
CW/EW Attacks against UAV Systems

CW/EW Attacks against UAV Systems. Media Induced Hysteria or Sobering Reality? Sachin Deodhar Threatlabz Security Research Group. Introduction to “myself”. Here is where I blow my own horn ;-) Sachin Deodhar (Cyber Security Researcher, APT and CPS)


Presentation Transcript


  1. CW/EW Attacks against UAV Systems: Media Induced Hysteria or Sobering Reality? • Sachin Deodhar • Threatlabz Security Research Group

  2. Introduction to “myself” • Here is where I blow my own horn ;-) • Sachin Deodhar (Cyber Security Researcher, APT and CPS) • Threatlabz Security Research Group (Zscaler Inc.) • Work with Defense, IC, CT and Government sector

  3. Unmanned Aerial Vehicles • An aircraft with no pilot on board • Flight is controlled either by computers in the vehicle (autonomous), or under the remote control of a pilot on the ground or in another vehicle (remotely piloted). • A taxonomy is necessary to provide a consistent and unambiguous way to talk about UAVs • Different ways to think about UAVs – different types, different missions, different payloads, different levels of endurance, different degrees of autonomy • Not all UAVs are “armed” and not all UAVs are used in the military

  4. UAVs – Typical Systems Architecture

  5. Types of UAVs - Missions • Intelligence, Reconnaissance • Surveillance • Armed Missions • Communications • Extraction/Insertion

  6. Mission Types • Intelligence/Reconnaissance - providing battlefield intelligence • Mapping – preparing maps, charts, analyzing aerial photographs • BDA – battlefield damage assessment • Target Acquisition/Designation – static, dynamic, hostile/benign • Surveillance • Geospatial – static (non-moving target), dynamic (moving target) • Listening – signals intelligence • NBC Sensing – detecting signs/indicators of nuclear, biological and chemical (warfare) attacks

  7. Mission Type (Contd.) • Communications – mobile ad-hoc networks (wireless) using UAV • Comm. Relays/Ad Hoc Battlefield Networks • Extraction/Insertion • EW – Electronic Attack (EA), Electronic Protection (EP) • Payload Delivery – Lethal, Non-Lethal • Armed Missions • Decoys – providing ground and aerial gunnery a target that simulates an enemy aircraft or missile • Targeted (Armed) Missions - providing attack capability for high-risk missions

  8. Types of UAVs - Autonomy • Autonomy - the ability to make decisions without human intervention. To that end, the goal of autonomy is to teach machines to be "smart" and act more like humans • The ultimate goal in the development of autonomy in UAV technology is to replace the human pilot • Degrees of Autonomy – ranges from remotely piloted aerial vehicles to fully autonomous (fire and forget style) UAV systems • Gradual evolution towards “full vehicle autonomy” - reduce the dependence of a UAV on the Ground Control infrastructure, making it self-contained and autonomous

  9. Autonomy – Requirements • Sensor fusion – combine information from various sensors in a “single window” • Motion (Path) Planning and Trajectory Generation – generate an optimal path and execute optimal control maneuvers and/or faithfully adhere to the path defined • Distributed Communications - handling communication and coordination between multiple agents in the presence of incomplete and imperfect information

  10. UAV Types - Endurance • Because UAVs are not burdened with the physiological limitations of human pilots, they can be designed for maximized on-station times • IC Engines (low endurance) • Solar Powered (medium endurance) • Electric UAVs (very high endurance – uses laser beaming technology) • Primary objective of high endurance UAVs – “stare” at the battlefield for a long period of time to produce a record of events that could then be played backwards (e.g. to track where improvised explosive devices (IEDs) came from) • E.g. VULTURE - Very-high altitude, Ultra-endurance, Loitering Theater Unmanned Reconnaissance Element

  11. Attacks against UAV platforms • Growing incidence of cyber/electronic attacks against UAVs in recent years • Attack vectors and techniques depend on the type of UAV and its system/functional characteristics • Attack vectors are typically more potent and effective when targeting civilian use (non-military) UAVs • Attacks target either • On-board avionics systems and software • Communication data-links between ground based stations and UAVs • Support systems (e.g. GPS) that UAVs rely upon for navigation and control

  12. RQ-170 Stealth Sentinel • RQ-170 (Stealth Sentinel) measures 27.43m wide and 1.82m high. • It is a high altitude and long endurance unmanned aerial vehicle (UAV) designed and manufactured by Skunk Works, a division of Lockheed Martin Corporation, for the United States Air Force (USAF) • The aerial vehicle was designed to execute intelligence, surveillance, reconnaissance and target acquisition (ISTAR) and electronic warfare missions over a target area.

  13. RQ-170 Drone Specifications • RQ-170 UAV can capture real time imagery of the battlefield and transfer the data to the ground control station (GCS) through a line of sight (LOS) communication data link • Flies at an altitude of approx. 50,000ft • Lost-link profile – RQ-170 must autonomously follow a pre-programmed “lost-link” profile consisting of waypoints at various altitudes, forming a loop until it re-establishes contact or crashes • Controlled either manually from the GCS or through autonomous mode • An automatic launch and recovery (ALR) system enables the aircraft to land safely when communication with the control station fails

  14. RQ-170 Drone GCS • GCS of the RQ-170 displays the real time imagery or videos captured by the vehicle's payload cameras onboard • GCS tracks, controls and monitors the RQ-170 by transferring commands to the vehicle via LOS SATCOM data link • Operated by the 432nd wing of air combat command (ACC) at Creech Air Force Base, Nevada, and 30th reconnaissance squadron at Tonopah Test Range, Nevada.

  15. RQ-170 Stealth Sentinel

  16. RQ-170 Drone Capture - Details • On 4 December 2011, an American Lockheed Martin RQ-170 Sentinel unmanned aerial vehicle (UAV) was captured by Iranian forces near the city of Kashmar in northeastern Iran • Iran claims that the “UAV was brought down by its cyberwarfare unit which commandeered the aircraft and safely landed it” • The attack comprised jamming both satellite and land-originated control signals to the UAV, followed by a GPS spoofing attack that fed the UAV false GPS data to make it land in Iran at what the drone thought was its home base in Afghanistan • It is speculated that the UAV navigation & guidance could have been targeted by the 1L222 Avtobaza ELINT (radar jamming and deception system) supplied to Iran by Russia

  17. Iranian Engineer – how the RQ-170 was forced to land • Original Persian Transcript - با قرار دادن سر و صدا [پارازیت] در ارتباطات، شما را مجبور پرنده به خلبان اتوماتیک. این جایی است که پرنده مغز خود را از دست می دهد • EN Translation - “By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.” • “The “spoofing” took into account precise landing altitudes, as well as latitudinal and longitudinal data – made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center”

  18. 1L222 Avtobaza ELINT System

  19. 1L222 Avtobaza ELINT- Specifications

  20. RQ-170 Drone on Display in Iran

  21. FARS original report on RQ-170 Drone Capture by Iran

  22. RQ-170 Drone Capture (Contd.)

  23. RQ-170 Drone Capture - Summary • Does not constitute a conventional “cyber attack” but falls in the realm of “electronic warfare attacks” • Compromised the UAV’s navigation and guidance system • Primary attack vector – GPS jamming • Secondary attack vector – GPS spoofing • Cat and Mouse – US claims that the primary navigation/guidance system used by the RQ-170 is NOT GPS based but is an “inertial navigation” system; but confirmed that Iran was in possession of the RQ-170 drone after previously denying Iranian claims

  24. Replicating the RQ-170 attack • Assumptions & Constraints • Attack will target a civilian drone • Limited resources • Limited budget • Attack focused on civilian GPS signals (L1) • Civilian GPS spoofer (Ref: work on civilian GPS spoofer by the Radionavigation Laboratory at the UoT – Austin) • Multi-stage attack closely shadows the Iran incident – jam → signal correlation → spoof → hijack

  25. Typical GPS spoofing setup

  26. Candidate Spoofer Architecture

  27. GPS Receiver Spoofer Architecture

  28. GPS Spoofer DSP Box

  29. GPS Receiver Spoofer Hardware

  30. Countermeasures • Increasing sophistication (top to bottom) • Data bit latency defense (basic defense against simple spoofing attacks) • Vestigial signal defense • Multi-antenna defense (defense against intermediate level spoofing attacks) • Assimilative defense (makes existing GPS equipment resistant to jamming and spoofing without requiring hardware or software changes to the equipment) • Cryptographic defense based on estimation of W-bits (embedding cryptographic signatures in the spreading codes that will defeat a sophisticated spoofing attack)

  31. Multi-Antenna Defense (typical architecture)

  32. Multi-Antenna Defense (hardware)

  33. Offline (demo) GPS Receiver Spoofer

  34. Implications • Not all UAVs are armed drones (not all drones “kill”) • Not all attacks are “cyber” • Lone wolf is an unlikely scenario, at least in the near future • Nation states are more likely to have the necessary technical capabilities and know-how to launch attacks • Attacks against civilian-use UAVs are a greater concern • Civilian use hardware/software and communication protocols are less likely to be subject to the same level of scrutiny and testing, and are inherently insecure in many instances

  35. Cyber attacks against UAVs – future possibilities • Current research – software avionics vulnerabilities, and compromise of communication data links (data link 16) • Flaws in ADS-B, ACARS and other protocols used in civil aviation systems could potentially be used to compromise UAVs that rely on similar or the same communication protocols • UAVs in civilian airspace for civilian applications – increasing use and insecure software, communication protocols • Next talk(s) will illustrate these flaws and their potential to be exploited

  36. Questions?
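
The jam-then-spoof sequence from slides 16 and 24, seen from the defender's side, as an added example that is not part of the original presentation: a monitor that flags a signal outage and then rejects a reacquired GPS fix that disagrees with inertial dead reckoning. The telemetry fields, thresholds and sample traces are constructed assumptions, and this GPS/INS cross-check is a generic plausibility test, not one of the defenses listed on slide 30.

```python
import math
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from the talk.
CN0_JAM_DBHZ = 25.0   # mean C/N0 below this is treated as jamming
BASE_TOL_M = 30.0     # normal GPS/INS disagreement, metres
INS_DRIFT_M_S = 2.0   # INS drift allowed per second since the last trusted fix

@dataclass
class Sample:
    t: float      # seconds since start
    cn0: float    # mean carrier-to-noise density, dB-Hz
    fix: bool     # receiver reports a position fix
    gps: tuple    # (east, north) in metres, local frame
    ins: tuple    # (east, north) from inertial dead reckoning

def detect(samples):
    """Return (time, event) pairs for outages and GPS/INS divergence."""
    events = []
    last_trusted = samples[0].t
    in_outage = after_outage = alarmed = False
    for s in samples:
        if not s.fix or s.cn0 < CN0_JAM_DBHZ:
            if not in_outage:
                events.append((s.t, "JAMMING_SUSPECTED"))
            in_outage = after_outage = True
            continue
        in_outage = False
        error = math.dist(s.gps, s.ins)
        tolerance = BASE_TOL_M + INS_DRIFT_M_S * (s.t - last_trusted)
        if error > tolerance:
            if not alarmed:
                kind = "SPOOF_SUSPECTED_AFTER_JAM" if after_outage else "GPS_INS_MISMATCH"
                events.append((s.t, kind))
            alarmed = True   # fix rejected: stay on INS, keep last_trusted
        else:
            if after_outage or alarmed:
                events.append((s.t, "GPS_TRUSTED_AGAIN"))
            last_trusted, after_outage, alarmed = s.t, False, False
    return events

# Constructed telemetry: outage at t=2..4, then a strong signal far from the INS track.
ATTACK = [Sample(0, 44, True, (0, 0), (0, 0)), Sample(1, 43, True, (50, 0), (49, 1)),
          Sample(2, 18, False, (0, 0), (98, 1)), Sample(3, 15, False, (0, 0), (148, 2)),
          Sample(4, 16, False, (0, 0), (198, 2)), Sample(5, 51, True, (250, -400), (248, 3)),
          Sample(6, 51, True, (300, -500), (298, 4))]
# Constructed telemetry: short outage, then a fix that agrees with the INS track.
BENIGN = [Sample(0, 44, True, (0, 0), (0, 0)), Sample(1, 20, False, (0, 0), (50, 0)),
          Sample(2, 19, False, (0, 0), (99, 1)), Sample(3, 42, True, (150, 0), (146, 2))]
```

A spoofer that drags the position away more slowly than `INS_DRIFT_M_S` stays inside the widening bound, which is why this check complements rather than replaces the signal-level defenses on slide 30.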
