Contents of the article
To the history of the issue
Under the hood of the drone
Drone interception
Big toys
Conclusions
Along with the development of the Internet of Things, methods for hacking smart devices are evolving too. There is already a whole zoo of Trojans for IoT, but the range of smart devices is by no means limited to routers, set-top boxes and IP cameras. Drones are of particular interest from an information security point of view: many people dream of learning how to control someone else’s aircraft. Are there ways to take control of a drone? Let's figure it out.
To the history of the issue
States spend millions of dollars every year on combating drones and on measures to regulate their use by the public, though without much success. A recent case in the news: the work of Britain's Gatwick Airport was paralyzed for several days by copters that appeared out of nowhere, and the government was even forced to bring in snipers to shoot them down. And that is to say nothing of officials haunted by camera-equipped drones scurrying over their estates and trying to poke an intrusive lens into someone else’s private life. If only there were a reliable way to intercept control of drones, the cherished dream of many government officials would come true. Or does such a method exist after all?
If everything were as simple as it seems, governments would not be inventing ingenious ways to combat flying electronic evil, such as training hunting falcons, developing interceptor drones armed with nets, and building all manner of electromagnetic guns. But if you look at the problem from an engineering point of view, any copter is, by and large, a remotely controlled electronic device, which means that the radio channel carrying the control commands could theoretically be compromised. The only question is how hard this is to achieve; as the saying goes, there are no fortresses the Red Army cannot take.
To begin with, let's separate the flies from the cutlets, as the saying goes. When it comes to cheap toys from AliExpress, whose remote controls perform no authorization when connecting to the receiver, “drone interception” presents no particular technical difficulty. Immediately after the copter is powered on or its battery is connected, while the LED indicator on the drone is blinking rapidly and the device is in transmitter search mode, switch on a similar transmitter nearby (with “universal” remote controls you will still have to press the Bind button): the drone will most likely “hook” onto it and “lose” the original. But if we are talking about more or less serious equipment, the situation is far more complicated.
Under the hood of the drone
Many remote-controlled aircraft (as well as radio-controlled toys) use the DSM2/DSMX protocol for communication, with SLT technology being a common alternative. DSM is used in wideband 2.4 GHz transmitters and is considered well protected against random interference in the radio channel. The protocol allows flight data to be saved to a log file; DSM2 supports signal-loss detection (for example, during a power failure) while DSMX does not, but the two standards are compatible with each other. The SLT protocol operates at the same frequency and is compatible with transmitters from various manufacturers, but its “native” hardware is devices made by Tactic and Hitec.
Another protocol supported by some unmanned aerial vehicles is MAVLink, which is often used to transmit telemetry. MAVLink is open source, implemented as a Python module, and licensed under the LGPL. The protocol does not encrypt data by default and is therefore, in theory, more vulnerable to attack than competing technologies that do.
A number of copters that can be controlled from any modern smartphone use an 802.11 wireless network with WEP encryption as the data transmission medium. A great deal has already been written about Wi-Fi security, and in great detail, so there is no point repeating it here. Hacking such a network can be called a routine procedure, and the arsenal of tools available for it is very extensive.
And now let's move from the general to the specific.
Drone interception
First of all, let's talk about drones that operate over Wi-Fi. Why the creators of drones decided to use the “unbreakable” WEP as an encryption algorithm instead of the more common WPA/WPA2 is a mystery, but it most likely has to do with the speed of data transmission and processing by the aircraft’s equipment. It is one thing if the local network suddenly starts lagging, and quite another if the communication channel with a drone flying ten meters above someone else’s garden fails. The consequences are completely different.
Like any other similar device, a copter with Wi-Fi on board is equipped with a network adapter that has a MAC address by which it can be identified. This is how Parrot aircraft work, for example. In this case, a smartphone with an installed application serves as an analogue of the control panel from which the drone receives commands.
To identify the control device, an ID Key is used: a unique tag “linked” to the application installed on the smartphone (the flight control software) and to the current session. The hacking principle is simple: the attacker connects to the drone’s network, determines the unique tag, and then sends the copter a command that forces it to disconnect from the current control device and begin accepting commands from the attacker’s smartphone, which carries a “copied” tag of the original device.
Aircrack-ng was used to hack the drone’s network. The program can monitor the airwaves in search of protected Wi-Fi networks, intercept packets and export data from them for subsequent analysis, and also apply various network attack algorithms. Its functions are described in more detail on the project's website.
However, simply hacking the network is not enough; you also need to intercept the data transmitted between the drone and the operator. An example of such interception was demonstrated by a guy named Samy Kamkar, who assembled a special device for this purpose based on a Raspberry Pi single-board computer and recorded his experiments on video. The essence of his method is briefly as follows.
He used a Raspberry Pi with a Wi-Fi dongle plugged into its USB port and an external Alfa AWUS036H adapter, with which he actually hacked the network. The single-board computer was powered by a battery via Micro USB and served as a scanner, probing the airwaves and determining the MAC addresses of devices connected to wireless networks. The trick is that all copters manufactured by Parrot use MAC addresses from the same manufacturer-assigned block, information about which can be found in public sources. By checking whether an address falls within this range, you can unmistakably determine that it belongs to a Parrot drone and not to some smart bread slicer or pressure cooker with a network interface.
The video used the node-ar-drone client, written in Node.js and designed to work with Parrot AR Drone 2.0 copters. The source code for this library can be found on GitHub. node-ar-drone allows you to interact with Parrot drones using JavaScript commands: change the flight direction and altitude, receive a video stream or pictures from the copter's camera, and do other fun things with it.
Samy Kamkar attached a Raspberry Pi to his own quadcopter and launched it in search of other Parrot drones. Having discovered the network of such a drone, our researcher hacked it using Aircrack-ng, established a connection with the “enemy” drone, and then, using node-ar-drone, intercepted the video stream coming from the copter. Thus, he could see everything that came into the field of view of the “hacked” drone’s camera, but the drone’s flight control was not implemented in this experiment.
Control of a Syma quadcopter was intercepted in approximately the same way by the guys from Positive Technologies, who documented it in an educational video. The basic idea was the same: a Raspberry Pi as a channel scanner, allowing you to track transmitters operating nearby and capture the unique identifier of the drone’s remote control. The entire security of the control protocol used by Syma copters rests on verifying this identifier. If you enter this identifier into a program that emulates the remote control, you will be able to control the drone.
After starting the emulator, connected to a radio transmitter, the drone is connected to two control panels at once: the real one, in the hands of the RC pilot, and the fake one, and the device responds to commands from both. The essence of the hack is that the program running on the attacker’s remote control can send control commands to the drone twice as often as the original remote. If the operator, for example, gives the copter a command to descend, then in the same discrete unit of time the drone may receive two commands from the attacker to increase speed. The drone will obediently process all of them, but the net result will be a climb, since more such directives were received. Using this simple feature of executing commands in turn, a thief can take the drone beyond the range of the original control panel and land it safely in a nearby forest.
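The weakness shared by the Parrot ID-tag scheme and the Syma identifier scheme described above is that the copter authenticates its controller by a value it broadcasts, so a copy of that value is as good as the original. The simulation below is an added example, not code from the article or from either manufacturer: it models a receiver that checks only the identifier, reproduces the two-to-one command race from the Syma experiment, and places beside it a hardened receiver that demands a per-session HMAC and a fresh sequence number (the identifier, key and frame format are constructed for the illustration).

```python
import hmac, hashlib
from dataclasses import dataclass

PAIRED_ID = "0x3A7F"                      # constructed stand-in for the remote's unique identifier
SESSION_KEY = b"constructed-bind-secret"  # constructed; agreed at bind time, never sent over the air

@dataclass
class Frame:
    ctrl_id: str      # transmitter identifier: all the ID-only scheme checks
    seq: int          # increasing counter, defeats replay of captured frames
    cmd: str          # "climb" or "descend"
    tag: bytes = b""  # authentication tag; empty on the ID-only scheme

def make_tag(key, frame):
    msg = f"{frame.ctrl_id}|{frame.seq}|{frame.cmd}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class IdOnlyReceiver:
    """Weak scheme from the article: any frame carrying the paired ID is executed."""
    def __init__(self):
        self.altitude = 0
    def process(self, frame):
        if frame.ctrl_id != PAIRED_ID:
            return False
        self.altitude += 1 if frame.cmd == "climb" else -1
        return True

class AuthReceiver:
    """Hardened: frames need a fresh seq and a valid HMAC under the bind-time key."""
    def __init__(self):
        self.altitude, self.last_seq, self.rejected = 0, -1, 0
    def process(self, frame):
        genuine = (frame.ctrl_id == PAIRED_ID and frame.seq > self.last_seq
                   and hmac.compare_digest(make_tag(SESSION_KEY, frame), frame.tag))
        if not genuine:
            self.rejected += 1
            return False
        self.last_seq = frame.seq
        self.altitude += 1 if frame.cmd == "climb" else -1
        return True

def run_scenario(receiver, ticks=10):
    """Per tick: operator sends one 'descend'; a second transmitter that copied the ID but not the key sends 'climb' twice."""
    for t in range(ticks):
        legit = Frame(PAIRED_ID, t, "descend")
        legit.tag = make_tag(SESSION_KEY, legit)
        receiver.process(legit)
        for _ in range(2):  # twice the operator's rate, as in the article
            receiver.process(Frame(PAIRED_ID, t + 1, "climb", b"\x00" * 32))
    return receiver.altitude  # net altitude change after all frames were processed
```

With the ID-only receiver the ten descend commands are outvoted by twenty climbs and the copter ends up higher; the authenticated receiver rejects every frame that lacks a valid tag and follows only the operator.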
Big toys
In the previous section we talked about inexpensive aircraft of fairly simple design. What about “serious” equipment that uses encryption, or drones that exchange data over DSM2/DSMX or SLT without any smartphones? Is it possible to intercept control of, say, DJI products?
Here, as some girls like to say, everything is complicated. Firstly, manufacturers not only encrypt but also go out of their way to conceal: for example, they erase the markings from the microcircuits mounted in receivers and transmitters, although experts already know very well which chips are used there. Secondly, although all such transmitters operate within a specific set of frequencies, the frequency changes automatically every two milliseconds, that is, the copter hops from one frequency to another roughly 500 times a second. Thirdly, all commands sent over the control channel are mixed with pseudo-random data, so even if you “hear” such a drone’s signal on the air, substituting your own will be very difficult.
So in theory it is, of course, possible: you would need to dump the drone’s firmware, disassemble it, work out the algorithm by which the frequencies change and the digital “noise” is generated, and then write an emulator... You could also exploit vulnerabilities in the protocols, if any can be found. MAVLink is the most promising from this point of view, since its source code (apart from proprietary components) and a whole heap of documentation are available. Only the effort and nerves spent in this case may be incommensurate with the result.
If the main goal is not to steal a copter but simply to keep it from flying over a certain geographical point, intelligence agencies have long used simpler methods, such as GPS spoofing. This technology explains the phenomenon of GPS navigators redirecting their users to Sheremetyevo Airport when they find themselves near the Kremlin. Devices used for GPS spoofing (signal jammers) drown out the signal of the navigation satellites and broadcast their own, feeding false coordinates to the receiving device, which consequently believes it is in the vicinity of the nearest airport. The calculation relies on the fact that the firmware of most drones includes a ban on flights over civil airports: when approaching an airport, the drone automatically lands or tries to fly around it.
According to the intelligence services, this measure should reliably protect VIPs from unexpected attacks from the air. Such fears, it should be noted, are not without foundation: last year, for example, in a (failed) attempt on the life of Venezuelan President Nicolas Maduro, the attackers loaded a drone with explosives. And in Syria, militants have long been using cheap drones to attack military infrastructure. On the other hand, at Gatwick the attackers’ copters flew over runways and taxiways for hours and felt perfectly fine doing so...
It is noteworthy that programmable radio transmitters capable of jamming or faking a GPS signal are relatively cheap today, costing only a few hundred dollars, and everything you need can be bought on the Internet. Moreover, even “professional” copters do not require overly powerful jammers: there have been cases when large drones such as the Phantom were “lost” near the antennas of mobile operators’ base stations or high-voltage power lines. If a copter enters the coverage area of such a jammer, it will most likely start drifting with the wind and, lacking a signal from the navigation satellites, will be unable to determine its current position correctly in order to return to its launch point. After that, as they say, anything is possible.
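GPS spoofing, as described above, works because the flight controller trusts whatever position the receiver reports and applies its airport geofence to it. The following added example (not code from the article) compares that trusting behaviour with a simple plausibility check that discards a fix implying an impossible speed; the airport coordinates, flight track and speed ceiling are constructed values, and the plausibility check is an assumed mitigation, not something the article attributes to any manufacturer.

```python
import math

EARTH_RADIUS_M = 6_371_000
MAX_PLAUSIBLE_SPEED = 30.0   # m/s; assumed ceiling for a consumer copter
GEOFENCE_RADIUS_M = 5_000    # assumed no-fly radius around an airport

# Constructed coordinates: a fictitious airport and a short flight track to its south.
AIRPORT = (55.18, 37.00)
TRACK = [                      # (t_seconds, lat, lon)
    (0, 55.00000, 37.00),
    (1, 55.00009, 37.00),      # ~10 m north in one second: plausible
    (2, 55.00018, 37.00),
    (3, 55.18000, 37.00),      # ~20 km jump in one second: spoofed fix inside the geofence
    (4, 55.00027, 37.00),      # genuine fixes resume
]

def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def evaluate_track(fixes, airport, plausibility_check):
    """Return one decision per fix: 'ok', 'geofence_land' or 'reject_fix'.
    plausibility_check=False trusts every fix (the behaviour the article describes);
    True discards a fix that implies an impossible speed relative to the last trusted one."""
    decisions, last = [], None
    for t, lat, lon in fixes:
        if plausibility_check and last is not None:
            speed = haversine_m(last[1:], (lat, lon)) / (t - last[0])
            if speed > MAX_PLAUSIBLE_SPEED:
                decisions.append("reject_fix")   # hold course on inertial sensors, do not act on it
                continue                         # the spoofed fix never becomes the reference
        last = (t, lat, lon)
        if haversine_m((lat, lon), airport) <= GEOFENCE_RADIUS_M:
            decisions.append("geofence_land")
        else:
            decisions.append("ok")
    return decisions
```

On the constructed track the trusting controller lands at the third second because the spoofed fix sits inside the airport zone, while the checking controller rejects that fix and carries on normally once genuine fixes return.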
Conclusions
So is it possible to intercept a drone after all? As we have seen, it is: technically there are no insurmountable barriers. Everything depends, of course, on the device itself, the software it runs and the data transfer protocols it uses. Be that as it may, among all the high-tech tricks, an ordinary slingshot often turns out to be far more effective in the fight against copters; you just need to choose an aerodynamically suitable cobblestone.