(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for December 18th, 2011

The RQ170 Affair: Spoofing, Jamming, and The GBAS (Ground-Based Augmentation System)


The RQ-170 Affair and GPS Spoofing Claims

So, there has been a lot of supposition on the blogs and in the news about just how our wayward RQ170 drone ended up pretty much intact and in the hands of the Iranians. In looking at all of the posts online and in the news, as well as talking to a knowledgeable source or two, I decided to attempt a little OSINT on the issue, and I think I have come up with some more tidbits for everyone to think about. I believe that there is a middle road here to be trod on just how this happened, and I would like to think that such an attack on a drone like this would be hard to pull off, AND that the military and Lockheed had taken into account such attacks before deploying things into the field.

But, we all know mistakes are made and hubris abounds.

So, here we go…

The Potential for GPS Spoofing on Military Systems

After the RQ went missing, and subsequently showed up in Iranian hands, the Military began saying that there was just a “malfunction”; however, the malfunction had to have been system wide and epic, going by the images of the RQ170 intact. You see, there is a self destruct as well as other interesting features on this bird, and if that failed then there had to be a large systems failure, but the question then became: why was the RQ still intact? If the systems had failed completely, should the RQ not be in pieces, at the very least from falling out of the sky?

After a week or so, a report came out of Iran from a “source” that claimed the RQ had in fact been brought down and landed without incident through a GPS attack on a flaw in the system. This type of attack had been talked about before, and it was possible per empirical testing that a GPS system, even a Military one, could in fact be subjected to attacks that would confuse the GPS system into believing it was somewhere other than its real current position. So, the precedent is there; even though the Mil systems would take a bit more effort, it was in fact possible for the right people with the right technology and know-how.

So, once again, the possibility is there and we had a drone in the neighborhood… Did they indeed “spoof” the signals?

If so, then how?

The GBAS and DGPS 1kw System from Fajr Industries

Once I decided to look into this further, I got into the mindset of “If I were Iranian and wanted to know about spoofing GPS, I might in fact talk about it online.” Well, sure enough, with a few well-placed Google searches I was able to come up with the following links and people doing the research:

Azimi Alikhani 

Farshad Somayehee discussion on home brew (open source) GPS and Military Systems

GPS Augmentation PowerPoint and Reference to Spoofing

It seems that Farshad and Azimi have been working on an analogous project for Iran that also could possibly be used as a launch pad for a spoof attack. The documents (PDF files and PowerPoint) show a program to “augment” the GPS environment in Iran by placing base stations with the Fajr GPS (GBAS) network/hardware in specific sites throughout the country to ostensibly help with aircraft navigation. However, even in their presentation, they mention the possibility of spoofing, and though I don’t have a great translation as yet of the Persian (soon I hope), it seems as though they brought this up as either a potential issue or as a potential boon to the implementation of the system.

Though, to me, it seems that having such a network of broadcast sites out in the desert, with which one might be able to overpower and spoof the signal of a GPS system in flight on a drone over Iranian airspace, makes it all the more possible. You see, the basis of this attack is to overpower the signals from the satellite and make the on-board system think it is elsewhere via data lag. If you look at the proposed and existing sites in the PowerPoint, you can get an idea of the scope of the project.

Mind you, this all was started in 2004 and the PowerPoint was last updated in 2007. So, this has been ongoing for a while. A while in which we have also, coincidentally, been starting to use the drones more and more.

Kvant 1L222 Avtobaza Electronic Intelligence (ELINT) system and The RQ170

Meanwhile, the reports that are circulating on the net and in the news also remark on the fact that Iran recently took possession of some 1L222 Avtobaza ELINT trucks. These may in fact have had some part in this process as well; however, it is rather sketchy at this time to say whether or not the Avtobaza has been modded to work in the satellite ranges as opposed to its main function as a radar jamming station and RF intelligence gathering tool.

So, I can’t say for sure; it is also possible, but I am leaning toward the home brew that Azimi and Farshad worked on as the more possible, with mods, to actually pull off an attack on an “M-code” system. I had been leaning toward the Avtobaza before, but after all my searches and what I found, I have to back off that idea a bit. The fact, though, that they have this technology means that future drones will have to be careful in Iranian airspace, and all of the border states need to be careful too, as this system can jam their radar systems and potentially give attacks a leg up.

Hypothesis, Supposition, and Educated Guesses

Overall, even these finds only paint a picture of supposition and educated guesses. What we have is a missing drone that failed to do everything it was programmed to do (self destruct, etc.) and yet landed intact. Without an attack that is now becoming more plausible (GPS spoof), how do we explain it all? Certainly Lockheed, the CIA, and the Military won’t be telling us all anytime soon, will they? The fact that the Iranians started off with just saying they had hacked it, then let loose with the technician (un-named) saying that it was easy enough with a GPS spoof, kind of leads me to believe that, on this account, they are telling the truth.

… And doesn’t that make us look foolish, huh?

It seems that generally the West thinks that Iran is not competent enough to pull off certain kinds of things and would like to write this off…

I would instead beg this question:

“If they are so lacking in competence, then why are we whacking their scientists and worried that they are working on a nuclear weapons program that may bear fruit soon?”

In my book, they scored one on us… Now I just hope that the Military and Lockheed learn from this, as well as from the other incident with AQ and unencrypted Predator feeds, and fix the problems before they launch more advanced drones in country.


Written by Krypt3ia

2011/12/18 at 20:40

Posted in Iran, RQ170