News

Researchers propose using electromagnetic attacks to hack drones

Security Parrot Editorial Team

Researchers Demonstrate Vulnerability of Drones to EMFI Attacks

Experts from IOActive have demonstrated that drones are vulnerable to side-channel EM fault injection (EMFI) attacks that allow malicious code to run on the device. For their experiments, the researchers chose one of the popular drone models – DJI Mavic Pro.

Attacking the Device

DJI is a well-established manufacturer that pays special attention to the security of its products, including the use of encrypted firmware, as well as Trusted Execution Environment (TEE) and Secure Boot. A drone can be attacked using different vectors, including the server side, its mobile application, radio frequency communications, and the physical device itself. Experts took the path of attacking the device itself and used electromagnetic radiation to implement EMFI-type attacks.

Extracting the Key

During the first experiment, the researchers tried to use electromagnetic radiation to obtain an encryption key and use it to decrypt the firmware. They found an area on the drone’s circuit board with a strong electromagnetic signal, placed a probe there, and eventually recorded enough data to extract the key.
After identifying the zone with the strongest signal, the experts tried to figure out how to bypass the signature verification that occurs before decrypting the firmware. After several days of tests and data analysis, it was found that the probability of successfully bypassing the signature is less than 0.5%. In fact, this made key recovery impossible.

Bypassing Signature Verification

Then IOActive analysts went the other way and took as a basis the ideas previously published by Riscure specialists. In their study, they proposed to provoke a failure in order to force one instruction to transform into another and seize control, for example, of the PC registry.
As a result, an installation was assembled in IOActive. To implement the attack, they needed a laptop (used as a controller), a power supply, a Riscure Spider (used for i trigger generation), oscilloscope, XYZ table and EMFI pulse generator.

Malicious Payload

In fact, the use of electromagnetic signals for memory corruption has been found to be applicable to the delivery of a payload that enables code execution. An attacker can use this exploit to take control of a specific device, leak sensitive data, enable ADB access, and leak encryption keys.
“We have demonstrated that it is possible to compromise a target device by introducing a specific electromagnetic glitch at the right time during a firmware update. This will allow an attacker to achieve code execution on the main processor [of the device] and gain access to the Android OS, which implements the core functionality of the drone,” experts say.

Conclusion

The researchers summarize that during these tests, they tried to understand whether such attacks on a complex and modern device are generally possible. Since it has been proven that it is possible to take control of a device during firmware processing, the next step is to apply the knowledge gained on another DJI model that does not have the same level of security.

Weekly Updates For Our Loyal Readers!

Share this Article
Lost your password?