ExpressLRS is an open-source radio link for radio control applications that focuses on range and latency. It is very popular in FPV drone racing and with other remote-control aircraft.
It runs on a wide variety of hardware in both the 900 MHz and 2.4 GHz bands. The 900 MHz version of ExpressLRS runs at a maximum 200 Hz update rate, which is higher than Crossfire's 150 Hz. The 2.4 GHz version can run at up to 500 Hz.
Researchers warn that flaws in the link protocol can give an attacker full control over the target craft, which could be used to interfere with control and cause a crash.
Weaknesses in Drone Protocol
ExpressLRS uses a 'binding phrase', built into the firmware at compile time, to bind a transmitter to a receiver. It is a kind of identifier that makes sure the correct transmitter is talking to the correct receiver. The project states that the binding phrase is for anti-collision, not for security.
“Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter”, according to the recent technical advisory published.
This leaked portion makes it easier to work out the remaining part of the identifier. Once the full identifier is known, an attacker's transmitter can be used to control the craft containing the receiver without any knowledge of the binding phrase.
The binding phrase is hashed with MD5, a hashing algorithm that has been considered broken for nearly a decade. The first 6 bytes of the hash are stored as a shared UID between the receiver and the transmitter, and the last four bytes of the UID are used as a seed to generate a pseudo-random frequency hopping spread spectrum (FHSS) sequence.
A 'sync' packet is sent from the transmitter to the receiver over the FHSS sequence. CRC checks, initialised with the last two bytes of the UID, ensure that packets have been received intact.
- The sync packet holds the final three bytes of the UID, which are used to verify that the transmitter has the same binding phrase as the receiver, to avoid a collision. Observation of a single sync packet therefore gives 75% of the bytes required to take over the link.
- The CRC initialiser uses the final two bytes of the UID, which are sent in the sync packet, making it extremely easy to construct a valid CRC.
- A further weakness lies in the FHSS sequence generation: the second 128 values of the final byte of the 4-byte seed produce the same FHSS sequence as the first 128, so that byte contributes only half the variation it should.
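The following is an added illustration, not ExpressLRS code and not taken from the advisory. It derives the UID the way the article describes (MD5 of the binding phrase, first six bytes kept, last four bytes as the FHSS seed) and then runs the kind of audit check a firmware maintainer would want for the third weakness: sweep the final seed byte over all 256 values and count how many distinct hop sequences come out. The hop generator is a toy linear congruential generator with a hypothetical seed_mask parameter that models a generator silently ignoring bit 7 of the seed; the constants, hop count, channel count and the binding phrase are all constructed for the example.

```python
import hashlib


def derive_uid(binding_phrase: str) -> bytes:
    """Derive the 6-byte UID as the article describes: MD5 of the binding
    phrase, keeping the first six bytes of the digest."""
    return hashlib.md5(binding_phrase.encode()).digest()[:6]


def fhss_seed(uid: bytes) -> int:
    """The last four UID bytes form the 32-bit FHSS seed (per the article)."""
    return int.from_bytes(uid[2:6], "big")


def toy_fhss_sequence(seed: int, hops: int = 64, channels: int = 40,
                      seed_mask: int = 0xFFFFFFFF) -> tuple:
    """Toy linear congruential generator; NOT ExpressLRS's own generator.

    seed_mask is a hypothetical knob modelling a generator that drops bits
    of its seed. Clearing bit 7 (mask 0xFFFFFF7F) reproduces the symptom the
    advisory describes: final-byte values v and v+128 give the same hop order.
    """
    state = seed & seed_mask
    seq = []
    for _ in range(hops):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        seq.append((state >> 16) % channels)
    return tuple(seq)


def distinct_sequences_over_last_byte(seed_prefix: int,
                                      seed_mask: int = 0xFFFFFFFF) -> int:
    """Audit check: hold the upper three seed bytes fixed, sweep the final
    byte over all 256 values and count distinct hop sequences.
    A sound generator yields 256; one that ignores bit 7 yields 128."""
    seen = set()
    for last in range(256):
        seen.add(toy_fhss_sequence((seed_prefix << 8) | last, seed_mask=seed_mask))
    return len(seen)


if __name__ == "__main__":
    uid = derive_uid("constructed-example-phrase")  # constructed sample phrase
    prefix = fhss_seed(uid) >> 8                    # upper three seed bytes
    print("sound generator, distinct sequences:",
          distinct_sequences_over_last_byte(prefix))
    print("bit-7-blind generator, distinct sequences:",
          distinct_sequences_over_last_byte(prefix, 0xFFFFFF7F))
```

The check is generator-agnostic: swap toy_fhss_sequence for the real hop generator under test and the count of distinct sequences directly measures whether every seed byte is contributing. Any result below 256 means part of the seed is being discarded, which is exactly the class of defect the second recommended action is meant to remove.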
Actions to be Applied
- Do not send the UID over the control link. The data used to generate the FHSS sequence should not be sent over the air.
- Improve the random number generator. This could involve using a more secure algorithm, or adjusting the existing algorithm to work around repeated sequences.
These are the actions recommended to address the weaknesses in ExpressLRS.
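As an added illustration of the first recommendation (do not send the UID over the control link), here is the sync-packet design the article describes beside a hypothetical alternative in which the sync packet carries a short keyed tag over a packet counter instead of raw UID bytes. This is example code, not ExpressLRS code and not the fix the project shipped; SYNC_TYPE, the six-byte packet layout, derive_sync_key and the 24-bit tag length are assumptions made for the example, and the binding phrases are constructed.

```python
import hashlib
import hmac

SYNC_TYPE = 0x0F  # constructed packet-type marker for this illustration


def derive_uid(binding_phrase: str) -> bytes:
    """UID as the article describes: first six bytes of MD5(binding phrase)."""
    return hashlib.md5(binding_phrase.encode()).digest()[:6]


def derive_sync_key(binding_phrase: str) -> bytes:
    """Hypothetical: a separate verification key derived from the full binding
    phrase (not from the 6-byte UID, whose bytes are what the weak design
    exposes). Both ends compute it at build time; it is never transmitted."""
    return hashlib.sha256(b"elrs-sync-key|" + binding_phrase.encode()).digest()


def sync_packet_raw(uid: bytes, counter: int) -> bytes:
    """Design the article describes: the last three UID bytes ride in the
    sync packet, so one captured packet reveals them."""
    return bytes([SYNC_TYPE]) + counter.to_bytes(2, "big") + uid[3:6]


def sync_packet_tagged(sync_key: bytes, counter: int) -> bytes:
    """Hypothetical alternative: a 24-bit HMAC tag over the counter. The tag
    changes every packet and reveals nothing about the seed material."""
    tag = hmac.new(sync_key, counter.to_bytes(2, "big"), "sha256").digest()[:3]
    return bytes([SYNC_TYPE]) + counter.to_bytes(2, "big") + tag


def verify_sync_tagged(sync_key: bytes, packet: bytes) -> bool:
    """Receiver-side check: recompute the tag from the counter and compare in
    constant time. A transmitter with a different binding phrase fails here."""
    if len(packet) != 6 or packet[0] != SYNC_TYPE:
        return False
    expected = hmac.new(sync_key, packet[1:3], "sha256").digest()[:3]
    return hmac.compare_digest(expected, packet[3:6])


def uid_bytes_exposed(uid: bytes, packet: bytes) -> int:
    """Audit helper: count payload positions carrying a UID byte verbatim."""
    return sum(1 for i, b in enumerate(packet[3:6]) if b == uid[3 + i])


if __name__ == "__main__":
    phrase = "constructed phrase A"
    uid, key = derive_uid(phrase), derive_sync_key(phrase)
    raw, tagged = sync_packet_raw(uid, 7), sync_packet_tagged(key, 7)
    print("raw design, UID bytes on air:", uid_bytes_exposed(uid, raw))
    print("tagged design, UID bytes on air:", uid_bytes_exposed(uid, tagged))
    print("matching key verifies:", verify_sync_tagged(key, tagged))
    print("other phrase verifies:",
          verify_sync_tagged(derive_sync_key("constructed phrase B"), tagged))
```

The point of the alternative is narrow: it keeps the anti-collision function of the sync packet (a receiver still rejects a transmitter built with a different phrase) while putting nothing on the air that feeds the FHSS seed or the CRC initialiser. A 24-bit tag is adequate for telling two links apart but is not an authentication guarantee on its own, and the key must come from the full phrase, since deriving it from the UID would just move the leaked bytes into the key.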