05 December 2013 | Written by  BBC |

Drones 'vulnerable to flying hack'

 

 

 

 

A security researcher has created a flying contraption that he says can hijack control of other flying drones made by one of the industry's leading manufacturers, Parrot.

Samy Kamkar said he was able to achieve the feat because the company's products do not support a way of encrypting or authenticating the wi-fi data they use.

The BBC understands that the company is looking into the allegation.

Other experts said Parrot appeared to have ignored well-known guidelines.

However, they played down Mr Kamkar's suggestion that the technique might one day be adapted to hijack drones used by Amazon and others.

A spokesman for Parrot said he was unable to comment yet.

Mr Kamkar has previously made a name for himself by developing malware that exposed a flaw in the MySpace social network and for revealing that several smartphones were sending back location data identifying their owners' movements to the makers of their operating systems.

"I think it's critical that drones have some additional protection," he told the BBC.

"While the drones I'm demonstrating this attack on are consumer-based, they're still flying unmanned-vehicles, and the fact that they're this easy to take over is scary, especially when they will be much more ubiquitous soon."

'Design blunder'

In his latest blog - entitled Skyjack - he reveals how he combined a Parrot Drone with a Raspberry Pi computer, a wi-fi transmitter, a battery pack, existing hacking software and his own code.

"The Parrots actually launch their own wireless network which is how the owner of the drone connects," he explained.

"We take over by deauthenticating the owner, then connecting now that the drone is waiting for its owner to connect back in, exploiting the fact that we destroyed their wireless connection."

He said that the hack took advantage of the fact that Parrot's drones used a specific block of publicly registered MAC addresses to identify themselves, meaning the attack drone could pick them out from other wi-fi connected equipment in the area.

Mr Kamkar added that the SkyJack technique could also be run from computer equipment on the ground to hijack Parrot drones flying overhead.

"This appears to be a basic design blunder," Prof Ross Anderson, head of the University of Cambridge's computer security research group, told the BBC.

He explained Parrot had two easily implemented options to prevent the hack:

Use a secret key, shared by the controller and the drone, to authenticate each command message sent to the drone

Encrypt the data sent between the machines, which has the added benefit of ensuring the content of any message remains private

Parrot targets its drones at enthusiasts who want to take videos or photos from above, controlling the devices via their smartphones or tablets.

The firm's latest model can fly at up to 40km/h (25mph) and at altitudes of 165m (540ft).

The news site Ars Technica has highlighted the fact that at least half a million Parrot drones have been sold since 2010.

Delivery drones

Mr Kamkar's blog appears to have been inspired by Amazon's announcement that it is carrying out tests of drone-based deliveries.

"How fun would it be to take over drones, carrying Amazon packages… or take over any other drones, and make them my little zombie drones?" Mr Kamkar wrote.

Package service UPS and Domino's Pizza are among other companies to have declared they are investigating a similar use of the technology.

However, one security consultant suggested such firms would be unlikely to ignore security guidelines if they ever brought their products to market.

"Both the ISO27001 and PCI DSS voluntary best practice standards state that any management traffic must be authenticated and encrypted," said Vladimir Jirasek from Jirasek Consulting Services.

"If Parrot is not following good practice this could lead to security incident, potentially followed by an accident. Imagine a drone disturbing traffic on a motorway.

"But I do not think Amazon would be lax in its security measures."