Paralyzing Drones via EMI Signal Injection on
Sensory Communication Channels
Joonha Jang∗†, Mangi Cho∗†, Jaehoon Kim†, Dongkwan Kim‡, and Yongdae Kim†
†KAIST, ‡Samsung SDS
Anti-drone technology that instantly neutralizes drones by injecting electromagnetic interference (EMI) into the control unit of drones.
This paper was accepted at the Network and Distributed Systems Security (NDSS) Symposium, 2023.
Overview
We propose a novel anti-drone technique that effectively distorts the communication channel between the IMU and control unit of the drone by using an electromagnetic interference (EMI) signal injection. Experimentally, for a given control unit board, regardless of the sensor used, we discovered a distinct susceptible frequency at which an EMI signal greatly distorted the sensor data. Compared to a general EM pulse (EMP) attack, our work requires considerably less power since it targets the specific susceptible frequency. It can also reduce collateral damage from the EMP attack. For practical evaluations, we demonstrated the feasibility of the attack using real drones.
Comparison with other anti-drone technologies
Attack Principle
Fig.2.: Analysis of the influence of the communication channel distortion on the data flow of the attitude control algorithm.
The control unit retrieves the IMU data based on the interpretation of the communication signals. If the communication between the sensor and control unit is disrupted, the control unit would not retrieve the correct IMU data. Then, incorrect IMU data causes the state estimator to return the current attitude away from the actual measurement, thereby resulting in an incorrect target angle (① in Fig. 2). Additionally, the internal PID loop yields the wrong force required to reach the target angle based on the distorted x, y, and z-axis angular velocities (② in Fig. 2). Consequently, the rotors generate torque, thereby causing the drone’s attitude to deviate considerably from stable flight (③ in Fig. 2). Since the aforementioned problems are fed into the closed-feedback loop, creating an increasingly unstable attitude, the drone eventually crashes to the ground.
Experiment setup
Experimental Setup of the EMI Injection
Near-field EMC scanner
Remote EMI Injection Testing in a Shielded Room
Main Attack Demo Videos
IMU-6 EM injection experiments on a hovering drone at 0.44m.
Backdoor coupling frequency EM injection causes irregular motor rotation and motor stop of the drone. While the drone was hovering in a hovering frame, as soon as the EM injection started, one of the motors stopped and hovering immediately stopped (the drone should have gone down).
IMU-7-2 EM injection experiments on a hovering drone at 2.4m.
IMU-8 Targeted EM Injection Experiments with NANO and Pixhawk4 Boards
When remote EMI injection was performed at the Pixhawk4's susceptible frequencies on both the Pixhawk4 and the NANO board, only the Pixhawk4 was affected.
Additional Attack Demo Videos
IMU-1 Disturbing original signal on I2C communication channel between IMU and Control unit.
Disturbed SDA channel: The control unit received significantly fluctuating data.
Disturbed SCL channel: The control unit received significantly fluctuating data.
Disturbed both SDA and SCL channels: The control unit received significantly fluctuating data. We observed the abnormal data transmission while the SCL and SDA signals were disturbed simultaneously.
IMU-2 An experiment showing that the drone rotor command signal became irregular due to EM injection.
We experimentally confirmed that EM injection disrupted the I2C communication signals between the IMU and the control unit, causing abnormal behavior of the system.
Also, the malfunction of the system induced by EM was similar to the malfunction of the system induced by direct channel disturbance.
IMU-2-1 Shielding the wire and the IMU sensor
An EM injection caused communication signal corruption. In other words, there was no noticeable difference between the shielded and unshielded conditions.
IMU-2-2 Shielding only part of the control unit board
Using our RF generator (maximum power = 100 mW), we failed to cause communication signal corruption even at a very short distance (3 cm).
IMU-3 Attack simulation with PX4 SITL (Software In The Loop).
Attack evaluation demonstration using the PX4 SITL environment: if our attack occurs on a hovering drone, it crashes at 5.61m in 1.07 seconds (see 31s in our demo video). We used PX4 software-in-the-loop (SITL) to evaluate the impact of our attack by investigating how a fluctuating IMU data stream propagates into the rotor operation and what effects it has.
IMU-4 An experiment showing that the drone rotor command signal became irregular due to EM injection.
In a stationary situation (without starting rotors), this demo shows how rotor commands change upon an EM injection. After 35 seconds, the rotor commands (top right corner) became extremely fluctuating.
IMU-5 EM injection experiments on a stationary drone.
We confirmed the irregular change and irregular stop of the drone rotor speed with this experiment.
In a stationary situation after rotors start, this demo shows how rotors and their commands change upon an EM injection at 9 sec. The rotor commands (in the white box) became irregular. Some rotors even stopped temporarily.
IMU-7-1 Attack Distance Experiment
Using backdoor coupling, we confirmed that considerable data distortion occurred at a maximum of 0.84m at a frequency of 258 MHz and a power of 100 mW.
Post Mortem Analysis of Our Attack
Accelerometer data
Gyroscope data
Magnetometer data
Rotor command
Fig.3.: Illustrations of the IMU sensor values and rotor commands when the EMI signal is injected. All IMU sensor values significantly fluctuate right after the attack (517th sample). Additionally, all rotor commands are significantly affected right after the corruption of the IMU sensor values (517th sample). For example, rotor 4’s command immediately drops to 1100, lowering its speed to its minimum (stop). It indicates that our attack corrupted IMU values, affecting rotor commands immediately.
Attacking Other Sensors: CMOS Image Sensor
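An added example (not code from the paper or its authors): one way to locate the corruption onset in a logged gyroscope axis during post-mortem analysis, by looking for sustained sample-to-sample jumps larger than the airframe can physically produce. The log, the 1.0 rad/s step bound and the window parameters are constructed assumptions; only the onset at the 517th sample mirrors Fig. 3.

```python
import math


def step_exceedances(samples, max_step):
    """Indices i where |samples[i] - samples[i-1]| exceeds max_step."""
    return [i for i in range(1, len(samples))
            if abs(samples[i] - samples[i - 1]) > max_step]


def find_corruption_onset(samples, max_step, window=8, min_hits=4):
    """Return the first index that starts a sustained burst of implausible
    jumps, or None. A lone glitch (one bad bus read) produces only a couple
    of exceedances and is ignored; a corrupted channel keeps producing them.
    max_step, window and min_hits are assumed tuning values that depend on
    the airframe dynamics and the IMU sample rate."""
    hits = set(step_exceedances(samples, max_step))
    for i in sorted(hits):
        in_window = sum(1 for j in range(i, i + window) if j in hits)
        if in_window >= min_hits:
            return i
    return None


def constructed_gyro_log(n=600, onset=517, glitch_at=200):
    """Constructed single-axis gyro log in rad/s (not measured data):
    gentle hover motion, one isolated glitch, then wild fluctuation
    from `onset` onward, as described for Fig. 3."""
    log = [0.02 * math.sin(i / 10.0) for i in range(n)]
    log[glitch_at] = 5.0                      # single bad read, recovers next sample
    for i in range(onset, n):
        log[i] = 8.0 if i % 2 else -8.0       # sustained implausible swings
    return log


if __name__ == "__main__":
    log = constructed_gyro_log()
    print("exceedances before onset:",
          [i for i in step_exceedances(log, 1.0) if i < 517])
    print("corruption onset sample:", find_corruption_onset(log, 1.0))
```

The same sustained-exceedance test can run on the flight controller as a plausibility gate in front of the state estimator, so that a corrupted IMU stream is flagged before it drives the PID loop.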
CMOS-1 Disturbing original signal on SPI communication channel between CMOS image sensor and Control unit.
We observed the corrupted image data while the system didn’t update the newer image.
CMOS-2 EM injection experiment on a CMOS image sensor.
We observed corrupted frames in the updated image of the system.
CMOS-3 EM injection experiment on another CMOS image sensor.
We observed corrupted frames in the updated image of the system.
Similar attacks: Thor (The tactical high power operational responder)
Restrictions on EMI attacks on commercial drones
In order to evaluate more practical points in addition to the promised experiments, we tried to perform remote EMI attacks on DJI drones and Pixhawk drones.
At this time, we radiated an EMI output of over 100W. For reference, radiating this output is only possible in a shielded chamber because of electromagnetic wave radiation regulations. Also, for safety, the position and radius of the drone must be fixed (high-voltage equipment).
In this process, we found the following limitations:
1. The shielded chamber blocks all electromagnetic waves, including GPS signals.
2. Without a GPS signal, the Pixhawk drone could not hover.
3. DJI can hover without a GPS signal, but it requires a height of at least 15 meters, and its radius is very large both horizontally and vertically, so it is very dangerous because it can damage high-voltage devices. [https://www.dji.com/mini-2/specs]
4. As mentioned in 3, when the DJI is tied to a payload and forced to take off, only the maximum rotor output is repeated for takeoff flight, so the drone makes a pendulum movement and cannot hover.
Paper information
JoonHa Jang, Mangi Cho, Jaehoon Kim, Dongkwan Kim, Yongdae Kim, "Paralyzing Drones via EMI Signal Injection on Sensory Communication Channels", Network and Distributed Systems Security (NDSS) Symposium, 2023, Paper link
LaTeX: BibTeX
@inproceedings{jang2023paralyzing,
title={Paralyzing Drones via EMI Signal Injection on Sensory Communication Channels},
author={Jang, Joonha and Cho, Mangi and Kim, Jaehoon and Kim, Dongkwan and Kim, Yongdae},
booktitle={Network and Distributed Systems Security (NDSS) Symposium},
year={2023}
}
Contact
If you have any questions or comments, please don't hesitate to contact the first author JoonHa Jang (cyber040946@kaist.ac.kr), a PhD student at System Security Lab at KAIST, Korea.