Scientific American - USA (2019-12)


spoofing mitigation function against the most basic threats is far
from simple to implement,” wrote Gerhard Berz, who works on
navigation infrastructure for Eurocontrol, Europe’s air traffic
control agency, in Inside GNSS, a trade magazine.

DISTRIBUTED ATTACKS
A large-scale, coordinated attack on U.S. infrastructure could be pulled off by 10 or 12 human operators with the right equipment, fanned out across the country. History was changed on September 11, 2001, by 19 Al Qaeda agents in the U.S., but hostile GPS disrupters would not need to have a suicidal devotion to God, the level of technical training required to fly a plane or the brutality to murder a cockpit crew. It is possible that the only thing stopping a GPS attack is international law, which recognizes electronic warfare as equivalent to violent acts if it brings about similar effects. Broad disablement of civil infrastructure would be likely to engender a U.S. military response, which at least so far may have dissuaded adversaries.

Although loss of life from a coordinated jamming-spoofing attack on GPS timing would probably be less than that on 9/11, the disabling effects could be more widespread. One scenario could involve changing stoplights at a few major intersections in various cities across the country to show green in all directions. A hacker in a nearby building would open a software-defined radio on a laptop. It would generate a false copy of the radio-frequency carrier, noise code and data bits from the provider of the global navigation satellite systems the traffic light was using. To induce the light to lock onto the bogus signal, the spoofer would disrupt the light’s regular tracking procedure, causing it to try to reacquire a signal. If the false signal were stronger, the light would likely select it. Now having access to the light’s controller, the hacker could feed it the incorrect time, activating the north-south signal’s green light before the east-west signal changed to red.

Several hackers at different intersections or in different cities could coordinate attacks. Or one of them could set off a cascade of intersection disruptions in one city. When I raised this scenario to a supervisor of traffic signal electricians in San Francisco who was closely involved with the city’s procurement of traffic signal cabinets, he did not think there was a means for anyone to wirelessly connect to the GPS and change its time setting. Yet the Garmin GPS modules that San Francisco uses in its lights employ no antispoofing protections; rather the manufacturer’s technical specifications state that to comply with Federal Communications Commission regulations, the Garmin device must accept any radio-frequency interference it encounters, even if it could scramble the module’s readout.

Not every city uses GPS to time traffic signals, but the alternatives are not necessarily better. Dale Picha, traffic operations manager for the Texas Department of Transportation’s San Antonio district, says the district has been moving away from individual GPS receivers on traffic signal cabinets, choosing to get the time from cell networks instead. But those can be spoofed, too.

People injured in traffic accidents might have to wait awhile for help because paramedics’ radios rely on GPS timing. When several GPS satellites provided incorrect time because of a glitch in 2016, virtually every emergency-responder system in North America experienced communications problems.

A larger target would be the global financial system. In a swampy part of New Jersey two miles from MetLife Stadium, trillions of dollars’ worth of financial instruments are traded every day in bits and bytes. The Equinix data center there hosts 49 exchanges, including the New York Stock Exchange. An error introduced in a GPS receiver that time-stamps stock transactions would “inject confusion into the operations of the financial industry,” says Andrew F. Bach, former global head of network services for the New York Stock Exchange. Seeing something amiss, computers—which now account for 60 percent of market volume, according to J.P. Morgan—might decide to sit on the sidelines. “When too many people head for the exits at the same time, we get a real problem,” says Andrew Lo, a professor of finance at the M.I.T. Sloan School of Management. “It can easily lead to a flash crash [a sudden and dramatic downturn in stock prices] or something much more long-lasting.” Noah Stoffman, an associate professor of finance at the Indiana University Kelley School of Business, says: “I can easily imagine that disrupting GPS would have catastrophic economic consequences.”

As markets reeled in New York, attackers could assault the electric grid in the heartland through a piece of hardware common at virtually every local substation. The Platte River Power Authority’s Fordham substation in Longmont, Colo., 35 miles north of Denver, near where I recently lived, is typical in its equipment and in its ease of reach by a concealed potential attacker. Sitting behind a 12-foot wall around the corner from a Holiday Inn Express, the open-air installation pares electricity in high-voltage transmission lines, generated at a big gas-fired power plant miles away, down to a level that local lines can feed to 348,000 home and business customers in Longmont and three nearby cities. Scattered across the roughly six-acre facility are metal boxes containing phasor measurement units (PMUs), which monitor the status of the grid. The PMUs’ timing is set by a GPS. Jeff Dagle, an electrical engineer at Pacific Northwest National Laboratory, who is an expert on U.S. electricity networks, insists that because PMUs are not critical to the grid’s actual operation, spoofing them would not cause a blackout. But a September 2017 report from NIST maintains that a spoofing attack on PMUs could force a generator off-line. The sudden loss of several large generators, it says, “would create an instantaneous supply-demand imbalance and grid instability”—a potential blackout. Humphreys and his colleagues demonstrated such a timing failure in a lab environment. Although the PMUs are behind a wall,

An eLoran backup system would render jamming and spoofing almost irrelevant by delivering a signal that is much stronger than the GPS feed and hence virtually impossible to override.


© 2019 Scientific American