Not a jammer, device lets hackers fly drones and lock out original pilot.
Using the attached device, an attacker’s remote control on the right is able to hijack the original remote control on the left.
The advent of inexpensive consumer drones has generated a novel predicament for firefighters, law-enforcement officers, and ordinary citizens who encounter crafts they believe are interfering with their safety or privacy. In a series of increasingly common events—several of them chronicled by Ars—drones perceived as trespassing have been blown out of the sky with shotguns. Firefighters have also complained that hobbyist drones pose a significant threat that sometimes prompts them to ground helicopters.
Now, a researcher has demonstrated a significantly more subtle and proactive remedy that doesn’t involve shotgun blasts or after-the-fact arrests by law enforcement. It’s a radio transmitter that seizes complete control of nearby drones as they’re in mid-flight. From then on, the drones are under the full control of the person with the hijacking device. The remote control in the possession of the original operator experiences a loss of all functions, including steering, acceleration, and altitude. The hack works against any drone that communicates over DSMx, a widely used remote control protocol for operating hobbyist drones, planes, helicopters, cars, and boats.
Besides hijacking a drone, the device provides a digital fingerprint that’s unique to each craft. The fingerprint can be used to identify trusted drones from unfriendly ones and potentially to provide forensic evidence for use in criminal of civil court cases. Unlike most other counter-drone technologies publicly demonstrated to date, it isn’t a frequency jammer that prevents a remote control from communicating with a drone. Instead, it gives the holder the ability to completely seize control of the unmanned craft. It was presented on Wednesday at the PacSec 2016 security conference in Tokyo by Jonathan Andersson, the advanced security research group manager at Trend Micro’s TippingPoint DVLab division.
“In the defense and security world, there are people who have done this,” Robi Sen, the founder of counter-drone product maker Department 13, told Ars. “There are also a few hackers who have done this but have not made their research public. To my knowledge, this is the first time that this has all been presented, in a complete package, publicly.”
Andersson’s drone hijacker works because the process DSMx uses to connect a remote control to a drone doesn’t sufficiently cloak a crucial piece of information that is shared between the two devices.
“The shared secret (‘secret’ used loosely as it is not encrypted) exchanged is easily reconstructed long after the binding process is complete by observing the protocol and using a couple of brute-force techniques,” Andersson wrote in an e-mail. “Further, there is a timing attack vulnerability wherein I synchronize to the target radio’s transmissions and transmit a malicious control packet ahead of the target and the receiver accepts my control information and rejects the targets.”
Possession of the secret gives attackers everything they need to impersonate the vulnerable transmitter. The transmitters are also vulnerable to what security experts call a timing attack that allows the impersonating attacker to effectively lock out the original operator. Wednesday’s presentation included the following video demonstration:
Not available in stores
For now, the device isn’t publicly available, but that will undoubtedly change as more people figure out how to exploit DSMx and, quite possibly, competing radio-frequency technologies used to control drones. The widespread availability of hijacking devices comes with a tremendous number of consequences, some of them unsettling. One of the more frightening scenarios is someone using a device to hijack one or more devices that are in close proximity to a large number of people. Drones are capable of carrying large amounts of flammable fuel that can burst into flames upon impact, as evidenced in this video. Vulnerable drones used by emergency first responders could also be commandeered.
n the positive side, hijacks could allow law-enforcement officers to safely seize control of vulnerable drones that are endangering or interfering with first responders. The hacks could also provide ordinary citizens with a less-draconian way of disabling a drone they believe is impinging on their property or privacy. By measuring the frequency-hopping pattern unique to each craft, the device also gives people a way to positively identify the drones they come in contact with. As Ars has reported previously, legal scholars are uncertain about whether citizens can assert aerial trespass claims. A patchwork of federal and state laws makes it unclear if even local authorities have the legal authority to shoot or hack an aircraft out of the sky.
Andersson said DSMx is a technology for hobbyists that has been marketed for its range, robustness and other performance merits rather than its security. Now that DSMx is in wide use, it’s not clear it can ever be purged of the weaknesses that make his remote hijacking attacks possible.
“My guess is that it will not be easy to completely remedy the situation,” Andersson said. “The manufacturers and partners in the ecosystem sell standalone radio transmitters, models of all kinds, [and] transmitters that come with models and standalone receivers. Only a certain set of standalone transmitters have a firmware upgrade capability, though the fix is needed on the model/receiver side.”
A representative of Horizon Hobby, the company that designed and licenses DSMx, declined to make anyone from its PR department available for comment prior to publication of this post. The representative instead referred inquiries to the company’s legal department, which was closed for the day.