A very significant event, interesting from a tactical point of view, took place in the Donbass theater of operations in early December 2016. As became known on December 8, close to midnight, electronic reconnaissance and electronic warfare specialists succeeded in intercepting the control radio channel of an RQ-11B "Raven" territorial reconnaissance unmanned aerial vehicle. This was reported by the well-known news agency Reuters with reference to the command of the Ukrainian Air Force. The drone's control radio channel was analyzed by the electronic intelligence units of the People's Militia Corps of the Lugansk People's Republic and then replicated by the militia's electronic warfare equipment, but with entirely different "packets" of commands, with the help of which the "Raven" was safely landed on territory controlled by the LPR Armed Forces. The demonstrated vulnerability of the drone's data link to interception had a tremendous effect on the General Staff of the Armed Forces of Ukraine, up to a temporary abandonment of the use of the RQ-11B in Donbass.
According to Reuters, citing Ukrainian sources, the Armed Forces of Ukraine use drones with analog radio control modules whose data packets carrying the various radio commands are very easy to crack, which is why such cases occur. Nevertheless, the issue is far more complicated than the poorly qualified Reuters staff, or the spokesmen of the General Staff of the "Independent", describe it. After all, we are all well acquainted with the more "daring" examples of interception and landing of larger and more advanced regional reconnaissance UAVs, among which is the RQ-170 "Sentinel" from Lockheed Martin. As is known, this aircraft, 4.5 m long with a wingspan of 20 m, is controlled through complex digital radio control channels that use pseudo-random frequency hopping (with hop rates of up to tens of kHz), as well as various techniques for scrambling the telemetry and radio command channels. … Nevertheless, even the top-secret Sentinel, "stuffed" with an advanced component base, was "landed" by Iranian electronic warfare assets in the eastern part of Iran five years ago, in December 2011.
According to sources in the General Staff of the Islamic Republic of Iran, the operators of the Iranian electronic warfare equipment managed to gain control over the American drone's control systems by analyzing, copying and substituting the information "packets" of the GPS radio control channel emitted by antenna installations at one of the US air bases or military camps in western Afghanistan … Such a technique looks extremely unlikely, since it is known that a UAV of the Sentinel's class is not controlled through a direct radio channel within the radio horizon, but through a specialized GPS channel from a satellite. Moreover, this channel uses exclusively narrow-beam directional antennas installed on the upper part of the UAV fuselage and aimed at the upper hemisphere. The question automatically arises: how did they manage it?
The most plausible version involves the use of modernized GPS spoofers: portable radio transmitters operating at 1227.6 MHz and 1575.42 MHz (all GPS receivers of drones, both civilian and military, operate at these frequencies; the latter are often additionally equipped with signal encoding modules). These transmitters carry out a so-called "spoofing" attack on the receiving GPS module of a given unit (drone, ship, unmanned ground combat vehicle), slowly deviating it from its assigned trajectory by transmitting false data about its true position in space. It is much easier to make a civilian GPS device with a standard omnidirectional antenna follow false coordinates than a unit with a narrow-beam directional antenna installation. To influence the latter, not only is a more powerful amplifier in the decimeter L-band (in which the two main GPS channels lie) often needed, but also a position for the GPS spoofer above the target, which may require the use of a higher-altitude drone or a specialized electronic reconnaissance and electronic warfare aircraft acting as the lead machine in this pairing. This delivers a stronger false signal to the GPS receiving antenna, which "looks" into the upper hemisphere above the enemy reconnaissance UAV. Iran could well have used its own electronic warfare aircraft, equipped with modern Chinese hardware, including GPS spoofers, to seize control over the Sentinel.
Given that control over the American RQ-170 was seized over the western border areas of Afghanistan and eastern Iran, there is another version of what happened, associated with the favorable terrain. Eastern Iran abounds in mountain ranges with peaks from 2800 to 4000 meters, and deploying GPS spoofers in this area increases the probability of successfully overpowering the satellite GPS channel with a false channel emitted directly by a spoofer with a powerful amplifier, since the antenna of the intercepting complex is then located several kilometers closer to the enemy drone. Such an interception would have been most favorable if the RQ-170 Sentinel was flying at an altitude of 2.5 to 3 km. In that case it was enough for the Iranian spoofers to set up on any mountain elevation in the eastern part of the country to get into the coverage area of the RQ-170's GPS antennas, after which they could begin the "spoofing" attack.
To carry out a flawless "spoofing" attack, constantly updated information on the exact coordinates of the unit carrying the GPS module is required, which can be obtained with the modern electronic reconnaissance assets in service with the Air Force of the Islamic Republic of Iran. The simplest and most accurate of them may be considered the "Casta-2E2" radar. The station operates in the decimeter band and is capable of detecting and tracking small aerial targets, including UAVs, with an accuracy of 100 m. This is quite enough to reliably track a drone as large as the RQ-170 Sentinel. Once the radar has established the target's track and "packets" of data with the target's changing real position arrive at the operator's "spoofing" complex at short intervals, the first stage of the attack begins: the drone is acted on with a slightly more powerful GPS signal from the spoofer carrying the correct "packet" of target coordinates received from the radar. Then the EW operators, using the "spoofing" software algorithm, gradually deflect the enemy unmanned vehicle from the flight trajectory set by the satellite, turning it from an autonomous into a slaved aerial "tool" with which almost anything can be done, up to turning it into a kamikaze drone, but only within the coverage area of the "spoofing" complex (Iran does not yet have its own satellite navigation constellation).
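The attack just described works because the receiver keeps believing each successive, slightly shifted fix. The counter-measure on the receiving side is a consistency check between the GPS fix and the aircraft's own inertial dead reckoning. The following is an added example, not code from the article or from any of the systems it names: it models the INS as a constant-velocity track in a local east/north metre frame (an assumption), feeds it three constructed 20-second tracks, and shows why a per-step check alone is not enough, since the gradual pull-off keeps every single step plausible and is only caught by the cumulative divergence test. The thresholds are hand-picked for the sample data.

```python
# Added example (not from the article): a receiver-side consistency check that
# flags a GPS "spoofing" pull-off by comparing each GPS fix against inertial
# dead reckoning from the last trusted fix.
# Assumptions (labelled): a local east/north metre frame, a constant-velocity
# INS model, 1 s fix interval, and hand-picked thresholds for the sample tracks.
import math
from dataclasses import dataclass


@dataclass
class Fix:
    t: float  # seconds since the last trusted fix
    x: float  # east offset, metres
    y: float  # north offset, metres


def dead_reckon(anchor, velocity, t):
    """Position the INS predicts at time t under the assumed constant-velocity model."""
    vx, vy = velocity
    return anchor.x + vx * (t - anchor.t), anchor.y + vy * (t - anchor.t)


def detect_spoofing(fixes, velocity, step_tol=20.0, drift_limit=150.0):
    """Return (index, reason) of the first suspicious fix, or None if the track is consistent.

    'jump'  : one fix moved a very different distance than |v|*dt predicts
              (abrupt takeover by a stronger false signal).
    'drift' : every step looked plausible, but the cumulative divergence from
              the dead-reckoned track exceeds drift_limit (the gradual pull-off
              that a per-step check alone would miss).
    """
    speed = math.hypot(*velocity)
    anchor = fixes[0]  # last fix the INS agreed with; trusted by assumption
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        step = math.hypot(cur.x - prev.x, cur.y - prev.y)
        if abs(step - speed * (cur.t - prev.t)) > step_tol:
            return i, "jump"
        px, py = dead_reckon(anchor, velocity, cur.t)
        if math.hypot(cur.x - px, cur.y - py) > drift_limit:
            return i, "drift"
    return None


# --- constructed sample tracks: 20 s of flight due east at 30 m/s -------------
VELOCITY = (30.0, 0.0)  # m/s east, as reported by the INS (constructed)


def genuine_track():
    """Honest fixes with a small deterministic receiver jitter of up to 1.5 m."""
    return [Fix(t, 30.0 * t, 1.5 if t % 2 else 0.0) for t in range(21)]


def abrupt_spoof_track():
    """A strong false signal snaps the reported position 300 m east at t = 5."""
    return [Fix(t, 30.0 * t + (300.0 if t >= 5 else 0.0), 0.0) for t in range(21)]


def gradual_spoof_track():
    """The spoofer adds 12 m of northward error per second: each step is only
    about 2.3 m longer than expected, so only the cumulative check catches it."""
    return [Fix(t, 30.0 * t, 12.0 * t) for t in range(21)]


if __name__ == "__main__":
    for name, track in [("genuine", genuine_track()),
                        ("abrupt spoof", abrupt_spoof_track()),
                        ("gradual spoof", gradual_spoof_track())]:
        print(f"{name:14s} -> {detect_spoofing(track, VELOCITY)}")
```

The drift limit is the parameter that matters: set it too loosely and a slow enough pull-off stays under it for the whole flight, which is exactly the regime a patient spoofer aims for; set it too tightly and ordinary INS drift trips it, so in practice it is tied to the INS error budget over the time since the last trusted fix.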
It is also worth noting here that the Russian 1L222 "Avtobaza" radio intelligence systems purchased for the needs of the Iranian Air Force cannot, from a technical point of view, be used to suppress and "hack" the GPS channel of the RQ-170 Sentinel, since Avtobaza is a passive radio-technical reconnaissance (RTR) asset. Moreover, the 1L222 cannot be used as a tool for analyzing data "packets" from the GPS orbital satellite constellation, since its receiver covers only the centimeter frequency range from 8 to 17.544 GHz. The Avtobaza complex is designed for direction finding of X-/J- and Ka-band airborne radars of tactical aviation, the radio altimeters of Tomahawk strategic cruise missiles and other high-precision missile weapons flying in terrain-following mode, as well as the active radar seekers of air-to-ship and air-to-surface missiles and medium- and long-range air-to-air missiles. The information regarding the use of the experimental Belarusian "Nave-U" electronic warfare systems, designed to suppress GPS channels, may look more logical.
Other sources also spin complete nonsense, claiming that a failure of the INS and the entire avionics of the RQ-170 drone could have been caused by the powerful SNP-4 noise jamming station supplied by Belarus. These pseudo-specialists have completely forgotten the true purpose of the SNP-4 complex. Firstly, the station is designed for passive electronic reconnaissance of enemy radio-emitting multifunction airborne radars operating in the centimeter band, and for their subsequent suppression at a distance of no more than 60 km. The SNP-4 station is not a super-powerful ground-based electronic countermeasures system capable of completely disrupting the stable operation of the autopilot systems of the RQ-170 Sentinel, as the Ranets-E ultra-high-frequency complex can do. Secondly, most of the component base of modern on-board radio-electronic equipment, including all loops, wiring and other components, is shielded and often also covered with specialized radio-absorbing materials to get rid of the negative effects of electronic countermeasures. And the maximum power of the SNP-4 noise jamming station does not exceed 2.5 kW, which is a drop in the ocean by the standards of modern radio engineering. The bottom line is this: a "spoofing" attack is the most realistic option for seizing control of the American RQ-170 "Sentinel" UAV.
The most advanced capabilities for "hacking" UAV radio channels today belong to the domestic electronic warfare system "Rosehip-AERO". This unit is capable of: electronic reconnaissance for the presence of radio channels controlling enemy UAVs; analysis of those radio channels (including extraction of data "packets" with control commands and return telemetry); and full-fledged "spoofing" attacks on enemy drones using the GPS radio navigation suppression channel for all types of consumers. A large number of antenna installations of various types allows the most accurate direction finding of UAV radio control channel sources in the range from 25 to 2500 MHz. To suppress drone radio control channels, Rosehip-AERO has 4 bands of radio-electronic interference countermeasures and correction: 0.025 to 0.08 GHz, 0.4 to 0.5 GHz, 0.8 to 0.925 GHz, and 2.4 to 2.485 GHz.
"Rosehip-AERO" was first demonstrated to the general public in 2012, within the framework of the International Forum "Technologies in Mechanical Engineering-2012", by the Vega radio engineering concern. And already in July 2016 the first reports appeared from the Ukrainian side about the arrival of the complex in the capital of the Donetsk People's Republic. Of course, listening to statements from Kiev is a thankless task, but one would like to hope that Rosehip-AERO complexes really do stand guard over the long-suffering Russian city of Donbass, Donetsk. These complexes could be an excellent help in protecting the population of Novorossia from the constant destructive artillery strikes on schools, shops, houses and the strongholds of the DPR Armed Forces, which did not stop even after the conclusion of the regular ceasefire agreements for the New Year holidays. Territorial aerial reconnaissance by UAVs on the part of the Kiev Nazis poses not only an indirect threat, consisting in reconnaissance of the most populated objects for artillery strikes, but also a direct one, since the Armed Forces of Ukraine have been engaged in outright terror for more than six months. Thus, "Osa-AKM" self-propelled anti-aircraft missile systems and the anti-aircraft artillery systems of the People's Militia of the LDNR have intercepted more than 5 reconnaissance drones of the Armed Forces of Ukraine fitted with homemade hardpoints carrying homemade aerial bombs, created on the basis of various hand grenades, shell warheads and other explosive devices. In such conditions, Rosehip-AERO becomes an irreplaceable tool.
Let us return to the cases of interception of the radio control channel of the American RQ-11B "Raven" UAV purchased by the "Independent". "Hacking" this hand-launched drone absolutely does not require means as sophisticated as "Rosehip-AERO". The "Raven" is also equipped with a GPS module, but with a simpler omnidirectional antenna: this allows the drone's navigation system to be "jammed" even with the simplest portable GPS channel suppression kit. And since Ukrainian militants often use the RQ-11B under radio command guidance within line of sight (up to 10 km), it is not difficult for the militia to locate the command and control points. What is enough for direction finding of RQ-11B control channel sources within the radio horizon?
Today, for most of the knowledgeable residents of the liberated and occupied territories of the Donetsk and Lugansk People's Republics, a small digital device called a DVB-T tuner is very familiar. The device combines the functions of a full-fledged radio receiver, a TV tuner and a frequency scanner capable of covering radio frequencies in the range from 24 to 1750 MHz. The compact DVB-T tuner card is built around the RTL2832U + R820T2 radio frequency chipset, which has fairly high sensitivity with an excellent noise rejection ratio on the air. The population and military personnel of the LPR often use the device to detect the radio stations of Ukrainian military formations on the air, which can sometimes help to prepare for unforeseen circumstances (shelling, movement of equipment, and places of possible escalation of hostilities). As is known, the frequency range of portable radio stations lies between 136 and 174 MHz, while the analog control range of the UAV lies at higher frequencies.
Armed with a homemade, narrow-beam directional antenna connected through the antenna output and an adapter to the SDR tuner, one can easily determine the approximate direction of the emitted radio control channel of the RQ-11B drone from the peaks in the frequency diagram. The frequency diagram is displayed in the SDRSharp program installed on a portable tablet or laptop running Windows. For devices running Android (smartphones and tablets), there is similar software called "SDRTouch". Tuners are connected to the computer via the USB interface. The price of the matter is no more than 550 to 600 rubles, and therefore DVB-T tuners are among the most purchased electronic devices that volunteers deliver for the needs of the intelligence units of the People's Militia Corps of the LDNR.
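Reading peaks off the SDRSharp waterfall by eye is the manual version of a very simple piece of signal processing. The block below is an added example, not code from the article or from SDRSharp: it takes a wideband power-spectrum scan of the kind the RTL2832U/R820T2 tuner produces, estimates the noise floor with a median, picks out local maxima that rise a fixed margin above it, and labels each carrier with the bands the article mentions (the 136 to 174 MHz portable-radio range and the four Rosehip-AERO countermeasure bands). The scan itself is constructed in the code with deterministic pseudo-noise and three synthetic carriers; the 1 MHz bin width and 12 dB margin are assumptions, and the band labels are the article's figures, not a claim about what any given real transmitter is.

```python
# Added example (not from the article): locating carrier peaks in a wideband
# power-spectrum scan such as an RTL2832U/R820T2 DVB-T tuner produces, then
# labelling each peak with the bands the article mentions.
# Assumptions (labelled): a constructed 1 MHz-resolution scan from 24 to
# 1750 MHz, synthetic noise, and a 12 dB detection margin above the median floor.

# Bands named in the article: the portable-radio VHF range and the four
# countermeasure bands of Rosehip-AERO (the 2.4 GHz band is outside the tuner's reach).
BANDS = [
    (25, 80, "25-80 MHz countermeasure band"),
    (136, 174, "136-174 MHz portable radio band"),
    (400, 500, "400-500 MHz countermeasure band"),
    (800, 925, "800-925 MHz countermeasure band"),
    (2400, 2485, "2400-2485 MHz countermeasure band"),
]


def classify(freq_mhz):
    """Label a frequency with the first matching band, else 'unclassified'."""
    for lo, hi, label in BANDS:
        if lo <= freq_mhz <= hi:
            return label
    return "unclassified"


def noise_floor(levels_dbm):
    """Median of all bins: robust to a handful of strong carriers."""
    s = sorted(levels_dbm)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def find_peaks(scan, margin_db=12.0):
    """Return [(freq_mhz, level_dbm, band_label)] for local maxima that rise at
    least margin_db above the median noise floor. Shoulder bins next to a strong
    carrier are excluded because they are not local maxima."""
    freqs = [f for f, _ in scan]
    levels = [p for _, p in scan]
    threshold = noise_floor(levels) + margin_db
    peaks = []
    for i in range(1, len(levels) - 1):
        if levels[i] > threshold and levels[i] > levels[i - 1] and levels[i] >= levels[i + 1]:
            peaks.append((freqs[i], levels[i], classify(freqs[i])))
    return peaks


def constructed_scan(carriers=((146, -60.0), (433, -58.0), (915, -62.0))):
    """Synthetic 1 MHz-step scan: about -100 dBm floor with +/-3 dB deterministic
    pseudo-noise, plus the given carriers, each with -75 dBm shoulder bins."""
    state = 12345
    scan = []
    for f in range(24, 1751):
        state = (1103515245 * state + 12345) % (2 ** 31)  # small LCG, fixed seed
        scan.append([f, -100.0 + (state % 601) / 100.0 - 3.0])
    wanted = {f: p for f, p in carriers}
    for i, (f, _) in enumerate(scan):
        if f in wanted:
            scan[i][1] = wanted[f]
            scan[i - 1][1] = max(scan[i - 1][1], -75.0)
            scan[i + 1][1] = max(scan[i + 1][1], -75.0)
    return [tuple(b) for b in scan]


if __name__ == "__main__":
    for f, p, label in find_peaks(constructed_scan()):
        print(f"{f:5d} MHz  {p:6.1f} dBm  {label}")
```

The median floor is what makes the detector usable on a real scan: an average would be dragged upward by the carriers themselves, and a fixed absolute threshold breaks as soon as the tuner gain or the antenna changes. A band label only says where a carrier sits, not what it is; confirming a control link still requires looking at the modulation.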
The RQ-11B reconnaissance UAV that was "intercepted" and forced to land by the LPR's electronic warfare assets was moving towards the line of contact with the LPR from the direction of the settlement of Krymske. The terrain in this area is relatively flat, and therefore it was not at all difficult to locate the radio-emitting control station of the drone. The signal was analyzed and retransmitted to the Raven with greater power, so that control was taken over, and then the aircraft was simply given the command to land. To analyze the Raven's analog control radio signal (identifying the "packets" with aircraft control commands), more advanced software than "SDRSharp" or "SDRTouch" is needed, using more serious drivers and filters, which, obviously, the specialists of the LPR Armed Forces used …
There is also a lot of other software, drivers and filters designed to collect traffic from satellite channels. They can be slightly adapted for scanning and unpacking the weakly protected telemetry channels broadcast by various reconnaissance UAVs. For example, back in 2008, American servicemen captured a rebel whose laptop held photographs taken by American UAVs in the Iraqi theater of operations; other rebels, already in 2009, were found to have computers with several hours of video files that also showed reconnaissance scenes from American unmanned drones. According to Western information resources, a modified software package such as "SkyGrabber", priced at $26, was used to obtain the files.
Summing up the results of today's review, designed to examine in detail the issues of "hacking" the radio control channels of modern reconnaissance UAVs, two main points can be noted.