Hack Allows Drone Takeover Via ‘ExpressLRS’ Protocol

A radio control system for drones is vulnerable to remote takeover, thanks to a weakness in the mechanism that binds transmitter and receiver.

The popular protocol for radio controlled (RC) aircraft called ExpressLRS can be hacked in only a few steps, according to a bulletin published last week.

ExpressLRS is an open-source long range radio link for RC applications, such as first-person view (FPV) drones. “Designed to be the best FPV Racing link,” wrote its authors on Github. According to the report the hack utilizes “a highly optimized over-the-air packet structure, giving simultaneous range and latency advantages.”

The vulnerability in the protocol is tied to the fact some of the information sent over via over-the-air packets is link data that a third-party can use to hijack the connection between drone operator and drone.

Infosec Insiders Newsletter

Anyone with the ability to monitor traffic between an ExpressLRS transmitter and receiver can hijack the communication, which “could result in full control over the target craft. An aircraft already in the air would likely experience control issues causing a crash.”

Weakness in Drone Protocol 

The ExpressLRS protocol utilizes what is called a “binding phrase,” a kind of identifier that ensures the correct transmitter is talking to the correct receiver. The phrase is encrypted using MD5 – a hashing algorithm that’s been considered broken (PDF) for nearly a decade. As noted in the bulletin, “the binding phrase is not for security, it is anti-collision,” and security weaknesses associated with the phrase could allow an attacker to “extract part of the identifier shared between the receiver and transmitter.”

The core of the problem is tied to the “sync packets” – data communicated between transmitter and receiver at regular intervals to ensure they are synced up. These packets leak much of the binding phrase’s unique identifier (UID) – specifically, “75% of the bytes required to take over the link.”

That leaves only 25% – only one byte of data – left open. At this point, the report author explained, the remaining bit of the UID can be brute forced, or gathered “by observing packets over the air without brute forcing the sequences, but that this can be more time consuming and error prone.”

If an attacker has the UID in hand, they can connect with the receiver – the target aircraft – and take at least partial control over it.

The author of the bulletin recommended the following actions be taken, to patch over the vulnerabilities in ExpressLRS. Do not send the UID over the control link. The data used to generate the FHSS sequence should not be sent over the air. Improve the random number generator. This could involve using a more secure algorithm, or adjusting the existing algorithm to work around repeated sequences.

Register Now for this LIVE EVENT on MONDAY JULY 11: Join Threatpost and Intel Security’s Tom Garrison in a live conversation about innovation enabling stakeholders to stay ahead of a dynamic threat landscape and what Intel Security learned from their latest study in partnership with Ponemon Institue. Event attendees are encouraged to preview the report and ask questions during the live discussion. Learn more and register here.


Suggested articles