There’s a new way to take down drones, and it doesn’t involve shotguns
The emergence of low-cost consumer drones has created a new predicament for firefighters, law enforcement officers and ordinary citizens who encounter crafts they feel are intruding on their safety or privacy. In a series of increasingly frequent events—a few on them chronic from Ars— drones perceived as trespassers are blown out of the sky with shotguns. Firefighters also complained about this hobbyist drones pose a significant threat which sometimes prompts them to ground helicopters.
Now, a researcher has demonstrated a significantly more subtle and proactive remedy that doesn’t involve shotgun blasts or subsequent arrests by law enforcement. It’s a radio transmitter that takes full control of nearby drones while they’re in flight. From that point on, the drones are under the full control of the human with the hijacking device. The remote control, which is in the possession of the original operator, suffers a loss of all functions, including steering, acceleration and altitude. The hack works against any drone that communicates DSMxa widely used remote control protocol for controlling amateur drones, airplanes, helicopters, cars, and boats.
In addition to hijacking a drone, the device provides a digital fingerprint that is unique to each ship. The fingerprint can be used to identify reliable drones from unfriendly ones and potentially provide forensic evidence for use in criminal or civil court cases. Unlike most other anti-drone technologies publicly demonstrated to date, it is not a jammer that simply prevents the remote control from communicating with the drone. Instead, it gives the owner the ability to fully take control of the drone. It was introduced on Wednesday PacSec 2016 Security Conference in Tokyo by Jonathan Anderson, group manager of advanced security research at Trend Micro’s TippingPoint DVLab division.
“There are people in the defense and security world who have done this,” Robbie Senn, founder of the anti-drone products maker Department 13, said Ars. “There are also a few hackers who have done this but have not made their research public. As far as I know, this is the first time that all of this has been presented, in a complete package, publicly.”
Andersson’s drone hijacker works because the process DSMx uses to connect a remote control to a drone doesn’t sufficiently mask an important piece of information being shared between the two devices.
“The shared secret (‘secret’, loosely used because it is not encrypted) exchanged is easily reconstructed long after the binding process is complete by following the protocol and using several brute force techniques,” Anderson wrote in an email. “Additionally, there is a timing attack vulnerability where I synchronize with the target radio’s transmissions and transmit a malicious control packet before the target, and the receiver accepts my control information and discards the target’s.”
Possession of the secret gives attackers everything they need to impersonate the vulnerable transmitter. The transmitters are also vulnerable to what security experts call a timing attack, which allows an impersonating attacker to effectively lock out the original operator. Wednesday’s presentation included the following video demonstration:
Not available in stores
For now, devices like the one Anderson demonstrated aren’t publicly available, but that will undoubtedly change as more people figure out how to use DSMx and, quite possibly, competing radio frequency technologies used to control drones. The widespread use of hijacking devices comes with a myriad of consequences, some of them disturbing. One of the worst scenarios is someone using a device to hijack one or more devices that are in close proximity to a large number of people. Drones are capable of carrying large amounts of fuel that can burst into flames on impact, such as proven in this video. Vulnerable drones used by emergency responders can also be commandeered.
On the plus side, hijackings could allow law enforcement officials to safely take control of vulnerable drones that threaten or interfere with first responders. Hacks can also provide ordinary citizens with a less draconian way to disable a drone they feel is infringing on their property or privacy. By measuring the frequency hopping pattern unique to each craft, the device also gives people a way to positively identify the drones they come into contact with. As Ars previously reported, legal scholars are unsure whether citizens can bring claims for airspace violations. A variety of federal and state laws make it unclear whether even local governments have the legal authority to shoot or hack a plane out of the sky.
Anderson said DSMx is a hobbyist technology that is being marketed for its range, ruggedness and other performance advantages, not security. See the article : EDGE unveils two homeland security solutions at World Defense Show 2022. Now that DSMx is in widespread use, it is not clear that it can ever be purged of the weaknesses that make its remote hijacking attacks possible.
“My guess is that it’s not going to be easy to completely remedy the situation,” Anderson said. “Manufacturers and ecosystem partners sell stand-alone radio transmitters, models of all kinds, [and] transmitters that come with models and standalone receivers. Only a select set of standalone transmitters are firmware upgradeable, although a patch is required on the model/receiver side.”
A representative of Horizon Hobby, the company that designs and licenses DSMx, declined to make anyone from its PR department available for comment prior to the publication of this post. The representative instead referred inquiries to the company’s legal department, which was closed for the day.