GPS security a concern for university expert

July 26, 2012 // By Rick Merritt
After testifying before Congress about security vulnerabilities in civil GPS systems last week, Todd Humphreys is convinced the industry needs a new approach to plugging holes in what he calls “the most popular unauthenticated protocol in the world.”

“There’s a way to add backward-compatible authentication like digital watermarks to GPS signals, and last week I had my best shot at convincing lawmakers to fix the problem at the signal source,” said Humphreys, who directs the Radionavigation Laboratory at the University of Texas at Austin.

“I don’t think I will even pursue that anymore because I got a strong sense it is a non-starter,” Humphreys said. “No one wants to touch the signals broadcast from the satellites even though all we are asking is to define a new message,” he added.

Only 15 of the 62 possible GPS messages are currently defined. Humphreys and other GPS security experts recommend defining two messages that could automatically authenticate GPS signals.

Even if the U.S. government had the will to make the technical changes, it could take more than five years to implement, Humphreys said. That’s too late given a Congressional mandate opening up the use of civilian drones in the U.S. in 2015.

Humphreys went to Washington DC hoping lawmakers would embrace the cryptographic solution developed in his lab. “We spent two years writing that paper and wanted to hand it to lawmakers as a template free of charge to implement--it will work fairly well,” he said.

The problem is that hackers can readily spoof civil GPS signals. Humphreys’ lab has shown how hackers can use faked GPS signals to take over operation of a drone aircraft, a power grid or a cellular network.

“I don’t want to be an alarmist, but to me it defies reason that we would continue to develop around unauthenticated civilian GPS protocols,” he said. “It seems to be a fairly significant vulnerability like leaving the back door to your house open—the odds are nothing will happen, but you won’t feel good about it,” he said.

With the door to authenticated civilian GPS effectively closed, Humphreys and other researchers are turning their attention to a grassroots campaign.