GPS spoofing: tech researchers take aim at a self-driving car hazard that you’ve probably never thought about

By Bill Hayward

Interior of a GM autonomous vehicle.
Photo: GM Corporate Newsroom.

With every new technology comes a new set of security vulnerabilities, and autonomous vehicles are no exception.

We all know that cyber threats have come a long way since the old “email from a gazillionaire Nigerian prince” scam (even though, incredibly, I still get those emails from time to time).

But “GPS spoofing?” Is that really a thing?

According to published reports, it is already happening, outside of the context of autonomous vehicles.

And—I promise we’re not making this up—the Russians are allegedly involved.

Popular Mechanics last month cited a report claiming detection of “9,883 instances of GPS spoofing by Russian security forces.”

According to the report, authored by C4ADS, a think tank based in Washington D.C. that bills itself as “a nonprofit organization dedicated to providing data-driven analysis and evidence-based reporting on global conflict and transnational security issues,” discovered incidents have included those in the context of efforts to protect Russia’s military forces, especially in Syria and Crimea, as well as measures to safeguard Russian President Vladimir Putin during his travels within Russia.

But consumers need to be worried about GPS spoofing as well, according to Moscow-based cyber-security firm Kaspersky Lab. Yesterday, Kaspersky reported that incidents of spoofing already affecting everyday users of GPS technology include scenarios like finding that the navigation app on your smartphone “thinks that you are at the airport” while you’re driving downtown.

Kaspersky attributes this kind of incident to signals that, though fake and originating from ground-based sources, are strong enough to drown out legitimate satellite signals and disrupt the ability of devices and to convey accurate location information and navigation directions to users.

Since autonomous vehicles are highly dependent on technologies that use GPS signals, the potential danger from spoofing is clear. But Southwest Research Institute (SwRI), a nonprofit research and development organization headquartered in San Antonio, Texas, is already laying the groundwork for countering the threats, with a test system designed to demonstrate vulnerabilities in GPS-based devices.

This week, SwRI announced that they have developed a cyber security system to test for vulnerabilities in automated vehicles and other technologies that use GPS receivers for positioning, navigation and timing.

“This is a legal way for us to improve the cyber resilience of autonomous vehicles by demonstrating a transmission of spoofed or manipulated GPS signals to allow for analysis of system responses,” said Victor Murray, head of SwRI’s Cyber Physical Systems Group in the Intelligent Systems Division.

According to their press release, developing the test system required workarounds to ensure compliance with U.S. federal regulations prohibiting over-the-air re-transmission of GPS signals without prior authorization.

Sounds like a pretty reasonable rule, don’t you think?

Through their testing system, SwRI has demonstrated how false signals can give a spoofing system “full control over a GPS receiver”—including such a device installed in a self-driving vehicle.

Yes, that’s pretty scary.

With the vulnerabilities identified, the next challenge is to develop solutions for neutralizing the threats.

“Most automated vehicles will not rely solely on GPS because they use a combination of sensors such as lidar, camera machine vision, GPS and other tools,” Murray said. “However, GPS is a basis for positioning in a lot of systems, so it is important for manufacturers to have the ability to design technology to address vulnerabilities.”

Come to think of it, I do remember firing up MapMyWalk one time and finding that the app was reporting my location as somewhere in Africa when I was in fact in Lancaster County, Pennsylvania.

That’s a pretty wide miss.

To set things back to normal, I did what any savvy smartphone user would do: I powered my phone off and restarted it.

After that, all was magically back to normal.

So was I GPS-spoofed? I’ll never know for sure. But it’s good to know that research efforts are already under way to respond to the perils of GPS spoofing.

AutoNewsblaster