Title: A Security Assessment for Consumer WiFi Drones
Small-scale unmanned aerial vehicles (UAVs) have become an increased presence in recent years due to their decreasing price and ease of use. Similarly, ways to detect drones through easily accessible programs like Wireshark have raised more potential threats, including an increase in the ease of jamming and spoofing drones using commercial off-the-shelf (COTS) equipment like software-defined radio (SDR). Given these advancements, drone security is an active area of research. Recent research has focused on using a HackRF SDR to perform eavesdropping or jamming attacks; however, most of it has failed to show a proposed remediation. Similarly, many research papers show post-analysis of communications but seem to lack a conclusive demonstration of command manipulation. Our security assessment shows clear steps in the manipulation of a WiFi drone using the aircrack-ng suite without the need for additional equipment like an SDR. This shows that anyone with access to a computer could potentially take down a drone. Alarmingly, we found that the COTS WiFi drone in our experiment still lacked the simple security measure of a password, and we were very easily able to take over the drone in a deauthorization attack. We include a proposed remediation to mitigate the performed attack and assess the entire process using the STRIDE and DREAD models. In doing so, we demonstrate a full attack process and provide a resolution to said attack.
Award ID(s):
1757781
NSF-PAR ID:
10157750
Journal Name:
2019 IEEE International Conference on Industrial Internet (ICII)
Page Range / eLocation ID:
1 to 5
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Cheap commercial off-the-shelf (COTS) First-Person View (FPV) drones have become widely available for consumers in recent years. Unfortunately, they also provide low-cost attack opportunities to malicious users. Thus, effective methods to detect the presence of unknown and non-cooperating drones within a restricted area are highly demanded. Approaches that detect drones based on the emitted video stream have been proposed, but were not yet shown to work against other similar benign traffic, such as that generated by wireless security cameras. Most importantly, these approaches were not studied in the context of detecting new unprofiled drone types. In this work, we propose a novel drone detection framework, which leverages specific patterns in video traffic transmitted by drones. The patterns consist of repetitive synchronization packets (which we call pivots), which we use as features for a machine learning classifier. We show that our framework can achieve up to 99% detection accuracy over an encrypted WiFi channel using only 170 packets originating from the drone within an 820 ms time period. Our framework is able to identify drone transmissions even among very similar WiFi transmissions (such as video streams originating from security cameras) as well as in noisy scenarios with background traffic. Furthermore, the design of our pivot features enables the classifier to detect unprofiled drones that the classifier has never been trained on, and is refined using a novel feature selection strategy that selects the features that have the discriminative power to detect new unprofiled drones.
  2. Although consumer drones have been used in many attacks, besides specific methods such as jamming, very little research has been conducted on systematical methods to counter these drones. In this paper, we develop generic methods to compromise drone position control algorithms in order to make malicious drones deviate from their targets. Taking advantage of existing methods to remotely manipulate drone sensors through cyber or physical attacks (e.g., [1], [2]), we exploited the weaknesses of position estimation and autopilot controller algorithms on consumer drones in the proposed attacks. For compromising drone position control, we first designed two state estimation attacks: a maximum False Data Injection (FDI) attack and a generic FDI attack that compromised the Kalman-Filter-based position estimation (arguably the most popular method). Furthermore, based on the above attacks, we proposed two attacks on autopilot-based navigation, to compromise the actual position of a malicious drone. To the best of our knowledge, this is the first piece of work in this area. Our analysis and simulation results show that the proposed attacks can significantly affect the position estimation and the actual positions of drones. We also proposed potential countermeasures to address these attacks. 
  3. Although some existing counter-drone measures can disrupt the invasion of certain consumer drones, to the best of our knowledge, none of them can accurately redirect a drone to a given location for defense. In this paper, we propose a Drone Position Manipulation (DPM) attack to address this issue by utilizing the vulnerabilities of control and navigation algorithms used on consumer drones. As such drones usually depend on GPS for autopiloting, we carefully spoof GPS signals based on where we want to redirect a drone to, such that we indirectly affect its position estimates that are used by its navigation algorithm. By carefully manipulating these states, we make a drone gradually move to a path based on our requirements. This unique attack exploits the entire stack of sensing, state estimation, and navigation control together for quantitative manipulation of flight paths, different from all existing methods. In addition, we have formally analyzed the feasible range of redirected destinations for a given target. Our evaluation on the open-source ArduPilot system shows that DPM is able to not only accurately lead a drone to a redirected destination but also achieve a large redirection range.
  4. In this paper, a machine learning (ML) approach is proposed to detect and classify jamming attacks on unmanned aerial vehicles (UAVs). Four attack types are implemented using software-defined radio (SDR); namely, barrage, single-tone, successive-pulse, and protocol-aware jamming. Each type is launched against a drone that uses orthogonal frequency division multiplexing (OFDM) communication to qualitatively analyze its impacts considering jamming range, complexity, and severity. Then, an SDR is utilized in proximity to the drone and in systematic testing scenarios to record the radiometric parameters before and after each attack is launched. Signal-to-noise ratio (SNR), energy threshold, and several OFDM parameters are exploited as features and fed to six ML algorithms to explore and enable autonomous jamming detection/classification. The algorithms are quantitatively evaluated with metrics including detection and false alarm rates to evaluate the received signals and facilitate efficient decision-making for improved reception integrity and reliability. The resulting ML approach detects and classifies jamming with an accuracy of 92.2% and a false-alarm rate of 1.35%.
  5. When people connect to the Internet with their mobile devices, they do not often think about the security of their data; however, the prevalence of rogue access points has taken advantage of a false sense of safety in unsuspecting victims. This paper analyzes the methods an attacker would use to create rogue WiFi access points using software-defined radio (SDR). To construct a rogue access point, a few essential layers of WiFi need simulation: the physical layer, link layer, network layer, and transport layer. Radio waves carrying WiFi packets, transmitted between two Universal Software Radio Peripherals (USRPs), emulate the physical layer. The link layer consists of the connection between those same USRPs communicating directly to each other, and the network layer expands on this communication by using the network tunneling/network tapping (TUN/TAP) interfaces to tunnel IP packets between the host and the access point. Finally, the establishment of the transport layer constitutes transceiving the packets that pass through the USRPs. In the end, we found that creating a rogue access point and capturing the stream of data from a fabricated "victim" on the Internet was effective and cheap with SDRs as inexpensive as $20 USD. Our work aims to expose how a cybercriminal could carry out an attack like this in order to prevent and defend against them in the future. 