Glaring Vulnerabilities Make Many Commercial Drones 'Insecure by Design' (threatpost.com)

Slashdot reader msm1267 quotes ThreatPost: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device. The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models -- manufactured by the same company but sold under different names -- are also vulnerable.

They contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone's filesystem and modify its root password... Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device's live feed or the drone's open ports.
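The two weaknesses the summary names, an open access point and an FTP server that hands out read/write access to the filesystem, are both visible in a device's own configuration. The audit below is an added example, not code from ThreatPost, US-CERT or the drone's vendor; it assumes vsftpd-style and hostapd-style key=value config files, and the sample configs, SSID and paths are constructed.

```python
# Added example: flag the config settings behind an open AP and an anonymous
# read/write FTP server. Key names are real vsftpd/hostapd keys; values are constructed.
WEAK_FTP = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_root=/
"""
HARDENED_FTP = """\
anonymous_enable=NO
write_enable=NO
"""
WEAK_AP = "interface=wlan0\nssid=EXAMPLE-DRONE\nchannel=6\n"
HARDENED_AP = WEAK_AP + "wpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\nwpa_passphrase=CHANGE-ME\n"

def parse_kv(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf

def audit_ftp(text):
    """Findings for a vsftpd.conf: anonymous login, anonymous writes, whole-disk root."""
    c = parse_kv(text)
    on = lambda k: c.get(k, "NO").upper() == "YES"  # vsftpd booleans default to NO
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous login enabled")
        anon_write = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")
        if on("write_enable") and any(on(k) for k in anon_write):
            findings.append("anonymous users can write or delete files")
        if c.get("anon_root") == "/":
            findings.append("anonymous root is the whole filesystem")
    return findings

def audit_ap(text):
    """Findings for a hostapd.conf: an open AP, or WPA enabled without a key."""
    c = parse_kv(text)
    if c.get("wpa", "0") == "0":  # hostapd default: no WPA at all
        return ["open access point: no WPA configured"]
    if not any(k in c for k in ("wpa_passphrase", "wpa_psk", "wpa_psk_file")):
        return ["WPA enabled but no passphrase or PSK set"]
    return []
```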

22 comments

  1. Unsafe by design by Anonymous Coward · · Score: 0

    Nothing about commercial drones is safe. They've been designed by people who don't give a shit about safety, are unaware of aviation, and don't give a shit if they hurt someone. Nothing says capitalism like throwing away a hundred years of aviation safety research.

    1. Re: Unsafe by design by Anonymous Coward · · Score: 0

      Safety is a feature, you need to pay more for that.

    2. Re: Unsafe by design by Anonymous Coward · · Score: 0

      No you need to give a shit.

  2. Commercial? by ColdWetDog · · Score: 3, Insightful

    TFA makes a big deal about vulnerabilities in 'commercial' UAVs but then goes on about obtaining root in an obvious 'toy' quadcopter. Not the $60,000 big boys that might be fun (or lucrative) to steal or, more threateningly, drop on somebody's head. A half kilogram plastic thing that might poke your eye out if you tried hard enough.

    Hell, I (and a whole bunch of others) would love for somebody to root the DJI quads. Then we can get rid of some of the more recent 'improvements' in the firmware.

    Really, I'm not seeing this. Somebody pops the innards of a cheap, Chinese toy.

    Woot!

    --
    Faster! Faster! Faster would be better!
    1. Re:Commercial? by Anonymous Coward · · Score: 0

      Improvements?

      Go on...

    2. Re:Commercial? by BarbaraHudson · · Score: 1

      Exactly.

      " plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device"

      It's a feature. And a lot quieter than using a shotgun on them, or hiring eagles to kill them dead.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:Commercial? by ColdWetDog · · Score: 1

      DJI already has that as a built in feature. A quick perusal of the various forum threads shows that the two most common behaviors are crashing or just running away.

      The other way to look at this, however, is perhaps they're learning. They're taking the first steps towards Skynet. Hiding in crevices, sewers, old Novell servers hidden in back rooms. Waiting for the final reflash.

      (Stares at the pair of Phantoms on the shelf.)

      --
      Faster! Faster! Faster would be better!
    4. Re:Commercial? by Harlequin80 · · Score: 1

      It's even got crappy plastic prop guards. This thing is not even a very good toy.

      Come back when someone can hack an Inspire in flight.

    5. Re:Commercial? by arglebargle_xiv · · Score: 1

      Meh, that's for wooses. Russian solution is more economical.

    6. Re:Commercial? by geekmux · · Score: 1

      TFA makes a big deal about vulnerabilities in 'commercial' UAVs but then goes on about obtaining root in an obvious 'toy' quadcopter. Not the $60,000 big boys that might be fun (or lucrative) to steal or, more threateningly, drop on somebody's head. A half kilogram plastic thing that might poke your eye out if you tried hard enough.

      Hell, I (and a whole bunch of others) would love for somebody to root the DJI quads. Then we can get rid of some of the more recent 'improvements' in the firmware.

      Really, I'm not seeing this. Somebody pops the innards of a cheap, Chinese toy.

      Woot!

      Drop a drone into 8 lanes of freeway traffic, and tell me again how a "toy" should always be dismissed as harmless as chaos ensues from distracting drivers.

      And if you have suggestions for vendors to correct 'improvements' to their hardware, then let them know instead of sitting around waiting for a hack.

    7. Re:Commercial? by Anonymous Coward · · Score: 0

      Drop a drone into 8 lanes of freeway traffic, and tell me again how a "toy" should always be dismissed as harmless as chaos ensues from distracting drivers.

      I did years of long-distance freeway driving and became very quick at evaluating debris on the road. Yes, you'll see people swerve dangerously to avoid an empty plastic bag blowing across the road or a simple sheet of cardboard. So, yes, people are stupid. If I saw a toy drone on the road, I'd probably aim for it, especially if it was still flying.

  3. Ummm.,, really not a problem by Anonymous Coward · · Score: 0

    I appreciate that there are certain mission critical systems where security is paramount and lives are at steak... but this is certainly not one of them. Simply put, nobody is going to waste the time and energy to exploit this hole for no reason other than because it's there. These are just researchers trying to issue random alerts about every little thing to try to justify their budget. In reality all they're doing is scaring people and numbing people to the fact that other, more important systems have attack vectors that do need attention.

  4. The Internet of Shit by Gravis+Zero · · Score: 1

    The Internet of Shit has been known to be insecure for a long time. Now there are people bricking these shitty devices which I do not object to because it's only possible due to neglect by the device maker.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:The Internet of Shit by Anonymous Coward · · Score: 0

      Most of which are made in China and other locations whose governments would love to spy on the US. Bricking them is a good thing.

      High security standards should be enforced for all networked and wireless equipment. Violators should have their devices rejected at the port of entry.

    2. Re: The Internet of Shit by Anonymous Coward · · Score: 0

      Exactly. Brick them. Make it public. No one can use them for bot nets. No one will buy an identical replacement model knowing it will be bricked again and cost money.

      Why are we not doing this? This is a genuine public service.

  5. Lives are at steak by Anonymous Coward · · Score: 1

    You are all tasty cows. Moo! say the tasty cows...MOOOO!

  6. a reality check by Max_W · · Score: 3, Interesting

    A car with a speed of 320 km/h, an engine of 500 hp, and a weight of 3 tons is potentially much more dangerous than a tiny drone, isn't it? Still basically anyone can buy and drive a car.

    1. Re:a reality check by hey! · · Score: 2

      As easy as it is to overlook how dangerous a car is, it's also just as easy to overlook how much effort we put into dealing with that. An alien anthropologist would be astonished by how much time and money we put into automobile regulation.

      We think of police as crime fighting organizations, but that hypothetical alien anthropologist, going strictly by observations, would conclude that their primary purpose is to control automobiles. Automobile licensing is the sole thing for which the majority of the population voluntarily submits itself to a competency test. It doesn't seem strange to us at all that all states have multiple major departments devoted in some way to the automobile -- the registry of motor vehicles, highway patrol, highway department etc.

      The point of all this is to reduce the dangers posed by automobiles to a level that is tolerable in comparison to their benefits. At some point the risk is irreducible, because there's nothing you can do about a driver who is homicidal and suicidal; you just make a (implicit) value judgment that the benefits outweigh the costs.

      The same logic, applied to drones, will surely lead to different places because while the dangers presented by drones are small, so are their benefits.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  7. Ha Lame click bait article by Anonymous Coward · · Score: 0

    An 80 dollar shitty toy that no one gives a fuck about. Fuck off slashdot.

  8. How else do you upgrade them? by RogueWarrior65 · · Score: 1

    How else do you allow updates to the system without root access?

  9. I guess someone was at DEFCON 23. by Mal-2 · · Score: 1

    Someone evidently saw this talk and decided to try it at home. These vulnerabilities have been public for a couple years now.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  10. Legal problems with drone hacking and hijacking. by Anonymous Coward · · Score: 0

    Even if it's just "toy" drones in question, laws are written in many countries now with strict liability for the operators of the drones, on the primary assumption that they are the only ones using the drone, and are therefore liable for any accidents or breaches of the law caused by drone operation.

    As a drone operator, even if the drone isn't a danger to others, you'd have to be worried that someone who doesn't want you operating the drone nearby, or perhaps has commercial reasons for attacking your fleet, might use this to cause you harm - kind of like "SWATting" but on a different level.

    And, of course, people think wifi is close-range, but with the right antenna, tens of kilometers is quite possible to access wifi -

    So this does represent a significant threat - though perhaps not so much to the general public.