In December 2011, a Lockheed RQ-170 Sentinel descended smoothly onto a runway inside Iran, apparently intact. The CIA stealth drone had been operating near the Afghan border; it ended up near Kashmar, roughly 140 miles inside Iranian territory. U.S. officials attributed the loss to a malfunction. An anonymous Iranian engineer, speaking to the Christian Science Monitor, offered a different account: the Sentinel had been seized using GPS spoofing. The claim sounded implausible in 2011. By 2013, a University of Texas team had demonstrated from a yacht in the Mediterranean that it was not.

Jamming Announces Itself. Spoofing Does Not.

Jamming and spoofing are fundamentally different attacks, but the two get routinely conflated. Jamming raises the noise floor across GPS frequency bands until the receiver loses its position fix and triggers a failsafe — typically return-to-home or controlled descent. The attack is brute-force and loud; a jammer is conspicuous in the RF spectrum, its energy burst visible to any nearby RF sensor, its direction triangulatable in seconds.

Spoofing is the opposite of loud. A spoofing device transmits counterfeit signals that the GPS receiver accepts as legitimate satellite transmissions, delivering false Position, Velocity, and Timing (PVT) data without triggering any alarm. From the receiver's perspective, everything is nominal.

The vulnerability is architectural. GPS is a one-way broadcast system with no receiver feedback channel and no built-in authentication for civil signals. Satellites transmit; receivers listen. There is no mechanism by which a receiver can challenge a satellite to prove its identity. As Todd Humphreys, an aerospace engineering professor at UT Austin who has studied the problem longer than almost anyone, told IEEE Spectrum: "It's provable that you cannot, in all cases, detect spoofing."

Three Stages to Redirect an Aircraft

A carry-off spoofing attack proceeds in three stages. First, synchronization: the spoofer generates counterfeit signals matching the current time and orbital data of the genuine satellite constellation — information derivable from publicly available almanac data. Second, signal capture: the device increases its broadcast power marginally above the authentic signal until the receiver locks onto the counterfeit. The gradual transition avoids triggering a sudden signal-strength alarm. Third, carry-off: with the receiver locked, the spoofer incrementally alters signal timing or phase, steering the autopilot toward whatever destination the attacker has chosen.

A related technique, meaconing, skips full signal synthesis: it intercepts authentic GPS transmissions and rebroadcasts them with a time delay, introducing position errors without requiring the attacker to replicate GPS signal structure.

The Iranian engineer's account of the RQ-170 described a combined approach. Jamming severed the satellite uplink and forced the Sentinel into autonomous mode — "By putting noise [jamming] on the communications, you force the bird into autopilot" — then counterfeit GPS coordinates guided it to a controlled landing. The GPS system was, the engineer said, "the weakest point" of the drone's navigation, and the technique made it "land on its own where we wanted it to, without having to crack the remote-control signals." Robert Densmore, a former U.S. Navy electronic warfare specialist, called it "certainly possible" though not necessarily easy. Pentagon officials publicly questioned Iranian capability. No forensic detail from the aircraft has been released, and the engineer's account remains unverified.

What changed in June 2013 was the public evidence baseline. Humphreys and UT Austin graduate students Jahshan Bhatti and Ken Pesyna boarded the White Rose of Drachs — an 80-million-dollar superyacht crossing from Monaco to Rhodes, roughly 30 miles off Italy's coast — carrying a briefcase-sized device generating counterfeit civil GPS signals. The device gradually overpowered the yacht's authentic GPS, gained navigation control, and steered the vessel several degrees off course through incremental corrections. The ship's electronic chart continued to display a straight line.

"The ship actually turned and we could all feel it, but the chart display and the crew saw only a straight line." — Todd Humphreys, UT Austin

Capture, Not Destruction

For counter-UAS operators, spoofing offers something jamming cannot: an intact aircraft. Once a drone's receiver locks onto a counterfeit signal, the spoofer operator becomes the effective pilot, able to direct the aircraft to a controlled landing and access its camera feed and stored flight data. Jamming forces a crash or RTH; spoofing is a capture technique.

The same dynamic that makes spoofing attractive as a counter-drone weapon makes it dangerous as a background threat. Spoofing incidents have become endemic across the Eastern Mediterranean — near Syria, Cyprus, Lebanon, and Turkey — the Black Sea region, Iraq, Iran, and the Baltic states. In 2023, at least 20 civilian aircraft flying through the Middle East were misled into operating near Iranian airspace without clearance. The affected systems extend well beyond GPS coordinate displays: Flight Management Systems, Terrain Awareness and Warning Systems, ADS-B transponders, and RNP approaches are all degraded when navigation timing is corrupted.

Defense in Depth

No single countermeasure closes the spoofing vulnerability. Effective defense requires layering.

Cryptographic authentication addresses the problem at the signal level. The U.S. military's M-code GPS signal transmits an encrypted signal on both L1 and L2 bands at higher power than legacy civil signals; an attacker cannot replicate it without the encryption keys. M-code is expected to displace the older SAASM standard as the military baseline. On the civil side, Galileo's Open Service Navigation Message Authentication (OSNMA) provides cryptographic verification of navigation messages, blocking generative spoofing attacks that cannot reproduce authenticated codes.

Controlled Reception Pattern Antennas (CRPA) exploit geometry. Legitimate satellite signals arrive from overhead; spoofed signals originate from ground-based transmitters near the horizon. A CRPA uses spatially distributed antenna elements to perform beamforming — amplifying overhead signals — while nulling ground-level interference. A four-element array can suppress up to three simultaneous interferers, with null depths that vary by implementation.

Multi-constellation, multi-frequency receivers raise the attack cost. Tracking GPS, Galileo, GLONASS, and BeiDou across multiple bands can double or triple the available satellite count. Spoofing all constellations simultaneously on multiple frequencies demands substantially more sophisticated equipment.

Inertial cross-checking provides verification that signal manipulation cannot defeat. A tightly-coupled GNSS/INS integration runs satellite-derived position against independent accelerometer and gyroscope data through an extended Kalman filter. If GPS reports a left turn that the IMU recorded as straight-and-level flight, the inconsistency is flagged. Receiver Autonomous Integrity Monitoring (RAIM) adds redundant pseudorange checking across satellite signals, extended by Fault Detection and Exclusion (FDE) systems that allow continued navigation after suspect signals are removed.

Detection indicators — value jumps, Doppler shift anomalies that betray a signal's ground-based origin, timestamp irregularities during meaconing — offer partial visibility, but Humphreys's caveat holds: against a slow, sophisticated carry-off attack, none are reliable. Until M-code receivers and OSNMA authentication are universal on military UAS, the GPS navigation link remains the drone's most exploitable surface.

Sources