Even if the story that the U.S. stealthy RQ-170 Sentinel drone captured by Iran was hijacked using a GPS spoofing attack is based on known facts and vulnerabilities highlighted in Air Force official documents, the “ambush”, as detailed by an Iranian Electronic Warfare engineer to the Christian Science Monitor, contains some controversial points.
First of all, the lost-link procedure does not foresse the RQ-170 landing autonomously at his actual homebase (because of the many variables, such as wind and traffic) but orbiting until link is re-established or the drone runs out of fuel.
For instance, even under Remote Split Operations, landing is performed in Line Of Sight by the local ground control station: latency induced by the SATCOM link is not compatible with the last phases of the flight when immediate reactions of the robot’s control surfaces to the inputs given remotely by the pilot are required to safely bring the drone on the ground.
Furthermore, provided that the autolanding is used in the lost-link events, it is not that easy to land the drone on a different landing field than its homebase without causing major damages.
Finally, it seems quite weird that any insider so proud to have achieved a hack of the most secret U.S. unmanned aerial system (UAS) could be at the same time so uncautious to give the details of the entire operation to the public domain, with the first and most obvious consequence of not being able to repeat it in the future. Unless, the type of attack they have described is all but unexpected but very well known because highlighted in the above mentioned official documents.
So, I’ve asked once again my friend Ugo Crisponi to put on a nice infographic what I think may have happened on Dec. 4, 2011, when the drone was “downed”, based on all the details I was able to collect so far.
Here it is:
I think the drone’s link with Creech AFB was disrupted using jamming. How did the Iranians know the “Beast of Kandahar” was in the vicinity if they couldn’t see it on the radar? They may have intensified jamming around uranium enrichment sites.
Serbians were able to shot down the F-117 because during the Allied Force planners put the F117s on repetitive routings. Stealth planes are not invisible. They are extremely difficult to see, if you don’t know where they are and you are not close enough to track them. Maybe something similar happened in Iran.
I think that Iran played a role in the crash landing simply because they were able to recover it. If they hadn’t known where the drone had landed they would not have been able to get their hands on it.
Once the link was lost, as per procedure, the drone started an series of racetracks/orbits waiting for the signal to be re-established. In this phase, maybe the Iranians were able to spoof the onboard GPS and guide the drone in the wrong direction. Nevertheless this would mean that the most important American drone relies only on the GPS for navigational purposes and doesn’t use an INS (Inertial Navigation System) platform. Indeed even some GPS-guided bombs as the JDAM (Joint Direct Attack Munition) use anti-jamming and anti-GPS spoofing systems, some of those are based on simple inertial measurement units.
Then, when the Sentinel ran out of fuel, it crashed. Even though it was not mentioned before, there’s a possibility that the drone survived the impact because it was equipped with a safety chute. In fact, I’ve noticed a mysterious hatch on the top of the RQ-170, that, among other things could host the parachute used to safe the precious drone.
It’s obviously a speculation because such a chute could safe the airframe but could also preserve it for the enemy when the drone runs out of fuel during a mission behind the enemy lines. As happened in Iran.
Look at the following video.
The “beast” has an operational weight of some 10,000 pounds. That would require a huge parachute or multiple smaller ones. I find it unlikely that such a machine would carry so much dead-weight with it only for the case of an emergency.
My latest thoughts on this
Thank you for linking up all of your articles on drones. I was able to make a high quality pdf out of your most excellent collection of essays. I’m getting the idea you are trying to sell books made out of paper and ink. Why aren’t you marketing electronic books on Amazon and Barnes and Noble? A substantial number of people, novelists mostly, have made millions by selling their books at a dollar a copy. Why not you?
thank you. Can you please send me the hi-quality pdf of my articles? It could be useful for me too :)
I’ve never thought of marketing electronic books, but I think I will have to consider it. If you some advice please let me know.
The number of thinkable scenarios keeps rising ;o) As a sketch I like this one too, but there are a couple of questions that could be relevant:
a) if the drone was made to circle until it ran out of fuel. How long would that have taken? Time enough for US to take action in some way?
b) in order for this scenario to be a deliberate “downing” the Iranian army would need to know that the drone had a chute.
If there was a chute then one or more of these hatches has to have been opened.
I’m sceptical. I would expect to see a “double hatch” and I would expect it to show somehow that they had been opened.
I don’t think that an INS, “per se”, would invalidade the GPS spoofing explanation.
Even if it has an INS (quite shure) they could have induced a GPS “error” smaller than the expected INS error at a very low slew rate what would force the INS to recalibrate according to the fake GPS signal.
Before someone says it may have RDF/ADF system too to make a coarse “reality check”, I agree with bjorn, “scenarios keeps rising”.
One thing is for shure, they have an american drone, otherwise the Obama would not ask for the return of it.
If it was not an GPS spoofing, follows my guess on how they could have taken control of the Sentinel.
These things are controlled by operators thousands of miles away by geo satellite links, so there is a significant communication time lag between operators sending a command and the drone responding to it. The operator has to send commands in a very ordered way and wait for the attitude response from the drone to see if it has responded correctly. That may take some non-negligible fractions of a second. So, I think, these aircrafts are not piloted in a “normal” way, lets say, the operator does not control the aerodynamic surfaces directly by a joystick (although I think there are this option for shorter links), but by sending commands like, “turn left 35 degrees”, or “change altitude minus 1000 ft” and so on.
Of course these commands must be transported by a communication protocol that provides data delivery, data integrity and security.
The Iranians have now been monitoring the drone activities over their air space for many years and most certainly have recorded millions or billions of data exchange between drones and satellites, or drones and ground stations, and they must have guessed also that amongst all that data, there must be many many command repetitions like those I said above.
Any information technology professional knows that if you have many samples of encrypted data with many unchangeable block in the data stream, you can begin a processes of cryptanalysis based on those premises.
So the Iranians could observe the drones changing direction, altitude and on and on, and to make the mathematical correlation between the attitude modification and the corresponding data stream that preceded it.
As they could never witness a “gears down” or an “engine cut off” command, they probably took control of the aircraft by overriding the communication link by a stronger signal generated nearer the plane, directed it down and forced it to belly landing on a lake, after the fuel was over.
I’ve been telling my students repeatedly that the key to runaway success in real estate investing is to have a solid understanding how to utilize a few creative investing techniques so that they can capitalize on the opportunities available in today’s market. One tool you need to add to your toolkit if you haven’t already is the subject to deal.