University researchers were able to sabotage a drone by hacking the computer controlling the 3D printer that made its parts, according to a research paper released Thursday. By changing the design of the propellor before printing, they caused the $1,000 drone to “smash into the ground” and break, shortly after take off.
The paper, titled dr0wned – Cyber-Physical Attack with Additive Manufacturing, was a joint effort from researchers at Ben-Gurion University of the Negev (BGU), the University of South Alabama, and Singapore University of Technology and Design. In the paper, the researchers explained how they committed the cyberattack, and what the attack could mean for the future of 3D printing security.
Using a phishing attack, the researchers gained access to the PC that was connected to the 3D printer. Then, after finding the design files for the propellor of the DJI drone they used, they replaced the file with an altered version that, after being printed and installed, performed incorrectly and caused a crash.
“Initially we focused on checking whether the 3D-printer can be hacked,” said BGU professor Yuval Elovici. “Quickly, we realized that such an attack cannot scale due to the huge variety of 3D printers, and thus we decided to focus on how attackers may intervene in a generic way in the process between design and production.”
In the original field trial, which you can see a video of here, the team was able to fly the drone for about two minutes before the propeller failed. A big part of this demonstration was the ability to make a change to the design that would not be detectable in a simple visual inspection. So, the researchers worked on augmenting the attachment surface joints with gaps, which weakened the attachment and sped up the rate of fatigue that it experienced.
“The attacker designed the cavities such that the propeller will break after two minutes of intensive operation, assuming that the drone will be already high in the air (will guarantee that the drone will break),” Elovici said.
Image: Sofia Belikovetsky, Mark Yampolskiy, Jinghui Toh, Yuval Elovici
While the attack was performed on a commercially-available consumer drone, a press release announcing the research said that the larger goal was to illustrate “how a cyber attack and malicious manipulation of blueprints can fatally damage production of a device or machine.”
This is especially important to note due to the growth of 3D printing and other forms of additive manufacturing. Citing the Wohlers Report, the release claimed that 32.5% percent of all objects made through additive manufacturing “are used as functional parts.” Security vulnerabilities in these new technologies are critical to understand if they scale up the manufacturing chain to devices with a bigger impact.
“Imagine that an adversary can sabotage functional parts employed in an airplane’s jet engines. Such an attack could cost lives, cause economic loss, disrupt industry, and threaten a country’s national security,” Elovici said in the press release.
While the research presented in the paper isn’t a new concept, it is the first “full chain of attack” that began with a cyberattack on a 3D printer, according to the report. The researchers mention that the attack took place on a private computer connected to a personal 3D printer, but they argue that a similar type of attack is possible on an industrial system, even one producing metal parts for critical applications.
Elovici said that manufacturers need to understand how severe the threat is to additive manufacturing. He also said that digital manufacturing should be treated as “critical infrastructure.”
“In addition, and more specifically to additive manufacturing, before printing an object, there is a need to check that the file was not modified and there are many cryptographic means that can be used in order to achieve this goal,” Elovici said. “The research community is currently engaged in developing innovative methods that involve innovative data verification techniques that verify that what is printed is exactly [the] content of the original design.”
The 3 big takeaways for TechRepublic readers
- Researchers at three universities hacked a 3D printer and manipulated design files, causing a printed drone propellor to fail and the drone to crash.
- The design had to be altered in a way that wasn’t visible, so the team changed the internal joint of the propeller.
- This isn’t the first exploration of this concept, but it is the first “full chain of attack,” according to the report, and could be replicated on an industrial system.