There’s a new way to take down drones, and it doesn’t involve shotguns
Not a jammer, device lets hackers fly drones and lock out original pilot.
By DAN GOODIN
Oct 26 2016
The advent of inexpensive consumer drones has generated a novel predicament for firefighters, law-enforcement officers, and ordinary citizens who encounter craft they believe are interfering with their safety or privacy. In a series of increasingly common events—several of them chronicled by Ars—drones perceived as trespassing have been blown out of the sky with shotguns. Firefighters have also complained that hobbyist drones pose a significant threat that sometimes prompts them to ground helicopters.
Now, a researcher has demonstrated a significantly more subtle and proactive remedy that doesn’t involve shotgun blasts or after-the-fact arrests by law enforcement. It’s a radio transmitter that seizes complete control of nearby drones as they’re in mid-flight. From then on, the drones are under the full control of the person with the hijacking device. The original operator’s remote control loses all functions, including steering, acceleration, and altitude. The hack works against any drone that communicates over DSMx, a widely used remote control protocol for operating hobbyist drones, planes, helicopters, cars, and boats.
Besides hijacking a drone, the device provides a digital fingerprint that’s unique to each craft. The fingerprint can be used to distinguish trusted drones from unfriendly ones and potentially to provide forensic evidence for use in criminal or civil court cases. Unlike most other counter-drone technologies publicly demonstrated to date, it isn’t a frequency jammer that merely prevents a remote control from communicating with a drone. Instead, it gives the holder the ability to completely seize control of the unmanned craft. It was presented on Wednesday at the PacSec 2016 security conference in Tokyo by Jonathan Andersson, the advanced security research group manager at Trend Micro’s TippingPoint DVLab division.
“In the defense and security world, there are people who have done this,” Robi Sen, the founder of counter-drone product maker Department 13, told Ars. “There are also a few hackers who have done this but have not made their research public. To my knowledge, this is the first time that this has all been presented, in a complete package, publicly.”
Andersson’s drone hijacker works because the process DSMx uses to connect a remote control to a drone doesn’t sufficiently cloak a crucial piece of information that is shared between the two devices.
“The shared secret (‘secret’ used loosely as it is not encrypted) exchanged is easily reconstructed long after the binding process is complete by observing the protocol and using a couple of brute-force techniques,” Andersson wrote in an e-mail. “Further, there is a timing attack vulnerability wherein I synchronize to the target radio’s transmissions and transmit a malicious control packet ahead of the target, and the receiver accepts my control information and rejects the target’s.”
Possession of the secret gives attackers everything they need to impersonate the vulnerable transmitter. The transmitters are also vulnerable to what security experts call a timing attack that allows the impersonating attacker to effectively lock out the original operator. Wednesday’s presentation included a video demonstration.