The Quiet Numbers Station: Decoding Nineteen Years of GPS Cryptography

Posted by lordgilman 4 days ago

13284Original

https://lsc-pagepro.mydigitalpublication.com/publication/?i=...

PDF: https://cdn.coverstand.com/61061/865273/2c88ea662e2b57478723... (article is on page 62)

Comments

Comment by ck2 4 days ago

People are complaining about a clickbaity title but it's a fascinating article I am not sure most would read otherwise

What's interesting to me is how out of date US GPS system is compared to China's BeiDou

and while most US GPS receivers will use Russia's GLONOSS, China's BeiDou is blocked

https://news.ycombinator.com/item?id=47849174

Comment by applicative 4 days ago

The going wisdom seems to be that the EU's Galileo is the most accurate system for civilian use. GPS has undergone frequent systematic update for almost a half century.

Comment by dang 4 days ago

(This comment was originally posted to https://news.ycombinator.com/item?id=48414479 - we've since merged the threads)

Comment by anigbrowl 4 days ago

Indeed. i have some GPS receiver modules and had wondered about this data, I had assumed it was imprecision in my device or something to do with a satellite moving around. I'll have to plug it in and go back for another look.

Comment by kortilla 4 days ago

> What's interesting to me is how out of date US GPS system is compared to China's BeiDou

It’s significantly older though. What would you expect?

Comment by entrope 3 days ago

Two things amaze me about GPS. First, that there are still four Block IIR and seven Block IIR-M satellites operational; these had 7.5 year design lives and were launched by 2004 and 2009 respectively. Second, that L1C, L5 and L2C are all still pre-operational thanks to the OCX debacle. L1C and L2C really modernize the signal structure to improve accuracy.

Comment by somat 4 days ago

An interesting lesser known role of GPS is that it is part of the US nuclear monitoring network and it's L3 signal is part of this.

https://www.youtube.com/watch?v=DjLnIb41DuQ I Found The US Nuclear Detection System In Space (saveitforparts)

Comment by thenthenthen 3 days ago

So similar to the constellation discussed in the GNSS jamming article here? > https://news.ycombinator.com/item?id=48409664

Comment by NelsonMinar 4 days ago

Summary from the study author: https://www.benthamsgaze.org/2026/06/02/the-quiet-numbers-st...

PDF of article (page 62) https://cdn.coverstand.com/61061/865273/2c88ea662e2b57478723...

Comment by dang 4 days ago

Thank you! That first link does seem to be the best one (in terms of easiness to access and information explained). We'll use it above.

Comment by zuzululu 4 days ago

I know it isn't really a number station but I wanted it to be true...

Someone broadcasting one time pad messages using GPS over years...

a spy operative using jogging app changing routes slightly

or maybe a cartel member embedded inside highly hostile countries like Singapore

Comment by masfuerte 3 days ago

> To make processing this massive dataset practical, we built a Julia pipeline to extract the bits directly into a DuckDB database.

The raw data is a bit more than 1GB per annum.

The data of interest is 176 bits every 12.5 minutes for 19 years. That is, about 17MB of data. Possibly multiplied by the number of satellites, roughly thirty.

It's not big data.

Comment by sjm217 2 days ago

Though I take your point that it’s not big data by the conventional use (i.e. requiring a distributed computing to process). The phrasing in the original article was better: “To make iterative analysis practical, we wrote a Julia pipeline: NetCDF source files are converted to Apache Arrow, then thread-parallel bit extraction is performed into a DuckDB database.”

Comment by sjm217 3 days ago

The dataset was 136GB (about 7GB per annum), and the Python implementation took 45 hours for each run. The Julia code that processed the whole dataset and built the database took 5 hours, which made iterative development much more pleasant. Of course, later stages in the pipeline had much less data to process and so were much faster. With metadata and indices, that was about 3GB. It's bigger than your estimate since there are multiple observations of the same satellite.

Comment by zerobees 4 days ago

"Numbers station" is a weird analogy, because the idea of a numbers station was to broadcast messages to undercover operatives in a way that can be received using unmodified (and therefore non-suspicious) household radio receivers.

Here, it appears to be a rekeying system for specialized military gear.

Comment by matthewdgreen 4 days ago

You're assuming it requires specialized military gear, as opposed to consumer gear with a flashed firmware. I believe GPS L1 C/A subframe 4 is on the ordinary L1 C/A civil signal, which means commercial receivers can receive it. They just can't (ordinarily) decrypt it. But a few KB of extra code would change that. A pretty broad set of Android phones can receive this data, without even needing to reflash the GPS firmware: you can decrypt on the application processor, since this field is readable.

Comment by WarOnPrivacy 3 days ago

> You're assuming it requires specialized military gear, as opposed to consumer gear with a flashed firmware.

The author studied this supposition [code intended for mil gear] for some time and learned this.

    On 26 May 2011, all 31 active GPS satellites switched to the
    0xAA placeholder within just a few hours.
    This rapid daily change perfectly matches the operational
    rollout of the U.S. Over-the-Air Distribution (OTAD) network.

Comment by matthewdgreen 3 days ago

That doesn't really answer the question of whether it could be used to deliver "numbers station" type messages. Encrypted key material and enciphered messages should be indistinguishable. There are 18 bytes of high-entropy ciphertext that could be used for both purposes.

Comment by WarOnPrivacy 3 days ago

> That doesn't really answer the question of whether it could be used to deliver "numbers station" type messages.

This is true. I suggest that I didn't answer that question because my comment was only addressing the below assertion.

>> You're assuming it requires specialized military gear, as opposed to consumer gear with a flashed firmware.

As for the numbers station reference in the article, that phrasing seems silly. I think it distracts a bit from the article.

Comment by moritzwarhier 4 days ago

I think it's simply because of using a public channel for encrypted communication.

Comment by moritzwarhier 4 days ago

Thanks for all the replies: my phrasing was indeed bad I guess!

A "public channel" is a very broad definition, and most communication channels, including those used for encrypted communication, are by design more or less "public".

Situation with GPS that feels similar to "number stations" (which I only know about thanks to Boards of Canada's album "Geogaddi", tbh^^) is that encrypted messages are deliberatily broadcasted, not that the channel is in some way "public". The latter also applies to all encrypted internet traffic, I guess.

Comment by ronsor 4 days ago

Technically all RF communications are "public." You have to use encryption if you want security.

Comment by jjtheblunt 4 days ago

Would point to point laser seem like it's RF and not readily snooped without detection?

Comment by wang_li 4 days ago

Unless you are in a vacuum, a laser that can reach a useful distance can be observed due to atmospheric scattering.

Comment by jjtheblunt 4 days ago

true!

Comment by 866-RON-0-FEZ 4 days ago

Yeah GPS is not the people's airwaves it is operated by the US Space Force, I suggest you read up on your history.

Comment by moritzwarhier 4 days ago

OK, I have to further narrow down my statement then: a publicly readable medium (or one-way channel).

I didn't want to imply that regular people could simply inject data into what's emitted by GPS satellites.

Sorry if that wasn't clear, but I am aware that GPS is operated by the US military.

Comment by Angostura 2 days ago

So, a number station sending a message 'detonate the bomb' isn't a number station, because most people don't have the bomb?

Comment by anigbrowl 4 days ago

“Every receiver in the world decodes Subframe 4, Page 17,” Murdoch said in his new article. [...] “Every GPS satellite is a numbers station,” he concluded.

Comment by tokai 4 days ago

Yeah its not a number station at all.

Comment by Analemma_ 4 days ago

I disagree? The point of a numbers station is that it broadcasts in the clear and anyone with a receiver can get it, but only people with the appropriate decryption key can make any use of it. Since it's broadcasting all the time, there's no need for steganography or covert transmission. That's exactly what a numbers station is.

Where the article loses me is the implication that this is somehow sinister or beyond the pale: it's just piggybacking on a global transmitter network that exists anyway, why not?

Comment by thaumasiotes 4 days ago

> Since it's broadcasting all the time, there's no need for steganography or covert transmission.

Well, you could look at it that way, or you could say that the fact that it's broadcasting all the time is the steganography. That constant transmission of nonsense that nobody wants is what makes it fail to be suspicious when you send a message that somebody does want.

Comment by anigbrowl 4 days ago

This implication is purely in your head. The article and the scientist whose work it describes are just pointing out the identification of some data that's been transmitted across a public channel for years without anyne noticing.

Comment by defrost 4 days ago

It's been noticed for a long long time, as noted in the article, this is more or less the first time it has broken in more general public news media.

Civilian high precision surveying has been reverse engineering raw GPS since the Navstar sats and swapping notes on back channels.

Comment by BigTTYGothGF 3 days ago

If you need a key it's not "in the clear".

Comment by tokai 4 days ago

Its all comes down to what we buy as the definition for a number station. For me a number station needs sends a message to be a number station, not a key.

Comment by sgjohnson 4 days ago

>For me a number station needs sends a message to be a number station, not a key.

We don't know that it's a key that's being sent. For all we know, it could be just random data. Obviously it's most likely not random data, but ciphertext. Either way, we have no idea what the message is.

Comment by wildzzz 4 days ago

It is kind of like a number station but it's meant for machine to machine communication of commands, keys, and probably test messages specifically for military GPS receivers. The US government has plenty of other satellites (and the internet) at its disposal for sending messages to people covertly. They don't need to risk screwing up critical infrastructure just to send a message to someone. It also wouldn't be prudent to give a secret agent something so obviously a piece of spycraft. There's plenty of off-the-shelf radio receivers you can buy worldwide that would be capable of picking up an encoded message transmitted by a passing satellite.

Comment by robotresearcher 4 days ago

A data payload you didn't already know is a message. This message contains a key.

Comment by sieabahlpark 4 days ago

[dead]

Comment by filup 3 days ago

[dead]

Comment by buredoranna 4 days ago

Since we're talking numbers stations...

I'll take this opportunity to plug the CONET project: Recordings of Shortwave Numbers Stations

https://en.wikipedia.org/wiki/The_Conet_Project

https://archive.org/details/The-Conet-Project

[edit: formatting]

Comment by 4 days ago

Comment by 7777777phil 4 days ago

Slightly related the latest Veritasium Video: Something is jamming GPS over Europe.

https://youtu.be/tz23G_UXCGA

Comment by spwa4 4 days ago

TLDW: Russia is jamming GPS and GNSS over Europe, purposefully, using a constellation of military satellites.

Theory is that Russia is constantly practicing to totally disrupt GPS and GNSS (and the Chinese system) across all of Europe.

Comment by floxy 4 days ago

Anyone have a good source to read up on the current state of the art for daytime celestial navigation? Maybe there isn't too much in the public domain, because things like GPS work so well. But I'd guess that since you can't easily artificially jam celestial navigation there would be military research on this. But I suppose clouds also limit the practicality as well.

https://www.scientificamerican.com/article/how-to-see-stars-...

Comment by dabluecaboose 4 days ago

GNSS is just the catch-all term. It stands for "Global Navigation Satellite System".

The Chinese system is called BeiDou.[1]

[1] https://en.wikipedia.org/wiki/Satellite_navigation#BeiDou_(2...

Comment by entrope 3 days ago

And the Russian system is named (the Russian words for) "Global Navigation Satellite System", but usually only called GLONASS because adding L, O and A is less confusing than having one name for super- and sub-sets in a single category.

The fourth global GNSS constellation is Europe's Galileo. NavIC and QZSS are regional GNSS constellations.

Comment by newtwentysix 4 days ago

Comment by timeinput 4 days ago

This is an interesting article. It has a very strong AI accent.

I really wish I could tell how real it is. When some part of it I can tell is AI slop, how much of it is AI slop? Inside GNSS has always been a marketing rag with sometimes some interesting articles.

The author is a security researcher, so maybe poking at GPS bits makes sense, but talking about floating point bit depth? There's too much slop for me to figure out if there's anything of real interest or if this is just a hallucination.

Edit. After reading more carefully this is 100% AI slop. Inside GNSS published Steven Murdoch's chat gpt session. Maybe some data was transmitted? The only way you'll actually know is to redo the research your self. There are many fabrications / confabulations that clearly happen with AI in the text.

Comment by rcxdude 4 days ago

I've worked with the guy credited in the article before, so I'll vouch for his general credibility and the underlying information likely being solid: there's good evidence for this field being some kind of encrypted data stream, probably key distribution, and the behaviour has changed over time. But the breathless LLM-tone really did make it hard to read.

Comment by 4 days ago

Comment by timeinput 4 days ago

Cool. Some data may have been transmitted over GPS. That's interesting and note worthy.

If only that was all that was posted.

Instead there's this stuff that makes me question Steven Murdoch's research practices. If you're willing to publish slop are his research practices slop? Can I trust any paper he creates in the future when I can tell this one has factual errors? Why should I bother reading it?

I actually think he's a good researcher from a little reading. I wish he hadn't done this.

Comment by andyjohnson0 4 days ago

> Can I trust any paper he creates in the future when I can tell this one has factual errors?

What are the factual errors?

Comment by rcxdude 4 days ago

I agree

Comment by sjm217 4 days ago

The code is all available and every claim is traceable back to the statistical analysis. Results are reproducible from the original data which is archived on Zenodo. Further analysis would be very welcome. https://github.com/sjmurdoch/gps-special-messages

Comment by applicative 4 days ago

Paradoxically, in the blog post he speaks with his own voice, describing the evidence better amassed in ... the AI written article.

Comment by dang 4 days ago

(This comment was posted when the article was https://lsc-pagepro.mydigitalpublication.com/publication/?i=...; we've since done a merge and changed the URL above)

Comment by ekelsen 4 days ago

So much AI. I stopped immediately. He might have something interesting to say, but apparently not important enough for him to write about it himself, so not important enough for me to read it either.

Comment by anigbrowl 4 days ago

The story links to the current issue of the Inside GNSS magazine but the article isn't available in the digital edition, apparently. It's in the print edition, readable at https://lsc-pagepro.mydigitalpublication.com/publication/?i=...

The source data and analytical code (in Julia) is also available at https://lsc-pagepro.mydigitalpublication.com/publication/?i=...

In my view people nitpicking the 404 media story are being ridiculous. Everyone in their audience knows GPS originated as a military system, indeed I think most of teh general public knows that. Bashing them for not mentioning this is just looking for something to be mad about.

Comment by Lammy 4 days ago

> May 26, 2011

> No publicly recorded NANU announces a fleet-wide event of this kind in the surrounding window.

I do remember living through this one in February 2011 which was very strange at the time: https://web.archive.org/web/20111015232120/http://navcen.usc...

“SOUTHEAST ATLANTIC COAST: GPS Testing Information THE GPS NAVIGATION SIGNALS MAY BE UNRELIABLE FROM 20 JAN 2011 - 22 FEB 2011 FROM 0000Z - 0245Z DUE TO TESTING ON GPS FREQUENCIES USED IN SHIPBOARD NAVIGATION AND HANDHELD SYSTEMS. GPS SYSTEMS THAT RELY ON GPS, SUCH AS E-911, AIS AND DSC, MAY BE AFFECTED WITHIN A 150 NM RADIUS OF POSITION 30 49.09N 80 28.18W. DURING THIS PERIOD GPS USERS ARE ENCOURAGED TO REPORT ANY GPS SERVICE OUTAGES THAT THEY MAY EXPERIENCE DURING THIS TESTING VIA THE NAVIGATION INFORMATION SERVICE (NIS) BY CALLING (703) 313-5900 OR BY USING THE NAVCEN WEB SITE'S GPS REPORT A PROBLEM WORKSHEET AT WWW.NAVCEN.USCG.GOV.”

I specifically remember it because I was trying to navigate to the Atlanta IKEA but my phone showed me as being, like, south of Macon; ~100mi of error. That timeframe could fit if they were testing something like key availability in a spoofing scenario before enabling real key material transmission.

Comment by dang 4 days ago

(This comment was originally posted to https://news.ycombinator.com/item?id=48414479, where the article was https://www.404media.co/the-u-s-military-quietly-turned-gps-.... We've since merged the threads.)

Comment by eagerpace 4 days ago

GPS was always a dual use system. This is very detailed and specific, but not interesting or surprising. Research has been study GPS signal data, found parts that are encrypted and he doesn’t understand. The end. Article seems only intended to generate an emotional response of “how dare they use GPS for war, man!”

Comment by sgjohnson 4 days ago

> GPS was always a dual use system

It wasn't. It was going to be a military-only system, until KAL007 presented the obvious life-saving civilian case.

But yes, the title of this article might as well read "Satellite system developed for military use is being used for a military purpose."

Comment by eagerpace 4 days ago

Even better, thanks for clarifying. It’s that kind of omission from the article that makes the rest of it hard to swallow. Even if it is technically correct. Which is sadly the case for most “journalism” these days.

Comment by golem14 4 days ago

It’s not surprising, but I find it interesting.

Comment by transistor-man 4 days ago

This is a fantastic writeup

Comment by 4 days ago

Comment by opengrass 3 days ago

Messages would be split over multiple mediums or be slow.

Comment by jp42 4 days ago

Meanwhile Starlink and Starshield: Hold my beer ;-)

Comment by rafram 4 days ago

Clickbait from 404 Media? Surely not!

The part they kept out of the headline:

> for use in distributing the keys for accessing the military GPS signals

It’s common knowledge that the military has access to a separate, encrypted, higher-precision GPS signal. “Numbers station” implies that they’re distributing unrelated encrypted information, but they’re not; it’s not surprising that GPS signals would be used to deliver information related to GPS, even if only military receivers have any use for it!

Comment by stackghost 4 days ago

>It’s common knowledge that the military has access to a separate, encrypted, higher-precision GPS signal.

The most militarily-valuable aspect of the military GPS signals is actually the anti-spoofing qualities, rather than the higher precision. Survey-grade GPS gear has been able to achieve centimetre-level precision from the regular civilian signals for several years now, using RF fuckery like tracking the phase angle and other techniques.

To be sure, you want the precision too. NATO countries have M982 Excalibur GPS-guided artillery rounds that are precise enough that you can select not just the building you want to hit but the specific window you want the round to enter.

But the primary benefit of the encrypted signal is that it provides cryptographic assurance that the signal is not spoofed and one can be confident that one's GPS-guided cruise missile or other munition is not being diverted off-course.

Nowadays the military GPS signal has moved from transmitting the legacy "P(Y) code", which is a Cold War-era design, to the "M code" which incorporates several decades' worth of lessons learned in terms of spoofing resistance, cryptographic authentication, etc. It's actually a really neat rabbit hole to climb down.

Comment by 05 4 days ago

> has access to a separate, encrypted, higher-precision GPS signal.

That's not it, though. This is available on the consumer L1 band, and you can even read that info using a $5 Ublox receiver (UBX-RXM-SFRBX command).

Comment by kotaKat 4 days ago

Yeah, but the DAGRs out there hop around on both sets. You can run a DAGR without keys and it'll use civ GPS just fine. It'd make sense to have the hidden OTAR/OTAP running on a hidden chunk of L1 traffic.

https://www.baesystems.com/en/product/defense-advanced-gps-r...

Comment by causal 4 days ago

I don't think this qualifies as clickbait in the sense that the headline mismatches the contents. My experience with 404 Media is that they treat every article like they've just released the Pentagon Papers, so you just have to read with that in mind.

Comment by SllX 4 days ago

> My experience with 404 Media is that they treat every article like they've just released the Pentagon Papers

I think you’ve perfectly phrased exactly what it is that annoys me when I see a 404 Media headline. When it was a new shop, I stomached it more, but this is every single headline I ever see from them.

Comment by DANmode 4 days ago

Contrasting the tone of innocence the larger publications use around these institutions feels perfectly within a journalistic mandate.

Comment by SllX 4 days ago

Nobody is disputing that it is a legitimate choice. It is also legitimately off-putting.

If their audience is into it though, good for them.

Comment by DANmode 4 days ago

Honestly, I was surprised to see this take.

Their tone just makes me miss the original The Intercept and other used-to-be-heavy-hitters.

Were they also too punchy for you? (I sound possibly sarcastic, but am genuinely curious)

Comment by SllX 3 days ago

I read The Intercept rarely and never saw enough of them to form any kind of take on their “typical” headline-style. 404 Media has been popping off everywhere though—including here-since they launched.

This may sound pre-judgmental, but a headline is an advertisement & marketing for the article. A headline can get someone in that might otherwise have skipped the article, but it can just as easily dissuade people who might otherwise be interested in the subject matter.

Comment by DANmode 3 days ago

Meanwhile the NBC headline can make the story seem like a normal matter of course.

Comment by cryzinger 4 days ago

For new and under-reported (or otherwise downplayed) stories, I think it's understandable and maybe even good. But when every single story has a breathless, scandalized headline, it gets exhausting fast, and it's hard for me to know what to pay attention to.

I remember last year 404 put out a clickbait-y story about the shitty "covert" websites that the CIA used to communicate with spies they'd recruited in Iran, even though it was old news at that point. If you only read the headline (as many people do...) you'd think it was a startling new development.

Comment by DANmode 4 days ago

> it's hard for me to know what to pay attention to.

If it’s a decent institution?

All of what they’re reporting on! =]

Comment by dang 4 days ago

Comment by 866-RON-0-FEZ 4 days ago

[flagged]

Comment by skeledrew 4 days ago

> [in a new article in Inside GNSS](https://insidegnss.com/current-issue/?ref=404media.co)

These people need to mind their links. Unless that "current-issue" is the only/last one.

Comment by moritzwarhier 4 days ago

Later submission: