U.S. Military Turned GPS into a Global "Numbers Station"

The story links to the current issue of the Inside GNSS magazine but the article isn't available in the digital edition, apparently. It's in the print edition, readable at https://lsc-pagepro.mydigitalpublication.com/publication/?i=...

The source data and analytical code (in Julia) is also available at https://lsc-pagepro.mydigitalpublication.com/publication/?i=...

In my view people nitpicking the 404 media story are being ridiculous. Everyone in their audience knows GPS originated as a military system, indeed I think most of teh general public knows that. Bashing them for not mentioning this is just looking for something to be mad about.

Clickbait from 404 Media? Surely not!

The part they kept out of the headline:

> for use in distributing the keys for accessing the military GPS signals

It’s common knowledge that the military has access to a separate, encrypted, higher-precision GPS signal. “Numbers station” implies that they’re distributing unrelated encrypted information, but they’re not; it’s not surprising that GPS signals would be used to deliver information related to GPS, even if only military receivers have any use for it!

"Numbers station" is a weird analogy, because the idea of a numbers station was to broadcast messages to undercover operatives in a way that can be received using unmodified (and therefore non-suspicious) household radio receivers.

Here, it appears to be a rekeying system for specialized military gear.

> [in a new article in Inside GNSS](https://insidegnss.com/current-issue/?ref=404media.co)

These people need to mind their links. Unless that "current-issue" is the only/last one.

People are complaining about a clickbaity title but it's a fascinating article I am not sure most would read otherwise

What's interesting to me is how out of date US GPS system is compared to China's BeiDou

and while most US GPS receivers will use Russia's GLONOSS, China's BeiDou is blocked

https://news.ycombinator.com/item?id=47849174

GPS was always a dual use system. This is very detailed and specific, but not interesting or surprising. Research has been study GPS signal data, found parts that are encrypted and he doesn’t understand. The end. Article seems only intended to generate an emotional response of “how dare they use GPS for war, man!”

Slightly related the latest Veritasium Video: Something is jamming GPS over Europe.

https://youtu.be/tz23G_UXCGA

Meanwhile Starlink and Starshield: Hold my beer ;-)

best zero day exploit ever

> [in a new article in Inside GNSS](https://insidegnss.com/current-issue/?ref=404media.co)

These people need to mind their links. Unless that "current-issue" is the only/last one.

The source data and analytical code (in Julia) is also available at https://lsc-pagepro.mydigitalpublication.com/publication/?i=...

> May 26, 2011

> No publicly recorded NANU announces a fleet-wide event of this kind in the surrounding window.

I do remember living through this one in February 2011 which was very strange at the time: https://web.archive.org/web/20111015232120/http://navcen.usc...

“SOUTHEAST ATLANTIC COAST: GPS Testing Information THE GPS NAVIGATION SIGNALS MAY BE UNRELIABLE FROM 20 JAN 2011 - 22 FEB 2011 FROM 0000Z - 0245Z DUE TO TESTING ON GPS FREQUENCIES USED IN SHIPBOARD NAVIGATION AND HANDHELD SYSTEMS. GPS SYSTEMS THAT RELY ON GPS, SUCH AS E-911, AIS AND DSC, MAY BE AFFECTED WITHIN A 150 NM RADIUS OF POSITION 30 49.09N 80 28.18W. DURING THIS PERIOD GPS USERS ARE ENCOURAGED TO REPORT ANY GPS SERVICE OUTAGES THAT THEY MAY EXPERIENCE DURING THIS TESTING VIA THE NAVIGATION INFORMATION SERVICE (NIS) BY CALLING (703) 313-5900 OR BY USING THE NAVCEN WEB SITE'S GPS REPORT A PROBLEM WORKSHEET AT WWW.NAVCEN.USCG.GOV.”

I specifically remember it because I was trying to navigate to the Atlanta IKEA but my phone showed me as being, like, south of Macon; ~100mi of error. That timeframe could fit if they were testing something like key availability in a spoofing scenario before enabling real key material transmission.

Clickbait from 404 Media? Surely not!

The part they kept out of the headline:

> for use in distributing the keys for accessing the military GPS signals

People are complaining about a clickbaity title but it's a fascinating article I am not sure most would read otherwise

What's interesting to me is how out of date US GPS system is compared to China's BeiDou

and while most US GPS receivers will use Russia's GLONOSS, China's BeiDou is blocked

https://news.ycombinator.com/item?id=47849174

Here, it appears to be a rekeying system for specialized military gear.

Slightly related the latest Veritasium Video: Something is jamming GPS over Europe.

https://youtu.be/tz23G_UXCGA

Meanwhile Starlink and Starshield: Hold my beer ;-)

> has access to a separate, encrypted, higher-precision GPS signal.

That's not it, though. This is available on the consumer L1 band, and you can even read that info using a $5 Ublox receiver (UBX-RXM-SFRBX command).

>It’s common knowledge that the military has access to a separate, encrypted, higher-precision GPS signal.

The most militarily-valuable aspect of the military GPS signals is actually the anti-spoofing qualities, rather than the higher precision. Survey-grade GPS gear has been able to achieve centimetre-level precision from the regular civilian signals for several years now, using RF fuckery like tracking the phase angle and other techniques.

To be sure, you want the precision too. NATO countries have M982 Excalibur GPS-guided artillery rounds that are precise enough that you can select not just the building you want to hit but the specific window you want the round to enter.

But the primary benefit of the encrypted signal is that it provides cryptographic assurance that the signal is not spoofed and one can be confident that one's GPS-guided cruise missile or other munition is not being diverted off-course.

Nowadays the military GPS signal has moved from transmitting the legacy "P(Y) code", which is a Cold War-era design, to the "M code" which incorporates several decades' worth of lessons learned in terms of spoofing resistance, cryptographic authentication, etc. It's actually a really neat rabbit hole to climb down.

I don't think this qualifies as clickbait in the sense that the headline mismatches the contents. My experience with 404 Media is that they treat every article like they've just released the Pentagon Papers, so you just have to read with that in mind.

HN shadow-bans so many domains but continues to let slop like this through.

The going wisdom seems to be that the EU's Galileo is the most accurate system for civilian use. GPS has undergone frequent systematic update for almost a half century.

Indeed. i have some GPS receiver modules and had wondered about this data, I had assumed it was imprecision in my device or something to do with a satellite moving around. I'll have to plug it in and go back for another look.

I think it's simply because of using a public channel for encrypted communication.

Yeah its not a number station at all.

“Every receiver in the world decodes Subframe 4, Page 17,” Murdoch said in his new article. [...] “Every GPS satellite is a numbers station,” he concluded.

TLDW: Russia is jamming GPS and GNSS over Europe, purposefully, using a constellation of military satellites.

Theory is that Russia is constantly practicing to totally disrupt GPS and GNSS (and the Chinese system) across all of Europe.

> GPS was always a dual use system

It wasn't. It was going to be a military-only system, until KAL007 presented the obvious life-saving civilian case.

But yes, the title of this article might as well read "Satellite system developed for military use is being used for a military purpose."

It’s not surprising, but I find it interesting.

> May 26, 2011

> No publicly recorded NANU announces a fleet-wide event of this kind in the surrounding window.

I do remember living through this one in February 2011 which was very strange at the time: https://web.archive.org/web/20111015232120/http://navcen.usc...

> has access to a separate, encrypted, higher-precision GPS signal.

That's not it, though. This is available on the consumer L1 band, and you can even read that info using a $5 Ublox receiver (UBX-RXM-SFRBX command).

It’s not surprising, but I find it interesting.

>It’s common knowledge that the military has access to a separate, encrypted, higher-precision GPS signal.

HN shadow-bans so many domains but continues to let slop like this through.

best zero day exploit ever

That's not what a 0day exploit is. It doesn't allow you to take over arbitrary GPS receivers, for instance.

> GPS was always a dual use system

It wasn't. It was going to be a military-only system, until KAL007 presented the obvious life-saving civilian case.

But yes, the title of this article might as well read "Satellite system developed for military use is being used for a military purpose."

Even better, thanks for clarifying. It’s that kind of omission from the article that makes the rest of it hard to swallow. Even if it is technically correct. Which is sadly the case for most “journalism” these days.

The going wisdom seems to be that the EU's Galileo is the most accurate system for civilian use. GPS has undergone frequent systematic update for almost a half century.

> My experience with 404 Media is that they treat every article like they've just released the Pentagon Papers

I think you’ve perfectly phrased exactly what it is that annoys me when I see a 404 Media headline. When it was a new shop, I stomached it more, but this is every single headline I ever see from them.

“Every receiver in the world decodes Subframe 4, Page 17,” Murdoch said in his new article. [...] “Every GPS satellite is a numbers station,” he concluded.

I think it's simply because of using a public channel for encrypted communication.

Thanks for all the replies: my phrasing was indeed bad I guess!

A "public channel" is a very broad definition, and most communication channels, including those used for encrypted communication, are by design more or less "public".

Situation with GPS that feels similar to "number stations" (which I only know about thanks to Boards of Canada's album "Geogaddi", tbh^^) is that encrypted messages are deliberatily broadcasted, not that the channel is in some way "public". The latter also applies to all encrypted internet traffic, I guess.

Technically all RF communications are "public." You have to use encryption if you want security.

Yeah GPS is not the people's airwaves it is operated by the US Space Force, I suggest you read up on your history.

Yeah its not a number station at all.

I disagree? The point of a numbers station is that it broadcasts in the clear and anyone with a receiver can get it, but only people with the appropriate decryption key can make any use of it. Since it's broadcasting all the time, there's no need for steganography or covert transmission. That's exactly what a numbers station is.

Where the article loses me is the implication that this is somehow sinister or beyond the pale: it's just piggybacking on a global transmitter network that exists anyway, why not?

That's not what a 0day exploit is. It doesn't allow you to take over arbitrary GPS receivers, for instance.

> My experience with 404 Media is that they treat every article like they've just released the Pentagon Papers

Contrasting the tone of innocence the larger publications use around these institutions feels perfectly within a journalistic mandate.

Thanks for all the replies: my phrasing was indeed bad I guess!

A "public channel" is a very broad definition, and most communication channels, including those used for encrypted communication, are by design more or less "public".

Technically all RF communications are "public." You have to use encryption if you want security.

Would point to point laser seem like it's RF and not readily snooped without detection?

Yeah GPS is not the people's airwaves it is operated by the US Space Force, I suggest you read up on your history.

Where the article loses me is the implication that this is somehow sinister or beyond the pale: it's just piggybacking on a global transmitter network that exists anyway, why not?

OK, I have to further narrow down my statement then: a publicly readable medium (or one-way channel).

I didn't want to imply that regular people could simply inject data into what's emitted by GPS satellites.

Sorry if that wasn't clear, but I am aware that GPS is operated by the US military.

This implication is purely in your head. The article and the scientist whose work it describes are just pointing out the identification of some data that's been transmitted across a public channel for years without anyne noticing.

> Since it's broadcasting all the time, there's no need for steganography or covert transmission.

Well, you could look at it that way, or you could say that the fact that it's broadcasting all the time is the steganography. That constant transmission of nonsense that nobody wants is what makes it fail to be suspicious when you send a message that somebody does want.

Its all comes down to what we buy as the definition for a number station. For me a number station needs sends a message to be a number station, not a key.

TLDW: Russia is jamming GPS and GNSS over Europe, purposefully, using a constellation of military satellites.

Theory is that Russia is constantly practicing to totally disrupt GPS and GNSS (and the Chinese system) across all of Europe.

Anyone have a good source to read up on the current state of the art for daytime celestial navigation? Maybe there isn't too much in the public domain, because things like GPS work so well. But I'd guess that since you can't easily artificially jam celestial navigation there would be military research on this. But I suppose clouds also limit the practicality as well.

https://www.scientificamerican.com/article/how-to-see-stars-...

GNSS is just the catch-all term. It stands for "Global Navigation Satellite System".

The Chinese system is called BeiDou.[1]

[1] https://en.wikipedia.org/wiki/Satellite_navigation#BeiDou_(2...

Contrasting the tone of innocence the larger publications use around these institutions feels perfectly within a journalistic mandate.

Nobody is disputing that it is a legitimate choice. It is also legitimately off-putting.

If their audience is into it though, good for them.

Would point to point laser seem like it's RF and not readily snooped without detection?

Unless you are in a vacuum, a laser that can reach a useful distance can be observed due to atmospheric scattering.

OK, I have to further narrow down my statement then: a publicly readable medium (or one-way channel).

I didn't want to imply that regular people could simply inject data into what's emitted by GPS satellites.

Sorry if that wasn't clear, but I am aware that GPS is operated by the US military.

> Since it's broadcasting all the time, there's no need for steganography or covert transmission.

https://www.scientificamerican.com/article/how-to-see-stars-...

GNSS is just the catch-all term. It stands for "Global Navigation Satellite System".

The Chinese system is called BeiDou.[1]

[1] https://en.wikipedia.org/wiki/Satellite_navigation#BeiDou_(2...

Its all comes down to what we buy as the definition for a number station. For me a number station needs sends a message to be a number station, not a key.

>For me a number station needs sends a message to be a number station, not a key.

We don't know that it's a key that's being sent. For all we know, it could be just random data. Obviously it's most likely not random data, but ciphertext. Either way, we have no idea what the message is.

A data payload you didn't already know is a message. This message contains a key.

Nobody is disputing that it is a legitimate choice. It is also legitimately off-putting.

If their audience is into it though, good for them.

Unless you are in a vacuum, a laser that can reach a useful distance can be observed due to atmospheric scattering.

>For me a number station needs sends a message to be a number station, not a key.

A data payload you didn't already know is a message. This message contains a key.

🌘

Subscribe to 404 Media to get The Abstract, our newsletter about the most exciting and mind-boggling science news and studies of the week.

The U.S. military has likely been quietly broadcasting codes for its global encryption network using public GPS for nearly 20 years, turning each satellite into a hidden “numbers station,” according to Steven Murdoch, an information security expert, who detailed his findings in a new article in Inside GNSS.

That means every device that uses GPS has been receiving hidden government information for years, and nobody outside the military knew it until now.

Murdoch, a professor of security engineering and head of the Information Security Research Group at University College London, presented evidence that a 176-bit GPS sequence labelled “Subframe 4, Page 17” is encrypted material from the Pentagon’s Over-the-Air Distribution (OTAD) network, which delivers cryptographic keys to military personnel around the world.

“I think the evidence that it's for key transmission—for use in distributing the keys for accessing the military GPS signals—is pretty strong now,” Murdoch said in a call with 404 Media. He noted that the military has “specialized receivers that have the ability to have keys loaded into them” and “presumably have the ability to decrypt these special messages.”

In his new article, Murdoch described how this “forgotten 176-bit slot in the world’s most successful navigation signal turned out to be its quietest and most consequential broadcast.”

Murdoch first spotted the sequence more than a decade ago while he was a graduate student tasked with writing a decoder for raw GPS data while working on a project funded by the European Space Agency.

“I noticed that there was this random-looking data present in the subframe,” he recalled. “I looked at the specification, and thought that was a little bit unusual. I recorded a bunch of it to look for any obvious patterns, but that wasn't the main role of the project, so we moved on.”

From the beginning, he suspected that the subframe field contained encrypted transmissions because the data was so random. “Random data is actually very unusual to get in nature,” Murdoch said. “If you see it, either it's been carefully designed to be random—but then, why is someone sending out random data?—or it's encrypted data. I thought encrypted data is by far the most likely explanation.”

He returned to the subframe on and off over the years, and solicited guesses about its content on Stack Exchange in 2023. Ahmed Kamruddin, a master’s student at UCL, developed the project further in 2025. Then, this year, Murdoch put the last pieces of the puzzle together over several weeks by analyzing open archive Global Navigation Satellite System (GNSS) recordings collected since 2007 and kept by GFZ Helmholtz Centre for Geosciences.

This dataset included more than 12 million observations of Subframe 4, Page 17, yielding 3,994 unique 176-bit messages. Within this corpus, Murdoch pinpointed key-repeating “sentinels” including a pattern that appeared in February 2010 and was broadcast on and off across dozens of satellites for more than a decade.

Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military’s Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation.

“There was a perfect match between the timeline and that presentation and the change points that were automatically identified from the data,” Murdoch said. “That was the smoking gun that made me think: This is what it's for.”

These automated systems replaced the cumbersome manual distribution of cryptographic keying material, allowing military GPS receivers around the world to be rekeyed remotely through satellite broadcasts rather than through onsite procedures.

For the next 11 years, this expansive rekeying operation was overlooked in public GPS data. In 2022, the system entered a new phase, according to Murdoch’s analysis. The shift was characterized by a slowing in the message rotation rate. Later, in December 2023, broadcasts carrying a distinctive "TEXT" prefix emerged then gradually spread across the constellation.

Murdoch isn’t sure what explains the recent transition, though it could be a possible modernization of the infrastructure or the introduction of a new protocol. But to him, the bigger takeaway is that the signals were always available for anyone willing to take a closer look, a discovery that suggests that there could be more revelations hidden for the cryptographically curious among us.

“Every receiver in the world decodes Subframe 4, Page 17,” Murdoch said in his new article. “Almost none of them have ever looked at it. The lesson generalizes: There is more to learn from the bytes already arriving at our antennas than from the bytes we wish were specified differently. The data are publicly available. The signal is overhead, twice a day, every day.”

“Every GPS satellite is a numbers station,” he concluded. “The receivers were always listening. We just had not been.”

🌘

Subscribe to 404 Media to get The Abstract, our newsletter about the most exciting and mind-boggling science news and studies of the week.

Hacker Times

Hacker Times

U.S. Military Turned GPS into a Global "Numbers Station"

Discussion

Discussion