Hacker News new | comments | ask | show | jobs | submit login
Drone hijacked by UT hackers with $1,000 spoofer (sophos.com)
159 points by stfu on July 7, 2012 | hide | past | web | favorite | 79 comments

Egads, the news coverage of this is horrible fear mongering.

The researchers from UT built a system to protect against GPS spoofing. In order to prove that their protection system works, they had to demonstrate that GPS spoofing is feasible. Without exception, every news item on this only mentions the spoofing part, and not the protection part.

Military unmanned systems use encrypted GPS that is not vulnerable to the attack demonstrated.

Its possible to make a vehicle fly erratically, or even cause it to crash by spoofing GPS. But to take control requires a lot more than what was demonstrated. An error of 1us in the spoofed signal corresponds to 1000ft -- that's why the actual descriptions of the vehicle say 'banked hard' or 'veered' off course.

GPS jamming is so much easier than spoofing and results in the same thing.

> GPS jamming is so much easier than spoofing and results in the same thing.

Does it? Can't the drone tell that the GPS input that it's getting is inconsistent and fall back to flying home using dead reckoning?

Technically, yes it is possible for an autopilot to use dead reckoning for navigation without GPS at all. (we didn't use GPS to navigate to the moon, right?) However, all commercial autopilots that I know of rely on GPS to some degree. The difference is the use of low-cost gyros and accelerometers. They are good enough when augmented with GPS, but not good enough all alone.

Edit: the low-cost sensors can be augmented with sensors other than GPS too, like vision processing. This has been demonstrated but is not yet in widespread usage. I expect to see this become more common due to demonstrated vulnerabilities in GPS.

State-of-the-art inertial navigation technology has approximately the same precision as state-of-the-art GPS. Even modern run-of-the-mill interferometer-based inertial systems are precise enough for most purposes.

The unique value of inertial navigation is that it requires neither receiving nor sending a signal that can be jammed or spoofed, hence why the military uses it for everything.

1960's inertial navigation systems have better resolution than today's consumer GPS. The issue is not the technology, it's the cost, size, and weight. The small, light, and low-cost sensors fueling the current wave of UAVs are not the most accurate technology available, but that doesn't mean they aren't useful.

The concern I would have with inertial navigation over long distances is the possibility of drift. You might have good resolution over short distances, but what about hours and hours? What if your vectors are not quite right, or you get drift in your gyros (and LR gyros are prone to drift in certain circumstances)?

Which is why aircraft normally have multiple INS units. INS has been used as primary nav for endurance missions (>24hrs) in the US military for decades.

Citation: Myself, I worked on a variety of systems including INS and GPS in the military.

But redundant INS units protect against failure of LR gyros. They don't protect against the case where an extremely slow turn by the plan can induce drift in an LR gyro. In that case all your redundant systems will all drift together.

LR gyros are also limited by physics to a certain limit of precision, and this is the specific mechanism by which they can drift (from what I understand though building larger gyros might help). So flying for a long time.... I don't know to what extent we know how much drift might occur. It would certainly be possible to build in some checks here though since landing in Iran instead of Afghanistan would seem to show some discrepancy between the two systems.

I am just not sure you can be sure that relative position will be as accurate as absolute position over an extended period of airtime.

> But redundant INS units protect against failure of LR gyros. They don't protect against the case where an extremely slow turn by the plan can induce drift in an LR gyro. In that case all your redundant systems will all drift together.

I'm am pretty sure this is very wrong, although I'm not an expert enough to downvote you. Having multiple systems allows one to average out (statistically independent) drifts; it's not just a protection from failure. I don't think there's anything special about a "slow turn" which will cause military-quality INSs to have correlated drifts.

As I understand it with LR gyros, if you rotate them sufficiently slowly so that they move less than half a wavelength in the time the light transits, they re-lock on the new orientation without interference. This is a limit based on quantum physics and it's why I said that larger gyros might reduce the problem.

Well, if so I think this is an issue that designers of military systems have been well aware of for years. Drones don't seem any more at risk than submarines, which have used INSs successfully for decades. Drones seems much less likely to go through large stretches of time without access to GPS than submarines, so I'd be surprised if it's an issue.

I think the real problem is that INSs are simply to bulky and heavy for drones, rather than anything to do with drift.

This is incorrect. They aren't just there for redundancy, they are there to account for gyro 1 vs 2 anomalies (drift).

Why is this HN thread the only Google result for "LR gyro" ?

The full term is laser ring, or ring laser gyroscope.

There was a fratricide in Desert Storm where a bunch of Apaches drifted behind friendly lines. INS is mentioned as a contributing factor. IIRC they were hovering, but a slight wind didn't register with the INS.

Out of curiosity, how precise are we talking? I assume the top-level military tech is classified, but if I buy off-the-shelf parts, how far can I fly and still land on the runway using pure dead reckoning?

Extra bonus points : if you get above the cloud cover, can also use constellations to correct accumulated errors.

I heard some Russian ICBMs had a special window so that cameras can see constellations for that purpose.

And the SR71 had it from the start, too.


Oh wow, this is why I keep coming back to HN again and again. Thank you for teaching me something amazing!

I would expect a secondary form of navigation. Submarines and even Google Maps cars use an inertial guidance system - if GPS is lost or clearly spoofed, you can rely on the inertial guidance system long enough to set a trajectory for a safe zone.

Do you have some reasonable sources about GPS jamming? From what I know, GPS should be protected against jamming through signal spreading, which means you should be only able to do it with investing unreasonable amounts of resources.

Is this good enough? http://www.jammerall.com/categories/GPS-Jammers/

Low-cost GPS jammers are $30-$50 dollars, though they are illegal to sell or to use. Jamming is a simple matter of sending out a signal more powerful than the signal received from the satellites. 100mW transmitter is more than adequate in close range.

> GPS jamming is so much easier than spoofing and results in the same thing.

If that drone is in a homogenous-looking area, say a desert with litte habitation, it wouldn't be hard to slowly get the drone to a different target than desired, possibly having it think another car or house is its target.

Indeed, this is really bad reporting (IAA UAV researcher).

They were using a small rotary wing (relatively cheap) research UAV, despite the various articles including pictures of Global Hawks/MQ-9s etc. These small systems are usually designed for research, and so use the same UBlox/MTK/Sirf based GPS chipsets you find in sat-nav systems for example.

It looks similar to a Yamaha RMax, although I can't be bothered to find the actual model. The RMax is designed for agricultural use & research, not fighting wars.

The vehicle control software simply assumes the GPS is correct. It wouldn't be that difficult to cross-check against the IMU data - our research drones can happily fly for a few seconds if they loose their GPS lock but spoofing would probably knock them down, because we just assume it won't happen!

You could build a DIY version of the Texas drone for around $1000 using open source hardware and a COTS model helicopter.


This not news, anyone who works with these vehicles knows this. It's like shooting a horse and then claiming terrorists can take out tanks with a single bullet.

While I agree the article is sensationalist and the pictures are misleading, I disagree that there is no relevance. If anything, everything you've said makes it more concerning. These are exactly the kind of drones we will have flying overhead, which will all be easily borked by anybody with $1000 and some good technical knowledge.

I agree it is an area that could do with research. However, we know consumer level GPSs have no protection against spoofing (indeed, you can buy GPS jammers from various websites for defeating fleet tracking systems).

You could as well use a replay attack against the pilot's control system (probably on 2.4GHz) using much cheaper hardware.

There is still plenty of work to do before these class of research drones become commonplace overhead - in particular, practically every onboard system is a single point of failure.

Sounds to me then like FAA should require all drones to be safe against things like GPS spoofing, GPS jammers and replay attacks before they open up the airspace for drones.

And/or jail people for using GPS jammers.

Thanks for your comment.

If you are comfortable would you mind linking to your homepage or sending me your contact info? (You can find my email at dylanfield.com) I'd love to talk more with you sometime.

The Rmax is much larger than the helicopter UT is flying.

Indeed - I eventually found a picture of it with a person for scale. Do you know what it is?

I believe they are using an electric Logo 500.

Edit: yep. It's from Adaptive Flight, Inc. which is a modified Logo 500. http://www.wired.com/dangerroom/2012/07/drone-hijacking/all/

There are a few good comments[1] on the article page that point out that Military drones use an encrypted GPS channel that isn't susceptible to this specific attack. A much more sophisticated attack would have to be used to take over a military drone.

[1]: http://nakedsecurity.sophos.com/2012/07/02/drone-hackedwith-...

Military systems have never relied GPS for guidance. These systems were developed during the Cold War; the Soviets had the ability to take out the GPS satellites directly.

The US military has always used inertial navigation systems, usually based on extremely precise laser interferometers. You can't spoof or jam inertial guidance short of locally altering the laws of physics. A few decades ago, GPS was used to apply corrections within the (classified) error bounds of the inertial navigation system, which could be significant; any GPS correction outside the error bound of the inertial navigation system was interpreted as GPS being compromised. As the decades have passed, inertial navigation systems have become progressively more precise to the point that GPS is adding a rapidly shrinking amount of extra precision.

In fact, the US military is starting to test a new type of ultra-precise interferometer that allows inertial navigation to exceed the precision of GPS. GPS correct INS will only continue to be used to the extent it is inexpensive and gets the job done.

This scenario would also assumes that no human is in the loop and the drone is running on auto pilot. The "hack" was averted by the drone pilot switching the drone to manual in the exercise in question. I am not sure what military drones even have to do with this test.

I know the title here is the same as the article, but why the heck did sophos choose "Texas college" for the something done by the University of Texas? I assumed from the title it was done by some small school somewhere in Texas, not UT.

UT is in the top 30 on the Times Higher Education world university rankings: http://www.timeshighereducation.co.uk/world-university-ranki...

They are #13 on the list of world rankings of engineering schools: http://www.timeshighereducation.co.uk/world-university-ranki...

By saying "Texas college", it makes it sound like some random second or third tier school did it. That's much more sensationalistic as it can easily give the casual reader the impression that pretty much anyone can easily hack these drones. If they said a team from a top engineering school did it, it would not frighten people because that's the kind of thing you EXPECT people from top engineering schools to be able to do.

Amen! I had exactly the same reaction. (Disclosure: I'm an alumnus, twice.)

Hook 'em Horns!

Sorry, conditioned response from this alum.

the wife says, "Go Pokes!" :-)

There is only one school in texas worth knowing about.

... Rice University?

Texas College is actually a low-quality college in my town. I was very, very confused for a few seconds.

This is part of the clever and gradual propaganda campaign to increase drone funding/sophistication significantly. A new article intended to nudge the reader toward that conclusion is released about every 6 months.

Other people read this and say it is a clever propaganda campaign to promote the danger of using drones that can be turned against us by hackers, etc....

so likely the simplest answer is correct, it's not a giant conspiracy after all.

Uh, that's what the article said, one doesn't have to infer it. Of course if any form of US military technology is easily hackable there is not likely to be much consensus behind the idea of just cancelling the program...

The article sets the stage for easy agreement with the idea that US drone tech needs an overhaul. Even if the first appropriations toward this go to a small subset of current military drones, that gets the ball rolling.

I believe its too late. Too much money has been already spent by lobbyst and all third parties dying to make trillions off of this scam (vide Chertoff and his radiation scanners: first it was just airports (and I somehow agree) with a reasoning that 300 people aboard a plane can be killed by one idiot with a bomb and when you fly a plane you are in one guy's hands (pilot), but now they are fully rolling it into stadiums, train stations, buses, soon schools universities and all public entities to join, including libraries (no explanation why -- just simple so that bearded guy hiding in Afghanistan mountains won't get you). Chertoff will make ten thousands-fold on his initial investment; brilliant business anywhere outside US would be called illegal and conflict of interest).

I bet you DHS will turn this horrible news into a good PR, something like "we noticed they could take over our drone, but you see if we get additional 10 billion in funding, we could use encryption over GPS and then all our drones will be safe again".

Credit goes to kmfrk who posted the link at http://news.ycombinator.com/item?id=4212085

Video of spoofing an iPhone's GPS: http://www.youtube.com/watch?v=ShRPXkpW1mM

Note that they are able to quite precisely control the spoofed location--there is no hard banking or veering. The phone thinks it's moving smoothly at 40 MPH.

Also note that it is believed that people have already been killed by GPS jamming: http://www.newscientist.com/blogs/onepercent/2012/05/gps-los...

  Each one of these could be a potential missile used against us.
This seems to be exaggerated. Wouldn't you need a drone on American soil, already right next to the target, in order to crash it by sending falsified GPS coordinates?

Did you read the part of the article that said "The demonstration of the near-disaster, led by Professor Todd Humphreys and his team at the UTA's Radionavigation Laboratory, points to a "gaping hole" in the US's plan to open US airspace to thousands of drones," so presumably there's an existing plan to use drones in US airspace. One would imagine they would be most useful over densely populated areas.

The FAA is currently coming up with the rules to govern unmanned systems in the national airspace. They have a mandate from congress to have the rules in place by 2015. As of today, the only way to commercially operate a UAV requires case-by-case permissions.

You can't control altitude or velocity, either (unless the system uses a GPS altimeter instead of a barometric one), so "potential missile" is indeed a massive exaggeration. To be honest, it would be cheaper, easier and more dangerous for a hypothetical bad guy to buy an actual missile like the Qassam for around $800[0] than it would to try and "hijack" a real UAS.

[0]: https://en.wikipedia.org/wiki/Qassam_rocket

This implies that a specific target is necessary. Anywhere with people is usable.

Unless one gets downed abroad and reprogrammed.



edit: ( I think the real concern in this situation would be reverse engineering with an eye to finding vulnerabilities to be exploited in other drones, not so much reprogramming the one and only they have )

Or against US soldiers.

You would still need a strong signal near the target, which is more difficult than setting up a drone-trap like Iran seems to have done.

Is it possible to somehow sign GPS coordinates? (Perhaps sync an internal clock at each mission's start, and check a time-based signature?)

If not, are there practical challenges to integrating the output of a drone's engine and calculating the path travelled, instead of naively believing satellite coordinates?

Actually, wind must make that difficult. For a car, you can attach a magnet to each wheel and count the surges as it passes a sensor on each rotation, to give you an idea of where you are. Due to the external forces on a drone, you would probably want to measure forces with an accelerometer/gyroscope, not engine output.)

What are the challenges involved in such? Is internal-location tracking even feasible?

All military navigation systems are inertial, not GPS. They only accept GPS corrections within the error bars of the inertial system. As a practical matter this means that you can only make a drone deviate from its intended course by a few meters assuming you did a perfect job of spoofing the GPS.

GPS spoofing/jamming only works for systems that use GPS navigation systems; military weapons and systems have never used GPS navigation. Inertial navigation systems are spoof-proof.

I'm moderately certain that military drones use dead reckoning in addition to gps.

If they're not: dear DoD, I can fix this for you with about $50 worth of parts.

What prevents this kind of attack from being used on current commercial airliners?

You'd imagine the pilots would notice if the auto-pilot started flying erratically. I'm sure it could be used to confuse the hell out of the pilots though.

Instrument failure isn't always detected by the crew. In the case of Air France 447 in 2009, even the instruments that were working correctly weren't properly understood.

The black box transcript from AF 447 is quite an interesting read: http://www.popularmechanics.com/technology/aviation/crashes/...

I remember reading that - it is quite terrible but fascinating. It seemed pretty clear that the the crash was 100% human error due to the co-pilot basically panicking and losing his mind. Though it was initiated by an instrument failure.

Planes have crashed for lesser reasons...

Even if the pilots didn't, ATC would (and the plane's own GPS unit's internal checks might notice as well) - and then it's simple enough to disable GPS and use VOR navigation (or radar vectors, in a pinch).

Couldn't the same thing happen with a drone? After all they are being controlled by someone one the ground. If you notice it behaving erratically or ATC notices and contacts you about it you could correct the issue. In fact that is exactly what happened in this situation the drone's autopilot was overridden by another pilot to prevent it from crashing.

Primarily because commercial airliners do not use GPS.

Don't they? AFAIK they are used for navigation, they just can't transmit back - but that's set to be implemented in the coming years. Would love to hear more on that.

All critical systems have used inertial navigation for decades. The systems may accept GPS corrections within the error margins of inertial navigation but nothing more.

Inertial navigation used to have larger margins of error than GPS. Since GPS was not trustworthy and inertial is, they accept GPS fine-tuning to the trusted inertial system. If the inertial system and GPS system disagree, GPS is ignored.

State-of-the-art inertial systems are now more precise than GPS.

What do you mean by "can't transmit back"?

I think he may mean that airliners transmit their GPS coordinates (which I've heard an ordinary citizen can pick up cheaply) but can't receive commands that way.

The exact opposite actually. Apparently airliners, like our mobile phones, can only receive GPS signals to track their own position, but they can't report that back to the control towers - position is calculated from ground radars, which only reach up to 200 miles from shore. That's why the location of AF447 couldn't be pinpointed quickly after the accident, for example, there are only estimates for location while out at sea.

Do you know why the pilots of that plane didn't use GPS to determine their altitude and speed? I read that it's suspected they slammed into the sea because they didn't know their altitude and speed, due to frozen-over measuring devices.

Apparently the entire issue came down to a junior pilot pulling back on the control stick, causing the airplane to stall and fall. It seems commercial airlines usually operate in a mode where it is impossible to stall -- pulling back all the way just ascends as fast as the plane can. But, the plane reverted to another mode of operation and the pilot did not understand this. Additionally, the Airbus control system has no physical feedback between the two pilot inputs and just merges the data. So if one pilot is pulling back, the other has no way of knowing. From the transcription, it seems that the pilots were confused as to why they were falling, until they realised the junior pilot was stalling the plane, and by then it was too late to fix.

Thanks for that description. Amazing that Airbus hadn't addressed this already. I've read that the initial problem that confused the pilots was the lack of air speed (and maybe altitude) data, due to frozen pitons. So I still wonder why the planes couldn't use GPS for that, at least as backup.

I wouldn't consider this "hacking" or even very impressive. If you deliver enough power to the right antenna with the right carrier frequency you can jam any wireless communication. It's the same concept as "whoever yells the loudest will be heard".

Your argument just makes this more serious. It's a (possibly easy) exploit with serious consequences.

I was speaking to how exaggerated the title of the post is, not the ease of exploitation.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact