SPOOFING OF THE GPS OF THURAYA SATELLITE PHONES:
POSSIBLE MEASURES AND COUNTERMEASURES
Dr. N. C. Asthana, IPS
Inspector General Of Police (Operations), CRPF
Kashmir
(Published in the ‘International Journal of Electronics and Communication Engineering’)
ABSTRACT
It is popularly believed that Pakistani intelligence agencies are assisting the
terrorists in Kashmir by ‘spoofing’ the signals of the Thuraya satellite phones
that the terrorists use, so as to mislead Indian intelligence agencies about their
actual location. This paper examines the technology of spoofing and shows that
while it is possible, it is not likely to be used in the presumed context. Secondly,
while it may be detected, it is difficult to unmask the original signal from the
spoofed signal.
KEY WORDS: Spoofing, Thuraya Satellite Phone, GPS, Location Server.
INTRODUCTION
The Indian media, citing government sources, has been claiming [1-6] that
Pakistani intelligence agencies are assisting the terrorists in Kashmir by
‘spoofing’ the signals of the Thuraya satellite phones that the terrorists use.
Since intelligence agencies supposedly monitor the terrorists’ use of satellite
phones, it is believed that the purpose of such spoofing is to make it impossible
for the Indian intelligence agencies to track the location of such satellite phones
by making the in-built GPS of the satellite phone give out deliberately wrong
coordinates of the handset. Should it be correct, this is a very serious matter
because as a result, it will be difficult to interdict such terrorists in the first
place and secondly, Pakistan can easily deny that its soil is being used for
assisting the terrorists. Since spoofing is a complex subject and little is known
about it even amongst most communication engineering professionals, the
author has considered it desirable to present a concise overview of the subject.
The purpose of this paper is to examine whether such a thing is possible or not
and if possible, what countermeasures can be taken to detect or thwart it.
THURAYA SATELLITE PHONES
The Thuraya satellite phone network provides coverage over Europe, the
Middle East, Central and Northern Africa, Central Asia and the Indian
subcontinent. For the connection to the base station gateway, Thuraya satellites use the
C-band. For the connection between mobile devices and satellites, the L-band is used.
To allow small mobile devices, Thuraya satellites use a very large L-band
antenna with a diameter of 12.25 m. Each satellite can provide 13750
simultaneous phone connections. The Thuraya geostationary satellites utilize
on-board digital signal processing to create more than 200 spot beams that can
be redirected on-orbit, allowing the satellite phone network to adapt to customer
demand in real time.
Thuraya's handheld mobile phone not only combines satellite and GSM, it also
offers built-in Global Positioning System (GPS). Thuraya offers “GPS distance
and direction display” as a standard feature in its mobile phone. The “GPS
distance and direction display” feature on Thuraya’s “Man Machine Interface
(MMI)” extends the GPS functionality to support the calculation of distance and
direction between two points. When a user determines the present location
using the existing MMI commands, the menu option will be available to allow a
distance and direction to be calculated. Once the user initiates this menu command,
the phone prompts the user to select a stored benchmark location from memory.
After the selection is done, the phone calculates the distance and direction from
the current point to the stored point, displaying the results of distance and
directions to the user.
SPOOFING AND JAMMING: IMPORTANT DISTINCTION
The popular belief and media perception is that powerful transmitters have been
set up across the Line of Control and the international border dividing India and
Pakistan, blanking out signals from the Thuraya phones used by terrorists. This
is not correct. The strength of the GPS signal on the earth’s surface averages -160 dBw [7]. While many GPS receivers leave large space for signal dynamics,
enough power space is left for the GPS signals to be overridden. One does not
require ‘powerful transmitters’ to be set up by a nation for that—even low
power transmitters would do the job! Spoofing is completely different from
jamming. A spoof is defined as a malicious signal that overpowers the
authentic signal and misleads the receiver to use a forged signal for further
processing. Spoofing could be done to gain access to services, such as a
particular game broadcast, that are restricted to a certain geographic area; by an
employee deceiving an employer about their true location; by a criminal who is
being tracked by the law and does not want the tracker to know his correct
location; or to spoof the location of a shipment that is being remotely tracked.
The objective of jamming is to simply interrupt the availability of the GPS
signals in space at the receiver. In-band or out-of-band harmonic RF
transmissions could mask the weak GPS spread spectrum signals. The effect is
to cause the signal at the receiver to be corrupted so that no valid GPS signal
can be decoded by the receiver. Spoofing is more serious than jamming
because jamming will cause the service to degrade in performance while
spoofing takes control of the user receiver. Jamming is a low-tech affair and at
best, a prank. Jamming would not serve the purpose of the terrorists or those
assisting them. They must mislead the agencies intercepting the calls. This falls
in the realm of spoofing, which could be of two types.
MISLEADING THE GPS RECEIVER
This type would involve an attacker who would provide the receiver with a
misleading signal, fooling the receiver to use fake signals in space for
positioning calculations. The receiver will produce a misleading position
solution. Two basic configurations are possible.
GPS signal generator: Spoofers in this category are GPS signal generators
readily available from several vendors. For use as a spoofer, the signal
generator’s RF output is amplified and transmitted, possibly using a directional
antenna. In this case, the transmitted signals are not phase- and frequency-matched
to the GPS signals being received from satellites in the locality, and
the navigation data do not replicate the currently active navigation data.
Although a receiver could be fooled by this approach, particularly if the target
receiver is first jammed and forced to reacquire, the spoofing signal generated
in this fashion typically looks like noise—rather than a usable signal—to a
receiver tracking it.
GPS Receiver Spoofer: Spoofers in this category are coupled to a GPS
receiver. The GPS receiver tracks satellite signals at a location and decodes the
navigation data. The spoofer then generates a signal that mimics the incident
satellite signals in all respects. Conceivably, a spoofer could add a calculated
offset to each satellite signal to compensate for a specified geometric offset to
the target GPS antenna. The spoofer is also able to vary the signal strength of
the constituent signals so that they appear at the target antenna to have the same
relative strengths of the authentic signals. The Cornell University “GRID” dual-frequency
software-defined GPS receiver is an example of this type of spoofer.
It can simultaneously track 12 C/A channels and generate 8 C/A spoofing
channels. The hardware required for this type of spoofer is neither very costly
nor difficult to procure but the technical knowledge required must be of a high
order. The Cornell experiments were widely reported [8-11] in the media and
led to a great deal of speculation.
It is rather easy [12] to mislead WLAN positioning systems being used as a
substitute for or as complement to the GPS, such as the Wi-Fi positioning
system (WPS) from Skyhook [13], available for PCs (as a plugin) and on a
number of mobile platforms, including the Apple iPod touch and iPhone [14] as
well as on Nokia mobile phones based on Symbian [15]. Spoofing attacks on
such systems take the following actions: (1) impersonation of access points
(from one location to another) and (2) elimination of signals sent by legitimate
access points. Since rogue access points can forge their Medium Access Control
(MAC) addresses and can transmit at arbitrary power levels, access point
impersonation can be easily done in WPS. Equally, since WLAN signals are
easy to jam, signals from legitimate access points can be eliminated using a
software radio platform like the Ettus Universal Software Radio Peripheral
(USRP) with daughterboards for the 2.4 GHz band, thus enabling location
spoofing. The idea of an AP impersonation attack is to report remote access
points to the attacked device, which will then compute a location that is in the
proximity of the remote APs. This attack exploits the fact that the WPS
localization relies on (easily replayed) AP MAC addresses for their
identification; AP MAC addresses are public since they are contained in the
network announcement beacons.
For the GPS, there are four GPS observables that can be directly measured by a
GPS receiver. They are the GPS message, code ranges, fractional phase ranges
and Doppler shift. In a GPS receiver, PRN (pseudorandom noise) code
correlation is performed at high frequency to remove the PRN code. The
received GPS signal is passed through a high pass filter to remove navigation
data. After the navigation message is removed, the resulting signal is the
Doppler shifted carrier. The Doppler shifted carrier is then passed to a PLL and
compared with a receiver-generated carrier to get the fractional phase offset.
The GPS message can be spoofed because PRN code is available to the public.
The PRN code ranges of C/A code and P-code are direct observables. One chip
of C/A code range will cause 300 km ambiguity. The range measurement for
C/A code is the basic observation of GPS receivers and it is derived from the
time shift of the receiver PRN sequence and the PRN sequence that is
multiplexing the incoming signal. This time shift, however, can be controlled
by spoofing the transmitter. Pseudorange measurements can then be modeled.
The satellite position vector can be forged by spoofing the GPS messages.
Using this model, the PRN code shift can be easily calculated. Spoofing a static
receiver (called static spoofing) is much easier than spoofing a dynamic
receiver. For a stationary receiver, the position solution is fixed; the spoofed
pseudorange can be calculated using code range model. For a moving receiver
(called dynamic spoofing), if the spoofer does not need to avoid cross-checking
at the spoofed receiver, then the position solution can be forged in advance and
then use the pseudorange model again to get a time sequence of the spoofed
pseudorange.
In one possible application of this sort of spoofing, we could consider spoofing
of the VMS (vessel monitoring system). In fishing waters controlled by the
European Union (EU), for example, Commission Regulation No.2244/2003
requires that operators of fishing vessels more than 15 meters in length carry a
satellite-based vessel monitoring system (VMS). The VMS (typically
employing GPS today) records the voyage of the vessel and automatically
provides the data to the fisheries monitoring center of the EU member state
where the vessel is registered as well as the member state in whose waters the
vessel is fishing. Naturally, the data can be used to detect passage into waters
for which the vessel is not licensed. In this case of spoofing the
intent of the operator would be to log a fictional voyage that does not disclose
illegal fishing activities. In such a situation, all the spoofer has to do is to
disconnect the GPS antenna and attach instead a local GPS signal generator.
Simple ‘GPS fraud kits’ are available for about $2,535 that could feed spoofed
signals into the VMS’s RS-232 port after disabling the antenna and opening the
VMS box. There are also sophisticated ‘GPS signal simulators’ available for
about $126,700 that could be connected to or radiated towards the VMS unit.
Countermeasures To Receiver-End Spoofing
As a one-way broadcast system, GPS is not immune to spoof attack except the
Y-code whose encryption algorithm is not available to civilian users. As
analyzed in the introduction section, a spoof can never be detected using check
matrices, like the CRC check, in the digital domain. However, by cross-checking the observables, intermediate measurements, and positioning solutions,
a spoof can be detected.
One method is to monitor the absolute power of each carrier. The received
signal power is not expected to exceed -155.5 dBw and -153 dBw, respectively
for P(Y) code and C/A code components of the L1 channel, nor -158 dBw for
either signal on the L2 channel. Hence a reasonable maximum power can be set
to limit the spoof signal power in space, because a spoof station will increase
the signal power in space by at least 3 dB. Another method is to monitor signal
power changing rate. Still another is to monitor the relative powers. Modernized
GPS will have two signals on L2 and one signal on L5. These signals will also
have relatively fixed power ratios. On checking the relative power ratio, those
types of spoof that do not override all of the signal components on all
frequencies (L1/L2 and modernized L5) can be easily detected. Yet another
method is to bound and compare range rates. In order to spoof a receiver, code
range must be spoofed properly and phase ranges have to be spoofed in
accordance with code range if a spoofer wants to let phase range conform to
code range. When phase ranges are to be forged with respect to code range,
phase range rate will probably be sacrificed to spoof phase range. Therefore,
comparing code and phase range rates can detect the abnormality, and bounding
the rates gives a mechanism to detect the abnormality. Another method could
be Doppler shift check. It is impossible to get all the Doppler shifts for all
satellites correct by mimicking satellite movement by the spoof source using a
single transmitter because the Doppler shift is changing carrier frequency.
Although CDMA signals with different PRN code can be summed before being
modulated on a carrier, the spoof signal has to be modulated to a different
carrier to avoid the Doppler test. A spoofer might thus have to use one
transmitter for each spoofed SV. One could also go for cross-correlation of L1
and L2. Since the signal on L2 is slower than that on L1 due to ionosphere
effect, the sign of cross-correlation shift is known. This test requires spoofers to
spoof both carriers if any L1 or L2 carrier is spoofed, i.e. messages on both
carriers must be spoofed. Still another method could involve L1-L2 range
differences. The spoofed signal that is propagating only in the lower layer of
atmosphere behaves differently from the authentic signal with ionosphere delay.
We could also use received ephemeris data or jump detection. All observables
and the signal power should be monitored for abrupt changes outside a tolerable
range. Any jump in observables or signal power might mean the turning on of a
spoof attack.
These various countermeasures can be summarized [16] as follows:
Test statistic | Function | Limitation
--- | --- | ---
Absolute signal power | Limit the spoof signal power | Antenna attitude and environment related
Signal power changing rate | Detect stationary spoof station | Antenna attitude and environment related
Relative signal strengths on all carriers | Detect spoofing on single carrier | Affected by ionosphere refraction
Range rate | Bound the phase and code range rate | Relate to GPS receiver’s moving direction
Doppler shift | Detect spoof that uses one transmitter to spoof all satellites | None
Correlation peaks | Correlate L1/L2 binary message | Low performance on Y-code
GPS signal after removing all navigation data | Recover authentic data | Requires low spoof/authentic signal power ratio
Range differences: phase/code, L1/L2 | Identify signal source | Needs to be L1/L2 receiver
Ephemeris data | Verify ephemeris data including satellite position | None
Signal power and data | Jump detection | None
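Four of the checks described above (absolute power, power jump, range-rate bound, and code versus phase range rate) applied to one satellite's track, as an added Python example that is not part of the original paper. The -153 dBw ceiling and the 3 dB step come from the text; the two rate bounds, the `Obs` record, the function name and the sample track are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_CA_L1_DBW = -153.0    # from the page: ceiling for C/A code power on L1
MIN_SPOOF_STEP_DB = 3.0   # from the page: a spoof station adds at least 3 dB
MAX_RANGE_RATE = 1000.0   # m/s, assumed bound on line-of-sight range rate
MAX_RATE_GAP = 10.0       # m/s, assumed code-vs-phase range-rate tolerance


@dataclass
class Obs:
    t: float           # epoch time, s
    power_dbw: float   # received C/A power on L1
    code_m: float      # code (pseudo)range, m
    phase_m: float     # carrier-phase range, m


def check_sv(history):
    """Return (time, reason) alerts for one satellite's observation history."""
    alerts = []
    prev = None
    for cur in history:
        # Absolute power: authentic C/A on L1 should stay under the ceiling.
        if cur.power_dbw > MAX_CA_L1_DBW:
            alerts.append((cur.t, "absolute power"))
        if prev is not None:
            dt = cur.t - prev.t
            # Power changing rate: a sudden step of 3 dB or more.
            if cur.power_dbw - prev.power_dbw >= MIN_SPOOF_STEP_DB:
                alerts.append((cur.t, "power jump"))
            code_rate = (cur.code_m - prev.code_m) / dt
            phase_rate = (cur.phase_m - prev.phase_m) / dt
            # Bound the rates, then compare code rate against phase rate.
            if max(abs(code_rate), abs(phase_rate)) > MAX_RANGE_RATE:
                alerts.append((cur.t, "range rate bound"))
            if abs(code_rate - phase_rate) > MAX_RATE_GAP:
                alerts.append((cur.t, "code/phase rate mismatch"))
        prev = cur
    return alerts


# Constructed 1 Hz track of one satellite; a stronger signal with a shifted
# code range takes over at t = 3 s while the phase range continues smoothly.
TRACK = [
    Obs(0.0, -158.6, 21_000_000.0, 21_000_000.0),
    Obs(1.0, -158.4, 21_000_450.8, 21_000_450.1),
    Obs(2.0, -158.5, 21_000_900.3, 21_000_900.2),
    Obs(3.0, -152.1, 21_003_350.0, 21_001_350.3),
    Obs(4.0, -152.0, 21_003_800.5, 21_001_800.4),
]

if __name__ == "__main__":
    for t, reason in check_sv(TRACK):
        print(f"t={t:.0f}s  {reason}")
```
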
We could also use angle-of-arrival discrimination [17]. In this we could use a
dual-antenna receiver based on observation of L1 carrier differences between
multiple antennas referenced to a common oscillator. If the delta
phase measurements do not agree with the expected phase profiles within
bounds set by the expected noise and attitude uncertainty, then a spoofing signal
is identified. For a spoofer to defeat the algorithm as implemented, the spoofing
system must emulate the expected carrier phase deltas between the pair of
antennas for all satellites in track. Even a sophisticated spoofer cannot emulate
this geometry for several satellites if the spoofer is limited to one transmitting
antenna. A sophisticated spoofer with two separate points of transmission might
be able to defeat the algorithm. However, this would also require the spoofer to
know the geometry of the GPS antenna array, locate a matched transmitter
antenna very close to each GPS antenna, and deal with other difficult problems
associated with multipath, signal leakage, and self-interference.
Why Spoofing Military GPS Is Difficult
While the GPS P-code is heavily encrypted and thus, is hard to spoof, the
civilian GPS signal, the C/A code, is easy to spoof because the signal structure,
the spread spectrum codes, and modulation methods are open to the public. In
Hollywood films and in popular perception, this could set up the plot for a
frightening scenario where terrorists mislead the GPS of GPS-guided missiles
and bombs so that they hit an unintended target thereby precipitating a crisis
[18].
Manipulating the military GPS is, however, much more difficult. Considerable
specific research has been carried out in this regard [19]. The M code signal’s
security design is based on next generation cryptography and other aspects,
including a new keying architecture. The modulation of the M code signal is a
binary offset carrier signal with subcarrier frequency 10.23 MHz and spreading
code rate of 5.115 M spreading bits per second, denoted as BOC(10.23,5.115)
(abbreviated as BOC(10,5)) modulation; the spreading code transitions are
aligned with transitions of the square wave subcarrier. Spreading and data
modulations employ biphase modulation, so that the signal occupies one phase
quadrature channel of the carrier. The spreading code is a pseudorandom bit
stream from a signal protection algorithm, having no apparent structure or
period. The baseline acquisition approach uses direct acquisition of the M code
navigation signal, obtaining processing gain through the use of large correlator
circuits in the user equipment. The M code signal has been designed for
autonomous acquisition, so that a receiver will be able to acquire the M code
signal without access to C/A code or Y code signals. It is therefore not
necessary to discuss it further.
MISLEADING THE LOCATION SERVER (LS)
In a typical system, the LS is a SUPL (Secure UserPlane Location) Location
Platform (OMA-AD-SUPL). The LS may be a Serving Mobile Location Center
(SMLC) in a GSM network (3GPP TS 23.271), a Standalone SMLC (SAS) in a
UMTS network (3GPP TS 23.271), or another type of network node. The SUPL
Location Platform (SLP) is a network entity on the internet that is used to
facilitate location. The UserPlane Location Protocol (ULP) is an HTTP-based
protocol and is used between the SLP and the SET (OMA-TS-ULP). The SLP
has a connection to a GNSS Reference Server (GRS) in order to retrieve and
cache assistance data. Location requests are initiated either from the SUPL-Enabled
Terminal (SET), which is known as a SET initiated transaction, or
from the network, which is known as a Network initiated transaction. A
Network initiated request is made by a Location-Based Application (LBA)
which sends a request to the SLP for the location of a particular handset. The
SLP performs the messaging with the SET and determines the location before
returning that location to the LBA. When an A-GPS location fix is required, the
SLP calculates the GPS assistance data that is specific to the approximate
location of the SET. When the SET is in a cellular network, the approximate
location generally comes from the coverage area of the serving cell. The SET
provides the identification of the cell (cell-Id) to the SLP. The SLP determines
which satellites are in view from the approximate location and provides
assistance data for those satellites to the SET. The assistance data types sent to
the SET depend on the mode of A-GPS. In handset-based A-GPS, the SLP
generally provides the navigation model, ionosphere model, reference time, and
reference location. The handset uses this information to lock onto the satellites
and calculate a location. It then returns the location to the SLP. In handset-assisted
mode, the SLP provides the acquisition assistance and the reference
time in order for the handset to lock onto the satellites and return the
measurements to the SLP. The SLP invokes the PCF (position calculation
function) in order to calculate the location of the handset.
The spoofer must provide GPS measurements that result in the LS calculating a
location that is desired by the spoofer (or attacker). For the Network initiated
case, once the LS (SLP) determines the location of the handset, the location is
provided to the network entity that requested it. If the LS is trusted by the
recipient of the location, then the location will be considered to be valid even
though it may not be. The aim of the spoofer is to convince the LS to provide
the location that the attacker desires. The attacker does this by falsifying (or
spoofing) the measurement data such that the location provided by the LS is
effectively predetermined by the attacker. In order to spoof his location, the
spoofer needs the satellite ephemeris. The ephemeris may be from a request to
the SLP for assistance data. Alternatively, the ephemeris may come from
another source such as the internet. One source of the orbital data is the
International GNSS Service (IGS). This is used to determine the location of the
satellites for the given time. The spoofer calculates the range to each satellite in
view of the desired location and uses that as the basis for determining the
pseudorange measurements. The measurements are generally converted to
pseudoranges by simulating a clock error and introducing other errors such as
the ionosphere, troposphere and other random errors. The key piece of
information that the spoofer needs to provide to the SLP is the cell-ID. From
that, the SLP will look up the coverage area of the cell and calculate the
assistance data. The SLP will also use this coverage area as the initial location
estimate for the PCF. The cell-ID is also often used for location assurance on
the SLP. One way of knowing the cell-IDs is for the spoofer to log cell-IDs
against locations and build up a database over time [20].
Countermeasures To Location Server Spoofing
This kind of spoofing can also be detected by the server. A server with anti-spoofing
capability will be able to detect the measurements as being spoofed.
Some of the obvious signs of spoofing on the server will be:
- Clock error: the receiver clock error will be very small, less than 1x10^-10 seconds.
- Residuals: the residuals calculated as part of the least squares process
will be very small.
- Uncertainty ellipse: the uncertainty ellipse will be very small (less than 1
meter of uncertainty).
A more sophisticated spoofer will manipulate the measurements by introducing
some random errors to each measurement. It will also manipulate all of the
measurements by a fixed amount in order to simulate a handset clock error. It
may also send a subset of the satellite measurements instead of the complete set
of satellites in view.
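The three server-side signs listed above, computed from a least-squares position fix over reported pseudoranges, as an added Python example that is not part of the original paper. The clock-error and 1 metre limits come from the text; the residual cut-off, the coordinates, the function names and the scalar position uncertainty used in place of an ellipse are assumptions.

```python
import math

C = 299_792_458.0     # speed of light, m/s
CLOCK_MIN_S = 1e-10   # from the page: spoofed clock error falls below this
UNCERT_MIN_M = 1.0    # from the page: spoofed uncertainty is under 1 metre
RESID_MIN_M = 0.05    # assumed cut-off for "very small" residuals (RMS, m)

# Constructed ECEF coordinates in metres: six satellites and the true handset.
SATS = [(4000e3, 22000e3, 14300e3), (-12000e3, 20000e3, 12800e3),
        (16000e3, 18000e3, 11000e3), (2000e3, 14000e3, 22500e3),
        (5000e3, 26000e3, 2000e3), (-6000e3, 12000e3, 23000e3)]
HANDSET = (1113e3, 5460e3, 3090e3)


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


def position_fix(sats, prs, iterations=15):
    """Least-squares PCF: returns (position, clock error in s, residuals, N)."""
    x = [0.0, 0.0, 0.0, 0.0]   # x, y, z and clock error (expressed in metres)
    for _ in range(iterations):
        h, dz = [], []
        for s, pr in zip(sats, prs):
            rng = dist(s, x[:3])
            h.append([(x[i] - s[i]) / rng for i in range(3)] + [1.0])
            dz.append(pr - (rng + x[3]))
        normal = [[sum(r[i] * r[j] for r in h) for j in range(4)] for i in range(4)]
        rhs = [sum(r[i] * d for r, d in zip(h, dz)) for i in range(4)]
        x = [xi + di for xi, di in zip(x, solve(normal, rhs))]
    res = [pr - (dist(s, x[:3]) + x[3]) for s, pr in zip(sats, prs)]
    return x[:3], x[3] / C, res, normal


def spoof_signs(sats, prs):
    """Return which of the three server-side signs the measurements show."""
    if len(prs) < 5:
        raise ValueError("need at least 5 measurements to form residuals")
    _, clock_s, res, normal = position_fix(sats, prs)
    sum_sq = sum(r * r for r in res)
    rms = math.sqrt(sum_sq / len(res))
    sigma0 = math.sqrt(sum_sq / (len(res) - 4))   # a-posteriori std. dev.
    # Diagonal of N^-1 for x, y, z gives the position variance factors.
    q = [solve(normal, [float(i == k) for i in range(4)])[k] for k in range(3)]
    uncert = sigma0 * math.sqrt(sum(q))
    signs = []
    if abs(clock_s) < CLOCK_MIN_S:
        signs.append("clock error")
    if rms < RESID_MIN_M:
        signs.append("residuals")
    if uncert < UNCERT_MIN_M:
        signs.append("uncertainty")
    return signs


RANGES = [dist(s, HANDSET) for s in SATS]
# Constructed report 1: ranges taken straight from geometry, nothing added.
TOO_CLEAN = list(RANGES)
# Constructed report 2: a 0.32 ms receiver clock error plus metre-level errors.
ERRORS_M = [2.1, -3.4, 1.2, 4.0, -1.7, -2.9]
REALISTIC = [r + C * 3.2e-4 + e for r, e in zip(RANGES, ERRORS_M)]

if __name__ == "__main__":
    print("too clean:", spoof_signs(SATS, TOO_CLEAN))
    print("realistic:", spoof_signs(SATS, REALISTIC))
```

These three signs only catch measurements reported without any simulated clock error or random errors; measurements padded as the preceding paragraph describes look like the second report and show none of them.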
ARCHITECTURE OF SATELLITE TELEPHONE COMMUNICATION
INTERCEPTION SYSTEMS
In the case of terrestrial communication systems, such as land-based telephone
systems or cellular phone communication systems, the monitoring station may
be set up at a public switched telephone network (PSTN) near the location of the
subscriber, or in the case of a cellular communication system, the monitoring station
may be set up at a mobile switching controller (MSC). In the case of satellite
communication systems, however, a call connection originated from a
subscriber may not pass through PSTN or MSC because a satellite subscriber
(SU) is capable of directly carrying a call connection with a satellite or another
SU through a network of satellites without going through a PSTN or MSC.
Each satellite system has a number of gateways located at various parts of the
world. A gateway that is local to an SU is used for connecting or establishing a
call connection between a SU and a land based telephone line, or a call
connection between two SU's. When the call is directly between two SU's, the
local gateway connections that were made to set up the connection are cut-away
from a series of initial connections that were needed to set up the call. Such a
series of connections may include at least a connection through a network of
satellites. Once the local gateway connection is cut-away, the two SU's
communicate directly through the network of satellites, or the network of
satellites and a visiting gateway other than the local gateway that has set up the
call. The authorized agency can conveniently establish a monitoring station at a
gateway to monitor a call connection through the gateway. In the case when the call
connection is being originated from a first subscriber and terminated at a second
subscriber phone or at a land-based telephone connected essentially to another
gateway through the connecting PSTN, the authorized agency cannot
conveniently establish a monitoring station at every ground gateway station to
monitor the calls originated or terminated at the first satellite subscriber phone.
In a satellite communication system, one method of unobtrusively intercepting a
communication call includes establishing a first connection to originate from a
first satellite subscriber (SU) and terminate at a first node at a first transcoder,
establishing a second connection to originate from a second node at a second
transcoder and terminate at a second SU, switching the first connection to
originate from the first SU and terminate at a third node at the second
transcoder, and passing a first information carried by the first connection at the
third node to the second connection at the second node. The first information
without substantial delay or processing is transmitted by the second connection
to be received by the second SU. Since the first information originated from the
first SU and carried by the first connection at the third node is passed at the
second node to the second connection which is terminated at the second SU, the
first information is received at the second SU without any processing which
makes the appearance that the second connection is directly originated from the
first SU without being passed through any other connecting nodes. The first
information may be decoded in a decoder portion of the second transcoder to
produce a first decoded information. The first decoded information may be
monitored.
Processing of the first information in addition to what is necessary to carry on a
direct satellite subscriber call adds additional delay and changes the quality of
the first information when decoded by a receiving portion of the second SU.
Substantial additional delays and changes in quality of information are easily
detectable. It must therefore be ensured that the information received by the
second SU is not substantially delayed or additionally processed, and must have
all the indications that it has been received directly from the first SU without
going through any other connecting nodes, so that the first and second SU's may
not know or detect that the call connection between the first and the second
SU's is being monitored. Moreover, no additional signals other than what is
necessary to set up the call must be generated. The GPS location of the satellite
phone is also gathered in the same process as the set transmits at regular
intervals a text message via SMS containing the data from the GPS receiver.
Monitoring systems are commercially available [21-22]. The systems log the
location of Thuraya handsets operating within user-selected spot beams, and the
telephone numbers with which they communicate. Thuraya has a pair of signaling
channels; one signaling channel is transmitted at L-band by satellite and
received by all Thuraya Phones in the spot beam. This signaling channel is
called Broadcast Common Control Channel (BCCH). In addition to BCCH,
Access Grant Control Channel (AGCH), Paging Control Channel (PCH),
Frequency Correction Channel and Basic Alerting Channel are also time
division multiplexed on the same carrier.
The other signaling channel is called the Random Access Control Channel (RACH). RACH
provides access to the network for Thuraya phones. All Thuraya phones within
the spot beams transmit bursts at L-band on the RACH channel; these bursts are
relayed to the PGW at the C-band by the satellite. The interception systems
typically use a scanning technique to identify C-band downlink frequencies for
spot beams of interest. These channels can subsequently be monitored to record
the position of mobiles operating within that spot beam, and capture details of
the telephone numbers that the mobiles contact. The scanning process is
performed once in 24 hours, as the frequencies used are dynamically allocated
and changed periodically by the Thuraya satellite. The position of the target is
supposed to be known to within GPS accuracy, (typically 10-20 meters under
current conditions). A GIS mapping software is integrated with the system and
it plots the location of the target set.
Each receiver is independently tunable to any spot beam of the Thuraya
Network. The interception system monitors L-Band link from mobile to satellite
and C-Band feeder link from satellite to earth station. Since the power
transmitted by the mobile handset on the uplink is very low and difficult to
monitor, the system monitors this information on the C-band downlink
(satellite to earth). The system will automatically map the uplink RACH control
channel and the appropriate TCH channel of the suspect’s handset at the C-band
to appropriate L-band downlink channel of the target spot beam. After that it is
only a matter of deciphering the cipher algorithms used on Thuraya network.
CONCLUSION
Location Server spoofing, in any case, is not easy to accomplish as both the
hardware and the technical knowledge required are not easy to come by. It is
difficult to believe that the terrorists or the Pakistani intelligence agencies have
this level of technical know-how. Further the costs involved also need to be
kept in mind. The immense cost would not really be worth the trouble. In any
case, in spite of the popular belief so far not a single Thuraya set has been
recovered that could be stripped and analyzed to prove that it is ‘spoofed’ or its
hardware has been so modified that it misleads the LS server. This is unnatural
considering that scores of terrorists keep on getting killed by the security forces
and huge quantities of arms, ammunition and communication equipment keep
on getting recovered from their possession. How is it that not a single Thuraya
phone with the required modifications has been recovered yet? There is a good
reason as to why it cannot be recovered. If it is accepted that Pakistani
intelligence agencies are ‘spoofing’ the Thuraya sets so that their location may
not be known and hence the complicity of Pakistan in the affair may be denied,
why would they run the risk of giving such sets to the terrorists? They know
well that terrorists may be killed and the phones recovered from them. In that
case, the spoofed phones would make for incontrovertible evidence of their
complicity, thereby defeating the very purpose of the entire exercise. The risk is
not worth the trouble.
There is little which can be done to prevent dynamic spoofing of the LS, if at all
it is being done. Spoofing can be detected at the server all right, but getting the
original signal will be difficult or at least not worth the effort. It therefore
makes little sense to cry about it. All the commercially available interception
systems use proprietary technologies. They have therefore not been subjected to
peer-reviewed research in which the functioning of their systems and sub-systems
is systematically analyzed for the possibility of the unintended
introduction of such errors. In all probability, the time-variable GPS coordinates
which the intelligence agencies are supposedly getting, and which they think are
due to dynamic spoofing, are to be attributed to hitherto unknown measurement
errors or system errors in their interception systems.
REFERENCES
1. ISI is spoofing Thuraya phone signals to help terrorists, 2009-07-08,
http://sify.com/news/isi-is-spoofing-thuraya-phone-signals-to-help-terroristsnews-features-jhiluWchibc.html
2. India to take up satphones ‘spoofing’ with Pakistan, July 8th, 2009,
http://www.thaindian.com/newsportal/sci-tech/india-to-take-up-satphonesspoofing-with-pakistan_100215069.html
3. India to take up with Pak spoofing of ultras' satellite phones, The Times of India, July 8, 2009,
http://m.timesofindia.com/PDATOI/articleshow/4752776.cms
4. India's new worry: Terror phones jammed, with some Pak help, ExpressIndia, July 8, 2009,
http://www.expressindia.com/latest-news/Indiasnew-worry-Terror-phones-jammed-with-some-Pak-help/486553/
5. Pakistan created terrorists, confesses Zardari, Indiatime, July 8, 2009,
http://www.indiatime.com/2009/07/08/pakistan-created-terroristsconfesses-zardari/
6. Terrorist may use Pakistan's Sat phones against India, Siliconindia news bureau, July 8, 2009,
http://www.siliconindia.com/shownews/Terrorist_may_use_Pakistans_Sat_phones_against_India-nid-58981.html
7. Department of Defense. (2000). Navstar GPS Space Segment/Navigation
User Interfaces (ICD-GPS-200C with IRN-200C-004), 12 April 2000.
Washington, DC: U.S. Government Printing Office.
http://www.navcen.uscg.gov/pubs/gps/icd200/icd200cw1234.pdf
8. Researchers raise uncomfortable questions by showing how GPS navigation
devices can be duped, Anne Ju, Chronicleonline,
http://www.news.cornell.edu/stories/Sept08/GPSSpoofing.aj.html
9. GPS open to attack, say researchers, Kate Melville,
http://www.scienceagogo.com/news/20080822224026data_trunc_sys.shtml
10. GPS receivers can be 'spoofed,' say researchers,
http://www.physorg.com/news141300510.html
11. GPS spoofing device developed to thwart spoofing, Liz Tay,
http://www.itnews.com.au/News/124193,gps-spoofing-device-developed-tothwart-thwart-spoofing.aspx
12. See, for example, Nils Ole Tippenhauer, Kasper Bonne Rasmussen,
Christina Pöpper and Srdjan Čapkun, iPhone and iPod Location Spoofing:
Attacks on Public WLAN-based Positioning Systems,
ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/5xx/599.pdf
13. Inc. Skyhook. http://www.skyhookwireless.com.
14. Apple Inc. http://www.apple.com.
15. Loki Mobile applet for Nokia phones using Symbian.
http://loki.com/download/mobile.
16. Hengqing Wen, Peter Yih-Ru Huang, John Dyer, Andy Archinal and John
Fagan, Countermeasures For GPS Signal Spoofing,
129.15.114.75/Download/ION/Wen_Spoof.doc
17. Paul V. Montgomery, Todd E. Humphreys, and Brent M. Ledvina, A Multi-Antenna
Defense: Receiver-Autonomous GPS Spoofing Detection,
www.insidegnss.com/node/1370.
18. See, for example, Erica Naone, Hijacking Satellite Navigation: Sending false
signals to GPS receivers could disrupt critical infrastructure,
docendi.niuz.biz/hijacking-t157698.html
19. See, for example, Capt. Brian C. Barker, US Air Force, GPS Joint Program
Office; John W. Betz, John E. Clark, Jeffrey T. Correia, James T. Gillis, Steven
Lazar, Lt. Kaysi A. Rehborn, and John R. Straton, Overview of the GPS M
Code Signal,
http://www.mitre.org/work/tech_papers/tech_papers_00/betz_overview/betz_overview.pdf
20. Neil Harper, Martin Dawson, and David Evans, Server-side spoofing and
detection for Assisted-GPS, http://ignss.org/files/Paper16.pdf.
21. L3 Communications TRL Technology, www.trltech.co.uk/app/.../L3%20TRL%20TMS%20Brochure(1).pdf
22. Stratign Portable Thuraya Satellite Monitoring System and Fixed Thuraya
Satellite Monitoring System, STRATIGN FZCO, Dubai.