Feeds

Iran spy drone GPS hijack boasts: Rubbish, say experts

Cockup far more likely than conspiracy, as usual

High performance access to file storage

Doubts that Iran managed to bring down an advanced US drone over the country last month using an advanced GPS spoofing attack have been raised by experts, who say that attacks of this type would be extremely tough to pull off.

Iran announced on 4 December that it had captured an advanced American remotely piloted spy drone, thought to be an RQ-170 Sentinel, and proudly broadcast images of the captured kit on state TV. The images depicted a drone that was intact and showed little or no signs of damage.

The Islamic Republic initially claimed that its air forces shot the drone down after it encroached  on the country’s airspace near the Afghan border. Iran later claimed it was taken down by a sophisticated cyber-attack.  Days later an Iranian engineer said that this attack involved swamping the drone's GPS receivers with a rogue signal that tricked it into landing on autopilot in Iran instead of a US Air Force base.

The unnamed Iranian boffin told Christian Science Monitor that Iran developed the attack after reverse-engineering previously captured or shot down US drones, and by taking advantage inherent weaknesses in the GPS navigation system.

The US said the drone was lost on a mission in Western Afghanistan before conceding it was carrying out a covert spy operation over Iran. The US has asked for the return of the drone via Swiss authorities.

RQ-170 Sentinel drones, nicknamed the Beast of Kandahar, are advanced unmanned aerial vehicle (UAV) with stealth capabilities, developed by Lockheed Martin and operated by the US Air Force, sometimes on behalf of the CIA. The stealth capabilities should have prevented the Iranians from spotting the UAV on radar. However they might have intensified GPS jamming around uranium enrichment sites to ward off drones, so it is plausible that the downed RQ-170 Sentinel came under a GPS nobbling attack. Publicly available material collated by specialist sites, such as The Aviationist, suggest US drones might be vulnerable to this sort of attack, among others.

However, such GPS spoofing attacks are really tough to pull off and analysts are wary of swallowing Iran's spy drone hacking claims. The Iranian authorities would need to know the location of the drone within a matter of metres and hit it with a GPS signal stronger than the satellites' transmissions. Neither of these signals are encrypted so the stronger signal would win out, but the hijacker must gradually introduce errors to guide the craft down towards the chosen landing point, all the time maintaining a signal lock, a non-trivial effort established by US academics during experimentation:

According to our experiments, the attacker must ensure that his time offset to the system time is less than 75ns. Any greater offset will cause the GPS receiver to lose lock when the spoofing signal is turned on. A value of 75ns roughly corresponds to a distance of 22.5m, meaning that the attacker must know his distance from the victim with an accuracy of 22.5m (or better) — a higher offset will cause the victim to lose lock due to the signal (chip phase) misalignment.

We confirmed that the initial location offset will cause a noticeable jump of the victim’s reported position during the attack. Large offsets could therefore be detected by the victim by monitoring its position. Any imperfections in the arrival time of the signal from different antennas will directly impact the position calculated by the victim. If the relative time offset gets above 80ns, the signals will even cause the receiver to lose lock. This means that, if an attacker has multiple antennas, he must precisely know the distance from each antenna to the attacker in order to be able to spoof a desired location. We could also observe a general localization error as predicted in our theoretical analysis, even for smaller mismatches in the arrival times.

The paper, On the Requirements for Successful GPS Spoofing Attacks [PDF], compiled by eggheads at ETH Zurich, in Switzerland, and UCI, in Irvine in the US, suggests various countermeasures. The covert satellite-lock takeover attack is straight out of the playbook of James Bond villains*. Iran may be trying to run such attacks, Russia might even be helping, but the probability of such a hijacking succeeding is very low.

Either Iran got very lucky or the the drone was simply lost, possibly a result of a command-and-control failure, or jamming over an nuclear facility that disrupted communications with its base, before fail-safe mechanisms, er, failed. In this scenario, the drone unluckily landed in the desert somewhere (rather than mountains where it would have been destroyed or severely damaged).

You'd normally expect the drone to have sustained more damage, even in this scenario, but the possibility that it succumbed to a Blofeld-inspired GPS-spoofing attack looks even more far-fetched. Although the drone operates at high altitude it could have fallen into a flat spin that meant it went into the ground belly first and survived relatively unscathed. ®

*The spacecraft-hijacking opening scene of You Only Live Twice to be precise.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.