A security researcher has demonstrated to the RSA Conference crowd how he – or anyone, for that matter – can take over control of a drone used by the Dutch police and make it do anything the rightful owner can.
The hijacking – executed via a Man-in-the-Middle (MitM) attack combined with command injection – can be performed easily and very cheaply, researcher Nils Rodday says: you just need a laptop and a cheap radio chip connected via USB.
Rodday performed this research for his master's thesis at the University of Twente, and was helped by the fact that the manufacturers of the drone provided one for free for testing.
They asked that the company remain unnamed, but welcomed the research and will hopefully, in time, implement changes that will prevent this type of attack.
The problem is in the weak WEP encryption used in the connection between the drone’s Wi-Fi telemetry module and the drone user’s tablet, as well as the insecure radio protocol that carries communication between the telemetry module and the drone (i.e. between the XBee chips on each).
The XBee chips have built-in encryption capabilities, but they are not used because it would cause a delay between the sending of the commands and the drone obeying them – and users wouldn’t like (and would not pay for) that.
The problem can be solved by using chips that can perform encryption faster, and hopefully that’s something that the drone maker will consider. But the drones that they have already sold can’t be updated, and this is probably one of the reasons for keeping the name of the manufacturer secret.
Even so, the same problem – insecure communications – is more than likely to be found in drones developed and created by other companies.
Rodday’s aim was to raise awareness among manufacturers and the public of the vulnerabilities in Unmanned Aerial Systems used for critical operations.