-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RVD#3316: No authentication in MAVLink protocol #3316
Comments
Been reviewing the release notes of PX4 and from the outlook, versions prior than NOTE: for the sake of time, no actual code review was done to confirm the presence and/or implementation of MAVLink 2.0 in For reference: https://github.com/PX4/Firmware/releases?after=v1.7.4beta |
Further extended ticket with:
|
This has the potential to harm humans if a bad operator takes control of the device and it goes kamikaze. Please consider changing the Hazard value from H:U to H:H |
Mmmm I'm a bit hesitant about that. This vuln itself affects the robot components and would need to be chained with other flaws to affect humans, don't you think so? That's why i left it as unknown. |
Fair enough. LGTM! |
Fine then, filed for a CVE ID CVEProject/cvelist#4246 |
Hello, I don't understand the point of this ticket... It is clearly stated that mavlink 1.0 protocol doesn't provide any system of authentification.... About mavlink2.0 with signing, if somebody got the signing key, yes you got an issue but that like for all systems when you lose a key. About ArduPilot, we use mavlink2.0 by default since some time. So we aren't vulnerable to this. |
Hi @khancyr,
That's right. MAVLink 1.0 does not implement authentication or authorization but while that design decision is respectable (and likely appropriate for that time), it still includes with it a security flaw which is what's described in this ticket and what's captured with a CVE ID. The lack of authentication is thereby a vulnerability on MAVLink's version 1.0.
Last time I checked the source code of PX4 and ArduPilot (a couple of months ago) noticed that for backwards compatibility (and to support several GCSs), the autopilot allows to negotiate communications with both MAVLink 1.0 and 2.0 endpoints. Depending on how intialization and handshake process is established, it's somewhat trivial to get the autopilot to exchange messages using the insecure and unauthenticated version 1.0. This is somewhat covered at https://mavlink.io/en/guide/mavlink_version.html#negotiating_versions. I cooked a simple exploit PoC for PX4 which validated this. Never got the time or resources to test it also in ArduPilot but I'm happy to review it if anyone can support us in the process with some resources. Frankly, I scrolled quickly through the ArduPilot code so I might have missed something but happy to double check it if you can provide pointers where there's evidence that ArduPilot implements only a subset of MAVLink, and thereby discards this characteristic (negotiation of the version). That certainly would be a proper mitigation, though it'll break backwards compatibility. Let me now if you something to add in here but for the time being, I'm keeping this open based on this rationale for ArduPilot. |
That is only an issue if you are using mavlink protocol with SiK or RFD like radio ( even if this have aes encryption) because they are serial over the air radio and thus implement OSI layer 3 and 4 with MAVLINK. On other case, like with IP protocola, MAVLINK isn't subject to vunerability as it implements just the layer 7, mavlink is just a binarised messaging system such as protobuf or rosmsg. So that insn't really the MAVLINK protocol that is vunerable but the way to distribute mavlink messages. Second point, on the drone PX4 and ArduPilot are using MAVLINK on multiple serial as layer 3 and 4 without authentication but I doubt that is an issue as that is just a way to pass message between sensor, such as I2C/SPI/1-wire etc. Is that a vunerability to have unsecured communication between sensors on a drone ? In conclusion, where is the issue with MAVLINK? On the radio using it : sure. On the protocol itself ? I fail to see where... Ps: a proper analysis of mavlink system would have shown you that some implementations are subject to heartbleed like vulnerability... |
I agree that serial telemetry radios are subject to attack vectors exploiting this vulnerability.
I disagree kindly with this. My analysis focused not on ArduPilot but it's applicable to autopilots implementing MAVLink protocol and using it over any of its different (enabled) channels. The following graph from a recent presentation I gave at PX4 conference slides depicts a few examples: Moreover, here's a screenshot from the analysis I performed recently of MAVLink as payload over UDP: The whole protocol is implemented as a transport-layer payload. I dissected the protocol and crafted a few funny packages for the PoC demonstrating a few interesting issues such as the one discussed above. It's thereby possible over UDP/IP to act as a "malicious end-point/malicious GCS" and downgrade to MAVLink 1.0 in the "version negotiation" process, bypassing some of the security features enabled in MAVLink version 2.0. Nevertheless, all this is to my understanding, is beyond the scope of this ticket and would require a somewhat knowledgeable attacker. Also, the ticket in here is just pointing to
Interesting! Do you have a PoC or cycles to demonstrate something like this? I'd be more than happy to review a ticket coming from you and help/support collecting evidence. |
Hey @khancyr, do you have any additional input or insights on this? |
If you are using UDP then the transport layer is UDP not mavlink ... On the schema you gave MAVLINK comes from UDP or uart from another peripherical. UDP is securable easily, for uart you can just put some encryption on both side... That is what exist on RFD like radio. You have encrypted paired radio using mavlink... |
This cannot be a CVE, and it is a misuse of the term. A CVE by definition requires that there is an underlying security policy, for which a vulnerability has been found. But there is no such policy, Or to put it differently that there was a design distinction between authorized, and unauthorized, access. Again not the case with Mavlink 1.0. In short, this is like saying that a public place that has been made accessible to anyone has a CVE because it has a gate with no lock, or no fence. Well ... no. You could call Mavlink 1.0 insecure, or open. But that's about it. |
Thanks @OlivierJB for jumping in and adding your view.
Interesting. What you say makes sense to since AFAIK MAVLink didn't consider security at its inception but at the same time, to my understanding (and research so far), a On what basis do you claim that a CVE can "only be assigned if there is an underlying security policy"? Can you provide a reference that help me dive deeper? While it might be obvious to an experienced drone developer that MAVLink isn't secure (and on this basis you may judge, it's not necessary to have an ID), my current standpoint is that lots of technologies in robotics don't have such policies (security was completely disregarded) yet there're plenty of security vulnerabilities which should be registered and considered when designing a robotic application. An ID helps manufacturers (and other stakeholders) identify quickly what security issues affect a particular technology, regardless of their expertise with a flight stack or any of its underlaying technologies. |
then please open a CVE for :
Those are most of the protocol supported by ArduPilot and all are vulnerable |
@khancyr I have read about MAVlink protocol which works with UDP in wireless/wifi. If we use WPA2 security at both ends ground control station and drone, then every MAVlink packet is encrypted with end to end encryption. How does someone sniffs or capture the drone? I am also confused about where the MAVlink protocol works in the UART scenario on the data link layer? Where is routing because it has an id of sender and destination id in numbers etc.? |
@khancyr, as per your above comments, we need encryption at both ends by using UART, so these encryption standards should follow the MAVlink protocol's working requirements, and these algorithms will be vulnerable. |
Just encode your mavlink message, then crypt it with the algorithm you want and send it on UART... This has nothing to do with mavlink protocol |
So no need to add authentication in the MAVlink protocol. Add another layer of security encryption on UART. I have a question can it affect the performance of drones like computational cost or latency after implementing any encryption algorithm on UART? |
Yes, encryption always come with some CPU usage |
But the internet of drones is also a concern of MAVlink usages, if commands/Mavlink messages are traveling without encryption in-network, any adversary can capture these packets and use them for malicious purposes. |
such as any non-encrypted communication. If you want encryption, just use encryption on your transport layer. if you chose to send raw tcp socket with mavlink message over the net, the issue isn't on mavlink but on your way to communicate. That apply to any communication |
The text was updated successfully, but these errors were encountered: