The Troubling Potential for ‘Spoofers’ To Commandeer Aircraft
Last December an old, rarely used word–spoofing, –meaning to hoax or to fool others–entered worldwide aviation vocabularies virtually overnight. Simultaneously it brought a new and disturbing strategic escalation to military tactics and a potential, albeit probably lesser, threat to civil aircraft operations.
Before then, the spoofing expression had been almost unknown, but that changed alarmingly on December 4, when the Iranian government announced it had electronically taken over control of an unmanned and, until then, secret U.S. Lockheed Martin turbofan-powered RQ-170 Sentinel intelligence-gathering aircraft as it flew over Iran and caused it to land, more or less intact, 140 miles inside its border, far from its Central Intelligence Agency home base in Afghanistan. Later that day, Washington announced that it had “lost contact” with one of its Afghanistan aircraft. A subsequent request by President Obama to Iran to return the Sentinel was rebuffed.
In military terms, spoofing is the act of surreptitiously transmitting false GPS signals to an aircraft, ship or surface vehicle by remote electronic means and then altering that target’s previous path to a different path chosen by the spoofer, now commonly called “the attacker.” For many years, spoofing has been recognized as a potential military application of GPS, but the technique has never previously been demonstrated–at least, as far as is known–since it has always been felt to be well beyond the ability of present-day technology.
Basically, spoofing relies on the fact that signals from the GPS satellites are extremely weak when they reach the earth. So the attacker first determines the precise GPS signals that the target is using to navigate, a fairly complex and delicate task, particularly if several miles separate the target and attacker. But once the attacker knows the target’s precise GPS coordinates, he commences to broadcast them on the GPS frequency, first at a much lower signal strength, and then slowly increasing their strength to equal and then exceed those from the actual GPS satellites. The target’s own GPS receiver(s) will then start tracking the stronger false signals and will be “captured.” Then, still slowly, the attacker starts to change the original GPS coordinates it has been broadcasting to those of the new “hijack” track, which the captured target then follows. But those changes must be gentle enough, particularly in a manned target capture, not to alert the crew, for example, or to trigger on-board alarms. It is an exacting process involving advanced software programming.
The Iranian capture of the RQ-170 was startling in three quite different ways. First, an aircraft had never before been taken over in flight by a spoofing attack. Second, despite the aircraft’s unconventional tailless, swept-wing design–suggesting possibly unusual handling characteristics–it had been flown and then successfully landed, possibly with its gear up, under remote spoofing control, and with what appeared to be minimal damage. Third–and this might possibly have been the biggest surprise of all–the spoofing technology was not developed by the U.S., Russia, China or any other leading aviation nation, but by Iran. True, we knew of Iran’s burgeoning nuclear activities, but we knew little of its advanced avionics capabilities.
What Happened to the Sentinel?
We may never know the full story, since both sides have wrapped the incident in a massive security cloak, but undeniably this was a remarkable feat by the Iranians. However, some reasonable assumptions can be made. It’s assumed that the Sentinel was in Iranian airspace when the attack commenced, with the first step being the jamming of the satcom and other links to the CIA’s airport base at Shindand in western Afghanistan and any other satcom links aboard the Sentinel, including the link to the USAF Predator main base at Creech, Nev. (Predators in Afghanistan are positioned at local airstrips from which local USAF pilots take them off using UHF and climb to an altitude where direct satcom communications with Creech will allow a two-man crew based at Creech to take over for the planned mission, after which the Creech crew fly the Predators back to their local Afghani airstrip, where satcom and UHF allows control to revert to the local pilots for landing.)
It’s not clear whether the CIA’s Sentinels followed the same procedure through Creech, or had their mission crews based with their aircraft at Shindand, but as soon as the Sentinel’s satcoms were disabled, the attacker’s aircraft carrying the spoofing system and its operator(s) would likely have moved into close formation with the Sentinel to achieve a rapid correlation of the attacker’s spoofer equipment with the Sentinel’s GPS, after which the Sentinel would be under the attacker’s control and turned toward its landing site, follow the spoofer’s commands and probably flying a long, straight in, “tunnel in the sky” descending approach to touchdown.
The Sentinel is reported to operate at up to 50,000 feet, but it seems more likely that the attack would be planned at a much lower altitude to avoid any stability issues with its tailless, 38-foot-span swept-wing configuration. During the descent, however, engine power would have to be reduced, particularly on the Sentinel’s final approach. How this would have been achieved is unknown. However, the Sentinel first flew more than three years ago, increasing its exposure to inadvertent security leaks during engine run-ups and other maintenance work.
What Intelligence Assets Have Been Compromised?
The Sentinel, which the Iranians displayed in Teheran several days later, appeared undamaged, other than its undercarriage and lower fuselage, which were concealed from view. It must be assumed, therefore, that Iranian experts have evaluated all the intel gear. No systems have been publicly displayed or identified, and the Pentagon, CIA and Lockheed Martin are understandably tight lipped. But Bloomberg Businessweek quoted military analyst John Walcott as stating, “The RQ-170 is part of a Secret Compartmented Intelligence (SCI) program, a classification higher than Top Secret.”
The Sentinel’s wings and fuselage were totally stealth coated, and observers believe this is not only a serious loss to the U.S., but also an important bargaining chip for Iran in deals with Russia and China. Military experts are said to expect to see Iran’s fighter defense squadrons replacing their almost vintage machines of questionable performance and reliability with advanced MiGs, Sukhois and Chinese aircraft over the next few years.
Another troubling question is whether the Sentinel’s GPS was an unclassified commercial unit or a highly classified, encrypted military “M-Code” system, the loss of which would be extremely serious for the U.S. and its overseas allies. A GPS industry official told AIN he very much doubted the Sentinel carried an M-Code unit, which would have had strong anti-spoofing characteristics. He added that it seemed extremely doubtful to him that Iran had been able to crack the M-Code to the point that its spoofing transmissions could be adapted to that application. “I just hope I’m right on that,” he cautioned.
Corporate Aviation Spoofing Countermeasures
While there seems little likelihood of a spoofing attack and subsequent capture of a manned commercial aircraft, corporate aviation operates in a quite different environment, with flights sometimes landing at isolated places that never see commercial service, and which the aircraft’s government or private owners wish to remain secret. These operations could conceivably be future targets for an adversarial spoofing hijacking. An operator’s countermeasures could include immediate crew alerting of any apparent track diversion or discrepancy between the satellite positioning system and other systems, such as inertial or ground-based navigation sensors, plus a review of alternate on-board communications systems. Therefore, operators who foresee the future likelihood of flights “off the beaten track” might prudently investigate how tightly integrated their satellite navigation system(s) are within their overall flight management and control system, and how the satnav inputs to the FMS could be quickly and completely disabled by the crew in suspicious circumstances. Note, however, that independent onboard “standalone” satnav systems, or even handheld portable units, would provide no protection on those occasions, as all those units will be simultaneously spoofed in an attack. They too would be misled, causing them to mistakenly “verify” that the aircraft’s primary satnav system was actually working properly.