Dark Wolf Solutions’ Ronald Broberg talks cybersecurity and the importance of hacking lessons to Peter Donaldson

Hack our Drone was the intriguing title of a workshop held at the most recent Xponential, which took place in San Diego in May. Leading the well-attended session was Ronald Broberg, penetration tester at cybersecurity company Dark Wolf Solutions. With the aid of several colleagues, he guided a class of aspiring youngsters through the process of hacking a small quadcopter.

The existence of the hacking class naturally raises the question of why such an ostensibly nefarious activity should be taught.

“Primarily, I hope to raise awareness among UAS product engineers of how cybersecurity testing is done, and why they need to become more aware of cybersecurity design, implementation, testing and maintenance,” Broberg says.

“My second purpose is to help raise awareness among the cybersecurity community of how freaking awesome this field is with the intersection of Linux, IoT [Internet of Things], mobile and wireless security domains.”

From satellites to UAVs

Broberg’s journey into cybersecurity began when he was a programmer at Lockheed Martin (LM), where he worked on space systems, followed by building research and development systems using Linux.

He then moved into supporting integrated command-and-control (C2) testbeds, subsequently supporting those C2 systems at both the endpoint and network level.

Broberg’s involvement with uncrewed systems came through his work on satellites.

“My last two years with Lockheed Martin involved developing new test approaches for securing satellite systems. When I moved from LM to Dark Wolf Solutions, there was a striking similarity between the system architectures, even while the implementation on drones was vastly different,” he explains.

Dark Wolf has performed security assessments of 30 UAS from more than a dozen manufacturers as part of cybersecurity evaluations requested by those companies, in the process, building a picture of where they tend to have weaknesses.

“Unfortunately, the most common vulnerabilities are fairly well-understood weaknesses in poorly configured IoT systems, such as weak passwords, excessive user privileges, and unencrypted sensitive data in logs and configurations,” Broberg says.

“These are usually seen in those UAS start-ups that haven’t really thought about the security of their systems and have focused on getting to market. Unfortunately again, designing security into the system after the initial engineering is far more costly and complicated than including it in the early phases.”

Hack our Drone

Each workshop participant was provided with a drone, along with a smartphone-based controller, a laptop with Kali Linux either installed or with a bootable thumb drive from which to run it, tutorial guides, and a set of hand tools and cables.

Kali is an open-source Linux distribution, based on Debian, which is focused on information security tasks such as penetration testing, security research, computer forensics and reverse engineering. It comes packaged with around 600 penetration testing programs, all set up and configured for a security professional to use immediately.

The quadcopters that workshop participants subjected to their hacking attempts were based on the Beaglebone Blue single-board computer, while the GCS consisted of small handsets with joysticks and switches, with computing power provided by a smartphone.

“I like the use of smartphones over most other operating system choices for ground-control systems,” Broberg says. “My personal opinion is that smartphones are the most cybersecurity-hardened device available off the shelf.”

However, with physical access to both the smartphone GCS and the drone computer, passwords are likely to succumb to cracking tools such as John the Ripper, allowing access to and mapping of the network, operating system and firmware. These can then be analysed for vulnerabilities using other tools that come packaged with Kali, including Nmap for identifying hosts and IP addresses of all the devices, Binwalk for searching a binary image for embedded files and executable code, the Firmware Analysis Toolkit, plus Android-, Windows- and Linux-specific tools, and more.

The next steps are discovery, in which the information gathered in the mapping phase is used to identify vulnerabilities, and exploitation in which those vulnerabilities are used to gain unauthorised access, escalate privileges or execute unauthorised actions. While these are beyond the scope of a short workshop session, they are covered in Dark Wolf’s full course.

To protect against cyber threats that try to exploit vulnerabilities, UAS developers’ engineering teams must be aware of the cybersecurity requirements that their products will need to meet from both a regulatory and a due diligence point of view, anticipating them for their potential customer base, Broberg says.

“Fortunately, they do not have to reinvent the wheel. For one common architecture, just applying baseline Linux security configurations to the UAV, Android security lockdowns to the GCS, reviewing their communication protocols and then documenting that security configuration will bring them a long way towards meeting any compliance requirements,” he adds.

While the participants in Dark Wolf’s workshop have physical access to vehicles and ground-control stations, they can be hacked remotely, just like any computer system connected to a network. There are, for example, weaknesses in wireless communication protocols that can be exploited, especially weak or default passwords or encryption keys.

Insecure firmware/software update processes can be compromised to inject vulnerabilities into UAS, and an increasing number of UAVs are monitored, updated or even controlled remotely, and those remote network services can be vulnerable to attack, Broberg says.

UAVs have similarities to and differences from other networked systems that affect how they can be protected and attacked.

“We draw heavily on the evolving suite of security testing tools and techniques for Linux, Android and RF systems, and apply them to UAS systems. Likewise, malicious hackers can do the same,” Broberg explains.

On the other hand, he says, UAS systems can cause physical harm; an attribute they share with other vehicles and many industrial control systems/operational technology (ICS/OT) implementations, but that is usually not present in something like enterprise network security for corporations, small office/home office and personal devices.

In Broberg’s experience, the level of cyber awareness in the uncrewed systems industry varies widely. “The team of which I am part has seen some of the most insecure products of our careers in the UAS domain – and some of the most secured systems. Unfortunately, an in-house security team is expensive, but those companies with the ability and desire to build such a team are delivering more secure products,” he says.

Attack surface

All the components of a UAV system, including computer hardware, software and protocols have their vulnerabilities, and together they comprise a large attack surface, made larger still by the interfaces between them.

“For the middle of my LM career, I was a ‘systems integrator’,” Broberg says. “Understanding systems architecture and integration is a strong basis to start finding the security faultlines in systems I had not seen before. It is often in the junction of disparate systems that security vulnerabilities appear.”

The key pieces of hardware aboard UAVs include flight controllers, companion computers, payloads and software-defined radio (SDR) systems, with the ground-control station the key offboard component.

In addition to the microcontroller at its heart, a typical flight controller contains a set of motion sensors and draws power from the vehicle’s battery, but it also includes input/output interfaces that allow it to communicate with the remote-control radio receiver, the UAV’s motors/control surfaces via electronic speed controllers and servos and, potentially, payload mechanisms.

Unsecured flight controllers can be exploited by adversaries to hijack drones, intercept sensitive telemetry data or disrupt operational integrity. Therefore, they should be protected by implementing secure coding practices, encryption of communication channels, regular software updates and penetration testing, Broberg explains.

Companion computers such as the Raspberry Pi, and higher-end units from NVIDIA and Intel, augment flight controllers, providing the extra processing power to handle data processing, computer vision and communication with ground-control stations.

According to Dark Wolf, potential vulnerabilities in these devices include: outdated or insecure versions of firmware or operating systems; insecurely configured network services; weak or default credentials; improper authentication mechanisms or inadequate access controls; insecure communication protocols that can be intercepted, tampered with, or eavesdropped upon; and software vulnerabilities, such as buffer overflows, code injection or insecure handling of user inputs.

They may also lack secure boot mechanisms or proper firmware integrity checks, and might not get regular updates and patches to firmware, operating systems and software applications.

Payloads such as sensors and communications relays present their own cybersecurity risks. Sensor data can be very sensitive, with video feeds containing private information and Lidar data potentially exposing details of secure facilities, while communication payloads may be vulnerable to disruption of service, eavesdropping or data interception.

GCS vulnerabilities can leave the system open to unauthorised control of the drone, data breaches or operational disruption. All of the communication protocols commonly used in UAV systems are also potentially vulnerable, whether they are wireless and inherently susceptible to eavesdropping, such as MAVLink, ZigBee, Bluetooth, wi-fi, 5G/4G/LTE, or wired but unencrypted, like CAN.

Monitor the radios

Of the individual subsystems in most UAV systems, however, the most vulnerable are radios in air vehicles and GCS units.

“By design, radios are third-party products that are integrated into a UAS, and the design team sees them as a black box of capabilities,” Broberg says. “Thus, the radios can be delivered to the end-user with default passwords and no documentation to modify them. Beyond that, however, the radios are often running software with exploitable vulnerabilities that exist over multiple products for an extended period of time.

“But that might be changing. My sense is there is a raised level of concern over such vulnerabilities, and vendors are getting more feedback from end-users, and responding appropriately with updates and patches.”

Dark Wolf provides a cybersecurity checklist containing actions that make all of these potential vulnerabilities much harder to exploit. The list contains items that will be familiar to any IT professional, such as strong access control with complex passwords and two-factor authentication, regular software and firmware updates, comms link encryption, disabling of unused ports, regular penetration testing and good physical security.

“I am proud of the cybersecurity assessments that our team has performed, knowing we are helping secure systems that need securing. Likewise, working with teammates on finding and reporting on exploitable vulnerabilities in communication gear is very satisfying,” Broberg says.

“I am probably most proud of developing and presenting our workshop, which helps communicate this work to a wide audience.”

His current work is focused on expanding the company’s level of knowledge and its range of effective testing processes in cybersecurity for all forms of wireless communication, which in practical terms means that he spends most of his time “playing with radios”.

Broberg notes that he is nearing the end of his career, but suspects he will always be involved with the technology.

“These last three years have been a wonderful capstone to my cybersecurity career, but I am not sure I will ever be able to completely let go of my SDR as I pursue deeper knowledge of radio communication in autonomous vehicles.”

Ronald Broberg

Ronald Broberg earned a Bachelor of Science degree in Physics from Colorado State University, where he studied from 1991-95. He joined Lockheed Martin in 1996, where he spent 25 years in software engineering, working on satellite systems, and then command-and-control technologies, including the Theatre Battle Management Core System (TBMCS).

Broberg left in October 2021 to join Dark Wolf Solutions, where he reports to a cybersecurity director. He also holds certificates as a wireless security professional and a wireless network administrator.

As a child and young adult, he “spent an inordinate amount of time in metal armour, beating on people with wooden swords”; a recreation that chimes with his enthusiasm for fantasy and science fiction.

These interests also colour Broberg’s personal and business philosophy, as he insists that everything you need to know about geopolitics and business can be learned from sci-fi classic Dune and action fantasy Conan the Barbarian, respectively. “Everything you need to know about love, well, you have to live that yourself,” he adds.

This romantic streak is balanced by a deep interest in physics, mathematics and philosophy, which were his favourite subjects at school and in higher education.

And in his free time, he loves to dance the tango.