General security

Hack-Proof Drones Possible with HACMS Technology

Pierluigi Paganini
June 3, 2014 by
Pierluigi Paganini


Unmanned Aerial Vehicles (UAVs) are one of the most flexible and useful solutions adopted by the military and private industries. Drones could be used in commercial contexts as in high critical environments, and the production of even more sophisticated models is expanding their possibilities of use. UAVs are considered technological jewels, the military research on their design is providing significant improvements, and recent conflicts were characterized by a large use of Unmanned Aerial Vehicles in critical missions. Reconnaissance of wide areas like national borders, as well as strikes, are the principal uses of drone technology in military industry.

"The drone industry is growing at a rapid pace. Aerospace research company Teal Group has estimated that sales of military and civilian drones will total over $89 billion in the next 10 years. The possible fields of application for UAVs are unlimited."

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The electronic component is pushed to the highest levels of technology as well as the materials used in their construction. It is clear that security plays a vital role. Military use is playing a driver role for drone technology, and many governments, including the US and Israel, use UAVs for offensive purposes. In a previous post, I have mentioned the data from the Federal Aviation Administration (FAA) -- by 2020 it has been estimated that in the US sky the number of flying drones will reach 30,000 units. Use of drones also hides many pitfalls. Unmanned vehicles could be targeted by hackers who could steal the information they manage, or in the worst case, to sabotage them.

Another factor to consider is the significant difference between UAVs in military and civil industries; the opening to drones for commercial uses is raising a heated debate on the level of security and privacy offered by their architecture. Attackers could easily compromise civil drones, and hackers could hijack or destroy them, with serious repercussions on public security and on the continuity of the services they provide.

Drones could be destroyed by cyber-attacks, but in the most worrying scenario, attackers could hack them to gain complete remote control of them. Security expert Samy Kamkar presented to the security community the SkyJack software, an application that he designed to gain control over a drone while it's still flying. Kamkar published the details on his website. The researcher defined SkyJack as the "Zombie drone" in the proof of concept, and he provided that he would run the software on a Parrot AR.Drone 2.

The system he designed is able to scan for wireless signals of other UAVs in the vicinity. Once it has detected the target, he is able to hack it control system, interrupting the communication with a legitimate control center.

The choice of this specific drone is not casual. The young expert has demonstrated that anyone can create their own UAV to hunt down other drones and control them. This is the demonstration that security must be within critical requirements for Unmanned Aerial Vehicles.

The Use of Unmanned Aerial Vehicles in the US Army

Drones are widely used in the military industry; initially they were mainly used for surveillance and espionage purposes in a mission critical environment. With technological improvements, these vehicles are becoming even more sophisticated, and the military has started to use them as a weapon in strategic operations. Unmanned Aerial Vehicles could be used to infiltrate the territory of adversaries or to fly on a battlefield in stealth mode. In recent years they were used to monitor and strike specific targets with high precision, thanks to the use of sophisticated pointing devices. The US authorities and manufacturers sustain that use of UAVs in the military minimizes collateral damages and loss of human lives in case of attack.

The US government is one of the governments that is making larger uses of drone technology. It has deployed military installations for the launch of drones in the Strait of Hormuz, for the surveillance of critical tribal areas of countries such as Iraq, Afghanistan, Yemen, and Pakistan, and monitoring of the African territories such as Djibouti, Ethiopia, and Niger to mitigate possible offensives of extremist groups.

In ten years, the number of UAVs has been constantly growing. The US government has officially more than 8,000 drones, and principal manufacturers are already working for the provisioning of new power vehicles.

Drones as weapons and the use of drones for "targeted killings" in the above areas is debated by principal governments. In many cases the diplomacy has expressed criticism on UAV strikes in foreign areas conducted by the US Army. The US has been accused of violating other states' sovereignty if their governments do not authorize the US to operate in their territory. This is the case with numerous strikes in Pakistan.

The Hack-Proof Drone

More than a year ago, Defense Advanced Research Projects Agency (DARPA) announced that their researchers were working on a project codenamed HACMS (High Assurance Cyber Military Systems) for the design of a software that is able to thwart cyber attacks once deployed in any context, like a defense system or an Unmanned Aerial Vehicle.

The secret project has been underway for several years, according to Kathleen Fischer, HACMS program manager for DARPA. The project originated at the University of California, San Diego and the University of Washington, and has made possible the definition of a new generation of drones equipped with secure software developed with principles of the HACMS program. The drones used a software that prevents cyber attacks, in particular any interference with the control and navigation systems of the vehicle from hackers.

"The software is designed to make sure a hacker cannot take over control of a UAS. The software is mathematically proven to be invulnerable to large classes of attack," explained Kathleen Fisher.

The researchers at DARPA have deployed their secure software on a mini drone trying to hack it, but the onboard application was mathematically armored, making it invulnerable to external cyber attacks. Kathleen Fisher mentioned the "red-team" exercises wherein cyber experts tried to hack into the quadcopter and failed.

In this type of exercise, two groups of hackers engage in a battle, trying to undermine each other's instrument and systems, in this case the innovative HACMS software. Fisher asserted that the experts at DARPA have defined the prototype quadcopter as the most secure UAS in the world.

"We started out with the observation that many vehicles are easy for malicious hackers to tamper with the software and take control remotely. We've replaced all the software with our high assurance software that was developed using the tools and techniques that were invented in the program," Fisher said.

The experts at DARPA focused their efforts in protecting the on-board systems in drones during communication with other systems. Many units that constantly exchange information with external sources in real time compose unmanned Aerial Vehicles (UAVs). Hackers exploiting vulnerabilities or security issues in implemented network protocols or on-board software could easily attack these communications.

"The software is mathematically proven to be invulnerable to large classes of attack … Many things have computers inside and those computers are networked to talk to other things. Whenever you have that situation, you have the possibility for remote vulnerabilities where somebody can use the network connection to take over and get the device to do what the attacker wants instead of what the owner wants," HACMS program manager Kathleen Fisher told Defense Tech.

Below are the most common technique of attacks against drones:

  • GPS spoofing attack – attackers send to the control system of the drone fake geographic coordinates to deceive the on-board system and hijack the vehicle to move to a different place than where it is commanded.
  • GPS signal jamming – attackers, using jamming techniques, interrupt the on-board GPS system from receiving data transmitted to the UAV. In this scenario, the aircraft could potentially lose the capability to monitor its route and to calculate its location, altitude, and the direction in which it is traveling. With this technique is possible to force the drone to a secure landing operation.
  • Malware-based cyber attacks – any software component which runs on a drone could be hit by malicious code that could be able to exploit a vulnerability in its systems. "The menace is concrete and it probably already happened in US military networks. In October 2011, Wired Magazine reported a virus infected drone remote control system, in particular the malware captured strokes on a keyboard in drones' cockpits at Creech Air Force Base in Nevada, made it tricky for the pilots who remotely fly assault drones like the Predator and Reaper. The malware used did not appear sophisticated but security experts spent a couple weeks before to completely immunize the system."
  • Electromagnetic pulse (EMP) attacks – attackers hit the vehicle with a short burst of electromagnetic energy. Such a pulse can be originated in the form of a radiated electric or magnetic field or conducted electrical current depending on the source used for the attack. The effect of an EMP attack is the interference or the damaging of the electronic equipment of the drone.

I expect that software designed for the High Assurance Cyber Military Systems project could protect vehicles from any kind of attack that try to deceive the control system of the vehicle providing bogus data. The drone prototype designed by the experts at DARPA is just one of the 100 projects and 29 advanced research programs presented by the agency recently at DARPA Demo Day.

Despite that the software was tested on a small vehicle, DARPA plans to extend its uses for more complex vehicles, like Boeing's Unmanned Little Bird helicopter. As explained by the researcher, the HACMS technology could be rapidly deployed in embedded systems of many other critical applications including weapons systems, defense systems, supervisory control and data acquisition (SCADA) systems, and medical devices and telecommunication systems.

"The software is foundational so it could be used for a large number of systems," Fisher added.

A Close Look at the DARPA HACMS Research Program

Technology in modern warfare has assumed a crucial role. Governments are developing sophisticated new cyber capabilities to prevent and mitigate cyber threats.

UAVs are just a sample of sophisticated weapons used by the military. Every component of these vehicles could be affected by a "pervasive vulnerability" that exposes them to the concrete risks of hijacking.

The concept of "pervasive vulnerability" is widely discussed and it's subject of deep study by various entities, including the Defense Advanced Research Projects Agency, but a pervasive vulnerability concept is not related only to UAVs, because weaknesses also affect SCADA systems, medical devices, computer peripherals and communication devices.

"Such devices have been networking for a variety of reasons, including the ability to conveniently access diagnostic information, perform software updates, provide innovative features, lower costs, and improve ease of use. Researchers and hackers have shown that these kinds of networked embedded systems are vulnerable to remote attack, and such attacks can cause physical damage while hiding the effects from monitors," reports in the project page on DARPA website.

Figure - Pervasive Vulnerability (DARPA)

The patch management for this category of vulnerabilities, especially in the military sector, is very complex. The deployment of a fix for a flaw in the control system of a UAC needs, in the majority of cases, the re-certifying for the entire aircraft. Every path must be carefully analyzed and tested to avoid the introduction of further vulnerabilities in the flawed system.

Which is the main cause of the presence of such critical vulnerabilities?

Dr. Kathleen Fisher, a Tufts University scientist and a program manager at DARPA, explained that the problem is related to the design of control algorithms that are often written without respecting essential security requirements. The project High-Assurance Cyber Military Systems, or HACMS, assigned to Fisher has a four-year effort and an estimated cost of $60 million with the purpose of defining an innovative and secure practice of coding.

The program is described on the DARPA website with the following statements:

"The High-Assurance Cyber Military Systems (HACMS) program seeks to create technology for the construction of systems that are functionally correct and satisfy appropriate safety and security properties … Our vision for HACMS is to adopt a clean-slate, formal method-based approach to enable semi-automated code synthesis from executable, formal specifications," explained Kathleen Fisher, DARPA program manager.

Deliverable for HACMS are the design of secure code and the production of a machine-checkable proof that the generated code satisfies functional specifications as well as security and safety policies. A key technical challenge is the development of mathematical techniques to ensure that such proofs are composable, allowing the construction of high-assurance systems out of high-assurance components.

The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to interfere and disrupt systems in critical infrastructures, as explained by Dennis C. Blair, Director of National Intelligence in 2009.

Drone control systems, SCADA systems and medical devices are privileged victims of cyber attacks. Events like the Stuxnet case and the various news on the hijacking of drones are the demonstration that hackers could exploit vulnerabilities to compromise these complex systems that lack secure coding.

Fisher, during a presentation of her study, declared:

"Many of these systems share a common structure: They have an insecure cyber perimeter, constructed from standard software components, surrounding control systems designed for safety but not for security."

The perfect code is impossible to realize. Coding requests a long and complex work that involve highly skilled personnel. To give an idea of the effort necessary for code validation and analysis, let's consider that a group of researchers in Australia has checked the core of their "microkernel" composed of 8,000 lines of code spending a workload of 11 persons for twelve months. It's an amazing time if we consider the time to market of military devices and complexity of mission critical systems. The overall project will have a duration of 4.5 years split into three 18-month phases and is composed of 5 Technical Areas (TAs):

  • TA1 – Military Vehicle Experts
  • TA2 – Formal Methods and Synthesis for OS Components
  • TA3 – Formal Methods and Synthesis for Control Systems
  • TA4 – Research Integration
  • Sub-area 1: Formal-Methods Workbench
  • Sub-area 2: Integration of High-Assurance Components
  • TA5 – Red Team


The government is interested in the definition of tools and formal methods-based techniques to develop secure control algorithms. The goal is the creation of a new generation of hack-proof military vehicles. The final control algorithms will be tested on various defense vehicles such as Rockwell Collins drones, Boeing helicopters and Black-I-Robotics ground robots, but the project is more ambitious. Its principal goal is the definition of "a software that can write near-flawless code on its own".

Reading the presentation of the HACMS program, I was attracted by the Technical Area 5: Red Team ("Voice of the Offense") that includes the static and dynamic assess the security of the targeted vehicles. The phase also includes a specific task for the mitigation of attacks based on the injection of arbitrary code on the targeted systems and to make a system resilient to the reception of bogus values to the sensors of the vehicle. These are the most common attack scenarios observed until now. The program is also interested to preserve mission objectives from hacker attacks. In the past, hackers hacking the control system of real vehicles were able to gather sensitive information during a conflict, such as the goal of the mission (e.g. reconnaissance or bombing), the locations of the troops on the territory and final targets of the attacks.

The deliverables of HACMS will be a set of publicly available tools integrated into a high-assurance framework, which will be distributed for use in both the military and commercial software industries. The purpose is to promote these tools to generate high-assurance and open-source operating system and control system components.


The various attack scenarios against drones described in this paper highlight the importance of cyber security for these complex vehicles. Foreign governments and cyber terrorists could exploit vulnerabilities in the technology used to build these machines to hit a country and its infrastructure. It is necessary to set a maximum level of alert for UAV manufacturers. In the next years these technologies will be largely used for different purposes, including in commercial activities. UAVs will crowd the sky and security must be the first requirement.

If the next tests on the HACMS technology will provide positive results, hack-proof software developed by DARPA will be extended also to commercial use.

"HACMS will likely transition its technology to both the defense and commercial communities."

HACMS will enable high-assurance military systems based on a new generation of software able to respond also to the most sophisticated cyber attacks. HACMS will be deployed in a wide range of systems, from unmanned vehicles (e.g., UAVs, UGVs, and UUVs) to weapons systems, satellites, and command and control devices.

Is it really possible to design a new generation of systems that are hack-proof?

Today, experience suggests that every software could be attacked, and either way the definition of rules and practices for secure coding is necessary to prevent cyber attacks.

In this sense, HACMS is a pioneer approach in the definition of a new generation software that can write near-flawless code on its own. HACMS is just the evidence of the state of the art of the research that every government is conducting to produce robust applications.


FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.