A security researcher has devised a method of hijacking a wide variety of radio- controlled airplanes, helicopters, cars, boats and other devices that use a popular wireless transmission technology.
The attack was developed by Jonathan Andersson, manager of the Advanced Security Research Group at Trend Micro DVLabs, and targets a “wideband, frequency-agile 2.4GHz signal protocol” called DSMx. This protocol is used in radio-control (R/C) toys, including in drones, that are owned by millions of users.
Andersson’s attack exploits weaknesses in DSMx and was presented in detail Wednesday at the PacSec security conference in Tokyo. The researcher built a device that he dubbed Icarus, using off-the-shelf electronic components and software-defined radio (SDR). With it, he can take over the control of drones or other R/C devices and lock out their real owners in seconds.
The hijacking is possible because the various bits of secret information needed to pair a remote transmitter to a DSMx receiver can be extracted from the protocol or can be brute-forced, the researcher explained in his presentation. Furthermore, a timing vulnerability allows sending control packets before the legitimate transmitter, causing the receiver to ignore the latter.
Horizon Hobby, a global distributor and manufacturer of R/C products headquartered in Champaign, Illinois, which developed the DSMx technology, did not immediately respond to a request for comment.
Hobbyist R/C airplanes, helicopters and other flying drones are increasingly causing problems for manned aircraft and even for home owners who feel that their privacy is being invaded when these devices are flown close to their private property. There are certain no-fly areas for drones, for example near airports, but some users ignore these restrictions.
The rising number of drone sightings in no-fly areas and of near-miss incidents between drones and manned aircraft have led regulators in the U.S. and Europe to consider legislation that would restrict the use of such devices. It has also led to the development of commercial solutions for disabling in-flight drones. There have even been reports of people, including police, shooting down drones.
Hijacking drones and landing them safely instead of shooting them down and damaging them is a more elegant solution and could make possible trespassing investigations easier. Andersson noted in his presentation that his technique can also be used to passively monitor areas for unwanted drone activity and to record unique drone IDs that could later be used to identify their owners.