Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.
ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.
According to a recently published bulletin, an attacker using only a standard ExpressLRS-compatible transmitter can take control of any receiver after observing the traffic from the corresponding transmitter.
Security issues in the binding phase allow an attacker to extract part of the identifier shared between the receiver and transmitter. Analysis of this part, combined with a brute-force attack, lets the attacker recover the remaining part of the identifier. Once the attacker holds the complete identifier, they can take over the craft containing the receiver using their own transmitter, without any knowledge of the binding phrase. This attack scenario is feasible entirely in software using standard ExpressLRS-compatible hardware.
“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NCC Group. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”
The binding phrase used by the ExpressLRS protocol is not encrypted but hashed with MD5, a hashing algorithm known to be cryptographically broken, and the shared identifier is derived from that hash.
The experts observed that the “sync packets” exchanged between transmitter and receiver at regular intervals for synchronization leak a major part of the unique identifier (UID) derived from the binding phrase. An attacker can determine the remaining part by brute force, or by observing packets over the air without brute-forcing the sequences.
“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.
The third weakness occurs in the FHSS sequence generation.”
The advisory recommends not sending the UID over the control link: the data used to generate the FHSS sequence should never be transmitted over the air. It also recommends improving the random number generator, either by using a more secure algorithm or by adjusting the existing algorithm to work around repeated sequences.
(SecurityAffairs – hacking, drones)