A security researcher has demonstrated how high-end drones commonly deployed by government agencies and police forces can be remotely exploited by rogue hackers. Outlining his findings at the annual RSA conference in San Francisco on 2 March, researcher Nils Rodday explained how security flaws in a drone's radio connection gave him the ability to hijack the device with only a laptop and a cheap USB-connected chip.
Rodday, who works for IBM but conducted the drone research during his time at the Netherlands' University of Twente, found he could easily exploit the lack of encryption between the drone and its controller module. Furthermore, he warned that any sophisticated hacker who is able to reverse engineer the device's software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground.
"If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure," Rodday told Wired before his RSA demonstration. "You can send a command to the camera, to turn it to the wrong side so they don't receive the desired information... or you can steal the drone, all the equipment attached to it, and its information."
'Crackable in seconds'
Ultimately, Rodday said he found two security vulnerabilities in the tested unmanned aerial vehicle (UAV), including severe issues with poorly encrypted Wi-Fi connections that left the device 'crackable in seconds'.
The problem, according to the researcher, was uncovered in a communication chip called 'XBee' that failed to properly implement strong encryption between the drone and its controller module, known as a 'telemetry box'. This leaves the drone open to a so-called 'man-in-the-middle' (MitM) attack in which a hacker could intercept everything happening on the UAV's network connection.
While Rodday signed a non-disclosure agreement with the manufacturer of the UAV in question, he did reveal that it is used for surveillance and costs around €20,000 ($21,700; £15,400). The same model is reportedly also used for power-line inspections, professional photography and agriculture applications, according to the BBC.
Worryingly, the expert indicated the vulnerabilities exposed by his research are not limited to the one model he tested. "I think this vulnerability exists in a lot of other set-ups. The impact of the whole thing is bigger than this manufacturer," he said.
Indeed, in his detailed 2015 thesis outlining the full scope of the research, Rodday concluded: "Although the costs for professional UAVs are extensively higher compared to consumer UAVs, the security of the investigated model can be judged insufficient.
"It was possible to perform a MitM attack on the XBee communication channel. As no encryption and authentication are applied anywhere, packets were successfully injected into the compromised channel, making the UAV react to the attacker's commands.
"Due to the fact that multiple UAV manufacturers are using the investigated technology, the impact of this research is high. This research will be shared with the manufacturers who are known to implement the investigated solutions and made publicly available."
He added: "There are presumably many more manufacturers using the vulnerable setup without revealing their hardware components to the public, leaving their setup prone to attacks. To encounter this issue, security awareness within the community of UAV manufacturers is important."