WASHINGTON — A University of Texas (UT) team has managed to spend less than $1,000 to construct a GPS “spoofing” device that commandeered a UAV and sent it veering off course.
After initially demonstrating the concept in Austin, Texas, assistant professor Todd Humphreys and his team were invited to White Sands, N.M., June 19 by skeptical U.S. Department of Homeland Security officials and proved they could divert a UAV from its flight path from about a kilometer away, a UT news release said.
“The recent demonstration … is the first known unequivocal demonstration that commandeering a UAV via GPS spoofing is technically feasible,” according to the release.
The demonstration raises questions about the security of civil and military UAVs, although a similar attack against a military UAV would take greater resources and be far more difficult, Humphreys said.
“It is not something a hacker could do — even a sophisticated ‘Anonymous’ hacker,” he said, referring to the global network of hackers credited with brazen attacks on several government websites. “But that statement is changing.”
New programs are allowing good computer programmers to become good radio developers who can use that knowledge to create GPS systems and one- and two-way radios that could be incorporated into a spoofing device to threaten civilian and military UAVs, he said.
During the demo, team members disoriented a small, university-owned unmanned helicopter using what is called spoofing: sending a signal to the aircraft’s GPS receiver that mimics a legitimate signal telling the aircraft it is off course, allowing the team to pilot it astray.
Civilian GPS devices are unencrypted and extremely vulnerable to spoofing attacks. While not impossible, doing the same to military aircraft that use encrypted signals would be more difficult. Military aircraft are more vulnerable to “broad spectrum attacks,” Humphreys said.
Those attacks do not take direct control of UAVs, but jam their ability to receive signals. That can confuse them and send them into holding patterns that keep them circling overhead until they run out of fuel and crash or automatically land.
Many UAVs run on both GPS signals and direct command from a ground station.
“All drones do well if you cut one of the two links, but if you snip both, they don’t,” Humphreys said. “If you overwhelm the aircraft with enough jamming, it fails to navigate and can’t even phone home for help.”
He suspects that may have been the case in 2011, when a CIA-operated stealthy RQ-170 Sentinel was lost in Iranian airspace and surfaced days later on Iranian TV. Iranian officials said they were able to commandeer the aircraft and land it safely, but Humphreys doubts those claims, saying a broad spectrum jamming attack was far more likely.
The U.S. government requested the aircraft’s return but has been repeatedly rebuked by the Iranian government, which says the U.S. violated Iranian airspace and the UAV is now its property.
The military is concerned about spoofing attacks even though its equipment typically operates on encrypted and authenticated channels. Other systems, including targeting systems for large guns — howitzers, for example — rely in part on potentially vulnerable GPS systems.
Humphreys said there are always possible threats, even to encrypted military UAVs, but “this is not going to affect Predator drones, Global Hawks — it mostly concerns civilian drones that will inhabit the national airspace in 2015 and beyond.”
If spoofed, those could be piloted into targets in the United States, he said, turning even cargo UAVs into deadly missiles.