Sunday, August 12, 2007

The jamming signal increases its hum

We don't just moan about today's government surveillance projects and fiddle with other people's webcams here. No. Sometimes we can offer you better things, like the solution to a huge mass-surveillance IT disaster that hasn't even happened yet.

Spyblog reports that even before Alistair Darling's deranged scheme to track every motor vehicle by GPS has made it off the green paper, it has already been hacked. How did they manage that? Well, a GPS receiver is essentially a radio that picks up timestamped signals from several satellites at once. It has no clock of its own worth trusting, so rather than comparing each satellite's time with local time it takes the ranges implied by the arrival times and solves for four unknowns together: its position in three dimensions and its own clock error. That is why a fix needs at least four satellites in view. Providing you're somewhere underneath the satellites' orbit (medium Earth orbit, about 20,000 km up, not geostationary; damn, I love that subclause!), this gives you your position in three dimensions.

Obviously, as the civilian signal is neither encrypted nor authenticated, the way to fool an unwanted GPS receiver is to drown the real signal with one more to your liking. As your transmitter is a few metres away and the satellites some 20,000 km away, this is trivial: the genuine signal reaches the ground at around -130 dBm, below the receiver's own thermal noise floor, so a few milliwatts radiated from the next seat beats it by tens of decibels. Because of this, the amount of transmitter power required is tiny, and therefore damned hard to direction-find on from any distance. Detailed instructions are available here. Those, however, only go so far as to jam the device with noise and stop it working. (For that, an afternoon with a GPS receiver and a range of commercially available TV antenna boosters might suffice.)

But there are smarter things you could do, like feed it with fake data. During the Second World War, the RAF's radio countermeasures organisation, No. 80 Wing, did this to German aircraft using non-directional radio beacons to navigate over the UK. NDBs are simple; they broadcast a carrier wave with occasional morse idents in all directions, and you direction-find on them either to home in, or else to plot a fix with two or three of them on your chart. The hack was elegant: the beacon signal was received at a station on the coast and relayed by landline to a distant transmitter (often a borrowed BBC station), where it was rebroadcast on the same frequency with the tx power turned up to 11. The result was that the aircraft's direction finder pointed at the repeater rather than the real beacon, and a fix plotted from two or three such bearings put the aircraft miles from where it actually was. The process was known as Meaconing. In a refined version, because once the German aircrew were thoroughly haxx0red they would transmit on their radios and ask their controller to take a bearing on their own transmission, 80 Wing would Meacon the transmission from the plane as well.

Similarly, you could produce a GPS signal set that corresponds to the centre of your driveway, or No. 10 Downing Street. I'm indebted for this suggestion to none other than Charlie Stross, in a sadly-lost comment to this post. Specifications are here (pdf); the most complicated element of such a scheme would appear to be keeping the spoof consistent as satellites rise and set: every fake range has to agree with one position and one clock offset, and the set has to change smoothly as satellites come and go, or a receiver that looks at its residuals will notice something is off. Very interestingly (insert evil laughter here), the navigation message carries each satellite's health status, and receivers ignore satellites flagged unhealthy; a spoofer who cannot replicate one satellite cleanly can therefore simply tell the receiver to drop it.
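To make Charlie's suggestion concrete, here is an added worked example of the bookkeeping such a spoof needs. It is not code from the original post, from Spyblog or from the linked specification: the satellite coordinates, the true and target positions, the clock offset and the health flags are all constructed values in an Earth-centred frame, not real ephemerides. `spoof_set` builds a set of pseudoranges that all agree on one position and one clock offset, and marks a satellite it cannot replicate as unhealthy; `fix` is a plain receiver-style Gauss-Newton solve for position and clock bias, and reports the post-fit residual, which is the cheapest consistency check a receiver can run.

```python
"""Consistent GPS spoof set plus a receiver-style least-squares fix.

Added example, not code from the original post.  All satellite positions,
the true/target positions, the clock offset and the health flags are
constructed values in an Earth-centred frame, not real ephemerides.
"""
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed satellite positions (metres), at roughly GPS orbital radius.
SATS = {
    "G01": (15_600_000.0, 7_540_000.0, 20_140_000.0),
    "G02": (18_760_000.0, 2_750_000.0, 18_610_000.0),
    "G03": (17_610_000.0, 14_630_000.0, 13_480_000.0),
    "G04": (19_170_000.0, 610_000.0, 18_390_000.0),
    "G05": (14_000_000.0, -9_000_000.0, 20_700_000.0),
}
TRUE_POS = (-20_000.0, 5_000.0, 6_370_900.0)   # where the car really is (constructed)
TARGET = (-41_772.7, -16_789.2, 6_370_059.6)   # where we want the fix to land (constructed)


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def spoof_set(sats, target, clock_bias_s, true_pos, unhealthy=()):
    """Per-satellite pseudorange and health flag the spoofer transmits.

    Every spoofed range is |sat - target| plus the same c * clock_bias term,
    so the whole set agrees with one position and one clock offset.  A
    satellite the spoofer cannot replicate is flagged unhealthy instead and
    its genuine range (to true_pos, true clock error taken as zero here)
    reaches the receiver untouched.
    """
    msgs = {}
    for sv, pos in sats.items():
        if sv in unhealthy:
            msgs[sv] = {"range": dist(pos, true_pos), "healthy": False}
        else:
            msgs[sv] = {"range": dist(pos, target) + C * clock_bias_s, "healthy": True}
    return msgs


def solve(a, b):
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def fix(sats, msgs, honour_health=True, iters=30):
    """Receiver-style fix: Gauss-Newton on position and clock bias.

    Returns (position_m, clock_bias_s, residual_rms_m).  A well-formed spoof
    gives a residual RMS of ~0; a mix of spoofed and genuine signals does not.
    """
    used = [sv for sv, msg in msgs.items() if msg["healthy"] or not honour_health]
    if len(used) < 4:
        raise ValueError("need at least four usable satellites")
    x = [0.0, 0.0, 0.0, 0.0]  # x, y, z (m) and c * clock bias (m); cold start at Earth's centre
    for _ in range(iters):
        H, r = [], []
        for sv in used:
            s = sats[sv]
            d = dist(s, x[:3])
            H.append([(x[i] - s[i]) / d for i in range(3)] + [1.0])  # d(range)/d(x, y, z, cb)
            r.append(msgs[sv]["range"] - (d + x[3]))                 # measured minus predicted
        k = len(used)
        HtH = [[sum(H[j][p] * H[j][q] for j in range(k)) for q in range(4)] for p in range(4)]
        Htr = [sum(H[j][p] * r[j] for j in range(k)) for p in range(4)]
        dx = solve(HtH, Htr)  # normal equations (H^T H) dx = H^T r
        x = [xi + di for xi, di in zip(x, dx)]
        if max(abs(step) for step in dx) < 1e-4:
            break
    rms = math.sqrt(sum((msgs[sv]["range"] - (dist(sats[sv], x[:3]) + x[3])) ** 2
                        for sv in used) / len(used))
    return (x[0], x[1], x[2]), x[3] / C, rms


if __name__ == "__main__":
    msgs = spoof_set(SATS, TARGET, 1e-4, TRUE_POS, unhealthy=("G05",))
    print("honouring health flags:", fix(SATS, msgs))
    print("ignoring health flags: ", fix(SATS, msgs, honour_health=False))
```

Run as-is, the first fix lands on TARGET with the 100 microsecond clock offset and a residual of essentially zero, because the four healthy ranges were generated from one position and one clock term. Ignoring the health flag and admitting the genuine G05 range gives a residual of kilometres, which is exactly the inconsistency a receiver that bothers to check (or the MOT tester comparing it with the milometer) would catch; hence the value of the health bit to the spoofer.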


Tom said...

Department of coincidence - this week I've been rereading (for the umpteenth time) R. V. Jones' Most Secret War, and it occurred to me that the British reaction to some mindless authoritarian trying to control you by wireless should be to find something elegant to bugger it up. It's nice to see the traditions that won WW2 being maintained.

Unknown said...

This would work all well and good until you drove past a camera connected to automatic numberplate recognition...

Anonymous said...

Any inconsistency between the GPS readings and your milometer would be picked up at the MOT and charged at penalty rates. Probably.

