A good day to hack a drone
Student project team competes against sponsor Belcan in two hacking competitions
On a crisp spring day, the Michigan – Aerospace Cybersecurity Team (M-ACT) geared up for a thrilling hackathon showdown with their corporate partners, Belcan. The members of the Model-Based Systems Engineering (MBSE) lab were determined to learn everything they could about cybersecurity and identify their vulnerabilities. As they prepared for their 1 v 1 match, caffeine and adrenaline coursed through their veins (the team was up all night preparing), fueling their competitive spirits. “We’re all about learning and fostering support between our Belcan and Collins Aerospace partners,” said the M-ACT team, their eyes ablaze with the thrill of the competition.
The M-ACT team had been working tirelessly throughout the school year, partnering with some of the biggest names in the aerospace industry such as Belcan, Siemens, Vayu Aerospace, and Collins Aerospace, to retrofit a drone and make it hack-proof. But this wasn’t just any ordinary drone, it had to exhibit both cyber hardening and cyber resilience, and be able to withstand the toughest of attacks from some of the best professionals in drone cybersecurity.
Through trial and error and with critical guidance from their faculty advisor Vasilieos Tzoumas, the team slowly became ready for the friendly competition where Belcan would attempt to hack into the M-ACT drone. The competition had a panel of judges composed of x88 staff to review the score sheets and assign the final points in each match phase.
The big showdown
The match took place at the M-Air facility over the course of one day and was composed of two parts.
The first tested the drone’s cyber hardness, and the second tested its cyber resilience. In part one, the drone was powered on and operational, though it remained stationary. The drone’s camera was aimed at a poster with an encrypted secret message that the hacker team attempted to steal. The team’s ultimate objective was to build a cyber defense to block attacks and prevent its system’s security from being compromised before even beginning flight.
“Drones are used for various security purposes in the private and military sectors, often using cameras to gather sensitive information. Hackers have been able to intercept video communications between drones and their mission controls team to spy on victims. Part I of this competition will test the cyber hardness of the drone by testing its ability to withstand the attempts of hackers to break into the drone’s system and steal confidential information,” the team explains.
In the second phase, the M-ACT team was to design a route for their drone to fly that visited mission checkpoints inside the M-Air facility and program a hacking detection method. They built a “limp home landing” program so the drone could return to home base if attacked.
This second phase had three rounds, each 10 minutes long, where the drone was to start at a “home base” station, then fly to checkpoint one and hover for at least 15 seconds. It then had to fly to checkpoint two and repeat its hover time there before flying to checkpoint three to hover again for another 15 seconds. At the end of each round, the drone had to return to the home base landing pad before the time was up. Each of these steps were repeated for all three rounds of phase 2. For a checkpoint to be hit, the drone had to hover within a 1-meter radius of the checkpoint which was physically marked, and judges had to confirm that the drone flew within the radius visually.
“Many drone missions involve meeting checkpoints on a route and being timely about gathering important data. Attacks are inevitable and it is hard to predict what approaches hackers will use when invading a system. However, a resilient system should be able to detect unwanted behavior and have fail-proof measures against it.”
Meanwhile, it was the hackers from Belcan’s mission to retrieve confidential data and then caused a critical mission failure. Each successful hacking method for the drone could only be used in one round to allow for a more thorough test of the drone’s resilience abilities. Each time Belcan successfully hacked into the drone, points were awarded. If Belcan was unsuccessful, then the M-ACT team was awarded the points until the end of the match round.
And the winner is…
It’s a mixed bag, but only because of the short time limit. The M-ACT team won the first phase during the competition with their 63-character-long password encryption, which Belcan wasn’t able to break before time ran out. The team was unsuccessful in the second phase, resulting in Belcan hacking into the drone, causing it not to complete its intended flying route inside the M-Air facility.
“I like the idea that they tried things and failed and learned from those mistakes because oftentimes you learn more from failure than you do from success,” course professor George Halow comments after the competition.
“They designed, engineered, built, tried and tested, and they had setbacks. I wouldn’t even call them failures, they are setbacks, and then they went around and did them again. Then they came here and had a hacker come in, and he was partially successful, and even from the things they were able to fend off, that reinforced that they could do the same thing next time. Then the fact that he was able to hack in, they learned from that experience as well, and they can learn in the future how to do things differently to be better prepared to defend them next time.”
This year was the first-ever friendly hackathon project in the MBSE lab but the M-ACT team hopes to compile their findings and become better equipped for the event next year. The team commented, “We didn’t really know each other before we came together and started designing our drone. Throughout the year, we became very close and grew to depend on each other and our roles in the design and build process.”
They hope to consider what they have learned to make improvements and alterations to the drone and the competition itself. The M-ACT project, in partnership with some of the best companies in drone manufacturing and cybersecurity, provided students with an incredible opportunity to take their classroom MBSE experience to the next level with a real, practical design, build, fly project. We can’t wait to see what they have in store for us next year!