What Is GPS Spoofing and How Do You Defend Against It?

GPS spoofing is when a counterfeit radio signal is transmitted to a receiver antenna to counteract and override a legitimate GPS satellite signal. It is often a form of cyberattack perpetrated by bad actors attempting to steer goods or people off course. 

GPS spoofing can be used to steal shipments, send boaters into the hands of pirates, or project a false location. 

Global positioning system, or GPS, technology is a standard part of many businesses and used by many consumers. 

Using GPS can help individuals to navigate from one point to another. It is common practice for shipping and individuals relying on the technology to reach a specific destination. 

Companies and individuals can take measures to protect against GPS spoofing, including using decoy antennae and keeping GPS-enabled equipment offline when connectivity is not necessary. Practicing good cyber hygiene can also help to protect against GPS spoofing.

Defining GPS spoofing

In short, the word “spoofing” means faking. With GPS spoofing, “fake” information is sent to a receiver while overriding the actual information.

GPS spoofing involves a radio transmitter near a target that interferes with the actual GPS signals being transmitted. GPS signals are often weak and transmitted through satellites. A stronger radio transmitter can be used to override the weaker signal and send illegitimate coordinates and information to the receiver. 

GPS spoofing can then send people off course or say that someone is somewhere that they are not.

GPS is one of the global navigation satellite systems (GNSS) used in the world. Along with delivering location information, it is also used to keep accurate time. These functions can also be disrupted through spoofing or jamming.

Impacting businesses and individuals alike, GPS spoofing can interfere with smartphone apps and location data as well as involve cyberattacks on network systems and critical infrastructure that relies on GPS data.

How does GPS spoofing work?

The U.S. GPS system is made up of 31 satellites known as Navstar that broadcast PRN codes to both civilians and the U.S. military. The codes sent to the military are encrypted. Civilian PRN codes are not and are published in public databases. This makes them vulnerable to cyberattack. 

A hacker will first determine which of the GPS satellites will be nearby based on its orbit. From there, the hacker will then use the public PRN code to make a new code for each satellite. These signals are broadcast to the nearby satellites and gradually increased in strength until the receiver grabs hold of the spoofed codes. The attacker can then input false coordinates to the receiver.

Different types of GPS spoofing

GPS spoofing sends false data to a receiver to divert traffic, goods, or people with falsified information. When done on a large scale, such as by a state-sponsored actor, GPS spoofing can involve expensive equipment and expert operators. 

Russia, for example, has potentially engaged in nearly 10,000 spoofing cases, sending out false location data to civilian ships, to prevent drones from approaching President Putin and to safeguard sensitive sites. This type of spoofing involves equipment capable of sending spoofing signals potentially 500 times stronger than the authentic GNSS.

GPS spoofing can also be done with commercially available, cheap, and portable equipment too, including using software-defined radios running open-source software. With this type of spoofing, a broadcast antenna is used to point at a target’s GPS receiver to override the GPS signals provided by nearby buildings, aircraft, or ships.

Spoofing devices can also be carried onto airplanes by a passenger or deployed by a drone. These devices are small and handheld, inexpensive, and can be used very close to a target. 

Cyberattacks are also possible forms of GPS spoofing, often involving smartphone apps that interfere with the phone’s legitimate location data. 

The harms of GPS spoofing

GPS spoofing can be detrimental for both companies and individuals alike. Potential issues can have global implications. Some of the industries most vulnerable to GPS spoofing include shipping companies, construction companies, and rideshare and taxi companies. 

These are some hazards of GPS spoofing:

• Misdirecting cargo shipments to alternate locations to steal the shipments: Often, shippers use GPS-enabled locks to ensure that they are only opened when they reach their destination, but GPS spoofing can unlock these.  
• Hijacking a boat for piracy purposes: This can include large cargo ships, cruise ships, yachts, and private boats that rely on GPS coordinates to navigate the seas.  
• Interfering with GPS at airports: This can cause a plane to go off course or have to attempt a “blind” landing, putting everyone on board at risk.  
• Moving assets from construction sites: Construction equipment is often expensive and involves high-value items that are protected through GPS asset tracking systems. These systems can be spoofed to send equipment to false locations where it is stolen.  
• Taxi and rideshare operators falsifying locations for profit: Ride share apps often rely on “surge” pricing during peak times, and drivers can use GPS spoofing to place themselves in these locations for financial gain. It can also allow them to incorrectly report their location in order to commit criminal acts while on the clock.  
• Sending people on “fake” dates: Dating apps are commonly used to set up dates, and GPS spoofing can send a potential date into a dangerous location or into the hands of a predator.  
• Misdirecting cars: Drivers and cars often use GPS to reach a destination. When this information is spoofed, they can be sent off course. This is especially concerning when considering the vulnerability of fully autonomous self-driving cars.
• Disrupting the universal time source: Financial companies, power utilities, and telecommunication companies all use the GNSS universal time source. If this is spoofed, it has the potential to crash financial markets, cause power blackouts, and disrupt the communication grid.  
• Disrupting services through mobile apps and websites: Location data is used by many of these sites and apps to verify customer identities. When spoofed, it can give false information and deny someone access.

Ways to protect against GPS spoofing

Companies can use a variety of techniques to protect against GPS spoofing, including cryptography, direction-of-arrival sensing, and signal distortion detection. 

• Cryptography: With cryptography, organizations encrypt the satellite codes coming and going. Only those with access to these codes can read the coordinates. This is similar to the way military encryption works.

This is not always an effective method on its own in the civilian sector, however, since it requires distribution of the “key” to unlock the encrypted data. Since that key has to be widely distributed, it is therefore vulnerable to hackers.  

• Direction-of-arrival sensing: Spoofers are typically in one static place when attempting an attack, which means that the false signals they send are coming from only one place. This can be spotted through direction-of-arrival sensing since legitimate GSP data is transmitted from multiple satellites at once.  
• Signal distortion detection: This method involves the addition of more signal-processing channels and hardware that can track the signal’s amplitude profile with a higher level of accuracy. 

When a GPS signal is spoofed, it will initially send both the original signal and the false one, which can create a small “blip.” If this can be detected at the beginning of the spoof before the original signal is dropped off and the “drag off” to the false one has occurred, the attack can potentially be stopped.

The Department of Homeland Security (DHS) provides the following tips for protecting businesses against GPS or GNSS spoofing attacks:

• Obscure or hide your real antennas. Make sure they are not visible to the public by installing barriers or putting them in a place where they will not be seen. 
• Choose the location of your antennas carefully. They will need a clear view of the sky, but it can be wise to ensure that they are blocked from public locations and nearby buildings.
• Install decoy antennas. Make these antennas clearly visible and put them at least 300 meters away from your real ones. 
• Add redundant antennas. Having more than one antenna in a slightly different location can help companies to spot potential issues quickly.
• Use blocking antennas. These work to protect against jamming and interference. They can also lower the risk for spoofing attacks.
• Use backups. Inertial sensors can help to determine actual position and cesium, or rubidium clocks can work as backup timing systems when GPS is down. Backup systems that do not rely on GPS are helpful in the event of an issue.
• Practice good cyber hygiene. When not needed for network connectivity, GPS receivers and associated equipment should be kept offline. Two-factor authentication should be in place, passwords changed often, and updates and patches installed regularly. Virus protection, firewalls, and cyber defense practices should all be implemented. 

Benefits of GPS spoofing

While GPS spoofing does create a lot of potential risks and vulnerabilities to consumers and businesses, it can also have some legitimate and beneficial purposes too. 

GPS tracking involves location sharing, which can be a privacy concern. For this reason, GPS spoofing techniques can be used to hide the actual location of a person or product. There are many GPS spoofing apps and products on the market for just this purpose.

GPS spoofing is also used by security companies wishing to protect high-value targets or individuals. Spoofing techniques are regularly used by consumers who wish to “trick” a system into thinking they are somewhere where they are not, such as in the case of location-based smartphone games and apps. These can often be downloaded for free from the app store on a smartphone.

Additional resources

• Resource product list for GPS spoofing protection from Homeland Security Systems Engineering and Development Institute (HSSEDI)
• Information on the PNT (Positioning, Navigation, and Timing) Program and resources provided through DHS
• A GPS Receiver Whitelist Development Guide from DHS, which is a free resource for device developers  

References

GPS Is Easy to Hack, and the U.S. Has No Backup. (December 2019). Scientific American.

Russia ‘Spoofing’ GPS on Vast Scale to Stop Drones From Approaching Putin, Report Says. (March 2019). NBC News. 

News Release: DHS Publishes Two Free Resources to Protect Critical Infrastructure From GPS Vulnerabilities. (October 2021). Science and Technology Directorate.

Responsible Use of GPS for Critical Infrastructure. (December 2017). Homeland Security Systems Engineering and Development Institute (HSSEDI).

Positioning, Navigation, and Timing (PNT) Program. (January 2022). Science and Technology Directorate.

GPS Receiver Whitelist Development Guide. (July 2021). U.S. Department of Homeland Security (DHS).