Redirecting you to
Podcast Apr 16, 2019

Root Causes 12: PKI in the News

It was a busy news week for PKI and authenticated identity, and our hosts run through four current stories to clarify them. Tune in to learn the latest about the Dragonblood WPA3 vulnerability, Russian spoofing of GPS/GNSS navigation signals, Know Your Customer (KYC) for social media sites, and a Chinese national's apparent attempt to install a USB rootkit somewhere in Mar-a-Lago.

  • Original Broadcast Date: April 16, 2019

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Let’s talk about systems not working correctly. GSNN spoofing is showing up in the news of late. I read a Business Insider article that put this on my radar. Turns out there’s been other writings on it as well. It appears that the Russian government is systematically defeating GPS systems, it looks like in the proximity of Vladimir Putin. The Kremlin, his summer dacha and wherever he travels to, it seems that they are actually screwing up GPS systems in the local area presumably in order to impede any kind of threat to Putin that would be dependent on a GPS system. I'm guessing that authentic identity is necessary for the GPS system to run correctly. Do you think that’s right, Jay?

  • Jason Soroko

    The thing is if you, you know the typical off-the-shelf GPS or even in your smartphone, you’re dependent on being able to listen in on signals coming in from the GPS satellites that are out there. A lot of people don’t realize but there are GPS satellites from all over the world, U.S. and even Russian satellites. Most of them cooperate in terms of how these signals are listened.

    The way GPS works is it depends on very, very accurate clocked signals reaching you, and the timing of the signals reaching you is how essentially you are triangulated. What’s interesting here, Tim, is the ability to mess with those signals and that’s what they are, they’re essentially electromagnetic signals going out across the air.

  • Tim Callan

    Yeah, they’re just radiation.

  • Jason Soroko

    Exactly. But they’re just, they’re coming from specific satellites in specific geographic locations themselves through time. The scary part about this is the ability to spoof or the ability to do anything with this. You might think it would require a nation-state level system to be able to hack that when in reality it’s just some very clever people who are sending out spoofed signals that there is no way to know whether or not a GPS signal that you’re receiving is coming from an actual satellite or not. The ability to spoof that signal turns out to be not that difficult.

  • Tim Callan

    The applications for GPS are vast and myriad. So my receiver, it’s kind of like an old-style pager, right? It just sits there and passively receives its signals and then it interprets them itself. It’s a one-way communication from the satellite if I'm correct.

  • Jason Soroko

    Yep.

  • Tim Callan

    And you’re saying ultimately these satellites are self-identified. They’re just saying, “Hi I'm this satellite,” and there’s no equivalent of a shared secret or a certificate or anything like that.

  • Jason Soroko

    Correct. It’s based on trust. Now whether or not the U.S. Military has their own side channel that is identified that way, I'm not privy to that information. But for you and me, just the average person, for any signal, our receivers are essentially trusting it.

  • Tim Callan

    And not just the average person. Commercial transport, like commercial shipping, uses this. Right? Because the origin of this story is that ships were basically being told that they were miles inland when they weren’t, clearly, and that led to people asking why is this happening?

    Bottom line question on this: If these things are so eminently spoofable and if critical systems including the things that drive our economy depend on them, is this an unacceptably fragile system? And does the global community need to be findnig a way to somehow nail down authentic identity for these sources?

  • Jason Soroko

    That’s a huge question. The answer to that if you ask the U.S. Military is we never ever promised you accuracy. They were always very open about this because in a time of conflict, believe me, GPS will go silent.

    Or something worse, which is what you’re seeing now, which is spoofing signals. The average person probably doesn’t know it. Unless you’re a real geek or a major shipping company you probably are aware about this, and therefore maybe you’re already using some other commercial means of navigation.

    So there are other ways to do this. I don’t know of a private GPS system that’s out there currently, but in terms of shipping lanes and things like this there are other means of triangulation. For the big guys who really need to have very, very trustworthy navigation signals, they’re probably already using some other commercial means.

  • Tim Callan

    So GPS: Think of this as a more casual trust model even though it’s being used by very big businesses for very big commercial applications. The rationale there is probably that the stakes in the grand scheme are relatively low. Nobody is going to allow a ship to be out autopiloted onto the rocks because somebody is always double checking that, and if my Google Maps thinks I'm in the wrong place no one’s going to die. That’s how it’s going to be for the time being, I guess.