Unencrypted key allows drone hijacking
Thu 27 Oct 2016
A researcher has discovered a new technique for hijacking drones by attacking a popular radio-control protocol known as DSMx.
The protocol is used by millions of hobbyist devices, including radio-controlled toy cars, airplanes, helicopters and boats. Jammers can already disrupt a radio link and knock a drone off its flight path, but security researcher Jonathan Andersson of Trend Micro DVLabs has now found an exploitable weakness that lets an attacker take complete control of the aircraft itself.
In his presentation at the 2016 PacSec security conference in Tokyo, Andersson explained that the binding key which pairs a transmitter with a DSMx receiver is never encrypted, so it can be recovered by brute force from the over-the-air traffic. He also found a timing weakness: if an attacker's command frames arrive just ahead of the legitimate ones, the receiver acts on the attacker's frames and discards the real operator's instructions.
Using a small device called Icarus, built from off-the-shelf electronics and a software-defined radio (SDR), Andersson showed how an attacker can seize control of such radio-controlled devices, locking out the original operator within seconds.
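The two weaknesses above, an identifier sent in the clear and a receiver that simply trusts the first frame to arrive in each time slot, can be illustrated with a small simulation. The model below is an added example written for this page; it is a deliberately simplified toy, not the DSMx protocol, and the bind ID, 22 ms slot timing, command strings and the HMAC-based hardened receiver are all constructed for illustration. It shows an attacker who knows the unencrypted bind ID transmitting slightly earlier than the owner, and then the same traffic against a receiver that requires a per-frame authentication tag under a secret the attacker does not have.

```python
"""Toy model of an unauthenticated radio-control link (not DSMx itself)."""
import hmac
import hashlib
from dataclasses import dataclass

# Constructed values: the bind ID is what the toy protocol sends in the clear.
BIND_ID = b"\x3a\x7f\x10\xc2"
SLOT_MS = 22.0


@dataclass
class Frame:
    bind_id: bytes   # identifier the receiver was bound to, sent unencrypted
    seq: int         # frame counter
    cmd: bytes       # control payload
    t_ms: float      # arrival time in milliseconds
    tag: bytes = b""  # authentication tag, only meaningful for AuthReceiver


def mac(key: bytes, bind_id: bytes, seq: int, cmd: bytes) -> bytes:
    """Hypothetical per-frame tag: HMAC-SHA256 over id, counter and payload."""
    msg = bind_id + seq.to_bytes(4, "big") + cmd
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ClearReceiver:
    """Accepts the first frame per slot whose bind ID matches; no authentication."""

    def __init__(self, bind_id: bytes):
        self.bind_id = bind_id
        self.last_slot = -1

    def receive(self, frame: Frame):
        if frame.bind_id != self.bind_id:
            return None
        slot = int(frame.t_ms // SLOT_MS)
        if slot <= self.last_slot:
            return None  # slot already served; later frame is dropped
        self.last_slot = slot
        return frame.cmd


class AuthReceiver(ClearReceiver):
    """Same slot logic, but a frame must carry a valid tag and a fresh counter."""

    def __init__(self, bind_id: bytes, key: bytes):
        super().__init__(bind_id)
        self.key = key
        self.last_seq = -1

    def receive(self, frame: Frame):
        if frame.bind_id != self.bind_id:
            return None
        expected = mac(self.key, frame.bind_id, frame.seq, frame.cmd)
        if not hmac.compare_digest(expected, frame.tag):
            return None  # forged or unauthenticated frame: ignored, slot stays open
        if frame.seq <= self.last_seq:
            return None  # replayed frame
        slot = int(frame.t_ms // SLOT_MS)
        if slot <= self.last_slot:
            return None
        self.last_seq = frame.seq
        self.last_slot = slot
        return frame.cmd


def simulate(receiver, owner_key: bytes, n_slots: int = 5):
    """Owner sends 'hover' 1.0 ms into each slot; attacker sends 'descend' 0.5 ms in.

    The attacker knows BIND_ID (it was sent in the clear) but not owner_key.
    Returns the list of commands the receiver actually acted on.
    """
    accepted = []
    for s in range(n_slots):
        base = s * SLOT_MS
        attacker = Frame(BIND_ID, s, b"descend", base + 0.5)  # no valid tag
        owner = Frame(BIND_ID, s, b"hover", base + 1.0,
                      tag=mac(owner_key, BIND_ID, s, b"hover"))
        for frame in sorted([attacker, owner], key=lambda f: f.t_ms):
            cmd = receiver.receive(frame)
            if cmd is not None:
                accepted.append(cmd)
    return accepted


OWNER_KEY = b"constructed-secret-shared-at-bind-time"


def run_clear():
    return simulate(ClearReceiver(BIND_ID), OWNER_KEY)


def run_auth():
    return simulate(AuthReceiver(BIND_ID, OWNER_KEY), OWNER_KEY)


if __name__ == "__main__":
    print("unauthenticated receiver:", run_clear())
    print("authenticated receiver:  ", run_auth())
```

With the unauthenticated receiver every slot is won by the attacker, and the owner's frames are thrown away as late duplicates, which is the lock-out effect described above. With the authenticated variant the attacker's early frames fail the tag check without consuming the slot, so the owner's frames are still honoured; the counter check additionally stops an attacker from replaying a captured valid frame.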
Commercial drones and radio-controlled aircraft are of increasing concern, with airlines afraid of collisions and property owners worrying that their privacy is being invaded. No-fly zones and geofence boundaries are being introduced slowly, but users often pay little attention, and officials are even considering legislation to reduce the risk.
Andersson argues that commandeering a potentially dangerous drone and landing it under control is a safer, less destructive option than shooting it down mid-flight. In the hands of law enforcement that may be so, but Icarus in the hands of a malicious actor is another matter altogether.
Andersson sees little that can be done to fix the problem beyond issuing patches and updated hardware, and securing the industry-wide protocol in future UAVs.
‘My guess is that it will not be easy to completely remedy the situation,’ Andersson told Ars Technica. ‘The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, [and] transmitters that come with models and standalone receivers. Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side…’