To avoid being spoofed, U.S. military systems listen to a different frequency than civilian GPS receivers, an encrypted channel from the satellite. How could Iran get around that? Iran could have gotten its hands on the encryption key used on U.S. drones, perhaps in the wreckage of the Reaper drones it has already shot down. Alternatively, Iran could have jammed the military GPS frequency, forcing the RQ-170 to shift to the civilian GPS channel.
If they did that, the RQ-170, unable to phone home, would have tried instead to fly home, but it would do so using a GPS signal that Iran was spoofing. By telling the drone that west was east and then giving it more detailed mis-directions, Iranian electronic specialists could have flown the aircraft to a base where Iranian intelligence officers were waiting for it. When the RQ-170 got to where it thought its home base was located, it would have landed on auto-pilot.
That's the story one Iranian official told the Christian Science Monitor (though other Iranian officials claim they did more than just "spoof" the drone.) Is the story plausible? Pentagon and U.S. intelligence experts say no, but they may underestimate Iran and overestimate their own systems. That kind of arrogance has happened before, when the U.S. was confident that the Soviet Union could not be reading the American Navy's encryption codes (but it was, thanks to the Walker family spy ring.). If the U.S. story is right, that the American pilot "lost control" of the RQ-170, the drone should have automatically flown home. It did not. If the U.S. is right and then drone just flew the wrong way and ran out of fuel, it should have crashed and been seriously damaged. In the Iranian pictures, the RQ-170 isn't badly damaged, or at least is made to look undamaged.
It is impossible for outside observers to know for sure which side's claims are right. It may even be hard for senior U.S. government officials to be sure that what they are being told by their experts is right. One lesson I learned over and over is that initial reports are almost always wrong. What we do know, however, is that Iran is seeking revenge for what it believes are CIA attacks, including the cyber weapon Stuxnet. And we can be sure that with both sides continuing to employ covert-action programs against the other, the risk of escalation and miscalculation increases, as does the risk of military hostilities.