Drone hijacked by hackers from Texas college with $1,000 spoofer

Filed Under: Featured, Vulnerability

Researchers at the University of Texas at Austin hacked and hijacked a drone in front of the dismayed Department of Homeland Security officials who had dared them $1,000 to do it.

According to exclusive coverage of the event from Fox News, the researchers flew the small surveillance drone over the Austin stadium last Monday.

The drone followed a series of GPS waypoints programmed into its flight computer in what initially looked like a routine flight.

At one point, the drone veered off course from its intended flight path.

It banked hard to the right, "streaking" toward the south, before it turned to hurtle at the ground in what looked like imminent drone suicide, according to Fox's description.

A safety pilot radioed the drone - which was owned by the university, according to Reuters - and forced it to pull up just a few feet before it would have crashed into the field.

The demonstration of the near-disaster, led by Professor Todd Humphreys and his team at the UTA's Radionavigation Laboratory, points to a "gaping hole" in the US's plan to open US airspace to thousands of drones, Fox noted: namely, drones can be turned into weapons, given the right equipment.

The researchers managed to hack the drone with a spoofer they put together with about $1,000 worth of parts.

The Department of Homeland Security traditionally has been concerned with GPS jammers - the method of interference that some believe Iran used to bring down a US spy drone in December.

But others, including an anonymous Iranian engineer quoted by the Christian Science Monitor, say that Iran actually used the same spoofing technique that the Texas researchers demonstrated.

Spoofing allows a hacker to take control of a GPS-guided drone and force it to do whatever the attacker commands.

According to the Christian Science Monitor, this is how the engineer described the Iranians' use of spoofing:

The 'spoofing' technique that the Iranians used - which took into account precise landing altitudes, as well as latitudinal and longitudinal data - made the drone 'land on its own where we wanted it to, without having to crack the remote-control signals and communications' from the US control center, says the engineer.

Spoofing involves mimicking the signals of the drone's global positioning device and eventually taking it over completely by sending stronger signals than the unmanned aerial vehicle's (UAV's) legitimate commands.

Humphreys claims that the $1,000 spoofer he and his team rigged up to hack the university's drone last Monday is the most advanced one ever built.

He also says that the implications of a UAV's vulnerability to this type of spoofing are serious. Here's how he described the potential scenario to Fox News:

In 5 or 10 years you have 30,000 drones in the airspace... Each one of these could be a potential missile used against us.

Meanwhile, the Pentagon and drone manufacturers in February pressured Congress to order the Federal Aviation Administration (FAA) to cook up rules that allow government and commercial use of drones in the US by 2015 - an idea that raises serious privacy concerns, with the prospect of police drones keeping watch on citizens already a reality.

Should we trust the US government to darken the skies above us with surveillance UAVs?

On privacy grounds it seems an obvious "No", and apparently not on "make sure those things aren't aimed at our heads" grounds either. From Fox News:

DHS is attempting to identify and mitigate GPS interference through its new 'Patriot Watch' and 'Patriot Shield' programs, but the effort is poorly funded, still in its infancy, and is mostly geared toward finding people using jammers, not spoofers.

The potential consequences of GPS spoofing are nothing short of chilling. Humphreys warns that a terrorist group could match his technology, and in crowded U.S. airspace, cause havoc.

"I'm worried about them crashing into other planes," he told Fox News. "I'm worried about them crashing into buildings. We could get collisions in the air and there could be loss of life, so we want to prevent this and get out in front of the problem."

We're being protected from these chilling scenarios by "poorly funded" programs that are "still in their infancy"?

I don't have much faith in Congress standing up to the Pentagon and drone manufacturers, so Mr. Humphreys and your team, thanks for getting in front of the problem.

Let's hope the DHS joins you, preferably before we've got hackable juggernauts flying over us.

Drone and UAV images, courtesy of Shutterstock.

, , , , , , , , , , , ,

You might like

32 Responses to Drone hijacked by hackers from Texas college with $1,000 spoofer

  1. razpet · 1194 days ago

    Damn this is so crazy :| so die hard and ncis are not science fiction it's reality! LoL

    • froog · 1193 days ago

      reality is far more interesting and the shows takes notes from it. that's the way it goes. unless it's doctor who :)

  2. Steve · 1194 days ago

    Are these the same drones whose armed cousins are conducting assassination missions around Afghanistan at the moment?

    Lovely thought having one of those hacked...

  3. Delta2 · 1194 days ago

    I never trusted the Iranians hacking claims on "RQ-170" but now I do. What a shame the govt has drones equipped with missiles flying above our heads.

    • Randy · 1193 days ago

      I don't think there are missiles in those drones, just surveillance equipment (infrared, video, still pics, etc.). The government wants to watch us, not bomb us. Of course if there were a bank robbery or hostage situation then maybe arming a drone would be considered. You never know with our government keepers.

  4. Am I the only one surprised that the team didn't end up getting arrested for successfully doing what they were asked to do?

    • youwouldthink · 1190 days ago

      i'm sure they are now "suspicious"; i would wonder where they acquired such knowledge at least...

  5. Cass · 1194 days ago

    Dear God, where the hell can I move where I don't have to worry about stupid people being in charge? Why in the hell is Congress making decisions on something they have no clue about? Half of them just figured out what social media was last year and now they are making decisions on advanced technologies that have the potential to harm or kill untold numbers of citizens? Gotta love the way our country works! Lobbyists and the entities they work for run the country while the rest of us get screwed in the process and half of the people in the country say, "MORE!" simply because someone claims to be a Christian, "with family values", who wants to "minimize the government". It's such BS!

    Sorry for the rant but this kind of thing is just too ridiculous.

    • Sootie · 1193 days ago

      The australian outback is nice this time of year....

    • >Dear God, where the hell can I move where I don't have to worry about stupid people being in charge?

      Then, you'd have to worry about being destroyed by USA with stupid people in charge.

    • Gorgio · 1186 days ago

      you have stupid people in charge voted in by lots of other even more stupid people. why? because most of the voters can't figure out the intelligent people, they seem sneaky... why do you think the President is elected by electors and not by popular vote? it could have been much worse..

  6. Patrick · 1194 days ago

    Umm, minor detail, but... "and is mostly geared toward finding people using jammers, not spoofers." WTF!?

    Typical government mentality, a source of many of our nation's ills, and proof positive that the imbeciles that infest Washington have no business being there. They seek neither to fix nor to improve, neither to truly secure, but merely to hunt down and punish those who MIGHT make them look stupid at some point in the future.

    Uncle Sam: the last bastion of security through obfuscation and armed intimidation.

    • Randy · 1193 days ago

      Good point. That's exactly why the Communications Act of 1986 outlawed the sale, manufacture and modification of radio scanners to receive cell phone calls. A congressman was embarrassed by a recording of his cell phone and hastily made a bill outlawing radios capable of receiving those frequencies.
      America is the third country in history with a law like that. The first was Nazi Germany and the second was North Korea.

  7. Keith · 1194 days ago

    I wouldn't be opposed to having UAV's light up the skies with surveillance. It would definitely open up some jobs for pilot training to learn how to input and monitor the drones during police problems, and could help monitor drug busts, etc. With the fact that pretty much any electronic transmission can be hijacked unless it's dedicated(flown by a human pilot), I don't see how they'll work around the obstacle without having some clever hackers put an end to it. I think one of the biggest issues with having a hijacked drone would be to have it crash into a structure, causing casualties. I'm definitely not savvy when it comes to drones, but I think having a sonar jammer so they can't be detected and have them monitoring with extremely powerful lenses/cameras at heights that can't normally be flown by human aircraft might be a start.

  8. John · 1194 days ago

    Privacy is a recent phenomenon (historically, there was nearly none in tiny villages). It appears to be going away again. Not just from government. But also from facial recognition facebook, cell phones, web cameras, firewall holes, and other technologies.

    I think the more important question is this: who gets the data. If _everyone_ gets the drone images, then it is less of a problem. We can then closely spy not just on ourselves but also on the government. The government would, ironically, be pushed into better and sometimes smarter behavior if they _also_ lack privacy.

    I don't fear a lack of privacy. I fear a one-way lack of privacy.

    Obscurity is of increasingly little security benefit.

  9. Bob · 1194 days ago

    I don't trust any research event that gives exclusive rights to any news agency in order to run an "experiment". This looks like a professor trying to squeeze money out of the agency and an agency that's looking to cash in on more funds. I think the professor was provided with an easy target. The mere presence of the media gives this away.

  10. Faz · 1194 days ago

    Am I the only one here wondering if Drone technology was not already used, sometime back, say one 11th of September around a decade ago? Truth is sometimes stranger than fiction, is it not.

    • njorl · 1193 days ago

      You might think that's dependent upon where you mean by "here". (Better not to get too specific in clarifying, though!)

  11. Davey · 1194 days ago

    A blow for freedom against these murderous agents of terriorism.

  12. njorl · 1193 days ago

    "[1] Spoofing involves mimicking the signals of the drone's global positioning device and eventually taking it over completely by [2] sending stronger signals than the unmanned aerial vehicle's (UAV's) legitimate commands."

    In 1, are not the signals being mimicked those of the Global Positioning System satellite constellation? The "drone's global positioning device" might, more readily, be taken to refer to the aircraft's GPS receiver unit (its "Sat Nav"), which is most likely wired to its flight control system. Remotely substituting signals in wired circuitry would be extremely difficult, although defence/law enforcement forces do successfully blow out craft/vehicle control systems by bombardment with microwaves.

    Irrespectively, the strength of signal used for the command channel (2) would not be relevant until the "safety pilot radioed the drone".

    Not surprisingly, GPS satellites (or at least those controlled by it) support a channel encrypted by the US military. If the UAV is able to take its positioning data from this encrypted channel, spoofing should not be much of a risk (providing the encryption is sufficiently tough, of course).

    Sorry to drone on.

    • fredqnurk · 1189 days ago

      What a load of bollocks.
      - gps signals, having been broadcast from space are very weak by the time they get to us on the ground. Building a local transmitter to send a stronger signal to either jam or less simply substitute for them is trivial.
      - there is no encrypted signal. There was once such a thing, but even then it was encrypted mostly to prevent civilian access to highly accurate positioning information. Even if it were still encrypted it can still be drowned out by a stronger/closer transmitter.

      The solution is to use an inertial nav unit and only use satellite positions when they in rough agreement. Given an Arduino IMU can be built for RC models, I would think a multi-million dollar drone could manage one too.

  13. rep · 1193 days ago

    Folks in the GPS community have been aware of how easy it is to spoof commercial GPS systems for many years now. But I still don't believe any Iranian 'spoofing' claims. Jamming, possibly. But not spoofing and here's why:

    The U.S. military uses encrypted GPS signals--not the simplistic, cheapo signals we use in our civilian devices. (fyi, our tax dollars pay a LOT for the military capabilities/payloads on the GPS satellites, and these go far beyond what civilian users ever know or care about.) The civilian signals are known so they can be easily replicated and generated from the ground. However, the military signals require special receivers to decode them before use. The encryption is not easy to break. So unless some bonehead in or military decided to cut corners on the nav systems and use civilian GPS receivers instead of military ones, it's highly unlikely Iran successfully "spoofed" anything.

    Jamming, however, merely requires a sufficiently strong or "loud" signal to overpower the GPS ones--kinda like blaring your stereo would "jam" everyone's ability to hear a whisper. That could make the nav system have problems (if there are no backups--which there should be on a multi-million or billion dollar piece of technology like quite honestly), but it wouldn't permit any control what the drone does next.

    • Sim · 1189 days ago

      The only problem with jamming is you don't control the jammed object. The Iranians were able to perform a controlled landing of that drone. I guess it's possible that they're lying about that too... But that drone didn't look damaged to me. I also think your right regarding encryption though. At least I'd like to believe that. So bottom line is I'm very confused

    • Jonathan · 1187 days ago

      Have you considered the possibility of theft or espionage? I do not doubt for a second that foreign governments have acquired a military receiver or the design specifications for one. I do not know what encryption scheme is used to secure this GPS channel, but any state sponsored program to reverse engineer the channel has had over a decade to run computers at. I would be surprised if the encryption was not broken long ago. Also because there is the encrypted military GPS channel and the civilian GPS channel I would not doubt that the receiver has a failover mode where in the event the military GPS is unavailable (jammed) the receiver will look for the next best thing a strong civilian channel or is somebody making the claim that if military GPS channels are jammed the damn thing should dive into the ground. I know this one tried to, but I believe that was just piss poor spoofing. I outlined this spoofing methodology almost a decade ago. In order to control the device well you have to know where it thinks it is supposed to go and then in real time manipulate the GPS signal so that the drone believes it has arrived at its destination. There is still one problem, unless something has changed drones rely on real altimeters and not GPS calculations. This means that your landing zone where you are coaxing the drone to land must closely match the altitude of the programmed landing zone or it will crash.

      One might say hey why don't we just have a bunch of people waiting to take over if the drone goes off course? Won't work, a sophisticated spoofer will also jam the command frequencies.

      Algorithmically I think this can be mitigated within the drone. Unless the spoofing is spread over a vast stretch of land or the drone's journey is within miles of being done it would mean that the GPS coordinate shifting most likely must be done so quickly that the drone should know it could not have traveled that far that fast and then a mitigation plan could be enacted whether it employs technology to attempt filtering out the stronger signal in favor of a weaker intermittent signal or self destruct in some circumstances.

      I know there is another problem here. What if the GPS shifting didn't move rapidly and instead fooled it into doing circles until fuel/energy runs out or they could land it? Well there should be algorithms in place which tells the drone that there is no way it has traveled x miles over the last few minutes in a straight line when the Allerons and Rudder have been in the current positions. This can be achieved by comparing system state logs with a model of what the state should have been and if something is not within tolerance enact the mitigation plan.

      Rest assured that anything that relies on external information signals to guide it can be spoofed or destroyed via jamming. Don't worry though our politicians are stupid and the defense sector is wealthy, powerful and greedy and drones will crash into planes, they will crash into homes and eventually will be used as weapons against us. Perhaps we should all buy Black Ops 2 this fall for our X-Box and prepare for it.. It is pretty much this premise.

  14. Instead of fearmongering about drones. How about we just mandate that drones have real INU (Inertial Navigation Units) as to back up GPS which solves this problem. (And preferrably other sensors such as laser range finder, air pressure altimeters, and ultrasound.) The problem isn't drones. It's crappy drones with overpriced and inadequate hardware.

    • airmanchairman · 1189 days ago

      Oh I don't know - the Korean 747 airliner shot down over Soviet airspace many years ago had a triplex (multi-redundant) INS system accurate to within 9 feet and yet managed to stray more than 500 miles off it's intended path.

      It's hardly ever about the technology and more about the foibles and shenanigans
      of the people manipulating the technologies to their own personal ends, whether financial or more sinister.

  15. Dana · 1193 days ago

    I've just sent email to Sen. Jay Rockefeller, who is chairman of the Senate Committee on Commerce, Science and Transportation, sending him the URL to this page.

    I hope he or his staff reads the full article, grasps the concept, and puts the brakes on the FAA's half-baked plan to allow drone aircraft to fly in American skies, just because some businesses can make a buck selling or operating the things, without regard to the serious downside.

    I'd suggest some readers take the time to share this page with your representatives in government. Hey, it could make a difference.

  16. horsebones · 1189 days ago

    Daring hackers? This is about the coolest thing I've seen Homeland security do. I think somebody working there actually has a whole functioning brain.

  17. Douglas W. Jones · 1189 days ago

    Back in 1986, I was consulting with Rockwell Collins Avionics on fault tolerant control system architectures. One idea we discussed would have prevented this kind of hack from working, and I don't see why it's not being used today. Each airplane or drone ought to have, at minimum, a GPS receiver and an intertial guidance system (accelerometers and gyroscopes). Both are hand-held packages these days. A barometric altimeter is also likely to be present, and there may also be other tools that can contribute to location awareness.

    The right thing to do is to let all of the location instruments write what they know about the location on what the AI community calls a blackboard. Each instrument writes its notes with the time at which the measurement was made and the accuracy, as believed by that instrument. So long as all readings are consistent, there is no problem, but if the readings start to disagree, the "expert" software that stares at the blackboard to compute the best guess about where the system actually is can recognize that something is wrong and -- if there are enough different sources of information -- it can even determine which reading is most likely to be wrong. For example, it would make good sense to have two inertial guidance systems along with the GPS, to allow two-out-of-three rules to be used to detect failure of one of the instruments.

    • Jonathan · 1187 days ago

      Well Douglas.. If I would have read your post first I wouldn't have laid out pretty much the same idea above only without the idea of fault tolerance. I happen to be a Software Engineer so my take was on the on the algorithms and security of the device rather than fault redundancies. My plan was only to detect the attack and do something programatically about it, but with the inertial guidance system in place the computer could look at the system state logs and then move over to the inertial guidance system to 'undo' the course alterations to the point that the attack was detected and put the drone back on course at the very least..

  18. somebody · 1189 days ago

    we in Iran really laughed at US military about that incident. good job IRGC!

    and by the way, are you really going to allow your gov't to do that?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.