Captured U.S. stealthy drone was hijacked exploiting GPS vulnerability. But hack description does not solve the mystery

Eventually there is an explanation for the mysterious capture of the U.S. stealth drone by Iran. In an exclusive interview to the Christian Science Monitor, an  Iranian engineer (on condition of anonymity) working to reverse engineer the RQ-170 Sentinel hacked while it was flying over the northeastern Iranian city of Kashmar, some 225 kilometers (140 miles) away from the Afghan border, says they were able to exploit a known vulnerability of the GPS.

In simple words, in a scenario that I had more or less described in my last post which described also the known threats to the drone’s Position, Navigation and Guidance system, the Iranain electronic warfare specialist disrupted the satellite link of the American robot and then reconfigured the drone’s GPS setting the coordinates to make it land in Iran at what the Sentinel thought it was its home base in Afghanistan.

They jammed the SATCOM link and then forced the drone into autopilot reconfiguring the waypoint of the lost-link procedure to make it land where they wanted.

Such techniques were tuned by studying previously downed smaller drone, like the 4 U.S. and 3 Israeli that could be exhibited in Iran in the next future.

Furthermore, in explaining why the “Beast of Kandahar” had signs of belly landing the engineer said to CSMonitor:

“If you look at the location where we made it land and the bird’s home base, they both have [almost] the same altitude,” says the Iranian engineer. “There was a problem [of a few meters] with the exact altitude so the bird’s underbelly was damaged in landing; that’s why it was covered in the broadcast footage.”

Ok, this seems to explain almost everything.

However, to be honest, it is the last sentence that raises some questions. Landing a drone, as well as an airplane, with the autopilot on a runway it’s not only a matter of altitude. There are many other things to consider, like the runway heading, the procedure to be followed on approach to avoid specific areas, known obstacles etc.

Maybe the Iranians had identified an airport with the same runway heading, with the same elevation, with no planes interesting runways and taxiways and so on. Still, it’s hard to believe that the Sentinel did not encounter any obstacle and suffered only some (minor) damages on landing.

So I’m still not certain that, although tricked by GPS spoofing, a drone can be landed safely without taking over control even if the Iranian engineer said to CSMonitor that they made the robot

“land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center.

Without considering that the lost-link procedure does not foresse the RQ-170 landing autonomously at his actual homebase (because of the many variables, such as wind and traffic) but orbiting until link is re-established or fuel finishes.

Anyway, maybe it’s time for the U.S. to reconsider their drones’ equipment, countermeasures and combat operation procedures as well as Iran’s electronic and cyberwarfare capabilities.

Stay tuned.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link (click and scroll down): https://theaviationist.com/category/captured-stealth-drone/
About David Cenciotti
David Cenciotti is a freelance journalist based in Rome, Italy. He is the Founder and Editor of “The Aviationist”, one of the world’s most famous and read military aviation blogs. Since 1996, he has written for major worldwide magazines, including Air Forces Monthly, Combat Aircraft, and many others, covering aviation, defense, war, industry, intelligence, crime and cyberwar. He has reported from the U.S., Europe, Australia and Syria, and flown several combat planes with different air forces. He is a former 2nd Lt. of the Italian Air Force, a private pilot and a graduate in Computer Engineering. He has written five books and contributed to many more ones.

10 Comments

  1. My theory with this is something you briefly mentioned in the above, If Iran already has more then one UAV, they would have looked into the way the aircraft is controlled. I wonder if all or most US UAV’s use the same basic code for flight controls to save money. It’s only when the data from the base station that reaches the drone itself that onboard computers put this into a specific way to control the flight surfaces.

    Now if you have this code you could write a script that could once the GPS/SATCOM link is disrupted reconfigure the drone with the new waypoints and land it where you want.
    DO these drone have an auto land feature? if not someone would be controlling it from a consol, now if you haven’t done it before it would be very easy to mess up the landing and damage the airframe.

    You might also remember the base stations being hacked into a few months back I wonder if this is all linked??

    Thanks for a very good blog David, I’m looking forward to further details

    • Thank you Rich,
      as far as I know these drones have not any autoland feature. However, I must admit that if we accept the theory that the minor damages to the airframe were caused by a lucky crash-landing we have to admit that an auto-landing (if avail) on a different airfield in terms of obstacles, runway heading etc. could cause the same kind of damage.

  2. If comms have not been hijacked, in order to have the drone fly where you want to, you should:

    a) fake the military grade signal using a complex antenna setup which presumes you know in advance the drone’s flight path

    b) track the drone position with a very high precision

    c) know its intended flight path, hoping the drone will auto land (or convince the pilot that everything is ok and have it land the aircraft)

    Even if this were possible, I believe the iranians do not have this capability.

    If they made it, foreign countries have surely been involved (likely the chinese or the russians) and serious mistakes have been made on the US side.

    • I concur.
      Neither impossible nor easy.
      Generally speaking, the Serbians were able to shot down the F-117 because during the Allied Force planners put the F117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see, if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.

  3. So far, this is the most likely scenario that I have heard that is plausible. Iran didn’t have to break any codes or even really sophisticated equipment, just jam the regular GPS signal and replace it with “fake” signal. Still not that easy but I agree with Alessandro, can Iran do this? Maybe but if what you are reporting that Iran has 7 UAVs from USA and Israel is true, definitely Russia or China could help Iran and even try a few things on US drones. This is starting to make some sense, at least to me.

    My question is why does Russia or China want to alert US or Israel to such a vulnerability? This is no small feat, this has huge implications far beyond Iran, not really sure why Russia or China would just throw away such knowledge and alert USA ???

    If this true, you will have to change the design of comms and nav systems on board drones, no more just GPS. You will have to harden systems, better and more sophisticated comms, better software and more than just GPS on board, also inertial or some other form of back up to GPS. UAV’s aren’t going away but I think manned fighters are still going to last a little bit longer than some people were talking about! This mean’s also that the price tag of UAV’s is going to raise.

    Going back to the several drones that Iran has in it’s possession, wow!, 7 drones total is quite a lot. How many years has this been going on and are we going to see some “remains” we can’t identify? Also will these revelations hurt US and Israel,not just in case of a strike on nuclear installations but in terms of PR? Let’s face it, if this is true, this doesn’t paint a very flattering view of US and Israel. These revelations help Iran show the world or explain : “hey, we aren’t doing anything wrong, US and Israel are violating our airspace, which is illegal and we are showing to UN documents and such, the bad guys are the US and Israel.” These arguments will resonate well with a lot of people out there.

    • Yes,
      it’s weird that, after achieving such a hack, an Iranian EW engineer dared to disclose some details about it. By coincidence, this information was made public a couple of days an official US Air Force document provided details about drones’ vulnerability (and GPS spoofing was among the threats….).

  4. Seems like a credible theory, though I wonder how easy it would be to actually spoof the GPS signal, especially considering the antennas are likely on the top of the aircraft.

    The last sentence doesn’t raise too many questions for me. Assuming everything else is accurate, as long as Iran picked a spot that was level it wouldn’t surprise me if the aircraft survived the landing intact. So I wouldn’t necessarily assume it landed on a runway, especially since the Iranian’s too care to mask the lower half of the aircraft.

    • Yes, as said, I must admit that if we assume it survived the crash landing after running out of fuel, we have to accept that it would survive an autolanding (provided this feature is available) on a different landing strip than its home base.

  5. This scenario makes sense, in the way that it doesn’t include an actual taking over the remote piloting, but “only” tricking the system.
    But why this detailed information explaining most of the oddities is given would be nice to know.
    Also one remaining question as fare as I can see: wouldn’t they need to know that the (stealth) drone was there to do the trick? Or would they be able to make the procedure blindly until they got lucky?

    • I replied earlier mentioning the F117 shot down:
      “the Serbians were able to shot down the F-117 because during the Allied Force planners put the F117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see, if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.”

Comments are closed.