Billions of people—and a growing number of autonomous vehicles—rely on mobile navigation services from Google, Uber, and others to provide real-time driving directions. A new proof-of-concept attack demonstrates how hackers could inconspicuously steer a targeted automobile to the wrong destination or, worse, endanger passengers by sending them down the wrong way of a one-way road.
The attack starts with a $225 piece of hardware that’s planted in or underneath the targeted vehicle that spoofs the radio signals used by civilian GPS services. It then uses algorithms to plot a fake “ghost route” that mimics the turn-by-turn navigation directions contained in the original route. Depending on the hackers’ ultimate motivations, the attack can be used to divert an emergency vehicle or a specific passenger to an unintended location or to follow an unsafe route. The attack works best in urban areas the driver doesn’t know well and assumes hackers have a general idea of the vehicle’s intended destination.
“Our study demonstrated the initial feasibility of manipulating the road navigation system through targeted GPS spoofing,” the researchers, from Virginia Tech, China’s University of Electronic Sciences and Technology, and Microsoft Research, wrote in an 18-page paper. “The threat becomes more realistic as car makers are adding autopilot features so that human drivers can be less involved (or completely disengaged).”