How to hack drones with just a $40 hardware from 2 km away

Pierluigi Paganini April 01, 2016

The IBM expert Nils Rodday revealed how to hack drones with just a $40 hardware from 2 km away by replicating its signals and blocking legitimate operators.

At the Black Hat Asia hacking conference, the IBM expert Nils Rodday revealed that hackers can hijack expensive professional drones from 2 km away by replicating its signals and blocking legitimate operators from reconnecting to the UAV.

I bet the Radday name is not new to you! Yes you are right! Nils Rodday presented at the annual RSA conference in San Francisco 2016 the findings of its study on hacking drones.

Rodday focused its previous research on remote hijacking high-end drones commonly deployed by government agencies and law enforcement agencies. The expert explained how to exploit security holes in the drone’s radio connection to gain control on the UAV, an attack that just need a laptop and a cheap USB-connected chip.

At the RSA conference he did not provide details on the specific drone model he has tested because he signed a non-disclosure agreement with its manufacturer of the UAV.

Back to our days, Rodday has found a way to hack drones by exploiting the lack of encryption for the communication between the drone and controller module. The researcher focused his analysis on the Xbee chip that is used in drones adopted in every industry, he demonstrated how hacking drones by sending legitimates commands discovered through a reverse engineering of the software running on the UAVs.

Rodday, with the assistance of the unnamed vendor, analyzed expensive quadcopters (€25,000) that are today used by many professionals in the private industries and law enforcement, discovering that they lack encryption implementation in on-board chips.

Irony of fate, hacking these quadcopters is very cheap, the expert used a $40 hardware and thanks to a basic knowledge of radio communications he succeeded in his experiment.

Rodday analyzed the software running on the drones and a mobile Android app which allows to control it. He discovered that despite the encryption is supported, the Xbee chips doesn’t use it due to performance problems, but he also discovered that the WiFi connection to the drone at altitudes below 100 metres uses the Wired Equivalent Privacy (WEP) protocol, which is notoriously vulnerable.

Basically the attacker can emulate the commands sent through the Android app to control the aircraft, this is quite simple by cracking the WEP connection and disconnecting the legitimate operators.

“You can break the WiFi WEP encryption and disconnect their tablet and connect your own, but you have to be within 100 metres,” Rodday explained to The Register“On the Xbee link we can perform a man-in-the-middle attack and inject commands between the UAV and the telemetry box from up to two kilometres away. 

“An attacker can re-route packets, block out [the operator], or let the packets go through, but I guess most attackers would [steal] it.”

A possible solution to prevent this attacks is to enable the Xbee encryption and encrypt communications, in this way it was impossible for the attacker to snoop on traffic and launch MITM attacks.

The manufacturer that helped Rodday is evaluating to encrypt communications in the drone firmware and the Android app.

UAVs are widely adopted by organizations in many industries, with their diffusion the number of threat actors interested in hacking them is increasing, for this reason it is necessary to implement all the necessary countermeasures using an approach to the security by design.

Pierluigi Paganini

(Security Affairs – hack drones, hijacking)

[adrotate banner=”9″]

you might also like

leave a comment