Category: Information hiding

The Quiet Numbers Station: Decoding Nineteen Years of GPS Cryptography

The Global Positioning System (GPS) relies on its primary L1 frequency to broadcast precise timing and orbital data, allowing receivers on Earth to calculate their exact location. Because the L1 C/A signal transmits at just fifty bits per second, every bit of this navigation data must earn its place. Yet, within this highly constrained signal, the standard sets aside Subframe 4, Page 17 – a 176-bit field broadcast every 12.5 minutes – for “special messages with the specific contents at the discretion of the Operating Command”. While the official specification suggests it carries readable text, the reality is entirely different. For nearly twenty years, this channel has acted as a global numbers station, broadcasting military ciphertext on a public signal to billions of receivers in plain sight.

Analysing a Nineteen-Year Archive

To understand what these broadcasts actually contain, we analysed an archive of 12.16 million observations collected between 2007 and early 2026. To make processing this massive dataset practical, we built a Julia pipeline to extract the bits directly into a DuckDB database. This setup allowed us to run queries across nineteen years of global ground-station data in milliseconds.

Our first question was basic: is this field carrying text in an unusual format, or is it true ciphertext?. We calculated the marginal entropy of the payloads using a compression model trained on our data. The results matched a synthetic baseline of random noise almost perfectly. By every statistical measure, the GPS messages are indistinguishable from random data, but we found a few clear, structural exceptions.

The blue histogram indicates the marginal coding cost of each of the 3,994 unique 22-byte payloads under an order-8 PPM-D model trained on the corpus (μ≈131.5 bits per message≈6.0 bits per byte, σ≈7.6). The red curve indicates the same model scored against a synthetic baseline of 3,994 messages drawn uniformly from the 45-symbol GPS alphabet (μ≈132.0 bits, σ≈3.8). The two distributions overlap almost perfectly—the GPS messages are indistinguishable from random under the model.

First, we found intentional placeholders. Satellites frequently broadcast 22 bytes of 0xAA (the CP437 negation glyph ‘¬’). In binary, 0xAA is 10101010 – a standard test pattern used in hardware to check connections and frame alignment. A satellite sending this pattern is effectively stating that no operational payload is loaded.

Continue reading The Quiet Numbers Station: Decoding Nineteen Years of GPS Cryptography

Exploring an Attack on Image Scaling Algorithms

In their 2019 publication ‘Seeing is Not Believing: Camouflage Attacks on Image Scaling Algorithms’, Xiao et al. demonstrated a fascinating and frightening exploit on a few commonly used and popular scaling algorithms. Through what Quiring et al. referred to as adversarial preprocessing, they created an attack image that closely resembles one image (decoy) but portrays a completely different image (payload) when scaled down. In their example (below), an image of sheep could scale down and suddenly show a wolf.

Two images are shown, the left shows the original attack image, which depicts a group of sheep. The right shows the scaled down attack image, which shows a grey wolf.
On the left, a group of sheep can be seen in a slightly stretched out photo (the decoy). When scaled down to the correct dimensions (right), the image shows a grey wolf (payload). This is an example of an attack image.

These attack images can be used in a number of scenarios, particularly in data poisoning of deep learning datasets and covert dissemination of information. Deep learning models require large datasets for training. A series of carefully crafted and planted attack images placed into public datasets can poison these models, for example, reducing the accuracy of object classification. Essentially all models are trained with images scaled down to a fixed size (e.g. 229 × 229) to reduce the computational load, so these attack images are highly likely to work if their dimensions are correctly configured. As these attack images hide their malicious payload in plain sight, they also evade detection. Xiao et al. described how an attack image could be crafted for a specific device (e.g. an iPhone XS) so that the iPhone XS browser renders the malicious image instead of the decoy image. This technique could be used to propagate payload, such as illegal advertisements, discreetly.

The natural stealthiness of this attack is a dangerous factor, but on top of that, it is also relatively easy to replicate. Xiao et al. published their own source code in a GitHub repository, with which anyone can run and create their own attack images. Additionally, the maths behind the method is also well described in the paper, allowing my group to replicate the attack for coursework assigned to us for UCL’s Computer Security II module, without referencing the paper authors’ source code. Our implementation of the attack is available at our GitHub repository. This coursework required us to select an attack detailed in a conference paper and replicate it. While working on the coursework, we discovered a relatively simple way to stop these attack images from working and even allow the original content to be viewed. This is shown in the series of images below.

Continue reading Exploring an Attack on Image Scaling Algorithms