Sometimes leading a team of benevolent hackers means having unusual conversations with customer service. Just ask Michigan State University’s Qiben Yan.
One of his projects involves drones, the quadcopters that make stunning aerial photography a snap for hobbyists and professionals alike. There are more than 865,000 drones registered in the United States, according to the Federal Aviation Administration. For comparison, that’s just shy of the number of residents living in South Dakota.
MSU Assistant Professor Qiben Yan
“When we started this project, we accidentally broke a drone,” said Yan, an assistant professor of computer science and engineering. When he got in touch with customer service about repairs, the company’s service reps were curious about what he was using the drone for. So he told them.
His team was developing a stealthy, simple adversarial attack that exploits a vulnerability in camera systems that could allow a hacker to seize control of a drone from its pilot.
“The company was very interested,” Yan said. “We’re kind of ‘white hat’ hackers. We attack products so their manufacturers can fix problems and protect consumers before somebody malicious takes advantage.”
What Yan’s Secure and Intelligent Things Lab in the College of Engineering had discovered was that it was possible to trick drones into thinking they were heading for an obstacle. And all that what was required was two bright spots of light, for example from projectors or flashlights.
By shining the lights in certain ways into a drone’s cameras, the researchers could essentially make the drone hallucinate. The drone’s software would interpret the lights as a single obstacle in its path and engage the drone’s autonomous controls designed to avoid collisions. By adjusting the lights, the team could control where this phantom object appeared to the drone and steer the vehicle.
“We can start manipulating the drone by controlling the angles and intensity of the light,” Yan said. “By controlling the ‘object’ location, we can control in which way the drone moves.”
The team successfully targeted quadcopters from dozens of yards away, enough for would-be attackers to gain control of a drone and avoid being detected by its rightful operator. As companies are working to use drones in a variety of applications — such as delivery and inspection services — losing control of a quadcopter to thieves could mean losing property and information.
“Imagine that an Amazon delivery drone is under such an attack,” Yan said. “Your packages would be effectively seized by the attacker, while the drone pilot has no idea why it’s happening.”
The USENIX Security Symposium, one of the world’s leading cybersecurity conferences, has just accepted the research for presentation at …….