Feeds

Iran spy drone GPS hijack boasts: Rubbish, say experts

Cockup far more likely than conspiracy, as usual

Protecting against web application threats using SSL

Doubts that Iran managed to bring down an advanced US drone over the country last month using an advanced GPS spoofing attack have been raised by experts, who say that attacks of this type would be extremely tough to pull off.

Iran announced on 4 December that it had captured an advanced American remotely piloted spy drone, thought to be an RQ-170 Sentinel, and proudly broadcast images of the captured kit on state TV. The images depicted a drone that was intact and showed little or no signs of damage.

The Islamic Republic initially claimed that its air forces shot the drone down after it encroached  on the country’s airspace near the Afghan border. Iran later claimed it was taken down by a sophisticated cyber-attack.  Days later an Iranian engineer said that this attack involved swamping the drone's GPS receivers with a rogue signal that tricked it into landing on autopilot in Iran instead of a US Air Force base.

The unnamed Iranian boffin told Christian Science Monitor that Iran developed the attack after reverse-engineering previously captured or shot down US drones, and by taking advantage inherent weaknesses in the GPS navigation system.

The US said the drone was lost on a mission in Western Afghanistan before conceding it was carrying out a covert spy operation over Iran. The US has asked for the return of the drone via Swiss authorities.

RQ-170 Sentinel drones, nicknamed the Beast of Kandahar, are advanced unmanned aerial vehicle (UAV) with stealth capabilities, developed by Lockheed Martin and operated by the US Air Force, sometimes on behalf of the CIA. The stealth capabilities should have prevented the Iranians from spotting the UAV on radar. However they might have intensified GPS jamming around uranium enrichment sites to ward off drones, so it is plausible that the downed RQ-170 Sentinel came under a GPS nobbling attack. Publicly available material collated by specialist sites, such as The Aviationist, suggest US drones might be vulnerable to this sort of attack, among others.

However, such GPS spoofing attacks are really tough to pull off and analysts are wary of swallowing Iran's spy drone hacking claims. The Iranian authorities would need to know the location of the drone within a matter of metres and hit it with a GPS signal stronger than the satellites' transmissions. Neither of these signals are encrypted so the stronger signal would win out, but the hijacker must gradually introduce errors to guide the craft down towards the chosen landing point, all the time maintaining a signal lock, a non-trivial effort established by US academics during experimentation:

According to our experiments, the attacker must ensure that his time offset to the system time is less than 75ns. Any greater offset will cause the GPS receiver to lose lock when the spoofing signal is turned on. A value of 75ns roughly corresponds to a distance of 22.5m, meaning that the attacker must know his distance from the victim with an accuracy of 22.5m (or better) — a higher offset will cause the victim to lose lock due to the signal (chip phase) misalignment.

We confirmed that the initial location offset will cause a noticeable jump of the victim’s reported position during the attack. Large offsets could therefore be detected by the victim by monitoring its position. Any imperfections in the arrival time of the signal from different antennas will directly impact the position calculated by the victim. If the relative time offset gets above 80ns, the signals will even cause the receiver to lose lock. This means that, if an attacker has multiple antennas, he must precisely know the distance from each antenna to the attacker in order to be able to spoof a desired location. We could also observe a general localization error as predicted in our theoretical analysis, even for smaller mismatches in the arrival times.

The paper, On the Requirements for Successful GPS Spoofing Attacks [PDF], compiled by eggheads at ETH Zurich, in Switzerland, and UCI, in Irvine in the US, suggests various countermeasures. The covert satellite-lock takeover attack is straight out of the playbook of James Bond villains*. Iran may be trying to run such attacks, Russia might even be helping, but the probability of such a hijacking succeeding is very low.

Either Iran got very lucky or the the drone was simply lost, possibly a result of a command-and-control failure, or jamming over an nuclear facility that disrupted communications with its base, before fail-safe mechanisms, er, failed. In this scenario, the drone unluckily landed in the desert somewhere (rather than mountains where it would have been destroyed or severely damaged).

You'd normally expect the drone to have sustained more damage, even in this scenario, but the possibility that it succumbed to a Blofeld-inspired GPS-spoofing attack looks even more far-fetched. Although the drone operates at high altitude it could have fallen into a flat spin that meant it went into the ground belly first and survived relatively unscathed. ®

*The spacecraft-hijacking opening scene of You Only Live Twice to be precise.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.