Scientists expose security flaws in drones

In an attempt to drive home the point to drone manufacturers that security should not be an afterthought, researchers at Johns Hopkins University demonstrated how they could use a laptop to easily take down a commercially available drone.

mit rfid

Security flaws cause drones to crash land.
(Credit: Will Kirk/Johns Hopkins University)

In one of the scenarios, they used a laptop to send thousands of processing requests to the drone, overwhelming the processor and causing the drone to crash. In so doing, they demonstrated how someone who wanted to hijack a drone could easily do so – their tests were conducted on a popular drone sold in retail stores.

Researchers say the finding is important because drones, otherwise known as unmanned aerial vehicles (UAVs), have become so popular that they're literally flying off store shelves. A Fortune report said drone sales have tripled in the past year. The Federal Aviation Administration predicts that 2.5 million hobby-type and commercial drones will be sold in 2016.

Drones are expected to play an increasing role in wireless in 5G, but they're already the source of LTE tests and trials with wireless operators and their vendors. Some operators use drones to remotely check on the condition of towers.

The Johns Hopkins researchers say that drone manufacturers, however, are not paying enough attention to security. "You see it with a lot of new technology," said Lanier A. Watkins, who supervised the drone research at JHU's Homewood campus, in a press release. "Security is often an afterthought. The value of our work is in showing that the technology in these drones is highly vulnerable to hackers."

During the past school year, Watkins' graduate students were required to apply what they'd learned about information security by completing a capstone project. Watkins suggested they do wireless network penetration testing on a popular hobby drone and develop "exploits" from the vulnerabilities found to disrupt the process that enables a drone's operator on the ground to manage its flight.

"We found three points that were actually vulnerable, and they were vulnerable in a way that we could actually build exploits for," Watkins said. "We demonstrated here that not only could someone remotely force the drone to land, but they could also remotely crash it in their yard and just take it."

Per university policy, the researchers described their drone exploit findings in a Vulnerability Disclosure Package and sent it early this year to the maker of the drone that was tested; the press release did not identify the drone maker but said that by the end of May, the company had not responded to the findings. More recently, the researchers have begun testing higher-priced drone models to see if such devices are similarly vulnerable to hacking.

Watkins said he hopes the studies serve as a wake-up call so that future drones for recreation, aerial photography, package deliveries and other commercial and public safety tasks will leave the factories with enhanced security features already on board, instead of relying on later "bug fix" updates, when it may be too late.

For more:
- see this JHU post

Related articles:
Qualcomm gets OK to test drones in Class B airspace at its San Diego campus
AT&T, Intel agree to test drones on LTE network
Intel goes big on drones with another acquisition, collision-dodging CES demos