Exclusive: Iran hijacked US drone, says Iranian engineer


posted on Dec, 16 2011 @ 06:55 PM

Originally posted by K1771gnorance

Originally posted by intrptr
I don't care how sophisticated the software is, you see a drone, listen for the encrypted data link. Debug it, amplify it and take over control.


Maybe you should care how sophisticated the software is because what you just said is impossible with the correct challenge-response authentication combined with the implementation of zero-knowledge password proof methods.

You will have better odds listening in on a phone conversation between two people using a language that nobody knows, and trying to impersonate one of the people in the conversation in order to fool the other person while simultaneously guessing the ever changing password they both use before every sentence they speak.

Of course you saw this already since it is on the same page as your response to me...
www.abovetopsecret.com...

Any signal going by the drone containing any authorization can be eavesdropped and decrypted. Let's not measure - countermeasure like the nerds do with "super secret code that can't be hacked".



posted on Dec, 16 2011 @ 07:32 PM

Originally posted by JoeGuitar

Exclusive: Iran hijacked US drone, says Iranian engineer


www.csmonitor.com

Iranian electronic warfare specialists were able to cut off communications links of the American bat-wing RQ-170 Sentinel, says the engineer, who works for one of many Iranian military and civilian teams currently trying to unravel the drone’s stealth and intelligence secrets, and who could not be named for his safety.
(visit the link for the full news article)



Hey Joe...where ya goin with that drone in your hand?


Sorry I couldn't help it. Has anyone asked why the Iranians hid the part of the pic that shows the gear are down?
(if they are) It would mean that they landed it after commanding it to drop gear, right? That would mean a high-level hack of encrypted commo? Or is that function auto? Your article states:


Iran displayed the drone on state-run TV last week, with a dent in the left wing and the undercarriage and landing gear hidden by anti-American banners.

The Iranian engineer explains why: "If you look at the location where we made it land and the bird's home base, they both have [almost] the same altitude," says the Iranian engineer. "There was a problem [of a few meters] with the exact altitude so the bird's underbelly was damaged in landing; that's why it was covered in the broadcast footage."

I find that hard to digest. Why cover it at all? To hide it is sitting on its gear I think. To hide the extent that they hacked the code (controlled landing). To further save us embarrassment? Who knows, just a thought.



posted on Dec, 16 2011 @ 09:31 PM

Originally posted by intrptr
Any signal going by the drone containing any authorization can be eavesdropped and decrypted. Let's not measure - countermeasure like the nerds do with "super secret code that can't be hacked".


Maybe you missed my post earlier on this topic.

"Jamming" does not work on drones. The drones will just think it lost signal and will return to base like it is built to do when it loses a signal. It will also use internal navigation and not rely on GPS just in case GPS satellites are shot down.

No, you can NOT just eavesdrop on a signal, magically decrypt it, and magically figure out how to send authorized commands to the drone, it doesn't work like that. Obviously you don't know much about how any of this works or you wouldn't be making such a silly statement.

The drone is a flying computer, and you have to first connect to the computer before you can send it any commands. Connecting to it is the first hurdle, and not an easy one. You have to know the correct encrypted password, and the commands to send to actually handshake with the drone. That would be the single hardest part. The second hardest part would be figuring out all the available commands the drone would accept, and the format at which to send the commands, and how to authenticate each command (really hard to do), and keep track of the sequence number a.k.a. queue of commands sent and received. Then you need to know how to respond to commands sent back from the drone. On top of that you need to maintain an uplink with the drone so you can constantly receive navigation info from the drone if you actually want to fly it manually, you will need to know its heading, altitude, speed, throttle settings, flap position, gear position, etc., and that isn't just sent in plain text over the radio waves either. And to top it all off, you need to correctly encrypt all of the above commands, and have knowledge of the SALT which is used to encrypt the commands, and trust me, you would need a super computer crunching away for a few years just to even break the encryption.

Once 2 way communication is started with the drone a sequence is started. You can't just send commands from a 3rd party because it would be out of sequence. Depending on how they designed the sequence method, it could be IMPOSSIBLE to predict what sequence packet the drone expects to receive. A simple sequence would just be a counter 1, 2, 3, 4, 5, 6... In that case it would be easy for a 3rd party to predict that sequence 7 is next. But with advanced software, sequences can be passwords that need to be encrypted a certain way every single sequence (a constantly changing password). You would basically have to have answers for questions that you haven't been asked, you just have to know the question, and how to answer it. That is something you can't learn just by eavesdropping on a signal, you would have to reverse engineer the software on the drone itself.

Anyway, this subject is hard to express to people with little to no knowledge of software engineering and communications.



posted on Dec, 16 2011 @ 09:32 PM

Originally posted by SLAYER69

Originally posted by THE_PROFESSIONAL

The “spoofing” technique that the Iranians used – which took into account precise landing altitudes, as well as latitudinal and longitudinal data – made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.



Are these the same type of Iranian Engineers that blew themselves up recently at the missile facility? Also, if they were able to land it so precisely why are they hiding the under carriage damage? And the drone in question shows obvious signs of wing damage? [which they poorly taped up for the photo op]

I think the Iranians are grandstanding/showboating and trying to milk this for all it's worth and many here at ATS [Supposedly outside the box thinkers] are falling hook, line and sinker for it.



Come on it is the first time that Iranians hack a Drone, you don't expect them to land that thing smoothly, give them a break, little by little they will land all Drones successfully without damage.



posted on Dec, 16 2011 @ 09:45 PM
reply to post by K1771gnorance
 

Well, despite what you claim, they did it. If you ask me to believe they are unhackable, well there is no such thing.

Intrptr out...



posted on Dec, 16 2011 @ 09:56 PM
reply to post by K1771gnorance
 


A guy at the Kandahar airport with a $150 Radio Shack portable scanner and a digital recorder could give them that. It's been flying in and out of there for 4 years, it's common knowledge.

Takeoffs and landings are done by local ground crews using line of sight radio controls. The sat link is too slow for the type of maneuvering that may be needed on takeoffs and landings, it gets handed off to the crews at Creech once it reaches altitude.

Don't forget the keystroke logger virus on the drone control computers, that could be playing a role here too.

They have had a lot of help from Russia too. Great way for the Ruskies to test out how effective their stuff is against our frontline equipment without having to up hostilities openly.



posted on Dec, 16 2011 @ 09:57 PM
For those of you ranting and raving about Iranian and eastern nations' abilities to jam radio controlled drones... American drones are not primarily controlled via radio... the radio systems are utilized as takeoff/landing frequencies. While it would be possible to trigger an auto landing sequence via strong, directed radio overload, they would never be able to control it or access it. The bulk majority of the systems are secured satellite feeds and transmissions. Including the operational systems. No signal, no operation. Unless they can duplicate the encrypted signal.



posted on Dec, 16 2011 @ 10:52 PM
reply to post by intrptr
 


If you want to believe the propaganda, go for it. I don't believe it one bit. Iran is just trying to scare people.

I could make a server/client application that is unhackable from 3rd parties. I'm sure the military can as well.
edit on 16-12-2011 by K1771gnorance because: (no reason given)



posted on Dec, 16 2011 @ 10:55 PM
reply to post by AGWskeptic
 


Nope sorry. It's not as easy as you make it sound.

You have to connect to the drone like you would a computer over a network. You can't just spam spoof messages.



posted on Dec, 17 2011 @ 03:54 AM

Originally posted by K1771gnorance

Originally posted by intrptr
Any signal going by the drone containing any authorization can be eavesdropped and decrypted. Let's not measure - countermeasure like the nerds do with "super secret code that can't be hacked".


Maybe you missed my post earlier on this topic.

"Jamming" does not work on drones. The drones will just think it lost signal and will return to base like it is built to do when it loses a signal. It will also use internal navigation and not rely on GPS just in case GPS satellites are shot down.

No, you can NOT just eavesdrop on a signal, magically decrypt it, and magically figure out how to send authorized commands to the drone, it doesn't work like that.
Obviously you don't know much about how any of this works or you wouldn't be making such a silly statement.


The drone is a flying computer, and you have to first connect to the computer before you can send it any commands. Connecting to it is the first hurdle, and not an easy one. You have to know the correct encrypted password, and the commands to send to actually handshake with the drone. That would be the single hardest part. The second hardest part would be figuring out all the available commands the drone would accept, and the format at which to send the commands, and how to authenticate each command (really hard to do), and keep track of the sequence number a.k.a. queue of commands sent and received. Then you need to know how to respond to commands sent back from the drone. On top of that you need to maintain an uplink with the drone so you can constantly receive navigation info from the drone if you actually want to fly it manually, you will need to know its heading, altitude, speed, throttle settings, flap position, gear position, etc., and that isn't just sent in plain text over the radio waves either. And to top it all off, you need to correctly encrypt all of the above commands, and have knowledge of the SALT which is used to encrypt the commands, and trust me, you would need a super computer crunching away for a few years just to even break the encryption.

Once 2 way communication is started with the drone a sequence is started. You can't just send commands from a 3rd party because it would be out of sequence. Depending on how they designed the sequence method, it could be IMPOSSIBLE to predict what sequence packet the drone expects to receive. A simple sequence would just be a counter 1, 2, 3, 4, 5, 6... In that case it would be easy for a 3rd party to predict that sequence 7 is next. But with advanced software, sequences can be passwords that need to be encrypted a certain way every single sequence (a constantly changing password). You would basically have to have answers for questions that you haven't been asked, you just have to know the question, and how to answer it. That is something you can't learn just by eavesdropping on a signal, you would have to reverse engineer the software on the drone itself.

Anyway, this subject is hard to express to people with little to no knowledge of software engineering and communications.


Good explanation
Everybody should read it, this is how it is! I was about to write along the same but you clearly know what you're saying and do this much better than me with my bad grammar.


edit on 17-12-2011 by verschickter because: (no reason given)



posted on Dec, 17 2011 @ 10:27 AM
New article I just found which I believe has some new additional information? -


Tehran - An Iranian engineer has said that specialists in his country captured the U.S. spy drone by exploiting what they knew was its weakest point. They hacked into its GPS system and re-configured its coordinates to make it land at a chosen location.

Recent statements by an Iranian scientist who spoke with The Christian Science Monitor in an exclusive interview, suggests that what appeared to the American controllers of the drone as malfunction really might have been a cyber attack. Observers are pointing out that the fact that the drone was recovered by the Iranians in almost perfect condition suggests it really may have been downed by hacking into its electronic controls.

According to the Iranian engineer, "The GPS navigation is the weakest point. By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain." The electronic specialists then used a "spoofing" technique which took into "account precise landing altitudes as well as latitudinal and longitudinal data" and made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications." The engineer asserted that once the "bird loses its brain" reprogramming it to land at another location is a simple process.

Source

edit on 17-12-2011 by PerfectPerception because: (no reason given)



posted on Dec, 17 2011 @ 04:13 PM

Originally posted by K1771gnorance
reply to post by intrptr
 


If you want to believe the propaganda, go for it. I don't believe it one bit. Iran is just trying to scare people.

I could make a server/client application that is unhackable from 3rd parties. I'm sure the military can as well.
edit on 16-12-2011 by K1771gnorance because: (no reason given)


New thread: www.abovetopsecret.com...



posted on Dec, 17 2011 @ 04:53 PM
reply to post by SLAYER69
 


I think that you seriously overestimate the capability of satellite recon capability if you think that satellites can do anything that a drone does, but better.



posted on Dec, 18 2011 @ 09:53 AM

Originally posted by verschickter

Originally posted by K1771gnorance

Originally posted by intrptr
Any signal going by the drone containing any authorization can be eavesdropped and decrypted. Let's not measure - countermeasure like the nerds do with "super secret code that can't be hacked".


Maybe you missed my post earlier on this topic.

"Jamming" does not work on drones. The drones will just think it lost signal and will return to base like it is built to do when it loses a signal. It will also use internal navigation and not rely on GPS just in case GPS satellites are shot down.

No, you can NOT just eavesdrop on a signal, magically decrypt it, and magically figure out how to send authorized commands to the drone, it doesn't work like that.
Obviously you don't know much about how any of this works or you wouldn't be making such a silly statement.


The drone is a flying computer, and you have to first connect to the computer before you can send it any commands. Connecting to it is the first hurdle, and not an easy one. You have to know the correct encrypted password, and the commands to send to actually handshake with the drone. That would be the single hardest part. The second hardest part would be figuring out all the available commands the drone would accept, and the format at which to send the commands, and how to authenticate each command (really hard to do), and keep track of the sequence number a.k.a. queue of commands sent and received. Then you need to know how to respond to commands sent back from the drone. On top of that you need to maintain an uplink with the drone so you can constantly receive navigation info from the drone if you actually want to fly it manually, you will need to know its heading, altitude, speed, throttle settings, flap position, gear position, etc., and that isn't just sent in plain text over the radio waves either. And to top it all off, you need to correctly encrypt all of the above commands, and have knowledge of the SALT which is used to encrypt the commands, and trust me, you would need a super computer crunching away for a few years just to even break the encryption.



Once 2 way communication is started with the drone a sequence is started. You can't just send commands from a 3rd party because it would be out of sequence. Depending on how they designed the sequence method, it could be IMPOSSIBLE to predict what sequence packet the drone expects to receive. A simple sequence would just be a counter 1, 2, 3, 4, 5, 6... In that case it would be easy for a 3rd party to predict that sequence 7 is next. But with advanced software, sequences can be passwords that need to be encrypted a certain way every single sequence (a constantly changing password). You would basically have to have answers for questions that you haven't been asked, you just have to know the question, and how to answer it. That is something you can't learn just by eavesdropping on a signal, you would have to reverse engineer the software on the drone itself.

Anyway, this subject is hard to express to people with little to no knowledge of software engineering and communications.


Good explanation
Everybody should read it, this is how it is! I was about to write along the same but you clearly know what you're saying and do this much better than me with my bad grammar.


edit on 17-12-2011 by verschickter because: (no reason given)



You'll probably find that it's the connection that's encrypted (ssl), not the commands, probably over a ssh tunnel. The computer on-board probably communicates over one specific port (where firewall rules drop (silently) any ping attempt (icmp) or any port scanning software (like nmap)). However once connection is established the on-board computer is owned. (This process would be VERY difficult but NOT impossible depending on what level of encryption is used.)
TCP/IP packets don't need to arrive in sequence, so what protocol would the drone use? Just as a matter of interest?



posted on Dec, 18 2011 @ 11:04 AM

Originally posted by zippy70
You'll probably find that it's the connection that's encrypted (ssl), not the commands, probably over a ssh tunnel. The computer on-board probably communicates over one specific port (where firewall rules drop (silently) any ping attempt (icmp) or any port scanning software (like nmap)). However once connection is established the on-board computer is owned. (This process would be VERY difficult but NOT impossible depending on what level of encryption is used.)
TCP/IP packets don't need to arrive in sequence, so what protocol would the drone use? Just as a matter of interest?


The connection is encrypted, and the commands and parameters are encrypted separately as well. It would be dumb to send plain text commands to a server even if the connection itself is encrypted. Encrypting the entire command and the command parameters would seem to be the most secure way to do it.

Say there was a "turn" command that accepted a "heading" parameter like this:

"TURN 180"

You could send that command over the connection as is (plain text) and rely on the connection's encryption to protect people from seeing the command, but that would be one layer of protection. To have two layers of protection you would first encrypt the command and parameter, and then send it over an encrypted connection.

So "TURN 180" encrypted would be something like "*#&$$^E$%", then they send it over an encrypted connection which scrambles it to unreadable data again. That would make it take a very long time to decrypt, especially if the encryption algorithm constantly changed with every command.

If you did manage to get a connection with the drone which I feel would be next to impossible to do (especially when a connection already exists), then you would have to hope they don't use some type of authentication sequence header (which they most surely do).

Example communication with drone WITHOUT sequence:

Pilot>TURN 180
Drone>OK TURN 180

Pilot>SET ALT 40000
Drone>OK SET ALT 40000

Pilot>FLAPS 20%
Drone>OK FLAPS 20%

Example communication with simple number sequence:

Pilot>1 TURN 180
Drone>2 OK TURN 180

Pilot>3 SET ALT 40000
Drone>4 OK SET ALT 40000

Pilot>5 FLAPS 20%
Drone>6 OK FLAPS 20%

At this point the next sequence would be 7. So if someone wanted to send a command to the drone they would have to send a header packet with "7". If they send a command with the header packet "10" when the drone expects "7" then the command would be out of sequence and rejected.

A number sequence is very simple to predict if someone happens to be watching the communication, so many client/server applications use a changing password for the sequence like this:

Pilot>$%^$ TURN 180
Drone>@#@$ OK TURN 180

Pilot>*&^@ SET ALT 40000
Drone>(*&^ OK SET ALT 40000

Pilot>(!($ FLAPS 20%
Drone>*&^! OK FLAPS 20%

Now you have no idea what sequence is next, only the drone's software and the pilot's software knows. So if you try to send a command without knowing what sequence the drone expects to receive, then the command would be invalid and rejected.

The sequence is a form of authentication, like a password to confirm the command is from an authentic source. You could listen to a communication for years and still not be able to crack or reverse engineer the sequence header if you design it correctly.

With a TCP/IP connection the communications don't have any specific sequence. However, a lot of client/server applications implement their own sequence methods in the data itself, which is what the examples above are.

Understand?

edit on 18-12-2011 by K1771gnorance because: (no reason given)
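
The sequence-header idea from the post above, as an added example that is not part of the original post or of any real drone protocol: it contrasts a bare counter with a per-command tag computed as HMAC-SHA256 over the sequence number and the command. The class names, the frame layout and the shared key are assumptions made for illustration, and only the pilot-to-drone direction is modelled.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


class CounterOnlyReceiver:
    """The '1, 2, 3...' scheme: accepts whatever carries the next number."""

    def __init__(self):
        self.expected = 1

    def accept(self, seq, command):
        if seq != self.expected:
            return None
        self.expected += 1
        return command


def make_tag(key, seq, command_bytes):
    """Tag binds the command to its sequence number under the shared key."""
    return hmac.new(key, struct.pack(">Q", seq) + command_bytes,
                    hashlib.sha256).digest()


class Sender:
    def __init__(self, key):
        self._key, self._seq = key, 0

    def build(self, command):
        """Frame layout (assumed): 8-byte sequence | 32-byte tag | command."""
        self._seq += 1
        body = command.encode("utf-8")
        return (struct.pack(">Q", self._seq)
                + make_tag(self._key, self._seq, body) + body)


class MacReceiver:
    def __init__(self, key):
        self._key, self._last_seq = key, 0

    def accept(self, frame):
        """Return the command if authentic and fresh, otherwise None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        (seq,) = struct.unpack(">Q", frame[:8])
        tag, body = frame[8:8 + TAG_LEN], frame[8 + TAG_LEN:]
        # Constant-time comparison; verify before acting on any field.
        if not hmac.compare_digest(tag, make_tag(self._key, seq, body)):
            return None
        if seq <= self._last_seq:  # replayed or stale frame
            return None
        self._last_seq = seq
        return body.decode("utf-8")


def demo():
    """Constructed scenario using the command strings from the post."""
    out = {}
    weak = CounterOnlyReceiver()
    for n in range(1, 7):                       # numbers 1..6 already used
        weak.accept(n, "TURN 180")
    out["counter_guess"] = weak.accept(7, "FLAPS 20%")  # next number is enough

    key = secrets.token_bytes(32)               # shared secret, never sent
    pilot, drone = Sender(key), MacReceiver(key)
    first = pilot.build("TURN 180")
    out["genuine"] = drone.accept(first)
    out["replay"] = drone.accept(first)         # same bytes sent again
    wrong_key = bytes(32)                       # third party lacks the key
    body = b"FLAPS 20%"
    out["forged"] = drone.accept(
        struct.pack(">Q", 2) + make_tag(wrong_key, 2, body) + body)
    second = pilot.build("SET ALT 40000")
    out["tampered"] = drone.accept(second[:-5] + b"10000")  # altered in transit
    out["genuine_after"] = drone.accept(second)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result!r}")
```

The sequence number travels in the clear in this sketch; what a listener cannot produce is the tag, because it depends on the key.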



posted on Dec, 18 2011 @ 12:49 PM
reply to post by K1771gnorance
 


Thanks, good explanation, but I'm still not sure why encrypting a command over an already encrypted connection would be of benefit. Anyone sniffing the network would not see it. I guess the military have reasons for this extra layer of security. Sending encrypted data over an encrypted line would put a high load on the hardware (decrypting the TCP/IP traffic and then decrypting the actual command). But I guess they have the processing power for it.

The fact that they successfully 'kidnapped' it is somewhat worrying, because it means that:

a. They can successfully decrypt 512-bit encryption without problems (no idea how they could in such a short amount of time and if that is the type of encryption used)
b. They have spies in the US military
c. They intercepted verbal communications and overheard a key.

Your comments about the commands in the application layer make sense, anticipating the correct sequence would add a layer of security I guess.


good thread. Thanks for the info =)



posted on Dec, 18 2011 @ 01:10 PM
reply to post by zippy70
 


I guess this explains it:

According to the Iranian engineer, "The GPS navigation is the weakest point. By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain." The electronic specialists then used a "spoofing" technique which took into "account precise landing altitudes as well as latitudinal and longitudinal data" and made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications." The engineer asserted that once the "bird loses its brain" reprogramming it to land at another location is a simple process.



posted on Dec, 18 2011 @ 01:52 PM

Originally posted by K1771gnorance

Originally posted by intrptr
Any signal going by the drone containing any authorization can be eavesdropped and decrypted. Let's not measure - countermeasure like the nerds do with "super secret code that can't be hacked".


Maybe you missed my post earlier on this topic.

"Jamming" does not work on drones. The drones will just think it lost signal and will return to base like it is built to do when it loses a signal. It will also use internal navigation and not rely on GPS just in case GPS satellites are shot down.

No, you can NOT just eavesdrop on a signal, magically decrypt it, and magically figure out how to send authorized commands to the drone, it doesn't work like that. Obviously you don't know much about how any of this works or you wouldn't be making such a silly statement.

The drone is a flying computer, and you have to first connect to the computer before you can send it any commands. Connecting to it is the first hurdle, and not an easy one. You have to know the correct encrypted password, and the commands to send to actually handshake with the drone. That would be the single hardest part. The second hardest part would be figuring out all the available commands the drone would accept, and the format at which to send the commands, and how to authenticate each command (really hard to do), and keep track of the sequence number a.k.a. queue of commands sent and received. Then you need to know how to respond to commands sent back from the drone. On top of that you need to maintain an uplink with the drone so you can constantly receive navigation info from the drone if you actually want to fly it manually, you will need to know its heading, altitude, speed, throttle settings, flap position, gear position, etc., and that isn't just sent in plain text over the radio waves either. And to top it all off, you need to correctly encrypt all of the above commands, and have knowledge of the SALT which is used to encrypt the commands, and trust me, you would need a super computer crunching away for a few years just to even break the encryption.

Once 2 way communication is started with the drone a sequence is started. You can't just send commands from a 3rd party because it would be out of sequence. Depending on how they designed the sequence method, it could be IMPOSSIBLE to predict what sequence packet the drone expects to receive. A simple sequence would just be a counter 1, 2, 3, 4, 5, 6... In that case it would be easy for a 3rd party to predict that sequence 7 is next. But with advanced software, sequences can be passwords that need to be encrypted a certain way every single sequence (a constantly changing password). You would basically have to have answers for questions that you haven't been asked, you just have to know the question, and how to answer it. That is something you can't learn just by eavesdropping on a signal, you would have to reverse engineer the software on the drone itself.

Anyway, this subject is hard to express to people with little to no knowledge of software engineering and communications.



Thanks for that excellent explanation. So it's a trojan horse then



posted on Dec, 19 2011 @ 12:36 AM
reply to post by bicnarok
 


It could make for a good Trojan horse, I have thought it to be the case myself after it happened and they captured the drone. How convenient that would be.



posted on Dec, 20 2011 @ 06:58 AM
reply to post by K1771gnorance
 


Great how you take the time to explain it.


See people, it's not impossible but it's damn hard! K1771 did not even mention other security setups, just the easy ones



