A Y! Tech Headline on Friday suggested that the US RQ-170 spy drone which went down over Iran recently may have been downed by hacking its GPS. Indeed, far from having malfunctioned, or being shot down, there are credible claims by Iranian engineers that GPS vulnerabilities which have been public knowledge for more than 8 years were exploited to land the drone at a place of their choosing with minimal damage to the drone, and maximum damage to our spy drone program.
I know, how could our military be dumb enough to fly drones with easily hackable technology, and surely military GPS is encrypted? Well, it turns out that “Unfortunately, the civilian GPS signals are not secure. Only the military GPS signals are encrypted (authenticated), but these are generally unavailable to civilians, foreign governments, and most of the U.S. government, including most of the Department of Defense (DoD).” In other words, it’s a pretty good bet that commercially produced drones are using the civilian signal stream from the GPS satellites, and thus open to spoofing.
“Sheer stupidity – we knew what the problems were, and let them fester until someone figured out how to exploit them. This is the equivalent of browsing today’s internet with Windows ME and IE5 – unpatched. We flew the drone from Afghanistan (here there be dragons) into Iran (here there be smarter dragons), and did not expect to get burned. More fool us.”
GPS systems are tested using GPS satellite simulators, readily available commercial devices which produce the necessary signals and timing to tell a GPS receiver its location, and thus run a navigation or tracking system through its paces – you’d be amazed if Garmin, TomTom, Magellan, et al, did not have such gadgets. Indeed, as early as 2003, the Vulnerability Assessment Team at Los Alamos National laboratory (now moved to Argonne National Labs) demonstrated how civilian GPS could be spoofed, and listed 7 ways that the spoofing could be detected – most of which would be at negligible (software) cost to current devices – in 2003 that was 5 out of 7, now with many GPS receivers incorporating decent dead-reckoning capability, that is 6 out of 7.
In case you think this is all highly theoretical, and nobody, least of all the Iranians, could implement a successful attack, Dr Roger Johnston of the Argonne Labs demonstrated the ability to hijack a truck while fooling the tracking system into thinking it was still on course. Sherri over at Philosecurity has the detailed description, but note – her story was in 2008, and the original research into the vulnerability was in 2003 – we still haven’t patched it????
As you browse around, you will find several references to the original whitepaper, but this is the only link which includes the illustrations.
But wait, there’s more! In 2009, Iraqi insurgents with Iranian backing had already figured out how to hack into the video stream from a drone, and figure out if they were a likely target. Tricky and expensive? No – $26 software!! WSJ has the story “Insurgents Hack U.S. Drones“ for this incident, which occurred more than two years ago!
And more – our drone fleet’s Ground Control Software may be infected with keylogging malware – apparently it has proved extremely difficult to stamp out over at Creech Air Force Base in Nevada, but that hasn’t stopped us from flying the drones – what if that Pakistani border incident was deliberately self-inflicted? Tecca.com has the whole story: “Computer virus worms its way into the U.S. drone fleet“.
So, we may have the finest soldiers in the world, and the most high tech wizardry in our military, but the DoD bureaucrats are doing a fine imitation of the Keystone Kops!