Cybersecurity for hobbyists’ drones is a total afterthought, and a result they are easily hackable, security researchers tell FedScoop.
Earlier this month, a team of Johns Hopkins University graduate students led by senior cybersecurity research scientist Dr. Lanier Watkins hacked into a commercially available small drone called a Parrot Bebop 1. In mid-flight, the team captured network traffic emitted by the drone, identified the weak points in its protocol and broke them. The team overloaded the drone’s central processing unit, or CPU, with thousands of rapid-fire wireless connection requests, thereby confusing its flight application, and causing it to crash.
The Bebop 1 is a popular hobbyist drone, weighing in at 14 ounces and costing roughly $350. Watkins compiled the findings of his team’s report in a Vulnerability Disclosure Package for Parrot earlier this year. He told Forbes that the company had yet to respond to the disclosure.
The Hopkins drone experiment was intended to reveal some of the cybersecurity vulnerabilities in today’s commercial drone fleet. But it is far from the first to showcase the lack of cybersecurity in commercial drones.
Earlier this year, IBM security researcher Nils Rodday presented a proof-of-concept drone exploit to a packed room at the annual RSA Conference. The exploit, costing about $40 in hardware and software purchases, would enable a hacker to hijack a $35,000 Unmanned Aerial Vehicle, or UAV, as the drone industry likes to call its products.
In 2012, Todd Humphreys, an aerospace engineering associate professor at The University of Texas at Austin, similarly illustrated the security faults of a Hornet Mini UAV — an expensive model then known for its use by law enforcement — built by Adaptive Flight Incorporated.
Humphrey’s researchers investigated the potential for jamming a drone’s navigation signals. The mission — which secured a $1,000 show of support by The Department of Homeland Security — centered on taking control of the drone rather than simply downing it.
Several months after a U.S. UAV mysteriously crash-landed while flying in Iranian air space, The UTA security researchers were able to disrupt their own commercial drone’s flight pattern by overloading it with false signals that perfectly matched up with authentic satellite signals — a practice called “spoofing.” These satellite signals are produced via the Global Positioning System, or GPS.
Commercial drones, unlike military-grade units, are largely guided through two-way communication with an open, unencrypted, civilian designated GPS band.
Humphreys told FedScoop, “we were told by the UAV’s manufacturer that it would be unlikely to respond to our spoofing. We ended up understanding the UAV’s dependency on GPS even better than its designers did, showing that it was indeed critically dependent.”
In the final spoofing trial of Humphreys’ experiment, the $60,000 Hornet Mini UAV fell out of the sky because of the data corruption caused by the spoofing.
“We thought we’d be able to recover after the attack by going into GPS denied mode and ignoring GPS. Little did we know that by the time we switched into GPS denied mode it was far too late: the internal estimated state of the UAV (position, velocity, attitude) was so corrupted by the spoofing that there was no way to recover save for direct servo control via the safety pilot. We didn’t figure this out till it was too late,” explained Humphreys.
He joked, “[at least] we were able to publish a nice paper on the topic, and maybe that was worth the drone’s sacrifice.”
Jörg Lamprecht, CEO and co-founder of Silicon Valley-based anti-drone technology developer DeDrone, told FedScoop that while jamming commercial drones is heavily restricted — based upon current Federal Aviation Administration regulation — the practice is used more regularly than the public would imagine.
To be clear: spoofing and jamming are two drastically different concepts. Jamming a signal stops all communication while spoofing can mimic an authentic command.
DeDrone sells its drone detection hardware and software to prisons, foreign embassies and power plants — many of which are privileged to a special package of DeDrone products that enable jamming in emergency situations.
In broad strokes, the DeDrone system can detect drones based on the radio frequency they emit, thereby sending push notifications to facility management. Over the last six months, the firm has closed a multi-million dollar funding round and moved headquarters from Kassel, Germany, to San Francisco, in the face of mounting demand.
“I think hacking, I mean, it’s probably the next step in drone defense — being able to reliably take control and safely land a drone is sort of the goal. While people can certainly do it today the legal ramifications are significant; perhaps policy is lagging,” said Lamprecht in a phone interview with FedScoop. “The issue, I think, is that the FAA can’t fix it all. Here at DeDrone, we’re addressing the threats that come from people that won’t register their drones, who won’t comply with laws or some regulation.”
Lamprecht said that to legally jam a drone’s signal a client requires direct permission from the FCC. “Up until today, it has generally been more of an act and ask for forgiveness than beg for permission situation.”
An FAA spokesperson, in an email to FedScoop, declined to go into detail: “We are evaluating the cybersecurity risks for small UAS — those under 55 lbs. — flown within visual line of sight. For unmanned aircraft above 55 lbs. we apply the same oversight as for any FAA-certificated product.”
Jim Williams, a public policy principal for global law firm Dentons and former FAA UAV executive, said that he isn’t surprised that hobbyist drone cybersecurity is behind. “The biggest risk with these devices, because they’re so small, is probably theft. And if someone is going to steal your drone they can certainly find an easier way than hacking it.”
When asked what he would advise the FAA to do given this issue of lacking cybersecurity for commercial drones, Watkins — who works in the university’s Whiting School of Engineering, Department of Computer Science — said, “the FAA [should] require companies like Amazon to cyber certify (require penetration testing) any off the shelf drones they rebrand for their commercial products/services prior to offering such products/services to the public. This will avoid injury to the public from crashes or theft of ordered items and thus delays in final delivery.”
Humphreys, on the other hand, wrote in an official testimony to Congress more than two years ago: “the vulnerability of civil GPS to spoofing has serious implications for civil unmanned aerial vehicles … emerging tools of software-defined radio and the availability of GPS signal simulators are putting spoofers within reach of ordinary malefactors.”
He recommends, among other things, for lawmakers and the FAA to “commit to funding development and implementation of a cryptographic authentication signature in one of the existing or forthcoming civil GPS signals” which could additionally service commercial drone activity.
The FAA, for its part, already created a panel last summer — complete with top figures from government and the aviation industry — to design a first draft of cybersecurity standards for airliners. And just this week, the Wall Street Journal, citing unnamed officials, reported that this very same panel has reached a preliminary agreement on the standards. It’s unlikely, however, that this preliminary framework will speak directly about UAV security risks but GPS may make an appearance.
“Such safeguards for ubiquitous Global Positioning System satellite broadcasts aren’t widely available today, and regulators typically don’t mandate them on any aircraft. But the proposals envision that these and other provisions would be incorporated into a broad package of future cyber-protections and enhanced airworthiness requirements applying to both new and existing aircraft,” WSJ’s Andy Pasztor reports.