
ExpressLRS is an open-source Radio Link for Radio Control applications that focuses on range and latency. It is very popular in FPV drone racing and other remote control aircraft.

It runs on a wide variety of hardware in both the 900 MHz and 2.4 GHz bands. The 900 MHz version of ExpressLRS runs at a maximum 200 Hz update rate, which is higher than Crossfire’s 150 Hz. The 2.4 GHz version can even run at 500 Hz.

Drone Protocol Flaws Let Attacker Take Full Control Over the Device

Experts warn that flaws in the drone protocol can give an attacker full control over the target craft, resulting in control issues that cause a crash.

ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time, to bind a transmitter to a receiver. It acts as an identifier that makes sure the correct transmitter is talking to the correct receiver. ExpressLRS states that the binding phrase is not for security; it is for anti-collision.

“Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter”, according to the recent technical advisory published.

This helps to find out the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase.

This binding phrase is hashed using MD5, a hashing algorithm that’s been considered broken for nearly a decade. The first 6 bytes of the hash are stored as a UID shared between the receiver and the transmitter, and the last 4 bytes of the UID are used as a seed to generate a random frequency hopping spread spectrum (FHSS) sequence.

A ‘sync’ packet is sent from the transmitter to the receiver through the FHSS sequence. CRC checks, initialised using the last two bytes of the UID, ensure that packets have been received intact.
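
The derivation described above, as an added example that is not ExpressLRS firmware code: it shows that the link parameters are a pure function of the phrase, and that four of the six UID bytes are reused as inputs to the hopping seed and CRC initialiser. The function names, the sample phrases, hashing the raw phrase string and the big-endian integer conversion are assumptions.

```python
import hashlib
from dataclasses import dataclass

UID_LEN = 6  # per the article: first 6 bytes of the MD5 digest form the shared UID


@dataclass(frozen=True)
class LinkParams:
    uid: bytes
    fhss_seed: int   # built from the last 4 UID bytes
    crc_init: int    # built from the last 2 UID bytes


def derive_link_params(binding_phrase: str) -> LinkParams:
    """Derive UID, FHSS seed and CRC initialiser as the article describes.

    Assumption: the raw phrase is hashed and integers are big-endian; the
    real firmware's exact input string and byte order are not on the page.
    """
    digest = hashlib.md5(binding_phrase.encode("utf-8")).digest()
    uid = digest[:UID_LEN]
    return LinkParams(
        uid=uid,
        fhss_seed=int.from_bytes(uid[-4:], "big"),
        crc_init=int.from_bytes(uid[-2:], "big"),
    )


def uid_reuse_map() -> dict:
    """UID byte positions that feed each derived link parameter."""
    idx = list(range(UID_LEN))
    return {"fhss_seed": idx[-4:], "crc_init": idx[-2:]}


def bytes_not_reused() -> list:
    """UID byte positions that serve only as the identifier."""
    reused = {i for positions in uid_reuse_map().values() for i in positions}
    return [i for i in range(UID_LEN) if i not in reused]


if __name__ == "__main__":
    for phrase in ("team-alpha", "team-bravo"):  # constructed sample phrases
        p = derive_link_params(phrase)
        print(f"{phrase!r}: uid={p.uid.hex()} "
              f"seed={p.fhss_seed:#010x} crc_init={p.crc_init:#06x}")
    print("UID bytes reused by link parameters:", uid_reuse_map())
    print("UID bytes used only as the identifier:", bytes_not_reused())
```

Different phrases give different parameters, which is the anti-collision property; nothing in the derivation is secret or per-device, which is why the phrase offers no security.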

These are the recommended actions to be taken to patch over the weaknesses in ExpressLRS.
