ExpressLRS Protocol vulnerability allows drone control takeover


Flaws in the way the transmitter and receiver establish their connection leave the drone’s radio control system vulnerable to long-range takeover.

According to an announcement published last week, a popular radio-controlled (RC) aircraft protocol called ExpressLRS (ELRS) could be hacked in just a few steps.

ELRS is an open-source long-range radio link for RC applications such as first-person view (FPV) drones.

The vulnerability stems from the fact that some of the information sent in the over-the-air packets is connection data that third parties can use to hijack the link between the drone operator and the drone.

Anyone able to monitor the traffic between the ExpressLRS transmitter and receiver could hijack the communication, which “could lead to complete control of the target vehicle.” An aircraft already in the air could experience control issues leading to a crash.

Explanation of the vulnerability

The ExpressLRS protocol uses a “binding phrase,” an identifier that ensures the correct sender communicates with the correct receiver.

The phrase is hashed using MD5 – a hashing algorithm compromised for nearly a decade.

The announcement says that “the binding phrase is not for security, it is anti-collision,” and the vulnerability associated with the phrase could allow an attacker to “extract part of the identifier shared between the receiver and transmitter”.

The core of the problem has to do with “sync packets” – data that are periodically exchanged between transmitter and receiver to ensure they are in sync. These packets leak most of the unique identifier (UID) derived from the binding phrase – specifically “75% of the bytes needed to get the connection”.

This leaves only 25% (i.e. only one data byte) undetermined. The report’s author explains that the remaining bits of the UID can either be collected “by observing packets over the air without brute-forcing the sequences, but that this can be more time consuming and error-prone,” or simply be brute-forced.

If the attacker has the UID in hand, he can connect to the receiver – the target aircraft – and take over control of it, at least in part.

The bulletin authors recommend the following actions to patch the vulnerability in ExpressLRS:

  • Do not send UIDs over the control connection.
  • The data used to generate the FHSS sequence should not be sent over the air.
  • Improve the random number generator.

This may involve using more secure algorithms or adapting existing algorithms to work around repeating sequences.
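
The leak described above can be caught with a regression test on the packet builder. The following Python sketch is an added example, not code from ExpressLRS or from the bulletin: it builds sync packets for many constructed binding phrases and reports any packet offset that always copies a UID byte. The 4-byte UID model (so that three bytes are 75%), both packet layouts and all function names are assumptions made for illustration.

```python
import hashlib

UID_LEN = 4  # assumption: UID modelled as 4 bytes, so 3 leaked bytes = 75%

def derive_uid(binding_phrase: str) -> bytes:
    """Toy derivation: leading bytes of MD5(phrase). An identifier, not a secret key."""
    return hashlib.md5(binding_phrase.encode()).digest()[:UID_LEN]

def build_sync_leaky(uid: bytes, counter: int) -> bytes:
    """Hypothetical sync packet layout: type, counter, then UID bytes 1..3."""
    return bytes([0x02, counter & 0xFF, uid[1], uid[2], uid[3]])

def build_sync_fixed(uid: bytes, counter: int) -> bytes:
    """Hypothetical layout following the recommendation: no UID bytes on the air."""
    return bytes([0x02, counter & 0xFF, 0, 0, 0])

def find_uid_leaks(builder, trials: int = 64) -> dict:
    """Return {uid_index: packet_offset} for each UID byte that some packet
    offset reproduces in every trial (a deterministic copy, i.e. a leak)."""
    samples = []
    for i in range(trials):
        uid = derive_uid(f"constructed-phrase-{i}")  # constructed sample input
        samples.append((uid, builder(uid, i)))
    packet_len = len(samples[0][1])
    leaks = {}
    for idx in range(UID_LEN):
        for off in range(packet_len):
            if all(pkt[off] == uid[idx] for uid, pkt in samples):
                leaks[idx] = off
    return leaks

def residual_search_space(leaks: dict) -> int:
    """Number of UID values still consistent with what an observer has seen."""
    return 256 ** (UID_LEN - len(leaks))

if __name__ == "__main__":
    for name, builder in (("leaky", build_sync_leaky), ("fixed", build_sync_fixed)):
        leaks = find_uid_leaks(builder)
        print(f"{name}: {len(leaks)}/{UID_LEN} UID bytes on air, "
              f"{residual_search_space(leaks)} candidates remain")
```

Run against a real packet builder in CI, a non-empty result from `find_uid_leaks` means identifier material is still going out over the air.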