[matthewdgreen]

You're assuming it requires specialized military gear, as opposed to consumer gear with a flashed firmware. I believe GPS L1 C/A subframe 4 is on the ordinary L1 C/A civil signal, which means commercial receivers can receive it. They just can't (ordinarily) decrypt it. But a few KB of extra code would change that. A pretty broad set of Android phones can receive this data, without even needing to reflash the GPS firmware: you can decrypt on the application processor, since this field is readable.

[WarOnPrivacy]

> You're assuming it requires specialized military gear, as opposed to consumer gear with a flashed firmware.

The author studied this supposition [code intended for mil gear] for some time and learned this.

    On 26 May 2011, all 31 active GPS satellites switched to the
    0xAA placeholder within just a few hours.
    This rapid daily change perfectly matches the operational
    rollout of the U.S. Over-the-Air Distribution (OTAD) network.

[matthewdgreen]

That doesn't really answer the question of whether it could be used to deliver "numbers station" type messages. Encrypted key material and enciphered messages should be indistinguishable. There are 18 bytes of high-entropy ciphertext that could be used for both purposes.

[WarOnPrivacy]

> That doesn't really answer the question of whether it could be used to deliver "numbers station" type messages.

This is true. I suggest that I didn't answer that question because my comment was only addressing the below assertion.

>> You're assuming it requires specialized military gear, as opposed to consumer gear with a flashed firmware.

As for the numbers station reference in the article, that phrasing seems silly. I think it distracts a bit from the article.