PDA

View Full Version : US spy drone tricked into Iran landing



Troll
7th January 2012, 20:16
An unconfirmed report yesterday quoted an unnamed Iranian engineer as saying that experts in the country were able to electronically ambush the drone, cuting off its communications links and reconfigure its GPS coordinates to trick it into landing in Iran.

gps spoofing (http://news.techworld.com/security/3325752/us-spy-drone-tricked-into-iran-landing-by-gps-spoofing/)


If you know where a drone is, and you can beam a stronger GPS signal at the drone than it would get from a satellite, it would pick up the fake signal and think it is somewhere else. If signals aren't encrypted, the people with the strongest transmitter win," he said.

AtW
7th January 2012, 20:21
And meanwhile remote air controllers were playing cards and totally disregarding that their top secret airplane is landing?

RSoles
7th January 2012, 20:24
This has sooo many applications....

Imagine driving down a road and there's a traffic jam up ahead. Switch on your bad boy transmitter and everyone turns off at the next available exit.

Quiet day at the drive-through?
Redirect all that traffic in.

Toll-roads. A fortune to be made.

AtW
7th January 2012, 20:35
GPS jammer is fairly easy technology, however changing it completely to fool complex aircraft to land nicely is hard - getting it crash into something might be far more likely.

If they achieved this non-trivial feat they'd certainly film the landing and show in on youtube.

I think it's far more likely that the thing crashed on it's own, Iranians found the pieces and created mock up thing using Wikipedia images.

Paddy
7th January 2012, 21:03
And meanwhile remote air controllers were playing cards and totally disregarding that their top secret airplane is landing?

No, the control signal was also jammed.


GPS jammer is fairly easy technology, however changing it completely to fool complex aircraft to land nicely is hard - getting it crash into something might be far more likely.

If they achieved this non-trivial feat they'd certainly film the landing and show in on youtube.

I think it's far more likely that the thing crashed on it's own, Iranians found the pieces and created mock up thing using Wikipedia images.

The GPS signal was overridden not just blocked. The signal spoofed the timing (rather complicated), and the drone believed the co-ordinates for its base was in Iraq although the spoofed coordinates (calculated by the timing) were in Iran. Because the control signal was lost, the drone went into “go home mode” and landed itself in Iran thinking it was Afghanistan. The drone crashed because it was expecting to land at a greater height than what was prepared in Iran as to the height in Iraq. The minor damage to the drone was covered up for the worlds press.

AtW
7th January 2012, 21:05
No, the control signal was also jammed.

Who says?


The GPS signal was overridden not just blocked.

You have evidence of that?

If Iranians could actually do it with such ease they'd never show they have such a weapon because it would be most useful in the event of attack - fooling cruise missiles and precision bombs would be far more valueable than showing off taken drone.

OwlHoot
7th January 2012, 21:26
GPS jammer is fairly easy technology, however changing it completely to fool complex aircraft to land nicely is hard - getting it crash into something might be far more likely.

If they achieved this non-trivial feat they'd certainly film the landing and show in on youtube.

I think it's far more likely that the thing crashed on it's own, Iranians found the pieces and created mock up thing using Wikipedia images.

WHS - It seems highly unlikely the navigation doesn't include a sort of continuity analysis of its GPS coordinates, given its flight speed and heading etc, and if these stray outside stringent bounds then switch to inertial guidance and proceed to the nearest safe landing site, or just carry on as normal without GPS. Ring laser gyroscopes (http://en.wikipedia.org/wiki/Ring_laser_gyroscope) are extremely accurate and reliable now, and must be more than adequate for this.

Also, surely the GPS antennae must be directional, and would ignore signals from a bunch of Iranian goons on the ground, especially as said goons probably weren't even using P(Y) code signals :laugh

edit: If you have a handy atomic clock associated with the GPS unit, you needn't use the C/A code (which a jammer would typically block) to get a bunk up onto the P(Y) code.

NickFitz
7th January 2012, 21:42
Iran spy drone GPS hijack boasts: Rubbish, say experts • The Register (http://www.theregister.co.uk/2011/12/21/spy_drone_hijack_gps_spoofing_implausible/) FWIW :nerd

AtW
7th January 2012, 21:48
Paddy should read less of Iranian and Hezbollah press and watch a few more western movies, like say - 300.

Paddy
7th January 2012, 22:04
GPS antenna are not directional for obvious reasons. There is a component in the GPS to tell the unit which way is up. Every so often an almanac is downloaded telling the unit the positions of the satellites. Many satellites are on the horizon. Spoofed signals can easily be broadcast from TV transmitters high up in mountains

The system was developed by Dariush Rezaei (Phd) who was assonated last year. It was first used in 2007 on a British Navel boat tricking it into Iranian waters.

AtW
7th January 2012, 22:09
The system was developed by Dariush Rezaei (Phd) who was assonated last year.

No, he is just fine and even has got profile on Facebook - Dariush Rezaei | Facebook (http://www.facebook.com/drezaei)

HTH

Paddy
8th January 2012, 00:12
No, he is just fine and even has got profile on Facebook - Dariush Rezaei | Facebook (http://www.facebook.com/drezaei)

HTH

I must admit that you are a drone expert AtW. Without fail you drone on and on and on…

AtW
8th January 2012, 00:19
I must admit that you are a drone expert AtW.

Yes I know a drone when I see one.

Incognito
8th January 2012, 00:51
GPS antenna are not directional for obvious reasons. There is a component in the GPS to tell the unit which way is up. Every so often an almanac is downloaded telling the unit the positions of the satellites. Many satellites are on the horizon. Spoofed signals can easily be broadcast from TV transmitters high up in mountains

The system was developed by Dariush Rezaei (Phd) who was assonated last year. It was first used in 2007 on a British Navel boat tricking it into Iranian waters.

Are you for real?

The Iranian incident occurred over a dispute about where the Iraqi / Iranian maritime border actually is. If you knew the facts you would know that Iran produced the RIB GPS coordinates as part of their defence. You wouldn't really want to do that if you'd spoofed it to think it was really in Iraqi waters. Not to mention you'd have to think of a way of hitting the Lynx (which was observing the dhow they were to board), the RIBs and HMS Cornwall all at the same time. Plus there's the little fact that the RN do not rely on GPS for locational positioning, it is there as a fallback. Having served and spent many a night plotting our position whilst on watch, I think I know more than you on the subject.

Oh and Rezaei was a Nuclear physicist, not a Geospatial one. He was bumped because of his work with the bomb.

AtW
8th January 2012, 01:07
Are you for real?

Yes.

The Iranian Army has got the force within them and can change geo-coords at will.

Tremble before the mighty army infidels!!!

Paddy

Paddy
8th January 2012, 01:08
Are you for real?

]No, I am a sockie that lost its master.[/B]

The Iranian incident occurred over a dispute about where the Iraqi / Iranian maritime border actually is. WFT, go and Google again.

If you knew the facts you would know that Iran produced the RIB GPS coordinates as part of their defence. You wouldn't really want to do that if you'd spoofed it to think it was really in Iraqi waters. Not to mention you'd have to think of a way of hitting the Lynx (which was observing the dhow they were to board), the RIBs and HMS Cornwall all at the same time. Plus there's the little fact that the RN do not rely on GPS for locational positioning, it is there as a fallback. Having served and spent many a night plotting our position whilst on watch, I think I know more than you on the subject. :tumble:

Oh and Rezaei was a Nuclear physicist, not a Geospatial one. He was bumped because of his work with the bomb. Thought someone would come back with that one. Go and Google again; you may just get the right information.



BTW Don't think that all information is on the Internet. Although you detest Iran, do not under estimate your enemies

AtW
8th January 2012, 01:10
Go and Google again; you may just get the right information.

And why not - the Islamic Republic of Iran would make sure correct information is published online about it's scientists working on a forbidden WMDs.

You know it makes sense.

Here is a photo for Paddy to have good night sleep:

http://cache.gawker.com/assets/images/7/2010/04/putin2.jpg


:rollin:

Paddy
8th January 2012, 01:12
And why not - the Islamic Republic of Iran would make sure correct information is published online about it's scientists working on a forbidden WMDs.

You know it makes sense.

Here is a photo for Paddy to have good night sleep:

http://cache.gawker.com/assets/images/7/2010/04/putin2.jpg


:rollin:

Go to bed AtW! :ladybags:

AtW
8th January 2012, 01:13
Go to bed AtW! :ladybags:

:fight:

I am going to watch a bit of WWE and then rest for a bit - SKA needs some Y2K fixing before Monday :eyes

OwlHoot
8th January 2012, 07:15
:fight:

I am going to watch a bit of WWE and then rest for a bit - SKA needs some Y2K fixing before Monday :eyes

Y2K fixing? Bit late for that isn't it - We're 12 years into Y2K already :laugh

doodab
8th January 2012, 08:25
GPS jammer is fairly easy technology, however changing it completely to fool complex aircraft to land nicely is hard - getting it crash into something might be far more likely.

If they achieved this non-trivial feat they'd certainly film the landing and show in on youtube.

I think it's far more likely that the thing crashed on it's own, Iranians found the pieces and created mock up thing using Wikipedia images.

Actually the conclusion from Los Alamos is that it's not that hard to spoof GPS at all


The Vulnerability Assessment Team at Los Alamos National Laboratory has demonstrated the ease with which civilian GPS spoofing attacks can be implemented. This spoofing is most easily accomplished by using a GPS satellite simulator. Such simulators are uncontrolled and widely available.

GPS Spoofing Countermeasures (http://www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html)

How easy spoofing navigation messages on top of P(Y) code is hard to say, it depends on whether they are applied to the P code before encryption (I would hope so), but if they weren't then I think that it's enough to be able to recover a version of the encrypted P(Y) code unmodulated with navigation messages which would probably be possible with access to a captured receiver or might even be possible without one if the navigation messages are the same as the civilian ones. You would need to crunch through quite a bit of data but I think it's doable.

Of course it's also possible that you could just jam the P(Y) code and cause the receiver to fall back to the civilian code which is easy to spoof.

Jeff Maginty
8th January 2012, 09:18
AtW - stop changing your avatar so frequently young man, or I'll have to report you to the headmaster! :spank:

doodab
8th January 2012, 09:35
Actually the conclusion from Los Alamos is that it's not that hard to spoof GPS at all



GPS Spoofing Countermeasures (http://www.homelandsecurity.org/bulletin/Dual%20Benefit/warner_gps_spoofing.html)

How easy spoofing navigation messages on top of P(Y) code is hard to say, it depends on whether they are applied to the P code before encryption (I would hope so), but if they weren't then I think that it's enough to be able to recover a version of the encrypted P(Y) code unmodulated with navigation messages which would probably be possible with access to a captured receiver or might even be possible without one if the navigation messages are the same as the civilian ones. You would need to crunch through quite a bit of data but I think it's doable.

Of course it's also possible that you could just jam the P(Y) code and cause the receiver to fall back to the civilian code which is easy to spoof.

Actually you don't even need to spoof it, a simple replay of already received P(Y) transmissions with the correct time offsets applied to each signal could fool the drone into thinking it was somewhere else.

OwlHoot
8th January 2012, 09:45
Actually you don't even need to spoof it, a simple replay of already received P(Y) transmissions with the correct time offsets applied to each signal could fool the drone into thinking it was somewhere else.

The ability to detect and avoid that would be another advantage of having a miniature atomic clock (if such a thing exists yet) linked to the GPS unit

(the first advantage being, as I mentioned above, the capability to avoid having to rely on the civilian C/A code to get a preliminary fix on the P(Y) code - That's always been a chink in the armour of military GPS)

Paddy
8th January 2012, 09:49
Rember this?


GPS road pricing would deliver benefits...

It would open up the market for jammers.

GPS road pricing is a clear route to driver satisfaction - Public Service (http://www.publicservice.co.uk/feature_story.asp?id=10847)

doodab
8th January 2012, 09:56
The ability to detect and avoid that would be another advantage of having a miniature atomic clock (if such a thing exists yet) linked to the GPS unit

You would be varying the delta-T of the satellite signals, having a more accurate idea of time on board the drone wouldn't make any difference to the subsequent pseudorange calculations, assuming you could get away with simply delaying some transmissions it would just appear that the satellites were further away.

Incognito
8th January 2012, 10:51
Thought someone would come back with that one. Go and Google again; you may just get the right information.


Okay Paddy I did. How about a round up of how the Farsi press reported it?



Dariush Rezaei was killed in Tehran, in an attack that also injured his wife. There are contradictory reports on the exact nature of his expertise and the work in which he was involved.

IRNA, Iran's official news agency, reports that he was a Ph.D. candidate in electronics and a distinguished scientist who was working with several research centers around the country. IRNA gave his last name as Rezaei-Nejad.

On the other hand, the website of Mohaghegh Ardabili University, lists a Dr. Dariush Rezaei Ochbelagh as an assistant professor. Rezaei Ochbelagh evidently received his Ph.D. in nuclear physics in 2007 from the Ferdowsi University of Mashhad and his M.S. degree in 1996 in nuclear engineering with a specialty in nuclear reactors from Amir Kabir University of Technology (Tehran Polytechnic). Kaleme, the website that reflects the views of Mir Hossein Mousavi, states it is this scientist who was killed.

The hardline website Asr-e Iran reports ... A neighbor said that in Rezaei's car there was an insurance card indicating that he had medical insurance with the armed forces.

Fars, the news agency run by the Islamic Revolutionary Guard Corps, quotes Majid Ghasemi, the chancellor of Khajeh Nasir Toosi University in Tehran, as saying that Rezaei-Nejad was a M.S. student of electrical engineering at the university with specialty in power engineering. Ghasemi said that he knows nothing about Rezaei's involvement in Iran's nuclear program. In another dispatch, Fars asserts that identifying the murdered scientist as a nuclear researcher is incorrect.

Mashregh News, the hardline website linked with security forces, reports that Dariush Rezaei-Nejad was a professor of electronics at Khajeh Nasir Toosi in Tehran, but had no links with Iran's nuclear program. Mashregh News also quotes other hardline websites that deny Rezaei was even a researcher, but merely a graduate student that was working toward his degree in a joint program between his university and the University of Hanover in Germany.

Mehr, the news agency run by the Organization for Islamic Propaganda, describes Rezaei only as a "scientist of our nation."

Ayandeh News, the website that is close to Akbar Hashemi Rafsanjani, reports that Dariush Rezaei Nejad was a Ph.D. student at Malek-e Ashtar University, which is run by the Revolutionary Guards and the Ministry of Defense, and was doing his thesis on nuclear-related problems. It points to an abstract online of a research article authored by Dariush Rezaei-Nejad that appears to concern nuclear-related issues.

Safar-Ali Baratlou, deputy governor-general for political affairs of Tehran province, governor-general told ILNA, the Iran Labor News Agency, that the question of whether the murdered person was involved in Iran's nuclear program is still under investigation, and is not yet clear.

ISNA, the Iranian Students' News Agency, reports that Rezaei was a "university professor in Tehran," but that no university or research center "has so far confirmed that Rezaei was working with them."

After the killing of Dr. Majid Shahriari, a prominent academic and expert on nuclear physics, and the failed attempt on the life of Dr. Fereydoon Abbasi, who is now the head of the Atomic Energy Organization of Iran, the latest assassination may represent one more in a chain of murders, presumably committed by foreign agents.

According to Alef, the website published by Majles deputy Ahmad Tavakoli, a nuclear scientist whom it identified as "Dr. Boronzi, a researcher with the Rouyan Institute" was assassinated in the same location where Rezaei was reported murdered.

Iranian Scientist Assassinated in Tehran; Nature of His Work Unclear - Tehran Bureau | FRONTLINE | PBS (http://www.pbs.org/wgbh/pages/frontline/tehranbureau/2011/07/iranian-scientist-assassinated-in-tehran-nature-of-his-work-unclear.html)


Hmm, plenty of mentions of electronics and nuclear physics, nothing about geospatial though. Even you're saying he has a PhD (note the correct abbreviation) so that must rule out the misinformation about him still only being a student. Looks convincingly like you're speaking out of your arse (again).

Incognito
8th January 2012, 10:53
Or how about the German press?



BERLIN: The Israeli secret service Mossad was responsible for the assassination last month of an Iranian scientist in Tehran, Germany’s Spiegel Online news website reported.

The killing of Dariush Rezaei-Nejad was “the first serious action taken by the new Mossad chief Tamir Pardo,” according to an unidentified Israeli intelligence source quoted by Spiegel Online.

Iranian press reports said Rezaei-Nejad was shot five times by unknown assailants as he and his wife were waiting for their child in front of a kindergarten in Tehran on July 23. His wife was wounded in the attack.

The Iranian government blamed the United States and Israel for the attack, the latest in a series targeting Iranian nuclear scientists who are suspected by the West to be working on a nuclear weapon programme.

Tehran denies it has such a programme and insists that its atomic activities are entirely peaceful.

Rezaei-Nejad is believed to have worked on the trigger mechanism for nuclear weapons, Spiegel Online said in its report first published on Monday.

Israel behind killing of Iranian scientist – report | World | DAWN.COM (http://www.dawn.com/2011/08/02/israel-behind-killing-of-iranian-scientist-report.html)

Incognito
8th January 2012, 10:54
BTW Don't think that all information is on the Internet.

You're right, they found this picture in his son's 'What Daddy does for work' scrapbook.

http://scienceblogs.com/startswithabang/upload/2009/04/weekend_diversion_do_tinfoil_h/tinfoil_hat_antenna.jpg

Maybe he is the Tehran TomTom after all. Look Paddy you've got a hat just like his.

doodab
8th January 2012, 11:12
Personally I think it's likely that the Iranians did actually do this and dismissing it as propaganda is a mistake.

Incognito
8th January 2012, 11:15
Personally I think it's likely that the Iranians did actually do this and dismissing it as propaganda is a mistake.

Personally I think if anyone did do it, it was the Chinese who let the Iranians take the glory whilst they take the Tech.

I don't believe Paddy's 'claims' though.

doodab
8th January 2012, 11:52
Personally I think if anyone did do it, it was the Chinese who let the Iranians take the glory whilst they take the Tech.

Why?

There seems to be this perception that because the Iranians are run by an undesirable regime they are somehow backwards and it's just not the case. The regime considers being scientifically and technologically advanced as a key goal and devotes a lot of money to high tech research. Aside from supposedly developing a nuclear weapon, we are talking about a country that has launched it's own satellite on it's own launch vehicle, built it's own fusion reactor, made it's own microprocessors and already makes it's own UAVs and stealth materials. In some fields like medicine and biotech they are world class.

They have apparently been studying these drones since they were deployed and have some examples of other drones that have been shot down. The GPS system does appear to be vulnerable and the Iranians have some fairly advanced electronic warfare equipment purchased from the Russians, the idea that they couldn't figure out how to use it by themselves doesn't hold water IMO.

Paddy
8th January 2012, 12:08
Why?

There seems to be this perception that because the Iranians are run by an undesirable regime they are somehow backwards and it's just not the case. The regime considers being scientifically and technologically advanced as a key goal and devotes a lot of money to high tech research. Aside from supposedly developing a nuclear weapon, we are talking about a country that has launched it's own satellite on it's own launch vehicle, built it's own fusion reactor, made it's own microprocessors and already makes it's own UAVs and stealth materials. In some fields like medicine and biotech they are world class.

They have apparently been studying these drones since they were deployed and have some examples of other drones that have been shot down. The GPS system does appear to be vulnerable and the Iranians have some fairly advanced electronic warfare equipment purchased from the Russians, the idea that they couldn't figure out how to use it by themselves doesn't hold water IMO.


WDS

As I stated many times, I am not for the regime in Iran persons of the pro USA and partially Fundamental Christian Zionists hawks contradict themselves. Meanwhile Iranian scientists have been enticed to work for NASA and other US corps, and other that have refused have been killed

Incognito
8th January 2012, 12:31
Iran has got to where it is through buying Russian, Chinese and Pakistani expertise. You mention this GPS hack as if it is your run of the mill capability. An attacker has to be able to generate fake signals with perfect timing and power level and needs to have perfect knowledge of his victim’s position. Oh and that really only actually applies to civilian GPS. So yes Iran could most probably hack your TomTom.


Some GNSS signals are specifically designed to prevent spoofing or to deny unauthorized access — encrypted signals such as the GPS P(Y) and M-code and Galileo’s Public Regulated Service (PRS), or obscured signals such as the GLONASS P-code.

These signals produce asymmetry, meaning that the service provider has the encryption or generation mechanism while an attacker does not. Consequently, an attacker will not be able to generate the authentic encrypted signal for use in a spoofing broadcast or injection attack. Of course, civil users do not have access to the P(Y), M-code, or PRS, and even authorized military GPS users require Selective Availability/anti-spoofing module (SAASM) hardware, which is both expensive and access-restricted.

Signal Authentication | Inside GNSS (http://www.insidegnss.com/node/1633)

However, if someone managed to get access to lets say the Service Provider and managed to 'replicate' the encryption or generation mechanism then it is plausible that the same attacks that are 'theoretically' possible against civilian GPS is possible against say military GPS.

Do you know of any recent allegations of state sponsored attacks against oh I don't know, satellites perhaps?

Only a theory of course.

Incognito
8th January 2012, 12:36
As I stated many times, I am not for the regime in Iran persons of the pro USA and partially Fundamental Christian Zionists hawks contradict themselves. Meanwhile Iranian scientists have been enticed to work for NASA and other US corps, and other that have refused have been killed

I couldn't care less about the regime in Iran. It's obvious that once Syria is out of the way that Iran is the last big red dot on that map. It's schoolground politics, the biggest survive.

Why on Earth the Iranians can't see that beats me. They've seen all the others topple, do they really think that China / Russia will get involved? The US will already have carved up oil and infrastructure rebuilding rights with them.

Paddy
8th January 2012, 13:00
I couldn't care less about the regime in Iran. It's obvious that once Syria is out of the way that Iran is the last big red dot on that map. It's schoolground politics, the biggest survive.

Why on Earth the Iranians can't see that beats me. They've seen all the others topple, do they really think that China / Russia will get involved? The US will already have carved up oil and infrastructure rebuilding rights with them.


Dictators seldom let go because they convince themselves that they are invincible. Those dictators who gained power through a revolution believe that they own the country and will not give up gracefully. Eg Mugabe.

Regimes have to be toppled from the people inside the country, not bombed into submission from outside do-gooders. Bombing a country only unites people even if they hate their own government.

doodab
8th January 2012, 13:27
Iran has got to where it is through buying Russian, Chinese and Pakistani expertise. You mention this GPS hack as if it is your run of the mill capability. An attacker has to be able to generate fake signals with perfect timing and power level and needs to have perfect knowledge of his victim’s position. Oh and that really only actually applies to civilian GPS. So yes Iran could most probably hack your TomTom.

Unless you decide it's a requirement that the receiver can maintain a continuous lock as you gradually trick into believing it's somewhere else it's only the relative timing of the various fake data streams that matters as you can just blitz the receiver with noise so it loses lock and then start feeding it fake signals for it to regain the lock. These sorts of spoofing attacks have been demonstrated against civilian GPS receivers using both satellite simulators (basically test equipment) and delayed streams obtained directly from the satellites, using off the shelf DSP stuff costing peanuts. The Iranians would probably have a job getting hold of a simulator that can handle the restricted codes (like this one) (http://www.castnav.com/products/cast_1000.html) but the delayed stream trick will work against military GPS as well unless they are designed specifically to detect it. The technology to delay the streams isn't actually that complex, certainly within in the ken of the Iranians.

It's also possible that blocking the military GPS signal might cause the receiver to fall back to the civilian signal that can be easily spoofed.

So the feasibility depends to some extent on how the receiver is designed and how good the spoofing detection capabilities are.



However, if someone managed to get access to lets say the Service Provider and managed to 'replicate' the encryption or generation mechanism then it is plausible that the same attacks that are 'theoretically' possible against civilian GPS is possible against say military GPS.


If you had a captured military grade receiver e.g. from another drone or missile, you would have circuitry that could generate both the encryption code and the P codes, or potentially the newer M code.



Do you know of any recent allegations of state sponsored attacks against oh I don't know, satellites perhaps?

Only a theory of course.

There were some reports of the Iranians "blinding" a spy satellite with a laser, how true they are I don't know.

AtW
8th January 2012, 15:11
Personally I think if anyone did do it, it was the Chinese who let the Iranians take the glory whilst they take the Tech. I don't believe Paddy's 'claims' though.

The Chinese are very likely to be able to do it, but they rarely like to show off their cards just like this and when they do it's beyond question, ie when they shot down their own satellite from orbit.