Slashdot Mirror


New Attack Can Seize Control of Drones

A new radio transmitter "seizes complete control of nearby drones as they're in mid-flight," reports Ars Technica: From then on, the drones are under the full control of the person with the hijacking device. The remote control in the possession of the original operator experiences a loss of all functions, including steering, acceleration, and altitude... Besides hijacking a drone, the device provides a digital fingerprint that's unique to each craft. The fingerprint can be used to identify trusted drones from unfriendly ones and potentially to provide forensic evidence for use in criminal or civil court cases...

Hijacks could allow law-enforcement officers to safely seize control of vulnerable drones that are endangering or interfering with first responders. The hacks could also provide ordinary citizens with a less-draconian way of disabling a drone they believe is impinging on their property or privacy... A patchwork of federal and state laws makes it unclear if even local authorities have the legal authority to shoot or hack an aircraft out of the sky.

XKCD once proposed solving the problem with butterfly nets, but instead this new attack is exploiting unencrypted DSMx radio signals.

8 of 40 comments

  1. It figures... by Cyberpunk+Reality · · Score: 2

    A story about a high tech way to take something away from its user, and only three paragraphs in, we're told how great it will be for law enforcement.

    --
    Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
    1. Re:It figures... by hey! · · Score: 2

      Something that can be and is used to invade other people's privacy.

      There need to be federal regulations on how something like this is used though. There are 1.1 million cops in the country, and if they have their share of sociopaths (about 5%) then there's 55,000 sociopath cops out there. Add to that having more than their share of officious idiots too.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Re:Double-edged sword. by hey! · · Score: 3, Interesting

    If they use the same protocol.

    This is not a magic hack that lets you take over ANY drone; somebody figured out the frequency hopping sequence and OTA protocol for a common protocol used in toy drones. This is going to allow you to take over just those toys, not MQ-9 Reapers. And somewhere between the tricky but doable hack of a toy spread-spectrum based protocol and the military grade encryption used in the Reapers' ARC-210 transceiver there is probably an economical level of protection that is good enough for police use.

    My brother-in-law was asking about the Dyn DDOS attack last week; he wanted to know why the devices used to launch the attack weren't secure. The answer is simple: because they're sold to people who wouldn't pay $0.05 more for a secure device. So it follows that some police departments will use hobby drones and those will certainly get hacked.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Re:Double-edged sword. by thinkwaitfast · · Score: 2
    What is a protocol?

    And what do you mean I won't be able to take control of a military drone and fly it from my laptop's touch screen? Idiot. I saw someone do this on a documentary last year and then he turned it into an eco sustainable solar powered harvester.

  4. Re:Double-edged sword. by hey! · · Score: 2

    Touch screen won't do it. Have you seen any movies at all?

    Taking control of any computer system is a three step process.

    (1) Adopt the right attitude (bored condescension).

    (2) Type a random string on your keyboard. This must be of the buckling springs type to get that all important tappity-tap sound.

    (3) Look up and announce to the guy who is way cooler than you, "I'm in."

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  5. Re: Thank you Editor by ColdWetDog · · Score: 2

    If you are down to dropping a quarter pound of anything non nuclear using a device that has a range of a mile or so, you're not doing too well militarily.

    Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

    Duck and cover!

    --
    Faster! Faster! Faster would be better!
  6. Re: Thank you Editor by drinkypoo · · Score: 2

    Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

    That is literally only because the developer hasn't got one:

    The attack hardware was a teensy and a cyrf6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same teensy and a ML2724 to attack DJI and Futaba systems.

    The attacker in this case had lots of sample hardware, so he attacked that. Sadly, it's the dominant protocol today in general, because it's cheap and good. You can get a LemonRX 0008 DSM2 diversity satellite receiver (two distinct radios in there) for ten bucks shipped or less, but that's a one-week turnaround from a US seller which I've literally just installed into a quadcopter. Most flight controllers will even put them into bind mode now, otherwise you need a DSM RX with a sat port, or a 3.3 volt Arduino.

    ISTR there being alternate firmware for some RXs. If so, and it is Open-Sourced, this problem could be fixed in a proprietary, encrypted revision of the protocol and supported by TXs with open firmware like maybe the Devo7e and probably other, fancier Devos which use fancier MCUs with more flash. You'd still be able to predict the frequencies and jam them, but you wouldn't be able to take over without breaking the encryption.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Encryption needed by CaptQuark · · Score: 2

    Yes, encryption would be critical in securing the control of the RC craft. When the transmitter and receiver are paired, the receiver memorizes the transmitter's serial number and ignores all other transmissions. The attack device listens for the transmitted signals, records the transmitter serial number, then uses it to quickly transmit a counterfeit signal before the true transmitter transmits. The frequency hopping sequence gets out of sync with the true transmitter and because the signals are only one-way, the original transmitter has no indication that it is no longer in control.

    By agreeing on an encryption key during the binding process, the entire exploit fails. The true transmitter no longer transmits its serial number in the clear, the signals are decrypted by the receiver using the stored key, and unless it sees the correct transmitter serial number in the encrypted signal it ignores the transmission. Since the clear text never changes (the transmitter's serial number) it would have to use a rolling key to prevent the counterfeit transmitter from just replaying past transmitter sequences. (Your car's remote key fob and garage door opener already use a rolling code to prevent this same type of replay attack.)

    --
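The takeover CaptQuark describes, and the two fixes the thread discusses (a key agreed at bind time, and a rolling element so captured frames cannot be replayed), as an added toy model. This is example code written for this page, not code from Ars Technica, from the researcher, or from any DSM2/DSMX implementation; the frame layout, the channel-hop rule, the 23-channel count and the bind-time key are simplified assumptions, not the real protocol. It also shows hey!'s point that the hop sequence is predictable from the public serial, so jamming remains possible even once forgery and replay are blocked.

```python
"""Toy model of the takeover described above and of the bind-time-key fix.

Added example, not code from the page or from any DSM2/DSMX implementation.
Frame layout, channel-hop rule and key agreement are simplified assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NUM_CHANNELS = 23  # assumption for the model


@dataclass
class Frame:
    tx_id: bytes      # transmitter serial, in the clear in every variant here
    counter: int      # frame / hop-step counter
    controls: bytes   # stick positions (constructed sample bytes)
    tag: bytes = b""  # authentication tag; empty in the legacy variant


def hop_channel(tx_id: bytes, counter: int) -> int:
    """Channel for a frame, derived only from the public serial and the counter.
    Anyone who has sniffed the serial can predict the whole sequence, which is
    why jamming stays possible even in the authenticated variants."""
    return hashlib.sha256(tx_id + counter.to_bytes(4, "big")).digest()[0] % NUM_CHANNELS


def tag_for(key: bytes, mode: str, f: Frame) -> bytes:
    """'static_mac' authenticates serial+controls only (replayable);
    'rolling_mac' also binds the counter, so a captured tag is single-use."""
    msg = f.tx_id + f.controls
    if mode == "rolling_mac":
        msg += f.counter.to_bytes(4, "big")
    return hmac.new(key, msg, "sha256").digest()[:8]


class Transmitter:
    def __init__(self, tx_id: bytes, mode: str, key: bytes):
        self.tx_id, self.mode, self.key, self.counter = tx_id, mode, key, 0

    def frame(self, controls: bytes) -> Frame:
        self.counter += 1
        f = Frame(self.tx_id, self.counter, controls)
        if self.mode != "legacy":
            f.tag = tag_for(self.key, self.mode, f)
        return f


class Receiver:
    """Bound to one serial. The first acceptable frame for a hop step wins and the
    step is consumed, so a forgery that arrives first locks the real TX out."""
    def __init__(self, tx_id: bytes, mode: str, key: bytes):
        self.tx_id, self.mode, self.key = tx_id, mode, key
        self.last_counter, self.last_controls = 0, b""

    def receive(self, f: Frame, channel: int) -> bool:
        if f.tx_id != self.tx_id or f.counter <= self.last_counter:
            return False  # foreign serial, or a step already consumed
        if channel != hop_channel(self.tx_id, f.counter):
            return False  # wrong channel for this step
        if self.mode != "legacy" and not hmac.compare_digest(f.tag, tag_for(self.key, self.mode, f)):
            return False  # forged or tampered frame
        self.last_counter, self.last_controls = f.counter, f.controls
        return True


HOVER, PUNCH, ATTACK = b"\x80\x80\x80\x80", b"\xff\x80\x80\x80", b"\x00\xff\x00\x00"  # constructed


def simulate(mode: str) -> dict:
    """mode: 'legacy' (serial only, as the thread describes DSMx), 'static_mac', 'rolling_mac'."""
    tx_id = b"\x12\x34\x56\x78"                                  # constructed serial
    key = secrets.token_bytes(16) if mode != "legacy" else b""   # agreed at bind time in the fixed variants
    tx, rx = Transmitter(tx_id, mode, key), Receiver(tx_id, mode, key)
    out = {}

    # 1. Pilot punches the throttle. The hijacker sniffs this frame and learns the
    #    serial, the current counter and (if present) a valid tag for PUNCH.
    sniffed = tx.frame(PUNCH)
    rx.receive(sniffed, hop_channel(tx_id, sniffed.counter))

    # 2. Hijacker forges a frame for the next step and transmits before the real TX.
    forged = Frame(tx_id, sniffed.counter + 1, ATTACK)
    out["forged_accepted"] = rx.receive(forged, hop_channel(tx_id, forged.counter))
    f2 = tx.frame(HOVER)                                         # real TX, same step, arrives later
    out["pilot_after_forge"] = rx.receive(f2, hop_channel(tx_id, f2.counter))

    # 3. Hijacker replays the captured PUNCH frame (tag included) at the next step.
    replay = Frame(tx_id, f2.counter + 1, PUNCH, sniffed.tag)
    out["replay_accepted"] = rx.receive(replay, hop_channel(tx_id, replay.counter))
    f3 = tx.frame(HOVER)
    out["pilot_after_replay"] = rx.receive(f3, hop_channel(tx_id, f3.counter))
    out["controls_in_effect"] = rx.last_controls
    return out


if __name__ == "__main__":
    for m in ("legacy", "static_mac", "rolling_mac"):
        print(m, simulate(m))
```

In the legacy variant the forged frame is accepted and the pilot's own frame for the same step is silently dropped, exactly the one-way "no indication it is no longer in control" failure. Adding a bind-time key with a tag over serial and controls stops forgery but not replay: a captured full-throttle frame is still accepted later. Only when the counter is covered by the tag (the rolling element the comment calls for) do both the forgery and the replay fail and the pilot keep control; the hop channel, however, is still predictable, so the link can still be jammed.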