The US Military Quietly Turned GPS Into a Global 'Numbers Station,' Evidence Suggests (404media.co) 28
A security researcher says evidence suggests the U.S. military has been using an obscure GPS message field for nearly 20 years to broadcast encrypted key-distribution data, effectively turning GPS satellites into a global "numbers station." The hidden-looking 176-bit messages appear tied to the Pentagon's Over-the-Air Distribution system for remotely updating cryptographic keys, meaning ordinary GPS receivers may have been receiving the traffic all along without anyone outside the military noticing. The findings have been detailed by Steven Murdoch, an information security expert, in a new article in Inside GNSS. 404 Media reports: [...] From the beginning, he suspected that the subframe field contained encrypted transmissions because the data was so random. "Random data is actually very unusual to get in nature," Murdoch said. "If you see it, either it's been carefully designed to be random -- but then, why is someone sending out random data? -- or it's encrypted data. I thought encrypted data is by far the most likely explanation." He returned to the subframe on and off over the years, and solicited guesses about its content on Stack Exchange in 2023. Ahmed Kamruddin, a master's student at UCL, developed the project further in 2025. Then, this year, Murdoch put the last pieces of the puzzle together over several weeks by analyzing open archive Global Navigation Satellite System (GNSS) recordings collected since 2007 and kept by GFZ Helmholtz Centre for Geosciences.
This dataset included more than 12 million observations of Subframe 4, Page 17, yielding 3,994 unique 176-bit messages. Within this corpus, Murdoch pinpointed key-repeating "sentinels" including a pattern that appeared in February 2010 and was broadcast on and off across dozens of satellites for more than a decade. Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military's Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation.
"There was a perfect match between the timeline and that presentation and the change points that were automatically identified from the data," Murdoch said. "That was the smoking gun that made me think: This is what it's for." These automated systems replaced the cumbersome manual distribution of cryptographic keying material, allowing military GPS receivers around the world to be rekeyed remotely through satellite broadcasts rather than through onsite procedures. For the next 11 years, this expansive rekeying operation was overlooked in public GPS data. In 2022, the system entered a new phase, according to Murdoch's analysis. The shift was characterized by a slowing in the message rotation rate. Later, in December 2023, broadcasts carrying a distinctive "TEXT" prefix emerged then gradually spread across the constellation.
Murdoch isn't sure what explains the recent transition, though it could be a possible modernization of the infrastructure or the introduction of a new protocol. But to him, the bigger takeaway is that the signals were always available for anyone willing to take a closer look, a discovery that suggests that there could be more revelations hidden for the cryptographically curious among us. "Every receiver in the world decodes Subframe 4, Page 17," Murdoch said in his new article. "Almost none of them have ever looked at it. The lesson generalizes: There is more to learn from the bytes already arriving at our antennas than from the bytes we wish were specified differently. The data are publicly available. The signal is overhead, twice a day, every day."
This dataset included more than 12 million observations of Subframe 4, Page 17, yielding 3,994 unique 176-bit messages. Within this corpus, Murdoch pinpointed key-repeating "sentinels" including a pattern that appeared in February 2010 and was broadcast on and off across dozens of satellites for more than a decade. Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military's Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation.
"There was a perfect match between the timeline and that presentation and the change points that were automatically identified from the data," Murdoch said. "That was the smoking gun that made me think: This is what it's for." These automated systems replaced the cumbersome manual distribution of cryptographic keying material, allowing military GPS receivers around the world to be rekeyed remotely through satellite broadcasts rather than through onsite procedures. For the next 11 years, this expansive rekeying operation was overlooked in public GPS data. In 2022, the system entered a new phase, according to Murdoch's analysis. The shift was characterized by a slowing in the message rotation rate. Later, in December 2023, broadcasts carrying a distinctive "TEXT" prefix emerged then gradually spread across the constellation.
Murdoch isn't sure what explains the recent transition, though it could be a possible modernization of the infrastructure or the introduction of a new protocol. But to him, the bigger takeaway is that the signals were always available for anyone willing to take a closer look, a discovery that suggests that there could be more revelations hidden for the cryptographically curious among us. "Every receiver in the world decodes Subframe 4, Page 17," Murdoch said in his new article. "Almost none of them have ever looked at it. The lesson generalizes: There is more to learn from the bytes already arriving at our antennas than from the bytes we wish were specified differently. The data are publicly available. The signal is overhead, twice a day, every day."
And then ... (Score:5, Funny)
As the old saying goes... (Score:5, Informative)
Re: (Score:2)
Slashdot posts.
Re: (Score:3, Funny)
..the best way to hide a secREt iS to cOnceaL it in Plain sight within a MUndane enviRonmenT.
No doubt about it.
Re: (Score:3)
RESOLPMURT? :P
Re: (Score:3, Informative)
right to left.
Re: As the old saying goes... (Score:2)
No rot13??? How insecure!
Re: (Score:2)
Re:As the old saying goes... (Score:4, Funny)
cootys rat semen
Re: (Score:3)
Numbers stations (Score:1)
How is key management the equivalent of numbers stations? I don't understand the linkage neither do I see the point of publicly disclosing keying material.
Re: (Score:3)
The only way it could make sense is if you use the broadcast data against a one-time pad and then you have a key to decrypt some other data, however distributed.
There aren't enough unique messages to be the data payload itself. Regular key rotation makes some sense.
Instead of a key it could be a pointer to another data source too. Frequency, satellite channel, URL, whatever.
It does seem premature to conclude the content. No doubt there are many other possibilities.
Re: (Score:2)
Re: (Score:2)
for one it's not key management, only distribution, and no keying material is publicly disclosed; further they don't state equivalence but found a simile for the method: concealing information in a random stream of open noise. congratulations for hyperfocusing on the least relevant bit of information in the message and still getting it wrong.
Not Subject to HF propagation. (Score:2)
Harder to jam.
Smaller antennas.
Easier to Conceal.
Somebody deserves a Medal. (Score:5, Interesting)
This was freakin' genius. Not only did they hide a secret communication system inside a military radio system, but there is more. The US graciously 'gave' permission for civilian use of the previously military only technology, allowing it to be spread throughout the world.
This way their agents could openly use the 'civilian' equipment to receive encrypted military information.
There is some genius American out there that for decades has been unable to brag. Maybe they can give him a medal now.
Re: (Score:1)
It's one of those things that only seems obvious in hindsight,
Bravo or brava to the engineer who proposed it.
Remember those shortwave numbers stations? (Score:4, Informative)
Back in the 80s, and maybe early 90s too, you could listen on a certain shortwave frequencies and it was just some dude or a commie-sounding chick spitting out numbers. Whoa .. just googled it... turns to some of those stations are STILL operating:
The Buzzer (UVB-76 / MDZhB)The Operator: Russian Military.The Location: Originally near Moscow; currently broadcasted from transmitter sites near St. Petersburg and Pskov.The Sound: It has broadcasted a monotonous, buzzing tone 25 times per minute, 24 hours a day, since the late 1970s. Every few weeks, the buzzer stops, and a live voice reads Russian names and numbers (e.g., "Mikhail, Dmitri, Zhenya, Boris...").
The Status: Active. You can still hear it today on 4.625 MHz.
HM01 The Operator: Cuban Directorate of Intelligence (DI).The Location: Broadcasted from transmitter sites outside Havana, Cuba.
The Sound: This station is famous for its technical errors, sometimes accidentally broadcasting radio stations like Radio Havana Cuba or Windows error sounds. It mixes a Spanish-speaking voice reading numbers with loud, screeching digital data bursts.
The Status: Active. It regularly targets Cuban agents operating in the United States.
The Lincolnshire Poacher (E03) The Operator: British Secret Intelligence Service (MI6).
The Location: Broadcasted from RAF Akrotiri, a military base in Cyprus.
The Sound: It began each hour with an electronic music box playing the English folk song "The Lincolnshire Poacher." A female voice with a crisp British accent then read five-digit number groups.
The Status: Inactive. It went off the air in 2008.
Re: (Score:2)
I think that these are all just adult album alternative format stations that keep playing that one Wilco record.
Re: (Score:1)
Still around, but...
Shortwave radios are not as common as they used to be, so they might look a bit more suspicious than they used to.
There was a Russian spy ring busted in the US some years back (2000's ?) and they were getting their instructions over The Internet, and using some specis software to decode them. I don't think the details were published, but ISTR something about steganography in images.
TFA also says this wasn't communication to agents, but key distribution. Keys for what we don't know...
Some hackers broke the encryption (Score:3)
But all that's stored in that message field is 867-5309 [youtu.be].
So what? (Score:2)
It is cheaper than running traditional numbers stations (which are still around) and it is really not that well hidden.