How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One.
Go to file
2020-05-29 18:24:23 +02:00
README.md added some possible improvements and test results 2020-05-29 18:24:23 +02:00

gps_spoofing

How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One. This guide is written for Arch linux. But should be relatively consistent with other platforms.

installing

you could build gps-sdr-sim from scratch, but I choose to use the binary provided by the 'blackarch' distro's repository.

Prerequisits

 $ curl -O https://blackarch.org/strap.sh  
 $ chmod +x strap.sh
 $ sudo ./strap.sh (installing the keyring step takes a few minutes)
 $ sudo pacman -Syyu (update pacman sources etc. although stap.sh already seems to take care of this)
 $ sudo pacman -S blackarch-radio (just install all the radio stuff (1Gb))
 $ sudo modprobe hackrf (load the hackrf kernel module/driver)
 $ hackrf_info  (see if you can see your hack rf one)

Download the latest brdc file from here: ftp://cddis.gsfc.nasa.gov/gnss/data/daily (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)

Extract the compressed file in a place you will remember

Generate simulated motion file

Generate binary file to be transmitted by hackrf:

 $ gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100  

The default option generates a 300sec (5 min) 'motion' file. This can be increased by using using the '-d' option. The last part is the location of your choosing (lat, long, altitude). This will run for 300 seconds and generate a 'gpssim.bin' file. NOTE the lat/long/alt should not contain any spaces, only commas.

Spoof location

To transmit your spoofed gps position using the hackrf use the follwing command:

 $ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0 

The motion file only simulates for a given period (-d), luckily hackrf_transfer can repeat the transmission with the '-R' switch! (see: https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf)

Enjoy!

Test results

Vulnurable devices tested (no need to switch of wifi, gsm etc, works out of the box):

  • iPhone 6, running iOS 12.4.4
  • Samsung s10e, running Anroid 10

Improvements

Combine with fake wifi access points from desired location geo-ap database such as WiGLE (https://api.wigle.net/) or here https://www.mylnikov.org/archives/1170