uav control systems

UAV Control Systems Implementation, Protocols, and Vulnerabilities Kyle Swenson

Upload: william-gudw

Post on 02-Oct-2015


DESCRIPTION

Systems for controlling UAVs or drones; covers topics such as communication protocols, and includes links for further reading on each topic.

TRANSCRIPT

UAV Control Systems: Implementation, Protocols, and Vulnerabilities

Kyle Swenson

Introduction
- Military grade systems
  - General UAV control overview
  - Frequency review
    - Frequency bands used and associated characteristics
  - Protocols
    - CDL, TCDL
  - Security
- Consumer grade systems
  - Communication options
  - Range
  - Power

Military UAVs
- Two channels:
  - Full duplex for control
  - Half duplex or simplex for video (downlink)
- Operate on multiple frequency bands
- Drone type and size
  - Man Portable
  - Tactical
  - Theater

Frequency Bands Used by UAVs
UAVs use multiple bands:
- L-Band (800 MHz to 2 GHz)
  - Military telemetry
  - GPS
- S-Band (2 to 4 GHz)
  - Weather radar
  - Some satellite communication
  - IEEE 802.11
  - Unlicensed ISM band in North America (2.4 GHz)
- C-Band (4 to 8 GHz)
  - Terrestrial microwave radio relay communication systems
  - Open satellite communications: TV networks and raw satellite feeds
  - Associated with television receive-only satellite systems
  - Weather radar
  - Very congested and commonly used

Frequency Bands Used by UAVs
- X-Band (8 to 12 GHz)
  - Used by military communications satellites
  - Downlink 7.25 to 7.75 GHz, uplink 7.9 to 8.4 GHz
  - Not normally used by UAVs
- Ku-Band (12 to 18 GHz)
  - Designated exclusively for satellite systems
  - Some TV broadcast systems depending on location
  - Much less interference compared to C-Band (fewer civilian uses)
    - Doesn't need to increase power to compensate for noise
  - More focused beam than C-Band
    - 1 meter dish used to differentiate between satellites 2 degrees away
  - Vehicle speed detection by law enforcement in Europe
    - Non-satellite, used because there is little congestion
  - Problems with atmospheric interference
    - Rain and snow fade

RF Communications
General rules:
- As frequency increases, so does
  - Cost of equipment
  - Weight
  - Distance
  - Bandwidth
  - Power
  - Effect of weather impairments
- All of these bands except for X-Band have non-military activity
  - COTS products exist

Man Portable Communications
- Small drones
  - Desert Hawk, Dragon Eye, Pointer, Raven
- L-Band digital for control
- L-Band analog for video
  - 1.71-1.85 GHz, 140 MHz bandwidth
- Lower frequencies
  - Simpler equipment
  - Lower cost
- Short range
  - About 10 km

Tactical UAV Communications
- Bigger drones
  - Hunter, IGNAT, Pioneer, Scan Eagle, Shadow
- Use C-Band analog for video downlink (Hunter, IGNAT, Pioneer, Shadow)
  - 4.4 to 5.85 GHz, 1.45 GHz bandwidth
- Scan Eagle
  - 2.4 GHz for video
- Control system depends on UAV model
  - C-Band LOS (IGNAT)
  - L-Band 900 MHz (Scan Eagle)
  - S-Band LOS (Shadow)
    - 2-4 GHz range
- Distance depends on power and equipment
  - 50 km to 200 km

Theater UAV Communications
- Biggest drones
  - Global Hawk, Predator/Warrior A, Reaper
- Global Hawk
  - Control
    - UHF (300 MHz to 3 GHz) LOS
      - Sub L-Band, L-Band and S-Band
    - Ku-Band SATCOM
  - Video
    - X-Band (7.0 to 11.2 GHz)
    - Ku-Band

Predator and Reaper Communications: LOS
- Line of sight data link
- Used for control while in range of GCS
- Used for video downlink for troops on the field
- Video downlink uses C-Band digital
  - 5.25 GHz to 5.85 GHz

http://static.ddmcdn.com/gif/predator-system.gif

Predator and Reaper Communications: BLOS
- Beyond line of sight data link
- Satellite relay
  - SATCOM
  - Ku-Band
- Used for control, communications relay

http://static.ddmcdn.com/gif/predator-system.gif

Protocols: CDL
- Common Data Link (CDL)
  - Full duplex
  - Ku Band
  - Data rates up to 274 Mbps
  - Securable US military communications protocol
  - Imagery and signals intelligence
- FY06 Authorization Act
  - Requires the use of CDL for all imagery unless a waiver is obtained
  - 300 pound radios on a small UAV
  - Expect a 2 pound version by 2010

Protocols: CDL
- 21 May 2013 RFI
  - US government asking for ideas to get a CDL radio that can fit on man portable UAVs
  - Researchers at Idaho National Laboratories, Idaho Falls
  - 8 to 10 ounces
  - Under 35 W of power
  - 50 to 110 nautical miles
  - Interested in multi-band links
    - L, S, C, Ku
  - Close link with ground control
    - 8.448 Mbps to 44.736 Mbps
  - Support encryption
  - Full TCP/IP capabilities

Protocols: TCDL
- Tactical Common Data Link (development)
- Secure data link designed for UAVs
  - Specifically MQ-8B Fire Scout
- In development to transmit:
  - Radar, imagery, video and other sensor information
- Rates from 1.544 Mbps to 10.7 Mbps, 200 km range
- Uses Ku band
- Accept data from many different sources
  - Encrypt, multiplex, encode, transmit
- Ku narrowband uplink
  - Vehicle control
- Ku wideband downlink for data transfer
  - Streaming video

Security
- July 2008
  - Iraqi Shiite militants intercepted live video feeds from Predator
  - Unencrypted downlink between UAV and GCS (C-Band)
  - Video feeds to troops on the ground also use C-Band
- First found drone video on Shiite laptop
- Iraq, Afghanistan
  - It's part of their kit now
- Pentagon has known about the vulnerability since Bosnia campaign in the 1990s
  - Assumed that local adversaries wouldn't know how to exploit it
- Claim that encrypting this information is difficult
  - The communications protocol is proprietary
  - Decade old network is hard to change
  - Heavy encryption equipment

Security
- October 2012
  - Militants in Iran also captured Predator and Reaper video feeds
  - Only 30-40% of UAVs are using fully encrypted transmissions
  - Full encryption expected around 2014
- Problem is that full encryption systems are really heavy
  - Motivation behind the RFI, TCDL
- Currently use a mobile-phone size device with AES and triple DES. Slowly integrating these into the fleet
  - Much more limited than the RFI desires

SkyGrabber
- Russian software by SkyWare ($26)
- Listens on frequencies and hops around depending on protocol
  - Scanning mechanism to determine FHSS sequence of signal
  - Decoded the UAV FHSS sequence
- Developed to intercept music, photos, video, programs
  - Intercepted downloadable content
- Possible because the C-Band and Ku-Band also carry internet and TV broadcasts
  - Makes the satellites cheap and legal
- Lots of tutorials on how to do this

Consumer Grade Drone Control
- Usually uses unlicensed ISM band
  - Industrial, scientific and medical
  - 902 MHz to 928 MHz in Region 1 (North America)
  - 2.4 GHz to 2.5 GHz
  - 5.725 GHz to 5.875 GHz

ISM Band Technology
- IEEE 802.11 protocol (WiFi)
  - Range varies depending on power and line of sight
  - Lots of overhead (software and hardware) for relatively simple control
  - Uses a lot of power
  - Easy to secure, but easy to hack if not secured
  - No custom remote required
    - Smartphone, computer, any WiFi device

ISM Band Technology
- Custom ISM
  - Requires a custom transceiver and remote
    - Increases development time
  - Custom protocol
    - Makes it difficult to hack even with unencrypted payload
    - Minimum overhead
  - Custom FHSS sequence
    - Less interference with WiFi devices
    - Hop to different frequencies (5.8 GHz, 2.4 GHz, 900 MHz) if there is too much noise
  - Wide range
    - Depending on power, up to 1 km LOS
    - Limited by the FCC
  - Low power
    - Sacrifice range to increase battery life
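Added example, not from the original slides: one way to build the "custom FHSS sequence" so that both ends derive the hop pattern from a shared secret, and drop noisy channels, instead of using a fixed table. The 1 MHz channel spacing, the single channel pool across all three ISM bands, the demo key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# ISM bands listed on the slides (MHz). The 1 MHz channel spacing and treating
# all three bands as one channel pool are assumptions for this example.
ISM_BANDS_MHZ = [(902, 928), (2400, 2500), (5725, 5875)]
CHANNELS = [f for lo, hi in ISM_BANDS_MHZ for f in range(lo, hi)]


def band_channels(lo_mhz, hi_mhz):
    """All channels inside one band, e.g. to mark a whole band as noisy."""
    return frozenset(f for f in CHANNELS if lo_mhz <= f < hi_mhz)


def hop_channel(key, slot, noisy=frozenset()):
    """Channel (MHz) that both ends tune to in time slot `slot`."""
    usable = [f for f in CHANNELS if f not in noisy]
    if not usable:
        raise ValueError("every channel is marked noisy")
    # Largest multiple of len(usable) that fits in 64 bits; values at or above
    # it are rejected so the final modulo does not favour low channels.
    limit = (2**64 // len(usable)) * len(usable)
    retry = 0
    while True:
        msg = struct.pack(">QI", slot, retry)
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        value = int.from_bytes(digest[:8], "big")
        if value < limit:
            return usable[value % len(usable)]
        retry += 1


def hop_schedule(key, first_slot, count, noisy=frozenset()):
    """Hop sequence for `count` consecutive slots starting at `first_slot`."""
    return [hop_channel(key, s, noisy) for s in range(first_slot, first_slot + count)]


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    wifi = band_channels(2400, 2500)  # treat the 2.4 GHz band as congested
    print("all bands      :", hop_schedule(key, 0, 8))
    print("2.4 GHz skipped:", hop_schedule(key, 0, 8, noisy=wifi))
```

The hop pattern only decides where the next transmission lands; it does not protect an unencrypted payload, so the link still needs encryption and authentication.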

Questions?

Sources
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1460867&tag=1
http://www.bth.se/fou/cuppsats.nsf/all/e91df00b763f080cc12572990052d819/$file/Masters_Thesis%5B1%5D.pdf
http://science.howstuffworks.com/predator6.htm
http://defense-update.com/products/p/predator.htm
http://info.publicintelligence.net/JSC-04-054.pdf
http://cryptome.org/predator-read.pdf
http://online.wsj.com/news/articles/SB126102247889095011
http://www.advtecheng.com/uploads/ATEI_Ku-Band_Opt_Trade.pdf
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4106321&tag=1
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CEYQFjAFOAo&url=http%3A%2F%2Fwww.dtic.mil%2Fcgi-bin%2FGetTRDoc%3FAD%3DADP010757&ei=PkVpUrDjI4jTigKNsoDwBQ&usg=AFQjCNHWoDGA-oEKbWo5m6u9OniiXPfwfg&cad=rja
http://www.nps.edu/Academics/Institutes/Meyer/docs/A%20study%20of%20reconnaissance%20surveillance%20UAV.pdf
http://www.telesat.com/sites/default/files/telesat/files/whitepapers/UAV-Briefing.pdf
http://ftp.rta.nato.int/public/PubFulltext/RTO/MP/RTO-MP-044/MP-044-B10.pdf
http://web.ecs.baylor.edu/faculty/dong/paper/dong_wcnc07_T2S05P05.pdf
http://www.richardsilverstein.com/2013/10/09/third-israeli-drone-sabotaged-by-hacking/
http://www.homelandsecuritynewswire.com/pentagon-says-us-fixed-drones-hacked-iraqi-insurgents
http://www.google.com/hostednews/afp/article/ALeqM5gVfpsQcogZoD0Bx0efyryW0QK63Q?hl=en
http://www.dailytech.com/Iran+Yes+We+Hacked+the+USs+Drone+and+Heres+How+We+Did+It/article23533.htm
http://resources.infosecinstitute.com/hacking-drones-overview-of-the-main-threats/
http://www.syssec.ethz.ch/research/ccs139-tippenhauer.pdf
http://jiangbian.info/papers/2013/uav-wsn-icns-2013-abstract.pdf
http://www.electronicsweekly.com/news/design/communications/avionics-security-challenges-in-unmanned-vehicle-development-2009-07/
http://en.wikipedia.org/wiki/C_band
http://privat.bahnhof.se/wb907234/killuav.htm
http://12160.info/profiles/blogs/how-to-kill-a-drone-since-drones-can-kill-americans-americans-can
http://gizmodo.com/5906292/flying-your-own-military-drone-a-user-manual
http://info.publicintelligence.net/JFCOM-UAS-PocketGuide.pdf
http://privat.bahnhof.se/wb907234/pics/skygrab.pdf
http://info.publicintelligence.net/JSC-03-024.pdf
http://publicintelligence.net/dod-joint-spectrum-center-predator-drone-frequency-analysis-reports/
http://www.wired.com/dangerroom/2012/10/hack-proof-drone/
http://en.wikipedia.org/wiki/Common_Data_Link
http://jitc.fhu.disa.mil/brochure/cdl_.pdf
http://www.fas.org/irp/program/disseminate/tcdl.htm
http://uscrow.org/2013/08/05/how-to-kill-predator-drones-uavs/
http://www.gdfortress.com/Technology-Article/44-ghz-c-band.html
http://www.level421.com/index.php?id=1721
http://www.scatmag.com/technical/techarticle-mar05.pdf
http://en.wikipedia.org/wiki/K_band
http://www.militaryaerospace.com/articles/2013/05/Small-UAV-CDL.html
https://www.fbo.gov/index?s=opportunity&mode=form&id=5fa993abd4c637827fd0bda5718ed3ce&tab=core&_cview=1
http://www.inetdaemon.com/tutorials/satellite/communications/frequency-bands/