
Drone captured by Iran may mean military GPS RSA "red key" has been compromised - mrb
http://cryptome.org/2012/01/0016.htm
======
ck2
Iran is not some backwater and it's not north korea.

When politicians sing about "bomb Iran" these are the innocent people they are
talking about killing

<http://www.youtube.com/watch?v=6v6kF8i-mbw>

[http://www.theatlantic.com/infocus/2012/01/a-view-inside-
ira...](http://www.theatlantic.com/infocus/2012/01/a-view-inside-iran/100219/)

Before 1970 you would not be able to identify pictures of iran from parts of
the usa

[http://www.pagef30.com/2009/04/iran-in-1970s-before-
islamic-...](http://www.pagef30.com/2009/04/iran-in-1970s-before-islamic-
revolution.html)

Currently Iran is just the result of what happens if conservative fundamentals
got ahold of the government of a country.

Yeah the nuclear bomb makers and holocaust deniers have to be stopped, but
let's show some care and understanding for innocent people under their rule
first.

~~~
corin_
So it's not OK to bomb Iran but North Korea and you have no problem - are you
under the impression that everyone in North Korea is evil?

~~~
nl
I think the author's point was that Iran is a sophisticated industrial society
("not a backwater") and the people have a wide range of views ("not North
Korea").

~~~
ck2
You are correct, that is exactly what I meant about the sophistication level.

Hence no surprise they could dissect a drone.

By no means was I implying it would be acceptable to bomb north korea!

------
Steuard
The article confuses me: it seems to be conflating the RSA algorithm (which I
could easily believe might be used to encrypt military GPS) with the RSA
company (a division of EMC which was hacked and had its SecurID product
compromised recently).

Am I missing something, or is the author just confused? Why would having
"broken into EMC's RSA servers" be at all related to being "in pursuit of a
cryptanalytic attack against RSA"?

~~~
dekz
I was a little confused also, I am under the impression that he is mentioning
2 points.

1) Attack on RSA to attempt to see if RSA has some attack on the RSA algorithm
hidden. 2) Using an attack on SecurID to attempt to get more information from
a Lockheed Martin or other breach.

~~~
sunchild
Yes, it was widely reported that Lockheed was a target after SecurID was
breached. Whether or not anything useful was extracted from Lockheed's
systems, and whether or not any Lockheed data was involved in spoofing the
drone, is pure speculation. It seems equally plausible that Iran had an inside
man at a defense contractor. After all, history has shown how relatively
inexpensive and effective double agents are to state actors.

------
parfe
All these complex and sophisticated attacks seem like too much work. It looks
like the author either omits a step from the attack where the SecurID
compromise allowed someone access to flight control systems or that RSA has a
master key/method for breaking any RSA encrypted data.

I think the drone ran out of fuel. The flight control system prevented a stall
by trading altitude for speed. Some emergency collision code attempted to
avoid a ground impact at the last second making for a soft landing.

Something as simple as bad weather forecasting causing the drone to fly into a
headwind during both inbound and outbound could easily account for the fuel
drying up.

~~~
vbtemp
Right - no one wants to consider this null hypothesis. Not exciting enough, I
suppose. Actually _spoofing_ GPS - which would involve masking the actual GPS
signal and producing the precise nanosecond differentials from a simulated
fleet of satellites needed to give a false location, seems highly
unbelievable.

GPS jamming is possible, which may have led to a loss of nav (although I would
have thought there may be some inertial guidance), but either way, the
guidance-and-control system probably just leveled off for a smooth crash
landing. (hence the way the iranians not-so-cleverly hid the underside of the
UAV in anti-american propoganda posters)

~~~
cameldrv
Spoofing GPS, at least the C/A code is not such a huge challenge. You can buy
the hard part off the shelf from many vendors. For example,
<http://sine.ni.com/nips/cds/view/p/lang/en/nid/206805>

~~~
jonknee
That works to spoof GPS for your phone in a controlled location, but not for a
drone that's flying unpredictable routes.

~~~
burgerbrain
Any well funded group of HAMs should be able to iron out the implementation
details.

------
agwa
It's pretty rash for the article to suggest that the RSA algorithm might have
been broken. If the key really has been stolen, it seems far more likely that
it was breached due to crap IT security than a recently-discovered bombshell
weakness in the RSA algorithm.

For example, the RSA corporation's SecurID service (not to be confused with
the RSA algorithm) was compromised due to a spear-phishing attack containing
an Excel spreadsheet with a Flash exploit. Then Lockheed Martin was breached
because they use SecurID[1]. Lockheed Martin happens to make GPS
satellites[2], so they might have a copy of the key...

This is completely speculative (in particular, Lockheed Martin claims no data
was stolen and I know nothing about how GPS works). But in the past, there
have been way more exploits due to insecure systems than to weak crypto
(especially well-established crypto like RSA).

[1]
[http://en.wikipedia.org/wiki/SecurID#March_2011_system_compr...](http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise)
[2] <http://en.wikipedia.org/wiki/USA-206>

~~~
46Bit
> in particular, Lockheed Martin claims no data was stolen If you had
> something particularly secret stolen you're not going to air it publicly.
> Agree with everything else though - even if this hypothesising is true it'll
> be down to a stolen key.

------
__alexs
red key is from the older PPS-SM system which hasn't been used in new hardware
since 2006. GPS M-Code isn't even meant to be fully operational until 2016.
Which suggests he actually means SAASM.

------
vbtemp
How much certainty is there that the Iranians actually _spoofed_ the GPS
signal? How much evidence is there to overturn the null hypothesis (being that
the GPS signal was either jammed, or the plane simply crash-landed inside
Iran)

~~~
gvb
AvWeek is a more reliable source than the blogs repeating breathless "OMG IRAN
SPOOFED GPS" stories.
[http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckC...](http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckBlogPage=BlogViewPost&newspaperUserId=27ec4a53-dcc8-42d0-bd3a-01329aef79a7&plckPostId=Blog%3a27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3abca8e6e2-70ef-40a3-8c56-f83aa6fc7ade)

------
freddealmeida
I find this fascinating. However, I think a sale to China would have greater
impact than breaking military crypto.

More interesting is that this drone was flown illegally into sovereign
airspace and no one seems to mention that. Imagine if China flew a drone over
LA.

As for Iran being a target for military action, history has shown that any
country that it sanctions economically is always attacked.

Might as well just prepare for it.

------
7952
Why would you need to have keys at all? Just rebroadcast the signal with a
different delay for each satellite.

~~~
sern
The GPS military signal is protected by virtue of being CDMA-modulated by a
long, pseudorandom sequence (the output of a keyed, secret PRNG). Because of
the spread-spectrum nature of CDMA, it would be impractical to record the
signal without having the key in the first place. And if you did have the key,
why go through the trouble of recording and replaying the signal when you
could directly spoof it?

------
avit
One thing I've never understood all along is how Iran managed to capture the
drone intact. Was it guided into a runway landing somehow? Or else how did
they not crash it?

~~~
Luc
The wings appeared to be held on by duct tape. Perhaps it didn't fall from
very high.

~~~
Luc
This is being downvoted, but I am serious. In the pictures you can see the
wings have been crudely reattached to the body using a white tape to cover up
the supposed break. Hence it seems possible that the plane crashed, but not
from an altitude that would do major damage.

------
rbanffy
Why not jam the military signal and spoof the civilian one?

~~~
ajb
It uses spread spectrum transmission, which is resistant to jamming unless you
know the secret key.

~~~
sern
Nevertheless, it's still possible to jam (see LightSquared). I actually think
this is how Iran did it.

~~~
ma2rten
According to this wired article it is possible, but still unlikely.

<http://www.wired.com/dangerroom/2011/12/iran-drone-hack-gps/>

------
sern
The encrypted GPS service doesn't use RSA.

~~~
mrb
Yes it does, see slide 6: <http://www.scribd.com/doc/51162211/Andrew-
Presentation>

~~~
sern
The key management system (SAASM) indeed uses RSA, but not the GPS itself.

~~~
mrb
We are arguing about a semantic technicality then... "GPS uses RSA" vs. "GPS
key management system uses RSA".

------
shareme
I have some conjecture based on some prior knowledge/connections..

First the info:

Phil Zimmermann has a company working on Secure VOIP. I was contacted past 18
months ago to build the android mobile client. Project never lifted off due to
some large distraction and the excuses I was given never matched up to
reality.

I submit because of Phil's connections to other RSA inventors and break-ins
that occurred in the past 24 months that the distraction was a major hole was
found in RSA or the process to secure it. The RSA inventors are
consultants/board members of the the secure VOIP firm(Phil Zimmermann's firm).

At this time its only conjecture and there are no concrete facts out in the
open to fully confirm it. However, there are some analysis out there such as
the authors that point to a major breach of RSA in the last 24 months that
highlights new RSA holes in either the RSA itself or the process in securing
RSA keys.

~~~
burgerbrain
A "RSA hole", as far as I am aware, would be "somebody found a fast way to
factor numbers". There wouldn't exactly be a fix for that except to move to
another trap door function.

