If you own a UDI U818A family drone, then you should read this article. Why? Because you are the proud owner of a very, very, very vulnerable drone. Consider yourself warned.
With so many reports of poor security on consumer drones, UAV enthusiasts would be forgiven for thinking manufacturers would have added mitigations against the most basic attacks. But, looking at one particularly popular model of drone, such hopes might be misplaced.
Earlier this month, the U.S. government-sponsored Carnegie Mellon Computer Emergency Response Team was compelled to put out a warning on the DBPOWER Quadcopter, which was vulnerable to a rudimentary attack that allowed anyone within range of the drone’s Wi-Fi connection to take it out of the sky. The researchers who uncovered the bug, from the Cyber-Physical Systems Security Lab at University of Texas at Dallas, put together a video for Forbes showing how they quickly obtained root access to the quadcopter and cut its power.
The Chinese-made drone is currently listed as a best seller at $140 on Amazon (though it’s been reduced to $80).
The UDI U818A drone family features:
- Intelligent Orientation Control/Headless – The UDI U818A HD has the Headless/IOC function. Usually, the forward direction of a flying multi-rotor is the same as the nose direction. By using Headless/IOC, the forward direction has nothing to do with nose direction. This lessens the steepness of the learning curve and allows the pilot to enjoy flight while slowly learning each specific orientation of the quadcopter.
- 6-axis Gyro – Equipped with the latest 6-axis flight control system and 3D lock for more stable, responsive flight.
- 360° Eversion – One-key 360° roll and continuous rolls for impressive aerobatic performance.
- HD Video Camera – The U818A HD is equipped with a 1MP HD video camera (Resolution: 1280 x 720; Frame rate: 30 fps), letting you take pictures and video while enjoying the flight.
- Upgraded Accessories – Extend your play time with two LiPo batteries and an upgraded 4GB Micro SD memory card.
It’s important to note I said “drone family” and not “drone.” Why? It appears the same core hardware is being resold by a number of different vendors.
“The UDI U818A WiFi drone model appears to be very popular and sold by a variety of vendors,” noted UT Dallas’s Alvaro Cardenas. “It appears that what most vendors do is modify the U818A Wi-Fi model superficially (different colors, apps, etc.) but the core drone functionalities appear to be the same. We believe that this vulnerability would be applicable to all of these models.”
Please don’t be fooled by the perceived “bang-for-your-buck” here, this is one vulnerable drone. Don’t just take my word for it, watch the video from the CY-PHY Security Lab @ UT Dallas below:
U818A WIFI quadcopter drone – vulnerability
We show in this video that a misconfigured FTP server allows us to overwrite system files on the Udirc U818A WIFI quadcopter drone.
In this demo, we overwrite “/etc/shadow” to remove the password for the root user. As a result, we are able to log in to the device remotely as root and have full access to the operating system via telnet, and to all the built-in utilities in the drone.
Here we show that we are able to take down a flying drone from the air. We do this by forcing the person who is flying the drone (via the proprietary app) to lose control of the drone. At that point the drone falls to the ground.
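The root cause the lab describes is an FTP service that lets an anonymous user write anywhere on the filesystem, including /etc/shadow. The following is an added example, not code from the article or from the UT Dallas lab: a small log analyser that flags exactly that condition in FTP session logs. The log format, the sample lines and the severity labels are constructed for this example (loosely modelled on a per-session FTP daemon log); adapt the regex to whatever daemon and log format your device or server actually uses.

```python
"""Detect anonymous-FTP write activity against sensitive system files.

Added example (not from the original article or the UT Dallas lab). It
flags the condition behind CVE-2017-3209: an FTP service that lets an
anonymous user write to system paths such as /etc/shadow.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not real drone output). Assumed format:
#   <timestamp> [pid N] [<user>] <STATUS> <ACTION>: Client "<ip>"[, "<path>"]
SAMPLE_LOG = """\
Mon Apr 17 10:01:02 2017 [pid 101] [anonymous] OK LOGIN: Client "192.168.0.7"
Mon Apr 17 10:01:05 2017 [pid 101] [anonymous] OK DOWNLOAD: Client "192.168.0.7", "/tmp/video.avi"
Mon Apr 17 10:01:20 2017 [pid 102] [anonymous] OK LOGIN: Client "192.168.0.9"
Mon Apr 17 10:01:31 2017 [pid 102] [anonymous] OK UPLOAD: Client "192.168.0.9", "/etc/shadow"
Mon Apr 17 10:02:00 2017 [pid 103] [pilot] OK LOGIN: Client "192.168.0.2"
Mon Apr 17 10:02:10 2017 [pid 103] [pilot] OK UPLOAD: Client "192.168.0.2", "/mnt/sd/photo.jpg"
Mon Apr 17 10:02:30 2017 [pid 102] [anonymous] FAIL UPLOAD: Client "192.168.0.9", "/etc/passwd"
"""

LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]*)")?'
)

# Actions that modify the remote filesystem (names assumed for this log format).
WRITE_ACTIONS = {"UPLOAD", "DELETE", "RENAME", "MKDIR", "RMDIR", "CHMOD"}
# Paths an FTP user should never be able to touch; matched by prefix.
SENSITIVE_PREFIXES = ("/etc/", "/bin/", "/sbin/", "/lib/", "/usr/", "/boot/")


@dataclass
class Finding:
    pid: str
    client: str
    user: str
    action: str
    path: str
    status: str
    severity: str


def classify(user, action, path, status):
    """Return a severity label for one event, or None if it is benign."""
    if action not in WRITE_ACTIONS:
        return None
    anonymous = user.lower() in {"anonymous", "ftp"}
    sensitive = path.startswith(SENSITIVE_PREFIXES)
    if anonymous and sensitive:
        # A successful anonymous write under /etc/ is the CVE-2017-3209
        # condition itself; a failed attempt still shows someone probing.
        return "critical" if status == "OK" else "high"
    if anonymous:
        return "medium"  # any anonymous write is worth a review
    if sensitive:
        return "high"    # authenticated user writing into system paths
    return None


def analyse(log_text):
    """Parse the log text and return findings in the order they appear."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path") or ""
        sev = classify(m.group("user"), m.group("action"), path, m.group("status"))
        if sev:
            findings.append(Finding(m.group("pid"), m.group("client"), m.group("user"),
                                    m.group("action"), path, m.group("status"), sev))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.severity:8} pid={f.pid} client={f.client} user={f.user} "
              f"{f.action} {f.path} ({f.status})")
```

Run against the constructed sample, the analyser reports the successful anonymous upload to /etc/shadow as critical and the failed attempt on /etc/passwd as high, while the authenticated upload of a photo to the SD card path is ignored. The underlying fix is of course on the server side: anonymous FTP should be disabled or confined to a chrooted, read-only directory rather than the root of the filesystem.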
- DBPOWER UDI U818A WiFi FPV Quadcopter Drone $89.99
- Force1 UDI U818A Wifi FPV Drone with HD Camera $139.99
- UDI RC Discovery U818A WiFi Drone $37.50
- and possibly many more
This vulnerability was discovered and disclosed to US-CERT by Junia Valente, a Ph.D. candidate in software engineering at UT Dallas under the supervision of Dr. Alvaro Cardenas.
US-CERT has published a Note regarding this vulnerability:
DBPOWER U818A WIFI quadcopter drone allows full filesystem permissions to anonymous FTP
For more details on CWE-276: Incorrect Default Permissions – CVE-2017-3209, see the published Note:
CY-PHY Security Lab @ UT Dallas
Video credit: Junia Valente (on the laptop), Paul Murley (flying the drone), and Travis Neyland Wright (on the camera). Junia is a doctoral candidate in Software Engineering at UT Dallas and Research Assistant at the CY-PHY Security Research Lab @ UT Dallas. Paul and Travis are students in Computer Science at UT Dallas but are not affiliated with the CY-PHY Security Research Lab.
While the original article I cited has pricing at $140, according to my research, pricing on U818A drones varies greatly. I’ve provided a few links below*:
- $119.95 – UDI U818A WiFi FPV Drone with Live Camera Feed – RC Quadcopter Drone with HD Camera and VR Headset Compatibility – Extra Battery and Power Bank For Longer Flight Time
- $53.25 – UDI U818A-HD 2.4GHz 4 CH 6 Axis Headless RC Quadcopter w/ HD Camera, Extra Battery
- $37.50 – UDI U818A 2.4GHz 4 CH 6 Axis Gyro RC Quadcopter with Camera RTF Mode 2
With a documented vulnerability, I wouldn’t recommend that you purchase this drone for any reason other than research.
* Please note: my list is based on an Amazon search for U818A; I have not validated that the vulnerability works with all listed drones.