by Marc Goodman
The disruption in London is but one of many such global incidents. In New Jersey, the government had installed a new GPS-enabled landing system at Newark Liberty International Airport to allow aircraft to land in poor visibility. For reasons unknown, the system was shutting down twice a day, causing air traffic controllers to scramble to guide in arriving aircraft. Though it took several months, officials discovered the disruption was caused by a single truck driver on the New Jersey Turnpike. He was using his trusted portable GPS jammer to avoid paying tolls on the highway (and crippling the screens of air traffic control at the same time). Of course, there are more profound criminal uses of GPS jammers than avoiding tolls on the New Jersey Turnpike. Stung too many times by surprise police raids, both organized crime groups and even neighborhood thugs have learned that if you’re going to steal a car, especially one with cargo valuable enough to warrant a tracking device, you better be prepared to smooth your getaway with a GPS jammer—and that’s exactly what they are doing. Police in the United States, Germany, Russia, and England have all seen stolen vehicles they were tracking suddenly disappear off their radars when criminals activated their GPS jammers, providing a protective bubble of safety for them to make their escapes. In one case in the U.K., an organized crime group successfully used GPS jammers to steal more than forty large tractor trailers containing cargo worth in excess of $10 million.
Given the level of disruption small GPS jammers generate, imagine what could be achieved with a larger model. Costing just a few thousand dollars, commercial radio-frequency jammers are widely available for sale on the Internet. Deploying one or two of these devices around a major metropolitan area could cause widespread disruption and would make a worthy target of attack for any terrorist organization trying to grab the world’s attention. The threat is serious enough that the U.S. government has issued a chilling warning on the topic: “A ‘multiple agency approach must be urgently developed and executed’ to counteract the ‘alarming’ rise in availability of GPS jammers … The threat to our national security could be ‘devastating.’ ”
Of course, there is a more sinister threat to the global navigation system than preventing the signals from reaching your screens: changing them before they get there. Not only can GPS jammers block locational signals, but GPS spoofers can alter the positional data you receive. The diabolical plot envisioned in Tomorrow Never Dies back in 1997 has become a reality, and GPS spoofing devices are also widely available online, allowing those with the means and technical power to broadcast their own fake earth-based GPS signals. Because of the weak nature of GPS signals, spoofers fool navigational devices by overpowering the legitimate signal with a stronger counterfeit one. Once this has been accomplished, criminals, hackers, terrorists, and governments can take complete control of any GPS receiver and connect it to a low-cost simulator capable of re-creating any route desired on a Google Earth map. Emitting phony signals can send an oil tanker into a bridge or an army convoy into enemy territory. Given how reflexively obedient drivers have become to their GPS devices, what havoc might a mass spoofing attack against a large city’s drivers bring?
To date, GPS spoofing attacks have occurred on numerous occasions around the world. Think of the impact on just one industry: global cargo. According to Cargo Security International, cargo theft costs business $25 billion annually, and 90 percent of global cargo crosses the world’s seas. GPS is a critical component in ensuring the right goods get to the right place at the right time. Yet spoofed navigation systems are capable of putting a major chink in the armor of this arrangement. All passenger and cargo ships at sea (approximately 400,000 vessels worldwide) rely on the Automatic Identification System (AIS) to report their positions to other vessels and to port authorities, which can view all nearby craft in real time. In 2013, however, security research proved AIS lacked even modest security controls and that the system was vulnerable to spectacular spoofing attacks. An assault on these systems could make entire oil tankers and cruise ships vanish from view, crash into one another, or run aground. Because GPS and navigation systems are “invisible utilities,” we tend to forget about them, but we do so at our own peril. While, as of this writing, the exact location of the missing Malaysia Airlines Flight MH370 still remains a mystery, one thing is clear. The navigational systems responsible for tracking the flight were wholly inadequate for the task. Location matters, and poor, missing, or inaccurate navigational information costs lives.
We saw the power of GPS spoofing in action in mid-2013 when an $80 million yacht was hijacked by spoofing GPS signals. The sixty-five-meter luxury super-yacht White Rose of Drachs was traveling just off the coast of Italy when suddenly it began to drift to the right. The vessel had been on a Mediterranean cruise from Monaco to Rhodes when hackers fired up their blue-box spoofing device. They aimed their briefcase-sized device at the ship’s navigation systems and slowly, imperceptibly, began to emit a counterfeit location signal. At first, the strength of the fictitious beacon was deliberately weak. Gradually, its resonance increased until it first matched and then overpowered the legitimate GPS signals received by the White Rose of Drachs. The hackers now had complete control over the super-yacht and could direct it anywhere they pleased. On the bridge, no alarm bells went off, and the captain continued to believe, erroneously, that he was still in command of his ship.
The hackers’ false signals were indistinguishable from the authentic, and their mission was complete. Though those on board could tell that the yacht had made a pronounced turn in direction, inside the ship’s command room all the screens responsible for its navigation showed the vessel to be traveling in a straight line. Spoofing on the high seas was now a reality. Fortunately for the passengers and crew of the White Rose of Drachs, the ship’s hijacking was carried out not by Somali pirates but by some graduate students from the University of Texas, Jahshan Bhatti and Ken Pesyna. The pair were working with Professor Todd Humphreys, who has for many years raised concerns about the deep insecurity of the Global Positioning System and our dependencies on it.
Just as criminals have mastered GPS jammers to facilitate their robberies and escape routes, so too will they undoubtedly employ spoofers to misdirect 18-wheelers to the incorrect delivery points and cargo ships to the wrong berths, where they will be met by criminal gangs dressed as employees happy to unload all goods and merchandise in their containers. A confused GPS unit equals a successful heist. If the idea seems far-fetched, recall Moore’s law and the iPhone in your pocket. Smaller, faster, cheaper means all of this technology filters down to criminals, often long before it is in common use by the general public. By controlling the navigational screens of ships at sea, cargo trucks, passenger cars, and even aircraft, hackers can project an altered reality, one that is indistinguishable from the truth, allowing them unprecedented control of a world that is run by computer code and screens of all shapes and sizes.
Our undeniable faith in screens can be manipulated in new and novel ways as well, even by falsifying the locational data we see on the apps on our smart phones. In early 2014, students at the Technion–Israel Institute of Technology in Israel hacked the incredibly popular Waze GPS navigational app (purchased by Google in 2013 for a cool $1 billion). The app, which offers crowdsourced real-time traffic management, relies on users to report accidents, police checkpoints, and road hazards as a means of improving vehicle flow. Once the app is launched on your phone, it uses the device’s GPS readings to report how slow or fast your car is going to the Waze network, providing moment-by-moment intelligence reports on the state of congestion in a city. Normally, the app works brilliantly and is a lifesaver in cities with heavy traffic (as supported by Google’s purchase price). Your Waze screen, like all others, however, is up for grabs by hackers.
The students at Technion registered droves of fake Waze users in the system, using an automated scripting program that they wrote to impersonate thousands of smart phones (a sock puppet attack of sorts). Next those virtual smart-phone users connected to another application that reported falsified GPS coordinates to the Waze system, making all the users seem as if they were legitimately moving about the city. Last, the sock puppets intentionally submitted thousands of reports “claiming to be stuck in traffic at the false coordinates.” The result: The Waze system did exactly what it was supposed to do. It rerouted thousands of legitimate users away from a fictitious traffic jam, thereby causing true gridlock in the city as the unsuspecting drivers all converged at the same time on the previously unobstructed routes. Done on a mass scale, such tactics could cause further panic and chaos in association with any other criminal or terrorist attack. Rerouting traffic is one way hackers can make their victims come to them, but some clever Chinese hackers tried a different and more delicious tactic.
When General Tso Attacks
In what investigators called a “ ‘coordinated, covert and targeted’ campaign of cyber espionage against major Western energy firms,” Chinese hackers reportedly pilfered “gigabytes of highly sensitive internal documents, including proprietary information about oil and gas field operations, project financing, and bidding documents.” The perpetrators used a variety of techniques, but on occasion enhanced security measures employed at some of the oil firms posed challenges for the Chinese. Their response was not merely to hit their targets harder but to cause what is known as a “watering hole attack.” Named after a similar maneuver used by lions on the plains of the Serengeti for millennia, the strategy allows predators to merely lurk by a watering hole known to be used by local herbivores. When zebra, antelope, and gazelle arrive, the lions pounce, killing their thirsty prey. The online equivalent entails infecting a Web site frequently visited by a hacker’s targets. Once the innocent stop by and unsuspectingly click on a link or download a file, the virtual predator has his prey. The only question is, which Web site to infect?
After monitoring the online activities of their intended target (an unnamed American oil firm), hackers uncovered a revealing pattern. Their targets loved ordering food from one particular eatery in close proximity to the energy giant’s headquarters—a Chinese restaurant famous for its delicious General Tso’s chicken. In response, hackers infected the online menu of the Chinese restaurant with malware, and when the workers viewed the fare on offer, “they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.” The fact that the Chinese government used a Chinese take-out menu to resurrect the power of one of their fiercest generals is simultaneously brilliant, hysterical, and deeply ironic. You’ll be glad to know that when Wang Baodong, a spokesman for the Chinese embassy in Washington, was asked about the incident, he said that “allegations about Chinese hacking had been raised unfairly. ‘China has very strict laws against hacking activities, and China is also a victim of such activity.’ ” I wonder what General Tso would have thought of Mr. Wang.
Screen Play: Hacking Critical Infrastructures for Fun and Mayhem
All data presented on screens are hackable, not just information on laptops, iPads, or even Chinese menus. From the Jumbotrons at the Lakers game to the bright lights and news tickers of Times Square, screens abound, and each and every one of them can be manipulated, including our television screens. In 2013, hackers were able to take control of the Montana Emergency Alert System and issue an alert on the CBS affiliate KRTV. Afternoon television programming was suddenly interrupted by the attention-grabbing three crackling beeps and long squelching tone of the nation’s Emergency Alert System, meant to warn the public of impending disasters ranging from earthquakes to hurricanes. In this case, however, the warning in Montana notified the public, “Civilian authorities in your area have advised that the bodies of the dead are rising from their graves and attacking the living.” The ominous announcer warned, “Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.” After dozens of terrified citizens placed calls to the local sheriff’s office, the station admitted that the alert was not its own: rather, the station’s feed had been hacked and somebody had wrested control of the airwaves, hitting screens away from CBS.
Even everyday common road signs are fair game for hackers. In Russia, the hacker Igor Blinnikov was able to seize control of another screen, a twenty-by-thirty-foot electronic billboard on one of the main thoroughfares of Moscow, which he commandeered at the height of rush-hour traffic. From his home seven hundred miles away, Blinnikov compromised the server of the advertising agency that owned the massive sign and replaced its video file ads for vodka and high fashion with those of hard-core pornography. In response, “traffic jerked to a standstill as rubbernecking motorists ogled a sexual pornographic clip posted by hackers on big-screen video billboards” on the Garden Ring Road, which just happened to be next door to the Ministry of the Interior. Needless to say, authorities were not amused, and Blinnikov was given a six-year sentence.
Public signage screens are increasingly being taken over to display political messages as well, even racist ones. At the height of the 2012 tensions over the Trayvon Martin shooting in Florida, tempers flared across the nation. It was with that case as a backdrop that somebody chose to hack into the operating system of a digital road sign on Interstate 94 in Dearborn, Michigan, and change its message to read, “Trayvon is a Nigger.” The sign stood for all passersby to see on the busy freeway for over an hour until workers were able to power down and reboot the device. Such incendiary messages could easily push an already tense situation over the edge. By manipulating what we see on the screens, televisions, and billboards all around us, hackers can cause bemusement, panic, or outrage.
Hacked road signs, emergency broadcasts, and GPS signals are of concern because they form part of our critical information infrastructures: “those core elements of a modern society whose destruction or incapacity would have a debilitating impact on national security, the economy, public health or community safety.” The Department of Homeland Security counts among these sectors the energy, food, agriculture, health-care, oil, gas, water, transportation, emergency services, defense, financial services, and transportation industries. Yet the one thing all of these crucial service sectors have in common is their near-total reliance on computer technology and screens as core elements of their safe and secure operation. As we saw at the Iranian nuclear enrichment facility in Natanz, however, such systems can readily be compromised. This fact holds significance for nearly all citizens in both the developed and the developing world.
Though the threats against each and every critical infrastructure sector are far too numerous to list here, just a few examples from the transportation industry alone prove instructive. Screens manage vehicular traffic, railroads, naval shipping, and air traffic control, and at nearly every step of the way the system can be compromised. Consider air transportation: If there is a single false entry in a terrorism watch database about a passenger, a plane can be rerouted mid-flight for an emergency landing or receive an escort by two F-16 jet fighters. Even the security process to get onto a plane is heavily dependent on screens. Transportation security officials don’t pat down every passenger or open every bag. Rather, they let technology do the heavy lifting for them: X-ray machines for carry-on luggage and a variety of metal detectors, millimeter-wave scanners, and backscatter radiation detectors for passengers. Inherent in these security procedures, however, is a layer of technology that intermediates and separates human security officials from the things and people they are investigating, an opportunity for hackers to ply their trade with potentially deadly consequences.
Though airport scanners look like highly complex and specialized machines, their core processing functions are connected to and carried out by ordinary PCs running software on top of a typical Windows installation, and like all Windows machines they are eminently hackable. Even in 2014, many of these devices, such as the commonly used Rapiscan 522B, use Windows variants such as Windows 98 or even Windows XP, operating systems for which thousands of security vulnerabilities have been documented and Microsoft itself has stopped issuing updates. In addition, the banks of scanners at airports are often networked to one another via either Ethernet cables or Wi-Fi, two protocols that are also routinely hacked. Shockingly, operator passwords on many airport security detectors are “stored in plain text, and there are multiple ways to log in to the system without any prior knowledge of user actual names.” Even if a hacker were to enter a completely made-up account and password, after showing an error, the system on these machines would still log in an attacker, as the security researcher Billy Rios at Qualys discovered.
Given the number of zero days and exploits for the underlying software running these systems, were an airport X-ray machine infected with malware and had a rootkit placed on it, hackers could completely control the images security officials viewed on their screens. A Tumi bag containing a bomb or firearm can thus be made to appear on-screen as a Tumi bag with three suits and a pair of Bruno Maglis. Screens intermediate security officials from their task at hand and as such are subject to traditional man-in-the-middle attacks. In a typical airport security configuration, one official watches the bags as they go into the machine, where they are X-rayed by a second official, while yet a third individual supervises the removal of the bags as they come out of the device. With segmented responsibilities such as these, the first and third screeners could view the Tumi go in and out of the device, while the second screener was presented with a video image of a completely different bag. Because the person in the number two position rarely physically observes the object, he or she relies completely on its computer representation to determine whether or not the bag passes security screening.
By commandeering an airport video screen monitoring station, hackers could allow weapons to pass through without detection. And though TSA would rush to deny the possibility, Billy Rios and his team proved that devices such as the Rapiscan 522B already have an embedded supervisory capability that allows TSA managers to see and control dozens of the machines at airports around the country in real time, affecting what individual screeners observe on their monitors. Shockingly, using a common hacker tactic, Rios was able to get around the log-in screen at the supervisory console station and take control of banks of X-ray scanning devices.