Schneier on Security
A blog covering security and security technology.
July 9, 2012
Students Hack DHS Drone
A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won't be able to do this?
EDITED TO ADD (7/9): It wasn't a DHS drone. It was a drone owned by the university.
Posted on July 9, 2012 at 6:02 AM
It was the college's one drone, not a DHS one. See the clarification at the end of the first story.
- it was using the civilian GPS; the military use encrypted GPS so you can't spoof it, only jam it
- and a big expensive drone like the RQ-170 would be bound to have inertial guidance backup if the GPS is jammed, and a human can steer it anyway
- but no, even if this demonstration is pure hyperbole, nobody thinks that the bad guys won't be able to do this...
- but really, the panic for me? That the DHS have drones in the first place...
@Will - having an encrypted signal does not prevent spoofing; all you have to do is delay the signal by the appropriate time and amplify it a bit. There's no need to know the content. And the issue is not jamming, but spoofing; you lead the aircraft from its true position to your desired position over time, and the INS is insufficient to correct for that, since it has a high drift rate on its own.
What is the risk? So the bad guys lure a drone off course? Large drones with GPS navigation and Inertial Navigation aren't going to be used to study an ongoing terror situation. Smaller RF controlled drones will fill that role.
This leaves long term observation under threat of disruption. Such a location is already under suspicion. So a consistent GPS drift would be detected on the 2nd or 3rd occurrence. Direct remote piloting would then be used instead.
How much $ in engineering do we want to spend on a very low cost risk? I thought security was all about $ trade-offs. I think DHS has this trade-off correct.
That "correction" should have been posted at the TOP of the story.
I am a former military comm specialist and a HAM and I am surprised that anyone is surprised that a close radio station can drown out a (very, very, very, very) distant one.
The technology to meacon (masking beacon; i.e. "spoof") a drone to not merely divert it but seize control of it would be similar to that used by a system called RNAV in the 70s; it used a computer to mix existing navigational beacon signals to pretend that a third one existed where it doesn't so you could navigate directly to that point. Back then it was expensive technology but computers have gotten waay cheaper and more powerful in the subsequent decades.
Plus, once every city in the US has a drone to go with their SWAT team for serving parking tickets, private flying will be illegal because the drones can't "see and avoid" humans.
I thought about RQ-170 too. So "bad" guys ARE able to capture them, aren't they?
As long as we keep exactly which shelves and which parts a secret, then I'm sure we'll be safe.
Are these drones large enough to carry exact clocks? That would limit an attacker to enlarge the calculated distance to an authenticated satellite. And given they have to receive the signal themselves before sending it again they should end up with a rather high lower bound to the possible drift.
ok, at the risk of asking a dangerous question. A thought occurs to me.
The second amendment allowed citizens to have weapons. At the time, citizens had pretty much the same weapons as the government in theory to rebel against the powers that be. Hmm.
The thought is interesting but the thought of private citizens having rocket launchers holds me back. Road rage would take on a whole different meaning...
But citizens do have economic power to bring down the government, if they simply refuse to be governed, soft power so to speak. (John Galt) Just my thoughts.
iron au: the risk of getting the drone off-course is making the nation that has its flag on the aircraft responsible for the actions of the third-party.
Scenario: unmanned unarmed (but capable of) drone hovers over Pakistan settlement with reported terrorist activity. Terrorists steer it to the local school, helping with, say, Stinger rocket (heritage of Afghan war). Reuters journalists are tipped off in advance, so whole thing goes on camera, including discovering remnants of star-spangled tail among dead children body parts.
I'm waiting for off the shelf ground to air missiles. Could an Arduino board successfully knock down a police dept drone? It would definitely make for great sci-fi terror script.....
I do think the hype of a Fedex drone being missile-ized is hyped up. There'd be no moral quandary for a fighter pilot to knock that down once it went off track.
I thought DHS *was* the bad guys.
Does anyone think the DHS are good guys or that they are fighting bad guys? Come on now Schneier no slipping back into those old black and white paradigms they do so like to feed us.
"Does anyone think that the bad guys won't be able to do this?"
They did it, so they are bad guys.
AFAIK an average Arduino board doesn't possess necessary speed and weight, not to mention explosive power.
@tim Playing a delayed message would probably not work since the Sat has already received that message and the most basic anti-spoofing would reject duplicate messages.
A sequence of such messages might work, but delays place the drone apparently lower, so redirection by delays would push drone toward satellite, and you would have to jam that satellite's signals, but not the others'.
Delaying more than 2 sat signals would result in invalid locations. Even delaying 1 sat signal might result in an invalid location if the GPS receiver is receiving from 3+ other satellites.
Delaying 2 sat signals could push a drone toward either or both satellites. Basic anti-spoofing should detect a barometric pressure drop that did not correspond with sat altitude calcs as well as a consistent inertial drift.
Basic spoofing doesn't need to receive a sat signal first - they are very predictable. The sat signals are also very weak, so easy to overwhelm, even 20 miles up, tho you would want a directional antenna to avoid confusing pilots of other planes who might complain, or even nearby ground-based police with GPS.
Speeders have radar detectors. DHS will likely have GPS spoof detectors.
Taking control would mean feeding wrong location info, so you would need to know where the drone "wants" to go to shove it in a different direction, though you might just experiment and see where the drone goes given different info.
You could probably crash it if the drone:
- had no driver or object-avoidance, and
- no reasonability standards for its signals to reject "obvious" errors (that disagreed with barometer, inertial readings, or were too strong).
So you might confuse a drone but it would be hard to control it. That might be enough if you just want to divert it away from you. But the act of spoofing might be detectable, so delicacy might be in order to avoid spooking the spooks!
Of course, the DHS domestically could also use other location technology, from cell tower triangulation, to wifi detection, to broadcast station direction finding in order to confirm location within some error radius.
Globally, Iridium and Globalstar can provide location to within a km or two, avoiding major dislocations.
eLORAN could be used around the UK and some other jurisdictions as another location source.
There are several GPS systems, the US', Russia's, China's and soon Europe's. A GPS receiver using info from all of these would be very hard to spoof or even confuse.
So lots of counter-counter-measures are available.
"Playing a delayed message would probably not work since the Sat has already received that message and the most basic anti-spoofing would reject duplicate messages."
It all depends on how you do it. A short burst of noise sufficiently long to block just two "frame" times should be sufficient to cause the target receiver to lose lock on the real satellites. If you then transmit a near zero delay replay signal at the target then it will re-lock to the replay signal not the satellites.
What happens as you increase the delay is dependent on a number of characteristics of the receiving system. If it has an "out of band" reference signal it will eventually detect the replay attack. One such reference signal might be a very very low drift rate clock (such secondary standards are available relatively cheaply but they are generally fairly hefty and power hungry). Others could be "terrain following", "star following" and Optical Passive Satellite following systems but they have their own issues as do INS.
The thing is that most of the spoofing issues work because the GPS receiver generally has only a single spatial point of reference with regards the satellites.
If the GPS receiver has two or more antennas spaced a reasonable distance apart then it has two or more spatial reference points.
This will enable it to form a "direction finder" for any and all the satellites which transmit from different locations whereas a simple spoofer will transmit from only one location. Obviously the receiver knows exactly where the satellite is two ways. Firstly the satellite tells the receiver, secondly the orbit parameters are well known and quite stable and thus can be predicted into the future for a reasonable period of time compared to that of a drone's flight time.
It would thus be extremely difficult to spoof this spatial information as you would have to have as many transmitters as satellites and they would have to "orbit" the drone in the correct directions which would be very difficult at best.
However because of the way the GPS system's satellites work they send out a very accurate time reference with respect to each other. And as a consequence of the way they transmit their signals (google "Gold Codes" and "JPL ranging codes") you can also with two or more points of spatial reference (antennas) calculate the range from the point they are being transmitted sufficiently that the spoofing transmitters would have to be a long long way away from the drone.
Thus a two or more antenna GPS receiver with the appropriate front end circuitry could detect delay/replay attacks currently without the use of the Military System or having the signals encrypted.
Oh and if you think about it using encryption for anti-spoofing in a general broadcast system has some significant issues. The first being "keying material distribution" and secondly "your enemy" can buy as many copies of the system as they need so they can "know the system". Thus the security of such a system falls to "obscurity" and a re-key system that may have exploitable flaws...
GLONASS has and Galileo does/will have laser retro-reflectors which will enable a suitably equipped vehicle to use a laser and telescope to accurately identify those GPS satellites. NASA has requested that the same be fitted to the US GPS Block IIIA satellites to be deployed over the next few years.
There are a number of "passive" non GPS satellites that carry retroreflectors most notable are LAGEOS, LARES and Starshine.
Since even a bad crystal oscillator won't drift more than 1s in an hour, the requirements for near real time replay are fairly stringent. You probably need to replay the signal within a 100ms to defeat even basic anti-spoofing.
Exactly what paradigms do you figure are simple black and white ideals and what exactly do you think are "bad" guys and "good" guys. Everyone is entitled to their own opinions, but sheeshhhhh, you're drifting on paranoid if you don't think our enemy is, by definition, considered a bad guy. Sometimes it really is as simple as it seems. Terrorists want to kill our population, DHS wants to prevent that. So, what the EFF are you talking about? I'll rephrase for your sensitive paranoia: bad guys want to kill you.
100 ms means 10 Hz and 30 000 km
"having an encrypted signal does not prevent spoofing; all you have to do is delay the signal by the appropriate time and amplify it a bit."
I don't think that works. A receiver needs pseudoranges from 4 transmitters to achieve a solution. If you delay a signal without also changing the transmitted ephemerides then the only change you can make is to increase a pseudorange. But with a solution for at least 4 transmitters, in most configurations it is not possible to get a consistent solution when pseudoranges are only increased, and none are reduced.
So the receiver will reject the solution, and all you have done is a very complicated version of jamming.
If you delay all the signals, you can slowly shift the receiver's timebase; then you could have some signals delayed, and some "advanced" against the shifted timebase.
Even that is considerably harder than it sounds. In the "encrypted" military signal, the encrypted part is the CDMA spreading sequence. If the attacker cannot predict the next element of the spreading sequence for each satellite then the only way he could separate the signals of each satellite would be through a complex of many steerable directional antennas. Possible, but very much more difficult than spoofing the C/A signal (which can be done with one omnidirectional antenna.)
Finally, the latest upgrade to the military system includes a secondary set of beams on each satellite. These beams are semi-directional and much stronger. After using the ordinary C/A and P(Y) signal to get an approximate location, the receiver can use an electronically steered directional array to reject all signals except those from a very narrow sky angle around the true current location of each satellite. Very difficult to jam.
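The pseudorange-consistency argument in the last few comments (a replay can only lengthen a pseudorange, and delaying every signal equally only shifts the receiver's timebase) can be checked from the receiver's side with a residual test of the kind used in receiver autonomous integrity monitoring. The following is an added example, not part of the original post or of any commenter's text; the satellite coordinates, receiver position, clock bias and 10 m threshold are constructed values.

```python
import math

C = 299_792_458.0                     # speed of light, m/s
TRUE_POS = (6_371_000.0, 0.0, 0.0)    # constructed receiver position, ECEF metres
CLOCK_BIAS = 600.0                    # constructed receiver clock error, metres
SATS = [                              # constructed satellite positions, ECEF metres
    (26.0e6, 3.0e6, 4.0e6), (20.0e6, 15.0e6, -8.0e6), (18.0e6, -17.0e6, 9.0e6),
    (15.0e6, 5.0e6, 21.0e6), (14.0e6, -6.0e6, -21.5e6), (22.0e6, -12.0e6, -8.0e6),
]

def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def residuals(sats, pr, s):
    """Measured pseudorange minus the one predicted by state s = [x, y, z, bias]."""
    return [p - (math.dist(sat, s[:3]) + s[3]) for sat, p in zip(sats, pr)]

def fix(sats, pr, iters=12):
    """Gauss-Newton least-squares fix; returns (state, RMS residual in metres)."""
    s = [0.0, 0.0, 0.0, 0.0]          # start at Earth's centre with zero clock bias
    for _ in range(iters):
        h = [[(s[k] - sat[k]) / math.dist(sat, s[:3]) for k in range(3)] + [1.0]
             for sat in sats]
        res = residuals(sats, pr, s)
        hth = [[sum(r[i] * r[j] for r in h) for j in range(4)] for i in range(4)]
        htr = [sum(r[i] * e for r, e in zip(h, res)) for i in range(4)]
        s = [v + dv for v, dv in zip(s, solve_linear(hth, htr))]
    res = residuals(sats, pr, s)
    return s, math.sqrt(sum(e * e for e in res) / len(res))

def scenario(delays_s):
    """Fix computed when each satellite's signal arrives late by delays_s[i] seconds."""
    pr = [math.dist(sat, TRUE_POS) + CLOCK_BIAS + C * d
          for sat, d in zip(SATS, delays_s)]
    state, rms = fix(SATS, pr)
    return math.dist(state[:3], TRUE_POS), state[3], rms

def inconsistent(rms, threshold_m=10.0):  # threshold is an assumed value
    return rms > threshold_m
```

With exactly four satellites the four unknowns absorb any set of pseudoranges and the residual is always zero, so this check only has something to test when five or more satellites are tracked.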
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.