ABSTRACT
Robotic vehicles (RVs) are cyber-physical systems that operate in the physical world under the control of software functions. They are increasing in adoption in many industrial sectors. RVs rely on sensors and actuators for system operations and navigation. Control algorithm based estimation techniques have been used in RVs to minimize the effects of noisy sensors, prevent faulty actuator output, and recently, in detecting attacks against RVs. In this paper, we propose three kinds of attacks to evade the control-based detection techniques and cause RVs to malfunction. We also propose automated algorithms for performing the attacks without requiring the attacker to expend significant effort or know specific details of the RV, making the attacks applicable to a wide range of RVs. We demonstrate these attacks on ArduPilot simulators and two real RVs (a drone and a rover) in the presence of an Intrusion Detection System (IDS) using control estimation models to monitor the runtime behavior of the system. We find that the control models are incapable of detecting our stealthy attacks, and that the attacks can have significant adverse impact on the RV's mission (e.g., cause the RV to crash or deviate from its target significantly).
- Sridhar Adepu and Aditya Mathur. 2016. Using process invariants to detect cyber attacks on a water treatment system. In IFIP International Information Security and Privacy Conference. 91--104.Google ScholarCross Ref
- Ekta Aggarwal, Mehdi Karimibiuki, Karthik Pattabiraman, and André Ivanov. 2018. CORGIDS: A Correlation-based Generic Intrusion Detection System. In Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC '18). ACM, New York, NY, USA, 24--35. Google ScholarDigital Library
- Chuadhry Mujeeb Ahmed, Jianying Zhou, and Aditya P. Mathur. 2018. Noise Matters: Using Sensor and Process Noise Fingerprint to Detect Stealthy Cyber Attacks and Authenticate Sensors in CPS. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC '18). ACM, New York, NY, USA, 566--581. Google ScholarDigital Library
- H. Alemzadeh, D. Chen, X. Li, T. Kesavadas, Z. T. Kalbarczyk, and R. K. Iyer. 2016. Targeted Attacks on Teleoperated Surgical Robots: Dynamic Model-Based Detection and Mitigation. In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 395--406. Google ScholarCross Ref
- Maryam Raiyat Aliabadi, Amita Ajith Kamath, Julien Gascon-Samson, and Karthik Pattabiraman. 2017. ARTINALI: Dynamic Invariant Detection for Cyber-physical System Security. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017). ACM, New York, NY, USA, 349--361. Google ScholarDigital Library
- Amazon Prime [n. d.]. Amazon Prime Delivery. Retrieved January 24, 2019 from https://www.amazon.com/Amazon-Prime-Air/b?node=8037720011Google Scholar
- ArduPilot [n. d.]. Ardupilot - Software in the Loop. Retrieved May 24, 2018 from http://ardupilot.org/dev/docs/sitl-simulator-software-in-the-loop.htmlGoogle Scholar
- Aryn Baker. [n. d.]. Zipline Drone Delivery. Retrieved January 24, 2019 from http://www.flyzipline.com/Google Scholar
- P.-J. Bristeau, E. Dorveaux, D. VissiÃĺre, and N. Petit. 2010. Hardware and software architecture for state estimation on an experimental low-cost small-scaled helicopter. Control Engineering Practice 18, 7 (2010), 733 -- 746. Special Issue on Aerial Robotics. Google ScholarCross Ref
- Stephen Burns. [n. d.]. Drone meets delivery truck. Retrieved May 24, 2019 from https://www.ups.com/us/es/services/knowledge-center/article.page?name=drone-meets-delivery-truck&kid=cd18bdc2Google Scholar
- Y. Chen, C. M. Poskitt, and J. Sun. 2018. Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA, 648--660. Google ScholarCross Ref
- Hongjun Choi, Wen-Chuan Lee, Yousra Aafer, Fan Fei, Zhan Tu, Xiangyu Zhang, Dongyan Xu, and Xinyan Deng. 2018. Detecting Attacks Against Robotic Vehicles: A Control Invariant Approach. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). ACM, New York, NY, USA, 801--816. Google ScholarDigital Library
- A. Choudhari, H. Ramaprasad, T. Paul, J. W. Kimball, M. Zawodniok, B. McMillin, and S. Chellappan. 2013. Stability of a Cyber-physical Smart Grid System Using Cooperating Invariants. In 2013 IEEE 37th Annual Computer Software and Applications Conference. 760--769. Google ScholarDigital Library
- Keywhan Chung, Zbigniew T. Kalbarczyk, and Ravishankar K. Iyer. 2019. Availability Attacks on Computing Systems Through Alteration of Environmental Control: Smart Malware Approach. In Proceedings of the 10th ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS '19). ACM, New York, NY, USA, 1--12. Google ScholarDigital Library
- Keywhan Chung, Xiao Li, Peicheng Tang, Zeran Zhu, Zbigniew T. Kalbarczyk, Ravishankar K. Iyer, and Thenkurussi Kesavadas. 2019. Smart Malware that Uses Leaked Control Data of Robotic Applications: The Case of Raven-II Surgical Robots. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019). USENIX Association, Chaoyang District, Beijing, 337--351. https://www.usenix.org/conference/raid2019/presentation/chungGoogle Scholar
- G. Dan and H. Sandberg. 2010. Stealth Attacks and Protection Schemes for State Estimators in Power Systems. In 2010 First IEEE International Conference on Smart Grid Communications. 214--219. Google ScholarCross Ref
- Drew Davidson, Hao Wu, Rob Jellinek, Vikas Singh, and Thomas Ristenpart. 2016. Controlling UAVs with Sensor Input Spoofing Attacks. In 10th USENIX Workshop on Offensive Technologies (WOOT 16). USENIX Association, Austin, TX. https://www.usenix.org/conference/woot16/workshop-program/presentation/davidsonGoogle Scholar
- ETH-Agile and Dexterous Robotics Lab. [n. d.]. Control Toolbox. https://ethz-adrl.github.io/ct/ct_doc/doc/html/index.htmlGoogle Scholar
- Gene F. Franklin, J. David Powell, and Abbas Emami-Naeini. 2018. Feedback Control of Dynamic Systems (8th Edition) (What's New in Engineering). Pearson. https://www.amazon.com/Feedback-Control-Dynamic-Systems-Engineering/dp/0134685717?SubscriptionId=AKIAIOBINVZYXZQZ2U3A&tag=chimbori05-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=0134685717Google Scholar
- Luis Garcia, Ferdinand Brasser, Mehmet Hazar Cintuglu, Ahmad-Reza Sadeghi, Osama A. Mohammed, and Saman A. Zonouz. 2017. Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit. In NDSS.Google Scholar
- R. M. GÃşes, E. Kang, R. Kwong, and S. Lafortune. 2017. Stealthy deception attacks for cyber-physical systems. In 2017 IEEE 56th Annual Conference on Decision and Control (CDC). 4224--4230. Google ScholarCross Ref
- D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. 2008. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In 2008 IEEE Symposium on Security and Privacy (sp 2008). 129--142. Google ScholarDigital Library
- Jason Baker (Red Hat). [n. d.]. Open source drone projects. https://opensource.com/article/18/2/drone-projectsGoogle Scholar
- Andrew J. Hawkins. [n. d.]. UPS will use drones to deliver medical supplies in North Carolina. Retrieved May 24, 2019 from https://www.theverge.com/2019/3/26/18282291/ups-drone-delivery-hospital-nc-matternetGoogle Scholar
- Todd E. Humphreys. 2008. Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer. In In Proceedings of the Institute of Navigation GNSS (ION GNSS.Google Scholar
- Saurabh Jha, Subho S. Banerjee, Timothy Tsai, Siva Kumar Sastry Hari, Michael B. Sullivan, Zbigniew T. Kalbarczyk, Stephen W. Keckler, and Ravishankar K. Iyer. 2019. ML-based Fault Injection for Autonomous Vehicles: A Case for Bayesian Fault Injection. CoRR abs/1907.01051 (2019). arXiv:1907.01051 http://arxiv.org/abs/1907.01051Google Scholar
- JSMSim [n. d.]. JSBSim Open Source Flight Dynamics Model. Retrieved May 24, 2018 from "http://jsbsim.sourceforge.net/"Google Scholar
- S. Karnouskos. 2011. Stuxnet worm impact on industrial cyber-physical system security. In IECON 2011 - 37th Annual Conference of the IEEE Industrial Electronics Society. 4490--4494. Google ScholarCross Ref
- Taegyu Kim, Chung Hwan Kim, Junghwan Rhee, Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, and Dongyan Xu. 2019. RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 425--442. https://www.usenix.org/conference/usenixsecurity19/presentation/kimGoogle Scholar
- Robert M. Lee, Michael J. Assante, and Tim Conway. 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid. Technical Report. Electricity Information Sharing and Analysis Center (E-ISAC) (2016).Google Scholar
- J. Li and Y. Li. 2011. Dynamic analysis and PID control for a quadrotor. In 2011 IEEE International Conference on Mechatronics and Automation. 573--578. Google ScholarCross Ref
- Yao Liu, Peng Ning, and Michael K. Reiter. 2009. False Data Injection Attacks Against State Estimation in Electric Power Grids. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09). ACM, New York, NY, USA, 21--32. Google ScholarDigital Library
- K. Manandhar, X. Cao, F. Hu, and Y. Liu. 2014. Detection of Faults and Attacks Including False Data Injection Attack in Smart Grid Using Kalman Filter. IEEE Transactions on Control of Network Systems 1, 4 (Dec 2014), 370--379. Google ScholarCross Ref
- MATLAB. [n. d.]. System Identification Overview. ([n. d.]). https://www.mathworks.com/help/ident/gs/about-system-identification.htmlGoogle Scholar
- MATLAB. [n. d.]. System Identification Toolbox. ([n. d.]). https://www.mathworks.com/products/sysid.htmlGoogle Scholar
- S. McLaughlin and S. Zonouz. 2014. Controller-aware false data injection against programmable logic controllers. In 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm). 848--853. Google ScholarCross Ref
- Lorenz Meier, Petri Tanskanen, Friedrich Fraundorfer, and Marc Pollefeys. 2011. Pixhawk: A system for autonomous flight using onboard computer vision. In 2011 IEEE International Conference on Robotics and Automation. IEEE, 2992--2997.Google ScholarCross Ref
- MARS 2020 Mission. [n. d.]. MARS Exploration Rover. https://mars.nasa.gov/mer/mission/rover/Google Scholar
- Robert Mitchell and Ing-Ray Chen. 2012. Specification based intrusion detection for unmanned aircraft systems. In Proceedings of the first ACM MobiHoc workshop on Airborne Networks and Communications (2012), 31--36.Google ScholarDigital Library
- Robert Mitchell and Ing-Ray Chen. 2014. Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications. IEEE Transactions on Systems, Man, and Cybernetics: Systems 44, 5 (2014), 2014.Google ScholarCross Ref
- GNU Octave. [n. d.]. GNU Octave Scientific Programming Language. https://www.gnu.org/software/octave/Google Scholar
- Out of Control. [n. d.]. Artificial Delay Attack Demo Video. https://drive.google.com/open?id=1_CHITopKSraKZXnAIyeUoQZqki8fgUXeGoogle Scholar
- Out of Control. [n. d.]. False Data Injection Attack Demo Video. https://drive.google.com/open?id=1JgrCpwspsBiYdNvKUxeKnl-bZQ9WS_CgGoogle Scholar
- Out of Control. [n. d.]. Switch Mode Attack Demo Video. https://drive.google.com/open?id=1yUSGa5GoBQYl0GTiTbcPFN5NnjBHXL-YGoogle Scholar
- Hadi Ravanbakhsh, Sina Aghli, Christoffer Heckman, and Sriram Sankaranarayanan. 2018. Path-Following through Control Funnel Functions. CoRR abs/1804.05288 (2018). arXiv:1804.05288 http://arxiv.org/abs/1804.05288Google Scholar
- Brent A. Renfro, Miquela Stein, Nicholas Boeker, Emery Reed, and Eduardo Villalba. [n. d.]. An Analysis of Global Positioning System (GPS) Standard Positioning Service (SPS) Performance for 2018.Google Scholar
- Aion Robotics. [n. d.]. R1 ArduPilot Edition. https://docs.aionrobotics.com/en/latest/r1-ugv.htmlGoogle Scholar
- H. Sakoe and S. Chiba. 1978. Dynamic programming algorithm optimization for spoken word recognition. IEEE Transactions on Acoustics, Speech, and Signal Processing 26, 1 (February 1978), 43--49. Google ScholarCross Ref
- Nicolas Sheilds. [n. d.]. Walmart Drone Delivery. Retrieved December 09, 2018 from https://www.businessinsider.com/walmart-blockchain-drone-delivery-patent-2018-9Google Scholar
- Yasser Shoukry, Paul Martin, Paulo Tabuada, and Mani Srivastava. 2013. Non-invasive Spoofing Attacks for Anti-lock Braking Systems. In Cryptographic Hardware and Embedded Systems - CHES 2013, Guido Bertoni and Jean-Sebastien Coron (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 55--72.Google Scholar
- Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim. 2015. Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, Washington, D.C., 881--896. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/sonGoogle Scholar
- Christopher Steiner. [n. d.]. Bot-In-Time Delivery. https://www.forbes.com/forbes/2009/0316/040_bot_time_saves_nine.html#68ee53d9b942Google Scholar
- ArduPilot Development Team. [n. d.]. Building ArduPilot. https://github.com/ArduPilot/ardupilot/blob/master/BUILD.mdGoogle Scholar
- Paparazzi Development Team. [n. d.]. Paparazzi - The Free Autopilot. https://wiki.paparazziuav.org/wiki/Main_PageGoogle Scholar
- Pixhawk Development Team. [n. d.]. Pixhawk AutoPilot. https://docs.px4.io/en/flight_controller/pixhawk_series.htmlGoogle Scholar
- Nils Ole Tippenhauer, Christina Pöpper, Kasper Bonne Rasmussen, and Srdjan Capkun. 2011. On the Requirements for Successful GPS Spoofing Attacks. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11). ACM, New York, NY, USA, 75--86. Google ScholarDigital Library
- T. Trippel, O. Weisse, W. Xu, P. Honeyman, and K. Fu. 2017. WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks. In 2017 IEEE European Symposium on Security and Privacy (EuroS P). 3--18. Google ScholarCross Ref
- Zhaolin Yang, Feng Lin, and B. M. Chen. 2016. Survey of autopilot for multi-rotor unmanned aerial vehicles. In IECON 2016 - 42nd Annual Conference of the IEEE Industrial Electronics Society. 6122--6127. Google ScholarCross Ref
Index Terms
- Out of control: stealthy attacks against robotic vehicles protected by control-based techniques
Recommendations
Stealthy Attacks against Robotic Vehicles Protected by Control-based Intrusion Detection Techniques
Special Issue on ACSAC'19: Part 2Robotic vehicles (RV) are increasing in adoption in many industrial sectors. RVs use auto-pilot software for perception and navigation and rely on sensors and actuators for operating autonomously in the physical world. Control algorithms have been used ...
Modeling and control of Cyber-Physical Systems subject to cyber attacks: A survey of recent advances and challenges
Highlights- In general, the cyber-attacks in the literature can be classified into three main types: denial of service (DoS) attacks, deception attacks, and replay ...
AbstractCyber Physical Systems (CPS) are almost everywhere; they can be accessed and controlled remotely. These features make them more vulnerable to cyber attacks. Since these systems provide critical services, having them under attack would ...
A comparative risk analysis on CyberShip system with STPA-Sec, STRIDE and CORAS
AbstractThe widespread use of software-intensive cyber systems in critical infrastructures such as ships (CyberShips) has brought huge benefits, yet it has also opened new avenues for cyber attacks to potentially disrupt operations. Cyber risk assessment ...
Comments