RQ-170 Sentinel Drone hacked – Discussion Group – Some of the threads from a security discussion group about the RQ-170 that Iran has and how it was hacked.
gAtO – tHiNk – Maybe you all heard of the RSA hacking that happened this year. Well guess what: military-band GPS (M-code) is protected against spoofing by the RSA cipher. Can we start to connect the dots? The RQ-170 was guided down by Russian equipment.
Developed by Lockheed Martin – hacked this summer 2011 along w/ RSA.
The aircraft’s presence was detected by peripheral installations that are part of the S300 antiaircraft system, and it was forced to land at a base in the desert region of Tabas, some 250km from the frontier with Afghanistan. Relations between Iran’s military industrial system, linked to the Guardians of the Revolution, or Pasdaran, and Russia’s GRU make it probable that Iran will share the drone’s secrets with the Russians. Did the Chinese or the Russians hack us this spring and summer?
It’s actually less likely that a stealth drone was using C-code GPS than it is that Iran stole the RSA red key to M-code GPS, but are we really talkin’ odds here?
Crypto-systems provide integrity & assurance, so we are either assured that the drone was not landed with GPS spoofing, or we are assured that the use of classified red-key RSA is compromised.
It isn’t well-known that M-code uses RSA, but it isn’t exactly a secret either, so I’m just surprised that apparently I’m the only person alive openly wondering about the relation of RSA integrity to the continuing claims of military GPS spoofing by Iran &/or Russia.
M-code was designed for an improved key distribution system, so they can ultimately recover integrity of GPS guidance so long as the keys were stolen and not compromised through advancements in factoring techniques.
Ron started the discussion:
While it is reported that intercepting unencrypted drone communication data streams had first been known to the US military since the mid-1990s, this exploitation continued on into 2009 where militant laptops were found with drone data and unencrypted video feeds from Predator drones…
https://www.infosecisland.com/blogview/18778-How-the-RQ-170-Was-Hijacked.html — by Ron Baklarz
Ray– If, as the CS Monitor claims, the effect was achieved through GPS, then I can think of three possible scenarios. I make no claim that these are reality – more information would probably change my hypotheses. All of these assume that the UAV’s control link was jammed – since this is a satellite link and satellites have weak transmission capability this is not difficult once the correct frequency is identified. Once the control link is severed, the UAV was probably programmed to return to base (although circling until the link is restored is another reasonable response).
Hypothesis #1. The Iranians have developed or gained the ability to spoof P-mode GPS transmissions, having cracked the three-(or is it six?) week Gold code protecting those transmissions. This would only work if the programmers who wrote the UAV software failed to put in a check that would notice the sudden change of position from Iran to hundreds of miles away in Afghanistan (systems and software error #1).
Hypothesis #2. The Iranians have acquired (possibly from the Internet) the capability to jam P-mode and spoof C/A-mode. The UAV could not get a position fix using P-mode and fell back to C/A mode – this is like negotiating SSL down to no encryption while leaving the lock symbol in the victim’s browser. This type of ungraceful degradation, if it exists, would be systems and software error #2.
Hypothesis #3. The Iranians realized that the original developers and System Program Office of the UAV committed systems and software error #3 and used commercial GPS (i.e. C/A mode) in the UAV. This would allow the Iranians to hijack the vehicle with the least amount of capability – control link jamming and easily obtainable C/A spoofing. If this is the case, the developers and SPO were almost criminally negligent and the operations planners exhibited the arrogance of ignorance in risking the asset.
All three hypotheses depend upon systems and software engineering errors, some on multiple errors. Some folks will probably claim that these are not errors because they do not relate to the drone function. However, good systems engineering involves anticipating as many as possible of the future environments and circumstances of the system and preventing bad results up to the limit of the project resources.
Given the record of security problems in the UAV program (encrypting broadcast imagery with satellite TV encryption for which commercial cracks existed and running software environments susceptible to ordinary malware in control centers) my guess is that the third hypothesis is correct. After all, many of the UAV designs are from General Atomics, which got into this field based on their 70+ year history of building target drones. Target drones do not require security.
Garmin and others sell reference transmitters for use in developing GPS equipment that could be repurposed to spoof C/A mode.
Andrei – The comms are also radio-based; the encryption is breakable. It seems that the GPS system was flawed – somebody admitted that it was a known flaw and also admitted that it was a matter of time till the first drone would be “secluded” by the enemy.
So the third option is viable in my opinion.
PS. Another question arises – if the GPS hacking is true (personally I have huge doubts that the drone was hijacked in this way) then what about the DGPS NAV’s security – is it compromised? (Just asking – I don’t need an answer.)
Matt – DailyTech article mentions GPS and links to the CCS’11 paper “On the Requirements for Successful GPS Spoofing Attacks”. One comment may be of particular interest (?):
“If you look carefully, the wings were torn off and reattached. They’ve continually covered up the bottom, so it’s probably all torn up too. Maybe from a wheels-up belly landing.
These things are programmed to fly and land themselves. Depending on how those behaviors were layered, you can get all sorts of unintentional behavior in unusual circumstances. We ran into similar problems with our autonomous submarine while I was in grad school. Someone wanted sonar measurements of the ocean floor from 5 meters, so he went and changed the priority of the safety behavior keeping it more than 10 m from the bottom. The new priority resulted in the sub performing its entire mission with the nose buried in the mud. Turns out someone had forgotten to remove a behavior from an open-ocean mission. So the sub was now trying to dive down to 200 m in 20 m of water, without the safety behavior keeping it at least 10 m from the bottom.
I’m rather skeptical. You can’t just send a GPS signal telling the drone it’s in Afghanistan. GPS location works based on the time those signals arrive at the drone. To successfully pull this off would require tracking the locations of all the GPS satellites overhead at the time (they are moving at about 7 km/sec), correctly guessing at the drone’s location and velocity, then successfully spoofing the correct GPS signals at the correct time down to a few microseconds if not nanoseconds, while simultaneously blocking the real signals.
If you’re off by a few milliseconds, the GPS will say it’s over India. And if you’re off by a few nanoseconds, the GPS will tell the drone it’s flying sideways or backwards, or up or down. If you don’t transmit all the satellite signals correctly for the correct location and movement, the UAV will calculate one position from some satellites, a different position from others. Only 3 satellites are needed for a lock; any more are used to further refine the accuracy of the position. But if you don’t predict the drone’s location and spoof all these other satellites correctly, all these other spoof satellites would result in decreased accuracy, resulting in the AI deciding the GPS has failed and discounting the position it’s reporting.
All aircraft I’ve seen have multiple navigation systems (including inertial, which can’t be jammed), and any programmer worth his salt would put the UAV into a failsafe mode if the positions reported by these deviated significantly from each other. Large or inconsistent fluctuations in the GPS position would be grounds for the AI distrusting the GPS readings and prioritizing other navigational measurements like inertial. And to top it off, the military GPS signal is encrypted. You can jam it, but spoofing it is a whole nother ball of wax.
A malfunction still seems like the most likely cause. The spoofed GPS claim really sounds to me like BS by someone who’s never worked with navigation systems based on signal arrival times from beacons.”
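Added example (not from any of the posters above, and not code from any real UAV): a small navigation plausibility monitor in Python that implements the checks argued for in Ray's hypotheses #1 and #2 and in the comment Matt quotes. It flags a GPS fix that implies an impossible speed (the "sudden change of position" check), refuses to let an authenticated P(Y)/M-code fix be silently replaced by an unauthenticated C/A fix in flight (fail closed, instead of the SSL-style downgrade), and drops into a failsafe that trusts inertial dead reckoning when GPS and INS diverge. The speed and divergence thresholds, the mode labels and the flight samples are all constructed for illustration; the one physical constant used is the speed of light, which turns a timing error into a pseudorange error (1 ms is roughly 300 km, the figure behind the "over India" remark).

```python
"""Navigation plausibility monitor (added example, not a real autopilot).

Checks the thread argues a UAV should perform before trusting a GPS fix:
  1. teleport check   - successive fixes must not imply an impossible speed
  2. GPS/INS check    - GPS must agree with inertial dead reckoning
  3. downgrade check  - an authenticated P(Y)/M-code fix must not be silently
                        replaced by an unauthenticated C/A fix in flight
Any violation latches FAILSAFE: GPS is distrusted and the INS solution is used.
Thresholds, mode labels and flight data are constructed for illustration.
"""
import math

C_LIGHT_M_PER_S = 299_792_458.0
EARTH_RADIUS_M = 6_371_000.0


def range_error_for_clock_offset(dt_seconds):
    """Pseudorange error (metres) caused by a timing error of dt seconds."""
    return C_LIGHT_M_PER_S * dt_seconds


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class NavMonitor:
    # Assumed labels for the receiver's reported signal type (illustrative).
    TRUSTED_MODES = {"P(Y)", "M-code"}

    def __init__(self, max_speed_mps=250.0, max_ins_divergence_m=500.0):
        self.max_speed = max_speed_mps      # assumed airframe limit
        self.max_div = max_ins_divergence_m # assumed GPS/INS tolerance
        self.prev = None                    # (t, lat, lon, mode) of last accepted fix
        self.failsafe = False
        self.reasons = []

    def _fail(self, reason):
        self.failsafe = True
        self.reasons.append(reason)

    def update(self, t, gps, gps_mode, ins):
        """Feed one sample; return the position the autopilot should use."""
        if self.failsafe:
            return ins
        lat, lon = gps
        # 3. fail closed: never accept a downgrade from an authenticated signal
        if self.prev and self.prev[3] in self.TRUSTED_MODES \
                and gps_mode not in self.TRUSTED_MODES:
            self._fail(f"t={t}: signal downgraded {self.prev[3]} -> {gps_mode}")
            return ins
        # 1. teleport check against the last accepted fix
        if self.prev:
            dt = t - self.prev[0]
            d = haversine_m(self.prev[1], self.prev[2], lat, lon)
            if dt > 0 and d / dt > self.max_speed:
                self._fail(f"t={t}: GPS jump of {d / 1000:.0f} km in {dt}s")
                return ins
        # 2. cross-check against inertial dead reckoning
        div = haversine_m(lat, lon, ins[0], ins[1])
        if div > self.max_div:
            self._fail(f"t={t}: GPS/INS disagree by {div / 1000:.1f} km")
            return ins
        self.prev = (t, lat, lon, gps_mode)
        return gps


def run_scenario(samples, **kw):
    """Run samples through a fresh monitor; return (positions used, reasons)."""
    mon = NavMonitor(**kw)
    used = [mon.update(*s) for s in samples]
    return used, mon.reasons


# Constructed flight near the Afghan border, 1 Hz, roughly 90 m/s eastward.
# At t=3 the GPS fix jumps hundreds of km west while the INS keeps dead-reckoning.
SPOOF_SCENARIO = [
    (0, (34.000, 62.000), "P(Y)", (34.000, 62.000)),
    (1, (34.000, 62.001), "P(Y)", (34.000, 62.001)),
    (2, (34.000, 62.002), "P(Y)", (34.000, 62.002)),
    (3, (33.700, 57.000), "P(Y)", (34.000, 62.003)),  # spoofed jump
    (4, (33.700, 57.001), "P(Y)", (34.000, 62.004)),
]
# Constructed: P(Y) jammed, receiver offers an unauthenticated C/A fix instead.
DOWNGRADE_SCENARIO = [
    (0, (34.000, 62.000), "P(Y)", (34.000, 62.000)),
    (1, (34.000, 62.001), "C/A", (34.000, 62.001)),
]

if __name__ == "__main__":
    for name, scenario in (("spoof", SPOOF_SCENARIO), ("downgrade", DOWNGRADE_SCENARIO)):
        used, reasons = run_scenario(scenario)
        print(name, "->", reasons)
    print("1 ms timing error = %.0f m of pseudorange" % range_error_for_clock_offset(1e-3))
```

The monitor latches failsafe once tripped; a real autopilot would also need a rule for re-acquiring GPS, and the teleport threshold only catches an abrupt takeover, not a spoofer that walks the fix away slowly, which is why the INS cross-check is kept as a second, independent bound.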
Andy – http://youtu.be/rSLG3AS2YUw
The drone was not hijacked by GPS. It was a combination of ELINT, HUMINT and a smart geek.
Ray – @Andy – the video downlink is an old issue we discussed on this forum a long time ago. That has nothing to do with the control and data links back to the operators.
Mathjis has made some good points about GPS hijacking. It might be possible if the ground reference transmitters were fed accurate information from a radar and the UAV was using C/A mode. Although C/A mode is normally as accurate as P mode, it can be degraded. GPS receivers make allowance for that degradation possibility. That gives a slightly larger margin of error for the spoofing. Normally, fast vehicles like aircraft have from six to twelve receiver “stacks” (originally separate receivers but now that separation is done in software). As Mathjis said, three satellites are used to obtain a fix – usually receivers use the three best signals (although geometry does enter into the calculation). The remaining receivers track other satellites so they’re ready when one of the top three is lost. Clearly, three ground reference transmitters are going to have the best signals. If the spoofing is done fast enough, the satellites they are “replacing” won’t be over the horizon before the receiver notices and the aircraft is not down. Of course, it’s possible that the receiver is programmed to accept ground reference transmitters – this is a common method to improve GPS in a local area. So far as I know, only commercial (C/A mode) receivers support this function.
Tony – Scot has a good writeup:
The RQ170 Affair: Spoofing, Jamming, and The GBAS
MAX – Intel says Iran pointed a laser at the CIA satellite control node of the drone, and then used a program similar to Skygrabber to lower the drone. Intel provides that the Iranians picked up the crashed drone, after the satellite was jammed, and then used media to promote their propaganda that it was intact when recovered. They also say they have a commander from Bagram Airfield they tracked from that airfield that was an Iranian sent to penetrate into Iran for HUMINT data on this operation. I do know this: Iran’s capabilities as a military are growing innumerate. Do not underestimate a sale of laser jamming satellite equipment sold from Communist superpowers developing this technology. We are looking at a big mess here. While I have been away some things are not being resolved. I’m back. I suggest a team get on Google Chrome TV in the Iran media and get more data past what has been rebroadcast by Iran already to test our EWS systems. OK
We could start testing THEOL upwards instead of at missile ICBM’s.
Beware Iranian birds.
AngryBirds is coming to a THEOL drone near you.
Suj – I was wondering if the Iranians simply fried some of the key electronics. It was in their airspace after all. The UAV would simply come down reasonably hard — as it apparently did. What do you think?
Joel – WAY too many assumptions here, poor open source intelligence and not enough attention to simple physics.
One jams receivers, it is nearly impossible to jam a transmitter, DEW being the sole exception. Jamming the satellite transmitters on the satellite is nearly impossible and to jam three or more transmitters from GPS satellites simultaneously would have been international news front headlines.
If a directional antenna points upwards, at a satellite, it is very, very difficult to overwhelm an intended signal from a satellite from a ground transmission. SHF, VHF and UHF frequencies from the birds are line of sight transmissions and ‘bleed over’ does not occur, and certainly not from a ground transmission.
Geolocating a stealthy (can’t say stealth) RQ-170 while in flight is very difficult, targeting it with multiple systems is nearly impossible.
Read my blog, I’ve listed a number of other ‘laws of physics’ problems with this scenario. Occam’s razor: the controllers lost control or the bird developed an electrical or mechanical malfunction and glided to a landing.
@Sujeet, you might have a point, but the downward pointing sensors are not connected to the flight controllers. Using DEW on the aircraft as a whole might have blinded or disabled the craft, but I have not seen reports of a successful DEW program in Iran.
Max, DEW includes laser, but the power needed to overwhelm a receiving antenna is much greater than you can imagine. The physics needed to get a receiver to process the signal is not complex, but at the beginning of the equation “power” is practically off the charts to do what I outlined above. Then we’re thinking exact frequency (not in the laser’s capacity), harmonics and still using it as a carrier wave. It is not ‘wave of the hand’ physics.
Also, the bird was controlled by proprietary software, the signal encrypted and ‘skygrabber’ is not the appropriate program.
Gee, wasn’t that easy?
Lory – OK, maybe Joel is right, but then how did the bird land right near a battalion of guards that were waiting for it to land?
Next question – someone on the inside? Seems like the wheels are gone, but now they can see the electronics and figure some things out, no?
Third question – what now? Besides giving it back, what are the dangers?
Joel – Thanks, Lori! That’s probably the nicest thing anyone’s said about me in years, ‘I might be right!’
‘curious… I haven’t read the report about a battalion of guards. Kindly share a source? I’d be curious as to what kind of guards, were they part of the ‘EW unit’?
My guess? A roving patrol found it. I don’t think they have seismic detectors in enough places to detect a hard landing. Bottom line, until we see more details we’ll be left with more questions than answers.
Again, my guess, they haven’t figured out how to lower the wheels. It sure would look cool to have that puppy held up by its wheels, it made it look like the nicknamed “Beast of Kandahar”. They’re supposed to be figuring out the code, when they figure out how to control the wheels I suspect we’ll see a new picture. Was it just me or did the RQ-170 seem a little off on height compared with the pictures from Qandahar?
No way in H-E-Double Hockey sticks we’ll ever get that puppy back. It’s going to be dismantled and pored over for years and then put into some really neat museum “look how good we are!”.
Paul – “near a battalion of guards that were waiting for it to land” It would be great if you could expand on this important detail. Please feel free to contact me.
Thanks for the comments everybody!
Lory – That was what was written in the Israeli papers.
See the original quote from the Israeli media with translation.
The Air Force Commander of the Revolutionary Guards, General Amir Ali Haz’izda, claimed that “recently, information-gathering intelligence and our means of tracking the electronics in this plane revealed a plan to penetrate the airspace of the country for espionage. After it entered the eastern parts of the country, the plane fell into the trap of our armed forces and landed in Iran with minimal damage. ”
Hope that helps.
By the way, I am gaining expertise in this field and would be happy to take part in “think tanks”. I wrote some articles that may be of interest. Thank you, Lori
Tony – I remember seeing my hapless cat sitting in front of our large glass windows when a bird ran into them and dropped at his feet. He looked around, picked up the bird in his mouth, and trotted off happily as if he had just made the kill himself. Point: given the source was the Iranian RG, I would take that info with a pound of salt.
gAtO – Joel is wrong again. It’s a known fact for years that weak GPS signals can be overwritten; you don’t need the signal coming from the top (satellite). Jamming is an old technology and every military knows of this. The reason why the RQ-170 Sentinel crashed was because the altimeter was incorrect, as Matthijs explained about the sub with its nose in the mud. The military is working on a private military-GPS network to correct these problems. Just a few years ago you could buy off-the-shelf software for $30 and capture live video feeds from drones, as the Iranians showed us.
Remote control devices can be hacked; it’s the nature of the beast. Simple encryption of all telemetry data could resolve this problem. As Mr Freed said, the cat got the bird and a cat smile is all we’re going to get from Iran. China and the Russians will pay big bucks to get a look at this drone. The Iranian military were waiting for the drone in the right place but barometric pressure messed up the landing cycle.
From one source – http://www.ufppc.org/us-a-world-news-mainmenu-35/10757-news-how-they-did-it-iran-landed-supersecret-rq-170-drone-by-overriding-weak-gps-signals.html
“The GPS navigation is the weakest point,” the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran’s “electronic ambush” of the highly classified U.S. drone. “By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.”
The “spoofing” technique that the Iranians used — which took into account precise landing altitudes, as well as latitudinal and longitudinal data — made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the U.S. control center, says the engineer.
Our satellites use old outdated electronics and the software is older. The project life of a satellite is over 3 years to build and then launch into space orbit, longer in some cases. If you simply apply Moore’s law, in 3 years’ time the electronics of that satellite are obsolete before they launch it. Red tape is one problem. That someone can hack older technology with systems 3 times faster and better should not surprise us. I worked on 2 satellites and one had a navigation system that could only be certified with a computer that used boolean gates as schematic and all transistors for every AND, NAND and OR gate.
Other countries ramp up and if something new comes they try it. I know their failure rate will increase without these safeguards but we can do a better job with CIA operations.
Joel –gAtO, as earlier stated, Skygrabber is one of the programs available to download video, etc from a UAV. I’m not disputing that unencrypted video can be copied. My contention is it is far more difficult to hack a signal emanating from a UAV and somehow magically hack back into a transmitter. Physically impossible, sorry. I wrote a textbook on Electronic Warfare and have been working in EW for many decades. Now, remembering the laws of physics, once again, that video signal is not being transmitted to a local ground station, as in the case of Skygrabber utility, but to a satellite. After a bounce or two it is downlinked to a ground station. Incidentally, that ground station is not in the US and not where you might guess, I just confirmed this with one of the engineers working near the project, but not on it.
The altimeter was incorrect? Cool. How? Again, in this formula, stating “and then a miracle occurs” will not suffice. How was it hacked? Putting on a wizard’s hat and thinking ‘make it so’ will not a hack make. I challenged my last class of graduate students, all IT and IA professionals, to explain exactly which exploit they would use to hack into a number of unclass systems, I gave them four months, and not one single hack emerged. Just because a conspiracy theorist says ‘they hacked the system’ does not make it true, and I trust an Iranian engineer’s obviously ‘unbiased and totally uncoerced’ musings even less. Anything and everything emanating from Iranian sources is widely regarded by most professionals as complete rubbish.
About the GPS signals, they’re currently in Block II and Block III is being fielded (completion in 2014). All the assumptions I’ve read about GPS jamming have been addressed – for all US Intelligence Community and military systems. “United for Peace of Pierce County” is not a credible source, the Iranian engineer in that article is out to lunch and after speaking with four different seniors in the IC and Pentagon in the past week, the Christian Science Monitor article is complete hogwash.
As for the spoofing techniques, once again, the signal the GPS for this particular bird uses is encrypted, I’ve confirmed that. How in the heck do you spoof an encrypted signal coming from a minimum of three and up to nine satellites in near real time?
gAtO – Joel:
Bread goes in toast comes out – You can’t explain that!
I put the garbage at the end of the driveway, Gone when I get home – You can’t explain that!
If evolution were true, Why are there still monkeys? -You can’t explain that!
I understand your cavalier stance that all Iranian sources are just camel herders and know nothing about computers, programming or hacking. People from the Middle East know nothing but wear burkas and go around with swords and cut people’s heads off. For an educated person and a professor you sure show bigotry; being born in another country you would have failed me because all Cubans are “mango munchers” and know nothing about the laws of physics like your (I’ll make a guess) white students do.
Every person not from the US is wrong; they are all dumb foreigners who know nothing. This is exactly what the enemy wants to see: a bigot so tight in his perfect box that nothing can change, nothing can go wrong in his perfect world. But the facts are they (the illiterate, uneducated Iranians) got the bird.
Capital I – for respect; not all Iranians are evil, just like all Americans were not baby killers (from the Vietnam days).
“You have back access to confirmed this with one of the engineers working near the project”.
People in TS government projects just talk to anyone, and all this information you quote has been cleared for this forum. I’m just a dumb Cuban boy that defies the laws of physics; I am not your TOP student with a 220 IQ. To tell you the truth I do have a GED education, nothing more nothing less, so I’m a nobody that knows nothing and will learn from my betters like yourself.
“That particular bird uses is encrypted, I’ve confirmed that”
Boy, you seem to have all sorts of people that work on secret projects that blab to anyone and they post it on LinkedIn; that’s scary to throw government secrets out like that.
I guess I’m a wizard with a hat (sombrero) and hacked the FBI, CIA, State Department, US Senate, the Pentagon, Lockheed, RSA (ever heard of these guys) and many other companies that have such a secure network that they had a RAT in the DOD for over 2 years. Oh by the way, some of these were 15-18 year old kiddies (LulzSec) with no knowledge of the “Laws of Physics taught by you”. They just hacked them.
If you think everyone else is an idiot and you’re the only one right then – I can’t explain that!
Drone goes up crashes down in enemy territory, -I can’t explain that!
You got gAtO – -I can’t explain that!
gAtO is sometimes a jerk, ah well.. mEoW mEoW