. There is little which can be done to prevent dynamic spoofing of the LS, if at all it is being done. Spoofing can be detected at the server alright but getting the original signal will be difficult or at least not worth the effort. It therefore makes little sense to cry about it. All the commercially available interception systems use proprietary technologies. They have therefore not been subjected to peer-reviewed research in which the functioning of their systems and subsystems are systematically analyzed for the possibility of the unintended introduction of such errors. In all probability, the time-variable GPS coordinates which the intelligence agencies are supposedly getting and which they think are due to dynamic spoofing, are to be attributed to hitherto unknown measurement errors or system errors in their interception systems. REFERENCES 1. `ISI is spoofing Thuraya phone signals to help terrorists`2009-07-08, "http://sify.com/news/isi-is-spoofing-thuraya-phone-signals-to-help-terroristsnews-features-jhiluWchibc.html" 2. India to take up satphones ’spoofing’ with Pakistan July 8th, 2009, http://www.thaindian.com/newsportal/sci-tech/india-to-take-up-satphonesspoofing-with-pakistan_100215069.html 3. India to take up with Pak spoofing of ultras' satellite phones, The Times of India, July 8, 2009, http://m.timesofindia.com/PDATOI/articleshow/4752776.cms 4. India's new worry: Terror phones jammed, with some Pak help, ExpressIndia, July 8, 2009, http://www.expressindia.com/latest-news/Indiasnew-worry-Terror-phones-jammed-with-some-Pak-help/486553/ 5. Pakistan created terrorists, confesses Zardari, Indiatime, July 8, 2009,http://www.indiatime.com/2009/07/08/pakistan-created-terroristsconfesses-zardari/ 6. Terrorist may use Pakistan's Sat phones against India, Siliconindia news bureau, July 8, 2009, http://www.siliconindia.com/shownews/Terrorist_may_use_Pakistans_Sat_pho nes_against_India-nid-58981.html 15 7. Department of Defense. (2000). Navstar GPS Space Segment/Navigation User Interfaces (ICD-GPS-200C with IRN-200C-004), 12 April 2000. Washington, DC: U.S. Government Printing Office. http://www.navcen.uscg.gov/pubs/gps/icd200/icd200cw1234.pdf 8. Researchers raise uncomfortable questions by showing how GPS navigation devices can be duped, Anne Ju, Chronicleonline http://www.news.cornell.edu/stories/Sept08/GPSSpoofing.aj.html 9. GPS open to attack, say researchers, Kate Melville, http://www.scienceagogo.com/news/20080822224026data_trunc_sys.shtml 10. GPS receivers can be 'spoofed,' say researchers, http://www.physorg.com/news141300510.html 11. GPS spoofing device developed to thwart spoofing, Liz Tay, http://www.itnews.com.au/News/124193,gps-spoofing-device-developed-tothwart-thwart-spoofing.aspx 12. See, for example, Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina P¨opper and Srdjan ˇCapkun iPhone and iPod Location Spoofing: Attacks on Public WLAN-based Positioning Systems, ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/5xx/599.pdf 13. Inc. Skyhook. http://www.skyhookwireless.com. 14. Apple Inc. http://www.apple.com. 15. Loki Mobile applet for Nokia phones using Symbian. http://loki.com/download/mobile. 16. Hengqing Wen, Peter Yih-Ru Huang, John Dyer, Andy Archinal and John Fagan, Countermeasures For GPS Signal Spoofing, 129.15.114.75/Download/ION/Wen_Spoof.doc 17. Paul V. Montgomery, Todd E. Humphreys, and Brent M. Ledvina, A MultiAntenna Defense: Receiver-Autonomous GPS Spoofing Detection, www.insidegnss.com/node/1370. 18. See for example, Erica Naone, Hijacking Satellite Navigation Sending false signals to GPS receivers could disrupt critical infrastructure, docendi.niuz.biz/hijacking-t157698.html 19. See, for example, Capt. Brian C. Barker, US Air Force, GPS Joint Program Office; John W. Betz, John E. Clark, Jeffrey T. Correia, James T. Gillis, Steven Lazar, Lt. Kaysi A. Rehborn, and John R. Straton, Overview of the GPS M Code Signal,. http://www.mitre.org/work/tech_papers/tech_papers_00/betz_overview/betz_ov erview.pdf 20. Neil Harper, Martin Dawson, and David Evans, Server-side spoofing and detection for Assisted-GPS, http://ignss.org/files/Paper16.pdf. 16 21. L3 Communications TRL Technology, www.trltech.co.uk/app/.../L3%20TRL%20TMS%20Brochure(1).pdf 22. Stratign Portable Thuraya Satellite Monitoring System and Fixed Thuraya Satellite Monitoring System, STRATIGN FZCO, Dubai.
