The UT Austin Radionavigation Lab and the Cornell GPS Lab have probed the possibilities of GNSS/GPS spoofing and detection aboard a superyacht called the White Rose of Drachs. The captain of the White Rose had reached out to the UT Austin group after learning about their work at a conference. He arranged for them to conduct spoofing tests during a Mediterranean voyage in the early summer of 2013. These tests demonstrated the ability of a GNSS/GPS spoofer to steer a ship off course surreptitiously, with the potential for grave consequences. A combined UT Austin/Cornell team conducted spoofing and detection tests on a second White Rose voyage that circumnavigated Italy in late June 2014. Cornell’s detection system correctly authenticated the received GPS signals for all non-spoofed cases, and it identified spoofing attacks whenever the victim receiver had been dragged off to a false position and timing fix.
Before March 2013, the members of the UT Austin Radionavigation Lab and the Cornell GPS Lab had never heard of the superyacht called the White Rose of Drachs. They couldn’t have said what the difference was between a superyacht and a regular yacht. To them, any boat that had its own head was probably a yacht. They didn’t know about the other possibilities: gleaming woodwork in guest cabins, gold-plated sinks in private bathrooms, a formal spiral staircase, an elevator, multiple chefs, and almost twice as many crew members as in the combined roster of the two research groups.
They did, however, know something relevant to superyachts and other high-value maritime and aviation assets: how to spoof their GNSS navigation systems and how to detect spoofing attacks. The UT Austin group had hacked a helicopter drone at the White Sands Missile Range in June 2012. They used their GPS spoofer, the most advanced device that is publicly acknowledged, to send false open-source signals into the drone’s sophisticated guidance system. They coaxed it to dive towards the ground while it was operating in hover mode.
The Cornell group was there too, laboring unobtrusively on the sidelines. They had developed a prototype GNSS spoofing detector in the preceding two months and had come to New Mexico to test it against UT Austin’s live-signal attacks. They too succeeded, correctly distinguishing between spoofed and authentic signals every time they tried, but their prototype was clumsy. It included an antenna that had to physically oscillate, and it required hours of customized post-processing in a GPS software receiver in order to perform its detections. Their system, its theory of operation, and the results they achieved with it are described in the technical paper:
Psiaki, M.L., Powell, S.P., and O’Hanlon, B.W. “GNSS Spoofing Detection Using High-Frequency Antenna Motion and Carrier-Phase Data,” Proc. ION GNSS+ 2013, Sept. 17-20, 2013, Nashville, TN, pp. 2949-2991 (Available on-line here).
The success of the White Sands drone spoofing attacks produced much publicity for the UT Austin group and for its leader, Prof. Todd Humphreys. He testified before Congress and was interviewed on national and international news. He was also invited to give a talk about the drone hack at the March 2013 South-by-Southwest (SXSW) conference in Austin, TX: “Extreme GPS: Limits of Security & Precision.”
The SXSW talk may not have seemed important compared to testimony before a congressional committee or an interview on NPR, but the SXSW audience included a wild card, Andrew Schofield, Master of the White Rose of Drachs. (“Master” in UK parlance is the equivalent of “Captain” in the U.S. On this side of the big pond, the latter title does not require a commission in Her Majesty’s Royal Navy or in any navy.) March is off-season for Mediterranean yachting. Andrew was taking the opportunity to broaden his horizons and had been coaxed out to SXSW by his business partner Kenneth Himschoot.
After Todd’s talk, Andrew came forward for a chat. He asked Todd whether he would like to try going bigger than a 1.3 meter drone helicopter for his next spoofing experiment. How about a 65 meter superyacht? Todd was wary at first. Was this Andrew fellow legitimate, or was he like the perpetual-motion-machine-inventor crackpots who routinely seek the attention of engineering professors? Andrew’s demeanor had “legitimate” written all over it. Todd took the trouble to check his claims, and the result was a two-week Mediterranean voyage in the early Summer of 2013 that produced intriguing and provocative results.
Andrew also needed to do some checking. Would the owner of the White Rose consent to hosting the UT Austin team for their proposed experiments? The owner agreed to Andrew’s pitch. Apparently, certain superyacht owners have a laudable tradition of lending their boats to science every so often.
Although the drone hack had been successful, it highlighted a major challenge for the attacking spoofer. If the drone believed the GPS spoofer’s lie about its position or velocity, then its guidance system would react to the apparent deviation from its intended trajectory, and that reaction could be drastic. If the spoofer wanted to induce some sort of controlled trajectory, perhaps a soft landing while the drone thought it was hovering, then the attacker would need to sense the drone’s response to its initial lie and rapidly adjust the lie in a way that produced the desired drone response. This is no small trick. Ask any boy who has tried to deceive his mother regarding his afternoon’s activities, only to be faced with a sequence of difficult-to-answer follow up questions. Although the UT Austin team had implemented a rudimentary system to control the hacked drone through adjustment of their spoofing signals, they were never able to control the spoofed drone in a smooth, reliable way. The drone’s response at White Sands looked more like a bucking bronco about to throw its rider than a trained show horse being led through its paces.
The summer 2013 White Rose experiments offered a chance to develop and test this next level of spoofer sophistication, a controlled sequence of lies that would lead the victim on a precise course selected by the spoofer, a different course from the one intended by the captain. The large mass and slow response of a ship make for easier control by a spoofer.
The UT Austin team achieved its goals, demonstrating smooth control of the White Rose through GPS spoofing. They induced inadvertent turns while the bridge thought it was steering a straight course. They nudged the yacht onto a wrong course that paralleled the desired route. In both cases, the bridge remained unaware of the White Rose’s true course because its GPS receiver and GPS-driven charts indicated that she was on her intended course. An informative video that reviews the 2013 UT Austin test and results is available here.
Prof. Mark Psiaki, head of the Cornell GPS group and Todd’s Ph.D. advisor, learned about the planned White Rose spoofing tests in late June 2013. Todd e-mailed him about their adventure a day before his UT Austin team headed for Cap-d’Ail, France, home port of the White Rose. Mark viewed a picture of the White Rose, read about its luxury accommodations, and responded: “I wouldn’t be surprised to see James Bond clamber over the side in a wet suit. I hope you’re on the right side of things if he does. … you might find that you’ve been duped into helping to heist a yacht.” Todd was already two steps ahead of Mark’s concerns, having “cross-checked the White Rose’s captain against many sources” and having “notified the DHS (U.S. Department of Homeland Security) and the UK’s General Lighthouse Authority.” Both agencies had expressed support for the project.
The voyage itself produced new concerns for Andrew Schofield. His bridge crew had experienced several spoofing attacks, each one potentially lethal, but they had never noticed anything amiss. Fortunately, the UT Austin red team had been acting in a friendly manner. They carried out their attacks in a way that never produced an actual threat to the ship’s safety. Their goal was to raise awareness of this class of threats and to probe the potential attack strategies of a GNSS spoofer.
Within two months, Andrew began promoting a follow-on experiment: A UT Austin red team would mount a spoofing attack against the White Rose’s GPS, and a Cornell blue team would demonstrate a real-time spoofing detection/defense on the White Rose bridge. A series of phone meetings took place at Andrew’s urging during the Fall of 2013, and plans were laid.
The Cornell team, however, faced challenges in transitioning its initial prototype into a more sophisticated version, one that would eliminate the moving parts and operate in real-time. They thought they could produce the next system, but like Mike Mulligan in the classic children’s book about his steam shovel, they were never quite sure they could make good on their boast. Furthermore, they faced a manpower shortage that was exacerbated when they lost the student initially tasked with developing their new system. Facebook had made him an offer he couldn’t refuse.
Andrew was undaunted by Cornell’s uncertainties and setbacks. He wanted to demonstrate a device to counteract the GNSS spoofing threat, and he wanted to do it in 2014. After a second trip to SXSW in March 2014, he made a whirlwind stop in Ithaca, NY to meet the Cornell team and to push for live-signal spoofing and detection tests on the White Rose’s 2014 shakedown voyage in late June.
After Andrew’s visit, the Cornell and UT Austin teams went into overdrive in order to develop a real-time version of the Cornell system. The UT Austin team recorded and pre-processed data for spoofed and non-spoofed cases. These data could be used to test Cornell’s algorithms. Their spoofed-case tests involved transmission of replayed data in an RF chamber that also housed the two antennas of Cornell’s latest spoofing detector. Cornell modified and refined its detection algorithms to work with dual-antenna data instead of moving-antenna data. By early April, Cornell’s modified algorithms had been proven using UT Austin’s data.
The one remaining hurdle was real-time operation. The initial tests involved data recording and offline signal processing. The development plan called for translation of the prototype Cornell algorithms from Matlab to C++. Afterwards, they would be integrated with an existing UT Austin/Cornell GPS software receiver that would perform dual-antenna signal processing in real time on a laptop. This code translation task seemed like an ambitious project for 2 months’ work, especially given that the only available manpower was a student who would be learning C++ in order to do the job.
At this juncture, UT Austin Ph.D. student Jahshan Bhatti proposed a brilliant work-around: Don’t translate anything to C++. Instead, use Cornell’s Matlab code directly in the real-time system. Prior to this, no one had realized that it could be practical to call Matlab from C++ in real time. This proposal was made and accepted on April 15, 2014, and from then on it became clear that the project would be able to meet its June deadline. Mark Psiaki packaged the Cornell Matlab spoofing detection software into a single tic function, and Jahshan coded the C++/Matlab interface that would call Mark’s function. After a few false starts and some e-mail and phone back-and-forth, a working real-time prototype was demonstrated on May 14th.
The Cornell system uses a closely spaced pair of GPS antennas to detect a spoofing attack. Each antenna senses the beat phase of the 19-cm-wavelength GPS carrier signal for each tracked satellite. This phase is the integral of the carrier Doppler shift, and it is affected by range and direction to the satellite. For authentic signals, their diversity of directions of arrival gives rise to a diversity of beat carrier phase differences between the two antennas. If a spoofer transmits all of its false signals from a single antenna, then this diversity disappears. The Cornell spoofing detector compares its sensed phase differences with these two hypotheses. If diversity is the best explanation, then it declares the signals authentic. If uniformity is more believable, then it issues a spoofing alert. The entire system consists of the two antennas, some RF signal reception electronics, and a laptop computer that hosts parallel GPS software receivers for the two antennas, the spoofing detection calculations, and graphical displays of the results.
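The two-hypothesis comparison described above can be sketched in a few lines. This is an added, simplified illustration and not the Cornell team's algorithm or code: the 0.14 m antenna separation, the zero threshold, the satellite geometry, the spoofer direction, the noise values, the absence of any inter-channel bias, and the coarse grid search over baseline orientation are all assumptions made for the example.

```python
import math

WAVELENGTH_M = 0.1903   # GPS L1 carrier wavelength (the 19-cm carrier in the text)
BASELINE_M = 0.14       # assumed antenna separation (constructed value)
THRESHOLD = 0.0         # assumed decision threshold on gamma (constructed value)

def unit_vector(az_deg, el_deg):
    """East-north-up unit vector for an azimuth/elevation pair in degrees."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))

def wrap(cycles):
    """Fractional carrier phase in cycles, wrapped to [-0.5, 0.5]."""
    return cycles - round(cycles)

def phase_difference(baseline_dir, source_dir):
    """Between-antenna phase difference (cycles) for a signal from source_dir."""
    dot = sum(b * s for b, s in zip(baseline_dir, source_dir))
    return wrap(BASELINE_M * dot / WAVELENGTH_M)

def cost_spoofed(measured):
    """Uniformity hypothesis: every channel shares one phase difference."""
    s = sum(math.sin(2 * math.pi * m) for m in measured)
    c = sum(math.cos(2 * math.pi * m) for m in measured)
    common = math.atan2(s, c) / (2 * math.pi)   # circular mean, in cycles
    return sum(wrap(m - common) ** 2 for m in measured)

def cost_authentic(measured, sat_dirs, step_deg=2):
    """Diversity hypothesis: best fit over a grid of baseline orientations."""
    best = float("inf")
    for az in range(0, 360, step_deg):
        for el in range(-90, 91, step_deg):
            b = unit_vector(az, el)
            cost = sum(wrap(m - phase_difference(b, r)) ** 2
                       for m, r in zip(measured, sat_dirs))
            best = min(best, cost)
    return best

def gamma(measured, sat_dirs):
    """Spoofed-hypothesis cost minus authentic-hypothesis cost; low means spoofed."""
    return cost_spoofed(measured) - cost_authentic(measured, sat_dirs)

def is_spoofed(measured, sat_dirs):
    return gamma(measured, sat_dirs) < THRESHOLD

# Constructed scenario: six satellites spread across the sky, a horizontal
# baseline, and a single spoofer antenna low on the horizon.
SATS = [unit_vector(az, el) for az, el in
        [(20, 70), (75, 35), (140, 50), (200, 25), (260, 60), (320, 30)]]
TRUE_BASELINE = unit_vector(40, 0)
SPOOFER = unit_vector(200, 10)
NOISE = [0.010, -0.008, 0.004, -0.012, 0.006, 0.000]   # cycles, constructed

# Authentic: each channel sees its own satellite's direction of arrival.
AUTHENTIC = [wrap(phase_difference(TRUE_BASELINE, r) + n)
             for r, n in zip(SATS, NOISE)]
# Spoofed: every channel arrives from the spoofer's single antenna.
SPOOFED = [wrap(phase_difference(TRUE_BASELINE, SPOOFER) + n) for n in NOISE]

if __name__ == "__main__":
    for label, data in (("authentic", AUTHENTIC), ("spoofed", SPOOFED)):
        verdict = "SPOOFING ALERT" if is_spoofed(data, SATS) else "authentic"
        print(label, round(gamma(data, SATS), 3), verdict)
```

The sign convention follows the bridge video described later in the article, where low gamma values mark a successful spoofing detection.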
Was Cornell’s system completely proven by these preliminary tests? Mark Psiaki was confident that the re-radiation test in the RF chamber was completely analogous to spoofing from a single transmission antenna. The Cornell team had used the same strategy to verify its moving-antenna design the previous year, borrowing an anechoic chamber at NASA’s Wallops Island facility, but was this really a valid test? Additionally, the transition from unspoofed signals to spoofed signals had never been tested, not even at White Sands in June 2012. During this initial phase of an attack, the true and spoofed signals lie virtually on top of each other. If they have about the same power, as in the hardest-to-detect attacks, then the two signals will beat against each other, and Cornell’s system wasn’t specifically designed for this situation.
The route to determining the efficacy of the Cornell system lay along the planned course of the White Rose’s first 2014 voyage. She would shove off from Cap-d’Ail on June 26th and sail around Italy to Venice, arriving on June 30th. The Cornell team would have 3 full days in international waters to prove their system, June 27-29th. They finished debugging their system in Ithaca, and two of them packed up and shipped out to France, Prof. Psiaki and Ph.D. student Brady O’Hanlon. Meanwhile, a recent Ph.D. graduate from Todd Humphreys’ UT Austin Radionavigation laboratory also shipped out. He was slated to operate the red-team spoofer, affectionately known as the Texas Lying Machine.
The two teams converged in Cap-d’Ail and performed shake-down tests of their systems in port. They couldn’t do full live-signal tests because they were not yet in international waters. It would have been illegal to transmit spoofer signals in the GPS L1 band while within French territory. The shake-down tests went well and were finished quickly enough to allow the team some pre-voyage downtime.
Late on Thursday June 26th the White Rose shoved off. She spent the first hour doing magnetic compass swings off the Riviera coast. A compass calibration expert installed small corrective permanent magnets and ferromagnetic blocks near the compass to compensate for the ship’s self-magnetism. These additions ensured that this passive navigation aid would provide accurate readings. At least one piece of navigation equipment would be spoof-proof.
The spoofing and detection tests started in earnest on Friday morning June 27th off the southern coast of Italy. The White Rose had passed through the Strait of Messina between Italy and Sicily earlier that day. The initial tests were concerned with selecting the right geometry for the spoofer and detector antennas and with tuning the spoofer power level. Later tests were dedicated to serious deception of the White Rose regarding its true course and location. The details of these tests and their results are reported in the technical paper:
Psiaki, M.L., et al., “GNSS Spoofing Detection using Two-Antenna Differential Carrier Phase,” Proc. ION GNSS+ 2014, Sept. 9-12, 2014, Tampa, FL (Available on-line here)
The Cornell spoofing detection system functioned as expected. It correctly identified authentic GPS signals as such. It correctly identified spoofing attacks after the victim receiver had been dragged off to a false position and timing fix. The true signals stop interfering with the spoofed signals once the spoofed position differs significantly from truth.
The question of performance before the drag-off was extensively investigated, and the Cornell system produced mixed results. If the spoofer signals’ power levels were comparable to those of the true signals, then the Cornell receiver encountered difficulties just trying to maintain lock on the signals, and loss of lock made it impossible to use a given channel’s output to determine whether the signals were authentic. Post-processing of problematic data indicated that altered tunings of the spoofing detection receiver’s Phase-Lock Loops (PLL) could alleviate many of the tracking problems. Unfortunately, the Cornell team did not attempt any PLL re-tuning during the voyage.
Even when the PLLs maintained track during this initial phase, the Cornell system yielded mixed results as to whether or not the signals were being spoofed. Fortunately, the yacht’s true position was never more than 300 m from the false position before this ambiguity disappeared and a definitive spoofing detection could be made. Also, the spoofer often broadcast signals that were much stronger than the true signals in order to ensure capture of the victim receiver’s tracking loops. In that case, the Cornell spoofing detector worked well even in the earliest phases of an attack.
For the 3rd and final day of tests, June 29th, Andrew suggested that the team execute a dramatic scenario: Send the spoofed White Rose to Libya even though she was cruising in the Adriatic from Montenegro to Venice. The owner had taken an interest in the Cornell/UT Austin tests, and Andrew thought that his employer might be entertained to see the White Rose in Libyan waters – in the imagination of its GPS receiver.
Being the owner’s guests, and well-treated guests at that, the Cornell/UT Austin team sought to oblige. Mark calculated the course. The distance was about 600 nm (1100 km). The target trip time of 50 minutes necessitated a peak speed over 900 kts after factoring in the need to limit the initial acceleration and final deceleration. Too large of an acceleration or deceleration might cause the victim receiver’s tracking loops to lose lock and, therefore, to lose the spoofed signals. A straight-line course was plotted because that was the easiest one to program into the UT Austin spoofer. As shown on the accompanying map, this course took the White Rose across the Italian and Sicilian land masses. Actually, it was a straight line in Earth-centered Cartesian coordinates, which meant that it did not curve with the Earth’s surface. Instead, it passed beneath Italy and Sicily, 23 km below the surface of the Earth at its deepest penetration.
Mark and the UT Austin team member worked out how to program the UT Austin spoofer to send the White Rose off on its Libya jaunt, and the stage was set for the attack. Brady and Mark fired up the Cornell spoofing detector on the White Rose bridge. They radioed to UT Austin up on the sun deck to commence the attack, and the White Rose was off on her supership trajectory – only in Jules Verne novels do ships travel above the speed of sound while burrowing 23 km beneath the Earth.
The spoofing detector worked well during the entire attack. The attacker used a significant power advantage over the true GPS signals in order to capture the White Rose’s GPS receiver reliably. Therefore, Cornell’s detector discerned the attack immediately, requiring only a split second’s worth of data to issue a spoofing alert. The Cornell system hung on to the spoofed signals for the entire 50 minute trip and maintained its determination that they were inauthentic. More details about the faux trip to Libya can be found in the conference paper cited above.
The Cornell/UT Austin team made the following video recordings in order to explain and document the Libya attack scenario and the spoofing detector response:
An introductory discussion about the planned Libya attack and spoofing detection defense, conducted between Brady, Mark, and Andrew on the bridge of the White Rose of Drachs in front of the spoofing detector laptop display and electronics.
A close-up view of the display of the spoofing detector and a running commentary during initiation of the Libya spoofing attack. This is a high-fidelity real-time re-enactment of the actual attack and detection. It exploits the spoofing detector’s ability to operate in replay mode on recorded wide-band RF attack data.
Live video footage and running commentary from the bridge of the White Rose of Drachs during the acceleration phase of the Libya spoofing attack. Commentary includes an impromptu princess/black-knight/white-knight analogy for the White Rose, the UT Austin spoofer, and the Cornell spoofing detector. It shows the detector display with successful spoofing detection (upper-left plot displays low gamma values – red asterisks). It also shows the spoofed White Rose of Drachs GPS receiver display (with speed going as high as 345 kts and altitude going as low as -2365 m by the end of the video) along with a spoofed live chart that is driven by the GPS receiver.
Additional live video footage and running commentary from the bridge of the White Rose of Drachs during the middle phase of the Libya spoofing attack. It shows the spoofed White Rose GPS receiver display (with speed going above 800 kts and altitude going as low as -11500 m at about 2/3 through the video) and spoofed live charts that are driven by that receiver. The charts show the yacht making landfall from the southern Adriatic onto the back of Italy’s boot, just above its heel.
The Cornell/UT Austin team found time for other activities while cruising on the White Rose. The team participated in a crew swim in the Adriatic while the yacht was allowed to drift in international waters off the coast of Croatia. Eating in the crew mess provided entertainment, and the food there was better than Cornell’s or UT Austin’s best dining options. The team especially enjoyed the two formal luncheons that Andrew arranged in order to provide pre-season practice for the yacht’s 2-star Michelin chef and his staff.
Swim break off the coast of Croatia.
The spoofing detection red team and blue team concluded their experiments and disembarked from the White Rose in Venice, Italy in early July 2014. They brought back recorded wideband RF data from the 2-antenna Cornell detection system. These data cover all of the live-signal spoofing attack tests that they conducted. They have already performed several significant post-voyage analyses of the stored data. These analyses indicate that better receiver tracking loops can alleviate some of the problems which they encountered during the initial phases of a spoofing attack. They have also demonstrated an ability to re-acquire the true signals in the midst of an attack by an overpowering spoofer (10-15 dB power advantage of the spoofed signals over the true ones).
The team plans to refine and improve their system and to use these stored RF data to evaluate any changes. Their goal is to develop a robust real-time spoofing detection system that reliably detects attacks very soon after they commence. They will likely use a multi-pronged approach. The two-antenna differential-phase calculation will be one of the salient prongs, but advanced RAIM techniques will contribute to the detections, especially in the early phases of a spoofing attack. They also hope to enable their system to recover from a spoofing attack by re-acquiring the true GPS signals and re-determining the authentic user position and time.
If new live-signal tests are deemed necessary for evaluation of the next prototype detection system’s capabilities, then the team would not mind being invited to carry out those tests on a future superyacht cruise.