
Evaluation of Drone Neutralization Methods Using Radio Jamming And Spoofing Techniques


Academic year: 2021


DEGREE PROJECT IN INFORMATION AND COMMUNICATION TECHNOLOGY, SECOND CYCLE, 30 CREDITS

STOCKHOLM, SWEDEN 2020


DAVID JAN ROZENBEEK


Master in Electrical Engineering

Date: May 6, 2020

Supervisor: Dr. Peng Wang

Examiner: Assoc. Prof. Marina Petrova

School of Electrical Engineering and Computer Science

Host company: Skysense AB

Abstract

The usage of drones is steadily increasing as drones become more available and useful to the general public, but drone usage also leads to problems; for example, airports have had to shut down due to drone sightings. It has become clear that a counter-drone system must be in place to neutralize intruding drones.

However, neutralizing a drone is not an easy task: the risk of causing collateral damage and interfering with other radio systems must be carefully considered when designing a counter-drone system.

In this thesis a set of consumer drones was selected based on market popularity. By studying the wireless communication links of the selected drones, a set of drone neutralization methods was identified.

For each neutralization method a set of jamming and spoofing techniques was selected from current research. The techniques were used in practice by subjecting the drones to them in a series of drone behaviour experiments. The results were used to evaluate the techniques against four criteria based on avoiding collateral damage, mitigating radio interference, identification requirement and handling multiple intruding drones. The evaluation was then summarized to discuss suitable drone neutralization methods and jamming & spoofing techniques.

The results showed that there are neutralization methods that could potentially avoid causing collateral damage for certain drones. A full-band barrage jamming technique was shown to be the best performing based on the evaluation criteria, but was also the technique that theoretically induced the most radio interference. Furthermore, drones operating in way-point mode can only be neutralized using a GNSS jamming or spoofing neutralization method. Using a GPS spoofing neutralization method was also shown to be difficult to implement in practice.

Keywords: C-UAS, Drone, UAV, Counter-drone, Jamming, GPS Spoofing


Summary

The popularity of flying drones is steadily increasing as drone technology becomes more available and useful to the general public. But the use of drones also leads to problems, as for example airports have had to shut down due to drone sightings. It has become clear that a counter-drone system must be in place to neutralize intruding drones. But neutralizing a drone is not a simple task; the risk of causing collateral damage to people, buildings or objects, or of interfering with other radio systems, must be strongly considered when designing a counter-drone system.

In this thesis a set of consumer drones was selected based on market popularity. By studying the wireless communication links of the selected drones, a set of drone neutralization methods was identified. For each neutralization method a set of jamming and spoofing techniques was selected from current research. The techniques were used in practice by subjecting the drones to the techniques in a series of drone behaviour experiments. The results were then used to evaluate the techniques on four evaluation criteria based on avoiding collateral damage, mitigating radio interference, identification requirement and handling of multiple intruding drones. The evaluation was then summarized to discuss suitable drone neutralization methods and jamming and spoofing techniques.

The results showed that there are neutralization methods that can potentially avoid causing collateral damage or radio interference for certain types of drones. A full-band jamming technique proved to be the best performing based on the evaluation criteria, but was also the technique that theoretically induced the most radio interference. In addition, it was shown that drones flying in navigation mode can only be neutralized using a GNSS jamming or spoofing method. Using a GPS spoofing method also proved difficult to implement in practice.


Acknowledgements

I would first like to thank Robby de Candido at Skysense AB for giving me the opportunity to pursue this thesis. A special thanks to Peng Wang for being my supervisor and being a great support throughout the thesis. Thank you Marina Petrova for being my examiner and making sure all bureaucratic work has been going smoothly. Also, thank you Magnus Lundmark, Victor Ortman, and the rest of Skysense for being great co-workers and helping me with my thesis. Special thanks to Johanna Kilegran for proofreading the thesis.

Contents

1 Introduction
1.1 Disadvantages of Drone Usage
1.2 Why is a Counter-Drone System Needed?
1.3 Counter-Drone Systems
1.3.1 Hard-Kill vs. Soft-Kill
1.3.2 Collateral Damage & Radio Interference
1.3.3 Other Considerations
1.4 Problem Statement
1.5 Limitations
1.6 Ethics and Sustainability
1.7 Thesis Outline

2 Background
2.1 Consumer Drone Wireless Communication Links
2.2 Drone Consumer Market Analysis
2.3 Wireless Communication Links Used by Selected Drones
2.3.1 Remote Control (RC) - Link
2.3.2 Video - Link
2.3.3 WiFi versus FHSS drones
2.3.4 Navigation - Link
2.4 Radio Jamming
2.4.1 Physical Layer
2.4.2 Data - Link Layer
2.4.3 Network Layer
2.5 Spoofing
2.5.1 RC Spoofing
2.5.2 GNSS Spoofing

3 Related Works
3.1 Related Works in Jamming Techniques
3.2 Related Works in Spoofing Techniques

4 Method of The Thesis
4.1 Introduction to The Method of The Thesis
4.2 Identified Drone Neutralization Methods
4.3 Selected Jamming Techniques
4.4 Selected Spoofing techniques
4.5 Summary of Neutralization Methods and Jamming & Spoofing Techniques
4.6 Criteria for Evaluation of Jamming and Spoofing Techniques

5 Drone Behaviour Experiments Method
5.1 Experiment Platform
5.2 Experiment Setup
5.3 Method of The Experiments
5.3.1 Remote Control (RC)/video-link jamming of WiFi Drones
5.3.2 RC-link jamming of FHSS Drones
5.3.3 Video-link jamming of FHSS Drones
5.3.4 Global Positioning System (GPS) and GLONASS jamming
5.3.5 GPS spoofing
5.3.6 Combination of GPS/GLONASS and (Simulated) RC/video-link jamming of all drones

6 Drone Behaviour Experiments Results
6.1 RC/Video-Link Jamming of WiFi Drones
6.1.1 Single Channel Barrage Jamming
6.1.2 De-Authentication Attack
6.2 RC-link Jamming of FHSS Drones
6.2.1 Sweep Jamming
6.2.2 FHSS Protocol-Aware Jamming
6.3 Video-link Jamming of FHSS Drones
6.4 GPS and GLONASS jamming
6.5 GPS Spoofing
6.5.1 Static Spoofing (No-fly zone)
6.5.2 Dynamic Spoofing (Hovering)
6.6 Combination of GPS/GLONASS and (Simulated) RC/Video-Link Jamming of all drones

7 Evaluation of Jamming and Spoofing Techniques Results
7.1 RC/video-link jamming of WiFi drones
7.2 RC-link jamming of FHSS drones
7.3 Video-link jamming of FHSS drones
7.4 GPS and GLONASS jamming
7.5 GPS Spoofing
7.6 Combination of GPS/GLONASS and (Simulated) RC/video-link Jamming

8 Discussion

9 Conclusions
9.1 Future Work

Bibliography

A Gnu-radio Block Diagrams of Jammers
A.1 RC/Video Barrage Jammer
A.2 Sweep Jammer
A.3 FHSS Protocol-Aware Jammer
A.4 GPS and GLONASS Barrage Jammer

B Scripts for the FHSS Visualizer Application
B.1 Bash Script "run.sh" to Start Sampling
B.2 BladeRF Script "fhss_low.script" to Sample Low Part of The 2.4 GHz band
B.3 BladeRF Script "fhss_high.script" to Sample High Part of The 2.4 GHz band

C MATLAB scripts for FHSS Visualizer Application

List of Figures

1.1 Photographs showing a consumer drone performing aerial photography, and an industry drone performing inspection of crops.

1.2 Image showing a no-fly zone map by DJI of the central Stockholm area. Highlighted areas show where flight restrictions apply.

1.3 Illustration showing the essential components of a counter-drone system. This thesis focuses on the neutralization component, therefore it is marked with a bold line in the illustration.

2.1 Illustration showing the wireless communication links for a consumer market drone.

2.2 Pie-chart plot showing the market share of top drone brands as of 2018 in USA. Source: [6].

2.3 Bar-graph plot showing the most popular DJI models as of 2018 in USA. Source: [6].

2.4 Pictures showing the selected drones for the thesis.

2.5 Illustrations showing examples of an OFDM and a FHSS type of signal in the frequency-domain. Note that frequency and time axis do not scale between the plots. The OFDM signal spans over 10 MHz and the FHSS signal spans over 80 MHz with 2 MHz wide channels, also note that the Z-axis represents relative signal strength.

2.6 Illustrations showing the difference between signal shapes in the frequency domain of the barrage, sweep, tone and protocol-aware type of jammers. The protocol-aware shows the envelope of a GPS signal for example purposes.

2.7 Illustrations showing the difference between overt and covert GPS spoofing.

5.1 Figure showing the architecture of the experiment platform used for the behaviour experiment.

5.2 Picture showing the interior of the experiment platform.

5.3 Picture showing the setup of the platform and external PC.

5.4 Illustration showing the method when testing the drone stationary.

5.5 Illustration showing the method when testing the drone while it moves.

6.1 Visualization plot of the DJI Mavic Pro 1 & 2's FHSS sequence.

6.2 Visualization plot of the DJI Phantom 4's FHSS sequence.

6.3 Visualization plot of the DIY-drone's FHSS sequence.

A.1 Gnu-radio block diagram of the RC/Video barrage jammer.

A.2 Gnu-radio block diagram of the FHSS sweep-jammer.

A.3 Gnu-radio block diagram of the Frequency-Hopping Spread Spectrum (FHSS) protocol-aware jammer.

A.4 Gnu-radio block diagram of the GPS and GLONASS jammer.

List of Tables

2.1 Comparison of the communication-links the selected drones use. Sources: [7] [8] [9].

2.2 The WiFi protocol, frequencies & channels in the 2.4 GHz and 5 GHz-band used by the DJI Mavic Air, Yuneec Mantis Q and Parrot ANAFI. Sources: DJI Mavic Air: [10] [11], Yuneec Mantis Q: [12] [13], Parrot ANAFI: [14] [15].

2.3 The FHSS protocol, frequencies & channels in the 2.4 GHz and 5 GHz-band used by the DJI Mavic Pro (1 & 2), DJI Phantom 4 and the DIY-drone. BW = Bandwidth, no.ch = Number of Channels, ch. sep = Channel Separation. Sources: DJI Mavic Pro 2: [16] [17], DJI Mavic Pro: [18] [19], DJI Phantom 4: [20] [21], DIY-Drone: [22].

2.4 Comparison of Global Navigation Satellite System (GNSS) with global coverage. The systems and bands considered in this thesis are marked in bold text. Source: [23] [24].

4.1 Summary of the identified neutralization methods.

4.2 The identified neutralization methods and considered jamming & spoofing techniques. The over-lined techniques were not tested in the behavior experiment, since they were not feasible to implement within the scope of this thesis.

6.1 The results of jamming the RC- and video-link of the WiFi drones.

6.2 The results of simulating the disruption of the RC- and video-link of the FHSS drones.

6.3 The results of jamming the video-link of the FHSS drones.

6.4 The results of jamming the GPS and GLONASS-links when flying the drones manually. A Yes means that the RTH function was still functioning and a No that it was not functioning during the experiment.

6.5 The results of jamming the GPS and GLONASS navigation-links when flying in way-point mode. Note that the DJI Mavic Air and Yuneec Mantis Q do not have a way-point mode installed.

6.6 The results of the GPS spoofing experiment. Note that the DJI Mavic Air and Yuneec Mantis Q are not able to operate in way-point mode.

6.7 The result of simultaneously jamming GPS & GLONASS and simulating RC-disruption.

7.1 The evaluation results of the jamming techniques for the RC-/video-link jamming of WiFi drones. *Based on the results from the single band barrage jammer.

7.2 The evaluation results of the jamming techniques for the RC-link jamming of FHSS drones. (A higher score is considered better) *Note that the full-band and tone jammer's score is based on the results from the sweep and protocol-aware jammers. **The results are based on simulating the disruption, since the actual techniques did not successfully disrupt the RC-link in practice.

7.3 The evaluation results of the jamming techniques for the Video-link jamming of FHSS drones. (A higher score is considered better) *Note that the full-band and tone jammer's score is based on the results from the single channel jamming technique.

7.4 The evaluation results of the jamming techniques for the GPS/GLONASS jamming. (A higher score is considered better). Since using this method standalone was deemed not feasible, no total score was given. *Technique did not succeed in neutralizing the drone.

7.5 The evaluation results of the jamming techniques for the GPS/GLONASS jamming. (A higher score is considered better). *Potential behaviour. **Based on related works.

7.6 The evaluation results of the jamming techniques for the GPS/GLONASS jamming. (A higher score is considered better) *Results based on the single channel barrage jammer.

8.1 Summary of the total score for the identified neutralization techniques and selected jamming/spoofing techniques. The score in parenthesis shows the score when the technique is used on a DIY-drone. *Technique did not succeed in neutralizing the drones. **Score based on theoretical results.

Acronyms

3GPP 3rd Generation Partnership Program
ACCST Advanced Continuous Channel Shifting Technology
AP Access Point
BW BandWidth
CDMA Code Division Multiple Access
CF Correction Factor
COTS Commercial-Off-The-Shelf
CSMA/CD Carrier Sense Multiple Access / Collision Detection
DESST DJI Enhanced Spread Spectrum Technology
DIY Do It Yourself
EMC Electro-Magnetic Compatibility
FASST Futaba Advanced Spread Spectrum Technology
FCC Federal Communications Commission
FDM Frequency-Division Multiplexing
FHSS Frequency-Hopping Spread Spectrum
GNSS Global Navigation Satellite System
GPS Global Positioning System
IMU Inertial Measurement Unit
JSR Jam-to-Signal-Ratio
LOS Line-Of-Sight
MAC Media Access Control
NLOS No-Line-Of-Sight
OFDM Orthogonal Frequency Division Multiplexing
OSI Open System Interconnection
PA Power Amplifier
PC Personal Computer
PVT Position Velocity Time
PLE Path Loss Exponent
PoE Power over Ethernet
RF Radio Frequency
RTH Return To Home
RMa Rural Macro-cell
RC Remote Control
SDR Software Defined Radio
SNR Signal to Noise Ratio
UAV Unmanned Aerial Vehicles
UMa Urban Macro-cell

Chapter 1

Introduction

Unmanned Aerial Vehicles (UAVs), commonly known as drones, have been prevalent in the military for decades. The decreasing cost and increased availability of drones have also made them widespread in the consumer and industrial markets. Drones are used by consumers to take breathtaking photos and videos of natural landscapes, cities, events and other sights. Figure 1.1a shows a drone performing aerial photography. Drone racing is also an increasingly popular hobby in which pilots compete around a track for the fastest time. In industry, drones are dominant in the construction, agricultural and transport market segments. For example, drones are used for precision measurements of construction sites or airborne inspection of crops in the agricultural industry. Figure 1.1b shows a drone in the agricultural industry.

(a) Consumer drone (b) Industrial drone

Figure 1.1: Photographs showing a consumer drone performing aerial photography, and an industry drone performing inspection of crops.

1.1 Disadvantages of Drone Usage

Although drones can be useful in many ways, they pose a great risk of danger when used improperly. On the 19th of December, 2018, two drones were spotted flying over the runway at Gatwick Airport, London. The airport was immediately shut down and all flights were halted. The incident would continue for several days, until two drone enthusiasts were arrested on the 21st of December. It was later established that around 1000 flights and 140,000 passengers were affected by the events, leading to a huge amount of compensation claims for the airlines [1]. On March 29, 2018, a drone was used to drop a large bag of drugs into the Autry State Prison in Pelham, USA [2]. On September 10, 2018, a man was arrested in central London for flying a drone close to a government official [3]. These events show that the potential risk of drones physically injuring persons or damaging property is considerable.

Personal and corporate privacy are other reasons why drone operations should be mitigated. There have been numerous occurrences where drones have spied on people for various reasons [4]. Companies have been subject to drones spying outside conference room windows, or even drones conducting illegal signal intelligence with a WiFi Pineapple [5]. The privacy concern makes the issue of drone use even clearer. Regardless of whether drones are flown for mischievous reasons or not, it is evident that malicious drones have to be prevented from operating in certain areas.

1.2 Why is a Counter-Drone System Needed?

Many countries have laws prohibiting pilots from flying in restricted areas, so-called no-fly zones, and also laws limiting the allowed altitude and weight of the drone. Some countries also require a certificate for the pilot to be allowed to operate a drone. However, these laws are difficult to enforce when pilots operate from a long distance and cannot be seen, and are thus difficult for law enforcement to catch. Drones can also be flown in the dark or at far distances, making it even more challenging to detect the drone and the pilot.

Drone manufacturers, such as DJI, Parrot and Yuneec, have been implored to address the issue by preventing drones from flying in so-called no-fly zones. The position of the drone is compared with a no-fly zone map, such as the one that can be seen in figure 1.2¹. However, restrictions in the drone software could potentially be circumvented by exploiting hardware or software flaws. Also, drones not equipped with a GNSS receiver, or drones that use software that does not enforce no-fly zones, could be flown without restrictions. This highlights that sites in need of protection from drones cannot rely on lawmakers or drone manufacturers to prevent malicious drones from flying into restricted areas, and thus require a counter-drone system for safeguarding.


Figure 1.2: Image showing a no-fly zone map by DJI of the central Stockholm area. Highlighted areas show where flight restrictions apply.

1.3 Counter-Drone Systems

Figure 1.3 shows the fundamental components of a counter-drone system. The first three components of the system detect, identify and locate the drone. This is important to make counter-drone operators aware of a threat and able to pinpoint the drone. Identifying the drone is also important in order to select the most suitable method of neutralization. The detection and localization components of the system commonly use Radio Frequency (RF) surveillance, radars, optical cameras, sound processing or a combination of techniques. When a drone has been detected and located, a neutralization component of the counter-drone system could be used to prevent the drone from entering or flying further in a restricted area. Neutralizing a drone is not a simple task. There are numerous problems to take into account when designing the system. The topmost concern will always be to avoid unwanted collateral damage. The important question is how the counter-drone system can neutralize a drone in the safest way possible.

The rest of this section explains the difference between hard- and soft-kill type counter-drone systems, the importance of avoiding collateral damage and radio interference, and other considerations a counter-drone system must account for.


Figure 1.3: Illustration showing the essential components of a counter-drone system. This thesis focuses on the neutralization component, therefore it is marked with a bold line in the illustration.

1.3.1 Hard-Kill vs. Soft-Kill

Counter-drone systems can be divided into hard- and soft-kill types of systems depending on the nature of the method used. A brief definition follows below.

Hard-kill systems have a destructive approach to neutralizing the drone. These systems involve targeting the drone with kinetic projectiles, a net, a laser beam, birds or a collision-drone to destroy the drone in mid-air. These types of systems have the advantage of being effective in neutralizing a drone, but could potentially induce unwanted collateral damage.

Soft-kill systems utilize electronic countermeasures to interfere with drone communication (jamming) or imitate the drone communication signals to gain control of the drone (spoofing). These systems could potentially be used to command the drone into a controlled landing or deter the drone from the area. Soft-kill systems have a fast response time and are less destructive than hard-kill systems, but soft-kill systems are inherently complex as the countermeasures have to be adapted to the targeted drone.

1.3.2 Collateral Damage & Radio Interference

Counter-drone systems need to account for the potential collateral damage and radio interference that the system might inflict. A definition of each follows below.

Collateral damage refers to any death, injury or other damage inflicted that is an unintended result of the system operation. A counter-drone system could potentially risk collateral damage by crashing the drone in an unexpected way or by the counter-drone system itself inflicting damage; this is especially troublesome for hard-kill systems. The importance of avoiding collateral damage is tied to the site being protected. An airport with wide open fields could possibly care less about collateral damage, since the drone would operate far from people or other objects. A counter-drone system operating in an urban environment, with lots of people roaming around, would need to be very accurate to not inflict damage.

Radio interference refers to the unwanted disturbance or blockage of other radio systems in the vicinity that could be affected by a soft-kill system. Even though radio interference might not be as serious as collateral damage, it is still important to consider. For example, many critical systems use GNSS for positioning and time-synchronization. Any unwanted interference with GNSS signals for a period of time might lead to severe consequences.


1.3.3 Other Considerations

There are other considerations a counter-drone system must take into account. The following list covers challenges that should be investigated when designing a counter-drone system.

Hand-held, Stationary or UAV-platform - The system could be hand-held in the form of a rifle, stationary on a building or mounted on a counter-Unmanned Aerial Vehicle (UAV). Depending on the site that needs protection from drones, each platform offers different pros and cons. A hand-held platform would always need an operator to use the equipment, but would be very agile and could cover a large protected area. A stationary platform would be able to work autonomously, respond to threats immediately and work in the dark, but would on the other hand not be easy to move and would only cover a certain area. A UAV-platform could be flown to the intruding drone to deploy countermeasures, but this would require an operator or an advanced control system.

Response Time - The system needs to be able to deal with intruding drones quickly. Each second the drone is intruding in the protected area means more risk of harm and loss of operation for the site. The response time of the system will depend on how fast an operator can arm and use the system, or on whether the system is able to respond to threats autonomously.

Multi-drone scenario - In certain scenarios multiple drones might be intruding in the protected area at the same time. The counter-drone system will potentially need to handle this type of scenario.

Legal Issues - A counter-drone system must conform to laws regulating its operation. For example, a hard-kill system could potentially harm an innocent bystander. Will the pilot operating the drone be responsible or the counter-drone system itself? Drones are also protected by civil aviation laws in certain countries and are thus protected from sabotage by law, meaning that a counter-drone system cannot just blindly neutralize a drone without making sure it is flying for a malicious reason.

There are also laws regulating how much emission a radio system is permitted to have. Jammers are inherently constructed to interfere with radio communication, and may disable critical infrastructure such as cell-phone networks or GNSS-systems. This could lead to people not being able to call emergency services or critical computer networks being disabled because the time-reference from a GPS receiver is offline. A counter-drone system using any sort of jammer or spoofer must carefully investigate the impact it can have on surrounding radio systems.

1.4 Problem Statement

The problem statement of this thesis is as follows: Which drone neutralization methods, based on jamming/spoofing techniques, ought to be used to efficiently neutralize intruding drones, while to the greatest extent possible avoid causing collateral damage or interfering with other radio systems? A drone neutralization method is, in this thesis, defined as a procedure to gain control of (spoof) or disrupt (jam) one or more of a drone's communication-links. A jamming or spoofing technique is defined as the way to achieve the disruption or takeover of a single communication link. In summary, a neutralization method is defined as what procedure is used to neutralize the drone, and a jamming or spoofing technique is defined as how the neutralization method is implemented. The topic of this thesis was selected for two main reasons.

Firstly, research in radio jamming for drone neutralization has generally focused on the most efficient method in terms of power and range to disrupt a communication-link of a drone, while not considering how the drone behaves when being subject to neutralization. Safety is the most important concern of a counter-drone system. When neutralizing a drone it must be done in a controlled way to avoid collateral damage. Therefore, studying the behaviour of drones when subjected to radio jamming was the first focus of this thesis.

Secondly, a few papers have discussed the possibility of using GPS spoofing to safely neutralize a drone by steering it towards a safe area to either auto-land or crash. The research has shown promising results, but none of the research has considered a combination of radio jamming and GPS spoofing. Accordingly, the second focus in this thesis was to practically evaluate the feasibility of GPS spoofing in combination with radio jamming.

1.5 Limitations

Since the nature of a hard-kill system is to destroy the intruding drone, and potentially induce a lot of damage, this type of system will not be considered in this thesis. A soft-kill system is the most suitable type to minimize collateral damage, and since these systems use electronic countermeasures, this thesis will use a Software Defined Radio (SDR)-based platform to explore different radio jamming and spoofing techniques. This also means, as mentioned in section 1.3.2, that radio interference would need to be considered when designing these types of systems.

The range of the neutralization system is important to consider. Power and antenna gain/type are fundamental metrics to realize the system. For example, should an omni- or a directional-antenna be used? How much power is needed? Although this is important, this thesis has decided not to focus on these parameters. Instead, the focus lies on which neutralization method is the most suitable to use. Therefore, when evaluating the methods, it is assumed that an omni-directional antenna is used that can affect all radio systems in the vicinity.

The focus in this thesis was to evaluate methods to neutralize drones, therefore a detection- and localization-system will be assumed to already be in place. Also, only consumer drones were covered, since this segment of drones is the most available to people and thus more likely to cause problems. Furthermore, a stationary ground-based system will be in mind when designing the system, as this kind of system has fewer limitations and less complexity than hand-held or UAV-based systems.

1.6 Ethics and Sustainability

From an ethics perspective, all research concerning hacking, disruption or similar activities on drones or other equipment was approved in advance by the owner of the equipment. When conducting radio jamming or spoofing techniques in this thesis, special care was taken to assess the potential effect on other radio systems in proximity.

From a sustainability perspective, this research contributes to safer drone neutralization methods, which potentially avoid collateral damage in the form of injuring people or damaging objects. This could reduce the potential cost for healthcare or repairs that could be the result of unsafe drone neutralization methods. Moreover, finding methods that potentially avoid interfering with radio systems, such as cell-phone networks, flight navigation systems or other critical radio systems, contributes to a more reliable infrastructure in society. Furthermore, this research contributes to counter-drone systems that mitigate the risk of crime, for example flight sabotage, burglary, intrusion of intellectual privacy, or industrial, military or governmental espionage.


1.7 Thesis Outline

The paper is organized as follows. Chapter 2 gives an introduction to consumer drone wireless communication systems, followed by an analysis of the current consumer drone market to make a selection of drones to be used in the thesis. Then a background in radio jamming and spoofing techniques is given. Chapter 3 discusses the related work to this thesis and the identification of neutralization methods and selection of jamming and spoofing techniques. Chapter 5 presents the method, platform, setup and results of the drone behavioural experiments that were conducted on the selected drones. Chapter 7 discloses the evaluation of the neutralization methods. Finally, chapter 9 concludes the thesis.

1 Map published under Open Database License. Cartography available by CC BY-SA license. More info on "www.openstreetmap.org/copyright".


Chapter 2

Background

This chapter is intended to familiarize the reader with the theory and concepts used in the rest of this thesis. The chapter begins with a fundamental description of consumer drones’ communication links. It is followed by an analysis of the consumer drone market, to select a set of drones that was used as subjects in this thesis. The next section gives a description of the wireless protocols and frequency bands/channels the selected drones use. The last section gives a definition of different types of jamming and spoofing techniques that were used on the selected drone’s communication-links.

2.1 Consumer Drone Wireless Communication Links

Figure 2.1: Illustration showing the wireless communication links for a consumer market drone.


Figure 2.1 shows a typical wireless communication system for a consumer drone. The rest of the section gives a brief description of the purpose of the communication-links. To not confuse the reader the following nomenclature is used. A communication-link refers to the general wireless connection between a transmitter and receiver. A channel refers to a specific frequency in a band. Protocol refers to the wireless communication protocol, such as 802.11x WiFi or other protocols.

A pilot on the ground is operating the drone with a controller. A smartphone is connected to the controller to primarily display the video down-link from the on-board drone camera, and also display telemetry information such as battery levels, position, altitude, etc. Moreover, the smartphone is used to change settings, like radio channels, flight limitations, pre-program a route for the drone to follow, among other things. It should be noted that the drone could also be operated directly with the smartphone, utilizing the built-in WiFi chipset in the phone, but with less range and capabilities than with the controller.

The RC-link gives the drone information about the pilot’s intentions to maneuver or configure the drone. The information is usually sent in small data packages at a high rate, often in a redundant way, to achieve a stable and low latency link. The telemetry-link provides status data of the drone, such as battery levels, speed, position, etc, back to the controller. The video-link is used to stream the video feed from the drone’s on-board camera back to the pilot’s controller and smartphone. The RC, telemetry and video-links could be separated on different protocols and channels, as shown in figure 2.1, but they could also be combined into a single protocol and channel, which is common in drones using WiFi. In this thesis the video and telemetry-link will be considered as the same link for all drones, and will be referred to only as the video-link.

The navigation-link is used by a GNSS receiver on-board, providing the drone with Position Velocity Time (PVT)-data. The PVT of the drone is streamed back to the pilot through the telemetry link, so the pilot can locate the drone on a map and know its whereabouts. The PVT-data is also used on-board the drone to enable the drone to fly back to a home position. This is called the Return To Home (RTH) function. The home position is usually where the drone first took flight, but can also change dynamically with the position of the pilot. The drone could also be programmed in advance to follow a route, which it then follows using the PVT-data without the pilot needing to maneuver the drone. Moreover, the on-board GNSS receiver is used to make the drone hover more stably in the air, meaning the PVT is processed to compensate for the drone drifting due to wind. Note that not all drones are equipped with a GNSS receiver; for example, toy or racing drones are usually not in need of a GNSS receiver and thus may not be equipped with one.

2.2 Drone Consumer Market Analysis

There is a vast variety of drone brands and models on the consumer market. The ambition of a counter-drone system should be to neutralize all drone brands and models, but attempting at first to mitigate all drones is not feasible since there would be an abundance of drones to cover. In order to take the first step in choosing neutralization techniques, a set of drones was selected based on popularity on the consumer drone market.


Figure 2.2: Pie-chart plot showing the market share of top drone brands as of 2018 in USA. Source: [6].

Figure 2.3: Bar-graph plot showing the most popular DJI models as of 2018 in USA. Source: [6].

Figure 2.2 shows the dominating drone brands that consumers obtained in the USA as of 2018. The data was collected from the "2018 Drone Market Sector Report" by Skylogic Research [6]. As can be seen, DJI has around 74% of the market, followed by Yuneec, custom built drones (referred to as Do It Yourself (DIY)-drones), Parrot, 3D-robotics, Syma and others. As DJI is the market leader, a considerable slice of drones was selected from them. Figure 2.3 shows the most popular DJI models; the data is collected from the same report as in figure 2.2 [6]. The Phantom 4 series is the most popular, followed by the Mavic Pro, Inspire Series, Mavic Air, Matrice series, Phantom 3 series, Spark and other models.

Based on the market share data, and the availability of drones at the time of conducting the thesis, the drones selected for the thesis were the DJI Mavic Pro 2, DJI Mavic Pro (1), DJI Mavic Air, DJI Phantom 4, Yuneec Mantis Q, Parrot ANAFI and a custom built drone (referred to as the DIY-drone). The DIY-drone uses an FrSky RC system and an analog video transmitter, and was not equipped with a GNSS receiver.

The selected drones can be seen in figure 2.4.

Figure 2.4: Pictures showing the selected drones for the thesis: (a) DJI Mavic Pro 2, (b) DJI Mavic Pro (1), (c) DJI Mavic Air, (d) DJI Phantom 4SE, (e) Yuneec Mantis Q, (f) Parrot ANAFI, (g) DIY-drone.

2.3 Wireless Communication Links Used by Selected Drones

Table 2.1 shows a comparison of the wireless communication used by the selected drones. The table lists the wireless protocol that the drone uses for the RC, video & navigation-link, which type of signal transmission method the protocol uses and which frequency band the link can operate in. Further examination of the table shows that for the RC-link, either a FHSS or WiFi (Orthogonal Frequency Division Multiplexing (OFDM)) type of signal transmission is used. For the video-link OFDM is the dominating type of wireless link, with the exception of the DIY drone that uses an analog video-link. What should be noted is that some drones can operate in both the 2.4 GHz and 5 GHz band, while other drones only operate in one of the bands. GPS and GLONASS are primarily used for the GNSS navigation, with the exception of the Parrot ANAFI that only uses GPS and the DIY drone that is not equipped with a GNSS receiver. Note that all GNSS receivers of the selected drones are only capable of receiving the L1 band. Further description of each communication-link is presented next.


Table 2.1: Comparison of the communication-links the selected drones use. Sources: [7] [8] [9].

| Brand & Model | RC: Protocol (Type) | RC: 2.4 GHz | RC: 5 GHz | Video: Protocol (Type) | Video: 2.4 GHz | Video: 5 GHz | GNSS: System | GNSS: Band |
|---|---|---|---|---|---|---|---|---|
| DJI - Mavic Pro 2 | OcuSync 2.0 (FHSS) | X | X | OcuSync 2.0 (OFDM) | X | X | GPS + GLONASS | L1 |
| DJI - Mavic Pro 1 | OcuSync (FHSS) | X | - | OcuSync (OFDM) | X | - | GPS + GLONASS | L1 |
| DJI - Phantom 4 | Lightbridge (FHSS) | X | - | Lightbridge (OFDM) | X | - | GPS + GLONASS | L1 |
| DJI - Mavic Air | DJI Enhanced WiFi (OFDM) | X | X | DJI Enhanced WiFi (OFDM) | X | X | GPS + GLONASS | L1 |
| Yuneec - Mantis Q | WiFi 802.11a/n (OFDM) | - | X | WiFi 802.11a/n (OFDM) | - | X | GPS + GLONASS | L1 |
| Parrot - ANAFI | WiFi 802.11b/g/n (OFDM) | X | X | 802.11a/an (OFDM) | X | X | GPS | L1 |
| DIY | FrSky (FHSS) | X | - | Analog | - | X | No GNSS | - |

2.3.1 Remote Control (RC) - Link

The dominant type of signal transmission methods used for the RC-link is either based on OFDM or FHSS, an illustration of the difference between the types can be seen in figure 2.5.

OFDM is a type of Frequency-Division Multiplexing (FDM) scheme that encodes digital data onto closely spaced carrier frequencies. The signal bandwidth can range from 5 MHz to 40 MHz. The overlaying protocol is typically WiFi 802.11n or 802.11ac. These protocols are used by the Yuneec Mantis Q and Parrot ANAFI. DJI Mavic Air uses a special protocol called Enhanced WiFi which is a proprietary protocol developed by DJI.

FHSS is a method of transmitting radio signals by rapidly changing the carrier frequency of the signal. The signal is said to "hop" between channels based on a pseudo-random sequence known by both the transmitter (controller) and receiver (drone). At initialization of the communication-link the transmitter and receiver synchronize the hopping sequence with each other. The carrier frequencies are divided into channels uniformly spread over a full frequency-band, which in this context means the whole 2.4 GHz-band (2.4 GHz to 2.5 GHz) or the 5.8G-band (5.725 GHz - 5.875 GHz). A usual number of channels can range from 30 to 60 with 2 MHz spacing between them. The signal bandwidth for one channel is typically around 1.5 to 2 MHz. DJI has developed their own protocols based on FHSS for the RC-link: Lightbridge (used by the Phantom 4), Ocusync 1.0 (used by the Mavic Pro) and Ocusync 2.0 (used by the Mavic Pro 2). The DIY-drone is also equipped with a receiver from FrSky which uses FHSS.


Figure 2.5: Illustrations showing examples of (a) an OFDM and (b) a FHSS type of signal in the frequency-domain. Note that frequency and time axis do not scale between the plots. The OFDM signal spans over 10 MHz and the FHSS signal spans over 80 MHz with 2 MHz wide channels, also note that the Z-axis represents relative signal strength.

2.3.2 Video - Link

The drone’s on-board camera feed is streamed down to the pilot via the video-link. Drones used primarily for photography/video purposes normally use an OFDM type of signal for the video-link, as OFDM offers high throughput and stability which is necessary to stream high quality video. A drone used for racing requires a low latency video-link, and usually uses an analog video-link.

2.3.3 WiFi versus FHSS drones.

The DJI Mavic Air, Yuneec Mantis Q and Parrot ANAFI drones use WiFi (OFDM) for the RC and video-link. Table 2.2 shows the WiFi protocol, frequencies and channels the drones use. Note that only the DJI Mavic Air uses a different protocol depending on whether it is controlled with the controller or the smart-phone. Also note that the Yuneec Mantis Q is only able to operate in the 5 GHz-band.


The DJI Mavic Pro (1 & 2), DJI Phantom 4 and the DIY-drone use FHSS for the RC-link and OFDM for the video-link on a separate channel. Table 2.3 shows information about the FHSS signals used by the drones. All the drones use the 2.4 GHz-band with the number of channels ranging from 30 to 47 channels. Note that the DJI Mavic Pro 2 is the only drone that can use the 5 GHz-band for the FHSS signal.

Table 2.2: The WiFi protocol, frequencies & channels in the 2.4 GHz and 5 GHz-band used by the DJI Mavic Air, Yuneec Mantis Q and Parrot ANAFI. Sources: DJI Mavic Air: [10] [11] Yuneec Mantis Q: [12] [13] Parrot ANAFI: [14] [15]

| | DJI Mavic Air (Controller) | DJI Mavic Air (Smart-phone) | Yuneec Mantis Q (Controller & Smart-phone) | Parrot ANAFI (Controller & Smart-phone) |
|---|---|---|---|---|
| Protocol | DJI Enhanced WiFi | 802.11 b/g/n | 802.11 a/n | 802.11 b/g/n (2.4 GHz), a/n (5 GHz) |
| Bandwidth | 10 MHz | 20 MHz | 20 MHz | 10 MHz / 20 MHz |
| 2.4 GHz - Frequency | 2.412-2.462 GHz | 2.412-2.462 GHz | - | 2.412-2.462 GHz |
| 2.4 GHz - channels | 1 - 13 | 1 - 13 | - | 1 - 13 |
| 5 GHz - Frequency | 5.745-5.825 GHz | 5.745-5.825 GHz | 5.18-5.24 GHz & 5.745-5.825 GHz | 5.18-5.24 GHz & 5.745-5.825 GHz |
| 5 GHz - channels | 149, 153, 157, 161, 165 | 149, 153, 157, 161, 165 | 36, 44, 48, 149, 157, 165 | 36, 44, 48, 149, 157, 165 |

Table 2.3: The FHSS protocol, frequencies & channels in the 2.4 GHz and 5 GHz-band used by the DJI Mavic Pro (1 & 2), DJI Phantom 4 and the DIY-drone. BW = Bandwidth, no. ch = Number of Channels, ch. sep = Channel Separation. Sources: DJI Mavic Pro 2: [16] [17] DJI Mavic Pro: [18] [19] DJI Phantom 4: [20] [21] DIY-Drone: [22]

| | DJI Mavic Pro 2 | DJI Mavic Pro | DJI Phantom 4 | DIY - drone |
|---|---|---|---|---|
| Protocol | Ocusync 2.0 | Ocusync (1) | Lightbridge | FrSky ACCST |
| BW | 1.4 MHz | 1.4 MHz | 1.4 MHz | 30 KHz |
| T_on | 1.1 ms | 1.1 ms | 2.17 ms | 4.89 ms |
| T_on+off | 10.0 ms | 10.0 ms | 14 ms | 9.46 ms |
| 2.4 GHz - Freq | 2407.5-2465.5 MHz | 2403.5-2477.5 MHz | 2404-2470 MHz | 2408-2477.5 MHz |
| 2.4 GHz - no. ch | 30 | 38 | 34 | 47 |
| 2.4 GHz - ch. sep | 2 MHz | 2 MHz | 2 MHz | 1.5 MHz |
| 5 GHz - Freq | 5728.5-5846.5 MHz | - | - | - |
| 5 GHz - no. ch | 60 | - | - | - |
| 5 GHz - ch. sep | 2 MHz | - | - | - |
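The 2.4 GHz parameters in Table 2.3 are the kind of fingerprint the detection side of a counter-drone system can use to narrow down which FHSS RC protocol it is observing. The sketch below is an added example, not code from the thesis: the `Burst` record, the tolerances and the sample observations are constructed assumptions, and the listed frequency range is treated as the span of hop centre frequencies. It also shows that Ocusync and Ocusync 2.0 stay indistinguishable until a hop is seen outside the narrower range.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class FhssProfile:
    name: str
    bw_mhz: float      # bandwidth of one hop (BW)
    t_on_ms: float     # burst duration (T_on)
    period_ms: float   # burst repetition period (T_on+off)
    f_lo_mhz: float    # lowest listed 2.4 GHz frequency
    f_hi_mhz: float    # highest listed 2.4 GHz frequency
    ch_sep_mhz: float  # channel separation


# 2.4 GHz rows of Table 2.3.
PROFILES = [
    FhssProfile("DJI Mavic Pro 2 (Ocusync 2.0)", 1.4, 1.1, 10.0, 2407.5, 2465.5, 2.0),
    FhssProfile("DJI Mavic Pro (Ocusync)", 1.4, 1.1, 10.0, 2403.5, 2477.5, 2.0),
    FhssProfile("DJI Phantom 4 (Lightbridge)", 1.4, 2.17, 14.0, 2404.0, 2470.0, 2.0),
    FhssProfile("DIY-drone (FrSky ACCST)", 0.03, 4.89, 9.46, 2408.0, 2477.5, 1.5),
]


@dataclass(frozen=True)
class Burst:
    """One observed RF burst (hypothetical output of an RF sensor)."""
    start_ms: float
    duration_ms: float
    center_mhz: float
    bw_mhz: float


def _close(observed, expected, rel_tol):
    return abs(observed - expected) <= rel_tol * expected


def _on_grid(centers, sep_mhz, tol_mhz=0.1):
    """True if every centre-frequency difference is a multiple of sep_mhz."""
    ref = centers[0]
    for c in centers[1:]:
        d = abs(c - ref)
        if abs(d - round(d / sep_mhz) * sep_mhz) > tol_mhz:
            return False
    return True


def classify(bursts, rel_tol=0.15):
    """Return the names of all Table 2.3 profiles consistent with the bursts."""
    if len(bursts) < 2:
        raise ValueError("need at least two bursts to estimate the period")
    bursts = sorted(bursts, key=lambda b: b.start_ms)
    t_on = median(b.duration_ms for b in bursts)
    bw = median(b.bw_mhz for b in bursts)
    period = median(b2.start_ms - b1.start_ms for b1, b2 in zip(bursts, bursts[1:]))
    centers = [b.center_mhz for b in bursts]

    matches = []
    for p in PROFILES:
        timing_ok = _close(t_on, p.t_on_ms, rel_tol) and _close(period, p.period_ms, rel_tol)
        if not (timing_ok and _close(bw, p.bw_mhz, 2 * rel_tol)):
            continue
        margin = p.ch_sep_mhz / 2
        if min(centers) < p.f_lo_mhz - margin or max(centers) > p.f_hi_mhz + margin:
            continue  # a hop was seen outside this protocol's range
        if not _on_grid(centers, p.ch_sep_mhz):
            continue  # hop spacing does not fit the channel separation
        matches.append(p.name)
    return matches


def make_bursts(centers, t_on, period, bw):
    """Build a constructed observation: one burst per period on each centre."""
    return [Burst(i * period, t_on, c, bw) for i, c in enumerate(centers)]


# Constructed sample observations (not measurements from the thesis).
OCUSYNC_AMBIGUOUS = make_bursts([2409.5, 2431.5, 2455.5, 2417.5, 2463.5], 1.1, 10.0, 1.4)
OCUSYNC_1_ONLY = make_bursts([2409.5, 2473.5, 2455.5, 2405.5], 1.1, 10.0, 1.4)
LIGHTBRIDGE = make_bursts([2404.0, 2420.0, 2466.0, 2438.0], 2.2, 14.1, 1.4)
FRSKY = make_bursts([2408.0, 2411.0, 2450.0, 2471.0], 4.9, 9.5, 0.03)
WIFI_LIKE = make_bursts([2437.0, 2437.0, 2437.0], 0.5, 3.0, 20.0)

if __name__ == "__main__":
    for label, obs in [("ambiguous", OCUSYNC_AMBIGUOUS), ("ocusync 1", OCUSYNC_1_ONLY),
                       ("lightbridge", LIGHTBRIDGE), ("frsky", FRSKY), ("wifi", WIFI_LIKE)]:
        print(label, classify(obs))
```
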

2.3.4 Navigation - Link

Table 2.4 shows a comparison of the four GNSS systems with global coverage. Most important are the frequencies and bands that the systems are operating on; note that the table only shows the frequencies available for civilian use. Comparing table 2.4 with table 2.1 shows that the selected drones only use GPS and GLONASS on the L1 band, except the DIY drone that is not equipped with a GNSS receiver. This shows that only GPS and GLONASS on the L1 band needed to be considered in this thesis.


Table 2.4: Comparison of GNSS with global coverage. The systems and bands considered in this thesis are marked in bold text. Source: [23] [24].

| System | **GPS** | **GLONASS** | Galileo | BeiDou |
|---|---|---|---|---|
| Owner | United States | Russia | European Union | China |
| Coding | CDMA | FDMA & CDMA | CDMA | CDMA |
| Frequency (Band) | **1.563–1.587 GHz (L1)**; 1.215–1.2396 GHz (L2); 1.164–1.189 GHz (L5) | **1.593–1.610 GHz (L1)**; 1.237–1.254 GHz (L2); 1.189–1.214 GHz (L3) | 1.559–1.592 GHz (L1); 1.164–1.215 GHz (L5a/b); 1.260–1.300 GHz (E6) | 1.561098 GHz (L1); 1.589742 GHz (L1-2); 1.20714 GHz (L2); 1.26852 GHz (E6) |

2.4 Radio Jamming

The definition of radio jamming is to deliberately interfere, disrupt or block authentic radio communications between a transmitter and a receiver. The different types of jammers used in this thesis are presented in this section, divided into three categories which follow the lower media layers of the Open System Interconnection (OSI) model.

2.4.1 Physical Layer

Jammers in the physical layer attack the "raw" radio signal sent between the transmitter and the receiver. The simplest form of jammer transmits a powerful noise signal, in various shapes and patterns, intended to decrease the Signal to Noise Ratio (SNR) at the receiver. This makes the receiver unable to distinguish the authentic signal from the noise. This thesis has selected to use three kinds of physical layer jammers: the barrage, the sweep and the protocol-aware. The tone jammer is included for reference. A short description of the different types of jammers follows next. Illustrations showing the difference between the signal shapes of the jammers in the frequency domain can be seen in figure 2.6.


Figure 2.6: Illustrations showing the difference between signal shapes in the frequency domain of the (a) barrage, (b) sweep, (c) tone and (d) protocol-aware type of jammers. The protocol-aware shows the envelope of a GPS signal for example purposes.

The barrage jammer amplifies a wide-band noise signal. The bandwidth of the noise signal could be as wide as a single channel or span over a full frequency-band. The barrage jammer’s advantage is its simplicity and ability to jam any type of radio communication, but on the other hand the jammer needs a powerful signal generator to successfully jam another signal. The power level needed is increasing with the bandwidth, making a full-band noise jammer demanding to realize in practice. Also, since the barrage jammer disturbs any type of radio communication it induces the most radio interference of all the physical jammer types.

The sweep jammer transmits a narrow bandwidth signal in a sweeping motion over a full band. The rate of the motion is called the sweeping rate. The advantage of the sweep jammer is that it is easier to realize in practice than the barrage jammer. If the sweeping rate is sufficiently high the sweep jammer would resemble the barrage jammer.

The tone jammer divides the noise signal into discrete tones, either transmitting the tones simultaneously or in a sweeping motion, which is then referred to as a chirp jammer. The advantage of this type of jammer is that it potentially induces less interference with other radio communication, but the tone jammer would only be suitable for specific types of signals (FHSS type of signals).

A protocol-aware jammer mimics the authentic signal as closely as possible, using the same transmitter architecture but transmitting corrupted data. The intention is that the receiver will be more susceptible to pick up the jamming signal, since the receiver would not be able to filter out the noise signal as with the previous jammers. The disadvantage is that the protocol jammer has to be specifically tailored to a specific type of communication (and probably a specific drone brand or model), which puts more strain on the detection part of the counter-drone system to correctly identify the brand, model and communication type of the targeted drone.


2.4.2 Data - Link Layer

The data-link layer controls the flow of data between nodes in the network. A common mechanism in wireless networks is the Carrier Sense Multiple Access / Collision Detection (CSMA/CD). As suggested in paper [25] this mechanism could be attacked by transmitting short pulses of noise when a wireless device is trying to access the network; this way the network could be kept "busy" at all times. This type of jammer could be suitable for networks with multiple devices communicating with a single access point. However, since the drone’s wireless network usually does not involve several drones that are communicating on the same channel, this type of jamming was deemed not suitable.

2.4.3 Network Layer

The network layer of the wireless network of drones using the WiFi protocol implements encryption with security protocols, which could be attacked with different techniques. For example, as suggested in paper [26], drones using the 802.11b/g/n protocol could be disconnected from the controller (access point) by issuing a de-authentication frame. This would make the controller disconnect the drone from the network. By continuously issuing de-authentication frames the drone would be kept from connecting to the network again.
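Seen from the monitoring side, the continuous de-authentication described above shows up as a burst of unprotected de-authentication frames naming the same BSSID. The following detector is an added example, not code from the thesis or from [26]: the capture format (timestamp plus bare 802.11 frame without radiotap header or FCS), the window, the threshold and all MAC addresses are constructed assumptions, and frames with the Protected Frame bit set are assumed to be authenticated and are skipped.

```python
import struct
from collections import defaultdict, deque

MGMT = 0          # 802.11 frame type: management
BEACON = 8        # management subtype: beacon
DEAUTH = 12       # management subtype: de-authentication
PROTECTED = 0x40  # Protected Frame bit in the second Frame Control byte


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame):
    """Parse a bare 802.11 management header; return None for anything else."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    if fc0 & 0x03 != 0 or (fc0 >> 2) & 0x03 != MGMT:
        return None
    info = {
        "subtype": fc0 >> 4,
        "protected": bool(flags & PROTECTED),
        "dst": mac(frame[4:10]),      # address 1
        "src": mac(frame[10:16]),     # address 2
        "bssid": mac(frame[16:22]),   # address 3
        "reason": None,
    }
    # The 2-byte reason code follows the 24-byte header in a deauth frame.
    if info["subtype"] == DEAUTH and not info["protected"] and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_floods(capture, window_s=1.0, threshold=5):
    """Return {bssid: peak count} where at least `threshold` unprotected
    deauth frames for that BSSID fall inside one sliding window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, frame in sorted(capture, key=lambda rec: rec[0]):
        info = parse_mgmt(frame)
        if info is None or info["subtype"] != DEAUTH or info["protected"]:
            continue
        q = recent[info["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        peak[info["bssid"]] = max(peak[info["bssid"]], len(q))
    return {bssid: n for bssid, n in peak.items() if n >= threshold}


def constructed_frame(subtype, dst, src, bssid, body=b"", flags=0):
    """Test fixture: header bytes for a management frame (duration and
    sequence control zeroed)."""
    return bytes([subtype << 4, flags]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


# Constructed, locally administered addresses.
CONTROLLER = bytes.fromhex("020000000001")  # acts as access point
DRONE = bytes.fromhex("020000000002")
OTHER_AP = bytes.fromhex("0200000000aa")
OTHER_STA = bytes.fromhex("0200000000ab")
REASON_3 = struct.pack("<H", 3)


def sample_capture(flags=0):
    """Beacons, one isolated deauth on another network, then a 20-frame burst."""
    cap = [(i * 0.1024, constructed_frame(BEACON, b"\xff" * 6, CONTROLLER, CONTROLLER))
           for i in range(30)]
    cap.append((0.5, constructed_frame(DEAUTH, OTHER_AP, OTHER_STA, OTHER_AP, REASON_3)))
    cap += [(2.0 + i * 0.01,
             constructed_frame(DEAUTH, CONTROLLER, DRONE, CONTROLLER, REASON_3, flags))
            for i in range(20)]
    return cap


if __name__ == "__main__":
    print(detect_deauth_floods(sample_capture()))
```
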

2.5 Spoofing

In radio communication systems, spoofing refers to sending a counterfeit signal that is validated as an authentic signal by the receiving radio system. In this context spoofing could potentially be used to take over the maneuverability of the drone and steer it away from the protected area. Spoofing could be exerted on the drone’s RC-link or navigation-link which is further discussed below.

2.5.1 RC Spoofing

The objective with RC spoofing is to fully gain control over the drone via the RC-link. This could be done by first disrupting the link between the drone and the authentic controller, and then connecting a spoofing controller to the drone. Another way would be to directly send spoofed data packets to the drone, but this assumes that the communication-link is not encrypted or that the encryption has been cracked.

Since most of the drones selected for this thesis use a secure network with a high level of encryption, this type of spoofing was deemed too complex to implement within the time scope of this thesis.

2.5.2 GNSS Spoofing

Since civilian GNSS is not encrypted and the PRN-codes for the Code Division Multiple Access (CDMA) modulation are publicly known, anyone could send out a GNSS spoofing signal that a targeted receiver could lock onto. By altering the position that the spoofing signal sends out, the drone’s navigation system could be tricked into believing that the drone is somewhere else. Only one open-source software tool exists to generate GPS spoofing signals [27]. This means that GLONASS, as of the time of writing this thesis, does not have any open-source software to conduct a spoofing attack with. Therefore, only GPS based spoofing was conducted in this thesis. When performing a GPS spoofing attack there is a distinction between overt and covert spoofing [28]. Figure 2.7 shows an illustration of the difference between overt and covert GPS spoofing.

Overt GPS spoofing initially disrupts the authentic GPS signal at the receiver by transmitting a higher power signal, working similar to a jammer. The targeted GPS receiver then performs a cold start, essentially rebooting the acquisition loop, and later locks on to the spoofing signal.

Covert GPS spoofing is misleading the targeted GPS receiver by gradually increasing the signal strength of the spoofing signal, while also recording the PVT of the drone and transmitting a signal with the same time and coordinates as the drone. This method would lure the drone’s GPS receiver to not lose GPS lock and thus not be detected by the drone’s navigation system.

Figure 2.7: Illustrations showing the difference between (a) overt and (b) covert GPS spoofing.
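From the receiver's side, the overt case leaves a recognisable trace in a PVT log: lock is lost and then regained at a position the platform could not have reached in the elapsed time. The plausibility check below is an added example, not code from the thesis: the log format, speed limit, noise margin and coordinates are constructed assumptions. The constructed covert log passes the check, which matches the text's point that a gradual take-over is not noticed this way.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_pvt_log(fixes, max_speed_mps=25.0, pos_noise_m=10.0):
    """Flag fixes that are unreachable from the previous valid fix.

    fixes: chronological list of (t_s, has_fix, lat_deg, lon_deg).
    Returns a list of (t_s, reason, distance_m) where reason is
    'relock-displaced' (jump after a loss of lock, the overt pattern)
    or 'position-jump' (jump without any reported loss of lock).
    """
    alerts = []
    last = None          # last valid fix as (t, lat, lon)
    lock_lost = False    # True while fixes are missing after a valid one
    for t, has_fix, lat, lon in fixes:
        if not has_fix:
            lock_lost = last is not None
            continue
        if last is not None:
            dist = haversine_m(last[1], last[2], lat, lon)
            reachable = max_speed_mps * (t - last[0]) + pos_noise_m
            if dist > reachable:
                reason = "relock-displaced" if lock_lost else "position-jump"
                alerts.append((t, reason, round(dist)))
        last = (t, lat, lon)
        lock_lost = False
    return alerts


# Constructed logs, 1 Hz fixes around an arbitrary start point.
START_LAT, START_LON = 59.3500, 18.0700

# Genuine flight north at about 5 m/s, lock lost for 5 s, re-lock about 1.1 km away.
OVERT_LOG = (
    [(float(t), True, START_LAT + t * 0.000045, START_LON) for t in range(5)]
    + [(float(t), False, 0.0, 0.0) for t in range(5, 10)]
    + [(float(t), True, 59.3600 + (t - 10) * 0.000045, START_LON) for t in range(10, 15)]
)

# Position dragged east at about 5.7 m/s with no loss of lock.
COVERT_LOG = [(float(t), True, START_LAT, START_LON + t * 0.0001) for t in range(30)]

# Instant displacement without any reported loss of lock.
JUMP_LOG = [(0.0, True, START_LAT, START_LON), (1.0, True, 59.3600, START_LON)]

if __name__ == "__main__":
    print(check_pvt_log(OVERT_LOG))
    print(check_pvt_log(COVERT_LOG))
    print(check_pvt_log(JUMP_LOG))
```
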


Chapter 3

Related Works

In this chapter we review the related works to this thesis in the topic of jamming and spoofing techniques.

3.1 Related Works in Jamming Techniques

Multerer et al. used in work [29] a MIMO radar to both detect a drone and also to steer a directional antenna towards the drone to jam the RC link. The paper showed that a directional antenna could be suited for jamming a drone while avoiding interference with other wireless systems. However, the directional antenna would have to be controlled by a sophisticated localization system that could map the position of the drone in a three dimensional space.

In work [30], Shi et al. researched and compiled an overview of technologies to detect and neutralize drones that existed at that time. Based on the research a counter-drone system called ADS-ZJU was developed. The system used an acoustic array, optical cameras and RF sensors to detect and localize a drone. To neutralize the drone a directional antenna mounted on a servo was targeted towards the drone to jam it, similar to the jammer in paper [29]. The developed system showcased a detection probability of greater than 97% at 100 m when fusing sensor data together. The work did not disclose any data on the RF jammer efficiency and only stated that a set of drones were able to be jammed by the system.

Ferreira et al. explored in [31] different jamming methods using low-cost SDR platforms to jam GPS at L1 frequencies. The methods considered were barrage, sweep, successive pulse, tone and protocol-aware jamming. Based on spectral/energy efficiency and complexity it was concluded that the protocol-aware jammer, which used a radio architecture similar to the GPS satellite transmitters, was the best performing jammer.

In paper [32] Pärlin et al. proposed a protocol-aware jammer to be used on the Futaba Advanced Spread Spectrum Technology (FASST) and Advanced Continuous Channel Shifting Technology (ACCST) protocols, which both utilize a FHSS type of signal for the RC-link. The protocol-aware jammer was compared against a barrage, tone and sweep jammer, and was found to be significantly more efficient in power consumption and range. The authors were also able to transmit valid RC packets to take over the drone, but they remarked that the method requires plentiful knowledge of the drone’s RC-protocol to be able to do so. The proposed jammer was only tested in a closed lab environment with coaxial wires connecting the drone and controller directly to the jammer on a lab bench; the jammer was thus not tested in a real scenario. Paper [33] evaluated different types of jamming methods to interfere with the drone’s RC communication link. The paper concluded that a barrage jammer was the best option to use when the target signal protocol is unknown. However, if the targeted drone’s radio protocol can be determined, a protocol-aware jammer was shown to have a better range performance than the barrage jammer. The experiments were conducted in a more realistic scenario using a SDR with an antenna, but instead of a drone the authors decided to use a RC-car.

Sun et al. demonstrated in [26] a WiFi based drone defense system that used an exploit in the 802.11 protocol to send a de-authentication frame to the Access Point (AP) (the controller), which would then disconnect the communication link to the drone. The method was successful against a DJI Phantom 3 and a DJI Spark. The report also emphasizes that this type of attack will be patched in the 802.11 standard, making this method inapplicable on drones using newer versions of the 802.11 protocol. Also, drones that do not use the 802.11 WiFi for the RC-link, for example the DJI Phantom 4 (Lightbridge protocol), would not be affected by this type of attack.

In paper [25] Thuente et al. studied various protocol-aware jamming attacks in the Media Access Control (MAC)-layer on 802.11b networks. The jammer presented in the paper exploited the CSMA/CD mechanism in 802.11b networks. The paper showed that this attack could be useful in networks connecting several nodes to one AP.

3.2 Related Works in Spoofing Techniques

In work [34] Noh et al. subjected drones to GPS spoofing with the intention of not making the drone crash or land but safely steer the drone away. This was called safe-hijacking. Using a SDR based GPS spoofer and a commercial GLONASS jammer they were able to make a drone lock on to their GPS spoofing signal, but discovered that drones implement different styles of GPS fail-safe behaviours. The fail-safe mechanism would prevent the drone from being controlled by the spoofing signal. Based on the fail-safe behaviour they developed a taxonomy of methods to use in order to safely steer the drone away.

The authors worked on the assumption that the RC link between the pilot and the drone had already been jammed, but did not implement any system to do so. Also, the authors did not fully consider how the spoofing GPS signal should be used to safely steer the drone. In the paper they only succeeded in making the drone crash.

Kerns et al. determined in [28] necessary conditions for drone capture via GPS spoofing and also examined which possibilities the spoofer has over the drone post-capture. The paper discloses two types of GPS spoofing methods, the first being overt (the spoofer does not try to conceal the attack), the other being covert (the spoofer tries to avoid being detected). The paper also shows a UAV model to be used in order to control the drone post-capture. A field-test using the overt method disclosed that a GPS spoofing attack is feasible, but post-capture control is difficult to achieve.

Hermans et al. investigated in [35] if it is possible to spoof a GPS receiver using two directional antennas, at geographically dispersed locations, that would each transmit three satellite signals of the GPS spectrum. The idea was that the targeted GPS receiver would only lock on to the spoofing signal at the intersection of the two antennas’ main beams, while other GPS receivers far from the intersection would not be affected by the spoofing signals. However, the research was unable to determine if this method completely isolated the GPS spoofing signals to the receiver. Also, time synchronization between the two transmitting antennas was a major challenge, and the method was thus deemed unusable.

In [36] Gaspar et al. used an overt GPS spoofing method to spoof a smartphone and two Commercial-Off-The-Shelf (COTS) GNSS receivers, a u-Blox MAX-7Q and a u-Blox M8. These GNSS receivers are commonly found in consumer drones. The authors spoofed the receivers outdoors, after a lock had been established on authentic GNSS satellites. The results showed that the smartphone and the u-Blox MAX-7Q accepted the GPS spoofing signals without hesitance, but the u-Blox M8 did not accept the spoofing signals until after a period of 30 min. This might indicate that the u-Blox M8 chip contains anti-spoofing and jamming features that will prevent the chip from acquiring a position when a spoofing signal is detected.


Chapter 4

Method of The Thesis

This chapter presents the method of the thesis. The chapter begins with an introduction to the method of the thesis. Then follows a description of the drone neutralization methods that were identified by studying the wireless communication links of the selected drones. The chapter continues with a description of the jamming and spoofing techniques that were selected for each neutralization method. The chapter ends with a review of the evaluation criteria that were used to evaluate the selected techniques.

4.1 Introduction to The Method of The Thesis

The purpose of the thesis was to evaluate drone neutralization methods combining jamming and spoofing techniques. An introduction to the method of the thesis is presented below.

1. A set of consumer drones was selected based on consumer market popularity. The drones were used as subjects in the thesis. The wireless communication links, protocols, frequencies, channels, etc. of the selected drones were investigated by finding information on the drone manufacturers’ websites and the Federal Communications Commission (FCC) online database. This is presented previously in chapter 2.

2. A literature study was conducted to find related works in jamming and spoofing techniques. The related works were found by searching academic databases and online search engines for the keywords: Radio, Jamming, Spoofing, UAV, C-UAS, counter-drone, drone neutralization, drone communication, drones, GNSS, GLONASS, GPS, WiFi attack, wireless hacking. The related works are presented in chapter 3.

3. A set of neutralization methods were identified based on the previous investigation of the selected drone’s wireless communication links and the related works. The neutralization methods were then selected based on the technical feasibility to either disrupt (jam) or take over (spoof) the selected drone’s communication-links. Drones with similar wireless protocol, frequencies or other characteristics were grouped together. The selected neutralization methods are presented in section 4.2.


4. For each neutralization method a set of suitable jamming and spoofing techniques were found from related works. The techniques were based on if they could achieve the neutralization method. The techniques were then selected based on if the technique could be implemented within the time frame of the thesis, also open-source hardware/software were preferred. The selected techniques are presented in section 4.3 and 4.4.

5. The jamming and spoofing techniques were used in practice by subjecting the selected drones to the techniques in a series of drone behaviour experiments. The result was acquired by studying the behaviour of the drone when subjected to the technique and answering a set of research questions. The experiment method, platform and setup are presented in chapter 5, and the result is disclosed in chapter 6.

6. The result was used to evaluate each technique in four criteria by setting a score based on the performance of the neutralization method. The evaluation scores were then summarized to determine the best technique for each neutralization method. The evaluation criteria devised for this thesis are presented in section 4.6 in this chapter, and are later used to evaluate the techniques in chapter 7.

4.2 Identified Drone Neutralization Methods

A set of neutralization methods were identified by studying the wireless communication links of the selected drones. Table 4.1 shows a summary of the identified neutralization methods. The methods were based on whether it was feasible to disrupt (jam) or take over (spoof) the links. Starting with the RC-link, only disrupting the link was considered since spoofing the RC-link would not be feasible as mentioned in section 2.5.1. The video-link was likewise only applicable to disrupt, because spoofing the video-link would not make sense. Finally, the navigation link was feasible to both disrupt and/or take over.

Further studying the wireless links of the selected drones it was noticed that drones using the WiFi protocol transmits the RC and video-link on the same channel using an OFDM type of signal, while drones using a FHSS type of signal for the RC-link have a separate video-channel. This means that the first method (Table 4.1-(1)) was focused on only WiFi drones, where the RC and video-link can be disrupted simultaneously. For FHSS type of drones two separate methods (Table 4.1-(2),(3)) were considered, one focused on disrupting the RC-link and the other on disrupting the video-link.

The navigation link can either be disrupted or taken over. The selected drones uses GPS and/or GLONASS for the navigation-link. Therefore the fourth method (Table 4.1-(4)) focused on disrupting the GPS and/or GLONASS navigation-link. The fifth method (Table 4.1-(5)) explored if it was feasible to take over the navigation-link with GPS spoofing. Finally, the last method (Table 4.1-(6)) considered disrupting a combination of the RC, video and navigation-link.

Following the identification of neutralization methods a set of jamming and spoofing techniques were picked for each method by analyzing the related works in the respective topic.


Table 4.1: Summary of the identified neutralization methods.

Neutralization Methods

1 RC/Video-link jamming on WiFi drones
2 RC-link jamming on FHSS drones
3 Video-link jamming on FHSS drones
4 GPS and GLONASS jamming
5 GPS Spoofing
6 Combination of GPS/GLONASS jamming and RC/Video-link jamming

4.3 Selected Jamming Techniques

For drones using 802.11x WiFi (Yuneec Mantis Q, Parrot ANAFI) or DJI Enhanced WiFi (DJI Mavic Air), the RC- and video-link are transmitted on the same channel using OFDM in either the 2.4 GHz or 5 GHz band. Four techniques from the related works on jamming were found to be of interest.

1. A full-band (2.4 GHz and 5 GHz) barrage jamming technique could be used to disrupt all communication on the band. This technique would require a wide-band noise generator that spans the full 2.4 GHz band of 100 MHz and the full 5.8 GHz band of 150 MHz. This would require a very powerful signal source, which unfortunately could not be obtained within the time frame of the thesis.

2. A single channel barrage jamming technique could be used to disrupt the link by transmitting a noise signal that is only as wide as the targeted signal. For WiFi drones this signal is between 2 MHz and 40 MHz wide. This technique would be feasible to implement within the scope of the thesis.

3. A de-authentication attack could be used on the WiFi-link. An open-source penetration testing suite that could launch this type of attack was found online.

4. A CSMA/CA attack as described in section 2.4.2 could also be used, but was deemed too complex to implement within the time frame of this thesis and was dismissed. The technique might also not work, since drones might not use this mechanism.
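To anyone monitoring the drone's WiFi channel, the de-authentication technique in item 3 appears as a burst of 802.11 deauthentication management frames. The following is an added example, not code from the thesis: it parses such frames and flags a burst per BSSID, and the sample frames, MAC addresses, threshold and window are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for an 802.11 deauthentication frame, else None.
    Assumes the radiotap header has already been stripped."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    # With management frame protection the body is encrypted (Protected bit
    # 0x40 in byte 1), so the reason code is not readable in the clear.
    reason = None if frame[1] & 0x40 else struct.unpack_from("<H", frame, 24)[0]
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_flood(capture, threshold=5, window=1.0):
    """capture: iterable of (timestamp_s, raw_frame) in time order.
    Returns {bssid: peak count} for BSSIDs that saw at least `threshold`
    deauthentication frames within any `window`-second span."""
    recent, flagged = defaultdict(deque), {}
    for ts, raw in capture:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        q = recent[parsed[2]]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[parsed[2]] = max(flagged.get(parsed[2], 0), len(q))
    return flagged

# Constructed sample frames (not a real capture); MAC addresses are made up.
# Header layout: frame control, duration, DA (broadcast), SA, BSSID, sequence.
HDR = "{fc}00" "0000" "ffffffffffff" "{ap}" "{ap}" "0000"
def sample_frame(fc, ap, body):
    return bytes.fromhex(HDR.format(fc=fc, ap=ap) + body)

DRONE_AP, OTHER_AP = "021122334455", "02aabbccddee"
SAMPLE = (
    [(0.1 * i, sample_frame("c0", DRONE_AP, "0700")) for i in range(8)]  # burst, reason 7
    + [(0.05, sample_frame("80", DRONE_AP, "00" * 12))]                  # beacon, ignored
    + [(0.30, sample_frame("c0", OTHER_AP, "0300"))]                     # single, benign
)
SAMPLE.sort(key=lambda rec: rec[0])

if __name__ == "__main__":
    print(detect_flood(SAMPLE))
```

A single deauthentication frame is normal when a station leaves a network, which is why the check is a rate over a window rather than the mere presence of the frame type.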

For drones using a FHSS type of signal for the RC-link (DJI Mavic Pro 1&2, DJI Phantom 4, DIY-drone), the RC- and video-link are transmitted on separate protocols in either the 2.4 GHz or 5 GHz band.

To disrupt the FHSS signal of the RC-link, suitable methods were to use a full-band barrage, sweep, tone or protocol-aware jammer. No tone jammer was found to be available on the internet, so this technique was dismissed.

The video-link of the FHSS drones uses OFDM to transmit the video stream, except for the DIY-drone, which uses an analog signal. Similar to the WiFi drones, the video-link of FHSS drones could be disrupted with either a full-band or single channel barrage jammer.

The selected drones use GPS and/or GLONASS on L1 band for the navigation link. To disrupt these links a full-band L1 barrage jammer was selected.
