Security Experts: Reports Say U.S. Drone was Hijacked by Iran Through GPS Spoofing

Iran has captured an RQ-170 drone used by the CIA, and according to unconfirmed reports from the Christian Science Monitor (CSM), the Iranians were able to pull off such a feat by targeting the drone’s GPS systems.

The CSM interviewed an Iranian engineer who is said to be working as part of a team assigned to study the remotely piloted aircraft (RPA). He explained that the process of capturing the drone centered on spoofing the communications signal used to manage GPS.

“By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain...,” the engineer told CSM.

Once the autopilot was activated, Iran was able to force the drone to “land on its own where we wanted it to, without having to crack the remote-control signals and communications...” The CSM report also quoted the engineer as explaining that the technique was a known vulnerability.

SecurityWeek talked to various sources about the RQ-170, developed by Lockheed Martin, but unfortunately, nobody would talk on the record. However, one person familiar with RPAs said that Iran’s explanation is possible, and confirmed many of the known vulnerabilities associated with RPAs and their various operational layers.

The existing vulnerability mentioned by the CSM report and the Iranian engineer is in fact two vulnerabilities, which were chained together to accomplish the goal of seizing the aircraft. As mentioned, it started by flooding the drone with communications noise.

The RQ-170 was developed to overcome the problem of signal flooding by introducing autopilot in the event of signal loss. This means, if an adversary were to flood the communications signal with a laser or use any of the widely available jamming technology, the drone would shift into autopilot to avoid two things - capture and collateral damage.

The military focuses on defending against both, with a focus on collateral incidents, because a drone of this size can cause a high degree of damage should it just fall out of the sky. Flooding the communications system with noise isn’t difficult, because the link is unencrypted and therefore easy to detect. In the past, hostile forces were able to use this lack of encryption to monitor live feeds being delivered by the drones. The reason for the lack of encryption is mission related, as troops on the ground often need fast access to the data being delivered over the operational area.

The autopilot is supposed to allow the drone to sustain its heading until it is clear of the jamming source. However, an additional problem with the autopilot is that the drone's controller cannot switch between semi-autopilot, full-autopilot, or total control from their command station with ease, if at all. Iran knew this, and once the drone kicked into autopilot, the second stage of their attack was launched.

The second stage consisted of spoofing the GPS signal, which the autopilot requires to maintain its present heading or adopt a new one. In basic terms, Iran spoofed the GPS, likely using a series of repeaters over the flight area of the RQ-170. The spoofed GPS signal was designed to make the drone think it was landing in a friendly area, when in fact it was landing somewhere completely different.
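As an added illustration (not from the article, and not any actual RQ-170 software), here is one way an autopilot that has lost its command link could refuse to steer on GPS fixes that disagree with dead reckoning from its last trusted position and commanded heading, the kind of plausibility check that blunts the second stage described above. The function names, tolerance, and the sample track are constructed assumptions.

```python
import math
from dataclasses import dataclass

M_PER_DEG_LAT = 111_320.0  # metres per degree of latitude (flat-earth approximation)

@dataclass
class Fix:
    lat: float  # degrees
    lon: float  # degrees
    t: float    # seconds since the command link was lost

def dead_reckon(last: Fix, heading_deg: float, speed_mps: float, dt: float) -> Fix:
    """Predict where the aircraft should be after dt seconds on a fixed heading."""
    h = math.radians(heading_deg)
    d = speed_mps * dt
    dlat = d * math.cos(h) / M_PER_DEG_LAT
    dlon = d * math.sin(h) / (M_PER_DEG_LAT * math.cos(math.radians(last.lat)))
    return Fix(last.lat + dlat, last.lon + dlon, last.t + dt)

def distance_m(a: Fix, b: Fix) -> float:
    """Ground distance between two fixes in metres (flat-earth approximation)."""
    dy = (b.lat - a.lat) * M_PER_DEG_LAT
    dx = (b.lon - a.lon) * M_PER_DEG_LAT * math.cos(math.radians(a.lat))
    return math.hypot(dx, dy)

def vet_fixes(fixes: list[Fix], heading_deg: float, speed_mps: float,
              tol_m: float) -> list[tuple[int, str]]:
    """Label each fix 'ok' or 'suspect'. Only fixes that agree with dead reckoning from
    the last trusted fix become the new reference, so a spoofed track cannot walk
    the position estimate away one small step at a time."""
    trusted = fixes[0]
    verdicts = [(0, "ok")]
    for i, fix in enumerate(fixes[1:], start=1):
        predicted = dead_reckon(trusted, heading_deg, speed_mps, fix.t - trusted.t)
        if distance_m(predicted, fix) <= tol_m:
            trusted = fix
            verdicts.append((i, "ok"))
        else:
            verdicts.append((i, "suspect"))  # hold heading; do not steer on this fix
    return verdicts

def sample_track() -> list[Fix]:
    """Constructed 1 Hz track: heading 090 at 100 m/s from 35.0N 51.0E. Fixes 0-3 are
    genuine (~2 m receiver jitter); from t=4 a spoofed track drags the position south."""
    genuine = [Fix(35.0, 51.0, 0.0)]
    for _ in range(3):
        nxt = dead_reckon(genuine[-1], 90.0, 100.0, 1.0)
        genuine.append(Fix(nxt.lat + 0.00002, nxt.lon, nxt.t))
    spoofed = [Fix(35.0 - 0.002 * k, 51.0, 3.0 + k) for k in range(1, 4)]
    return genuine + spoofed
```

With a 50 m tolerance, `vet_fixes(sample_track(), 90.0, 100.0, 50.0)` accepts fixes 0 through 3 and marks 4 through 6 as suspect, so the autopilot keeps its heading instead of following the spoofed track.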

Iran’s engineer handed the CSM reporter the outline of the attack but didn’t get into specifics; he only confirmed that they tricked the GPS, without mentioning that they first had to disrupt the communication signal.

The CSM report mentioned that the U.S. was well aware of these flaws, so why haven’t they done anything about them?

In a way, they did, which is how the autopilot became a standard anti-jamming measure, but additional protections are costly, and limit the overall function of drones such as the RQ-170. Yet, there is an ongoing effort to reduce the overhead when mission needs are weighed against the protection of the RPA itself. As it stands, for every protection added, something mission critical (cameras, sensors, fuel economy, etc.) is taken away.

The fact that Iran was able to leverage commonly known problems with the RPA systems is likely going to drive development of countermeasures in the future, but only if the cost can be justified, and if the funding is available.

Some people are wary of Iran's claims that it hacked the drone. Either way, it’s horrific to see a drone lost to an unfriendly state, but the government won’t sacrifice mission value if it means risking more collateral damage or the loss of detailed intelligence or strike capabilities. A classic Catch-22.

For those interested, a report from the USAF Scientific Advisory Board covers some of the same vulnerabilities and issues related to RPA usage. It was published earlier this year, and a copy was posted to Public Intelligence.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.