a state of the art of drone (in)security - dusitdusithost.dusit.ac.th/~juthawut_cha/download/a state...

A State of the Art of

Drone (In)Security

Yves Roudier1 Tullio Joseph Tanzi2,3

Journées scientifiques URSI France – JS’17

Radiosciences au service de l’humanité

February 1‐3, 2017, Sophia Antipolis, France,

1 I3S – CNRS – Université de Nice Sophia Antipolis, [email protected]

2 Institut Mines-Telecom, Telecom ParisTech, LTCI ,

06904 Sophia Antipolis cedex, France, [email protected]

3 URSI France, Commission F

mailto:[email protected]


Outline

02/02/2017 JS’17, February 1-3, Sophia Antipolis2

Introduction

• Lightweight drones

• Potential applications to humanitarian missions

Attacking Communications: Access and Hijack

Denial of Service and Interception

Onboard Sensor Attacks

Conclusion and Future work

Lightweight Drones (UAV)

3

Hewitt-Sperry automatic airplane (1917),

the ancestor of the drone.

JS’17, February 1-3, Sophia Antipolis

Communication and coordination – RISK: information leaks• Maintenance of the communication link (black-out)

• Creation of an alternative communication network

• Data Filtering

• System Security, …

Terrain reconnaissance – RISK: crashes• Exploration of an area of research

• Specialization of the payload (Lidar, Radar, etc.),…

Search And Rescue (SAR) operations – RISK: privacy of victims• People detection

• People classification and counting

• Contact and inform, …

Motivation: Potential Applications to

Humanitarian Missions

02/02/20174 JS’17, February 1-3, Sophia Antipolis

T1. Scan area T2. Locate device T3. Drone-device

communicationT4. Drone information

relaying

Attacking Communications: Access and

Hijack

Remote control link: • Unencrypted Wi-Fi [Samland et al. 2012] [Marty 2014] [Luo 2015] [Trujano et

al. 2016]

• XBEE Man-In-The-Middle (MITM) attack [Rodday 2016]

• [Rodday et al 2016]

• Protocol stack vulnerabilities [Hooper et al. 2016]

Tablet / Remote attacks• Makes it possible to take control of the drone too! [Rodday 2016]

Drone subsystems• Onboard devices like cameras can be attacked independently

• Firmware analysis: retrieval of ssh key data and configuration, /etc/shadow…

Attacks:• Drone Hijacking / unauthorized command hijacking: Disconnecting remote

controller and reconnecting attacker’s controller (thieves have actually used such attacks to steal drones!)

• Eavesdropping on remote sensing and video streams (in real-life: American drones in Irak)



Hijack

Drone system communication links

• Wif-Fi key uncovered through brute-force attack

• Only WEP protection


[Rodday 2016]


Hijack

Xbee MITM Attack

• More complex bruteforcing

• Due to poor design choices (Xbee)

that reveal part of data in cleartext


[Rodday 2016]

Approach: Cryptography

Encryption (implemented in recent communication protocols)• At link- and possibly application-level if distributed remote control

platform

• Dji proprietary protocols: Lightbridge (Phantom, Inspire 1) and Ocusync(Mavic)

• Independent academic proposals: eCLSC-TKEM [Won et al. 2015]

Authentication objectives:• Prevent replay attacks for commands

• Prevent the injection of bogus telemetry

Data Integrity:• Prevent controlled modifications of data (telemetry, video) [Marty 2014]

Problems• Protocol synchronization in noisy or jammed environments?

• Performance and cost of encryption? (especially for drone subsystems)


DoS and interception

Jamming: force UAV to fall or return home

• Many commercial systems …

• Hackers too for Wi-Fi jamming: e.g. SkyJack

[Kamkar 2013], Wifi jamming with Raspberry Pi

+ cantenna [Chapman 2016]

• Proven attacks [Lee et al. 2016]



Radio Jamming (continued)

• FHSS resists congestion but random jammer can reduce SNR

• Still vulnerable to technical attacker: can extract FHSS hopping

sequences using SDR [Shin et al. 2015]


FrSKY DJT Radio Telemetry (RF

module) / FlySky FHTH9XFrSKY D4R-II 4Ch Receiver

Partial sequence extraction with

GNUradio [Shin et al. 2015]


Of course, many other approaches too …

• Vibrating gyroscopes with sound [Son et al. 2015]

• Capture nets

• Guns …

• Even eagles!


Approach: Data protection + Autonomy

Data sensing: we should assume drone can be captured and encrypt data

• Potential privacy issues (victims, information leaks, …)

• Problem: PRNG for large data streams, especially with lightweight UAVs

• Also, once encrypted, data can no longer be exploited onboard for data fusion …

Autonomous behavior

• The UAV should adapt its navigation and mission in realtime in case communications are no longer possible (including if malicious denial of service)

• The UAV should also be able to trigger emergency systems to mitigate hard crashes and delete cryptographic material based on attack sensing


Attacks over Onboard Sensors

Objective: Take control, land drone, crash drone even in autonomous mode• Location or environment sensing

• Gain scheduling [Kim et al. 2012]

GPS spoofing• [Humphreys et al. 2008] [Kerns et al.

2014]

• More recently, technology developed on simpler SDR equipment [Yuan 2015] [Marty 2014]

Optical sensors• [Davidson et al. 2016]

LIDARs, sonars• Proofs of concept for automotive cars,

drones might also be susceptible to similar attacks


Approach: Correlated Sensing and Spoofing

Detection

Plausibility checks and anomaly/intrusion detection

• Safety purposes (failing sensors)

• Combine multiple sensors to

detect inconsistencies

• Intrusion Detection Systems [Boukhdir et al. 2015]

• Amazon patent: majority vote in a drone fleet [Amazon 2014]

Spoofing detection

• Detection approaches have been proposed for GPS

• Signal direction ([Psiaki 2013]), auxiliary peak tracking (SPREE

[Ranganathan et al. 2016]) …


Conclusions and perspectives

Many attacks have been imagined against drones• Increasingly accessible to hackers

• Also increasingly used in the wild

Need to evolve system architecture for security• Encrypted and authenticated remote control and data storage

• Autonomy in order to complete mission

• Prevent sensor spoofing using anomaly detection and correlation

Actual usage of drones anyway will require autonomy• Complex missions, difficult contexts

• Will require specific validation: attackers might exploit autonomous behavior! How to represent and monitor behavior? [Birnbaum et al. 2015]

Fleets of drones• Specialized sensors, multiple sensing locations

• Multi-hop communications


References

[Kim et al. 2012] Alan Kim, Brandon Wampler, James Goppert, Inseok Hwang and Hal Aldridge. Cyber Attack Vulnerabilities Analysis for Unmanned Aerial Vehicles. June 2012. American Institute of Aeronautics and Astronautics.

[Hartmann et al. 2013] Kim Hartmann and Christoph Steup. The Vulnerability of UAVs to CyberAttacks - An Approach to the Risk Assessment. 5th International Conference on Cyber Conflict, K. Podins, J. Stinissen, M. Maybaum (Eds.), 2013 © NATO CCD COE Publications, Tallinn.

[Petrovsky 2015] Oleg Petrovsky. Attack on the drones: security vulnerabilities of unmanned aerial vehicles. VB2015 (The Virus Bulletin Conference). Wednesday 30 September 2015, Prague, Czech Republic.

[Shin et al. 2015] Hocheol Shin, Kibum Choi, Youngseok Park, JaeyeongChoi, Yongdae Kim. Security Analysis of FHSS-type Drone Controller.. 16th Workshop on Information Security Applications (WISA 2015), pp. 240-253, August 20-22, 2015.

[Davidson et al. 2016] Drew Davidson, Hao Wu, Robert Jellinek, Thomas Ristenpart, Vikas Singh. Controlling UAVs with Sensor Input Spoofing Attacks. WOOT’16, 10th USENIX Workshop On Offensive Technologies, Austin, TX, August 8-9, 2016.

[Amazon 2014] Countermeasures for threats to an uncrewed autonomous vehicle. US Patent 9,524,648 B1

16 JS’17, February 1-3, Sophia Antipolis

References

[Won et al. 2015] Jongho Won, Seung-Hyun Seo, Elisa Bertino. A Secure Communication Protocol for Drones and Smart Objects. ASIA CCS’15, April 14–17, 2015, Singapore.

[Birnbaum et al. 2015] Zachary Birnbaum, Andrey Dolgikh, Victor Skormin, Edward O’Brien, Daniel Muller, Christina Stracquodaine. Unmanned Aerial Vehicle Security using Behavioral Profiling. 2015 International Conference on Unmanned Aircraft Systems (ICUAS), Denver Marriott Tech Center, Denver, Colorado, USA, June 9-12, 2015

[Boukhdir et al. 2015] K.Boukhdir, F.Marzouk, H.Medromi, S.Tallal, S.Benhadou. Secured UAV based on multi-agent systems and embedded Intrusion Detection and Prevention Systems. American Journal of Engineering Research (AJER). e-ISSN: 2320-0847 p-ISSN : 2320-0936, Volume-4, Issue-8, pp-186-190, 2015.

[Son et al. 2015] Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim. Rocking drones with intentional sound noise on gyroscopic sensors. In 24th USENIX Security Symposium (USENIX Security 15), pages 881–896, Washington, D.C., 2015. USENIX Association.

[Kamkar 2013] S. Kamkar. SkyJack. http://www.samy.pl/ skyjack, December 2013

[Rodday 2016] Nils Rodday. Hacking a Professional Drone. RSA Conference 2016. February 29 – March 4. San Francisco, USA.

[Rodday et al 2016] Nils Miro Rodday, Ricardo de O. Schmidt and Aiko Pras. Exploring Security Vulnerabilities of Unmanned Aerial Vehicles. Network Operations and Management Symposium (NOMS), 2016 IEEE/IFIP


http://www.samy.pl/

References

[Trujano et al. 2016] Fernando Trujano, Benjamin Chan, Greg Beams, Reece Rivera. Security Analysis of DJI Phantom 3 Standard. May 11, 2016

[Lee et al. 2016] Young Sil Lee, Young-Jin Kang, Sang-Gon Lee, HoonJaeLee, YoungJae Ryu. An Overview of Unmanned Aerial Vehicle: Cyber Security Perspective. Asia-pacific Proceedings of Applied Science and Engineering for Better Human Life, Vol.4 (2016) pp. 128-131.

[Samland et al. 2012] Fred Samland, Jana Fruth, Mario Hildebrandt, Tobias Hoppe, Jana Dittmann. AR.Drone: security threat analysis and exemplary attack to track persons. Proc. SPIE 8301, Intelligent Robots and Computer Vision XXIX: Algorithms and Techniques, 83010G (23 January 2012); doi: 10.1117/12.902990

[Marty 2014] Joseph A. Marty. VULNERABILITY ANALYSIS OF THE MAVLINK PROTOCOL FOR COMMAND AND CONTROL OF UNMANNED AIRCRAFT. PhD thesis. AFIT-ENG-14-M-50. AIR FORCE INSTITUTE OF TECHNOLOGY, DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY. March 2014.

[Luo 2015] Aaron Luo. Drones Hijacking - multi-dimensional attack vectors and countermeasures. DEFCON 24. August 2015, 4-7, Las Vegas.

[Hooper et al. 2016] Michael Hooper ,Yifan Tian, Runzuan Zhou, Bin Cao, Adrian P. Lauf, Lanier Watkins, William H. Robinson, Wlajimir Alexis. Securing Commercial WiFi-Based UAVs From Common Security Attacks. Military Communications Conference, MILCOM 2016 - 2016 IEEE


References

[Humphreys 2008] Todd E Humphreys, Brent M Ledvina, Mark L Psiaki, Brady W O’Hanlon, Paul M Kintner Jr. Assessing the spoofing threat: Development of a portable GPS civilian spoofer. Proceedings of the ION GNSS international technical meeting of the satellite division. September 16, 2008. Vol . 55, p. 56.

[Kerns et al. 2014] Andrew J. Kerns, Daniel P. Shepard, Jahshan A. Bhatti, and Todd E. Humphreys. Unmanned Aircraft Capture and Control via GPS Spoofing. Journal of Field Robotics archive, Volume 31 Issue 4, July 2014, Pages 617-636 , John Wiley and Sons.

[Psiaki 2013] Psiaki, M.L., Powell, S.P., O'Hanlon, B.W., "GNSS Spoofing Detection using High-Frequency Antenna Motion and Carrier-Phase Data," Proceedings of the 26th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2013), Nashville, TN, September 2013, pp. 2949-2991

[Ranganathan et al. 2016] Aanjhan Ranganathan, Hildur Ólafsdóttir, SrdjanCapkun. SPREE: A Spoofing Resistant GPS Receiver. MobiCom '16 Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking. Pages 348-360. New York City, New York —October 03 - 07, 2016

[Yuan 2015] Jian Yuan. GPS Spoofing of UAV. Syscan 360 Information Security Conference. Beijing, 21.10.2015 - 22.10.2015.


20

Thanks for your attention …

URSI Commission F

1 I3S – CNRS- Université de Nice, 06904 Sophia Antipolis cedex, France, [email protected]

2 Institut Mines-Telecom, Telecom ParisTech, LTCI CNRS,

06904 Sophia Antipolis cedex, France, [email protected]

3 URSI France, Commission F

Yves Roudier1, Tullio Joseph Tanzi2,3

JS’17, February 1-3, Sophia Antipolis


mailto:pr%C3%[email protected]


a state of the art of drone (in)security - dusitdusithost.dusit.ac.th/~juthawut_cha/download/a state...

Documents