Drones have become increasingly popular in recent years, but their widespread use also raises safety and security concerns. One way to address these concerns is to build systems that detect and track drones. A common building block for such systems is the HackRF One, a software-defined radio (SDR) that can be used for a variety of radio frequency (RF) applications, including drone detection.
The HackRF One is a versatile tool that can be used to detect and track drones by analyzing the RF signals they emit. Consumer drones typically use the 2.4GHz and 5.8GHz bands for control and video links. The HackRF One can be tuned to these bands to capture the signals a drone emits. Once captured, the signals can be analyzed to identify the type of drone and, with a directional antenna or several receivers, to estimate its bearing or position; a single SDR with an omnidirectional antenna only tells you that a drone is present.
Drone defense is a problem for airports, cities, sensitive buildings and the military: anyone with a low-cost, off-the-shelf drone can cause havoc. Solutions so far have included net guns, drone-deployed nets, wideband jammers, GPS spoofers, traditional and passive radar, visual camera detection, propeller-noise detection, microwave lasers and SDR-based point-and-shoot drone-jamming guns like the IXI Dronekiller.
Both the expensive, military-grade IXI Dronekiller SDR gun and the LimeSDR-based Dronesense work in a similar way. They first scan the band to detect potential drone signals. If a drone signal is detected, they emit a jamming signal on that particular frequency, so the drone loses its control link, enters its fail-safe mode and either returns to home or lands immediately. Jamming only the drone's frequency limits collateral interference to other users of the band, which also matters for regulatory compliance wherever jamming is permitted at all. Note that this method might not stop drones using custom RF links, or fully autonomous drones that do not depend on a control link.
Unlike the IXI Dronekiller gun, however, Dronesense requires no pointing and aiming of a gun-like device. Instead it appears to be mounted on another drone, with an omnidirectional jamming antenna. It runs a GNU Radio-based flowgraph that decides whether a detected signal comes from a drone and, if so, activates the jammer. Unfortunately the software and further details don't appear to be available due to non-disclosure agreements.
During this project, we explored possible attacks and countermeasures against civilian UAVs. Cheap civilian drones have not only become a fun hobby for FPV racers and film enthusiasts, but also a danger to aviation safety and privacy, and they are used in the field to gather intelligence on opposing forces or to attack them with deadly precision.
Intelligence is everything on the modern battlefield, and civilian drones have proven valuable assets in this regard: they spot for artillery or carry explosives for sabotage operations and precision strikes. Outside of combat zones, they pose a significant threat to aviation safety and general privacy. These circumstances make drones interesting targets for remote attacks, which we explore in this post.
Due to budget and time constraints, we focused our research primarily on fairly cheap Chinese FPV drones. We only conducted experiments using low-power soft-kill systems, since hard-kill measures like net or projectile launchers or high-power jammers would have a high chance of destroying the drone or causing collateral damage.
Drone
The main criteria for choosing the drone were availability and compatibility with our existing FPV hardware. Specifically, it had to support the FrSky D8 protocol and send video over the 5.8GHz band. The final decision was made in favor of the Mobula 6 from Happymodel.
SDR
To flexibly send and receive on different frequency bands, we also needed a software-defined radio. Because it was affordable and covered all required bands (1MHz to 6GHz), we chose the HackRF One. Note that it is half-duplex: it can receive or transmit at any moment, but not both.
Antennas
For video transmission/reception we used one of the FPV goggles' 5.8GHz antennas, and for omnidirectional capture/jamming of RC signals the 2.4GHz antenna of an ALFA Wi-Fi card. To get a more predictable and focused jamming arc, we also purchased a 2.4GHz Yagi antenna.
Software
To analyze and replay RC signals, we primarily used the Universal Radio Hacker. For capturing and (de)modulating video transmissions, we chose SDRangel. Our jammers were built in GNU Radio with a few custom blocks. The drone was configured using Betaflight.
Most FPV drones offer two primary attack vectors: the video stream broadcast by the drone and received by the FPV goggles, and the RC signal sent by the controller and interpreted by the drone's flight controller. Our drone uses the 5.8GHz band to transmit video and the 2.4GHz band for remote control. Since almost all consumer radio hardware sold in the US has to be certified by the FCC, finding the specific frequency ranges of devices like our controller is easy: the test reports are in the official, publicly available FCC database under the device's FCC ID. Our controller, for example, uses the 2416-2466MHz range with a measured power output of 43.9mW. The video frequency can more or less be set freely by the operator prior to flight; Happymodel provides a table of recommended channels. With this information, we can jam, spoof and capture these signals.
Other drones expose additional targets, such as GPS or drone-location protocols (e.g. DJI DroneID), which can be used to track drone and pilot movement. GPS may also be spoofed to circumvent geofencing or to abuse return-to-home functionality.
As mentioned above, the drone operator can freely choose any channel in the 5.8GHz band to broadcast video, so the first step in capturing or hijacking the video signal is finding the frequency in use. This is easily done with a simple spectrum analyzer roughly tuned to the center of the 5.8GHz band: tune up and down while watching the waterfall. Even at greater distances, the video stream signal is easy to spot.
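A scripted version of that frequency search, added here as an example and not part of the original write-up: it parses the CSV rows that hackrf_sweep prints, finds bins that stand out against the median noise floor, groups adjacent bins into carriers and maps each carrier's peak to the nearest channel of a plan. The sweep rows embedded below are constructed, not a real capture, and Raceband is used as the channel plan because it is a standard 5.8GHz FPV set; the Happymodel table mentioned above may differ.

```python
"""Locate a 5.8GHz FPV video carrier in hackrf_sweep output.

Added example, not the project's code. Assumes hackrf_sweep's CSV row
layout: date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, dB...
SAMPLE_SWEEP is constructed to look like one sweep, not a real capture.
"""
import statistics

# Raceband R1..R8, a standard 5.8GHz FPV channel plan (assumed here;
# the operator may be on a different band from Happymodel's table).
RACEBAND_MHZ = {"R1": 5658, "R2": 5695, "R3": 5732, "R4": 5769,
                "R5": 5806, "R6": 5843, "R7": 5880, "R8": 5917}

# Constructed sample: four 10MHz segments in 1MHz bins, noise floor near
# -78dB, and one roughly 5MHz-wide carrier peaking around 5804.5MHz.
SAMPLE_SWEEP = """\
2024-01-01, 12:00:00.000000, 5650000000, 5660000000, 1000000.00, 20, -78.0, -77.5, -78.2, -77.9, -78.1, -77.7, -78.3, -78.0, -77.8, -78.1
2024-01-01, 12:00:00.000000, 5660000000, 5670000000, 1000000.00, 20, -77.9, -78.0, -78.2, -77.6, -78.1, -77.9, -78.0, -78.2, -77.8, -78.0
2024-01-01, 12:00:00.000000, 5800000000, 5810000000, 1000000.00, 20, -77.8, -71.0, -55.2, -40.1, -38.9, -41.0, -56.3, -70.5, -77.9, -78.0
2024-01-01, 12:00:00.000000, 5810000000, 5820000000, 1000000.00, 20, -78.1, -77.8, -78.0, -77.7, -78.2, -78.0, -77.9, -78.1, -78.0, -77.8
"""


def parse_sweep(text):
    """Return a frequency-sorted list of (bin_center_hz, power_db)."""
    bins = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue                      # blank or truncated row
        hz_low, hz_high = int(fields[2]), int(fields[3])
        bin_width = float(fields[4])
        for i, power in enumerate(fields[6:]):
            center = hz_low + bin_width * (i + 0.5)
            if center < hz_high:          # ignore bins past the segment end
                bins.append((center, float(power)))
    bins.sort()
    return bins


def find_carriers(bins, margin_db=20.0):
    """Group adjacent bins that rise margin_db above the median noise floor.

    The median is a robust floor estimate because a carrier occupies only a
    few bins of the whole sweep and barely shifts it."""
    if len(bins) < 2:
        return []
    step = min(b[0] - a[0] for a, b in zip(bins, bins[1:]) if b[0] > a[0])
    threshold = statistics.median(db for _, db in bins) + margin_db
    carriers, cluster = [], []
    for center, db in bins:
        if db < threshold:
            continue
        if cluster and center - cluster[-1][0] > 1.5 * step:
            carriers.append(_describe(cluster, step))   # gap: new carrier
            cluster = []
        cluster.append((center, db))
    if cluster:
        carriers.append(_describe(cluster, step))
    return carriers


def _describe(cluster, step):
    peak_hz, peak_db = max(cluster, key=lambda b: b[1])
    name, chan_mhz, offset = nearest_channel(peak_hz)
    return {"peak_mhz": peak_hz / 1e6, "peak_db": peak_db,
            "occupied_mhz": (cluster[-1][0] - cluster[0][0] + step) / 1e6,
            "channel": name, "channel_mhz": chan_mhz, "offset_mhz": offset}


def nearest_channel(freq_hz):
    """Nearest Raceband channel and the offset from it in MHz."""
    mhz = freq_hz / 1e6
    name, chan = min(RACEBAND_MHZ.items(), key=lambda kv: abs(kv[1] - mhz))
    return name, chan, round(mhz - chan, 3)


if __name__ == "__main__":
    for c in find_carriers(parse_sweep(SAMPLE_SWEEP)):
        print(f"carrier peak {c['peak_mhz']:.1f} MHz at {c['peak_db']:.1f} dB, "
              f"~{c['occupied_mhz']:.0f} MHz wide -> {c['channel']} "
              f"({c['channel_mhz']} MHz, offset {c['offset_mhz']:+.1f} MHz)")
```

Real input comes from `hackrf_sweep -f 5650:5950 -w 1000000 -1`, which sweeps 5650 to 5950MHz once in 1MHz bins. An analog FPV carrier shows up as a cluster several MHz wide, so the cluster's peak bin, not the first bin above threshold, is the frequency to tune the receiver or transmitter to.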
Knowing the approximate frequency of the transmission, we can either capture the live video or send our own signal to take away the operator's vision. If the operator has no direct line of sight to the drone, this will in most cases result in a crash. The operator is also unable to change the video channel during flight, since on our drone this requires a wired connection to a computer. Note that for this attack to be effective, the transmitting antenna has to be directed at the operator and their goggles, not at the drone itself: the goggles are the receiver being overpowered. The shorter the distance to the operator, or the stronger the signal sent, the more likely the attack succeeds.
Since our drone is fairly simple, it broadcasts the video feed as an analog signal. Using the ATV demodulator in SDRangel we can demodulate and view the stream. This particular demodulator does not support color, even though that would be possible in theory.
Transmitting on the video frequency, we achieved a reliable hijack/jamming range of around 5 meters. At greater distances the interference was noticeable, but not strong enough to effectively hinder flight. The drone's video transmit power, configured by the operator in Betaflight, also influenced the jamming success.
During our research and measurements, we discovered that the FrSky protocol used by our drone uses FHSS (frequency-hopping spread spectrum). This means that, in contrast to the 5.8GHz video signal, which occupies a single frequency band, the RC transmission is divided into multiple smaller channels. The signal rapidly switches between these channels in a pseudo-random manner, making it significantly less vulnerable to interference or jamming. The seed that determines the hop pattern is exchanged during the initial binding procedure with the remote controller. By recording and analyzing the signal, we determined that the drone communication uses 49 channels with 1.5MHz spacing, adding up to a total bandwidth of around 70MHz. Since our SDR can only transmit over a 20MHz bandwidth at a time, this posed a significant challenge.
Our first approach was to record different RC commands, like disarms (full deactivation of the flight systems) or erratic control inputs, that could cause the drone to crash. By analyzing the remote controller's signal, we determined a handful of channels and their specific frequencies, and replayed the captured signals on them in an endless loop, hoping to hit a channel at the moment the drone was expecting a packet on it. For this to work, our signal also has to arrive at the drone's receiver stronger than the remote controller's. After multiple attempts, we were able to crash the drone occasionally. To make this attack reliable, one would have to capture the full signal bandwidth, recover the FHSS seed and predict the next channel to be used.
Since our replay attack was unreliable, we tried a jamming approach next. Instead of sending spoofed RC commands, we send as much noise, with as much power as possible, to drown out the controller's signal and make the drone lose its link. Depending on the configured failsafe, this causes the drone to land on the spot, return to predetermined GPS coordinates or, as with our drone, drop to the ground. Of course we could not simply jam the entire 70MHz bandwidth with a 20MHz transmitter, so we had to build a slightly more sophisticated jammer. The best jammers use so-called protocol-aware jamming, which, like the replay approach above, recovers the FHSS seed and reactively jams the next channels. Implementing a protocol-aware jammer requires either two SDRs or a single full-duplex SDR, since it must receive and transmit at the same time; neither was available to us. We therefore chose a cruder method: sweep jamming.
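To see why replaying on a handful of channels only worked occasionally, and what protocol-aware jamming buys over a fixed or sweeping 20MHz window, here is a small simulation added as an example; it is not the project's code. It uses the 49 channels and 1.5MHz spacing measured above and the HackRF One's 20MHz bandwidth. The hop generator, the 2404MHz base frequency, the ten-packet failsafe threshold and the channel indices chosen for the jammers are assumptions of the model, not the real FrSky D8 algorithm or the Mobula 6's actual failsafe timing.

```python
"""Toy model: a 20MHz SDR against a 49-channel frequency-hopping RC link.

Added example, not the project's code. Channel count and spacing are the
values measured in the write-up; the hop generator, base frequency and
failsafe threshold are assumptions and do not reproduce FrSky D8.
"""
import random

N_CHANNELS = 49           # hop channels measured in the write-up
SPACING_MHZ = 1.5         # channel spacing measured in the write-up
BASE_MHZ = 2404.0         # assumed frequency of channel 0
SDR_BW_MHZ = 20.0         # HackRF One instantaneous bandwidth
FAILSAFE_LOST = 10        # assumed: consecutive lost packets before failsafe


def channel_mhz(idx):
    return BASE_MHZ + idx * SPACING_MHZ


def hop_sequence(seed, n_hops):
    """Simplified model of the bind seed: one seeded permutation of all
    channels, repeated. Real D8 derives its hop table differently."""
    perm = random.Random(seed).sample(range(N_CHANNELS), N_CHANNELS)
    return [perm[i % N_CHANNELS] for i in range(n_hops)]


def channels_in_window(center_mhz, bw_mhz=SDR_BW_MHZ):
    """Channel indices a single transmit window of bw_mhz covers at once."""
    return {i for i in range(N_CHANNELS)
            if abs(channel_mhz(i) - center_mhz) <= bw_mhz / 2}


def fixed_jammer(center_idx):
    """Replay or noise in one 20MHz window parked on channel center_idx."""
    covered = channels_in_window(channel_mhz(center_idx))
    return lambda hop_no: covered


def sweep_jammer(step_channels=1):
    """Window whose centre moves step_channels per hop and wraps around, so
    the whole band is visited over time (the sweep rate is a free choice)."""
    return lambda hop_no: channels_in_window(
        channel_mhz((hop_no * step_channels) % N_CHANNELS))


def protocol_aware_jammer(seed):
    """Knows the seed, so it predicts and jams exactly the next channel."""
    perm = random.Random(seed).sample(range(N_CHANNELS), N_CHANNELS)
    return lambda hop_no: {perm[hop_no % N_CHANNELS]}


def simulate(seed, n_hops, jammer, failsafe_lost=FAILSAFE_LOST):
    """Count jammed packets and report when the receiver would failsafe."""
    lost = run = worst_run = 0
    failsafe_at = None
    for hop_no, chan in enumerate(hop_sequence(seed, n_hops)):
        if chan in jammer(hop_no):
            lost += 1
            run += 1
            worst_run = max(worst_run, run)
            if run >= failsafe_lost and failsafe_at is None:
                failsafe_at = hop_no
        else:
            run = 0                       # a clean packet resets the counter
    return {"hit_fraction": lost / n_hops,
            "worst_consecutive_lost": worst_run,
            "failsafe_at_hop": failsafe_at}


if __name__ == "__main__":
    seed, hops = 1234, 490                # ten full hop cycles
    for name, jam in [("fixed 20MHz window", fixed_jammer(24)),
                      ("sweeping 20MHz window", sweep_jammer()),
                      ("protocol-aware", protocol_aware_jammer(seed))]:
        print(name, simulate(seed, hops, jam))
```

Over whole hop cycles a 20MHz window covers 13 of the 49 channels, so whether it is parked or swept it catches about 27% of packets, and rarely enough of them in a row to reach the failsafe threshold; the protocol-aware jammer hits every packet and trips the failsafe after exactly ten. The model counts channel hits only; it ignores transmit power and receiver front-end overload, both of which matter for a real sweep jammer.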