There has been a lot of speculation today surrounding this Wall Street Journal article:

According to this article, the insurgents were able to capture drone video feeds using software like SkyGrabber.  SkyGrabber is, according to its website, essentially a sniffer for satellite Internet connections that can recognize and extract files from the traffic it sees.  This works because the data stream from the satellite to the clients on the ground is undirected, so any receiver in range sees it, not just the intended client.

This article has fueled a lot of discussion along the lines of “Why aren’t drone feeds encrypted?”.  There are plenty of people writing about that question, so I’m going to take it in another direction:

“What if we (including the WSJ) are missing something here?”

What if the videos found on insurgent laptops were not direct data streams from the drones themselves?  What if they were actually captured as files being shuffled from one place to another over a satellite Internet connection, after they had been recorded and saved?

Now, I haven’t used SkyGrabber, so I would like some feedback from someone who has, but there are some things about this story that don’t really make sense to me yet.  Looking at the feature list for SkyGrabber and (especially) the screenshots, I see progress bars for the downloads.  A progress bar indicates that you know when the file you’re downloading will end.  That indicates, to me at least, that SkyGrabber gets most of its data from protocols like HTTP (and the P2P protocols it lists on the product pages) that announce the size and name of files before transmitting them.

How do you know when a live stream, such as one that a drone is transmitting, is going to end?  How likely is it that, if it does record live streams, SkyGrabber would be able to recognize whatever streaming format the drone uses?  Someone with some experience using SkyGrabber (or, less likely, with unmanned drone communication protocols) might be able to chime in on this.
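To make the progress-bar argument concrete, here is an added example (not code from the original post, and not how SkyGrabber itself works) that classifies a captured HTTP response the way a passive sniffer would have to: a transfer only gets a meaningful progress bar when the headers announce the size up front. The two responses are constructed samples; the filename, size and content types are made up.

```python
"""Classify captured HTTP responses as sized file transfers or open-ended streams."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transfer:
    filename: Optional[str]   # from Content-Disposition, if announced
    length: Optional[int]     # from Content-Length, None if not announced
    kind: str                 # "file" (known end) or "stream" (unknown end)


def classify_response(raw: bytes) -> Transfer:
    """Parse the header block of a raw HTTP response and decide if its end is knowable."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:                      # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    length = None
    if headers.get("content-length", "").isdigit():
        length = int(headers["content-length"])

    filename = None
    for param in headers.get("content-disposition", "").split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "filename":
            filename = value.strip().strip('"')

    # Chunked encoding or a missing Content-Length means the sender never said
    # how much data is coming, so a sniffer cannot know when the transfer ends.
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    kind = "file" if length is not None and not chunked else "stream"
    return Transfer(filename, length, kind)


def progress_fraction(transfer: Transfer, received: int) -> Optional[float]:
    """Progress (0.0-1.0) for a sized file; None when no progress bar is possible."""
    if transfer.kind != "file" or not transfer.length:
        return None
    return min(received / transfer.length, 1.0)


# Constructed samples: a recorded file being copied, and a live MJPEG-style stream.
FILE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: video/x-msvideo\r\n"
                 b"Content-Length: 1048576\r\n"
                 b'Content-Disposition: attachment; filename="mission_07.avi"\r\n'
                 b"\r\nRIFF<body truncated in this constructed sample>")
STREAM_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: multipart/x-mixed-replace; boundary=frame\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n<frames continue indefinitely>")
```

Running `classify_response` on the two samples shows the asymmetry the post relies on: the file copy yields a name, a size and a progress fraction, while the live stream yields neither a size nor a progress value.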

Now, if recordings are being shuffled around after a mission from location to location, then it would make sense for those to go over protocols that SkyGrabber might understand.  This would fit with the “U.S. officials” statement that there was no evidence that the flights could be controlled or interfered with.

Without any other evidence, it’s hard to take the WSJ article as the complete story.  There’s a lot of room for alternatives:

  • The feeds being intercepted may not be live
  • Software other than SkyGrabber might be used
  • Maybe the story’s right on and the drone is communicating over well-understood and parseable protocols

It’s even possible that, while these incidents could have involved interception of non-live data, the drones do communicate unencrypted and the possibility exists (with better tools) to intercept their feeds.

It’s very hard to say, but those are some of my thoughts on the matter.

© 2012 McGrew Security