The case of flying saucer – Highway to the Danger Drone

Pierluigi Paganini January 04, 2017

One of the most discussed topics these days are the various nefarious uses that a Drone can be put to or just flown where they shouldn’t be.

2016 has been an eventful year bagged with mixed sentiments around the US presidential election, Brexit and Global terrorism striking the World’s news outlets. Simultaneously not far behind are the debates to seek, understand innovative venues/loopholes that have the potential to create havoc globally.  One of the most discussed topics these days are the various nefarious uses that Drones can be put to or just flown where they shouldn’t be.

Drone Pilots capabilities to fly a drone into restricted areas or the risk of harming others is a topic for another day. Here in this short blog, we have tried to look at the various strategies Governments and Aviation Authorities have attempted to instigate to curb the menace only to see a threat evolving which poses a danger to the drones themselves.

So just what is a drone anyway? For the sake of argument let’s focus on the type of aircraft that you can purchase as a consumer for Video and Photography purposes (as opposed to the firing missiles and blow up things type). The world’s media has slapped the label of “Drone” onto any Quadrocopter, Octocopter or any other modern platform without actually investigating the differences between commercial platform, military devices and traditional models. Essentially our UAV (Unmanned Aerial Vehicle -which is the correct term!) has four components:

  1. Power supply (typically a high power Li-Po Battery)
  2. Propulsion units (4+ motors)
  3. Transmitter (Video/Photo) / Receiver
  4. Motherboard (the Flight controller)

Up until number 3 we were in the same ballpark as remote control helicopters and other model aircraft, which are controlled with servos according to the radio signals. However, with the introduction of the Motherboard we now have a flying computer with just as many undisclosed security issues as any other Internet of Things (IoT) device. Just because there isn’t a cable connected to the device does not mean that it is not susceptible to attack. For a clear breakdown of what is and isn’t a drone we have the following:

  • Model Aircraft Remote control only, no preprogrammed flight paths etc.
  • Drone Equipped with a flight computer, however, has no ability to follow pre- programmed path, nor does it have any built-in intelligence
  • Unmanned Aerial Vehicle (UAV) Encompasses all of the features seen in a drone but has additional intelligence features (Object Tracking, Terrain/Hazard avoidance etc.)
  • Unmanned Aerial System (UAS) All components seen in a UAV with additional support equipment (Base Station etc.)

So let’s have a look at some of the ways that have been identified to remove consumer UAVs from the air.

Shotgun:         Eh, think we get this one! The US town of Deer Trail Colorado even attempted to enact a law to allow residents to hunt for federal UAV’s and shoot them down!

Net:      Police forces and organizers of sporting events around the world have been trialing nets which are launched from a bazooka. This expands in the air and fowls the UAV’s rotor blades bringing it crashing to earth. There are also other slightly less destructive methods used where nets are carried by other larger UAVs; this approach has been adopted by the police force in Tokyo[1]. These again snare the rotor blades and are designed to capture the errant flying machine rather than send it crashing to the ground and onto potential pedestrians.

RF Generator (Denial of Service!)        Or more simply a UAV Radio signal jammer. These devices overpower the radio signals (typically 2.4Ghz for most commercial UAVs which is the same range as standard Wi-Fi networks, Bluetooth connections, microwave ovens, car alarms, baby monitors, and ZigBee devices) with white noise causing the UAV to return to it’s “Home” position if this has been set (or is available) or at the very least severe the control from the Pilot. However, it should be noted that these devices themselves are highly illegal in most countries[2]. Some commercial firms are investigating Jamming Guns which target a narrow window and allow the operator to aim at the offending UAV without affecting other services.

Exploitation     The takeover of the UAV’s flight systems by an outside attacker by various technical means allowing the attacker to have complete control of the system for their own purposes. The owner/pilot is locked out and has no way of controlling the system.

Hacking UAVs is not new with the first high profile case being of an RQ-170 Sentinel stealth drone, a key weapon in the intelligence gathering arsenal of the US Central Intelligence Agency (CIA); the drone was diverted and captured by the Iranians in December 2011. In this case, the Iranian military had identified that the US Military utilized encrypted GPS frequencies for its control systems. They first jammed the drone’s communications link to its ground controllers (which forced the drone into autopilot mode) this also had the effect of forcing the drone to search for unencrypted commercial control channels. The Iranian attackers spoofed these signals sending wrong GPS coordinates tricking the drone into believing it was at its home base in Afghanistan, thus landing on Iranian territory to the welcoming arms of its attackers. It should be noted that the US Military disputed this account and stated that it was a system malfunction; however subsequently researchers have been able to reproduce the incident with commercial UAVs using encrypted GPS signals.

Security Analysts and Hackers alike have been investigating these types of attacks for some time now Samy Kamkar (an Independent researcher) created a program called “dronestrike” in 2013 where he mounted a Raspberry Pi computer running his code on his Parrot AR UAV 2.0 along with a wireless transmitter[3]. When his UAV was flown in the vicinity of another parrot UAV the dronestrike program would make a connection to the victim UAV and disconnect the owner/pilot and take control of the system itself.

Earlier this year Johns Hopkins University[4] set its capstone project for Master’s Degree students. The students’ task was to conduct wireless pen testing on a consumer UAV and then take what they had identified and craft exploits to attack the system. Three various strategies were identified all of which successfully broke the connection to the pilot:

  1. Denial of Service: The UAV was bombarded with over 1,000 wireless connection requests in a short period of time; each connection attempt asked to take control of the aircraft. This overloaded the UAV’s CPU causing it to shut down.
  2. Buffer Overflow: In this scenario, an exceptionally large data packet was sent to the UAV. This exceeded the buffer in the UAV’s flight application causing the aircraft to crash.
  3. Spoofing: The third scenario utilized an attack against the controller rather than the UAV. A fake packet was sent to the controller impersonating the UAV itself. The Controller severed the connection with the real UAV resulting in the aircraft making an emergency landing. XBee – Spectral analysis is seen to be utilized aggressively here.

These three types of attacks are nothing new to Cyber Security Analysts with these types of attacks occurring daily in Enterprise computer systems. But surely we as an industry don’t really have to be that worried about this, as these are only isolated case for hobbyist fliers? Think again, a UAV is a flying computer. Computers get hacked. Period!

drone

To add complication to this many logistical firms are trialing UAV delivery systems including Amazon, DHL and Domino’s Pizza to name but a few. Amazon has already been awarded a patent for the flying warehouse, (AFC) an airborne fulfillment center. The notion is that AFC could be used as a launch pad for drones to make local deliveries.  The approved patents highlight that AFC would be housed at about 45,000 feet allowing UAVs to be stocked, deployed and flown as necessary.

With the above development moving forward the possibility of hacking into a UAV and divert it without the owner knowing where it has gone will be a massive incentive for criminals seeking to steal the deliveries flying over their heads. With the assistance of insiders within the delivery firm the criminals can target specific cargos. Already we have seen evidence where attackers are easily able to intercept the operator’s command at a distance up to 2 kilometers and spoof its own. At a distance of 100 meters, WEP can be easily cracked and the drone can be stolen.

A number of firms are now looking to UAV’s to provide a mobile security platform for organizations with large estates or in the case of smaller UAV’s warehouse security. The opportunity to attack these platforms is twofold. Firstly an attacker who is able to take control of the UAV is then able to turn it’s “eyes” away from any intruders on the ground. Secondly and more worrying is where the attacker diverts the drone, lands it and attaches their own monitoring equipment cameras with transmitting equipment etc.  to the aircraft. When this is returned to the control of the automated system/pilot the UAV will continue about it’s tasks as though nothing has happened, all the while becoming a physical Trojan Horse to the attached monitoring equipment. This could lead to the loss of trade secrets with the likes of the indoor warehouse UAVs. This kind of attack can also be used to kill out market competition, not to forget current 70% of the commercial drone market is held by Chinese DaJiang Innovation technology (DJI)

One threat vector, which is already being utilized, is where criminal gangs are utilizing UAV’s to smuggle drugs into prisons for waiting for inmates. Whilst this is already occurring, the UAV’s themselves have either been purchased or stolen from their owner’s residencies. To have the ability to hack into a UAV take over it and then use it for your own purposes removes a great deal of risk and removes all attribution to the criminals when and if the UAV is captured by Prison staff. The ability to steal a UAV in flight is going to be a great temptation to criminals.

On a relevant note there is also a psychological dimension as the drone pilot while operating at a distance can be in a sense detached from the local context and culture. This may trigger the creation of dream-world/ gaming environment thus detaching from the physical reality and risking operator behavior towards professional reasonability and social mores. [5]

What we have seen in this blog is that UAV’s, or drones (if you must!) are just like any system which relies upon a computer to operate. They can be hacked and taken over for many nefarious activities and we have only just seen the beginning. When the delivery platforms take to the air (pun intended) cyber criminals are going to have a field day!

We are truly on the highway to the Danger Zone.

[1] http://www.telegraph.co.uk/technology/2016/01/21/tokyo-police-are-using-drones-with-nets-to-catch-other-drones/

[2] https://www.fcc.gov/general/jammer-enforcement

[3] https://www.youtube.com/watch?v=EHKV01YQX_w

[4] http://releases.jhu.edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/

[5] http://releases.jhu.edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/

Azeem Aleem Director RSA Advanced Cyber Defence Practice EMEA

An experienced information security executive with over 15 years of practitioner experience in cyber defense technologies, security operations, counter threat intelligence, data analytics and behavioral classification of cyber criminal. As a subject matter expert, he has made frequent appearance on regional television and radio programs as an expert on cyber threats. A published book author and academic criminologist, he has also authored several periodical on advanced security threats in peer-reviewed journals and security magazines. He is an eminent plenary conference guest speaker both at the national and international level.

Dave Gray: Senior Consultant RSA Advanced Cyber Defence Practice EMEA

David has been in the security business all his adult life having started in the Royal Air Force as his first job. He has worked in the cyber security field for over 10 years now in various cyber defence positions including Network, Malware and Forensic Analysis before leading teams himself.

He has co-developed an open framework for implementing Use Cases into any SOC and spoken at a number of International Security Conferences including RSAC and SANS on various cyber-related security topics. David currently works as a Team Leader for RSA ACD deploying security programs and Advanced SOC/CIRC designs to customers in EMEA.

Gareth Pritchard   Consultant Advanced Cyber Defense Services Practice EMEA

Gareth Pritchard is a consultant for the Advanced Cyber Defense Services Practice – EMEA. In this capacity, Gareth is responsible for professional services engagement for Global Incident response/Discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign.

Gareth has over 10 years of experience in Information technology focusing on root cause analysis of infrastructure and cyber security related issues. This has led to a broad knowledge base of remediating problems and designing processes and procedures to assist in the prevention of issues arising in the future. Gareth has studied various technologies and has a broad wealth of experience in application scripting, web design, malware analysis, big data correlation, data mining and windows / Linux technologies. This knowledge has been paramount in learning more about the current threats and tactics used by cyber criminals in the cyber security threat landscape.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – drone, cyber security)



you might also like

leave a comment