Drones that don’t have any known security weaknesses could be the target of electromagnetic fault injection (EMFI) attacks, potentially enabling a threat actor to achieve arbitrary code execution and compromise their functionality and safety.
The research comes from IOActive, which found that it is “feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update.”
“This would allow an attacker to gain code execution on the main processor, gaining access to the Android OS that implements the core functionality of the drone,” Gabriel Gonzalez, director of hardware security at the company, said in a report published this month.
The study, which was undertaken to determine the current security posture of Unmanned Aerial Vehicles (UAVs), was carried out on Mavic Pro, a popular quadcopter drone manufactured by DJI that employs various security features like signed and encrypted firmware, Trusted Execution Environment (TEE), and Secure Boot.
Side-channel attacks typically work by indirectly gathering information about a target system by exploiting unintended information leakages arising from variations in power consumption, electromagnetic emanations, and the time it takes to perform different mathematical operations.
EMFI aims to induce a hardware disruption by placing a metal coil in close physical proximity to the Android-based Control CPU of the drone, ultimately resulting in memory corruption, which could then be exploited to achieve code execution.
“This could allow an attacker to fully control one device, leak all of its sensitive content, enable ADB access, and potentially leak the encryption keys,” Gonzalez said.
As for mitigations, it’s recommended that drone developers incorporate hardware- and software-based EMFI countermeasures.
This is not the first time IOActive has highlighted uncommon attack vectors that could be weaponized to target systems. In June 2020, the company detailed a novel method that makes it possible to attack industrial control systems (ICS) using barcode scanners.
Other assessments have illustrated security misconfigurations in the Long Range Wide Area Network (LoRaWAN) protocol that make it susceptible to hacking and cyber attacks as well as vulnerabilities in the Power Line Communications (PLC) component used in tractor trailers.
