June 18, 2026 cryptography 4 min read

The Hidden Channel in Every GPS Satellite

Johnathen Chilcher Senior SRE, TechLoom

Every GPS satellite currently broadcasting over your head is carrying a hidden payload. Not hidden in the conspiratorial sense — it is documented, sort of, buried in a 1995 interface specification as a “special message” field. But for nearly two decades, nobody in the civilian world paid much attention to it. UCL security researcher Steven Murdoch did. What he found is that the U.S. military quietly converted 176 bits inside GPS Subframe 4, Page 17 into a global over-the-air cryptographic key distribution channel.

This is the first post in a three-part series where I do my own independent traffic analysis of Murdoch’s public dataset — 12,163,006 observations of that 22-byte field, spanning June 2007 through January 2026, collected from all 32 operational GPS satellites by the GFZ Potsdam ground station network.

Where exactly in the GPS signal

GPS L1 C/A broadcasts a 50 bps datastream called LNAV (Legacy Navigation). The structure is rigid: 1500-bit frames, divided into five 300-bit subframes, each taking six seconds to transmit. Subframes 1–3 carry the time-critical stuff — satellite health, clock correction parameters, and ephemeris data your receiver uses to compute position. Subframes 4 and 5 carry almanac data across 25 pages per subframe, cycling through the full set over 12.5 minutes.

Figure: GPS LNAV frame structure, showing the location of Subframe 4, Page 17. The 176-bit special message field spans Words 3–10 of Subframe 4, Page 17. Your GPS receiver decodes this silently and discards it.

Subframe 4, Page 17 is identified by SVID=55 in Word 3. When a receiver sees SVID=55, it is supposed to parse Words 3–10 as a “special message” — originally intended for human-readable text notices from the control segment. The IS-GPS-200 specification allocates 176 bits (22 bytes) for this field. In practice, every civilian receiver I have ever worked with simply ignores it.
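The field extraction described above, as an added example (not the author's analysis code). Bit positions follow the IS-GPS-200 layout for this page; the function names are hypothetical, and the input is assumed to be ten 24-bit data fields with parity already checked and stripped and polarity corrected.

```python
# Added example: pull the 22-byte special message out of one LNAV subframe.
# Bit numbering follows IS-GPS-200: bit 1 is the MSB of each word's 24 data bits.

SPECIAL_MESSAGE_SVID = 55   # page ID of Subframe 4, Page 17


def extract_special_message(words24):
    """Return the 22-byte field, or None if this is not Subframe 4 / SVID 55."""
    if len(words24) != 10 or any(not 0 <= w < (1 << 24) for w in words24):
        raise ValueError("expected ten 24-bit data words")
    subframe_id = (words24[1] >> 2) & 0x7      # HOW (Word 2), bits 20-22
    svid = (words24[2] >> 16) & 0x3F           # Word 3, bits 3-8
    if subframe_id != 4 or svid != SPECIAL_MESSAGE_SVID:
        return None
    out = bytearray()
    out += (words24[2] & 0xFFFF).to_bytes(2, "big")   # Word 3, bits 9-24
    for w in words24[3:9]:                            # Words 4-9, all 24 bits
        out += w.to_bytes(3, "big")
    out += (words24[9] >> 8).to_bytes(2, "big")       # Word 10, bits 1-16
    return bytes(out)


def build_page17(payload, data_id=1):
    """Constructed input for the demo: pack 22 bytes into ten 24-bit words."""
    if len(payload) != 22:
        raise ValueError("special message is exactly 22 bytes")
    tlm = 0x8B << 16                    # TLM preamble 10001011, rest zeroed
    how = 4 << 2                        # subframe ID 4, TOW count zeroed
    w3 = (data_id << 22) | (SPECIAL_MESSAGE_SVID << 16) | int.from_bytes(payload[0:2], "big")
    mid = [int.from_bytes(payload[2 + 3 * i: 5 + 3 * i], "big") for i in range(6)]
    w10 = int.from_bytes(payload[20:22], "big") << 8   # low 8 data bits left zero
    return [tlm, how, w3, *mid, w10]


if __name__ == "__main__":
    placeholder = b"\xAA" * 22          # constructed: the all-0xAA payload shape
    words = build_page17(placeholder)
    print(extract_special_message(words).hex())
```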

What the data actually looks like

The dataset contains 3,994 unique 22-byte payloads observed across 19 years. The overwhelming majority are not human-readable text. They are high-entropy binary blobs that change on a schedule, broadcast identically by all 32 satellites simultaneously. The distribution across byte positions tells an interesting story before you even look at timing.

Figure: three-panel byte-position entropy analysis. Top: Obs-weighted Shannon entropy per byte position across all 3,994 messages. Yellow bars flag positions with below-average entropy. Middle: Per-era profiles showing how the byte structure changed across OTAD phases. Bottom: 2D density map of byte values per position — brighter means more concentrated. The × marks show where ASCII “TEXT” would land.

Four byte positions — 4, 5, 10, and 12 — show consistently lower entropy than the rest of the field. The mean per-position entropy across the full corpus is 5.472 bits/byte, and these four positions fall measurably below the threshold at 5.461, 5.468, 5.463, and 5.465 respectively. In a truly random 22-byte ciphertext you would expect flat entropy across all positions. The fact that it is not flat is a structural signal — something in the encryption scheme, framing, or protocol overhead is leaving residual patterns at these specific positions.
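One way to compute the observation-weighted per-position entropy described above and compare it against uniformly random payloads carrying the same observation weights, so that below-average positions can be judged against finite-sample spread. This is an added example, not the author's analysis code; the function names, the 3-SD cutoff and the corpus (constructed, with structure planted at position 4) are assumptions.

```python
import math
import random
from collections import defaultdict

def position_entropy(payloads, weights):
    """Observation-weighted Shannon entropy (bits) at each byte position."""
    total = float(sum(weights))
    result = []
    for pos in range(len(payloads[0])):
        mass = defaultdict(float)
        for payload, w in zip(payloads, weights):
            mass[payload[pos]] += w
        result.append(-sum(m / total * math.log2(m / total) for m in mass.values()))
    return result

def random_baseline(weights, n_bytes, trials=20, seed=1):
    """Mean and SD of per-position entropy for uniformly random payloads
    carrying the same observation weights (the finite-sample null)."""
    rng = random.Random(seed)
    values = []
    for _ in range(trials):
        fake = [bytes(rng.getrandbits(8) for _ in range(n_bytes)) for _ in weights]
        values.extend(position_entropy(fake, weights))
    mean = sum(values) / len(values)
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / (len(values) - 1))
    return mean, sd

def flag_positions(payloads, weights, k=3.0):
    """Positions whose entropy is more than k null SDs below the null mean."""
    mean, sd = random_baseline(weights, len(payloads[0]))
    observed = position_entropy(payloads, weights)
    return [i for i, h in enumerate(observed) if h < mean - k * sd]

def constructed_corpus(n=400, seed=7):
    """Constructed data: random 22-byte payloads, position 4 limited to 16 values."""
    rng = random.Random(seed)
    payloads = []
    for _ in range(n):
        b = bytearray(rng.getrandbits(8) for _ in range(22))
        b[4] &= 0x0F                      # planted structure at one position
        payloads.append(bytes(b))
    weights = [rng.randint(1, 50) for _ in range(n)]   # uneven observation counts
    return payloads, weights

if __name__ == "__main__":
    payloads, weights = constructed_corpus()
    print("flagged positions:", flag_positions(payloads, weights))
```

On real data, `payloads` would be the unique 22-byte messages and `weights` their observation counts.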

The per-era overlay shows the transition year (2011) is visibly different from the operational period, particularly at byte positions 10–14. That transition coincides with Murdoch’s smoking-gun event: on May 26, 2011, all 31 operational GPS satellites simultaneously broadcast an all-0xAA placeholder payload for a six-hour window — a fleet-wide coordinated event that matches the declassified OTAD activation timeline to within two weeks.

The OTAD hypothesis

OTAD stands for Over-the-Air Distribution — the system by which the U.S. military remotely delivers cryptographic keying material to GPS receivers in the field. Before OTAD, soldiers had to physically receive key material on schedule. OTAD automated this through the GPS broadcast itself, invisible to civilian users.

Murdoch’s evidence for this hypothesis is statistical rather than cryptographic — he is not claiming to decrypt anything. The case rests on timeline correlation (change points in the broadcast data match declassified OTAD milestones), fleet synchronization (all satellites maintain the same payload within narrow time windows), rotation periodicity (payload changes follow schedulable patterns), and the sentinel events (placeholder payloads appear at activation and transition moments). His concordance table rates three of five tests as confirmed, with one inconclusive and none contradicted.

The data supports the hypothesis. The next two posts dig into what 19 years of that data reveals about the operational rotation schedule, and the structural anomaly that appeared in December 2023.


Dataset: GFZ Potsdam GNSS navigation-bit archive via Murdoch (2026), DOI 10.5281/zenodo.20073222. Analysis code on GitHub. All analysis is traffic analysis only — no decryption attempted or possible.