Making Drones Secure

Critics have accused drones of creating multiple dangers, including invading privacy, colliding with other aircraft, threatening personal safety and even frightening livestock. Yet the biggest drone threat of all may turn out to be attacks made on the vehicles themselves.

Drones, also known as UAVs (unmanned aerial vehicles) and UASs (unmanned aerial systems), need a variety of internal components to work effectively. The list includes MEMS (such as accelerometers, gyroscopes, magnetometers and pressure sensors), GPS modules, processors and digital radios. Together, these components tell a drone where to go, how to orient itself and how to avoid collisions, among other things. Yet many of these same components can also be exploited to wrest control away from a drone’s authorized operator or onboard navigation system.

“There’s a big variety of hardware modules, as well as supporting software and firmware that are used for different UAS configurations,” says Oleg Petrovsky, a senior research engineer at HP Enterprise Security Services. “Overall, each UAS has to have a flight controller, a receiver, electronic speed controllers, motors and, perhaps, a telemetry module. Each could be vulnerable to a number of physical and electronic type of attacks.”

Petrovsky notes that most drone microcontrollers use field-programmable gate arrays (FPGAs) to support their functionality. “These devices significantly increase the possible configuration complexity,” he says. “Of course, it opens the possibility of more flaws at the design and implementation stage.” In some instances, such flaws could be exploited by attackers in order to take unauthorized control over a hobby, commercial or military drone.

Pinpointing vulnerabilities
Using an APM flight controller mounted inside a drone he built himself, Petrovsky says he was able to uncover multiple drone security design flaws. In one experiment using Mission Planner, a ground station application, Petrovsky was able to capture, modify and insert a data stream into a telemetry link connection over a serial port. Another attack method involved spoofing the ground station link to assume full control of the interface.

Petrovsky notes that a telemetry feed can be transmitted via Wi-Fi, Bluetooth, ZigBee or a proprietary radio connection. “Using telemetry and command feed attack methods, a malicious actor can, for instance, upload an arbitrary flight path to the drone,” he says.

Petrovsky isn’t the first security expert to investigate drone vulnerabilities. Back in 2013, security researcher Samy Kamkar showed that a radio-controlled Parrot AR.Drone quadcopter could hijack other drones simply by flying close to a target vehicle and exploiting its lack of security mechanisms. In January 2015, security engineer Rahul Sasi developed a piece of malware that could take control of drones using an ARM processor and a Linux-based operating system.

Earlier this year, a Johns Hopkins University computer security team showed how easily a hacker could force a drone to ignore its human controller and be directed to land in a new location or, more drastically, crash. Five graduate students led by Lanier A. Watkins, a senior cyber-security research scientist at Johns Hopkins’ Whiting School of Engineering, discovered three different ways of sending rogue commands from a laptop computer to interfere with a hobby-class Parrot Bebop drone’s normal operation, land it or send it plummeting to the ground.

In their first successful exploit, the team peppered the drone with about 1,000 wireless connection requests in rapid succession, each asking for control of the airborne device. The digital deluge overloaded the drone’s CPU, forcing it to shut down. The drone then quickly crashed to earth. In another successful attack, the researchers sent the drone an exceptionally large data packet, exceeding the capacity of a buffer in the aircraft’s flight application. Again, the drone crashed.

For their third exploit, the researchers repeatedly sent a fake digital packet from their laptop to the drone’s controller, telling it that the packet’s sender was the drone itself. The drone’s controller eventually began to believe that the packet sender was indeed the aircraft itself. It severed its own contact with the drone, which eventually led to the drone making an emergency landing.

“WiFi and RF are the pathways that can be exploited to access the embedded system within the UAV,” Watkins says. “For the Parrot Bebop, the ARDiscovery process is vulnerable to a denial of service attack, the ARP cache is vulnerable to an ARP cache poisoning attack, and the ARDiscovery process is also vulnerable to a buffer overflow attack.”

Todd Humphreys, an assistant professor of aerospace engineering at the University of Texas in Austin, also has tested drones for vulnerabilities and found them wanting. Working with student researchers at the university’s Radionavigation Lab, which he directs, and using equipment costing less than $2,000, Humphreys was able to mimic unencrypted signals sent to the GPS receiver onboard a small university-owned drone. With Department of Homeland Security (DHS) representatives observing, the team managed to fool the drone in a matter of minutes to follow their commands.

“We attacked the GPS GNSS signals and were able to falsify those signals and cause the UAV to believe it was in a different position or had a different velocity,” Humphreys says. “Dependence on GPS is increasing in smaller UAVs, so the vulnerability is only greater now.”

Searching for solutions
Drone threats are likely to grow worse and more frequent before security catches up, warns Asaf Ashkenazi, senior product management director in Rambus’ security division. “You will see more and more connected drones, or drones that are connected to a device that is connected to the internet,” he says. “And once you have this link, you can attack the drones from anywhere in the world.”

Petrovsky believes there are steps drone designers and component providers could take to make unmanned vehicles more secure. “It’s just a matter of money,” he says. “Obviously, more secure semiconductor solutions would cost a degree more.”

According to Petrovsky, there are already a number of measures in place for making firmware updates to microcontrollers and other devices more secure. “That includes signing the update file, and its verification during the update, inside the actual chip,” he notes. “The mechanisms of ‘hardening’ microcontrollers are well defined and used within the semiconductor industry, so it is just the matter of acknowledging that the problem exists and following the best practices to minimize the impact.”

Serge Leef, vice president of new ventures and general manager of system level engineering for Mentor Graphics, agrees. “The most secure mechanism is to have each chip have a unique fingerprint, and that unique fingerprint is then used to decode keys that are either injected in manufacturing or test time, or in the wild,” he says. “So, in other words, all the permissions can be tied to unique chips if you have a unique fingerprint.”

Leef says that his division is currently working on a product that will allow customers to include a subsystem containing a unique fingerprint on their chips. “When the chip is manufactured, it computes its own fingerprint, the fingerprint gets store elsewhere as well as on the chip itself, and then all future communications with this chip require this fingerprint for authentication before any kind of key injection or modification is possible.”

Money talks…sometimes
“Part of the issue comes down to how much you can spend,” says Philip Solis, a research director covering mobile device semiconductors at ABI Research. “That’s why the military stuff can probably do an array of things, but there’s only so much you can do on the commercial side, especially the lower end of the commercial side.”

Petrovsky notes that drone sales lag far behind more popular consumer and business technologies, such as mobile phones and computers. “So perhaps securing drones is not a priority of the semiconductor industry,” he says. “But this is not to say there are no proven security features and practices in place that couldn’t be followed to make drones more secure.”

Yet money isn’t the only issue facing drone and component manufacturers looking to patch vulnerabilities. The decision to add extra protection without driving up costs (and potentially losing customers), risks creating a performance tradeoff. “If you want to do really secure encryption, you’re reducing the bandwidth you can use,” Solis says. “If you have a lot of encryption and you’re also trying to save costs, it might affect the video feed or you might suddenly not have enough bandwidth for control. So there’s a balance there.”

Leef concurs. “Encryption is going to consume computing, and it’s going to take probably higher-end CPUs to do a lot of encryption fast,” he says. “This could drain energy from the drone, which is going to be a tradeoff. How far you want to fly versus how much data you want to send back?”

Getting Serious
“Intel, Qualcomm, and other chip vendors are paying a lot of attention to security issues, though not everything is announced yet,” Solis says.

Rambus’ Ashkenazi also believes that many semiconductor providers are serious about adding security mechanisms to their silicon. “To enable a security system, you can’t have just the silicon manufacturer involved,” he says. “There needs to be collaboration with the drone manufacturers, and the drone manufacturers have to have motivation to add security.

Watkins, on the other hand, says he’s hasn’t had much luck getting drone makers to recognize the security deficiencies his research has uncovered. “I’m not sure about semiconductor or hardware vendors, but I do know the UAV companies—Parrot and DJI–did not respond in any way when we sent proof we had exploited their products,” he says.

Humphreys, however, has another view. “Folks like DJI, who are offering drones to the mass market, are actually fairly aware of the challenges of security,” he says. “They want to make sure that their UAVs don’t end up in restricted air space and they would like to prevent their UAVs from being spoofed, or jammed or whatnot.”

Over the long term, perhaps spurred by federal regulations, dealing with drone vulnerabilities may require adding expensive redundant solutions and improved software. “The inclusion of more sensors and different types of sensors to do the same thing, such as determining proximity, would help,” Solis says. “For control, using encryption and frequency hopping.” He notes that enhanced software can be designed to double-check GNSS positioning information and make sure it makes sense within both context and timeline. “If it does not, the drone can then ignore the bad information and rely more on machine vision, motion video sensors and accelerometers,” he explains.

Yet the amount of security that should be built into any particular drone also hinges to a large degree on the vehicle’s intended use. In some applications, a drone might not need a great deal of internal protection. “The first time that things really get considered as requirements is when there is liability exposure,” Leef observes. “If I use a drone to survey oil pipelines, for example, what’s the worse thing that can happen if somebody takes over the drone in the middle of the Canadian tundra?”

Solis predicts that security concerns will likely fade as drones become increasingly autonomous. “With the right software and machine learning used to detect brand new threats, a control command may be ignored if a threat is suspected,” he says. A growing number of drones already are equipped with fallback capabilities that automatically kick in when the onboard controller suspects that an attack may be underway. “This might be landing immediately or autonomously navigating back to the starting point and then landing,” Solis says.

All of the experts agree that drone security planning needs to be an ongoing, evolving process. “With each new design, there will be new challenges that have to be addressed,” Petrovsky says. “We need to carefully start thinking about security implications with each design and follow existing best practices.”

Adds Leef: “The whole drone thing is, I would say, kind of a Wild West thing right now. There’s not a lot of regulation in this area. There are not a lot of standards.”

Related Stories
System Research: Vision-Based Drones
Helping drones navigate urban environments
The Trouble With MEMS
Severe price erosion is putting this whole sector under pressure at a time when demand is growing.
ARM Buys Apical
Adds “embedded-at-the-edge” tech in $350M deal.