On August 5, 2016, Cathay Pacific Flight 905 from Hong Kong was heading for an on-time arrival at Manila’s Ninoy Aquino International Airport when something unexpected occurred. The pilots radioed air traffic controllers and said they had lost GPS (Global Positioning System) guidance for the final eight nautical miles to “runway right-24.”
Surprised, the controllers told the pilots to land the wide-body Boeing 777-300 using just their own eyes. The crew members pulled it off, but they were anxious the whole way in. Fortunately, skies were mostly clear that day.
The incident was not isolated. In July and August of that year, the International Civil Aviation Organization received more than 50 reports of GPS interference at the Manila airport alone. In some cases, pilots had to immediately speed up the plane and loop around the airport to try landing again. That kind of scramble can cause a crew to lose control of an aircraft. In a safety advisory issued this past April, the organization wrote that aviation is now dependent on uninterrupted access to satellite positioning, navigation and timing services and that vulnerabilities and threats to these systems are increasing.
In incidents involving at least four major airports in recent years, approaching pilots have suddenly lost GPS guidance. In June a passenger aircraft landing in Idaho nearly crashed into a mountain, according to NASA’s Aviation Safety Reporting System. Only the intervention of an alert air traffic controller averted catastrophe. Security analysts and aerospace engineers who have studied the events say the likely cause in at least some instances is malicious interference. In the best-case scenario, GPS jamming will cause significant delays as pilots are forced to reroute a flight’s last miles, costing airlines and passengers, says Martin Lauth, a former air traffic controller, who now is an associate professor of air traffic management at Florida’s Embry-Riddle Aeronautical University. Crippled GPS could shut down an airport. If someone hacked GPS and instrument landing systems at the major airports in the greater New York City area, there would be no easy place to send arriving planes. Incoming transoceanic flights in particular would start to run out of fuel.
Although we think of GPS as a handy tool for finding our way to restaurants and meetups, the satellite constellation’s timing function is now a component of every one of the 16 infrastructure sectors deemed “critical” by the Department of Homeland Security (DHS). Cell-phone networks, financial markets, the electric grid, emergency services, and more all rely on the timing for basic operation. Yet GPS is vulnerable. Because of the great distance the radio waves must travel—more than 12,000 miles between satellites and receivers on Earth—the signals are weak and easily overridden, or “jammed,” as apparently happened in Manila. They are also easy to “spoof”: a slightly stronger signal from a software-defined radio—a broadcast that can be created by software on a laptop—can deliver a false message or replay an authentic message infused with false information, causing the receiver to believe it is somewhere, or somewhen, it is not.
In critical infrastructure, an error of a few microseconds can cause cascading failures that can throw off an entire network. Todd Humphreys, an associate professor of aerospace engineering at the University of Texas at Austin, as well as Dana Goward, a member of the U.S. National Space-Based Positioning, Navigation and Timing Advisory Board (a federal committee), and a former executive at a major defense contractor, each told Scientific American they now worry that a foreign adversary or terrorist group could coordinate multiple jamming and spoofing attacks against GPS receivers and severely degrade the functionality of the electric grid, cell-phone networks, stock markets, hospitals, airports, and more—all at once, without detection.
The real shocker is that U.S. rivals do not face this vulnerability. China, Russia and Iran have terrestrial backup systems that GPS users can switch to and that are much more difficult to override than the satellite-based GPS system. The U.S. has failed to achieve a 2004 presidential directive to build such a backup. No actual U.S. calamities have happened yet; if they had, policy makers would have finally acted. But as disaster experts like to note, the U.S. always seems to prepare for the previous disaster, not the upcoming one.
Dependence Becomes a Target
The current GPS is a network of 31 satellites known as Navstar, operated by space squadrons of the U.S. Air Force. To maintain accuracy, the squadrons deliver Coordinated Universal Time to the satellites, via a network of four antennas from Cape Canaveral to Kwajalein Atoll, up to three times a day as the satellites fly overhead. Thanks to each satellite’s payload of atomic clocks, the time they keep is accurate to under 40 nanoseconds—after adjustments are made for general relativity, which makes the satellites’ clocks tick about 45 microseconds a day faster than clocks on Earth, and special relativity, which makes them tick seven microseconds slower.
Each satellite continually broadcasts a binary code on one of several frequencies. Military and civilian users get unique broadcasts, kept apart by special bits of code and by being 90 degrees out of phase with one another. The signals contain data packets that encode the time, the satellite’s position at the moment of transmission, and the orbit and status of the other satellites. The GPS receiver in a smartphone figures out its location by calculating how long it takes the radio signals to travel from the transmitting satellites, which provides their distances from the phone. A minimum of four signals is required for a receiver to accurately determine its position and time, which is why you might lose your handy navigation guide amid the skyscrapers of lower Manhattan or the narrow alleyways of Venice. Critical infrastructure in the U.S. has numerous receivers that synchronize operations.*
Hackers can jam a signal by drowning it out with meaningless noise, or they can spoof it by feeding the receiver false time or coordinates, which will disorient the receiver in time or space. Once one device has lost the correct time, it can send the spoofed time to other devices on its network, throwing off the entire complex and degrading its operation.
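The position-and-time calculation described above, as an added example that is not part of the original article: a least-squares solver recovers a receiver's position and clock offset from signal travel times. With exactly four signals, one altered measurement yields a wrong fix that looks perfectly consistent, while a fifth signal leaves a residual a receiver can alarm on. The satellite coordinates, receiver location and function names are constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def solve_linear(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][k] * x[k] for k in range(i + 1, n))) / M[i][i]
    return x

def fix(sats, travel_times, iters=10):
    """Return (position_m, clock_offset_s, rms_residual_m) from >= 4 signals."""
    if len(sats) < 4:
        raise ValueError("four unknowns (x, y, z, time) need at least four signals")
    rho = [C * t for t in travel_times]  # apparent distances (pseudoranges), m
    est = [0.0, 0.0, 0.0, 0.0]           # x, y, z, clock offset in metres; start at Earth's centre
    for _ in range(iters):               # Gauss-Newton least squares
        dists = [math.dist(s, est[:3]) for s in sats]
        H = [[(est[i] - s[i]) / d for i in range(3)] + [1.0] for s, d in zip(sats, dists)]
        r = [p - (d + est[3]) for p, d in zip(rho, dists)]
        N = [[sum(h[i] * h[j] for h in H) for j in range(4)] for i in range(4)]
        g = [sum(h[i] * ri for h, ri in zip(H, r)) for i in range(4)]
        est = [a + d for a, d in zip(est, solve_linear(N, g))]
    r = [p - (math.dist(s, est[:3]) + est[3]) for s, p in zip(sats, rho)]
    return est[:3], est[3] / C, math.sqrt(sum(e * e for e in r) / len(r))

# Constructed sample: five satellites about 26,560 km from Earth's centre and
# a receiver on the surface whose own clock is off by 1 ms.
SATS = [(26.56e6, 0, 0), (18.78e6, 18.78e6, 0), (18.78e6, -18.78e6, 0),
        (18.78e6, 0, 18.78e6), (18.78e6, 0, -18.78e6)]
TRUE_POS, TRUE_OFFSET = (6.371e6, 0.0, 0.0), 1e-3

def measure(sats, pos, offset):
    """Travel times the receiver records: true flight time plus its clock error."""
    return [math.dist(s, pos) / C + offset for s in sats]

def demo():
    times = measure(SATS, TRUE_POS, TRUE_OFFSET)
    clean = fix(SATS, times)
    altered = times[:]
    altered[1] += 1e-6                 # one measurement is wrong by 1 microsecond
    four = fix(SATS[:4], altered[:4])  # no redundancy: wrong fix, residual near zero
    five = fix(SATS, altered)          # the fifth signal exposes the disagreement
    return clean, four, five

if __name__ == "__main__":
    for name, (pos, off, rms) in zip(("clean", "four", "five"), demo()):
        err = math.dist(pos, TRUE_POS)
        print(f"{name}: position error {err:.1f} m, clock {off * 1e6:.3f} us, residual {rms:.1f} m")
```

A residual check of this kind only flags a measurement that disagrees with the others; it does not authenticate the signals themselves.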
Industry is especially reliant on GPS because it is the most accurate timekeeping method on Earth and it is free. In the days before GPS, electric-grid operators could only estimate the load on their transmission lines, which led to inefficiencies; today GPS timing allows them to track the state of the grid and optimize operation in response to real-time demand. Financial markets once set their system time to a clock on the wall. Inaccurate timekeeping and uncoordinated transactions were widespread even after trading became computerized because early software used a clock inside a computer that was aligned by hand to the official time of the National Institute of Standards and Technology (NIST), the country’s timekeeper. Today’s financial systems, from a corner deli’s credit-card machine to stock markets, use GPS to time-stamp and verify transactions, freeing retailers from the need to transmit sales at the end of the day and enabling the worldwide, ultrahigh-frequency trading so prevalent now.
Cell-phone networks use GPS to break up, deliver and reassemble packets of data and to hand off calls from tower to tower as a phone moves. Electronic medical records are time-stamped with GPS time. Television networks use GPS to prove to advertisers that their commercials ran during the time slots they paid for. Worldwide, more than two billion GPS devices are used.
The great dependence on GPS is a tempting target. GPS is vulnerable and provides an opportunity for mayhem, and the capability to disrupt it has been shown. The only uncertain factor is whether an angry individual or group would choose GPS as a vehicle for an attack. The answer increasingly seems to be yes. “We now have ongoing demonstrations of state-sponsored spoofing,” Humphreys says.
One of those states is Russia. In March the Center for Advanced Defense Studies, a Washington, D.C., research nonprofit, identified nearly 10,000 incidents originating at 10 locations that included the Russian Federation, Crimea and Syria. Experts in the U.S. government and in academia say Iran and North Korea also have the capability. “Lots of countries and organizations” have it, Goward says.
A government adviser who has repeatedly warned Congress, a former executive at a defense contractor, and a former federal official who was speaking on background told Scientific American that a coordinated spoofing-jamming attack against various systems in the U.S. would be easy, cheap and disastrous. “It can be exercised on a massive and selective scale,” Goward says. A spoofing device costs about $5,000, and instructions are available online. Yet it is difficult to defend against: “Even a relatively trivial spoofing mitigation function against the most basic threats is far from simple to implement,” wrote Gerhard Berz, who works on navigation infrastructure for Eurocontrol, Europe’s air traffic control agency, in Inside GNSS, a trade magazine.
A large-scale, coordinated attack on U.S. infrastructure could be pulled off by 10 or 12 human operators with the right equipment, fanned out across the country. History was changed on September 11, 2001, by 19 Al Qaeda agents in the U.S., but hostile GPS disrupters would not need to have a suicidal devotion to God, the level of technical training required to fly a plane or the brutality to murder a cockpit crew. It is possible that the only thing stopping a GPS attack is international law, which recognizes electronic warfare as equivalent to violent acts if it brings about similar effects. Broad disablement of civil infrastructure would be likely to engender a U.S. military response, which at least so far may have dissuaded adversaries.
Although loss of life from a coordinated jamming-spoofing attack on GPS timing would probably be less than that on 9/11, the disabling effects could be more widespread. One scenario could involve changing stoplights at a few major intersections in various cities across the country to show green in all directions. A hacker in a nearby building would open a software-defined radio on a laptop. It would generate a false copy of the radio-frequency carrier, noise code and data bits from the provider of the global navigation satellite systems the traffic light was using. To induce the light to lock onto the bogus signal, the spoofer would disrupt the light’s regular tracking procedure, causing it to try to reacquire a signal. If the false signal were stronger, the light would likely select it. Now having access to the light’s controller, the hacker could feed it the incorrect time, activating the north-south signal’s green light before the east-west signal changed to red.
Several hackers at different intersections or in different cities could coordinate attacks. Or one of them could set off a cascade of intersection disruptions in one city. When I raised this scenario to a supervisor of traffic signal electricians in San Francisco who was closely involved with the city’s procurement of traffic signal cabinets, he did not think there was a means for anyone to wirelessly connect to the GPS and change its time setting. Yet the Garmin GPS modules that San Francisco uses in its lights employ no antispoofing protections; rather the manufacturer’s technical specifications state that to comply with Federal Communications Commission regulations, the Garmin device must accept any radio-frequency interference it encounters, even if it could scramble the module’s readout.
Not every city uses GPS to time traffic signals, but the alternatives are not necessarily better. Dale Picha, traffic operations manager for the Texas Department of Transportation’s San Antonio district, says the district has been moving away from individual GPS receivers on traffic signal cabinets, choosing to get the time from cell networks instead. But those can be spoofed, too.
People injured in traffic accidents might have to wait awhile for help because paramedics’ radios rely on GPS timing. When several GPS satellites provided incorrect time because of a glitch in 2016, virtually every emergency-responder system in North America experienced communications problems.
A larger target would be the global financial system. In a swampy part of New Jersey two miles from MetLife Stadium, trillions of dollars’ worth of financial instruments are traded every day in bits and bytes. The Equinix data center there hosts 49 exchanges, including the New York Stock Exchange. An error introduced in a GPS receiver that time-stamps stock transactions would “inject confusion into the operations of the financial industry,” says Andrew F. Bach, former global head of network services for the New York Stock Exchange. Seeing something amiss, computers—which now account for 60 percent of market volume, according to J.P. Morgan—might decide to sit on the sidelines. “When too many people head for the exits at the same time, we get a real problem,” says Andrew Lo, a professor of finance at the M.I.T. Sloan School of Management. “It can easily lead to a flash crash [a sudden and dramatic downturn in stock prices] or something much more long-lasting.” Noah Stoffman, an associate professor of finance at the Indiana University Kelley School of Business, says: “I can easily imagine that disrupting GPS would have catastrophic economic consequences.”
As markets reeled in New York, attackers could assault the electric grid in the heartland through a piece of hardware common at virtually every local substation. The Platte River Power Authority’s Fordham substation in Longmont, Colo., 35 miles north of Denver, near where I recently lived, is typical in its equipment and in its ease of reach by a concealed potential attacker. Sitting behind a 12-foot wall around the corner from a Holiday Inn Express, the open-air installation pares electricity in high-voltage transmission lines, generated at a big gas-fired power plant miles away, down to a level that local lines can feed to 348,000 home and business customers in Longmont and three nearby cities.
Scattered across the roughly six-acre facility are metal boxes containing phasor measurement units (PMUs), which monitor the status of the grid. The PMUs’ timing is set by a GPS. Jeff Dagle, an electrical engineer at Pacific Northwest National Laboratory, who is an expert on U.S. electricity networks, insists that because PMUs are not critical to the grid’s actual operation, spoofing them would not cause a blackout. But a September 2017 report from NIST maintains that a spoofing attack on PMUs could force a generator off-line. The sudden loss of several large generators, it says, “would create an instantaneous supply-demand imbalance and grid instability”—a potential blackout. Humphreys and his colleagues demonstrated such a timing failure in a lab environment. Although the PMUs are behind a wall, their GPS receivers could be spoofed from a hotel room a quarter of a mile away. There are 55,000 substations across the U.S.
Goward and Humphreys have warned utility executives about the danger they face, and they say few are aware. Fewer still, they maintain, have adequate contingency plans (some of which also rely on GPS). Human controllers who oversee grid networks “wouldn’t think to look at GPS as a possible source of the problem for probably hours,” Goward says. Furthermore, he notes, “attackers would be able to disguise what they’re doing for quite some time.”
Blackouts are costly and dangerous, but spoofing an airplane might provide the greatest drama. Humphreys and Eurocontrol’s Berz agree that it would be difficult but possible. Military aircraft use a device called a selective availability antispoofing module, but it is not required on civilian aircraft, and deployment is heavily restricted by the government. Lauth, who trains air traffic controllers, told me that pilots have other options for landing. The primary backup, however, is an airport’s instrument landing system, which provides aircraft with horizontal and vertical guidance and its distance from the landing spot. The system operates on radio waves and was built for safety, not security, so it is unencrypted—meaning a person can spoof it by inducing the aircraft’s receiver to lock onto a false signal.
Society’s reliance on GPS will only increase. The 5G-enabled Internet of Things will depend heavily on GPS because devices need precise timing to sync with one another and across networks. So will the “mirror world,” a digital representation of the real world that machines will need to produce for AI and augmented-reality applications.
Although the DHS acknowledges the threat, not everyone is pleased with what it is doing—or not doing—about it. James Platt, director of the position, navigation and timing office at the DHS, says the agency is working with NIST to outline varying levels of security for different receiver types. And the DHS conducts annual exercises that allow equipment manufacturers to test their machines against attack. The results are not public, but Logan Scott, a consultant who has worked with GPS for 40 years, says “a lot of receivers do not do well when exposed to jamming and spoofing.”
Antispoofing is a burgeoning field of research, with hundreds of papers published in the past several years. For example, during a spoofing attack, a vestige of the true GPS signal manifests on the receiver as distortion. Specialized receivers can monitor such distortion and give an alarm if it is detected, but the spoofer can generate a signal to nullify the distortion. “There is no foolproof defense,” Humphreys says. “What you can try is to price your opponent out of the game” by deploying antispoofing protections. Armed with the right equipment, though, a spoofer can overcome them. Protections and new threats are continually evolving in a kind of arms race in the radio-frequency spectrum. “If your opponent happens to be the Russian Federation,” Humphreys says, “good luck.”
An arms race could be defused if the U.S. built a backup timing system like the ones other countries maintain. In December 2018 President Donald Trump signed the National Timing Resilience and Security Act, which instructs the Department of Transportation (DOT) to build a “land-based, resilient, and reliable alternative timing system” by 2020. But neither the act nor the president has funded this undertaking.
The law was just the latest example of the U.S. government’s inadequate response, say critics such as Goward and others. The DHS issued a report on GPS vulnerability in 2001. President George W. Bush directed the DHS and the DOT to create a backup in 2004. The deputy defense secretary and deputy transportation secretary told Congress in 2015 that they would collaborate on a system known as eLoran (enhanced long-range navigation), which does exactly what the 2018 bill requires. Congress funded an eLoran pilot program years ago, but not a penny of that funding has been spent. Adam Sullivan, DOT assistant secretary for governmental affairs, told Peter DeFazio, chair of the House Transportation and Infrastructure Committee, in a May 8 letter that the DOT “is planning to conduct a field demonstration of technologies ... capable of providing backup [position, navigation and timing] services to critical infrastructure” by the end of 2019. In September the DOT issued a request for proposals, a week after Senator Ted Cruz of Texas and Senator Ed Markey of Massachusetts wrote the transportation secretary to ask what was taking so long.
An eLoran system would render jamming and spoofing almost irrelevant by delivering a low-frequency radio signal that is much stronger than GPS’s ultrahigh-frequency signal and hence is virtually impossible to override. The plan for eLoran would be to build about two dozen giant antennas necessary for nationwide coverage through a public-private partnership, according to Goward and to Representative John Garamendi of California, who has been prodding several administrations to act. The U.S. Air Force and the Pentagon are reportedly looking at other potential backup systems as well. The backups that various countries maintain are all essentially versions of eLoran.
Even if work begins tomorrow, eLoran will take years to build. It will be even longer before new devices and receivers that can pick up the signal are designed, manufactured and delivered to customers. “Four years is optimistic,” says Frank Prautzsch, a former director of network systems at Raytheon, who also worked on space systems at Hughes Space and Communications.
A different global patch would be to alter GPS signals at the satellite source with digital signatures that authenticate the data and deploy the public-private key infrastructure common to cryptography. But the signal coming from the current constellation of satellites cannot be changed. An air force spokesperson said no plans exist to incorporate digital signatures into the next generation of satellites, now being built at a secure Lockheed Martin facility west of Denver.
Despite all that, Platt is confident in critical infrastructure’s resilience. “We’ve talked with industry to make sure they have mitigation strategies in place,” he says. Goward’s response: “Suggest to Jim that we turn GPS off for 24 hours just to see what happens.”
*Editor's Note (11/22/19): This paragraph was revised after posting to correct the description of how civilian and military signals sent by GPS satellites are distinguished.