Iran’s Alleged Drone Hack: Tough, but Possible
Take everything that Iran says about its captured U.S. drone with a grain of salt. But its new claim that it spoofed the drone’s navigational controls isn’t implausible. Although it’s much harder to do than the Iranian boast suggests, if true it points to yet another flaw in America’s fleet of robot warplanes.
On Thursday, the Christian Science Monitor published an interview with an Iranian engineer who claims that Iran jammed the drone’s communication links to its American operators, forcing it to shift into autopilot mode. With its communications down, the drone allegedly relied on GPS to fly itself back to base in Afghanistan. With the GPS autopilot engaged, the engineer claims, Iran spoofed the drone’s GPS receiver with false coordinates, fooling it into thinking it was close to home and landing it in Iran’s clutches.
Again: Iranian feats of technological excellence deserve skepticism. (See the Taiwanese animation above for that.) But GPS spoofing is certainly doable. And if it’s true, it builds on a recent history of security flaws with the drones, from their unencrypted video feeds to their vulnerability to malware.
It’s possible to spoof unencrypted civilian GPS receivers. But military GPS receivers, such as the one likely installed on the missing drone, track the encrypted P(Y)-code signal broadcast by the satellites. The notion that Iran could have cracked that encryption “sounds like a made-for-TV movie,” says John Pike, a satellite expert and president of Globalsecurity.org. “If they could overcome the sorts of crypto systems that would protect this drone, they would not waste their time on surveillance drones. They would be breaking into banks.”
But Iran might not have had to break the encryption on the P(Y) code in order to bring down a drone. According to Richard Langley, a GPS expert at the University of New Brunswick in Canada, it’s theoretically possible to take control of a drone by jamming the P(Y) code and forcing a GPS receiver to use the unencrypted, more easily spoofable C/A code to get its directions from navigational satellites.
“GPS satellites transmit on two legacy radio frequencies,” Langley explains. The unencrypted C/A code used by most civilian GPS units “is transmitted only on the L1 frequency. The encrypted P code for so-called authorized military users is transmitted on both the L1 and L2 frequency.”
Translated: If the Iranians could selectively jam the encrypted military code on the L1 and L2 frequencies — and that’s a big “if” — the drone’s GPS receiver might fall back to the less-secure C/A code in a last-ditch attempt to get directions. The P(Y) code is hard to counterfeit because its spreading sequence can’t be generated without the key; the C/A code is public and fully documented, so anyone with a suitable transmitter can synthesize it. Without that protection, it would be relatively simple for Iran to feed the receiver a counterfeit C/A signal and fool the drone into thinking it was back home in Afghanistan.
However, for that scenario to work, the drone’s GPS unit would have to be programmed to use the C/A code in the event the P(Y) code becomes unavailable. It would also have to accept an unauthenticated C/A fix without cross-checking it against its inertial sensors or its last known position, which is the kind of sanity check a navigation system can apply even when it has no authenticated signal.
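To make the fallback scenario concrete, here is a toy Python model written for this article (it is not code from the article, from any drone, or from any real GPS receiver). It assumes a receiver that prefers P(Y), may or may not fall back to C/A when P(Y) is jammed, and may or may not apply a jump check against its dead-reckoned position. The positions, the jamming and spoofing model, and the 2 km consistency bound are all constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed positions for the toy scenario (degrees lat, lon); not real coordinates.
TRUE_POS = (33.0, 60.0)   # where the drone actually is (hypothetically, over eastern Iran)
HOME = (31.4, 65.8)       # hypothetical home base the spoofer wants the drone to "see"


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def sky(jam_py, spoof_fix=None):
    """Signals the receiver can track this epoch, as (code, band, fix) tuples.

    Model: a jammer can deny P(Y) (keyed spreading code) but cannot forge it; a
    spoofer can generate C/A (public code) at will, and a counterfeit slightly
    stronger than the genuine signal captures the tracking loops, so the
    receiver sees only the fake C/A.
    """
    signals = []
    if not jam_py:
        signals += [("P(Y)", "L1", TRUE_POS), ("P(Y)", "L2", TRUE_POS)]
    signals.append(("C/A", "L1", spoof_fix if spoof_fix else TRUE_POS))
    return signals


class Receiver:
    def __init__(self, fallback_to_ca, est, max_jump_m=2000.0):
        self.fallback_to_ca = fallback_to_ca  # the policy the article's scenario hinges on
        self.est = est                        # dead-reckoned / inertial position estimate
        self.max_jump_m = max_jump_m          # consistency bound for unauthenticated fixes

    def update(self, signals):
        """Return (position used, signal source, status) for one epoch."""
        py = [s for s in signals if s[0] == "P(Y)"]
        ca = [s for s in signals if s[0] == "C/A"]
        if py:
            fix, source = py[0][2], "P(Y)"
        elif self.fallback_to_ca and ca:
            fix, source = ca[0][2], "C/A"
        else:
            return self.est, "none", "hold"   # no trusted fix: coast on dead reckoning
        # An unauthenticated fix that disagrees badly with dead reckoning is rejected.
        if source == "C/A" and haversine_m(fix, self.est) > self.max_jump_m:
            return self.est, source, "rejected"
        self.est = fix                        # inertial estimate is corrected by the accepted fix
        return fix, source, "accepted"


def drift_attack(rx, step_m=1000.0):
    """Walk the counterfeit fix from the true position to HOME in small steps.

    Each step stays inside rx.max_jump_m, so a jump check alone never fires.
    Returns the receiver's final belief and how many epochs it rejected.
    """
    n = math.ceil(haversine_m(TRUE_POS, HOME) / step_m)
    rejected = 0
    for i in range(1, n + 1):
        t = i / n
        fake = tuple(a * (1 - t) + b * t for a, b in zip(TRUE_POS, HOME))
        _, _, status = rx.update(sky(jam_py=True, spoof_fix=fake))
        rejected += status == "rejected"
    return rx.est, rejected


if __name__ == "__main__":
    cases = [
        ("P(Y) available, spoofer present", Receiver(True, TRUE_POS), sky(False, HOME)),
        ("jammed, fallback, no jump check", Receiver(True, TRUE_POS, float("inf")), sky(True, HOME)),
        ("jammed, fallback, jump check", Receiver(True, TRUE_POS), sky(True, HOME)),
        ("jammed, no fallback", Receiver(False, TRUE_POS), sky(True, HOME)),
    ]
    for label, rx, signals in cases:
        print(f"{label:34s} -> {rx.update(signals)}")
    print("slow drift vs. jump check          ->", drift_attack(Receiver(True, TRUE_POS)))
```

Two things the model makes visible that the prose does not: the receiver that falls back to C/A with no consistency check is captured in a single epoch, while the same receiver with a jump check rejects the abrupt counterfeit and coasts on dead reckoning. But the jump check is not a cure: a spoofer that starts its counterfeit at the drone's true position and drags it toward the target a kilometre at a time passes every check, because each step looks plausible and the inertial estimate is corrected by each accepted fix. Refusing C/A fallback altogether, or keeping an inertial estimate that the GPS fix cannot overwrite, is the only policy in this toy that the slow drift does not defeat.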
It’s also difficult to jam a drone’s GPS. “They’ve got defenses against these kinds of spoofing attacks,” says Todd Humphreys, who has researched GPS spoofing at the University of Texas’ Radionavigation Laboratory. “They mount their antennas on the top of the drones and sometimes the antennas have the ability to null out jamming or spoofing signals.”
Humphreys isn’t buying the Iranian engineer’s explanation of why the apparent RQ-170 Sentinel’s underbelly appeared damaged in the footage released by Iran. The engineer told the Monitor that the drone’s underbelly was scuffed because of a slight difference between the altitude of its actual home base in Afghanistan and the location where it allegedly landed in Iran.
“This is nonsense,” says Humphreys. If the Iranians had been able to spoof the GPS unit in the precise way they claimed, they would also have been able to control its altitude. “That opens up two scenarios. Either [the engineer] is a user of equipment he’s got from abroad” and doesn’t understand its capabilities, “or he’s making it up.”
The spoofing danger isn’t new. “On the military side,” says Humphreys, “they’ve known about this threat for 20-30 years.”
And this isn’t the first time Iran or its proxies have exploited a long-known vulnerability in an American drone. In 2008, the U.S. military discovered that Iranian-backed insurgents in Iraq had managed to intercept unencrypted video feeds from drones using widely available commercial software. That flaw was known to the Air Force as far back as 1996.
Other drone vulnerabilities have also highlighted security fears. In October, Danger Room broke the news that the cockpits of the Air Force’s drone fleet based out of Creech Air Force Base in Nevada were infected with a virus. Malware had apparently made its way onto the computers because someone had been using one to play the Mafia Wars game — a stunning security faux pas.
It’s by no means clear that Iran really did spoof the drone’s GPS. But if they did, Humphreys isn’t impressed. “If this was really that easy, I’m disappointed,” he says, “because a lot of very smart people have put a lot of time into this.”