Law enforcement agencies are in an (unofficial) fight with drone operators. And it’s clear why. While some drone pilots are very careful, others have caused quite a bit of trouble. The firefighting delays in California and the gas leak in New York are two such examples. Up until now, the police have either tried to jam the drone’s radio link or tried to take it down. (Taking drones down includes eagles, nets, and other shenanigans.)
Now, a tiny device lets anyone seize control of drones flying over their heads. Meet Icarus, the brainchild of Jonathan Andersson, a researcher at Trend Micro’s TippingPoint DVLab. The device works by hijacking the control packets of the DSMx protocol, so the drone “thinks” the attacker is its rightful remote. Once the drone is hijacked, the attacker gains full control while the original pilot is left disconnected from the drone.
Andersson explained how the hijack works to ArsTechnica:
The shared secret (‘secret’ used loosely as it is not encrypted) exchanged is easily reconstructed long after the binding process is complete by observing the protocol and using a couple of brute-force techniques. Further, there is a timing attack vulnerability wherein I synchronize to the target radio’s transmissions and transmit a malicious control packet ahead of the target, and the receiver accepts my control information and rejects the target’s.
This attack only works on DSMx-controlled drones (mostly lower-end toy quadcopters), so there is no immediate risk to GoPro, DJI and 3DR drones. Luckily, Icarus is also not something you can buy in stores (yet), so I wouldn’t worry about it (for now). But now that the hacking scheme is out, it will not be surprising if drone-hijacking devices start emerging (remember TV-B-Gone? It’s like that on steroids).
Andersson suspects that fixing this vulnerability will not be trivial. DSMx is widely deployed, and not all devices can update their firmware. To make things worse, he also suspects that hacking a DJI would not be much harder. In a comment on Ars Technica he says (bolding is mine):
The attack hardware was a Teensy and a CYRF6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same Teensy and an ML2724 to attack DJI and Futaba systems. The issue is that all the RC systems from ALL the manufacturers count on frequency hopping obfuscation to “hide” their broadcasts, which are easily gathered en masse and reversed with an SDR or by using a logic analyzer on their transmitters; there is no cryptographically secure authentication layer on any of the current systems. This timing attack is not difficult, just requires some low level radio and embedded system knowledge and about $100 in parts, and is only the tip of the iceberg in the potential attacks available on current systems.
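Both quotes describe the same weak spot: the receiver takes the first frame that shows up in a slot on the expected hop channel, and nothing cryptographic ties that frame to the bound transmitter. The Python simulation below is an added example, not Andersson’s code or anything from Trend Micro or the DSMx vendors; it contrasts a toy receiver with no authentication against the same receiver requiring an HMAC tag keyed on the bind secret. The hopping function, key, payloads and frame layout are all constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass
class Frame:
    channel: int        # hop channel the frame is transmitted on
    counter: int        # slot number the frame is meant for
    payload: str        # control data, e.g. stick and throttle positions
    tag: bytes = b""    # authentication tag; absent in the legacy design

def hop_channel(bind_value: int, counter: int) -> int:
    """Constructed toy hopping schedule: it depends only on values observable on the air."""
    return (bind_value * 7 + counter * 13) % 80

def auth_tag(key: bytes, channel: int, counter: int, payload: str) -> bytes:
    """HMAC over channel, slot and payload; binding the slot number also stops replay."""
    return hmac.new(key, f"{channel}|{counter}|{payload}".encode(), hashlib.sha256).digest()

class Receiver:
    """First matching frame in a slot wins; with a key, the frame must also carry a valid tag."""
    def __init__(self, bind_value: int, key=None):
        self.bind_value, self.key = bind_value, key
        self.counter = 0        # next expected slot number
        self.accepted = []      # payloads the flight controller would act on

    def valid(self, f: Frame) -> bool:
        if self.key is None:    # legacy behaviour: no authentication layer at all
            return True
        return hmac.compare_digest(auth_tag(self.key, f.channel, f.counter, f.payload), f.tag)

    def receive_slot(self, frames):
        """frames are in arrival order; the first one that passes wins the slot."""
        chan = hop_channel(self.bind_value, self.counter)
        for f in frames:
            if f.channel == chan and f.counter == self.counter and self.valid(f):
                self.accepted.append(f.payload)
                break           # anything arriving later in this slot is rejected
        self.counter += 1

def simulate() -> dict:
    """One slot in which an untagged forged frame lands just ahead of the pilot's frame."""
    bind_value, key = 42, b"constructed-bind-key"   # constructed values
    legacy, authed = Receiver(bind_value), Receiver(bind_value, key)
    chan = hop_channel(bind_value, 0)
    forged = Frame(chan, 0, "forged:throttle=0")    # right channel and slot, no tag
    pilot = Frame(chan, 0, "pilot:throttle=55", auth_tag(key, chan, 0, "pilot:throttle=55"))
    for rx in (legacy, authed):
        rx.receive_slot([forged, pilot])            # forged frame arrives first
    return {"legacy": legacy.accepted, "authenticated": authed.accepted}
```

The legacy receiver acts on the early frame and drops the pilot’s; the keyed receiver discards the untagged frame and keeps listening, so the pilot’s frame still wins the slot. The hopping schedule is unchanged in both cases, which is the point of the quote: hiding the channel is not what protects the link.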
This hack opens a whole new set of operational and legal questions. Will hijacking hardware require a license? Will you need a court order to hijack a drone? Who will be authorized to operate hijacked drones? Those are just some of the more immediate questions that I can think of, and this is not even touching their technical aspects.
P.S. I guess it’s good news for the eagles, though.
P.P.S. While jamming a drone may seem like a good idea, we know how it goes: