Hijacked Drones: Not Even Law Enforcement is Safe from Commjacking

Dror Liwer Blog

Law enforcement agencies are increasingly using drones for surveillance, but a new discovery shows that police will also have to keep an eye out for commjackers.

IBM researcher Nils Rodday demonstrated at the RSA Conference in March that he can commjack security drones from a mile away. He took control of a $30,000 professional-grade quadcopter by exploiting an unencrypted on-board chip.

Add drones to the list of devices that can be commjacked: Personal devices such as smartphones and laptops, cars, airplanes and even children’s toys are all vulnerable. Rodday showed that no matter the technology, with the right tools just about anyone can find vulnerabilities in a wireless device and thus intercept and manipulate its transmissions.

The dangers of commjacking have prompted individuals and organizations to reconsider how they use smartphones, tablets and laptops on WiFi networks at cafes, libraries, hotels and other public places – not to mention cellular networks. Now, law enforcement agencies will similarly have to worry about their expensive security drones being commjacked and taken out of the sky by only a single keystroke.

Tapping Outdated WEP to Commjack

As International Business Tribune described, Rodday used $40 worth of hardware on an Android tablet app to take control of the $30,000 security drone. He exploited the way the drone communicates with the app.

Because the tablet doesn’t have the XBee ZigBee RF chip that is on the drone, an intermediary telemetry relay box serves as a go-between, passing the radio signals it picks up from the drone to the tablet via WiFi.

XBee chips support encryption, but that function is not activated on drones because it affects their performance. The WiFi part of the connection is secured at altitudes lower than 328 feet, but the protection is provided by the Wired Equivalent Privacy (WEP) security protocol, which was originally designed for wireless local area networks.

WEP stopped being used as a security standard in 2004 because it’s not secure, and most WiFi networks nowadays are instead secured using the WiFi Protected Access (WPA) protocol. But because the drone relies on WEP and not the encryption found on the XBee, it’s quite easy, as Rodday showed, to perform a man-in-the-middle attack and inject commands between the drone and the telemetry box.
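The injection described above succeeds because the receiving side has no way to tell an operator's command from someone else's. As an added illustration (not from the original post, Rodday's research or the drone vendor; the frame layout, key and command strings are hypothetical), this sketch shows a receiver that rejects modified, forged and replayed command frames by checking a keyed MAC and a strictly increasing counter. It provides authentication only, not confidentiality.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag length; an assumption of this sketch


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Operator side: frame = 8-byte big-endian counter || command || tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class Receiver:
    """Drone side: accept a frame only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to hold a counter and a tag
        header, command, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit or sent without the shared key
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None  # a previously seen frame sent again
        self.last_counter = counter
        return command


def demo():
    key = b"constructed-demo-key-0123456789ab"  # constructed sample key
    drone = Receiver(key)
    good = seal(key, 1, b"SET_HOME 52.0000,4.0000")  # hypothetical command
    tampered = good[:8] + b"SET_HOME 00.0000,0.0000" + good[-TAG_LEN:]
    forged = seal(b"some-other-key", 2, b"LAND")  # sender lacks the real key
    return {
        "legitimate": drone.accept(good),
        "tampered": drone.accept(tampered),
        "forged": drone.accept(forged),
        "replayed": drone.accept(good),
    }


if __name__ == "__main__":
    print(demo())
```
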

Expensive Equipment at Risk

A commjacker who can reverse-engineer the drone’s flight software can impersonate the controller and send navigation commands, while blocking all commands from the drone’s legitimate operator.

“You can inject packets and alter waypoints, change data on the flight computer, set a different coming home position,” Rodday told Wired. “Everything the original operator can do, you can do as well.”

Rodday got help with his experiment: The drone manufacturer loaned the quadcopter for testing as long as its name was not disclosed. According to International Business Tribune, the manufacturer is evaluating how best to close the security gap to prevent commjackings.

Law enforcement agencies will certainly hope for a quick security fix on the unnamed drone and other drones. For that matter, all WiFi- and cellular-network technologies used by police are at risk of commjacking, and that’s a sober reality for those who serve and protect the public.

With the help of security solutions like CoroNet, however, law enforcement agencies can at least protect their laptops, tablets and smartphones from commjackers while waiting for a fix to the drone security gap.