Schneier on Security
A blog covering security and security technology.
« Dumbest Camera Ban Ever |
| Assessing Terrorist Threats to Commercial Aviation »
December 13, 2011
Iranians Capture U.S. Drone
Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn't shot down and it didn't crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple "malfunction," but that doesn't make a whole lot of sense.
The Iranians claim they used "electronic warfare" to capture the drone, implying that they somehow took control of it in the air and steered it to the ground. It would be a serious security design failure if they could do that. Two years ago, there was a story about al Qaeda intercepting video signals from drones. The command-and-control channel is different; I assumed that there was some pretty strong encryption protecting that.
EDITED TO ADD (12/14): Photo analysis of the captured drone.
Posted on December 13, 2011 at 6:30 AM
• 68 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Encryption of course only works if the opponent doesn't know the key ;-)
Also, anybody want to bet that the company who designed the drone systems may be using RSA tokens for network access, or has done so in the past?
there is nothing to bet on, the company is lockheed martin and it was breached with securid
A few things which got me thinking.
On the right side of the plane there's this guy in standing there, looking as non-suspicious as possible, on absolutely every picture there is.
He stands too close to the plane to look normal and I guess he is hiding something which looks like a dent in front of the wing. There was a video in which a glimpse was shown.
Then there is this stand on which it rests: probably just some table with cloth to lift it to a comfortable height, but it might be that it also hidessome further clues to its landing.
Call me stupid, but if I was the U.S. I would land one right there and give the Iranians credit for being so smart they could capture one... - and have it full of shoddy electronics etc
A HERF gun perhaps?
If we assume the Iranians didn't just find it somewhere, and aside from the matter of how they brought it down, it implies their air defense can acquire stealthed air craft.
If you were building one of these wouldn't you put a self destruct in it? If there is one, that would suggest that the Iranians have at least managed to cut it off from receiving further commands from home.
Sideing with Vles. And/or Bruce, you're *assuming* pretty strong encryption? That sounds like you work with a commercial company... ;-] I thought you were more of a proof-over-assuption type.
I wonder if it's a trojan. You can bet Ahmadinejad is going to want to see it in person. Maybe it's rigged to blow when he get's nearby. Doubtful but I can't imagine the Iranians got their hands on all the technology needed to gain and then maintain control of this. I suppose anything is possible though.
... Oh and agree too with Irve. As the drone wasn't lightning fast, could it have been captured with e.g. a net ..? Sounds stupid, but in WWII, Spitfires were able to tip the wings of V2 *missiles*. Plus, lack of resources makes resourceful.
Nobody cares anymore that the US fly military equipment over other countries airspace?
I am wondering what the reaction of the US was if another country flew drones like that one over US airspace.
Many people have speculated on the presence of self destruct devices on the drone. While one could picture a few expecially sensitive small parts protected in this way, there's no way that we would put enough explosives to destroy the drone on board as a self destruct device. These things are designed to be maintained by 20 year old E-4s. And any kind of self destruct would put these guys at serious risk.
It's more that nobody is surprised at this rather than that nobody cares. The US is pretty cavalier re: other contries' sovereignty.
I'd bet they jammed the c&c-channel and
did something insant to the local GPS
signals to trick that innocent drone into
Remember this story about the Drone command center being contaminated by viruses?
My best guess would be that the iranians managed to remotely take control of the drone and landed it in Iran!
Way to do payback for Stuxnet!
This could be related to the reports about viruses at Creech AFB where these drones are controlled from.
It seems plausible to me that an interested party, after hearing of the lack of security there might have put together a custom made malware to achieve this result. Perhaps this was of stuxnet level complexity but I suspect things might actually be a lot simpler than that.
I have not heard a lot about the abilities of the Iranian side in malware production and I am not sure how complicated task this would be (Script kiddie level, Sony rootkit level, Average criminal level, or Stuxnet level). I would certainly believe such an undertaking to be within, for example, the Chinese capabilities.
Iranians are claiming that their "military cyber-warfare unit" managed to take over controls of the drone and bring it down. If the Iranians have broken that encryption then this would either be based on a major break in some algorithm or a major blunder by the designers of the drone control link. Of course both these things are possible (the latter more than the former) but I am sure the designers of the drone put a lot of effort into employing all the most unbreakable encryption in this area. After all, the security of the control link is vital for the drone to be effictive. This must have been tested extensively, as the threat of a take-over is obvious.
However the lack of security at the control center for these drones make some kind of malware operation more likely. The computer security at this sort of control center is probably something that is taken for granted by the designers of the drone system. It has been reported, that the drones are programmed to return to base under certain circumstances, for example loss of pilot's control link. If somebody, through rootkits or other malware stuff, could gain access to the system repsonsible for uploading the drones configurations/instructions, they would probably be able to do anything to the drones. Like making it believe that it was actually based in Kashmar, Iran and should return there instead of some boring little runway in Afghanistan.
I think this loss shows just how vulnerable we are. Generally speaking we secure ourselves against onsey twosy bad guys. We secure to the point of making it unfeasible for a small unit to gain benefit from an attack. When nation states, or possibly groups of nation states, become involved the scale of the confilct we are trying to fight escalates.
This reminds me of the old saying brining a knife to a gunfight. We need to to make substantial adjustments to our public and private security measures.
What about an EMP? The Iranians may have crippled the plane by frying its circuitry.
You can bet Ahmadinejad is going to want to see it in person. Maybe it's rigged to blow when he get's nearby.
He's just a puppet for the mullahs, no point offing him (if you wanted to do regime change through targeted assassination you'd be aiming at the mullahs).
Sounds stupid, but in WWII, Spitfires were able to tip the wings of V2 *missiles*.
Actually those were the relatively slow (by missile standards) V1s, the V2s came in too fast for that (and on a ballistic trajectory).
Of course people care about the US breaches other countries borders without caring.
It's just that people know that the US dont care.
Not hard to make enemies that way.
@Dave " loss shows just how vulnerable we are"
I don't see how from our current example. Military hardware is made with the assumption something will blow it up.
This isn't a case of infrastructure that shouldn't be exposed to the enemy. This system is designed to penetrate the enemy.
That increases it's risk of loss a lot (and drones have gone wonky on their own. I think the US lost some marines trying to recover one in Afghanistan didn't they?) and I would have presumed that was assumption of loss to enemy forces was design criteria.
According to reports elsewhere on the web, Obama was told what was happening but refused to give permission for the self-destruct to be activated.
He reputedly also refused permission for a military snatch-and-grab mission.
Another 'reputedly': the datalink wasn't encrypted. This sounds hard to believe, but ever since I read Stoll's 'Cuckoo's Egg' anything is plausible.
BTW the drone is programmed to land by itself, so might very well suffer no damage whilst landing.
So what you're saying is that he reputedly refused to detonate a bomb on Iranian soil or to send troops into Iran?
Huh, I guess the guy is smarter than I've been giving him credit for.
There is also the possibility that it was deliberately "lost" to Iran such as to create a stir which might be used as the basis for another war. Remember Iraq and "yellowcake" along with other weapons of mass destruction?
All seems fishy to me.
-My admittedly weak understanding of these drones is that when jammed they're still supposed to return to base. That's standard, at least, in the civilian versions.
Re. Jurgen's comment about Spitfires tipping the wings of V2 missiles. I think he meant the V1 buzz bomb. The V2 was a supersonic high arc (vertical take off) rocket, whereas the V1 was a horizontal take off subsonic pulse jet.
I must admit I'm curious.
It has been said before that the early drones were a rush job and shipped without encryption at any point.
And that it stayed that way untill the minor embarrassment of the video signals being picked up by a "soft top" a couple or so years back.
Then... They were supposed to have been fitted with "Baton" type 1 security as it was supposadly the only type one cipher system capable of handling video (or atleast that is what a US congressional enquiry was led to believe).
Ho hum I wonder if there have been the usuall "field upgrade issues" causing "fall back" to "unsecured usage"...
I guess we are probably not going to find out for certain any time soon if at all...
Re: Command/Control channels on the Drones.
Reminds me of a recent post on Boingboing about the SCADA systems used on 747s being accessible remotely by engineers on the ground while the 747s were flying.
Link here: http://boingboing.net/2011/09/25/...
For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.
The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.
@ Anonymous 1 and Spaceman Spiff: Yeah, sort-of a typo. V1 indeed. But the slow speed is what we have here with the drone as well, right? My point was/is that it is physically interceptible in full flight in one way or another, maybe by jamming its radio which might send it on a straight flight path, if it hadn't been already. Locking in for refueling a jet may be more difficult. Anyone with a plausible, technically feasible scenario for this one ..?
So no one is considering that it had an actual malfunction while flying its mission over Iran?
We could of course be missing the obvious...
First the sentinel is a single engine design.
Second although it looks like a stealth design it's anything but, the rounded leading edges on the wing tell us that as do one or two other things.
Thirdly it is a flying wing designed to get good range and performance, thus the wing is almost certainly a stable design, that is it does not require a computer to make over two hundred adjustments to the air surfaces every second (which chews up a lot of energy, and significantly complicate payload instrumentation)
A look at the leading edge also sugests it can fly at very low speeds as well as at low altitude.
Thus it is possible that...
The engine failed, thus cutting power to the avionics and it just glided down to ground level where it pancaked in.
The fact that it is shown in the photographs with it's entire underside covered up from view might be because it's a mangled mess under there either from the landing or from a possible localised self destruct in the belly payload area.
Thus it might just be a case of luck and propergander on the Iranian side.
To be honest though there is nothing on show in the pictures that is not already "known" about the "beast of Kandahar" and many countries could certainly design and build a flying wing of this form with little dificulty. Even the avionics are not that difficult to do for a stable wing design and I've seen several student pprojects on the Internet for flying model aircraft using "gum stick Linux" or similar single board computers and USB or equivalent break out boxes and easily available USB / NEMA peripherals for GPS and compass.
Also it's not that difficult as discussed on this blog several months ago to take an ordinary smart phone with GPS accelerometers and camera to write the software to turn it into an auto-pilot etc controled by ringing it up or sending it SMS messages. Heck if google maps knows about the location and identifing information for cell towers it would be fairly easy to reverse engineer the information and have the phone fly from tower to tower too get it to a destination...
@haiku "According to reports elsewhere on the web"
First I heard about this was this morning out of the right-wing noise machine. Rove and the Koch's are pitching it hard.
What a terrible man the US president is to NOT commit an act of war in an instance where the US is the intruder.
The more I watch the neo-cons the more I understand why it's believeable that even an insane General Ripper thought that he could get the US to make a first strike on the Soviet.
The minute some idiot starts using the term "failsafe", you can pretty much bet the Screw-the-Pooch Clock is ticking.
Next time you ask yourself, "My God, who IS in charge of stuff like this?", the answer is the same as it was in Rome: somebody's nephew.
@BF Skinner - allegedly the rather crude design of the stealth features (lack of wing notches, simple engines, last gen radar absorbing paint) are because it is assumed that one will be lost and the recipient will quickly pass it on to countries able to make use of the technology.
Either that or Lockheed sold them a lemon !
@ B.F. Skinner,
"AP is reporting that an MQ-9 just crashed at the Seychelles Airport"
OMG... First of the major difference is the designation, an RQ is a reconacence only ie no big nasty hellfire missiles etc. Where as MQ is the militarized version with the ability to carry big nasty....
Secondly the MQ-9 Reaper is an older generation drone not sure on which engine it uses.
Apparently the reaper is being used so much over Somalia "looking for pirates" that the drone of the engines is like that of having a Highland Piper playing his bag pipes a glen or three over.
Of course heaven forbid that someone should point out that pirates are generaly found at sea, and the last "scary terrorist plot" using laser printers as faux bombs just happened to originate in Somalia wher AQ is assumed to still be alive and well even without OBL-RIP.
I'm going with Clive's analysis for now. Never attribute to malice or ingenuity what can be more easily explained by failure or stupidity.
The more interesting question however remains what that thing was doing over Iran. Mutatis mutandis, SAC would now be on DEFCON-2 under presidents Gingrich or Bachmann.
guess is it is a trojan to let them disect and see where the information flows to. The second one reported lost is just a back up story.
Folks, were talking spy counter spy- how do we get into the enemys product chain to see where information moves, how there intel works etc.. It could be a red flag operations which we can bet the iran folks are also thinking
BF Skinner wrote: "... right-wing noise machine. Rove and the Koch's are pitching it hard. . . "The more I watch the neo-cons. . ."
What contemptible political trollery. Neither 'Darth' Rove nor the 'dreaded Kochs' have said anything of the drone. And —to illustrate the biased hypocrisy of your comment— the loss was due to left-wing acts of aggression against Iran's sovereignty, turned into cowardice when the drone was captured. My personal, evenhanded and non-political opinion is drones over ANY other country is aggression. Be that as it may; this blog could do without your biased party-line hysterics.
To everyone else in reference to crashing: The plane can land itself; it has onboard stabilization, airspeed, and rate-of-descent built into the core control board, a level below the navigation systems. Similar to the brain where an unconscious person breathes and their heart beats, the systems on drones is layered also so that loss of link-controls —or incorrect descent or navigation commands— don’t crash the bird.
So a HEMP event or similar could easily trash the radios, GPS, and all links, leaving the autonomous ability to land (or attempt to land) on whatever patch of dirt it arrived at.
This smells like a modern remake of Operation Mincemeat. I believe the real target here is either the Russians or Chinese who will be wanting to buy this from the Iranians...
Neither 'Darth' Rove nor the 'dreaded Kochs' have said anything of the drone
Dalek Cheney on the other hand was quite fast in calling for an air strike, admitting that a recovery operation probably would have been a bit difficult. ( http://www.rawstory.com/rs/2011/12/13/... ) I guess even he remembered the kinda disastrous outcome of a somewhat similar mission in April 1980. It is also rumoured that aides were just in time to stop Michelle Bachmann from making a formal declaration demanding the immediate release of its pilots.
The drone probably malfunctioned or ran out of fuel. As for Al Qaeda hax0ring the drones in Iraq that was done by Iraqi resistance not AQ.
I hope all the US drones crash to the ground and burn. I don't approve of flying summary execution machines delivering indiscriminate death from above without due process no matter who may be in the targets.
Also does this now mean that Iran has a 'deployment' method for their nuclear weapons that may or may not exist? Though I'm sure they don't have the little drone arcade seat things and software. If so maybe somebody purposely delivered it to them as an excuse to start a war.
Can you hear the war drums beating? I'm surprised acrobats aren't sent in on top of drones so there's an excuse to rescue the acrobats!
Remember, remember, those "Hikers"? Since when is anyone classified by a routine activity/their hobby vs. their profession? I believe they were more likely SPIES not simple Hikers, but what do I know, I want to bite and chew the edge of a couch with my front teeth until the fabric is warn down to nothing and then I'll start chewing at the wood until there's nothing left there either, then...
Cheers TV Show = Another Illuminati Program?
The show opens with a lady holding a glass of what appears to be red wine but is it instead, blood? Other people are holding glasses with red liquid too, notice the only individual, in green, hidden from the waist up, what message does this convey?
Cheers TV show illuminati = Hermetical Whilst Vinous
coincidence? I think not!
The gentleman holding up the newspaper which reads, "WE WIN!" It's all clear now...
If I were an Iranian general and had the ability to seize control of this drone and fly it to a landing, I really don't think I'd be showing it off to the world press. I'd hide it away and make a convincing crash site (I have time to plan set this up in advance.)
The Iranian military must be considering the possibility of a US invasion at some point. The ability to control drones is much too big an ace in the hole to give up.
First a note: stealth is generally stealthy only against targetting radars; longer wave radars can see these, so knowing it was there was probably not difficult.
Lots of ways this capture could have been done, and possibly several were used.
1) GPS spoofing. Send false hi-power (a few watts; GPS signals are insanely weak) unencrypted GPS signals to the drone while jamming the encrypted channel. Should be fairly easy to do if they know the return coordinates for the automatic drone return (almost certain). (Presumes that any inertial navigation is not sophisticated.)
2) Use an EMP pulse against the drone, which would probably cause it to glide to a landing.
3) Mechanical capture: send an airplane up and catch it in a net, or dump gas/chemicals near the drone to flame the engine out (would require another aircraft flying in tandem with the drone).
4) Hack the control channel (presuming they hacked the manufacturer) and got the encrypted channel keys. (Presumes the control channels are in fact encrypted. If not, even simpler.)
5) Hack the control station.
Possibly, but no one here has mentioned the timing factor in encryption/security. Basically, the more encryption you layer on communications, the slower those communications will be.
Even considering that stealth UAVs are probably not going to be dog fighting, the fact that you already have several built-in (and barely tolerable) delays may mean that adding strong encryption to the command and control systems would degrade performance.
For example, the control stations are (possibly) halfway around the world--transmission delays. You have to aim an extremely sensitive camera (narrow field of view) from a moving platform (jitter, shake, air turbulence) at a small target (which may not be exactly where you thought it would be).
For video and imagery to be analyzed later, you can probably live with the delay involved in encryption/decryption. But when responsiveness to human inputs (and probably stringent real-time limitations) is a major factor, the extra milliseconds to encrypt "bank left" or "add power" may be just too much.
The weakness of the drone communications may be the standard application of encryption rules:
- Strong encryption for stuff that you never want the enemy to see.
- "Weak" encryption for stuff that is only useful for a limited time.
- No encryption for communications that are worthless to an enemy after they have been transmitted.
Dirk Praet wrote ". . . Dalek Cheney on the other hand . . . is also rumoured that . . ."
The first (political) crap-slinging was a lie, so you ignore that and sling more partisan dung hoping it will stick? Rumored? How pathetic. Again —to illustrate the biased hypocrisy of your comment— it is fact, not rumor, that our left-wing President authorized "... an act of hostility against the Islamic Republic of Iran in clear contravention ... of all known international laws and regulations." (Iran's quotes, but close enough) It is also rumored when this inevitability happened, Obama 'choked' at all options, giving Iran time to recover and move the craft into protection at a population center.
My non-political (I am not rooting for D's or R's) opinion is drones over ANY other country is aggression. Cut the politics out and deal with the defense and security issues.
Murphy's Law says any single-engined drones will sooner or later land 'abruptly', stupid to have sent it.
For some of the above commenters, the captured drone is A) Not fully 'stealthy', and B) has never been weaponized. It is a long duration, high altitude surveillance platform for electronic signal, radioactivity, radar, optical, and other snooping. See Wiki for a decent description.
"Sideing with Vles. And/or Bruce, you're *assuming* pretty strong encryption? That sounds like you work with a commercial company... ;-] I thought you were more of a proof-over-assuption type."
This is a military communications system. The NSA is in charge of the encryption for that, and I have more faith in them than I do in your typical commercial-grade security.
Since we are all guessing anyway, here is my versions.
1) Jam GPS and Encrypted Control channel, lots of RF power to overload the Rx channel PGA.
2) Drone should revert to a return home program using inertial navigation
3) But maybe there is a back-up control channel, possibly something as simple as GSM SMS msg control, this has been used in the past for UAV control, so is it still present and maybe active when all else fails? As Clive often says, first force a higher level protocol fail and than watch as the system reverts back to simpler operational protocols...
4) Land the Drone using SMS Msg's
1) use high powered focused isosounders to fry the electronics on the Drone, cough cough HAARP
2) drone disengages motor and glides to a crash landing, probably capable of sub 30Km/h flight so not much damage results in low speed belly landing.
The most plausible explanation I see is for this is that its the result of a chain of errors on our part and good luck on the part of the Iranian military.
I'm certain that a vehicle like this would have a well-protected command and control channel (most likely spread spectrum which is difficult to jam and some type of message authentication and encryption layer at a minimum).
This is technology we have a great deal of experience with, and purpose-built modules are already available. Unlike the video feed, this is a low-bandwidth application which is easier to protect.
Military hardware is also designed to very high electrical immunity standards. Based on test results that are publicly available and the applicable MIL specs, I believe that a practical EMP weapon would need to be deployed very close to the vehicle to do permanent damage if it was designed to spec.
I'm also willing to assume that it was designed in such a way that transmission delays or GPS jamming would not impact its ability to fly away - we spend a lot of money making these things not depend on any single system, and cheap commercial drones can do this now.
That being said, a piece of hardware like this is built so that we can send moderately skilled technicians to deploy it into a hostile place when it is needed for a mission.
At some point, mistakes will be made during its maintenance, operation, mission planning or any one of a thousand other details and the device will malfunction and crash. That's life.
Surely our commanders understand that given enough use, it will eventually fall into our enemy's hands. They must weigh the risks associated with using it against the value of the intelligence it provides. And they won't necessarily be flying the latest package of goodies over enemy territory 24/7.
Having said all of this, I think the inevitable happened, and the Iranians have seized on it as a great propaganda moment. I'm sure they will learn something from our drone, but their real victory is in their battle to keep pro-government and anti-American sentiments stirred up at home.
Bruce, I have an interesting theory on the drone.....I did an article on my blog.....Have a gander and let me know what you think.... Lost UAV or Trojan Horse
How soon till American hackers can sabotage domestic HK drones used against demonstrators? Soon, please God.
It's been pointed out to me on previous occasions that British humour is not generally understood by everyone on this blog. And us in Europe don't really consider current POTUS particularly left-wing. As a matter a fact, we don't see very much difference between your republicans and democrats either, both of which over here fall into the (very) right-wing side of the political spectrum.
BTW, can I interest anyone in my alternate theory that involves the crashing of the smartphone app used to control the drone ... 8)
>> As a matter a fact, we don't see very much difference between your republicans and democrats either
As another non-US poster: +1
+1 on European views of Democrat/Republican difference
@Dirk Praet "don't see very much difference between your republicans and democrats"
Well when the foreign policies and practices remain so consistent from administration to administration it makes you wonder.
@hoodathunkit. You need to start paying attention to how opinion is crafted in the US.
The first mention of 'Obama choked' spin that i've located so far (nice unbiased language btw) came out of the Republican debate. Rick Perry bungled his lines on it. Like a schoolboy on a difficult lesson with a half remembered answer. Who's running Rick Perry's campaign? Same team that put Bush II in office.
Rove's American Crossroads and the Kochs money are using paid call centers personnel to put out a specific word over and over again, on editorial pages, certain infotainment channels, talk radio and call in shows, website comment sections and...ahem blogs.
The consistency we see in the 'conservative' message is in it's source.
So Rick, not notable for being a thinker, who fed him that line? Did he pick it up off talk radio? A policy workshop or was it during debate prep from his team. He was coached and flubbed the line.
Why is everyone so upset about losing a drone?
Isn't that the /point/ of having UAVs? The coverage this is getting makes it sound like a fully manned B-52 (or P-3 Orion) went down over Iran.
Also; yaboo, sucks to you America. Serves you right for flying this stuff over other countrys.
Not sure this is the full story, because it is kinda hard to believe they don't have inertial navigation backup for the drone. especially when it is intended to take-off and land at the same base. modern INS systems have an openloop accuracy of about 500m/hr of flight, so even a 12 hour flight is still accurate to 3km absolute position. That's assuming they don't use some form of closed loop GPS correction for the INS error.
Based on the above article, my guess is that Iran slowly skewed the GPS signal shifting it by the limit of the INS /GPS error correction loop. Lets assume loop allowed for say 5km correction per hour (unnecessary but spec creep often happens..) so a 10 hour flight lets them shift the INS by 50km. It is hard to believe the drone controller would not have noticed an absolute position error of this magnitude accumulating, but maybe that tells us something about the Drone control channel capabilities.
@ RobertT, Rich Rumble,
"GPS spoofing- Looks like a few people were close and or right"
I know how to spoof GPS and have demonstrated adding a shift of over 1KM to it, it's actually technicaly quite simple and does not require much in the way of high tech equipment.
However I'm still a little suspicious of the claim, and am still erring on simple mechanical failure of the drone engine.
Oh and in Afghanistan the RAF used to find drones sharing their airspace at night, when the drones controlers were reporting it to air traffic control as twenty to fourty KM from where it actually was. So yes there may well be a problem with reporting a drone position back to Nellies AFB.
But lets go with the GPS Spoofing (I've explained it befor on this blog but cann't be bothered searching for it so), here's what you need to consider and it's so fundemental to GPS there is no solution in the existing system without a fully independent secondary channel of some kind (which I also know how to do in a number of ways),
The big problem with GPS and other systems like it is the display tells you where it thinks the base of the antenna is. That is the free space measurments are time based and made relative to the antenna, after that they all share the same bit of feedline to the GPS receiver, which justs adds an equal time delay to all the signals, so just time shifts the GPS receiver backwards in time by the propogation time of the feedline.
You can demonstrate this with a 100m drum of high quality coax, a high gain antenna for the GPS signals and a broadband high dynamic range amplifier with sufficient gain to replace the loss in the coax. Simply go to a wide open space about 200m in diameter and put your GPS receiver in a fixed place. Then connect the GPS antenna to the (battery powered) amplifier and the coax from the amp output to the GPS receiver input. You stand by the receiver and get a colleague to take a walk with the antenna.
You will quickly see that the GPS receiver is not telling you the position of it's self but the position of the antenna.
So using this information how do you spoof a GPS receiver, easy replace the coax with a microwave link.
You need the afor mentioned GPS antenna and amplifier and a band shifter upto say Xband (this can be done quite easily home brew by taking a satellite TV LNA + downconverter and turning the fets around and adjusting the DC feeds). This then feeds into a high gain microwave antenna (again use a satellite TV one, for home brew).
At the other end a normal satellite TV antenna, LNA + downconverter puts out the signal at the GPS frequency (if you tune it right) amplify this signal sufficiently and put into another passive high gain GPS antenna to transmitt it out to the ordinary unmodified GPS receiver. By sufficient, I mean that the signal you are transmitting is sufficiently strong as to jam out the real GPS signals at the GPS receiver front end.
You will find that such a cheap home brew setup (less than 200USD) will work upto 10KM line of sight (which is probably all you need for robbing an armourd car).
Obviously if you go to a Minicircuits Microwave circuits catalog, you can buy all the specialised bits in nice little packages with SMA connectors etc so you can plumb it all together to have a MIL spec system which could line of sight do just about as far as you can see at any given hight above the horizon.
To spoof a drone you need two aircraft that fly at a similar speed to the drone. When you locate a drone you fly both aircraft two the drone and turn the spoofing system on. The aircraft with the Xband receiver and GPS re-transmitter stays as close to the drone as it can. The GPS receiver aircraft then flys slowly towards the point where you want the drone to think it is, but also alow for the drones flight path so you have to vector it.
Obviously you cann't fly your GPS receiver aircraft over the boarder to the place the drone would normaly have landed. So you need to make it think it is at or close to the boarder when infact it is atleast the distance from that point to it's landing point inside your country, then jam both the GPS and control channesl. The drone should then turn around and fly the required distance and land just inside you boarders...
Although I have no idea if this was how the Iranians did it, it is the least technicaly sophisticated way I can think of to do it.
However I still would not rule out mechanical failure of the drone and Iranian propogander as the actual cause.
There is also the possability that the photos we have seen from Iran are nothing but a mock up based on the crashed and mangled remains of the drone crashing.
As with all things in the intel world, unlike science and engineering occam's razor is not generaly the best way of eliminating possibilities, in a bluf and counter bluf world where the oponents are both thoughtful and opportunistic in nature.
this is another report from well known Iranian "Dr Khazali"
He has deleted his report from his website but it is yet is Google cache:
he says that it was just a happening and some sheep-keepers reported this airplane to government.
Dr. Khazali was in the jail in Iran because he is one of the Green Revolution Member.
He reports that U.S. Drone were seen accidentally by some sheep-keepers, because it was very shiny in the desert and sheep-keepers were afraid to go closer, so they reported it to police and police reported it to Revolutionary Guard
and they came and they took all mobiles and recorded films from all people in the scene. Dr. Khazali is in Iran and usually is being THREATEN to death because of his openions in his personal website at www.drkhazali.com
This is the DELETED PAGE in PDF in Persian, and I am sure he was pushed to do that:
At this page you can see that "Dr. Khazali" answers (Persian Language) to viewers` question about deleting the posts about US Dron.
He says that he has been pushed to delete them because of Iran National Security Issues.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.