Tag Archives: Operation Neptune’s Spear

Unknown hatch on captured U.S. stealth drone raises questions

The amout of contribution I receive each time I publish a blog post on the stealth drone now part of Iran’s asset is amazing. For instance, yesterday, few minutes after publishing the Infographic that I used to explain how the drone was captured (a theory based on the known facts to date), I got an email from Dave Krakow with an interesting drawing he sent me to show how the mysterious hatch on the top of the RQ-170 Sentinel, it’s not up to the typical American Aerospace standards. “The details are imprecise, nothing like Lockheed Martin products.”

Image courtesy: Dave Krakow

Dave believes the thing shown by Iranians was possibly constructed previously, for radar signature research, with details added in a hurry for cameras. “A lot of the commentary on the web regarding general accuracy assumes Iranian intelligence has only the same photos we have on the internet, and thus they could only know certain details if they had an original.  I don’t think this is a reasonable assumption” he wrote to me.

For sure, as highlighted in the above image, the mysterious “top hatch” (that I supposed could be used to deploy a recovery chute) features some oddities. Some of them in particular, raise questions. However the angle of the camera, the effect of the zoom, and many other contributing factors (lights, shadows, image compression etc) may have affected the quality of the footage shown on Iran State TV rendering, for example, fasteners seemingly randomly spaced.

Furthermore, there’s still a chance that Iranians worked on the Sentinel after they recovered it: maybe they tried to get access to the internal hardware, removed panels to inspect lenses, memories to look for interesting data or to disable any self-destruction mechanisms or Emergency Locator-like systems, in order to prevent the Americans from locating or destroying it.

Nevertheless, we can’t rule out the possibility that the one showcased in what looked like a school in Kashmar was actually obtained by melting pieces belonging to various wrecked Sentinels that Iran has downed in the past, even if this would imply that the U.S. have already lost two or more “Beast of Kandahar” robots in Iran! By the way, Iran has recently announced it will show the remains of three U.S. and four Israeli drones downed in the last years while spying on Iran’s nuclear program.

Someone argued that a deployed recovery chute would have confirmation only if hatch doors were opened but I’ve already given a possible explaination for the fact that they were closed.

Someone suggested the drone is too clean for a crash landing, however, if a recovery chute made its crash landing soft, I would expect a damaged belly, as the hidden bottom of the drone seems to confirm.

Stay tuned.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link (click and scroll down): http://theaviationist.com/category/captured-stealth-drone/

Infographic: how the U.S. top secret stealth drone was captured by Iran

Even if the story that the U.S. stealthy RQ-170 Sentinel drone captured by Iran was hijacked using a GPS spoofing attack is based on known facts and vulnerabilities highlighted in Air Force official documents, the “ambush”, as detailed by an Iranian Electronic Warfare engineer to the Christian Science Monitor, contains some controversial points.

First of all,  the lost-link procedure does not foresse the RQ-170 landing autonomously at his actual homebase (because of the many variables, such as wind and traffic) but orbiting until link is re-established or the drone runs out of fuel.

For instance, even under Remote Split Operations, landing is performed in Line Of Sight by the local ground control station: latency induced by the SATCOM link is not compatible with the last phases of the flight when immediate reactions of the robot’s control surfaces to the inputs given remotely by the pilot are required to safely bring the drone on the ground.

Furthermore, provided that the autolanding is used in the lost-link events, it is not that easy to land the drone on a different landing field than its homebase without causing major damages.

Finally, it seems quite weird that any insider so proud to have achieved a hack of the most secret U.S. unmanned aerial system (UAS) could be at the same time so uncautious to give the details of the entire operation to the public domain, with the first and most obvious consequence of not being able to repeat it in the future. Unless, the type of attack they have described is all but unexpected but very well known because highlighted in the above mentioned official documents.

So, I’ve asked once again my friend Ugo Crisponi to put on a nice infographic what I think may have happened on Dec. 4, 2011, when the drone was “downed”, based on all the details I was able to collect so far.

Here it is.

I think the drone’s link with Creech AFB was disrupted using jamming. How did the Iranians know the “Beast of Kandahar” was in the vicinity if they couldn’t see it on the radar? They may have intensified jamming around uranium enrichment sites.

Serbians were able to shot down the F-117 because during the Allied Force planners put the F117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see, if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.

I think that Iran played a role in the crash landing simply because they were able to recover it. If they hadn’t known where the drone had landed they would not have been able to get their hands on it.

Once the link was lost, as per procedure, the drone started an series of racetracks/orbits waiting for the signal to be re-established. In this phase, maybe the Iranians were able to spoof the onboard GPS and guide the drone in the wrong direction. Nevertheless this would mean that the most important American drone relies only on the GPS for navigational purposes and doesn’t use an INS (Inertial Navigation System) platform. Indeed even some GPS-guided bombs as the JDAM (Joint Direct Attack Munition) use anti-jamming and anti-GPS spoofing systems, some of those are based on simple inertial measurement units.

Then, when the Sentinel ran out of fuel, it crashed. Even though it was not mentioned before, there’s a possibility that the drone survived the impact because it was equipped with a safety chute. In fact, I’ve noticed a mysterious hatch on the top of the RQ-170, that, among other things could host the parachute used to safe the precious drone.

It’s obviously a speculation because such a chute could safe the airframe but could also preserve it for the enemy when the drone runs out of fuel during a mission behind the enemy lines. As happened in Iran.

Look at the following video.

Stay tuned.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link (click and scroll down): http://theaviationist.com/category/captured-stealth-drone/

Captured U.S. stealthy drone was hijacked exploiting GPS vulnerability. But hack description does not solve the mystery

Eventually there is an explanation for the mysterious capture of the U.S. stealth drone by Iran. In an exclusive interview to the Christian Science Monitor, an  Iranian engineer (on condition of anonymity) working to reverse engineer the RQ-170 Sentinel hacked while it was flying over the northeastern Iranian city of Kashmar, some 225 kilometers (140 miles) away from the Afghan border, says they were able to exploit a known vulnerability of the GPS.

In simple words, in a scenario that I had more or less described in my last post which described also the known threats to the drone’s Position, Navigation and Guidance system, the Iranain electronic warfare specialist disrupted the satellite link of the American robot and then reconfigured the drone’s GPS setting the coordinates to make it land in Iran at what the Sentinel thought it was its home base in Afghanistan.

They jammed the SATCOM link and then forced the drone into autopilot reconfiguring the waypoint of the lost-link procedure to make it land where they wanted.

Such techniques were tuned by studying previously downed smaller drone, like the 4 U.S. and 3 Israeli that could be exhibited in Iran in the next future.

Furthermore, in explaining why the “Beast of Kandahar” had signs of belly landing the engineer said to CSMonitor:

“If you look at the location where we made it land and the bird’s home base, they both have [almost] the same altitude,” says the Iranian engineer. “There was a problem [of a few meters] with the exact altitude so the bird’s underbelly was damaged in landing; that’s why it was covered in the broadcast footage.”

Ok, this seems to explain almost everything.

However, to be honest, it is the last sentence that raises some questions. Landing a drone, as well as an airplane, with the autopilot on a runway it’s not only a matter of altitude. There are many other things to consider, like the runway heading, the procedure to be followed on approach to avoid specific areas, known obstacles etc.

Maybe the Iranians had identified an airport with the same runway heading, with the same elevation, with no planes interesting runways and taxiways and so on. Still, it’s hard to believe that the Sentinel did not encounter any obstacle and suffered only some (minor) damages on landing.

So I’m still not certain that, although tricked by GPS spoofing, a drone can be landed safely without taking over control even if the Iranian engineer said to CSMonitor that they made the robot

“land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center.

Without considering that the lost-link procedure does not foresse the RQ-170 landing autonomously at his actual homebase (because of the many variables, such as wind and traffic) but orbiting until link is re-established or fuel finishes.

Anyway, maybe it’s time for the U.S. to reconsider their drones’ equipment, countermeasures and combat operation procedures as well as Iran’s electronic and cyberwarfare capabilities.

Stay tuned.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link (click and scroll down): http://theaviationist.com/category/captured-stealth-drone/

"Three U.S. and four Israeli drones captured in Iran to be put on display soon": Tehran Times says. "Downed" RQ-170 saga continues

Tehran Times reported that Iran is about to put on display “foreign spy drones in Iran’s possession” within an exhibition that will also showcase the “latest domestically manufacture electronic warfare equipment”, and national reporters and foreign ambassadors will be allowed to visit them.

According to a source close to the Iranian newspaper, the foreign robots in the hands of the  ayatollahs’ regime are three U.S. and four Israeli drones.

“the four Israeli drones that are now in Iran’s possession had violated the country’s airspace along the eastern borders, and the three U.S. unmanned aircraft had penetrated into the country’s airspace along either the eastern or southern border.”

The news arrives in the aftermath of the capture of a stealth RQ-170 Sentinel, so far considered the most advanced (known) U.S. drone, the first to be displayed after several claims of American ‘bots downed while spying uranium enrichment sites as part of the covert war against Iran’s nuclear program.

Interestingly, the same article discloses for the first time what everyone already knew: a number of countries have reportedly asked for permission to inspect the “Beast of Kandahar”.

While waiting for new images to analyze, there are still many questions to be answered about the capture of the stealthy Sentinel.

An interesting document titled “Report on Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare”  published by the U.S. Air Force Scientific Advisory Board in April 2011 and made available by Public Intelligence a couple of days ago, provides some interesting (and official) assesement about the reliability of the communication link between the drone and the ground control station.

According to the document, U.S. drone are subject to the following threats (excerpt):

  • Jamming of commercial satellite communications (SATCOM) links is a widely available technology.  It can provide an effective tool for adversaries against data links or as a way for comma nd and control (C2) denial.
  • Operational needs may require the use of  unencrypted data links to provide broadcast services to ground troops without security  clearances.  Eavesdropping on these links is a known exploit that is  available to adversaries for extremely low cost.
  • Spoofing or hijacking links that can lead to damaging missions, or even to platform loss.

Dealing with the threat to Position, Navigation and Guidance the documents undelines that:

“There is a wide range of methods that a determined adversary can use for  attacking RPA guidance and navigation systems.  The report mentions here only three  categories of threats without going into the details:

  • Small, simple GPS noise jammers can be  easily constructed and employed by an unsophisticated adversary and would be  effective over a limited RPA operating area.
  • GPS repeaters are also available for corrupting navigation capabilities of RPAs.
  • Cyber threats represent a major challenge for future RPA operations.  Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.”

So, what may have happened to the Sentinel?

We can only speculate. The drone may have suffered a lost-link event because of a technical failure (link losses occurs every now and then) or an attack from Iran. Following the loss of satellite link, the procedure foresees that the drone switches to automatic flying and heads towards a preplanned set of waypoints to fly a loop until link is re-established or fuel finishes (with consequent crash).

As I think (and hope) that the preplanned waypoint for lost-link procedure for a mission inside the enemy airspace is set inside the friendly airspace (in order to prevent it from crashing “behind the enemy lines”) I can’t explain why the drone crashed in Iran and not in Afghanistan.

Unless, Iran was really able to corrupt the stealthy robot’s navigational system using jammers and rogue GPS repeaters guiding it in the wrong direction.

04:00PM GMT Dec 15 update

Something that came to my mind while discussing this post with Guido Olimpio, Corriere della Sera correspondent from the U.S.: Tehran is going to show the remains of 7 drones (4 American and 3 Israeli robots) “downed” in Iran. But, if they were flying inside the Iranian airspace they had to be stealth ones.  Shall we expect something never seen before?

BTW: the exhibition could something like the Tishreen War Panorama museum in Damascus, Syria, that I visited few years ago, where wreckage of Israeli planes and parts of them, were showcased.

Stay tuned.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link: http://theaviationist.com/category/captured-stealth-drone/

How many U.S. stealthy drones were actually lost in Iran? New theories about the "downed" RQ-170 surface

Iran will clone and maybe improve the U.S. RQ-170 drone captured on Dec. 4, during a surveillance mission inside the Iranian airspace. One of the few certain facts is that Iran will reverse-engineer the “Beast of Kandahar” and “launch production of their own drone.”

That’s what Vice-Chairman of the parliament’s National Security and Foreign Policy Commission Hossein Ebrahimi told Fars News Agency on Sunday. A statement that made the news but that did not come unexpected, since every single piece of a stealthy weapon system can be used to study and copy advanced technologies, as happened for the Stealth Black Hawk which crash landed at Abbottabad during the Osama Bin Laden raid.

If few metal chunks can give some information about the way a stealth plane was designed, an almost intact drone can give a lot more information. Although the internal memories were (probably) automatically erased as a consequence of the loss of control procedure and data will never been recovered, the circuitry, lenses, memories and sensors are still there and can be evaluated, tested and copied. And, maybe, improved, with the help of some interested third parties (Russia and China).

Anyway, many new theories are trying to explain what really happened to the Sentinel captured in Iran. Some visitors pointed me to a youtube video that was also included in an interesting post by Aviationintel.com, showing a Global Hawk drone crashing at China Lake range. The footage shows the Unmanned Aerial Systems spinning after departing controlled flight until crashing into the ground.

Drones as the Global Hawk or the RQ-170 are made of composite materials and land quite gently on the ground because their surfaces produce a huge amout of lift that tends to drag it in the descent. Even if I can’t be sure, I think that a falling Sentinel, spinning like the China Lake RQ-4, would be extensively damaged. Much more than the slightly damaged Sentinel we have seen in a gymnasium few days ago.

Unless the one showcased by the Iranians (possibly here) is an RQ-170 obtained by melting pieces belonging to various wrecked Sentinels, as suggested by Nico, a reader of this blog. An intriguing theory, coherent with all previous claims (not backed by photographic evidences) that Iran has downed no less than 4 four U.S. drones in the last 12 months but quite worrying since it would imply that the U.S. have already lost a significant amount of spy robots in Iran.

Even if the captured one raised many questions, I tend to believe it is a single Sentinel (version could be slightly different from the example seen at Kandahar in 2009), lost for unknown reasons (maybe a technical failure) and crash landed deep inside the Iranian territory so gently to remain almost intact. Iranian military were able to locate and secure it before the U.S. team could locate and destroy it.

That’s it. All the rest is just an attempt from both sides to hide operational flaws or make propaganda.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link: http://theaviationist.com/category/captured-stealth-drone/