Todd Humphreys' Radionavigation Lab Demonstrates First Successful 'Spoofing' of UAVs
In June, a WNCG team under the direction of Dr. Todd Humphreys demonstrated for the first time that a civilian, unmanned aerial vehicle (UAV) can be commandeered in mid-flight by a civil GPS spoofing attack. The result will likely factor into the Federal Aviation Administration's (FAA's) plans to draw up rules for integrating UAVs into U.S. airspace by 2015.
For several years, Radionavigation Laboratory graduate students Daniel Shepard, Jahshan Bhatti, and Kyle Wesson have for several years now been investigating the security vulnerabilities of systems that depend on civil GPS signals, which are unencrypted and unauthenticated. Prior work in this area at the Radionavigation Lab has focused primarily on GPS-based timingsystems.
This team became interested in UAV navigation security last December when a U.S. spy drone was lost over Iran. Shortly after it went missing, the drone showed up on Iranian state televisionessentially intact. An Iranian engineer asserted that he and others had captured the drone by GPS spoofing, a claim that Humphreys and others found incredible given the likelihood that the drone had access to the encrypted military GPS signals. Nonetheless, the drone's capture remains something of a mystery: neither the CIA, who was operating the drone, nor the Department of Defense, have given an explanation for how the drone was captured intact.Speculation about the role of GPS spoofing in the spy drone capture over Iran became more serious in February when the U.S. Congress handed the FAA a mandate to prepare to open U.S. skies to commercial UAVs by 2015. The Radionavigation Lab researchers were concerned that civil GPS spoofing would pose a threat to such UAVs, whose navigation systems depend heavily on civil GPS.
Around this time, the U.S. Department of Homeland Security (DHS) offered universities and other interested civilian groups a chance to test their proposed techniques for addressing civil GPS vulnerabilities in a series of realistic over-the-air tests at White Sands Missile Range. Humphreys and his team proposed an experiment whereby they would attempt to commandeer a civilian UAV by GPS spoofing. DHS agreed to the test on the condition that the team furnish all the necessary manpower and equipment including the victim UAV.
The team selected a Hornet Mini UAV from Adaptive Flight. This sophisticated $80k rotorcraft, used by law enforcement, has a navigation system built around an extended Kalman filter that draws measurements from an altimeter, a magnetometer, an inertial measurement unit, and a civil GPS receiver. The Hornet Mini's sensor suite and flight control system are representative of those in much larger commercial UAVs.
After a dry test on the UT campus--for which university officials moved UT football practice for access to Texas Memorial Stadium--the team was off to White Sands for the test of record. The UAV was commanded by its ground control system to hover 50 feet above the ground at the test site. From a GPS spoofer on a hilltop about a half mile away, counterfeit GPS signals were broadcast toward the hovering UAV, achieving alignment with their counterpart authentic signals at the location of the UAV's GPS antenna. On command, the counterfeit signal power was rapidly increased, bringing the UAV under the spoofer's control. By inducing a false upward drift in the UAV's perceived location, the spoofer fooled the UAV's autopilot into losing altitude. Just before impact with the ground, a safety pilot took over the UAVs manual control and saved it from crashing.
Dr. Humphreys has been asked to recommend solutions to the problem of civil GPS spoofing before the Oversight Subcommittee of the Congressional Committee on Homeland Security on July 19.