$35,000 police drone can be hijacked by hackers from a mile away says security researcher
The drones are in spotlight once again. Thanks to a security researcher who has revealed that one of the models of government-ready flying machines has critical vulnerability issues that can allow it to be hacked from a distance of more than a one mile away.
Security researcher Nils Rodday at the RSA security conference in San Francisco on Wednesday demonstrated how defects in the $35,000 drone’s radio connection allowed him to completely take over the quadcopter with the help of just a laptop and a cheap radio chip connected via USB.
Any hacker who’s able to reverse engineer the drone’s flight software can imitate that controller to send navigation commands by taking advantage of the lack of encryption between the drone and its controller module known as a “telemetry box.” Rodday says, “You can inject packets and alter waypoints, change data on the flight computer, set a different coming home position. Everything the original operator can do, you can do as well.”
Rodday, who now works at IBM, discovered this while he was engaged in a drone research while working as a graduate researcher at the University of Twente in the Netherlands, prior to him collaborating with IBM on this. He did not provide any information on the specific drone he tested or the name of the seller.
The unnamed UAV manufacturer had him sign a non-disclosure agreement in return for loaning him the pricey quadcopter for testing. However, he hinted that the three-foot wide quadcopter has a flying time of around 40 minutes and has been deployed by police and fire departments, though it’s also marketed for use in industrial applications like professional photography, power-line inspections and inspecting windmills.
The UAV that was studied by Rodday has two serious security flaws: The Wi-Fi connection between its telemetry module and a user’s tablet uses weak “WEP” or “wired-equivalent privacy” encryption, and even worse, the incredibly insecure encryption (or lack thereof) that connects the telemetry model to the UAV itself. That would allow any attacker in Wi-Fi range to break into that connection and send a so-called “death” command that kicks the drone’s owner off the network. Not only that, this hack will also block every single command from the drone’s legitimate operator.
Current police drones are often equipped with cameras, and can be used in rescue and emergency situations to look for locations that would be difficult to reach, so it’s not as if Rodday’s hack puts him in control of a hellfire-equipped predator drone.
“If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure,” Rodday told Wired. “You can send a command to the camera, to turn it to the wrong side so they don’t receive the desired information … or you can steal the drone, all the equipment attached to it and its information.”
Rodday has since informed drone manufacturers to the breaches he has uncovered, and tells Wired that the company plans to address the issue when it updates its line of drones. But that means that the UAVs already on the market are fair game for hacking, and from quite a distance at that.