Iran Hijacked US RQ-170 Sentinel Drone With GPS Hack? Not likely.

Multiple Christian Science Monitor reports have the media abuzz with reports that one of our RQ-170 Sentinel stealth drones was “hijacked” and caused to land in Iran.

I find this incredibly unlikely.

1). The sole primary source seems to be the “Iranian engineer” that granted CSM an “exclusive interview.”  I find this much more likely to be propaganda than reality.  If the Iranians really had this capability, they’d be keeping it secret, not doing interviews.

2). The scenario as painted by the “Iranian engineer” is that they jammed the control channel causing the drone to resort to some fail-safe procedures.  It is entirely plausible that a drone would resort to some pre-programmed behavior if the control channel was lost, and simply jamming (not spoofing, altering, or compromising) the control channel is also quite possible.  However, knowing in advance exactly what the drone would do when the control channel became unavailable and precisely which course it would attempt to fly (because the GPS would have to be spoofed accordingly) is not likely.

3). GPS spoofing has been considered for years and the concept has been proven.  On the ground.  In a controlled lab environment.  Spoofing a stationary receiver to believe it was located at a different stationary position.  And even this is incredibly complex.  However, spoofing a moving target is orders of magnitude more difficult as it requires multiple successful “stationary spoofs” per second while not losing lock, confusing, or alerting the target receiver to anomalies.  Spoofing a moving aircraft at 30, 40, or 50,000+ feet traveling at 300, 400, or 500+ MPH is more difficult by several more orders of magnitude.  It is unlikely that ground-based antennas (even highly directional ones) could do the trick; the spoofing equipment would need to be airborne flying near the drone.  GPS is all about very precise timing; minor timing variations result in miles of error.  So the “chase plane” would need to hold a fixed differential position to within inches of a moving aircraft.

4). The military uses a very different GPS system than the one on your dashboard in your car.  The military GPS signals are encrypted and authenticated.  An attacker is theoretically not able to generate valid military GPS signals; all he could do is to capture and replay existing signals and adjust the transmission timing.  Which is extremely difficult to get right given that the satellite relative positions are constantly changing even if the target is stationary; a moving target is even more complex.

Recall that the “bird’s home base” was almost certainly a distant US military base; so engineering a GPS replay attack could not have been informed by the actual “correct” signals as that would have required Iran to fly an airplane to a US military base, enter the landing pattern, and come within inches of landing, noting the military GPS signals the whole way.  I’m not thinking this is terribly likely.  Slightly more likely is somehow stealing these signals from an authorized aircraft doing the same, but given that airspace around US bases is pretty tightly controlled (to say the least) I’m doubtful.  I’m not even sure extended replay attacks like this are possible with military GPS due to the time offset.

However, following that thread, Iran would have to replay military GPS signals for precisely the entire path to be flown from the point of hijack to landing.  Without error.  Under the theory that the drone was operating solely on GPS navigation, if they messed up the spoofed location even a bit, the drone would correct to the intended path continuously, changing the path it was actually flying unpredictably.  Most aviation navigation systems (autopilots) try to “bracket” the intended flight path, setting an intercept course at 30-45 degrees and turning on course anticipating the point of interception.  Ask any pilot, bracketing an intended flight path is an inexact science largely due to wind conditions and highly driven by feedback (apply controls, observe the effect, and repeat).  Any imprecision in the spoofed or captured/replayed GPS signals would cause erratic and unpredictable consequences due to this feedback loop.

5). It is extremely unlikely that the drone would depend entirely on a single navigation system and have zero crosschecking or “sanity checking.”  Remember, these are military avionics systems; these are the guys that invented triple and quadruple-redundant systems!  I expect a drone would have multiple navigation systems including military and civilian GPS, multiple inertial guidance systems (like commercial aircraft), a magnetic compass, perhaps a pitot tube (for determining airspeed), and dead reckoning sanity checks.  When one system isn’t making sense, the software crosschecks with the others and takes the most likely position.  As a private pilot, I can tell you that comparing and crosschecking multiple systems is a fundamental part of aviation.

6). GPS vulnerabilities are well known to the military.  To think that the latest drone – designed to fly over hostile terrain – doesn’t have countermeasures is just plain silly.

7). While nothing is impossible, even if we believe the narrative, this is the sort of thing that never works on the first try.  Or the second.  Or the third.  My fellow engineers understand this point.  To believe that all of the above was perfectly executed on the first try and resulted in a near-perfect landing (save a few scratches on the underbelly) is highly implausible.  If this were the 18th RQ-170 we’ve lost mysteriously over Iran, that would be different.  Landing an aircraft is a game of inches; being off even a bit results in a fireball, not a few scratches.
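The crosschecking described in point 5, sketched as an added example (not from the original post, and not any real avionics logic): three position sources vote by component-wise median, and a source that strays too far from the consensus is rejected. The source names, the 150 m tolerance and the flight data are constructed assumptions.

```python
import math
from statistics import median

def dead_reckon(start, heading_deg, speed_mps, elapsed_s):
    """(east, north) in metres after flying a fixed heading and speed from start."""
    h = math.radians(heading_deg)
    d = speed_mps * elapsed_s
    return (start[0] + d * math.sin(h), start[1] + d * math.cos(h))

def crosscheck(estimates, tolerance_m):
    """Vote across sources: the component-wise median is the consensus position;
    any source farther than tolerance_m from it is rejected as implausible."""
    consensus = (median(p[0] for p in estimates.values()),
                 median(p[1] for p in estimates.values()))
    rejected = sorted(name for name, p in estimates.items()
                      if math.dist(p, consensus) > tolerance_m)
    return consensus, rejected

def run_scenario(tolerance_m=150.0):
    """Constructed flight: due east at 200 m/s, sampled every 10 s for one minute.
    From t=30 s the GPS solution diverges north while INS and dead reckoning agree."""
    results = []
    for t in range(0, 60, 10):
        dr = dead_reckon((0.0, 0.0), 90.0, 200.0, t)
        ins = (dr[0] + 0.5 * t, dr[1] - 0.3 * t)      # slow inertial drift
        gps = (dr[0] + 3.0, dr[1] + 2.0)              # normal GPS error
        if t >= 30:
            gps = (gps[0], gps[1] + 40.0 * (t - 20))  # diverging GPS solution
        sources = {"gps": gps, "ins": ins, "dead_reckoning": dr}
        _, rejected = crosscheck(sources, tolerance_m)
        results.append((t, rejected))
    return results

if __name__ == "__main__":
    for t, rejected in run_scenario():
        print(f"t={t:>2}s rejected={rejected or 'none'}")
```

A median vote like this needs at least three independent sources so that two agreeing ones can outvote a single bad one.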

If Iran actually has a real drone (that we didn’t “intend” for them to have), I think the most likely scenario is some sort of system failure.  Or it’s some sort of Trojan Horse.  Iran, seeking to look smart to their own people and the rest of the world, constructed this plausible story after the fact.