GPS Delay Spoofing Experiments

Operation

The main trick when performing targeted depopulation, just like in magic, is being in two places at once.

While I don't know how to to that, I can fake it!  And that's all you really need to convince the court system that you are, in fact, "non-guilty."

GPS basically works by transmitting a preciously timed psuedo-random "noise" signal from an orbiting satellite down to your GPS receiver.  Inside your receiver, a similar psuedo-random "noise" signal is also generated.  The GPS receiver tries to sync the phase of these two signals together.  Since the distance to the satellite is known, the amount of phase-shift (time) that this syncing process takes can be calculated into a distance.  When taking into account multiple satellites and multiple readings, your global longitude and latitude coordinates can be determined.

The GPS calculations are based around the speed-of-light (electromagnetic radiation) through the atmosphere and ionosphere.  If we could somehow alter that speed, we could also alter the final determined coordinates.

Now, how in the hell are we going to alter the speed-of-light, especially with only a hacker's budget?  Simple, we'll make a "RF delay line" out of some scrap coaxial cable.  Our "delay box" project will receive the weak GPS signal at one end, delay the signal to approximately 60 - 80 percent the speed-of-light over a distance of several hundred feet, then we'll amplify this delayed GPS signal, and finally transmit it to our target GPS receiver.  Since this "new" signal has been artificially "delayed" in its journey from the orbiting satellite, the GPS receiver will think that it is actually someplace where it isn't.  Your new GPS coordinates will be a few hundred feet off from where you actually are.

This overall concept does appear to work, but it's still very experimental.  And no, encrypting the signal will have no effect on the outcome, as this is a "layer one" physical attack.  The only way to really prevent this type of "spoofing" is to use a very directional GPS receiver antenna or an antenna system with very sharp nulls towards the horizon and proper polarization.  Also, since the transmitted "delayed" signal can have a higher received power level then a signal received directly from the GPS satellite (approx. -130 dBm), GPS receivers should start tracking the received power.

Block Diagrams

Construction Notes & Pictures

Homebrew coaxial delay line.

This is approximately 233-feet of surplus Belden 9269 RG-62A/U coaxial cable.  Yes, the 93 ohm impedance is wrong, but it will still work and it can be had for free as businesses get rid of their old ARCnet and IBM 3270 terminal networks.

We'll wind the coax around an AC extenstion cord thingy.

Completed coaxial delay line with BNC connectors added to each end.

Belden 9269 RG-62A/U coaxial cable has a velocity of propagation equal to 84% the speed-of-light and a nominal delay of 1.21 nanoseconds per foot.

This entire delay line assembly will "slow" the received GPS signal by approximately 282 nanoseconds.  This corresponds to a final 275-foot "error" on the GPS receiver.  This delay line's total attenuation loss will be around 26 dB.

Standard 50 ohm impedance Belden 8216 RG-174 coax has a nominal delay of 1.54 nanoseconds per foot.  RG-174's narrow diameter also makes it ideal for constructing physically small delay lines, but it will have much more attenuation loss.

Parts for the GPS receive antenna.

For this experiment, the first thing we'll construct is the GPS receive antenna.  This is the antenna which will receive the direct satellite transmissions and will be mounted on a mast away from the delay box.  This GPS antenna is a slight modification from the one in the October 2002 QST article "An Inexpensive External GPS Antenna" by Mark Kesauer (N7KKQ).

This article is available online at www.arrl.org/tis/info/pdf/0210036.pdf.  Study it very caerfully before constructing this version of the antenna.  We'll be replacing the PC board antenna elements in the original article with a piece of UT-141 semi-rigid coax.  It will also be mounted inside a 3-inch diameter PVC pipe enclosure.

The parts shown above are, from the left, 0.032-inch thick brass sheet (K&S #253) cut into a 3-inch diameter disk, a piece of 3-inch PVC pipe for use as a template, a 3/4-inch pipe floor stand, a flat 3-inch PVC cap, a panel-mount BNC connector, and some UT-141 coax.

Begin the antenna construction as shown.

On the left, is the pipe floor stand with a large hole drilled in it to fit the panel-mount BNC connector.  The PVC cap has been drilled so the pipe floor stand can be attached to the bottom to act as a mast mount.  The larger hole allows the panel-mount BNC connector and coax to feed the antenna.

On the upper-right is a length of 3-inch diameter PVC pipe which will be used for the antenna's enclosure.

A hole has been drilled in the center of the 3-inch diameter brass sheet to pass the UT-141 coax.

Solder the UT-141 coax to the brass sheet as shown.  The distance from the brass ground plane to the shield-end of the UT-141 coax is 1.78-inches.

First #14 copper wire antenna element added to the UT-141's shield.

Follow the instructions in the QST article for adding each antenna element.  The horizontal element will be 1.51-inches long and the 45° "down" element will be 1.82-inches long.  You may have to trim the horizontal elements down slighty to fit inside the 3-inch PVC pipe enclosure.

Second #14 copper wire antenna element added to the UT-141's center conductor.

The picture looks confusing, but the QST article provides much more detail.  It will also make more sense while you are actually building it.

Final GPS receive antenna construction.

Solder the UT-141 into the panel-mount BNC connector with enough "slack" to allow you to adjust the antenna's final position inside the PVC enclosure.

Use stainless steel hardware to mount the floor pipe stand to the PVC cap as shown.  Also mount the panel-mount BNC connector at this time, making sure that the locking nut is very secure.

Finished GPS receive antenna without the PVC enclosure.

Finished GPS receive antenna inside a 12-inch long piece of 3-inch diameter PVC pipe.  You may have to trim the elements down a little bit for it to fit.  This shouldn't effect the antenna's overall performance too much.

Add another PVC cap to finish off the project.

Completed GPS receive antenna overview.

The antenna can now be mounted to the top of a mast made out of standard 3/4" galvanized plumbing pipe.

Initial GPS delay spoofing testing.  Completely passive (antenna to delay line to antenna).  No active amplifier elements used.

The GPS receive antenna was mounted on a 8-foot high mast placed about 10-feet away from the testing location.  The delay line was added inbetween, and the output sent to a Ramsey Electronics LPY2 Yagi antenna placed next to the target GPS receiver.

The (censored) starting non-spoofed coordinates are:

 Latitude : XX° XX' 48" North
Longitude : XX° XX' 26" West

The circled spot on the concrete will be used to reference the GPS receiver's position so you know it hasn't been moved.

(The GPS receiver times will be off after I realized the camera angle sucked.)

The delay line is now connected and the GPS receiver was shielded from receiving a direct satellite signal.

After 30 seconds or so, the spoofed coordinates are now:

 Latitude : XX° XX' 49" North
Longitude : XX° XX' 27" West

About a minute later, the "spoofed" coordinates now read:

 Latitude : XX° XX' 51" North
Longitude : XX° XX' 27" West

Also note the high Estimated Position Error (EPE), 396-feet.  Also, for some reason, the GPS receiver thinks it is traveling 3.6 miles per hour.

Censored Terraserver overhead picture of the testing location.

The green spot in the lower-right is the "non-spoofed" starting point and the upper-left one is the final "spoofed" coordinates.

The spoofed location is approximately 311-feet northwest from the actual GPS receiver's location.  This is fairly close to our estimated "error" of 275-feet.

"So you moved some GPS coordinates a few hundred feet, what's the big deal?"

Active amplifier PC board overview.

A H.P./Agilent INA-02186 low-noise MMIC receive pre-amplifier is on the lower-left.  The INA-02186's RF input is fed through a Panasonic EFCH1575TCB1 GPS bandpass filter, which is an absolute pain to solder, so we'll make it optional.

The INA-02186's RF output is then sent to the coaxial delay line.  The other end of the delay line is amplified by another INA-02186 low-noise MMIC and a Mini-Circuit's VNA25.  The final output is then sent to the GPS transmit antenna.

For some reason, this circuit doesn't seem to work.  The test target GPS receiver could not lock onto a signal.  It's probably better to use lower-gain MMIC stages or stick with no active amplifiers and just use directional GPS antennas on each end.

Pin-out of the Panasonic EFCH1575TCB1 GPS bandpass filter.

Overview of the amplifier PC board mounted in an old California Amplifier MMDS downconverter case.

A BNC connector is mounted to the rear of the case for the RF output and a piece of tin acts as the ground plane for soldering the coax.

Schematic

Datasheets & Notes

Return to Homebrew Military & Espionage Electronics Page