RC aircraft protocol vulnerability enables remote takeovers

Threatpost reports that malicious actors could easily exploit a vulnerability in the ExpressLRS protocol for radio-controlled aircraft to achieve remote takeovers. Communications between an ExpressLRS transmitter and receiver could be hijacked by anyone that has monitored traffic between the two channels, an NCC Group bulletin showed. "An aircraft already in the air would likely experience control issues causing a crash," said the advisory. The vulnerability stems from sync packets that expose 75% of the binding phrase's unique identified needed for link takeover, while the remainder could be abused in brute-force attacks or collected through "observing packets over the air without brute forcing the sequences, but that this can be more time consuming and error prone." Users of drone aircraft have been urged to immediately address ExpressLRS flaws and refrain from using the control link for sending the UID, as well as bolster the random number generator. NCC Group also discouraged over-the-air sending of data used for FHSS sequence generation.