Information Security

Defending the digital infrastructure

CISOs take notice as GPS vulnerabilities raise alarms

GPS has been extraordinarily reliable, but there's a growing chorus of experts who say it's time to assess GPS security and consider protective strategies.

A collection of orbiting satellites used to triangulate location, the U.S. global positioning system is best known for its ability to locate things on or above the Earth's surface. Whether it's a mapping application, a truck fleet monitoring system or a family car, use of GPS services has become ubiquitous and indispensable.

GPS also serves as the de facto world clock, transmitting accurate time everywhere. The precision timing powers and coordinates communication networks and electrical grids; GPS timestamps drive financial transactions, determining, for example, which "buy" order was first.

But GPS vulnerabilities and the growing reliance on this technology have raised security concerns. U.S. prosecutors charged three Chinese nationals in November with hacking and attempted theft of trade secrets from Moody's Analytics, Siemens AG and Trimble, which is developing a new global navigation satellite system.

Mother Nature (solar flares) or bad actors with free online tools or inexpensive equipment can jam or alter local GPS reception. Hostile states could potentially shut down all or part of the GPS system. And where backups once existed -- atomic clocks for timing and long-range navigation (Loran) -- secondary systems are becoming rare, a victim of cost cutting.

"GPS is increasingly a core service for all of our networked systems, some would argue for our entire society, and it is still far too exposed," said Nathaniel Gleicher, head of cybersecurity strategy at Illumio, a cloud security company in Sunnyvale, Calif., and the former director of cybersecurity policy for the National Security Council.  

For security decision-makers, GPS vulnerabilities present a dangerous problem. Time signal interruption could cause business systems to fail or become unmanageable. Financial transactions could snarl or simply not occur. Not to mention the possibility that electrical grids and communications systems could shut down.

CenturyLink, based in Monroe, La., is a critical infrastructure provider with more than 40,000 employees and 600,000 miles of internet backbone. The global communications and IT services provider is not focused on GPS security "though we are broadly aware of the issues," CSO David Mahon said. Like many security decision-makers, Mahon is more concerned about common problems like denial of service and ransomware issues.

"I am responsible for designing and implementing global security; the CISO, who is a member of my team, focuses mostly on governance, risk, compliance and policies, while a separate cyberdefense team identifies next-generation threats and aligns the response," Mahon said. "We try to be predictive rather than reactive."

The only CenturyLink customers who have raised concerns about GPS vulnerabilities have been in government. "They seem to be more focused on GPS than commercial customers, at least as far as we have heard," Mahon said.

Spurred on by the success of the Soviet satellite Sputnik, and after years of experiments, the Department of Defense launched its first Navigation System with Timing and Ranging (Navstar) in 1978. Today, GPS is a global navigation system made up of 31 satellites roughly 20,000 km from the Earth and multiple control centers. It is operated by the U.S. Air Force. The Standard Positioning System -- coarse acquisition code on the L1 frequency -- is freely available worldwide. The Precise Positioning System is restricted to U.S. Armed Forces, federal agencies and select foreign governments. Based on GPS security fears, the U.S. Navy reintroduced celestial navigation into its formal training in 2016. This summer, the House of Representatives passed the Department of Homeland Security Authorization Act of 2017, H.R. 2825, which includes provisions for an enhanced Loran system based on terrestrial radio navigation for the U.S. Coast Guard. However, an eLoran system to back up GPS was promised during both the Bush and Obama administrations and never materialized.

GPS poses a risk in part because of the service that it offers: It is a public, widespread, distributed system that must be accessible from around the world if it is going to be useful. In this exposure lies its vulnerability.

"We could secure GPS by locking it down and limiting its use, but this would draw to a grinding halt all of the innovation that has been built on top of it," Gleicher said. "So we're left stuck in a trap between slowing innovation and increasing security."

Fake signals

Drone hijacking exposed the dangers of GPS vulnerabilities. An area of particular concern is timing latency in the GPS beacon "updates" between the GPS receiver and the four satellites -- one for redundancy -- in orbit. If an "interloper" can successfully slow down communications between the GPS receiver and satellite transmitters that relay the triangulation, inaccuracy can result.

"Items that can perform man-in-the-middle attacks can modify coordinates entirely between all satellites and the unit being tracked," said Dennis Chow, an advisory consultant for RSA Security and an advisor at SCIS Security.

Another concern is that the GPS design specifications are widely available. Anyone, including hackers, can reverse engineer and construct fake GPS signals that could overpower a GPS receiver and jam its ability to navigate.

"When you power on a GPS unit, it takes several minutes to initialize. Part of that time is where it senses the strongest set of GPS satellite signals from which it can derive accurate time," said Cameron Camp, a security researcher at ESET North America, a San Diego-based provider of security software. "By 'seeing' several signals and comparing the time of each, it can infer information about where the unit is located relative to the Earth's surface."

This is typically very accurate, providing location data to within a few feet, depending on the model, Camp noted. However, if fake GPS signals are present, the unit may lock on the fakes and start deriving its own fake position based on that information.

A lot of attention is paid to malicious actors attempting to override the signal strength of GPS to confuse systems within a localized area. A risk that receives less attention is the vulnerability of GPS control stations -- the Operational Control Segment -- that monitor and coordinate the GPS system in space. The ground facilities are a perfect example of a high-value asset within a broader global network. Operators use a master control station, alternative master control station, 11 command-and-control antennas, and 16 monitoring sites to maintain satellite signals and identify anomalies within the system.

An intruder who compromises these facilities might be able to do more than take down the GPS system, Gleicher warned. Attackers often focus their attempts to break into networks on core services -- applications like Active Directory that are essential to the functioning of the entire network. These applications provide easy paths to cause damage and rich opportunities to move laterally through the network to reach other high-value targets.

GPS data

In addition to security gaps in transportation and network functions, CISOs are concerned about the vulnerability of data generated through GPS systems.

"With machine learning, attackers can more quickly find, identify and sort through social media and aggregate data at a scale and scope they never had before; GPS data is yet another attribute to enable more effective targeting," said Stan Black, CSO at Citrix Systems Inc., an enterprise software company headquartered in Santa Clara, Calif., and Fort Lauderdale, Fla. The target could be individuals or whole organizations.

If corporate policies aren't clearly set up or defined with mobile network operators detailing how GPS data is collected and used by devices, the internet and cloud service providers, companies can be left open to a large-scale attack.

"Shadow IT can make this especially tricky if employees are using apps that go around corporate policy to get their work done, not to mention that many cloud providers are legally or covertly able to gather and sell user data," Black said.

An echo of that concern is heard from Sales Partnerships Inc., a Broomfield, Colo., company that provides technology with integrated mapping tools that support customer relationship management and other sales functions.

"GPS has been a great tool for us to capture robust data based on movement to track our outside sales teams," said Orion Wiseman, vice president of information systems and privacy.

The data allows teams to analyze the effectiveness of the company's field marketing and sales efforts against modeled expectations generated by territory management processes and systems. Loss of the data would violate the privacy of personnel and put company trade secrets at risk.

To protect this sensitive data, Wiseman's team starts with endpoint protection using over-the-air management to enforce security standards on devices and make sure these standards remain in place using remote diagnostic tools. "We use a dedicated app on the device to capture the GPS data and transmit the data securely to a hardened server," Wiseman said. Access to the server is limited by IP address and virtual LAN within the corporate network. "We also regularly conduct security assessments and testing to ensure our infrastructure and policies and procedures remain secure," he added.

Steps to stay safe

Like the rest of the world, businesses have developed a growing reliance on GPS technology. It is at the heart of many systems that move people and goods and sometimes plays less obvious roles in providing timing signals for electronic networks and infrastructure systems.

While GPS has been extraordinarily reliable, it isn't entirely foolproof. And some experts say it's time to assess GPS vulnerabilities and consider protective strategies. Because GPS security doesn't quite fit anywhere else in the corporate structure, CISOs are likely to find it in their lap almost by default.

On a practical level, CISOs can start by finding out which systems internally depend on GPS technology and then looking at the GPS vulnerabilities of their telecom carriers, cloud providers and supply chain partners.

"When you think of that function around telecommunication networks, while we do use GPS, [we] will still be using those cesium clocks, too," Mahon said. And that can help ensure that critical infrastructure providers, at least, are resistant to timing-signal problems.

CISOs should also assess whether alternative or backup technologies are feasible and consider what workarounds would be available if GPS problems develop.

"Assume that GPS will go down," Mahon said. "Then ask yourself what your business continuity and disaster recovery plan is if there is a critical function performed by this element."

Pay attention to the basics, Mahon advised. Patch management is important. Assess your GPS receivers and make sure they have proper configurations; consider performing vulnerability testing and look at antenna placement and backup capabilities.

Some companies may look to insurance coverage to provide a backstop if GPS problems crop up. Generally, business-interruption coverage under an insured's property policy will not cover losses due to a GPS outage.

"This is because there has been no actual damage to any insured's property, which is required to trigger coverage under a property policy," explained Tom Mackey, risk-management consultant at Epic Insurance Brokers and Consultants, based in San Francisco.

Even though many cyberinsurance policies include first-party coverage for business interruption due to a breach, hack, distributed denial-of-service attack or other network exploit, if the security problem is traced to GPS -- which is a government-owned-and-operated technology -- coverage would likely not be provided. Most cyber liability policies have exclusions for mechanical or electrical failure and service interruptions based upon or arising out of any failure of electrical infrastructure, telecommunications infrastructure or a satellite.

"Given that GPS is effectively a 31-satellite telecommunications infrastructure, this exclusion would clearly preclude any coverage under this policy," Mackey said. Companies that want to get insurance for GPS risks will have to custom-negotiate a premium in exchange for business-interruption coverage should the GPS technology go down.

Longer term, according to experts, plans are in the works to either revive older backup systems or -- more likely -- make GPS more robust and survivable, perhaps through encrypting signals and providing secure channels for the more critical GPS users.

This was last published in December 2017
