The FAA predicts that there will be ~3.4M consumer drones and ~327K commercial small unmanned aircraft systems (sUAS, commonly known as drones) operating in the U.S. by 2020. Drones are increasingly used by law enforcement, emergency services, utility companies, large agricultural providers, and many other economic sectors. A drone’s components align closely with those of small computing devices, with the addition of aeronautical hardware. As such, drones may be susceptible to the same forms of attack that are increasingly common among computing devices. To test this theory, we conducted a study to identify cyber-related vulnerabilities in a consumer model drone. We conducted a vulnerability assessment to identify vulnerabilities, and then attempted to exploit them through various means. We performed attacks to determine the feasibility, practicality, and significance of each attack, as well as its effect on the drone’s ability to maintain safe, functional flight. The vulnerabilities included the lack of an authentication mechanism for the smartphone-to-drone connection, exposed unencrypted services requiring no authentication that lead to an unrestricted superuser account, and the ability to forcibly disconnect the first-person view (FPV) camera. Additionally, the FPV feed is unencrypted (potentially leading to eavesdropping), and the drone’s communication links are susceptible to signal disruption. Based on our findings, we provide a set of recommendations to improve the security of the drone. These include closing open and insecure ports, using encrypted services, and requiring authentication.