There has been a lot of speculation today surrounding this Wall Street Journal article:

According to this article, the insurgents were able to capture drone video feeds using software like SkyGrabber.  SkyGrabber is, according to its website, essentially a sniffer for satellite Internet connections that can recognize and extract.  This works because the data stream from the satellite to the clients on the ground is undirected.

This article has fueled a lot of discussion along the lines of “Why aren’t drone feeds encrypted?”.  There are plenty of people writing about that question, so I’m going to take it in another direction:

“What if we (including the WSJ) are missing something here?”

What if the videos found on insurgent laptops were not direct data streams from the drones themselves?  What if they were actually captured as files being shuffled from one place to another over a satellite Internet connection, after they had been recorded and saved?

Now, I haven’t used SkyGrabber, so I would like some feedback from someone who has used it on this, but there are some things that don’t really make sense to me yet about this.  Looking at the feature list for SkyGrabber and (especially) the screenshots, I see progress bars for the downloads.  A progress bar indicates that you know when the file you’re downloading will end.  That indicates, to me at least, that SkyGrabber gets most of its data from protocols like HTTP (and P2P protocols as it states on the product pages) that indicate the size and name of files that they are about to transmit.

How do you know when a live stream, such as one that a drone is transmitting, is going to end?  How likely is it that, if it does record live streams, SkyGrabber would be able to recognize whatever streaming format the drone uses?  Someone with some experience using SkyGrabber (or, more unlikely, unmanned drone communication protocols) might be able to chime in on this.

Now, if recordings are being shuffled around after a mission from location to location, then it would make sense for those to go over protocols that SkyGrabber might understand.  This would fit with the “U.S. officials” statement that there was no evidence that the flights could be controlled or interfered with.

Without any other evidence, it’s hard to take the WSJ article as the complete story.  There’s a lot of room for alternatives:

  • The feeds being intercepted may not be live
  • Software other than SkyGrabber might be used
  • Maybe the story’s right-on and the drone is communicating over well-understood and parse-able protocols

It’s even possible that, while these incidents could have involved interception of non-live data, that the drones do communicate unencrypted and the possibility exists (with better tools) to intercept their feeds.

It’s very hard to say, but there are some of my thoughts on the matter.

  16 Responses to “Using SkyGrabber to Hack Unmanned Drones?”

  1. I don’t understand how they would be able to capture the drone signal. It’s above them and the dish is pointed up. Maybe I’m missing something, or don’t fully understand satellite communication. I didn’t think it was an omni-directional signal.

    • Greg,

      (Following with the premise of the WSJ article) What they would be catching is data coming back down from the satellite, which basically acts as a repeater/hub for the network. They would see the same data stream the legit control/monitoring station would see from the satellite.

      (though it’s unclear how it really works)

  2. The terrists have rocket packs (see Rocketeer), they can fly between the drones (which must fly at a low altitude) and the satellites. It is very tricky holding the laptops at that altitude, so they do hand exercises in their training camps, to be able to hold the computer in one hand during flight.

    Nice post McGrew. There are key missing details in the story as you identify (albeit that seems to be the way of news these days).

  3. It’s also possible, although less likely, that the captured video was intentionally left unsecured in order to determine the counter-surveillance capabilities of insurgents, or it’s deliberate misinformation.

    I used to work for a company that sold softwear to move data around securely. At one point we were contacted by a the government about the possibility of us writing some softwear specifically for satelittes. I can’t imagine they really aren’t encrypting the data, because they certainly know it’s possible.

  4. I’m going to suggest a simpler explanation: videos are being shared by military staff and consultants to other military, consultant and third parties over unencrypted internet connections. Describing this as a complicated telecommunications encryption problem makes things seem a lot more grey and allow the military to save face.

    It is unlikely that SkyGrabber could pull a direct feed. This would imply that commercial over-the-counter direct broadcast satellite internet systems are coinciding in frequency with drone video feed downlinks, or worse, that drones are utilizing commercial direct broadcast satellite internet for these feed uplinks (and people are pulling live feeds off the downlinks).

  5. UAVs of multiple sorts are being used in the area of operations. They’re not all advanced Predator drones.

    Not all companies who develop these devices think of securing their communications. It’s just not a serious consideration during development. It could be that this is the video feed from one of these /other/ drones.

  6. I don’t see the interception of live feeds as the greatest risk at hand. If the drones indeed communicate over unencrypted channels for video, what is the probability that the drones also receive control commands over unencrypted signals? Would the insurgents be able to carry man-in-the-middle attacks this way?

  7. Schneier has an interesting clarification here:
    http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html

    Apparently, the command and control link is encrypted, but not the video feed. He provides an interesting analysis as to why — but it boils down to key management and the idea that it’s better for the allies and the insurgents to have the video feed than for the allies not to have it.

  8. so you wanna play games newfag, THIS MEANS WAR

    OPERATION WeSlay McGrew

  9. The only thing I can think of is a lag in the computers having to decrypt the message but this is so slight and if its really a problem just do a 16 bit encryption. It would keep them from seeing the video at real time at least.

    Could there be issues in ensuring that the American war fighter on the ground must see the video as well and to ensure that no Americans were kept out of the loop on the video due to not having a log in or what not in critical times they just kept it unencrypted? This explanation doesn’t seem like a good one tho.

    To me it sounds like someone just messed up and now its time to fix it.

  10. this is not just about video ,
    satellite communications has some inherent vulnerability in their initial design!

  11. While it is possible and even probable that the video was repeated by the satellite, I find it difficult to imagine that insurgents would be able to hijack the video with any length or clarity to it.

    I’ve done some research on satellites, and, you would essentially have to be in the downstream range of the satellite to receive its traffic, as it’s in orbit (or geosynchronous orbit). Typically these downstream ranges only last a few minutes, unless you know the satellite path and drive as fast as it’s orbiting.

    Drake Anubis used some stuff similar to SkyGrabber (something home brew) and tried to pick up images from weather satellites. Here’s what he got:

    http://drakeanubis.com/?q=node/22

    Apparently he recently made a mess of his site (drakeanubis.com). If you can find a cached copy of the above URL, you’ll find the results.

    There’s also an internet radio show where he discusses it here:
    http://hackerpublicradio.org/eps/hpr0136.mp3

    I think its more likely that there was a third party involved, or that this was already saved footage, or footage being exchanged over the internet as opposed to via a satellite feed that was captured. It may have originated from a satellite feed, but it doesn’t seem very feasible.

  12. Playing safe means to assume that, if there is any doubt, the drones were hacked.

  13. Greg, you wrote “…I don’t understand how they would be able to capture the drone signal. It’s above them and the dish is pointed up…” That’s underestimating an enemy, a potentially fatal strategic flaw.

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

   
© 2012 McGrew Security Suffusion theme by Sayontan Sinha