New Attack Can Seize Control of Drones

A new radio transmitter "seizes complete control of nearby drones as they're in mid-flight," reports Ars Technica: From then on, the drones are under the full control of the person with the hijacking device. The remote control in the possession of the original operator experiences a loss of all functions, including steering, acceleration, and altitude... Besides hijacking a drone, the device provides a digital fingerprint that's unique to each craft. The fingerprint can be used to identify trusted drones from unfriendly ones and potentially to provide forensic evidence for use in criminal or civil court cases...

Hijacks could allow law-enforcement officers to safely seize control of vulnerable drones that are endangering or interfering with first responders. The hacks could also provide ordinary citizens with a less-draconian way of disabling a drone they believe is impinging on their property or privacy... A patchwork of federal and state laws makes it unclear if even local authorities have the legal authority to shoot or hack an aircraft out of the sky.
XKCD once proposed solving the problem with butterfly nets, but instead this new attack is exploiting unencrypted DSMx radio signals.

Thank you Editor

[Anonymous Coward]

...this new attack is exploiting unencrypted DSMx radio signals.

I can't believe I'm saying this but thank you editor, everyone reporting on this fails to mention this detail. Nothing really to see here.

Re:

[flyingfsck]

Oh wow, someone hacked a RC toy. Woohoo.

Re:

[ColdWetDog]

If you are down to dropping a quarter pound of anything non nuclear using a device that has a range of a mile or so, you're not doing too well militarily.

Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

Duck and cover!

Re:

[ScentCone]

So what you're saying is that you really have no idea what you're talking about.

Re:

[drinkypoo]

Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

That is literally only because the developer hasn't got one:

The attack hardware was a teensy and a cyrf6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same teensy and a ML2724 to attack DJI and Futaba systems [arstechnica.com].

The attacker in this case had lots of sample hardware, so he attacked that. Sadly, it's the dominant protocol today in general, because it's cheap and good. You can get a LemonRX 0008 DSM2 diversity satellite receiver (two distinct radios i

Re:

[Joe_Dragon]

C4? what about just get a few note 7's should be easy to find in the dump.

Re:

[thinkwaitfast]

I use analog fm pcm on 56mhz ham band.

My "drone" is not hacked. Loosers

Re:

[K. S. Kyosuke]

mhz isnt "millihertz", it's millihectozepto. Duh!

Re: Single protocol? Whatever

[mspohr]

Here's an attack that can be used on Wifi
http://makezine.com/projects/b... [makezine.com]

It figures...

[Cyberpunk Reality]

A story about a high tech way to take something away from its user, and only three paragraphs in, we're told how great it will be for law enforcement.

Re:

[hey!]

Something that can and is used to invade other peoples' privacy.

There need to be federal regulations on how something like this is used though. There are 1.1 million cops in the country, and if they have their share of sociopaths (about 5%) then there's 55,000 sociopath cops out there. Add to that having more than their share of officious idiots too.

Re:

[ColdWetDog]

Cops can use this all they like. It will do them very little good. See the previous posts on how really useless this device is.

And....profit???

[avm]

This could be a money maker for an enterprising small-time criminal. Look for a surge of drones for sale on eBay. Missing remote controller, charger, and extra batteries. Excellent condition! For parts or fix.

Double-edged sword.

[Gravis Zero]

This hack cuts both ways: police can take control of people's drones and people can take control of police drones. Yep, that overpriced octocopter the cops bought can now be hijacked with ease.

I got a feeling this is going to get fixed for all the $1000+ drones.

Re:Double-edged sword.

[hey!]

If they use the same protocol.

This is not a magic hack that lets you take over ANY drone; somebody figured out the frequency hopping sequence and OTA protocol for a common protocol used in toy drones. This is going to allow you to take overjust those toys, not MQ-9 Reapers. And somewhere between the tricky but doable hack of a toy spread-spectrum based protocol and the military grade encryption used in the Reapers' ARC-210 transceiver there is probably an economical level of protection that is good enough for police use.

My brother-in-law was asking about the Dyn DDOS attack last week; he wanted to know why the devices used to launch the attack weren't secure. The answer is simple: because they're sold to people who wouldn't pay $0.05 more for a secure device. So it follows that some police departments will use hobby drones and those will certainly get hacked.

Re:

[thinkwaitfast]

What is a protocol?

And what do you mean I won't be able to take control of a military drone and fly it from my laptop's touch screen? Idiot. I saw someone do this on a documentary last year and then he turned it into an eco sustainable solar powered harvester.

Re:

[hey!]

Touch screen won't do it. Have you seen any movies at all?

Taking control of any computer system is a three step process.

(1) Adopt the right attitude (bored condescension).

(2) Type a random string on your keyboard. This must be of the buckling springs type to get that all important tappity-tap sound.

(3) Look up and announce to the guy who is way cooler than you, "I'm in."

Re:

[ColdWetDog]

FWIW, the capture of the drone in 'Interstellar' used an old Thinkpad with a keyboard. The scene went pretty much as you described it except they let a cute teenaged girl control the thing for a while.

Re:

[drinkypoo]

This is not a magic hack that lets you take over ANY drone; somebody figured out the frequency hopping sequence and OTA protocol for a common protocol used in toy drones. This is going to allow you to take overjust those toys, not MQ-9 Reapers.

Actually, it won't just let you take over those toys, but also any others which use the same radio chip. Anyone else who's cloning their transceiver (or more or less doing that) is also vulnerable. The same exact attack might work against DSM2 as well, and if not they can certainly carry it out with the same cyrf6936 transceiver. The same chip will also speak to Devo RXs, and some Nine Eagles helis. Probably none of them are encrypted. While it is physically possible to reflash most of the receivers (as mos

Re:

[thegarbz]

police can take control of people's drones and people can take control of police drones

I bet you a Mars bar that police drones are not using a protocol specifically designed for hobby RC enthusiasts. Hell I'll bet you a twin pack that many off the shelf ready to fly drones even for the hobby market are not using a drone specifically designed for hobby RC enthusiasts. You can see that by the number of guides and videos on how to hack apart these devices and convert them to work with a variety of off the shelf transmitters including DSMX which they can't do out of the box.

Encryption needed

[sandmaninator]

This nice thing about the old 72mhz and newer DSM-based RC control schemes is that they have really, really low latency. There was no need for encryption in the good old days. But now, we have high-speed, low power chips that could handle encryption on both ends of the data stream without too much extra latency. There is not a great deal of data that needs to be moved so, the load on the encrypt-er and the fattening of the data pipe should be modest.

Re:

[thegarbz]

Is encryption needed? The way I see it this exploits takes advantage of a failure in the key sharing part and along with a bit of brute force then presents themselves as the legitimate source. This isn't a case of lack of security this is a case of a bug in security. There's no reason to believe encryption would have solved this problem anymore than we trust WEP these days with our critical WiFi data.

Re:

[CaptQuark]

Yes, encryption would be critical in securing the control of the RC craft. When the transmitter and receiver are paired, the receiver memorizes the transmitter's serial number and ignores all other transmissions. The attack device listens for the transmitted signals, records the transmitter serial number, then uses it to quickly transmit a counterfeit signal before the true transmitter transmits. The frequency hopping sequence gets our of sync with the true transmitter and because the signals are only on

Alternately, terrorists can do it too ...

[Anonymous Coward]

If someone were to hijack a 'good' drone and use it for bad purposes (ie: send it to the airport to interfere with real air traffic, etc) would the registered owner of the drone be held responsible? Could you get a flock of drones and run them as a swarm to attack a target?

so people will start encrypting

[belmolis]

If this hijacking tool comes into use, surely manufacturers of drone controls will start encrypting the signals. Its not like the technology for doing this is difficult or unfamiliar.