Using a GPS spoofing device that cost less than $1,000 to build, a University of Texas team was able to commandeer an unmanned aircraft and send it veering off course.
After initially demonstrating the concept in Austin, assistant professor Todd Humphreys and his team were invited to White Sands, N.M., on June 19 by skeptical Department of Homeland Security officials and proved they could divert a UAV from its flight path from about a kilometer away, a university news release said.
“The recent demonstration ... is the first known unequivocal demonstration that commandeering a UAV via GPS spoofing is technically feasible,” according to the release.
The demonstration raises questions about the security of civil and military unmanned planes, although a similar attack against a military drone would take greater resources and be far more difficult, Humphreys said.
“It is not something a hacker could do — even a sophisticated ‘Anonymous’ hacker,” he said, referring to the global network of hackers credited with brazen attacks on several government websites. “But that statement is changing.”
New programs are allowing good computer programmers to become good radio developers who can use that knowledge to create GPS systems and one- and two-way radios that could be incorporated into a spoofing device to threaten civilian and military aircraft, he said.
During the demo, team members led astray a small, university-owned unmanned helicopter by sending their own signal to its GPS receiver.
Civilian GPS devices are unencrypted and extremely vulnerable to spoofing attacks. While not impossible, doing the same to military aircraft that use encrypted signals would be more difficult. Military aircraft are more vulnerable to “broad-spectrum attacks,” Humphreys said.
Those attacks do not take direct control but jam an unmanned aircraft’s ability to receive signals. That can confuse them and send them into holding patterns that keep them circling overhead until they run out of fuel and crash or automatically land.
Many drones run on both GPS signals and direct command from a ground station.
“All drones do well if you cut one of the two links, but if you snip both, they don’t,” Humphreys said. “If you overwhelm the aircraft with enough jamming, it fails to navigate and can’t even phone home for help.”
He suspects that may have been the case in 2011, when a CIA-operated, stealthy RQ-170 Sentinel was lost in Iranian airspace and surfaced days later on Iranian TV. Iranian officials claimed they were able to commandeer the aircraft and land it safely, but Humphreys doubts those claims, saying a broad-spectrum jamming attack was far more likely.
The U.S. government requested the aircraft’s return but has been repeatedly rebuked by the Iranian government, which says the U.S. violated Iranian airspace and that the aircraft is now its property.
The military is concerned about spoofing attacks even though its equipment typically operates on encrypted and authenticated channels. Other systems, including targeting systems for large guns — howitzers, for example — rely in part on potentially vulnerable GPS systems.
Humphreys said there are always possible threats, even to encrypted links, but “this is not going to affect Predator drones, Global Hawks — it mostly concerns civilian drones that will inhabit the national airspace in 2015 and beyond.”
If spoofed, those could be piloted into targets in the U.S., he said, turning even cargo drones into deadly missiles.