Spy Tech: The GPS Numbers Station

We’ve talked before about number stations — mysterious shortwave transmitters repeating numbers, presumably for clandestine purposes. But, of course, the mere fact that they are unusual makes them stand out. The best place to hide something is in plain sight. In the old days, a broadcaster might slip a fake news story in mentioning a name that has a secret meaning, for example. But according to [Steven Murdoch], the United States has an even more obvious hiding place for a numbers station: inside GPS.

Every L1 C/A navigation message has a 176-bit field known by the affectionate moniker Subframe 4, Page 17. The GPS specification says it is for “special messages.” No one has disclosed what those messages might be.

[Murdoch] at University College London analyzed over 12 million GPS packets from 2007 to 2026, trying to understand what was in this field. You might think 176 bits isn’t much, and you are right. But the L1 C/A signal carries 50 bits per second, and each frame is 1,500 bits. As [Murdoch] points out: “every bit must earn its place.” Each subframe is 300 bits, so this mysterious signal is 12% of the subframe. It must be important to someone.
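To make the bit budget concrete, here is an added Python sketch (ours, not taken from [Murdoch]'s published code) that pulls the 176-bit field out of one subframe. It assumes the receiver has already checked and stripped parity, leaving ten 24-bit data words, and it uses the IS-GPS-200 word layout in which page 17 of subframe 4 carries page ID 55; the function names and the sample payloads are made up for illustration.

```python
"""Extract the 176-bit special-message field from GPS L1 C/A Subframe 4, Page 17."""

PAGE17_ID = 55                      # page ID marking page 17 of subframe 4 (IS-GPS-200)
FIELD_BITS = 16 + 6 * 24 + 16       # word 3 tail + words 4-9 + word 10 head = 176

def special_message(words):
    """words: ten 24-bit ints (parity already removed). Returns 22 bytes or None."""
    if len(words) != 10 or any(not 0 <= w < 1 << 24 for w in words):
        raise ValueError("expected ten 24-bit data words")
    subframe_id = (words[1] >> 2) & 0x7       # handover word, bits 20-22
    page_id = (words[2] >> 16) & 0x3F         # word 3, bits 3-8
    if subframe_id != 4 or page_id != PAGE17_ID:
        return None                           # some other subframe or page
    bits = words[2] & 0xFFFF                  # word 3, bits 9-24
    for w in words[3:9]:                      # words 4-9, all 24 bits each
        bits = (bits << 24) | w
    bits = (bits << 16) | (words[9] >> 8)     # word 10, bits 1-16
    return bits.to_bytes(FIELD_BITS // 8, "big")

def looks_like_text(field):
    """True if every byte is printable ASCII; opaque binary data will fail this."""
    return all(0x20 <= b <= 0x7E for b in field)

def build_page17(payload, tow=0):
    """Constructed test input: pack 22 bytes into a synthetic page-17 subframe."""
    if len(payload) != 22:
        raise ValueError("payload must be exactly 22 bytes (176 bits)")
    n = int.from_bytes(payload, "big")
    tlm = 0x8B << 16                          # telemetry word with preamble 10001011
    how = (tow & 0x1FFFF) << 7 | 4 << 2       # TOW count, subframe ID 4, spare bits 0
    w3 = 0b01 << 22 | PAGE17_ID << 16 | (n >> 160)
    mid = [(n >> (16 + 24 * i)) & 0xFFFFFF for i in range(5, -1, -1)]
    w10 = (n & 0xFFFF) << 8                   # last 16 message bits, trailing bits 0
    return [tlm, how, w3, *mid, w10]

if __name__ == "__main__":
    for sample in (b"CONSTRUCTED SAMPLE MSG", bytes(range(0x80, 0x96))):
        field = special_message(build_page17(sample))
        kind = "text" if looks_like_text(field) else "opaque"
        print(f"{kind:6} {field.hex()}")
```

Sorting captured fields by whether they pass `looks_like_text` is one simple first cut at spotting a change of format over a long capture.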

Even if you don’t find spy stuff that interesting, the techniques used to sift through 19 years of data using Python, Julia, and other tools are worth reading about. The source code is available, too.

In 2023, the field has, at least sometimes, changed format. However, the best guess is that the field is sending cryptographic rekeying to other systems.

Of course, the truth could be different, but you have to admit, hiding spy messages in the GPS stream is truly hiding in plain sight. Of course, there are still contemporary traditional number stations out there, too.

24 thoughts on “Spy Tech: The GPS Numbers Station”

  1. A major point of a numbers station is that the recipient doesn’t need any suspicious hard- or software. So that should a potential spy be ever captured and thoroughly searched, they can plausibly deny any spying activity.

    With the traditional short wave numbers station you just need a very common shortwave receiver and have memorized how to decode the messages.

    With the gps stuff you need a special gps receiver or a smartphone with a custom patched firmware instead.

    1. What could be more common than a smartphone? The special gps firmware could be well hidden and only get activated if you start a common location/mapping app and search for a special keyword.

  2. is a 176-bit field -> has a 176-bit field

    Each subframe is 300 bits, so this mysterious signal is 12% of the subframe. ->This mysterious … of the frame.

  3. Oh, and another downside of the GPS approach: Jamming and Spoofing

    In the regions around an active military conflict, like currently Ukraine and the Gulf region, you can see very wide-spread jamming of GPS, sometimes also spoofing. This would of course also mess up any messages sent via GPS.

    Since these are the regions where you’d need a covert message channel to your spies most, GPS might not be the best choice. In most other regions you can just use some hidden internet site or service instead.

      1. Well, it wasn’t hard enough for the Iran Cybercommand to hijack a Lockheed Martin RQ-170 Sentinel drone in 2011. https://en.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident
        The reverse engineering influenced the design of the Iran Shahed 171 Simorgh and Shahed 191 drones. In 2018 one of them was shot down and it was confirmed that the design is largely based on the US drone.

        So at least in 2011 the field wasn’t used to authenticate the GPS signal, I guess.

  4. The last group of Commie Spies that was captured (several years ago), was using PCs and steganography in images on the web to communicate. Also used is the technique of sharing a GMail or Hotmail address, typing in drafts but never sending them. The other end of the conversation reads the drafts and deletes them.

    The article mentions Over The Air Rekeying…but of exactly what, they remain coyly silent.

    1. Yeah I used to download images from Usenet. Of kittens, of course. I had a database of MD5 sums of all the files I already had or I’d decided I didn’t want, so when a file had the same checksum, it was removed automatically. But I noticed I’d always get the same batch of files every day that always had different checksums. No matter how many variations of checksums I saved, those always showed up the next day as new files. I always wondered if there was hidden data in those.

  5. I know about GPS Selective Availability (discontinued in 2000 by presidential decree), but not how it works. Could this be related to SA that at the time ensured the US military had better position precision than non governmental users?

    1. Nope.

      Selective availability diddled with the timing of the “civilian” signal. The receiver calculates its position based on the timing of the signal, so any inaccuracy in the timing makes the position inaccurate.

      Basically, each satellite transmits data packets that say “It is now exactly 12:00:00.00000000 on day X.” The receiver picks up the signal. It knows exactly when (down to microseconds or nanoseconds) the signal came in. The difference between the time stamp in the data and the time it arrived at the receiver tells you how far the satellite is from the receiver. The receiver knows where each satellite is at all times (rather, they have orbital data for each satellite and calculate exactly where in its orbit each is.) Using the distance from at least 4 satellites, the receiver calculates the one point on the Earth’s surface that is the correct distance from all of the satellites it is using.

      Any error in the time signal or the timing of the signal messes up the calculated position.

      I don’t recall if they change the transmit time or if they just change the content of the data stamp.

  6. This is not really a numbers station, which is used for general-purpose encrypted broadcast messaging to spies via receiving equipment that offers plausible deniability. It appears that the only message this system sends is encrypted GPS key updates for military GPS receivers, intended for automated software/firmware updates rather than encrypted messaging to spies. So I would describe it as a secure OTA update broadcast system rather than a “numbers station,” at least until there’s some evidence that it’s being used that way…although it would have a lot of downsides in such a role as Electronic Eel pointed out (susceptibility to jamming, need to hide specialized software and/or hardware)

    1. Yes, subframe 4 – Page 17 are TDK OTA updates for decoding the M-Block on the GPS messages – in combination with the device’s key, of course

      The other GNSS do a similar thing

  7. I wouldn’t be surprised if there was something being sent via BBC Teletext, embedded in daily newspapers or even quiz shows. No doubt the data and keys are sent via separate media. A one time pad with a short message is still one of the most secure ways to send information.

  8. I guess until 2011 it wasn’t really used, then after the 2011 Iran–U.S. RQ-170 incident they used the field to authenticate the GPS signal, later in 2022 everything was switched to StarShield which is a lot more resistant due to lower orbit, handovers and the sheer mass of satellites.
    StarShield is the military version of StarLink from SpaceX.
    And maybe it still is some kind of dead man’s switch for some doomsday devices.
