Slashdot Mirror


New Attack Can Seize Control of Drones

A new radio transmitter "seizes complete control of nearby drones as they're in mid-flight," reports Ars Technica: From then on, the drones are under the full control of the person with the hijacking device. The remote control in the possession of the original operator experiences a loss of all functions, including steering, acceleration, and altitude... Besides hijacking a drone, the device provides a digital fingerprint that's unique to each craft. The fingerprint can be used to identify trusted drones from unfriendly ones and potentially to provide forensic evidence for use in criminal or civil court cases...

Hijacks could allow law-enforcement officers to safely seize control of vulnerable drones that are endangering or interfering with first responders. The hacks could also provide ordinary citizens with a less-draconian way of disabling a drone they believe is impinging on their property or privacy... A patchwork of federal and state laws makes it unclear if even local authorities have the legal authority to shoot or hack an aircraft out of the sky.

XKCD once proposed solving the problem with butterfly nets, but instead this new attack is exploiting unencrypted DSMx radio signals.

40 comments

  1. Thank you Editor by Anonymous Coward · · Score: 1

    ...this new attack is exploiting unencrypted DSMx radio signals.

    I can't believe I'm saying this but thank you editor, everyone reporting on this fails to mention this detail. Nothing really to see here.

    1. Re:Thank you Editor by flyingfsck · · Score: 1, Funny

      Oh wow, someone hacked a RC toy. Woohoo.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re: Thank you Editor by Anonymous Coward · · Score: 0

      ISIS has been using these as guided bombs. Strap some C4 to them and it's much more than an RC toy. This is why the ability to hack them could prove useful in certain circumstances.

    3. Re: Thank you Editor by ColdWetDog · · Score: 2

      If you are down to dropping a quarter pound of anything non nuclear using a device that has a range of a mile or so, you're not doing too well militarily.

      Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

      Duck and cover!

      --
      Faster! Faster! Faster would be better!
    4. Re: Thank you Editor by Joe_Dragon · · Score: 1

      C4? What about just getting a few Note 7s? Should be easy to find in the dump.

    5. Re: Thank you Editor by ScentCone · · Score: 1

      So what you're saying is that you really have no idea what you're talking about.

      --
      Don't disappoint your bird dog. Go to the range.
    6. Re: Thank you Editor by drinkypoo · · Score: 2

      Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

      That is literally only because the developer hasn't got one:

      The attack hardware was a teensy and a cyrf6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same teensy and a ML2724 to attack DJI and Futaba systems.

      The attacker in this case had lots of sample hardware, so he attacked that. Sadly, it's the dominant protocol today in general, because it's cheap and good. You can get a LemonRX 0008 DSM2 diversity satellite receiver (two distinct radios in there) for ten bucks shipped or less, but that's a one-week turnaround from a US seller which I've literally just installed into a quadcopter. Most flight controllers will even put them into bind mode now, otherwise you need a DSM RX with a sat port, or a 3.3 volt Arduino.

      ISTR there being alternate firmware for some RXs. If so, and it is Open-Sourced, this problem could be fixed in a proprietary, encrypted revision of the protocol and supported by TXs with open firmware like maybe the Devo7e and probably other, fancier Devos which use fancier MCUs with more flash. You'd still be able to predict the frequencies and jam them, but you wouldn't be able to take over without breaking the encryption.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Single protocol? Whatever by Anonymous Coward · · Score: 0

    DSMX is Spektrum. They are a large part of "drone" usage mostly because of the commercial DJI market but hardly the only. The "fingerprinting" they are talking about is the model ID. DSMX reuses a small set of IDs and it's possible to get collisions. They are not unique identifiers.

    I wonder how they're bypassing the other radio's signals. Probably by blasting a very high strength signal which is illegal in the Part 15 FCC rules.

    There are a ton of radio protocols out there, many of which are better than DSMX.

    1. Re:Single protocol? Whatever by thinkwaitfast · · Score: 1
      I use analog fm pcm on 56mhz ham band.

      My "drone" is not hacked. Losers

    2. Re: Single protocol? Whatever by mspohr · · Score: 1

      Here's an attack that can be used on Wifi
      http://makezine.com/projects/b...

      --
      I don't read your sig. Why are you reading mine?
  3. It figures... by Cyberpunk+Reality · · Score: 2

    A story about a high tech way to take something away from its user, and only three paragraphs in, we're told how great it will be for law enforcement.

    --
    Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
    1. Re:It figures... by hey! · · Score: 2

      Something that can and is used to invade other peoples' privacy.

      There need to be federal regulations on how something like this is used though. There are 1.1 million cops in the country, and if they have their share of sociopaths (about 5%) then there's 55,000 sociopath cops out there. Add to that having more than their share of officious idiots too.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:It figures... by ColdWetDog · · Score: 1

      Cops can use this all they like. It will do them very little good. See the previous posts on how really useless this device is.

      --
      Faster! Faster! Faster would be better!
  4. I hope this tool is expensive and hard to make. by Anonymous Coward · · Score: 0

    If this hacking remote/tool is less expensive than say $750? As an owner of a couple drones that exceed that price....I would be furious if some thief decided to hijack one of mine inflight. Drone thievery could very soon become big business if a tool like this becomes widely available. Consequently it would likely also put a halt to the growth of the legal market if people become worried someone will steal their expensive drone.

  5. And....profit??? by avm · · Score: 1

    This could be a money maker for an enterprising small-time criminal. Look for a surge of drones for sale on eBay. Missing remote controller, charger, and extra batteries. Excellent condition! For parts or fix.

  6. Double-edged sword. by Gravis+Zero · · Score: 1

    This hack cuts both ways: police can take control of people's drones and people can take control of police drones. Yep, that overpriced octocopter the cops bought can now be hijacked with ease.

    I got a feeling this is going to get fixed for all the $1000+ drones.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Double-edged sword. by hey! · · Score: 3, Interesting

      If they use the same protocol.

      This is not a magic hack that lets you take over ANY drone; somebody figured out the frequency hopping sequence and OTA protocol for a common protocol used in toy drones. This is going to allow you to take over just those toys, not MQ-9 Reapers. And somewhere between the tricky but doable hack of a toy spread-spectrum based protocol and the military grade encryption used in the Reapers' ARC-210 transceiver there is probably an economical level of protection that is good enough for police use.

      My brother-in-law was asking about the Dyn DDOS attack last week; he wanted to know why the devices used to launch the attack weren't secure. The answer is simple: because they're sold to people who wouldn't pay $0.05 more for a secure device. So it follows that some police departments will use hobby drones and those will certainly get hacked.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Double-edged sword. by thegarbz · · Score: 1

      police can take control of people's drones and people can take control of police drones

      I bet you a Mars bar that police drones are not using a protocol specifically designed for hobby RC enthusiasts. Hell I'll bet you a twin pack that many off the shelf ready to fly drones even for the hobby market are not using a drone specifically designed for hobby RC enthusiasts. You can see that by the number of guides and videos on how to hack apart these devices and convert them to work with a variety of off the shelf transmitters including DSMX which they can't do out of the box.

    3. Re: Double-edged sword. by Anonymous Coward · · Score: 0

      It also cuts a third way, the FAA requires drones flown by local governments to be registered. It would be impossible for the transmitter to ever be permitted by police; it's based on creating a hazardous condition.

    4. Re:Double-edged sword. by thinkwaitfast · · Score: 2
      What is a protocol?

      And what do you mean I won't be able to take control of a military drone and fly it from my laptop's touch screen? Idiot. I saw someone do this on a documentary last year and then he turned it into an eco sustainable solar powered harvester.

    5. Re:Double-edged sword. by hey! · · Score: 2

      Touch screen won't do it. Have you seen any movies at all?

      Taking control of any computer system is a three step process.

      (1) Adopt the right attitude (bored condescension).

      (2) Type a random string on your keyboard. This must be of the buckling springs type to get that all important tappity-tap sound.

      (3) Look up and announce to the guy who is way cooler than you, "I'm in."

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:Double-edged sword. by Anonymous Coward · · Score: 0

      To be more specific, the protocol in question is DSMX. This is a 'proprietary' protocol developed by Spektrum RC (Horizon Hobby). This exploit will only affect their radio gear (granted, there are some Chinese knockoffs that try to use the same protocol). Spektrum is a very popular brand, but it is not the only brand, and may not be the most popular brand for most hobby-grade drone operators.

    7. Re:Double-edged sword. by ColdWetDog · · Score: 1

      FWIW, the capture of the drone in 'Interstellar' used an old Thinkpad with a keyboard. The scene went pretty much as you described it except they let a cute teenaged girl control the thing for a while.

      --
      Faster! Faster! Faster would be better!
    8. Re:Double-edged sword. by drinkypoo · · Score: 1

      This is not a magic hack that lets you take over ANY drone; somebody figured out the frequency hopping sequence and OTA protocol for a common protocol used in toy drones. This is going to allow you to take over just those toys, not MQ-9 Reapers.

      Actually, it won't just let you take over those toys, but also any others which use the same radio chip. Anyone else who's cloning their transceiver (or more or less doing that) is also vulnerable. The same exact attack might work against DSM2 as well, and if not they can certainly carry it out with the same cyrf6936 transceiver. The same chip will also speak to Devo RXs, and some Nine Eagles helis. Probably none of them are encrypted. While it is physically possible to reflash most of the receivers (as most if not all receivers and transmitters pair a RX with a MCU, they are not integrated into one IC) it's unlikely that most of them will be addressed. Instead, it will be taken as an opportunity to sell a whole new bundle of equipment. I only hope that my Devo7e will speak any new protocols without more radio modules, there's four in there already.

      I just installed a LemonRX 0008 DSM2 satellite RX in a drone with a MiniPX4. And it's obsolete already! Whee! But seriously, we all knew that this sort of thing was possible all along, and that it was only a matter of time before it started actually happening.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Double-edged sword. by Anonymous Coward · · Score: 0

      You could always have a drone follow the other drone, and let this drone relay the differential control signals, so that it has the nearest proximity.

      Of course, this is all Sci-Fi.

  7. Newer DJI drones immune. by Anonymous Coward · · Score: 0

    The wireless protocol is not used by DJI, so my drones are safe from would be thieves. For now anyway. I don't know how many companies use DSMx, but I suspect the numbers will drop precipitously.

  8. Encryption needed by sandmaninator · · Score: 1

    The nice thing about the old 72 MHz and newer DSM-based RC control schemes is that they have really, really low latency. There was no need for encryption in the good old days. But now, we have high-speed, low power chips that could handle encryption on both ends of the data stream without too much extra latency. There is not a great deal of data that needs to be moved, so the load on the encrypt-er and the fattening of the data pipe should be modest.

    1. Re:Encryption needed by thegarbz · · Score: 1

      Is encryption needed? The way I see it this exploit takes advantage of a failure in the key sharing part and along with a bit of brute force then presents themselves as the legitimate source. This isn't a case of lack of security, this is a case of a bug in security. There's no reason to believe encryption would have solved this problem any more than we trust WEP these days with our critical WiFi data.

    2. Re:Encryption needed by CaptQuark · · Score: 2

      Yes, encryption would be critical in securing the control of the RC craft. When the transmitter and receiver are paired, the receiver memorizes the transmitter's serial number and ignores all other transmissions. The attack device listens for the transmitted signals, records the transmitter serial number, then uses it to quickly transmit a counterfeit signal before the true transmitter transmits. The frequency hopping sequence gets out of sync with the true transmitter and because the signals are only one-way, the original transmitter has no indication that it is no longer in control.

      By agreeing on an encryption key during the binding process, the entire exploit fails. The true transmitter no longer transmits its serial number in the clear, the signals are decrypted by the receiver using the stored key, and unless it sees the correct transmitter serial number in the encrypted signal it ignores the transmission. Since the clear text never changes (the transmitter's serial number) it would have to use a rolling key to prevent the counterfeit transmitter from just replaying past transmitter sequences. (Your car's remote key fob and garage door opener already use a rolling code to prevent this same type of replay attack.)

      --
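
The bind-time key and rolling counter described in the comment above, as an added example that is not part of the original thread or of any vendor's protocol. It authenticates each frame with an HMAC and a counter instead of encrypting it, which is the property the receiver needs to reject forged or replayed frames; the frame layout, the 8-byte tag and all names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag (constructed frame layout, not DSMX)


def bind():
    """Bind step: transmitter and receiver agree on a secret key (out of band here)."""
    return os.urandom(16)


def legacy_accepts(bound_serial, frame):
    """Unauthenticated receiver as described: trusts the cleartext serial prefix."""
    return frame[:4] == bound_serial


def make_frame(key, serial, counter, channels):
    """Frame = counter || channel values || tag; the tag covers serial, counter, payload."""
    body = struct.pack(">I", counter) + struct.pack(">%dH" % len(channels), *channels)
    tag = hmac.new(key, serial + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    def __init__(self, key, serial):
        self.key, self.serial, self.last_counter = key, serial, 0

    def accept(self, frame):
        """Return the channel values, or None if the frame is forged or replayed."""
        if len(frame) < 4 + TAG_LEN or (len(frame) - 4 - TAG_LEN) % 2:
            return None  # malformed length
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, self.serial + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # not produced with the bind key
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return None  # replay of an earlier frame
        self.last_counter = counter  # gaps are fine: the link is one-way and lossy
        n = (len(body) - 4) // 2
        return list(struct.unpack(">%dH" % n, body[4:]))
```

The serial number never needs to be sent at all in this layout: both sides mix it into the tag, so an observer who records frames learns neither the key nor a value the receiver will accept again.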

  9. Alternately, terrorists can do it too ... by Anonymous Coward · · Score: 1

    If someone were to hijack a 'good' drone and use it for bad purposes (ie: send it to the airport to interfere with real air traffic, etc) would the registered owner of the drone be held responsible? Could you get a flock of drones and run them as a swarm to attack a target?

  10. PKI everywhere is the only solution. by Anonymous Coward · · Score: 0

    That's my current thinking. Everything needs to be encrypted, and everything needs to be protected from Man-In-The-Middle. There's really no other option.

    I'm trying to get this as the policy at work, but it's a struggle.

  11. Drones on Ham band by Anonymous Coward · · Score: 0

    Wow, what a puzzling post; what does your 56 milli hertz antenna look like?

    And although it's been over 40 years since I had my ticket, I'm 99% sure that 56 MHz has never been and 100% sure it isn't an amateur allocation in the US; what country allocates it to Amateur Radio Services?

    1. Re:Drones on Ham band by K.+S.+Kyosuke · · Score: 1

      mhz isn't "millihertz", it's millihectozepto. Duh!

      --
      Ezekiel 23:20
  12. Disabling Drones to Control Protests by Anonymous Coward · · Score: 0

    Hijacks could allow law-enforcement officers to safely seize control of vulnerable drones that are endangering or interfering with first responders.

    Imagine the historical impact if this very important footage of protests in Hong Kong, Macedonia, and Greece was seized by authorities.

    It is bad enough that authorities are using Stingrays to gather contact information from the phones of those who participate in protests. It is bad enough that constant, aerial, high resolution footage of these peaceful protesters is being used to track them as they go home. The tactics that police use to control the population are one step short of the tactics that are used in modern warfare.

  13. Or, you know, EMP. by Anonymous Coward · · Score: 0

    That works against 99.9% of the drones and is actually much more fun than a stupid "mine is bigger than yours" radio transmitter.

  14. so people will start encrypting by belmolis · · Score: 1

    If this hijacking tool comes into use, surely manufacturers of drone controls will start encrypting the signals. It's not like the technology for doing this is difficult or unfamiliar.

  15. Take control of Drones ? by alainbastien · · Score: 0

    Does this technology of Drone exist ? https://www.youtube.com/watch?...