With more than a half million drones now flying in the U.S. skies, it’s safe to say that drone sales are soaring, but new research is raising concerns about how easily hackers could take them over.
But in order to expose hidden design flaws and to learn how hackers could send rogue commands to hobby drones, a Johns Hopkins computer security team first had to do a little hacking of their own.
Drones — or unmanned aerial vehicles (UAVs) — have become so popular that they are literally flying off the shelves, even after the Federal Aviation Administration (FAA) began requiring all drones owners to register their devices. In 2016 alone, the FAA predicts that 2.5 million hobby-type and commercial drones will be sold. And by 2030, experts predict there could be more than 7 million.
Most people buy hobby drones for recreational purposes. However, more advanced commercial drones are entering the market that can handle more challenging and demanding tasks. For example, according to Johns Hopkins’ Phil Sneiderman, farmers have begun using drones with specialized cameras to survey their fields and help determine when and where water and fertilizer should be applied. Commercial drones can also help in search and rescue missions located in challenging terrain. And some businesses, such as Amazon, are exploring the use of drones to deliver merchandise to their customers.
However, drone makers may have left a few digital doors unlocked. “You see it with a lot of new technology,” said. Lanier A. Watkins, who supervised the recent drone research at Johns Hopkins’ Homewood campus. “Security is often an afterthought. The value of our work is in showing that the technology in these drones is highly vulnerable to hackers.”
During the past school year, Watkins tasked his master’s degree students with applying what they’d learned about information security, suggesting they do wireless network penetration testing on a popular hobby drone and develop “exploits” from the vulnerabilities found to disrupt the process that enables a drone’s operator on the ground to manage its flight, Sneiderman reports.
See Also: Eagles Are Being Trained To Destroy Drones
An “exploit,” explained Michael Hooper, one of the student researchers, “is a piece of software typically directed at a computer program or device to take advantage of a programming error or flaw in that device.”
Johns Hopkins computer science graduate students and their professor discovered three security flaws in a popular hobby drone, all of which could which cause the small aircraft to make an “uncontrolled landing.” Will Kirk/Johns Hopkins University
The students first bombarded a drone with about 1,000 wireless connection requests in rapid succession, each asking for control of the airborne device, which ultimately overloaded the aircraft’s central processing unit, causing it to shut down. That sent the drone into what the team referred to as “an uncontrolled landing.” Basically, they crashed it.
The team then sent the drone an exceptionally large data packet, exceeding the capacity of a buffer in the aircraft’s flight application. Again, this caused the drone to come crashing down.
For their third try, the team sent a fake digital packet to the drone’s controller, telling it that the packet’s sender was the drone itself. This caused the drone’s controller to believe the packet sender was indeed the aircraft itself, whereby it severed its own contact resulting in an emergency landing.
“We found three points that were actually vulnerable, and they were vulnerable in a way that we could actually build exploits for,” Watkins said. “We demonstrated here that not only could someone remotely force the drone to land, but they could also remotely crash it in their yard and just take it.”
The researchers reached out to the maker of the drone that was tested, but the company has yet to respond. More recently, the researchers have begun testing higher-priced drone models to see if these devices are similarly vulnerable to hacking.
Watkins said he hopes the studies serve as a wake-up call so that future drones for recreation, aerial photography, package deliveries and other commercial and public safety tasks will leave the factories with enhanced security features already on board, instead of relying on later “bug fix” updates, when it may be too late.
The other four Johns Hopkins grad students who participated in this research with Watkins were Yifan Tian, Runzuan Zhou, Bin Cao and Wlajimir Alexis.
See Also: Dastardly Drones And The Creatures (And People) Who Hate Them
Follow us on Facebook page and Twitter