A researcher has developed a gadget that is capable of hijacking most drones mid-flight — locking the owner out and giving the attacker complete control over the device.
Jonathan Andersson, a manager at Trend Micro’s TippingPoint DVLab, showed off his findings at the PacSec Security conference [in Japan] on Wednesday, and talked to Ars Technica and The Register about his work.
There are already jamming devices out there that block controlling radio signals, rendering a drone useless. But they don’t give the attacker control like Icarus does. It works by exploiting DSMx, the radio signal protocol that most remote-controlled consumer drones on the market use — letting the hijacker take the reins.
“The shared secret (‘secret’ used loosely as it is not encrypted) exchanged is easily reconstructed long after the binding process is complete by observing the protocol and using a couple of brute-force techniques,” Andersson told Ars Technica. “Further, there is a timing attack vulnerability wherein I synchronize to the target radio’s transmissions and transmit a malicious control packet ahead of the target, and the receiver accepts my control information and rejects the targets.”
Concerningly, it’s not clear whether this is an issue that could ever be fixed or patched. “My guess is that it will not be easy to completely remedy the situation … The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, [and] transmitters that come with models and standalone receivers. Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side.”
In the Comments section on Ars Technica, someone named Statistical sought to minimize this saying “DSMx is used for the cheap toys. Wake me up when someone can hijack a DJI Phantom or something in that class.” The Horizon PR team is not handling this well at all… they referred the press to their lawyers – conveniently the office was closed. Perhaps a round of golf to consider the approach shot to the problem?
In response, one of the Icarus team, dragosr, wrote that:
To be clear, ALL the current RC systems are vulnerable to this timing injection attack. I was the one who picked DSMx as our first target because it’s the most popular system, my favourite and the one I currently use for all my drones, planes, copters, boats and cars. The attack hardware was a teensy and a cyrf6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same teensy and a ML2724 to attack DJI and Futaba systems. The issue is that all the RC systems from ALL the manufacturers count on frequency hopping obfuscation to “hide” their broadcasts which are easily gathered en masse and reversed with an SDR, or by using a logic analyzer on their transmitters, there is no cryptographically secure authentication layer on any of the current systems. This timing attack is not difficult, just requires some low level radio and embedded system knowledge and about $100 in parts, and is only the tip of the iceberg in the potential attacks available on current systems. Timing is the low hanging fruit that we picked to attack and demonstrate first. We have further demonstrations planned and Would be glad to talk to any manufacturer about securing their gear.
dragosr goes on a bit, and while he might have said too much, it’s clear that he is not lacking for confidence.
Jonathan Andersson made the following comment on the same thread:
Yes there are many protocols (but they condense to only a handful of radio ICs), your favorite one is not secure just because ‘no one has hacked it yet’. Though you are not personally aware of a particular vulnerability does not mean it is not currently being exploited in the wild.
DJI’s choice to use a particular manufacturer’s radio subsystem is most likely primarily a financial decision (BOM cost, license fees, etc) and not a security one. From the cursory review I did of the top protocols, similar issues are widespread throughout the industry. DJI flight controllers support the use of DSMx satellite receivers and many people use them. This research certainly applies to those DJI models.
Large, expensive and dangerous-if-hijacked models are flown using *all* of the top protocols (and so are ‘toys’). Battery capacity, flight time, model type and features are in *no way* related to the protocol in use.
DSMx is an excellent protocol (one of the top) in terms of robustness, use of advanced radio techniques to facilitate multi user access to spectrum, etc. Horizon has correctly and completely leveraged all of the available featues of the underlying radio IC in this respect.
That said, Horizon has not considered malicious actors and correctly secured DSMx. My further assertion is that there are few if *any* manufacturers in the industry who have. I would challenge any particular manufacturer to stand up and make this claim. This is in fact the point of the research– to start conversations about rc protocol security, and to contribute to ongoing conversations about identification of drone operators, law enforcement’s ability to intervene when necessary, property owner’s privacy rights, etc. Not to ruin anyone’s day or devalue anyone’s investment in equipment.
No one should go ripping receivers out of their models.
Horizon and the rest of the industry has the opportunity to continue to innovate and improve their protocols from a security perspective (DSMx+?) and I sincerely hope they all perform internal reviews and take action.
There is an opportunity to work with law enforcement here as well, implementing possible features like challenge-response identification of drone operators, delivering FCC license info remotely when necessary, short message reception, etc. These features could be used to quickly contact normally law abiding operators when necessary to issue safety info, privacy requests, or flight instructions instead of the escalating situations we see occurring today.
Secure comms will become next to Godliness for anyone who wants to fly in the NAS. It is going to be one of the things that differentiates prosumer from commercial products, and will have a significant influence on price.