Commercial Flights Are Experiencing ‘Unthinkable’ GPS Attacks and Nobody Knows What to Do::New “spoofing” attacks resulting in total navigation failure have been occurring above the Middle East for months, which is “highly significant” for airline safety.

  • nixcamic@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    Do none of the systems, GPS, glonass etc. use encryption or authentication of any form?

    • Lafrack@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      Yes Galileo supports encryption. But as far as I know it’s not in use. Has been trialled only. But I know all Airbus aircraft only support GPS satellites and nothing else (yet). I assume Boeing, being American would be the same then.

      As far as solutions go, an aircraft can navigate fine without GPS. It can update its position from ground navigation aids and if they are not available it can still Dead Reckon very well. The navigation error very slowly grows until it’s out of the black spot and can use GPS or navigation aid to increase its accuracy. But this navigation error on the time frame of say an hour is a matter of kilometers at most, not dozens.

    • AreaKode@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      The problem is with the way GPS works. Your device gets telemetry from the satellites. A fake signal can screw up the whole system.

      • jormaig@programming.dev
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        But if they had authentication you would know that the message doesn’t come from a legitimate satélite.

        • Gormadt@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          1 year ago

          If their isn’t then there’s a big problem with implementing that now, which would require a retrofit of every single GPS system currently in use and likely a replacement of all GPS satellites

          Edit: I’m slightly mistaken, the military uses encryption but they don’t have that open for public use.

        • Creat@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          7
          ·
          1 year ago

          you can’t have authentication in a one way system. satellites send days, planes receive it, but never send anything.

              • Nailbar@sopuli.xyz
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Playing with semantics a little, it can be thought of as the satellite authenticating with the client using the signature as password.

              • randombullet@feddit.de
                link
                fedilink
                English
                arrow-up
                6
                arrow-down
                1
                ·
                1 year ago

                That’s not how PKI works?

                Unless you know how digital signatures work better than me

              • Nailbar@sopuli.xyz
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                You can’t copy a signature, since it is different every time the signed content is different. You need to have the correct key in order to make a valid signature.

              • zalgotext@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                If you’ve figured out how to do that, a lot of governments would pay you a lot of money for your solution

    • SeriousBug@infosec.pub
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 year ago

      Nope. And more importantly, it looks like nobody considered what might happen if the signal gets spoofed. The backup systems that are supposed to keep working if GPS breaks also break due to these spoofed signals.

      • Ajen@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        GPS is encrypted, it’s just that the US military won’t share the encryption keys so the rest of us have to use the unencrypted channels. They’ve clearly thought about it and decided against making it public.

        • grandkaiser@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          If they shared the encryption keys, then it wouldn’t be safe from spoofing anymore. The whole point of encryption is to not share the keys.

          Also, before someone tries to point out PKI, the satellites don’t use PKI. So that’s not relevant. You can’t share the current keys without jeopardizing the system.

          • Ajen@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            PKI? I assume you mean asymmetric encryption? That’s been available long before the GPS system was launched. Why do you think it isn’t relevant? They could have designed it into the protocol if they wanted to.

            • grandkaiser@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              The military didn’t design it for civilian use. That’s really all there is to it. The commenter I was replying to made it sound like theres an easy solution here. There isn’t.

              • Ajen@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I’m the commenter you originally replied to. If the US military wanted unspoofable GPS available to everyone then it would be available to everyone. They only want the public to have unencrypted GPS, so that’s all we get.

                • grandkaiser@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  The military is as concerned with civilian gps as much as they are with anything else that isn’t military-related: not their issue to solve. They won’t stop anyone from using encrypted gps. They really won’t. The only branch in the us that actively tries to prevent public encryption is the NSA. (Even then, they wouldn’t block something like gps). For the record, I’m a security engineer (DDI, private sector), previously worked for the DOD, and used to work in satcom.

    • _s10e@feddit.de
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      GPS is old, the amount of data you get from the satellite is small, essentially satellite id and timestamp. If we would redesign this today, you could include a digital signature.

      Sure, but… you can google this to verify … one can probably manipulate GPS by introducing delay, i.e. resend data from a sat that was hear some seconds ago. With this signal the location will be off.

      • Treczoks@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        But that would also mean the timestamp to be off. Just resending them would also require extremely precise timing if you want to simulate a position that is not anywhere but just a bit off the last position. Making a GPS position jumping around half the world is (comparably) easy, pushing it off for a few kilometers is much, much harder.