While more and more consumer drones are abused in recent attacks, there is still very little systematical research on countering malicious consumer drones. In this paper, we focus on this issue and develop effective attacks to common autopilot control algorithms to compromise the flight paths of autopiloted drones, e.g., leading them away from its preset paths. We consider attacking an autopiloted drone in three phases: attacking its onboard sensors, attacking its state estimation, and attacking its autopilot algorithms. Several firstphase attacks have been developed (e.g., –); second-phase attacks (including our previous work , ) have also been investigated. In this paper, we focus on the third-phase attacks. We examine three common autopilot algorithms, and design several attacks by exploiting their weaknesses to mislead a drone from its preset path to a manipulated path. We present the formal analysis of the scope of such manipulated paths. We further discuss how to apply the proposed attacks to disrupt preset drone missions, such as missing a target in searching an area or misleading a drone to intercept another drone, etc. Many potential attacks can be built on top of the proposed attacks. We are currently investigating different models to apply such attacks onmore »
Manipulating Drone Position Control
Although consumer drones have been used in many attacks, besides specific methods such as jamming, very little research has been conducted on systematical methods to counter these drones. In this paper, we develop generic methods to compromise drone position control algorithms in order to make malicious drones deviate from their targets. Taking advantage of existing methods to remotely manipulate drone sensors through cyber or physical attacks (e.g., , ), we exploited the weaknesses of position estimation and autopilot controller algorithms on consumer drones in the proposed attacks. For compromising drone position control, we first designed two state estimation attacks: a maximum False Data Injection (FDI) attack and a generic FDI attack that compromised the Kalman-Filter-based position estimation (arguably the most popular method). Furthermore, based on the above attacks, we proposed two attacks on autopilot-based navigation, to compromise the actual position of a malicious drone. To the best of our knowledge, this is the first piece of work in this area. Our analysis and simulation results show that the proposed attacks can significantly affect the position estimation and the actual positions of drones. We also proposed potential countermeasures to address these attacks.
- Award ID(s):
- Publication Date:
- NSF-PAR ID:
- Journal Name:
- 2019 IEEE Conference on Communications and Network Security (CNS)
- Page Range or eLocation-ID:
- 1 to 9
- Sponsoring Org:
- National Science Foundation
More Like this
Although some existing counterdrone measures can disrupt the invasion of certain consumer drone, to the best of our knowledge, none of them can accurately redirect it to a given location for defense. In this paper, we proposed a Drone Position Manipulation (DPM) attack to address this issue by utilizing the vulnerabilities of control and navigation algorithms used on consumer drones. As such drones usually depend on GPS for autopiloting, we carefully spoof GPS signals based on where we want to redirect a drone to, such that we indirectly affect its position estimates that are used by its navigation algorithm. By carefully manipulating these states, we make a drone gradually move to a path based on our requirements. This unique attack exploits the entire stack of sensing, state estimation, and navigation control together for quantitative manipulation of flight paths, different from all existing methods. In addition, we have formally analyzed the feasible range of redirected destinations for a given target. Our evaluation on open-source ArduPilot system shows that DPM is able to not only accurately lead a drone to a redirected destination but also achieve a large redirection range.
BBR is a new congestion control algorithm proposed by Google that builds a model of the network path consisting of its bottleneck bandwidth and RTT to govern its sending rate rather than packet loss (like CUBIC and many other popular congestion control algorithms). Loss-based congestion control has been shown to be vulnerable to acknowledgment manipulation attacks. However, no prior work has investigated how to design such attacks for BBR, nor how effective they are in practice. In this paper we systematically analyze the vulnerability of BBR to acknowledgement manipulation attacks. We create the first detailed BBR finite state machine and a novel algorithm for inferring its current BBR state at runtime by passively observing network traffic.We then adapt and apply a TCP fuzzer to the Linux TCP BBR v1.0 implementation. Our approach generated 30,297 attack strategies, of which 8,859 misled BBR about actual network conditions. From these, we identify 5 classes of attacks causing BBR to send faster, slower or stall. We also found that BBR is immune to acknowledgment burst, division and duplication attacks that were previously shown to be effective against loss-based congestion control such as TCP New Reno.
With the deployment of artificial intelligent (AI) algorithms in a large variety of applications, there creates an increasing need for high-performance computing capabilities. As a result, different hardware platforms have been utilized for acceleration purposes. Among these hardware-based accelerators, the field-programmable gate arrays (FPGAs) have gained a lot of attention due to their re-programmable characteristics, which provide customized control logic and computing operators. For example, FPGAs have recently been adopted for on-demand cloud services by the leading cloud providers like Amazon and Microsoft, providing acceleration for various compute-intensive tasks. While the co-residency of multiple tenants on a cloud FPGA chip increases the efficiency of resource utilization, it also creates unique attack surfaces that are under-explored. In this paper, we exploit the vulnerability associated with the shared power distribution network on cloud FPGAs. We present a stealthy power attack that can be remotely launched by a malicious tenant, shutting down the entire chip and resulting in denial-of-service for other co-located benign tenants. Specifically, we propose stealthy-shutdown: a well-timed power attack that can be implemented in two steps: (1) an attacker monitors the realtime FPGA power-consumption detected by ring-oscillator-based voltage sensors, and (2) when capturing high power-consuming moments, i.e., the power consumptionmore »
Aerial drones are becoming an integral part of application domains including but not limited to, military operations, package delivery, construction, monitoring and search/rescue operations. It is critical to ensure the cyber security of networked aerial drone systems in these applications. Standard cryptographic services can be deployed to provide basic security services; however, they have been shown to be inefﬁcient in terms of energy and time consumption, especially for small aerial drones with resource-limited processors. Therefore, there is a signiﬁcant need for an efﬁcient cryptographic framework that can meet the requirements of small aerial drones. We propose an improved cryptographic framework for small aerial drones, which offers signiﬁcant energy efﬁciency and speed advantages over standard cryptographic techniques. (i) We create (to the best of our knowledge) the ﬁrst optimized public key infrastructure (PKI) based framework for small aerial drones, which provides energy efﬁcient techniques by harnessing special precomputation methods and optimized elliptic curves. (ii) We also integrate recent light-weight symmetric primitives into our PKI techniques to provide a full-ﬂedged cryptographic framework. (iii) We implemented standard counterparts and our proposed techniques on an actual small aerial drone (Crazyﬂie 2.0), and provided an in-depth energy analysis. Our experiments showed that our improved cryptographicmore »