No matter where you go, there they are. (fwd)

Fri Apr 12 13:55:16 PDT 1996

Forwarded message:

> GPS works by measuring the differing distances to a number of satellites.

Actualy, it measures doppler shift as well.

> It might be possible to seperately record the signals from several
> different satellites, delay them each just the right amount of time, and
> then recombine them to simulate being at another nearby location (within
> several hundred miles). However, this might not be possible. Examine the
> following quote from Denning's paper:

Seems to me that standard satellite tracking software would work just fine
for this once the correct orbital parameters were included. To get the
necessary orbital parameters look on sci.space.news and they are announced
regularly.

> :The location signature is virtually impossible to forge at the
> :required accuracy.

If you can measure the accuracy you can spoof it. It is only a question of
cost at that point.

> :orbit perturbations, which are unknowable in real-time, and intentional
> :signal instabilities  (dithering) imposed by the U.S. Department of Defense
> :selective availability (SA) security policy.

Which are going to be turned off. I have to draw exception to the
'dithering' in regard to the lsb's of the data. They are actualy encrypted.
It is not random which is what 'signal instability' implies. Were it random
then a 'flying capacitor' type filter or a digital filter could get the bits
out. I have two years of experience using such 'flying capacitor' type
filters in LORAN-C equipment I calibrated and repaired for Austron. The
signal on LORAN is a damped sinusoid, very precisely damped. The timing
sequence of sites are drawn on maps as well as published in book and
electronic form. You set the filter for the same repeat rate as the signal
you wish to detect. As the signal is fed over and over into the bank of
capacitors the random noise cancels out and you are left with a remarkably
clean signal. You then feed this to a 2055 microstepper (nS/S) and compare
it to a time reference standard (1210 Time reference standard, my
specialty). When the signals cancel you can get a very accurate reading and
change that to lat/long quite easily. I would regularly sync the 1210's to
USNO and the NIST to measure the oven heated crystal oscillators drift in
frequency over time. By applying a voltage to the circuit you can compensate
for this drift using a 2055 microstepper (a time delay unit). At that time we
were making both the 2000 and 5000 series receivers. The 68000 based machine
was due out when I left for a job at UT Austin. The neatest part of the job
was flying cesium beams around the world and measuring their drift to
accurately measure the rotation rate of the Earth.

You can defeat even the encryption if you take a long enough time to
interpolate. The reason it isn't done is that by the time you get the fix the
target you were going to shoot your missile at is gone. If it is so large (a
city) or slow (grunts) that it won't move significantly in that time you
don't need that accuracy in the first place. I base this on a years worth of
technical support I did for CompuAdd for Desert Shield/Storm. I handled
several problems related to MLRS and Naval systems related to target
selection and tracking & GPS in regards our computers.

> It's possible that the orbit perturbations may be enough to screw up an
> attempt to forge a signal

Which would be enough to scramble the signal as well. As a matter of fact
this might create another means of attack. Namely that the orbit varies is a
given. That the orbit can be predicted to quite good accuracy in less than
real-time is a given. By comparing these to the actual orbit it might be
possible to creat a situation where a fake signal was more accurate than the
real signal making the receiver filter the real signal as noise. The one
drawback here is that it would require considerable power to effectively
impliment the masking.

; the variations in signal timings won't provide
> enough information to an attacker to be able to accurately replicate what
> the signal would look like at another location.

The doppler shift directly corresponds to altitude. If you have the normal
orbital parameters it is a relatively simple matter to use a computer to
predict where it will be in the near future (5 minutes). NASA and United
States Space Command (USSC) regularly track over 8,000 items in orbit. Some
as small as bolts. Tracking accuracy is a well understood problem.

> It remains to be seen
> whether it is reliably possible for the secure host, at its location, to
> distinguish between an accurate signature and an inaccurate but plausible
> forged signature.

Anybody got a GPS receiver in Austin? I believe I can arrange the necessary
equipment and support to attempt it. I know several EE's as well as
somebody with commercial radio service equipment I am shure some of the
other local cpunks might want to help as well. I propose that what be
attempted is making a GPS receiver believe it is 100 miles from where it
actually is.

I will forward a copy of this to the Experimental Science Instrumentation
mailing list (tesla at ssz.com) to see if anyone on there might be interested.

                                                   Jim Choate

                                                   CyberTects
                                                   ravage at ssz.com

                                                   Tivoli - IBM
                                                   jchoate at tivoli.com