Schneier on Security
A blog covering security and security technology.
« Snow Cone Machines for Homeland Security |
| Cameo in a Rock Video »
December 16, 2011
More on the Captured U.S. Drone
There's a report that Iran hacked the drones' GPS systems:
"The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain."
The "spoofing" technique that the Iranians used -- which took into account precise landing altitudes, as well as latitudinal and longitudinal data -- made the drone "land on its own where we wanted it to, without having to crack the remote-control signals and communications" from the US control center, says the engineer.
The Aviationist has consistently had the best analysis of this, and here it talks about the Tehran Times report that Iran has four Israeli and three U.S. drones.
My original blog post.
Posted on December 16, 2011 at 12:01 PM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I've often wondered how feasible it would be to feed bad position data to a GPS unit remotely, now I have my answer.
Also, why the hell isn't it checking its GPS data against less vulnerable magnetometers and accelerometers, not to mention reacting to persistent position/speed/altitude changes that it didn't initiate? It should be able to navigate well enough with dead reckoning to at least turn around and leave hostile territory, or perhaps even continue its mission depending on the extent of the jamming and spoofing resources.
Looks like I'm at least partially vindicated in my suspicion of GPS spoofing.
It should be very easy to do. There are commercial 'GPS simulators' which do exactly what is needed, and are not terribly expensive. (And you'll need an RF power amplifier, and something to jam the drone's control channel.)
Apparently the drones have a minimal or no inertial navigation system.
@Granade: "... now I have my answer."
Only if you believe the unnamed Iranian engineer.
GPS spoofing paper. http://t.co/bigchaGW Note the RF needs and the stories about the Russian tech that was sold to Iran recently...
@Kevin - I would assume it does. But like anything else that uses an IMU it assumes that GPS is correct and the IMU is wrong.
If you deviate the course slowly enough it looks like IMU drift and you update the inertial nav to the correct GPS signal
I think there will be a big demand for sextants - it's hard to spoof the sun and stars!
I always thought it had some sort of self-destruction mechanism to prevent it from falling into the wrong hands.
Bruce: you've made it big time now! ;)
Interestingly, the SR-71 had an astro-inertial navigation system which supplemented the IMU with star tracking. It could find stars in broad daylight and was supposedly accurate to within 300ft. Would make an excellent cross-check for a GPS system, I imagine.
Is my understanding correct that after bypassing control and communications they took over its GPS navigation just like that ? Surely, the latter must have been protected with some authorisation mechanism ? Or was that a 4-digit pin ?
I was surprised that GPS lacks the ability to tell receivers, "yea verily, this signal you're getting is from a real honest-to-gosh GPS satellite and not some spoofed signal"...
I guess GPS technology predates a perceived need for such authentication; I guess the military was primarily interested in ensuring that the highly accurate version of the signal was protected (though as we all know that went by the wayside eventually)...
@mikeash - ICBMs use star trackers for a similar reason, you know you are in a shooting war when all you GPS sats disappear!
@Dirk - no, they couldn't take over the encrypted comms link do they simply broadcast a shifted GPS signal to convince it that it was at home and so it landed normally.
It's very easy to do this either deliberately as in this case, or accidentally like Lightsquared. This is the reason for augmentation systems (waas/egnos) which stop your plane going off course if the GPS is bad - I'm guessing there isn't a good augmentation service in this area.
Military GPS is authenticated, but apparently vulnerable to realtime replay (custom delay) atta cks.
@yeliaB - the military encrypted signal didn't go by the wayside - it's still there. What they removed was the ability to deliberately degrade the civilian signal.
The military one both gives you a second frequency which lets you achieve higher accuracy by cancelling out some atmospheric effects and gives you a confirmation that you are receiving a genuine GPS signal.
Either this drone wasn't using military GPS - because of politics or perhaps just commercial reasons to go with an existing commercial GPS chipset.Or they managed to spoof encrypted GPS which would be 'interesting'
In most areas that GPS users care about you can combine your local signal with a reference beacon (either free WAAS or pay service) to get high accuracy and some guarantee that you aren't being spoofed.
Now that GPS is being much more widely used for item tracking and timestamps there is a lot of interest in ways of detecting spoofing - by looking at noise characteristics and the way signals change - see http://www.insidegnss.com/node/1633
Why does everyone suppose Iran has this technology? Why are we so prone to believe whatever crazy story Iran has about this "achievement"? Does anyone remembered the doctored pictures of their missile tests? Anyone ever hear their leader speak on the Holocaust? Seriously, if they had such technology, why wait until now to use it? This surely isn't the first time we've flown drones over there. Here's another article I posted on this.
At the very least, I'd expect a drone to have enough logic to figure out "I can't be home, I haven't traveled far enough" or "I'm not seeing the secret beacon" or "the terrain isn't right. I'm being hijacked."
(1) The technology to generate spoofed GPS signals is simple, relatively inexpensive, and commercially available (e.g., for calibration of flight-rated GPS units).
(2) Overwhelming the legitimate GPS signals is trivial. The actual signals are generally 'below the noise floor' and use correlation gain to extract the signals. A GPS spoofer doesn't need high power. Even a few watts of terrestrially-based signal will completely drown out the real signal.
(3) Believing the unnamed Iranian engineer is easy: it's the simplest approach and the most likely to succeed. Apparently it did... IMO, it's also given credence in that I predicted this strategy last week.
(4) Inertial navigation systems are relatively expensive, and integrating them with a GPS system apparently more expense than the drone engineers/mfrs wanted to deal with. It isn't fundamentally hard to do, but apparently the expense was spared.
(5) Military GPS is encrypted, and receivers hard to come by, but like civilian GPS, low-power and easily jammed.
(6) For all of this to work, the control channel to the drone did not need to be subverted, merely diverted. Jamming the control channels would have required some power and, if the drones are sophisticated, some knowledge of backup channels or spread-spectrum channels for their control. (I.e., a semi-smart drone should be aware of jamming/signal loss on its control frequencies, and should move to backup frequencies or communication mechanisms. The Iranian military would have to know about those and jam them as well... if they exist.)
Wasn't this in a bond film?
GPS spoofing of civilian grade systems should be easy. I'm wondering how thay managed to spoof the mil-spec stuff that (IIRC) should be a heck of a lot harder.
bcs: GPS spoofing of civilian grade systems should be easy. I'm wondering how thay managed to spoof the mil-spec stuff that (IIRC) should be a heck of a lot harder.
Why bother? Just jam it.
Google "trojan horse" for details on this scheme ;-)
Why has no one considered that there would be extreme value in having a highly sophisticated surveillance device get carried into the top-secret Iranian labs?
How do they know it's not uplinking all its observations on, say, radiation levels, to some sat?
To all the, "Why wasn't [this]", "Why wasn't [that]" questions here, please add "Why aren't drones equipped with something like a more explosive version of lightweight primer cord that is wound around all the sensitive bits of the drone, so if it senses it has been compromised it explodes into small bits of nothing?" I do realize that part of the problem appears to be that it didn't realize it had been compromised.
I hope the more destructive Predator has better fail-safes all around.
James Bond, "Tomorrow Never Dies"
Tom, self destruct mechanisms are almost never worth it on something like a drone. The chance of it going off when being serviced and injuring a technician * the medical bills / disability pay tends to be larger than the cost of the drone, and they're generally designed to not carry any terribly secret equipment. After all, drones are often used where you can't risk a human pilot being shot down.
GaryL, I should hope the Iranians are smart enough to do any work on captured devices inside a Faraday cage. Covering a room in grounded foil isn't terribly expensive.
A couple of reasons for no self destruct.
You assume something like this is going to be lost so you don't put your latest tech onboard - that's why it's not very stealthy.
For real security you would need some sort of "assume I'm captured" logic so it took a specific highly encoded secret to stop it going bang - combine that with 19year old, whatever the lowest grade of tech is in the USAF, and you can see the issues.
The bigger problem is that you intend to fly these over other people's countries - either allies or potential enemies. At what point does a highly unstable self destruct charge packed drone become a cruise missile ?
For those who want to know how to simply spoof a single antenna GPS system including the one using "the oh so secret" Mil version of GPS I wrote a simplified explanation the other day,
Which has a few more pertinent details and is based on a rehash from memory of one I posted a year and a half ago on Bruce's posting of a page about a report on "Space Terrorism"
If you read down you see that Greg and I further discussed some of the technical issues as did others.
There is also one from even further back which I can hunt out if people want me to, I did the experiments originally years ago to prove a point as to why GPS should not be used on it's own or as the intermittent "master reference". Originally I did this when indirectly involved with a MIL project (where the aim was to reduce "collateral damage" and I pointed out it could actually make things worse).
And I did it again with slightly better equipment a few years later when involved with the design of an "ultra high value load" security transportation system.
None of the existing GPS systems are "spoof proof" on their own for a variety of reasons, the simplest being that it's not possible to authenticate reliably on a "one way" communications channel due to "replay attacks". Thus they all need a secondary channel of some kind, that preferably cannot be jammed.
The easiest non jammable secondary channel to "retro fit" is an independent high precision time reference adjacent to the GPS receiver against which you measure "time slip" against the GPS averaged clock from the GPS receiver. It will show a predictable output with any but the best spoofing showing time jumps etc (what you do with that info is a whole different subject). This is not quite as good as additionally running a secondary synced chip code, but as the MIL version is supposed to be "ultra secret" you would not really want to put it on a drone that only has a single engine and is not really stealthy just low probability of detect due to the "paint job".
If you have some method of mitigating jamming such as a highly frequency agile across a very wide band, high power secondary RF channel available then you can send various forms of authenticated signal sending some form of secondary reference signal that is it's self encoded in a very time dependent manner. However even this can still be spoofed but with quite a bit more difficulty (,especially if it is highly mobile it's self, on a secret but "known to the drone not the enemy" path).
The solution to spoofing is almost always the use of two way channels with replay and MITM protection. The problem is the "return channel" acts as a beacon for those wishing to find the drone. Thus you end up with a classic compromise problem, which is further exacerbated by having an intelligent and reactive adversary that adapts faster than you can.
The solution to this is the same as won the American Civil War and most subsequent wars and it is industrialization. In this case ask a series of questions such as "Do we really need stealth?", "Do we really need live feed?", "Do we really need hands on stick pilots all the time or at all?", "Do we really need secrecy during design?", etc, etc. Answering no to many of these sorts of question generally adds up to a simple mass produced item which has attendant low production costs and the drones almost become "use once and discard" items and other significant advantages become possible. For instance assume instead of a single high value drone you have a swarm of N low value drones to the same dollar value working as a self aware network, what does this get you in terms of overall utility value?
Well first off it gets you resilience in terms of the enemy has to get all N drones. Which is unlikely as the job of defeating such as system is almost N times worse for the enemy in small numbers and at a certain N overwhelms their defensive capability. But it also gets you "space diversity" which means spoofing and jamming are very very much more difficult, and a whole load of other advantages such as multi-point perspectives / views virtually for free. It also allows not just for the detection of spoofing and jamming but for it's source to be pinpointed with accuracy and thus effective real time counter measures to be taken such as evasion or as counter strike as some drones could effectively be "baby cruise missiles" carrying a small low cost war head like that of a 70mm rocket. etc...
@ Tom Hebert,
"I hope the more destructive Predator has better fail-safes all around."
It depends on what you mean by "better" because your better might be my worse.
A piece of history, most people who lived through any part of the cold war as adults has an unease about nukes and especially the idea of MAD.
What people did not realise was the different views about nukes between the US and CCCP.
The CCCP idea of "fail safe" was that the darn things actually went off if deployed so their idea was "simple" and thus reliable.
The US idea of "fail safe" was based around the idea of what happens if the nukes are stolen or a soldier etc goes mad, so they did not want the darn things to actually go off unless deployed correctly, so they went the other way, and put in Permissive Action Links (PALs) so their idea was "complex" and thus effectively unreliable.
There was one estimate that said due to PALs only about 1/3 of US nukes would work on correct deployment, so the US needed three times as many nukes to ensure parity...
So by "better" do you mean "more" cases for self destruct to prevent loss to enemy, or as others have indicated "less" cases for self destruct to prevent loss of life to your own troops and other collateral damage?
For instance loss of GPS is quite common as is loss of control channel due to many forms of "drop out" in normal operation other than deliberate jamming. The cost of such drones is high as would be the collateral damage if one self destructed with weapons on board above a crowded town market square etc etc.
>"For instance assume instead of a single high value drone you have a swarm of N low value drones to the same dollar value working as a self aware network, what does this get you in terms of overall utility value?"
In other words; we've already flown n thousand sorties and have collected all the information we desire. Hurray we've only lost seven drones? ;P
Then again, moving outside the realm of mil&tech into (international) politics of which the former are but tools of trade, there's still a lot of "untapped" value in appearing vulnerable when you are not.
And if you are indeed vulnerable, there's still value in making the other party believe that you orchestrated this vulnerability deliberately to "appear" vulnerable. And so on, and so on...
Here's a funny thought: Maybe Israel and the U.S.A are Pavlov conditioning extremists intending to blow up things and implore them to learn to build and fly information collecting drones over their airspaces instead in a sort of "look-this-is-much-more-fun-and-gentle-to-each-others-population-why-don't-you-do-this-back-to-us-because-we'd-love-the-opportunity-to-remote-hack-or-subvert-or-capture-one-of-your-drones-too"
"look-this-is-much-more-fun-and-gentle-to-each-others-population-why-don't-you-do-this-back-to-us-because-we'd-love-the-opportunity-to-remote hack-or-subvert-or-capture-one-of-your-drones too"
Sort of "Spy-V-Spy" with electronic-butter-fly-nets?
Instead of the cold war, "A spy for a spy"
Personaly I think the US should be getting drones from "South of the boarder down Mexico way" that would be more fun, because some might be Spy-Drones, some might be Mule-Drones and others just Looking-for-Work-Drones all mixed up with DHS-Drones and those little DHS funded Texas-Sherif-Non- lethal-weapon-UAV's.
Such congestion could lead too all sorts of things research papers into "ATC less 3D-Driving in cogested skys" oh and DoD / DHS funding as they realise that they can apply all the old Sub-V-Sub rules to drones and have "Hunter Killer K class drones" with "Mini-Me-Missiles" instead of torpedoes...
>Sort of "Spy-V-Spy" with electronic-butter-fly-nets?
You seen "Men Who Stare At Goats"? I was reminded of the scene in which the generals were sitting in a circle and received a flower from Jeff Bridges. ;)
In a sense, the Iranians get to practise playing with/reverse engineering ET tech
Wasn't this in a bond film?
Two of them: Never Say Never Again, as well as Tomorrow Never Dies (mentioned by Spencer).
this is another report from well known Iranian "Dr Khazali"
He has deleted his report from his website but it is yet is Google cache:
he says that it was just a happening and some sheep-keepers reported this airplane to government.
Dr. Khazali was in the jail in Iran because he is one of the Green Revolution Member.
He reports that U.S. Drone were seen accidentally by some sheep-keepers, because it was very shiny in the desert and sheep-keepers were afraid to go closer, so they reported it to police and police reported it to Revolutionary Guard
and they came and they took all mobiles and recorded films from all people in the scene. Dr. Khazali is in Iran and usually is being THREATEN to death because of his openions in his personal website at www.drkhazali.com
This is the DELETED PAGE in PDF in Persian, and I am sure he was pushed to do that:
I do wonder how they managed to spoof the military signal.
On the other hand, maybe they just did a "downgrade attack" by jamming the military one, and providing a spoofed civilian one...
"Military GPS is encrypted, and receivers hard to come by"
Didn't the iranians shot down a couple of drones? Maybe they managed to salvage the GPS unit from one of them, or recover enough bits from both to figure out how it works.
@eyesoars: "Why bother? Just jam it."
There is only one man that would DARE give me the raspberry! Lonestar!!!!
"ICBMs use star trackers for a similar reason, you know you are in a shooting war when all you GPS sats disappear!"
you know you're in a REAL shooting war when all your *stars* disappear.
The term we are searching for here is "meaconing" and its been around probably since people started using fire as a navigational aid. If a drone was not designed with this at least having been a bullet point on the design document the mfr should have to give the money back.
Clive Robinson wrote: "The CCCP idea of "fail safe" was that the darn things actually went off if deployed so their idea was "simple" and thus reliable.
The US idea of "fail safe" was based around the idea of what happens if the nukes are stolen or a soldier etc goes mad, so they did not want the darn things to actually go off unless deployed correctly, so they went the other way, and put in Permissive Action Links (PALs) so their idea was "complex" and thus effectively unreliable."
A similar situation existed on 9 track 1/2 tape drives. These tapes had a plastic ring that could be inserted and detected via a pin on the tape drive.
In the U.S., this was a "write enable" ring. If the ring was removed, the tape was Read Only hence could not be accidentially overwritten. Good for important data.
In Russia, they had the drives changed to make this a "read enable" ring. If the ring was out, no one could read the tape. Anyone could write it anytime.
Different world views - in the U.S., people didn't want to accidentally lose important data. In Russia, people wanted to prevent some sensitive data being accidentally READ. If it got overwritten, no big deal.
One important point regarding the tape rings.
In the U.S. they were readily available in any computer room.
In Russia they were tightly controlled and had to be signed for - you could get in serious trouble for possessing one without authorization.
Different world views - in the U.S., people didn't want to accidentally lose important data. In Russia, people wanted to prevent some sensitive data being accidentally READ. If it got overwritten, no big deal.
I had not heard about that.
If you remember back in the early days of 5 1/4 inch drives, you got a little piece of stick foil to go over the write notch to make it read only. The original idea being that for software distributors they could buy floppy disks without the cuttout and manufacturers of bulk software copiers would supply there systems with "inverted write logic".
Oddly it was way back then when I had occasion to be in Berlin and the Berliners (the people not the doughnuts) had a slightly warped sense of humour. I was told a joke about two journalists one Russian and one American sitting at a cafe table. They had been having a long conversation about the merrits of their respective societies and neither was convincing the other and finally as they sat there in silence for a while when the Russian made a comment.
"You know our systems are not that different"
The American very surprised said,
And the Russian replied,
"Well look at it this way we both lock up what we hold most dear, with you Americans it's your money, with us Russian's it's our people".
Interesting... the HARM was designed to attack radar installations. An upgrade and enhancement would be to attack GPS spoofs. With laser gyros and other tricks detecting trouble seems to be almost easy. Next is a way to target the transmitter used to spoof the signal. Also wing surfaces could be used to shield the receiver from below the horizon transmitters.
'Spoofing' the GPS system is not necessary. The 'Unnamed Iranian Engineer' said they *jammed* the system.
So all they had to do was overwhelm (overload) the GPS receiver on the drone long enough for it to decide that the system was dead, and it would automatically land. This is a very sensible attack and it shows some knowledge of the Drones AI.
We should NOT assume the Iranians are stupid.
I kind of think that reality has escaped the minds of those who think they are in control. You have Geek weapon systems that look good and work well at first. I used to hate history in my youth but now I cherish it. History shows that the adversary perceived will by some method understand the threat and and will defend themselves against it. We are creatures of war and have been acquiring the adversaries knowledge for millennium. don't be so arrogant to think history changes just for your short time here. It has been a game of cat and mouse from the beginning. Come to accept we are waring creatures and you will not be so disappointed in humanity and its actions. Take care and say hi to a stranger today :-)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.