Slashdot Mirror

← Back to Stories (view on slashdot.org)

GPS Spoofing Attack Hacks Drones

Posted by Soulskill on from the defense-against-the-borg dept.

Rambo Tribble writes "The BBC is reporting that researchers from the University of Texas at Austin managed to hack an experimental drone by spoofing GPS signals. Theoretically, this would allow the hackers to direct the drone to coordinates of their choosing. 'The spoofed drone used an unencrypted GPS signal, which is normally used by civilian planes, says Noel Sharkey, co-founder of the International Committee for Robot Arms Control. "It's easy to spoof an unencrypted drone. Anybody technically skilled could do this - it would cost them some £700 for the equipment and that's it," he told BBC News. "It's very dangerous - if a drone is being directed somewhere using its GPS, [a spoofer] can make it think it's somewhere else and make it crash into a building, or crash somewhere else, or just steal it and fill it with explosives and direct somewhere. But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

6 of 214 comments (clear)

  1. Surprised? by Imagix · · Score: 5, Informative

    Why is this surprising? Thought that's how the military one was captured a little while ago...

    1. Re:Surprised? by MozeeToby · · Score: 5, Insightful

      Because there is absolutely no way that a military drone should be using a single navigation source as it's be all end all, especially not GPS which can be jammed trivially and spoofed with a bit more effort. If your GPS signal is hundreds of Km off from where your dead reconning (using air speed and compass), says you should be the GPS signal should be ignored entirely. This is what airliner flight management systems do, in fact it's what any idiot hiking through the forest would do. The idea that the people coding software for military grade drones can't figure it out is more concerning than the idea that someone can spoof GPS signals.

    2. Re:Surprised? by Rei · · Score: 5, Interesting

      The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them. When the drone loses communication for a length of time it is programmed to return to base and land unless it reestablishes communications and receives alternate orders. But it uses GPS to find out where the base is.

      Yeah, a "GPS position is changing too fast" check could be useful to try to thwart something like that, but it's also the sort of thing that can be overlooked, and also something that could be slowly faked (aka, from a blind plane's perspective, there's no difference between a "drifting GPS" and flying through a strong wind.). So yeah, you could get into a whole range of attacks and countermeasures, but sometimes the attackers will win, sometimes the defenders.

      The people who insisted that a country like Iran could never pull it off always struck me as way overconfident, egotistical. It reminds me of when the Serbians shot down a stealth (which the US tried to blame on hardware failures) and damaged another (among many other aircraft). I read an article on the elite Serbian unit who pulled that off with basically junk hardware and with no air superiority to back them up. They had their tactics down to a tee, and the US got totally overconfident. First they baited NATO into wasting their anti-radiation missiles by jury-rigging together as many fake "radars" as they could muster from junked military equipment. Then they hacked the hardware on the actual radars they were using, boosting the frequency many times over. This made the signal get hugely attenuated by the atmosphere, dramatically decreasing the range, but was A) out of the range of frequencies generally looked for, and B) wasn't nearly as affected by the stealth capabilities of the aircraft. The range was so low that the target aircraft had to fly pretty much over them, but they started mapping out the typical sortie patterns being used and got the hang of reckoning where they'd be and moving to intercept. They also got the hang of how much time it took from when the radar got hot to when a plane could take them out if they were detected, and timed their operations so that the hardware or at least the people had to be Not There Anymore(TM) by the deadline. The troops were drilled over and over in how to set up, get a lock, fire, and then get the heck out of there in the allotted time.

      It's easy to assume that because a country is poorer and can't afford fancy hardware, its people are idiots. But that's a bad assumption to make.

      --
      Rock Us, Dukakis.
    3. Re:Surprised? by Andy+Dodd · · Score: 5, Interesting

      In addition, there's absolutely no evidence to back this claim - "But the big worry is — it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people."

      Transitioning from "making a few fake pseudolites" to "discovering the crypto key before it changes" (I believe the keys rotate on a daily basis, so you would need to crack the key AND the key change algorithm) is a MAJOR step. I don't know what universe that person lives in if they thing breaking military-grade crypto is even remotely close to this attack in complexity. This attack is easymode compared to generating a proper P(Y) code.

      The only "break" so far in the military encryption is the fact that the same keys (and in fact same signal) are used on both L1 and L2, allowing you to cross-correlate L1 and L2 to determine ionospheric delay and remove that one error source. Note that the next block of GPS satellites adds a civilian L2 signal, so this "break" is mostly irrelevant.

      In addition, no evidence was provided that a RAIM-enabled receiver was successfully spoofed, only a cheap consumer-grade unit that lacked RAIM.

      --
      retrorocket.o not found, launch anyway?
    4. Re:Surprised? by element-o.p. · · Score: 5, Interesting
      I pretty much agree with everything you said above (well-written and insightful, IMHO, and I absolutely agree with your conclusion). However, one part doesn't quite make sense to me:

      The full Iranian claim was that they jammed all of the communications to the drone and then spoofed GPS. Aka, there were multiple navigation sources, and it lost them.

      Okay, I don't design, build, fly or repair military drones (or even civilian ones...yet). I am, however, a fixed-wing pilot in my off-hours. In civilian airplanes, we use multiple navigation methods too, and I would presume that many of these navigation systems are applicable to drones as well as Cessnas. For example, it's probably safe to assume that drones use GPS just like I do. Military drones probably also use TACAN, which essentially is just the military equivalent of civilian VOR/DME (navigation using fixed, ground-based radio stations). Either of those systems are susceptible to attack as you've described above. However, larger civilian airplanes, like business jets and airliners, have also used a navigation system called INS, or "Inertial Navigation System," which uses accelerometers and gyroscopes to compute the moral equivalent of dead reckoning ("it's been 23 minutes since I passed my last waypoint, so with an estimated speed of 110 knots, that means I should be reaching my next waypoint in five...four...three...two...one...turn left to heading 070 degrees and descend to 2500 feet MSL..."). INS should be pretty much immune to spoofing or jamming of radio signals, since it is completely internal. Therefore, I would expect that INS should be more than capable of providing a sanity check and fail-over against GPS or TACAN radio navigation. Even better, install multiple INS systems, and if they all agree within a sane margin of error, while your radio navigation systems are either jammed or showing that you are a hundred miles away from your computed location and/or your most recent known-good position, then assume your navigation signals are being attacked and fail-over to INS until/unless you reach a point where all navigation systems agree again.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    5. Re:Surprised? by Rei · · Score: 5, Interesting

      The US didn't blame anything on hardware failures.

      Sorry, "refused to confirm claims that it was shot down" for several days - is that better?

      The claims about 'baiting NATO to waste their missiles on decoys' are funny - why? Because for this to happen, the SAM radars had to be shut down, thus rendering SEAD efforts successful. It doesn't matter if the missile didn't hit the SAM. What matters is that for that time, the SAM was useless. Result? Serbians dancing on the wreckage of two planes out of hundreds of sorties that demolished their infrastructure. That's right. Those 'so smart tactics' got them two planes and failed to defend their country whatsoever.

      First off: Three planes down (one ditched into the Adriatic, two over land) and a number of hits that crippled other craft but did not lead to crashes (the other stealth that they hit reportedly never flew again), plus several cruise missiles. Dani's unit saw no casualties or loss of hardware. Of course other less trained units sufferedlosses, but that's not the point I was making (I am *not* claiming that weak powers will always outsmart/defeat strong powers, or even that it's likely - just that they shouldn't be underestimated and can sometimes pull off impressive feats). They shot down a stealth and nearly a second one using 1960s hardware and with total loss of air superiority.

      Serbia had no hope of preventing the destruction of fixed infrastructure. Their military budget was something like a tenth of a percent of the military budgets of the nations they were facing. Their only option was to preserve their military capability for as long as possible while costing NATO as much money as possible and buy as much time as possible in hopes that Russia would step in to their defense. HARMs are a heck of a lot more expensive than junkyard radars, and well, F-117s? They don't grow on trees. Serbian losses were quite small at the end of the war and their military pretty much intact, despite earlier NATO claims to the contrary, and the US actually had documents showing that they clearly didn't believe their own numbers they were giving out. Despite the use of obsolete hardware, just over a dozen tanks were destroyed, under 20 artillery pieces, etc. NATO hit orders of magnitude more decoys as actual military targets. There were only 492 Serbian casualties. Of non-fixed military hardware, only the airforce was effectively destroyed, which was pretty much expected (an obsolete airforce is pretty helpless). The problem Serbia had was that NATO was prepping for ground war and Russia, as mad as they were, made it clear that they weren't going to get militarily involved.

      And contrary to your claims, the fact that NATO couldn't destroy anti-aircraft batteries like Dani's made their life a lot harder. It meant they had to fly a lot higher (less precision) and limited the types of aircraft which could get involved. Furthermore, not only were the downed aircraft rallying points (the last thing you want to do is re-moralize your enemies - I'll never forget the "Sorry about your plane, we didn't know it was invisible" sign), parts from the downed stealth are believed to have been sold to China and used for their stealth aircraft program. There are serious material consequences to the US from what happened.

      --
      Rock Us, Dukakis.