The use of Unmanned Aerial Vehicles (UAVs), commonly referred to as drones, continues to grow. Drones implement varying levels of security, with more advanced modules being resistant to typical embedded device attacks. IOActive’s interest is in developing one or more viable Fault Injection attacks against hardened UAVs.

This paper covers IOActive’s work in setting up a platform for launching side-channel and fault injection attacks using a commercially available UAV. We describe how we developed a threat model, selected a preliminary target, and prepared the components for attack, and we discuss what we hoped to achieve and the final result of the project.

IOActive set out to explore the possibility of achieving code execution on a commercially available drone with publicly disclosed vulnerabilities using non-invasive techniques, such as electromagnetic (EM) side-channel attacks and EM fault injection (EMFI). If successful, we could apply the lessons learned to a completely black-box approach and attempt to compromise devices with no well-known vulnerabilities.

As a target, we chose DJI, a seasoned manufacturer that emphasizes security in its products through features such as signed and encrypted firmware, a Trusted Execution Environment (TEE), and Secure Boot. We used a controlled environment to investigate the impact of side-channel attacks and EMFI techniques.

We demonstrated that it is feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update. This would allow an attacker to gain code execution on the main processor and, with it, access to the Android OS that implements the core functionality of the drone.

