GPS Spoofing Attack Hacks Drones

Rambo Tribble writes "The BBC is reporting that researchers from the University of Texas at Austin managed to hack an experimental drone by spoofing GPS signals. Theoretically, this would allow the hackers to direct the drone to coordinates of their choosing. 'The spoofed drone used an unencrypted GPS signal, which is normally used by civilian planes, says Noel Sharkey, co-founder of the International Committee for Robot Arms Control. "It's easy to spoof an unencrypted drone. Anybody technically skilled could do this - it would cost them some £700 for the equipment and that's it," he told BBC News. "It's very dangerous - if a drone is being directed somewhere using its GPS, [a spoofer] can make it think it's somewhere else and make it crash into a building, or crash somewhere else, or just steal it and fill it with explosives and direct somewhere. But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

Surprised?

[Imagix]

Why is this surprising? Thought that's how the military one was captured a little while ago...

Re:Surprised?

[scubamage]

I remember people laughing that Iran couldn't possibly have done this. But I would assume that this would be exactly how they did do it.

Re:Surprised?

[MozeeToby]

Because there is absolutely no way that a military drone should be using a single navigation source as it's be all end all, especially not GPS which can be jammed trivially and spoofed with a bit more effort. If your GPS signal is hundreds of Km off from where your dead reconning (using air speed and compass), says you should be the GPS signal should be ignored entirely. This is what airliner flight management systems do, in fact it's what any idiot hiking through the forest would do. The idea that the people coding software for military grade drones can't figure it out is more concerning than the idea that someone can spoof GPS signals.

Re:Surprised?

[scubamage]

Wouldn't there be an order of precedence for multiple navigation signals? I'm not a drone engineer, so I could be wrong, but it would seem if you have multiple radios running you'd set priority for one over the others. If that one is jammed (say, find out what frequency its running on and flood that with noise) it will fail back to one of the other signals (perhaps civilian GPS), which could open a vector for exploitation? Just curious.

Re:

[aaarrrgggh]

Voting is the more common approach - 3 means of determining something, and if one disagrees with the other two it is ignored.

Re:

[f3rret]

Because there is absolutely no way that a military drone should be using a single navigation source as it's be all end all, especially not GPS which can be jammed trivially and spoofed with a bit more effort.

This might be true, what is entirely possible however, is that one guy has to take care of tens of drones at once where most of them are simply on autopilot. So if the operator isn't constantly paying attention to one of the drones (either because he is focused on another drone or because of laziness) then one drone can be brought far enough off course that you end up loosing it.

Re:

[jklovanc]

one guy has to take care of tens of drones at once where most of them are simply on autopilot.

Care to cite anything that verifies this assumption that there are multiple drones being controlled by a single pilot in service now?

I have heard of possibilities of this occurring but have never heard of it being in use today. Where this approach hass been proposed it is more of as a swarm where multiple drones communicate and coordinate with each other to perform a task. There is always someone looking after the swarm. If a few drones are spoofed it would be obvious to the controller.

Re:Surprised?

[Rei]

The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them. When the drone loses communication for a length of time it is programmed to return to base and land unless it reestablishes communications and receives alternate orders. But it uses GPS to find out where the base is.

Yeah, a "GPS position is changing too fast" check could be useful to try to thwart something like that, but it's also the sort of thing that can be overlooked, and also something that could be slowly faked (aka, from a blind plane's perspective, there's no difference between a "drifting GPS" and flying through a strong wind.). So yeah, you could get into a whole range of attacks and countermeasures, but sometimes the attackers will win, sometimes the defenders.

The people who insisted that a country like Iran could never pull it off always struck me as way overconfident, egotistical. It reminds me of when the Serbians shot down a stealth (which the US tried to blame on hardware failures) and damaged another (among many other aircraft). I read an article on the elite Serbian unit who pulled that off with basically junk hardware and with no air superiority to back them up. They had their tactics down to a tee, and the US got totally overconfident. First they baited NATO into wasting their anti-radiation missiles by jury-rigging together as many fake "radars" as they could muster from junked military equipment. Then they hacked the hardware on the actual radars they were using, boosting the frequency many times over. This made the signal get hugely attenuated by the atmosphere, dramatically decreasing the range, but was A) out of the range of frequencies generally looked for, and B) wasn't nearly as affected by the stealth capabilities of the aircraft. The range was so low that the target aircraft had to fly pretty much over them, but they started mapping out the typical sortie patterns being used and got the hang of reckoning where they'd be and moving to intercept. They also got the hang of how much time it took from when the radar got hot to when a plane could take them out if they were detected, and timed their operations so that the hardware or at least the people had to be Not There Anymore(TM) by the deadline. The troops were drilled over and over in how to set up, get a lock, fire, and then get the heck out of there in the allotted time.

It's easy to assume that because a country is poorer and can't afford fancy hardware, its people are idiots. But that's a bad assumption to make.

Re:Surprised?

[wvmarle]

It's easy to assume that because a country is poorer and can't afford fancy hardware, its people are idiots. But that's a bad assumption to make.

Necessity is the mother of all invention, right?

People that don't have much can become really creative with what they do have.

Re:

[element-o.p.]

People that don't have much can become really creative with what they do have.

For some reason, that makes me think of the Sardaukar [wikipedia.org] or the Fremen.

Re:

[Rei]

The Serbs had hardware from the 1960s and a tiny military budget. The US airforce was designed to fight a modern military. As much as you'd like to downplay it, this was *not* supposed to happen once, let alone twice (the second F-117 limped home but never flew again).

Re:Surprised?

[Anonymous Coward]

There are no reports as to what happened to the second F-117. Some like to claim it was hit by a SAM, but there is nothing credible out there in public.
Some like to claim that B-2's were shot down, too.

The Serbs had and have hardware that is effective, and tactics that are used by pretty much anyone who uses SAMs today. I'm not down-playing anything. I am telling you how it actually is. There's no weapon out there that you can consider to not be a threat when you fly into its WEZ, regardless of how old it may be. This aside, most people don't realize that 'hardware from the 60's' is constantly upgraded. The SA-3 (the SAM that took down the F-117) was well maintained and staffed by a very capable crew, both of which play a huge role in combat effectiveness; finally, the F-117's flight path was a planning/intel failure plain and simple. You can bring down any aircraft by ambushing it successfuly, and in this case, the F-117 was pretty much ambushed.

The tactics they used were standard fare - they searched for the F-117 several times post-detection, taking care to limit radiation time with each attempt to avoid taking a HARM (their search radar was immune to HARMs since it operated at a lower frequency than the HARM antenna can detect). This stuff would have happened a lot faster with a newer system, and that is simply a fuction of modern automation. But once you're targeted, you're in trouble. It doesn't matter if the SAM is old or new. An old SAM is less likely to shoot you down, but it isn't an impossible feat. The F-117 was detected in the heart of the engagement zone where the PK for an SA-3 is something around 97% against a non-maneuvering, non-jamming target ... which is what the F-117 was.

It's easy to go around dismissing the effectiveness of SEAD when you don't understand how these weapons operate; it is also easy to assign 'great inventiveness and ingenuity' to the underdog for the same reason, not to mention the fallacy of appeal to emotion for the underdog.

I'll say it again: The Serbs did nothing special. They just did their job. There was no technological tinkering, no magical stealth-defeating radars or missiles. For all their discipline and capability, all they had to show for it was a couple of shot down planes and surrendered country.

Re:Surprised?

[Anonymous Coward]

The US didn't blame anything on hardware failures. The failure rested specifically with putting the route of the F-117 right over that SAM. If you get close enough, it will see you (it detected the F-117 at about 23km, according to records). The point of stealth is to shrink surveillance radii and sneak inbetween radars. This was a planning error, not hardware nor anything else. Once close enough, an F-117 is engaged like any other aircraft. There is no magic nor anything at all special about this. No frequency boosting or other BS pseudo-science crap ever happened.

The claims about 'baiting NATO to waste their missiles on decoys' are funny - why? Because for this to happen, the SAM radars had to be shut down, thus rendering SEAD efforts successful. It doesn't matter if the missile didn't hit the SAM. What matters is that for that time, the SAM was useless. Result? Serbians dancing on the wreckage of two planes out of hundreds of sorties that demolished their infrastructure. That's right. Those 'so smart tactics' got them two planes and failed to defend their country whatsoever.

Re:Surprised?

[Rei]

The US didn't blame anything on hardware failures.

Sorry, "refused to confirm claims that it was shot down" for several days - is that better?

The claims about 'baiting NATO to waste their missiles on decoys' are funny - why? Because for this to happen, the SAM radars had to be shut down, thus rendering SEAD efforts successful. It doesn't matter if the missile didn't hit the SAM. What matters is that for that time, the SAM was useless. Result? Serbians dancing on the wreckage of two planes out of hundreds of sorties that demolished their infrastructure. That's right. Those 'so smart tactics' got them two planes and failed to defend their country whatsoever.

First off: Three planes down (one ditched into the Adriatic, two over land) and a number of hits that crippled other craft but did not lead to crashes (the other stealth that they hit reportedly never flew again), plus several cruise missiles. Dani's unit saw no casualties or loss of hardware. Of course other less trained units sufferedlosses, but that's not the point I was making (I am *not* claiming that weak powers will always outsmart/defeat strong powers, or even that it's likely - just that they shouldn't be underestimated and can sometimes pull off impressive feats). They shot down a stealth and nearly a second one using 1960s hardware and with total loss of air superiority.

Serbia had no hope of preventing the destruction of fixed infrastructure. Their military budget was something like a tenth of a percent of the military budgets of the nations they were facing. Their only option was to preserve their military capability for as long as possible while costing NATO as much money as possible and buy as much time as possible in hopes that Russia would step in to their defense. HARMs are a heck of a lot more expensive than junkyard radars, and well, F-117s? They don't grow on trees. Serbian losses were quite small at the end of the war and their military pretty much intact, despite earlier NATO claims to the contrary, and the US actually had documents showing that they clearly didn't believe their own numbers they were giving out. Despite the use of obsolete hardware, just over a dozen tanks were destroyed, under 20 artillery pieces, etc. NATO hit orders of magnitude more decoys as actual military targets. There were only 492 Serbian casualties. Of non-fixed military hardware, only the airforce was effectively destroyed, which was pretty much expected (an obsolete airforce is pretty helpless). The problem Serbia had was that NATO was prepping for ground war and Russia, as mad as they were, made it clear that they weren't going to get militarily involved.

And contrary to your claims, the fact that NATO couldn't destroy anti-aircraft batteries like Dani's made their life a lot harder. It meant they had to fly a lot higher (less precision) and limited the types of aircraft which could get involved. Furthermore, not only were the downed aircraft rallying points (the last thing you want to do is re-moralize your enemies - I'll never forget the "Sorry about your plane, we didn't know it was invisible" sign), parts from the downed stealth are believed to have been sold to China and used for their stealth aircraft program. There are serious material consequences to the US from what happened.

Re:

[Cow Jones]

When the drone loses communication for a length of time it is programmed to return to base and land unless it reestablishes communications and receives alternate orders. But it uses GPS to find out where the base is.

The drone knows where it is at all times. It knows this because it knows where it isn't. By subtracting where it is from where it isn't, or where it isn't from where it is (whichever is greater), it obtains a difference or deviation. The guidance subsystem uses deviation to generate corrective commands to drive the drone from a position where it is to a position where it isn't and arriving at a position where it wasn't, it now is. Consequently, the position where it is is now the position that it wasn't, a

Re:

[aaaaaaargh!]

You've just given the most convoluted explanation of dead reckoning I've ever read.

But isn't the problem that, since the error increases over time, the drones prefer to resort to GPS if they think it's available? What I find strange about the Iranian story, though, is that one would assume that a US drone only used encrypted GPS signals, i.e. P(Y) code according to Wikipedia. These shouldn't be spoofable. So was that perhaps a classical "fallback to an unsafe option" security problem?

Re:

[peragrin]

You are forgetting two parts of the Serbia plane.

One it was flying in an extremely confined corridor between nations (like 30-40 mes wide). If you know where something will be you have the advantage

Two the F-117 was ugly because it was built with a 1970's computer that quite literally couldnt handle curves.

Yes the serbian shot it down and he did do just about all you describe but remember while he took advantage of all battlefield conditions like a good general. Not just technology

Re:Surprised?

[element-o.p.]

I pretty much agree with everything you said above (well-written and insightful, IMHO, and I absolutely agree with your conclusion). However, one part doesn't quite make sense to me:

The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them.

Okay, I don't design, build, fly or repair military drones (or even civilian ones...yet). I am, however, a fixed-wing pilot in my off-hours. In civilian airplanes, we use multiple navigation methods too, and I would presume that many of these navigation systems are applicable to drones as well as Cessnas. For example, it's probably safe to assume that drones use GPS just like I do. Military drones probably also use TACAN [wikipedia.org], which essentially is just the military equivalent of civilian VOR/DME (navigation using fixed, ground-based radio stations). Either of those systems are susceptible to attack as you've described above. However, larger civilian airplanes, like business jets and airliners, have also used a navigation system called INS [wikipedia.org], or "Inertial Navigation System," which uses accelerometers and gyroscopes to compute the moral equivalent of dead reckoning ("it's been 23 minutes since I passed my last waypoint, so with an estimated speed of 110 knots, that means I should be reaching my next waypoint in five...four...three...two...one...turn left to heading 070 degrees and descend to 2500 feet MSL..."). INS should be pretty much immune to spoofing or jamming of radio signals, since it is completely internal. Therefore, I would expect that INS should be more than capable of providing a sanity check and fail-over against GPS or TACAN radio navigation. Even better, install multiple INS systems, and if they all agree within a sane margin of error, while your radio navigation systems are either jammed or showing that you are a hundred miles away from your computed location and/or your most recent known-good position, then assume your navigation signals are being attacked and fail-over to INS until/unless you reach a point where all navigation systems agree again.

Re:

[xtal]

..the above is why the logical next step for drones is to apply AI expert systems and let them make their own decisions. It's the only way to overcome comms jamming/spoofing if you're not going to use radar seeking missiles to take out the ECM sites.

I welcome our new drove overlords.

Re:Surprised?

[jd]

INS would be good, yes, but how to identify when a spoofed signal is just a little off what you expect, then increasingly different? Since INS has cumulative error, you can stay within the estimated error bounds and yet totally deceive the drone.

Answer: Radio direction finders. 1930s technology. If the signal is below you and at 300 yards, it's probably not a satellite above you and at 6000 miles. (Marconi, the company, developed the technique of using two RDFs offset from each other to triangulate and therefore give range as well as direction.)

Can you supplement INS using this same technique? Once GPS is marked as out-of-action, those RDFs can be used to triangulate on any radio source, after all. Not if all frequencies are jammed.

Ok, are there any other sensors that could be used? 3-way magnetic sensors (provided they're wired the right way up) could give you some information, provided there were no strong magnetic fields AND you had a magnetic map of the area. The first an enemy can arrange, the second is unlikely in unfriendly territory.

What about terrain-following radar? If you know what the terrain looks like, you can arguably use that with other dead-reckoning techniques to pinpoint your location. I'll give that a maybe, but remember that every added component subtracts from payload and subtracts from the value of using a drone vs a manned vehicle.

Re:

[Aighearach]

It reminds me of when the Serbians shot down a stealth (which the US tried to blame on hardware failures) and damaged another (among many other aircraft). I read an article on the elite Serbian unit who pulled that off with basically junk hardware

There is no mystery, "stealth" planes have a normal (non-stealthy) radar profile when wet, and the decision was made to use it like a normal plane when the weather was unfavorable. One of them got shot down. Not by junk, but by one of the best small soviet AA missiles with Serbian moderizations.

They took a risk and they lost a plane. It happens.

Re:Surprised?

[Andy Dodd]

In addition, there's absolutely no evidence to back this claim - "But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

Transitioning from "making a few fake pseudolites" to "discovering the crypto key before it changes" (I believe the keys rotate on a daily basis, so you would need to crack the key AND the key change algorithm) is a MAJOR step. I don't know what universe that person lives in if they thing breaking military-grade crypto is even remotely close to this attack in complexity. This attack is easymode compared to generating a proper P(Y) code.

The only "break" so far in the military encryption is the fact that the same keys (and in fact same signal) are used on both L1 and L2, allowing you to cross-correlate L1 and L2 to determine ionospheric delay and remove that one error source. Note that the next block of GPS satellites adds a civilian L2 signal, so this "break" is mostly irrelevant.

In addition, no evidence was provided that a RAIM-enabled receiver was successfully spoofed, only a cheap consumer-grade unit that lacked RAIM.

Re:

[jd]

In this case, and in all times in the past, sure. I'll buy that.

In the future? Not so sure. Not many key change algorithms are approved for military use, and any encryption algorithm that uses primes (eg: RSA) will become vulnerable in the foreseeable future. A war in 20-30 years time should be considered against an opponent that can break any algorithm of that type well within the 24 hours required. Since technology developed now will take a decade or so to develop and test, and needs the same in lifetime

Re:

[Belial6]

I would think that the solution to future encryption would be one time pads. One time pads don't work for things like Wifi and credit cards because there is no good out of band way to load them on the client. With a drone, there is all sorts of maintenance that is going to be done at the time of launch. So, at launch time, a sufficiently huge set of one time pads are loaded into the drone, and copied to the control center. Using this method, you could decrypt the signal using a simple XOR, yet still mai

Re:

[h4rr4r]

What in the world makes you think it would be designed well?

Simple fact of life, the less clients you have the worse the design will be. This is because everything is one off.

Re:

[jd]

In theory, the fewer clients you have, the better the design will be because you can use optimizations that won't apply in a more general case.

In practice, however, you are correct, often because when you get into those situations, those few clients are not terribly concerned with quality and there aren't any alternatives if they were.

Re:

[T-Bone-T]

Just because humans do it doesn't mean a computer can do it. Humans do some incredibly complex things without giving them a second thought.

Re:Surprised?

[Anonymous Coward]

Military drones, and other aircraft that use GPS for navigation use some form of GPS-enhanced INS, rather than just GPS. 'Hacking' a drone that only uses civillian GPS (ie. unencrypted signals) is probably no harder than 'hacking' an open WiFi - or even one with WEP. You just need the right equipment and software.

Hacking an aircraft using the encrypted military signal and GPS-enhanced INS is a different game altogether. It is very unlikely that Iran could have done this; a spurious GPS signal will be rejected and the aircraft will simply fly with un-corrected INS until such as time as the GPS signal is determined to be reliable again.

Also note that this has been successfuly demonstrated by GPS-guided bombs. Iraqis attempted to jam or spoof the GPS signals, but the onboard INS guided the bombs to target.

Re:Surprised?

[Rei]

Link [wired.com]

Quick summary: Security on the drones has a history of bad decisions, such as unencrypted video feeds and malware. Breaking GPS encryption would be almost impossible, but it's quite possible that the drones were programmed to use unencrypted GPS as a fallback if encrypted GPS was lost, so if Iran jammed only the encrypted GPS signal, the plane would rely on spoofed unencrypted GPS. The short answer: it would have been tough, and we don't know whether they really did it or not, but it's not as impossible as people are making it out to be.

Re:

[element-o.p.]

^^^This^^^

Keep in mind that this is /. There is a greater-than-average collection of people who do computer security day-in and day-out here. I'm not saying that the /. collective is necessarily brighter than those tasked with building and maintaining military drones, but, well, here's an anecdote for you: I was talking to an Army guy around Christmas who was describing what he does to get computer systems "functional" for his squad after the techies send them new desktops and/or laptops. If

Re:

[AmiMoJo]

Jam the encrypted GPS signal and spoof the unencrypted one. The spoof signal starts out accurate but slowly drifts at a rate below the threshold for the drone's error detection to kick in. As time goes by it gets further and further off course.

INS just isn't that accurate. Commercial aircraft have all sorts of aids to help them, but even then sometimes get out of position and crash. Guided bombs don't rely on just INS, they have terrain following. Terrain following doesn't work very well over flat areas lik

Re:

[f3rret]

And yet here we are. We are spouting the same rhetoric we did when the Iraqis claimed they hacked a drone.

We going to put our heads in the sand again?

Iranians.

And yes, yes we are.

Re:

[jklovanc]

Had the Iraqis been able to hack the military GPS signal it would have happened a lot more than once. The US did not stop using drones after the one went down. If Iraq could hack a drone what didn't they do it again? Answer; they didn't do it in the first place.

Re:

[Baloroth]

It isn't surprising. It would be surprising if they managed to hack a drone that used encrypted GPS, which is (hopefully) what the military drone was using (and also one reason people are skeptical about Iran's claims).

Re:

[Shoten]

Possibly, but possibly not. For one thing, the attack being shown here is far, far from news. And there are actually tons of ways [gpsworld.com] to build a GPS receiver with the native ability to detect spoofing, and those features are standard for high-risk equipment [wikipedia.org] (like classified stealth drones). But on the other hand, all of the details are classified in some way or another, so it's really hard to know for sure...but I doubt that it was all that simple as the attack shown here.

One simple way of detecting spoofing

Re:

[cavreader]

Prove it. Backup your speculation without using more speculation from yourself or others. And while you do that I will give you something else to roll around in your head. The US knew where the drone went down and could have destroyed it using an armed drone strike, manned jet strike, spec op mission, or even a cruise missile if something important was built into it. Why didn't they? It's not like Iran could have stopped them or the US would give a damn about any Iranian sensibilities. It didn't go down in

Thanks a lot

[Anonymous Coward]

Thanks a whole bunch, Treyarch, way to give the terrorists awesome ideas. Maybe next time make a game called Rainbow Factory: Gumdrop River 2 and we don't have to cower in fear everywhere we go ^ ^,

Iran already did it

[GameboyRMH]

That's how they brought down that blended-wing-body drone a while back.

Re:

[Rei]

Anyone else remember the story of the Iranian concrete [economist.com] from a while back? Read about how much it blew away the competition [wired.com] at a concrete strength contest and brought the issue to light. 50-60k PSI concrete failure strength is just insane.

"the big worry" described above

[circletimessquare]

isn't that exactly how Iran caught that US drone a few months ago?

google...

tada:

http://news.slashdot.org/story/11/12/15/2013249/us-sentinel-drone-fooled-into-landing-with-gps-spoofing [slashdot.org]

Re:

[slashmydots]

Or you could have not googled it and just read the 2nd paragraph of TFA: "The same method may have been used to bring down a US drone in Iran in 2011."

Re:

[circletimessquare]

reading TFA is not allowed according to slashdot cultural norms. who are you stranger?

Re:

[slashmydots]

But you're forgetting the revised amendment that states if 25 posts have not yet been registered, you're actually not allowed to read the summary either. You have to base your comment 100% on the title only.

Re:"the big worry" described above

[NeutronCowboy]

The problem is that no one knows for sure whether that actually happened. Yes, the Iranians claim that's what they did, but it is unlikely for two reasons: the article specifically mentions that military GPS signals are encrypted (although it wouldn't be the first time that the military decides to use unencrypted channels to send/receive live drone information), and the Iranians are... well, prone to exaggerating their achievements. I'm much more of the opinion that the drone malfunctioned, crash landed, and the Iranians went "PR Jackpot!".

Re:

[andydread]

It could also be possible that if you jam the encrypted military signals the drone may fallback to civilian unencrypted signal recognition in an attempt to return to base then you spoof unencrypted signal and voila. Drone lands.

Re:

[Mabhatter]

But drones are flown by operators in windowless offices... They don't have a sense of "space". They get number from ABC agency and maybe a Satillite picture.. They don't "need to know" the rest.

All you'd have to do is keep corrupting some of the GPS signals. Just "lean" it off course. The operator only has numbers... They won't KNOW they are not flying in a line, which is why it wouldn't work for airplanes so well because pilots usually know where they are going by sight.

Also, they use drones specifically b

Re:

[Savage-Rabbit]

The problem is that no one knows for sure whether that actually happened. Yes, the Iranians claim that's what they did, but it is unlikely for two reasons: the article specifically mentions that military GPS signals are encrypted (although it wouldn't be the first time that the military decides to use unencrypted channels to send/receive live drone information), and the Iranians are... well, prone to exaggerating their achievements. I'm much more of the opinion that the drone malfunctioned, crash landed, and the Iranians went "PR Jackpot!".

Dont make the mistake of thinking the Iranians are a bunch of ill educated goat herders and dirt farmers I'm sure some of them are ill educated but the Iranians have some pretty intelligent CS and math people, I have met some of them. If the Iranians or anybody else could really hack the encrypted data streams on these drones like those UT researchers seem to be suggesting then the pilotless airforce concept is in trouble (never been a big fan myself). People keep talking about drones as if, when you loosa

Re:

[radtea]

I'm much more of the opinion that the drone malfunctioned, crash landed, and the Iranians went "PR Jackpot!".

Likewise, the US security-industrial complex has a long history of vastly overstating the difficulty of defeating or reproducing American technology, starting with the A-bomb, which the Russians weren't supposed to get for decades (it took them a couple of years, thanks to some well-placed spies) and the H-bomb (primarily due to careful analysis of fall-out from atmospheric testing, which allowed them to reverse-engineer the basic structure in some detail.)

Unless you're going to claim that Iranian scientist

Re:

[NeutronCowboy]

I wouldn't necessarily say it is a tie, it's more something that we can't really much about. Your thesis is completely valid as well - that the US military just has a shitty navigation system that thinks GPS is either unjammable or unspoofable. However, in the absence of solid evidence, I tend to favor the simpler explanation: that the drone malfunctioned, and Iran got some free PR out of it. Occam's razor, if you will.

Re:

[wvmarle]

GPS signals are weak, and as such can be easily disturbed by simple jamming: broadcasting noise at that frequency range. So that part is very plausible.

Giving it fake GPS signals (i.e. valid but wrong data), not so much. GPS relies on satellites, with high-precision timed signals, and needs to receive multiple signals at a time to get a location. That means the jammers basically need a GPS transmitter, and I don't think they're easy to come by. The only ones that I know to exist are circling around our pla

Re:

[bill_mcgonigle]

the article specifically mentions that military GPS signals are encrypted

Nobody really thinks they broke the encrypted GPS. They think they jammed all signals to the drone and then fed them a spoofed GPS signal for the failsafe 'return to base' condition. Since the signals were jammed, the remote destruct instruction couldn't get through. Who wants to be the guy who is disarming the self-destruct on the drone while the signal jammer is still running?

Of course, all this is fairly impressive for people who

Re:

[FreeFire]

There's a third reason it's highly unlikely to have happened the way the Iranians said; there was only 1 drone crashed. There's never been another.

solution

[slashmydots]

It's difficult but not really all that difficult relatively speaking to slap an encrypted GPS transmitter on a weather or spy satellite. Since another slashdot article says we're running low on Earth-monitoring satellites for weather and stuff, the government always wants more spy satellites, and now they need an expanded encrypted GPS network, they could possibly justify launching a do-it-all satellite for cheaper than 3 separate ones. I believe cost was the reason all 3 of those haven't been launched mu

Unencrypted GPS

[SirGarlon]

Is anyone else troubled that civilian planes use unencrypted GPS and are therefore susceptible to spoofing?

Re:

[asynchronous13]

No. GPS on civilian aircraft is a secondary system. Even with complete GPS blackout (or spoofing), the pilot in command still has all of the primary sensors available for navigation.

Re:

[CompMD]

Its becoming a primary system. As the FAA decommissions radar stations and other navaids, GPS and ADS-B interrogation are replacing those technologies and services. Similarly, small aircraft can use GPS for precision approaches in instrument meteorological conditions instead of ILS. Many small airports don't have ILS runways, and many small civilian aircraft aren't equipped to use ILS. In the case of a GPS approach, if a fix is lost or wrong, the pilot must abort the landing and execute a missed approac

WHO KEEPS THE METRIC SYSTEM DOWN?

[Thud457]

shhhh, that's why the cancelled The Lone Gunman" series. [wikipedia.org]

Re:

[f3rret]

Is anyone else troubled that civilian planes use unencrypted GPS and are therefore susceptible to spoofing?

Not really no, because civilian planes also tend to have pilots in them who might notice that they aren't in the right spot.

Re:

[element-o.p.]

Not to speak ill of the dead, but JFK, Jr. was a marginally trained, marginally experienced pilot with way too complex an airplane for his skill level, flying a difficult route (relatively speaking) in poor weather and, IIRC, while suffering a medical condition (wasn't his ankle broken or something?). Over water, at night, with low ceilings and poor visibility with very little night or bad weather experience is an accident waiting to happen...and it did.

Re:

[LanMan04]

Meh, not really. Eventually the plane's dead reckoning system (estimation of where the plane is in 3-space based on air speed, compass heading, and altimeter) will start to diverge quite a bit from what the GPS says.

Standard procedure at that point is to believe the dead reckoning system, start using "traditional" methods to determine your location, and ignore the GPS.

In short, your instruments are to be believed over the GPS.

Re:

[Githaron]

Not really. They have human pilots as backup.

Re:

[Andy Dodd]

1) The GPS in real aircraft (small cheapo drones use cheapo GPS) does self-integrity monitoring. So far we only know they spoofed a consumer-grade (or equivalent) GPS. No indication that they defeated a RAIM-enabled unit. (e.g. spoofing it without triggering an alarm)
2) Most such aircraft also have a fairly robust inertial navigation system the GPS is checked against. (often this is checked as part of the RAIM monitoring process)
3) In the case of manned aircraft not on an instrument approach, you nee

Re:

[WaffleMonster]

Is anyone else troubled that civilian planes use unencrypted GPS and are therefore susceptible to spoofing?

Just as troubled as I am that people think the use of encrypted signals will make any difference.

What does any GPS receiver do? It measures the propogation delay of radio signals. This means understanding those signals is not necessary to delay them sufficiently to fool them.

Re:

[element-o.p.]

No.

I don't mean to be derogatory, so please don't take it that way, but your question reminds of that scene in "The Net" where the bad guys hack the pilot's navigation system, and even though the weather is severe clear, the pilot flies his airplane into the chimney of a factory. If you are flying IFR (in bad weather, where you can't see obstacles outside in time to avoid them), you aren't going to have a single system of navigation, and you will be comparing those nav systems against each oth

Re:

[Concerned Onlooker]

You don't even need the equipment. All you need are two things: fear, surprise and an almost fanatical devotion to...wait, all you need are three things....

money

[Max_W]

Drone's URL, USB key-stick, log-in and password theoretically can be bought.

Certainly, we entertain an idea that there are no traitors, who sell information for money, but it happened before.

A paper on this from 2002

[Anonymous Coward]

Here's a paper [anl.gov] on this from 2002.

All they did was purchase a commercial GPS simulator, which is used by companies to develop their GPS receivers and is easily attainable. They just connect an antenna to the simulator and beam it at the direction of a GPS receiver, jam the receiver so it loses current lock, and then it'll be spoofed once it locks onto your antenna. I always thought you needed to do some super complicated math and use multiple sources since GPS relies on careful timing information to get posi

Jamming vs Spoofing

[habig]

it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them

Jam? Sure. But one of the reasons millitary grade hardware is so expensive redundant systems, take one out, you can still function. In this case, very good interial navigation systems.

But "not very hard" to break military grade encryption on something as vital as the defense channel from GPS satellites... if that's easy we've got bigger problems than rogue drones. They're no

Re:

[habig]

Bleh - I even previewed that post. "interial" -> "inertial".

Drones

[AdmV0rl0n]

Cheap assed weapons, built by lowest cost contractors, flown by kids who are probably on low pay, and in an enviroment that pandering to the lowest user operations. They already changed from Windows to Linux due to malware/virus infestation.

None of any of it is impressive. I think any serious nation state, or indeed well padded grouping could probably dig for some extended time and develop counters and counter operations against drome based operations.

And I suspect that somewhere in the drone ops, there are

Exaggerate much?

[tomhath]

FTFA:

Todd Humphreys and his colleagues from the Radionavigation Lab at the University of Texas at Austin hacked the GPS system of a drone belonging to the university...They demonstrated the technique to DHS officials, using a mini helicopter drone

So they were able to take control of their own model helicopter. And they hypothesize that IF they could break the encryption of a military drone they could do the same thing. But that's a huge IF.

It didn't happen in Iran, several drones have crashed in Afghanistan and Pakistan, and I assume several more have crashed in the US. Without a pilot onboard a fairly minor electronic or mechanical problem will bring them down.

Re:

[Andy Dodd]

You have zero evidence to support your claim.

The Iranians were VERY careful not to show the underside of the drone, which is the part most likely to sustain crash damage.

Re:

[bill_mcgonigle]

The Iranians were VERY careful not to show the underside of the drone, which is the part most likely to sustain crash damage.

Right. Common wisdom is that they screwed up the altitude calculation on the spoofed GPS signal.

FUD

[jklovanc]

This would only work if the drone was using only GPS to fly from place to place. Most drones have a pilot who direct them most of the time and uses GPS to find it's location. A pilot would notice the discrepancy between what the GPS plot shows and what he sees in the camera monitor and assume the GPS screwed up.

This next statement is just stupid;

But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

The way the current system probably works is that it transmits signals similar to the ones from the satellites. To spoof an encrypted drone one can not "unencrypt" it. That would be equivalent to convincing the drone to accept un-encrypted GPS signals. That should be impossible. If someone could send out false data that is encrypted using the same keys and algorithms as the satellites that would ba a major issue as cruise missiles could be spoofed. That kind of spoofing is not something that can be done by "a very skilled person" as it would require knowing the encryption keys.

The following statement is also bunk;

The same method may have been used to bring down a US drone in Iran in 2011.

One can speculate all one wants but that does not make it true. It is much more likely that the drone lost contact with the pilot center and auto landed. Lets use a real life unverifiable incident to support our FUD.

They also talk about hijacking drones delivering FedEx packages. Fred Smith, CEO of Fed Ex says he wants them but he is nowhere near getting them. Even if they did use drones I bet Fed EX would use the encrypted channel and they would rely on navigation aid other than GPS as verification.. If you want to scare us at least talk about something real.

We have plenty of real things to worry about rather than to fall for FUD.

Re:

[radtea]

We have plenty of real things to worry about rather than to fall for FUD.

The problem is you have nothing to counter the FUD but RUC: Reassuring Unsupported Claims.

"You bet"... FedEX would encrypt them, eh? I'm glad you feel that your gambling problem is relevant to this discussion of actual reality, but I have no idea why you think it is. Neither I nor anyone else cares what your bet is. We care what FedEX will actually do, when it comes time to deploy drones with software supplied by the lowest bidder.

Furthermore, while FedEX may be some years from getting drones, closing o

Re:

[CXI]

Is this where I come in and point out something about straws and men? I've been away for a while so it's taking a while to come back to me...

Re:

[jklovanc]

How about this paper [cornell.edu] which shows how the spoofing works (exactly as I stated) and the defense against it.

Fed Ex does not have drones right now. When and if they get autonomous drones they can open themselves up to billions of dollars of lawsuits by using the civilian channels which can be spoofed or they can do their fiduciary duty and use the military channels. Since no one has made the decision as to which course to take, all we can do is speculate. I speculate they will want to protect their company and

Re:

[jklovanc]

There is also a defense [cornell.edu] against such hacking.

Re:

[AmiMoJo]

This would only work if the drone was using only GPS to fly from place to place. Most drones have a pilot who direct them most of the time and uses GPS to find it's location. A pilot would notice the discrepancy between what the GPS plot shows and what he sees in the camera monitor and assume the GPS screwed up.

Naturally that signal was jammed, so the drone was flying on its own.

That would be equivalent to convincing the drone to accept un-encrypted GPS signals.

You like it would be forced to if the encrypted ones were being jammed for some reason?

that would ba a major issue as cruise missiles could be spoofed

They mostly use terrain following and dead reckoning, but yes, it is a concern.

It is much more likely that the drone lost contact with the pilot center and auto landed.

So it was programmed to auto-land when the control signal was jammed? Seems pretty dumb as it would be landing in enemy territory.

Re:

[jklovanc]

So it was programmed to auto-land when the control signal was jammed? Seems pretty dumb as it would be landing in enemy territory.

That is why most military drones that are flown over enemy territory have a self destruct mechanism which is armed at by the pilot. At sufficient levels of damage or malfunction the drone will destroy itself. During missions over friendly territory this mechanism is never armed. It looks like the pilot did not arm the self destruct when the aircraft entered enemy territory.

So someone would trust a drone that has the video jammed and the military GPS channel jammed to fly back to base? I highly doubt that.

Re:

[element-o.p.]

What if you spoof the GPS signal and jam the C^2 channel as well?

The Solution

[Scutter]

Clearly, the solution is to arrest and prosecute the researchers and pretend that this isn't a giant security hole. That way, the company's profits will still be protected and they won't have to spend more R&D money on fixing the problem.

No Need to decrypt

[iceco2]

We have no reason to believe encrypted GPS signals can be decrypted easily, but that doesn't mean they can't be spoofed.
You can record them and play them on a delay of your choosing (with higher local signal strength)
Since GPS positioning is all about the relative delay if you control the delay you don't need to decrypt the signal of create your own.
The comments also mentioned their is a pilot normally in control of the drone,
but since the pilot is connecting remotely the control signal can theoretically be

A question on Drone Building dot mil

[RobertLTux]

Why would you not have some sort of self redact function to fix the problem of a drone going down in hostile territory??

All you really have to do is program the drone to Explode/Thermite the electronics bay if it reaches Zero Velocity without some sort of HomeBase signal being received (rotate the exact signal on a weekly basis)

or even put some sort of DeadMan switch in the electronics bay that you have to open another panel (and insert a SafeKey) to disable.

What drone was hacked?

[WaffleMonster]

Am I supposed to be impressed? What drone was it? Why no pictures or any information other than the university owned the UAV. For all I know their "drone" is just a model airplane project a student jury rigged using a cellphone.

Just to be safe lets go with military drone images on all of these web sites parroting the same story and mention someone from DHS was present as well. What does that matter?

Was the drone using raim? Did it use other sensors like fluxgates, rlgs to confirm position? Is ANY useful information available?

This drone

[DeeEff]

I'm pretty positive this drone wasn't using very many advanced algorithms. I mean, in the base case, you could easily spoof the unencrypted signal and try to force the drone to change directions. Unfortunately, this really only works when you're using Pseudorange measurements, as opposed to Carrier Phase. Moreover, if there was an INS on the drone as well, this interference problem would become rather trivial.

When using a GPS, if you notice large gaps where your data suddenly "jumps" from one location to an

Inertial Navigation?

[MarkvW]

I suppose that's why inertial navigation is such a good backup for any sane person who is going to design a military drone.

Spoofing GPS is useless

[tlambert]

It's useless to spoof the GPS signal unless you know, apriori, where the drone is going. Lying to it about where it is is only useful if you lie to it relative to its destination, unless you are trying to lie it into a target very near the jamming signal source.

The Iranian spoof worked because the self destruct wasn't armed, and when jammed, the drone was known to be programmed to return to its launch site, which was a known location, and THAT location could be spoofed.

I imagine that there were a number of

Not a military drone!

[Matt_Bennett]

As was pointed out here [rt.com] this was not a military drone. Until they can spoof p(y) code, this is nothing. For just this reason, all military equipment is required to use an encrypted signal (of course, this was as of 10 years ago, when I was still working with military GPS systems)- civilian GPS can be pretty easily jammed and/or spoofed- "civilian" GPS is also called "C/A" or coarse acquisition- which was designed only to get you "about right" before the receiver switches over to the more precise encrypted code. Anti-spoofing is a very important part of true military grade GPS. Many civilian users (surveying companies, particularly) would pay *big* money to get access to this- but they don't get the keys.

I think this article should be more accurately titled "Texas college hacks insecurely designed civilian drone"

Re:

[von_rick]

How long before someone hacks into one of these drones to scribble "Happy birthday grandpa" in the sky? Granted that the drones don't have white fumes, but it'd still be pretty cool.

Re:

[cayenne8]

Hmm...wonder when there'll be a YouTube video out on how to do this...?

:)

Re:

[Baloroth]

This is plane wrong. One of the drones sends the video stream back unecrypted and it was a large issues quite recently. Also all GPS signals are unencrypted. How people took this long to realize it is beyond me. I knew this was possible back in high-school I just didn't realize it would be so cheap to do.

No, the drone sent a video signal to the ground unencrypted (it was intended to be visible to troops, and was presumably unencrypted to allow ease of viewing. Stupid, yes, but it makes a kind of sense). And military GPS signals are encrypted, specifically to prevent spoofing. The P-code the military GPS system uses is encrypted, and has been for years.

Re:

[kasperd]

And military GPS signals are encrypted, specifically to prevent spoofing.

Encryption doesn't prevent spoofing. When people who thinks it does are involved with designing cryptographic systems we end up with insecure systems that are broken the first time somebody knowledgeable looks at it.

You can add message-authentication-codes or digital signatures to your data. That will ensure the data is authentic, but it won't stop replay attacks.

If you replay the authentic signals a little bit delayed and with a

Re:

[Baloroth]

Yes, it does prevent spoofing. How do you send a valid, encrypted signal if you don't have the encryption key? This isn't like public-key encryption where anyone can generate a valid signal: if the encryption key itself is secret, you can't either encrypt or decrypt the signal without knowing it, and that does prevent spoofing. You can jam the signal, sure, but not spoof it. For reference, the source P-code, which is encrypted with the W-code (the details of which are secret) is 720 gigabytes long, and only

Re:

[leonardluen]

if your signal is vulnerable to a replay attack, then you designed your protocol wrong.

i recently developed a wireless communication protocol for a project i was working on, you could record and replay the encrypted signals all you want, and it would reject the replayed signal as invalid. you could take it a bit further and if it detects a lot of replayed signals it could alert you that someone is being nefarious.

simplest solution i can think of...send a timestamp as part of the signal...that time code sho

Re:

[SparkEE]

The problem with the ever-increasing timestamp concept is that it doesn't account for multi-path issues. I thinks the GP's idea of replay is to do it quick enough that it looks like a stronger multi-path version of the signal. However, there are two problems with that I see. 1. Without being able to decrypt the original message and encrypt a new one, I don't see how one would do the replay with any use. 2. Even if you did have the ability to decrypt and encrypt, it would take far too long to do all that

Re:

[leonardluen]

With GPS the exact timing of the message is critical as that is how it calculates its position. i suppose if you could retransmit the encrypted message on an extremely short delay and get it to accept your signal because it is the strongest one, you probably could introduce an error into its position calculation, and continuing to do this over time eventually cause it to go off-course.

that might be a bit difficult to protect against seeing that gps (at least for civilians) is one way communication. it see

Re:

[jklovanc]

The civilian signal signal has the ability to use selective availability [gislounge.com]. It is turned off right now but can be turned on at any time and has in times of war to deny GPS information to the enemy. The military channel is also transmitted as accurate as possible but is not available to civilians because it is encrypted.

Re:

[heypete]

The new GPS satellites no longer have Selective Availability capabilities, or so the government claims (and I have no reason to disbelieve them on this subject).

Considering that GPS is widely relied upon for aviation, land, and marine navigation, surveying, public safety, and precision timekeeping, I suspect that it would be very unlikely for the government to turn SA or otherwise degrade the accuracy of GPS.

Re:

[element-o.p.]

This is plane wrong.

ROFL! Oh...you mean that wasn't supposed to be a pun? :P