
Reports of AUTEL drones losing control at the edge of the no-fly zone

The vulnerability involves the item: AUTEL Intelligent UAV-EVO NANO Series

https://www.autelrobotics.com/

Shenzhen AUTEL Intelligent Aviation Technology Co., Ltd., founded on 29 May 2014, is a company focusing on the research, development, production and sales of drones. Its main business scope includes the production of civil avionics equipment, automatic control equipment, civil unmanned aerial vehicles, radio data transmission systems, filming equipment, camera products, electronic components, and computer software. AUTEL drones currently occupy 7 per cent of the global market share.

0x01 Attack Scenarios and harm from vulnerabilities

Consider the scenario where there are two roles in the use of drones: the manufacturer (managing the cloud server) and the operator (controlling the drone through the remote controller). Upon purchasing the Autel-NANO drone, users receive both the drone itself and a remote controller. The remote controller needs to be connected to a mobile phone, and a specific app (AutelSky) must be opened on the phone for operation.

In normal operations, a benign operator following the rules while using the drone in a flyable zone should not experience situations where the drone loses control or can only make a vertical descent in a hazardous area.

0x02 Vulnerability risk

When the exploit is triggered, the drone cannot be moved at all, not even away from the no-fly zone, and can only descend vertically at its current location. Depending on the setup of the return point path, this landing point could be over water, trees or a crowd. The whole trigger process stays within the rules of use, and no danger alerts are shown.

0x03 Vulnerability trigger Reason

The intended no-fly-zone policy of the AUTEL drone should trigger in one of two cases:

  1. After a drone has somehow taken off inside a no-fly zone (e.g. by forcing it to take off without a GPS signal), it will not be able to move any further and will have to land in situ once position information is subsequently detected and the no-fly zone is triggered.
  2. When a drone flying in a flyable area approaches a no-fly zone, it will be prevented from moving further forward so that it does not enter the no-fly zone.

There should be no loss of control of the drone when there is a GPS signal and the drone is performing a legal manoeuvre in a flyable area.

The reason for the loss of control is a logic flaw in the AUTEL drone's no-fly-zone policy: the return point is not checked when it is set, so it can be placed inside the no-fly zone (by comparison, a DJI drone does a pre-check and refuses to set the return point inside the no-fly zone). When the user sets the return point inside the no-fly zone and turns on the return function, the drone automatically flies towards the return point and, once it is at the edge of the no-fly zone, keeps approaching at a very slow speed (probably because the GPS signal is not accurate enough, so the judgement of whether the drone is already inside the no-fly zone fluctuates, which allows the drone to fly further into the no-fly zone).
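The missing pre-check described above can be sketched as follows. This is an added example, not code from Autel, DJI or this report; the circular zone model, the 30 m GPS margin and all names (`NoFlyZone`, `check_return_point`) are assumptions made for illustration. It rejects a return point that lies inside a zone or its margin, and also one whose straight return path would cross the zone.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class NoFlyZone:
    """Hypothetical model: a circular zone (centre in degrees, radius in metres)."""
    lat: float
    lon: float
    radius_m: float

def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) points."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dp, dl = p2 - p1, math.radians(b[1] - a[1])
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def check_return_point(drone, home, zones, gps_margin_m=30.0, step_m=10.0):
    """Pre-check run when the user sets a return point. Returns (ok, reason).

    gps_margin_m (assumed value) widens every zone so that position jitter at
    the boundary cannot carry the aircraft across it during the return flight.
    """
    steps = max(1, math.ceil(distance_m(drone, home) / step_m))
    for z in zones:
        centre, limit = (z.lat, z.lon), z.radius_m + gps_margin_m
        if distance_m(home, centre) <= limit:
            return False, "return point inside no-fly zone or its GPS margin"
        # Walk the straight return path; linear interpolation in lat/lon is
        # adequate over the short distances a small drone covers.
        for i in range(1, steps):
            t = i / steps
            p = (drone[0] + t * (home[0] - drone[0]), drone[1] + t * (home[1] - drone[1]))
            if distance_m(p, centre) <= limit:
                return False, "return path crosses no-fly zone or its GPS margin"
    return True, "ok"

# Constructed sample data (not from the report): 500 m zone, drone ~820 m west of its centre.
ZONE = NoFlyZone(22.5400, 113.9500, 500.0)
DRONE = (22.5400, 113.9420)
for name, home in [("inside zone", (22.5400, 113.9490)), ("inside margin", (22.5400, 113.9450)),
                   ("far side", (22.5400, 113.9600)), ("flyable", (22.5400, 113.9400))]:
    print(name, check_return_point(DRONE, home, [ZONE]))
```

Only the last sample return point is accepted; the "far side" case shows why checking the return point alone is not enough when the path to it runs through the zone.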

0x04 Vulnerability Reproduction Steps

Autel Drone Model: NANO Drone

Firmware Version: 1.6.5

Remote Control Firmware Version: 1.6.5

  1. After taking off the drone in the flyable area at the edge of the no-fly zone, set a customised return point in the remote control APP;
  2. Select the return point in the no-fly zone;
  3. Turn on the return function;
  4. Wait for a period of time (30s-1min after the drone approaches the edge of the no-fly zone); the drone will be stuck at the edge of the no-fly zone and can only descend in place.


PS:

  1. Entering return mode is not a necessary step for triggering the vulnerability; rather, a benign user can easily trigger it by incorrectly setting the return point, resulting in loss of control of the drone.
  2. There is no indication on the map of the customised return point setting interface that the return point cannot be set inside the no-fly zone, and it is entirely possible for the user to set the return point inside the no-fly zone.
  3. During the return process, the aircraft is automatically raised to a minimum height of 25 metres or more and will be out of the operator's line of sight, so the operator will not notice right away that it is stuck at the edge of the no-fly zone.
  4. Please pay attention to the environmental safety of the aircraft landing site during the test.

0x05 Video demonstration of the validation process

Video 1 (Screen Recording of Remote Controller Operation):

https://youtu.be/M3KSgrFx-Q0

0:00-0:09 The aircraft takes off normally in the flyable zone, with a good GPS signal.

0:10-0:32 Demonstrates that the Autel drone can set a return point within a no-fly zone.

0:33-2:00 The aircraft enters return mode, ascends to 25m altitude, approaches the return point, and slowly advances along the edge of the no-fly zone. It quickly gets stuck at the no-fly zone and can only rotate in place or descend, unable to move forward, backward, left, right, or ascend (including moving away from the no-fly zone).

Video 2 (Third-Person View of the Same Flight):

https://youtu.be/EKCPhcxjWAg

0:00-2:16 The aircraft takes off, sets a return point, enters return mode, and quickly gets stuck at the edge of the no-fly zone.

2:17-2:41 The remote controller is unable to change the drone's position. The left joystick, when pushed up, is ascent, pulled down is descent, and left or right is rotation in place. The right joystick, when pushed up, is forward, pulled down is backward, and left or right is lateral movement. It can be observed that only descent and rotation in place are functional.

Video 3 (Demonstration of Drone Getting Stuck Process):

https://youtu.be/ewkIftcDIiQ

0:00-0:17 Drone takes off.

0:18-0:41 Drone slowly approaches the no-fly zone and gets stuck at the edge.

0:42-1:41 Drone loses control and can only perform an emergency landing in place.

0x06 Additional information

The vulnerability has been reviewed by CNVD and assigned a number (CNVD-2023-861988), but has not yet been publicized.
