The vulnerability of the control channels of American tactical UAVs: technological aspects
A very significant and, from a tactical point of view, interesting event took place in the Donbass theater of operations in early December 2016. As became known on December 8, close to midnight, electronic intelligence and electronic warfare specialists made a successful attempt to intercept the radio control channel of an RQ-11B Raven territorial reconnaissance unmanned aerial vehicle. This was reported by the well-known news agency "Reuters" with reference to the command of the Ukrainian Air Force. The drone's radio control channel was analyzed by the electronic intelligence units of the People's Militia Corps of the Luhansk People's Republic and then duplicated by the militia's electronic warfare units, but with completely different "packets" of commands, with the help of which the "Raven" was safely landed on territory controlled by the LPR armed forces. The fact that the drones are vulnerable to data interception so alarmed the General Staff of the Armed Forces of Ukraine that it temporarily stopped using the RQ-11B in the Donbass.
As stated by "Reuters" with reference to Ukrainian sources, the Ukrainian Armed Forces use drones with analogue radio control modules, whose data packets carrying radio commands are very easy to intercept and reproduce, which is why such cases occur. Nevertheless, this question is much more complicated than it is described by Reuters staff, who are poorly qualified in this field, and by the speakers of the "independent" General Staff. After all, we are all perfectly familiar with the more "daring" examples of interception of control and landing of more sophisticated and larger regional reconnaissance UAVs, which include the RQ-170 "Sentinel" from Lockheed Martin. As is known, this machine, with a length of 4.5 m and a wingspan of 20 m, is controlled through complex digital radio control channels using pseudo-random frequency hopping (with a hopping rate of up to tens of kHz), as well as various methods of scrambling the telemetry and radio command channels. Nevertheless, even the top-secret "Sentinel", "stuffed" with an advanced element base, was "landed" by Iranian EW in the eastern part of Iran as long as 5 years ago, in December 2011.
According to sources in the General Staff of the Islamic Republic of Iran, the operators of the Iranian electronic warfare units were able to gain control over the control systems of the American drone thanks to the analysis, copying and substitution of the information "packets" of the GPS control radio channel emitted by antenna installations at one of the US air bases or military camps in western Afghanistan. This technique looks extremely implausible, since it is known that a UAV of the "Sentinel" class is controlled not through a direct radio channel within the radio horizon but via a specialized GPS channel from a satellite. At the same time, the channel uses exclusively highly directional antennas mounted on the upper part of the UAV fuselage and pointed into the upper hemisphere. The question automatically arises: how did they do it?
The most plausible version is the use of upgraded GPS spoofers: portable radio transmitters operating at 1227.6 MHz and 1575.42 MHz (all GPS receivers of the civilian and military sectors operate on these frequencies; the latter are often equipped with radio coding modules). These transmitters carry out the so-called "spoofing" attack on the receiving GPS module of a unit (a drone or a ground-based unmanned combat vehicle), slowly deflecting it from the specified path by transmitting false data about its true location in space. Making a civilian GPS device with a standard omnidirectional antenna follow false coordinates is much easier than doing so with a unit that has a highly directional antenna installation. To influence the latter, it is often necessary not only to have a more powerful L-band UHF amplifier (the band in which the two main GPS channels operate), but also an elevated position for the GPS spoofer emitting the false radio signal, which may require the use of a higher-altitude drone or a specialized electronic reconnaissance and EW aircraft acting as the lead machine in such a pair. This creates a stronger false signal at the GPS receiving antenna, which "looks" into the upper hemisphere of the enemy's reconnaissance UAV. Iran could easily have used its own EW aircraft equipped with modern Chinese hardware, including GPS spoofers, to seize control of the "Sentinel".
Given that control over the US RQ-170 was intercepted over the western border areas of Afghanistan and eastern Iran, there is another version of the incident, connected with the favorable terrain. Eastern Iran is replete with mountain ranges with peaks from 2800 to 4000 meters, and deploying GPS spoofers in this area increases the likelihood of successfully overpowering the satellite GPS channel with a spurious channel emitted directly by a spoofer with a powerful amplifier several dozen times, since the antenna of the intercepting complex is located a few kilometers closer to the enemy drone. Such an interception would have been most favorable if the flight of the RQ-170 "Sentinel" UAV took place at an altitude of 2.5-3 km. In this case, it was enough for the Iranian spoofers to be located on any mountain elevation in the eastern part of the country to get into the field of view of the RQ-170 GPS antennas, after which the "spoofing" attack could begin.
To carry out a flawless "spoofing" attack, constantly updated information on the exact coordinates of the carrier of the GPS module is needed, which can be obtained thanks to modern means of electronic reconnaissance in service with the Air Force of the Islamic Republic of Iran. The simplest and most accurate of them is the "Kasta-2E2" radar. The station operates in the decimeter range and is capable of detecting and tracking small air targets, including UAVs, flying as low as 100 m. This is quite enough for reliable detection of a drone as large as the RQ-170 "Sentinel". Once the radar has assigned a track to the target, and data packets with the target's changing real location arrive at the operator's "spoofing" complex with short intervals, the first stage of the attack begins: the drone is hit with a slightly stronger spoofer GPS signal carrying the correct coordinates of the target obtained from the radar. Then the EW operators, using the "spoofing" software algorithm, gradually deflect the enemy's unmanned machine from its satellite-guided flight path, turning it from an autonomous into a controlled air "tool", with which you can do almost anything, even turn it into a kamikaze drone, but only within the coverage zone of the "spoofing" complex (Iran does not yet have its own satellite navigation constellation).
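As an added illustration that is not part of the original article, the following Python monitor shows the defender's side of the two-stage attack profile just described: it flags an abrupt rise in received GNSS signal strength (the "slightly stronger signal with correct coordinates" stage) and a growing gap between the GNSS fix and an INS dead-reckoned track (the "gradual deflection" stage). The `Epoch` record, the thresholds and the 1 Hz sample track are constructed for this example and are not from any real UAV.

```python
from dataclasses import dataclass
from math import hypot


@dataclass
class Epoch:
    """One navigation epoch (constructed format, not a real UAV telemetry record)."""
    t: float       # time, seconds
    gnss_x: float  # GNSS-reported position, metres east of the starting point
    gnss_y: float  # GNSS-reported position, metres north of the starting point
    vx: float      # INS velocity east, m/s
    vy: float      # INS velocity north, m/s
    cn0: float     # carrier-to-noise density of the strongest tracked signal, dB-Hz


def detect_spoofing(epochs, cn0_step_db=6.0, drift_m=40.0):
    """Return [(time, reason)] alerts for the two spoofing symptoms.

    The INS track is dead-reckoned from the first GNSS fix using INS velocities
    only, so a spoofer that walks the reported fix away from the true path opens
    a gap the INS does not see. A jump in C/N0 of cn0_step_db or more between
    consecutive epochs is treated as a stronger transmitter capturing the receiver.
    (Real INS drift bounds how long the comparison window can be; the thresholds
    here are illustrative assumptions.)
    """
    alerts = []
    ins_x, ins_y = epochs[0].gnss_x, epochs[0].gnss_y
    prev = epochs[0]
    for e in epochs[1:]:
        dt = e.t - prev.t
        ins_x += e.vx * dt
        ins_y += e.vy * dt
        if e.cn0 - prev.cn0 >= cn0_step_db:
            alerts.append((e.t, "signal power step"))
        if hypot(e.gnss_x - ins_x, e.gnss_y - ins_y) > drift_m:
            alerts.append((e.t, "gnss/ins divergence"))
        prev = e
    return alerts


def build_sample(spoofed=True):
    """Constructed 1 Hz track: the aircraft flies due north at 30 m/s.

    In the spoofed case a stronger signal appears at t=5 s still carrying the true
    position, and from t=6 s the reported fix is walked east by 8 m per second
    while the INS still sees a straight northbound track.
    """
    epochs = []
    for t in range(13):
        x, cn0 = 0.0, 45.0
        if spoofed and t >= 5:
            cn0 = 53.0
            x = 8.0 * (t - 5)
        epochs.append(Epoch(float(t), x, 30.0 * t, 0.0, 30.0, cn0))
    return epochs
```

In the spoofed sample the power step fires at t=5 s, and the divergence alert fires once the walked-off fix exceeds 40 m at t=11 s; the clean track produces no alerts.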
It is also worth noting here that the Russian 1L222 Avtobaza radio intelligence systems purchased for the needs of the Iranian Air Force cannot, from a technical point of view, be used to suppress and "crack" the GPS channel of the RQ-170 Sentinel, since Avtobaza is a passive electronic reconnaissance (RTR) system. Moreover, the 1L222 cannot be used as a means of analyzing the data "packets" of the orbiting GPS satellite constellation, since its receiver covers only the centimeter frequency range from 8 to 17.544 GHz. The Avtobaza complex is intended for direction finding of the airborne X-, J- and Ka-band radars of tactical aviation, of the terrain-following radio altimeters of Tomahawk missiles and other high-precision terrain-hugging missile weapons, and of the active radar seekers of air-to-ship / air-to-ground missiles and medium- and long-range air combat missiles. Information about the use of the experimental Belarusian "Canopy-U" electronic warfare systems, designed to suppress GPS channels, in the interception of control over the RQ-170 Sentinel looks more logical.
Other sources also spin complete absurdities, arguing that the malfunction of the INS and the entire avionics of the RQ-170 drone could have been caused by the powerful SPN-4 noise jamming stations supplied by Belarus. These pseudo-specialists have completely forgotten the true purpose of the SPN-4 complex. First, the station was designed for passive radio-technical reconnaissance of the enemy's radio-emitting multifunctional on-board radar systems operating in the centimeter range, and for their subsequent suppression at a distance of no more than 60 km. The SPN-4 station is not a super-powerful ground-based electronic countermeasures device capable of completely disrupting the stable operation of the autopilot systems of the RQ-170 "Sentinel" UAV, as the super-high-frequency "Ranets-E" complex is able to do. Secondly, most of the element base of modern avionics, including all cables, wiring and other components, is shielded and is also often covered with specialized radio-absorbing materials to get rid of the negative effects of electronic countermeasures. And the maximum power of the SPN-4 noise jamming station does not exceed 2.5 kW, which by the standards of modern radio engineering is a drop in the ocean. The bottom line is this: the "spoofing" attack is the most realistic version of the interception of control over the American RQ-170 "Sentinel" UAV.
Today the most advanced characteristics for "hacking" the radio channels of UAVs belong to the domestic electronic warfare complex "Shipovnik-AERO". This unit is able to perform: electronic reconnaissance for the presence of enemy UAV radio control channels, analysis of these radio channels (including extracting "packets" of data with control commands and return telemetry information), and full-fledged "spoofing" attacks on enemy drones using a GPS suppression channel for all kinds of consumers. A large number of different types of antenna installations allows the sources of UAV radio control to be located most accurately in the range from 25 to 2500 MHz. To suppress drone radio control, Shipovnik-AERO has four bands of electronic countermeasures and counter-interference emission: 0.025-0.08 GHz, 0.4-0.5 GHz, 0.8-0.925 GHz and 2.4-2.485 GHz.
"Shipovnik-AERO" was first demonstrated to the public in 2012, at the International Forum "Technologies in Mechanical Engineering-2012", by the "Vega" radio engineering concern. And in July 2016, the first reports from the Ukrainian side about the arrival of the complex in the capital of the Donetsk People's Republic appeared. Of course, listening to statements from Kiev is a very thankless task, but I would like to hope that the "Shipovnik-AERO" complexes really do stand guard over the long-suffering Russian city of Donbass, Donetsk. These complexes could be an excellent help in protecting the population of Novorossia from the constant destructive artillery strikes on schools, shops and houses, as well as on strongholds of the Armed Forces of the DPR, which did not stop even after the conclusion of new ceasefire agreements for the New Year holidays. Territorial aerial reconnaissance by UAVs of the Kiev Nazis is not only an indirect threat, consisting in the reconnaissance of the most populated objects for artillery strikes, but also a direct one, since the Ukrainian Armed Forces have been engaged in outright terror for more than six months. Thus, the Osa-AKM self-propelled anti-aircraft missile systems and the anti-aircraft artillery of the People's Militia of the LDNR have intercepted more than 5 reconnaissance drones of the Armed Forces of Ukraine equipped with home-made hardpoints carrying makeshift air bombs built from various hand grenades, projectiles and other explosives. In such conditions "Shipovnik-AERO" becomes an indispensable tool.
Let us return to the cases of interception of the radio control channel of the American RQ-11B "Raven" UAV purchased by the "Square". For "hacking" this hand-launched drone, no sophisticated tools like Shipovnik-AERO are needed at all. The "Raven" is also equipped with a GPS module, but with a simpler omnidirectional antenna: this allows the drone's navigation system to be "jammed" even with the simplest portable GPS suppression set. But given that the Ukrainian militants more often use the RQ-11B's radio command guidance within line of sight (up to 10 km), locating its ground control points is not a difficult task for the militia. What is enough for direction finding of the RQ-11B control channel sources within the radio horizon?
Today, most knowledgeable residents of the liberated and occupied territories of the Donetsk and Lugansk People's Republics are very familiar with a very small digital device called a DVB-T tuner. The device combines the functions of a full-fledged radio receiver, a TV tuner and a frequency scanner capable of covering radio frequencies in the range from 24 to 1750 MHz. The compact DVB-T tuner card is built around the RTL2832U + R820T2 radio frequency chipset, which has a fairly high sensitivity with an excellent noise suppression factor on the air. The population and military personnel of the LDNR often use the device to detect the radio stations of the Ukrainian military formations on the air, which can sometimes help to prepare for unforeseen circumstances (shelling, movement of equipment, and also places of possible escalation of hostilities). As is known, the frequency range of portable radio stations lies between 136 and 174 MHz, while the analogue range of UAV control is at higher frequencies.
Armed with a self-made, precisely directional antenna connected through the antenna output and an adapter to the SDR tuner, and using the peaks in the frequency diagram, you can easily determine the approximate direction of the radiated radio control channel of the RQ-11B drone. The frequency chart is displayed in the SDRSharp program installed on a portable tablet or laptop running Windows. For devices running Android (smartphones and tablets) there is similar software called "SDRTouch". The tuners connect to the computer via the USB interface. The cost of the matter is no more than 550-600 rubles, and therefore DVB-T tuners are among the most purchased electronic devices that volunteers deliver for the needs of the intelligence units of the People's Militia of the LDNR.
The RQ-11B reconnaissance UAV that was "intercepted" and forcibly landed by the LPR EW units approached the line of contact with the LPR from the direction of the village of Krymske. The terrain in this area is relatively flat, and therefore it was no problem at all to locate the radio-emitting station controlling the drone. The signal was analyzed and retransmitted to the "Raven" with more power, so control was taken over, and then the aircraft was simply given the command to land. To analyze the analogue radio signal controlling the "Raven" (identifying the "packets" with aircraft control commands), more advanced software than "SDRSharp" or "SDRTouch" is needed, using more serious drivers and filters, which the specialists of the LPR armed forces obviously have.
There is also a mass of other software, drivers and filters designed to collect traffic from satellite channels. They can be slightly upgraded to scan and decode the poorly protected telemetry channels broadcast by various reconnaissance UAVs. Thus, back in 2008, the US military detained an insurgent whose laptop was loaded with photographs taken by American UAVs in the Iraqi theater of operations, and in 2009 computers with several hours of video files, also showing reconnaissance footage from American unmanned drones, were found on other insurgents. According to Western information resources, a modified software package like "SkyGrabber", priced at 26 dollars, was used to receive the files.
Summing up today's review, which is intended to reveal in detail the issues of "hacking" the radio channels controlling modern reconnaissance UAVs, we can note two main points.
1. The most comprehensive protection from "interception" of control and extraction of telemetry information is enjoyed by heavy strategic reconnaissance UAVs of the RQ-4A/B/C "Global Hawk / Triton" type. Operating at altitudes up to 19.5 km, these machines are less susceptible to the false signals of even the most powerful ground-based EW equipment; the maximum damage that can be done to their operation is suppression of the AN/ZPY-2 on-board radar, while their navigation and GPS control systems with highly directional receiving antennas are very difficult to "jam". Indeed, not a single Global Hawk has yet been "landed" by either Russian or Chinese EW equipment, although these machines fly both over the South China Sea and directly near our air borders near the Crimea... Draw your own conclusions.
2. Taking control over the digital control channels of low-altitude and medium-altitude UAVs is a rather complicated task, but quite feasible. Success depends on the performance of the computing facilities of the EW complex carrying out the "spoofing" attack on the drone's GPS module, as well as on the power of the attacking radio channel's amplifier, which must exceed that of the satellite correction channel. Given that "spoofing" attack programs are regularly improved, 100% protection should not be expected. As for the analogue radio control channels, as in the case of the Ukrainian RQ-11B "Raven", they are easy to crack even with the simplest means of electronic intelligence and EW.
Information sources:
https://xakep.ru/2012/01/19/58149/
http://www.rusarmy.com/pvo/pvo_vvs/reb_spn-4.html
http://radiolubitel.net/index.php/obzory-ustrojstv/341-radioskaner-sdr-priemnik-iz-usb-tv-tyunera-rtl2832u-r820t
https://informnapalm.org/25187-rossijskij-kompleks-shipovnik-aero-v-tsentre-donetska/