Posted by Wolfgang S. Rupprecht on December 15, 2011, 3:18 pm

Iran claims that it captured the RQ-170 Sentinel stealth drone by
jamming the comms links and spoofing the GPS.


http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer

Is P-code not as spoof-proof as first thought? Did they pull off a
playback attack where the real signals (perhaps just the modulation, not
the RF) are recorded and played back later in order to have the drone
work out its position incorrectly? If one records each visible
satellite independently and then adjusts the actual delay, and
re-transmits then one could (in theory at least) trick the receiver into
thinking it was in a different spot than it really was.

If true, I bet someone wishes that they could have forced the GPS
manufacturer to add a highly accurate reference clock that would allow
them to detect this sort of playback attack.

-wolfgang
--
g+: https://plus.google.com/114566345864337108516/about

Posted by macpacheco on December 15, 2011, 5:07 pm
On Dec 15, 6:18 pm, "Wolfgang S. Rupprecht"
> Iran claims that it captured the RQ-170 Sentinel stealth drone by
> jamming the comms links and spoofing the GPS.
> http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-h...
> Is P-code not as spoof-proof as first thought? Did they pull off a
> playback attack where the real signals (perhaps just the modulation, not
> the RF) are recorded and played back later in order to have the drone
> work out its position incorrectly? If one records each visible
> satellite independently and then adjusts the actual delay, and
> re-transmits then one could (in theory at least) trick the receiver into
> thinking it was in a different spot than it really was.
> If true, I bet someone wishes that they could have forced the GPS
> manufacturer to add a highly accurate reference clock that would allow
> them to detect this sort of playback attack.
> -wolfgang
> --
> g+: https://plus.google.com/114566345864337108516/about

1 - Aircraft GPS antennas are pointed upwards, with very little
sensitivity to signals coming lower than the horizon

2 - Are we aware of any successful spoofing of P(Y) code ?

3 - Then there's the encrypted link that controls the aircraft, and all
drone aircraft should have some sort of INS system that will quickly
diverge and raise an alarm in the face of a spoofed signal (huge heading
and ground speed differences between GPS and INS). That would actually
detect the spoof just as well as an onboard atomic clock.

4 - Perhaps there are Iranian sympathizers with access to the P(Y)
key. Or they hacked a DoD network that stores the key

5 - The clock you mention is already available, the CSAC. But it just
became available in the last 10 months or so, way too little time for
the military to incorporate it into new/existing receivers and go
through a complete certification cycle. A non-atomic frequency
standard is a part of every GPS receiver, and that might also be
enough to detect the spoof.

6 - I don't know about the RQ 170, but other drones keep constant
contact with their pilots, so it would be fairly easy for the drone to
constantly send its GPS derived time to the control base and compare
that with a local GPS derived time (the control link delay is easy to
calculate down accurate to 1ms for more precise comparison). Any
playback attack that causes the drone to be 100km+ off course would
result in a clock mismatch that is very easy to detect.

7 - It's very easy to detect a spoofing attack by comparing signal
power levels: spoofed signals will be received way stronger than even
a satellite directly overhead, and they likely won't have differences in
power level between multiple satellites as they should. A weak signal
compatible with an actual satellite will not be able to overpower the
satellite signal.

Of course that's all theory; I don't have access to anything that
isn't public on the internet. But there are plenty of public articles
on spoofing detection and mitigation.

Marcelo

Posted by Alan Browne on December 16, 2011, 9:00 am
On 2011-12-15 17:07 , macpacheco wrote:
> On Dec 15, 6:18 pm, "Wolfgang S. Rupprecht"
>> Iran claims that it captured the RQ-170 Sentinel stealth drone by
>> jamming the comms links and spoofing the GPS.
>> http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-h ...
>> Is P-code not as spoof-proof as first thought? Did they pull off a
>> playback attack where the real signals (perhaps just the modulation, not
>> the RF) are recorded and played back later in order to have the drone
>> work out its position incorrectly? If one records each visible
>> satellite independently and then adjusts the actual delay, and
>> re-transmits then one could (in theory at least) trick the receiver into
>> thinking it was in a different spot than it really was.
>> If true, I bet someone wishes that they could have forced the GPS
>> manufacturer to add a highly accurate reference clock that would allow
>> them to detect this sort of playback attack.
>> -wolfgang
>> --
>> g+: https://plus.google.com/114566345864337108516/about
> 1 - Aircraft GPS antennas are pointed upwards, with very little
> sensitivity to signals coming lower than the horizon

A spoof or jamming signal will arrive at the aircraft with a lot of
power. Further, we've observed with commercial antennas that even when
an aircraft is banked to the point of masking a low satellite, it still
tracks it very well. There seems to be a skin effect where the signal
"follows" the skin of the airplane to the antenna.

> 2 - Are we aware of any successful spoofing of P(Y) code ?

They wouldn't tell you.

> 3 - Then there's the encrypted link that control the aircraft, and all
> drone aircraft should have some sort of INS system, that will quickly
> diverge and raise an alarm in face of a spoofed signal (huge heading
> and ground speed differences between GPS and INS). That would actually
> detect the spoof just a well as an onboard atomic clock.

Correct.

I'm leaning to simple engine failure or other system failure that
prevented controlled or fallback RTB.

--
"I see!" said the blind man as he picked up his hammer and saw.

Posted by Peter H. Coffin on December 15, 2011, 5:14 pm
On Thu, 15 Dec 2011 12:18:16 -0800, Wolfgang S. Rupprecht wrote:

> Iran claims that it captured the RQ-170 Sentinel stealth drone by
> jamming the comms links and spoofing the GPS.
> http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer
> Is P-code not as spoof-proof as first thought? Did they pull off a
> playback attack where the real signals (perhaps just the modulation,
> not the RF) are recorded and played back later in order to have the
> drone work out its position incorrectly? If one records each visible
> satellite independently and then adjusts the actual delay, and
> re-transmits then one could (in theory at least) trick the receiver
> into thinking it was in a different spot than it really was.
> If true, I bet someone wishes that they could have forced the GPS
> manufacturer to add a highly accurate reference clock that would allow
> them to detect this sort of playback attack.

Or put some better dead-reckoning flight rules into the thing. Initial
reports were that it crashed. Which sounds like someone set up a
high-power jammer, kept enough Mark I Eyeballs around for the thing
to fly nearby, flipped the jammer on, and watched the drone fly into
terrain.

The drawback to pilot-less recon is that there's no pilot.

.sig-monster notwithstanding.

--
"To every complex problem there is a solution which is
simple, neat and wrong" - HL Mencken

Posted by miso on December 15, 2011, 6:59 pm
On 12/15/2011 2:14 PM, Peter H. Coffin wrote:
> On Thu, 15 Dec 2011 12:18:16 -0800, Wolfgang S. Rupprecht wrote:
>> Iran claims that it captured the RQ-170 Sentinel stealth drone by
>> jamming the comms links and spoofing the GPS.
>> http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer
>> Is P-code not as spoof-proof as first thought? Did they pull off a
>> playback attack where the real signals (perhaps just the modulation,
>> not the RF) are recorded and played back later in order to have the
>> drone work out its position incorrectly? If one records each visible
>> satellite independently and then adjusts the actual delay, and
>> re-transmits then one could (in theory at least) trick the receiver
>> into thinking it was in a different spot than it really was.
>> If true, I bet someone wishes that they could have forced the GPS
>> manufacturer to add a highly accurate reference clock that would allow
>> them to detect this sort of playback attack.
> Or put some better dead-reckoning flight rules into the thing. Initial
> reports were that it crashed. Which sounds like someone set up a
> high-power jammer, kept enough Mark I Eyeballs around for the thing
> to fly nearby, flipped the jammer on, and watched the drone fly into
> terrain.
> The drawback to pilot-less recon is that there's no pilot.
> .sig-monster notwithstanding.
Under LOS, they orbit. You don't need a GPS for an orbit. More likely it
was completely jammed, then ran out of fuel.

I like the theory about playing back old GPS data with the encryption
present. But you would think the GPS signal has an absolute time code in
it at some point, so it would be a really stupid control system that saw
time go backwards and not detect a spoof.
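
The detection ideas raised in this thread, namely macpacheco's points 3, 6 and 7 (GPS/INS divergence, GPS-derived time against an independent reference clock, and signal power that is too strong or too uniform across satellites) together with miso's observation that decoded time should never run backwards, worked into one added Python example. It is not code from any poster or from any real receiver; the Epoch fields, the thresholds and the sample epochs are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from math import hypot
from typing import List, Optional, Tuple

@dataclass
class Epoch:
    gps_time: float               # seconds, as decoded from the GPS navigation message
    ref_time: float               # seconds, from an independent reference (link-side or local clock)
    gps_pos: Tuple[float, float]  # (east, north) metres from the GPS fix
    ins_pos: Tuple[float, float]  # (east, north) metres from INS dead reckoning
    cn0_dbhz: List[float]         # carrier-to-noise density of each tracked satellite

# Thresholds are illustrative assumptions, not values from any receiver specification.
MAX_CLOCK_OFFSET_S = 0.010        # the thread puts link-delay accuracy around 1 ms
MAX_GPS_INS_DIVERGENCE_M = 500.0  # short-window INS drift stays well below this
MAX_CN0_DBHZ = 52.0               # stronger than a satellite directly overhead delivers
MIN_CN0_SPREAD_DBHZ = 3.0         # real satellites differ with elevation; one source does not

def check_epoch(prev: Optional[Epoch], cur: Epoch) -> List[str]:
    """Return the spoof indicators raised by one epoch (empty list means clean)."""
    flags: List[str] = []
    if prev is not None and cur.gps_time <= prev.gps_time:
        flags.append("time_not_monotonic")      # replayed data: decoded time went backwards
    if abs(cur.gps_time - cur.ref_time) > MAX_CLOCK_OFFSET_S:
        flags.append("clock_mismatch")          # GPS time disagrees with the reference clock
    divergence = hypot(cur.gps_pos[0] - cur.ins_pos[0], cur.gps_pos[1] - cur.ins_pos[1])
    if divergence > MAX_GPS_INS_DIVERGENCE_M:
        flags.append("gps_ins_divergence")      # fix jumped away from dead reckoning
    if cur.cn0_dbhz and max(cur.cn0_dbhz) > MAX_CN0_DBHZ:
        flags.append("cn0_too_strong")          # implausibly strong for a real satellite
    if len(cur.cn0_dbhz) > 1 and max(cur.cn0_dbhz) - min(cur.cn0_dbhz) < MIN_CN0_SPREAD_DBHZ:
        flags.append("cn0_uniform")             # every satellite equally strong: one transmitter
    return flags

def scan(epochs: List[Epoch]) -> List[List[str]]:
    """Run check_epoch over a sequence, carrying the previous epoch for the time check."""
    out: List[List[str]] = []
    prev: Optional[Epoch] = None
    for e in epochs:
        out.append(check_epoch(prev, e))
        prev = e
    return out

# Constructed sample: three clean epochs, then one that looks like a replay of old data.
SAMPLE = [
    Epoch(1000.0, 1000.001, (0.0, 0.0), (0.0, 0.0), [45.0, 42.5, 39.0, 36.0]),
    Epoch(1001.0, 1001.001, (60.0, 0.0), (61.0, 1.0), [45.1, 42.4, 39.2, 36.1]),
    Epoch(1002.0, 1002.001, (120.0, 0.0), (121.0, 2.0), [45.0, 42.6, 39.1, 35.9]),
    Epoch(900.0, 1003.001, (5000.0, 8000.0), (182.0, 3.0), [55.0, 55.2, 54.9, 55.1]),
]
```

Each check is cheap enough to run every epoch; in practice the INS and clock checks need only a coarse reference, which is the point made in the thread about a non-atomic frequency standard being enough.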

