Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events. 

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofer's choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.
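
The anomaly check described above (a vessel whose AIS position suddenly lands on an airport) can be sketched as follows. This is an added example, not code from the C4ADS report; the MMSI numbers, coordinates, airport location and both thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

MAX_PLAUSIBLE_KNOTS = 60.0  # assumed speed ceiling for a commercial vessel
AIRPORT_RADIUS_KM = 5.0     # assumed radius that counts as "at the airport"
AIRPORTS = {"EXAMPLE-AIRPORT": (40.000, 20.350)}  # constructed reference point

# Constructed AIS position reports: (mmsi, unix_time, lat, lon)
SAMPLE_REPORTS = [
    (111000001, 1500000000, 40.300, 19.500),
    (111000001, 1500000060, 40.301, 19.505),
    (111000001, 1500000120, 40.002, 20.348),  # sudden jump onto the airfield
    (111000001, 1500000180, 40.001, 20.349),
    (111000001, 1500000240, 40.302, 19.510),  # fix returns to the real track
    (111000002, 1500000000, 40.100, 19.600),  # unaffected vessel
    (111000002, 1500000120, 40.102, 19.603),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def airport_at(pos):
    """Name of the airport within AIRPORT_RADIUS_KM of pos, or None."""
    for name, loc in AIRPORTS.items():
        if haversine_km(pos, loc) <= AIRPORT_RADIUS_KM:
            return name
    return None

def find_spoofing_candidates(reports):
    """Flag reports where a vessel jumps onto an airport at impossible speed."""
    tracks = defaultdict(list)
    for mmsi, ts, lat, lon in reports:
        tracks[mmsi].append((ts, (lat, lon)))
    findings = []
    for mmsi, track in tracks.items():
        track.sort()
        for (t0, p0), (t1, p1) in zip(track, track[1:]):
            if t1 <= t0:
                continue  # duplicate timestamp: speed is undefined
            knots = haversine_km(p0, p1) / 1.852 / ((t1 - t0) / 3600)
            airport = airport_at(p1)
            if airport and not airport_at(p0) and knots > MAX_PLAUSIBLE_KNOTS:
                findings.append((mmsi, t1, airport, round(knots)))
    return findings

if __name__ == "__main__":
    for finding in find_spoofing_candidates(SAMPLE_REPORTS):
        print(finding)
```

Only the first report inside the airport radius is flagged for each jump, so one spoofing event yields one finding per vessel rather than one per report.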

C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance run, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports.

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes that several other Russian government facilities show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.

SignalsEverywhere: ADS-B Aircraft Tracking with RTL-SDR, dump1090 and Virtual Radar Server

Corrosive from the SignalsEverywhere YouTube channel has uploaded a tutorial that shows how to set up ADS-B aircraft tracking with an RTL-SDR, dump1090 and Virtual Radar Server. The decoder software is dump1090, which is a multiplatform command line tool, and Virtual Radar Server is a Windows and Linux compatible program that is used to display the data on Google Maps.

ADS-B is used as a more accurate and modern replacement for traditional aircraft radar. Instead of relying on radar reflections, ADS-B simply transmits a radio signal containing plane data such as GPS location, speed, and identification codes. Other aircraft can use this data for collision avoidance, and ground control use it for traffic management. Setting up your own RTL-SDR based ADS-B receiver allows you to see and track on a map almost all the aircraft currently flying in your area.

ADS-B Receiver With RTL SDR | Tracking Aircraft In Real-time!

NUT2NT+ Crowdfunding: Open Source GNSS RF-to-bits Receiver

Back in May 2018 we first posted about Amungo Navigation's NUT4NT+ project, which is a four channel global navigation satellite system (GNSS) board based on the NT1065 chip. With the right antenna, it is capable of receiving any navigation satellite including GPS, GLONASS, Galileo, BeiDou, IRNSS, and QZSS. With access to multiple satellite systems, the positioning resolution can be down to the centimeter.

Currently crowdfunding on CrowdSupply is the NUT2NT+, which is their low cost 2-input GNSS board. Early bird units are going for $250 (12 units left at the time of posting), with the normal price being $320. Compared to their previous legacy version it has an FPGA, TCXO, bias tee and other improvements. They write:

NUT2NT+ hardware is open source, as is the software - giving the user the ability to set a receiver’s modes and frequencies, to capture all signals continuously, and to have complete control over primary processing features.

Several startups and large companies offer proprietary GNSS positioning solutions and even mobile GNSS software-defined receivers. But a closed ecosystem reduces accessibility for an enthusiast or professional developer, and it limits what a user can do with their hardware. We are happy to bring NUT2NT+ to the world as an open source option.

We note that this is an advanced device for developers and experimenters, but the possible applications they write about such as precision positioning for autonomous vehicles and black box logging are quite interesting.

NUT2NT+ with RA125 antenna for precision positioning of autonomous vehicles.

Their higher end four channel input version (which appears to only be for sale via contact on their website at the moment) can be used as a coherent receiver which can locate sources of GPS jamming via an augmented reality app. In our previous post we highlighted how they were able to find the location of the GPS jammer/spoofers famously active around the Russian Kremlin buildings.

XNZR is searching for Moscow GPS Spoofing Anomaly

A Portable RTL-SDR Based ADS-B Receiver with Display and 3D Printed Enclosure

Over on Hackaday.io user nathan.matsuda has written about his RTL-SDR based hand held ADS-B aircraft receiver with display and 3D printed enclosure.

His initial idea was to create a flexible and open portable SDR device, however keeping the device open and built for general use meant increased complexity which quickly slowed his progress. Instead [Nathan] decided to focus on just ADS-B for his portable device as living near an airport he’d been interested in aircraft tracking since his first SDR arrived.

The device consists of a Raspberry Pi Zero, RTL-SDR, 3.5″ IPS LCD and a battery pack for portability. For software he uses dump1090 with some custom code for the map plotting. Together with a 3D printed case and some buttons, the result is a very professional looking portable aircraft tracking device.

Hopefully Nathan will continue updating his project page so that others may replicate it on their own.

Raspberry Pi Zero and RTL-SDR Portable ADS-B Receiver

Next International Space Station SSTV Event on April 11 – 14

Thank you to Alex Happysat for writing in and letting us know about the next upcoming ISS SSTV event which will begin on 11 April at about 18:00 UTC and end on 14 April 2019 18:00 UTC. If you were unaware, the International Space Station (ISS) transmits SSTV images several times a year to commemorate special space related events. SSTV or Slow Scan Television is an amateur radio mode which is used to transmit small images over radio signals.

The images will be transmitted constantly at 145.8 MHz over the active period and they are expected to be in the PD-120 SSTV format. To receive the images you can use a simple RTL-SDR dongle and the MMSSTV software. A tuned satellite antenna like a QFH, turnstile, or tracking Yagi would be preferred, but many people have had good success before using simpler antennas like a V-Dipole. Software like Orbitron, GPredict, various Android apps or NASA's Spot the Station website can be used to determine where the ISS is and predict when it will be over your location.

Over on the ARISS SSTV blog, they write:

The next big event will be the ARISS SSTV event that starts Thursday, April 11 about 18:00 UTC and will be operational until about 18:00 UTC on Sunday, April 14. Since this event will run continuously for 72 hours, folks in the higher latitudes should have a pretty good chance to receive all 12 of the images. Operators in the mid latitudes should be able to get most of them depending on location. Good Luck and Enjoy!

Alex also mentions that for this and other ISS events AMSAT Argentina is handing out ARISS-SSTV Diplomas to amateur radio operators who receive, record and upload at least 15 images received from the ISS, in at least two different radio operations with a month or more in between them.

If you cannot set up a receiver, it is possible to use R4UAB's WebSDR which will be available directly at websdr.r4uab.ru. However, note that internet reception is not valid for the AMSAT Diploma. An example of WebSDR SSTV reception and decoding from a smaller ISS SSTV event held a few days ago is shown below.

ISS SSTV R4UAB WEBSDR 12.04.2016 14:00 UTC

SignalsEverywhere: Setting Up Priority and Groups in DSDPlus Fastlane

In his last video, Corrosive from the SignalsEverywhere YouTube channel showed us a quick guide on setting up a Phase 1 P25 digital voice decoder with two RTL-SDR dongles and the DSDPlus Fastlane decoder.

Now in his latest video Corrosive continues with the DSDPlus tutorial and this time explains how to set up priority and groups. On a trunked radio system there may be many different agencies using the same system simultaneously. Without priorities and groups, you would be listening to all communications in the system, and following a conversation within a particular agency would be difficult. Setting up priorities and groups allows you to filter out the conversations that you are not interested in, allowing you to focus on listening in to a particular agency only.

RTL SDR Digital Radio Scanning Priority and Groups With DSDPlus Fastlane Setup Tutorial

GNU Radio Conference 2019: Registration Open + Call For Papers

GNU Radio Conference is a yearly conference based around the GNU Radio project and the surrounding community. GNU Radio is an open source digital signal processing (DSP) toolkit which is often used to implement decoders, demodulators and various other SDR algorithms.

GRCon is the annual conference for the GNU Radio project & community, and has established itself as one of the premier industry events for Software Radio. It is a week-long conference that includes high-quality technical content and valuable networking opportunities. GRCon is a venue that highlights design, implementation, and theory that has been practically applied in a useful way. GRCon attendees come from a large variety of backgrounds, including industry, academia, government, and hobbyists.

The 2019 GNU Radio Conference will be held on September 16-20 at the Marriott at the Space & Rocket Center in Huntsville, Alabama.

Registration and a call for papers and posters is currently open, see gnuradio.org/grcon/grcon19.

Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR

Over on his hackaday.io blog, Gonçalo Nespral has written about his experiences in recreating Samy Kamkar's now famous low cost rolljam attack. A rolljam attack allows an attacker to break into a car by defeating the rolling code security offered by wireless keyfobs. Back at Defcon 2015, an information security conference, Samy Kamkar presented a method for creating a $32 Rolljam device that consisted of two 433 MHz transceiver modules controlled by an Arduino.

In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.

Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.

The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key, and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. It is still plausible, however, that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.

[First seen on Hackaday]

How RollJam Works