An unspecified €20,000 unmanned aerial vehicle used by Dutch police for surveillance can be hacked by sending commands using an 868 MHz link to the Xbee chip inside the drone:
A security researcher has reported finding a way to hijack a high-end drone, using parts costing as little as $40 (£29). The expert says it is possible to start the octocopter's engines, engage auto-takeoff, control its camera and, potentially, crash the machine. He will present his findings at the RSA security conference in San Francisco, and has published a thesis [auto-downloading PDF]. The drone's manufacturer has been informed. However, the researcher told Wired magazine there would be "no easy fix" to the problem, meaning units might have to be recalled for a hardware update.
Nils Rodday is currently a security consultant at IBM, but carried out his research at the Netherlands' University of Twente. His work focused on an unmanned aerial vehicle (UAV) used by the Dutch police force for surveillance. He said it cost about 20,000 euros ($21,700; £15,400).
[...] Mr Rodday focused on its use of a telemetry module fitted with an Xbee radio chip, made by the company Digi International.
The module converts wi-fi commands sent by a computer app into low frequency radio waves, which are then transmitted to another Xbee chip on the drone. This allows the operator to control it from a greater distance than would otherwise be possible. To achieve the hack, Mr Rodday required two Xbee chips of his own, among other low-cost components, as well as the use of a computer. The hack consisted of two parts:
- Intercepting the initial wi-fi connection and displacing the legitimate user. Since the link was only protected by an encryption protocol with known vulnerabilities, Mr Rodday said he could crack it in little time
- Transmitting his own commands to the drone's Xbee chip
The second step had been relatively easy, Mr Rodday said, because the drone-maker had opted not to make use of Xbee's built-in encryption features. The reason for this was that they would have extended the lag between the operator sending a command and the drone reacting.
(Score: 2, Informative) by Anonymous Coward on Friday March 04 2016, @12:39AM
As someone who is in the RC hobby (including building multicopters), the components these companies that sell to LEAs, researchers, etc. use, are often the same we use or derived from it.
The price tag comes from training/certification/support/repair, not the components. It doesn't have a security flaw, there simply is no security because it was intended to be used by bunch of guys flying models on a random field.
Nothing is encrypted, nothing gets verified. For example the only "security measure" most receivers/transmitters (for control) pairs use is an UUID that gets generated when you bind them by pressing a button on the device(s). The UUID is only used to recognize the other and transmitted in the clear. You can just snoop it and use it yourself.
The popular MAVLink telemetry protocol, which is really not just telementry downstream but also control upstream (ranging from "print a log" to "shut down") uses only a simple number, like "25". Not even a UUID.
Much of the gear also operates in ham radio bands where encryption is illegal. Sure you can just do it anyway as a hobbyist but not as a LEA.
Much like the early days of the internet.
(Score: 1) by butthurt on Friday March 04 2016, @03:30AM
I remember that using Kermit and a (PSTN) modem to connect to a remote computer was far more responsive than using PPP and telnet over the same modem, because the latter arrangement has packetisation delay.* The work-around was to limit packet size, often to 384 bytes as I recall. The same strategy might have been adequate for this UAV. It may be that its makers believed the WEP encryption alone was adequate. I wonder why WEP was chosen at all.
* The first way may also have had a small packetisation delay, since a character is a small "packet" of bits.
(Score: 2) by Gravis on Friday March 04 2016, @12:59AM
what the hell do the police need with a UAV?
(Score: 0) by Anonymous Coward on Friday March 04 2016, @01:16AM
When they need to follow that white SUV, it will be cheaper with a UAV than with a piloted helicopter.
(Score: 2) by bob_super on Friday March 04 2016, @01:56AM
Dutch police doesn't need to follow SUVs. They just wait until they get stuck somewhere not designed for their size.
BRB, I need to get back to my net-launcher design. I smell money...
(Score: 2, Interesting) by anubi on Friday March 04 2016, @03:24AM
I keep seeing this image of a bunch of kids hijacking a police drone and chasing the officers all over the place with it - just for shits and giggles and something to post on YouTube.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]