Johns Hopkins University engineering graduate students and their professor discovered three different ways to send rogue commands from a computer laptop and interfere with an airborne hobbyist drone’s normal operation. The hacks either force the machine to land or send it plummeting. Their research has raised concerns over the security of drones, particularly as sales have continued to rise.
The finding is important because drones, also called unmanned aerial vehicles, are flying off the shelves. From hobby drones flown for fun or aerial photography, to commercial drones used to monitor crops or deliver packages, the unmanned aerial vehicles have already found their place in the market, analysts say. The Federal Aviation Administration projected $2.5 million in sales of drones in the U.S. this year, swelling to $7 million by 2020. However, in their haste to satisfy consumer demand, drone makers may have left digital doors unlocked. “You see it with a lot of new technology,” Lanier Watkins, a senior cybersecurity research scientist who supervised the study at Johns Hopkins said in a statement. “Security is often an afterthought. The value of our work is in showing that the technology in these drones is highly vulnerable to hackers.” The students performed wireless network penetration testing on a popular hobby drone and developed ‘exploits’ from the vulnerabilities found to disrupt the process of operators to control flights. An ‘exploit,’ explained Michael Hooper, one of the student researchers in a Johns Hopkins video, “is a piece of software typically directed at a computer program or device to take advantage of a programming error or flaw in that device.” In the first successful exploit, the team attacked the drone with about 1,000 wireless connection requests, one right after another, each one asked to take control of the airborne device, overwhelming the processor and forcing the drone to land. “We determined an attacker could take over a drone, hijack it and use it in a way it’s not designed to be used,” Hooper said in the video. In a second successful hack, the team sent the drone a remarkably large data packet, exceeding the capacity of a buffer in the aircraft’s flight application. Again, this caused the drone to crash. For the third exploit, the researchers constantly sent a fake digital packet from their laptop to the drone’s on-ground controller, telling it that the packet’s sender was the drone itself. In the end, the drone’s controller started to “believe” that aircraft was indeed the sender, the researchers say. It cut off contact with the real drone, which finally led to an emergency landing. “We found three points that were actually vulnerable, and they were vulnerable in a way that we could actually build exploits for,” Watkins says. “We demonstrated here that not only could someone remotely force the drone to land, but they could also remotely crash it in their yard and just take it.” “We found three points that were actually vulnerable, and they were vulnerable in a way that we could actually build exploits for,” Watkins said in the statement. “We demonstrated here that not only could someone remotely force the drone to land, but they could also remotely crash it in their yard and just take it.” In compliance with university policy, the researchers disclosed their findings early this year to the maker of the drone they tested. However, they have not yet responded. Recently, the team has begun testing their hacking methods on higher-priced drone models to see if these devices are similarly vulnerable. “We have released two disclosures to the company stating that there are some immediate security concerns,” Watkins told Live Science. He also hopes that future drones for recreation, aerial photography, package deliveries and other commercial and public safety tasks consider the studies as a bugle call and leave the factories with improved security features on board, instead of relying on later “bug fix” updates, when it may be too late.