Hacker Says He Can Hijack a $35K Police Drone a Mile Away

As the rise of hobbyists’ cheap quadcopter drones freaks out the FAA and the Secret Service, it’s easy to forget that the government itself is putting another tier of much-less-cheap UAVs into service for first responders, cops, and the military. And now a security researcher has shown that at least one model of those government-ready flying machines has serious security vulnerabilities that could allow it to be hacked from more than a mile away, taken over by a rogue operator, or knocked out of the sky with a keystroke.At the RSA security conference in San Francisco on Wednesday, security researcher Nils Rodday will show how flaws in the security of a $30,000 to $35,000 drone’s radio connection allow him to take full control over the quadcopter with just a laptop and a cheap radio chip connected via USB. By exploiting a lack of encryption between the drone and its controller module known as a “telemetry box,” any hacker who’s able to reverse engineer the drone’s flight software can impersonate that controller to send navigation commands, meanwhile blocking all commands from the drone’s legitimate operator. “You can inject packets and alter waypoints, change data on the flight computer, set a different coming home position,” Rodday says. “Everything the original operator can do, you can do as well.”Rodday, who now works at IBM but conducted his drone research while working as a graduate researcher at the University of Twente in the Netherlands, won’t reveal the specific drone he tested or who sells it. The unnamed UAV manufacturer had him sign a non-disclosure agreement in return for loaning him the pricey quadcopter for testing. He hinted, however, that the three-foot wide quadcopter has a flying time of around 40 minutes and has been deployed by police and fire departments, though it’s also marketed for use in industrial applications like inspecting power lines and windmills and aerial photography.¹But the specific make and model of the quadcopter he tested don’t matter as much as the actual security flaws his work spotlights, Rodday argues. He believes the vulnerabilities may apply to a broad swathe of high-end drones. Rodday found that the UAV he studied has two serious security oversights: First, the Wi-Fi connection between its telemetry module and a user’s tablet uses weak “WEP” or “wired-equivalent privacy” encryption, a protocol long known to be crackable in seconds. That would allow any attacker in Wi-Fi range to break into that connection and send a so-called “deauth” command that kicks the drone’s owner off the network.

Worse, the connection between that telemetry module and the drone itself uses an even less-secured radio protocol. The module and drone communicate using so-called Xbee chips created by the Minnesota-based chipmaker Digi International. Those chips, often used in mesh networking, do have built-in encryption capabilities. But in order to avoid latency between the user’s commands and the drone, Rodday says, the quadcopter doesn’t implement that encryption function, leaving the drone open to a man-in-the-middle attack in which another malicious machine could join the same network. That interloper, whom Rodday says could be farther than a mile away, could then send commands to the module and drone that reroute packets on the network, establishing communications between the drone and the intruder and intercepting or dropping any commands from the drone’s operator. (Rodday based that attack distance on the range listed in the drone’s manual. He tested his attack at only around 30 feet in his own lab.)

In a proof-of-concept exploit he plans to show in his RSA talk and which he demonstrated for WIRED, Rodday can inject a command to turn on the drone’s motors without touching the tablet or telemetry box meant to control it. But in a more malicious attack, he says an unseen hijacker could just as easily control the quadcopter to make it unresponsive, or worse, to crash it into a building—or to simply fly it away and steal it. “If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure,” says Rodday. “You can send a command to the camera, to turn it to the wrong side so they don’t receive the desired information…or you can steal the drone, all the equipment attached to it, and its information.”

Rodday says he’s alerted the drone’s manufacturer to the security flaws he’s found, and the company plans to fix the issue in the next version of the quadcopter that it sells. But there’s no easy fix for the UAVs already in customers’ hands, Rodday says. The quadcopters aren’t connected to the internet, so they can’t download a security update. Even if the company did release new firmware that could be downloaded to a PC or tablet and installed on the flying machines to enable the encryption on the drones’ Xbee chips, Rodday says that update would slow down the drone’s responsiveness to commands, which the quadcopter’s manufacturer may be reluctant to do. Instead, he says that enabling encryption without adding latency would require adding another chip dedicated specifically to those security functions. “A patch over the internet isn’t sufficient,” says Ricardo Schmidt, Rodday’s former advisor at the University of Twente. “The product needs to be recalled.”

The radio connection problems Rodday found may not be confined to the single, unnamed drone that he tested. He says he contacted other drone sellers that use the Xbee radio protocol to ask for information about how they secure their UAVs’ communications, but he didn’t get a response. “I think this vulnerability exists in a lot of other setups,” he speculates. “The impact of the whole thing is bigger than this manufacturer.”

In fact, Rodday’s hack isn’t the first public demonstration of quadcopters’ insecurity. Hacker Samy Kamkar revealed in late 2013 that Parrot AR’s far-cheaper and more common quadcopters didn’t secure their Wi-Fi connections at all. So he built Skyjack, a drone equipped with a Raspberry Pi minicomputer, designed to chase down other quadcopters and take control of them mid-flight. Kamkar says he’s checked out of the security of two other consumer drones and believes they could fall prey to similar attacks, though he has yet to develop the tools to demonstrate as much and declined to name the drones he tested until he has. “It’s all the same story: really poor authentication or no authentication,” Kamkar says.

But Rodday’s research proves that problem for what’s likely the most expensive drone yet—and one that’s used for more serious applications than high-altitude selfies. “What if a massive, expensive drone like this gets taken over?” Kamkar asks. “It’s an interesting attack. And there will be others out there.”

¹Updated 3/2/2015 10am EST to clarify that Rodday’s research was conducted during his time as a graduate researcher at the University of Twente, not at IBM.