Threats to UAVs (20210812, Flashpoint)


8/16/2021 Flashpoint - Threats To Uavs (August 12, 2021)

Intelligence Report

Threats to UAVs


August 12, 2021

EXECUTIVE OVERVIEW
Uncrewed (or unmanned) aerial vehicles (UAVs), also referred to as uncrewed aerial systems (UAS) or “drones,” are emerging as a powerful in-air
flight technology that uses state-of-the-art sensors and transports payloads to difficult-to-access or largely impassable areas. They have a near-unique
ability to provide valuable information and conduct specialized payload operations. Global demand for the UAV market is anticipated to exceed $56
billion by 2027, according to Emergen research [1]. Prior reporting from the US Transportation Department estimates that total federal and state
government demand for UAVs will amount to approximately 36,000 vehicles by 2035 [2].

Commercial demand for UAVs is also expected to increase as they begin to be used in commercial delivery. For example, Amazon Prime Air plans
to deliver products to customers within thirty minutes of purchase in the United States, United Kingdom, Austria, France, and Israel [3].

Successful UAV operations depend on an available power supply, effective radio communications between users, and computer networks that send
and receive data from a variety of sources. Interference with these interactions affects UAV radio frequency communication and data transmissions.
Possible attack methods could involve affecting the data confidentiality, integrity, and availability of network and radio frequency resources inherent
to UAV operations, which could result in disruptions, delays, and ending UAV missions.

This report evaluates the cyber risks to UAV operations for governments. Future updates will evaluate cyber and physical security risks to critical
infrastructure from criminal, terror, or state-directed UAV operations.

Background
UAV Cyber Vulnerabilities
• Denial-of-Service
• Unauthorized Access
UAV Cyber Exploits
• UAV Detection
• Person-in-the-Middle
• GPS Spoofing
• GPS Jamming
Cyber Threats to UAV
• IRGC Attacks on US Drones
Use of UAVs in Attacks (added 8/12/21)
UAV Threat Mitigations
https://flashpoint.761link.net/home/intelligence/reports/report/CPV2_tw2SxmDCEK-QSeLNg 1/8

Citations
Change Log

BACKGROUND

Uncrewed aerial vehicles (UAVs), commonly referred to as drones, are essentially flying sensors. As their use becomes more widespread in both the
government and the commercial sectors, they will involve more capabilities, requiring increasing numbers of systems interactions. UAV
cybersecurity is already a concern, and as their capabilities increase, so will their attack surface.

Image 1: UAVs as used in the US Army, according to NASA. [4]

Image 2: UAV mission sets, according to NASA. [5]

Commercially employed UAVs are not built with security in mind: They lack encryption features and protection against exposure or unauthorized
access to uplink and downlink communications with networks, have only minimal authentication in their communication with command and control
(C2) and sensors, and have minimal confidentiality protection and integrity checks for GPS or satellite navigation.

UAV CYBER VULNERABILITIES


DENIAL-OF-SERVICE

Commercial off-the-shelf (COTS) UAVs can be vulnerable to data packet–originated denial-of-service attacks affecting different OSI layers.

In 2016, researchers at Johns Hopkins University conducted three kinds of external attacks against COTS hobbyist UAV flight operations, resulting
in a crash landing each time [6].

• In the first attack, the drone was overloaded with 1,000 successive wireless connection requests, each asking for control of the
device. As a result, the drone’s central processing unit (CPU) shut down, causing it to crash. This is a layer 4 denial-of-service
attack, where excessive requests to execute commands outstrip the available memory allocated to the drone’s operating system.

• In the second attack, the team sent data packets that exceeded the UAV’s allocated buffer capacity, resulting in subsequent disruption
and crash.

• In the last attack, the team programmed a device to pose as the drone by constantly sending spoofed packets to the UAV’s controller.
This led to communications being cut off with the drone, which then caused it to perform an emergency landing. This attack is a type
of deauthentication or disassociation flood attack targeting the drone user connected to the MAC address.
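The first and third attacks above leave a recognizable trace in a capture of wireless management frames: a burst of connection requests aimed at the drone, and a burst of deauthentication frames aimed at the controller. The detector below is an added example, not code from the report or from the Johns Hopkins team; the record format, MAC addresses, window and thresholds are assumptions, and the frame log is constructed.

```python
from collections import defaultdict, deque

# Constructed addresses (locally administered MACs), not taken from the report.
DRONE = "02:00:00:00:00:01"
CONTROLLER = "02:00:00:00:00:02"

# Assumed thresholds: frames of one subtype aimed at one receiver within the window.
WINDOW_S = 5.0
LIMITS = {"assoc_req": 50, "deauth": 20, "disassoc": 20}


def detect_floods(frames, window_s=WINDOW_S, limits=LIMITS):
    """Scan time-ordered (ts, subtype, src, dst) management-frame records.

    Counting is keyed on the receiver, because the sender address in a
    flood is typically spoofed or rotated. Returns one alert per
    (subtype, receiver): (subtype, dst, first_alert_ts, frames_in_window).
    """
    recent = defaultdict(deque)   # (subtype, dst) -> timestamps inside the window
    alerts = {}
    for ts, subtype, _src, dst in frames:
        if subtype not in limits:
            continue
        key = (subtype, dst)
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) > limits[subtype] and key not in alerts:
            alerts[key] = (subtype, dst, ts, len(window))
    return list(alerts.values())


def constructed_capture():
    """Constructed frame log: normal traffic, then the two flood patterns."""
    frames = [
        (0.0, "assoc_req", CONTROLLER, DRONE),   # legitimate pairing
        (1.0, "data", CONTROLLER, DRONE),
        (2.0, "deauth", CONTROLLER, DRONE),      # single, legitimate disconnect
        (3.0, "assoc_req", CONTROLLER, DRONE),
    ]
    # 1,000 successive connection requests, each from a different sender.
    for i in range(1000):
        src = f"06:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append((10.0 + i * 0.002, "assoc_req", src, DRONE))
    # Deauthentication frames that claim the drone as sender, aimed at the controller.
    for i in range(200):
        frames.append((30.0 + i * 0.02, "deauth", DRONE, CONTROLLER))
    return frames


if __name__ == "__main__":
    for alert in detect_floods(constructed_capture()):
        print("ALERT subtype=%s receiver=%s at t=%.2fs count=%d" % alert)
```

Keying on the receiver means the single legitimate deauthentication in the baseline traffic never comes close to the threshold, while both floods alert within the first fraction of a second.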

According to research from Los Alamos National Laboratories, the civilian GPS signal is unencrypted and has several known unclassified
vulnerabilities that can result in blocking, jamming, and spoofing [7]. GPS signal strength can also be overcome, and then either improperly directed
or jammed, by stronger emitters at a given frequency. As a result, UAVs employing civilian GPS are vulnerable to various attacks that could impact
the integrity of navigation and resulting flight operations, potentially ending in a denial of service.

Radio frequency is an important communication node for uplinks and downlinks for COTS UAVs. For both operated and automated COTS UAVs,
radio frequency range may be within the industrial, scientific, and medical (ISM) range (2.4 to 5.8 GHz); LTE (450 MHz to 6 GHz); or 5G (24-52
GHz). In the United States they can also use the frequency 915 MHz, and internationally they can use the range 433 to 868 MHz [8].

Band   Frequency    Usage
Ka     27-40 GHz    Satellite datalink, high-altitude UAV
K      18-27 GHz    Satellite datalink, high-altitude UAV
Ku     12-18 GHz    Satellite datalink, high-altitude UAV
C      4-8 GHz      Standard Wi-Fi, small and hobbyist UAV
S      2-4 GHz      Popular alternative for UAV; penetrates urban structures
L      1-2 GHz      Synthetic Aperture Radar, possible but not common UAV
       <1 GHz       Popular for long-range and low-power UAV


Chart 1: IEEE data on UAV frequency ranges. [9, 10]

Radio frequency transmissions are vulnerable to jamming, intercepts, and interference. Adversely impacting UAV radio frequencies can be an
avenue of attack toward denial-of-service.

UNAUTHORIZED ACCESS

Short-range UAVs involve telemetry, manual remote controls (RC), and video links. The manual RC link allows for basic steering within a range of
100 meters. The telemetry link has more advanced control features, such as setting waypoints and automated flying. The telemetry link comes from
a tablet that connects to the telemetry box via Wi-Fi, which in turn talks to the UAV via XBee 868LP chips [11]. The range of the telemetry link
reaches several kilometers, allowing for full control even if the UAV is far out of sight.

However, there is a security gap in the Wi-Fi link: Many COTS UAVs employ the weaker WEP (Wired Equivalent Privacy) as an encryption scheme,
which is vulnerable to password-cracking and thus unauthorized access. However, this attack would require the attacker to be within 100 meters of
the Wi-Fi link. An attacker could also target the XBee 868LP chips via remote AT commands, remotely changing the internal parameters of the
chips and routing traffic to their device. [12]

UAV CYBER EXPLOITS

UAV DETECTION

UAV detection is the process of finding UAVs within a given range for defensive or offensive purposes. UAV detection allows a person or
organization to determine the presence of UAVs within an established area of interest.

US-based company Apollo Shield offers a full line of products for UAV detection and UAV countering, such as RF rifles that can disable UAV flight
operations. While these are intended for detection and defense against rogue UAVs, they could potentially be used illegally against government-
employed UAVs. Flashpoint is not aware of any specific incidents or reporting of UAV defense products being used offensively against government
UAV employment, but analysts continue to monitor multiple public web, gray literature, and Deep and Dark Web (DDW) sources for these
instances.

Some mentions of UAV detection technologies appear within FP[.]tools, including reposts of press releases and chatter on related topics. The
detection technologies discussed include recent academic developments and commercial offerings.

On September 28, 2020, an anonymous Pastebin user reposted a finding from a research team at the Daegu Gyeongbuk Institute of Science and
Technology (DGIST). The research concerned a radar system that used AI to detect UAVs up to 3 km away.

Image 1: Beginning of a Pastebin post about DGIST UAV detector technology.

Further in the post, a link was provided to a China-based company called CTS Technology that sells UAV detection platforms. According to the CTS
Technology website, the company sells the following [13]:

• Drone detector/jammer. Advertised range: 200 m

• Human-portable UAV detector. Advertised range: 3 km



• Super range Glonass GPS Jammer. Advertised range: 25 km

• 30° Phase Sweep 10.2GHz UAV radar detector. Advertised range: 100 km

The registrar for ctstechnologys[.]com is Alibaba Cloud Computing (Beijing) Co. Ltd. The domain ctstechnologys[.]com does not correspond with
any malware engines in VirusTotal.

PERSON-IN-THE-MIDDLE

Flashpoint’s collections on illicit and underground communities reveal discussion of a number of cyber-hacking tools designed to target UAVs. For
example, on September 1, 2019, Kelvin Security—a group that focuses on hacking tools, security information, and network security, and has a
presence on Telegram, Deep and Dark Web forums, and a blog—posted a list of UAV exploit tools. Most are designed to target specific UAV models
in the smaller, hobbyist category.

Image 2: A list of “drone hacking tools” provided on Kelvin Security.

Kelvin Security described the following drone hacking tools that can be used against small UAVs:

• Sky Jack
    • Attack type: Remote hijack
    • Model affected: Parrot AR.Drone 2.0

• Parrot AR.Drone 2 – Wi-Fi Attack
    • Attack type: Remote hijack
    • Model affected: Parrot AR.Drone 2.0

• Bebop Wi-Fi Attack
    • Attack type: Remote hijack
    • Model affected: Parrot Bebop

• DroneJack
    • Attack type: detect, hijack
    • Model affected: Parrot Bebop

• Bebop Wi-Fi Drone Disabler with Raspberry Pi
    • Attack type: Remote hijack
    • Model affected: Parrot Bebop

• GPS Spoofing
    • Attack type: Remote hijack
    • Model affected: DJI Phantom

• GPS Jammer
    • Attack type: Denial of Service
    • Model affected: DJI Phantom, DJI Inspire, DJI Mavic, Yuneec Breeze, Yuneec Typhoon, Yuneec Tornado

• FPV Drone video downlink jammer
    • Attack type: Denial of Service
    • Model affected: Most hobbyist drones

• ICARUS
    • Attack type: Remote hijack
    • Model affected: Most hobbyist and professional grade drones

• Nils Rodday Attack
    • Attack type: Remote hijack
    • Model affected: Aerialtronics Altura Zenith, Law Enforcement drone

While the majority of these cyber-related exploits target smaller UAVs, Flashpoint analysts assess that they could potentially scale up to be used
against larger and higher-altitude classes of UAVs, potentially through lower-frequency, longer-range emissions or satellite-assisted data
transmission.

GPS SPOOFING

GPS spoofing involves overriding GPS signal strength with a stronger RF signal from a terrestrial emitter with false coordinate information. GPS
spoofing technologies are readily available and relatively affordable. GPS spoofing attacks against UAVs become more hardware-intensive as the size
and altitude of the target UAV increases.

The most high-visibility GPS spoofing exploit involved an Iranian cyber warfare unit that in 2011 allegedly used a Russian mobile intelligence
system, the “Avtobaza” (Kvant 1L222 Avtobaza), to bring down the US Lockheed Martin RQ-170 by spoofing coordinates on the UAV’s GPS
system [14]. Further information on this incident appears below.

GPS JAMMING

GPS jamming can be conducted in a similar manner as GPS spoofing.

Russia has developed a device known as Rex-1 that blocks the connection between a UAV and its controller, forces the UAV to land, and prevents
reconnection by blocking Global System for Mobile Communications (GSM) and Wi-Fi signals [17]. This technology was created to interfere with
legitimately purchased drones that are operated illicitly.

Another means suggested to prevent this abuse is the use of low-cost software-defined radio (SDR) platforms, which could be used to interfere with signals of the
UAV GPS. Portuguese researchers experimented with five unique techniques to interfere with GPS signals [18]. These techniques were
accomplished and assessed using low-cost SDR platforms and the GNU Radio software development toolkit. They determined that the most
effective technique was Protocol-Aware Jamming—it could effectively interfere with signals sent to a GPS receiver.

Flashpoint analysts have also uncovered vendors offering UAV jamming technologies. On September 29, 2020, Pastebin account user “stoersender”
advertised a UAV jamming vendor called jammer-mart[.]com. The vendor’s technology is allegedly capable of jamming ISM-band frequencies
typically used for uplink/downlink communications at an effective range of up to 5 km.

Image 3: “stoersender” advertises drone jamming equipment.


According to the Jammer Mart website, the company’s corporate headquarters are located in Shenzhen, China. jammer-mart[.]com IPs geolocate to
the United States and belong to a US-based internet service provider. [15] However, use of GPS jammers or signal-blocking applications in the
United States is a violation of US federal laws [16], which could complicate purchases, especially those originating from the US.
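Seen from the receiver, the spoofing and jamming described in the two sections above show up in the fix stream itself: a stronger terrestrial emitter raises signal strength and moves the position abruptly, while jamming collapses signal strength. The plausibility check below is an added example, not code from the report; the fix fields, the thresholds and the sample fixes are assumptions constructed for illustration (C/N0 is the per-satellite carrier-to-noise density that GNSS receivers report).

```python
import math
from statistics import pstdev

# All thresholds are assumptions for illustration; derive real ones from flight data.
MAX_SPEED_MS = 25.0   # fastest ground speed the airframe can reach
CN0_FLOOR = 25.0      # mean C/N0 (dB-Hz) below which the fix is treated as jammed
CN0_STEP = 8.0        # rise in mean C/N0 between fixes that is suspicious
CN0_SPREAD = 1.0      # std. dev. below which every satellite looks equally strong


def distance_m(a, b):
    """Great-circle distance in metres between two fixes (haversine)."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat, dlon = p2 - p1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def check_fixes(fixes):
    """Return (t, reason) findings for a time-ordered list of fixes.

    Each fix is a dict: t (seconds), lat, lon, cn0 (list of dB-Hz values,
    one per tracked satellite; empty when nothing is tracked).
    """
    findings, prev, prev_mean = [], None, None
    for fix in fixes:
        cn0 = fix["cn0"]
        mean = sum(cn0) / len(cn0) if cn0 else 0.0
        if mean < CN0_FLOOR:
            findings.append((fix["t"], "possible-jamming"))
            continue  # keep the last usable fix as the reference point
        if prev is not None:
            dt = fix["t"] - prev["t"]
            if dt <= 0 or distance_m(prev, fix) / dt > MAX_SPEED_MS:
                findings.append((fix["t"], "implausible-jump"))
            if mean - prev_mean >= CN0_STEP:
                findings.append((fix["t"], "signal-strength-step"))
        # One emitter replaying every satellite tends to give near-equal power.
        if len(cn0) >= 4 and pstdev(cn0) < CN0_SPREAD:
            findings.append((fix["t"], "uniform-signal-strength"))
        prev, prev_mean = fix, mean
    return findings


# Constructed fixes: normal flight, a spoofed fix at t=2, signal loss at t=3.
CONSTRUCTED_FIXES = [
    {"t": 0, "lat": 10.0000, "lon": 20.0000, "cn0": [42, 38, 45, 35, 40]},
    {"t": 1, "lat": 10.0001, "lon": 20.0000, "cn0": [41, 39, 44, 36, 40]},
    {"t": 2, "lat": 10.0100, "lon": 20.0000, "cn0": [50, 50, 51, 50, 50]},
    {"t": 3, "lat": 10.0101, "lon": 20.0000, "cn0": [18, 20]},
    {"t": 4, "lat": 10.0102, "lon": 20.0000, "cn0": [41, 38, 44, 36, 40]},
]

if __name__ == "__main__":
    for t, reason in check_fixes(CONSTRUCTED_FIXES):
        print(f"t={t}s {reason}")
```

The check only flags abrupt transitions; a position that is dragged off slowly stays under the speed limit and needs a cross-check against an independent source such as inertial data.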

CYBER THREATS TO UAV



UAV technology is still relatively new. As a result, there have been very few high-profile cyber incidents targeting US government UAVs. These few
known incidents include attempts to harm US government-operated UAVs through cyberattacks, as well as high-profile state-sponsored efforts to
target US military UAVs.

IRGC ATTACKS ON US DRONES



Iran and its military are known to be capable of intercepting and controlling higher-category US drones employed by the Department of Defense and
US Army. Flashpoint assesses that the Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare and Cyber Defense Organization may be
responsible for Iran’s takeovers of US UAVs. However, this is not confirmed beyond open source reporting.

As mentioned above, in 2011 Iran allegedly hacked an RQ-170 UAV and landed it inside Iran. Iranian operators were allegedly able to cut off
communication links to the RQ-170, possibly through the use of the Russian advanced mobile jamming and intelligence system "Avtobaza," which
Iran had recently procured at the time. They were then able to spoof the geographic coordinates of the drone’s GPS navigation system [20][21].
Iranian engineers subsequently reverse engineered the recovered intact RQ-170 to produce the Shahed 171 Simorgh UAV and the Saegheh UAV,
both of which were developed by Iran’s Shahed Aviation Industries and are nearly identical to the RQ-170.

In early February 2019, IRGC Brigadier General Amir Ali Hajizadeh posted a video claiming that Iran hacked into the controls of an unidentified
US military UAV and forced it to make a hard landing within the Iraqi desert approximately 10 miles from a US military base [19].

Analysts have identified some Persian-language discussions on the topic of hacking UAVs in Flashpoint collections. However, Flashpoint has not
identified any new or novel methods discussed by Iranian threat actors for hacking UAVs, outside of the GPS spoofing technique allegedly used in
the RQ-170 incident.

USE OF UAVS IN ATTACKS (added 8/12/21)



UAVs are often used to haul and release payloads to areas that are difficult to access. As a result, UAVs can pose a great threat to critical
infrastructure.

In May 2021, Hamas claimed to have hit an Israeli chemical plant in the settlement of Nir Oz with a Shehab UAV. [24] This UAV somewhat
resembles the Iranian drone HESA Ababil, but Shehab has boxy lines and sharp angles, while HESA Ababil has smoother curves. Additionally,
Shehab has a warhead built in so that it can be used as a kamikaze drone. As proof of their claim, Hamas publicized a video showing the successful
attack against the chemical plant, which was posted in the Telegram channel “Global Resistance News.”

Image 4: Post including a video of a drone attack against an Israeli chemical plant in Nir Oz.

Another instance of a UAV-related attack against critical infrastructure occurred in September 2019: The Yemeni Houthis attacked Saudi state-
owned oil company Saudi Aramco with drones. A spokesperson for the Houthis said they had deployed ten drones in the attack. The attack resulted
in crude oil production being reduced by 5.7 million barrels a day. [25] Then-US Secretary of State Mike Pompeo said he believed that Iran, not the
Houthis, was behind the attacks.

Flashpoint has observed discussions on weaponizing UAVs in the United States. Some recent posts were broad, with no specific target intended: In
January 2021, for example, an anonymous user of the forum Desuarchive asked how to weaponize a hobby drone. In March 2021, an anonymous
4chan user had a more specific question, asking how drones could be weaponized against police or government forces in an urban riot situation.
They requested guidance on making this idea possible.


Image 5: 4chan post asking for information about weaponizing of drones

Actors in far-right communities such as MeWe and 4chan have also introduced conspiracy theories about possible increased targeting of critical
infrastructure via cyber or physical attack, possibly using UAV technology. This speculation appears to be at least partially in response to recent
ransomware incidents, notably the Colonial Pipeline ransomware attack. These actors substantiated their theories about forthcoming attacks using a
June 2021 article from ZeroHedge—an anonymous far-right financial website—about a February 2021 incident in which a drone reportedly flew
over critical infrastructure. [26] Similarly, on June 7, 2021, an actor operating under the alias “pamelahasbara” reposted an article on MeWe that
stated the Chinese government would soon be carrying out an attack against US critical infrastructure, which would include drone attacks on critical
infrastructure.

UAV THREAT MITIGATIONS



In smaller, commercial UAV models, potential software vulnerabilities can be mitigated via Bounded Model Checking (BMC) and fuzzing. BMC is
a verification technique that has recently been used to discover safety issues in hardware [22]—it typically involves analyzing system performance
and its underlying operations over a period of tests to validate performance while gaining insight into vulnerabilities. Since the software used in
upscaled UAV missions, particularly those conducted by the US government, has increased in size and complexity, BMC may be less useful.

Fuzzing uses a large amount of random data to find security vulnerabilities in software [23]. In the context of UAVs, fuzzing could involve first
enumerating available ports on the UAV, and then sending anonymous data packets to these ports to elicit different responses—this can reveal
authentication vulnerabilities. However, conducting fuzzing tests on some government-employed UAVs may require greater resources, including
longer-range data transmission, power outlays, or specific target development.
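Fuzzing as described above can be tried offline against a packet parser before it ever runs on an airframe. The harness below is an added example, not code from the report or the cited paper: the frame layout (start byte, length, command, payload, XOR checksum), both parsers and all names are hypothetical. It mutates one valid frame and records every input that ends in anything other than a deliberate rejection, which is the failure class behind the oversized-packet crash described earlier.

```python
import random

SOF = 0x55         # hypothetical start-of-frame byte
MAX_PAYLOAD = 32   # hypothetical size of the receiver's payload buffer


class ParseError(Exception):
    """Raised for any frame the parser rejects on purpose."""


def xor_sum(data):
    out = 0
    for b in data:
        out ^= b
    return out


def make_frame(cmd, payload):
    body = bytes([len(payload), cmd]) + payload
    return bytes([SOF]) + body + bytes([xor_sum(body)])


def parse_naive(buf):
    """Trusts the length byte, as a parser without bounds checks would."""
    if buf[0] != SOF:
        raise ParseError("bad start byte")
    length, cmd = buf[1], buf[2]
    if buf[3 + length] != xor_sum(buf[1:3 + length]):  # may index past the frame
        raise ParseError("bad checksum")
    return cmd, buf[3:3 + length]


def parse_hardened(buf):
    """Checks the length field against the buffer limit and the real frame size."""
    if len(buf) < 4 or buf[0] != SOF:
        raise ParseError("short frame or bad start byte")
    length, cmd = buf[1], buf[2]
    if length > MAX_PAYLOAD or len(buf) != 4 + length:
        raise ParseError("length field disagrees with frame size")
    if buf[-1] != xor_sum(buf[1:-1]):
        raise ParseError("bad checksum")
    return cmd, buf[3:-1]


def fuzz(parser, rounds=2000, seed=1):
    """Mutate a valid frame; return (input, exception name) for every crash."""
    rng = random.Random(seed)          # fixed seed keeps findings reproducible
    valid = make_frame(0x10, b"waypoint")
    crashes = []
    for _ in range(rounds):
        data = bytearray(valid)
        mutation = rng.randrange(3)
        if mutation == 0:              # overwrite one byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif mutation == 1:            # truncate the frame
            del data[rng.randrange(len(data)):]
        else:                          # append trailing bytes
            data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
        try:
            parser(bytes(data))
        except ParseError:
            pass                       # a clean rejection is the desired outcome
        except Exception as exc:       # anything else is a finding
            crashes.append((bytes(data), type(exc).__name__))
    return crashes


if __name__ == "__main__":
    print("naive parser crashes:   ", len(fuzz(parse_naive)))
    print("hardened parser crashes:", len(fuzz(parse_hardened)))
```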

Flashpoint also recommends only purchasing UAVs from trusted vendors. These vendors should provide follow-on guidance on securing
confidentiality, integrity, and availability of any data uplinks-downlinks, GPS and other sensor data communications, and all spectral
communications for UAVs to be employed on government-service-related missions.

CITATIONS

[1] www[.]globenewswire[.]com/news-release/2020/12/22/2149086/0/en/Unmanned-Aerial-Vehicle-UAV-Market-Size-To-Be-Worth-USD-56-18-Billion-by-2027-Emergen-Research.html
[2] www[.]hsdl[.]org/?abstract&did=749449
[3] www[.]amazon[.]com/Amazon-Prime-Air/b?ie=UTF8&node=8037720011
[4] www[.]nasa[.]gov/centers/dryden/pdf/111761main_UAV_Capabilities_Assessment.pdf
[5] fas[.]org/irp/program/collect/uas-army.pdf
[6] releases[.]jhu[.]edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/
[7] permalink[.]lanl[.]gov/object/tr?what=info:lanl-repo/lareport/LA-UR-03-6163
[8] arxiv[.]org/pdf/1912.13379.pdf
[9] arxiv[.]org/pdf/1912.13379.pdf
[10] researchgate[.]net/publication/296467457_Exploring_Security_Vulnerabilities_of_Unmanned_Aerial_Vehicles
[11] researchgate[.]net/publication/296467457_Exploring_Security_Vulnerabilities_of_Unmanned_Aerial_Vehicles
[12] www[.]microwaves101[.]com/encyclopedias/frequency-letter-bands
[13] ctstechnologys[.]com/30-phase-sweep-10-2ghz-100km-uav-radar-detector.html
[14] www[.]csmonitor[.]com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer
[15] community[.]riskiq[.]com/search/jammer-store[.]com/resolutions
[16] www[.]gps[.]gov/spectrum/jamming/
[17] researchgate[.]net/publication/339824302_Effective_GPS_Jamming_Techniques_for_UAVs_Using_Low-Cost_SDR_Platforms
[18] researchgate[.]net/publication/339824302_Effective_GPS_Jamming_Techniques_for_UAVs_Using_Low-Cost_SDR_Platforms
[19] www[.]bellingcat[.]com/news/2019/10/01/has-iran-been-hacking-u-s-drones
[20] www[.]csmonitor[.]com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer
[21] www[.]csmonitor[.]com/World/Middle-East/2011/1209/Downed-US-drone-How-Iran-caught-the-beast
[22] ssvlab[.]github[.]io/lucasccordeiro/papers/siot2019[.]pdf
[23] ssvlab[.]github[.]io/lucasccordeiro/papers/siot2019[.]pdf
[24] hxxp://forbes[.]com/sites/davidhambling/2021/05/14/hamas-throws-kamikaze-drones-into-attacks-on-israel-claims-hit-on-chemical-plant/
[25] hxxp://bbc[.]com/news/world-middle-east-49703143
[26] hxxp://zerohedge[.]com/geopolitical/new-details-emerge-highly-modified-drone-snooping-critical-infrastructure

Header image: Courtesy of Jordan Cormack via Unsplash, hxxps://unsplash[.]com/photos/DwMuY7PFPg0.

CHANGE LOG

• 4/15/21: First publication

• 8/12/21: Use of UAVs in Attacks (added)

=======

All Flashpoint intelligence reports, related data, and content are the property of Flashpoint, and are protected under all applicable laws. Flashpoint
reports and data are intended solely for the internal use of the individual and organization to which they are addressed, and are subject to the
applicable terms and conditions of your Subscription Agreement with Flashpoint and/or your NDA, as applicable. Flashpoint reports and data are
Flashpoint Confidential Information, and as such, may not be shared outside of your company or disclosed publicly for any purposes without
Flashpoint’s written consent; provided, however, that you may share such materials to third parties if legally required, or on a need-to-know basis,
and then only to those parties who are bound by confidentiality obligations no less protective of Flashpoint than those contained in your Agreement
and/or your NDA.

=======

©2021 Flashpoint
