PRAGUE – Virus Bulletin 2015 – Oleg Petrovsky of HP Security Research detailed methods that can be used to hack and hijack unmanned aerial vehicles (UAVs), better known as drones.
Until a few years ago, only military organizations could afford drones, but advances in sensors, microcontrollers and batteries have led to these aerial vehicles becoming available to consumers. These days, anyone can buy a quadcopter with a camera and have fun with it, or use it to shoot professional videos. A market study from Teal Group estimates that worldwide UAV production will soar from the current $4 billion annually to $14 billion, totaling $93 billion in the next ten years.
With the increasing popularity of drones, we’re also seeing a rise in the number of incidents involving these gadgets. These incidents have triggered a response from authorities in the United States, with many states enacting laws related to the use of drones.
While there has been much focus on the careless and irresponsible use of UAVs, only few have taken into account the risk of cyberattacks.
Hacking Drones
One of the first security researchers to analyze drone hacking was Samy Kamkar, who in late 2013 showcased a radio-controlled Parrot AR.Drone quadcopter that could hijack other drones flying in its vicinity by leveraging the lack of security mechanisms. In January 2015, security engineer Rahul Sasi developed a piece of malware that could take control of drones with ARM processors and a Linux-based operating system.
In a presentation at the Virus Bulletin conference taking place this week in Prague, the capital city of the Czech Republic, HP’s Oleg Petrovsky analyzed the attack surface of drones.
While there are numerous drone models, they usually have the same basic components: motors, electronic speed controllers (ESC), a battery, a sensor block, a GPS unit, a remote control radio receiver, and the flight controller.
Part of Petrovsky’s research focuses on attacks targeting the flight controller, a system that consists of several sensors and an embedded processing unit. Some of the most popular flight controller models are ArduPilotMega (APM) and Pixhawk from 3D Robotics, MultiWii, OpenPilot, and DJI Naza.
The fact that these controllers use the same underlying technology is beneficial for development, but it’s also beneficial for potentially malicious actors because it provides them a homogenous attack surface, the expert said.
In his presentation at Virus Bulletin, Petrovsky detailed two attack scenarios targeting drones that fly on a pre-programmed path. While in many cases drones are controlled in real-time using a remote control, their flight path is often pre-programmed using so-called ground station software. The system is used across the world to deliver medicines to remote locations, and in Russia it’s even used to deliver pizza.
The HP researcher detailed a couple of attack scenarios involving an APM controller fitted on a drone he built himself and Mission Planner, a full-featured ground station application. Petrovsky has pointed out that while he used these particular systems in his experiments, the design flaws he has detailed affect other systems as well.
The ground station, which is used to wirelessly communicate with the UAV, displays performance and positioning data in real-time, it can be used to upload new parameters and mission commands, and it allows the user to control the vehicle in flight. The problem, according to the researcher, is that UAV telemetry and command protocol implementations are not inherently secure.
Since the protocols allow drones to be configured and controlled remotely, but don’t use any special authentication, an attacker can use malicious software installed on the computer running the ground station to tap into the telemetry link.
One attack method described by Petrovsky involves capturing, modifying, and injecting a data stream into a telemetry link connection over a serial port. Another attack method involves spoofing the connection to the ground station in order to take complete control of the interface.
The telemetry feed can be transmitted using Wi-Fi, Bluetooth, ZigBee or a proprietary radio link. Bluetooth, which is used for short-range communications, and a radio module, which works for much longer distances (e.g. 1 kilometer), are very popular transmission methods, and both of them can be hacked, the expert said.
Using these telemetry and command feed attack methods, a malicious actor can, for instance, upload an arbitrary flight path to the drone.
A paper published by the researcher at Virus Bulletin also describes attacks against bootloaders, which are often not locked to signed firmware. The firmware itself is another issue, since in many cases it can be modified and uploaded to the flight controller in an effort to alter its behavior. In some cases, rogue firmware can also be used to transmit malware from one computer to another when the drone is connected to the devices.
The hardware testbed, the GPS unit, and middleware also add to the attack surface.
Securing Drones Against Cyberattacks
In an interview with SecurityWeek, Petrovsky pointed out that the attack methods he described are possible due to design flaws rather than actual vulnerabilities in the systems. The expert’s recommendations for preventing such attacks include securing the firmware on embedded UAV modules, using secure bootloaders, and implementing authentication and encryption mechanisms.
The researcher believes that these issues can be addressed only through collaboration between the security community, the hardware and software developers, and regulators. Drones don’t necessarily have to be unhackable — the goal should be to make them difficult and expensive to hack, the expert said.
While some drone hacking research has been presented over the past period, the expert says there hasn’t been much improvement as far as security is concerned. Petrovsky believes that the potential threat has not been taken seriously because there haven’t been any real-world attacks on commercial UAVs. Cybercriminals would need to find a way to make a profit before writing malware that targets drones.
However, the researcher has warned that failing to secure drones against cyberattacks can have serious consequences. In his demonstration at Virus Bulletin, Petrovsky showed how his drone’s propellers can easily shred a stack of papers even at half of the speed needed to take off from the ground.
“We have to realize that paying the cost for securing firmware and embedded devices upfront can prove much cheaper than trying to mitigate a disaster resulting from inadequate security measures — especially in the case of UAVs,” the researcher said.
