If you were watching Iranian state TV in early December 2011, you would have seen an unusual flying object paraded in front of viewers. Windowless, squat, with a pointed nose, its two wings made it the shape of a manta ray. The trophy on show was an RQ-170 Sentinel stealth drone, a key weapon in the intelligence gathering arsenal of the US Central Intelligence Agency (CIA). Standing in a hangar on a military airfield, the drone was seemingly undamaged. Indeed, Iranian officials insisted that it had not been shot down; rather, they claimed an unusual coup: to have hacked the drone while it was flying near Iran’s border over Afghanistan and forced it to land.
Outside Iran, many snorted in disbelief at hearing such claims. Todd Humphreys, assistant professor of aerospace engineering at the University of Texas in Austin, US, was one of the sceptics. Soon, though, he would prove himself wrong.
So, how easy is it to hack a drone? Along with the military, could police and private citizens also lose control of their aircraft? And if so, what might a hacker do with a stolen drone?
One way to hack a drone involves messing with the system it uses to navigate. US military drones use encrypted frequencies of the Global Positioning System (GPS), and this was the RQ-170’s Achilles heel, said the Iranians. They first jammed its communications links, which disconnected it from ground controllers and made it switch to autopilot; it also interrupted the secure data flow from the GPS satellites. The drone was forced to search for unencrypted GPS frequencies normally used by commercial aircraft. At this point, the Iranians said, they used a technique called “spoofing” – sending the plane wrong GPS coordinates, tricking it into believing that it was near its home base in Afghanistan. And so it landed on Iranian territory, directly into the welcoming arms of its kidnappers.
The US rejected the hacking scenario, insisting that its flying robot simply had malfunctioned. Military drones usually have a back-up system to guide them home automatically if contact with operators is lost. But that clearly didn’t work.
The more Humphreys thought about the incident, the more he felt that such an attack might work, at least in theory. Together with students at his university’s Radionavigation Lab, which he directs, he invited the US Department of Homeland Security (DHS) to watch how his team could spoof a civilian drone mid-air.
Using equipment costing less than $2,000, Humphreys mimicked the unencrypted signals sent to the GPS receiver on board a small university-owned drone. With DHS officials watching, he managed to fool the drone in a matter of minutes to follow his commands. “I first dismissed the Iranians’ claims as extremely unlikely, but have since revised my estimate to ‘remotely plausible’,” he says.
Jamming GPS satellite signals “so the drone's sense of its own location begins to drift away from the truth” is quite doable for both military and commercial drones, he says, because these signals are so weak. “The US military is scrambling right now to reduce their drones' susceptibility to GPS jamming, but it's going to take some time before they've got a satisfactory fix.”
There are other vulnerabilities, too. Intercepting data links from the drone, such as knowing precisely what the plane is looking at, is also easy to do if the feeds are not encrypted. In 2008, Iraqi militants intercepted unencrypted video feeds from unmanned US spy planes. And in 2012, drones at Creech Air Force Base in Nevada were reportedly infected with malware after an operator apparently had used a drone’s computer to play “Mafia Wars” – and in the process installed a virus on the PC.
A military drone hacked by criminals is obviously a dangerous scenario. But what if hackers were to gain control of civilian flying robots? Drones are already being exploited for search and rescue organisations, police authorities for surveillance, or for crop or wildlife monitoring, for example, and they may soon be joined by postal services and online retailers.
Independent IT security analyst Samy Kamkar showed that taking control of a civilian drone was possible in December 2013. He equipped a Parrot AR Drone 2.0 with a tiny Raspberry Pi computer, a battery and two wireless transmitters. The microcomputer ran a simple piece of software, which directed the drone to search for the wi-fi signals used to control nearby Parrot drones. Once his drone had found a victim, the program used the wireless transmitters to sever the target drone’s link to its owner and took control. According to Kamkar, a handheld computer on the ground can do the trick too.
Humphreys calls Kamkar’s work “a clever hack” and predicts that “it won't be the last one against commercial drones; hackers will find flaws and exploit them.”
David Mascarenas, who works for the National Security Education Center at Los Alamos National Labs, agrees. As drones are nothing but flying computers, he says they “have the potential to exhibit never before seen security flaws that couple both cyber and physical security concerns.”
Yet what would be the motivation for a hacker to take control of a civilian drone?
“The reason to hack a drone would be like any other reason people hack,” says Peter Singer, director of the Center for 21st Century Security and Intelligence at Brookings Institution, a think-tank based in Washington DC. “It might be to cause an act of terror, an act of mischief, to carry out some kind of crime, or the “white hat” type, to show that it can be done in order to warn others of the vulnerabilities.”
Delivery drones could be hacked to steal their cargo, the expensive machine itself, or even to encourage black market activities. “If a drone can deliver a book, it can also be used to deliver narcotics” or sneak contraband into a prison, says Mascarenas. Indeed a drone has already been used for smuggling cigarettes into a prison yard in Georgia, US.
Another example might be corporate espionage. A drone that normally operates within a factory could be redirected and tagged with a tiny broadcasting camera, allowing a hacker to spy on sensitive commercial information.
Then there may simply be people who don’t want drones spying on them. One town in Colorado has already proposed drone “hunting licences” that would allow people to shoot down drones. While Humphreys says the idea is farcical, the anti-surveillance sentiment behind it is real. “If I saw an unfamiliar drone snooping around my back yard, you can bet I'd be sorely tempted to jam its GPS receiver to shoo it away – or bring it down,” he says. “GPS jammers can be purchased for less than $50 online and they're quite effective.”
So can the threat be prevented? At the Los Alamos National Laboratory Engineering Institute, Mascarenas and colleagues are testing software that would make drones unpredictable – for example by taking random paths while still achieving their goals – to reduce the possibility of ambush.
Yet such methods will likely prove to be the start of an arms race between hackers and the security professionals who wish to stop them. “The bottom line is that a drone is a flying computer. And computers can be hacked,” says Singer.