Overreliance on GPS Carries Risk for Everyone
January 10, 2022
Empty shelves where toilet paper and soap should be, idled car factories and empty dealer lots due to a semiconductor shortage, and container ships bobbing at anchor, unable to unload—these images from the COVID-19 era highlight the fragility of global logistics and supply chains.
Another vulnerable point in the smooth functioning of global supply chains on which daily life depends is less obvious: the Global Positioning System (GPS) and other satellite-based navigation systems (GNSS). These provide accurate positioning, navigation, and timing (PNT) that aligns the “where” and “when” for everything from Pokémon GO and in-store pop-up ads to cars, drones, trucks, ships, planes, mobile cell-towers, tractors, and aircraft, not to mention precision weapons. It doesn’t take an electronic warfare unit to make a GPS system go haywire or go dark. Common criminals, terrorists, or simply people with chips on their shoulders can easily obtain tools to fool GPS systems with spoofed signals.
A thought experiment imagining an unlikely scenario casts light on our dependence on GPS. In a hypothetical 30-day total cutoff of GPS service, US private-sector industries could face losses of some US$1 billion per day, according to a US government-sponsored study that appeared in 2019. In this scenario, agriculture would bear the brunt of losses if the incident occurred in the growing season, whereas the maritime sector would suffer most at other times of the year. In the United Kingdom, a 2017 study predicted similar losses from a hypothetical five-day total outage, with some two-thirds of that loss coming from road, maritime, and emergency and justice services.
Although these are potential worst-case scenarios that are unlikely except in wartime, these studies drive home how central GPS is to entire economies. True, some regions and devices have access to alternative GNSS systems that Russia, China, and the European Union have developed, but the developers of those systems both cooperate and compete with those who manage the US-based GPS system, probably making them unreliable as global fallback systems. Even as GPS-dependent goods and services continue to proliferate, government agencies have sought to reduce organizations' overreliance on GPS and encourage the development of alternatives, lest it become a single point of failure, as shown below.
Hacktivists and small-time criminals can easily obtain inexpensive software-defined radios and open-source code, allowing them to spoof GPS signals. Though illegal in the US, jammers are available for around US$45 on eBay, sometimes under the innocuous label "signal booster," Gizmodo reported in 2017. Handheld GPS jamming and spoofing devices and software have been widely available in various countries for years, with prices as low as US$14 in 2018. Researchers have demonstrated how to use such affordable jammers to hijack vehicle navigation systems, cheat at Pokémon GO, and even “turn back time”. Criminals have used them to evade detection by law enforcement drones, the Center for Advanced Defense Studies (C4ADS), a nonprofit research organization, reported in 2019.
If you are in almost any economic sector, you could lose your location signal or your precision functioning.
Some of the greatest potential threats related to GNSS spoofing and jamming affect the transportation sector: shipping, aviation, GPS-based cargo monitoring services, and location-based services such as mobile navigation apps. If you have a small boat or large ship and go near contested waters, you could lose your GPS. If you are an airline, you could lose GPS if military exercises or a VIP are nearby.
Most automobile owners rely heavily on GPS every day. Multiple car-related GPS-equipped apps are potentially vulnerable. For example, one hacker said he brute-forced and breached thousands of accounts on vehicle fleet tracking Android apps ProTrack and iTrack. He could theoretically have stopped their engines remotely if the cars were going slowly, GPS tracking device manufacturer Concox confirmed. GPS issues can also cause Uber apps to show incorrect fare information.
GPS may also play into next-generation cars as autopilot features become more mainstream. Researchers showed in 2019 that they could spoof GPS signals in a Tesla autonomous vehicle and cause the car to slow down suddenly and veer off the main road.
Automated container processing at ports relies heavily on GPS, as do systems that track cargoes, enable search and rescue efforts, and identify craft engaged in illegal fishing or sanctions violations. As C4ADS noted in 2019, threat actors could disrupt shipping by guiding vessels into dangerous waters; falsely portraying a vessel as having encroached on territorial waters; disrupting automated cranes when loading containers; or stealing cargo and hiding its true location.
C4ADS found global positioning systems on boats off Russia's Black Sea coast misrepresented their locations during VIP visits to the region between 2016 and 2018, doing so with the apparent intention of protecting the VIP during his travels. A 2014 report found that smugglers used compromised computers at the Belgian port of Antwerp to locate specific containers they wanted, remove their smuggled contents, and delete the inventory records. Some ships attempt to thwart attacks in dangerous waters by turning off their navigational data or spoofing the data so it looks like they are at another location.
The US Coast Guard keeps a log of reported civil GPS problems. Of the GPS disruptions reported between September 2020 and July 2021, most occurred in the Eastern and Central Mediterranean. This region encompasses the Suez Canal and other busy shipping lanes. In the noted months, this region also saw conflicts such as a civil war in Libya; disputes between Turkey and Cyprus; and tensions over access to the Black Sea, a site of friction between Russia and NATO. NATO and the US Maritime Administration have reported disruptions in the Mediterranean since at least 2018 and urged sailors to use alternative navigation methods such as radar, chart, and visual data.
The US Federal Aviation Administration requires that most aircraft be equipped with Automatic Dependent Surveillance-Broadcast (ADS-B) transponders, which use GPS to calculate and broadcast their altitude, heading, and speed. Although commercial pilots can theoretically also draw on legacy radio systems and visual aids, many have forgotten these manual techniques, leading to a dangerous overreliance on GPS, according to the Institute of Electrical and Electronics Engineers.
Civilian aircraft can experience GPS jamming related to military exercises, as the Center for Strategic and International Studies found for Northern Europe in the period 2017 to 2019 and the January 2021 IEEE report found for North America. An Israeli GPS outage that paralyzed several airports in early July 2019 may have resulted from jamming related to the military conflict in nearby Syria.
GNSS usage in different countries varies. In the United States, the Positive Train Control system for automatic braking became fully functional throughout freight and passenger systems in December 2020, as the Inside GNSS magazine noted in May 2021, while in Europe, over 150,000 rail freight cars have GNSS sensors, which help make asset and fleet management and supply chains more efficient. Advocates have favored a broader use of the EU's Galileo system to enhance interoperability and safety among European rail systems, according to Inside GNSS. Disruptions to such systems could potentially harm passenger and rail worker safety but would more likely simply slow down systems and reduce efficiency.
GPS chips in smartphones provide location-based services such as navigation, tracking, advertising, ridesharing, geosocial activities and communication, weather, social networking, games, and enhanced 911 emergency service. In a GPS outage, location services would rely on wireless hotspots and cell towers, which are less precise. 5G networks will require even more stringent precision timing to coordinate a larger number of small base stations. Even 5G proponents have said 5G users should have backup timing sources in case of GPS failures.
Internet providers rely on precisely synchronized messaging between centers worldwide, according to the 2017 UK study. The study noted that even "a leap second discrepancy between different applications on its Linux-based servers" caused a crash of Reddit in 2012.
Threat actors could cause electric power outages by disrupting GPS-dependent time synchronization of electrical substations. This would not likely cause a major disruption but could hinder repair crews from locating faults in the grid. In the oil and gas industry, GPS disruptions could affect the dynamic positioning of floating rigs and the replenishment of supplies and personnel to rigs.
GPS facilitates "precision agriculture," which farmers in various countries use to accurately map soils and yields, guide tractors and combines, and regulate amounts of dispensed seeds and agrochemicals. A hypothetical 30-day GPS outage in the US could cost the agricultural industry some US$15.1 billion if it fell during planting season, the 2019 US government-sponsored RTI report surmised.
GPS outages are unlikely to affect stock exchanges, as they use backup clocks. However, in colocation trading—through which racks of trading servers reside near main trading computers—timestamp discrepancies could appear. Timing errors led to the Flash Crash of 6 May 2010, when "high-frequency traders fled markets, a liquidity vacuum ensued and algorithms began a wave of destructive trades," The Street reported.
The US government seeks to help organizations find alternatives to total reliance on GPS. On 12 February 2020, then-president Donald Trump issued Executive Order 13905, "Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing (PNT) Services." It called on the public and private sectors to identify vulnerabilities and detect disruptions in GPS service that affect critical infrastructure, and to develop resilient PNT infrastructure less dependent on GPS alone.
Several US government agencies followed up with more directives in late 2020 and early 2021, including the Department of Homeland Security, Department of Transportation, National Institute of Standards and Technology (NIST), and others. These directives call for critical infrastructure operators to develop resilient systems, diversify PNT sources, and develop plans for prevention, detection, response, and recovery of core functions.
The US government has provided tools to private industry, encouraged it to test tools, and launched new satellites emitting more-secure signals for military and civilian use. DHS’s Science and Technology Directorate (S&T) has hosted events where GPS receiver manufacturers and critical infrastructure operators can test their equipment, as well as providing low-cost anti-jam Total Horizon Nuller antennas. The US Space Force also planned to make one of its satellites available to ethical hackers, to challenge them to hack something in orbit, in a virtual capture-the-flag competition called HackASat. Finally, on 17 June 2021, the US Space Force launched a GPS III satellite, which provides more-secure military and civilian signals. The civilian signals also allow interoperability with other GNSS.
Alternatives to reliance on GPS that are already in use or under development include pseudolite (pseudo-satellite) technology, which uses signals from ground-based transmitters, and hybrid systems that use eLoran—an upgraded version of the historic Loran system—and other technologies. Other non-GPS methods already in use in underground mines and for indoor geolocation include radar and laser sensors, radio systems, radio-frequency identification (RFID), laser technology, electronic distance measuring, simultaneous localization and mapping (SLAM), geomagnetic positioning, inertial navigation, beacons, wireless network positioning, and barometric pressure.
Some military aircraft and satellites use the astro-inertial navigation system (ANS or “astro-nav”), which uses light from distant stars and an internal chronometer for positioning. The Air Force’s modular AgilePod uses open architectures to combine data from sources like high-definition video, electro-optical and infrared sensors, and radar; it draws on technologies like Vision Navigation, Signals of Opportunity, and magnetic anomaly navigation.
To defend against threats to GPS and other navigation systems, ACTI suggests that developers and users consider the resources the US government has provided. (The information in this blog post is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned. The tools suggested for guidance within this blog are not Accenture tools. Accenture makes no representation that it has vetted or otherwise endorses these tools, and Accenture disclaims any liability for their use, effectiveness or any disruption or loss arising from use of these tools.)
Copyright © 2021 Accenture. All rights reserved.