Skip to main content

FM
Former Member
Exclusive: Iran hijacked US drone, says Iranian engineer
In an exclusive interview, an engineer working to unlock the secrets of the captured RQ-170 Sentinel says they exploited a known vulnerability and tricked the US drone into landing in Iran.


By Scott Peterson, Staff writer, Payam Faramarzi*, Correspondent / December 15, 2011

ISTANBUL, TURKEY
Iran guided the CIA's "lost" stealth drone to an intact landing inside hostile territory by exploiting a navigational weakness long-known to the US military, according to an Iranian engineer now working on the captured drone's systems inside Iran.

Iranian electronic warfare specialists were able to cut off communications links of the American bat-wing RQ-170 Sentinel, says the engineer, who works for one of many Iranian military and civilian teams currently trying to unravel the drone’s stealth and intelligence secrets, and who could not be named for his safety.

Using knowledge gleaned from previous downed American drones and a technique proudly claimed by Iranian commanders in September, the Iranian specialists then reconfigured the drone's GPS coordinates to make it land in Iran at what the drone thought was its actual home base in Afghanistan.


"The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain."

The “spoofing” technique that the Iranians used – which took into account precise landing altitudes, as well as latitudinal and longitudinal data – made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.

The revelations about Iran's apparent electronic prowess come as the US, Israel, and some European nations appear to be engaged in an ever-widening covert war with Iran, which has seen assassinations of Iranian nuclear scientists, explosions at Iran's missile and industrial facilities, and the Stuxnet computer virus that set back Iran’s nuclear program.

Now this engineer’s account of how Iran took over one of America’s most sophisticated drones suggests Tehran has found a way to hit back. The techniques were developed from reverse-engineering several less sophisticated American drones captured or shot down in recent years, the engineer says, and by taking advantage of weak, easily manipulated GPS signals, which calculate location and speed from multiple satellites.


Western military experts and a number of published papers on GPS spoofing indicate that the scenario described by the Iranian engineer is plausible.

"Even modern combat-grade GPS [is] very susceptible” to manipulation, says former US Navy electronic warfare specialist Robert Densmore, adding that it is “certainly possible” to recalibrate the GPS on a drone so that it flies on a different course. “I wouldn't say it's easy, but the technology is there.”

In 2009, Iran-backed Shiite militants in Iraq were found to have downloaded live, unencrypted video streams from American Predator drones with inexpensive, off-the-shelf software. But Iran’s apparent ability now to actually take control of a drone is far more significant.

Iran asserted its ability to do this in September, as pressure mounted over its nuclear program.

Gen. Moharam Gholizadeh, the deputy for electronic warfare at the air defense headquarters of the Islamic Revolutionary Guard Corps (IRGC), described to Fars News how Iran could alter the path of a GPS-guided missile – a tactic more easily applied to a slower-moving drone.


“We have a project on hand that is one step ahead of jamming, meaning ‘deception’ of the aggressive systems,” said Gholizadeh, such that “we can define our own desired information for it so the path of the missile would change to our desired destination.”


Gholizadeh said that “all the movements of these [enemy drones]” were being watched, and “obstructing” their work was “always on our agenda.”

That interview has since been pulled from Fars’ Persian-language website. And last month, the relatively young Gholizadeh died of a heart attack, which some Iranian news sites called suspicious – suggesting the electronic warfare expert may have been a casualty in the covert war against Iran.

Iran's growing electronic capabilities

Iranian lawmakers say the drone capture is a "great epic" and claim to be "in the final steps of breaking into the aircraft's secret code."

Secretary of Defense Leon Panetta told Fox News on Dec. 13 that the US will "absolutely" continue the drone campaign over Iran, looking for evidence of any nuclear weapons work. But the stakes are higher for such surveillance, now that Iran can apparently disrupt the work of US drones.

US officials skeptical of Iran’s capabilities blame a malfunction, but so far can't explain how Iran acquired the drone intact. One American analyst ridiculed Iran’s capability, telling Defense News that the loss was “like dropping a Ferrari into an ox-cart technology culture.”

Yet Iran’s claims to the contrary resonate more in light of new details about how it brought down the drone – and other markers that signal growing electronic expertise.

A former senior Iranian official who asked not to be named said: "There are a lot of human resources in Iran.... Iran is not like Pakistan."

“Technologically, our distance from the Americans, the Zionists, and other advanced countries is not so far to make the downing of this plane seem like a dream for us … but it could be amazing for others,” deputy IRGC commander Gen. Hossein Salami said this week.

According to a European intelligence source, Iran shocked Western intelligence agencies in a previously unreported incident that took place sometime in the past two years, when it managed to “blind” a CIA spy satellite by “aiming a laser burst quite accurately.”

More recently, Iran was able to hack Google security certificates, says the engineer. In September, the Google accounts of 300,000 Iranians were made accessible by hackers. The targeted company said "circumstantial evidence" pointed to a "state-driven attack" coming from Iran, meant to snoop on users.

Cracking the protected GPS coordinates on the Sentinel drone was no more difficult, asserts the engineer.

US knew of GPS systems' vulnerability

Use of drones has become more risky as adversaries like Iran hone countermeasures. The US military has reportedly been aware of vulnerabilities with pirating unencrypted drone data streams since the Bosnia campaign in the mid-1990s.

Top US officials said in 2009 that they were working to encrypt all drone data streams in Iraq, Pakistan, and Afghanistan – after finding militant laptops loaded with days' worth of data in Iraq – and acknowledged that they were "subject to listening and exploitation."

Perhaps as easily exploited are the GPS navigational systems upon which so much of the modern military depends.

"GPS signals are weak and can be easily outpunched [overridden] by poorly controlled signals from television towers, devices such as laptops and MP3 players, or even mobile satellite services," Andrew Dempster, a professor from the University of New South Wales School of Surveying and Spatial Information Systems, told a March conference on GPS vulnerability in Australia.

"This is not only a significant hazard for military, industrial, and civilian transport and communication systems, but criminals have worked out how they can jam GPS," he says.


The US military has sought for years to fortify or find alternatives to the GPS system of satellites, which are used for both military and civilian purposes. In 2003, a “Vulnerability Assessment Team” at Los Alamos National Laboratory published research explaining how weak GPS signals were easily overwhelmed with a stronger local signal.

“A more pernicious attack involves feeding the GPS receiver fake GPS signals so that it believes it is located somewhere in space and time that it is not,” reads the Los Alamos report. “In a sophisticated spoofing attack, the adversary would send a false signal reporting the moving target’s true position and then gradually walk the target to a false position.”

The vulnerability remains unresolved, and a paper presented at a Chicago communications security conference in October laid out parameters for successful spoofing of both civilian and military GPS units to allow a "seamless takeover" of drones or other targets.

To “better cope with hostile electronic attacks,” the US Air Force in late September awarded two $47 million contracts to develop a "navigation warfare" system to replace GPS on aircraft and missiles, according to the Defense Update website.

Official US data on GPS describes "the ongoing GPS modernization program" for the Air Force, which "will enhance the jam resistance of the military GPS service, making it more robust."

Why the drone's underbelly was damaged

Iran's drone-watching project began in 2007, says the Iranian engineer, and then was stepped up and became public in 2009 – the same year that the RQ-170 was first deployed in Afghanistan with what were then state-of-the-art surveillance systems.

In January, Iran said it had shot down two conventional (nonstealth) drones, and in July, Iran showed Russian experts several US drones – including one that had been watching over the underground uranium enrichment facility at Fordo, near the holy city of Qom.

In capturing the stealth drone this month at Kashmar, 140 miles inside northeast Iran, the Islamic Republic appears to have learned from two years of close observation.

Iran displayed the drone on state-run TV last week, with a dent in the left wing and the undercarriage and landing gear hidden by anti-American banners.

The Iranian engineer explains why: "If you look at the location where we made it land and the bird's home base, they both have [almost] the same altitude," says the Iranian engineer. "There was a problem [of a few meters] with the exact altitude so the bird's underbelly was damaged in landing; that's why it was covered in the broadcast footage."

Prior to the disappearance of the stealth drone earlier this month, Iran’s electronic warfare capabilities were largely unknown – and often dismissed.

"We all feel drunk [with happiness] now," says the Iranian engineer. "Have you ever had a new laptop? Imagine that excitement multiplied many-fold." When the Revolutionary Guard first recovered the drone, they were aware it might be rigged to self-destruct, but they "were so excited they could not stay away."

* Scott Peterson, the Monitor's Middle East correspondent, wrote this story with an Iranian journalist who publishes under the pen name Payam Faramarzi and cannot be further identified for security reasons.

Replies sorted oldest to newest

If this is indeed true then the Iranians have some pretty good engineers/hackers. The US is pretty careless, they should have installed a self destruct device in case of such situations. There goes the tax payers dollars again.
FM
quote:
Originally posted by TI:
I thought the Iranians were backward dodos Big Grin

Why do you think the Israelis want the Iranians nuked now? It is better to remove a superpower before it is born. The Israelis might get one of their fight planes captured in the same way, with pilot and everything and face a biblical humiliation.
FM
December 15, 2011, 6:32 PM
Amid Claims of More Captured Drones, a Report on Their Vulnerability
By J. DAVID GOODMAN

An Air Force report that surfaced online this week points to deficiencies in the communication network that could put American drones at greater risk in hostile areas.
After flaunting its capture of a sophisticated American spy drone on national television last week, Iran is said to be planning to invite local reporters and foreign diplomats to an even more spectacular display of pilotless hardware in the near future.

The Tehran Times, an English-language newspaper supported by Iran’s government, reported the impending “exhibition” of seven drones, three from the United States and four from Israel, along with the electronic equipment that is said to have been used to bring them down.


The news report, from a single anonymous source, was originally published online on Wednesday but was picked up on Thursday by the semiofficial Mehr News Agency, indicating that at the very least there is interest in Tehran in spreading the news more widely.

Iran has frequently accused the United States and Israel of running covert programs to spy on Iran and sabotage its nuclear facilities.

The paper said each of the drones had violated the country’s airspace, and while it did not elaborate on how or when the drones had fallen into Iranian possession, it did include quotes from a January interview with an Iranian military commander who asserted that at least two “highly advanced spy planes” had been “shot down” by Iran.

If a public display of multiple American and Israeli drones occurs, it would be the first confirmation of such Iranian assertions before the most recent capture of an advanced American RQ-170 drone in eastern Iran, which was announced last week.

American officials dismissed the notion that more drones were held by Iran.

“One would wonder if Iran has drones why they haven’t trotted them out before now,” said one United States official, who spoke on condition of anonymity because of the sensitive nature of the subject. The official added that the Iranian government appeared to be “in full propaganda blast mode right now.”

It still remains unclear how the RQ-170, one of the American military’s most sophisticated spy drones, came into the possession of the Iranian military, let alone how several more could have ended up there.

The Iranian military has said it had staged a cyberattack against the RQ-170 that enabled it to guide the remotely piloted aircraft to a safe landing. Footage shown on Iranian television last week of what appeared to be an intact stealth drone, though discoloration along one of the wings indicated possible damage and repair work.

Another possible explanation is simple malfunction.

But an Air Force report that surfaced online this week points to deficiencies in the communication network that could put drones at greater risk in hostile areas.

Dated April 2011, the report from the United States Air Force Scientific Advisory Board was published on Tuesday by Public Intelligence, a whistle-blower Web site that describes itself as a “repository of information in the public interest” and allows for the anonymous disclosure of documents.

“We did receive the report last week approximately one to two days after Iran said it had the RQ-170,” said Michael Haynes, the site’s administrator.

The timing of the disclosure interested the cybersecurity analyst Jeffrey Carr. “Clearly someone with FOUO access wanted this information to be made public to inform the controversy surrounding the incident,” he wrote on his blog on Thursday, using the acronym for the report’s classification as “for official use only.” He said the report outlines drone vulnerabilities that should be taken seriously:

With this report as background, the capture of the RQ-170 by Iranian forces needs to be evaluated fairly and not dismissed as some kind of Iranian scam for reasons that have more to do with embarrassment than a rational assessment of the facts.
Among the key findings of the drily written report, entitled “Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare,” is that American drones — also called remotely piloted aircraft or RPAs — are hampered by their communications systems:

Limited communications systems result in communications latency, link vulnerabilities, and lost-link events, which limits mission roles assigned to RPAs, operational flexibility, and resiliency in the face of unanticipated events.
The report, a full version of which is included at the top of this post, lists several ways in which drones can come under attacks targeting their communications:

There is a wide range of methods that a determined adversary can use for attacking RPA guidance and navigation systems. The report mentions here only three categories of threats without going into the details:

– Small, simple GPS noise jammers can be easily constructed and employed by an unsophisticated adversary and would be effective over a limited RPA operating area.

– GPS repeaters are also available for corrupting navigation capabilities of RPAs.

– Cyber threats represent a major challenge for future RPA operations. Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.
The report also found that the “spoofing or hijacking” of communication links could also lead to “platform loss” — i.e., a missing drone.

An Iranian engineer said to be involved in working on the captured RQ-170 told The Christian Science Monitor on Thursday that it had been just those sorts of weaknesses in the communication network that allowed Iran to get the drone:

“The GPS navigation is the weakest point,” the Iranian engineer told The Monitor, giving the most detailed description yet published of Iran’s “electronic ambush” of the highly classified US drone. “By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.”

The “spoofing” technique that the Iranians used – which took into account precise landing altitudes, as well as latitudinal and longitudinal data – made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.
FM
quote:
Originally posted by Lucas:

The Tehran Times, an English-language newspaper supported by Iran’s government, reported the impending “exhibition” of seven drones, three from the United States and four from Israel, along with the electronic equipment that is said to have been used to bring them down.


All the US enemies now know how to hack the drones. This is a disaster for the US of A.
FM

Add Reply

×
×
×
×
×
Link copied to your clipboard.
×
×