You Kids Get Those Drones out of my Airspace!

The PacSec Security Conference in Tokyo had something interesting show up: a countermeasure against drones that allows you to take control of any craft using the popular DSMx protocol. According to Ars Technica, DSMx transmitters and receivers exchange a key to prevent interference between adjacent systems. The key isn’t protected very well, so by observing traffic and applying a little brute force, you can recover the key (which is set when the transmitter binds to the aircraft).

What’s more, a timing vulnerability allows the rogue transmitter to lock out the legitimate one. You can see a demonstration of the system, called Icarus, in the video below.

This could start an escalating technology war. It is easy to envision a market for a safe drone countermeasure (after all, just jamming one might crash it into something you won’t like; much nicer to take control of the machine and land it so you can impound it). However, it is equally easy to see that modifications to the protocol could render Icarus useless. Until researchers find the next vulnerability, at least.

This has more finesse than, say, firing pumpkins. If the trend continues, maybe we’ll get to see some cool drone battles in the sky.

52 thoughts on “You Kids Get Those Drones out of my Airspace!”

  1. This is a great hack, but I just hope people don’t start air-jacking kids’ quadcopters and selling them on Craigslist or eBay. Back to the hack though: this is really cool and would be great for messing with your friends etc.

    1. Battelle’s DroneDefender (TM) hasn’t passed FCC hoops so they can’t sell it, I wonder if similar stuff applies here, not that it will keep someone from making their own version.

      Alternatively, since DSMx requires a fair amount of hardware and drones increasingly have some fashion of autopilot or computer control: does hijacking your neighbor’s drone break the CFAA and count as unauthorized access of a computer system? Making it not just felony theft depending on drone cost, but also a federal crime.

      1. DSMx is on 2.4GHz unlicensed, and this thing attacks at the protocol layer – it *looks* as though it’s using the “attacker transmitter” radio… Both things suggest that FCC-regs don’t come into play. The narrator in the video goes into some description of using power levels that don’t run afoul of regulations…

        I’m totally speculating here. I wish there was a link to the paper or something.

      2. Yeah I think this would bring up interesting legal ramifications if someone used it maliciously. Hopefully the more expensive drones can patch this vulnerability. I am not sure if DJI are susceptible but I would hate to see a few thousand dollars fly away from me.

      3. Some interesting legal minefields. If a drone was hijacked and flown into the back of your moving pick-up truck, unbeknownst to you. And later the police show up at your home, how do you prove your innocence.

          1. Meanwhile, the owner’s DVR-recorded video (with GPS long/lat), which likely shows the owner or, in this case, the vehicle, submitted to the police, says otherwise. Dumb swag-kid then, in the end, simply gets what he deserves. Welcome to being an adult.

        1. Must be the same as when somebody throws other contraband, stolen goods, drugs, etc. into your pickup truck. Could be more difficult if it happens that you have equipment for hijacking drones in the car yourself. :-) Like if they find stolen goods from a burglary and also the respective tools with you (lock pick set or crowbar, depending on the method used).

  2. I hope when a black hat hijacks your drone and uses it as a weapon to attack a crowd of people, that you can explain why your drone with your FCC license ID was behaving in a non-random malicious manner in violation of multiple laws.

    1. First you must explain why you had your drone flying over the crowd of people in the first place.
      In my country it has started to become too common to see drones flying directly over the people during festivals and concerts.
      There was one exception that I can remember, where they obviously hired a professional: the drone was all around the concert area but not once flew over the crowd.

  3. The problem with this comes when the hijacker only wants to destroy the drone. If the hijacker tries to steal the drone, it is relatively easy to catch him; but if the hijacker crashes the drone, it would be difficult to prove the crash wasn’t caused by a malfunction or human error.

  4. The most interesting being if you hijack a Police drone for example, I wonder what the charges would be? Interfering with an investigation would be one, stealing Government property might be the second one. Transmitting using an illegal unlicensed transmitter or not having a license to transmit might be one (assuming no ham license). All bad I’m guessing.

    1. Plus 500 others so your lawyer can plea deal it down to grand larceny, time served $5000 fine and 100 hours community service….. or if you have to rely on the public defender, 25 to life.

      1. Well, in any case it will be a subject that comes up more and more in the near future. Especially the 400ft ceiling, I’m guessing that even if a drone is over your property and below that point you can’t render it useless either by blocking the signal with a stronger one, or actually taking it over. Shotguns are pretty much out too I would guess.

          1. You capture a few of those and it would make a great payday; that is why I really hope this gets solved. I still love the hack though. I really want one of these devices to play pranks, but if others make or sell them I think we will see a spike in thefts.

      2. That sounds pretty unfair.

        But then again you more or less stole a police car and derailed what was either the pursuit of a violent criminal or a search for a missing civilian. Either way you probably deserve whatever you get.

    2. Even if you have a ham licence this would still be illegal. It’s illegal for a ham to create intentional interference. Not to mention that a Police drone wouldn’t be operating in the ham bands and certainly wouldn’t be using DSMx. We can only hope that the Police are using a fully encrypted protocol.

  5. I don’t think this is about taking over a drone; instead it will simply crash it. First of all, the video shows that in the takeover the drone had no lift for a short period. In addition, the drone can require a certain model, because for example servos need to be reversed.
    So in most cases you have only acquired control over the drone in the sense that you blocked out the original transmitter. And it is locked to yours, but you are not really in control and therefore will crash it.

    1. Of course a hijack may go wrong due to the reasons you give. If you think that might happen, keep your finger on the “off” switch. If the drone goes the wrong way with your controls, flip the Icarus off and give control back to the owner. He’ll think “just a glitch” and attempt to recover. You just reverse the controls and try again.

      Note that Icarus already displays the control inputs of the victim. This allows you to verify the polarity of the inputs ahead of the takeover….

      1. And if I saw some dude in a black fedora with a Tx in his hands looking at my quadcopter and my quadcopter started doing funky things, he’d better be a fast runner….

    1. I would expect the drone to know “home” by the GPS coordinates that it recorded at takeoff. It is not that the original ground station is guiding the drone in. So having the drone “home” and land somewhere different means you have to spoof GPS. This is more difficult and a separate hack.

  6. For this to work well, as others have alluded to, you would have to sniff the protocol packets and make a good guess as to what channel is controlling what function. Just because I’m using DSMx or JR or whoever’s protocol doesn’t mean I don’t have a flight controller between the receiver and the ESCs and servos. And a lot of them let you change up the channels to control stuff in a way that might not be the OEM mapping of the radio. In fact, APM’s mappings were way different from my ER9X radio and were a bit of a pain to get set up correctly. And I’m not just talking mode 1 vs. mode 2.
    If you don’t know that someone’s channel 1 is being used for their throttle, and it’s actually being used for roll, or EEEK!! I’m being hacked, RTL – FAST!!! Then this won’t work out so well….

    And I bet if this started to become a thing, firmware would be released in short order to make it obsolete anyway.

  7. And OOoooo, I got an idea! Mount a small pseudo-Doppler direction finder on a large drone with an autopilot FC and program it to seek and destroy any signal that tries to control it other than some oddball protocol that simply tells it to launch or RTL/L.

    1. With such a dangerous setup (search and destroy) you have to be very sure about the correctness of the software and the friend/foe differentiation. :-) Not that the last thing you hear in your life is the “boom” of a missile from your own UAV just because of a flipped bit.

  8. A couple of years ago I successfully reverse engineered the Futaba FASST protocol, so I can say that something like this could even be done quite easily on Futaba FASST systems.

  9. Another concern — this protocol is also used to control some pretty large and fast “model” aircraft. For example, some of the turbine-powered models controlled using Spektrum equipment can be up to 77 lbs and go up to 200 MPH. That sort of size and speed is closer to a cruise missile than a toy plane. This same protocol and equipment is also used to control high-powered electric helicopters, swinging carbon fiber blades 700 mm long in wild high-stress maneuvers toward unprotected crowds (“3D” flying style). While someone not familiar with either of these types would likely not be able to fly them, they could take control and send these dangerous “model” aircraft into people.

    1. I always wondered – back in the 70s they had the Formula One planes that would do 160 mph in a dive (I lived down the street from a field for RC planes), doing the pylons – and you could always count on several crashing before the event was over. I wonder how much kinetic energy something like that has? Obviously lighter than what you are talking about – but relative. This was just before the ducted fan stuff started to take off, and I can only imagine how fast the standard planes are now.

    2. Although as far as I have observed, which is sporadically… the safety protocols for public events and flying in front of crowds have only tightened up over the years, and that is since early equipment that still didn’t have the bugs out, through 27 MHz that could be “shot down” by nearby CBs, through the 35 MHz AM or FM that was better but could still be interference prone… through to the spread spectrum used today.. so despite the radios getting “better” the safety margins were always being widened on the ground at the same time… therefore I don’t think attempted hacking should cause disasters of “epic” proportions…. however attaining full control of a plane, then turning it toward the spectators against safety protocols, would be another matter.

      But as with other tech, assault is assault and murder is murder, no matter how you achieve it, and the legal penalties against such prevent most people from ending up in hospital instead of at work every morning.
