You may have heard stories about angry neighbors unloading shotguns into drones when they stray too close. We can argue about the merits of that particular approach another time. Now, one researcher has demonstrated a much more subtle way to discourage rogue pilots, and not a single shot needs to be fired. What if you could simply hack drones that venture where they shouldn’t?
With more consumer drones buzzing around our skies, there have been plenty of cases of pilots flying where they shouldn’t. Although most of these are innocent in nature, some rogue drones have had genuine consequences, whether delivering contraband into prisons, drifting into airport airspace or getting in the way of firefighters. Clearly, a minority of drone pilots need to fly more responsibly. The fact that a burgeoning anti-drone security industry is beginning to take off hints at the scale of the problem.
Last week at a conference in Japan, security researcher Jonathan Andersson, who’s the manager of the Advanced Security Research Group at Trend Micro DVLabs, demonstrated a new toy that could have a big impact on drone pilots and the consumer industry going forward.
‘Toy’ is probably the wrong word. This is a gadget that can hack drones, and its name is Icarus. Icarus is capable of hijacking many popular consumer drones in mid-air, allowing the hacker to lock the pilot out completely and take full control of the device. Clearly, this highlights a pretty fundamental security flaw in consumer drones and is something that casual pilots should be wary of. But it also opens the door to anti-drone security companies, who are always keen to find new ways of mitigating the risks posed by drones. Especially if it means tech that can hack drones, not just shoot them down.
Icarus is a small radio transmitter that can hack drones using the DSMx radio protocol, a widely used remote control protocol for consumer drones. Icarus can seize control of nearby drones as they’re in mid-flight, causing the operator to experience a full loss of function, from altitude and acceleration to steering. But this isn’t just a signal jammer; it’s a total takeover.
Drone hijack hardware demonstration at PacSec in Tokyo. pic.twitter.com/NQxA82qJTD
— dragosr (@dragosr) October 26, 2016
Speaking to Arstechnica, Andersson explained that Icarus works due to fact that the way in which DSMx uses connects remote control to drone doesn’t cloak a vital piece of information shared between the two devices:
“The shared secret (‘secret’ used loosely as it is not encrypted) exchanged is easily reconstructed long after the binding process is complete by observing the protocol and using a couple of brute-force techniques,” Andersson said. “Further, there is a timing attack vulnerability wherein I synchronize to the target radio’s transmissions and transmit a malicious control packet ahead of the target, and the receiver accepts my control information and rejects the targets.”
So what can hobbyist pilots do to protect themselves from rogue hackers seeking to take control of their drones? The answer is not much.
The worrying thing is that DSMx technology is widely used in the consumer drone spectrum, albeit toward the bottom end of the market. While it’s great for range and radio performance, this is a pretty obvious security flaw that could potentially impact a lot of RC pilots.
With DSMx widely used in the RC world, Andersson suggests that “It will not be easy to completely remedy the situation. The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, [and] transmitters that come with models and standalone receivers. Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side.”
Direct Sequence Spread Spectrum attack hardware. All the RC protocols from any manufacturer could be attacked and hijacked this way. pic.twitter.com/477Jh0kyoN
— dragosr (@dragosr) October 26, 2016
The Icarus device has not been made for sale, despite the potential applications in the anti-drone security industry. But if one security wizard is able to put it together, who knows whether similar devices will start becoming available in the near future.