
Photo caption: A DJI Mavic 2 Pro and a DJI Mavic Mini, made by the Chinese drone maker, fly near each other in this photo illustration taken on 15 December 2021 in Miami, Florida. (Photo by Joe Raedle/Getty Images)

Flight Path Compromised: New Research Reveals Drone Vulnerability

What if you could physically manipulate a high-quality drone to corrupt its memory, gain control of it, and potentially leak its data?

Security research firm IOActive put that theory to the test earlier this year when it conducted an experiment on DJI’s Mavic Pro that was detailed in a whitepaper published Monday.

DJI Technology is a Chinese technology company headquartered in Shenzhen, Guangdong, whose drone sales make up 70 percent of the market, according to analysis from CNBC. DJI’s Mavic Pro series is one of the most popular commercially available drone models and is regularly available for second-hand sale online.

Gabriel Gonzalez, director of hardware security at IOActive, says DJI’s presence in the drone marketplace and its emphasis on security features for its products is one of the reasons they chose the Mavic Pro as their test subject.

“These are not cheap drones,” Gonzalez adds. DJI “invests heavily in security; their firmware is encrypted and signed. They have a trusted execution environment. They’re not an easy target.”

The Tests

About one year ago, Gonzalez selected DJI’s Mavic Pro for an experiment to see if he could achieve code execution on the drone using publicly disclosed vulnerabilities and non-invasive techniques. These techniques would include electromagnetic (EM) side-channel attacks and EM fault injection (EMFI).

  • Side-channel attacks: “A security exploit that aims to gather information from or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware, rather than targeting the program or its code directly,” according to TechTarget.

  • EMFI: “Enables an adversary to inject errors on a circuit to gain knowledge of sensitive information or to bypass security features,” according to a paper published by the International Association for Cryptographic Research.

The side-channel approach. IOActive purchased the FI/Side-Channel Analysis (SCA) suite from Riscure. The researchers then set up their equipment to try to retrieve the drone’s encryption key and decrypt its firmware. They removed the drone’s printed circuit board (PCB) and identified an area of the board emitting a strong electromagnetic signal that could be probed to record traces from which the key used to decrypt the firmware might be extracted.

“After several days of testing and data analysis, we found that the probability of successful signature bypass was less than 0.5 percent,” according to a blog post from Gonzalez. “This rendered key recovery unfeasible, since it would have required us to collect tens of thousands of traces.”

The EMFI approach. After the side-channel attack, the IOActive researchers decided to attempt an EMFI-based approach using a process originally published by Riscure. They collected their equipment—a laptop (used as a controller), a power supply, Riscure’s Spider (a device used to generate a trigger), an oscilloscope (a device to view varying electrical voltages), an XYZ table (a table designed to hold machinery), and the EMFI pulse-generator.

The IOActive researchers then used these tools to create a glitch on the PCB, refine that glitch, and cause memory corruption. In short, the exploit was successful.

“Having achieved this result, the next step would be to write a proper payload that turns this memory corruption into a code execution exploit,” according to the whitepaper. “This could allow an attacker to fully control one device, leak all of its sensitive content, enable [Android Debug Bridge] access, and potentially leak the encryption keys.”

This exploit does require physical access to the drone—meaning a threat actor would need to have the drone in their possession and time to conduct the exploit.

“It’s not the same as finding a remote vulnerability, but it is the initial first step to getting there,” Gonzalez says.

Next Steps

To address the vulnerability that the researchers identified, Gonzalez recommended product developers implement EMFI countermeasures in their products.

“Hardware countermeasures are very efficient at preventing EMFI attacks, but could be expensive and must be planned during the early design stages,” the whitepaper explained. “Software countermeasures, on the other hand, can be added during the final stages of development, but might be less effective in mitigating certain attacks.”
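The whitepaper does not spell out which software countermeasures it has in mind, so the following is an added illustration, not DJI’s or IOActive’s code, of the kind of glitch-hardening a firmware developer can retrofit late in development. The signature check is a stand-in (a constant-time digest comparison, hypothetical) for the real verification primitive; the hardening around it is the point: result sentinels that are 32 bit-flips apart instead of 0/1, a duplicated check whose two results must agree, a loop counter that detects a skipped step, and `volatile` storage so the compiler cannot fold the redundancy away.

```c
/* Added example: software fault-injection countermeasures around a
 * firmware verification step. Illustrative only; the digest comparison
 * stands in for a real signature verifier (hypothetical). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Result sentinels chosen so that every bit differs: a single glitched
 * register bit, or a register forced to zero, can never turn FAIL into
 * PASS. A plain bool (0 vs 1) is one bit-flip away from success. */
#define VERIFY_PASS 0xA5C3A5C3u
#define VERIFY_FAIL 0x5A3C5A3Cu

/* Constructed sample "digests" standing in for signature material. */
const uint8_t SAMPLE_DIGEST[8]     = {0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
const uint8_t SAMPLE_BAD_DIGEST[8] = {0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x89};

/* Naive pattern: returns 0/1 and is decided by one branch. */
bool verify_firmware_naive(const uint8_t *got, const uint8_t *want, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (got[i] != want[i]) return false;
    return true;
}

/* Constant-time comparison returning a sentinel rather than a bool. */
static uint32_t check_digest(const uint8_t *got, const uint8_t *want, size_t n)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(got[i] ^ want[i]);
    return diff == 0 ? VERIFY_PASS : VERIFY_FAIL;
}

/* Hardened pattern: run the check twice, require both results to agree,
 * confirm via a counter that neither run was skipped, and test the
 * result against PASS in two differently shaped comparisons. Any
 * inconsistency is treated as tampering and yields FAIL. */
uint32_t verify_firmware_hardened(const uint8_t *got, const uint8_t *want, size_t n)
{
    volatile uint32_t r1 = VERIFY_FAIL;   /* default to FAIL: a skipped   */
    volatile uint32_t r2 = VERIFY_FAIL;   /* assignment cannot grant PASS */
    volatile unsigned rounds = 0;

    r1 = check_digest(got, want, n);
    rounds++;
    r2 = check_digest(got, want, n);
    rounds++;

    if (rounds != 2u)                 return VERIFY_FAIL; /* a step was skipped */
    if (r1 != r2)                     return VERIFY_FAIL; /* runs disagree      */
    if (r1 != VERIFY_PASS)            return VERIFY_FAIL;
    if ((r2 ^ VERIFY_PASS) != 0u)     return VERIFY_FAIL; /* second-shape test  */
    return VERIFY_PASS;
}

/* Number of bit flips needed to turn FAIL into PASS: 32 for the sentinels
 * above, versus 1 for a bool. This is the property the sentinels buy. */
unsigned sentinel_bit_distance(void)
{
    uint32_t x = VERIFY_PASS ^ VERIFY_FAIL;
    unsigned count = 0;
    while (x) { count += x & 1u; x >>= 1; }
    return count;
}

int main(void)
{
    printf("FAIL->PASS bit distance: %u (bool: 1)\n", sentinel_bit_distance());
    printf("good image: %s\n",
           verify_firmware_hardened(SAMPLE_DIGEST, SAMPLE_DIGEST, 8) == VERIFY_PASS ? "PASS" : "FAIL");
    printf("tampered image: %s\n",
           verify_firmware_hardened(SAMPLE_DIGEST, SAMPLE_BAD_DIGEST, 8) == VERIFY_PASS ? "PASS" : "FAIL");
    return 0;
}
```

None of this stops a pulse from landing, which is why the whitepaper calls software countermeasures less effective than hardware ones; what it does is raise the number of precisely placed faults an attacker needs from one to several, and turn most single glitches into a clean FAIL rather than a silent bypass. In a real boot loader the same pattern wraps the signature primitive itself, and the sentinel, not a bool, should be what the jump into the verified image is gated on.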

In line with best practices for disclosing vulnerabilities, Gonzalez says IOActive’s research was shared with DJI before the whitepaper was published.

A DJI spokesperson confirmed that the company has been in contact with Gonzalez and has reviewed the exploit. Currently, DJI engineers are working to recreate the exploit to achieve code execution.

“We are in the process of developing mitigation measures against this physical attack,” the spokesperson wrote in a statement to Security Management. “EMFI attack is a common challenge in the industry, and we’ve been working on effective solutions for both hardware and software.”

Prior to releasing the Mavic Pro series to the market, DJI conducted internal and external penetration testing on the drones. The company also maintains a bug bounty program, which began in 2017, that 191 information security experts have used to submit 387 reports on potential vulnerabilities in DJI products.

“To minimize the risk of being exploited, we strongly advise our users take special precautions to avoid unauthorized physical access to their drones,” the spokesperson explained.

In the meantime, Gonzalez says he is interested in conducting more research on drones. The proposed next step is to apply the knowledge from this research study to another DJI drone model with no previously known vulnerabilities. This kind of research is important because drones are increasingly used across industry verticals, and more tools are available to the general public that could allow people to conduct similar exploits on drones.

“We used sophisticated tools, but in the past years there have been companies and researchers using simpler tools,” Gonzalez says. “The goal of this was to study whether these things are feasible.”

Gonzalez also emphasizes that security practitioners using drones for surveillance and monitoring—especially of sensitive areas—should ensure that the manufacturer they’re purchasing from has placed additional security protections on its products.

For end users in physical security, “law enforcement, or filmmakers who use drones for filming movies and things they want to keep secret, they might require additional protections,” Gonzalez adds. “You can ask the manufacturer if they have protections for physical attacks. You can engage with a third-party company that provides security evaluations to define the security features the drone has.”

For more on how security practitioners are using drones across industries, check out our Focus on Uncrewed Aerial Systems content series.