UAVs Vulnerable to Civil GPS Spoofing

University of Texas–Austin drone

In June a research team from the University of Texas at Austin (UT-Austin) demonstrated for the first time that a civilian unmanned aerial vehicle (UAV) can be commandeered in mid-flight by a civil GPS spoofing attack. The result will likely factor into the Federal Aviation Administration’s (FAA’s) plans to draw up rules for integrating UAVs into U.S. airspace by 2015.

In June a research team from the University of Texas at Austin (UT-Austin) demonstrated for the first time that a civilian unmanned aerial vehicle (UAV) can be commandeered in mid-flight by a civil GPS spoofing attack. The result will likely factor into the Federal Aviation Administration’s (FAA’s) plans to draw up rules for integrating UAVs into U.S. airspace by 2015.

For several years, under the direction of Dr. Todd Humphreys, UT-Austin Radionavigation Laboratory graduate students Daniel Shepard, Jahshan Bhatti, and Kyle Wesson have been investigating the vulnerabilities of systems that depend on civil GPS signals, which are unencrypted and unauthenticated. The group’s prior research into civil spoofing has focused primarily on GPS-based timing systems.

The UT team became interested in UAV navigation security last December when a U.S. spy drone was lost over Iran. Shortly after it went missing, the drone showed up on Iranian state television — essentially intact. An Iranian engineer asserted that he and others had captured the UAV by GPS spoofing, a claim Humphreys and others found incredible given the probability that the drone used encrypted military GPS signals.

Nonetheless, the drone’s capture remains something of a mystery: neither the CIA, which was operating the drone, nor the Department of Defense, has explained how it might have happened.

Concern about GPS spoofing increased in February when Congress handed the FAA a mandate to prepare to open U.S. skies to commercial UAVs by 2015. The University of Texas researchers were concerned that spoofing would pose a threat to such UAVs, whose navigation systems depend heavily on civil GPS.

About this time the U.S. Department of Homeland Security (DHS) was offering universities and other interested civilian groups a chance to test techniques for addressing civil GPS vulnerability in realistic over-the-air tests at White Sands Missile Range. Humphreys and his team proposed an experiment to try to commandeer a civilian UAV by GPS spoofing. DHS agreed to the test — if the UT team furnished all the necessary manpower and equipment, including the “victim” UAV.

The UT team selected a Hornet Mini UAV from Adaptive Flight. The sophisticated $80,000 rotorcraft, used by law enforcement, has a navigation system built around an extended Kalman filter that draws measurements from an altimeter, a magnetometer, an inertial measurement unit, and a civil GPS receiver. The Hornet Mini’s sensor suite and flight control system are representative of those in much larger commercial UAVs.

After a dry run on the university campus — for which university officials showed their support by moving UT football practice to allow access to Texas Memorial Stadium — the UT team was off to White Sands for the test of record on June 19–20. The UAV was commanded by its ground control system to hover 50 feet above the ground at the test site. Using a spoofer on a hilltop about a half mile away, counterfeit GPS signals were broadcast toward the hovering UAV, aligning them with authentic signals at the UAV’s GPS antenna.

In the White Sands test, on command, the counterfeit signal power was rapidly increased, bringing the UAV under the spoofer’s control. By inducing a false upward drift in the UAV’s perceived location, the spoofer fooled the UAV’s autopilot into losing altitude. Just before crashing into the ground, a safety pilot took over manual control of the UAV and saved it.

Humphreys believes his team’s testing of UAVs’ vulnerability to civil spoofing underlines the need for caution in expanding use of them.

“The integration of UAVs into the national airspace offers a great number of exciting possibilities, from boosting cargo transport efficiency to aiding search and rescue to one day delivery of takeout food to our doorstep,” he said. “But as it draws up rules for UAV integration, the FAA will need to seriously consider questions of privacy and — as our demonstration shows — questions of security.”

Humphreys has been asked to recommend solutions to the problem of civil GPS spoofing at a hearing Thursday (July 19, 2012) of the Oversight, Investigations, and Management Subcommittee of the House Committee on Homeland Security

Speaking of the hearing’s purpose, Oversight Subcommittee Chairman Michael McCaul (R-TX), pointed out that UAVs have been a force multiplier in U.S. military operations abroad and along the nation’s borders and are now being used by law enforcement, government agencies and even academic institutions.

“Some Americans worry such systems will become invasive ‘eyes-in-the-sky,’” said McCaul. “Others say domestic drones will eventually be armed. However, no Federal agency is taking responsibility for creating comprehensive policies and regulations concerning the use of these systems domestically.”

He cited the UT-Austin research as reflecting UAV vulnerabilities to hacking that raises concerns such vehicles could be commandeered by terrorists or others with ill intent.

“Our hearing will examine DHS’s role in the domestic use of unmanned aerial systems and determine the extent to which the Department is prepared to ensure oversight of domestic drones," added McCaul.

The hearing begins at 9:30 a.m. Thursday in Room 311 of the Cannon House Office Building. Humphreys’ presentation will start off the discussion, followed by Gerald Dillingham, director, Physical Infrastructure Issues Government Accountability Office; Chief Deputy Randy McDaniel, Montgomery County (Texas) Sheriff’s Office; and Amie Stepanovich, litigation counsel, Electronic Privacy Information Center.

IGM_e-news_subscribe