Dec 17 2011 - 14 Comments

Even if the story that the U.S. stealthy RQ-170 Sentinel drone captured by Iran was hijacked using a GPS spoofing attack is based on known facts and vulnerabilities highlighted in Air Force official documents, the “ambush”, as detailed by an Iranian Electronic Warfare engineer to the Christian Science Monitor, contains some controversial points.

First of all, the lost-link procedure does not foresee the RQ-170 landing autonomously at its actual homebase (because of the many variables, such as wind and traffic) but orbiting until the link is re-established or the drone runs out of fuel.

For instance, even under Remote Split Operations, landing is performed in Line Of Sight by the local ground control station: the latency induced by the SATCOM link is not compatible with the last phases of the flight, when immediate reactions of the robot’s control surfaces to the inputs given remotely by the pilot are required to safely bring the drone to the ground.

Furthermore, even assuming that autolanding is used in lost-link events, it is not that easy to land the drone on a landing field other than its homebase without causing major damage.

Finally, it seems quite weird that any insider so proud to have achieved a hack of the most secret U.S. unmanned aerial system (UAS) could be at the same time so incautious as to give the details of the entire operation to the public domain, with the first and most obvious consequence of not being able to repeat it in the future. Unless the type of attack they have described is anything but unexpected, and indeed very well known because it is highlighted in the above-mentioned official documents.

So, I’ve asked once again my friend Ugo Crisponi to put on a nice infographic what I think may have happened on Dec. 4, 2011, when the drone was “downed”, based on all the details I was able to collect so far.

Here it is.

I think the drone’s link with Creech AFB was disrupted using jamming. How did the Iranians know the “Beast of Kandahar” was in the vicinity if they couldn’t see it on the radar? They may have intensified jamming around uranium enrichment sites.

Serbians were able to shoot down the F-117 because, during Allied Force, planners put the F-117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.

I think that Iran played a role in the crash landing simply because they were able to recover it. If they hadn’t known where the drone had landed they would not have been able to get their hands on it.

Once the link was lost, as per procedure, the drone started a series of racetracks/orbits waiting for the signal to be re-established. In this phase, maybe the Iranians were able to spoof the onboard GPS and guide the drone in the wrong direction. Nevertheless, this would mean that the most important American drone relies only on GPS for navigation and doesn’t use an INS (Inertial Navigation System) platform. Indeed, even some GPS-guided bombs such as the JDAM (Joint Direct Attack Munition) use anti-jamming and anti-GPS-spoofing systems, some of which are based on simple inertial measurement units.

Then, when the Sentinel ran out of fuel, it crashed. Even though it was not mentioned before, there’s a possibility that the drone survived the impact because it was equipped with a safety chute. In fact, I’ve noticed a mysterious hatch on the top of the RQ-170 that, among other things, could host the parachute used to save the precious drone.

It’s obviously speculation, because such a chute could save the airframe but could also preserve it for the enemy when the drone runs out of fuel during a mission behind enemy lines. As happened in Iran.

Look at the following video.

  • itpastorn

    What about the Iranians detecting the UAV when it was using its SAR?

    Triangulation of emitted radar waves could be doable.

  • Bill Smith

    It has an INS.

    Creech AFB doesn’t ‘control’ it any more than they control a Global Hawk.

  • Thorsten

    I wonder if that was the only craft of that type available. Somehow I doubt it, after all we know it is cheaper to build a few examples than only one.

    So far no one brought interceptor aircraft into the equation. Maybe the moment the drone started their orbits / racetracks, they sent up a fighter escort that followed the drone in their final few miles before crashing thus knowing the location.

    Regarding a flight after the fuel ran out – although I am a pure armchair (aviation) general, I assume that for such a drone to have the endurance they have, they must be of a light construction. That, coupled with enough energy in the batteries to keep the avionics working, I could imagine that the craft made a relatively soft flight until it made ground contact.

    But…. that lost-link procedure – I wonder if it wouldn’t make more sense if in that case the drone would sort of retrace its steps back to base (like making a 180 turn and then follow the waypoints in reverse order). It may not be enough to bring it back to base, but maybe at least closer to the last position where the link was still available.


  • nico

    Though it is an interesting scenario, David, there are still a lot of unknowns and “ifs, maybes, buts…” and some things that don’t make sense. As mentioned, even if Iran jammed GPS, what about the INS system, hard to believe there isn’t one on board? How did it “crash” and remain relatively intact? That’s just for starters. Still not sure why UAVs like RQ don’t have a self-destruct as many are mentioning. How did Iran know RQ was around, did its operations become so predictable that they eventually spotted it? Just an idea, maybe the color is to keep it closer to “sand dust” or smog, maybe 10,000 ft? not 50,000ft in the atmosphere so significantly closer to Earth. Could it have been visually spotted?

    Still don’t buy the whole theory of jamming, wouldn’t any air force send a fighter for ID? Wouldn’t they first shoot it down? The whole “Iran wanted to take it intact, baloney” sounds too much like a James Bond movie. Come to think of it, it is something the evil mastermind would do instead of destroying it outright. Just me putting up a bunch of ideas out there.

    Maybe US is telling the truth, could it just be a plain engine failure?

    I also think the timeline would be revealing here, what exact day did it go missing? and where did it go down? finally, what was its target and original orbit? Probably we won’t know for a long time….

  • b

    David, I do not agree that drone “crashed”. It just looks too clean for that.

    I agree that the CSM story is false. The RQ-170 does not have an auto-landing feature which the story implies.

    As for finding the drone:
    - The Iranians likely have spies at Shamsir and Kandahar and know when the RQ-170s start and land. They know when to look for one.
    - Infrared observation is the best method to find a stealth plane. IRST sensors have been available for quite some time, mostly from the Russians.

    As for landing the drone:

    As I suggested two weeks ago, the Iranians must have spoofed the local control channel that is used to launch and land the drone.

    For latency reasons that channel will not be heavily encrypted and the Iranians had four years time to spy on the radio traffic in Kandahar and Shamsir. Enough time to do pattern recognition for drone starts and landings and to break the presumably light encryption code.

    • David Cenciotti

      I don’t think spoofing the local control channel would have any effect on Iran’s capture, as local control is done in LOS while over Iran the drone was controlled by satellite link.

      • b

        What happens when the sat-control channel gets jammed (quite easy to do) and the drone is “offered” commands on the local control LOS channel?

        It would be logical to accept the local commands in this case.

        • David Cenciotti

          Maybe. I’m just not sure that over Iran the drone can be managed in LOS.

  • b

    The “beast” has an operational weight of some 10,000 pounds. That would require a huge parachute or multiple smaller ones. I find it unlikely that such a machine would carry so much dead-weight with it only for the case of an emergency.

    My latest thoughts on this

  • Joel Mayer

    Thank you for linking up all of your articles on drones. I was able to make a high quality pdf out of your most excellent collection of essays. I’m getting the idea you are trying to sell books made out of paper and ink. Why aren’t you marketing electronic books on Amazon and Barnes and Noble? A substantial number of people, novelists mostly, have made millions by selling their books at a dollar a copy. Why not you?

    • David Cenciotti

      Hi Joel,
      thank you. Can you please send me the hi-quality pdf of my articles? It could be useful for me too :)
      I’ve never thought of marketing electronic books, but I think I will have to consider it. If you have some advice please let me know.

  • bjoern holst jespersen

    The number of thinkable scenarios keeps rising ;o) As a sketch I like this one too, but there are a couple of questions that could be relevant:
    a) if the drone was made to circle until it ran out of fuel. How long would that have taken? Time enough for US to take action in some way?
    b) in order for this scenario to be a deliberate “downing” the Iranian army would need to know that the drone had a chute.

    If there was a chute then one or more of these hatches has to have been opened.

    I’m sceptical. I would expect to see a “double hatch” and I would expect it to show somehow that they had been opened.

  • jaimemnBR


    I don’t think that an INS, “per se”, would invalidate the GPS spoofing explanation.

    Even if it has an INS (quite sure) they could have induced a GPS “error” smaller than the expected INS error at a very low slew rate, which would force the INS to recalibrate according to the fake GPS signal.

    Before someone says it may have RDF/ADF system too to make a coarse “reality check”, I agree with bjorn, “scenarios keeps rising”.

    One thing is for sure, they have an American drone, otherwise Obama would not ask for the return of it.

    If it was not a GPS spoofing, here follows my guess on how they could have taken control of the Sentinel.

    These things are controlled by operators thousands of miles away by geo satellite links, so there is a significant communication time lag between operators sending a command and the drone responding to it. The operator has to send commands in a very ordered way and wait for the attitude response from the drone to see if it has responded correctly. That may take some non-negligible fractions of a second. So, I think, these aircraft are not piloted in a “normal” way, let’s say, the operator does not control the aerodynamic surfaces directly by a joystick (although I think there is this option for shorter links), but by sending commands like, “turn left 35 degrees”, or “change altitude minus 1000 ft” and so on.

    Of course these commands must be transported by a communication protocol that provides data delivery, data integrity and security.

    The Iranians have now been monitoring the drone activities over their air space for many years and most certainly have recorded millions or billions of data exchange between drones and satellites, or drones and ground stations, and they must have guessed also that amongst all that data, there must be many many command repetitions like those I said above.

    Any information technology professional knows that if you have many samples of encrypted data with many unchangeable blocks in the data stream, you can begin a process of cryptanalysis based on those premises.

    So the Iranians could observe the drones changing direction, altitude and on and on, and make the mathematical correlation between the attitude modification and the corresponding data stream that preceded it.

    As they could never witness a “gears down” or an “engine cut off” command, they probably took control of the aircraft by overriding the communication link by a stronger signal generated nearer the plane, directed it down and forced it to belly landing on a lake, after the fuel was over.
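
The GPS/INS cross-check discussed in the article and in the comment above, as an added example that is not part of the original post or thread: a monitor compares each GPS displacement with the INS-predicted one, using a per-fix gate plus a CUSUM accumulator (a standard change-detection method chosen here for illustration), so that a slow drift staying under the gate is still flagged. All numbers, names and the 1-D motion model are constructed assumptions.

```python
# Added example (not from the original page): GPS/INS consistency monitoring.
# All values are constructed for illustration; 1-D motion, one GPS fix per second.

V_TRUE = 50.0      # true ground speed, m/s (assumed)
INS_BIAS = 0.05    # INS velocity error, m/s (assumed drift)
GATE = 5.0         # per-fix residual limit, m
SLACK = 0.2        # CUSUM allowance per fix, m (covers the expected INS error)
LIMIT = 10.0       # CUSUM alarm threshold, m


def gps_track(n, offset):
    """Constructed GPS fixes: truth + alternating +/-1 m noise + offset(k)."""
    return [V_TRUE * k + (1.0 if k % 2 == 0 else -1.0) + offset(k)
            for k in range(n)]


def monitor(fixes):
    """Compare each GPS displacement with the INS-predicted displacement.

    Returns (gate_alarm_index, cusum_alarm_index); None means no alarm.
    """
    gate_at = cusum_at = None
    s_pos = s_neg = 0.0
    for k in range(1, len(fixes)):
        ins_delta = (V_TRUE + INS_BIAS) * 1.0      # INS dead reckoning, dt = 1 s
        residual = (fixes[k] - fixes[k - 1]) - ins_delta
        if gate_at is None and abs(residual) > GATE:
            gate_at = k                            # sudden position jump
        # Two-sided CUSUM: small residuals of the same sign add up over time.
        s_pos = max(0.0, s_pos + residual - SLACK)
        s_neg = max(0.0, s_neg - residual - SLACK)
        if cusum_at is None and max(s_pos, s_neg) > LIMIT:
            cusum_at = k
    return gate_at, cusum_at


# Three constructed scenarios: honest GPS, a 200 m jump, a 0.5 m/s slow drift.
clean = monitor(gps_track(300, lambda k: 0.0))
jump = monitor(gps_track(300, lambda k: 200.0 if k >= 100 else 0.0))
drift = monitor(gps_track(300, lambda k: 0.5 * max(0, k - 100)))
```

The per-fix gate catches only the jump; the slow drift never exceeds it and is raised by the accumulator alone, which is why a consistency check against the INS needs to look at accumulated disagreement and not just the latest fix.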

  • John Williams

