Nozomi Networks detects three vulnerabilities in BlueMark DroneScout ds230 Remote ID receiver

Researchers from Nozomi Networks Labs disclosed on Tuesday three vulnerabilities (rated critical, high, and medium risk) that affect the BlueMark DroneScout ds230 device. Two of these vulnerabilities could allow an attacker to spoof Remote ID information by forcing the DroneScout ds230 to drop the Remote ID information transmitted by legitimately communicating drones. As a consequence, the attacker is able to inject fake locations associated with the legitimate drones detected by the DroneScout.

The researchers added that the third vulnerability discovered demonstrates the capability to install malicious firmware updates on the DroneScout appliance. The crafted update could contain arbitrary files which, in turn, could lead the attacker to gain administrative privileges on the underlying Linux operating system.

“The manufacturer BlueMark Innovations has, upon discovery, solved the vulnerabilities in firmware version 20230605-1350. Users of the ds230 are urged to upgrade the device to the latest firmware,” the Nozomi Networks Labs team wrote in a blog post. “Two of these are rated critical and high risk and could impact the reliability of the data provided by the DroneScout appliance and the security of the asset owners’ networks. We urge owners of the BlueMark DroneScout ds230 and system integrators using the device to apply the available firmware upgrade to prevent adversaries from exploiting the presented vulnerabilities,” it added.

Nozomi also noted that Remote ID policies and standards, which require drones to periodically broadcast their telemetry information, will play an essential role in the future of aviation. “This is true both in terms of airspace security and safety as they allow entities such as law enforcement and critical infrastructure authorities to be aware of the drones surrounding a certain area. If vulnerabilities are not addressed, the potential to spoof legitimate telemetry data across a growing number of commercial drones presents a potentially dangerous risk to the integrity of Remote ID policies and broadcasted telemetry information,” the blog added.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) outlined that the safe and secure integration of UAS (unmanned aircraft systems), or drones, into the national airspace system and across critical infrastructure organizations is essential to maintain the security and resilience of national critical functions. “A whole-of-government approach is required to incorporate cybersecurity and physical security into the policies and procedures that support secure drone operations, reliable threat discrimination through air domain awareness, and the effective mitigation of credible threats to national security and public safety,” the agency added.

The Federal Aviation Administration (FAA) said that drones are prohibited from flying over designated national security-sensitive facilities. Operations are prohibited from the ground up to 400 feet above ground level and apply to all types and purposes of UAS flight operations. Examples of these locations are military bases designated as Department of Defense (DoD) facilities; national landmarks, such as the Statue of Liberty, Hoover Dam, and Mt. Rushmore; and certain critical infrastructure, such as nuclear power plants.

The FAA is continuing to consider additional requests by eligible federal security agencies for UAS-specific flight restrictions as they are received.

The DroneScout ds230 appliance, manufactured by BlueMark Innovations, is a (direct/broadcast) Remote ID receiver capable of receiving and interpreting telemetry messages periodically broadcast by drones, the Nozomi researchers revealed. In particular, the DroneScout is based on the Open Drone ID (ODID) open-source framework which makes it compatible with both the DIN EN 4709-002 standard (EU) and the ASTM F3411-22a-RID-B standard (USA).

The device is equipped with two independent Wi-Fi (802.11) interfaces and one Bluetooth interface and supports various transmission protocols, including Bluetooth legacy, Bluetooth Long Range, WiFi NaN, and WiFi Beacon. Together these cover all the frequency bands (2.4, 5.2, and 5.8 GHz) currently required by the different Remote ID standards.

Nozomi outlines that the DroneScout ds230 is not a device intended for the end user; it is instead designed for system integrators that want to integrate the functionality provided by the DroneScout into their own products. “Also, the DroneScout is not a stand-alone device and requires an MQTT (Message Queuing Telemetry Transport) broker (typically provided by the system integrator) for collecting the Remote ID information detected by the ds230 appliance. Finally, beyond the wireless interfaces introduced earlier, the DroneScout is equipped with an ethernet interface which allows asset owners to connect it to their own networks and that is used by the device to communicate with the MQTT broker,” it added.

The post added that from a high-level point of view, the DroneScout uses its internal wireless interfaces to scan both Wi-Fi and Bluetooth channels continuously. From the wireless point of view, the DroneScout is a completely passive device. It never transmits anything over wireless and the wireless interfaces are configured in monitor mode. When a frame (Wi-Fi or Bluetooth) containing Remote ID information is detected, it parses the content of the Open Drone ID message. It associates the parsed Remote ID information to the source MAC address of the drone sending the Remote ID message.

Lastly, it identified that collected Remote ID information is periodically transmitted over the ethernet interface to the third-party managed MQTT broker (the system integrator). The content of the MQTT messages is JSON (JavaScript Object Notation) formatted.

The researchers said that the most impactful vulnerability is CVE-2023-31191. “With this vulnerability, the DroneScout can be forced to drop Remote ID telemetry information broadcast by real drones and instead generate and transmit JSON encoded MQTT messages containing fake Remote ID information injected by the attacker. Consequently, the system integrator running the MQTT broker will have no access to the legitimate drones’ Remote ID telemetry information,” they added.

DroneScout’s firmware version 20230104-1650 introduced an algorithm “to suppress WLAN transponder signals on neighboring channels in case the RSSI is very strong. (If for instance a transponder is detected on channel 6 at -45 dBm, it will also be detected at channels 4, 5, 7 and 8. The algorithm will suppress those detections on adjacent channels.)”

An attacker can exploit the algorithm by creating an ODID message carrying a spoofed source MAC address Md and crafted Remote ID data, and then injecting that ODID message on an adjacent channel ‘Ca’ (e.g., if the drone D is transmitting on channel 6, the attacker can transmit on channel 8). Finally, the attacker transmits the Wi-Fi frames with high enough power that they are received by the DroneScout with an RSSI ‘Ra’ satisfying the suppression condition. This can be achieved by using a transmitter amplifier or a high-gain/directional antenna.

If the conditions above are satisfied, the researchers said that when the DroneScout receives the ODID message spoofed by the attacker it will set Md->channel to Ca and Md->RSSI to Ra, and from this moment forward it will start dropping the ODID messages received from drone D on channel C.
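To make the suppression logic and the failure mode described above concrete, here is a small model written for this article (not BlueMark's code): it pins each MAC to the channel where it was heard most strongly and suppresses weaker copies on neighbouring channels, and a hardened mode refuses to treat a differently-worded message as bleed-over. The adjacent-channel span, the "very strong" RSSI threshold and the payload comparison are assumptions.

```python
"""Model of adjacent-channel suppression and one possible hardening.
Added illustration only; thresholds and the payload check are assumed."""
from dataclasses import dataclass, field

STRONG_RSSI_DBM = -50   # assumed threshold for "very strong" RSSI
ADJACENT_SPAN = 2       # assumed: channels within +/-2 count as neighbours


@dataclass
class Detection:
    mac: str
    channel: int
    rssi: int
    payload: bytes      # raw Open Drone ID message content


@dataclass
class Tracker:
    """Per-MAC record of the channel/RSSI a transponder is pinned to."""
    verify_payload: bool = False            # True = hardened mode
    seen: dict = field(default_factory=dict)
    conflicts: list = field(default_factory=list)

    def accept(self, d: Detection) -> bool:
        """Return True if the detection is forwarded, False if suppressed."""
        prev = self.seen.get(d.mac)
        if prev is None or d.channel == prev.channel:
            self.seen[d.mac] = d
            return True
        if abs(d.channel - prev.channel) > ADJACENT_SPAN:
            return True                     # not a neighbouring channel
        if self.verify_payload and d.payload != prev.payload:
            # Same MAC on a neighbouring channel but different content: real
            # RF bleed-over repeats the same bytes, so forward and flag it.
            self.conflicts.append((d.mac, prev.channel, d.channel))
            return True
        if d.rssi > prev.rssi:
            self.seen[d.mac] = d            # stronger copy: re-pin the MAC
            return True
        # weaker neighbouring copy: suppressed only if the pinned one is strong
        return prev.rssi < STRONG_RSSI_DBM


def run_scenario(verify_payload: bool):
    """Replay the article's scenario with constructed values: drone D on
    channel 6 at -45 dBm, then a stronger message with D's MAC on channel 8."""
    t = Tracker(verify_payload=verify_payload)
    legit = Detection("aa:bb:cc:dd:ee:01", 6, -45, b"ODID:D:lat=1.0")
    spoof = Detection("aa:bb:cc:dd:ee:01", 8, -40, b"ODID:X:lat=9.9")
    return [t.accept(legit), t.accept(spoof), t.accept(legit)], t.conflicts
```

In the unhardened mode the third call returns False, i.e. the legitimate drone's next message on channel 6 is dropped; in the hardened mode it is forwarded and the conflict is recorded for the integrator to alert on.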

With CVE-2023-31190 an attacker that can execute a ‘man-in-the-middle’ attack could prompt the DroneScout ds230 to install a crafted malicious firmware update containing arbitrary files, and gain administrative (root) privileges on the underlying Linux operating system, the researchers said. “This is possible because of a vulnerability in the updated procedure used by the DroneScout appliance. The user can manually update the DroneScout to the latest firmware by executing the update script /root/update.sh.”

The researchers recommend that “asset owners and systems integrators quickly apply the updated firmware (version 20230605-1350) released by BlueMark Innovations on June 5, 2023 (or more recent firmware releases when available),” the post added.

Last week, Nozomi revealed five new vulnerabilities affecting the American Megatrends (AMI) MegaRAC BMC software solution. They specifically affect the AMI MegaRAC SP-X codebase, on which the firmware of many baseboard management controller (BMC) devices is based. As this firmware is adopted by numerous vendors for creating their own remote management solutions, these vulnerabilities affect all vendors’ products, including OT (operational technology), IoT, and IT devices whose BMC firmware is derived from the affected codebase.
