Although consumer drones have been used in
many attacks, besides specific methods such as jamming, very
little research has been conducted on systematical methods
to counter these drones. In this paper, we develop generic
methods to compromise drone position control algorithms in
order to make malicious drones deviate from their targets.
Taking advantage of existing methods to remotely manipulate
drone sensors through cyber or physical attacks (e.g., [1],
[2]), we exploited the weaknesses of position estimation and
autopilot controller algorithms on consumer drones in the
proposed attacks. For compromising drone position control,
we first designed two state estimation attacks: a maximum
False Data Injection (FDI) attack and a generic FDI attack
that compromised the Kalman-Filter-based position estimation
(arguably the most popular method). Furthermore, based on
the above attacks, we proposed two attacks on autopilot-based
navigation, to compromise the actual position of a malicious
drone. To the best of our knowledge, this is the first piece of
work in this area. Our analysis and simulation results show
that the proposed attacks can significantly affect the position
estimation and the actual positions of drones. We also proposed
potential countermeasures to address these attacks.
more »
« less
Accurately Redirecting a Malicious Drone
Although some existing counterdrone measures can
disrupt the invasion of certain consumer drone, to the best of
our knowledge, none of them can accurately redirect it to a
given location for defense. In this paper, we proposed a Drone
Position Manipulation (DPM) attack to address this issue by
utilizing the vulnerabilities of control and navigation algorithms
used on consumer drones. As such drones usually depend on
GPS for autopiloting, we carefully spoof GPS signals based on
where we want to redirect a drone to, such that we indirectly
affect its position estimates that are used by its navigation
algorithm. By carefully manipulating these states, we make a
drone gradually move to a path based on our requirements. This
unique attack exploits the entire stack of sensing, state estimation,
and navigation control together for quantitative manipulation of
flight paths, different from all existing methods. In addition,
we have formally analyzed the feasible range of redirected
destinations for a given target. Our evaluation on open-source
ArduPilot system shows that DPM is able to not only accurately
lead a drone to a redirected destination but also achieve a large
redirection range.
more »
« less
- Award ID(s):
- 1662487
- NSF-PAR ID:
- 10312068
- Date Published:
- Journal Name:
- IEEE Consumer Communications and Networking Conference (CCNC)
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Drone simulators are often used to reduce training costs and prepare operators for various ad-hoc scenarios, as well as to test the quality of algorithmic and communication aspects in collaborative scenarios. An important aspect of drone missions in simulated (as well as real life) environments is the operational lifetime of a given drone, in both solo and collaborative fleet settings. Its importance stems from the fact that the capacity of the on-board batteries in untethered (i.e., free-flying) drones determines the range and/or the length of the trajectory that a drone can travel in the course of its surveilance or delivery missions. Most of the existing simulators incorporate some kind of a consumption model based on different parameters of the drone and its flight trajectory. However, to our knowledge, the existing simulators are not capable of incorporating data obtained from actual physical measurements/observations into the consumption model. In this work, we take a first step towards enabling the (users of) drones simulator to incorporate the speed and direction of the wind into the model and monitor its impact on the battery consumption as the direction of the flight changes relative to the wind. We have also developed a proof-of-concept implementation with DJI Mavic 3 and Parrot ANAFI drones.more » « less
-
Location information is critical to a wide variety of navigation and tracking applications. GPS, today's de-facto outdoor localization system has been shown to be vulnerable to signal spoofing attacks. Inertial Navigation Systems (INS) are emerging as a popular complementary system, especially in road transportation systems as they enable improved navigation and tracking as well as offer resilience to wireless signals spoofing and jamming attacks. In this paper, we evaluate the security guarantees of INS-aided GPS tracking and navigation for road transportation systems. We consider an adversary required to travel from a source location to a destination and monitored by an INS-aided GPS system. The goal of the adversary is to travel to alternate locations without being detected. We develop and evaluate algorithms that achieve this goal, providing the adversary significant latitude. Our algorithms build a graph model for a given road network and enable us to derive potential destinations an attacker can reach without raising alarms even with the INS-aided GPS tracking and navigation system. The algorithms render the gyroscope and accelerometer sensors useless as they generate road trajectories indistinguishable from plausible paths (both in terms of turn angles and roads curvature). We also design, build and demonstrate that the magnetometer can be actively spoofed using a combination of carefully controlled coils. To experimentally demonstrate and evaluate the feasibility of the attack in real-world, we implement a first real-time integrated GPS/INS spoofer that accounts for traffic fluidity, congestion, lights, and dynamically generates corresponding spoofing signals. Furthermore, we evaluate our attack on ten different cities using driving traces and publicly available city plans. Our evaluations show that it is possible for an attacker to reach destinations that are as far as 30 km away from the actual destination without being detected. We also show that it is possible for the adversary to reach almost 60--80% of possible points within the target region in some cities. Such results are only a lower-bound, as an adversary can adjust our parameters to spend more resources (e.g., time) on the target source/destination than we did for our performance evaluations of thousands of paths. We propose countermeasures that limit an attacker's ability, without the need for any hardware modifications. Our system can be used as the foundation for countering such attacks, both detecting and recommending paths that are difficult to spoof.more » « less
-
We introduce Spatial Predictive Control (SPC), a technique for solving the following problem: given a collection of robotic agents with black-box positional low-level controllers (PLLCs) and a mission-specific distributed cost function, how can a distributed controller achieve and maintain cost-function minimization without a plant model and only positional observations of the environment? Our fully distributed SPC controller is based strictly on the position of the agent itself and on those of its neighboring agents. This information is used in every time step to compute the gradient of the cost function and to perform a spatial look-ahead to predict the best next target position for the PLLC. Using a simulation environment, we show that SPC outperforms Potential Field Controllers, a related class of controllers, on the drone flocking problem. We also show that SPC works on real hardware, and is therefore able to cope with the potential sim-to-real transfer gap. We demonstrate its performance using as many as 16 Crazyflie 2.1 drones in a number of scenarios, including obstacle avoidance.more » « less
-
Small-scale unmanned aerial vehicles (UAVs) have become an increased presence in recent years due to their decreasing price and ease of use. Similarly, ways to detect drones through easily accessible programs like WireShark have raised more potential threats, including an increase in ease of jamming and spoofing drones utilizing commercially of the shelf (COTS) equipment like software defined radio (SDR). Given these advancements, an active area of research is drone security. Recent research has focused on using a HackRF SDR to perform eavesdropping or jamming attacks; however, most have failed to show a proposed remediation. Similarly, many research papers show post analysis of communications, but seem to lack a conclusive demonstration of command manipulation. Our security assessment shows clear steps in the manipulation of a WiFi drone using the aircrack-ng suite without the need for additional equipment like a SDR. This shows that anyone with access to a computer could potentially take down a drone. Alarmingly, we found that the COTS WiFi drone in our experiment still lacked the simple security measure of a password, and were very easily able to take over the drone in a deauthorization attack. We include a proposed remediation to mitigate the preformed attack and assess the entire process using the STRIDE and DREAD models. In doing so, we demonstrate a full attack process and provide a resolution to said attack.more » « less