Captured U.S. stealthy drone was hijacked exploiting GPS vulnerability. But hack description does not solve the mystery

Eventually there is an explanation for the mysterious capture of the U.S. stealth drone by Iran. In an exclusive interview to the Christian Science Monitor, an  Iranian engineer (on condition of anonymity) working to reverse engineer the RQ-170 Sentinel hacked while it was flying over the northeastern Iranian city of Kashmar, some 225 kilometers (140 miles) away from the Afghan border, says they were able to exploit a known vulnerability of the GPS.

In simple words, in a scenario that I had more or less described in my last post which described also the known threats to the drone’s Position, Navigation and Guidance system, the Iranain electronic warfare specialist disrupted the satellite link of the American robot and then reconfigured the drone’s GPS setting the coordinates to make it land in Iran at what the Sentinel thought it was its home base in Afghanistan.

They jammed the SATCOM link and then forced the drone into autopilot reconfiguring the waypoint of the lost-link procedure to make it land where they wanted.

Such techniques were tuned by studying previously downed smaller drone, like the 4 U.S. and 3 Israeli that could be exhibited in Iran in the next future.

Furthermore, in explaining why the “Beast of Kandahar” had signs of belly landing the engineer said to CSMonitor:

“If you look at the location where we made it land and the bird’s home base, they both have [almost] the same altitude,” says the Iranian engineer. “There was a problem [of a few meters] with the exact altitude so the bird’s underbelly was damaged in landing; that’s why it was covered in the broadcast footage.”

Ok, this seems to explain almost everything.

However, to be honest, it is the last sentence that raises some questions. Landing a drone, as well as an airplane, with the autopilot on a runway it’s not only a matter of altitude. There are many other things to consider, like the runway heading, the procedure to be followed on approach to avoid specific areas, known obstacles etc.

Maybe the Iranians had identified an airport with the same runway heading, with the same elevation, with no planes interesting runways and taxiways and so on. Still, it’s hard to believe that the Sentinel did not encounter any obstacle and suffered only some (minor) damages on landing.

So I’m still not certain that, although tricked by GPS spoofing, a drone can be landed safely without taking over control even if the Iranian engineer said to CSMonitor that they made the robot

“land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center.

Without considering that the lost-link procedure does not foresse the RQ-170 landing autonomously at his actual homebase (because of the many variables, such as wind and traffic) but orbiting until link is re-established or fuel finishes.

Anyway, maybe it’s time for the U.S. to reconsider their drones’ equipment, countermeasures and combat operation procedures as well as Iran’s electronic and cyberwarfare capabilities.

Stay tuned.

This, along with all the previous articles on the Sentinel drone in Iran, can be found at the following link (click and scroll down): https://theaviationist.com/category/captured-stealth-drone/
About David Cenciotti
David Cenciotti is a freelance journalist based in Rome, Italy. He is the Founder and Editor of “The Aviationist”, one of the world’s most famous and read military aviation blogs. Since 1996, he has written for major worldwide magazines, including Air Forces Monthly, Combat Aircraft, and many others, covering aviation, defense, war, industry, intelligence, crime and cyberwar. He has reported from the U.S., Europe, Australia and Syria, and flown several combat planes with different air forces. He is a former 2nd Lt. of the Italian Air Force, a private pilot and a graduate in Computer Engineering. He has written five books and contributed to many more ones.

9 Comments

  1. This doesn’t make much sense to me.

    As far as is known these drones do NOT land automatically for various reasons (local traffic etc).

    For start and landing they are piloted by a controller at the airfield it uses. This on a different channel than the satcom. There is much less signal delay then than per satellite and the local remote pilots are aware of the local situation. Only when up in the air do the remote pilots use the satellite connection to control the drone.

    The local line of sight UHF/VHF connection may well have less encryption than the sat communication line (again for delay) or the Iranians copied the code for that line by analyzing the comm traffic in Kandahar or from other drones.

    I still believe the Iranians used that UHF/VHF local controller channel to get the drone to the ground after they jammed the sat connection.

    Unless someone comes out explaining the alleged automatic landing feature of an RQ 170 (and how that avoids all the possible problems on a busy runway, the GPS spoof story doesn’t make sense.

    • Yes,
      this doesn’t convince me either. I don’t think an auto-land feature exists.
      For instance, landing is so dangerous that it has to be performed in Line-Of-Sight and can’t be performed in Remote Split Operations using the satellite link.

  2. Just for joking….would be possible that running out of fuel this drone would display a parachute for soft landing (rather than featuring an improbable automated landing)?. Don’t know if this is the case, as we have no idea of how the back of this drone would look like and if it can host any of system like this….reapeat just for joking :)

    • It doesn’t have to have an automated landing system for the gear to be dropped by some backup safety mechanism. For example the gear is dropped when the airspeed and engine settings are below some minimum. Say at a point after the fuel was exhausted and then when it had traded all the altitude it had for airspeed.

      It’s just about all wing, the stall speed might be pretty low.

  3. Maybe they were able to land the drone but could not keep it on the runway. It runs off and the landing gear digs in to the soft sand and one wing dips and shears that wing off (see patched wing) and then it noses over slightly.

    • It is likely that the landing was not first-class when the Iranians did it. It was their first landing of this type of plane and that without having had any lessons on how to fly the bird.

      The wings did not detach on the landing. Looks much too smooth for that. They were taken off at the regular detachment points to transport the plane just like they get detached when the bird is flown as air-cargo from the States to Kandahar and elsewhere. This is a quite wide bird and to fit it on any regular transport (and to put it into a gym) you need to take off the wings.

      • I agree, you have to take off the wings. But why do you think you could reattach the wings using poly urethane foam? Only when they are polystyrene mock ups.

        And that is key: the entire thing (exhibited RQ170 drone) is polystyrene.

  4. I think the following:

    1. Why is this drone exposed in a gym?
    2. If I were able to catch a drone intact, I would leave it intact
    3. Cutting the wings of a drone with self destruction possibly active would be suicide
    4. Putting it on exhibit on a basketball field is stupid
    5. By looking at the lines, the circle, the masonry on the background you can really make an estimate of its size: less than 15 meters wing span. The real thing is assumed to have 28 meters wingspan
    6. Looking at the high res images, one can see that the markings for screws, panels, are made by felt-tip marker
    7. The structure is so completely different from the images of the real thing
    8. The detailed images of the “sensors”in the right hand wing are compatible with the images of the ascending RQ 170 at Kandahar, but no information on the left hand wing is available on the internet

    Conclusion:

    This is a very good high school project at reproducing a physical image in polystyrene foam of the images they were supplied with. It is a complete hoax.

  5. The military GPS signal is encrypted so the likelihood it can be spoofed is very, very small absent a unbelievably significant penetration into the US governments cryptographic key distribution system. There is, however, a possibility that they aren’t using the encrypted military system but instead the civilian side. Shit happens.

Comments are closed.