Moriah Frazier: Protecting drones – by hacking them
Like most rising seniors at West Virginia University, Moriah Frazier began searching for the perfect capstone thesis project as she approached her final year at the University. But Frazier, who hails from Clarksburg, Maryland, is a cybersecurity major at the Benjamin M. Statler College of Engineering and Mineral Resources. A fairly new program, cybersecurity didn’t yet have many established capstone projects for her to choose from.
Story by Micaela Morrissette, Research Writer, WVU Research Communications
Undaunted, Frazier asked Teaching Assistant Professor Tom Devine to help. With Devine, she began envisioning a brand-new cybersecurity capstone concept: research that exposes drones to cyberattacks in order to figure out how to protect the drones from attacks that are real – and hostile. Devine sought industry sponsorship on her behalf and received logistical and technical support from Trilogy Innovations Inc. Brandon Downey, Trilogy's CEO, and Randy Cottle, chief operating officer and vice president, played crucial roles.
Frazier reached out to other undergraduates who were set to earn degrees in cybersecurity or computer science in December 2023, and soon collaborators Emerson Foringer, Tom Hasselman, Jack Lizmi and Ethan Washington had joined her research group. As the team lead, Frazier plans meetings, assigns tasks, finds funding – and works with Devine on ways to make the project “even more awesome for future capstone generations,” she said.
Q: What are you looking to accomplish in this research, and how did you land on that goal?
A: Our primary focus is understanding a drone’s vulnerabilities by practicing, in a controlled environment, the same attacks that threat actors might attempt. Learning about specific drone vulnerabilities will allow companies to take steps to harden drone security.
Drones are all over the world now, playing roles in shopping, first aid, security and military applications. With all of these come security concerns. How are signals being transmitted from the user to the drone, and how are those signals protected from outside parties?
Some threat actors may be hacking drones for malicious purposes, like causing harm to people or property. Others might be conducting espionage and gathering sensitive data.
Q: What stage are you at in the project?
A: First, our team got an understanding of FCC rules, and the basics of capturing, examining and exploiting drone data. Then we researched different attacks that could be performed on a drone, established a few attacks we wanted to use for the platform and tested the attacks to see if we could successfully hack the drone.
Our platform can scan for drones in the nearby area, select an attack, perform the attack on a drone, then generate a detailed “post-exploitation” report outlining what happened to the drone during the attack.
Throughout the fall 2023 semester, we’ll keep developing our software, which will be hosted on the cloud and contain interfaces for users to perform different attacks on a drone. By the end of our capstone, we expect to have fully working software that’s capable of hacking drones, as well as a full analysis of drone vulnerabilities and how to fix them.
Q: How does your tool attack drones?
A: Users of our software will be able to select from several different attack modules. Deauthentication attacks, for example, disrupt the connection between a user and a Wi-Fi access point, and are used to gain control of a drone. Replay attacks have the same objective of taking over a drone, but they work by intercepting and recording the signals sent from a drone’s controller to the drone.
In “GPS spoofing,” false GPS signals are sent to a drone’s navigation system, causing it to misinterpret its location and direction. Then there are “handshake captures,” which record and store the communication between a user’s device and a Wi-Fi network, allowing for later decryption and potential unauthorized access.
Our software enables other kinds of attacks, too: dictionary attacks, denial-of-service attacks and video takeovers.
Q: Are there already products out there for protecting drones against cyberattack?
A: There are quite a few, but they all have downsides. For example, there’s DroneDefender, which is a gun-shaped tool that you point and aim and that can scramble a drone’s function. That’s much more expensive than our tool, and a pain to carry around. Very different from that is SkyJack software, which can take over drones within Wi-Fi distance, creating “zombie” drones. But it only works on cheap, consumer drones, not serious drones designed for scientific, industrial or military applications.
Q: Why WVU?
A: Both my parents attended WVU, and I started going to WVU football games when I was 3. Since then, the school has been like home.
Q: Did you come here wanting to pursue a cybersecurity degree?
A: I didn’t intend to study computer science, though I did know I wanted to be in STEM. In fact, I came here intending to become a pharmacist. But cybersecurity is a fast-growing field that’s more and more in demand. There are so many different aspects to cybersecurity that it could never get old.
Q: What song will be playing in your head when you’re doing a slow-motion walk across the stage on Commencement Day?
A: “Moment 4 Life,” by Nicki Minaj featuring Drake.
Q: What’s next for you?
A: I have a job offer to start as a cyber, risk and regulatory associate at PricewaterhouseCoopers after I graduate.
Contact: Paige Nesbit, Statler College of Engineering and Mineral Resources, 304.293.4135