Free Trial
Contact Us
Podcast

Root Causes 12: PKI in the News

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
April 16, 2019

It was a busy news week for PKI and authenticated identity, and our hosts run through four current stories to clarify them. Tune in to learn the latest about the Dragonblood WPA3 vulnerability, Russian spoofing of GPS/GNSS navigation signals, Know Your Customer (KYC) for social media sites, and a Chinese national's apparent attempt to install a USB rootkit somewhere in Mar-a-Lago.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanLet’s talk about systems not working correctly. GSNN spoofing is showing up in the news of late. I read a Business Insider article that put this on my radar. Turns out there’s been other writings on it as well. It appears that the Russian government is systematically defeating GPS systems, it looks like in the proximity of Vladimir Putin. The Kremlin, his summer dacha and wherever he travels to, it seems that they are actually screwing up GPS systems in the local area presumably in order to impede any kind of threat to Putin that would be dependent on a GPS system. I'm guessing that authentic identity is necessary for the GPS system to run correctly. Do you think that’s right, Jay?
Jason SorokoJason SorokoThe thing is if you, you know the typical off-the-shelf GPS or even in your smartphone, you’re dependent on being able to listen in on signals coming in from the GPS satellites that are out there. A lot of people don’t realize but there are GPS satellites from all over the world, U.S. and even Russian satellites. Most of them cooperate in terms of how these signals are listened.

The way GPS works is it depends on very, very accurate clocked signals reaching you, and the timing of the signals reaching you is how essentially you are triangulated. What’s interesting here, Tim, is the ability to mess with those signals and that’s what they are, they’re essentially electromagnetic signals going out across the air.
Tim CallanTim CallanYeah, they’re just radiation.
Jason SorokoJason SorokoExactly. But they’re just, they’re coming from specific satellites in specific geographic locations themselves through time. The scary part about this is the ability to spoof or the ability to do anything with this. You might think it would require a nation-state level system to be able to hack that when in reality it’s just some very clever people who are sending out spoofed signals that there is no way to know whether or not a GPS signal that you’re receiving is coming from an actual satellite or not. The ability to spoof that signal turns out to be not that difficult.
Tim CallanTim CallanThe applications for GPS are vast and myriad. So my receiver, it’s kind of like an old-style pager, right? It just sits there and passively receives its signals and then it interprets them itself. It’s a one-way communication from the satellite if I'm correct.
Jason SorokoJason SorokoYep.
Tim CallanTim CallanAnd you’re saying ultimately these satellites are self-identified. They’re just saying, “Hi I'm this satellite,” and there’s no equivalent of a shared secret or a certificate or anything like that.
Jason SorokoJason SorokoCorrect. It’s based on trust. Now whether or not the U.S. Military has their own side channel that is identified that way, I'm not privy to that information. But for you and me, just the average person, for any signal, our receivers are essentially trusting it.
Tim CallanTim CallanAnd not just the average person. Commercial transport, like commercial shipping, uses this. Right? Because the origin of this story is that ships were basically being told that they were miles inland when they weren’t, clearly, and that led to people asking why is this happening?

Bottom line question on this: If these things are so eminently spoofable and if critical systems including the things that drive our economy depend on them, is this an unacceptably fragile system? And does the global community need to be findnig a way to somehow nail down authentic identity for these sources?
Jason SorokoJason SorokoThat’s a huge question. The answer to that if you ask the U.S. Military is we never ever promised you accuracy. They were always very open about this because in a time of conflict, believe me, GPS will go silent.

Or something worse, which is what you’re seeing now, which is spoofing signals. The average person probably doesn’t know it. Unless you’re a real geek or a major shipping company you probably are aware about this, and therefore maybe you’re already using some other commercial means of navigation.

So there are other ways to do this. I don’t know of a private GPS system that’s out there currently, but in terms of shipping lanes and things like this there are other means of triangulation. For the big guys who really need to have very, very trustworthy navigation signals, they’re probably already using some other commercial means.
Tim CallanTim CallanSo GPS: Think of this as a more casual trust model even though it’s being used by very big businesses for very big commercial applications. The rationale there is probably that the stakes in the grand scheme are relatively low. Nobody is going to allow a ship to be out autopiloted onto the rocks because somebody is always double checking that, and if my Google Maps thinks I'm in the wrong place no one’s going to die. That’s how it’s going to be for the time being, I guess.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud