Drone Hacking Analysis: Drones Drop From Sky During Light Show
The use of drones to replace fireworks during celebratory events and concerts has seen a huge increase in the past 12 months. Beyond the obvious "wow" factor of drone technology as an entertainment tool, drones are better for the environment than fireworks, they're reusable, and they don't scare our pets. But are they safer "out of the box"?
A recent drone incident during one such light show in Taiwan highlights the importance of embedding cybersecurity into drone use as a matter of safety.
48 out of 800 drones crashed in the middle of a ‘drone fireworks’ light show performance. According to an official report, “signal” or electromagnetic interference was detected; however, the origin of the interference was not discovered.
800 drones were designated to perform a light show at the Taiwan Lantern Festival in Taichung City when forty-eight of the drones crashed during the performance. While there was electromagnetic interference detected before the show, the source of the interference was not located despite engaging the telecommunication police.
Taiwan's telecommunication police use detection guns and signal monitoring vans to detect the origins of unknown signals and interference. While the interference was postulated to have overlapped with signals used by other radio-frequency devices, it was rumoured that it could have been a deliberate action by drone operators protesting against the government’s new regulations, scheduled to take effect on March 31, 2020. The regulations required all drones weighing over 250 grams to be registered and limited drones to flying up to 120 meters above ground level.
This is a bit of a watershed moment after the innovation-led, seemingly positive news about drone light shows (or drone fireworks) in recent times. Drone fireworks overcome the environmental, sound and fire-sparking negatives of traditional fireworks, but there is now a need for mitigation strategies as a safety and public precaution. The problem presents itself from a number of angles – if it was indeed illegal jamming by a protestor, what could a malicious operator do with illegal protocol manipulation or hijacking techniques? Suddenly, a number of swarm-based activities become available to nefarious individuals.
Further to this (simply from a Red Teamer’s perspective), these light shows can be easily automated and pre-programmed. You have to wonder: if the control link was jammed and overridden with a pre-set path, there could certainly be room for a Not-Safe-For-Work or even anti-propaganda message displayed in the sky, to the malicious operator’s creative designs. This is a limited attack scenario compared to sending those drones into the crowd, or a busy helicopter causeway. Most importantly, something with the attention of a fireworks demonstration draws a large crowd and is often backed by the city – it’s an attractive target for malicious individuals and one that would cause a lot of fear, uncertainty and doubt in the innovation and technology.
Electromagnetic interference, or jamming, is one of the many methods which have been employed worldwide as a counter-drone solution. Jammers work by sending out strong bursts of radio-frequency energy on or near the target frequency, overpowering the real signal and preventing the target from receiving any incoming signals.
However, jammers, while able to shut down a drone, essentially shut out the whole frequency, which affects surrounding appliances, gadgets or tools running on that same frequency. With that said, it can be quite costly (publicly and commercially) to implement an electromagnetic counter-drone solution, as drones can run on several frequencies ranging from 433 MHz to 5.8 GHz, with most being on 2.4 GHz and 5.8 GHz. The latter two are also Wi-Fi frequencies, which are widely used today in most smart cities.
For a rogue drone activist, a jammer or electronic interference to dampen the use of drones is also easy to implement. Low-powered portable jammers, easily available off the market, can effectively shut down frequencies about 15 meters away, and their range can be extended with amplifiers. However, detecting a jammer is costly and takes longer than emitting a jamming frequency. A spectrum analyser, usually costing from hundreds to several thousand, does not give an exact location of the jammer itself; several data points are required before the seeker is able to pinpoint the rough location of the jammer. By then, the jammer could have already served its purpose and the operator moved on.
When using Wi-Fi-based drone light shows, ensure the drones have been modified to operate on custom-named SSIDs and channels, and enforce complex passwords to join the wireless network (supporting reasonable encryption). Where possible, ensure protected management frames are utilised (when supported by the hardware and wireless adapter and thoroughly tested) to prevent common de-authentication attack techniques. These typical wireless security methodologies could prevent low-hanging fruit attacks from your average skilled hacker and their generic wireless-based hacking kit.
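A pre-show check of these Wi-Fi controls can be scripted. The following is an added example, not code from DroneSec: it assumes the show's access point is configured with hostapd-style `key=value` settings, and the passphrase policy, the SSID hint list and both sample configs are constructed for illustration.

```python
import re

# Assumed policy for this example (not from the article).
MIN_PASSPHRASE_LEN = 20
GENERIC_SSID_HINTS = ("default", "drone", "test", "setup")

# Constructed hostapd-style fragments: a weak one and a hardened one.
WEAK = """ssid=DroneShow
channel=6
wpa=3
wpa_pairwise=TKIP CCMP
wpa_passphrase=lightshow1
ieee80211w=0"""
HARDENED = """ssid=kx7-northfield-ops
channel=149
wpa=2
wpa_key_mgmt=WPA-PSK-SHA256
rsn_pairwise=CCMP
wpa_passphrase=Vq9#tLm2&Rz8wXc4!Hp6Jd
ieee80211w=2"""

def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and '#' comment lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return findings for the controls the paragraph above recommends."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if not ssid or any(h in ssid for h in GENERIC_SSID_HINTS):
        findings.append("ssid: generic or self-describing network name")
    if cfg.get("wpa") != "2":
        findings.append("wpa: legacy WPA allowed, expected wpa=2 (WPA2/RSN only)")
    if cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split() != ["CCMP"]:
        findings.append("cipher: TKIP or no cipher set, expected CCMP only")
    pw = cfg.get("wpa_passphrase", "")
    kinds = sum(bool(re.search(p, pw)) for p in ("[a-z]", "[A-Z]", "[0-9]", "[^a-zA-Z0-9]"))
    if len(pw) < MIN_PASSPHRASE_LEN or kinds < 3:
        findings.append("wpa_passphrase: too short or too few character classes")
    if cfg.get("ieee80211w") != "2":
        findings.append("ieee80211w: protected management frames not required")
    return findings
```

`audit(parse_hostapd(WEAK))` reports all five controls, while the hardened fragment returns an empty list.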
For automated-GPS or RF-based light shows not utilising the 802.11x protocol, ensure the control link is secure and high-powered, and that physical redundancy is in place in the event the drones drop or fall out of the sky. Ensure a soft-kill, hard-kill or telemetry failure has a default action such as Return-to-Home or complete rotor stop on path deviation.
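The default-action rule can be expressed as a small per-tick decision function. This is an added example rather than any vendor's flight code: the thresholds, the waypoint format and the mapping of each condition to Return-to-Home or rotor stop are assumptions chosen to mirror the paragraph above.

```python
import math
from enum import Enum

class Action(Enum):
    CONTINUE = "continue"
    RETURN_TO_HOME = "return_to_home"
    ROTOR_STOP = "rotor_stop"

# Assumed thresholds; tune per airframe and venue.
LINK_TIMEOUT_S = 2.0       # no control-link heartbeat for this long
TELEMETRY_TIMEOUT_S = 1.0  # no fresh position fix for this long
MAX_DEVIATION_M = 5.0      # allowed distance from the choreographed path

def planned_position(path, t):
    """Interpolate the choreographed (x, y, z) at time t from (t, x, y, z) waypoints."""
    if t <= path[0][0]:
        return tuple(path[0][1:])
    for (t0, *p0), (t1, *p1) in zip(path, path[1:]):
        if t0 <= t <= t1:
            f = (t - t0) / (t1 - t0)
            return tuple(a + f * (b - a) for a, b in zip(p0, p1))
    return tuple(path[-1][1:])

def failsafe_action(now, last_heartbeat, last_fix, position, path, kill=None):
    """Pick this tick's default action; the most severe condition wins."""
    if kill == "hard":
        return Action.ROTOR_STOP
    fix_is_fresh = now - last_fix <= TELEMETRY_TIMEOUT_S
    if fix_is_fresh:
        deviation = math.dist(tuple(position), planned_position(path, now))
        if deviation > MAX_DEVIATION_M:
            return Action.ROTOR_STOP      # off the pre-programmed path
    if kill == "soft" or not fix_is_fresh:
        return Action.RETURN_TO_HOME      # operator abort or telemetry failure
    if now - last_heartbeat > LINK_TIMEOUT_S:
        return Action.RETURN_TO_HOME      # control link lost
    return Action.CONTINUE
```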
Lastly, in the event something like this occurs, the crew should have a forensic or incident response kit ready (for that particular drone make/model and associated equipment) and waiting to collect the evidence, hardware and software data to piece together the story of what happened. Logging on the drones, controllers and interconnected systems/software should provide enough telemetry data to distinguish an accidental link failure, bird strike or operator mistake from a malicious de-authentication attack, signal jam or protocol manipulation of the devices.
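A first-pass triage of collected logs might look like the sketch below, which is an added example and not DroneSec tooling. The record format, event names, thresholds and sample data are all constructed, and the labels are working hypotheses for investigators, not conclusions.

```python
from collections import Counter, defaultdict

# Assumed thresholds for this example; calibrate against baseline flights.
WINDOW_S = 3.0        # how far back to look before each link loss
NOISE_JAM_DBM = -70   # noise floor at or above this counts as raised
IMPACT_G = 4.0        # accelerometer spike treated as a collision
SWARM_MIN = 5         # losses sharing a cause before it is called swarm-wide

# Constructed telemetry records: (time_s, drone_id, event, value)
SAMPLE = []
for i in range(1, 7):  # six drones log a raised noise floor, then lose the link
    SAMPLE += [(100.0, f"d{i:03}", "noise_dbm", -62), (101.5, f"d{i:03}", "link_lost", 0)]
SAMPLE += [(140.0, "d200", "impact_g", 6.3), (140.2, "d200", "link_lost", 0)]
SAMPLE += [(90.0, "d300", "deauth_rx", 7), (90.4, "d300", "link_lost", 0)]  # value = reason code

def classify_losses(events):
    """Label each drone's first link loss by what its log shows just before it."""
    by_drone = defaultdict(list)
    for t, drone, kind, value in sorted(events, key=lambda e: e[0]):
        by_drone[drone].append((t, kind, value))
    labels = {}
    for drone, log in by_drone.items():
        t_loss = next((t for t, kind, _ in log if kind == "link_lost"), None)
        if t_loss is None:
            continue  # this drone never lost its link
        prior = [(k, v) for t, k, v in log if t_loss - WINDOW_S <= t < t_loss]
        if any(k == "noise_dbm" and v >= NOISE_JAM_DBM for k, v in prior):
            labels[drone] = "raised-noise-floor"
        elif any(k == "deauth_rx" for k, _ in prior):
            labels[drone] = "deauth-before-loss"
        elif any(k == "impact_g" and v >= IMPACT_G for k, v in prior):
            labels[drone] = "physical-impact"
        else:
            labels[drone] = "unexplained-link-loss"
    return labels

def summarize(labels):
    """Turn per-drone labels into an incident-level hypothesis for investigators."""
    counts = Counter(labels.values())
    if counts["raised-noise-floor"] >= SWARM_MIN:
        verdict = "suspected jamming or interference"
    elif counts["deauth-before-loss"] >= SWARM_MIN:
        verdict = "suspected de-authentication attack"
    else:
        verdict = "isolated failures"
    return verdict, dict(counts)
```

On the constructed sample, six drones share the raised-noise-floor label, so the summary points to interference, while the impact and de-authentication cases remain visible as separate per-drone labels.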
It’s always recommended to select a (drone and control link) brand that has been independently tested from a security and penetration testing point of view, and if running a Drone Light Show, conduct a simulation catering for malicious individuals targeting the event for mitigation and remediation purposes. This is something DroneSec provides as a core speciality – please contact us to enquire about Red Teaming services.
This analysis was first published in our DroneSec Notify Threat Intelligence release.