With US$300 device, Chinese hackers claim they can take over drones or smart cars

Latest method of 'GPS spoofing' drastically lowers the cost involved and potentially puts technology in hands of any criminal

PUBLISHED : Monday, 10 August, 2015, 10:49pm
UPDATED : Tuesday, 11 August, 2015, 9:23am

Using US$300 worth of equipment, Chinese security researchers say they can take control of drones or smart cars by sending fake GPS readings, steering them to any destination they choose.

Such "GPS spoofing" has been used before but the latest method drastically lowers the cost involved and potentially puts the technology in the hands of any criminal.

Huang Lin and Yang Qing, of antivirus firm Qihoo 360, described their technique at the Def Con hacking conference in Las Vegas. Huang said her team used existing tools and open source software to create the device that could spoof GPS signals, tricking smartphones, drones or even smart cars about their location.

Cybersecurity researchers have long warned of the potential vulnerabilities of the Global Positioning System. In 2011, a US military surveillance drone flying near the Afghanistan-Iran border was captured by Iranian forces after they sent it a fake GPS signal forcing it to land. In 2013, researchers at the University of Texas sent a US$80 million yacht off-course by using spoofed GPS signals.

But the cost of building a device to communicate with satellites and receivers prevented the technology from becoming widespread. The Qihoo team said previously available tools cost upwards of US$5,000, while their method costs only a few hundred. "This is a very low-cost way [to build a GPS spoofer]," Huang said during her address to the forum. "This method increases the risk for GPS devices."

Huang and Yang could not demonstrate the hack during the talk for legal reasons, but in a talk they showed how they told a car it was in the middle of a lake.

"If you use GPS to drive a car it can change you to a different location … [or direct the victim] to go down a cliff," Huang said. "Whatever they want you to do. It is very dangerous."

She also explained how GPS spoofing could be used to get around potential restrictions on where drones could fly.

Many cities prohibit drones from certain areas, with the drone using GPS to establish whether it has entered a restricted area.

By spoofing the signal, the team was able to convince a drone made by Shenzhen-based DJI Technologies it was in Hawaii and flew it through a restricted area in Beijing.

Huang said device manufacturers should introduce new software to better detect GPS spoofing, while GPS satellites should also be able to defend against such attacks.