The RQ170 Affair: Spoofing, Jamming, and The GBAS

Sunday, December 18, 2011

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

The RQ-170 Affair and GPS Spoofing Claims

So, there has been a lot of supposition on the blogs and in the news about just how our wayward RQ170 drone ended up pretty much intact and in the hands of the Iranians.

In looking at all of the posts online and in the news as well as talking to a knowledgeable source or two, I decided to attempt a little OSINT on the issue and I think I have come up with some more tidbits for everyone to think about.

I believe that there is a middle road here to be tread on just how this happened and I would like to think that the potential for such an attack on a drone like this would be hard to pull off, AND that the military and Lockheed had taken into account such attacks before deploying things into the field... (click image to enlarge)

image

But, we all know mistakes are made and hubris abounds. So, here we go…

The Potential for GPS Spoofing on Military Systems

After the RQ went missing, and subsequently showed up in Iranian hands, the Military began saying that there was just a “malfunction” however, the malfunction had to have been system wide and epic after seeing the images of the RQ170 intact.

You see, there is a self destruct as well as other interesting features on this bird, and if that failed then there had to be a large systems failure, but the question then became why was the RQ still intact? If the systems had failed completely, should not the RQ be in pieces at the very least from falling out of the sky?

After a week or so, a report came out of Iran from a “source” that claimed the RQ had in fact been brought down and landed without incident through a GPS attack on a flaw in the system. This type of attack had been talked about before and it was possible per empirical testing that a GPS system, even a Military one, could in fact be subjected to attacks that would confuse the GPS system into believing it was elsewhere other than it’s real current position. So, the precedent is there, even though the Mil systems would take a bit more effort, it was in fact possible to the right people with the right technology and know how.

So, once again, the possibility is there and we had a drone in the neighborhood… Did they indeed “spoof” the signals? If then how?

The GBAS and DGPS 1kw System from Fajr Industries

(click image to enlarge)

image

Once I decided to look into this further, I got into the mindset of “If I were Iranian and wanted to know about spoofing GPS, I might in fact talk about it online”. Well sure enough, with a few well placed Google searches I was able to come up with the following links and people doing the research:

(click image to enlarge)

image

It seems that Farshad and Azimi have been working on an analogous project for Iran that also could possibly be used as a launch pad for a spoof attack. The documents (pdf files and Powerpoint) show a program to “augment” the GPS environment in Iran by placing base stations with the Fajr GPS (GBAS) network/hardware in specific sites throughout the country to ostensibly help with aircraft navigation.

However, even in their presentation, they mention the possibility of spoofing and though I don’t have a great translation as yet of the Persian (soon I hope) it seems as though they brought this up as either a potential issue or, as a potential boon to the implementation of the system. (click image to enlarge)

image

Though, to me, it seems that having such a network of broadcast sites out in the desert one might be able to overpower and spoof the signal of a GPS system in flight on a drone over Iranian airspace makes it all the more possible. You see, the basis of this attack is to overpower the signals from the satellite and make the on board system think it is elsewhere via data lag. If you look at the proposed and existing sites in the PowerPoint, you can get an idea of the scope of the project.

Mind you, this all was started in 2004 and the PowerPoint was last updated in 2007.. So, this has been ongoing for a while. A while that we have also been starting to use the drones more and more coincidentally.

Kvant 1L222 Avtobaza Electronic Intelligence (ELINT) system and The RQ170

(click image to enlarge)

image

Meanwhile, the reports that are circulating on the net and in the news also remark on the fact that Iran recently took possession of some 1L222 Avtobaza ELINT trucks. These may in fact have had some part in this process as well, however, it is rather sketchy at this time to say whether or not the Avtobaza has been moded to work in the satellite ranges as opposed to its main function as a radar jamming station and RF intelligence gathering tool.

So, I can’t say for sure, but it is also possible but I am leaning toward the home brew that Azimi and Farshad worked on as the more possible, with mods, to actually pull off an attack on an “M-code” system. I had been leaning toward the Avtobaza before, but after all my searches and what I found, I have to back off that idea a bit.

The fact though, that they have this technology means too that future drones will have to be careful in Iranian airspace as well as all of the border states need to be careful as this system can jam their radar systems and allow attacks potentially to have a leg up.

Hypothesis, Supposition, and Educated Guesses

Overall, even these finds only paint a picture of supposition and educated guesses. What we have is a missing drone that seems to be intact and failed to do everything it was programmed to do (self destruct etc) and yet landed intact. Without an attack that is now becoming more plausible (GPS spoof) how do we explain it all?

Certainly Lockheed, the CIA, and the Military won’t be telling us all anytime soon will they? The fact that the Iranian’s started off with just saying they had hacked it, then letting loose with the technician (un-named) saying that it was easy enough with a GPS spoof kind of leads me to believe on this account, they are telling the truth.

And doesn’t that make us look foolish huh? It seems that generally the West thinks that Iran is not competent enough to pull off certain kinds of things and would like to write this off… I would instead beg this question:

“If they are so lacking competence, then we are we whacking their scientists and worried that they are working on a nuclear weapons program that may bear fruit soon?”

In my book, they scored one on us… Now I just hope that the Military and Lockheed learn from this as well as the other incident with AQ and unencrypted Predator feeds and fix the problems before they launch more advanced drones in country.

K.

Cross-posted from Krypt3ia

Possibly Related Articles:
18168
Network->General
Military
Iran Military Spoofing GPS Lockheed OSINT Drone Electronic Warfare RQ-170 GBAS Ground Base Augmentation System
Post Rating I Like this!
Default-avatar
Max Yakov The navigation systems for stealth military vehilcels have been based on multiple, cross-checking inertial navigation system (INS) for at least the last 50 years because of the latent threat of radio-signal spoofing. They rely on only periodic, drift-canceling 'resets' from a reliable position fix source or multiple sources (if they need any at all for flights less than 24 hours). Commercial jets have INS systems so why wouldn't this drone?

Additionally, if they actually had a means of spoofing GPS, why would they tell anyone about it, potentially limiting their future possibilities? This story probably gave our intelligence folks a pretty good laugh.

That one of their fighters might have flown alongside and flipped it over with a wing, causing it to go out of control seems much more plausible to me. That is if the Iranians had anything to do with its going down at all

My Occam's razor says that the drone suffered some kind of failure that caused it to crash. It doesn't take that much of a failure to bring down an aircraft, especially a remotely operated/autonomous one. Take AF 447 accident, for example, where iced-up pitot tubes escalated into an unnecessary loss of the entire aircraft and all aboard.

Additionally, being single-engined, they were EXPECTED to be lost according to the WIKI entry for the RQ-170. For me the only remaining questions are 1) Were there self-destruct mechanisms? and, 2) Did they function effectively or at all?

Reports that our military considered going into Iran to either destroy or retrieve it tell me that they probably knew that it was relatively intact and were probably not comfortable about the completeness of the destruction, if any, occurred (other than crash damage). Having the fuselage and wings relatively intact is a propaganda victory if nothing else.

It could be said that 'they scored one on us', but, to me, it's more like we shot ourselves in the foot.




1324288667
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.