Brick-a-copter device

Postby Trnquill » Fri Oct 16, 2015 8:13 am

Have you heard of or come to think of this simple exploit that allows you to basically take control and even disarm any Mavlink radio equipped copter flying nearby? http://www.shellntel.com/blog/2015/9/25 ... -execution

Are there any plans to improve AQ security regarding this? Well, it's not an "AQ security" issue per se, but a cheap unencrypted radio exploit if I understood it correctly. What AQ compatible and readily available radio would not have such a vulnerability? Can you encrypt XBee traffic, for example?
Trnquill
 
Posts: 158
Joined: Thu Jun 06, 2013 9:35 am

Re: Brick-a-copter device

Postby aBUGSworstnightmare » Fri Oct 16, 2015 10:39 am

Trnquill wrote: Have you heard of or come to think of this simple exploit that allows you to basically take control and even disarm any Mavlink radio equipped copter flying nearby? http://www.shellntel.com/blog/2015/9/25 ... -execution

Are there any plans to improve AQ security regarding this? Well, it's not an "AQ security" issue per se, but a cheap unencrypted radio exploit if I understood it correctly. What AQ compatible and readily available radio would not have such a vulnerability? Can you encrypt XBee traffic, for example?


Any XBEE Radio allows for encrypted data transfer (as well as some other RF links, i.e. 868MHz Radios). So you need to be able to decode 128bit encrypted RF data from i.e. a Zigbee protocol to figure out the NetID ...
aBUGSworstnightmare
 
Posts: 1460
Joined: Fri Jun 22, 2012 5:24 pm

Re: Brick-a-copter device

Postby kinderkram » Fri Oct 16, 2015 6:56 pm

The problem is well known for a couple of years now. Though I haven't seen anyone demonstrating it.
For a safe operation you should use XBees or the like.

Afaik AQ doesn't accept arm/disarm commands via MAVlink but could be compromised by other means, especially when on a mission. Even then the radio switched to manual mode would be the pilot's last resort.

Anyway, the demonstration should make us think about possible flaws in the chain of control commands.
kinderkram
 
Posts: 2911
Joined: Fri Jun 22, 2012 7:47 am

Re: Brick-a-copter device

Postby Max » Fri Oct 16, 2015 9:34 pm

Mavlink is not secure on its own, nor does one need to hack any code to take advantage of it. There is pretty much no way around that w/out using heavy encryption on the transmission (and/or an elaborate key exchange to verify identity, like with HTTPS protocol). Most MCUs that run autopilots would not be able to handle that onboard (and certainly not several years ago when Mavlink was designed), so it makes sense to offload that to another device if one needs it.

That said, claims of "hijacking" and disarming remotely are somewhat overblown, definitely in the case of AQ (which is specifically mentioned in that article). There is no way to arm or disarm AQ via Mavlink, and even if there was, it would never disarm while flying. There is no way to remotely guide the AQ except in mission mode -- which is easily cancelled by the pilot switching to PH mode.

The AQ firmware versions that have the "follow me" feature are a bit more vulnerable because the pilot would need to switch to full manual mode to avoid a remote hijack. This will prevent the hijack but the MR would need to be close enough for visual orientation and so on, so it could potentially be a bit more dangerous.

Another potential vulnerability would be changing parameter values while flying, which AQ does not allow.

kinderkram wrote: Anyway, the demonstration should make us think about possible flaws in the chain of control commands.


You mean most people don't already think of these things routinely? :lol:

-Max
Max
 
Posts: 2814
Joined: Mon Aug 13, 2012 9:45 pm
Location: Near Ithaca, NY, USA
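
What offloading link authentication to a separate device, as described in the post above, could look like: an added example (not AQ, MAVLink or any forum member's code) in which a hypothetical `LinkAuth` wrapper on each end of the radio link adds a counter and a truncated HMAC-SHA256 tag around opaque frames and drops forged, reflected or replayed ones. The pre-shared key, header layout, tag length and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                 # truncated HMAC-SHA256 tag in bytes (assumed)
HDR = struct.Struct(">BQ")   # sender id (1 byte) + 64-bit send counter (assumed layout)
SAMPLE = b"constructed telemetry frame"   # constructed stand-in, not real MAVLink


class LinkAuth:
    """One end of the radio link; hypothetical wrapper, pre-shared key assumed."""

    def __init__(self, key: bytes, link_id: int):
        self.key, self.link_id = key, link_id
        self.tx_counter = 0
        self.rx_highest = {}          # peer id -> highest counter accepted so far

    def _tag(self, header: bytes, payload: bytes) -> bytes:
        mac = hmac.new(self.key, header + payload, hashlib.sha256)
        return mac.digest()[:TAG_LEN]

    def wrap(self, payload: bytes) -> bytes:
        self.tx_counter += 1
        header = HDR.pack(self.link_id, self.tx_counter)
        return header + payload + self._tag(header, payload)

    def unwrap(self, frame: bytes):
        """Return the payload, or None if the frame must be dropped."""
        if len(frame) < HDR.size + TAG_LEN:
            return None                               # truncated
        header, tag = frame[:HDR.size], frame[-TAG_LEN:]
        payload = frame[HDR.size:-TAG_LEN]
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            return None                               # forged or corrupted
        peer, counter = HDR.unpack(header)
        if peer == self.link_id:
            return None                               # our own frame reflected back
        if counter <= self.rx_highest.get(peer, 0):
            return None                               # replayed or stale
        self.rx_highest[peer] = counter
        return payload


if __name__ == "__main__":
    key = bytes(range(32))                            # constructed demo key
    ground, air = LinkAuth(key, 1), LinkAuth(key, 2)
    frame = ground.wrap(SAMPLE)
    print(air.unwrap(frame))      # accepted
    print(air.unwrap(frame))      # same frame again is dropped
```

The tag authenticates frames but does not encrypt them, and a deployed version would also have to persist the counters across reboots.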

Re: Brick-a-copter device

Postby kinderkram » Sat Oct 17, 2015 9:29 am

Max wrote:
You mean most people don't already think of these things routinely? :lol:

-Max

Well, 3DR obviously didn't when they introduced arm/disarm functions in their GUIs to make the IRIS one of those follow-me-gadgets.

Update: I submitted a comment in the above linked blog.
kinderkram
 
Posts: 2911
Joined: Fri Jun 22, 2012 7:47 am

