Unmanned Aerial Vehicles (or drones) are undoubtedly one of the characteristic technologies of the 21st century. Drones are increasingly incorporated into professional services within commercial, security and relief sectors. At the 2016 BlackHat conference (Asia), independent security researcher Nils Rodday presented a briefing illuminating the network-connection vulnerabilities plaguing most commercial and professional drones utilised outside the military (e.g. the MQ-1 Predator).(1) In his briefing, Rodday revealed that commercial drones could be hijacked by exploiting vulnerabilities within their Command, Control and Communication (C3) architecture.
Over the last decade, research has been devoted to resolving this vulnerability, as is apparent from the various technical research papers published on the subject.(2) Research found that the vulnerabilities are not in the drones themselves, but in the communication formats and equipment they utilise. Most advanced commercial drones contain several additional features such as automated flight through pre-established waypoints, or the relaying of live high-resolution imagery – usually to a smart device (e.g. a tablet or smartphone). These functions require the smooth transfer of large volumes of data.
This can be achieved through telemetry links comprising a WiFi network relaying information to a telemetry module which subsequently relays commands to the drone. Such is the C3 architecture of most advanced commercial drones. Essentially, research has shown that pre-existing vulnerabilities reside within the communication links themselves – here is where it gets technical.
First, WiFi 802.11 has pre-existing vulnerabilities within its Media Access Control (MAC) Layer and its Wired Equivalent Privacy (WEP) security algorithm, which leave it susceptible to attack types like Man-in-the-Middle and Session-Hijacking, as detailed in a GIAC Gold Paper by David Weiler.(3) Drone-lovers have since begun to develop protocols allowing WiFi communications via Wi-Fi Protected Access (WPA), the successor to WEP that provides enhanced security.(4) However, these security measures can still be breached if the correct conditions are achieved.(5)
Second, the telemetry modules popularly used in most drone C3 architectures are from the XBee series, developed by Digi International – Rodday’s research focused on the XBee 868LP Radio Frequency module.(6) His research revealed that the XBee 868LP modules were designed for open radio-frequency (RF) scanning. This meant that everyone could read/send commands via the XBee 868LP frequency. Drone commands are usually achieved through AT (attention) Commands, encoded as ASCII characters and transmitted as UDP or TCP packets. This makes such communication streams susceptible to Packet-in-Packet injections which could lead to a de-authentication of the user and other malicious outcomes. In his briefing, Rodday reveals how commands encoded in ASCII (basically hexadecimals) are used to convert plain-text commands into lines of code within the Android APK, the file format of most drone C3 architectures.
Basically, an attacker could (with the right equipment) intercept, decompile and manipulate the transmitted commands.
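The weakness described above, that a receiver obeys any ASCII command arriving on an open link, is shown below beside a hardened receiver that requires a keyed tag and a fresh counter on every frame. This is an added example, not code from Rodday's research or from any drone vendor; the frame layout, the key and the `AT+...` command strings are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # length of the HMAC-SHA256 tag appended to each frame


def naive_accept(frame: bytes) -> str:
    """Link as described above: any ASCII command on the channel is obeyed."""
    return frame.decode("ascii").strip()


def seal(key: bytes, counter: int, command: str) -> bytes:
    """Ground station side: prefix a counter, append a tag over both."""
    body = f"{counter}|{command}".encode("ascii")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Drone side: obey a command only if its tag verifies and it is fresh."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) <= TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # sender does not hold the key, or frame was altered
        try:
            counter_text, command = body.decode("ascii").split("|", 1)
            counter = int(counter_text)
        except ValueError:  # also covers UnicodeDecodeError
            return None
        if counter <= self._last_counter:
            return None  # replay of a previously captured frame
        self._last_counter = counter
        return command


def demo():
    key = b"constructed-demo-key"  # constructed; a real link needs a provisioned secret
    rx = AuthenticatedReceiver(key)
    good = seal(key, 1, "AT+WAYPOINT=3")  # constructed command, not a real drone's set
    forged = b"2|AT+LAND" + bytes(TAG_LEN)  # well-formed frame without the key
    return [naive_accept(b"AT+LAND\r\n"), rx.accept(good), rx.accept(good), rx.accept(forged)]
```

The tag gives authenticity and replay protection only; commands and telemetry remain readable to anyone listening unless the link is also encrypted.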
Drones are becoming more commonplace in our society, especially with the progressive advancement of robotics, computer processing and sensor developments. Within professional and commercial sectors, drones are fundamentally designed for three main purposes.
First is payload delivery. The startup Zipline International intends to use drones to coordinate the flyby and ‘airdrop’ of vital medication to isolated communities in Africa. In July, it commenced its programme in Rwanda – in partnership with the local government.(7)
Second is digital media. Within the media industry, drone developer DJI has made significant strides in designing and manufacturing various models with advanced cameras and shot-stabilization gyros.(8) According to multiple reviews from the commercial, film and ‘enthusiast’ sectors, the DJI models have consistently achieved recognition for the quality and capabilities of their drones. Only recently, DJI released their new drone, the Mavic, which possesses an operational range of 7km.
Third is intelligence generation. The surveillance and reconnaissance capabilities of drones, exhibited through their military applications, have undoubtedly been recognized by other government agencies as well, namely the police and rescue services, which is perhaps the largest sector to repurpose commercially available drones.(9) To the police, drones could provide valuable tactical information to Special Weapons and Tactics Teams (SWAT) before intervening in a hostage situation, or allow reconnaissance in areas otherwise too dangerous or enclosed for human surveillance operations.(10) We already see drones (although RC and short range) used in bomb-disposal operations – and already having been repurposed and used for shooting a suspect.(11) To rescue services in the frozen alps, open waters or in disaster relief situations, drones could be outfitted with advanced sensors to support relief operations.(12) Such forms of intelligence could significantly improve the operational speed, and ensure the wellbeing of service personnel.
Ramifications & Rectifications
The ramifications of a compromised drone, specifically for industry, are significant. For aid-relief companies like Zipline International, a hijacked drone can mean vital medical supplies not being delivered to the intended recipient or communities. Drones could be rerouted or drop-zones pinpointed for kinetic takeovers by malicious actors. Remember, the drone’s sole function is only the ‘delivery’ and not necessarily the ‘security’ of the payload itself. Rectifying this could significantly raise developmental costs. To the film industry, a hacked drone could mean its footage being siphoned off and sold to competing agencies, or leaked online. Both could significantly decrease the box-office value of the film or result in the leaking of critical product information, if it was a commercial. To the civil-services, a downed drone would lead to the exposure of surveillance operations and/or the death of civilians in trouble. Especially with police operations, intelligence is vital for the apprehension of sophisticated, adaptive and highly-organized criminal organizations.
It is important to realise that before the rise of the ‘drones’, these kinds of operations were conducted by humans. While drones have undoubtedly augmented our capabilities, an overdependence could spell disaster – specifically for the civil-services and relief agencies. Drones are here to stay and, as the research has shown, it’s not the drones which are vulnerable but the communication platforms which they operate on. Does this remove the security responsibilities from drone developers? No, but it does highlight network security issues within our current communication and data transfer platforms that must be addressed.
(1) Rodday, N.M. [Slide Deck] Hacking a Professional Drone, (BlackHat: Marina Bay Sands, SG), 2016; Available from: https://www.blackhat.com/docs/asia-16/materials/asia-16-Rodday-Hacking-A-Professional-Drone.pdf, (Accessed October 13 2016).
(2) Won, J., Seo, S-H. & Bertino, E. A Secure Communication Protocol for Drones and Smart Objects, (Purdue University: IN), 2015.
(3) Weiler, C.D. ‘802.11x Vulnerabilities, Attacks and Solutions’, Global Information and Assurance Certification Paper, (Sans Institute: United States), 2002.
(4) @daraosn, AR.Drone WPA/WPA2 support, GitHub.Inc, 2013; Available from: https://github.com/daraosn/ardrone-wpa2, (Accessed October 12 2016).
(5) Poddar, V. & Choudhary, H. ‘A comparative analysis of wireless security protocols (WEP and WPA2)’, International Journal on AdHoc Networking Systems (IJANS), 5(3), 2014; as cited in Rodday, N. ‘Exploring the vulnerabilities of unmanned aerial vehicles’, (Master’s Thesis: University of Twente, NL), 2015.
(6) Rodday, N.M. & Schmidt, R.O. & Pras, A. ‘Exploring Security Vulnerabilities of Unmanned Aerial Vehicles’, University of Twente (The Netherlands), 2015; Available from: http://essay.utwente.nl/67577/, (Accessed October 1 2016).
(7) Toor, A. ‘Drones will begin delivering blood and medicine in the US’, TheVerge, (August 2 2016); Available from: http://www.theverge.com/2016/8/2/12350274/zipline-drone-delivery-us-launch-blood-medicine, (Accessed October 24 2016).
(8) DJI [Corporate Website], Available from: http://www.dji.com, (Accessed October 25 2016).
(9) InterDrone: The International Drone Conference and Exposition, (Paris Hotel, Las-Vegas, NV), September 2016; Available from: http://www.interdrone.com/police-fire-search-and-rescue-interdrone-2016, (Accessed October 18 2016).
(10) Beake, N. ‘London airport police to use surveillance drones’, BBC, (23 April 2015); Available from: http://www.bbc.co.uk/news/uk-england-london-32431630, (Accessed October 20 2016).
(11) Allison, P.R. ‘What does a bomb disposal robot actually do?’, BBCFuture, (15 July 2016); Available from: http://www.bbc.com/future/story/20160714-what-does-a-bomb-disposal-robot-actually-do, (Accessed October 20 2016).
(12) Waharte, S. & Trigoni, N. ‘Supporting Search and Rescue Operations with UAVs’, Proceedings of the 2010 International Conference on Emerging Security Technologies, (University of Oxford: Oxford, UK), September 2010.
This article first appeared in the Cyber World December 2016 edition.