

Phone | 010-82030532 Mobile | 18501361766
WeChat | tech9999 Email | [email protected]
Source: Drones
Author: Drones
IOActive’s latest blog post introduces a white paper titled “Drone Security and Fault Injection Attacks” ( https://ioac.tv/3N005Bn ), summarizing the current security landscape in the drone industry, describing how the company’s researchers developed threat models, selected initial targets, prepared attack components, and discussed their intended goals and the final outcomes of the project.


IOActive has been researching the possibility of using non-invasive techniques, such as Electromagnetic (EM) bypass attacks or EM Fault Injection (EMFI), to achieve code execution on commercial drones with significant security features. For this work, the researchers selected one of the most popular drone models, the DJI Mavic Pro. DJI is an experienced manufacturer that emphasizes the security of its products, featuring signed and encrypted firmware, Trusted Execution Environment (TEE), and secure boot.

1. Technical Performance Indicators
Drones are used for various applications, including military, commercial, and recreational. Like any other technology, drones are susceptible to various types of attacks that can compromise their functionality and security.
As shown in the figure above, drones expose several attack surfaces: (1) Backend, (2) Mobile applications, (3) RF (Radio Frequency) communication, and (4) Physical devices. As described in the white paper ( https://ioac.tv/3N005Bn), IOActive utilizes EM emissions and EMFI because they are non-invasive. The researchers used Riscure products as the primary tools for this study. The following image shows a PCB being analyzed after being removed from the drone; power has been connected to an external power source.

Attack Methods
The first method is to attempt to use EM emissions to decrypt firmware and retrieve encryption keys. First, locate an area on the drone’s PCB with a strong EM signal, allowing a probe to be placed and sufficient traces to be recorded to extract the key.
After identifying the location with the strongest signal, the researchers worked to understand how to bypass the signature verification that occurs before firmware decryption. After several days of testing and data analysis, they found that the probability of successfully bypassing the signature was less than 0.5%. This made key recovery impractical, as it required the researchers to collect thousands of traces.
The second method is to use EMFI based on ideas published by Riscure. Riscure suggests using small faults to convert one instruction into another and gain control over, for example, PC registers. The following image shows the setup used for this method, which includes a laptop (used as a controller), power supply, Riscure’s Spider (for generating triggers), oscilloscope, XYZ table, and EMFI pulse generator.

After determining a sufficiently small area on the PCB, the researchers modified the shape and timing of the glitches until they observed successful results. The target process crashed, as shown in the following image: The program received signal SIGSEGV, segmentation fault. 0x2a002f44 in ?? ()#0 0x2a002f44 in ?? ()#1 0x2a000f5a in ?? ()#2 0x2a0011de in ?? ()#3 0x2a000b04 in ?? ()#4 __libc_init () at 0xb6f9b42c from /system/lib/libc.so#5 0x2a00099c in ?? Backtrace stopped: previous frame is identical to this frame (corrupted stack?) r0 0x41414141 1094795585r1 0x41414141 1094795585r2 0xbefff6dc 3204445916r3 0x41414141 1094795585r4 0x41414141 1094795585r5 0xbefffbc4 3204447172r6 0x85242d9a 2233740698r7 0xbefff6f0 3204445936r8 0xb6b4e008 3065307144r9 0xb6b4e1e8 3065307624r10 0xbefffad0 3204446928r11 0x2d7160 2978144r12 0xbefff6ec 3204445932sp 0xbefff6c8 0xbefff6c8lr 0xde 222pc 0x2a002f44 0x2a002f44cpsr 0x60000030 1610612784The researchers’ payload appeared in several registers. Upon examining the code at the target address, they determined that they had found a successful combination of timing, location, and glitch shape. The following capture shows the instruction that caused the segmentation fault:
The capture clearly shows the load instruction copying the researchers’ data into registers R0 and R1. Additionally, the GDB output also shows registers R3 and R4 ending with controlled data. More details can be found in the white paper ( https://ioac.tv/3N005Bn ).
After successfully causing memory corruption, the next step would be to design an appropriate payload to achieve code execution. An attacker could exploit this condition to gain full control of a device, leak all sensitive content, enable ADB queries, and potentially leak encryption keys.

Mitigation Measures
As for mitigation measures, IOActive recommends that manufacturers implement hardware and software countermeasures against EMFI attacks. However, the security company notes that the cost of hardware countermeasures can be high and should be considered early in the design phase. Software mitigations can be added at a later stage, but they may not be as effective.

Although the experiments were conducted on DJI drones, the EMFI attack method—if proven effective—could be applied to any type of drone.
SecurityWeek has reached out to DJI to inquire whether the company is currently implementing or planning to implement EMFI protections for its drones.


