On the evening of June 19, a group of researchers from the University of Texas successfully hijacked a civilian drone at the White Sands Missile Range in New Mexico during a test organized by the Department of Homeland Security.
The drone, an Adaptive Flight Hornet Mini, was hovering at around 60 feet, locked into a predetermined position guided by GPS. Then, with a device that cost around $1,000 and the help of sophisticated software that took four years to develop, the researchers sent a radio signal from a hilltop one kilometer away. In security lingo, they carried out a spoofing attack.
“We fooled the UAV (Unmanned Aerial Vehicle) into thinking that it was rising straight up,” says Todd Humphreys, assistant professor at the Radionavigation Laboratory at the University of Texas.
Deceiving the drone’s GPS receiver, they changed its perceived coordinates. To compensate, the small copter dove straight down, thinking it was returning to its programmed position. If not for a safety pilot intervening before the drone hit the ground, it would have crashed.
But for Humphreys playing the part of an evil genius in a thriller movie, everything worked exactly to plan. “It was beautiful,” he tells Danger Room.
The rogue takeover exploited a vulnerability in GPS to take control of the drone. It was, by Humphreys’ accounting, the first time somebody proved a civilian drone could be hijacked. Last year, when the CIA lost a drone in Iran, there were reports indicating the Iranians might have launched a spoofing attack and tricked it into landing, but we’ll never know for sure. Also, in September 2011, North Korea reportedly forced a U.S. spy plane to land with a jamming attack.
With the planned integration of civilian drones in the American airspace, these problems might be coming to the U.S. The FAA must come up with new rules to allow for a freer use of drones in America by 2015 and, apart from worrying about possible collisions between manned and unmanned aircrafts, now the FAA might have to worry about people hijacking drones with spoofing devices.
What’s worse, the experiment at White Sands shows that drone-jacking is “just the tip of the iceberg of a much bigger security issue we have in this country,” according to Logan Scott, a GPS industry consultant who has worked for defense giants like Lockheed Martin.
In other words, it’s not only about drones, it’s GPS in general that is not safe.
The Global Positioning System, commonly referred to as GPS, is a space-based satellite navigation system. It’s what allows you to get turn-by-turn directions to the mini-mart in your automobile. But most people don’t know that it also has countless other crucial applications. Among others, it’s the backbone of the global air traffic system. It is also used to control the power grid, to power banking operations (for instance, ATMs depend on it) and to keep oil platforms in position. And virtually all communications systems, like the world’s cellular networks, rely on it.
“It’s a stealth utility,” says Scott, “meaning that we don’t necessarily know it’s even in the system until something is wrong.”
GPS is also free, unauthenticated and unencrypted. Its open nature has been its biggest strength. Now, it could be its biggest flaw.
“The core problem is that we’ve got a GPS infrastructure which is based on a security architecture out of the 1970s,” Scott tells Danger Room. “From a security point of view, if you look at GPS’s current status, is more or less equivalent to operating computers without firewalls, with no basic checks.”
Since its signals comes from satellites at very high altitude, GPS relies on very weak signals that are extremely vulnerable not only to spoofing attacks but also to jamming – the deliberate or accidental transmission of radio signals that interfere with regular communications.
This weakness has already been exposed in a few incidents in the past. In late 2009, GPS receivers at Newark Airport were going down intermittently every day and no one understood why. It took two months to track down the source of the interference: a driver had installed in his truck an illegal GPS jammer – which can easily be bought online for $50– so that his employer couldn’t track his every move. In 2001, a boat’s television antenna preamplifier took out GPS over the entire harbor town of Moss Landing, just south of San Francisco, for weeks.
There is no reliable system to spot, let alone prevent, this kind of incidents. If you think of jamming incidents as fires, “what we have today is not quite as archaic, but think of the old forest ranger in the fire tower with his binoculars looking for smoke,” says Milton Clary, an aerospace policy analyst at Overlook Systems, a company that specializes in GPS services.
“He sees a smoke column out across the horizon, but he knows nothing regarding the size or source of the fire, and all he can do is feed the information back to the headquarters.”
To improve the situation, the Department of Homeland Security and Overlook have been working since 2009 on a program called Patriot Watch, a network of sensors that would be able to detect, characterize and locate interference sources. Unfortunately, according to Clary, the program is underfunded and, at this point, it’s nothing more than a PowerPoint presentation.
The problem, says Clary, is that it probably would be too expensive to lay down a network of devices over the entire country. And there hasn’t been a huge-headline-generating incident to push the nation’s bureaucracies to make it a a priority.
“We certainly don’t want a GPS Pearl Harbor, but probably it’s gonna take a GPS Mogadishu to get people’s attention,” he says. Meanwhile, other solutions have been proposed. For instance, Navsys is working for the Defense Advanced Research Projects Agency (DARPA) on an app that would make Android cellphones able to detect GPS jamming sources.
There are already drones in use in the country that are plausible targets for jamming – think of the drones being used to monitor the border between the U.S. and Mexico for drug smuggling and border jumping.
A spokesperson for the U.S. Customs and Border Protection (CBP) wrote in an email to Danger Room that “the unmanned aircraft used for the test are a different class and type than what CBP operates. CBP will not comment on specific aircraft capabilities or vulnerabilities, but this test does not have any bearing on our Predators’ security.”
Another CBP official says that the drones used by the agency “have the same protections as the Department of Defense variants and are not subject to spoofing.” However, both the Department of Homeland Security and the FAA declined to comment on Patriot Watch or any other programs that will integrate UAVs into America’s airspace.
Logan Scott believes that, apart from a warning system like Patriot Watch, manufacturers need to make GPS receivers safer.
“Receivers need to know what’s going on and be able to, at a minimum, identify the fact that they are being spoofed and or jammed,” he says. A solution could be to encourage the production of certified receivers that are equipped with spoofing or jamming detectors. Another alternative is encrypting GPS signals, like the military does. The military’s drones use a “Selective Availability Anti-Spoofing Module” which decrypts GPS signal. It protects drones in Afghanistan or Yemen — and also the ones used by CBP — from spoofing.
Despite these issues, Humphreys cautions against thinking that drones will be hijacked and turned into weapons on American soil. Even though the drone they hijacked is much like any other civilian one currently available on the market, hijacking a drone is tougher than one might think..
“You may be able to do certain things in a laboratory than in real life are much more difficult to do,” Clary tells Danger Room. However, he warns, it’s something that the feds should be looking at. And he is not the only one to believe it.
“I think this would be a gaping security vulnerability,” says Humphreys. And, although he believes it’s a problem that can be fixed, “I don’t want to see drones coming into the national airspace before we patch this problem.”
Til that fixes comes, keep your head down and wear a helmet.