Chinese Unicorn Team Hacks GPS at DefCon

An elite team of Chinese hackers detail how they are able to spoof GPS coordinates to have GPS devices appear to be somewhere they are not and to have drones bypass no-fly zone restrictions.


GPS is widely used around the world today to help people get where they want to go, as well as to help enforce no-fly zone restrictions for drones. The problem, however, is that it can also be hacked. In a session at the DefCon security conference in Las Vegas Aug. 7, Lin Huang and Qing Yang, researchers with Qihoo 360's elite Unicorn Team, revealed how they were able to successfully spoof GPS information.

"Our primary mission is to guarantee that Qihoo 360 [a Chinese Internet security company with more than 450 million users] is not vulnerable to any wireless attack," Yang said about the Unicorn Team. "In other words, Qihoo360 protects its users and we protect Qihoo360."

For civilian usage, GPS c/a (course/acquisition) signals are used, which are typically unencrypted, Huang said. By making use of a Universal Software Defined Radio Platform (USRP), Huang said that a replay attack is possible. In a replay attack, a GPS signal is first recorded and then played back from another device to confirm that the same signal could be used.

Going a step further, Huang said she wanted to see if it was possible to actually create a fake GPS signal, instead of just replaying a signal. It turns out that's also possible, as she showed a video where the location of a GPS device that was actually in Beijing was shown to be Las Vegas.

As further proof of her team's ability to spoof GPS signals, Huang showed a video demonstrating how a GPS-controlled drone could also be manipulated. Huang explained that drone vendors, most notably DJI, have programmed no-fly zones to prevent drones from flying over sensitive areas. The no-fly zones are controlled and defined by GPS, which, Huang showed, can be spoofed. The video she showed was shot in one such no-fly zone in Beijing, but the Qihoo 360 team was able to spoof the GPS into thinking it was in Las Vegas, where no such no-fly zone exists.

In another example of drone GPS spoofing, Huang showed how a drone operating in an allowed zone could be tricked with a spoofed GPS message that it was in fact in a no-fly zone. In that video, the drone that got the spoofed GPS location literally dropped out of the sky as it hit the spoofed no-fly zone.

Attacking GPS is relatively low cost and can be performed with open-source software and Software Defined Radio hardware, according to Huang.

"We think this is a big risk," she said.

While there are risks, Huang also has some recommendation for how to minimize GPS spoofing. One recommendation is at the application layer and having applications use multimode positioning techniques that get coordinates from multiple systems. Additionally, Huang proposed that civilian GPS chipsets be upgraded to get algorithms to detect signal spoofing.

"GPS is still a great system," Huang said. "It keeps getting updated, so we believe the security issues will be solved in the future."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.