Experts Sceptical About Iran’s GPS Hack Claim on RQ-170

Take everything that Iran says about its captured US drone with a grain of salt. But its new claim that it spoofed the drone’s navigational controls isn’t implausible.

It’s possible to spoof unencrypted civilian GPS systems. But military GPS receivers, such as the one likely installed on the missing drone, use the encrypted P(Y)-code to communicate with satellites. The notion that Iran could have cracked through the encryption “sounds like a made-for-TV movie,” says John Pike, a satellite expert and president of Globalsecurity.org. “If they could overcome the sorts of crypto systems that would protect this drone, they would not waste their time on surveillance drones. They would be breaking into banks.”

But Iran might not have had to break the encryption on the P(Y) code in order to bring down a drone. According to Richard Langley, a GPS expert at the University of New Brunswick in Canada, it’s theoretically possible to take control of a drone by jamming the P(Y) code and forcing a GPS receiver to use the unencrypted, more easily spoofable C/A code to get its directions from navigational satellites.

“GPS satellites transmit on two legacy radio frequencies,” Langley explains. The unencrypted C/A code used by most civilian GPS units “is transmitted only on the L1 frequency. The encrypted P code for so-called authorized military users is transmitted on both the L1 and L2 frequency.”

Translated: If the Iranians could selectively jam the encrypted military code on the L1 and L2 frequencies — and that’s a big “if” — the drone’s GPS receiver might reach out to use the less-secure C/A code in a last-ditch attempt to get directions. Without the extra protection of encryption, it would be relatively simple for Iran to spoof the receiver using the C/A code and fool the drone into thinking it was back home in Afghanistan.

However, for that scenario to work, the drone’s GPS unit would have to be programmed to use the C/A code in the event the P(Y) code becomes unavailable.

It’s also difficult to jam a drone’s GPS. “They’ve got defenses against these kinds of spoofing attacks,” says Todd Humphreys, who has researched GPS spoofing at the University of Texas’ Radionavigation Laboratory. “They mount their antennas on the top of the drones and sometimes the antennas have the ability to null out jamming or spoofing signals.”

Humphreys isn’t buying the Iranian engineer’s explanation of why the apparent RQ-170 Sentinel’s underbelly appeared damaged in the footage released by Iran. The engineer told the Monitor that the drone’s underbelly was scuffed because of a slight difference between the altitude of its actual home base in Afghanistan and the location where it allegedly landed in Iran.

“This is nonsense,” says Humphreys. If the Iranians had been able to spoof the GPS unit in the precise way they claimed, they also would have been able to control its altitude. “That opens up two scenarios. Either [the engineer] is a user of equipment he’s got from abroad” and doesn’t understand its capabilities, “or he’s making it up.”

The spoofing danger isn’t new. “On the military side,” says Humphreys, “they’ve known about this threat for 20-30 years.”

It’s by no means clear that Iran really did spoof the drone’s GPS. But if they did: “If this was really that easy, I’m disappointed,” Humphreys says, “because a lot of very smart people have put a lot of time into this.”

Source: Wired: Danger Room
