Even a $35,000 government-ready flying machine can’t escape hackers.
Pricier means more secure, right? Not exactly.
A security researcher has found that many expensive police drones are vulnerable to hacks.
At San Francisco’s RSA conference this week, Nils Rodday showed off flaws in a $35,000 drone’s radio connection, opening the device to hackers more than a mile away.
According to Wired, Rodday was able to take full control of a government-ready quadcopter using only a laptop and a cheap radio chip.
Any hacker who can reverse-engineer the drone’s flight software can do the same, sending new navigation commands and blocking those from the actual operator.
Rodday, an IT security consultant with IBM Germany, conducted his drone research as a graduate student at the University of Twente in the Netherlands and University of Trento in Italy.
The results were published in a final project called “Exploring Security Vulnerabilities of Unmanned Aerial Vehicles.”
Sworn to secrecy by the drone manufacturer, Rodday did not disclose the specific machine he tested, or who sells it.
But he did reveal two serious security oversights: poorly encrypted Wi-Fi connecting the drone to its user, and an even less-secure radio protocol.
The unprotected drone is an easy target for a man-in-the-middle attack conducted by someone who could be more than a mile away, sending commands to reroute or reprogram the flying machine.
“If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure,” Rodday told Wired. “You can send a command to the camera, to turn it to the wrong side so they don’t receive the desired information…or you can steal the drone, all the equipment attached to it, and its information.”
The unidentified manufacturer has been alerted to the security flaws, and intends to fix the problem in its next model, the magazine said. Unfortunately, the same patch cannot be applied to those drones already flying around. What’s worse, Rodday’s discovery is likely not confined to just one unmanned aerial vehicle; it could extend to commercial quadcopters, as well.
In December 2013, hacker and security analyst Samy Kamkar built SkyJack—a Parrot AR UAV equipped with a Raspberry Pi, engineered to autonomously seek out, hack, and wirelessly take over other drones within Wi-Fi distance.