Dronejacking – a disaster waiting to happen.

Last year, customers of Amazon in Cambridge began signing up for a novel delivery option.  A 25kg drone, which is able to fly up to 10 miles gripping a book-sized package underneath, took just 13 minutes to fly from the warehouse nearby, landing briefly to drop the order on a delivery mat marked with the distributor’s single-letter logo in the customer’s rear garden.

Amazon plans to slowly roll out the service if the limited trial proves successful, aware that regulatory restrictions over flying robot couriers could prove to be a major obstacle. Aviation authorities are concerned about the safety aspects of unattended, battery-powered robot aircraft routinely zipping around the skies. In the UK, drones cannot fly legally out of sight of their operator or close to buildings without a special licence, but drone delivery may have another problem. The package may never reach its intended destination, with the drone itself becoming part of a criminal or even a terrorist network.

In the McAfee Labs 2017 Threats Prediction report published at the end of 2016, Intel cyber-security and privacy director Bruce Snell predicted drone hijacking will become a practical reality in the coming months. He argues that 2017 will see the availability of hacking toolkits: prepackaged software and code to make hijacking easy. As a result, he speculates that 2017 is the year that we will start to see stories of commercial drones being taken out of the sky not by shotguns or birds of prey but by software.

Snell sees a key risk emerging for delivery companies if drone-transported stock is stolen. Criminals may simply steal expensive camera equipment from drones used to capture video and take high-quality photos of the Earth underneath.

But this isn’t the most important problem, according to Cesare Garlati, chief security strategist for the pprl Foundation, which develops open-source embedded software. He believes the real threat from dronejacking comes from the scale at which drones could conceivably be hijacked – and the possibilities for terrorism.

Garlati cites the Mirai botnet, the malware that last year managed to take down large swathes of the internet by targeting the major services like Twitter and Netflix. It quickly emerged that the huge distributed denial of service (DDoS) attack wasn’t the result of thousands of personal computers working together, the usual weapons of choice for these activitites. They were instead, armies of home security cameras and internet routers.

Garlati sees drones as potentially suffering from the same problem, as there are now thousands of devices out in the wild running insecure firmware. But instead of being used to attack cyberspace, they can be let loose on the physical world.

Sure, consumer drones are just toys – but en masse they could represent a different level of threat. “BB guns are toys,” Garlati says. “You don’t die if someone shoots at you with a BB gun. But now if they shoot at you with a thousand BB guns you’re going to be in big trouble.”

He suggests that a nightmare scenario might be something like an intentional version of what happened with the ‘Miracle on the Hudson’. In the 2009 incident, which was dramatised in the film ‘Sully’, an Airbus A320 leaving LaGuardia airport in New York City was struck by a flock of birds, which caused the engines to lose power. Captain Sullenberger avoided disaster by landing the aircraft on the Hudson River. What if, the implication is, a swarm of consumer drones could be deliberately piloted to cause the same sorts of collisions?

So how to actually take control of a drone? One technique is to fool the onboard navigation system. When the Iranian government took control of a US military drone in 2011, some engineers thought it was done by GPS spoofing. The signals from the orbiting network of satellites are comparatively weak and are easily masked by a local transmitter. US military experts discounted the possibility of GPS hacking alone being responsible for the capture. Since the invention of cruise missiles, military avionics designers have favoured inertial guidance systems with GPS used as a backup, because the internal accelerometers and gyroscopes are less vulnerable to electronic attack.

For a commercial hacker, GPS spoofing is likely to be overkill. Hackers can take direct control of many consumer drones with disturbing ease. The reason is simple: it’s because, like the devices attacked by Mirai, many have with pretty lax security. Many consumer drones use Wi-Fi to communicate with the pilot’s controls. Often they use easily cracked protocols such as WEP, or in some cases, no encryption at all.

No encryption might sound crazy, but this is something even military and law-​enforcement agencies have neglected. Last year IBM security consultant Nils Rodday  was able to demonstrate how a £27,000 drone used by police could be compromised with hardware costing just £30. It did this by targeting the on-board Xbee chip which is found in many drones, and intercepting packets of data sent by the Android app that controls it.

Security researcher Jonathan Andersson has already shown that dronejacking kits are feasible. He created a pocket-sized device he calls Icarus after the mythical ancient Greek figure who lost his wings by flying too close to the sun. This is essentially an all-in-one toolkit that will analyse the wireless signals looking for telltale data packets. Using this data it will figure out how to break in using a brute force hack and will then take control.

Samy Kamkar, though, perhaps takes the crown as the most ingenius drone hacker so far. He has built a similar device – using a Raspberry Pi mini-computer powered by a USB battery pack, and has attached it to a drone of his own. The Skyjack drone, as Kamkar has dubbed it, is capable of patrolling the skies sniffing out other drones  and then hacking into them to take control.

Skyjack looks for drones that Wi-Fi identification numbers that correspond with those owned by Parrot, one of the largest manufacturers of drones. In common with other network protocols such as Ethernet, Wi-Fi devices send messages to each other using their media access control (MAC) address. These need to be unique, so manufacturers of network hardware are assigned blocks of addresses that they then put into their products. Hackers can easily identify the manufacturer by the first couple of characters in the address.

Kamkar’s drone can connect to multiple other UAVs simultaneously, and he can pilot them or he can just view the camera live by connecting through his own phone or tablet. It is easy to see how such technology could be used to summon a drone swarm for launching attacks of the type described by Garlati .

How can the industry deal with the problem? “It’s not a simple question”, says Intel Security CTO Raj Samani, owing to the different forces that influence drone production. For the smallest, cheapest drones, where consumers are presumably likely to be most price-conscious, he wonders whether they are going to consider security if it adds to the bottom line.

Samani does, however, suggest some things that could be done: having an approved and agreed communications standard, encrypting the signal and using stronger authentication. The last point is especially important. The drone software should verify the source of the commands it is receiving and reject those coming from unapproved transmitters. Drone software could also build in measures to automatically detect common attacks such as replay attacks, which use the same principles as a DDoS attack to bombard the target device with commands in order to disrupt or gain entry.

“These are simple principles that we’ve been doing for years in computing. I don’t see why having these devices flying over our heads should be any different,” Raj says.

One obvious question is that of regulation: is it time for the government to step in and set the rules? Garlati believes this could be a mixed blessing. “Be careful what you wish for,” he warns. “Their role is to establish rules, put stakes in the ground, so that the end result is that when a regulator comes in, innovation suffers.”

Garlati says regulators can be counter­productive to effective security. To explain, he gives the example of the US Federal Communications Commission (FCC) approach to Wi-Fi routers. Installing custom firmware on routers was becoming increasingly common, as it enabled users to use wireless channels that were forbidden in the US. The result was less congested airspace, and thus faster Wi-Fi at the cost of interference with users of other services in the adjacent channels. To counter this trend, the FCC effectively mandated that router firmware should be locked down, so that new software could not be installed. But this creates an obvious problem: no software is perfect, so removing the ability to install updates through official channels ends up leaving the locked down routers vulnerable to malware and attack.

With respect to drones, Garlati argues everyone should be responsible for ensuring they are secure – including industry, government and individuals. “The end user should refuse to buy a product that refuses to add some minimum security posture”, he says. “Food is not much different. You can buy any kind of junk food but at least you get a [nutritional] label on the box.”

Unfortunately though, to a certain extent this conversation may be happening too late. “This isn’t discussing the future, this is happening today,” Cesare warns.

Raj says similar. “We can replace drones with connected cars, slow cookers and ovens. All of these smart devices that are coming out… is anyone ever updating them?” he asks. “That’s a bigger challenge that we face. There just isn’t the incentive for people to go out and install firmware updates [on a system] that seems to be working.”

Without people paying more attention to how their drones could be taken over, they may become very unfriendly skies.