How the RQ-170 Was Hijacked

Thursday, December 15, 2011

Ron Baklarz


The Christian Science Monitor is reporting that the RQ-170 was hijacked by the Iranians using a well-known exploit that seems to me a lot like an old and well-known cyber attack, the "man-in-the-middle" attack.

Using intelligence gleaned from previously downed, less sophisticated drones, an Iranian engineer identified the global positioning system (GPS) as the weak link in the drone's security posture.

The "electronic ambush" begins by jamming the drone's communications, forcing the plane into autopilot, whereby it loses its "brain". From there, the Iranians were able to "spoof" the GPS signal and inject landing coordinates to get the plane to land where they wanted it to land.

In the pictures we have seen of the downed RQ-170 there is apparent damage to one part of the wing and to the underbelly and landing gear, as the aircraft is shown resting on boxes.

Apparently, the Iranians attempted to land the drone at an altitude similar to that of its home landing base. Because of a slight difference in elevation between the two landing sites, the drone was damaged on landing.
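One defensive counterpart to the attack described above, as an added example (not from the article and not any real airframe's software): cross-check every GPS fix against the inertial navigation system's dead-reckoned estimate and against the previous fix, so a spoofed solution that suddenly relocates or lowers the aircraft is flagged rather than acted on. The telemetry and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
# Illustrative thresholds, assumed for this example (not from any real airframe).
MAX_POS_DIVERGENCE_M = 150.0   # tolerated GPS-vs-INS horizontal disagreement
MAX_ALT_DIVERGENCE_M = 60.0    # tolerated GPS-vs-INS altitude disagreement
MAX_GROUND_SPEED_MPS = 250.0   # a faster jump between consecutive fixes is implausible

@dataclass
class NavRecord:
    """One telemetry sample: the GPS fix and the INS dead-reckoned estimate."""
    t: float                                          # seconds
    gps_lat: float; gps_lon: float; gps_alt: float   # degrees, degrees, metres
    ins_lat: float; ins_lon: float; ins_alt: float   # same units as the GPS fields

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))

def check_records(records):
    """Return (timestamp, reason) alerts for GPS fixes that disagree with the INS
    estimate or imply an impossible jump; spoofing moves the GPS solution, not the INS."""
    alerts, prev = [], None
    for r in records:
        horiz = haversine_m(r.gps_lat, r.gps_lon, r.ins_lat, r.ins_lon)
        if horiz > MAX_POS_DIVERGENCE_M:
            alerts.append((r.t, f"gps/ins horizontal divergence {horiz:.0f} m"))
        dalt = abs(r.gps_alt - r.ins_alt)
        if dalt > MAX_ALT_DIVERGENCE_M:
            alerts.append((r.t, f"gps/ins altitude divergence {dalt:.0f} m"))
        if prev is not None and r.t > prev.t:
            speed = haversine_m(prev.gps_lat, prev.gps_lon, r.gps_lat, r.gps_lon) / (r.t - prev.t)
            if speed > MAX_GROUND_SPEED_MPS:
                alerts.append((r.t, f"implied ground speed {speed:.0f} m/s"))
        prev = r
    return alerts

# Constructed 1 Hz telemetry: three consistent samples, then a fix whose GPS solution
# jumps about 5 km north and 200 m lower while the INS keeps dead-reckoning the old track.
SAMPLE = [
    NavRecord(0.0, 35.0000, 51.0000, 4500.0, 35.0000, 51.0000, 4500.0),
    NavRecord(1.0, 35.0010, 51.0000, 4500.0, 35.0010, 51.0000, 4500.0),
    NavRecord(2.0, 35.0020, 51.0000, 4500.0, 35.0020, 51.0000, 4500.0),
    NavRecord(3.0, 35.0500, 51.0000, 4300.0, 35.0030, 51.0000, 4500.0),
]
```

Running `check_records(SAMPLE)` yields no alerts for the first three samples and three for the last one (horizontal divergence, altitude divergence, and an implied ground speed of several kilometres per second).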

While the interception of unencrypted drone communication streams is reported to have been known to the US military since the mid-1990s, this type of exploitation continued into 2009, when militant laptops were found holding drone data and unencrypted video feeds from Predator drones captured with inexpensive, off-the-shelf software.

According to the article, other Iranian officials are describing tactics more advanced than simply "jamming", whereby deceptive techniques could be used to redirect missiles from their intended targets to coordinates input by the Iranians.

If this account is accurate, and the explanation seems entirely plausible, the exploitation of drone technology in this manner is astounding and speaks to the need to build security in at the start of a project rather than adding it later as an afterthought.

Lance Miller, 16 Dec 2011 12:00 UTC:
@Ron, if this is true, wouldn't the Iranians and their lackeys have already jacked additional drones using this method?
Ron Baklarz, 16 Dec 2011 12:14 UTC:
Who says they haven't? Other than a normal malfunction (which, one would assume, would have wrecked the plane much more than it was damaged), this explanation seems entirely plausible to me. Remember that one of the other failsafes is a self-destruct, which didn't work either. No matter, unfortunately we look really bad on this one.
Lance Miller, 16 Dec 2011 12:21 UTC:
IMO, the Iranians wouldn't miss the opportunity for the press gold mine for each drone they obtained, Baghdad Bob style.

Also, I haven't seen anything from our guys about recalling/patching the current fleet. Just business as usual. Of course, what do I know...?

It just seems more plausible to me that there is more to this. Trojan horse maybe?
Ron Baklarz, 16 Dec 2011 12:37 UTC:
Good point, Lance. A comment on Jeffrey Carr's recent posting on the RQ-170 included a link suggesting that the Russians provided Iran with a jamming device only six weeks ago. Shortly after the downing of the RQ-170, I recall mainstream news mentioning possible Russian jamming technology support in the endeavor. Could it be that this technique is fairly new and the downing of the RQ-170 is the near-first attempt? This is great fun to speculate, for sure! See link below:

http://www.flightglobal.com/blogs/the-dewline/2011/12/avtobaza-irans-weapon-in-rq-17.html?utm_source=twitterfeed&utm_medium=twitter
Lance Miller, 16 Dec 2011 12:48 UTC:
Fun, indeed. First attempts usually fail...or is that just when I am involved?? :)
Doug DePeppe, 16 Dec 2011 14:03 UTC:
I'm doing some checking, but I gotta believe the GPS link has more security than to allow such a fairly simple MitM attack. It is encrypted, for starters, but I guess the issue is how easily it could be jammed.
Krypt3ia, 16 Dec 2011 20:10 UTC:
GPS spoofing paper. http://t.co/bigchaGW Note the RF needs and the stories about the Russian tech that was sold to Iran recently...
K.
Jim Palazzolo, 24 Dec 2011 06:53 UTC:
More drones = fantastic job security!

Now, if I could just get our universities to allow our IA programs to operate outside of the box we'd be all set...

A group of us on campus had a round table on this, and there is security designed into the product; but, as we all know, as soon as you make contact with the enemy your plan goes right out the window.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.