UT Dallas Cyber-Physical Systems Security Lab’s YouTube
Watch A Very Vulnerable $140 Quadcopter Drone Get Hacked Out Of The Sky
With so many reports of poor security on consumer drones, UAV enthusiasts would be forgiven for thinking manufacturers would have added mitigations against the most basic attacks. But, looking at one particularly popular model of drone, such hopes might be misplaced.
Earlier this month, the U.S. government-sponsored Carnegie Mellon Computer Emergency Response Team was compelled to put out a warning on the DBPOWER Quadcopter, which was vulnerable to a rudimentary attack that allowed anyone within range of the drone’s Wi-Fi connection to take it out of the sky. The researchers who uncovered the bug, from the Cyber-Physical Systems Security Lab at University of Texas at Dallas, put together a video for Forbes showing how they quickly obtained root access to the quadcopter and cut its power.
The Chinese-made drone is currently listed as a best seller at $140 on Amazon (though it’s been reduced to $80). It contained a number of worrying vulnerabilities, according to UT Dallas researcher Junia Valente.
She explained that misconfigured FTP access allowed the researchers to overwrite a system file and remove the password for the root user. That gave them complete control of the drone, letting them shut its power off and preventing the owner from controlling the flying machine with the system’s proprietary smartphone app.
As the drone could take photos and record videos, a malicious hacker could also download the footage without the victim ever knowing, Valente noted.
A widespread problem?
The manufacturer of the original device appears to be China’s Chenghai UDIRC Toys Co., as that name came up when the researchers looked up the FCC ID printed on the UAV.
Forbes also carried out a search on Amazon for the “UDI U818A Wi-Fi” drone model, which is being resold by DBPOWER under its own name. Variants of the quadcopter were available, with different branding and some cosmetic changes. That included the UDIRC-branded quadcopter selling for $120.
It may be that those models are also vulnerable to the same attacks, but the researchers had not tested them at the time of publication. “The UDI U818A WiFi drone model appears to be very popular and sold by a variety of vendors,” noted UT Dallas’s Alvaro Cardenas. “It appears that what most vendors do is modify the U818A Wi-Fi model superficially (different colors, apps, etc.) but the core drone functionalities appear to be the same. We believe that this vulnerability would be applicable to all of these models.”
Indeed, the researchers recently bought another quadcopter drone, the $140 Force1 UDI U818A Wi-fi FPV Drone sold by USA Toyz, and verified they could take control of the machine and kill it mid-flight with the same attack used in the DBPOWER hack.
None of the manufacturers had responded to requests for comment. The Carnegie Mellon CERT was also unable to contact DBPOWER. It had a somewhat depressing note in its release, concluding it was “currently unaware of a practical solution to this problem.”