Anti-Drone Fence: Science or Snakeoil?

Remember when it was laser pointers? Well, now it’s drones.

[Thinkerer] sent us this link to what’s essentially a press release for a company called Sensofusion that makes a UAV detector and (they claim) smart jammer, and apparently one is being installed at Denver International airport.

We buy that the “Airfence” system will be able to detect known systems by signature, and possibly even take them over. We’ve seen two exploits of quadcopter radio protocols (one a timing attack and the other a controller ID spoof) that would allow them to do just that. But is that the problem? Don’t most of the major manufacturers fence off airports in software these days anyway? And are drones really the droids that you’re looking for?

They also make some claims about being able to detect and stop DIY copters, but we don’t see how. Imagine that your copter ran encrypted on 2.4 GHz. How is this different from any other WiFi signal? Or imagine that it sends and receives infrequent data in the congested pager bands? And short of jamming, we don’t see how they’re going to take down anything that they don’t already understand.

So, commenteers, how would you do it? Detect and even take over an arbitrary drone? Possible or snakeoil?

80 thoughts on “Anti-Drone Fence: Science or Snakeoil?

  1. Jamming is technically easy, although it’s very easy to fall afoul of FCC regulations. Several cases of jamming cell phones, GPSs, and wifi have shown that FCC is pretty serious about this.

    However it’s increasingly easy to build your own or just buy a drone that will follow a set of GPS waypoints, thus removing the need to communicate at all. Thus jamming will have no effect on them.

    1. Right!

      And the thing is: “What do you want to defend against?”. If it is clueless people living under the runway approach that got a quadcopter for christmas and are “heavy handed” on the throttle, then, yes, this will work. But someone who WANTS to intercept a plane can still do so.

      1. I would imagine this device is to protect the airports and their non-malicious owners alike. Bumping into this fence un-intentionally is less harm for everybody than facing legal actions from FAA or other government actors. Against malicious intent this is not effective and most likely it is not intended to be so.
        Aviation requires open sky in more than one way and hence can not rely on fixed borders to protect itself anyway.

    2. Unless you jam the incredibly weak GPS signal from space…but jamming GOS at an airport could down real planes.

      I would say this device would only work on very specific devices it can identify using standard protocols. The more interesting question is what will then happen to the drone. Will it fall from the sky on to the runway, or hover in the same place until the old signal is restored, or head in a random direction possibly towards aircraft. It would be fairly easy to identify common drones control signals, but then what to do to not make things worse?

      1. Even if you jammed GPS, there’s still dead-reckoning based on the INS if you don’t have GPS updates, too. Maybe spoofed GPS? Cause a lot of car-navigation problems near your house?

        1. An INS ‘dead reckoning’ does not produce the required navigation performance for precision approaches, and precision approaches without ground based radio aids is where the industry is going.

  2. “They also make some claims about being able to detect and stop DIY copters, but we don’t see how.”

    Simple, they look at the most popular DIY implementations and then provide hacks like the commercial ones or provide a disruptive signal that is likely to cause the drone to drop out of the sky. It doesn’t have to be 100% effective, just effective enough to cover your ass and fool idiots who don’t know any better.

  3. Most GPS stabilised quadcopters won’t “drop out of the sky” if they lose connection with the transmitter. Generally they’ll sit still for a couple of seconds then return to where they took off from.
    As mentioned above, I can see being able to jam or disrupt the more common protocols (though obviously with dubious legality), but probably also causing issues with legitimate 2.4GHz transmissions in the area. Be a bit annoying if you happen to run a business near an airport and your wifi and Bluetooth devices all stop working because a jammer identifies them as a threat…

    1. Then the challenge will be to send high power fake GPS data to the drone in order to make it believe it is elsewhere, then by analyzing its route corrections calculate where it is trying to go and find with that data its launch base.

  4. I’d just place devices along the fence line where people and wifi shouldn’t be then find any AP’s or clients and de-auth the crap out of them. That gets around FAA rules and stops the ‘drones’ from being controlled. Range can be limited by controlling radio power. Those with fail-safes will fly home. Those without ….

    1. De-auth doesn’t work with a transmission that’s not WiFi based. E.g. all three of the quadcopters and the model plane i own. And basically any other “proper” RC model, which does not require an iPhone or an Android phone to function.

  5. I too am wondering what the overall aim is, to stop stupid people this would probably work 99% of the time, but they’ve already been stopped in software, and right up to the moment of publication it would have been just as effective against terrorism.
    Now that they have disclosed all the defence mechanisms in place it’s fairly easy to work around them.
    Has no one read the art of war, Specifically the part on not disclosing all you battle/defence plans?
    As a member of an EOD unit we would develop ways to deal with “bomblets” only to have mad scientists develop ways to scupper our plans, so we kept them secret.

      1. If you are good at keep the secret under that obscurity layer, then it’s a valid tactic that works 100% of the times.
        Otherwise we would be able to circumvent things like Intel ME or reverse engineer closed drivers binary blobs in a breeze. Sadly we can’t.

      2. Secrecy is better thought of as a stalling tactic to buy time and give your side a chance to detect the enemy. Keeping a drone defense system secret might only keep out two or three terrorist drones before the bad guys find a way around it – but that’s two or three drones that could potentially be recovered (or at least the pieces, if one assumes it’s an exploding drone) and used as clues to track down the terrorist plot. An approach that would not work to secure a million commercial devices that a black hat would be able to tear apart in a lab still makes sense if you have a unique site that people are actively defending.

    1. That is my issue with this. Birds are way more dangerous than the above-average hobby ‘drone’.

      And they cannot predict exactly what a drone is going to do one the signal is jammed. Could be some idiot who is flying too close to the airport but has no intentions of breaking the law or flying any closer.
      Anti-drone fence activates and the drone might ‘fly home’ right into the airport.

      They should just use trained Hawks like the have been for decades! Or was it trained Eagles?

  6. Preventing idiots from putting a drone into a jet engine is good enough.

    Idiots generate an average of 40k to 50k medically-referred traffic accidents over a Labor Day weekend, with a fatality rate of about 1%. The fatality rate for plane-related accidents is usually either 0% or 100%.

    I think Napoleon said, “never attribute to malice what can be adequately explained by stupidity,” but enough stupidity can make malice pale by comparison.

  7. DIY copters are mostly controlled by RC remotes. Ther are only a hand full different flavours in the market. The protocols all have no security worth mentioning. So it should be easy to spoof commands and controll the RC aircraft.

  8. I can see it working for stupid people flying too close to an airport. However, anyone purposefully trying to fly in that space there are too many work arounds – GPS waypoints and control via mobile data being the simplest to implement and the hardest to work against.

  9. I’d do a “canned” RTL-SDR/LNA/Downconverter based active scan for RF signals common to R/C aircraft bands – use both analog (old style Futaba) and the new digital types (Spektrum?) frequencies – as well as the 2.4 Ghz bands common to the “WiFi Pilots” drones. Utilize one dedicated transceiver in each unit for each frequency group. Put enough brains (Friendly Arm M3 or T3) in it to not be a “pi” box. Link all your units together with some form of high-speed data-link that can average point-to-point communications times. Pull your timing signal at each unit using a dedicated GPS (UBlox 8T in timing mode?) to create a wide-baseline quasi-coherent receiver. Most non-encrypted use MAVLINK – which is a borked protocol. Scan for a transmitter where there shouldn’t be one, and then use the entire network of transmitters to bury/deauth/white noise the system. If you really wanted to be cute, use the tx subsystems as a virtual broad-side phased array antenna to push power where you wanted it.

  10. I just built my first quadcopter a Flame Wheel clone with a PixHawk clone fight controller. It can navigate waypoints that I have pre-programmed on it’s own using the onboard GPS I’ve installed OR it can do dead reckoning using its IMU to navigate, though not as precisely. But the idea of a “drone fence” using RF jamming or spoofing is a non-starter for anyone other than the average joe, that seeing the election results is likely to be pretty fucking dumb, flying their drone where they shouldn’t. Unfortunately, bad guys tend to be pretty smart.

    So it keeps dumb people out, but not people with bad intentions. Slow clap….

    I will be flying my quadcopter over the empty fields of the Midwest, far from any airports.

    1. Airports are already covered by microwave guns. It’s called radar….. And you are not going to get enough focused microwave energy on a fast moving, or slow moving drone for that matter for it to do anything. Without spending wayyyy more money than this is a big enough problem to warrant, anyway. And then you are not going to get approval to operate that kind of system anywhere near an airport.

        1. I may well live a little too close to a major military airfield at the moment to test anything large. Let alone dragging a couple of 3kw generators and a suspicious thing under a tarp into the middle of nowhere could be a little suspicious too :D

    1. First sensible comment I read going down the list…
      They may stop some hobby copters driven by someone who bought it in a store, but the assumption here is that the communications are know and can be jammed… What if it doesn’t have any communications? I’ve been programming autonomous robots for quite a while now – and it’s pretty amazing what you can get them to do with modern processors – and I can see copters moving in that direction quite easily.. Then there are no coms to detect and block, so you are left with physically stopping them… Get out the shotgun!

  11. “Airfence, which is designed to (where allowed by law or regulation) override the radio communication between drone and operator, and either force the drone to land in a designated area, or at least force it to land where it is. Even if the unmanned aircraft uses encrypted communication protocols, Airfence can still triangulate drone and operator, and take control of the drone to a high degree. It even has a form of artificial intelligence, a built-in ability to reverse engineer the communications between drone and operator of a system it has never detected before.”

    That part doesn’t sound right, but it actually reminds me of a project I completed in college. I was trying to reverse engineer the IR protocol to fly a tiny little Air Hogs RC helicopter from an Arduino. The control bits were all pretty obvious when moving the control sticks around, but there were two bits at the end that I didn’t understand. I’m sure they were some kind of error checking code, but after reading about parity bits and checksums and CRCs I still had no idea how they were generated – but the helicopter wouldn’t fly without them. Since the control inputs were so small (five bits of throttle and 3 bits for steering) I decided to just record all possible control inputs and their check codes, then play back the ones I wanted. (I just twirled the joysticks for a few minutes while my computer recorded the codes. There were a few gaps, but it worked :)

    I wonder if the Airfence is doing something similar when it encounters a new RC protocol – if it can simply replay commands to the mystery quad that it has already recorded the real operator making? But if the quad uses a real rolling encryption technique, that surely wouldn’t work? brb going to read about that DSMX hack…

  12. “Imagine that your copter ran encrypted on 2.4 GHz”

    just generate a 2.4 ghz carrier and sweep it up and down so any and all 2.4 ghz device includes but not limited to wifi.

  13. Am I the only person thinking that this “snake oil” can be 100% bypassed by a malicious actor using USRP/LimeSDR/HackRF/… to TX a custom control protocol at a random frequency between 24MHz to 1.8GHz and using a $10 RTL-SDR in the custom built drone of evil to RX. And to mitigate any jamming the protocol can have high error correction coding, and either use spread spectrum of frequency hopping. In fact if designed really well, the control signals would look very much like random noise.

    1. Frequency agile systems have been in use for a long time – but they’re typically not “available” to the general public and of course regulated by the FCC. Also, commercial frequency agile systems are generally limited to a specific band.

      A truly agile system (one that could scale from, say, 6 meters to 70cm and places in-between) would be nearly impossible to jam without disrupting everything else. How easy is it?

      Well, perhaps a bit harder than you may initially assume. An SDR with a TX would require a wide band amp to kick the signal above the surrounding noise floor and travel the distance to the drone. Then, your receiver’s selectivity would have to be somewhat above and beyond what most low-cost SDR’s offer because now you’re dealing with fairly precise timing chains in a high speed data stream that’s passing through a direct conversion system.

      I’m sure there are a number of very intelligent folks on here that could pull it off though. With sufficient motivation and a bit of time and some clever software and RF hardware hacks, you bet.

      Easier still? (C’mon now, think… keep it simple, right? What CAN’T they jam or take-over? Hint: roadside bombers love them.)

      A simple, cheap and significantly un-jammable system would be based on a modern cellphone. To jam that, the perps would have to jam everything on a local cell tower, and depending on the location, they’d have to jam not one, but several towers. Use a cellphone and write yourself a custom controller application. Hint: Just about every modern cellphone has a micro USB jack, and it doesn’t take a genius to interface an IO board to it.

      The smart engineer would also use a back-channel interface…

      Their take over system might work for the bulk of Toys-R-Us drones, but once someone implements a “measure” there are people who will implement a “counter-measure.”

      1. You could avoid the amp by broadcasting each bit spread spectrum over 2MHz (while still frequency hopping) and although the signal would be below the surrounding noise floor, with synchronised knowledge of the spreading function the resulting detected signal would not be. Or as in the case with WSPR increase the error correction and the duration of each transmission. I do agree with your use of GSM, but an off the book modulation is much harder to block. I suspect any FCC laws would be totally ignored by someone intent on illegally getting a drone into FAA airspace.

        1. The custom approach is ultimately more satisfying to make, and along the way, one tends to usually learn a great deal.
          I’ve often toyed with the idea of having a night-drone silently launch and stay between 150 and 200 feet AGL – the payload being an SDR coupled with some SoC programmed to log everything in a sweep, saving the raw IQ for later playback. Program the drone to navigate close to your local black site and just loiter while logging.

          Nice chip. Gotta love modern RF design. The capability of that chip would have had it in the ‘classified’ military-only category in the 80’s and 90’s. I should buy one just to prank everyone on this floor wearing Bluetooth headsets… :-)

  14. I love how many people see a device that can be easily bypassed by a malicious actor and conclude not that the device isn’t truly designed to stop determined attackers, but that they’re just *that much* smarter than the people designing this system.

    1. I don’t think they think they’re smarter, just that to block a drone 100% of the time, you have to do things that would interfere with normal operating activity of the airport and airplane instruments.
      Or that 95% of the time, it’s gonna be some kid or unscrupulous stringer with an off the shelf drone, so why would a company prepare for the 5% it’s not? Especially when the airport has other threats to contend with using a limited budget.

  15. So they expended the 5% of effort required to cover 95% of cases, that is how profitable businesses operate. Could it stop something I built with such defences in mind? Not a chance. For one I can use optical flow for navigation and google maps to train a NN to navigate without needing external data, other than the optical input. And it gets more dangerous and scarier from there, but I’m not going to discuss such things publicly as that would be irresponsible.

    1. Heh, understood. I’m in the “decline to prove it because I don’t want to give the skiddies a recipe” camp also… or anyone else, but for sure it’s not going to stop state actors or well funded isms.

    2. In my opinion not discussing things and keeping them secret does not help in creating viable defences. If you do not know of the flaws you can not create a solution.

      IMO RF jamming is a dead end.
      One solution I’m thinking about, was triggered by thinking about low energy bullets used on planes. So you measure the 3D position of the drone (using audio, cameras, radar) and calculate it’s direction vector. Then calculate multiple ballistic interception points, using a number of different detonation charge strengths. And then select the minimum charge to knock out the target, or adjust the arc of the ballistic path. Of course measurements of wind strength, rain, sleet, would need to be included as factors. One nice thing is that you could calculate where the debris, and interception device, would go and only intercept when you can safely bring it down on unpopulated land.

          1. I meant WE as a species. I did include both branches of the German scientists – the Soviet space program and NASA. Which I though would be very clear that “we” as a species was implied.

  16. You know what everyone.
    I’m glad that most of use are on the good side of the Law.( Or at least on the line.)
    I know that if a small group of us got together that we would be able to do almost anything just short of sending some one to the moon. And I know that some of you would be saying yes I could.
    Lets keep things going. But the one thing that keeps bugging me. We are losing more and more freedom of being able to do things legally. The large companies are trying to remove our rights to explore our devices and software that we paid for and should be owers.
    and not made to believe we own it more so the hardware.
    EXAMPLE : lets say I got a laptop, I believe that I payed for it. So I should be able to put in more ram or upgrade the DVD to a Blu Ray and not void the warranty. This as a very very simple example.

  17. I was thinking go with the K.I.S.S. rule. Why go for complex method of radio jamming when you can use a aerial denial method of using security drone interceptors coupled with DEWs to blind the intruder’s on-board camera and a chemical attack on the quad’s electric motors? Here is a conceptual diagram. It also addresses unauthorized boat drones too: https://goo.gl/l3pRLE

    I would like to nickname it The Bermuda Triangle Method (tongue-in cheek reference). :-D

  18. Why not build an “anti-bird” Nerf launcher or Q-copter (Then you can keep the Nerf missiles on string, or just bump it)?

    If the latter, your QC could chase it within the perimeter and generally just be disruptive.

  19. How does this thing know the channel assignment of each system that “real” RC controllers use, as in TEAR or AETR.
    If it gets this wrong, either the plane or copter goes into RTH or some other failsafe mode, or it goes out of control causing a crash, which can be more dangerous than just leaving it alone.

  20. Here is the first step. Give up! Am I supposed to believe they are going to install anything like this near an airport? Passive detectors seem like fair game but what airport is willing to install active RF devices that could do more damage then the devices they are trying to stop? Where is this money coming from? Who takes care of the possible liability if there is an accident? Maybe if someone yells terrorist loud enough or if a drone is linked to a terror attack.

  21. There are a few problems with this that people who aren’t into RC probably don’t realize. Even if you “take over” the receiver you have no way to know the channel assignments and orientations or the travel limits and subtrim and there is no standard for that so at best you’re going to cause a crash. On something like a large 700 class single rotor helicopter this would be very dangerous as you would now have an out of control 5hp flying lawnmover zagging off in some random direction that can easily cause property damage or death. On a traditional helicopter all it would take is for one servo to be reversed on the swashplate (typically one or two of the servos have to be reversed in the radio setup to get them to all move in the right direction). The same thing holds true for large planes, channel assignments and orientations will vary depending on the model and electronics equipment installed on it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s