Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Transportation Security

Glaring Vulnerabilities Make Many Commercial Drones 'Insecure by Design' (threatpost.com) 22

Slashdot reader msm1267 quotes ThreatPost: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device. The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models -- manufactured by the same company but sold under different names -- are also vulnerable.

They contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone's filesystem and modify its root password... Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device's live feed or the drone's open ports.

This discussion has been archived. No new comments can be posted.

Glaring Vulnerabilities Make Many Commercial Drones 'Insecure by Design'

Comments Filter:
  • Commercial? (Score:4, Insightful)

    by ColdWetDog ( 752185 ) on Sunday May 07, 2017 @10:10AM (#54371189) Homepage

    TFA makes a big deal about vulnerabilities in 'commercial' UAVs but then goes on about obtaining root in an obvious 'toy' quadcopter. Not the $60,000 big boys that might be fun (or lucrative) to steal or, more threateningly, drop on somebody's head. A half kilogram plastic thing that might poke your eye out if you tried hard enough.

    Hell, I (and a whole bunch of others) would love for somebody to root the DJI quads. Then we can get rid of some of the more recent 'improvements' in the firmware.

    Really, I'm not seeing this. Somebody pops the innards of a cheap, Chinese toy.

    Woot!

    • Exactly.

      " plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device"

      It's a feature. And a lot quieter than using a shotgun on them, or hiring eagles [youtube.com] to kill them dead.

      • DJI already has that as a built in feature. A quick perusal of the various forum threads shows that the two most common behaviors are crashing or just running away.

        The other way to look at this, however, is perhaps they're learning. They're taking the first steps towards Skynet. Hiding in crevices, sewers, old Novell servers hidden in back rooms. Waiting for the final reflash.

        (Stares at the pair of Phantoms on the shelf.)

      • Meh, that's for wooses. Russian solution is more economical [youtube.com].
    • It's even got crappy plastic prop guards. This thing is not even a very good toy.

      Come back when someone can hack an Inspire in flight.

    • TFA makes a big deal about vulnerabilities in 'commercial' UAVs but then goes on about obtaining root in an obvious 'toy' quadcopter. Not the $60,000 big boys that might be fun (or lucrative) to steal or, more threateningly, drop on somebody's head. A half kilogram plastic thing that might poke your eye out if you tried hard enough.

      Hell, I (and a whole bunch of others) would love for somebody to root the DJI quads. Then we can get rid of some of the more recent 'improvements' in the firmware.

      Really, I'm not seeing this. Somebody pops the innards of a cheap, Chinese toy.

      Woot!

      Drop a drone into 8 lanes of freeway traffic, and tell me again how a "toy" should always be dismissed as harmless as chaos ensues from distracting drivers.

      And if you have suggestions for vendors to correct 'improvements' their hardware, then let them know instead of sitting around waiting for a hack.

  • The Internet of Shit has been known to be insecure for a long time. [twitter.com] Now there are people bricking these shitty devices which I do not object to because it's only possible due to neglect by the device maker.

  • a reality check (Score:4, Interesting)

    by Max_W ( 812974 ) on Sunday May 07, 2017 @11:45AM (#54371517)
    A car with a speed of 320 km/h, an engine of 500 hp, and a weight of 3 tons is potentially much more dangerous than a tiny drone, isn't it? Still basically anyone can buy and drive a car.
    • by hey! ( 33014 )

      As easy as it is to overlook how dangerous a car is, it's also just as easy to overlook how much effort we put into dealing with that. An alien anthropologist would be astonished by how much time and money we put into automobile regulation.

      We think of police as crime fighting organizations, but that hypothetical alien anthropologist, going strictly by observations, would conclude that their primary purpose is to control automobiles. Automobile licensing is the sole thing for which the majority of the popu

  • How else do you allow updates to the system without root access?

  • Someone evidently saw this talk [youtube.com] and decided to try it at home. These vulnerabilities have been public for a couple years now.

When the weight of the paperwork equals the weight of the plane, the plane will fly. -- Donald Douglas

Working...