Did Iran Hack Our Drone?

I’ve been saying for some time that America’s hubris about drones will end as soon as one of our antagonists figures out how to hack them.

Which is why it’s interesting that Iran has updated its claims to have “shot down” an American drone to suggest they had “brought it down.” (Note, I found this statement on the Mehr website, but not the Fars one.)

The wreckage of the Lockheed-Martin RQ-170 Sentinel stealth drone was largely intact after it was downed, the Fars news agency said.

“Iran’s army has downed an intruding RQ-170 American drone in eastern Iran,” Arabic-language al-Alam TV said, quoting an anonymous source.

“The spy drone, which has been downed with little damage, was seized by the armed forces,” the news network added.

The cyber warfare unit managed to take over controls of the drone and bring it down, a military official said, according to the TV.

An unnamed military official also told the Fars that Iran’s response “will not be limited to the country’s borders.” [my emphasis]

And after some initial doubts that the Iranian claims were correct, ISAF has now admitted that they lost control of a drone last week.

The UAV to which the Iranians are referring may be a US unarmed reconnaissance aircraft that had been flying a mission over western Afghanistan late last week. The operators of the UAV lost control of the aircraft and had been working to determine its status.

Though the US remains coy over whether DOD was operating the drone (suggesting an Afghan mission) or the CIA was (suggesting a non-Afghan mission).

Although the Sentinel was developed for the Air Force, the U.S. official declined to confirm whether it was the U.S. military or the U.S. intelligence community operating the drone at the time of the incident.

Mind you, lurking in the background are the two recent attacks on Iran–the assassination of Hassan Moqaddam and the explosion in Isfahan. With both those previous explosions, Iran has officially offered conflicting stories about whether or not there was an explosion or why. If the drone was conducting reconnaissance of missile runs over Iran, both sides might say Iran “brought it down” to avoid discussions of where the drone was operating.

Remember, though: less than two months ago, Wired revealed that someone had gotten keylogger software onto Creech Air Force Base’s system in Nevada. So someone already infiltrated the Air Force drone system. It’s just not clear who did so.

Update: Also remember the probable disinformation from a few weeks back saying that the Israelis deliberately let Hezbollah take down one of its drones over Lebanon, which it then detonated to blow up a weapons depot. One reason the ISAF might admit to losing a drone is if it wasn’t their drone.

Update: This appears to confirm the Iranians were right. Though I would suggest both sides still might be lying about aspects of this.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

37 replies
  1. emptywheel says:

    Mind you, lots of NatSec types who are generally right are saying there’s no way Iran “downed” a Sentinel. So that leaves the question of why ISAF is seeming to back the other side of the story?

  2. Arbusto says:

    Knowing next to nothing about remote controlled aircraft systems, but being a big fan of Charles Stross, it’d be interesting if an expert system, broadcasting 24/7 could be more effective than radar in nullifying our stealth remotes. Waiting for Iran (or maybe Russia) to sell the technology to Pakistan, etc.

  3. rugger9 says:

    If anyone thinks that the Creech hack was unrelated, there’s a bridge in NY I want to sell you. There is no way that someone with that kind of information wouldn’t use it, and FWIW, we know the PRC government and PLA have been conducting cyber attacks for years on DOD operations. I wouldn’t be surprised at all to find out the PRC gave Iran the technology to curry favor and interfere with the drones that would be a probable first wave against the PLA when they move. Gee, and haven’t the PRC companies been supplying the computer chips for our DOD toys for some time now? Coinkydink, I think not.

    This is very disturbing news if I’m the ISAF commander.

  5. Ewston says:

    The RQ-170 doesn’t share the same kind of computer software that the UAVs that are controlled out of Creech do. The RQ-170 is controlled, most-likely, like the Global Hawk is controlled, which is just via a desktop computer where the ‘pilot’ inputs the commands. The UAVs controlled out of Creech are actually flown with a stick and rudder, much like an actual aircraft.

    There is possibility that there is some related software between the two, but the RQ-170 is leaps and bounds ahead of the Predators and Reapers that you see on the news everyday.

  6. jerryy says:

    Speaking of hacking :^)

    Did you realize the mobile version of the site has a small down-arrow, notification menu shaped button centered at the top (the button is easy to overlook, almost non-existent in phone browsers, but is visible in tablet browsers) that gives access to some of your older material, material not available via your full version?

  7. MadDog says:

    A couple thoughts to add to the mix here:

    1) The RQ-170 Sentinel, like most US drones, is designed for the purposes of tactical, real-time operations, and not for strategic reconnaissance of stuff like nuclear facilities and missile complexes like our KH reconnaissance satellites.

    2) As a tactical, real-time operations platform, the user community of the RQ-170 Sentinel consists of the military and the intelligence community (primarily the CIA, but not exclusively). It is used for both tactical surveillance and targeting purposes in military and intelligence operations.

    With those 2 observations, the questions and issues that arise in my mind are:

    a) With the “War in Afghanistan” being fought almost exclusively in the eastern half of the country, what other possible explanation is believable other than that the US was conducting a tactical, real-time operation against Iran by either or both the US military and the CIA?

    b) If the purpose of the RQ-170 Sentinel, like most US drones, is tactical surveillance and/or targeting, what tactical Iranian target was worthy for either real-time surveillance and/or targeting?

    c) One of the purposes of US drones is to support military forces on the ground. Was there a US military and/or intelligence ground force being operationally supported by this RQ-170 Sentinel drone? Was it, is it in Iran?

  8. JohnLopresti says:

    There was a February 2011 short note by Assoc Press about a Yemen theater, ‘Predator’ drone’s wreckage having been waylaid en route to some safekeeping; there.

  9. MadDog says:

    With regard to hacking the drone, another couple of observations:

    1) It would seem an obvious and fatally flawed idea to use but a single communications channel to both control the flight of the drone and to transmit the reconnaissance material such as the real-time surveillance video. Were the RQ-170 Sentinel designers this stupid?

    2) One of the past hacking rumors regarding US drones was that our opponents were able to hack into and capture the video feed a drone was transmitting. It would seem an obvious idea to encrypt the flight control communications of US drones so that operational control of the drone could not be hijacked. Were the RQ-170 Sentinel designers too stupid to ensure this?

  10. MadDog says:

    @MadDog: I should mention that according to an AviationWeek footnote in that Wikipedia entry for the RQ-170 Sentinel:

    “…The “RQ” prefix for the aircraft indicates an unarmed drone, unlike the “MQ” designation used for Predator and Reaper aircraft equipped with missiles and precision-guided bombs…”

    A couple of points regarding this:

    1) The AviationWeek article is old and dated from December 26, 2009, and in the interim, arming of the RQ-170 Sentinel may have taken place.

    2) In addition, we don’t know, both because of the classified nature of the US drone program as well as the common feature/mission creep of most military programs, whether the name and designation of the Sentinel has changed to reflect a new capability such as being equipped with armament.

  11. rugger9 says:

    @MadDog: #6
    Very good questions indeed, since none of the Iranian nuclear facilities are in the East from what I see on the map.

    Maybe they’re putting in secret ones, but your point about support is valid, why do real-time missions like this if no ISAF are there?

  13. Jim White says:

    All ur drones are belong to Persia.

    Geez, the @DrunkenPredator Twitter account may be less satire than we imagined.

    I can only imagine the panic at many levels of the military today. They are the ultimate control freaks and it has just been demonstrated to the world that they have lost control of one of their favorite toys.

    I wonder if this event will be the final straw for DoD to implement some of the computer security steps Marcy has been trying to sell them on for several years.

  14. MadDog says:

    @rugger9: Another set of factors that implies a US tactical operation against Iran:

    1) The RQ-170 Sentinel is designed to be at least moderately stealthy so it can be deployed to avoid radar detection. The Taliban have no radar stations, so hence there would be no reason to use a stealthy RQ-170 Sentinel just to surveil or target them. Standard US non-stealthy drones like the Predator and Reaper would do just fine.

    Iran, on the other hand, has a lot of radar stations to detect aircraft, so in attempting to penetrate Iran’s airspace undetected, it would seem likely that the US would opt for the use of a stealthy aircraft.

    2) Unlike other US drones like the Predator and Reaper, the RQ-170 Sentinel is not propeller-driven. Instead, it uses a jet aircraft engine. The use of a jet engine in the RQ-170 Sentinel means that it has far less “loiter capability” due to its jet engine fuel consumption than the prop-driven Predator and Reaper drones.

    Basically, this means that the duration of an operation using an RQ-170 Sentinel must be far less than one using either a Predator or Reaper drone.

  15. emptywheel says:

    @MadDog: Again, you’re assuming it was really the Sentinel. The Iranians are no more credible than we are. And if it was the Sentinel, we might not have confirmed as quickly as we did.

  16. MadDog says:

    @emptywheel: Yeah, that is a big mystery that hasn’t yet been reasonably explained. It would seem a big propaganda opportunity for Iran, and the fact that they haven’t (yet) made pictures available surely casts some measure of doubt on their claims.

    That said, in the news reports quoting US officials that I’ve read thus far, none of them have made any attempt to deny that the downed drone was a Sentinel.

    We shall see, shan’t we? Or maybe not. *g*

  17. MadDog says:

    @emptywheel: Still a good point! Even if we assume that it is not a Sentinel, but instead another US drone like the Predator or Reaper (or really a whole host of other US drones — the list has been growing by leaps and bounds these last 10 years), I think we can still safely proffer that it was being used for a tactical operation rather than strategic reconnaissance. The US has far bigger and better platforms to conduct strategic reconnaissance.

    That said, if we posit that the US drone was downed in Iranian airspace (as opposed to just on the Afghan/Iran border), one would still think that the US would not attempt to penetrate Iranian airspace with a non-stealthy drone.

    If this was just a US drone operation on the Afghan/Iran border (say to monitor and surveil infiltration of arms or people), and the drone just came down on the wrong side of the border, then non-stealthy drones like the Predator or Reaper would obviously still be in the possibility mix.

  18. MadDog says:

    From the WaPo’s piece on the downed drone about 1/2 hour ago:

    “…It is not clear what might have caused the drone’s pilots to lose control of the aircraft as it flew near the Iranian border. The claim by the Iranian news agency that the surveillance drone had been recovered with “little damage” seemed to cast doubt on the claims that it had been shot out of the sky.

    “If this happened, it is a 95 percent chance that it just malfunctioned,” said a second senior Pentagon official, who also spoke on the condition of anonymity. “There are a lot of things that can fail.”

    In the past, pilots have lost satellite connections to drones, causing them to veer off course, run out of fuel and crash. It is also possible that the aircraft suffered other mechanical problems.

    U.S. officials brushed off claims about a cyber-attack downing the drone as preposterous.

    Such attacks are very difficult to execute, especially with the latest generations of aircraft, which use encrypted satellite technology that is very hard for ground systems to intercept and modify, said cyber experts. Even if an enemy could somehow breach the satellite communications, only the most sophisticated adversary could crack the encryption protecting control codes, experts said…”

    A couple thoughts on what the WaPo reports:

    1) The piece seems to confirm that US drone flight control communications are encrypted.

    2) Assuming again for sake of argument that the downed drone was an RQ-170 Sentinel, unless it “autonomously” attempted to land itself, I find it hard to believe that it would be, as the Iranians claim, “downed with little damage”.

    Think about it. All “flying wing” aircraft are inherently unstable. The RQ-170 Sentinel supposedly has a takeoff weight greater than “8,500 pounds”.

    Again, if an RQ-170 Sentinel was not attempting to land itself “autonomously” or by the since US preposterously denied claim of Iranian cyber-control, then something weighing over “8,500 pounds” falling out of the sky, and even from only 100 feet, would smash itself to pieces.

  19. MadDog says:

    Via this evening’s NYT’s piece on the Iranian missile site explosion that happened 3 weeks ago, David Sanger and William Broad try to make a nexus to the downed US drone story. I take their reporting on this aspect with a grain of salt. Maybe even the entire salt shaker:

    “…As concerns about Iran’s intentions have deepened in the West, intense surveillance efforts have been turned on suspected Iranian weapons sites. Iran has frequently accused the United States and Israel of spying and sabotage programs, and on Sunday made another such claim, saying it had shot down an advanced American RQ-170 drone in eastern Iran…

    [snip]

    …There have been reports for months, all unconfirmed, that the same drone was being used regularly over Iran, presumably to hunt for hidden nuclear or missile sites…

    [snip]

    …If a drone was used for intelligence gathering in Iran, it presumably would not belong to the military — since there are no open hostilities with Iran — but rather to the C.I.A. or another intelligence agency, acting under a presidential finding about the Iranian nuclear program…”

    Again, I would reiterate that to me, this does not compute. The US has far more capable strategic reconnaissance systems that have been used for decades now for identifying nuclear facilities and missile sites.

    Flying drones across borders and violating another nation’s airspace for the purpose of identifying nuclear facilities and missile sites as David Sanger and William Broad suggest in their piece, even stealthy ones like the RQ-170 Sentinel, just doesn’t make sense when the US has far more capable reconnaissance satellite systems built for that express purpose and has been using them for this very purpose for decades.

  20. Bob Schacht says:

    @MadDog:

    Didn’t EW write an important diary some time ago on the crappy software we were using to control the drones, and how easy it was to intercept drone communications or some such? What I remember is that the software was on the same level as is used for amateur model airplanes. Has the software situation improved?

    Bob in AZ

  21. MadDog says:

    A couple more observations:

    1) Whichever version of US drone was downed, it likely ran out of fuel and crashed, breaking up into pieces.

    2) It is likely that if it came down in Iran, there are enough identifiable parts remaining for the Iranian claim that it is a US RQ-170 Sentinel.

    3) I find it interesting that the US is not denying that a US RQ-170 Sentinel has been lost. If it wasn’t an RQ-170 Sentinel, I would normally expect the US to laughingly and adamantly deny the Iranian claim. Nothing of the sort has come out from the US.

    4) If it was a US RQ-170 Sentinel, I would hazard a guess that the Iranian claim that the drone was recovered with little damage is likely a disinformation attempt by the Iranians to create as much uncertainty and angst within the US National Security establishment.

    5) So too would be the Iranian claim that they had cyber-hijacked control of the drone. Again, a likely disinformation attempt by the Iranians to create uncertainty and angst within the US National Security establishment.

  22. Jim White says:

    @MadDog: That nearly made me lose my breakfast. Funny how Daily Beast doesn’t bother to put in any disclaimers noting how much Ijaz profits personally from international instability through his investment holdings in the “homeland security” type market. And yet they give him free rein to add to the insecurity…

  23. William Ockham says:

    The most likely explanation is that we lost control of the drone due to a software and/or communication failure. If that is the case, the drone probably kept flying in whatever direction it had last been pointed towards. Which could explain how it ended up in Iran. Like MadDog, I will believe the “little damage” story when I see a picture of it.

    Both sides in this story have a powerful incentive to dissemble, mostly to keep the other side guessing what the truth is.

  24. emptywheel says:

    @MadDog: Again, I think you’re not considering a whole bunch of other possibilities.

    What if it was an Israeli drone designed to come down and explode?

  25. Jim White says:

    @MadDog: I’m wondering if Iran’s claims resulted in the US disclosing classified information about how drones actually operate. How much did Iran and others learn from this article that they didn’t know before?

  26. Heitzso says:

    I wonder whether the keylogging virus was actually on the drone controlling site’s computer systems. If someone was concerned that in the future killing our citizen w/o a trial via drone would lead to criminal action against some part of the chain of command, then claiming the virus and then wiping the drives might be a convenient way to get rid of any evidence. Just thinking …

  27. Bob Schacht says:

    @MadDog: How about Iran learned how to jam the drone’s communications, causing it to meander aimlessly, finally running out of fuel and having a non-catastrophic landing?

    Update: EW already provided the answer.

    (and thanks for the reference to EW’s earlier post.)

    Bob in AZ

  28. jeo marimon says:

    @emptywheel: there’s no relation software-wise, but the stealth technology was on board, this drone is built to be maneuvered with a stick, there’s also lots of recording devices aboard, heat sensors, etc.
    It was not knocked down, it was human error that brought it down.
