Details on how Iran may have used a GPS override spoof to capture US drone

[I'm applying the sysadmin privilage of making an exception to our usual no-military rule here, because the technical issues are sufficiently interesting].

Apply the usual skepticism about the claims, but there's something plausible in the following. As I understand it, the assertion is that Iran basically used radio jamming techniques to force the RQ-170 into RTL mode, then overrode the GPS signal with a fake one that made it think that "home" was an Iranian field.

An excerpt from the Christian Science Monitor, a good article that discusses what may have caused the capture:

Iran guided the CIA's "lost" stealth drone to an intact landing inside hostile territory by exploiting a navigational weakness long-known to the US military, according to an Iranian engineer now working on the captured drone's systems inside Iran.

Iranian electronic warfare specialists were able to cut off communications links of the American bat-wing RQ-170 Sentinel, says the engineer, who works for one of many Iranian miltiary and civilian teams currently trying to unravel the drone’s stealth and intelligence secrets, and who could not be named for his safety.

Using knowledge gleaned from previous downed American drones and a technique proudly claimed by Iranian commanders in September, the Iranian specialists then reconfigured the drone's GPS coordinates to make it land in Iran at what the drone thought was its actual home base in Afghanistan.

...

"GPS signals are weak and can be easily outpunched [overridden] by poorly controlled signals from television towers, devices such as laptops and MP3 players, or even mobile satellite services," Andrew Dempster, a professor from the University of New South Wales School of Surveying and Spatial Information Systems, told a March conference on GPS vulnerability in Australia.

"This is not only a significant hazard for military, industrial, and civilian transport and communication systems, but criminals have worked out how they can jam GPS," he says.

The US military has sought for years to fortify or find alternatives to the GPS system of satellites, which are used for both military and civilian purposes. In 2003, a “Vulnerability Assessment Team” at Los Alamos National Laboratory published research explaining how weak GPS signals were easily overwhelmed with a stronger local signal.

“A more pernicious attack involves feeding the GPS receiver fake GPS signals so that it believes it is located somewhere in space and time that it is not,” reads the Los Alamos report. “In a sophisticated spoofing attack, the adversary would send a false signal reporting the moving target’s true position and then gradually walk the target to a false position.”

From Wired's DangerRoom:

According to Richard Langley, a GPS expert at the University of New Brunswick in Canada, it’s theoretically possible to take control of a drone by jamming the P(Y) code and forcing a GPS receiver to use the unencrypted, more easily spoofable C/A code to to get its directions from navigational satellites.

“GPS satellites transmit on two legacy radio frequencies,” Langley explains. The unencrypted C/A code used by most civilian GPS unit “is transmitted only on the L1 frequency. The encrypted P code for so-called authorized military users is transmitted on both the L1 and L2 frequency.”

Translated: If the Iranians could selectively jam the encrypted military code on the L1 and L2 frequencies — and that’s a big “if” — the drone’s GPS receiver might reach out to use the less-secure C/A code in a last ditch attempt to get directions. Without the extra protection of encryption, it would be relatively simple for Iran to spoof the receiver using the C/A code and fool the drone into thinking it was back home in Afghanistan.

However. For that scenario to work, the drone’s GPS unit would have to be programmed to use the C/A code in the event the P(Y) code becomes unavailable.

It’s also difficult to jam a drone’s GPS. “They’ve got defenses against these kinds of spoofing attacks,” says Todd Humphreys, who has researched GPS spoofing at the University of Texas’ Radionavigation Laboratory. “They mount their antennas on the top of the drones and sometimes the antennas have the ability to null out jamming or spoofing signals.”

You need to be a member of diydrones to add comments!

Join diydrones

Comments

T3

William Premerlani December 16, 2011 at 5:51pm

@IKE,

Thanks for the link to the Aviation Week Article. For anyone who has not read the article, here are a couple of key paragraphs:

“Among the reasons to doubt the claim that GPS jamming had anything to do with the loss of the RQ-170 is a simple overlooked fact,” says a third U.S. analyst. “GPS is not the primary navigation sensor for the RQ-170 or for most other air vehicles. The vehicle gets its flight path orders from an inertial navigation system, which is essentially unjammable unless you want to monkey with the local gravitational field. The GPS updates the INS and cancels its drift. So, even a full GPS blackout would simply cause the vehicle to be a bit less accurate,” he adds.

“If the GPS was ‘spoofed’ with a fake signal — and even JDAMs have anti-spoofing GPS receivers today, so that might be difficult — any abrupt change in the GPS reading would cause the Kalman filters in the GPS/INS to conclude that the GPS was malfunctioning and cut it out of the loop,” he says.

Best regards,

Bill
Javio December 16, 2011 at 5:35pm

It looks like a mad wing... Grrrr
T3

William Premerlani December 16, 2011 at 4:45pm

@Helldesk,

I agree with you.

I think the implication of what you are saying is that it might not be too hard to bring a UAV down.

But I think the only way you would be able to redirect it to a new location would be to break into its command system. My speculation is that Iran might somehow interfered with the UAV in question, but I doubt they would be smart enough to do much more than that.

Regarding IMUs, just from reading export control rules I conclude that military IMUs must be at least 5 orders of magnitude more accurate than diy IMUs, and probably much better than that. I bet that a military UAV can go a long way without GPS.

Best regards,

Bill
Helldesk December 16, 2011 at 4:06pm

In any case it's another reminder that you can't trust every sensor all the time. Sensors, radio links, and GPS can all fail for a multitude of reasons (not to mention emergent software surprises). A truly autonomous drone needs to know what to do in all of those cases, or combinations of them.

You can beef up some systems with redundancy, but radio links are always vulnerable. Terrain features can block your telemetry even if you had XBee and a backup; GPS can become unreliable due to weather...

Dead reckoning with a redundant IMU or two (maybe three, of which the odd one gets thrown out of the loop) might help you not lose a plane due to loss of GPS. Navigation by sight is probably a tough problem for machine vision, but an awesome project if you can manage it.
T3

William Premerlani December 16, 2011 at 4:00pm

@Chris,

I can believe it is possible to spoof the GPS, but I do not see how it would be possible to spoof the IMU's gyro and accelerometer signals. Any autopilot worth it's salt fuses GPS and IMU information, and would recognize a discrepancy, particularly a large change in position that would imply huge acceleration. The spoofer would have to match the spoofed position with the turns that the autopilot was making in real time. Otherwise the IMU information would declare a "zig" when the GPS information would declare a "zag".

As I mentioned in my comment a few messages back, MatrixPilot can detect when the GPS is not telling the truth using a"dead reckoning" algorithm, I cannot believe that I am ahead of the military.

Best regards,

Bill
3D Robotics

Chris Anderson December 16, 2011 at 3:34pm

From Wired's DangerRoom:

According to Richard Langley, a GPS expert at the University of New Brunswick in Canada, it’s theoretically possible to take control of a drone by jamming the P(Y) code and forcing a GPS receiver to use the unencrypted, more easily spoofable C/A code to to get its directions from navigational satellites.

“GPS satellites transmit on two legacy radio frequencies,” Langley explains. The unencrypted C/A code used by most civilian GPS unit “is transmitted only on the L1 frequency. The encrypted P code for so-called authorized military users is transmitted on both the L1 and L2 frequency.”

Translated: If the Iranians could selectively jam the encrypted military code on the L1 and L2 frequencies — and that’s a big “if” — the drone’s GPS receiver might reach out to use the less-secure C/A code in a last ditch attempt to get directions. Without the extra protection of encryption, it would be relatively simple for Iran to spoof the receiver using the C/A code and fool the drone into thinking it was back home in Afghanistan.

However. For that scenario to work, the drone’s GPS unit would have to be programmed to use the C/A code in the event the P(Y) code becomes unavailable.

It’s also difficult to jam a drone’s GPS. “They’ve got defenses against these kinds of spoofing attacks,” says Todd Humphreys, who has researched GPS spoofing at the University of Texas’ Radionavigation Laboratory. “They mount their antennas on the top of the drones and sometimes the antennas have the ability to null out jamming or spoofing signals.”
Nick December 16, 2011 at 3:30pm

I didn't know they made paper weights that big; It would never fit in my office anyway.
Mark Fetters December 16, 2011 at 3:00pm

http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckControll...
Rob_Lefebvre December 16, 2011 at 2:27pm

Occam's Razor cuts both ways. There have been a number of stunning failures of intelligence services in the past number of years, so I don't have a lot of trouble believing that it was in fact that easy to bring it down.
AVS December 16, 2011 at 2:21pm

@IKE that proves it then, it was a hardware problem. Utter tosh by the Iranians.

of 11

This reply was deleted.