a state of the art of drone (in)security - dusitdusithost.dusit.ac.th/~juthawut_cha/download/a state...
TRANSCRIPT
A State of the Art of
Drone (In)Security
Yves Roudier1 Tullio Joseph Tanzi2,3
Journées scientifiques URSI France – JS’17
Radiosciences au service de l’humanité
February 1‐3, 2017, Sophia Antipolis, France,
1 I3S – CNRS – Université de Nice Sophia Antipolis, [email protected]
2 Institut Mines-Telecom, Telecom ParisTech, LTCI ,
06904 Sophia Antipolis cedex, France, [email protected]
3 URSI France, Commission F
Outline
02/02/2017 JS’17, February 1-3, Sophia Antipolis2
Introduction
• Lightweight drones
• Potential applications to humanitarian missions
Attacking Communications: Access and Hijack
Denial of Service and Interception
Onboard Sensor Attacks
Conclusion and Future work
Lightweight Drones (UAV)
3
Hewitt-Sperry automatic airplane (1917),
the ancestor of the drone.
JS’17, February 1-3, Sophia Antipolis
Communication and coordination – RISK: information leaks• Maintenance of the communication link (black-out)
• Creation of an alternative communication network
• Data Filtering
• System Security, …
Terrain reconnaissance – RISK: crashes• Exploration of an area of research
• Specialization of the payload (Lidar, Radar, etc.),…
Search And Rescue (SAR) operations – RISK: privacy of victims• People detection
• People classification and counting
• Contact and inform, …
Motivation: Potential Applications to
Humanitarian Missions
02/02/20174 JS’17, February 1-3, Sophia Antipolis
T1. Scan area T2. Locate device T3. Drone-device
communicationT4. Drone information
relaying
Attacking Communications: Access and
Hijack
Remote control link: • Unencrypted Wi-Fi [Samland et al. 2012] [Marty 2014] [Luo 2015] [Trujano et
al. 2016]
• XBEE Man-In-The-Middle (MITM) attack [Rodday 2016]
• [Rodday et al 2016]
• Protocol stack vulnerabilities [Hooper et al. 2016]
Tablet / Remote attacks• Makes it possible to take control of the drone too! [Rodday 2016]
Drone subsystems• Onboard devices like cameras can be attacked independently
• Firmware analysis: retrieval of ssh key data and configuration, /etc/shadow…
Attacks:• Drone Hijacking / unauthorized command hijacking: Disconnecting remote
controller and reconnecting attacker’s controller (thieves have actually used such attacks to steal drones!)
• Eavesdropping on remote sensing and video streams (in real-life: American drones in Irak)
02/02/2017 JS’17, February 1-3, Sophia Antipolis5
Attacking Communications: Access and
Hijack
Drone system communication links
• Wif-Fi key uncovered through brute-force attack
• Only WEP protection
02/02/2017 JS’17, February 1-3, Sophia Antipolis6
[Rodday 2016]
Attacking Communications: Access and
Hijack
Xbee MITM Attack
• More complex bruteforcing
• Due to poor design choices (Xbee)
that reveal part of data in cleartext
02/02/2017 JS’17, February 1-3, Sophia Antipolis7
[Rodday 2016]
Approach: Cryptography
Encryption (implemented in recent communication protocols)• At link- and possibly application-level if distributed remote control
platform
• Dji proprietary protocols: Lightbridge (Phantom, Inspire 1) and Ocusync(Mavic)
• Independent academic proposals: eCLSC-TKEM [Won et al. 2015]
Authentication objectives:• Prevent replay attacks for commands
• Prevent the injection of bogus telemetry
Data Integrity:• Prevent controlled modifications of data (telemetry, video) [Marty 2014]
Problems• Protocol synchronization in noisy or jammed environments?
• Performance and cost of encryption? (especially for drone subsystems)
02/02/2017 JS’17, February 1-3, Sophia Antipolis8
DoS and interception
Jamming: force UAV to fall or return home
• Many commercial systems …
• Hackers too for Wi-Fi jamming: e.g. SkyJack
[Kamkar 2013], Wifi jamming with Raspberry Pi
+ cantenna [Chapman 2016]
• Proven attacks [Lee et al. 2016]
02/02/2017 JS’17, February 1-3, Sophia Antipolis9
DoS and interception
Radio Jamming (continued)
• FHSS resists congestion but random jammer can reduce SNR
• Still vulnerable to technical attacker: can extract FHSS hopping
sequences using SDR [Shin et al. 2015]
02/02/2017 JS’17, February 1-3, Sophia Antipolis10
FrSKY DJT Radio Telemetry (RF
module) / FlySky FHTH9XFrSKY D4R-II 4Ch Receiver
Partial sequence extraction with
GNUradio [Shin et al. 2015]
DoS and interception
Of course, many other approaches too …
• Vibrating gyroscopes with sound [Son et al. 2015]
• Capture nets
• Guns …
• Even eagles!
02/02/2017 JS’17, February 1-3, Sophia Antipolis11
Approach: Data protection + Autonomy
Data sensing: we should assume drone can be captured and encrypt data
• Potential privacy issues (victims, information leaks, …)
• Problem: PRNG for large data streams, especially with lightweight UAVs
• Also, once encrypted, data can no longer be exploited onboard for data fusion …
Autonomous behavior
• The UAV should adapt its navigation and mission in realtime in case communications are no longer possible (including if malicious denial of service)
• The UAV should also be able to trigger emergency systems to mitigate hard crashes and delete cryptographic material based on attack sensing
02/02/2017 JS’17, February 1-3, Sophia Antipolis12
Attacks over Onboard Sensors
Objective: Take control, land drone, crash drone even in autonomous mode• Location or environment sensing
• Gain scheduling [Kim et al. 2012]
GPS spoofing• [Humphreys et al. 2008] [Kerns et al.
2014]
• More recently, technology developed on simpler SDR equipment [Yuan 2015] [Marty 2014]
Optical sensors• [Davidson et al. 2016]
LIDARs, sonars• Proofs of concept for automotive cars,
drones might also be susceptible to similar attacks
02/02/2017 JS’17, February 1-3, Sophia Antipolis13
Approach: Correlated Sensing and Spoofing
Detection
Plausibility checks and anomaly/intrusion detection
• Safety purposes (failing sensors)
• Combine multiple sensors to
detect inconsistencies
• Intrusion Detection Systems [Boukhdir et al. 2015]
• Amazon patent: majority vote in a drone fleet [Amazon 2014]
Spoofing detection
• Detection approaches have been proposed for GPS
• Signal direction ([Psiaki 2013]), auxiliary peak tracking (SPREE
[Ranganathan et al. 2016]) …
02/02/2017 JS’17, February 1-3, Sophia Antipolis14
Conclusions and perspectives
Many attacks have been imagined against drones• Increasingly accessible to hackers
• Also increasingly used in the wild
Need to evolve system architecture for security• Encrypted and authenticated remote control and data storage
• Autonomy in order to complete mission
• Prevent sensor spoofing using anomaly detection and correlation
Actual usage of drones anyway will require autonomy• Complex missions, difficult contexts
• Will require specific validation: attackers might exploit autonomous behavior! How to represent and monitor behavior? [Birnbaum et al. 2015]
Fleets of drones• Specialized sensors, multiple sensing locations
• Multi-hop communications
02/02/2017 JS’17, February 1-3, Sophia Antipolis15
References
[Kim et al. 2012] Alan Kim, Brandon Wampler, James Goppert, Inseok Hwang and Hal Aldridge. Cyber Attack Vulnerabilities Analysis for Unmanned Aerial Vehicles. June 2012. American Institute of Aeronautics and Astronautics.
[Hartmann et al. 2013] Kim Hartmann and Christoph Steup. The Vulnerability of UAVs to CyberAttacks - An Approach to the Risk Assessment. 5th International Conference on Cyber Conflict, K. Podins, J. Stinissen, M. Maybaum (Eds.), 2013 © NATO CCD COE Publications, Tallinn.
[Petrovsky 2015] Oleg Petrovsky. Attack on the drones: security vulnerabilities of unmanned aerial vehicles. VB2015 (The Virus Bulletin Conference). Wednesday 30 September 2015, Prague, Czech Republic.
[Shin et al. 2015] Hocheol Shin, Kibum Choi, Youngseok Park, JaeyeongChoi, Yongdae Kim. Security Analysis of FHSS-type Drone Controller.. 16th Workshop on Information Security Applications (WISA 2015), pp. 240-253, August 20-22, 2015.
[Davidson et al. 2016] Drew Davidson, Hao Wu, Robert Jellinek, Thomas Ristenpart, Vikas Singh. Controlling UAVs with Sensor Input Spoofing Attacks. WOOT’16, 10th USENIX Workshop On Offensive Technologies, Austin, TX, August 8-9, 2016.
[Amazon 2014] Countermeasures for threats to an uncrewed autonomous vehicle. US Patent 9,524,648 B1
16 JS’17, February 1-3, Sophia Antipolis
References
[Won et al. 2015] Jongho Won, Seung-Hyun Seo, Elisa Bertino. A Secure Communication Protocol for Drones and Smart Objects. ASIA CCS’15, April 14–17, 2015, Singapore.
[Birnbaum et al. 2015] Zachary Birnbaum, Andrey Dolgikh, Victor Skormin, Edward O’Brien, Daniel Muller, Christina Stracquodaine. Unmanned Aerial Vehicle Security using Behavioral Profiling. 2015 International Conference on Unmanned Aircraft Systems (ICUAS), Denver Marriott Tech Center, Denver, Colorado, USA, June 9-12, 2015
[Boukhdir et al. 2015] K.Boukhdir, F.Marzouk, H.Medromi, S.Tallal, S.Benhadou. Secured UAV based on multi-agent systems and embedded Intrusion Detection and Prevention Systems. American Journal of Engineering Research (AJER). e-ISSN: 2320-0847 p-ISSN : 2320-0936, Volume-4, Issue-8, pp-186-190, 2015.
[Son et al. 2015] Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim. Rocking drones with intentional sound noise on gyroscopic sensors. In 24th USENIX Security Symposium (USENIX Security 15), pages 881–896, Washington, D.C., 2015. USENIX Association.
[Kamkar 2013] S. Kamkar. SkyJack. http://www.samy.pl/ skyjack, December 2013
[Rodday 2016] Nils Rodday. Hacking a Professional Drone. RSA Conference 2016. February 29 – March 4. San Francisco, USA.
[Rodday et al 2016] Nils Miro Rodday, Ricardo de O. Schmidt and Aiko Pras. Exploring Security Vulnerabilities of Unmanned Aerial Vehicles. Network Operations and Management Symposium (NOMS), 2016 IEEE/IFIP
17 JS’17, February 1-3, Sophia Antipolis
References
[Trujano et al. 2016] Fernando Trujano, Benjamin Chan, Greg Beams, Reece Rivera. Security Analysis of DJI Phantom 3 Standard. May 11, 2016
[Lee et al. 2016] Young Sil Lee, Young-Jin Kang, Sang-Gon Lee, HoonJaeLee, YoungJae Ryu. An Overview of Unmanned Aerial Vehicle: Cyber Security Perspective. Asia-pacific Proceedings of Applied Science and Engineering for Better Human Life, Vol.4 (2016) pp. 128-131.
[Samland et al. 2012] Fred Samland, Jana Fruth, Mario Hildebrandt, Tobias Hoppe, Jana Dittmann. AR.Drone: security threat analysis and exemplary attack to track persons. Proc. SPIE 8301, Intelligent Robots and Computer Vision XXIX: Algorithms and Techniques, 83010G (23 January 2012); doi: 10.1117/12.902990
[Marty 2014] Joseph A. Marty. VULNERABILITY ANALYSIS OF THE MAVLINK PROTOCOL FOR COMMAND AND CONTROL OF UNMANNED AIRCRAFT. PhD thesis. AFIT-ENG-14-M-50. AIR FORCE INSTITUTE OF TECHNOLOGY, DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY. March 2014.
[Luo 2015] Aaron Luo. Drones Hijacking - multi-dimensional attack vectors and countermeasures. DEFCON 24. August 2015, 4-7, Las Vegas.
[Hooper et al. 2016] Michael Hooper ,Yifan Tian, Runzuan Zhou, Bin Cao, Adrian P. Lauf, Lanier Watkins, William H. Robinson, Wlajimir Alexis. Securing Commercial WiFi-Based UAVs From Common Security Attacks. Military Communications Conference, MILCOM 2016 - 2016 IEEE
18 JS’17, February 1-3, Sophia Antipolis
References
[Humphreys 2008] Todd E Humphreys, Brent M Ledvina, Mark L Psiaki, Brady W O’Hanlon, Paul M Kintner Jr. Assessing the spoofing threat: Development of a portable GPS civilian spoofer. Proceedings of the ION GNSS international technical meeting of the satellite division. September 16, 2008. Vol . 55, p. 56.
[Kerns et al. 2014] Andrew J. Kerns, Daniel P. Shepard, Jahshan A. Bhatti, and Todd E. Humphreys. Unmanned Aircraft Capture and Control via GPS Spoofing. Journal of Field Robotics archive, Volume 31 Issue 4, July 2014, Pages 617-636 , John Wiley and Sons.
[Psiaki 2013] Psiaki, M.L., Powell, S.P., O'Hanlon, B.W., "GNSS Spoofing Detection using High-Frequency Antenna Motion and Carrier-Phase Data," Proceedings of the 26th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2013), Nashville, TN, September 2013, pp. 2949-2991
[Ranganathan et al. 2016] Aanjhan Ranganathan, Hildur Ólafsdóttir, SrdjanCapkun. SPREE: A Spoofing Resistant GPS Receiver. MobiCom '16 Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking. Pages 348-360. New York City, New York —October 03 - 07, 2016
[Yuan 2015] Jian Yuan. GPS Spoofing of UAV. Syscan 360 Information Security Conference. Beijing, 21.10.2015 - 22.10.2015.
19 JS’17, February 1-3, Sophia Antipolis
20
Thanks for your attention …
URSI Commission F
1 I3S – CNRS- Université de Nice, 06904 Sophia Antipolis cedex, France, [email protected]
2 Institut Mines-Telecom, Telecom ParisTech, LTCI CNRS,
06904 Sophia Antipolis cedex, France, [email protected]
3 URSI France, Commission F
Yves Roudier1, Tullio Joseph Tanzi2,3
JS’17, February 1-3, Sophia Antipolis