New Research Shows Potential of Electromagnetic Fault Injection Attacks Against Drones

New research shows the potential of electromagnetic fault injection (EMFI) attacks against unmanned aerial vehicles, with experts showing how drones that don’t have any known vulnerabilities could be hacked. 

The research was conducted by IOActive, a company specializing in cybersecurity research and assessments. The security firm previously found vulnerabilities affecting cars, ships, Boeing and other airplanes, industrial control systems, communication protocols, and operating systems.  

The analysis was led by Gabriel Gonzalez, director of hardware security at IOActive, and it focused on electromagnetic side-channel and fault injection attacks with the goal of achieving arbitrary code execution on the targeted drone.

The research is ongoing, but initial results show that EMFI techniques can be efficient for black-box hacking, where the attacker does not have internal knowledge of the targeted system.

IOActive conducted tests on a DJI Mavic Pro drone. DJI’s drones feature signed and encrypted firmware, secure boot, and a trusted execution environment (TEE).  

EMFI attacks involve using a strong electromagnetic field to cause temporary or persistent changes in a chip. The attack is conducted by placing a coil near the targeted chip.

IOActive showed in its lab tests that an attacker who has physical access to the targeted drone can launch an EMFI attack and cause memory corruption after triggering a firmware update. 

The experiments demonstrated that injecting a specific EM glitch at a specific time during the firmware update process could allow an attacker to execute arbitrary code on the main processor, giving them access to the Android operating system that implements core functionality. 

Memory corruption has been proven to exist, but now researchers still have to develop a fully working exploit that would give the attacker full control of the drone.

“Once the fault has successfully been triggered, the exploit should not be too difficult to develop. Although it might take some iterations, the challenging part here is to get a repeatable injection so this process is not too long,” Gonzalez told SecurityWeek.

The goal of this research is to show a potential new attack surface that could be used in the future by threat actors.

“If there are no ‘logical’ or software vulnerabilities (e.g. parsing software elements), fault injection might be the only tool left to try to gain code execution in the device,” Gonzalez explained. “This could be used to get access to the firmware updates in devices that encrypted the firmware packages, leak encryption keys, or access sensitive data that might be stored in the internal memory of a device.”

As for mitigations, IOActive has advised manufacturers to implement both hardware and software countermeasures for EMFI attacks. However, the security firm noted that hardware countermeasures could be costly and they need to be taken into account during the early design stages. Software mitigations can be added at a later stage, but they might not be as effective. 

While the experiments were conducted against a DJI drone, the EMFI attack method — if proven to be effective — could be used against any type of drone.

SecurityWeek has reached out to DJI to find out if the company is or is planning on adding EMFI protections to its drones. This article will be updated if the company responds. 

Update: DJI has provided the following statement to SecurityWeek:

“At DJI, we are dedicated to enhancing data security to meet the growing expectations. We always make our best effort to resolve any potential vulnerabilities. We will be sure to keep you posted if we have any updates on the EMFI subject.”

Related: Drone Maker DJI Says Claims About Security of Pilot App ‘Misleading’

Related: Chinese Drone Giant DJI Responds to Disclosure of Android App Security Issues