In June, in international waters some 30 miles off the coast of Italy, the White Rose of Drachs began to drift starboard.
Inexorably, the $80 million, 65-meter luxury super-yacht yielded its GPS-determined course until it was under the complete control of hijackers.
No alarms went off.
As far as the ship’s GPS equipment was concerned, the signals it was getting were authentic, and once a location discrepancy was reported by the ship’s navigation system, a course correction was initiated by the crew.
But those signals were not authentic, and the ship was not on course.
The signals were in fact being sent from the White Rose’s upper deck by University of Texas/Cockrell School of Engineering graduate students Jahshan Bhatti and Ken Pesyna.
A team from the school had been invited aboard while the White Rose sailed from Monaco to Rhodes, Greece, on the Mediterranean Sea.
Using a blue box about the size of a briefcase, the duo spoofed the ship’s GPS signals, sending counterfeit signals that slowly, subtly overpowered the authentic GPS signals until the ship ultimately came under their control.
If this sounds familiar, it’s because students from this engineering school did the same thing to a drone last year.
In May 2012, the engineering students tried out their $1,000 spoofer, which they had cobbled together in response to a dare from the US Department of Homeland Security (DHS).
Under the direction of Assistant Professor Todd Humphreys, who is now working for the Department of Aerospace Engineering and Engineering Mechanics, the students last spring managed to hack and hijack a drone with what Humphreys at the time said was the most advanced spoofing device ever.
Both the drone and yacht hijackings were designed to shed light on the perils of navigation attacks, serving as evidence that spoofing is a serious threat to marine vessels and other forms of transportation.
In plain English, that means that hackers can send drones smashing, say, into our skulls.
After the students had gained control of the ship’s navigation system, the team planned to coerce the ship onto a new course with subtle maneuvers that positioned the yacht a few degrees off its original course.
When the ship’s navigation system detected the location discrepancy, the crew corrected the course – at least, they thought they did.
In reality, their course corrections were setting the ship slightly off its course line.
The attack is portrayed in this video posted on Monday by the school.
According to a writeup from the school, inside the yacht’s command room, an electronic chart showed its progress along a fixed line.
On deck, however, passengers could detect “a pronounced curve showing that the ship had turned,” the school reported.
Humphreys said that the ship actually turned – a movement that all could feel – but the chart display and the crew “saw only a straight line.”
The yacht had been nudged onto a parallel track hundreds of meters from its intended course.
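The mismatch described above, a chart that shows a straight line while the hull actually turns, is what a cross-check against a GPS-independent heading source can catch. The following is an added example, not code from the article or the UT Austin team: it dead-reckons from gyrocompass heading and speed-log readings and flags the first GPS fix that disagrees. The track, coordinates, threshold and function names are constructed assumptions.

```python
import math

EARTH_R = 6_371_000.0  # metres

def dead_reckon(lat, lon, heading_deg, speed_mps, dt_s):
    """Advance a position using only heading and speed (no GPS input)."""
    d = speed_mps * dt_s
    h = math.radians(heading_deg)
    dlat = d * math.cos(h) / EARTH_R
    dlon = d * math.sin(h) / (EARTH_R * math.cos(math.radians(lat)))
    return lat + math.degrees(dlat), lon + math.degrees(dlon)

def distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance, adequate over a few kilometres."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return EARTH_R * math.hypot(x, y)

def first_divergence(samples, dt_s, threshold_m):
    """samples: (gps_lat, gps_lon, gyro_heading_deg, log_speed_mps) per tick.
    Returns the index of the first GPS fix that is more than threshold_m
    from the dead-reckoned position, or None if the sources agree."""
    dr_lat, dr_lon = samples[0][0], samples[0][1]
    for i in range(1, len(samples)):
        _, _, hdg, spd = samples[i - 1]
        dr_lat, dr_lon = dead_reckon(dr_lat, dr_lon, hdg, spd, dt_s)
        gps_lat, gps_lon = samples[i][0], samples[i][1]
        if distance_m(dr_lat, dr_lon, gps_lat, gps_lon) > threshold_m:
            return i
    return None

def constructed_track(spoofed, n=120, dt_s=10.0, speed=7.0, turn_at=20):
    """Constructed sample data: GPS always reports a straight eastward line;
    in the spoofed case the gyro shows the hull 3 degrees off after turn_at."""
    lat, lon = 36.0, 20.0  # arbitrary constructed start point
    track = []
    for i in range(n):
        hdg = 93.0 if (spoofed and i >= turn_at) else 90.0
        track.append((lat, lon, hdg, speed))
        # Reported GPS position keeps following the original course line.
        lat, lon = dead_reckon(lat, lon, 90.0, speed, dt_s)
    return track

if __name__ == "__main__":
    print("clean track:  ", first_divergence(constructed_track(False), 10.0, 100.0))
    print("spoofed track:", first_divergence(constructed_track(True), 10.0, 100.0))
```

On a real vessel the threshold has to absorb ordinary dead-reckoning drift from current and leeway, so it trades detection delay against false alarms.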
Chandra Bhat, director of the Center for Transportation Research at UT Austin, said that the experiment highlights the vulnerability of the transportation sector to such attacks:
“The surprising ease with which Todd and his team were able to control a (multimillion) dollar yacht is evidence that we must invest much more in securing our transportation systems against potential spoofing.”
Humphreys said that the experiments are applicable to other semi-autonomous craft that are now operated, in part, on autopilot.
The demonstrations are part of an ongoing research project supported by the university’s Wireless Networking and Communications Group through an Industrial Affiliates program.
DHS has been attempting to identify and mitigate GPS interference through its Patriot Watch and Patriot Shield programs, but the effort has been deemed poorly funded, was still in its infancy as of June 2012, was mostly geared toward detecting GPS hackers using jammers instead of spoofers, and, judging by the results of the successful yacht takeover, hasn’t to date produced much change in the vulnerabilities of GPS.
Now, in addition to worrying about hackable juggernauts flying over us in the form of drones, we can worry about autopilot superyachts being yanked like puppets on strings by pirates, careening off course, or being used as weapons.
Would one call those hackable aquanauts?
Time to break out the sextants!
A good idea, if anyone on the crew knew how to use one or even what a sextant was. Oh, and a compass and a good chronometer would help, too.
In that case observing the curve in the trail of the boat would have been enough.
A set of gyroscopes in the boat could help to detect GPS hijacking, the board computer could detect any inconsistency…
So what? They had a device on the ship. Is this really newsworthy and how does this really link in any way to the security of the companies Sophos purports to protect?
This article doesn't directly relate to the products and services Sophos sells – but I think that's no bad thing. Else we'd be more of an advertorial site than a place for news/opinion/advice/research.
But if you accept that the cornerstone of infosec is the "holy trinity" of availability, integrity and confidentiality, then I think this article does bring into the spotlight quite interestingly that integrity is tough to do well. (Is that *really* my data, or did you mess with it?)
Anyway, integrity is one of the things that our products can look after, for example by means of encryption. Good crypto products deal with keeping things secret *and* untampered-with.
We write a lot about general security stuff, we run puzzles, we analyse algorithms for fun, we tell you about the history of cryptography, we dig into malware to depths that are unnecessary to know if all you want to do is *stop* viruses in the first place, we write about busts of cybercrooks by law enforcement, and much more.
Our readers generally seem to like our non-product-centricity. We get our marketing benefits unobtrusively, in my opinion – I think you can work out what vendor "nakedsecurity.sophos.com" would recommend 🙂
Paul, we really do appreciate it. I find this stuff interesting, and it's great to have somewhere to go that is much more focused on information security and goes into greater depth than a news website, and that is updated much more regularly than something like krebsonsecurity or XyliBox.
Just want to say thanks to you, Paul, and all of the writers at nakedsecurity 🙂
a. Wolves, you're welcome. It's truly a pleasure to write up and to deliver to you interesting, non-product-flogging, non-marketing-fluff material.
b. Yea, yea, what Mr. Duck said.
I'll second that! Keep up the interesting work rather than just blowing your own whistle – this sort of stuff makes the site much more interesting and readable.
Indeed, this kind of article tells a lot about what security is and helps one to think better when conceiving devices or software that have to deal with possible tampering or misuse.
For example this shows that one should not trust blindly a GPS and should implement consistency checks whenever using a "trusted" source or information feed…
The only way to fix a problem is to know that it exists in the first place. I own a drone and want to know for sure that I am in control of it and not some idiot with a black box.
Good work Sophos
In other news:
http://www.spectracomcorp.com/ProductsServices/GP…
This is nothing new.
Looks like it would fit in a box "about the size of a briefcase" (albeit a slightly bulky briefcase), too.
A quick search of online shopping sites shows that they are readily available in all colours of the rainbow. (Briefcases, not GPS simulators.)
I thought they are radio beacons that can be used as secondary systems to check whether they are on correct course instead of relying on GPS solely.
Could something of this nature be used to force drones off course?
Yea, bingo, already done last year by the same engineering school, under Humphreys. There's a link to the drone hack in the article, and here it is again: http://nakedsecurity.sophos.com/2012/07/02/drone-…
In response to your response to Disinterested; I am very often amused, pleased, shocked and encouraged by the stuff I read on the Sophos blog. The fact is, you Sophos guys have discovered a fantastic non-advert-riddled information tool that keeps people up to date with the latest revelations on cyber crime et al. It's a fact that using technology to influence a mode of transport from its programmed course isn't new – but the key to this is that before today – I hadn't heard of it, so it is news to me. Well done Lisa and the team; do keep up the good work!
As usual – you can send the fee by Western Union transfer to my office in Lagos.
I'll just drop it off when I come for dinner on Sunday, mom. Oh, excuse me, I mean Mick A.
Let's be realistic: whatever it is, if something requires a signal of any description to do what it is supposed to, then that signal can be faked in the same way the genuine signal is produced. The only real way to prevent hacking of automated systems is to have manually operated systems that, even if operated remotely, still require manual input, and even then it is not completely secure – just more secure than an automated system. I guess for the time being things should have at least 2 systems receiving data from at least 2 different sources and compare the data, and if the data from different sources does not correspond then clearly there is a problem.