Feeds

Iran spy drone GPS hijack boasts: Rubbish, say experts

Cockup far more likely than conspiracy, as usual

Internet Security Threat Report 2014

Doubts that Iran managed to bring down an advanced US drone over the country last month using an advanced GPS spoofing attack have been raised by experts, who say that attacks of this type would be extremely tough to pull off.

Iran announced on 4 December that it had captured an advanced American remotely piloted spy drone, thought to be an RQ-170 Sentinel, and proudly broadcast images of the captured kit on state TV. The images depicted a drone that was intact and showed little or no signs of damage.

The Islamic Republic initially claimed that its air forces shot the drone down after it encroached  on the country’s airspace near the Afghan border. Iran later claimed it was taken down by a sophisticated cyber-attack.  Days later an Iranian engineer said that this attack involved swamping the drone's GPS receivers with a rogue signal that tricked it into landing on autopilot in Iran instead of a US Air Force base.

The unnamed Iranian boffin told Christian Science Monitor that Iran developed the attack after reverse-engineering previously captured or shot down US drones, and by taking advantage inherent weaknesses in the GPS navigation system.

The US said the drone was lost on a mission in Western Afghanistan before conceding it was carrying out a covert spy operation over Iran. The US has asked for the return of the drone via Swiss authorities.

RQ-170 Sentinel drones, nicknamed the Beast of Kandahar, are advanced unmanned aerial vehicle (UAV) with stealth capabilities, developed by Lockheed Martin and operated by the US Air Force, sometimes on behalf of the CIA. The stealth capabilities should have prevented the Iranians from spotting the UAV on radar. However they might have intensified GPS jamming around uranium enrichment sites to ward off drones, so it is plausible that the downed RQ-170 Sentinel came under a GPS nobbling attack. Publicly available material collated by specialist sites, such as The Aviationist, suggest US drones might be vulnerable to this sort of attack, among others.

However, such GPS spoofing attacks are really tough to pull off and analysts are wary of swallowing Iran's spy drone hacking claims. The Iranian authorities would need to know the location of the drone within a matter of metres and hit it with a GPS signal stronger than the satellites' transmissions. Neither of these signals are encrypted so the stronger signal would win out, but the hijacker must gradually introduce errors to guide the craft down towards the chosen landing point, all the time maintaining a signal lock, a non-trivial effort established by US academics during experimentation:

According to our experiments, the attacker must ensure that his time offset to the system time is less than 75ns. Any greater offset will cause the GPS receiver to lose lock when the spoofing signal is turned on. A value of 75ns roughly corresponds to a distance of 22.5m, meaning that the attacker must know his distance from the victim with an accuracy of 22.5m (or better) — a higher offset will cause the victim to lose lock due to the signal (chip phase) misalignment.

We confirmed that the initial location offset will cause a noticeable jump of the victim’s reported position during the attack. Large offsets could therefore be detected by the victim by monitoring its position. Any imperfections in the arrival time of the signal from different antennas will directly impact the position calculated by the victim. If the relative time offset gets above 80ns, the signals will even cause the receiver to lose lock. This means that, if an attacker has multiple antennas, he must precisely know the distance from each antenna to the attacker in order to be able to spoof a desired location. We could also observe a general localization error as predicted in our theoretical analysis, even for smaller mismatches in the arrival times.

The paper, On the Requirements for Successful GPS Spoofing Attacks [PDF], compiled by eggheads at ETH Zurich, in Switzerland, and UCI, in Irvine in the US, suggests various countermeasures. The covert satellite-lock takeover attack is straight out of the playbook of James Bond villains*. Iran may be trying to run such attacks, Russia might even be helping, but the probability of such a hijacking succeeding is very low.

Either Iran got very lucky or the the drone was simply lost, possibly a result of a command-and-control failure, or jamming over an nuclear facility that disrupted communications with its base, before fail-safe mechanisms, er, failed. In this scenario, the drone unluckily landed in the desert somewhere (rather than mountains where it would have been destroyed or severely damaged).

You'd normally expect the drone to have sustained more damage, even in this scenario, but the possibility that it succumbed to a Blofeld-inspired GPS-spoofing attack looks even more far-fetched. Although the drone operates at high altitude it could have fallen into a flat spin that meant it went into the ground belly first and survived relatively unscathed. ®

*The spacecraft-hijacking opening scene of You Only Live Twice to be precise.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.