Worse, the connection between that telemetry module and the drone itself uses an even less-secured radio protocol. The module and drone communicate using so-called Xbee chips created by the Minnesota-based chipmaker Digi International. Those chips, often used in mesh networking, do have built-in encryption capabilities. But in order to avoid latency between the user’s commands and the drone, Rodday says, the quadcopter doesn’t implement that encryption function, leaving the drone open to a man-in-the-middle attack in which another malicious machine could join the same network. That interloper, who Rodday says could be farther than a mile away, could then send commands to the module and drone that reroute packets on the network, establishing communications between the drone and the intruder and intercepting or dropping any commands from the drone’s operator. (Rodday based that attack distance on the range listed in the drone’s manual. He tested his attack at only around 30 feet in his own lab.)
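For operators who want to confirm whether the encryption function described above is switched on in their own radio modules, the following is an added example, not code from Rodday, Digi or the drone's manufacturer. It builds and decodes the API frames used to read a module's `EE` (Encryption Enable) parameter, assuming the module runs in unescaped API mode; the response frames are constructed samples.

```python
"""Audit helper: read an XBee module's EE (Encryption Enable) setting via API frames.
Assumes API mode 1 (no byte escaping); the sample frames are constructed."""
START = 0x7E
AT_COMMAND, AT_RESPONSE = 0x08, 0x88
STATUS = {0: "OK", 1: "ERROR", 2: "invalid command", 3: "invalid parameter"}

def checksum(frame_data: bytes) -> int:
    # XBee checksum: 0xFF minus the low byte of the sum of the frame data.
    return 0xFF - (sum(frame_data) & 0xFF)

def build_at_query(command: str, frame_id: int = 1) -> bytes:
    """Build an AT Command frame (type 0x08) that reads a parameter."""
    data = bytes([AT_COMMAND, frame_id]) + command.encode("ascii")
    return bytes([START]) + len(data).to_bytes(2, "big") + data + bytes([checksum(data)])

def parse_at_response(frame: bytes) -> dict:
    """Validate and decode an AT Command Response frame (type 0x88)."""
    if len(frame) < 9 or frame[0] != START:
        raise ValueError("not an API frame")
    length = int.from_bytes(frame[1:3], "big")
    data, check = frame[3:3 + length], frame[3 + length:]
    if len(data) != length or len(check) != 1:
        raise ValueError("length field does not match frame size")
    if (sum(data) + check[0]) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    if data[0] != AT_RESPONSE:
        raise ValueError(f"unexpected frame type 0x{data[0]:02X}")
    return {"frame_id": data[1], "command": data[2:4].decode("ascii"),
            "status": STATUS.get(data[4], "unknown"), "value": data[5:]}

def encryption_state(frame: bytes) -> str:
    """Classify a response to an EE query as 'enabled', 'disabled' or 'unknown'."""
    resp = parse_at_response(frame)
    if resp["command"] != "EE" or resp["status"] != "OK" or not resp["value"]:
        return "unknown"
    return "enabled" if int.from_bytes(resp["value"], "big") == 1 else "disabled"

def sample_response(value: int) -> bytes:
    # Constructed response frame for the demo, not captured from a real module.
    data = bytes([AT_RESPONSE, 1]) + b"EE" + bytes([0, value])
    return bytes([START]) + len(data).to_bytes(2, "big") + data + bytes([checksum(data)])

if __name__ == "__main__":
    print("query frame:", build_at_query("EE").hex(" "))
    for v in (0, 1):
        print("EE =", v, "->", encryption_state(sample_response(v)))
```

A module that reports `disabled` is sending its traffic in the clear, which is the condition the attack described here depends on.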
In a proof-of-concept exploit he plans to show in his RSA talk and which he demonstrated for WIRED, Rodday can inject a command to turn on the drone’s motors without touching the tablet or telemetry box meant to control it. But in a more malicious attack, he says an unseen hijacker could just as easily control the quadcopter to make it unresponsive, or worse, to crash it into a building—or to simply fly it away and steal it. “If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure,” says Rodday. “You can send a command to the camera, to turn it to the wrong side so they don’t receive the desired information…or you can steal the drone, all the equipment attached to it, and its information.”
Rodday says he’s alerted the drone’s manufacturer to the security flaws he’s found, and the company plans to fix the issue in the next version of the quadcopter that it sells. But there’s no easy fix for the UAVs already in customers’ hands, Rodday says. The quadcopters aren’t connected to the internet, so they can’t download a security update. Even if the company did release new firmware that could be downloaded to a PC or tablet and installed on the flying machines to enable the encryption on the drones’ Xbee chips, Rodday says that update would slow down the drone’s responsiveness to commands, which the quadcopter’s manufacturer may be reluctant to do. Instead, he says that enabling encryption without adding latency would require adding another chip dedicated specifically to those security functions. “A patch over the internet isn’t sufficient,” says Ricardo Schmidt, Rodday’s former advisor at the University of Twente. “The product needs to be recalled.”
The radio connection problems Rodday found may not be confined to the single, unnamed drone that he tested. He says he contacted other drone sellers that use the Xbee radio protocol to ask for information about how they secure their UAVs’ communications, but he didn’t get a response. “I think this vulnerability exists in a lot of other setups,” he speculates. “The impact of the whole thing is bigger than this manufacturer.”
In fact, Rodday’s hack isn’t the first public demonstration of quadcopters’ insecurity. Hacker Samy Kamkar revealed in late 2013 that Parrot AR’s far-cheaper and more common quadcopters didn’t secure their Wi-Fi connections at all. So he built Skyjack, a drone equipped with a Raspberry Pi minicomputer, designed to chase down other quadcopters and take control of them mid-flight. Kamkar says he’s checked out the security of two other consumer drones and believes they could fall prey to similar attacks, though he has yet to develop the tools to demonstrate as much and declined to name the drones he tested until he has. “It’s all the same story: really poor authentication or no authentication,” Kamkar says.
But Rodday’s research proves that problem for what’s likely the most expensive drone yet—and one that’s used for more serious applications than high-altitude selfies. “What if a massive, expensive drone like this gets taken over?” Kamkar asks. “It’s an interesting attack. And there will be others out there.”
¹ Updated 3/2/2015 10am EST to clarify that Rodday’s research was conducted during his time as a graduate researcher at the University of Twente, not at IBM.