Any communication system relies on the ability of the recipient to be able to identify the sender. Knowing the sender’s identity means sending a reply and seeing if you can trust them. Unfortunately, many communication systems don’t actually include a way to verify that the claimed sender is actually the actual sender. In this situation, it can be possible for an attacker to create certain fake information and potentially affect the recipient’s actions. The process of creating these fake messages is known as spoofing.
Contents
Spoofing in Classical Systems
While generally used to refer to modern digital communications, most pre-computer communication systems are also vulnerable to spoofing. For example, the postal system requires a delivery address. Letters are typically signed and may come with a return address. There’s no standard mechanism to verify that the return address is the sender’s address.
As such, an attacker could try to manipulate two people by sending one a letter purportedly from the other. This could be used to manipulate friendships or familial relationships to achieve financial gain by affecting inheritance. Or other situations either beneficial to the attacker or potentially purely detrimental to the victim.
An attacker could also send a letter allegedly from some official agency or company, demanding a specific action from the recipient, such as a payment to a specified bank account. An unsuspecting recipient may not think to check the letter’s legitimacy and thus fall victim to fraud.
Note: Insider threats such as double agents and malicious employees apply a similar threat. As insider threats are technically a trusted party knowingly providing wrong information, the situation is slightly different from spoofing, where an untrusted party fakes a message.
Spoofing in Digital Systems
Many digital systems have a similar issue. In many cases, countermeasures are in place. But in some situations, these countermeasures aren’t always efficient or are not possible. ARP is an excellent example of a protocol with which it is difficult to prevent spoofing attacks. ARP is a protocol computers use on a local network to broadcast the MAC address associated with an IP address.
Unfortunately, nothing stops a malicious device from using ARP to claim that it has another IP address. This attack typically involves spoofing the IP address, so that network traffic that would go to the router instead goes to the attacker, allowing broad visibility into network traffic.
An email has a similar issue. Many spam and phishing emails spoof the sender’s address. This works because the sender address is part of the data within the packet. A hacker can simply edit the data so that their email from their random domain looks like it’s coming from a legitimate website. Most mail programs allow you to see the actual domain name of the sender, which is an excellent way to identify phishing emails.
Telephone systems feature a caller ID system that advertises the calling number and the caller’s name on the recipient’s device. Unfortunately, VoIP (Voice over IP) systems can be manipulated by the caller to present spoofed names and numbers.
GPS
GPS systems work by triangulating the user’s position from the signals of at least three GPS satellites. This system relies on very well-known technology. An attacker with a sufficiently strong transmitter, and ideally more than one, can broadcast another GPS signal that, due to its strength, is preferred over the weaker legitimate signals.
This can be used to misdirect vehicles that rely on GPS. The attack isn’t beneficial against ground vehicles as they have numerous other directional resources, such as the physical road and road signs. However, it can be more effective against aircraft and ships, which may not have any usable landmarks until the GPS spoofing has caused a significant effect.
Such an attack was the suspected cause behind the Iranian capture of a US UAV. A team of engineering students also demonstrated the viability of this attack against a luxury yacht. However, they were on board and had permission.
The Russian government and military have also used GPS spoofing, causing various disruptions, including an alleged ship collision. The attack vector also provides a risk to autonomous vehicles. However, onboard sensors such as LIDAR should be able to at least identify that discrepancy, as GPS is not the primary guidance system.
Voice and Video
Since the invention of text-to-speech algorithms, voice spoofing has been a possibility. Thanks to the complexity of automatically generating a passable human voice and the fact that doing so is generally unnecessary, there wasn’t much of a risk in this environment. However, this balance has changed with the proliferation of machine learning algorithms. It is now possible to take a sample of speech from a real person and generate arbitrary words and sentences that sound like the original person said them after training the neural network.
The process also works for still images and even video. The class of spoofing is known as “deep fakes.” It has been used to attribute legitimate-looking fake quotes to geopolitical leaders to damage their reputations. The technology is also broadly used in harassment campaigns, primarily against women.
The quality of the spoofed deep fake is primarily based on the training sample size and the time the algorithm runs for. Relatively high-quality results can be obtained with commercially available hardware and minimal time and effort. More advanced spoofed content with few flaws could be relatively quickly made by a determined and well-resourced attacker.
Conclusion
Spoofing is the process of faking some or all of a message by an untrusted party to make the message appear legitimate. Motivations can vary, with financial gain, political humiliation of a rival, and harassment being typical. The exact method varies depending on the protocol and platform used.
Methods can vary from sending a fake message from a real person to a close replica of a real message. Spoofing can be hard to design against, as any attacker-controlled system can simply ignore any protections.
