Iran: Yes, We Hacked the U.S.'s Drone, and Here's How We Did It

Daily Tech ^ | December 15, 2011 7:00 PM | Jason Mick (Blog)

[Ernest_at_the_Beach]

Iran rebuffs skepticism with a detailed description of attack, which experts call "certainly possible"

"You are going to tell me what I want to know, it's just a matter of how much you want it to hurt."
— Jack Bauer, 24

It sounds like a scene out of a spy movie -- highly trained national paramilitary operatives harshly testing a foreign agent until they break and do their bidding. But that's exactly what Iran is claiming it did to a U.S. Central Intelligence Agency spy drone.

In an unconfirmed, yet fascinating report in The Christian Science Monitor, an unnamed "Iranian engineer" claims that Iran used its torture testing from past crashed drones to break the captured drone and bend it to the command of the Iranian authorities, forcing it into a soft landing so they could probe the secrets of its fully intact body.

I. Iran warned the U.S. of its Capabilities

The report points to claims Iran made in September that it was able to "take control" of U.S. guided weapons or surveillance devices.  

Iranian Gen. Moharam Gholizadeh, the deputy for electronic warfare at the air defense headquarters of the Islamic Revolutionary Guard Corps (IRGC), told the Far News, "We have a project on hand that is one step ahead of jamming, meaning 'deception' of the aggressive systems... we can define our own desired information for it so the path of the missile would change to our desired destination...all the movements of these [enemy drones are being watched]" and "obstructing" their work was "always on our agenda."

At the time the claims by Iran -- under pressure for its suspected nuclear weapons development program -- were largely dismissed as factless national rhetoric.  

Similarly, when Iranian state-run media revealed last week that it had captured a U.S. intelligence drone, many experts sneered at Iran's claims that it "hacked" the drone.  Remarked an analyst to the Defense News, "[it'd be] like dropping a Ferrari into an ox-cart technology culture."

But while the detailed description of the "electronic ambush" from the interview with the Iranian engineer has not been verified by U.S. military officials, the U.S. gov't and public are now forced to set aside their prejudices and look at those claims far more seriously.

_{[Image Source: Sepahnews/AP]}
According to the source, the first thing the Middle Eastern nation's "cyberwarfare experts" did was to jam the drone's signal.  While the report does not specifically mention this, the engineer's claims of using past crashed drones to derive the attack indicate that Iranian experts may have used drones to determine the encrypted control frequencies that the drone was communicating on.

Further evidence that adversaries in the region are on to U.S. UAV feed frequencies comes from the fact that in 2009 Iraqi Shiite militants intercepted live, unencrypted video feeds off a U.S. predator drone, using only off-the-shelf hardware.  At the time, Iranian involvement was suspected.

In July and in 2010 Iran claimed to have shot down drones hovering near its nuclear facitilities.

II. "Downing Drones 101"

Using its knowledge of the frequency, the engineer claims, Iran intiated its "electronic ambush" by jamming the bird's communications frequencies, forcing it into auto-pilot.  States the source, "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain."

The team then use a technique known as "spoofing" -- sending a false signal for the purposes of obfuscation or other gain.  In this case the signal in questions was the GPS feed, which the drone commonly acquires from several satellites.  By spoofing the GPS feed, Iranian officials were able to convince it that it was in Afghanistan, close to its home base.  At that point the drone's autopilot functionality kicked in and triggered the landing.  But rather than landing at a U.S. military base, the drone victim instead found itself captured at an Iranian military landing zone.

Spoofing the GPS is a clever method, as it allows hackers to "land on its own where we wanted it to, without having to crack the [encrypted] remote-control signals and communications."

_{[Image Source: Reuters]}
While the technique did not require sophistication from a cryptography perspective, it was not entirely trivial, either, as it required precise calculations to be made to give the drone the proper forged distance and find and fine an appropriate altitude landing strip to make sure the drone landed as it did in Afghanistan.  The Iranian engineers knew the details of the landing site, because the drone had been confirmed in grainy photos to be landing at a base in Khandar, Afghanistan.

Despite the careful calculations, the drone still sustained a dent in its wing and underbody (though it did not have the usual signs of a high-speed collision).  During its press conferences, the Iranian military covered this damage with anti-American banners.

_{[Image Source: Iranian state television]}

The engineer explained this damage commenting, "If you look at the location where we made it land and the bird's home base, they both have [almost] the same altitude.  There was a problem [of a few meters] with the exact altitude so the bird's underbelly was damaged in landing; that's why it was covered in the broadcast footage."

The approach echoes an October security conference presentation [PDF] in Chicago, in which ETH Zurich researchers laid out how to use interference and GPS spoofing to more gently down a drone.

III. Is the West "Underestimating" Iran?

Iran warns that the west is underestimating its growing technlogical prowess.  A former senior official is quoted as saying, "There are a lot of human resources in Iran.... Iran is not like Pakistan."

Deputy IRGC commander Gen. Hossein Salami, stated this week, "Technologically, our distance from the Americans, the Zionists, and other advanced countries is not so far [as] to make the downing of this plane seem like a dream for us … but it could be amazing for others."

The Christian Science Monitor report cites an unnamed European intelligence source as claiming that Iran in an unreported incident managed to "blind" a CIA spy satellite by "aiming a laser burst quite accurately" at its optics.  And in September Google Inc.'s (GOOG) security certificates were hacked to give access to 300,000 Iranian citizens Gmail accounts, in what circumstantial evidence indicated was a "state-driven attack," potentially designed to ferret out spys or dissidents.

For now Iran military and government workers -- including the engineer -- are giddy with joy at their success, according to the report.  The source is stated as remarking, "We all feel drunk [with happiness] now.  Have you ever had a new laptop? Imagine that excitement multiplied many-fold."

What they captured was no mere Reaper or Predator -- it was an advanced RQ-170 Sentinel design, made by Lockheed Martin Corp. (LMT) for the CIA.  

He said that members of the National Guard initially feared that the drone was rigged to auto destruct, but eagerly moved to inspect it anyways because they "were so excited they could not stay away."

III. U.S.: Drone Missions to Iran Will Continue

It's important to remember that while the attack described in the report sounds very feasible, it has not been confirmed by the U.S. government, and may never be.  It now appears that the government is at least acknowledging that the drone is a real U.S. drone, as opposed to early reports in which some officials indicated it might be fake Iranian propaganda/publicity stunt.

Former U.S. Navy electronic warfare specialist Robert Densmore told The CS Monitor that Iran's claims were "certainly possible", adding, "I wouldn't say it's easy, but the technology is there... Even modern combat-grade GPS [is] very susceptible [to manipulation]."

The U.S. has claimed that the drone was not spying, but was flying a standard mission over Afghanistan, when it suffered a "unspecified technical malfunction" and went of course, landing in Iranian hands.  They declined to explain how the drone -- flying at high altitude -- could have avoided sustaining serious damage.

U.S. President Barrack Obama has requested that Iran return the drone to U.S. officials.  Iran has refused.  IRGC Brig. Gen. Mohammad Hejazi, comments, "That is a shameless demand raised by the U.S. President.  They raise such claims instead of apologizing to our Islamic establishment and people."

_{Iran has refused President Obama's demands that it return the drone.
[Image Source: Matt Ortega/Flickr]}
Instead, Iran is filing a complaint with the United Nations Security Council, stating, "My government emphasizes that this blatant and unprovoked air violation by the United States government is tantamount to an act of hostility against the Islamic Republic of Iran in clear contravention of international law, in particular, the basic tenets of the United Nations Charter."

Despite that, Defense Secretary Leon Panetta told Fox News that the U.S. would "absolutely" continue to fly drones in the region.  The implied message -- but one that the U.S. military does not officially acknowledge -- is that the hunt for Iranian nuclear weapons activity will continue.

If confirmed, Iran's new drone downing capabilities are a concern.  Currently there's no real secure replacement for GPS satellites -- though China has done pioneering work in creating a state-run GPS network with an encrypted channel..  However, U.S. military suppliers could solve this issue by resorting to more advanced software.  For example a drone could be programmed to:

1. Store GPS coordinates, starting from launch from a "friendly" location and recognize internally large changes to the GPS.
2. Store a "friendly" air-space return path using the GPS history and known routes.  This could allow a drone to escape in a case of jamming like this one, and would prevent the enemy from trying a more slow and subtle modification of GPS coordinates on a jammed drone.

The new "Avenger" drone from General Atomics will soon be deployed to the region.  It's capable of holding a 2,000 lb. missile on attack missions.

Iran recently developed bomber UAVs of its own, though they are believed to be human-controlled designs, which trail the U.S.'s sophisticated UAVs, which are capable of autonomous flight, thanks to their advanced artificial intelligence.

V. Iran Threatens Afghanistan, Afghanistan Tells it to Leave it Out of U.S. Mess

Tensions rose on Thursday when Iran warned its neighbor Afghanistan that it would consider any further drones detected launching from U.S. bases in Afghanistan a "hostile act" by the Afghanis.  Iran's foreign minister Ali Akbar Salehi comments, "We have called on the Afghan government to seriously pursue the case, and under no circumstances let such events happen again, as such events will be regarded as unfriendly."  

It's hard to know exactly what Iran could do in response, given the U.S.'s support for the Afghani government.

The suggestion was enough, though, to rattle Afghani President Hamid Kharzai, who claimed not to know about the drone, stating, "Afghanistan was not aware that the drone had gone or malfunctioned in Iran."

_{Hamid Kharzai told Iran that he wants their nations to be friends and to leave them out of its issues with the U.S. [Image Source: CNN]}

He added, "Afghanistan would not want to be involved in any - how should I put it, not antagonism, adversarial relations between Iran and the United States. Afghanistan wishes that they be friends and Afghanistan's sovereignty and territorial integrity and soil is not used one against the other."

Afghanistan currently gets much of its domestic goods from Iran, a Middle Eastern manufacturing powerhouse.  A trade blockade would, of course, hurt debt-plagued Iran, but it's not entirely impossible that the nation's leadership could resort to such a mutually destructive move out of spite.

VI. Hostilities Between Iran and U.S. Continue

Iran, Israel, and the U.S. continue to be locked in a feud over Iran's reportedly nuclear weapons development.  The U.S. claims their evidence indicates Iran is secretly building bombs.  Iran claims its nuclear weapons activities are peaceful and solely for power purposes.

In addition to allegations of spying, Iran has publicly accused the U.S. and Israel of direct sabotage to its nuclear effort.  They point to the sophisticated "Stuxnet" worm, which specifically targetted Iran's nuclear power facilities, with the goal of sabotaging refining centrifuges.  Their have also been reported assasinations of Iranian nuclear scientists and unexplained explosions at Iranian factories/nuclear facilities.  Again, the Iranians point to U.S. and Israeli intelligence as the perpetrators of these incidents.

While Iran has never officially gone to war with the U.S. or its allies, although it did wage a war with Saddam Hussein's Iraq in the 1980s, a war in which the U.S. government was exposed to be funneling weapons and expertise to Iraq, weapons that would be turned against the U.S. in later conflicts.  The U.S. support of Iraq generated much bitterness and resentment among the Iranian revolutionary movement.

That bitterness has even deeper roots in the U.S. support for The Shah (Persian for "king") who, together with his father had ruled Iran for 54 years with U.S. support.  While the U.S. support helped modernize Iran, his policy of crushing dissidents and his imprisonment of Shiite religious leader Ayatollah Ruhollah Khomeini create pent-up hatred towards the monarch, animosity that exploded in the Iranian revolution of 1978.  

That revolution installed a theocratic government much of the kind that some Christian fundamentalists have called for here in the U.S. -- in which the state had a religion of choice, but (supposedly) offers freedom of religion via legislative protections for religious minorities. 

Some prominent America politicians such as Sen. John McCain (R-Ariz.) have called for the U.S. legal system to recognize the U.S. as a Christian theocracy [source].  Sen. McCain emphasizes "tolerance", but suggests that he would be uncomfortable with allowing a Muslim to be President of the United States.    Likewise Iran, in the 1980s went through a period of increasing its own "tolerance" efforts in the 1980s, allowing its Christian and Jewish minorities to hold token political positions, albeit barring them from top positions of federal power.

Despite the similar fundamental governing philosophies between "conservative" evangelicals in the U.S. and Iranian fundamentalists, the U.S. evangelical movement have led some of the harshest criticism of Iran, though curiously going light on U.S. ally Saudi Arabia, a nation which practices and preaches an even more theocratic religious rule.

Iran has exactly done its best to win friends among moderates in the U.S., though.  It's been accused of funneling weapons to guerillas in the 1982 and 2006 conflicts between Lebanon and the U.S.-backed Israel.  

The U.S. fears -- and perhaps rightly so -- that a nuclear armed Iran could lead to catastrophic destruction of its ally Israel and U.S. military bases in the Middle East.  They also fear the nation could threaten the stability of secular democracies in Iraq, Afghanistan, and Pakistan, funneling support to religious insurgents.  

Israel remains more non-chalant, claiming it can shoot down any Iranian nukes that come its way.  Israel and Iran are currently engage in a cyberwar.

The Islamic republic is a puzzle for the Western world, and its neighbors to deal with in coming years.  Iran, despite economic problems and foreign economic sanctions continues to grow.  It recently passed the 1 million market in yearly automobile production, making it the top domestic producer of cars in the Middle East.  Iran has the benefit of holding the world's second richest natural gas reserves and third richest oil reserves.

In 2009 Iran launched its first satellite into space.

_{Iran is a growing power in terms of education and technology, making its political and military clashes with the U.S., all the more problematic.}

[Image Source: Google Images, original author unknown; 
Fair Use clause TITLE 17 > CHAPTER 1 > § 107]
It also claimed to have 3.5 million college students enrolled in 2008 [source] -- a 4.4 percent enrollment rate which compares approaches U.S. enrollment rates. The U.S. reported in 2009 20.4 million college students enrolled [source], roughly a 6.7 % per capita enrollment rate.  While Iranian propoganda makes it hard to tell whether these numbers are entirely accurate, Iran does appear to have higher college education rates that many of its Middle Eastern peers.

Sources: Christian Science Monitor, ETH Zurich, MSNBC, Fox News

[shanover]

Totally appears fake.Whole story is bizarre. I hope I am wrong because we look like clowns with the a**hole Iranians and Urkel president.

[CharlesWayneCT]

Stock footage of RQ-170:

The air intake looks clearly different from the one in the article picture.

[ILS21R]

Amazing. They've converted our unmanned drone to a manned drone.

[TXnMA]

We missed our opportunity to forever end hijacking of American vessels and aircraft with the Pueblo. We should have destroyed it and its classified equipment/materials at its mooring right in the center of Pyongyang -- with our largest thermonuclear device.

No one would have ever tried to mess with us again after that demonstration of wrath.

Of course, it's still not too late; we know precisely where it is:

Of course a warning to evacuate the city would be humane -- and then we could strike at the time of our own choosing...

The same goes for our drone.

Of course Øbozo lacks two things which prevents him using even a conventional cruise missile to "declassify" our captured drone...

[CodeToad]

Lot of hot air and bullsh*t. None of it is true. Iran are known liars that make crap up that is known to be false and this is just more of the same.

[Ernest_at_the_Beach]

LOL!

[Ernest_at_the_Beach]

We have that going with our leftists.....Global warming scam is one such bit of evidence.

[Marine_Uncle]

The story lines being presented are just to easy to believe. I don’t believe the Iranian’s took control of the ship and brought it down in one piece.

[Patton@Bastogne]

.

This posted story-theory appears to be bogus ...


I discovered the following information at Free Republic last night (2011-12-17) that appears to factually based ...


Regards,

Patton-at-Bastogne, aerospace mechanical engineer, work included Inertial Navigation System (INS) for both the F-35 (JSF) and the PAC III (Patriot) system ...


=========================================


Tale of RQ-170 Hijack In Doubt as Told in Tehran


Purported Iranian engineering specialists have been taking liberties with the laws of physics in their descriptions of an electronic hijacking of the RQ-170 unmanned reconnaissance aircraft, say U.S. analyst.


Holes in the account start with the fact that it took days for the Iranians to discover the lost aircraft. In fact, intelligence officials at one point thought the Iranians might simply never stumble across the crash site because it was in such a remote and uninhabited part of northeastern Iran.


Electronic attack of the Sentinel is “certainly possible, but there’s no indication that they even knew it had crashed in Iran for some time,” says a veteran black-projects manager.


That scenario is validated by an aerospace industry ISR specialist, who agreed that “if they were not aware [of the Sentinel’s presence in Iran for days], then there is no reason to believe they had any semblance of control.”


And then there are technical issues that make a hijacking, as described by the Iranians, unlikely.


“Among the reasons to doubt the claim that GPS jamming had anything to do with the loss of the RQ-170 is a simple overlooked fact,” says a third U.S. analyst. “GPS is not the primary navigation sensor for the RQ-170 or for most other air vehicles. The vehicle gets its flight path orders from an inertial navigation system, which is essentially unjammable unless you want to monkey with the local gravitational field.


The GPS updates the INS and cancels its drift. So, even a full GPS blackout would simply cause the vehicle to be a bit less accurate,” he adds.


“If the GPS was ‘spoofed’ with a fake signal — and even JDAMs have anti-spoofing GPS receivers today, so that might be difficult — any abrupt change in the GPS reading would cause the Kalman filters in the GPS/INS to conclude that the GPS was malfunctioning and cut it out of the loop,” he says.


The continuing discussion of why the RQ-170 went down was renewed by a Christian Science Monitor interview with Iranian military technologists who say they were able to “cut off communications links” to the Sentinel using knowledge gathered from the inspection of at least three other U.S.-operated, non-stealthy, unmanned aerial systems (UAS).


The trick, they say, was to scramble the GPS coordinates that guided the aircraft to make it think it was landing at its home base in Afghanistan, and only imprecision in the altitude data caused the Sentinel to land with its wheels up.


The report went on to quote an Iranian engineer as saying the “electronic ambush” was accomplished “by putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.”


www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckBlogPage=BlogViewPost&newspaperUserId=27ec4a53-dcc8-42d0-bd3a-01329aef79a7&plckPostId=Blog%3a27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3abca8e6e2-70ef-40a3-8c56-f83aa6fc7ade&plckScript=blogScript&plckElementId=blogDest


=========================================




.

[CodeToad]

“scramble the GPS coordinates “

To do that they would have to be able to decrypt and re-encrypt and inject that newinf into the data stream in real-time that is hardened from such attacks. Not even remotely possible.