Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai
November 17, 2019 7:15 PM Subscribe
Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai: A sophisticated new electronic warfare system is being used at the world’s busiest port. But is it sand thieves or the Chinese state behind it?
Can someone tell me why GPS spoofing is such a technical feat? Open source software can generate GPS signals to follow any desired trajectory. Superficially, it feels like "all" you need to do is do it in real-time and hook it to appropriate transmitters. You probably need some precise, distributed clocks too, but that's only a matter of money...
I guess what I'm thinking is, I doubt how instantaneous a strava heat map is; if your *spoofed trajectory* were a circle, and you looked at the heat map made by everyone swirling in it *integrated over time* you would see the same thing.
(what is this, at least the second time that data from strava has been important to intelligence efforts?)
posted by the antecedent of that pronoun at 7:43 PM on November 17, 2019 [1 favorite]
I guess what I'm thinking is, I doubt how instantaneous a strava heat map is; if your *spoofed trajectory* were a circle, and you looked at the heat map made by everyone swirling in it *integrated over time* you would see the same thing.
(what is this, at least the second time that data from strava has been important to intelligence efforts?)
posted by the antecedent of that pronoun at 7:43 PM on November 17, 2019 [1 favorite]
Their has got to be more to it than the article is reporting or it's the Chinese government who is causing this and they are intentionally letting the spoofing happen.
In order to spoof GPS signals you have to operate a transmitter or several transmitters. Sophisticated range finding and triangulation are going to be able to find the antenna/transmitter(s) pretty much instantly. EG: I used to participate in Bunny Hunts with CBs and bunnies would rarely evade capture for more than an hour. And our range finding equipment was the directional bias imposed on the omnidirectional antennas by the irregular ground plane of our vehicles and the tiny SWR meters built into radios. Plus we generally didn't run teams so triangulation required physically moving our receivers enough to get a triangle. Can't imagine government level elint squads equipped with multiple much more sensitive and directional equipment would have any trouble tracking this down.
posted by Mitheral at 9:11 PM on November 17, 2019 [5 favorites]
In order to spoof GPS signals you have to operate a transmitter or several transmitters. Sophisticated range finding and triangulation are going to be able to find the antenna/transmitter(s) pretty much instantly. EG: I used to participate in Bunny Hunts with CBs and bunnies would rarely evade capture for more than an hour. And our range finding equipment was the directional bias imposed on the omnidirectional antennas by the irregular ground plane of our vehicles and the tiny SWR meters built into radios. Plus we generally didn't run teams so triangulation required physically moving our receivers enough to get a triangle. Can't imagine government level elint squads equipped with multiple much more sensitive and directional equipment would have any trouble tracking this down.
posted by Mitheral at 9:11 PM on November 17, 2019 [5 favorites]
The article's terrible - there's nothing there (or in any of the others I've seen) to indicate that GPS is being 'spoofed' rather than jammed.
Conversely, the description of what happened with the AIS is that it was spoofed. Which is not all that hard to do; AIS is simply a beacon that broadcasts its position every few seconds when moving (and every few minutes when stationary). Set up a fake beacon spoofing different ship's unique IDs and sending fake location data, and everyone within range - including the ships you're spoofing - will see that fake data. Or, if you want a dramatic hook for the story, "ghost ships"…
And it's all done in the clear (though certain short messages - the AIS equivalent of SMS - may optionally be encrypted, the ID & location isn't). I occasionally listen in and follow ships off the coast and in the local port with nothing more than a homebrew VHF receiver and AIS decoder software.
posted by Pinback at 10:25 PM on November 17, 2019 [6 favorites]
Conversely, the description of what happened with the AIS is that it was spoofed. Which is not all that hard to do; AIS is simply a beacon that broadcasts its position every few seconds when moving (and every few minutes when stationary). Set up a fake beacon spoofing different ship's unique IDs and sending fake location data, and everyone within range - including the ships you're spoofing - will see that fake data. Or, if you want a dramatic hook for the story, "ghost ships"…
And it's all done in the clear (though certain short messages - the AIS equivalent of SMS - may optionally be encrypted, the ID & location isn't). I occasionally listen in and follow ships off the coast and in the local port with nothing more than a homebrew VHF receiver and AIS decoder software.
posted by Pinback at 10:25 PM on November 17, 2019 [6 favorites]
I know that if I were a government messing with GPS signals I'd do it in my own busiest port.
posted by pompomtom at 10:41 PM on November 17, 2019
posted by pompomtom at 10:41 PM on November 17, 2019
whatever the **** is going down, Sand Thieves is a great band name.
posted by philip-random at 10:51 PM on November 17, 2019 [3 favorites]
posted by philip-random at 10:51 PM on November 17, 2019 [3 favorites]
Read closely, the rub is that it's different for every ship. And bike.
The 'different' part means there isn't just a GPS transmitter blasting.
The bike-inference is that the issue is unrelated to AIS because, well, the bikes don't have AIS.
That's how I read it, fwiw.
posted by j_curiouser at 11:13 PM on November 17, 2019 [2 favorites]
The 'different' part means there isn't just a GPS transmitter blasting.
The bike-inference is that the issue is unrelated to AIS because, well, the bikes don't have AIS.
That's how I read it, fwiw.
posted by j_curiouser at 11:13 PM on November 17, 2019 [2 favorites]
If I were going to spoof my AIS signal I imagine I'd also spoof everybody else's, so my change would get lost in the confusion. If that's the explanation then I bet the circles are an error due to sloppy programming.
posted by Joe in Australia at 11:57 PM on November 17, 2019 [1 favorite]
posted by Joe in Australia at 11:57 PM on November 17, 2019 [1 favorite]
They remembered to randomize \theta but not r? Plausible, strange.
posted by clew at 12:01 AM on November 18, 2019
posted by clew at 12:01 AM on November 18, 2019
Or the radius was meant to be a constant plus a random number, and they thought "rand(n)" meant "a random number from 0...n". There are lots of ways to get things wrong, and it seems that the rings are only noticeable when you plot lots of observations. Any individual trial would look fine.
posted by Joe in Australia at 2:27 AM on November 18, 2019
posted by Joe in Australia at 2:27 AM on November 18, 2019
Oh good, we're crowdsourcing the debugging of infrastructure hackers!
posted by Glomar response at 4:06 AM on November 18, 2019 [3 favorites]
posted by Glomar response at 4:06 AM on November 18, 2019 [3 favorites]
Can someone tell me why GPS spoofing is such a technical feat? Open source software can generate GPS signals to follow any desired trajectory. Superficially, it feels like "all" you need to do is do it in real-time and hook it to appropriate transmitters. You probably need some precise, distributed clocks too, but that's only a matter of money...
Spoofing all GPS over an area to think it's at the same location is easy, as you say. Spoofing it to many different locations is much harder and people aren't quite sure they're doing this.
posted by atrazine at 4:11 AM on November 18, 2019
Spoofing all GPS over an area to think it's at the same location is easy, as you say. Spoofing it to many different locations is much harder and people aren't quite sure they're doing this.
posted by atrazine at 4:11 AM on November 18, 2019
If I wanted to do this with off the shelf parts and crap lying around my office, this is what I'd do:
I'd listen for AIS packets from my target ship, decoding them live. Probably need to write your own code to do this, because you want to extract the data in realtime. Specifically, I'd want to extract the Ship ID (near the beginning of the packet) before the packet is finished transmitting.
When I detect a target Ship ID, then I immediately key up my transmitter/jammer to stomp on the tail end of the packet, the part that contains the CRC which is used for error detection. If I do it right, other stations listening will discard the original packet, since the mangled CRC will look like a reception error.
Then I'd transmit my own spoofed AIS packets on another timeslot, pretending to be the target ship.
This will let me spoof the positions of any number of ships, with a different spoofed location for each one, should I desire it. Note that this scheme does not require any kind of GPS spoofing or jamming.
Potential problems
This should be really easy to detect by AIS surveillance if you're looking for it. But it may not necessarily be automatically detected since the surveillance receiver will probably discard the stomped packets as errors.
The target ship's navigation computer might realize that someone else (me, the bad guy) is transmitting AIS packets using their Ship ID and pop up an alarm or warning. But also maybe not.
This scheme also does not explain the GPS outage on the Manukai. So maybe I'm doing some brute force GPS jamming too, why not?
Other avenues for messing with GPS
Sophisticated GPS spoofing can do stuff like spoof individual satellites, or turn "off" certain satellites (by spoofing "this satellite is broken, please ignore" packets). Some of these packets can be injected using DGPS or WAAS spoofing. I could definitely imagine some of these techniques causing the circles.
Re: foxhunts. Spoofed GPS signals can be well below the noise floor, so you'd need dedicated equipment for location finding. Specifically, you'd need to at least decode the PRN sequence. I'm pretty sure such instruments already exist, though.
posted by ryanrs at 11:25 AM on November 18, 2019 [5 favorites]
I'd listen for AIS packets from my target ship, decoding them live. Probably need to write your own code to do this, because you want to extract the data in realtime. Specifically, I'd want to extract the Ship ID (near the beginning of the packet) before the packet is finished transmitting.
When I detect a target Ship ID, then I immediately key up my transmitter/jammer to stomp on the tail end of the packet, the part that contains the CRC which is used for error detection. If I do it right, other stations listening will discard the original packet, since the mangled CRC will look like a reception error.
Then I'd transmit my own spoofed AIS packets on another timeslot, pretending to be the target ship.
This will let me spoof the positions of any number of ships, with a different spoofed location for each one, should I desire it. Note that this scheme does not require any kind of GPS spoofing or jamming.
Potential problems
This should be really easy to detect by AIS surveillance if you're looking for it. But it may not necessarily be automatically detected since the surveillance receiver will probably discard the stomped packets as errors.
The target ship's navigation computer might realize that someone else (me, the bad guy) is transmitting AIS packets using their Ship ID and pop up an alarm or warning. But also maybe not.
This scheme also does not explain the GPS outage on the Manukai. So maybe I'm doing some brute force GPS jamming too, why not?
Other avenues for messing with GPS
Sophisticated GPS spoofing can do stuff like spoof individual satellites, or turn "off" certain satellites (by spoofing "this satellite is broken, please ignore" packets). Some of these packets can be injected using DGPS or WAAS spoofing. I could definitely imagine some of these techniques causing the circles.
Re: foxhunts. Spoofed GPS signals can be well below the noise floor, so you'd need dedicated equipment for location finding. Specifically, you'd need to at least decode the PRN sequence. I'm pretty sure such instruments already exist, though.
posted by ryanrs at 11:25 AM on November 18, 2019 [5 favorites]
civilian GPS isn't digitally signed (I believe the military version is signed and encrypted). It has a 24 bit CRC for error detection but that could be spoofed. A digital signature would be the obvious solution to this but between satellites and a worldwide system currently in use, I wouldn't hold my breath for an update happening any time soon.
That said, they are trying to reconstruct this, as best I can tell, from AIS recordings and GPS records that drop the actual packet info/bad packets, don't measure signal strength, etc. I bet it would be much easier to figure out if they set up receivers to record raw data in shanghai during one of these incidents.
Professor Humphries is also the guy that spoofed (with permission) the GPS on a superyacht so the fact that he's confused when he's one of the world's experts on GPS spoofing is concerning.
posted by gryftir at 12:13 PM on November 18, 2019 [1 favorite]
That said, they are trying to reconstruct this, as best I can tell, from AIS recordings and GPS records that drop the actual packet info/bad packets, don't measure signal strength, etc. I bet it would be much easier to figure out if they set up receivers to record raw data in shanghai during one of these incidents.
Professor Humphries is also the guy that spoofed (with permission) the GPS on a superyacht so the fact that he's confused when he's one of the world's experts on GPS spoofing is concerning.
posted by gryftir at 12:13 PM on November 18, 2019 [1 favorite]
Which is cool and interesting. Still doesn't explain the bikes, unless you're intercepting their coordinate re-transmission too. (in whatever protocol, probably over cell). I'm too ignorant to counter-argue, it just seems like the bike takes ais out of the equation (shrugs).
posted by j_curiouser at 2:38 PM on November 18, 2019
posted by j_curiouser at 2:38 PM on November 18, 2019
Oh yeah, the bikes. That does rule out AIS fuckery. And if those mobile phones are doing AGPS with the cell towers, that could make it even more difficult.
posted by ryanrs at 2:48 PM on November 18, 2019
posted by ryanrs at 2:48 PM on November 18, 2019
Two things about the Shanghai-area GPS shenanigans:
#1. Here is the exact spot with the funny circle and other interesting phenomena on Strava Heatmap. If you don't have a Strava account you can see a little, though it will all be pretty fuzzy. If you have a Strava account you can zoome in see quite a bit of interesting detail.
#2. A more detailed view of the Strava Heatmap area (imgur) and annotated.
In those views, you can see the "crop circles" in greater detail, but also something even more puzzling:
One major route through the area (but ONLY one!) is a "ghost road": It is duplicated, but the duplicate is lighter and is moved southeast by about 1/3 mile (2000 meters).
Look for the black arrows on the annotated version.
The "ghost road" could be some kind of artifact of China's messing with map/GPS coordinates. The map vs the satellite image for this area is displaced by almost the same amount/direction (click here & switch between map & satellite views).
That still doesn't explain why the displacement happens only to ONE route, however.
In conclusion, GPS in China is a land of contrasts . . .
posted by flug at 9:58 PM on November 18, 2019 [1 favorite]
#1. Here is the exact spot with the funny circle and other interesting phenomena on Strava Heatmap. If you don't have a Strava account you can see a little, though it will all be pretty fuzzy. If you have a Strava account you can zoome in see quite a bit of interesting detail.
#2. A more detailed view of the Strava Heatmap area (imgur) and annotated.
In those views, you can see the "crop circles" in greater detail, but also something even more puzzling:
One major route through the area (but ONLY one!) is a "ghost road": It is duplicated, but the duplicate is lighter and is moved southeast by about 1/3 mile (2000 meters).
Look for the black arrows on the annotated version.
The "ghost road" could be some kind of artifact of China's messing with map/GPS coordinates. The map vs the satellite image for this area is displaced by almost the same amount/direction (click here & switch between map & satellite views).
That still doesn't explain why the displacement happens only to ONE route, however.
In conclusion, GPS in China is a land of contrasts . . .
posted by flug at 9:58 PM on November 18, 2019 [1 favorite]
The map/satellite displacement is classic for China putting its map data into GCJ-02 coordinates, which are warped relative to WGS-84 (and relative to orthonormalized overhead imagery). The warping function has been reverse-engineered so you could factor that piece of confusion out of the stew.
If you flip between Google Maps map/aerial -- which is a way of seeing the local warp vector -- it closely matches the "ghost road" shift vector. But I got nuthin' on why that one road would show "ghosting".
posted by away for regrooving at 11:53 PM on November 19, 2019
If you flip between Google Maps map/aerial -- which is a way of seeing the local warp vector -- it closely matches the "ghost road" shift vector. But I got nuthin' on why that one road would show "ghosting".
posted by away for regrooving at 11:53 PM on November 19, 2019
« Older "I have to buy containers and pickling salt." | Oh no, not again Newer »
This thread has been archived and is closed to new comments
posted by Windopaene at 7:30 PM on November 17, 2019