Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

GPS Spoofing Attack Hacks Drones

Soulskill posted more than 2 years ago | from the defense-against-the-borg dept.

The Military 214

Rambo Tribble writes "The BBC is reporting that researchers from the University of Texas at Austin managed to hack an experimental drone by spoofing GPS signals. Theoretically, this would allow the hackers to direct the drone to coordinates of their choosing. 'The spoofed drone used an unencrypted GPS signal, which is normally used by civilian planes, says Noel Sharkey, co-founder of the International Committee for Robot Arms Control. "It's easy to spoof an unencrypted drone. Anybody technically skilled could do this - it would cost them some £700 for the equipment and that's it," he told BBC News. "It's very dangerous - if a drone is being directed somewhere using its GPS, [a spoofer] can make it think it's somewhere else and make it crash into a building, or crash somewhere else, or just steal it and fill it with explosives and direct somewhere. But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

Sorry! There are no comments related to the filter you selected.

Black Ops II (1, Funny)

protodevilin (1304731) | more than 2 years ago | (#40494073)

IRL?

Re:Black Ops II (1)

von_rick (944421) | more than 2 years ago | (#40494297)

How long before someone hacks into one of these drones to scribble "Happy birthday grandpa" in the sky? Granted that the drones don't have white fumes, but it'd still be pretty cool.

Re:Black Ops II (2)

cayenne8 (626475) | more than 2 years ago | (#40494919)

Hmm...wonder when there'll be a YouTube video out on how to do this...?

:)

Surprised? (5, Informative)

Imagix (695350) | more than 2 years ago | (#40494079)

Why is this surprising? Thought that's how the military one was captured a little while ago...

Re:Surprised? (4, Insightful)

scubamage (727538) | more than 2 years ago | (#40494097)

I remember people laughing that Iran couldn't possibly have done this. But I would assume that this would be exactly how they did do it.

Re:Surprised? (5, Insightful)

MozeeToby (1163751) | more than 2 years ago | (#40494275)

Because there is absolutely no way that a military drone should be using a single navigation source as it's be all end all, especially not GPS which can be jammed trivially and spoofed with a bit more effort. If your GPS signal is hundreds of Km off from where your dead reconning (using air speed and compass), says you should be the GPS signal should be ignored entirely. This is what airliner flight management systems do, in fact it's what any idiot hiking through the forest would do. The idea that the people coding software for military grade drones can't figure it out is more concerning than the idea that someone can spoof GPS signals.

Re:Surprised? (3, Interesting)

scubamage (727538) | more than 2 years ago | (#40494353)

Wouldn't there be an order of precedence for multiple navigation signals? I'm not a drone engineer, so I could be wrong, but it would seem if you have multiple radios running you'd set priority for one over the others. If that one is jammed (say, find out what frequency its running on and flood that with noise) it will fail back to one of the other signals (perhaps civilian GPS), which could open a vector for exploitation? Just curious.

Re:Surprised? (2)

aaarrrgggh (9205) | more than 2 years ago | (#40494389)

Voting is the more common approach - 3 means of determining something, and if one disagrees with the other two it is ignored.

Re:Surprised? (1)

f3rret (1776822) | more than 2 years ago | (#40494485)

Because there is absolutely no way that a military drone should be using a single navigation source as it's be all end all, especially not GPS which can be jammed trivially and spoofed with a bit more effort.

This might be true, what is entirely possible however, is that one guy has to take care of tens of drones at once where most of them are simply on autopilot. So if the operator isn't constantly paying attention to one of the drones (either because he is focused on another drone or because of laziness) then one drone can be brought far enough off course that you end up loosing it.

Re:Surprised? (1)

jklovanc (1603149) | more than 2 years ago | (#40494613)

one guy has to take care of tens of drones at once where most of them are simply on autopilot.

Care to cite anything that verifies this assumption that there are multiple drones being controlled by a single pilot in service now?

I have heard of possibilities of this occurring but have never heard of it being in use today. Where this approach hass been proposed it is more of as a swarm where multiple drones communicate and coordinate with each other to perform a task. There is always someone looking after the swarm. If a few drones are spoofed it would be obvious to the controller.

Re:Surprised? (5, Interesting)

Rei (128717) | more than 2 years ago | (#40494729)

The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them. When the drone loses communication for a length of time it is programmed to return to base and land unless it reestablishes communications and receives alternate orders. But it uses GPS to find out where the base is.

Yeah, a "GPS position is changing too fast" check could be useful to try to thwart something like that, but it's also the sort of thing that can be overlooked, and also something that could be slowly faked (aka, from a blind plane's perspective, there's no difference between a "drifting GPS" and flying through a strong wind.). So yeah, you could get into a whole range of attacks and countermeasures, but sometimes the attackers will win, sometimes the defenders.

The people who insisted that a country like Iran could never pull it off always struck me as way overconfident, egotistical. It reminds me of when the Serbians shot down a stealth (which the US tried to blame on hardware failures) and damaged another (among many other aircraft). I read an article on the elite Serbian unit who pulled that off with basically junk hardware and with no air superiority to back them up. They had their tactics down to a tee, and the US got totally overconfident. First they baited NATO into wasting their anti-radiation missiles by jury-rigging together as many fake "radars" as they could muster from junked military equipment. Then they hacked the hardware on the actual radars they were using, boosting the frequency many times over. This made the signal get hugely attenuated by the atmosphere, dramatically decreasing the range, but was A) out of the range of frequencies generally looked for, and B) wasn't nearly as affected by the stealth capabilities of the aircraft. The range was so low that the target aircraft had to fly pretty much over them, but they started mapping out the typical sortie patterns being used and got the hang of reckoning where they'd be and moving to intercept. They also got the hang of how much time it took from when the radar got hot to when a plane could take them out if they were detected, and timed their operations so that the hardware or at least the people had to be Not There Anymore(TM) by the deadline. The troops were drilled over and over in how to set up, get a lock, fire, and then get the heck out of there in the allotted time.

It's easy to assume that because a country is poorer and can't afford fancy hardware, its people are idiots. But that's a bad assumption to make.

Re:Surprised? (4, Insightful)

wvmarle (1070040) | more than 2 years ago | (#40494857)

It's easy to assume that because a country is poorer and can't afford fancy hardware, its people are idiots. But that's a bad assumption to make.

Necessity is the mother of all invention, right?

People that don't have much can become really creative with what they do have.

Re:Surprised? (0)

Anonymous Coward | more than 2 years ago | (#40495283)

In the context of the parent to your post, not really. The Serbs did have all this stuff; SAM decoys are standard tactics for anyone who actually uses them. Their use is detailed in the right field manuals, if you know where to look. There is nothing special or unexpected about this at all.

Re:Surprised? (1)

element-o.p. (939033) | more than 2 years ago | (#40495303)

People that don't have much can become really creative with what they do have.

For some reason, that makes me think of the Sardaukar [wikipedia.org] or the Fremen.

Re:Surprised? (4, Interesting)

Anonymous Coward | more than 2 years ago | (#40495107)

The US didn't blame anything on hardware failures. The failure rested specifically with putting the route of the F-117 right over that SAM. If you get close enough, it will see you (it detected the F-117 at about 23km, according to records). The point of stealth is to shrink surveillance radii and sneak inbetween radars. This was a planning error, not hardware nor anything else. Once close enough, an F-117 is engaged like any other aircraft. There is no magic nor anything at all special about this. No frequency boosting or other BS pseudo-science crap ever happened.

The claims about 'baiting NATO to waste their missiles on decoys' are funny - why? Because for this to happen, the SAM radars had to be shut down, thus rendering SEAD efforts successful. It doesn't matter if the missile didn't hit the SAM. What matters is that for that time, the SAM was useless. Result? Serbians dancing on the wreckage of two planes out of hundreds of sorties that demolished their infrastructure. That's right. Those 'so smart tactics' got them two planes and failed to defend their country whatsoever.

Re:Surprised? (1)

Cow Jones (615566) | more than 2 years ago | (#40495133)

When the drone loses communication for a length of time it is programmed to return to base and land unless it reestablishes communications and receives alternate orders. But it uses GPS to find out where the base is.

The drone knows where it is at all times. It knows this because it knows where it isn't. By subtracting where it is from where it isn't, or where it isn't from where it is (whichever is greater), it obtains a difference or deviation. The guidance subsystem uses deviation to generate corrective commands to drive the drone from a position where it is to a position where it isn't and arriving at a position where it wasn't, it now is. Consequently, the position where it is is now the position that it wasn't, and it follows that the position that it was is now the position that it isn't.

In the event that the position that it is in is not the position that it wasn't, the system has acquired a variation, the variation being the difference between where the drone is and where it wasn't. If variation is considered to be a significant factor, it too may be corrected by the GEA. However, the drone must also know where it was. The drone guidance computer scenario works as follows. Because a variation has modified some of the information the drone has obtained, it is not sure just where it is. However, it is sure where it isn't, within reason, and it knows where it was. It now subtracts where it should be from where it wasn't, or vice versa, and by differentiating this from the algebraic sum of where it shouldn't be and where it was, it is able to obtain the deviation and its variation, which is called error [ytmnd.com] .

Re:Surprised? (1)

aaaaaaargh! (1150173) | more than 2 years ago | (#40495495)

You've just given the most convoluted explanation of dead reckoning I've ever read.

But isn't the problem that, since the error increases over time, the drones prefer to resort to GPS if they think it's available? What I find strange about the Iranian story, though, is that one would assume that a US drone only used encrypted GPS signals, i.e. P(Y) code according to Wikipedia. These shouldn't be spoofable. So was that perhaps a classical "fallback to an unsafe option" security problem?

Re:Surprised? (0)

Anonymous Coward | more than 2 years ago | (#40494787)

Military drones don't rely on GPS as their sole source of navigation, they use it as a backup if they loose link with the ground station controlling it. The Iranians first used broad spectrum jamming to cause the UAV to loose link, then when the UAV entered its return home sequence using GPS because it had lost link, the Iranians spoofed GPS to make the UAV think its home field was the Iranian landing strip.

Re:Surprised? (0)

Anonymous Coward | more than 2 years ago | (#40494937)

The idea that the people coding software for military grade drones can't figure it out is more concerning than the idea that someone can spoof GPS signals.

Not that they can't, probably just that it wasn't explicit in the contract and it's actually a hard non-trivial problem. An example of this same issue being handled in the DOT:
http://www.fra.dot.gov/rpd/downloads/PDFs/RD_Review2012_JWithers_TrainControlAndComm_FINAL.pdf
(see pages 7-9 of the pdf)

As the paper above shows, it's not even that accurate in one dimension (forward/backward along defined path). It's harder in three dimension (+compass +roll +pitch). Any minor sensor drift/noise in dead reckoning leads to large errors over time. 'Direct measurements' (altitude, lat, lon) are needed to remove the drift.

Re:Surprised? (5, Interesting)

Andy Dodd (701) | more than 2 years ago | (#40495163)

In addition, there's absolutely no evidence to back this claim - "But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

Transitioning from "making a few fake pseudolites" to "discovering the crypto key before it changes" (I believe the keys rotate on a daily basis, so you would need to crack the key AND the key change algorithm) is a MAJOR step. I don't know what universe that person lives in if they thing breaking military-grade crypto is even remotely close to this attack in complexity. This attack is easymode compared to generating a proper P(Y) code.

The only "break" so far in the military encryption is the fact that the same keys (and in fact same signal) are used on both L1 and L2, allowing you to cross-correlate L1 and L2 to determine ionospheric delay and remove that one error source. Note that the next block of GPS satellites adds a civilian L2 signal, so this "break" is mostly irrelevant.

In addition, no evidence was provided that a RAIM-enabled receiver was successfully spoofed, only a cheap consumer-grade unit that lacked RAIM.

Re:Surprised? (4, Informative)

Anonymous Coward | more than 2 years ago | (#40494283)

Military drones, and other aircraft that use GPS for navigation use some form of GPS-enhanced INS, rather than just GPS. 'Hacking' a drone that only uses civillian GPS (ie. unencrypted signals) is probably no harder than 'hacking' an open WiFi - or even one with WEP. You just need the right equipment and software.

Hacking an aircraft using the encrypted military signal and GPS-enhanced INS is a different game altogether. It is very unlikely that Iran could have done this; a spurious GPS signal will be rejected and the aircraft will simply fly with un-corrected INS until such as time as the GPS signal is determined to be reliable again.

Also note that this has been successfuly demonstrated by GPS-guided bombs. Iraqis attempted to jam or spoof the GPS signals, but the onboard INS guided the bombs to target.

Re:Surprised? (0)

Anonymous Coward | more than 2 years ago | (#40494371)

And yet here we are. We are spouting the same rhetoric we did when the Iraqis claimed they hacked a drone.

We going to put our heads in the sand again?

Re:Surprised? (0)

Anonymous Coward | more than 2 years ago | (#40494495)

Did they hack it, or did the drone crash all on its own? They do this with alarming regularity.

It's easy to say 'Iran hacked the drone!' (at least I assume you meant Iran); but it seems that everyone wants to ignore the possibility of a crash caused by a mechanical malfunction.

Re:Surprised? (1)

f3rret (1776822) | more than 2 years ago | (#40494507)

And yet here we are. We are spouting the same rhetoric we did when the Iraqis claimed they hacked a drone.

We going to put our heads in the sand again?

Iranians.

And yes, yes we are.

Re:Surprised? (1)

jklovanc (1603149) | more than 2 years ago | (#40494697)

Had the Iraqis been able to hack the military GPS signal it would have happened a lot more than once. The US did not stop using drones after the one went down. If Iraq could hack a drone what didn't they do it again? Answer; they didn't do it in the first place.

Re:Surprised? (4, Informative)

Rei (128717) | more than 2 years ago | (#40494819)

Link [wired.com]

Quick summary: Security on the drones has a history of bad decisions, such as unencrypted video feeds and malware. Breaking GPS encryption would be almost impossible, but it's quite possible that the drones were programmed to use unencrypted GPS as a fallback if encrypted GPS was lost, so if Iran jammed only the encrypted GPS signal, the plane would rely on spoofed unencrypted GPS. The short answer: it would have been tough, and we don't know whether they really did it or not, but it's not as impossible as people are making it out to be.

Re:Surprised? (0)

Anonymous Coward | more than 2 years ago | (#40495377)

Actually it probably never relied on GPS, but on EINS - GPS corrected INS. Once the GPS is detected to be unreliable (ie. no longer in accordance with the INS), GPS corrections will be ignored. It isn't that easy to spoof these things. Not impossible, just not very likely.

Re:Surprised? (1)

Baloroth (2370816) | more than 2 years ago | (#40494373)

It isn't surprising. It would be surprising if they managed to hack a drone that used encrypted GPS, which is (hopefully) what the military drone was using (and also one reason people are skeptical about Iran's claims).

Re:Surprised? (2)

Shoten (260439) | more than 2 years ago | (#40495275)

Possibly, but possibly not. For one thing, the attack being shown here is far, far from news. And there are actually tons of ways [gpsworld.com] to build a GPS receiver with the native ability to detect spoofing, and those features are standard for high-risk equipment [wikipedia.org] (like classified stealth drones). But on the other hand, all of the details are classified in some way or another, so it's really hard to know for sure...but I doubt that it was all that simple as the attack shown here.

One simple way of detecting spoofing is by frequency strength. The most basic attack is to impersonate the satellites, and to be strong enough in output that the receiver is sure to pick up your "sats" instead of the real ones. But that typically means you're putting out a WAY stronger signal than you'd normally get from a GPS, and that ends up being a dead giveaway.

For military uses, the open and unencrypted C/A code GPS signal isn't even used; they use the more secure (and originally supposedly more accurate...but not really more accurate) P code signal (which now has a W code overlaid onto it as well). So there are inherent features involved in military GPS [unsw.edu.au] that act as anti-spoofing as well.

Thanks a lot (2, Funny)

Anonymous Coward | more than 2 years ago | (#40494093)

Thanks a whole bunch, Treyarch, way to give the terrorists awesome ideas. Maybe next time make a game called Rainbow Factory: Gumdrop River 2 and we don't have to cower in fear everywhere we go ^ ^,

Re:Thanks a lot (1)

BanHammor (2587175) | more than 2 years ago | (#40494391)

So, has Effel Tower fallen lately? I may be late for the news.

Iran already did it (1, Redundant)

GameboyRMH (1153867) | more than 2 years ago | (#40494099)

That's how they brought down that blended-wing-body drone a while back.

AMERICA, FUCK YEAH! (-1)

Anonymous Coward | more than 2 years ago | (#40494323)

Just because some American college students can do it doesn't mean that a bunch of Iranian cameljockeys could.

Re:AMERICA, FUCK YEAH! (1)

BanHammor (2587175) | more than 2 years ago | (#40494407)

Why not? It's not like they have a fundamental disability.

but this one goes to 11! (0)

Anonymous Coward | more than 2 years ago | (#40494659)

That WHHHHHOOOOOOOOSSSSSHHHH you just heard was the sound of a hijacked drone making a low pass before unleashing a hellfire missile to recalibrate your sarcasm detector.

Re:AMERICA, FUCK YEAH! (1)

Rei (128717) | more than 2 years ago | (#40494885)

Anyone else remember the story of the Iranian concrete [economist.com] from a while back? Read about how much it blew away the competition [wired.com] at a concrete strength contest and brought the issue to light. 50-60k PSI concrete failure strength is just insane.

but military drones don't use unencrypted signals (0)

Anonymous Coward | more than 2 years ago | (#40494111)

So yes you can fool a civilian drone or airliner this way (but they have access to other navigation technologies like marker beacons). But it won't work on military systems.

I wonder if we'll ever have a civilian system using an encrypted public/private key system where the public key is distributed to all equipment manufacturers?

Re:but military drones don't use unencrypted signa (0)

Anonymous Coward | more than 2 years ago | (#40494305)

This is plane wrong. One of the drones sends the video stream back unecrypted and it was a large issues quite recently. Also all GPS signals are unencrypted. How people took this long to realize it is beyond me. I knew this was possible back in high-school I just didn't realize it would be so cheap to do.

Re:but military drones don't use unencrypted signa (1)

Baloroth (2370816) | more than 2 years ago | (#40494457)

This is plane wrong. One of the drones sends the video stream back unecrypted and it was a large issues quite recently. Also all GPS signals are unencrypted. How people took this long to realize it is beyond me. I knew this was possible back in high-school I just didn't realize it would be so cheap to do.

No, the drone sent a video signal to the ground unencrypted (it was intended to be visible to troops, and was presumably unencrypted to allow ease of viewing. Stupid, yes, but it makes a kind of sense). And military GPS signals are encrypted, specifically to prevent spoofing. The P-code the military GPS system uses is encrypted, and has been for years.

Re:but military drones don't use unencrypted signa (1)

kasperd (592156) | more than 2 years ago | (#40494851)

And military GPS signals are encrypted, specifically to prevent spoofing.

Encryption doesn't prevent spoofing. When people who thinks it does are involved with designing cryptographic systems we end up with insecure systems that are broken the first time somebody knowledgeable looks at it.

You can add message-authentication-codes or digital signatures to your data. That will ensure the data is authentic, but it won't stop replay attacks.

If you replay the authentic signals a little bit delayed and with a little bit more power than the authentic signal, you can throw off the navigation even without knowing the actual meaning of the signal.

To protect against that sort of attack, you are going to need a challenge response protocol. The receive will need to send a signal to the satellite, and the satellite will need to respond. The roundtrip time will give the receiver a maximum distance between itself and the satellite. With a few such maximum distances the position can be narrowed down.

Re:but military drones don't use unencrypted signa (2)

Baloroth (2370816) | more than 2 years ago | (#40495287)

Yes, it does prevent spoofing. How do you send a valid, encrypted signal if you don't have the encryption key? This isn't like public-key encryption where anyone can generate a valid signal: if the encryption key itself is secret, you can't either encrypt or decrypt the signal without knowing it, and that does prevent spoofing. You can jam the signal, sure, but not spoof it. For reference, the source P-code, which is encrypted with the W-code (the details of which are secret) is 720 gigabytes long, and only replays once a week or so (each satellite has it's own P-code). The W-code is significantly smaller, but probably still long enough that brute-forcing it is impossible. A replay attack is impossible, as long as the W-code and the P-code are not in sync (i.e. the encrypted Y-code doesn't repeat, which it doesn't). The result is that the encrypted signal is little better than noise to an observer: you can't fake it.

The only problem with the current system is that you can't always use the encrypted system alone (you have to lock on to the unencrypted signal first). The modernization of the GPS system is looking to fix that problem, too.

Re:but military drones don't use unencrypted signa (1)

leonardluen (211265) | more than 2 years ago | (#40495487)

if your signal is vulnerable to a replay attack, then you designed your protocol wrong.

i recently developed a wireless communication protocol for a project i was working on, you could record and replay the encrypted signals all you want, and it would reject the replayed signal as invalid. you could take it a bit further and if it detects a lot of replayed signals it could alert you that someone is being nefarious.

simplest solution i can think of...send a timestamp as part of the signal...that time code should always increase, if it doesn't you know something isn't right with the signal and someone is trying to replay it...and if i recall correctly the GPS signal basically is a timestamp...so just do some validation to make sure it always increases, you can even compare it to your internal clock to ensure it increased by the expected amount. **unless you built a time machine

Re:but military drones don't use unencrypted signa (1)

jklovanc (1603149) | more than 2 years ago | (#40494901)

The civilian signal signal has the ability to use selective availability [gislounge.com] . It is turned off right now but can be turned on at any time and has in times of war to deny GPS information to the enemy. The military channel is also transmitted as accurate as possible but is not available to civilians because it is encrypted.

"the big worry" described above (4, Informative)

circletimessquare (444983) | more than 2 years ago | (#40494117)

isn't that exactly how Iran caught that US drone a few months ago?

google...

tada:

http://news.slashdot.org/story/11/12/15/2013249/us-sentinel-drone-fooled-into-landing-with-gps-spoofing [slashdot.org]

Re:"the big worry" described above (2)

slashmydots (2189826) | more than 2 years ago | (#40494191)

Or you could have not googled it and just read the 2nd paragraph of TFA: "The same method may have been used to bring down a US drone in Iran in 2011."

Re:"the big worry" described above (1)

circletimessquare (444983) | more than 2 years ago | (#40494357)

reading TFA is not allowed according to slashdot cultural norms. who are you stranger?

Re:"the big worry" described above (4, Insightful)

NeutronCowboy (896098) | more than 2 years ago | (#40494225)

The problem is that no one knows for sure whether that actually happened. Yes, the Iranians claim that's what they did, but it is unlikely for two reasons: the article specifically mentions that military GPS signals are encrypted (although it wouldn't be the first time that the military decides to use unencrypted channels to send/receive live drone information), and the Iranians are... well, prone to exaggerating their achievements. I'm much more of the opinion that the drone malfunctioned, crash landed, and the Iranians went "PR Jackpot!".

Re:"the big worry" described above (2)

andydread (758754) | more than 2 years ago | (#40494363)

It could also be possible that if you jam the encrypted military signals the drone may fallback to civilian unencrypted signal recognition in an attempt to return to base then you spoof unencrypted signal and voila. Drone lands.

Re:"the big worry" described above (0)

Anonymous Coward | more than 2 years ago | (#40494511)

Very unlikely. They have a compass, airspeed sensors, and inertial sensors, in addition to the GPS. You can vote sensors against each other. So if the GPS is significantly in disagreement with the other 3, you vote in favor of the 3 and ignore the GPS.

Re:"the big worry" described above (1)

Mabhatter (126906) | more than 2 years ago | (#40494771)

But drones are flown by operators in windowless offices... They don't have a sense of "space". They get number from ABC agency and maybe a Satillite picture.. They don't "need to know" the rest.

All you'd have to do is keep corrupting some of the GPS signals. Just "lean" it off course. The operator only has numbers... They won't KNOW they are not flying in a line, which is why it wouldn't work for airplanes so well because pilots usually know where they are going by sight.

Also, they use drones specifically because they use a lot of non-military hardware. Mostly because it's cheaper, but also so the truly secret stuff doesn't get lost. While a plane may have those security features, I'd doubt they put that on drones.

Re:"the big worry" described above (0)

Anonymous Coward | more than 2 years ago | (#40494455)

*Ahem!*

SOMEONE knows for sure what actually happened. In fact no less than TWO people know what happened.

Two guys in an elevator, and one guy farts. Everyone knows who did it.

Re:"the big worry" described above (2)

Savage-Rabbit (308260) | more than 2 years ago | (#40494491)

The problem is that no one knows for sure whether that actually happened. Yes, the Iranians claim that's what they did, but it is unlikely for two reasons: the article specifically mentions that military GPS signals are encrypted (although it wouldn't be the first time that the military decides to use unencrypted channels to send/receive live drone information), and the Iranians are... well, prone to exaggerating their achievements. I'm much more of the opinion that the drone malfunctioned, crash landed, and the Iranians went "PR Jackpot!".

Dont make the mistake of thinking the Iranians are a bunch of ill educated goat herders and dirt farmers I'm sure some of them are ill educated but the Iranians have some pretty intelligent CS and math people, I have met some of them. If the Iranians or anybody else could really hack the encrypted data streams on these drones like those UT researchers seem to be suggesting then the pilotless airforce concept is in trouble (never been a big fan myself). People keep talking about drones as if, when you loosa a squadron of them, you can just break out a new one like a six pack of beer. The problem is that a drone that has JSF or F -22 level tech also has a JSF or F -22 level price tag plus you defenitely do not want a whole brace of them to be hijacked by the enemy and captured in foll working condition along with their precious top secret tecnology and radar absorbant materials.

Re:"the big worry" described above (2)

radtea (464814) | more than 2 years ago | (#40494601)

I'm much more of the opinion that the drone malfunctioned, crash landed, and the Iranians went "PR Jackpot!".

Likewise, the US security-industrial complex has a long history of vastly overstating the difficulty of defeating or reproducing American technology, starting with the A-bomb, which the Russians weren't supposed to get for decades (it took them a couple of years, thanks to some well-placed spies) and the H-bomb (primarily due to careful analysis of fall-out from atmospheric testing, which allowed them to reverse-engineer the basic structure in some detail.)

Unless you're going to claim that Iranian scientists, engineers and spies are somehow all completely incompetent, you have to admit that it's more-or-less a tie as to who is more likely lying in the case of the American drone captured by the Iranians.

Re:"the big worry" described above (1)

wvmarle (1070040) | more than 2 years ago | (#40495005)

GPS signals are weak, and as such can be easily disturbed by simple jamming: broadcasting noise at that frequency range. So that part is very plausible.

Giving it fake GPS signals (i.e. valid but wrong data), not so much. GPS relies on satellites, with high-precision timed signals, and needs to receive multiple signals at a time to get a location. That means the jammers basically need a GPS transmitter, and I don't think they're easy to come by. The only ones that I know to exist are circling around our planet.

The encryption is probably not too hard to overcome: jam the military (encrypted) signals, feed fake civilian (unencrypted) signals. Very likely that civilian signals are fall-back. But creating valid signals, that's the problem.

Blocking/jamming other communication: well that's of course also a no-brainer. You just have to find the correct frequencies to jam.

So all in all your malfunction-theory is very plausible.

Didn't Iran do this... (1)

Anonymous Coward | more than 2 years ago | (#40494121)

Like, 6 months ago? If I remember it was a proper predator 2, even, not some experimental prototype.

Also, use it on the wrong people? I would imagine those getting fired at with hellfire missels from unknown planes silently circling and spying with robotic eyes would think, "gee, THOSE guys are the 'wrong people'"

Re:Didn't Iran do this... (0)

Anonymous Coward | more than 2 years ago | (#40494531)

No, they most likely didn't. And no, it wasn't. Wow, you just can't even google, can you?

solution (1)

slashmydots (2189826) | more than 2 years ago | (#40494231)

It's difficult but not really all that difficult relatively speaking to slap an encrypted GPS transmitter on a weather or spy satellite. Since another slashdot article says we're running low on Earth-monitoring satellites for weather and stuff, the government always wants more spy satellites, and now they need an expanded encrypted GPS network, they could possibly justify launching a do-it-all satellite for cheaper than 3 separate ones. I believe cost was the reason all 3 of those haven't been launched much lately.

Unencrypted GPS (3, Insightful)

SirGarlon (845873) | more than 2 years ago | (#40494239)

Is anyone else troubled that civilian planes use unencrypted GPS and are therefore susceptible to spoofing?

Re:Unencrypted GPS (0)

Anonymous Coward | more than 2 years ago | (#40494411)

You mean, *one* could crash airplanes into tall buildings with just $700 worth of equipment?

Wow, I hope the bogeymen don't find out about this.

I mean, that would render the TSA redundant?

Re:Unencrypted GPS (1)

Concerned Onlooker (473481) | more than 2 years ago | (#40494579)

You don't even need the equipment. All you need are two things: fear, surprise and an almost fanatical devotion to...wait, all you need are three things....

Re:Unencrypted GPS (2)

asynchronous13 (615600) | more than 2 years ago | (#40494427)

No. GPS on civilian aircraft is a secondary system. Even with complete GPS blackout (or spoofing), the pilot in command still has all of the primary sensors available for navigation.

Re:Unencrypted GPS (2)

CompMD (522020) | more than 2 years ago | (#40495331)

Its becoming a primary system. As the FAA decommissions radar stations and other navaids, GPS and ADS-B interrogation are replacing those technologies and services. Similarly, small aircraft can use GPS for precision approaches in instrument meteorological conditions instead of ILS. Many small airports don't have ILS runways, and many small civilian aircraft aren't equipped to use ILS. In the case of a GPS approach, if a fix is lost or wrong, the pilot must abort the landing and execute a missed approach.

FD: I'm a pilot and engineer with a background in avionics.

Re:Unencrypted GPS (0)

Anonymous Coward | more than 2 years ago | (#40494459)

Not anywhere near as much. In the end, a civilian plane has a pilot who can look at his GPS, look out the window, and realize "A != A", while a drone is far more restricted in that it's designed to cut -out- the human failsafe.

People are valuable. Don't underestimate their drive not to screw up massively. Or take a trip to Iran.

WHO KEEPS THE METRIC SYSTEM DOWN? (1)

Thud457 (234763) | more than 2 years ago | (#40494465)

shhhh, that's why the cancelled The Lone Gunman" series. [wikipedia.org]

Re:Unencrypted GPS (1)

f3rret (1776822) | more than 2 years ago | (#40494535)

Is anyone else troubled that civilian planes use unencrypted GPS and are therefore susceptible to spoofing?

Not really no, because civilian planes also tend to have pilots in them who might notice that they aren't in the right spot.

Re:Unencrypted GPS (0)

Anonymous Coward | more than 2 years ago | (#40494685)

Unless they're JFK Jr.!

Oh too soon?

Re:Unencrypted GPS (0)

Anonymous Coward | more than 2 years ago | (#40494993)

Generally they'll maintain altitude, start alerting of a failure and demand pilot intervention. You'd have to slowly distort the signal so that it looks like a direction change instead of an instant jump, and the plane then tries to compensate.

The reason this isn't a huge risk is because of the geographical area involved. If you need to do this slowly, you need to stay within spoofing range for quite awhile.

Re:Unencrypted GPS (1)

LanMan04 (790429) | more than 2 years ago | (#40495175)

Meh, not really. Eventually the plane's dead reckoning system (estimation of where the plane is in 3-space based on air speed, compass heading, and altimeter) will start to diverge quite a bit from what the GPS says.

Standard procedure at that point is to believe the dead reckoning system, start using "traditional" methods to determine your location, and ignore the GPS.

In short, your instruments are to be believed over the GPS.

Re:Unencrypted GPS (1)

Githaron (2462596) | more than 2 years ago | (#40495253)

Not really. They have human pilots as backup.

Re:Unencrypted GPS (1)

Andy Dodd (701) | more than 2 years ago | (#40495305)

1) The GPS in real aircraft (small cheapo drones use cheapo GPS) does self-integrity monitoring. So far we only know they spoofed a consumer-grade (or equivalent) GPS. No indication that they defeated a RAIM-enabled unit. (e.g. spoofing it without triggering an alarm)
2) Most such aircraft also have a fairly robust inertial navigation system the GPS is checked against. (often this is checked as part of the RAIM monitoring process)
3) In the case of manned aircraft not on an instrument approach, you need to defeat the Mk1 Eyeball in addition to the GPS and INS.
4) In the case of manned aircraft on instrument approach - most airports still also have legacy ILS.

In short - spoofing a civilian aircraft without causing a "my instruments are fucked, pull up" pilot response is orders of magnitude more difficult than this hack.

money (1)

Max_W (812974) | more than 2 years ago | (#40494281)

Drone's URL, USB key-stick, log-in and password theoretically can be bought.

Certainly, we entertain an idea that there are no traitors, who sell information for money, but it happened before.

They're aren't any "right" people. (1, Offtopic)

pigiron (104729) | more than 2 years ago | (#40494301)

Drones raining death from the sky shouldn't be killing *any* people.

Who are the right people? (0)

Anonymous Coward | more than 2 years ago | (#40494303)

See title.

I don't see the problem here (0)

Anonymous Coward | more than 2 years ago | (#40494315)

It's not that all drones are used on the right people nowadays.

A paper on this from 2002 (2, Informative)

Anonymous Coward | more than 2 years ago | (#40494329)

Here's a paper [anl.gov] on this from 2002.

All they did was purchase a commercial GPS simulator, which is used by companies to develop their GPS receivers and is easily attainable. They just connect an antenna to the simulator and beam it at the direction of a GPS receiver, jam the receiver so it loses current lock, and then it'll be spoofed once it locks onto your antenna. I always thought you needed to do some super complicated math and use multiple sources since GPS relies on careful timing information to get position, but the commercial simulator handles it all for you.

Jamming vs Spoofing (1)

habig (12787) | more than 2 years ago | (#40494409)

it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them

Jam? Sure. But one of the reasons millitary grade hardware is so expensive redundant systems, take one out, you can still function. In this case, very good interial navigation systems.

But "not very hard" to break military grade encryption on something as vital as the defense channel from GPS satellites... if that's easy we've got bigger problems than rogue drones. They're not using WEP, after all.

Re:Jamming vs Spoofing (1)

habig (12787) | more than 2 years ago | (#40494415)

Bleh - I even previewed that post. "interial" -> "inertial".

Re:Jamming vs Spoofing (0)

Anonymous Coward | more than 2 years ago | (#40495109)

Oh but come on. I just "hacked" my next-door neighbor's unencrypted wi-fi, so it obviously wouldn't be too hard for [a very skilled person] to work out how to hack into classified pentagon computer systems. Based on my simplified proof-of-concept, of course. They're virtually the same thing!

Drones (1)

AdmV0rl0n (98366) | more than 2 years ago | (#40494419)

Cheap assed weapons, built by lowest cost contractors, flown by kids who are probably on low pay, and in an enviroment that pandering to the lowest user operations. They already changed from Windows to Linux due to malware/virus infestation.

None of any of it is impressive. I think any serious nation state, or indeed well padded grouping could probably dig for some extended time and develop counters and counter operations against drome based operations.

And I suspect that somewhere in the drone ops, there are radio or systems that are actually very old, and have major flaws, and there will be aspects of the drone be it GPS or otherwise that are achillies heels.

That and the fact that someone one day will realise that a real airforce with real aircraft kill capacity would eliminate drone fleets on an industrial scale. Especially in 5-10 years when 'clever' Generals and Politicians have concluded that they can do away with airforces almost totally and just have a bunch of drones.

Everything in warfare is the established case of counter, then counter again.

Exaggerate much? (1)

tomhath (637240) | more than 2 years ago | (#40494489)

FTFA:

Todd Humphreys and his colleagues from the Radionavigation Lab at the University of Texas at Austin hacked the GPS system of a drone belonging to the university...They demonstrated the technique to DHS officials, using a mini helicopter drone

So they were able to take control of their own model helicopter. And they hypothesize that IF they could break the encryption of a military drone they could do the same thing. But that's a huge IF.

It didn't happen in Iran, several drones have crashed in Afghanistan and Pakistan, and I assume several more have crashed in the US. Without a pilot onboard a fairly minor electronic or mechanical problem will bring them down.

Re:Exaggerate much? (0)

Anonymous Coward | more than 2 years ago | (#40494941)

The drone in Iran did not crash. It was in perfect condition when Iran showed it.

It was captured.

Re:Exaggerate much? (2)

Andy Dodd (701) | more than 2 years ago | (#40495341)

You have zero evidence to support your claim.

The Iranians were VERY careful not to show the underside of the drone, which is the part most likely to sustain crash damage.

FUD (2, Interesting)

jklovanc (1603149) | more than 2 years ago | (#40494505)

This would only work if the drone was using only GPS to fly from place to place. Most drones have a pilot who direct them most of the time and uses GPS to find it's location. A pilot would notice the discrepancy between what the GPS plot shows and what he sees in the camera monitor and assume the GPS screwed up.

This next statement is just stupid;

But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

The way the current system probably works is that it transmits signals similar to the ones from the satellites. To spoof an encrypted drone one can not "unencrypt" it. That would be equivalent to convincing the drone to accept un-encrypted GPS signals. That should be impossible. If someone could send out false data that is encrypted using the same keys and algorithms as the satellites that would ba a major issue as cruise missiles could be spoofed. That kind of spoofing is not something that can be done by "a very skilled person" as it would require knowing the encryption keys.

The following statement is also bunk;

The same method may have been used to bring down a US drone in Iran in 2011.

One can speculate all one wants but that does not make it true. It is much more likely that the drone lost contact with the pilot center and auto landed. Lets use a real life unverifiable incident to support our FUD.

They also talk about hijacking drones delivering FedEx packages. Fred Smith, CEO of Fed Ex says he wants them but he is nowhere near getting them. Even if they did use drones I bet Fed EX would use the encrypted channel and they would rely on navigation aid other than GPS as verification.. If you want to scare us at least talk about something real.

We have plenty of real things to worry about rather than to fall for FUD.

Re:FUD (2, Insightful)

radtea (464814) | more than 2 years ago | (#40494727)

We have plenty of real things to worry about rather than to fall for FUD.

The problem is you have nothing to counter the FUD but RUC: Reassuring Unsupported Claims.

"You bet"... FedEX would encrypt them, eh? I'm glad you feel that your gambling problem is relevant to this discussion of actual reality, but I have no idea why you think it is. Neither I nor anyone else cares what your bet is. We care what FedEX will actually do, when it comes time to deploy drones with software supplied by the lowest bidder.

Furthermore, while FedEX may be some years from getting drones, closing our eyes to the potential problems in the meantime doesn't help. FedEX or someone like them will get drones. This is a certainty. That they don't have them now is irrelevant.

I'm also grateful that you have informed us so authoritatively as to "the way the current system probably works." I'm sure you have a very good imagination, but what you imagine and what is real are unrelated. No one is interested in what you imagine. We only care about what is real, which you have told us nothing about.

Your whole post is classic security-industrial bluff and bluster, full of RUC, but no more substantive or meaningful than the FUD you claim to dispute.

Re:FUD (1)

CXI (46706) | more than 2 years ago | (#40495189)

Is this where I come in and point out something about straws and men? I've been away for a while so it's taking a while to come back to me...

Re:FUD (1)

jklovanc (1603149) | more than 2 years ago | (#40495265)

How about this paper [cornell.edu] which shows how the spoofing works (exactly as I stated) and the defense against it.

Fed Ex does not have drones right now. When and if they get autonomous drones they can open themselves up to billions of dollars of lawsuits by using the civilian channels which can be spoofed or they can do their fiduciary duty and use the military channels. Since no one has made the decision as to which course to take, all we can do is speculate. I speculate they will want to protect their company and use the military channels.

No autonomous aircraft would ever be allowed to fly using only one source of location information. What happens if the GPS system goes out for some reason like s solar storm or massive hacking by a belligerent country? Would it be acceptable for all GPS only autonomous aircraft to fall out of the sky? There will always be backup navigation devices and if they do not agree to a certain degree an alarm will go off and the aircraft will be remotely piloted. There is no way an autonomous aircraft will be allowed to have a single point of failure that is this important.

We only care about what is real, which you have told us nothing about.

If you "care what is real" then do your own research. There is this thing called Google [google.com] that can help you with that.

Re:FUD (0)

Anonymous Coward | more than 2 years ago | (#40495619)

yeah like the military is going to open up their channels to FEDEX you blithering incompetent idiot. only a complete moron would think fedex would use military GPS with rotating keys.

Re:FUD (0)

Necron69 (35644) | more than 2 years ago | (#40494859)

Exactly! DRONES ARE NOT ROBOTS. THEY HAVE PILOTS!!!

God, how stupid are so many people, especially reporters, that they don't seem to get that? Spoofing a GPS signal does not give you control over the pilot.

Necron69

Re:FUD (1)

jklovanc (1603149) | more than 2 years ago | (#40495029)

There is also a defense [cornell.edu] against such hacking.

Sensationalism (1)

Anonymous Coward | more than 2 years ago | (#40494625)

I certainly don't see how the skills necessary to broadcast a spoofed GPS signal relate to cracking the encryption of the military GPS. Also, inertial information can be used. The original post about the drone in Iran talks about this a lot:

http://news.slashdot.org/story/11/12/15/2013249/us-sentinel-drone-fooled-into-landing-with-gps-spoofing

This seems a little sensationalist.

GPS spoofing a problem? Use more than just GPS (0)

Anonymous Coward | more than 2 years ago | (#40494667)

BAE Systems is developing a navigation system that uses "signals of opportunity" Wired has an article describing the system: http://www.wired.co.uk/news/archive/2012-06/29/bae-gps

The Solution (1)

Scutter (18425) | more than 2 years ago | (#40494719)

Clearly, the solution is to arrest and prosecute the researchers and pretend that this isn't a giant security hole. That way, the company's profits will still be protected and they won't have to spend more R&D money on fixing the problem.

No Need to decrypt (1)

iceco2 (703132) | more than 2 years ago | (#40494733)

We have no reason to believe encrypted GPS signals can be decrypted easily, but that doesn't mean they can't be spoofed.
You can record them and play them on a delay of your choosing (with higher local signal strength)
Since GPS positioning is all about the relative delay if you control the delay you don't need to decrypt the signal of create your own.
The comments also mentioned their is a pilot normally in control of the drone,
but since the pilot is connecting remotely the control signal can theoretically be jammed, at which point the drone will normally
try to assume a predefined course.
Obviously there are technical difficulties, but one theory is that this is exactly what the Iranians did to the US drone a while back.
There are countermeasures available but this is a very real threat.

Re:No Need to decrypt (1)

timmy.cl (1102617) | more than 2 years ago | (#40495225)

GPS signals include the time. Replaying encrypted signals that include time information can be trivially detected. Now, if encrypted stuff only includes positioning data, then just spoof the unencrypted time+position, plus replay encrypted position.

We're looking at this from the wrong angle (0)

Anonymous Coward | more than 2 years ago | (#40495387)

This is why we need to remove Critical Thinking subjects from our educational curriculum. If nobody could figure out how to break or fool weak encryption, these sorts of devices could be much less expensive to produce and operate.

Claims may be valid, but very system-dependent. (1)

PseudoCoder (1642383) | more than 2 years ago | (#40495459)

I think the article might be a bit sensationalist considering the context is that you are able to spoof your own drone, but I get the general point. Spoofing unencrypted civilian GPS (CA code) is a possibility, but harder after a receiver has a fix. Spoofing unencrypted military GPS (P-code) using the same technique is VERY difficult because of the length of the pattern, but not impossible. Spoofing encrypted military GPS (Y-code) is statistically improbable.

I'm a UAV guy but not much of an RF guy. Anybody know what chance there is to selectively jam one band while letting the other band pass? I don't think it's very likely, so slim chance of jamming P/Y code to spoof the C/A fallback (if it's being used at all). Frankly, I wouldn't use CA fallback anyways if I suspect jamming. I'd look at my residuals (dead reckoning navigation errors) and try to head towards my pre-defined return home point. Which brings me to my next point.

If you want it to use the return-home function that results from a lost datalink you need to jam the datalink. And that's still not a landing instruction, just a safe point to fly to in order to reacquire, so spoofing to return-home is unlikely to give you an intact drone.

To actually command a landing at a certain spot you need to know which coordinate to spoof your GPS towards, which implies that you unencrypted the datalink AND know its packet structure to interrogate, if not redefine, the recovery point, which is pre-programmed during pre-flight checklist and not casually redefined during normal operations.

In my professional opinion, all this adds up to a high improbability of Iran deliberately bringing down that drone. Unless some incompetent decided to use an unencrypted GPS receiver and datalink on one of the most valuable assets in the inventory. Then I'd have them fired. Out of a cannon.

A question on Drone Building dot mil (1)

RobertLTux (260313) | more than 2 years ago | (#40495463)

Why would you not have some sort of self redact function to fix the problem of a drone going down in hostile territory??

All you really have to do is program the drone to Explode/Thermite the electronics bay if it reaches Zero Velocity without some sort of HomeBase signal being received (rotate the exact signal on a weekly basis)

or even put some sort of DeadMan switch in the electronics bay that you have to open another panel (and insert a SafeKey) to disable.

*yawn* (1)

Tmann72 (2473512) | more than 2 years ago | (#40495629)

Iran bragged about doing this to the US's drone months ago. *Yawn*

What drone was hacked? (2)

WaffleMonster (969671) | more than 2 years ago | (#40495645)

Am I supposed to be impressed? What drone was it? Why no pictures or any information other than the university owned the UAV. For all I know their "drone" is just a model airplane project a student jury rigged using a cellphone.

Just to be safe lets go with military drone images on all of these web sites parroting the same story and mention someone from DHS was present as well. What does that matter?

Was the drone using raim? Did it use other sensors like fluxgates, rlgs to confirm position? Is ANY useful information available?

Easy to Detect (0)

Anonymous Coward | more than 2 years ago | (#40495685)

I would say that a low cost spoofing solution should be easy to detect by a half decent drone design even when you don't use encrypted position codes (which would be unlikely). For a start, a signal that was stronger from below the horizon than in the air are not trustworthy, after all, what obstacles are above a drone? Any signal that causes extreme difficulty in the equations that resolve an accurate space and time fix converging can be marked as untrustworthy too. Also any space and time fix that doesn't also correlate with the inertial guidance can be marked as untrustworthy(with modern mems technology, who wouldn't have this on board ?).

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?