Shostack + Friends Blog

 

Security Advisory SA-26-01 GPS Attacks

GPS attacks trigger revisiting threat models

[Figure: Graph showing number of reports of GPS spoofing every year since 1998, with a significant steep increase in the last 3 years.]

Shostack + Associates has issued our first security advisory on the threat modeling impact of GPS attacks. You should read it. I’ll simply quote two bits from the closing and FAQ:

Shostack + Associates is frequently asked “how often should I review or update my threat models?” Our answer is:

  • When the threat landscape changes. This is rare.
  • When your technology changes substantially, such as adding new components, new technology stacks, or new boundaries.
  • At least annually, depending on your rate of technical change.

Why are you issuing this advisory now?

Shostack + Associates has been noting reports of GPS issues for several years, including them in our Appsec Roundups back to May, 2024 and August, 2024. The attacks are sustained and geographically diverse. We are concerned that:

  • Militaries may have gone from considering GPS attacks disproportionately impacting on civilians to seeing them as an accepted and normal part of conflict.
  • The tools for GPS attacks are falling in price while increasing in quality, which enables broader adoption by non-nation state attackers.
  • The geographic spread covers many regions, including major shipping areas such as the Strait of Hormuz and the South China Sea, as well as areas of military conflict.

Be sure to read the full advisory for more data, details, and recommendations.