GPS Spoofing Attack Hacks Drones 214
Rambo Tribble writes "The BBC is reporting that researchers from the University of Texas at Austin managed to hack an experimental drone by spoofing GPS signals. Theoretically, this would allow the hackers to direct the drone to coordinates of their choosing. 'The spoofed drone used an unencrypted GPS signal, which is normally used by civilian planes, says Noel Sharkey, co-founder of the International Committee for Robot Arms Control. "It's easy to spoof an unencrypted drone. Anybody technically skilled could do this - it would cost them some £700 for the equipment and that's it," he told BBC News. "It's very dangerous - if a drone is being directed somewhere using its GPS, [a spoofer] can make it think it's somewhere else and make it crash into a building, or crash somewhere else, or just steal it and fill it with explosives and direct somewhere. But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."
Re:Surprised? (Score:4, Interesting)
FUD (Score:3, Interesting)
This would only work if the drone was using only GPS to fly from place to place. Most drones have a pilot who direct them most of the time and uses GPS to find it's location. A pilot would notice the discrepancy between what the GPS plot shows and what he sees in the camera monitor and assume the GPS screwed up.
This next statement is just stupid;
But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."
The way the current system probably works is that it transmits signals similar to the ones from the satellites. To spoof an encrypted drone one can not "unencrypt" it. That would be equivalent to convincing the drone to accept un-encrypted GPS signals. That should be impossible. If someone could send out false data that is encrypted using the same keys and algorithms as the satellites that would ba a major issue as cruise missiles could be spoofed. That kind of spoofing is not something that can be done by "a very skilled person" as it would require knowing the encryption keys.
The following statement is also bunk;
The same method may have been used to bring down a US drone in Iran in 2011.
One can speculate all one wants but that does not make it true. It is much more likely that the drone lost contact with the pilot center and auto landed. Lets use a real life unverifiable incident to support our FUD.
They also talk about hijacking drones delivering FedEx packages. Fred Smith, CEO of Fed Ex says he wants them but he is nowhere near getting them. Even if they did use drones I bet Fed EX would use the encrypted channel and they would rely on navigation aid other than GPS as verification.. If you want to scare us at least talk about something real.
We have plenty of real things to worry about rather than to fall for FUD.
Re:Surprised? (Score:5, Interesting)
The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them. When the drone loses communication for a length of time it is programmed to return to base and land unless it reestablishes communications and receives alternate orders. But it uses GPS to find out where the base is.
Yeah, a "GPS position is changing too fast" check could be useful to try to thwart something like that, but it's also the sort of thing that can be overlooked, and also something that could be slowly faked (aka, from a blind plane's perspective, there's no difference between a "drifting GPS" and flying through a strong wind.). So yeah, you could get into a whole range of attacks and countermeasures, but sometimes the attackers will win, sometimes the defenders.
The people who insisted that a country like Iran could never pull it off always struck me as way overconfident, egotistical. It reminds me of when the Serbians shot down a stealth (which the US tried to blame on hardware failures) and damaged another (among many other aircraft). I read an article on the elite Serbian unit who pulled that off with basically junk hardware and with no air superiority to back them up. They had their tactics down to a tee, and the US got totally overconfident. First they baited NATO into wasting their anti-radiation missiles by jury-rigging together as many fake "radars" as they could muster from junked military equipment. Then they hacked the hardware on the actual radars they were using, boosting the frequency many times over. This made the signal get hugely attenuated by the atmosphere, dramatically decreasing the range, but was A) out of the range of frequencies generally looked for, and B) wasn't nearly as affected by the stealth capabilities of the aircraft. The range was so low that the target aircraft had to fly pretty much over them, but they started mapping out the typical sortie patterns being used and got the hang of reckoning where they'd be and moving to intercept. They also got the hang of how much time it took from when the radar got hot to when a plane could take them out if they were detected, and timed their operations so that the hardware or at least the people had to be Not There Anymore(TM) by the deadline. The troops were drilled over and over in how to set up, get a lock, fire, and then get the heck out of there in the allotted time.
It's easy to assume that because a country is poorer and can't afford fancy hardware, its people are idiots. But that's a bad assumption to make.
Re:Surprised? (Score:4, Interesting)
The US didn't blame anything on hardware failures. The failure rested specifically with putting the route of the F-117 right over that SAM. If you get close enough, it will see you (it detected the F-117 at about 23km, according to records). The point of stealth is to shrink surveillance radii and sneak inbetween radars. This was a planning error, not hardware nor anything else. Once close enough, an F-117 is engaged like any other aircraft. There is no magic nor anything at all special about this. No frequency boosting or other BS pseudo-science crap ever happened.
The claims about 'baiting NATO to waste their missiles on decoys' are funny - why? Because for this to happen, the SAM radars had to be shut down, thus rendering SEAD efforts successful. It doesn't matter if the missile didn't hit the SAM. What matters is that for that time, the SAM was useless. Result? Serbians dancing on the wreckage of two planes out of hundreds of sorties that demolished their infrastructure. That's right. Those 'so smart tactics' got them two planes and failed to defend their country whatsoever.
Re:Surprised? (Score:5, Interesting)
In addition, there's absolutely no evidence to back this claim - "But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."
Transitioning from "making a few fake pseudolites" to "discovering the crypto key before it changes" (I believe the keys rotate on a daily basis, so you would need to crack the key AND the key change algorithm) is a MAJOR step. I don't know what universe that person lives in if they thing breaking military-grade crypto is even remotely close to this attack in complexity. This attack is easymode compared to generating a proper P(Y) code.
The only "break" so far in the military encryption is the fact that the same keys (and in fact same signal) are used on both L1 and L2, allowing you to cross-correlate L1 and L2 to determine ionospheric delay and remove that one error source. Note that the next block of GPS satellites adds a civilian L2 signal, so this "break" is mostly irrelevant.
In addition, no evidence was provided that a RAIM-enabled receiver was successfully spoofed, only a cheap consumer-grade unit that lacked RAIM.
Re:Surprised? (Score:5, Interesting)
The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them.
Okay, I don't design, build, fly or repair military drones (or even civilian ones...yet). I am, however, a fixed-wing pilot in my off-hours. In civilian airplanes, we use multiple navigation methods too, and I would presume that many of these navigation systems are applicable to drones as well as Cessnas. For example, it's probably safe to assume that drones use GPS just like I do. Military drones probably also use TACAN [wikipedia.org], which essentially is just the military equivalent of civilian VOR/DME (navigation using fixed, ground-based radio stations). Either of those systems are susceptible to attack as you've described above. However, larger civilian airplanes, like business jets and airliners, have also used a navigation system called INS [wikipedia.org], or "Inertial Navigation System," which uses accelerometers and gyroscopes to compute the moral equivalent of dead reckoning ("it's been 23 minutes since I passed my last waypoint, so with an estimated speed of 110 knots, that means I should be reaching my next waypoint in five...four...three...two...one...turn left to heading 070 degrees and descend to 2500 feet MSL..."). INS should be pretty much immune to spoofing or jamming of radio signals, since it is completely internal. Therefore, I would expect that INS should be more than capable of providing a sanity check and fail-over against GPS or TACAN radio navigation. Even better, install multiple INS systems, and if they all agree within a sane margin of error, while your radio navigation systems are either jammed or showing that you are a hundred miles away from your computed location and/or your most recent known-good position, then assume your navigation signals are being attacked and fail-over to INS until/unless you reach a point where all navigation systems agree again.
Re:Surprised? (Score:5, Interesting)
Sorry, "refused to confirm claims that it was shot down" for several days - is that better?
First off: Three planes down (one ditched into the Adriatic, two over land) and a number of hits that crippled other craft but did not lead to crashes (the other stealth that they hit reportedly never flew again), plus several cruise missiles. Dani's unit saw no casualties or loss of hardware. Of course other less trained units sufferedlosses, but that's not the point I was making (I am *not* claiming that weak powers will always outsmart/defeat strong powers, or even that it's likely - just that they shouldn't be underestimated and can sometimes pull off impressive feats). They shot down a stealth and nearly a second one using 1960s hardware and with total loss of air superiority.
Serbia had no hope of preventing the destruction of fixed infrastructure. Their military budget was something like a tenth of a percent of the military budgets of the nations they were facing. Their only option was to preserve their military capability for as long as possible while costing NATO as much money as possible and buy as much time as possible in hopes that Russia would step in to their defense. HARMs are a heck of a lot more expensive than junkyard radars, and well, F-117s? They don't grow on trees. Serbian losses were quite small at the end of the war and their military pretty much intact, despite earlier NATO claims to the contrary, and the US actually had documents showing that they clearly didn't believe their own numbers they were giving out. Despite the use of obsolete hardware, just over a dozen tanks were destroyed, under 20 artillery pieces, etc. NATO hit orders of magnitude more decoys as actual military targets. There were only 492 Serbian casualties. Of non-fixed military hardware, only the airforce was effectively destroyed, which was pretty much expected (an obsolete airforce is pretty helpless). The problem Serbia had was that NATO was prepping for ground war and Russia, as mad as they were, made it clear that they weren't going to get militarily involved.
And contrary to your claims, the fact that NATO couldn't destroy anti-aircraft batteries like Dani's made their life a lot harder. It meant they had to fly a lot higher (less precision) and limited the types of aircraft which could get involved. Furthermore, not only were the downed aircraft rallying points (the last thing you want to do is re-moralize your enemies - I'll never forget the "Sorry about your plane, we didn't know it was invisible" sign), parts from the downed stealth are believed to have been sold to China and used for their stealth aircraft program. There are serious material consequences to the US from what happened.
Re:Surprised? (Score:4, Interesting)
There are no reports as to what happened to the second F-117. Some like to claim it was hit by a SAM, but there is nothing credible out there in public.
Some like to claim that B-2's were shot down, too.
The Serbs had and have hardware that is effective, and tactics that are used by pretty much anyone who uses SAMs today. I'm not down-playing anything. I am telling you how it actually is. There's no weapon out there that you can consider to not be a threat when you fly into its WEZ, regardless of how old it may be. This aside, most people don't realize that 'hardware from the 60's' is constantly upgraded. The SA-3 (the SAM that took down the F-117) was well maintained and staffed by a very capable crew, both of which play a huge role in combat effectiveness; finally, the F-117's flight path was a planning/intel failure plain and simple. You can bring down any aircraft by ambushing it successfuly, and in this case, the F-117 was pretty much ambushed.
The tactics they used were standard fare - they searched for the F-117 several times post-detection, taking care to limit radiation time with each attempt to avoid taking a HARM (their search radar was immune to HARMs since it operated at a lower frequency than the HARM antenna can detect). This stuff would have happened a lot faster with a newer system, and that is simply a fuction of modern automation. But once you're targeted, you're in trouble. It doesn't matter if the SAM is old or new. An old SAM is less likely to shoot you down, but it isn't an impossible feat. The F-117 was detected in the heart of the engagement zone where the PK for an SA-3 is something around 97% against a non-maneuvering, non-jamming target ... which is what the F-117 was.
It's easy to go around dismissing the effectiveness of SEAD when you don't understand how these weapons operate; it is also easy to assign 'great inventiveness and ingenuity' to the underdog for the same reason, not to mention the fallacy of appeal to emotion for the underdog.
I'll say it again: The Serbs did nothing special. They just did their job. There was no technological tinkering, no magical stealth-defeating radars or missiles. For all their discipline and capability, all they had to show for it was a couple of shot down planes and surrendered country.
Re:Surprised? (Score:4, Interesting)
INS would be good, yes, but how to identify when a spoofed signal is just a little off what you expect, then increasingly different? Since INS has cumulative error, you can stay within the estimated error bounds and yet totally deceive the drone.
Answer: Radio direction finders. 1930s technology. If the signal is below you and at 300 yards, it's probably not a satellite above you and at 6000 miles. (Marconi, the company, developed the technique of using two RDFs offset from each other to triangulate and therefore give range as well as direction.)
Can you supplement INS using this same technique? Once GPS is marked as out-of-action, those RDFs can be used to triangulate on any radio source, after all. Not if all frequencies are jammed.
Ok, are there any other sensors that could be used? 3-way magnetic sensors (provided they're wired the right way up) could give you some information, provided there were no strong magnetic fields AND you had a magnetic map of the area. The first an enemy can arrange, the second is unlikely in unfriendly territory.
What about terrain-following radar? If you know what the terrain looks like, you can arguably use that with other dead-reckoning techniques to pinpoint your location. I'll give that a maybe, but remember that every added component subtracts from payload and subtracts from the value of using a drone vs a manned vehicle.