Last month, the United States Naval Forces Central Command kicked off the International Mine Countermeasure Exercise (IMCMEX) to support the security of maritime chokepoints in the Suez Canal, Bab al-Mandeb, and Strait of Hormuz. IMCMEX, involving navies from 30 different countries, is one of the world’s largest maritime exercises. According to Vice Admiral Kevin Donegan, commander of U.S. Naval Forces Central Command, the exercise stresses “the need to protect the free flow of commerce from a range of maritime threats including piracy, terrorism, and mines.” However, while cyber attacks have not been addressed within the current IMCMEX, recent events have indicated that GPS spoofing may be a very real threat within the Persian Gulf, and effectively anywhere. It is possible that future naval exercises may include drills to prepare for cyber attacks on naval forces and maritime shipping through Iran or its proxies.
Since 1984, the Islamic Republic of Iran has creatively used its naval forces to control the Strait of Hormuz owing to its importance as a strategic global chokepoint. The United States was initially drawn into the Persian Gulf after Iran blocked exports of Iraqi oil through the Shatt al-Arab during the Iran-Iraq War. The United States was also thrust into the Persian Gulf to uphold the Freedom of Navigation (FON), a principle of customary international law, for Kuwaiti tankers.
Both Iran and Iraq employed anti-ship cruise missiles as part of an anti-access/area denial (A2/AD) strategy. Since the conflict during the Iran-Iraq War, known as the Tanker War, the United States has deterred anti-ship mines, missile fires, swarm attacks, and general harassment from Iran. During impasses with the West, the Iranian oil minister and other government officials threatened to close the Strait to disrupt oil markets. Though the method of closure was not specified in the threat, GPS spoofing and cyber attacks could be an effective and covert method of controlling merchant shipping in the Persian Gulf.
Iran’s cyber capabilities continue to develop as merchant ships are becoming vectors for cyber attacks. In 2016, the Baltic and International Maritime Council (BIMCO) released their “Guidelines on Cyber Security Onboard Ships,” industry best practices to mitigate risks from the increased networking and automation onboard merchant ships. GPS was listed as a potentially vulnerable system onboard ships; however, the extent of the threat was not addressed. Due to the simplicity of the attack, GPS spoofing remains the most likely attack method.
GPS spoofing, an attack that attempts to manipulate a GPS receiver by broadcasting counterfeit signals, could be used by Iran as part of an overarching strategy of cyber dominance to leverage control of the Gulf and oil markets abroad. It has been speculated that Iran is covertly controlling the movement of ships within their waters through a subtle manipulation of ships’ positioning systems, like GPS, as part of a broader A2/AD strategy. North Korea, a close military partner of Iran, has reportedly used GPS jamming to disrupt air and naval traffic within the demilitarized zone. GPS spoofing is the most likely vector for future Iranian cyber attacks; it is not inconceivable that Iran is using similar tactics to control ship movements within the Persian Gulf.
Iran has claimed to have used “spoofed” signals to cause GPS receivers to estimate that an object is in a position determined by the attacker. This “carry-off” attack broadcasts signals that are synchronized with the legitimate signals detected by the targeted receiver. The counterfeit signal is gradually increased to overpower the signal strength of the actual GPS transmitter. By way of example, Iranian engineers claimed to have captured an RQ-170 surveillance drone in 2011 through a “carry-off” GPS spoofing attack.
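A defensive illustration of the carry-off pattern described above, added here and not part of the original article: a bridge-side check that raises an alert only when received signal strength has ramped up and the GPS fix has also departed from the position dead-reckoned from the ship's speed log and gyrocompass. The field names, thresholds and sample traces are constructed assumptions, not values from any real receiver.

```python
import math

def dead_reckon(start, samples, dt=60.0):
    """Integrate speed-log and gyro heading into (east, north) positions in metres."""
    x, y = start
    track = [(x, y)]
    for s in samples[1:]:
        h = math.radians(s["heading_deg"])   # heading measured clockwise from north
        x += s["speed_mps"] * dt * math.sin(h)
        y += s["speed_mps"] * dt * math.cos(h)
        track.append((x, y))
    return track

def detect_carry_off(samples, baseline_n=3, cn0_rise_db=3.0, drift_m=200.0):
    """Index of the first sample where mean C/N0 has risen by cn0_rise_db over the
    baseline AND the GPS fix is drift_m or more from dead reckoning; None otherwise."""
    baseline = sum(s["cn0"] for s in samples[:baseline_n]) / baseline_n
    dr = dead_reckon(samples[0]["gps"], samples)
    for i, (s, (dx, dy)) in enumerate(zip(samples, dr)):
        rise = s["cn0"] - baseline
        drift = math.hypot(s["gps"][0] - dx, s["gps"][1] - dy)
        if rise >= cn0_rise_db and drift >= drift_m:
            return i
    return None

def make_trace(spoof_from=None, n=10):
    """Constructed trace: 5 m/s due east, one sample per minute (assumed values)."""
    out = []
    for i in range(n):
        k = 0 if spoof_from is None else max(0, i - spoof_from)
        out.append({
            "cn0": 44.0 + 1.0 * k,          # mean C/N0 in dB-Hz; ramps 1 dB per sample
            "gps": (300.0 * i, 80.0 * k),   # reported fix pulled north 80 m per sample
            "speed_mps": 5.0,
            "heading_deg": 90.0,
        })
    return out

if __name__ == "__main__":
    print("clean trace alert index:  ", detect_carry_off(make_trace()))
    print("spoofed trace alert index:", detect_carry_off(make_trace(spoof_from=3)))
```

Requiring both conditions keeps a benign change in signal strength, or ordinary set and drift from current, from raising an alert on its own; the thresholds would need tuning against the vessel's own receiver and navigation sensors.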
Researchers attributed similar attack methods to the Iranian capture of two United States riverine patrol boats in January 2016. The vessels unknowingly sailed into Iranian waters and were accused of violating Iran’s territorial integrity. According to international law, the ships were exercising their right of innocent passage. Iran, a signatory of the United Nations Law of the Sea Convention, has acknowledged innocent passage as a custom of international law, with the added provision, however, of requiring prior authorization for warships exercising the right of innocent passage through the territorial sea. Several sources cited human error as the cause of the ships’ transit into territorial waters, while others claim that GPS spoofing could have been used to gain leverage during Joint Comprehensive Plan of Action (JCPOA) negotiations.
Iran has already demonstrated its burgeoning cyber capabilities through state-sponsored attacks against the West. In March 2016, the U.S. Justice Department issued a criminal indictment against seven Iranian hackers. The Iranian nationals were charged with a 2013 computer intrusion at a small New York dam and cyber attacks against dozens of banks that lasted from 2011 to 2013. Iran has shown its capacity for cyber attacks, and the sophistication and scale of its attacks have most likely increased since 2013.
If tensions persist between Iran and the West, it is possible that merchant shipping will present an appealing target for future Iranian attacks that include GPS spoofing. The Strait of Hormuz will continue to serve as a chokepoint of economic importance for global oil markets and the West. Attacks on shipping will be a way for Iran to exercise power and control over the Strait while also showing resistance to Western-imposed sanctions.
The escalatory nature of Iran’s cyber attacks suggests that they will continue to use GPS spoofing on merchant shipping as a future attack vector. Increased automation and networking onboard merchant ships will continue to make maritime trade vulnerable to attacks, and cyber is the likely next vector.
Ian W. Gray is currently a graduate student at Columbia University and a former surface warfare officer in the U.S. Navy.