If you had any lingering doubts that drones had truly gone mainstream, good news: Like most other consumer technology products, your drone can get malware now, too.
Security researcher Rahul Sasi unveiled a new proof-of-concept malware called Maldrone that claims to give an attacker backdoor access to the popular hobbyist quadrocopter Parrot AR.Drone 2.0. According to Sasi, Maldrone can be installed on the drone remotely, over a wireless connection, without the operator knowing.
Once in place, an attacker can take control of the drone, perform remote surveillance using the drone's video camera, and possibly even spread itself to other drones, too. In theory, the attack isn’t limited to the Parrot AR.Drone, either, but could apply to any drone with an ARM processor and a Linux-based operating system. Sasi says that more technical details will be presented at a conference called Nullcon in Goa, India next month. "As Parrot is currently investigating this, they don’t have any comments to share at this time," wrote Katie Geralds of Parrot USA's PR company Airfoil Group in an email.
Though Maldrone is billed as the world’s first drone malware by Sasi, there have technically been other attacks that have taken control of drones before too. At the end of 2013, researcher Samy Kamkar published code for a project called SkyJack. Using a Parrot AR.Drone 2.0, a Raspberry Pi, and a wireless transmitter, Kamkar was able to exploit a Parrot Drone's wireless connection with its operator, and force the target drone to connect to his drone instead.
SkyJack "authenticates with the target drone pretending to be its owner, then feeds commands to it and all other possessed zombie drones at my will," Kamkar wrote. Another previous hack took control of Parrot drones, which in turn infected other drones, using commands typically reserved for developers.
"But the one we're discussing now, you're actually using a vulnerability in the drone's software to completely take it over,” said Jean-Philippe Taggart, a senior security researcher at Malwarebytes. Sasi’s attack instead replaces the Parrot AR.Drone firmware itself with a slightly modified version.
According to Sasi, drones such as the Parrot AR.Drone and DJI Phantom typically automate certain operations, such as take-off, landing and stability in-flight. Maldrone inserts itself between the drone's automation software and its communication with the hardware—including rotors, LEDs, navigation, accelerometer, camera and other sensors—enabling a remote attacker to "intercept and modify data on the fly."
In a short video, Sasi takes a Parrot AR.Drone outside and, after infecting the drone with Maldrone, disables the drone's rotors from a MacBook nearby. The Parrot AR.Drone drops from mid-air into Sasi's hands. "Once connection is established we can interact with the software as well as drivers/sensors of the drone directly," Sasi wrote in a post describing Maldrone. "There is an existing AR.Drone piloting program. Our backdoors kills the autopilot and takes control."
The backdoor is apparently persistent, even if the drone is reset to its factory defaults. The only way to remove the backdoor is to reinstall an original, uninfected copy of the drone’s software. In an email to Motherboard, Sasi said there are no security checks in Parrot’s software preventing a modified version of the AR.Drone software from being installed on the drone in the first place.
“Any device that accepts wireless firmware updates should download the update over an encrypted connection and check that the update is correctly signed before accepting it,” wrote Mikko Hypponen, chief research officer with online security and privacy company F-Secure, in an email. “Apparently this wasn't done here.”
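The signature check Hypponen describes can be sketched as follows. This is an added example, not Parrot's updater and not code from Sasi's research; it covers only the signing half of his advice, not the encrypted download. The function names, file names and throwaway key pair are hypothetical, and it assumes the `openssl` command-line tool is available to the updater.

```shell
#!/bin/sh
# Added example (hypothetical names); assumes the openssl CLI is on the device
# and the vendor public key is already stored where an update cannot replace it.

# verify_firmware IMAGE SIG PUBKEY: status 0 only if SIG is a valid SHA-256
# signature over IMAGE under PUBKEY.
verify_firmware() {
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# install_firmware IMAGE SIG PUBKEY DEST: copy the image to a staging file,
# verify that copy, then rename it into place, so the bytes that were checked
# are the bytes that get installed.
install_firmware() {
    stage="$4.staged.$$"
    cp "$1" "$stage" || return 2
    if verify_firmware "$stage" "$2" "$3"; then
        mv "$stage" "$4"
    else
        rm -f "$stage"
        echo "firmware rejected: signature check failed" >&2
        return 1
    fi
}

# Constructed demo: throwaway key pair, one signed image, one modified copy.
demo() {
    d=$(mktemp -d) || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/vendor.key" 2>/dev/null
    openssl pkey -in "$d/vendor.key" -pubout -out "$d/vendor.pub"
    printf 'constructed firmware image v1\n' > "$d/fw.bin"
    openssl dgst -sha256 -sign "$d/vendor.key" -out "$d/fw.sig" "$d/fw.bin"
    cp "$d/fw.bin" "$d/fw_modified.bin"
    printf 'extra bytes\n' >> "$d/fw_modified.bin"
    install_firmware "$d/fw.bin" "$d/fw.sig" "$d/vendor.pub" "$d/active.bin" && good=0 || good=$?
    install_firmware "$d/fw_modified.bin" "$d/fw.sig" "$d/vendor.pub" "$d/active2.bin" && bad=0 || bad=$?
    [ -e "$d/active2.bin" ] && leaked=1 || leaked=0
    rm -rf "$d"
    echo "signed=$good modified=$bad installed_modified=$leaked"
}

demo
```

The signed image installs, while the modified copy presented with the original signature is refused and never reaches its destination path.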
Sasi suggested it might even be possible to combine Maldrone with SkyJack, and spread the malware to other Parrot drones in-flight, but has yet to test this scenario against other drones. And while the Maldrone malware itself could theoretically infect other ARM-Linux based drones—such as DJI’s Phantom series of drones—the delivery mechanism in this case is unique to the Parrot AR.Drone. Parrot, for example, allows users to update its drone's firmware wirelessly from a computer, or via the company's iPhone app, while DJI requires its Phantom to be plugged in via USB. (Sasi said he hasn’t tested the exploit on a DJI Phantom drone, but that, given the similarities, it should work.)
"I find from a security perspective what you're seeing there is a glimpse of something that could be much worse,” Taggart said, describing a future world of autonomous Amazon delivery drones and self-driving cars. “More serious would be if you were attacking the infrastructure of a commercial entity." For now, however, let’s be glad Sasi is only attacking toys.