Slashdot Mirror


Glaring Vulnerabilities Make Many Commercial Drones 'Insecure by Design' (threatpost.com)

Slashdot reader msm1267 quotes ThreatPost: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device. The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models -- manufactured by the same company but sold under different names -- are also vulnerable.

They contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone's filesystem and modify its root password... Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device's live feed or the drone's open ports.

3 of 22 comments

  1. Commercial? by ColdWetDog · Score: 3, Insightful

    TFA makes a big deal about vulnerabilities in 'commercial' UAVs but then goes on about obtaining root in an obvious 'toy' quadcopter. Not the $60,000 big boys that might be fun (or lucrative) to steal or, more threateningly, drop on somebody's head. A half kilogram plastic thing that might poke your eye out if you tried hard enough.

    Hell, I (and a whole bunch of others) would love for somebody to root the DJI quads. Then we can get rid of some of the more recent 'improvements' in the firmware.

    Really, I'm not seeing this. Somebody pops the innards of a cheap, Chinese toy.

    Woot!

    --
    Faster! Faster! Faster would be better!
  2. a reality check by Max_W · Score: 3, Interesting

    A car with a speed of 320 km/h, an engine of 500 hp, and a weight of 3 tons is potentially much more dangerous than a tiny drone, isn't it? Still basically anyone can buy and drive a car.

    1. Re:a reality check by hey! · Score: 2

      As easy as it is to overlook how dangerous a car is, it's also just as easy to overlook how much effort we put into dealing with that. An alien anthropologist would be astonished by how much time and money we put into automobile regulation.

      We think of police as crime fighting organizations, but that hypothetical alien anthropologist, going strictly by observations, would conclude that their primary purpose is to control automobiles. Automobile licensing is the sole thing for which the majority of the population voluntarily submits itself to a competency test. It doesn't seem strange to us at all that all states have multiple major departments devoted in some way to the automobile -- the registry of motor vehicles, highway patrol, highway department etc.

      The point of all this is to reduce the dangers posed by automobiles to a level that is tolerable in comparison to their benefits. At some point the risk is irreducible, because there's nothing you can do about a driver who is homicidal and suicidal; you just make an (implicit) value judgment that the benefits outweigh the costs.

      The same logic, applied to drones, will surely lead to different places because while the dangers presented by drones are small, so are their benefits.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.