New Type Of GPS Spoofing Attack In China Creates "Crop Circles" Of False Location Data

The eerie patterns are unlike anything experts have seen in previous GPS spoofing incidents, which have typically pointed to a single location.

A "crop circle" made up of spoofed GPS data in Shanghai.
Strava

A new type of GPS spoofing technology, which may belong to the Chinese government, appears to have been impacting shipping in and around China's Port of Shanghai for more than a year. Unlike previous examples of spoofing attacks, which have typically caused GPS receivers in a certain area to show their locations as being at a limited number of fixed false positions, the incidents in Shanghai caused the transponders on multiple ships at once to show various erroneous positions that form odd ring-like patterns that some experts have dubbed "crop circles."

An article in MIT Technology Review magazine on Nov. 15, 2019, was among the first to delve into the data. The information had come from an investigation that the Center for Advanced Defense Studies, or C4ADS, a Washington, D.C.-based nonprofit, had previously conducted into what has been happening in Shanghai. Todd Humphreys, the head of the Radionavigation Laboratory at the University of Texas at Austin, an expert in GPS jamming, spoofing, and hacking, who had been assisting C4ADS, gave a presentation on the topic at the ION GNSS+ satellite navigation conference in Florida in September. 

C4ADS has conducted a number of data-driven investigations since 2012, including one in July of this year on the smuggling of luxury goods, including foreign cars, into North Korea. Another one that the organization published four months earlier delved into Russian GPS spoofing and jamming activities in Ukraine's Crimea region and the Black Sea, elsewhere in Europe, and Syria.

Russia has been conducting these kinds of attacks for years and they are well known at this point. However, instances of spoofing linked to the Russians have, typically, caused affected receivers to think that they're all in one incorrect location. A series of such attacks in the Black Sea in 2017 notably caused numerous ships to register their locations at a single point several miles inland.

C4ADS

A graphic showing how Russian GPS spoofing incidents in the Black Sea between 2016 and 2018 shifted locations of ships to a limited number of locations, all airports, on land.

C4ADS had not initially been expecting to find anything necessarily unusual about the GPS spoofing in Shanghai after reportedly receiving a tip earlier this year, according to MIT Technology Review. The fact that the port might be experiencing these kinds of attacks was backed up in part by a report that the captain of U.S.-flagged container ship M/V Manukai had filed with the U.S. Coast Guard in July 2018. 

In that case, as the ship approached the port, another vessel disappeared and reappeared multiple times from its screens, with its transponder alternating between showing its position in one of the traffic lanes and in its berth. The captain of the Manukai eventually confirmed that the other ship had never left the pier. His own ship's GPS systems failed completely as they made their way to their own place on the dock, in what sounds like it may have just been more traditional jamming.

Matson

The M/V Manukai.

The International Maritime Organization requires most civilian and commercial ships to have a GPS-linked Automatic Identification System (AIS) transponder and broadcast their locations while underway specifically to help ships avoid colliding with each other or other hazards at sea. The risks are very real. For example, the European Maritime Safety Agency (EMSA) found that half of all shipping mishaps that it recorded in 2017 were, at least in part, due to navigation errors that subsequently led to a collision or a ship finding itself grounded on land.

C4ADS purchased a significant amount of AIS transponder data from in and around the Port of Shanghai from an unspecified startup company, which further confirmed spoofing attacks occurring at least as far back as Summer 2018. This was clear from AIS data that showed ships' positions on land rather than in the port itself. 

When C4ADS then went to plot the spoofed ship locations to create a visualization of the data, they discovered something entirely new and very odd. Circular patterns appeared that were unlike any the researchers, and the experts they then reached out to, had ever seen.

"To be able to spoof multiple ships simultaneously into a circle is extraordinary technology. It looks like magic," Humphreys, the expert from the University of Texas at Austin, told MIT Technology Review. "People were slack-jawed when I showed them this pattern of spoofing [at the ION GNSS+ conference]. They started to call it crop circles."

C4ADS

A "crop circle" of spoofed GPS locations in Shanghai that C4ADS discovered when it plotted the compromised AIS data.

It also wasn't just ships that were suffering the effects. C4ADS found similar "crop circles" in Shanghai using Strava's "Global Heat Map." This company, which bills itself as a social fitness network, creates this map from the anonymized data that its app collects from users' smartwatches and similar devices. This is ostensibly meant to show things like popular running and cycling routes, as well as general athletic activity.

The company did find itself at the center of a controversy last year when it became apparent that the heat map was also effectively highlighting the locations of military and intelligence facilities around the world. What it was showing in Shanghai was that cyclists and anyone else in the city who were using Strava's app were also subjected to the curious spoofing attacks.

Strava

Another "crop circle" that appears on Strava's Global Heat Map.

"I’m still puzzled by this," Humphreys continued. "I can’t get it to work out in the math."

MIT Technology Review did not offer any technical explanations as to how the spoofing might have occurred. It is known that commercially available systems are capable, under certain circumstances, of showing a single object, even one that is actually stationary, moving along an entirely fake route. Creating any sort of pattern involving multiple objects at once is much more complicated, according to Humphreys.

It's also not clear who may be behind the attacks. One obvious possibility is that the Chinese government is using the Port of Shanghai as a testing ground for a new GPS spoofing system that its military or security forces could ultimately employ elsewhere. Since at least 2013, there have been reports that China may be launching electronic warfare attacks on manned and unmanned U.S. aircraft operating near its man-made islands in the South China Sea, for instance. GPS spoofing attacks could complicate operations and create new risks for American aircraft and ships in this and other contested areas in the Pacific Region.

Beyond these particular examples, as The War Zone has explored deeply in the past, GPS spoofing presents a very real and growing threat, in general. In the Pacific Region, or anywhere else, it could potentially throw ships, aircraft, and ground forces off course, creating confusion among opponents and the risks of serious accidents, slowing down the ability of an enemy force to maneuver and respond to new developments substantially. 

It could also impact the employment of precision-guided munitions that rely on satellite navigation to find their targets. This could reduce an enemy's confidence in the ability to use these weapons safely and effectively, especially against targets that are very close to friendly forces or innocent bystanders.

Of course, GPS is uniquely encrypted for the U.S. military and its allies, making their access to the system more resistant to spoofing, and an improved family of encrypted receivers is also in development. New antennas that are less susceptible to jamming attacks are also becoming available.

None of these defenses are foolproof. However, there are also other fail-safes intended to mitigate spoofing attacks, as The War Zone's Tyler Rogoway has noted in the past, writing:

Advanced guidance and navigation systems, like those found on aircraft and in most GPS-guided weapons, use inertial navigation with embedded GPS. System software loaded onto the INS/GPS guidance system uses algorithms to detect discrepancies among various streams of information. This way the system can place less priority on one stream of information, say from a malfunctioning ring-laser gyro or GPS receiver, than others. Or it can discount that stream entirely if it starts straying far from the consensus of the others. This way a navigation system that suddenly loses a component due to failure or has one of its data streams deviate for other reasons won't simply stop working.

For instance, if the GPS telemetry suddenly leaps miles away, the navigation system may "vote out" the GPS information entirely. The system will be less accurate overall because of it, but it will still function. As an example, take a Joint Direct Attack Munition, the most common guided bomb used by the USAF, which uses GPS and INS navigation. If the system suddenly loses GPS connectivity during its attack sequence, INS will take over, but the bomb will be substantially less accurate than it would have been with both GPS and INS working together as a team.

But spoofing isn't as simple as telling a GPS receiver it is somewhere totally different than where it really is. By broadcasting false GPS data that slowly changes over time, navigational systems with GPS and INS may not "throw out" the GPS data so soon, or at all for that matter. Over time this could result in vehicles going far off course or even running into shores, mountains or even other vehicles without warning. Some say this is how the Iranians brought down the RQ-170 Sentinel drone in a relatively intact state in late November 2011, although this remains highly debatable.
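
The "vote out" logic and the slow-drift failure mode described in the passage above, as an added example (not from the article, C4ADS, or any fielded navigation system): a toy 1-D GPS/INS blend in which a sudden leap is rejected by a per-sample gate while a 2 m/s walk-off passes it, plus a cumulative-sum (CUSUM) check on the innovations that flags the drift. The gate, gain, noise, INS bias and thresholds are all assumed values chosen for illustration.

```python
from collections import namedtuple

Result = namedtuple("Result", "final_error_m rejected alarm_step")

def simulate(spoof_offset, steps=120, gate_m=50.0, gain=0.2,
             act_on_alarm=False, slack_m=4.0, limit_m=40.0):
    """1-D along-track toy model, 1 s steps; all parameters are assumptions.

    spoof_offset(i) is the false offset (m) added to the GPS fix at step i.
    """
    speed, ins_bias = 10.0, 0.05          # m/s true speed, INS velocity error
    truth = est = 0.0
    cusum_pos = cusum_neg = 0.0
    rejected, alarm_step = 0, None
    for i in range(steps):
        truth += speed
        pred = est + speed + ins_bias     # inertial dead reckoning
        noise = 1.5 * ((i % 3) - 1)       # constructed, bounded GPS noise
        innov = (truth + noise + spoof_offset(i)) - pred
        distrusted = act_on_alarm and alarm_step is not None
        if distrusted or abs(innov) > gate_m:
            rejected += 1                 # GPS "voted out": coast on INS
            est = pred
            continue
        est = pred + gain * innov         # blend the accepted GPS fix
        # Two-sided CUSUM: a persistent bias in small innovations adds up.
        cusum_pos = max(0.0, cusum_pos + innov - slack_m)
        cusum_neg = max(0.0, cusum_neg - innov - slack_m)
        if alarm_step is None and max(cusum_pos, cusum_neg) > limit_m:
            alarm_step = i
    return Result(est - truth, rejected, alarm_step)

def no_spoof(i):
    return 0.0

def jump(i):                              # sudden leap of 5 km at step 20
    return 5000.0 if i >= 20 else 0.0

def drift(i):                             # 2 m/s walk-off from step 20
    return 2.0 * (i - 19) if i >= 20 else 0.0

if __name__ == "__main__":
    for name, fn, act in [("clean", no_spoof, False), ("jump", jump, False),
                          ("drift, gate only", drift, False),
                          ("drift, gate + CUSUM", drift, True)]:
        print(name, simulate(fn, act_on_alarm=act))
```

In the drift case the gate never rejects a sample and the blended estimate is pulled well over 100 m off track, while acting on the CUSUM alarm limits the error to what accumulated before detection plus the INS drift afterwards.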

With all this in mind, the United States, among others, is already working on fielding GPS receivers that are better hardened against such attacks. In addition, there has been a growing push to acquire and otherwise implement non-satellite navigation alternatives for ships, aircraft, and ground forces. The need for what the U.S. military has referred to as Assured Positioning, Navigation, and Timing (PNT) to respond to what it has begun calling "navigation warfare" attacks is among the most critical and fastest emerging defense areas.

Rather than develop a single substitute for GPS, this has included a layered, multi-faceted approach that includes a wide range of systems and other concepts. This includes a renewed emphasis on map-and-compass land navigation and the use of automated celestial navigation systems, the latter of which you can read about in greater detail in this past War Zone feature. Precision-guided munitions with multi-mode seekers are also becoming increasingly popular in part because they can help mitigate the risks of GPS jamming and spoofing, as well as other electronic warfare attacks, during the munition's terminal phase of flight.

There is also work being done on higher-tech solutions. This includes advanced and compact Inertial Navigation Systems that can be more readily employed on a variety of platforms. BAE Systems has previously proposed a concept called Navigation via Signals of Opportunity (NAVSOP) that would help provide PNT by leveraging other ambient electromagnetic emissions, such as signals from television stations, cell phones, or even electronic warfare jammers themselves. NAVSOP also offered the possibility to operate passively, which would be beneficial to stealthy aircraft, which need to keep their own emissions to an absolute minimum. Miniaturized atomic clocks could provide another part of the overall solution.

BAE Systems

An infographic showing the potential signal sources that could drive the NAVSOP concept.

The United States and its allies are also increasingly training to fight in GPS-denied environments, as well. This has included deliberately causing mass GPS outages in training areas to create a particularly realistic setting.

Spoofing attacks also have the potential to wreak havoc in the commercial space for many of the same reasons. This reality has raised the possibility that the attacks on GPS systems in and around Shanghai may actually be the work of criminal elements, according to C4ADS. Smugglers trading in sand illegally dredged from the bottom of the Yangtze River – which is almost perfect for making cement, according to MIT Technology Review – have a long history of hacking into their AIS transponders to misreport their positions and elude authorities. 

The Huangpu River Maritime Safety Administration (MSA), which polices the immediate waterway around the port of Shanghai and says it was also subjected to the GPS spoofing, has reported instances of oil smugglers doing the same thing. These "ghost ships," showing false positions, if their transponders are on at all, have become a menace, reportedly being at the root of 23 accidents on the Yangtze in 2018. This was more than half of all major accidents and resulted in the deaths of 53 people, according to MIT Technology Review's report.

Reinhard Kaufhold/Picture-Alliance/DPA/AP Images

Barges carrying sand and gravel on the Huangpu River, with the Shanghai skyline in the background, in 2017.

Screwing with a ship's own transponder signal, or switching it off entirely, is a common tactic employed by maritime smuggling operations around the world, too. Actively spoofing all GPS receivers in the area would certainly be a major escalation for criminal elements, and being able to do so at this level of complexity would raise serious concerns about the capabilities for non-state actors to do the same elsewhere. Earlier this year, the U.S. Maritime Administration (MARAD) issued alerts about potential GPS spoofing and jamming tied to Iran or Iranian proxies in waterways in the Middle East, showing that there are already concerns about this technology proliferating.

Still, Humphreys, the University of Texas at Austin researcher, is unconvinced that a non-state actor could be behind as sophisticated an attack as the one in Shanghai. "I don’t think it’s some rogue actor," he told MIT Technology Review. "I’m genuinely puzzled how this is being done."

If nothing else, the GPS spoofing that has been occurring in Shanghai only further underscores that the manipulation of GPS connectivity is a very real threat and is a wakeup call regarding just how rapidly GPS denial and spoofing tactics are evolving. 

UPDATE: Make sure to check out our followup on what is literally at the center of this anomaly.

Contact the author: joe@thedrive.com