The US Military Quietly Turned GPS Into a Global 'Numbers Station,' Evidence Suggests (404media.co) 49
A security researcher says evidence suggests the U.S. military has been using an obscure GPS message field for nearly 20 years to broadcast encrypted key-distribution data, effectively turning GPS satellites into a global "numbers station." The hidden-looking 176-bit messages appear tied to the Pentagon's Over-the-Air Distribution system for remotely updating cryptographic keys, meaning ordinary GPS receivers may have been receiving the traffic all along without anyone outside the military noticing. The findings have been detailed by Steven Murdoch, an information security expert, in a new article in Inside GNSS. 404 Media reports: [...] From the beginning, he suspected that the subframe field contained encrypted transmissions because the data was so random. "Random data is actually very unusual to get in nature," Murdoch said. "If you see it, either it's been carefully designed to be random -- but then, why is someone sending out random data? -- or it's encrypted data. I thought encrypted data is by far the most likely explanation." He returned to the subframe on and off over the years, and solicited guesses about its content on Stack Exchange in 2023. Ahmed Kamruddin, a master's student at UCL, developed the project further in 2025. Then, this year, Murdoch put the last pieces of the puzzle together over several weeks by analyzing open archive Global Navigation Satellite System (GNSS) recordings collected since 2007 and kept by GFZ Helmholtz Centre for Geosciences.
This dataset included more than 12 million observations of Subframe 4, Page 17, yielding 3,994 unique 176-bit messages. Within this corpus, Murdoch pinpointed key-repeating "sentinels" including a pattern that appeared in February 2010 and was broadcast on and off across dozens of satellites for more than a decade. Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military's Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation.
"There was a perfect match between the timeline and that presentation and the change points that were automatically identified from the data," Murdoch said. "That was the smoking gun that made me think: This is what it's for." These automated systems replaced the cumbersome manual distribution of cryptographic keying material, allowing military GPS receivers around the world to be rekeyed remotely through satellite broadcasts rather than through onsite procedures. For the next 11 years, this expansive rekeying operation was overlooked in public GPS data. In 2022, the system entered a new phase, according to Murdoch's analysis. The shift was characterized by a slowing in the message rotation rate. Later, in December 2023, broadcasts carrying a distinctive "TEXT" prefix emerged then gradually spread across the constellation.
Murdoch isn't sure what explains the recent transition, though it could be a possible modernization of the infrastructure or the introduction of a new protocol. But to him, the bigger takeaway is that the signals were always available for anyone willing to take a closer look, a discovery that suggests that there could be more revelations hidden for the cryptographically curious among us. "Every receiver in the world decodes Subframe 4, Page 17," Murdoch said in his new article. "Almost none of them have ever looked at it. The lesson generalizes: There is more to learn from the bytes already arriving at our antennas than from the bytes we wish were specified differently. The data are publicly available. The signal is overhead, twice a day, every day."
This dataset included more than 12 million observations of Subframe 4, Page 17, yielding 3,994 unique 176-bit messages. Within this corpus, Murdoch pinpointed key-repeating "sentinels" including a pattern that appeared in February 2010 and was broadcast on and off across dozens of satellites for more than a decade. Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military's Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation.
"There was a perfect match between the timeline and that presentation and the change points that were automatically identified from the data," Murdoch said. "That was the smoking gun that made me think: This is what it's for." These automated systems replaced the cumbersome manual distribution of cryptographic keying material, allowing military GPS receivers around the world to be rekeyed remotely through satellite broadcasts rather than through onsite procedures. For the next 11 years, this expansive rekeying operation was overlooked in public GPS data. In 2022, the system entered a new phase, according to Murdoch's analysis. The shift was characterized by a slowing in the message rotation rate. Later, in December 2023, broadcasts carrying a distinctive "TEXT" prefix emerged then gradually spread across the constellation.
Murdoch isn't sure what explains the recent transition, though it could be a possible modernization of the infrastructure or the introduction of a new protocol. But to him, the bigger takeaway is that the signals were always available for anyone willing to take a closer look, a discovery that suggests that there could be more revelations hidden for the cryptographically curious among us. "Every receiver in the world decodes Subframe 4, Page 17," Murdoch said in his new article. "Almost none of them have ever looked at it. The lesson generalizes: There is more to learn from the bytes already arriving at our antennas than from the bytes we wish were specified differently. The data are publicly available. The signal is overhead, twice a day, every day."
And then ... (Score:5, Funny)
As the old saying goes... (Score:5, Informative)
Re: (Score:2)
Slashdot posts.
Re:As the old saying goes... (Score:4, Funny)
..the best way to hide a secREt iS to cOnceaL it in Plain sight within a MUndane enviRonmenT.
No doubt about it.
Re: (Score:3)
RESOLPMURT? :P
Re: (Score:3, Informative)
right to left.
Re: As the old saying goes... (Score:2)
No rot13??? How insecure!
Re: (Score:2)
Re:As the old saying goes... (Score:4, Funny)
cootys rat semen
Re:As the old saying goes... (Score:5, Informative)
Numbers stations (Score:1)
How is key management the equivalent of numbers stations? I don't understand the linkage neither do I see the point of publicly disclosing keying material.
Re:Numbers stations (Score:4, Interesting)
The only way it could make sense is if you use the broadcast data against a one-time pad and then you have a key to decrypt some other data, however distributed.
There aren't enough unique messages to be the data payload itself. Regular key rotation makes some sense.
Instead of a key it could be a pointer to another data source too. Frequency, satellite channel, URL, whatever.
It does seem premature to conclude the content. No doubt there are many other possibilities.
Re: (Score:2)
Re: (Score:3)
for one it's not key management, only distribution, and no keying material is publicly disclosed; further they don't state equivalence but found a simile for the method: concealing information in a random stream of open noise. congratulations for hyperfocusing on the least relevant bit of information in the message and still getting it wrong.
Re: (Score:2)
Re: (Score:2)
The announcement follows in the grand Soviet tradition of gross downplaying the aftermath of combat, going back at least to WWII, with the battleship Marat being described as "slightly damaged and later raised" after a Stuka attack. (for those unfamiliar with the terminology, 'raising' a ship means refloating it after it has been sunk)
:-) this is normal in war, and it actually makes sense which is why everyone does it. you should check centcom's last couple of dozen of announcements, or any afu announcement for that matter, most of their strikes are designed as pr stunts from the get-go anyway and never have changed the overall course of the war in their favor (actually, quite the contrary in the long run).
but, thanks, i didn't know about the marat and it's an interesting story. "slightly damaged" and "unsinkable" are indeed bizarre and
Re: (Score:2)
:-) this is normal in war, and it actually makes sense which is why everyone does it. you should check centcom's last couple of dozen of announcements, or any afu announcement for that matter, most of their strikes are designed as pr stunts from the get-go anyway and never have changed the overall course of the war in their favor (actually, quite the contrary in the long run).
The lying is particularly funny, if the actual results of the drone strikes have not only been visible to anyone watching tv or any type of social media, but also to the international clown car descending on St. Petersburg for the SPIEF.
It also speaks for itself, if you expect no change, when dozens of refineries and oil pumping stations go up in flames, and this in a country termed "armed gas station". You are my personal symbol for the break down of Russian propaganda.
but, thanks, i didn't know about the marat and it's an interesting story. "slightly damaged" and "unsinkable" are indeed bizarre and misleading wordings to say the least. but to their credit the symbol endured. the wreck actually participated in the liberation of leningrad with her 305mm guns, and lived to witness the soviets defeating the nazis, which merits some respect. and history doesn't really repeat but does rhime, right?
You must have an interesting view on
Re: (Score:2)
it's "rhyme", not "rhime"
always grateful for a helpful correction. i'm indeed not a native english speaker. apart from that, your crystal ball seems to have a quite fascinating effect but it also seems quite unreliable. i would recommend looking out of an actual window for a change. ermmm ... sober, goes without saying. :o)
Re: (Score:2)
So you admit, that you are one these folks, who came to a western country, took full opportunity of all the riches and freedom they offer, only to spew endless streams of pathetic Russian propaganda?
Shaking my head. See a new low every day ....
Re: (Score:2)
my upbringing isn't a mystery here, i've openly written about it, only anecdotally but at length and on several occasions. you have a really low id and claim to be aware of my "endless stream" so you should know.
but i honestly don't see how that should be of any relevance here unless you are a straight out racist nutcase (which ... kinda seems likely, tbh, in that case feel free to go fuck yourself) and have completely run out of arguments (likely too). anyhow your impertinence doesn't really merit any more
Re: (Score:2)
Came here to say this. It's key distribution for a one-time pad cryptosystem, just like the numbers stations on shortwave radio have been doing for many, many decades.
Merely having access to the numbers means nothing. That's how encryption works.
Not Subject to HF propagation. (Score:2)
Harder to jam.
Smaller antennas.
Easier to Conceal.
Somebody deserves a Medal. (Score:5, Interesting)
This was freakin' genius. Not only did they hide a secret communication system inside a military radio system, but there is more. The US graciously 'gave' permission for civilian use of the previously military only technology, allowing it to be spread throughout the world.
This way their agents could openly use the 'civilian' equipment to receive encrypted military information.
There is some genius American out there that for decades has been unable to brag. Maybe they can give him a medal now.
Re: (Score:1)
It's one of those things that only seems obvious in hindsight,
Bravo or brava to the engineer who proposed it.
Re: (Score:1)
If you are offended by someone being courteous, maybe you should just STFU and get off the internet for a bit. Too much stupid shit like you is how we ended up with Trump, seriously.
Re: (Score:2)
Here's the issue you should have taken:
"Bravo or brava to the engineer or engineerin who proposed it."
Re: (Score:2)
That was the original idea with numbers stations, so it was a natural evolution. Owning a consumer radio was not suspicious, so broadcasting on standard civilian frequencies made sense.
The "random" data in the GPS signal is supposedly there to aid with reception and validate the RNGs on the satellites, but it was a pretty obvious place to hide messages too. I'm sure all the other GNSS systems do it too.
Re: (Score:2)
Remember those shortwave numbers stations? (Score:5, Informative)
Back in the 80s, and maybe early 90s too, you could listen on a certain shortwave frequencies and it was just some dude or a commie-sounding chick spitting out numbers. Whoa .. just googled it... turns to some of those stations are STILL operating:
The Buzzer (UVB-76 / MDZhB)The Operator: Russian Military.The Location: Originally near Moscow; currently broadcasted from transmitter sites near St. Petersburg and Pskov.The Sound: It has broadcasted a monotonous, buzzing tone 25 times per minute, 24 hours a day, since the late 1970s. Every few weeks, the buzzer stops, and a live voice reads Russian names and numbers (e.g., "Mikhail, Dmitri, Zhenya, Boris...").
The Status: Active. You can still hear it today on 4.625 MHz.
HM01 The Operator: Cuban Directorate of Intelligence (DI).The Location: Broadcasted from transmitter sites outside Havana, Cuba.
The Sound: This station is famous for its technical errors, sometimes accidentally broadcasting radio stations like Radio Havana Cuba or Windows error sounds. It mixes a Spanish-speaking voice reading numbers with loud, screeching digital data bursts.
The Status: Active. It regularly targets Cuban agents operating in the United States.
The Lincolnshire Poacher (E03) The Operator: British Secret Intelligence Service (MI6).
The Location: Broadcasted from RAF Akrotiri, a military base in Cyprus.
The Sound: It began each hour with an electronic music box playing the English folk song "The Lincolnshire Poacher." A female voice with a crisp British accent then read five-digit number groups.
The Status: Inactive. It went off the air in 2008.
Re:Remember those shortwave numbers stations? (Score:4, Funny)
I think that these are all just adult album alternative format stations that keep playing that one Wilco record.
Re: (Score:1)
this made my entire day!!! :-)
Re: (Score:1)
Still around, but...
Shortwave radios are not as common as they used to be, so they might look a bit more suspicious than they used to.
There was a Russian spy ring busted in the US some years back (2000's ?) and they were getting their instructions over The Internet, and using some specis software to decode them. I don't think the details were published, but ISTR something about steganography in images.
TFA also says this wasn't communication to agents, but key distribution. Keys for what we don't know...
Re: (Score:2)
Anything that someone with an IQ over 60 can unambiguously figure out the meaning of is a word.
Some hackers broke the encryption (Score:4, Funny)
But all that's stored in that message field is 867-5309 [youtu.be].
Re: (Score:2)
So what? (Score:2)
It is cheaper than running traditional numbers stations (which are still around) and it is really not that well hidden.
This has to go! (Score:2)
This started in February 2010, back when Obama was the POTUS.
I'd thought that The Donald had countermanded everything that Obama did but he obviously missed this one, it has to go.