Police Drone Can Be Hacked With Tech Worth $40
A security researcher has claimed that a police drone can be hacked using parts that cost as little as $40.
While drones are being used by cops, border security forces, military and even first responders to an emergency, one researcher has shown that one government-ready drone model can be hacked from over a mile away to be taken control of by a malicious hacker, WIRED reports.
The exploit will be exhibited by security researcher Nils Rodday, showing flaws in the security of at least one government ready UAV. While there is no “easy fix” for the vulnerability, the drone’s manufacturer has been informed.
Rodday, a security researcher by profession and employed at IBM will demonstrate the flaws in the security framework of a UAV that costs anywhere between $30,000 to $35,000. The vulnerability lies in the drone’s radio connection which allowed him to take complete control over the quadcopter. The means to gaining the exploit? A laptop and a cheap radio chip, connected via USB.
The Drone Hack
Although Rodday doesn’t reveal the drone manufacturer or the specific UAV that he tested, the research was conducted at the University of Twente in the Netherlands. The drone, costing up to $35,000 is more expensive than conventional drone because of certain features including longer flight-time, eight rotors as opposed to four or six and the means to carry loads up to 2.9 kgs.
The three-foot wide drone has been deployed by police and fire departments with a flying time up to 40 minutes. Furthermore, it has also been used for inspecting windmills, power lines and aerial photography.
Rodday discovered that the drone’s telemetry module was fitted with an Xbee radio chip. The Wi-Fi connection used between the telemetry module and the user’s application is WEP or ‘Wired-Equivalent Privacy” encryption, a legacy protocol that can be infiltrated in seconds by any proficient hacker. With this alone, an attacker in the Wi-Fi range to break that connection could potentially send a “deauth” command to boot the drone operator off the network and take over.
Notably, the radio chip module converts Wi-Fi commands sent by the app into low-frequency radio waves. These waves are subsequently transmitted to the drone which houses another Xbee chip.
Rodday, armed with the two Xbee chips and a computer, set out to perform the hack.
- He initially intercepted the Wi-Fi connection to boot the drone operator. Rodday was then made quick work of cracking the WEP protocol.
- Although the Xbee chips had built-in encryption features, they were disabled in order to avoid latency concerns between the operato’s commands and the drone. This left the drone vulnerable to a man-in-the-middle attack.
- This additional participant could intercept commands and take control of the drone, without even touching the drone’s command interface or the telemetry control box controlling the drone.
“If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure,” Rodday told the publication.
You can send a command to the camera, to turn it to the wrong side so they don’t receive the desired information…or you can steal the drone, all the equipment attached to it, and its information.
The drone’s manufacturer who are now aware of the exploit, only plan on fixing it in the next version of the quadcopter. Amazingly, owners of the drone will be unable to patch the UAV since it cannot be connected to the internet, or be updated with a security patch. Rodday’s former advisor at the university claims that a patch –even if it can be downloaded onto a PC or tablet – is insufficient, calling for the product to be recalled. The security researcher claimed that the only way to truly ensure security while not compromising on latency would be using an extra module specifically for ensuring security for the UAV.
Rodday also claimed that the vulnerability existed beyond this one drone and its manufacturer, as calls made toward other manufacturers about how they secured the Xbee radio protocol went unanswered.
I think this vulnerability exists in a lot of other setups. The impact of the whole thing is bigger than this manufacturer.
Featured image from Shutterstock.