Drones are being considered for use in delivery, security, and plenty of other fields, but law enforcement and rescue workers are already using drone technology. However, security specialist Nils Rodday has demonstrated a hack that could allow someone to steal one of those expensive professional-grade drones from up to 2 kilometers away. Rodday, who works at IBM, says this can be accomplished with a little knowledge and $40 worth of hardware.
Rodday explained the attack at the Black Hat security conference in Asia. The problem is in the way many high-end drones use XBee RF chips to connect to the controller. The vendor of the drone used in this experiment declined to be named, for obvious reasons, but many drones use similar hardware and can cost nearly $30,000.
Many drone makers have failed to take advantage of the encryption features of the XBee chips because of the added performance overhead. The additional processing cycles can reduce battery life and increase response time, both of which are particularly undesirable for drone aircraft. This is what gave Rodday his opening, though. By examining the code in an Android app that can interface with the drone’s control interface, Rodday was able to copy the commands that would normally be sent by the intended controller. If the connection were encrypted, the drone would reject these commands. In this scenario, the operator is not completely locked out of the drone, but the attacker could issue commands that crash or divert the aircraft. He demonstrated by firing up the drone’s engines from his computer.
According to Rodday, an attacker could intercept and block the operator’s commands at distances up to 2 kilometers, then insert new commands. This man-in-the-middle attack is only the beginning, though. The XBee chips are considerably more vulnerable when you’re within 100 meters. At that range the drone’s ad-hoc Wi-Fi network comes into play; it is encrypted, but with WEP. Yes, the same WEP that was cracked and rendered near-useless years ago. Taking over this connection would be trivial, allowing an attacker to disconnect the operator’s controller and connect their own. At that point, the drone can be flown away and stolen.
The company that provided Rodday with the drone to test has been evaluating the results and considering how best to respond. The easiest way to patch the gaping security hole would be to enable encrypted communication with the drone. It’s unclear how many other drones might be vulnerable to the same attacks, but it might be a significant number.
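The fix the article describes, turning on the encryption the XBee chips already support, comes down to setting two module parameters: `EE` (AES encryption enable) and `KY` (the 128-bit AES link key), then writing the settings with `WR`. The following is an added example, not code from Rodday or from the drone vendor: it builds the XBee API-mode frames that carry those AT commands, and parses the module's AT-response frame so an integrator can confirm the change took effect. The frame layout (0x7E delimiter, 16-bit length, frame type 0x08 for an AT command and 0x88 for its response, and a checksum of 0xFF minus the low byte of the data sum) is the standard XBee API format; the assumption is that the drone firmware exposes the module over a serial link that accepts such frames, which is not stated on the page. The sample key and response bytes are constructed for illustration.

```python
"""Build and verify XBee API frames that enable the module's AES link encryption.

Added example (not the page's or the vendor's code). Assumes an XBee module in
API mode reachable over a serial port; the serial I/O itself is left to the caller.
"""
from __future__ import annotations

START_DELIMITER = 0x7E
FRAME_AT_COMMAND = 0x08   # host -> module: set or query an AT parameter
FRAME_AT_RESPONSE = 0x88  # module -> host: result of an AT command

# Status byte values reported in an AT-response frame.
AT_STATUS = {0: "OK", 1: "ERROR", 2: "Invalid command", 3: "Invalid parameter"}


def checksum(frame_data: bytes) -> int:
    """XBee API checksum: 0xFF minus the low byte of the sum of the frame data."""
    return 0xFF - (sum(frame_data) & 0xFF)


def build_at_frame(command: str, parameter: bytes = b"", frame_id: int = 1) -> bytes:
    """Wrap a two-letter AT command (plus optional parameter) in an API frame."""
    if len(command) != 2 or not command.isascii():
        raise ValueError("AT commands are exactly two ASCII letters")
    if not 1 <= frame_id <= 0xFF:
        raise ValueError("frame_id must be 1..255 so the module sends a response")
    data = bytes([FRAME_AT_COMMAND, frame_id]) + command.encode("ascii") + parameter
    length = len(data)
    return bytes([START_DELIMITER, length >> 8, length & 0xFF]) + data + bytes([checksum(data)])


def encryption_frames(link_key: bytes) -> list[bytes]:
    """Frames that turn on AES encryption, install a 128-bit key, and persist the settings.

    Sending these to both the drone-side and controller-side modules is the
    remediation the article describes; an unencrypted peer is then rejected.
    """
    if len(link_key) != 16:
        raise ValueError("KY expects a 16-byte (128-bit) AES key")
    return [
        build_at_frame("EE", b"\x01", frame_id=1),   # EE=1: encryption enabled
        build_at_frame("KY", link_key, frame_id=2),  # KY: the shared link key
        build_at_frame("WR", frame_id=3),            # WR: write settings to flash
    ]


def parse_at_response(frame: bytes) -> dict:
    """Validate an AT-response frame and return its fields.

    Raises ValueError on a wrong delimiter, length mismatch, bad checksum, or
    a frame type other than AT response, so a corrupted reply is never treated
    as confirmation that encryption is on.
    """
    if len(frame) < 9 or frame[0] != START_DELIMITER:
        raise ValueError("not an XBee API frame")
    length = (frame[1] << 8) | frame[2]
    data = frame[3:3 + length]
    if len(data) != length or len(frame) != 3 + length + 1:
        raise ValueError("frame length does not match declared length")
    if (sum(data) + frame[-1]) & 0xFF != 0xFF:
        raise ValueError("checksum mismatch")
    if data[0] != FRAME_AT_RESPONSE:
        raise ValueError(f"unexpected frame type 0x{data[0]:02X}")
    return {
        "frame_id": data[1],
        "command": data[2:4].decode("ascii"),
        "status": AT_STATUS.get(data[4], f"unknown ({data[4]})"),
        "value": bytes(data[5:]),
    }


def encryption_enabled(query_response: bytes) -> bool:
    """True when an 'EE' query response reports the module has encryption on."""
    parsed = parse_at_response(query_response)
    return parsed["command"] == "EE" and parsed["status"] == "OK" and parsed["value"] == b"\x01"


if __name__ == "__main__":
    # Constructed sample key; a real deployment generates one per fleet from a CSPRNG.
    sample_key = bytes(range(16))
    for f in encryption_frames(sample_key):
        print(f.hex(" "))
    # Constructed module reply: AT response, frame_id 1, command EE, status OK, value 01.
    reply = bytes.fromhex("7E 00 06 88 01 45 45 00 01 EB")
    print("encryption on:", encryption_enabled(reply))
```

In practice the three frames go out over the module's serial port in order, and the host should wait for the matching AT-response frame (same `frame_id`, status OK) before sending the next; the `KY` value is write-only on the module, so confirming the change means querying `EE` afterwards, which is what `encryption_enabled` checks.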