Design Flaws Make Drones Vulnerable to Hacks

In the past, The Hacker News (THN) reported about various activities surrounding Drones. Whether it was the development of the first backdoor for drones (MalDrone), or Weaponized drones getting legal, or Drones hacking smartphones.

And now the reports depict…
Security Researcher has showcased a method that can be used to hack and hijack Unmanned Aerial Vehicles (UAVs), more commonly known as DRONES.

Senior AV researcher at HP Security Research Oleg Petrovsky demonstrated scenarios of cyber attacks targeting the flight controller of drones with analysis explaining how drones could become victims of cyber attacks.

Petrovsky has analyzed configurations and controllers for various popular multi-rotor unmanned aerial vehicles (UAVs) to discover the weaknesses present in the already implemented cyber attacks.

The research focuses on the flight controllers which is a microprocessor and comprises of:

Input/Output Pins
Multiple sensors onboard
An accelerometer
Gyroscope
Barometer
Compass
GPS

The flight controller of a Drone handles data processing, calculations, and signals and is also known as its “Brain.“

However, technology that Petrovsky has utilized is:

ArduPilotMega (APM) flight controller fitted on a drone he built himself.
Mission Planner, a full-featured ground station application.

Other than APM, the researcher points out that this design flaw is meant for other flight controller systems as well.

The two attack scenarios which the researcher has demonstrated on drones with pre-programmed routes are:

Capturing, modifying, and injecting a data stream into a telemetry link connection over a serial port.
Spoofing the connection to the ground station to take complete control of the interface.

The ground station application enables communication with the Drone, which allows the user to wirelessly control the vehicles in the real time.

Insecure Protocols Led to Installation of Malware

Therefore, the researcher said protocols implemented are not secure and allow an attacker to install malicious software on the system running the ground station.

Also, Telemetry feeds for wireless remote data transmission, and monitoring of the vehicle could be intercepted and flight route of the Drone are shown a different path.

Researcher’s experiments only targeted drones that fly pre-programmed routes, UAVs specifically used in product delivery systems (such as mail, medical tests and food).

Design Flaws in Drones

While discussing the cyber attacks on Drones, Petrovsky emphasized that those attacks are happening not because of actual vulnerability in the system, rather because there are design flaws in the UAV systems.

Further he added, “Securing the firmware on embedded UAV modules, using secure bootloaders, and implementing authentication and encryption mechanisms,” could be some points that…

…an attacker can bypass any security measures, as nothing can be completely secured; similarly “Drones don’t necessarily have to be unhackable the goal should be to make them difficult and expensive to hack.”

Petrovsky also warned about the security concerning Drones by analyzing their development and usage commercially.

During his presentation, he also displayed:

How propellers of his Drone can easily shred a stack of papers even at half of the speed needed to take off from the ground.
Attacks against bootloaders, which are often not locked to signed firmware.

Petrovsky presented his research at the Virus Bulletin conference in Prague.

Source: Thehackernews