Captured U.S. stealthy drone was hijacked exploiting GPS vulnerability. But hack description does not solve the mystery

Dec 15 2011 - 28 Comments

Finally, there is an explanation for the mysterious capture of the U.S. stealth drone by Iran. In an exclusive interview with the Christian Science Monitor, an Iranian engineer (speaking on condition of anonymity) working to reverse engineer the RQ-170 Sentinel, which was hacked while it was flying over the northeastern Iranian city of Kashmar, some 225 kilometers (140 miles) away from the Afghan border, says they were able to exploit a known vulnerability of the GPS.

In simple words, in a scenario that I had more or less described in my last post, which also described the known threats to the drone’s Position, Navigation and Guidance system, the Iranian electronic warfare specialists disrupted the satellite link of the American robot and then reconfigured the drone’s GPS, setting the coordinates to make it land in Iran at what the Sentinel thought was its home base in Afghanistan.

They jammed the SATCOM link and then forced the drone into autopilot reconfiguring the waypoint of the lost-link procedure to make it land where they wanted.

Such techniques were tuned by studying previously downed smaller drones, like the 4 U.S. and 3 Israeli ones that could be exhibited in Iran in the near future.

Furthermore, in explaining why the “Beast of Kandahar” showed signs of a belly landing, the engineer told CSMonitor:

“If you look at the location where we made it land and the bird’s home base, they both have [almost] the same altitude,” says the Iranian engineer. “There was a problem [of a few meters] with the exact altitude so the bird’s underbelly was damaged in landing; that’s why it was covered in the broadcast footage.”

Ok, this seems to explain almost everything.

However, to be honest, it is the last sentence that raises some questions. Landing a drone, like an airplane, on a runway with the autopilot is not only a matter of altitude. There are many other things to consider, like the runway heading, the procedure to be followed on approach to avoid specific areas, known obstacles etc.

Maybe the Iranians had identified an airport with the same runway heading, with the same elevation, with no planes interesting runways and taxiways and so on. Still, it’s hard to believe that the Sentinel did not encounter any obstacle and suffered only some (minor) damages on landing.

So I’m still not certain that, although tricked by GPS spoofing, a drone can be landed safely without taking over control even if the Iranian engineer said to CSMonitor that they made the robot

“land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center.

Not to mention that the lost-link procedure does not foresee the RQ-170 landing autonomously at its actual home base (because of the many variables, such as wind and traffic) but orbiting until the link is re-established or the fuel runs out.

Anyway, maybe it’s time for the U.S. to reconsider their drones’ equipment, countermeasures and combat operation procedures as well as Iran’s electronic and cyberwarfare capabilities.
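One countermeasure of the kind this points to, as an added example that is not from the original post or from any real drone software: reported GPS fixes are checked against an independent inertial dead-reckoning track, so a position that is pulled away a little each second still exceeds the error budget. The function names, the thresholds (a 30 m floor plus 0.5 m/s of assumed inertial drift) and both tracks are constructed assumptions.

```python
import math

EARTH_R = 6_371_000.0  # mean Earth radius in metres

def dead_reckon(pos, v_north, v_east, dt):
    """Advance (lat, lon) in degrees using inertial velocity in m/s."""
    lat, lon = pos
    dlat = math.degrees(v_north * dt / EARTH_R)
    dlon = math.degrees(v_east * dt / (EARTH_R * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon

def distance_m(a, b):
    """Flat-earth distance in metres, adequate for gaps of a few km."""
    mean_lat = math.radians((a[0] + b[0]) / 2)
    north = math.radians(b[0] - a[0]) * EARTH_R
    east = math.radians(b[1] - a[1]) * EARTH_R * math.cos(mean_lat)
    return math.hypot(north, east)

def first_gps_mismatch(start, samples, floor_m=30.0, drift_mps=0.5):
    """Index of the first GPS fix outside the inertial error budget, else None.

    The inertial track is never re-anchored to GPS here, so an offset that
    grows a little each second still accumulates against it. The budget
    (floor_m + drift_mps * elapsed) is an assumed, illustrative INS error model.
    """
    ins, elapsed = start, 0.0
    for i, (dt, vn, ve, gps) in enumerate(samples):
        ins = dead_reckon(ins, vn, ve, dt)
        elapsed += dt
        if distance_m(ins, gps) > floor_m + drift_mps * elapsed:
            return i
    return None

def constructed_track(start, n, offset_m):
    """Constructed test data: 100 m/s due north, 1 s steps; offset_m(i) is the
    eastward error in metres injected into the i-th reported GPS fix."""
    truth, out = start, []
    for i in range(n):
        truth = dead_reckon(truth, 100.0, 0.0, 1.0)
        east_deg = math.degrees(offset_m(i) / (EARTH_R * math.cos(math.radians(truth[0]))))
        out.append((1.0, 100.0, 0.0, (truth[0], truth[1] + east_deg)))
    return out

START = (10.0, 20.0)  # arbitrary constructed coordinates
noisy = constructed_track(START, 120, lambda i: 8.0 if i % 2 else -8.0)
pulled = constructed_track(START, 120, lambda i: 4.0 * max(0, i - 29))

print(first_gps_mismatch(START, noisy))   # None: ordinary GPS noise stays in budget
print(first_gps_mismatch(START, pulled))  # 42: growing offset breaks the budget
```

A monitor that only compared each fix with the previous one would accept the second track, because no single step moves by more than 4 m beyond the expected travel.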

Stay tuned.

  • Rich_Clements

    My theory with this is something you briefly mentioned in the above: if Iran already has more than one UAV, they would have looked into the way the aircraft is controlled. I wonder if all or most US UAVs use the same basic code for flight controls to save money. It’s only when the data from the base station reaches the drone itself that onboard computers put this into a specific way to control the flight surfaces.

    Now if you have this code you could write a script that could, once the GPS/SATCOM link is disrupted, reconfigure the drone with the new waypoints and land it where you want.
    Do these drones have an auto land feature? If not, someone would be controlling it from a console; now if you haven’t done it before it would be very easy to mess up the landing and damage the airframe.

    You might also remember the base stations being hacked into a few months back I wonder if this is all linked??

    Thanks for a very good blog David, I’m looking forward to further details

    • Thank you Rich,
      as far as I know these drones have not any autoland feature. However, I must admit that if we accept the theory that the minor damages to the airframe were caused by a lucky crash-landing we have to admit that an auto-landing (if avail) on a different airfield in terms of obstacles, runway heading etc. could cause the same kind of damage.

  • Alessandro Zummo

    If comms have not been hijacked, in order to have the drone fly where you want to, you should:

    a) fake the military grade signal using a complex antenna setup which presumes you know in advance the drone’s flight path

    b) track the drone position with a very high precision

    c) know its intended flight path, hoping the drone will auto land (or convince the pilot that everything is ok and have it land the aircraft)

    Even if this were possible, I believe the Iranians do not have this capability.

    If they made it, foreign countries have surely been involved (likely the Chinese or the Russians) and serious mistakes have been made on the US side.

    • I concur.
      Neither impossible nor easy.
      Generally speaking, the Serbians were able to shoot down the F-117 because during the Allied Force planners put the F117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see, if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.

  • nico

    So far, this is the most likely scenario that I have heard that is plausible. Iran didn’t have to break any codes or even really sophisticated equipment, just jam the regular GPS signal and replace it with “fake” signal. Still not that easy but I agree with Alessandro, can Iran do this? Maybe but if what you are reporting that Iran has 7 UAVs from USA and Israel is true, definitely Russia or China could help Iran and even try a few things on US drones. This is starting to make some sense, at least to me.

    My question is why does Russia or China want to alert US or Israel to such a vulnerability? This is no small feat, this has huge implications far beyond Iran, not really sure why Russia or China would just throw away such knowledge and alert USA ???

    If this is true, you will have to change the design of comms and nav systems on board drones, no more just GPS. You will have to harden systems, better and more sophisticated comms, better software and more than just GPS on board, also inertial or some other form of back up to GPS. UAVs aren’t going away but I think manned fighters are still going to last a little bit longer than some people were talking about! This means also that the price tag of UAVs is going to rise.

    Going back to the several drones that Iran has in its possession, wow!, 7 drones total is quite a lot. How many years has this been going on and are we going to see some “remains” we can’t identify? Also will these revelations hurt US and Israel, not just in case of a strike on nuclear installations but in terms of PR? Let’s face it, if this is true, this doesn’t paint a very flattering view of US and Israel. These revelations help Iran show the world or explain: “hey, we aren’t doing anything wrong, US and Israel are violating our airspace, which is illegal and we are showing to UN documents and such, the bad guys are the US and Israel.” These arguments will resonate well with a lot of people out there.

    • Yes,
      it’s weird that, after achieving such a hack, an Iranian EW engineer dared to disclose some details about it. By coincidence, this information was made public a couple of days an official US Air Force document provided details about drones’ vulnerability (and GPS spoofing was among the threats….).

  • Andy

    Seems like a credible theory, though I wonder how easy it would be to actually spoof the GPS signal, especially considering the antennas are likely on the top of the aircraft.

    The last sentence doesn’t raise too many questions for me. Assuming everything else is accurate, as long as Iran picked a spot that was level it wouldn’t surprise me if the aircraft survived the landing intact. So I wouldn’t necessarily assume it landed on a runway, especially since the Iranians took care to mask the lower half of the aircraft.

    • Yes, as said, I must admit that if we assume it survived the crash landing after running out of fuel, we have to accept that it would survive an autolanding (provided this feature is available) on a different landing strip than its home base.

  • bjoern holst jespersen

    This scenario makes sense, in the way that it doesn’t include an actual taking over the remote piloting, but “only” tricking the system.
    But why this detailed information explaining most of the oddities is given would be nice to know.
    Also one remaining question as far as I can see: wouldn’t they need to know that the (stealth) drone was there to do the trick? Or would they be able to make the procedure blindly until they got lucky?

    • I replied earlier mentioning the F117 shot down:
      “the Serbians were able to shoot down the F-117 because during the Allied Force planners put the F117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see, if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.”

  • b

    This doesn’t make much sense to me.

    As far as is known these drones do NOT land automatically for various reasons (local traffic etc).

    For start and landing they are piloted by a controller at the airfield it uses. This on a different channel than the satcom. There is much less signal delay then than per satellite and the local remote pilots are aware of the local situation. Only when up in the air do the remote pilots use the satellite connection to control the drone.

    The local line of sight UHF/VHF connection may well have less encryption than the sat communication line (again for delay) or the Iranians copied the code for that line by analyzing the comm traffic in Kandahar or from other drones.

    I still believe the Iranians used that UHF/VHF local controller channel to get the drone to the ground after they jammed the sat connection.

    Unless someone comes out explaining the alleged automatic landing feature of an RQ 170 (and how that avoids all the possible problems on a busy runway), the GPS spoof story doesn’t make sense.

    • Yes,
      this doesn’t convince me either. I don’t think an auto-land feature exists.
      For instance, landing is so dangerous that it has to be performed in Line-Of-Sight and can’t be performed in Remote Split Operations using the satellite link.

  • U

    Just for joking… would it be possible that, running out of fuel, this drone would display a parachute for soft landing (rather than featuring an improbable automated landing)? Don’t know if this is the case, as we have no idea of how the back of this drone would look like and if it can host any system like this… repeat, just for joking :)

    • Bill Smith

      It doesn’t have to have an automated landing system for the gear to be dropped by some backup safety mechanism. For example the gear is dropped when the airspeed and engine settings are below some minimum. Say at a point after the fuel was exhausted and then when it had traded all the altitude it had for airspeed.

      It’s just about all wing, the stall speed might be pretty low.

  • Wild Bill

    Maybe they were able to land the drone but could not keep it on the runway. It runs off and the landing gear digs in to the soft sand and one wing dips and shears that wing off (see patched wing) and then it noses over slightly.

    • b

      It is likely that the landing was not first-class when the Iranians did it. It was their first landing of this type of plane and that without having had any lessons on how to fly the bird.

      The wings did not detach on the landing. Looks much too smooth for that. They were taken off at the regular detachment points to transport the plane just like they get detached when the bird is flown as air-cargo from the States to Kandahar and elsewhere. This is a quite wide bird and to fit it on any regular transport (and to put it into a gym) you need to take off the wings.

      • iskandar

        I agree, you have to take off the wings. But why do you think you could reattach the wings using poly urethane foam? Only when they are polystyrene mock ups.

        And that is key: the entire thing (exhibited RQ170 drone) is polystyrene.

  • iskandar

    I think the following:

    1. Why is this drone exposed in a gym?
    2. If I were able to catch a drone intact, I would leave it intact
    3. Cutting the wings of a drone with self destruction possibly active would be suicide
    4. Putting it on exhibit on a basketball field is stupid
    5. By looking at the lines, the circle, the masonry on the background you can really make an estimate of its size: less than 15 meters wing span. The real thing is assumed to have 28 meters wingspan
    6. Looking at the high res images, one can see that the markings for screws, panels, are made by felt-tip marker
    7. The structure is so completely different from the images of the real thing
    8. The detailed images of the “sensors”in the right hand wing are compatible with the images of the ascending RQ 170 at Kandahar, but no information on the left hand wing is available on the internet


    This is a very good high school project at reproducing a physical image in polystyrene foam of the images they were supplied with. It is a complete hoax.

  • Bill Smith

    The military GPS signal is encrypted so the likelihood it can be spoofed is very, very small absent an unbelievably significant penetration into the US government’s cryptographic key distribution system. There is, however, a possibility that they aren’t using the encrypted military system but instead the civilian side. Shit happens.

  • U.S House Intelligence committee doesn’t seem to think ‘outside-interference’ was a factor…

  • iskandar

    Lets face it:
    It is a hoax.

    The “drone”is displayed on a gym floor, suitable for basketball:
    Have a look at a basketball floor dimensions:

    It is an immense joke!

    • b

      “Lets face it:
      It is a hoax.”

      That must be the reason why Obama wants it back.

  • Jeff

    The Iranians are a very capable people, take for example Lee Bzorgi, he is the current director of the Y-12 National Security Technology Center at Oak Ridge:

    So I don’t think we should underestimate their technical capabilities.

  • brad

    I know I’m late on this but I need to make a few points that you all are missing.
    1) Beings that this is a military aircraft it is likely using military grade GPS. Military grade gps is much more difficult to jam. And it can’t really be “faked out” because it is encrypted. The Iranians would have to have had the encryption key, which is extremely unlikely because these keys have the same level of security classification as the project itself (Secret or Top Secret).
    2) Autonomous landing of a UAV is a relatively simple task, and almost all of our modern systems are capable of it. We are currently developing a drone that can land autonomously on an aircraft carrier.
    3) The most likely scenario is that there was some sort of software glitch that put the aircraft into auto-land mode.
    4) Even if the Iranians were able to detect the aircraft, it is extremely unlikely that they were able to hijack it. Everything on that aircraft is encrypted. And if they do have other U.S drones in their possession, they would be of limited value to them. All systems of this type have “anti-tamper” technology on them. This basically means in the event of a failure or crash, all of the electronics are fried to prevent the enemy from obtaining the code and reverse engineering or exploiting vulnerabilities.
    5) Iran just got lucky, they had nothing to do with this aircraft crashing.

  • d

    that bird had tainted gear on it and was steered right into iranian airspace. the exploit was allowed. christians in action aren’t stupid…

  • jarvis

    The drone should have been flying autonomously.

  • Elmo Cotton

    Probably the greatest Trojan Horse deception since the original. It was delivered to them intact
    so the GPS and low freq TX molded into the wing will work properly. All drones captured or shot down by Iranians were followed by the same US official response. This drone “capture” was followed by an unusual response from the US. Iran took it hook, line and sinker-