It is now possible to plant a bullfight on the highway to block your parents from coming home too early (SatNav Code 1456), plant a bomb alert at your house (SatNav Code 1516) or misdirect a rival to a meadow, where you can then confront him and steal his girlfriend, because, as the GPS hackers say (insert heavy French accent):
"I am ze evil hacker, so now you are een my power."
Such was the message from GPS hackers Andrea Barisani—chief abuse officer of the CanSecWest security conference and chief security engineer at Inverse Path—and Inverse Path Hardware Hacker Daniele Bianco.
This skullduggery—which can also include planting boxing matches, fog, airplane crashes and a host of other alerts on a car's navigation system—is possible because there's essentially no form of data authentication in RDS-TMC (Radio Data System-Traffic Message Channel), the service now being used throughout Europe and North America to enable in-car satellite navigation.
Traffic information displayed on SatNav, the GPS technology in Barisani's Honda, is "implicitly trusted" by drivers, he said, which means that many nasty things can be attempted.
TMC uses RDS for transmission over FM broadcasts: Traffic messages are sent from a TIC (Traffic Information Center) to radio broadcast stations, which broadcast the messages to GPS-enabled car receivers.
Barisani and Bianco tested the feasibility of decoding and injecting arbitrary TMC messages into a victim (i.e., Barisani's car) using off-the-shelf software and cheap electronics. One component, for example, was a commercially available RDS-TMC encoder. The encoder costs about $40, but you can build your own, the hackers said.
A simplified description of their technique: To communicate with the encoder's chip set, the duo used an I2C bus and a custom C application. They set all the relevant parameters, such as PTY (Program Type) and PI (Program Identification) in the RDS data. An FM transmitter can be tuned to arbitrary frequencies, but it's important to have a stable transmitter for data injection, Barisani said. This setup can cover long distances, but it might be desirable to keep it short enough to reach only the victim car, he said.
The hack further involves locking the SatNav tuner and then hijacking channels through obfuscation of channel and sending of packets. When SatNav locks on to the hijacked channel, the hackers send a fake FM broadcast over an unused frequency.
Wait. You would want to do this why?
To impress chicks, as was demonstrated in a video clip of the scene described above: enemy is misdirected to meadow, waiting hacker confronts enemy, pwned enemy falls to his knees, girlfriend croons "Who are you?", evil hacker winds up locked in passionate embrace, etc.
Barisani noted that upon explanation of his research work, his father inquired as to his son's plans regarding getting a life. His initial list of possible GPS code injection includes messages informing drivers of traffic backups, bad weather, full parking lots, overcrowded service areas, accidents and roadworks.
Where it really gets interesting, Barisani said, is in the ability to close roads, bridges and tunnels with a number of events, including messages that certain routes are closed, that there's no through traffic or that there are accidents ahead.
"The Event table supports a number of security-related messages," Barisani said. "I doubt anyone ever used them so far."
The messages pose "a very interesting target for social engineering purposes," he said. "Homeland Security would freak out." That's because Code 1518 pertains to a terrorist incident, while Code 1481 pertains to an air raid danger. Other alerts pertain to air crashes, bomb alerts, delays due to parades and many more.
TMC supports lightweight encryption for commercial services, used for signal discrimination rather than authentication. Only Location Code is encrypted, but the encryption key can be "trivially" broken by sampling some data, the hackers said. Terminals that support encryption are also expected to access unencrypted data, so code injection is still possible regardless of encryption.
There are other technologies on the horizon that would stand a better chance at blocking tampering. TPEG (Transport Protocol Experts Group) is the new standard designed for replacing TMC. It supports encryption, but encryption still remains optional. GST (Global System for Telematics) is another, one that's an "impressive new architecture for delivering a number of services," Barisani said, but adoption is many years away.
Another possibility is Microsoft DirectBand, used for MSN Direct, another FM subcarrier channel for data transmission. It has more bandwidth—15 times that of RDS—and full encryption. Other than special wristwatches, it's also been used on SatNav systems for traffic information, but it's a closed standard that's not available in Europe.
It looks "very promising," Barisani said, and he'd be happy to play with it.
My advice: Paper maps still work.