
Drone hijacked by UT hackers with $1,000 spoofer - stfu
http://nakedsecurity.sophos.com/2012/07/02/drone-hackedwith-1000-spoofer/
======
asynchronous13
Egads, the news coverage of this is horrible fear mongering.

The researchers from UT built a system to protect against GPS spoofing. In
order to prove that their protection system works, they had to demonstrate
that GPS spoofing is feasible. Without exception, every news item on this
_only_ mentions the spoofing part, and not the protection part.

Military unmanned systems use encrypted GPS that is not vulnerable to the
attack demonstrated.

Its possible to make a vehicle fly erratically, or even cause it to crash by
spoofing GPS. But to take control requires a lot more than what was
demonstrated. An error of 1us in the spoofed signal corresponds to 1000ft --
that's why the actual descriptions of the vehicle say 'banked hard' or
'veered' off course.

GPS jamming is so much easier than spoofing and results in the same thing.

~~~
rabidsnail
> GPS jamming is so much easier than spoofing and results in the same thing.

Does it? Can't the drone tell that the GPS input that it's getting is
inconsistent and fall back to flying home using dead reckoning?

~~~
asynchronous13
Technically, yes it is possible for an autopilot to use dead reckoning for
navigation without GPS at all. (we didn't use GPS to navigate to the moon,
right?) However, all commercial autopilots that I know of rely on GPS to some
degree. The difference is the use of low-cost gyros and accelerometers. They
are good enough when augmented with GPS, but not good enough all alone.

Edit: the low-cost sensors can be augmented with sensors other than GPS too,
like vision processing. This has been demonstrated but is not yet in
widespread usage. I expect to see this become more common due to demonstrated
vulnerabilities in GPS.

~~~
jandrewrogers
State-of-the-art inertial navigation technology has approximately the same
precision as state-of-the-art GPS. Even modern run-of-the-mill interferometer-
based inertial systems are precise enough for most purposes.

The unique value of inertial navigation is that it requires neither receiving
nor sending a signal that can be jammed or spoofed, hence why the military
uses it for everything.

~~~
rdtsc
Extra bonus points : if you get above the cloud cover, can also use
constellations to correct accumulated errors.

I heard some Russian ICBMs had a special window so that cameras can see
constellations for that purpose.

~~~
wazoox
And the SR71 had it from the start, too.

[http://en.wikipedia.org/wiki/Lockheed_SR-71_Blackbird#Astro-...](http://en.wikipedia.org/wiki/Lockheed_SR-71_Blackbird#Astro-
Inertial_Navigation_System)

------
blutack
Indeed, this is really bad reporting (IAA UAV researcher).

They were using a small rotary wing (relatively cheap) research UAV, despite
the various articles including pictures of Global Hawks/MQ-9s etc. These small
systems are usually designed for research, and so use the same UBlox/MTK/Sirf
based GPS chipsets you find in sat-nav systems for example.

It looks similar to a Yamaha RMax, although I can't be bothered to find the
actual model. The RMax is designed for agricultural use & research, not
fighting wars.

The vehicle control software simply assumes the GPS is correct. It wouldn't be
that difficult to cross-check against the IMU data - our research drones can
happily fly for a few seconds if they loose their GPS lock but spoofing would
probably knock them down, because we just assume it won't happen!

You could build a DIY version of the Texas drone for around $1000 using open
source hardware and a COTS model helicopter.

\---

This not news, anyone who works with these vehicles knows this. It's like
shooting a horse and then claiming terrorists can take out tanks with a single
bullet.

~~~
SoftwareMaven
While I agree the article is sensationalist and the pictures are misleading, I
disagree that there is no relevance. If anything, everything you've said makes
it more concerning. These are exactly the kind of drones we will have flying
overhead, which will all be easily borked by anybody with $1000 and some good
technical knowledge.

~~~
blutack
I agree it is an area that could do with research. However, we know consumer
level GPSs have no protection against spoofing (indeed, you can buy GPS
jammers from various websites for defeating fleet tracking systems).

You could as well use a replay attack against the pilot's control system
(probably on 2.4GHz) using much cheaper hardware.

There is still plenty of work to do before these class of research drones
become commonplace overhead - in particular, practically every onboard system
is a single point of failure.

~~~
jeltz
Sounds to me then like FAA should require all drones to be safe against things
like GPS spoofing, GPS jammers and replay attacks before they open up the
airspace for drones.

~~~
TeMPOraL
And/or jail people for using GPS jammers.

------
Judson
There are a few good comments[1] on the article page that point out that
Military drones use an encrypted GPS channel that isn't susceptible to this
specific attack. A much more sophisticated attack would have to be used to
take over a military drone.

[1]: [http://nakedsecurity.sophos.com/2012/07/02/drone-
hackedwith-...](http://nakedsecurity.sophos.com/2012/07/02/drone-
hackedwith-1000-spoofer/#IDComment394919998)

~~~
jandrewrogers
Military systems have never relied GPS for guidance. These systems were
developed during the Cold War; the Soviets had the ability to take out the GPS
satellites directly.

The US military has always used inertial navigation systems, usually based on
extremely precise laser interferometers. You can't spoof or jam inertial
guidance short of locally altering the laws of physics. A few decades ago, GPS
was used to apply corrections within the (classified) error bounds of the
inertial navigation system, which could be significant; any GPS correction
outside the error bound of the inertial navigation system was interpreted as
GPS being compromised. As the decades have passed, inertial navigation systems
have become progressively more precise to the point that GPS is adding a
rapidly shrinking amount of extra precision.

In fact, the US military is starting to test a new type of ultra-precise
interferometer that allows inertial navigation to exceed the precision of GPS.
GPS correct INS will only continue to be used to the extent it is inexpensive
and gets the job done.

------
ARobotics
I know the title here is the same as the article, but why the heck did sophos
choose "Texas college" for the something done by the University of Texas? I
assumed from the title it was done by some small school somewhere in Texas,
not UT.

~~~
xmmx
There is only one school in texas worth knowing about.

~~~
Cyranix
... Rice University?

------
grandalf
This is part of the clever and gradual propaganda campaign to increase drone
funding/sophistication significantly. A new article intended to nudge the
reader toward that conclusion is released about every 6 months.

~~~
dusing
Other people read this and say it is a clever propaganda campaign to promote
the danger of using drones that can be turned against us by hackers, etc....

so likely the simplest answer is correct, it's not a giant conspiracy after
all.

~~~
grandalf
Uh, that's what the article said, one doesn't have to infer it. Of course if
any form of US military technology is easily hackable there is not likely to
be much consensus behind the idea of just cancelling the program...

The article sets the stage for easy agreement with the idea that US drone tech
needs an overhaul. Even if the first appropriations toward this go to a small
subset of current military drones, that gets the ball rolling.

------
joering2
I believe its too late. Too much money has been already spent by lobbyst and
all third parties dying to make trillions off of this scam (vide Chertoff and
his radiation scanners: first it was just airports (and I somehow agree) with
a reasoning that 300 people aboard a plane can be killed by one idiot with a
bomb and when you fly a plane you are in one guy's hands (pilot), but now they
are fully rolling it into stadiums, train stations, buses, soon schools
universities and all public entities to join, including libraries (no
explanation why -- just simple so that bearded guy hiding in Afghanistan
mountains won't get you). Chertoff will make ten thousands-fold on his initial
investment; brilliant business anywhere outside US would be called illegal and
conflict of interest).

I bet you DHS will turn this horrible news into a good PR, something like "
_we noticed they could take over our drone, but you see if we get additional
10 billion in funding, we could use encryption over GPS and then all our
drones will be safe again_ ".

------
stfu
Credit goes to kmfrk who posted the link at
<http://news.ycombinator.com/item?id=4212085>

------
jjwiseman
Video of spoofing an iPhone's GPS:
<http://www.youtube.com/watch?v=ShRPXkpW1mM>

Note that they are able to quite precisely control the spoofed location--there
is no hard banking or veering. The phone thinks it's moving smoothly at 40
MPH.

Also note that it is believed that people have already been killed by GPS
jamming: [http://www.newscientist.com/blogs/onepercent/2012/05/gps-
los...](http://www.newscientist.com/blogs/onepercent/2012/05/gps-loss-kicked-
off-fatal-dron.html)

------
nyellin

      Each one of these could be a potential missile used against us.
    

This seems to be exaggerated. Wouldn't you need a drone on American soil,
already right next to the target, in order to crash it by sending falsified
GPS coordinates?

~~~
michaelt
Did you read the part of the article that said "The demonstration of the near-
disaster, led by Professor Todd Humphreys and his team at the UTA's
Radionavigation Laboratory, points to a "gaping hole" in the US's plan to open
US airspace to thousands of drones," so presumably there's an existing plan to
use drones in US airspace. One would imagine they would be most useful over
densely populated areas.

~~~
asynchronous13
The FAA is currently coming up with the rules to govern unmanned systems in
the national airspace. They have a mandate from congress to have the rules in
place by 2015. As of today, the only way to commercially operate a UAV
requires case-by-case permissions.

------
blhack
I'm moderately certain that military drones use dead reckoning in addition to
gps.

If they're not: dear DoD, I can fix this for you with about $50 worth of
parts.

------
ricardobeat
What prevents this kind of attack from being used on current commercial
airliners?

~~~
jakejake
You'd imagine the pilots would notice if the auto-pilot started flying
erratically. I'm sure it could be used to confuse the hell out of the pilots
though.

~~~
zcid
Instrument failure isn't always detected by the crew. In the case of Air
France 447 in 2009, even the instruments that were working correctly weren't
properly understood.

The black box transcript from AF 447 is quite an interesting read:
[http://www.popularmechanics.com/technology/aviation/crashes/...](http://www.popularmechanics.com/technology/aviation/crashes/what-
really-happened-aboard-air-france-447-6611877)

~~~
jakejake
I remember reading that - it is quite terrible but fascinating. It seemed
pretty clear that the the crash was 100% human error due to the co-pilot
basically panicking and losing his mind. Though it was initiated by an
instrument failure.

------
kyle_martin1
I wouldn't consider this "hacking" or even very impressive. If you deliver
enough power to the right antenna with the right carrier frequency you can jam
any wireless communication. It's the same concept as "whoever yells the
loudest will be heard".

~~~
JabavuAdams
Your argument just makes this more serious. It's a (possibly easy) exploit
with serious consequences.

~~~
kyle_martin1
I was speaking to how exaggerated the title of the post is, not the ease of
exploitation.

