Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Consumer UAV Cybersecurity Vulnerability Assessment Using Fuzzing Tests

David Rudo, Kai Zeng

TL;DR

A new UAV vulnerability is explored with related UAV security practices identified for possible exploitation using large streams of data sent at specific ports and countermeasures to combat the exploitation will be discussed.

Abstract

Unmanned Aerial Vehicles (UAVs) are remote-controlled vehicles capable of flight and are present in a variety of environments from military operations to domestic enjoyment. These vehicles are great assets, but just as their pilot can control them remotely, cyberattacks can be executed in a similar manner. Cyber attacks on UAVs can bring a plethora of issues to physical and virtual systems. Such malfunctions are capable of giving an attacker the ability to steal data, incapacitate the UAV, or hijack the UAV. To mitigate such attacks, it is necessary to identify and patch vulnerabilities that may be maliciously exploited. In this paper, a new UAV vulnerability is explored with related UAV security practices identified for possible exploitation using large streams of data sent at specific ports. The more in-depth model involves strings of data involving FTP-specific keywords sent to the UAV's FTP port in the form of a fuzzing test and launching thousands of packets at other ports on the UAV as well. During these tests, virtual and physical systems are monitored extensively to identify specific patterns and vulnerabilities. This model is applied to a Parrot Bebop 2, which accurately portrays a UAV that had their network compromised by an attacker and portrays many lower-end UAV models for domestic use. During testings, the Parrot Bebop 2 is monitored for degradation in GPS performance, video speed, the UAV's reactivity to the pilot, motor function, and the accuracy of the UAV's sensor data. All these points of monitoring give a comprehensive view of the UAV's reaction to each individual test. In this paper, countermeasures to combat the exploitation of this vulnerability will be discussed as well as possible attacks that can branch from the fuzzing tests.

Consumer UAV Cybersecurity Vulnerability Assessment Using Fuzzing Tests

TL;DR

A new UAV vulnerability is explored with related UAV security practices identified for possible exploitation using large streams of data sent at specific ports and countermeasures to combat the exploitation will be discussed.

Abstract

Unmanned Aerial Vehicles (UAVs) are remote-controlled vehicles capable of flight and are present in a variety of environments from military operations to domestic enjoyment. These vehicles are great assets, but just as their pilot can control them remotely, cyberattacks can be executed in a similar manner. Cyber attacks on UAVs can bring a plethora of issues to physical and virtual systems. Such malfunctions are capable of giving an attacker the ability to steal data, incapacitate the UAV, or hijack the UAV. To mitigate such attacks, it is necessary to identify and patch vulnerabilities that may be maliciously exploited. In this paper, a new UAV vulnerability is explored with related UAV security practices identified for possible exploitation using large streams of data sent at specific ports. The more in-depth model involves strings of data involving FTP-specific keywords sent to the UAV's FTP port in the form of a fuzzing test and launching thousands of packets at other ports on the UAV as well. During these tests, virtual and physical systems are monitored extensively to identify specific patterns and vulnerabilities. This model is applied to a Parrot Bebop 2, which accurately portrays a UAV that had their network compromised by an attacker and portrays many lower-end UAV models for domestic use. During testings, the Parrot Bebop 2 is monitored for degradation in GPS performance, video speed, the UAV's reactivity to the pilot, motor function, and the accuracy of the UAV's sensor data. All these points of monitoring give a comprehensive view of the UAV's reaction to each individual test. In this paper, countermeasures to combat the exploitation of this vulnerability will be discussed as well as possible attacks that can branch from the fuzzing tests.

Paper Structure

This paper contains 41 sections, 7 figures, 1 table.

Table of Contents

  1. Introduction
  2. Related Work
  3. Overview of UAV Security
  4. Physical Attacks
  5. Logical Attacks
  6. Forensics
  7. Fuzzing
  8. IoT Networks
  9. Testing Methodology And Results
  10. Hardware and Tools
  11. Fuzzing Tests and FTP Anonymous
  12. FTP Commands
  13. Metasploit FTP Fuzzer Module
  14. Testing Overview
  15. User Action Commands
  16. ...and 26 more sections

Figures (7)

  • Figure 1: Parrot Bebop 2 drone used for testing
  • Figure 2: The basic structure of an FTP network connection ftp
  • Figure 3: The two arrays in the Metasploit ftp_pre_post module with one containing FTP commands while the other stores special characters
  • Figure 4: The enhanced for-loop that is running every combination of commands and special characters in the Metasploit ftp_pre_post module
  • Figure 5: The blue globe is an indicator that the GPS function is unavailable. When a fuzzing test occurs, the video feed in [a] will be displayed with [b]'s blue globe instead
  • ...and 2 more figures