Over the past month, a GPS spoofing experiment conducted aboard the megayacht White Rose of Drachs has generated international attention. Much of the media coverage has centered on the unnerving possibility that yachts, merchant ships, airplanes, and more can have their systems hacked and therefore can be sent off course. While the possibilities exist, there isn’t cause for immediate alarm in the yachting industry.
First, the experiment. In brief, a professor and students from the University of Texas at Austin wanted to gauge how difficult it would be to carry out a spoof attack at sea. GPS spoofing involves generating a fake signal indistinguishable from a real one coming from a real satellite. The GPS receiver “reads” the fake signal while still reading the true signal, but if the power of the fake signal is gradually raised to be stronger, the receiver follows it. The person controlling the spoofing device therefore now has control over the receiver and set the vessel off course, but have the displays at the helm still show the proper course, leaving the crew none the wiser.
The professor, Todd Humphreys, works in the university’s department of aerospace engineering and engineering mechanics, plus has studied GPS for many years to figure out how to address some of its security issues. He therefore knows a lot about how GPS works in the consumer world versus the military world. As he explained at a TED conference in early 2012, “Civil GPS signals are completely open—they have no encryption, they have no authentication. They’re wide-open vulnerable to a spoofing attack.” (Military-grade GPS devices are encrypted.) While some people have assumed that it would be too difficult and/or too expensive for a hacker to build a GPS spoofing device, Humphreys and a friend set out to debunk that. The goal was to get ahead of the problem and therefore help protect the system. Well, it didn’t take long before the two had created a GPS spoofer from materials readily available to the public. Humphreys first tested the GPS spoofer on his own iPhone, making the locator dot move along some local streets despite the fact that he was sitting still in his house. (Smartphones “read” the same satellite signals as the GPS units in cars and aboard vessels.) Furthermore, in June 2012, Humphreys and fellow researchers successfully spoofed the unencrypted GPS signal of a commercially available drone during a demonstration for the Department of Homeland Security, using about $1,000 worth of equipment.
The experiment this summer aboard the megayacht White Rose of Drachs was conducted with the permission of the captain and crew. Humphreys had met the captain at a conference last year. The video below shows how easily Humphreys and his team set the megayacht off course about 30 miles from land, with no other equipment aboard the megayacht able to detect the switch.
Now, there are a few shortfalls of Humphreys’ experiment. One is that it was conducted onboard, not on another boat alongside or even far behind the megayacht, akin to how pirates would operate. Humphreys says that the results can be replicated from a few miles away, since line of sight is all that is needed, but as of yet has not publicly demonstrated it. This isn’t to say that it’s impossible. However, as is the case with many things, actions likely won’t be taken to specifically counteract the problem until someone definitively demonstrates that a megayacht—or merchant ship, or commercial airliner, or other craft—can be sent off course by someone located elsewhere. Another shortfall is the fact that captains, as well as owner-operators of other yachts, have multiple devices at the ready besides GPS and monitor them. Furthermore, there are developments underway in the GPS satellite field that should result in more satellites being tracked, which in turn should make spoofing more difficult.
Regardless, Humphreys’ experiment does succeed: If someone were to rely solely on GPS even for a seemingly short time, he or she could be sent off course by pirates, malicious “pranksters” intent on crashing a vessel onto rocks, or more. With that in mind, D. Brian Peterman, CEO of security firm Command at Sea International, and who has evaluated how the experiment was conducted, has some words of advice. First, use multiple devices to verify your position, and “do not use GPS-controlled autopilot in waters with line-of-sight access to other vessels and land.” Peterman further recommends keeping a watchful eye on nearby vessels, ”to detect unusual interest.” They may not be as they seem: “People mounting an electronic attack on your vessel will likely be eyeing you,” he explains. Equally important, pay attention to onboard Web usage. “Know what can be accessed through your underway Internet connection,” Peterman says. “It could be that a hacker could gain access to your navigation system through that connection.”
In addition, those of you who closely follow developments in technology will be keenly interested in the discussion at Panbo.com, titled “GPS Spoofing: Will We Ever Learn?” If you’re not familiar with Panbo, for nearly 10 years it has been the definitive source of independent information about marine electronics. Panbo’s editor and chief contributor is Ben Ellison, arguably the most highly respected journalist covering that niche field.