Security Analysis of ExpressLRS Drone Radio Control Links
Category: Wireless security
Location: Thun / Zurich
Contact: Daniel Dorigatti
ExpressLRS (ELRS) is a high-performance open-source radio control link widely used in FPV drone racing and remote control aircraft. It operates in both the 900 MHz and 2.4 GHz bands, providing low-latency control at maximum range. However, recent security research has revealed critical vulnerabilities that allow attackers to hijack control links using only standard ExpressLRS-compatible hardware.
In 2022, NCC Group published a technical advisory [1] demonstrating that ExpressLRS vulnerabilities allow for complete hijacking of control links. The attack involves extracting part of the identifier shared between receiver and transmitter through analysis of sync packets, then using brute force to determine the remaining portion. Once the full identifier is discovered, an attacker can control any craft with no knowledge of the binding phrase, potentially causing crashes or unauthorized control.
The vulnerabilities stem from weaknesses in the binding phase: sync packets contain the final three bytes of the UID, and the CRC initializer is derived from the final two bytes. Combined with weaknesses in the random number generator used to derive the frequency-hopping sequence, this allows an attacker to determine the complete UID with minimal effort.
In response to these security concerns, projects like PrivacyLRS [2] have emerged as privacy-protecting forks that implement strong encryption for both RC commands and telemetry data. However, the broader ExpressLRS ecosystem remains vulnerable to these attacks.
The goal of this project is to build a comprehensive demodulator for ExpressLRS protocols and perform state-of-the-art attacks to assess the current security posture of deployed systems. This will involve:
- Developing a software-defined radio (SDR) based demodulator for ExpressLRS protocols
- Implementing the attack techniques described in the NCC Group advisory
- Conducting security analysis of real-world ExpressLRS deployments
- Evaluating the effectiveness of mitigation strategies like PrivacyLRS
- Developing improved detection and prevention mechanisms
This research will contribute to understanding the real-world impact of ExpressLRS vulnerabilities and help develop more robust security measures for drone control systems.
Required Skills:
- Signal processing and digital communications
- Programming in Python/C/C++
- Software-defined radio (SDR) experience
- Reverse engineering and protocol analysis
- Wireless security and cryptography
[1] R. Appleby, Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link, NCC Group Research Blog, 2022. https://www.nccgroup.com/us/research-blog/technical-advisory-expresslrs-vulnerabilities-allow-for-hijack-of-control-link/
[2] PrivacyLRS: Privacy-protecting fork of ExpressLRS. https://github.com/sensei-hacker/PrivacyLRS