Researcher Develops First Drone Malware

Small unmanned aerial vehicles (UAVs), often referred to collectively as “drones,” are all the rage right now. From delivering packages for Amazon to crashing on the White House lawn, it seems every week there is some new debate about the usefulness and potential danger of the widespread availability of what was once a technology limited primarily to the military.

Questions as to the safety and security of what essentially boils down to a flying computer are unlikely to abate with the news that security researcher Rahul Sasi has developed what he claims to be the world’s first drone malware: Maldrone.

 

Maldrone

The full details of Sasi’s research won’t be revealed until nullcon in February, but he’s already put a demonstration video up on YouTube and described the general idea on his blog. While there are still some unanswered questions, what Sasi has already shown is enough to call into question how secure some of these consumer-level “drones” really are.

For his research, Sasi targeted the AR.Drone, manufactured by Parrot, a Linux-powered drone that users can control with their smartphone or tablet over WiFi. In his demonstration, Sasi shows a Python script (drone_expoit.py) which uploads a payload to the AR.Drone over the local WiFi network, to which the drone responds a few seconds later with a reverse shell connection.

Sasi’s software then demonstrates running some standard Linux commands on the drone’s onboard computer, which in this case simply returns the version of Linux it’s running, but could just as easily report data from the drone’s sensors back to the attacker. Finally, the malware shuts off the drone’s autopilot system, causing it to drop out of the sky like a brick.

This demonstration is simply a teaser for Sasi’s larger reveal, but it proves there is real potential to turn these drones against their masters. With the number of sensors onboard these vehicles (GPS, camera, WiFi radio, etc.), they could be used for remote surveillance without the legitimate operator’s knowledge, or simply stolen from the owner by commanding the drone to fly back to the attacker’s location.

One big issue not fully addressed in the demonstration video or the accompanying blog post is whether this exploit can be performed remotely on a stock-firmware AR.Drone, or if the drone in the demonstration has already been compromised by way of a modified firmware. Obviously, the attack is much more potent if it works on the out-of-the-box drone, so the answer to that question will go a long way to prove Maldrone as a valid threat.

 

Picking on Parrots

Parrot’s AR.Drone line is no stranger to security audits. In 2013, Parrot’s AR.Drone 2 (an enhanced version of the one Sasi is working with) was used in Samy Kamkar’s SkyJack. Kamkar strapped a Raspberry Pi and an Alfa AWUS036H onto the AR.Drone 2; loaded with his software, it was able to knock other drone operators off of the WiFi network. With the legitimate user’s smartphone or tablet off the network, SkyJack was able to establish a new connection and remotely command the drone.

The reason the AR.Drone has been targeted in both of these demonstrations is pretty simple: rather than using a custom radio communication protocol like more advanced remote controlled vehicles, Parrot chose to simply go with standard WiFi. This means the AR.Drone is susceptible to a lot of the traditional WiFi tools and exploits, making it a much easier target. That also means that security vulnerabilities in the AR.Drone’s control systems aren’t necessarily indicative of problems with drone technology in general.

That said, increased scrutiny of drone security is coming. The impressive computational power and suite of sensors required to keep one of these vehicles in the air are simply too tempting a target to be ignored for long, especially as commercialized drone services (such as package delivery) start becoming mainstream.
