
LT - GPS Hacking - Recompiler

BSides Las Vegas · 14:28 · Published 2017-03
About this talk
LT - GPS Hacking - Recompiler. Lightning Talks, BSidesLV 2013, Tuscany Hotel, August 01, 2013.

Transcript [en]

My name is... this is CHR. This is our very abbreviated talk on GPS jamming. We were originally planning to do the full talk, but we didn't have time to finish and kind of dropped the ball. This is a talk about GPS jamming as well as GPS spoofing. We're going to show you a short video. This actually happened two weeks ago, where a luxury yacht... (talking to Mike, sorry Mike).

So a luxury yacht at sea was hijacked because the GPS signal was hacked, and the yacht went off course and ended up in the wrong country's territorial waters.

[video audio] ...once in control, initiates a change in the ship's system...

So essentially the goal going into this project was to be able to build our own GPS jammer, much like the University of Texas did, to be able to hijack small drones and other autonomous vehicles. It took a little bit of research. We were actually able to put together a small L1 broadcast tower, large enough to essentially cover something like this room; the range we were getting is about 50 feet. The intended demo we had was to actually have three of these towers so we could perform a full hijack; we only had a chance to complete one of them. The material cost was under $80 to be able to actually have our own GPS simulator. It runs off a fairly simple Linux script. I have not yet been able to actually produce a moving object; I am able to provide GPS locations for a stationary target. After the conference I will release the full hardware spec and the scripts to be able to do this at home, which means you can build up three to five of these and place them somewhere in the building.

So, for example, somebody fires up their phone. Typically you should not have GPS reception indoors, obviously depending on the building materials. With these towers you can either help somebody actually navigate within your own building and give accurate GPS coordinates, or you could misguide and cause somebody to drive to the wrong place with their car GPS, depending on where it's planted, or misguide somebody inside the building to the wrong locations. Obviously there's the L2 GPS signal, which is reserved for the military and is encrypted, but since it's not available to civilians there's not a lot of reason to actually try and broadcast or try to spoof it. As the FAA opens up drone use for the public, I do foresee more attacks against individually owned drones, especially agriculture drones, just due to the fact that they're going to be flying over large open areas fairly low, just so they can actually interact with the crops.

Hi, I'm Kurt Cain. Actually, yeah, to be honest, I wasn't prepared for this talk, but we have all the references. Yeah, we were supposed to do a talk for DEF CON but it was canceled. However, I was planning to do a talk regarding the GPS jamming, like what I used to do with CDMA before, you know, with the Kia phones, before smartphones and everything. I'll be planning to give a talk about that, about CDMA synchronization and how to track someone, for example, using cell phone towers. So yeah, probably in the future I'll be talking about that.

So if you follow the Twitter feed for BSides, we're going to release the full hardware spec. So for under $80 for the parts you're going to be able to build up your GPS jammer; just multiply it by three and you can start playing with it yourself. Any questions I can answer?

Q: Are there any kind of similar attacks against marine units?

A: So the marine units come in a few varieties. The ones that have differential GPS, those are actually a lot harder to attack, because you do have two different diversity antennas. But the units that have one active antenna are susceptible to this attack, unless you're talking about something that's supplemented with a lower-end signal.

Q: I know that they have diversity on those.

A: Yes. If you have diversity antennas, which is what most ships have, and you have DGPS, which is used as a construction set to get resolution down to a few meters, those are a lot more difficult to attack. It's still doable, but then you're going to need to actually synchronize the timing signal on your own attacking nodes so that both antennas agree with your broadcasting. So you have to find a chip that's accurate...

Q: ...a PLL, maintain exactly...

A: I believe having your own GPS with an active antenna that's far enough away that you're not jamming your own GPS signal could work. Or you could actually have your own hardwired network to do the backhaul, so the chips can communicate with themselves.

Q: You synchronize off a cell network?

A: You could, but then you lose a lot of stuff, and the cell phone network itself gets a timing signal off the GPS signal. If you're jamming the GPS signal, you're jamming your time signal.

Q: How much is [inaudible] these days?

A: Under 80k if you get it from the nav [inaudible]. No, they make them smaller, actually.

Q: I'd love to see it, but everything I've seen, maybe cell stuff, surplus, was almost vaguely affordable.

Any other questions I can answer?

Q: Is doing this super legal?

A: So doing this, formally, yes, there are numerous FCC and other regulations that prohibit you from screwing with the GPS signal. However, if you're doing it in a closed environment for research purposes, you can do this. You need to be in a shielded building, a shielded environment. One solution we've actually found that works really well is that Harbor Freight sells a sandblasting cabinet; it doesn't take too much more insulation to actually make it a nice shielded cage. It gives you about 2 square feet to work with.

Q: What about directional antennas to mitigate leakage into the outside environment?

A: I wouldn't do it. If it comes down to it, you're actually publishing research, somebody knocks on your door and asks to see your secure environment, you're probably much better off showing a secure and sealed metal cabinet than saying, "Oh yeah, I was just doing it in the field over there with directional antennas," given the close proximity you need in order to do these proofs of concept.

Q: What is the practical application of this research? Like, what can you use this for in reality?

A: So there's no reason why this can't be scaled up. Since I'm not actually doing this for [inaudible], there was no reason to, but you can easily build or connect a larger [amplifier]. There's a reason we were using less than one watt, specifically as a proof of concept; since I'm releasing it, I'm not trying to actually hijack somebody's yacht. I can: if you have a little SparkFun GPS or a smaller unit board, I could show you that I can geolocate you in Australia, and that's good enough for these purposes, and it's easy to take it from there.

Q: I think I had seen something from a privacy aspect too. If you're worried that somebody is trying to GPS-track you with something on your car, if you jam it they know you're jamming it, but if you fake it and you make it seem like you're somewhere else, or going somewhere else, or not leaving, then you're better off from a safety standpoint.

A: There are a lot of systems that are actually connected to this, a certain device that goes and locks or unlocks or changes the privacy settings and [security] settings based on this. There was actually a funny incident related to the car jamming you were talking about. So New Jersey has this really nifty option for truckers: you don't actually have to have a tag; E-ZPass charges based on GPS. So this one trucker figured out a way to save over $177,000 a month on his E-ZPass bills. The problem is it was interfering with the New York airport approach system. After the system kept resetting over the course of 3 months, they realized that something must be going on related to the Jersey Turnpike. They started reviewing the tapes and eventually narrowed it down to two trucks, and after searching them they found the GPS tracking system. It was being sold by DealExtreme, and that was a week before DealExtreme got the really nasty letter from the feds. If any of you have heard about that, it was because of the New York airport incident.

Q: So wait, someone's GPS spoofer was rebooting the New York airport control systems?

A: The system that allowed the aircraft to do the final approach autonomously as opposed to manually, yes. That's a whole other scary discussion.

Q: Well, the trucks, if I remember correctly, were parking right under the approach, so as the planes were coming in it distorted the signal, and they're like, "oh." And when they reviewed the camera they always saw, like, "what the hell, every time it happened there's this truck that parks right there, and as soon as it leaves, hey look, no problem."

A: So if I remember correctly, this truck wasn't actually parking; this truck was actually going down the highway, and there was an E-ZPass about a mile and a half from the New York area.

Q: Must have been a different incident, because I do remember there was a story where the trucker parked right at the end of the runway to eat his lunch every day, and then they figured...

A: I think that was the Chicago airport incident two years ago.

Q: Oh, okay, this is a new incident. The other airport jamming.

Q: So what about altitude calculations? Are you able to play with those as well?

A: It's harder, but yes, we have the code to broadcast that. A lot of units, such as the one in your car GPS, actually don't care about the altitude. If you're doing something like hijacking a drone, then yes, altitude calculations come into play, say it's in the middle of the [inaudible] or something. It's actually really funny, because you can buzz the GPS, and I found that a lot of the cheaper GPSs break when you send them good signals. So for some reason sending negative altitude is bad.

Any other questions we can answer?

Q: How big is the unit?

A: The unit is actually about the size of a deck of cards. Again, they're broadcasting at only about one watt, so I didn't have to do a lot of isolation with our RF amperage. If you're scaling it up, you are going to go up in size pretty much exponentially, because you will need to do a lot more shielding.

Q: So it's basically, like you're saying, 100 feet would be the most that you can really do with something that small?

A: Oh, okay. But scaling up is fairly easy with even commercial grade amps. If you have a ham radio license and you've worked with building the radios, then you should be able to scale up easily.

Q: Is GPS in the range of most software defined radios, like USRP?

A: Yes, it's definitely within the range of USRP, because it has drop-in boards. I don't have the slide with these, but if you buy the little TV dongle you can receive the GPS signal, but keep in mind that's receive only. If you're actually doing more than just receiving, you're going to need a dedicated software defined radio. Ideally I'd recommend actually getting something that's specific to that center frequency, not something that happens to be able to tune in, because once you drift off signal... even consumer grade GPSs are fairly well centered. So you could start by testing with the time clock source.

Q: Get like a 10 kHz time source?

A: Yes.

Q: So you've been able to skew time with it? To what level?

A: I haven't played with skewing time; I've played with sending the wrong GPS location. But if you're getting time sync off the GPS, there's no reason why you can't broadcast 1776 all the time.

Q: So you wouldn't need an accurate time source, you'd just need...

A: Slightly... well, you are the accurate time source, and you could be as accurate or inaccurate as you want; you just need the timing source. So some 10 kHz reference point, like what's used in any kind of [radio] communications. We [inaudible].

All right guys, thanks a lot for stopping by. We apologize. [Applause] [inaudible]
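The talk describes what a spoofed L1 signal does to a receiver: a stationary target placed "in Australia", a negative altitude that makes cheap units fall over, and a time source the attacker controls ("broadcast 1776 all the time"). The following is an added example, written for this page and not code from the speakers or from their released hardware/scripts. It shows the checks a consumer of GPS output can run on the NMEA sentences a receiver emits to notice exactly those symptoms: verify the sentence checksum, reject fixes whose altitude is implausible, flag a position jump that implies an impossible speed, and flag UTC going backwards. The `$GPGGA` sentence marked as textbook is the classic reference sentence with checksum `*47`; every other sentence is constructed here with `build_gga`, and the speed and altitude bounds are assumptions to tune per platform (a car here; a drone or ship would use different limits).

```python
"""Plausibility checks over NMEA GGA fixes, to catch spoofed positions/time.

Added example for this page, not the speakers' code. All sentences are constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Optional


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return f"{cs:02X}"


def verify_sentence(sentence: str) -> Optional[str]:
    """Return the sentence body if its checksum is valid, else None."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, tail = sentence[1:].partition("*")
    if len(tail) < 2 or nmea_checksum(body) != tail[:2].upper():
        return None
    return body


@dataclass
class Fix:
    utc_seconds: float  # seconds since midnight UTC, from the hhmmss field
    lat: float          # decimal degrees, south negative
    lon: float          # decimal degrees, west negative
    alt_m: float        # antenna altitude above mean sea level
    quality: int        # GGA fix quality (0 = no fix)


def _ddmm_to_deg(value: str, hemi: str) -> float:
    # NMEA packs latitude as ddmm.mmmm and longitude as dddmm.mmmm
    dot = value.index(".")
    degrees = float(value[:dot - 2])
    minutes = float(value[dot - 2:])
    deg = degrees + minutes / 60.0
    return -deg if hemi in ("S", "W") else deg


def parse_gga(sentence: str) -> Optional[Fix]:
    """Parse a checksummed $xxGGA sentence; None on bad checksum, type or no fix."""
    body = verify_sentence(sentence)
    if body is None:
        return None
    f = body.split(",")
    if len(f) < 10 or not f[0].endswith("GGA") or f[6] == "0":
        return None
    t = f[1]
    secs = int(t[0:2]) * 3600 + int(t[2:4]) * 60 + float(t[4:])
    return Fix(secs, _ddmm_to_deg(f[2], f[3]), _ddmm_to_deg(f[4], f[5]),
               float(f[9]), int(f[6]))


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (spherical earth, fine for a sanity check)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def check_fixes(fixes: List[Fix], max_speed_mps: float = 60.0,
                min_alt_m: float = -500.0, max_alt_m: float = 20000.0) -> List[str]:
    """Return one alert string per implausible fix. Bounds are assumptions for a car."""
    alerts: List[str] = []
    for i, fx in enumerate(fixes):
        if not (min_alt_m <= fx.alt_m <= max_alt_m):
            alerts.append(f"fix {i}: implausible altitude {fx.alt_m:.1f} m")
        if i == 0:
            continue
        prev = fixes[i - 1]
        dt = fx.utc_seconds - prev.utc_seconds
        if dt <= 0:
            alerts.append(f"fix {i}: time went backwards or stalled (dt={dt:.1f}s)")
            continue
        d = haversine_m(prev.lat, prev.lon, fx.lat, fx.lon)
        if d / dt > max_speed_mps:
            alerts.append(f"fix {i}: jump of {d / 1000:.0f} km in {dt:.0f}s")
    return alerts


def build_gga(hhmmss: str, lat_ddmm: str, ns: str, lon_dddmm: str, ew: str, alt_m: float) -> str:
    """Construct a well-formed GGA sentence (fix quality 1) with a valid checksum."""
    body = f"GPGGA,{hhmmss},{lat_ddmm},{ns},{lon_dddmm},{ew},1,08,0.9,{alt_m:.1f},M,46.9,M,,"
    return f"${body}*{nmea_checksum(body)}"


# Textbook reference sentence (48 07.038' N, 11 31.000' E, 545.4 m); checksum *47.
KNOWN_GOOD = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"


def constructed_stream() -> List[str]:
    """Constructed receiver output: two honest fixes, then the symptoms from the talk."""
    return [
        KNOWN_GOOD,
        build_gga("123520", "4807.040", "N", "01131.002", "E", 545.6),   # a few metres on
        build_gga("123521", "3352.000", "S", "15112.000", "E", 20.0),    # suddenly "in Australia"
        build_gga("123522", "3352.000", "S", "15112.000", "E", -900.0),  # negative altitude
        build_gga("123510", "3352.000", "S", "15112.000", "E", 20.0),    # clock runs backwards
    ]


def demo() -> List[str]:
    fixes = [fx for fx in (parse_gga(s) for s in constructed_stream()) if fx is not None]
    return check_fixes(fixes)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The checksum only proves the sentence was not corrupted between receiver and host; it says nothing about whether the RF the receiver saw was genuine, which is why the position, altitude and time checks are the ones that actually catch the spoof. A receiver that crashes on the negative-altitude sentence, as the speaker describes for cheap units, never gets as far as this code, so the altitude bound here is for the consumer side.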