Drones: Detect, Identify, Intercept, and Hijack

Drones have become readily available and more affordable. They are quite easy to use now and gone are the days whereby stable flight relied on the dexterous skills of an experienced operator. With the addition of GPS positioning, a drone operator can program a flight path using point-and-click software and have it executed by the drone. They are capable of flying long distances, carrying multiple types of payload and return home when signal is lost, or batteries are running low. Media attention into drones and their misuse is on the increase, as is the capabilities of such drones.

Definition

The term “Drone” refers to any unmanned, remotely piloted craft, ranging from something as small as an insect to craft with a wingspan of 120m. These are not limited to air-based vehicles as there are many land and water-based drones.

In this blog post we investigate the Unmanned Aerial Vehicle (UAV) category of drones.

UAV Basics

UAVs come in various shapes and sizes which range from 2cm insect mimicking machines (e.g. Robobee [10]) to aircraft with a wingspan of up to 120m (SolarEagle [11]).

Cost of UAVs

UAVs can cost from £50 and go above £35,000,000 for military specification UAVs.  A good rule of thumb is the higher the UAV cost, the greater capabilities it will have. For UAVs with Wi-Fi, RF and GPS capabilities the cost starts at around £1,000 and increases depending on the carrying load, stabilisation hardware, flight time/range and other features.

Examples of Malicious UAV Uses

Due to the widespread availability and enhanced capabilities of UAVs, they have been used for the following malicious purposes:

• Smuggle contraband into prisons. In April 2014 a UAV was used in an attempt to smuggle drugs and energy drinks into a South Carolina correctional institute. Though this particular delivery attempt failed with the contraband tangled around a nearby power line, the director of states facilities believes other deliveries have been successful [28].
• Vandalise billboards. In May 2015 graffiti artist KATSU used a DJI Phantom UAV to spray paint a Calvin Klein billboard. Though the results were not artistically impressive, it was the first published proof-of-concept graffiti attack [23].
• Disrupt major sporting events. During the US Open in September 2016 a UAV flew around the tennis court before crashing into the seating area and disrupted the match temporarily. Elsewhere, in October 2014 during the Euro 2016 qualifiers a match between Albania and Serbia was abandoned when unknown parties flew a flag-carrying UAV into the stadium during the match. Trouble escalated when Serbia defender Stefan Mitrovic pulled down the flag, which several Albania players then attempted to retrieve and a melee then ensued. Luckily no serious injuries were reported (unlike when Enrique Iglesias grabbed a UAV during his concert and nearly lost his fingers) [25] [24] [32].
• Used by terrorist organisations for reconnaissance. ISIS has reportedly used UAVs in Raqqa in northern Syria to fly past potential targets in an effort to gather intelligence.  (ISIS) [27]
• Used by protesters to deliver radioactive material to a Japanese government building. In April 2015, a UAV with traces of radioactive material landed on the roof of Prime Minister Shinzo Abe’s office. According to the Kyodo news agency, this was to protest against the country’s nuclear energy policy [26].
• Hacking by using UAVs to hack into home Wi-Fi and corporate printers. This style of attack involves flying a UAV close to a home Wi-Fi router or corporate printers that are Wi-Fi enabled. Once in range they attempt to compromise the devices and use them for malicious purposes [21] [30].
• Arming of a UAV with a gun. Austin Haughwout, an 18-year-old engineering student from Connecticut created a video showing semi-automatic handgun mounted to a UAV and being fired in July 2015. The video has since racked up more than three million views on YouTube and sparked an FAA investigation. Haughwout first hit the headlines in May 2014 after allegedly being physically assaulted while flying a drone in the vicinity of Hammonasset Beach State Park. His alleged attacker, Andrea Mears, accused Haughwout of using his UAV to shoot photographs of girls sunbathing in bikinis before calling the police and then allegedly assaulting Haughwout.  [22] [33].

Methods of UAV Control

Bluetooth – These are short range (up to 20m) with a limited flight time and are generally classed as ‘toy’ category UAVs.

Wi-Fi – Again short range (up to 50m) with a limited flight time and are also classed as ‘toy’ category UAVs.

Radio (RF) – These operate on various frequencies (900MHz, 1.3GHz, 2.4 GHz and 5.8 GHz). The majority of commercially available UAVs operate in the 2.4GHz and 5.8GHz ranges and some use both at the same time to enable flight control and live video playback [9] and all ranges have various pros and cons [8]. Reception range is dependent on a number of factors including power, interference/obstacles etc. For the smaller recreational UAVs it is approximately 2km. However, with the right antenna and receivers, sufficient power and minimal interference it could be up to 75km [3].

3G/4G – Long range and these usually have Internet-based communications. The maximum range is only limited by UAV endurance (power resources for flight) and available mobile carrier signal.

Satellite – Long range. The maximum range is only limited by UAV endurance.

GPS – Autonomous control. The UAV operator creates and uploads flight plan which is executed by the UAV via GPS. The maximum range is only limited by UAV endurance.

Terrain – True autonomous control. The UAV operator creates and uploads flight plan which is executed by the UAV by following terrain contours and ‘clutter’ (buildings and other above ground structures e.g. trees). The maximum range is only limited by UAV endurance.

Methods of Detection

There are various methods to detect UAVs: Audio, Visual, Thermal, Radar, Radio (RF) and Wi-Fi [1].

Audio – External sounds are monitored and cross checked against a database of known UAV audio signatures. However, this method can be unreliable in a noisy environment such as urban areas and many of the higher-end UAVs are modified with custom propellers and engines which would affect their audio signature.

Visual – This form of detection utilises a camera which locates moving aerial object and attempts to differentiate between UAVs and birds based on size, flight path and style of movement.  But it has been recognised that certain key indicators of UAV flight (such as hovering) is also performed by many bird species.

Thermal – Identifies the heat signature of a UAV, but due to the construction of most UAVs in plastic, it radiates a minimal heat signature.

Radio (RF) – Detection involves the monitoring of the 2.4GHz and 5.8GHz frequencies for UAV transmissions.

Wi-Fi – Detection possible as many of the low-end commercial UAVs have identifiable SSIDs and MAC addresses which are broadcast.

Radar – Detection is not possible using standard aircraft detecting radar systems. Specialised 360-degree continuous coverage radar is able to identify very small and slow moving objects such as UAVs, and using advanced signal processing techniques can differentiate between birds and UAVs [6].

UAV Countermeasures

There are many documented methods to disable, disrupt or hijack UAVs ranging from physical to digital attacks.

Ballistic – Disabling of a UAV using a projectile e.g. Paintball gun, shotgun, catapult and net guns.

Laser – High powered laser to melt UAV components [5].

Jamming – Multiple methods are available to jam directional instructions or positional data being received by the UAV. Most jamming devices have a limited range (under 30m), however military equipment is capable of jamming large areas of RF, 3G/4G, Wi-Fi and GPS. For example, in 2012 North Korea interfered with the GPS reception of South Korea [4]

Microwave Cannon – Produces a focused beam of energy designed to disrupt/destroy internal components [31].

Sound – The use of certain frequencies of sound to disrupt the internal workings of a UAV [14]

Animal – UAVs have been targeted by birds of prey (though it is understood that the bird in question was operating under its own agenda opposed to acting on behalf of a handler).

Predator UAVs – Specially designed UAVs which interfere with the Wi-Fi communications, launch/carry nets, or use kamikaze tactics to disable other UAVs by crashing into them.

Water – US fire departments have reportedly used hoses on UAVs that have been flying around incidents they have attended.

Hijacking – Wi-Fi hijacking has been proved successful through the use of de-authentication attacks which break to communications between the UAV and controller and establishes a new connection with the attacker. Many of the low-end ‘toy’ UAVs have no security on the Wi-Fi connection and consequently any ‘client’ can connect to the UAV. SkyJack is a program which detects Parrot AR UAVs, deactivates any clients connected to UAV and then connects to the now free Parrot AR UAV as its owner [15]. The ECU Security Research Institute performed similar tests on a Parrot AR UAV [17]. More recently a new attack has been partially documented. This involved remotely installing malware on a flying UAV and hijacking the operations [16]. It appears that a SkyJack type program is used to connect to the UAV and the controlling flight program is killed and replaced with the malware. Communications between a UAV controller and a satellite have been hijacked using SkyGrabber [18]. In 2009 Iraqi insurgents reportedly used this software to download feeds from US UAVs [19].

Spoofing – RF or GPS spoofing techniques can be used to relay false information to a UAV. In December 2011 Iran claimed to have obtained a US UAV by disrupting satellite communications and transmitted false GPS data to get the UAV to land in Iran [13]. The University of Texas conducted a GPS spoofing attack on a UAV form a distance of 600m (University of Texas). Alvaro Reyes reverse engineered a Proto X UAV and its RF communication protocols. He designed a program which would scan all channels until it found the transmissions of a Proto X UAV. From that point the program is able to extract the device ID and inject malicious commands [7].

Cloud-Based Attacks – A suite of cloud-based control software is available which allows commercial UAV companies to manage fleets of UAVs. It is possible that the cloud based technology is vulnerable to attacks which would allow a malicious person to assume control of fleets of UAVs.

Client-Based Attacks – The software provided by UAV manufacturers is rarely security hardened and it has been discovered that by reverse engineering the client-side applications vulnerabilities in the communications can be found.

References

1. DroneLab – http://www.net-security.org/article.php?id=2297 p=1
2. Drone Survival Guide  – http://www.dronesurvivalguide.org/
3. FPV Calculator – http://www.fpvhobby.com/fpv12.htm
4. GPS Jamming – http://arstechnica.com/information-technology/2012/05/north-korea-pumps-up-the-gps-jamming-in-week-long-attack/
5. UAV Laser countermeasures – http://www.wired.com/2015/08/welcome-world-drone-killing-laser-cannon/
6. Plextex – http://www.plextek.com/about-us/press/press-releases/745-press-article-59.html
7. Protox – https://github.com/alvarop/protox
8. RC Explorer – http://rcexplorer.se/educational/2009/09/fpv-starting-guide/
9. FPV Starting Guide – http://rcexplorer.se/educational/2009/09/fpv-starting-guide/
10. Robobee – http://robobees.seas.harvard.edu/
11. SolarEagle – http://boeing.mediaroom.com/2010-09-16-Boeing-Wins-DARPA-Vulture-II-Program
12. University of Texas – http://gpsworld.com/drone-hack/
13. Iran captures US Drone – https://en.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident
14. Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors – https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-son-updated.pdf
15. Skyjack – https://github.com/samyk/skyjack
16. MalDrone – http://garage4hackers.com/entry.php?b=3105
17. Towards Detection and Control of Civilian Unmanned Aerial Vehicles – https://www.ecu.edu.au/__data/assets/pdf_file/0011/583049/35_IWAR_Peacock_Towards-Detection-and-Control-of-Civilian-Unmanned-Aerial-Vehicles.pdf
18. SkyGrabber – http://blog.taragana.com/index.php/archive/us-drones-hacked-via-skygrabber/
19. U.S. Drones Hacked via SkyGrabber – http://tech.gaeatimes.com/index.php/archive/us-drones-hacked-via-skygrabber/
20. Kelvin Hughes UAV detection – https://www.kelvinhughes.com/security/uav-drone-detection
21. SkyNET – https://www.usenix.org/legacy/event/woot11/tech/final_files/Reed.pdf
22. Arming a UAV –  http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11754428/Handgun-mounted-on-drone-fires-in-mid-air-in-Connecticut-park.html
23. Graffiti by UAV- http://gizmodo.com/drone-vandalism-is-now-a-thing-1703483667
24. Euro 2016 Drone – http://www.bbc.co.uk/sport/0/football/29624259
25. US Open Drone – http://edition.cnn.com/2015/09/04/us/us-open-tennis-drone-arrest/
26. Transporting Radio Active Material – http://edition.cnn.com/2015/04/24/asia/japan-prime-minister-radioaction-drone-arrest/
27. Drone use by ISIS – http://www.vocativ.com/world/syria-world/new-video-shows-isis-using-drones-plan-battles/
28. Contraband smuggling – http://www.nytimes.com/2015/04/23/us/drones-smuggle-contraband-over-prison-walls.html?_r=1
29. HAK5 Drones Hacking Drones –  https://www.youtube.com/watch?v=xKfY0PmKDRE
30. Drone hacking printers – http://www.wired.com/2015/10/drones-robot-vacuums-can-spy-office-printer/
31. Anti-Drone Microwave Gun – http://www.popularmechanics.com/military/weapons/a16044/russian-anti-drone-microwave-gun/
32. Drone at Concert – http://www.theguardian.com/music/2015/jun/03/drone-injury-grounds-enrique-iglesias-for-longer-than-expected
33. Assault of Drone Operator – http://petapixel.com/2015/03/09/woman-who-attacked-drone-photographer-for-being-a-pervert-may-have-charges-dropped/

Published date:  02 December 2015

Written by:  Mike Richardson