This is what researchers call an “uncontrolled landing.” (Image courtesy of Will Kirk/Johns Hopkins University.)
With sales of drones steadily increasing
, many manufacturers are jumping on the bandwagon to produce low-cost unmanned aerial vehicles (UAVs) for amateur hobbyists.
These drones, however, are often at risk from determined individuals trying to take them down. While anti-drone measures are in the works to protect the public, identifying security vulnerabilities in UAVs is often an afterthought by manufacturers and designers.
Enter a research team from Johns Hopkins University, which has endeavored to identify, test and report on these vulnerabilities in a common hobbyist-level drone.
The team of five grad students and their supervisor was able to identify three cybersecurity measures absent from the drone, and exploit them to cause it to either land or crash using the following approaches:
- By bombarding the drone with numerous wireless connection requests in rapid succession, the researchers were able to overload the drone’s CPU, causing it to shut down. This caused an “uncontrolled landing.”
- Another crash was caused by sending the drone an exceptionally large data packet, exceeding the capacity of a buffer in the aircraft's flight application.
- Lastly, the researchers repeatedly sent a fake digital packet from their laptop to the drone's controller, telling it that the packet's sender was the drone itself. Eventually, the controller identified the data as its own, breaking connection to the actual UAV. This forced an emergency landing.
Lanier A. Watkins, a senior cybersecurity researcher at the university's Whiting School of Engineering who supervised the recent drone research, noted the importance of cybersecurity in readily available UAVs.
"You see it with a lot of new technology. Security is often an afterthought. The value of our work is in showing that the technology in these drones is highly vulnerable to hackers," Watkins noted.
"We found three points that were actually vulnerable, and they were vulnerable in a way that we could actually build exploits for. We demonstrated here that not only could someone remotely force the drone to land, but they could also remotely crash it in their yard and just take it," he added.
Watkins and his team reported the findings to the manufacturer in question, and have moved on to larger and more expensive drone models, hoping to find that their security measures are vulnerability free.
Hopefully, the drones being developed for use in logistics and package deliveries will avoid these issues; otherwise, someone else may end up with your Amazon order on their lawn.