3D Printing Hack Downs Drone
May 18, 2017
by Karen Haywood Queen Mechanical Engineering Magazine
The 3D-printed consumer drone hovers in mid-air, as pulsing percussion hints of doom. Then, less than two minutes into its first flight, which was captured on a YouTube video, the drone spins out of control and crashes.
The cause of the crash? The first successful attempt to hack into a computer and sabotage an additive manufacturing design, said researcher Mark Yampolskiy of the University of South Alabama, the coauthor, with researchers from Ben Gurion University and Singapore University of Technology and Design, of a paper on the hack.
The YouTube video, posted in August 2016 and watched by more than 36,000 people so far, could be the Cliff’s Notes for the paper.
Manufacturers are already making parts for jet engines and other machines using additive manufacturing. "Engineers are generally very good at accounting for random natural variations of physical processes,” Yampolskiy said, both during manufacturing itself and in real-life conditions a manufactured part will be exposed to.
“These are often accounted for by incorporating a safety factor in the design. Unfortunately, engineers also generally overlook security aspects,” he said.
Previous demonstration sabotages of 3D printing designs started with the perpetrator already inside the computer hosting the design. Then the perpetrator simply manipulated blueprints and showed that it could harm mechanical properties, Yampolskiy said.
His team’s attack went a step further. They used an ordinary phishing attack, sending an e-mail that downloaded an infected zip file. That gave the researchers what they called a “reverse tunnel” into the computer hosting the design. They manipulated the design and inserted cavities into the propeller blades. The cavities caused the propeller to break in mid-air.
In theory, the quality-control process could catch defective parts made from a sabotaged design. But in this case, the additively manufactured drone wing was sabotaged in a way that would escape detection during typical quality-control measures.
“All of these tests have limits [in terms of] defects that can be detected,” Yampolskiy said. A physical inspection could also have revealed the problem, said Sven Schrecker, chief architect for IoT security solutions at Intel. However, “the novelty in this particular attack is that the compromise is digital, the tampering is very subtle and may not have been caught, as it is not visible to the human eye,” he said.
The part was also sabotaged to not fail right away—another way for the product to make it through manufacturing quality control, then fail when in use. To prevent sabotage attempts, one possible solution would be to create designs of functional parts with a higher safety factor, Yampolskiy said. But this would increase size, weight, and cost, which would make this approach impractical and unlikely, he said. Another approach would be to develop the ability to detect ongoing or already successful attacks, but this would require better quality control measures than are currently available.
The demonstration is already forcing the additive manufacturing industry to adopt cybersecurity best practices by making sure software and firmware are up to date; constantly monitoring network traffic; and creating an air gap between the internet and the production network, he said.
The integrity of each product and component in the supply chain must also be attested to, Schrecker said. “The owner or operator of the equipment must be able to interrogate each component of the system to attest to that element’s integrity. Each component, in turn, interrogates its subcomponents to attest to their integrity and, when complete, reports its findings.”
After successfully showing that 3D-printed designs can be hacked and sabotaged, Elovici and Yampolskiy have turned to preventing attacks before they succeed. A thwarted sabotage may not make for an exciting YouTube video, but it would be an important step forward.
Karen Haywood Queen is a technology writer based in Williamsburg, VA.
Engineers are generally very good at accounting for random natural variations of physical processes… Unfortunately, engineers also generally overlook security aspects. Prof. Mark Yampolskiy, University of South Alabama