GNSS GPS

GNSS/GPS Misconfiguration

Overview of the Vulnerability

Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position.

Business Impact

This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle.

Steps to Reproduce

  1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}}

  2. Connect to {{target}} by using {{application}} with {{hardware}}

  3. Inject the following payload using {{hardware}}:

{{payload}}

  1. Observe that the GNSS/GPS signal has been spoofed

Proof of Concept (PoC)

The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.

Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:

  • Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.

  • Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.

  • Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

PreviousInjection Vehicle Anti Theft SystemsNextSpoofing

Last updated