The Empty Field That Wasn't: GPS, OTAD and Two Decades of<br>Encrypted Broadcasts
The<br>Empty Field That Wasn’t: GPS, OTAD and Two Decades of Encrypted<br>Broadcasts
What 24 million GPS special messages reveal about military rekeying<br>on a public channel.
Steven J. Murdoch . University College London
Version 2 — updated and expanded (June 2026). This<br>is a new version of the article originally published in Inside<br>GNSS, May/June 2026. The dataset used for the original article<br>erroneously omitted bit-flipped frames. This new version of the article<br>updates the analysis to take into account the additional special<br>messages found by the modified decoder. The substantive conclusions in<br>the original article remain unchanged, but some details have been<br>updated and expanded. The complete update record is in the changelog;<br>the original numbers remain reproducible from the archived v1 dataset on<br>Zenodo.
Cold War shortwave numbers stations broadcast strings of digits to<br>anonymous listeners, content that’s meaningless to anyone without a<br>matching one-time pad. They still operate today.
As it turns out, GPS broadcasts in much the same way.
Buried in every L1 C/A navigation message is Subframe 4, Page 17—a<br>176-bit field that IS-GPS-200 reserves for “special messages with the<br>specific contents at the discretion of the Operating Command.”1 Every satellite broadcasts it. Every<br>receiver decodes the subframe that contains it. And for nearly two<br>decades, no one has publicly explained what it contains.
We analyzed 24.09 million observations in this field from 2007<br>through early 2026.2 The content is not text. It is<br>encrypted material consistent with the military’s Over-the-Air<br>Distribution (OTAD) global rekeying network.3 For<br>19 years, every operational GPS satellite has been a numbers<br>station—broadcasting ciphertext on a public channel, to billions of<br>receivers, in plain sight.
If you build receivers, write firmware, run signal monitoring, or<br>care about the gap between civil and military signal transparency, this<br>is your field too. You just have not been reading it.
What follows is the story of how a forgotten 176-bit slot in the<br>world’s most successful navigation signal turned out to be its quietest<br>and most consequential broadcast—and how a few weeks of analysis on a<br>laptop, applied to 19 years of public archive data, was enough to read<br>its operational history off the bytes.
176 Bits, Eight Words, One<br>Forgotten Page
The L1 C/A signal carries 50 bits per second.4<br>Every bit must earn its place. The Legacy Navigation message organizes<br>those bits into 1,500-bit frames, each frame into five 300-bit<br>subframes, each subframe into ten 30-bit words. Subframes 1 to 3 carry<br>the heavy work—clock corrections, ephemeris, the data your receiver<br>needs every few seconds. Subframes 4 and 5 multiplex 25 rotating pages.<br>A receiver sees Page 17 of Subframe 4 every 12.5 minutes.5
Across 32 satellites, that is roughly 3,700 special-message payloads<br>per day, fleet-wide.6 Multiplied across 19 years and the<br>global ground-station archive, the figure climbs to 24.09 million<br>observations.
176 bits is barely enough for a few floating-point numbers, but in a<br>50 bps signal, it is roughly 12% of the LNAV frame that carries it.7 For the control segment to use that<br>bandwidth consistently for two decades implies the content matters—even<br>if no civilian receiver has ever rendered it.
Figure 1 shows how the bits are arranged. The<br>176-bit payload is fragmented across Words 3 to 10 of Subframe 4, Page<br>17: 16 data bits in Word 3 (after eight bits of Data ID and SV ID = 55,<br>the marker that identifies Page 17),8 24 data bits in each of<br>Words 4 to 9, and 16 data bits in Word 10. The final six bits of every<br>word carry the parity bits.9 After parity stripping<br>and reassembly, the 22 bytes of payload are decoded under a subset of<br>Code Page 437.
Figure 1. Anatomy of a special<br>message.
Mining 19 Years of Navbits
The corpus comes from the GFZ Potsdam open archive of GNSS recordings<br>collected from a wide network of ground stations, dating back to 2007.10 After extraction, the numbers<br>settle: 24.09 million observations of Subframe 4, Page 17, drawn from<br>every operational PRN, spanning 19 years, yielding 5,009 unique 176-bit<br>messages.
Initial Python implementations needed hours to process a single year.<br>To make iterative analysis practical, we wrote a Julia pipeline: NetCDF<br>source files are converted to Apache Arrow, then thread-parallel bit<br>extraction is performed into a DuckDB database. The full from-raw<br>rebuild runs unattended in under a day, and SQL across the lot returns<br>in milliseconds.11
With 24.09 million payloads in a queryable database, the question<br>becomes: What does this field actually contain?
It Is Not Text. It Never<br>Was.
The first thing a researcher tries in an unknown field is the obvious<br>one: maybe it is text in a different encoding. We computed the frequency<br>of each of the 45 alphabet symbols defined by IS-GPS-20012<br>across all 5,009 unique messages....