GPS is critical to modern life. It’s also vulnerable, and this researcher is out to fix that

Author: Madelaine Millar
Date: 03.20.23

It didn’t look like much — just a small drone, drifting slowly to the left. To the drone’s controller, it didn’t look like anything at all, and that was the issue.

Two small drones fly in a lab

Like the navigation on your phone, drones rely on GPS data. They determine their location by calculating how far away they are from several constantly transmitting satellites simultaneously. GPS is affordable and easy to use because a device only needs to receive and interpret signals, not transmit, respond, or authenticate them.

But what makes GPS so valuable is also what makes it so vulnerable, says Aanjhan Ranganathan. The Khoury College professor recently received the National Science Foundation (NSF) Career Award to pursue his research on GPS. The half-million-dollar grant recognizes early-career faculty who have the potential to serve as role models in research and education and to lead advances in their fields; it aims to lay the groundwork for the rest of their careers.

A photo of the lab that shows a drone and computers

“GPS is extremely vulnerable to attacks because you’re relying on unsecured signals that are transmitted from satellites 20,000 kilometers above,” Aanjhan said. “When they reach the ground, the signal is already quite weak; $20 worth of equipment can make GPS devices not receive any signal at all. Or, $100 of equipment can transmit signals such that they look like they’re actually coming from GPS satellites. We call it ‘spoofing’ — basically, you can fake where a signal is coming from.”

That’s what Aanjhan was doing to the little drone; by spoofing the signals it was receiving, he tricked it into thinking it was somewhere that it wasn’t. As Aanjhan manipulated the GPS inputs, the drone drifted sideways in an attempt to keep “standing still” — and because the drone thought it was maintaining its position, the controller didn’t show any movement. Aanjhan co-opted the drone without hacking it, effectively circumventing its security protocols.

The implications of spoofing are subtle and widespread. A malicious state could fiddle with airplanes attempting to land and delay entire airports’ worth of flights. A cyberterrorist could steal millions of dollars’ worth of military drones by causing them to land behind enemy lines. Because modern timekeeping relies on GPS, a determined hacker could cost a bank billions by falsifying the timing of stock trades, all without the target’s cybersecurity protocols even having a chance to take effect. A malicious agent’s control is strictly limited to uncorroborated location data, but there is a lot more of that floating around than you might think.

Aanjhan is grateful for the five-year NSF grant because addressing this vulnerability will be complicated in the extreme. His first goal is to understand the GPS ecosystem, its security problems, and what’s already being done to address them. Next, he will design components — from physical hardware to secure applications — that can improve GPS security without overhauling the system.

“You’re not going to replace GPS immediately, no way. It’s going to take more than a couple of years,” Aanjhan said. “During this time, what can we do to protect ourselves from GPS spoofing and jamming attacks? How can we strengthen the security guarantees of GPS position estimates without modifying the infrastructure?”

After that, he’ll turn his attention to longer-term questions. For instance, both the Department of Defense and the European Space Agency are working on adding cryptographic protections to their GPS system. But Aanjhan says these measures do not fully protect GPS, as an adversary can record and replay signals. Today’s secure designs require a number of back and forth communications, and Aanjhan’s work will begin to grapple with questions of scale and how to balance performance with security, privacy, and scalability.

“Wireless networks are ubiquitous already. With the advent of next-generation cellular and Wi-Fi networks such as 5G, every device is becoming very flexible and configurable, which means a new set of applications, a new set of requirements, new standards — but we already have a wealth of information from recent decades to help answer the question ‘How do we build security and privacy by design?’” Aanjhan said. “We are at the right place and the right time to actually influence security and privacy in system design itself.”

He’s also excited to bring more of his students in on the process. He teaches “Security of Wireless Networks” every spring, and enjoys creating hands-on exercises for his students, such as having them compete to locate a wireless-signal-emitting device. Aanjhan has found that computer science students are often intimidated by the complexity of wireless systems, and by showing them how engaging and fun the work can be, he hopes to alleviate this fear and bring more researchers into the space.

“I’m more than a decade into the research topic; one starts to build strong opinions on what is possible and what is not. Beginners are much more like, ‘I think this should be possible’ and they start trying different stuff — and maybe break the boundaries,” Aanjhan said. “Because they are coming from a whole bunch of diverse communities, they bring in different perspectives. If I convince five percent of them to work in the exciting area of wireless security — or just to get interested in cybersecurity and privacy research in general — that would mean so many new perspectives for the community.”

Subscribe to Khoury News

Newsletter Subscription

Enter your information to subscribe now.

This field is for validation purposes and should be left unchanged.