Students of the University of Tartu proved that drones can be hijacked
Erasmus exchange students of the Institute of Computer Science of the University of Tartu have demonstrated that it is possible to fully take over the control of commercial drones. Weak drone security leads to cyber attack opportunities against drones.
Drones (e.g. quadcopters) are more and more widely available for recreational, business and military purposes. Drones can be used to monitor the movement of the enemy in war situations, to guard the state border or to help find missing people. Statistics show that in Europe, the use of drones increases by 30% each year, which raises concerns about drone security.
Drones have also found its way into everyday use in Estonia. Drones are actively used for aerial photo- and videography. “One example was the Estonian song celebration where several drones were flying over our heads. Also politicians have used drones for political stunts: flying drones behind the back of the opponent to ruin their live TV broadcast,” illustrated the Head of the Institute of Computer Science and Professor of Bioinformatics Jaak Vilo, adding that often drones are flown illegally, without permission, which raises even more concerns about drone-related hazards.
Many nations are imposing no-fly zones for drones, but there is no actual easy protection against them. Another thing to consider is that the majority of drones currently flying over our heads are totally lacking security protections. “There is no protection for their rightful controllers, so anyone could gain their control and attempt something malevolent. This may create an undesired threat to this fast-evolving commercial and security-related area,” deliberated Vilo.
In a project performed at the University of Tartu, students have demonstrated that it is possible to fully take over the control of commercial drones. The project was completed only in a couple of months by Erasmus exchange students Manuel Kramer and Martin Schmeisser from the University of Bremen, Germany. They worked under the guidance of Rafik Chaabouni, a visiting researcher from the Swiss Federal Institute of Technology in Lausanne, and Amnir Hadachi, a Research Fellow of the University of Tartu.
The students who participated in the project explained that in the first part of the project they proved that they can spy on the video stream sent out by a drone without getting detected. In the second part, they demonstrated that it is possible to hijack the drone in several ways: “First, we can take over the controls. Second, we can block out the original owner of the drone – the person originally operating the remote control. Third, we can capture the video of the drone and send it to the ground station or the other drone, and fourth, we can order the hijacked drone to follow the hijacker simply by visual video processing,” described Manuel Kramer and Martin Schmeisser.
“According to the nightmare scenario, another drone approaches your drone, takes over its controls and flies away, your drone following that another drone. In this project, the students have shown that this is a perfectly doable scenario,” said the supervisor of the students Rafik Chaabouni, recognising their work. He added that all the necessary IT processing can be installed on the very cheap Raspberry Pi computer that can be carried by a similar drone.
“The students have shown that the communication of most drones is currently unsecure, making drones vulnerable. It only takes a bit of programming, an antenna, and it is possible to implement all scenarios described above,” said Vilo, adding that by exposing such scenarios the researchers want to raise the awareness of the risks of sloppy data security at the time of more and more autonomous flying machines.
Additional information: Jaak Vilo, Head of the UT Institute of Computer Science, Professor of Bioinformatics, tel: +372 50 49 365, email: vilo [ät] ut.ee.