Flying malware: the Virus Copter

At the latest San Francisco Drone Olympics (now called DroneGames, thanks, no doubt, to awful bullying from the organized crime syndicate known as the International Olympic Committee), there were many fascinating entries, but the champion was James "substack" Halliday's Virus-Copter (github), which made wireless contact with its competitors, infected them with viruses that put them under its control, sent them off to infect the rest of the cohort, and then caused them to "run amok."

Many people have written to point out that Virus-Copter shares some DNA with one of the plot elements in my novel Pirate Cinema, but I assure you the resemblance is entirely coincidental. Drones, after all, are stranger than technothrillers.

Here's the $300 drone the competitors were flying.

The payload virus.tar includes:

* node cross-compiled for the ARM chips running on the drones
* felixge's ar-drone module
* some iwconfig/iwlist wrappers in lib/iw.js
* open wireless networks in nodes.json (gathered by the deployment computer)

Report from the DroneGames (formerly Drone Olympics ;-))


  1. That’s how you win a fucking competition! The next competition will be 10 times as interesting; everyone will have to include defensive software, wireless link encryption, and for those bold enough, attack software. The crazy ones will go ahead and add actual weaponry.

        1. Weapons will never be used, especially now that the links are shown to be insecure even against other drones.

  2. FIRST Robotics has the same problem. The problem is the use of WiFi to control machines. They had some yahoo with a laptop bring down the competition network during their big finale.

    Designing your remote-control gizmo to use a dirt-simple comm link instead of a standard wireless network is slightly more inconvenient, but it eliminates an entire class of trouble. 

  3. Ah yes the organized crime syndicate known as the International Olympic Committee, much like the terrorist organization known as the National Football League, and the supranational revenge and extortion confederacy known as the Union of European Football Associations.

    1.  The examples of the IOC being dicks about other people using the word Olympics are many and varied, for example they’ve gone after a group of knitters who watched the Olympics and worked on themed projects, the logic of which baffles me. Why would you go after people who are encouraging others to watch your broadcasts??

      1. Of course the “Olympics of the Mind” comes to mind.  A challenging competition for school kids, they learned to innovate, design, problem solve, create, work hard, have fun, and maybe even be recognized and rewarded for the above. 
        For a couple decades now they have been “Odyssey of the Mind” thanks to the IOC.  Maybe they need to get permission from the Greeks?  Or pay homage to Homer?  Or money to Greece?  (On second thought, maybe the IOC owes Greece something for intellectual property use of their brand?)

      1. Just because some NFL owners are bigoted or because the IOC is aggressively defending their I.P. beyond the point of good business practice and good sense, doesn’t make them criminals. I prefer to keep the term organized crime syndicate for groups that are collaborating to break the law, rather than collaborating to do things we might find distasteful.

        1.  Seems to me that any organisation that is large enough to change, or have laws changed, is unlikely to ever allow itself the actual moniker of “criminal”.

  4. Everyone’s only talking about this relative to future iterations of this event… I’m wondering how many hackers are now contemplating using cheap modified drones to take over computers/networks that they’re having trouble remotely accessing and can physically access with a drone but wouldn’t be able to in-person.

    1. I was about to reply with a few reasons I don’t think this would be likely but the more I thought about it the more possibilities I came up with. The on board flight computers wouldn’t be powerful enough to be used in an attack but I could see a drone being used as a delivery platform for a disposable drop box.

    2. How do you imagine that working?

      Without insecure wireless (which you wouldn’t really need a drone to get at, just a can antenna) at the target, you have… what?

      The drone commandeering a keyboard? Plugging into ethernet? While hoping you don’t lose your control link when it goes indoors?

      It’d be orders of magnitude easier to simply lie (“social engineer”) your way in.

  5. For the last couple of weeks I’ve had a series of conversations in which I’ve tried to convince people that they need to be more concerned about the security of the software and firmware that runs machines other than laptops and servers. Think CNC routers, printers, mining trucks, drones, industrial robots. We have just seen the very beginning of the malware threats to the great array of devices on the “Internet of Things”.

    1.  Do you think IPv6 will have an impact on this by giving essentially every Internet-facing device a unique address? Already five minutes using Shodan can (theoretically of course) get me access to a huge number of systems that aren’t mine.

      1. Yes, I think exactly that. And yes, I was also thinking about the Shodan searches which can show you so many interesting things. One of the things about Shodan is that you can see what sorts of devices are sitting out there on the ‘Net all naked and available for pwnage. But, I think that the *real* threat has less to do with that sort of “I found an open machine by chance” thing and far more to do with organized attacks on machines in specific industries and/or specific geographic locations.

        1.  Absolutely, Shodan is fun for finding IP cameras and network printers but much less valuable for targeted attacks. I subscribed to your blog, some interesting reading :)

    2. I work on a radio telescope, and it’s connected to the Internet. I sometimes wonder about that, and in fact I once had a spectrometer-control computer I installed there get pwned through an old FTP vulnerability.

      But our computer guy has a good line of defense these days, with a whitelist and access attempt reporting. We also have an operator on site at all times who would notice if something went awry.

      1. When you say “I work on a radio telescope” is that the physical location of your office, or more of an abstraction of your job focus?

        I’m seriously hoping for the former. But either way: sweet!

        1. Not that I’m jealous or anything. Holy flipping hells, I’m a computer programmer, how awesome is that?!!! There’s bleeps and bloops, and blinking lights, and all sorts of cool stuff (although I must admit, there’s no way the whining sound of a laser printer can compare to the chugging out of green-bar paper).

          There ain’t no cheap flying cars, but we are living in the future, it’s pretty well distributed [in my first world] — we’re just blinded by its ubiquity.
