Comments on: Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai

Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai

gen — Sun, 17 Nov 2019 19:15:11 -0800

Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai: A sophisticated new electronic warfare system is being used at the world's busiest port. But is it sand thieves or the Chinese state behind it?

By: Windopaene

Windopaene — Sun, 17 Nov 2019 19:30:47 -0800

The world we live in...

By: the antecedent of that pronoun

the antecedent of that pronoun — Sun, 17 Nov 2019 19:43:30 -0800

Can someone tell me why GPS spoofing is such a technical feat? Open source software can generate GPS signals to follow any desired trajectory. Superficially, it feels like "all" you need to do is do it in real-time and hook it to appropriate transmitters. You probably need some precise, distributed clocks too, but that's only a matter of money... I guess what I'm thinking is, I doubt how instantaneous a strava heat map is; if your *spoofed trajectory* were a circle, and you looked at the heat map made by everyone swirling in it *integrated over time* you would see the same thing. (what is this, at least the second time that data from strava has been important to intelligence efforts?)

By: Mitheral

Mitheral — Sun, 17 Nov 2019 21:11:14 -0800

Their has got to be more to it than the article is reporting or it's the Chinese government who is causing this and they are intentionally letting the spoofing happen. In order to spoof GPS signals you have to operate a transmitter or several transmitters. Sophisticated range finding and triangulation are going to be able to find the antenna/transmitter(s) pretty much instantly. EG: I used to participate in Bunny Hunts with CBs and bunnies would rarely evade capture for more than an hour. And our range finding equipment was the directional bias imposed on the omnidirectional antennas by the irregular ground plane of our vehicles and the tiny SWR meters built into radios. Plus we generally didn't run teams so triangulation required physically moving our receivers enough to get a triangle. Can't imagine government level elint squads equipped with multiple much more sensitive and directional equipment would have any trouble tracking this down.

By: Pinback

Pinback — Sun, 17 Nov 2019 22:25:34 -0800

The article's terrible - there's nothing there (or in any of the others I've seen) to indicate that GPS is being 'spoofed' rather than jammed. Conversely, the description of what happened with the AIS is that it was spoofed. Which is not all that hard to do; AIS is simply a beacon that broadcasts its position every few seconds when moving (and every few minutes when stationary). Set up a fake beacon spoofing different ship's unique IDs and sending fake location data, and everyone within range - including the ships you're spoofing - will see that fake data. Or, if you want a dramatic hook for the story, "ghost ships"… And it's all done in the clear (though certain short messages - the AIS equivalent of SMS - may optionally be encrypted, the ID & location isn't). I occasionally listen in and follow ships off the coast and in the local port with nothing more than a homebrew VHF receiver and AIS decoder software.

By: pompomtom

pompomtom — Sun, 17 Nov 2019 22:41:57 -0800

I know that if I were a government messing with GPS signals I'd do it in my own busiest port.

By: philip-random

philip-random — Sun, 17 Nov 2019 22:51:15 -0800

whatever the **** is going down, Sand Thieves is a great band name.

By: j_curiouser

j_curiouser — Sun, 17 Nov 2019 23:13:43 -0800

Read closely, the rub is that it's different for every ship. And bike. The 'different' part means there isn't just a GPS transmitter blasting. The bike-inference is that the issue is unrelated to AIS because, well, the bikes don't have AIS. That's how I read it, fwiw.

By: Joe in Australia

Joe in Australia — Sun, 17 Nov 2019 23:57:51 -0800

If I were going to spoof my AIS signal I imagine I'd also spoof everybody else's, so my change would get lost in the confusion. If that's the explanation then I bet the circles are an error due to sloppy programming.

By: clew

clew — Mon, 18 Nov 2019 00:01:59 -0800

They remembered to randomize \theta but not r? Plausible, strange.

By: Joe in Australia

Joe in Australia — Mon, 18 Nov 2019 02:27:47 -0800

Or the radius was meant to be a constant plus a random number, and they thought "rand(n)" meant "a random number from 0...n". There are lots of ways to get things wrong, and it seems that the rings are only noticeable when you plot lots of observations. Any individual trial would look fine.

By: Glomar response

Glomar response — Mon, 18 Nov 2019 04:06:04 -0800

Oh good, we're crowdsourcing the debugging of infrastructure hackers!

By: atrazine

atrazine — Mon, 18 Nov 2019 04:11:57 -0800

Can someone tell me why GPS spoofing is such a technical feat? Open source software can generate GPS signals to follow any desired trajectory. Superficially, it feels like "all" you need to do is do it in real-time and hook it to appropriate transmitters. You probably need some precise, distributed clocks too, but that's only a matter of money... Spoofing all GPS over an area to think it's at the same location is easy, as you say. Spoofing it to many different locations is much harder and people aren't quite sure they're doing this.

By: ryanrs

ryanrs — Mon, 18 Nov 2019 11:25:22 -0800

If I wanted to do this with off the shelf parts and crap lying around my office, this is what I'd do: I'd listen for AIS packets from my target ship, decoding them live. Probably need to write your own code to do this, because you want to extract the data in realtime. Specifically, I'd want to extract the Ship ID (near the beginning of the packet) before the packet is finished transmitting. When I detect a target Ship ID, then I immediately key up my transmitter/jammer to stomp on the tail end of the packet, the part that contains the CRC which is used for error detection. If I do it right, other stations listening will discard the original packet, since the mangled CRC will look like a reception error. Then I'd transmit my own spoofed AIS packets on another timeslot, pretending to be the target ship. This will let me spoof the positions of any number of ships, with a different spoofed location for each one, should I desire it. Note that this scheme does not require any kind of GPS spoofing or jamming. Potential problems This should be really easy to detect by AIS surveillance if you're looking for it. But it may not necessarily be automatically detected since the surveillance receiver will probably discard the stomped packets as errors. The target ship's navigation computer might realize that someone else (me, the bad guy) is transmitting AIS packets using their Ship ID and pop up an alarm or warning. But also maybe not. This scheme also does not explain the GPS outage on the Manukai. So maybe I'm doing some brute force GPS jamming too, why not? Other avenues for messing with GPS Sophisticated GPS spoofing can do stuff like spoof individual satellites, or turn "off" certain satellites (by spoofing "this satellite is broken, please ignore" packets). Some of these packets can be injected using DGPS or WAAS spoofing. I could definitely imagine some of these techniques causing the circles. Re: foxhunts. Spoofed GPS signals can be well below the noise floor, so you'd need dedicated equipment for location finding. Specifically, you'd need to at least decode the PRN sequence. I'm pretty sure such instruments already exist, though.

By: gryftir

gryftir — Mon, 18 Nov 2019 12:13:44 -0800

civilian GPS isn't digitally signed (I believe the military version is signed and encrypted). It has a 24 bit CRC for error detection but that could be spoofed. A digital signature would be the obvious solution to this but between satellites and a worldwide system currently in use, I wouldn't hold my breath for an update happening any time soon. That said, they are trying to reconstruct this, as best I can tell, from AIS recordings and GPS records that drop the actual packet info/bad packets, don't measure signal strength, etc. I bet it would be much easier to figure out if they set up receivers to record raw data in shanghai during one of these incidents. Professor Humphries is also the guy that spoofed (with permission) the GPS on a superyacht so the fact that he's confused when he's one of the world's experts on GPS spoofing is concerning.

By: j_curiouser

j_curiouser — Mon, 18 Nov 2019 14:38:57 -0800

Which is cool and interesting. Still doesn't explain the bikes, unless you're intercepting their coordinate re-transmission too. (in whatever protocol, probably over cell). I'm too ignorant to counter-argue, it just seems like the bike takes ais out of the equation (shrugs).

By: ryanrs

ryanrs — Mon, 18 Nov 2019 14:48:22 -0800

Oh yeah, the bikes. That does rule out AIS fuckery. And if those mobile phones are doing AGPS with the cell towers, that could make it even more difficult.

By: flug

flug — Mon, 18 Nov 2019 21:58:43 -0800

Two things about the Shanghai-area GPS shenanigans: #1. Here is the exact spot with the funny circle and other interesting phenomena on Strava Heatmap. If you don't have a Strava account you can see a little, though it will all be pretty fuzzy. If you have a Strava account you can zoome in see quite a bit of interesting detail. #2. A more detailed view of the Strava Heatmap area (imgur) and annotated. In those views, you can see the "crop circles" in greater detail, but also something even more puzzling: One major route through the area (but ONLY one!) is a "ghost road": It is duplicated, but the duplicate is lighter and is moved southeast by about 1/3 mile (2000 meters). Look for the black arrows on the annotated version. The "ghost road" could be some kind of artifact of China's messing with map/GPS coordinates. The map vs the satellite image for this area is displaced by almost the same amount/direction (click here & switch between map & satellite views). That still doesn't explain why the displacement happens only to ONE route, however. In conclusion, GPS in China is a land of contrasts . . .

By: away for regrooving

away for regrooving — Tue, 19 Nov 2019 23:53:03 -0800

The map/satellite displacement is classic for China putting its map data into GCJ-02 coordinates, which are warped relative to WGS-84 (and relative to orthonormalized overhead imagery). The warping function has been reverse-engineered so you could factor that piece of confusion out of the stew. If you flip between Google Maps map/aerial -- which is a way of seeing the local warp vector -- it closely matches the "ghost road" shift vector. But I got nuthin' on why that one road would show "ghosting".