Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The RQ170 Affair: Spoofing, Jamming, and The GBAS (Ground Base Augmentation System)


The RQ-170 Affair and GPS Spoofing Claims

So, there has been a lot of supposition on the blogs and in the news about just how our wayward RQ170 drone ended up pretty much intact and in the hands of the Iranians. In looking at all of the posts online and in the news, as well as talking to a knowledgeable source or two, I decided to attempt a little OSINT on the issue, and I think I have come up with some more tidbits for everyone to think about. I believe that there is a middle road here to be tread on just how this happened, and I would like to think that the potential for such an attack on a drone like this would be hard to pull off, AND that the military and Lockheed had taken into account such attacks before deploying things into the field.

But, we all know mistakes are made and hubris abounds.

So, here we go…

The Potential for GPS Spoofing on Military Systems

After the RQ went missing, and subsequently showed up in Iranian hands, the Military began saying that there was just a “malfunction”; however, the malfunction had to have been system wide and epic after seeing the images of the RQ170 intact. You see, there is a self destruct as well as other interesting features on this bird, and if that failed then there had to be a large systems failure, but the question then became: why was the RQ still intact? If the systems had failed completely, should not the RQ be in pieces at the very least from falling out of the sky?

After a week or so, a report came out of Iran from a “source” that claimed the RQ had in fact been brought down and landed without incident through a GPS attack on a flaw in the system. This type of attack had been talked about before, and it was possible per empirical testing that a GPS system, even a Military one, could in fact be subjected to attacks that would confuse the GPS system into believing it was somewhere other than its real current position. So, the precedent is there; even though the Mil systems would take a bit more effort, it was in fact possible for the right people with the right technology and know-how.

So, once again, the possibility is there and we had a drone in the neighborhood… Did they indeed “spoof” the signals?

If so, then how?

The GBAS and DGPS 1kw System from Fajr Industries

Once I decided to look into this further, I got into the mindset of “If I were Iranian and wanted to know about spoofing GPS, I might in fact talk about it online.” Well, sure enough, with a few well-placed Google searches I was able to come up with the following links and people doing the research:

Azimi Alikhani abedi1386@yahoo.com 

Farshad Somayehee  farshad_somayehee@yahoo.com

Audiovisualtalk.com discussion on home brew (open source) GPS and Military Systems

GPS Augmentation PowerPoint and Reference to Spoofing

It seems that Farshad and Azimi have been working on an analogous project for Iran that also could possibly be used as a launch pad for a spoof attack. The documents (PDF files and PowerPoint) show a program to “augment” the GPS environment in Iran by placing base stations with the Fajr GPS (GBAS) network/hardware in specific sites throughout the country to ostensibly help with aircraft navigation. However, even in their presentation, they mention the possibility of spoofing, and though I don’t have a great translation as yet of the Persian (soon I hope), it seems as though they brought this up as either a potential issue or as a potential boon to the implementation of the system.

Though, to me, it seems that with such a network of broadcast sites out in the desert, one might be able to overpower and spoof the signal of a GPS system in flight on a drone over Iranian airspace, which makes it all the more possible. You see, the basis of this attack is to overpower the signals from the satellite and make the on board system think it is elsewhere via data lag. If you look at the proposed and existing sites in the PowerPoint, you can get an idea of the scope of the project.

Mind you, this all was started in 2004 and the PowerPoint was last updated in 2007. So, this has been ongoing for a while. A while in which we have also been starting to use the drones more and more, coincidentally.

Kvant 1L222 Avtobaza Electronic Intelligence (ELINT) system and The RQ170

Meanwhile, the reports that are circulating on the net and in the news also remark on the fact that Iran recently took possession of some 1L222 Avtobaza ELINT trucks. These may in fact have had some part in this process as well; however, it is rather sketchy at this time to say whether or not the Avtobaza has been modded to work in the satellite ranges as opposed to its main function as a radar jamming station and RF intelligence gathering tool.

So, I can’t say for sure, and it is also possible, but I am leaning toward the home brew that Azimi and Farshad worked on as the more possible, with mods, to actually pull off an attack on an “M-code” system. I had been leaning toward the Avtobaza before, but after all my searches and what I found, I have to back off that idea a bit. The fact, though, that they have this technology means too that future drones will have to be careful in Iranian airspace, and all of the border states need to be careful as well, as this system can jam their radar systems and allow attacks potentially to have a leg up.

Hypothesis, Supposition, and Educated Guesses

Overall, even these finds only paint a picture of supposition and educated guesses. What we have is a missing drone that seems to be intact and failed to do everything it was programmed to do (self destruct etc.) and yet landed intact. Without an attack that is now becoming more plausible (GPS spoof), how do we explain it all? Certainly Lockheed, the CIA, and the Military won’t be telling us all anytime soon, will they? The fact that the Iranians started off with just saying they had hacked it, then letting loose with the technician (un-named) saying that it was easy enough with a GPS spoof, kind of leads me to believe that on this account, they are telling the truth.

… And doesn’t that make us look foolish huh?

It seems that generally the West thinks that Iran is not competent enough to pull off certain kinds of things and would like to write this off…

I would instead beg this question;

“If they are so lacking competence, then why are we whacking their scientists and worried that they are working on a nuclear weapons program that may bear fruit soon?”

In my book, they scored one on us… Now I just hope that the Military and Lockheed learn from this as well as the other incident with AQ and unencrypted Predator feeds and fix the problems before they launch more advanced drones in country.

K.

Written by Krypt3ia

2011/12/18 at 20:40

Posted in Iran, RQ170

13 Responses


  1. Occam’s razor applies. The drone probably suffered a catastrophic internal failure such as the propulsion engine failure or electrical power generation failure. There is probably not an APU to supply emergency electricity as there are on commercial jets. If there is an APU, perhaps it could not have been started. At this point the drone’s systems are probably on a limited battery supply which meant it could stay in the air under computer-controlled Fly-By-Wire (as the system probably is) for a limited time and would have to glide. The glide ratio for this craft might be pretty good, but probably doesn’t exceed 20:1, so it was deep enough into Iran that it could not have glided back to base. At its max operating altitude of 50,000 feet it could have glided about 190 miles or less at a 20:1 glide ratio. I don’t know what its glide characteristics would be in the thinner, high-altitude air, but it’s an interesting question and was well-researched and applied, I’m sure, for the U2 program.

    The computers, flight control, communications transmitters/receivers are included is probably a fair electrical load. A deployable airstream generator (RAT), common on commercial jets, could not have generated enough electrical power to operate everything and would have been a parasitic drag affecting its glide distance. It’s also questionable how much power a RAT could produce in thinner, high altitude, air.

    We can only speculate about how any self-destruct device(s) would have been affected by a total loss of electrical power. I also speculate that the self-destruct mechanism does not have to blow the entire aircraft into little pieces. It could be designed to be less dramatic and incinerate/melt only the sensitive components such as CPUs, hard-drives, transceivers, etc. Another self-destruct approach, which might be less sure, because it assumes an operating flight control system, would be to dive the craft at high speed into the ground.

    Loss of control of the drone would have been inevitable at some point depending on which critical systems were kept on-line and the state of the battery and, if any, backup power generating capability.

    Another possible scenario is an operator-induced loss of control. One would think there would be protections against this, but as Air France found out with AF 447, even the failure of reliable air speed for a short period can escalate into the loss of the aircraft.

    Under either scenario resulting in a flat spin crash, it has been demonstrated by the flat-spin crash of an RQ-4 (YouTube), only peripheral elements of the craft would have broken away. This would explain why the wings seem to have separated from the fuselage and the Iranians seemed to be hiding the underside of the aircraft. The carbon-fiber materials in use these days are extremely strong and maintain more of their integrity during a high-g impact, depending on the nature of the impact, of course.

    Believing that the Iranians spoofed its GPS is ignoring much more plausible explanations, such as aliens taking control of its flight control system from a mother ship behind the moon.

    Max Yakov

    2011/12/19 at 04:02

  2. If I understand you, what you outline above and the “official” story they tricked it into clean landing would also have to mean:

    – They either have broken the military GPS system or the drone didn’t use it. Maybe a bad failure more.

    – The geography of the landing zone would have to match any of the bases in Afghanistan or Pakistan. Looking at available information, that seems unlikely. Unless there are unknown bases in north-western Afghanistan which would seem like an odd place to place such a drone.

    – The low-visibility fail why? Because it was circling due to malfunction? Jamming? They had to locate it properly to be able to interfere and then navigate it down.

    – Altitude, speed, compared to the existing studies. Yes, years have passed but for the power levels we’re now talking about (and what you outline above even, lower) some amateur radio operator would’ve noticed something, no? They do today when radar jamming was used in Libya.

    The reports also indicate it was the first time the people saw these big trucks. That to me is very telling. I’d have to believe they got all the practice ~somewhere~, right? Or nailed it their first outing. Also, I’d expect many lesser higher-visibility lower altitude drones to have been brought down first.

    Regarding your last ‘question’.. nuclear weapons development is made to sound like a scientific mastery. It’s not. It’s well academically documented and as you well know, has been passed around a lot. The logistics make it harder but not the know-how.

    They scored one on us, I agree there. The optics alone could be a big loss.

    The last thing is that Iran’s prior victories have come with proof and step-by-step disclosure. They do this. Without fail. That is the biggest red-flag for me. And then the fact that Pakistan tried to say they worked with Iran on it and then Iran dismissed Pakistan. Sounds like cross-propaganda fail.

    This time I disagree w/ you friend. -Pk

  3. And then there is this:


    “Among the reasons to doubt the claim that GPS jamming had anything to do with the loss of the RQ-170 is a simple overlooked fact,” says a third U.S. analyst. “GPS is not the primary navigation sensor for the RQ-170 or for most other air vehicles. The vehicle gets its flight path orders from an inertial navigation system, which is essentially unjammable unless you want to monkey with the local gravitational field. The GPS updates the INS and cancels its drift. So, even a full GPS blackout would simply cause the vehicle to be a bit less accurate,” he adds.

    “If the GPS was ‘spoofed’ with a fake signal — and even JDAMs have anti-spoofing GPS receivers today, so that might be difficult — any abrupt change in the GPS reading would cause the Kalman filters in the GPS/INS to conclude that the GPS was malfunctioning and cut it out of the loop,” he says.

    Although I’m not sure I ~buy~ that.. unless they’re trying to not-say-but-really-kinda-sorta-say it was live piloted like other drones/aircraft.

    Source: http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckBlogPage=BlogViewPost&newspaperUserId=27ec4a53-dcc8-42d0-bd3a-01329aef79a7&plckPostId=Blog%3a27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3abca8e6e2-70ef-40a3-8c56-f83aa6fc7ade&plckScript=blogScript&plckElementId=blogDest

    -Pk
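The gating behaviour described by the analyst quoted in comment 3, as an added example that is not part of the original post or its comments: a scalar position filter in which INS dead reckoning predicts, GPS corrects, and a chi-square test on the innovation decides whether a fix is used at all. The track, noise pattern, 500 m jump and filter tuning (`q`, `r`, the gate value) are constructed for illustration and are not parameters of any real navigation system.

```python
"""Innovation gating in a GPS-aided INS filter (constructed 1-D example)."""

CHI2_GATE_1DOF = 6.63   # 99% chi-square bound for a 1-D innovation (assumed tuning)
INS_VELOCITY = 100.5    # m/s reported by the INS; truth is 100.0, so it drifts 0.5 m/s


def constructed_scenario(steps=60, jump_start=30, jump_end=40, jump_m=500.0):
    """Return (truth, gps_fixes) in metres, one sample per second.

    GPS fixes carry a small repeating error of -2..+2 m; between jump_start
    and jump_end every fix is abruptly displaced by jump_m.
    """
    truth = [100.0 * k for k in range(steps)]
    fixes = []
    for k, pos in enumerate(truth):
        noise = float((k % 5) - 2)
        offset = jump_m if jump_start <= k < jump_end else 0.0
        fixes.append(pos + noise + offset)
    return truth, fixes


def run_filter(gps_fixes, ins_velocity, dt=1.0, q=1.0, r=25.0,
               gate=CHI2_GATE_1DOF):
    """Scalar Kalman filter: the INS propagates position, GPS corrects it.

    q is the process noise added per step (INS uncertainty growth) and r the
    GPS measurement variance. A fix whose normalised innovation squared
    exceeds `gate` is discarded and the filter coasts on the INS alone.
    gate=None disables the test. Returns (estimates, rejected_step_indices).
    """
    x, p = gps_fixes[0], r              # initialise from the first fix
    estimates, rejected = [], []
    for k, z in enumerate(gps_fixes):
        if k > 0:                       # predict with INS dead reckoning
            x += ins_velocity * dt
            p += q
        innovation = z - x              # GPS fix minus predicted position
        s = p + r                       # innovation variance
        if gate is not None and innovation * innovation / s > gate:
            rejected.append(k)          # inconsistent fix: cut GPS out of the loop
        else:
            gain = p / s
            x += gain * innovation      # GPS cancels accumulated INS drift
            p *= (1.0 - gain)
        estimates.append(x)
    return estimates, rejected


def max_abs_error(estimates, truth):
    """Largest distance in metres between estimate and true position."""
    return max(abs(e - t) for e, t in zip(estimates, truth))


if __name__ == "__main__":
    truth, fixes = constructed_scenario()
    for label, gate in (("gated", CHI2_GATE_1DOF), ("ungated", None)):
        est, rej = run_filter(fixes, INS_VELOCITY, gate=gate)
        print(f"{label:8s} rejected steps={rej} "
              f"max error={max_abs_error(est, truth):.1f} m")
```

While the fixes are rejected the estimate only accumulates the INS drift, which is the "bit less accurate" case from the quote; the covariance `p` keeps growing during that time, so honest fixes are accepted again once the jump ends.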

  4. Max, valid points.. Except the swipe about the Mothership. I guess time will tell on this. All I am doing is postulating with information found online. It’d be nice if we did have an explanation from the official operators and makers.. but I doubt that is going to happen.

    Krypt3ia

    2011/12/19 at 10:54

  5. Yeah, I am not saying that my conclusions are the truth, just putting the data out there. It’s all supposition and theory.

    Krypt3ia

    2011/12/19 at 10:56

  6. I think it is fairly obvious that the US fscked up and the Iranians are far more advanced than The West would like to admit. Time for a reality check.

    wireheadlanceLance

    2011/12/19 at 15:01

  7. Well, the system f’d up at the very least. If we ever get any real hard proof of what did happen there, then maybe something more definitive on fuckups will come out.

    Krypt3ia

    2011/12/19 at 15:21

  8. If they had full control of the device then why did the wing break off (seemingly) upon landing? If you look at the pictures that are making their way you can see plainly that the right wing broke completely off and it is held in place with white tape to try and blend it in to the fuselage color.

    This could point to a few possible scenarios:

    1) They did jam it, the bird reverted to fail safe instructions and automagically landed where it thought it was. This auto landing could explain the broken wing.

    2) There was a mechanical failure as previously mentioned and the bird glided to a halt which is very possible given the shape of the plane. This could also explain the broken wing.

    3) They hacked it and gained full control of the plane. The explanation for the broken wing would be that they simply didn’t know how to control it well enough and crashed it while having full operational control of the drone.

    It would seem that any of these three scenarios are possible though #1 and #2 seem most plausible and least damning for our INTEL efforts. #3 is what I would consider worst case scenario in that they not only jammed the system but somehow managed to gain full control of the drone. It is one thing to cause the drone to revert back to fail safe flight instructions; gaining operator level control remotely is an entirely different ballgame.

    Concerned_Netizen

    2011/12/20 at 15:25

  9. Pic of wing damage here: http://images.defensetech.org/wp-content/uploads/2011/12/rq-170stll4.jpg

    Apologies for the direct link. Credit to defensetech.org

    Concerned_Netizen

    2011/12/20 at 15:27

  10. All good points and thanks for the photo. Though, I never actually said that they took full control of the beast. Just that the potential for a GPS spoof is plausible and that they have some background/infrastructure that could lend a hand in it.
    Cheers,
    K.

    Krypt3ia

    2011/12/20 at 16:02

  11. -Cody Oebel

    I have a bit different take on this scenario being a very U.S optimistic outlook.

    (My View) All plausible scenarios are taken into account during design of the build of this craft, and to entirely
    prevent the technology falling into the wrong hands there would be without question a full fail safe protocol built for the craft to procedurally follow.

    1. Look at the geo-politics going on, and economic politics. Oil, resources, control over Iran’s biddings, and what if they became independent, and no longer followed the U.S hegemony?

    2. Tactics to acquire intelligence on the Nuclear program to stop Iran from building nukes which would gain them the independent power to entirely shut out embargo with the U.S.

    3. Multiple test craft have probably intercepted Iranian air-space with different cross sections to get an idea on their IDF\Radar systems. Many of these craft probably went entirely undetected. So put a craft with a cross section and technology with little to no concern of losing into their airspace to see When Iran detects one which then gives a greater analysis over what current technology they are using. With optimism the U.S is decades ahead such as the case 61 years ahead in building and using nuclear technology. So one must also assume we have already built the platform of detection and jamming capability long ago that Iran is currently using NOW (Old Tech). Note: White paint on the craft instead of the usual radar absorbing black rubber like paint used commonly on most all public release photos of stealth craft. (Following R.A.T.S) Reflect, Attenuate, Transmit, Scatter. Would this white carbon polymer type composition follow more of the reflect portion of RATS? Does it rely 100% on Transmit (Active electronic jamming)? Why the white color? Maybe to see if they could get a cross section on this particular and very specific setup to gain understanding of what Iran CAN, and CANNOT detect!

    4. Now let’s assume this is not just a junk test craft with minimal hardware and electronics. (E.g. what I mean is the craft could entirely have been pre-programmed to fly through Iranian air-space using on-board instructions receiving no remote control, and only to see if it would get detected). Let’s assume this was an all out high technology all options fully loaded craft that just accidentally somehow got captured.

    Following the ladder of #4.

    Would you not assume with such aircraft if fully loaded with all the top secret tech that backup systems to self destroy take effect upon loss? Common sense would state if the craft loses communication, lands itself, has a malfunction without authentication from the command center, even if onboard power failed there would be a fail proof backup for the self destruct system, then it would be very safe to say the craft should have destroyed itself. Also there was a news article stating Iran should not worry about the craft exploding etc. I do not have the link. You can google it.

    Ok.. So being entirely optimistic here. Meaning this craft should NOT have been detectable at all. Then simply put. It was not at all detected. It entirely failed without any influence, BUT that fail safe self destruct comes back to mind. Why not explode but instead allow itself to be in the hands of the Iranians? AHHHhhh moving to my conclusion!

    Much like the Trojans did.. drop the horse inside the fortress to penetrate their infrastructure.
    I believe this entire scenario was purposely done. There are a couple reasons I believe we would purposely drop this drone with FULL TECH inside Iranian air-space for them to “THINK” they captured it.

    1. This craft has a micro-system undetectable to the eye using decades ahead technology to still perform the very same recon you would think the larger boards would perform. Instead “THINK SMALL HERE”. America is not dumb in the least, just look at your phone, look at your every day hand held device technology, and now think what if you had an infinite military budget? You could still intercept communications. What if this on-board micro technology transmits in a medium unknown to most countries? Something Decades ahead? The Iranians would put the craft in a room that would be monitoring for RF transmission on different frequencies and spectrums, but this craft doesn’t use this type of technology! The craft is hearing, listening, intercepting cellular, radio and even possibly actively recording and transmitting live audio from a great distance. Example: You talk outside the building 500 yards away, and through audio translation and doppler effect this craft can take those wave guides and translate them as if it were feet from the speaking source etc..

    In simple the craft is an infection like that to a computer, a true trojan horse to the country!

    NOW…. to top off the cake.

    What if we simply allowed them to have this craft for them to ATTEMPT to reverse engineer it only to scratch their heads and say “Space aliens made this, or the Americans are far far ahead of our capabilities with technology we cannot reproduce, or attempt to make sense of”. Also consider the last sentence, and include a system the IRANIANS could reverse engineer.. e.g. Integrated electronics board with a ROM chip\storage media, and on that Media.. when they access the data there is video on it. A message to the Iranians that “We know you cannot reverse engineer this craft and will not have the capability to for another 50 years”. An additional message of video to include “Live recon of the fact we KNOW what they are up to”. Now this said.. what would you do being the Iranian president under such circumstances.. the Americans know you want to build nukes, and possibly use them on the U.S or its allies, and the Americans KNOW .. and show you video that captured you saying this behind closed doors.. through buildings using a quantum technology \ medium that allowed from space such recon to be obtained???

    WOW… got you thinking now ehh ? The whole catch here is the craft DID NOT SELF DESTRUCT!
    😉

    Off a side note an idea came to me while drinking coffee, and taking a poop… as I sat on the toilet such an idea hit me. Have you ever had a premonition and it was true? Have you ever imagined someone saying or doing something about you only to later find out it really happened, but you were remote to the action? So you thought to yourself “If I told anyone I saw that, or predicted it, or had such premonition they would think I am schizophrenic, or crazy”?? So this said.. stating this is a FACT that “WE” humans have some capability to capture space\time\events … then we could conclude even without factual evidence that our brains somehow transmit, or receive an event of time\space in a distinct remote area being seen through another human being’s eyes and ears.. as if we transmitted from one to another. Then... it would be plausible to have a device or system that could capture this transmission from a human’s thoughts, and be modulated into actual audio output, video output. Yes… I’m saying if such is true😉.. a system could be engineered to listen into your very thoughts through ANY MEDIUM. Much like an IP address to a computer.. maybe the DNA strand, or something distinct to each human would be their very own specific finger-print, and all you would need to receive these transmissions is that fingerprint\IP ADDRESS in analogy to THAT SPECIFIC HUMAN !!!!

    Now start thinking about the what-if’s !!

    Thank you,

    Cody Oebel

    Cody Oebel

    2012/01/22 at 16:45

  12. Looks like the initial suspicions on the “duct tape” angle were correct.

    http://www.strategypage.com/htmw/htatrit/20120122.aspx

    Concerned_Netizen

    2012/01/23 at 14:11

  13. Great info. Lucky me I came across your site by accident (stumbleupon).
    I’ve book-marked it for later!

    cheat tutorial

    2013/12/25 at 11:33

