A Robot Operating System Framework for Secure UAV Communications

sensors

Article A Robot Operating System Framework for Secure UAV Communications

Hyojun Lee 1 , Jiyoung Yoon 2 , Min-Seong Jang 1 and Kyung-Joon Park 1,*

1 Department of Information and Communication Engineering, Daegu Gyeongbuk Institute of Science and Technology, Daegu 42988, Korea; [email protected] (H.L.); [email protected] (M.-S.J.) 2 INTUSEER Inc., Daegu 41260, Korea; [email protected] * Correspondence: [email protected]; Tel.: +82-53-785-6314

Abstract: To perform advanced operations with unmanned aerial vehicles (UAVs), it is crucial that components other than the existing ones such as flight controller, network devices, and ground control station (GCS) are also used. The inevitable addition of hardware and software to accomplish UAV operations may lead to security vulnerabilities through various vectors. Hence, we propose a security framework in this study to improve the security of an unmanned aerial system (UAS). The proposed framework operates in the robot operating system (ROS) and is designed to focus on several perspectives, such as overhead arising from additional security elements and security issues essential for flight missions. The UAS is operated in a nonnative and native ROS environment. The performance of the proposed framework in both environments is verified through experiments.

Keywords: unmanned aerial vehicles; cyber-physical systems; network attack; security

Citation: Lee, H.; Yoon, J.; 1. Introduction Jang, M.-S.; Park, K.-J. A Robot Unmanned aerial vehicles (UAVs), commonly known as drones, have been recently Operating System Framework for deployed in various environments to perform numerous tasks [1–4]. One of the most Secure UAV Communications. representative drone services is Amazon’s Prime Air, which is currently under develop- Sensors 2021, 21, 1369. https:// ment [5]. Other companies are also preparing various drone projects such as storm damage doi.org/10.3390/s21041369 evaluation, property damage assessment, and shale gas asset monitoring. The increase in the use of UAVs in various ﬁelds has resulted in growing concerns regarding the security Academic Editor: Andrey V. Savkin of the unmanned aerial system (UAS). According to the “FAA Aviation Forecast 2019–2029” released by the Federal Aviation Administration along with the example described earlier, Received: 30 December 2020 the commercial drone market is expected to triple by 2023. As the utilization of UAVs Accepted: 7 February 2021 increases, there is a need to manage the security of the UAS. The need to manage the Published: 15 February 2021 system security is not merely theoretical; it can be illustrated by real-life incidents. The 2011 drone hijacking incident, one of the most widely known cases of UAV cyberattacks, is an Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in event in which Iranian cyber units cut off UAV communications links in the United States published maps and institutional afﬁl- and diverted the UAVs into Iranian territory by manipulating the GPS (global positioning iations. system) coordinates. Although there are many arguments about the authenticity of the case, it should be realized that cyberattacks on UAVs are possible. In addition, the most common vector in attack cases is the radio communication provided by the UAV platform. UASs belong to a category of cyber-physical systems (CPSs). Unlike traditional embedded systems that operate individually, a CPS requires the close interaction of computing Copyright: © 2021 by the authors. and physical systems. Ultimately, a CPS can be seen as the integration of computational, Licensee MDPI, Basel, Switzerland. networking, and physical processes. It is a system in which information and software This article is an open access article distributed under the terms and technologies combine with mechanical components to deliver and exchange data as well as conditions of the Creative Commons monitor or control its subject by infrastructure such as the Internet in real time. The UAV Attribution (CC BY) license (https:// network incorporates communications devices, computing functions, and control modules creativecommons.org/licenses/by/ to form a single closed loop from data recognition, information exchange, decision making, 4.0/).

Sensors 2021, 21, 1369. https://doi.org/10.3390/s21041369 https://www.mdpi.com/journal/sensors Sensors 2021, 21, 1369 2 of 20

Sensors 2021, 21, 1369 2 of 19 decision making, to final execution, and it can be referred to as a CPS. In these CPSs, studies on system vulnerabilities, one of which is vulnerability in the network, are actively tounderway final execution, [6–10]. and it can be referred to as a CPS. In these CPSs, studies on system vulnerabilities,Robot Operating one of whichSystem is (ROS) vulnerability is the middl in theeware network, for robot are actively software underway development. [6–10]. UnlikeRobot the operating Operating systems System us (ROS)ed in iscomputers, the middleware ROS provides for robot services software such development. as hardware Unlikeabstraction, the operating low-level systems device control, used in computers,and message ROS delivery provides between services processes such as for hardware system abstraction,operation. It low-level is used in device various control, robot andindustries message and delivery research between fields due processes to its advantages for system operation.such as active It is community used in various and robotefficient industries development. and research In an fieldsUAS, dueROS to is its installed advantages and suchused ason active the UAV community exterior and board efficient for advanced development. operations In an UAS,such as ROS autonomous is installed and usedclus- ontered the UAV. UAV However, exterior board ROS forlacks advanced design for operations system security. such as autonomous Basic safety andtools clustered are pro- UAV.vided, However, but these tools ROS focus lacks on design system for failur systeme, such security. as time Basic sync safetyhronization tools areand provided, program butpart theseaccuracy; tools there focus are on no system measures failure, for suchsystem as attacks. time synchronization and program part accuracy;In this there paper, are we no measuresexplain the for vulnerability system attacks. in an ROS-based UAV and propose a se- curityIn framework this paper, to we solve explain it. Section the vulnerability 3 describes the in anvulnerabilities ROS-based UAVin ROS-based and propose UAVs a securityand how framework attacks are to planned solve it. using Section them.3 describes Section the 4 describes vulnerabilities the studies in ROS-based and tools UAVs that andhave how been attacks undertaken are planned to address using the them. problem. Section Section4 describes 5 describes the studies the framework and tools thatpro- haveposed been for vulnerabilities undertaken to addressin ROS. theThe problem. performance Section and5 describes overhead the of frameworkthe proposed proposed frame- forwork vulnerabilities are shown in incomparison ROS. The with performance those of the and tools overhead described of the in proposedSection 4; frameworka low over- arehead shown security in comparisonsolution is proposed with those that of can the toolsaddress described vulnerabilities in Section in 4ROS.; a low Section overhead 6 de- securityscribes the solution proposed is proposed security thatframework can address with vulnerabilitiesactual implementation in ROS. and Section verification.6 describes the proposed security framework with actual implementation and verification. 2. Background 2. Background 2.1. Unmanned Aerial System (UAS) UAS is aa genericgeneric termterm usedused to to denote denote the the combination combination of of a dronea drone and and a grounda ground control con- stationtrol station (GCS), (GCS), as well as well as the as communication the communicat systemion system between between the two. the Atwo. drone A drone refers refers to an aircraftto an aircraft that flies that automatically flies automatically or in semiautomaticor in semiautomatic mode withoutmode without a real pilota real on pilot board. on Itboard. performs It performs its missions its missions by controlling by controlling its altitude its altitude and position and position through through an internal an internal flight controller.flight controller. The flight The flight mission mission is performed is performed either either by transmission by transmission from from the the GCS GCS or byor built-inby built-in algorithms. algorithms. The The conventional conventional media media used used for for communication communication are are RC RC transmitters, transmit- Bluetooth,ters, Bluetooth, Wi-Fi, Wi-Fi, and and radio. radio. Drones Drones can can send send and and receive receive commands commands and andstatus status fromfrom the GCS through these media using the MAVLinkMAVLink messagemessage protocolprotocol [[11].11]. MAVLink isis aa light messaging messaging protocol protocol for for onboard onboard communica communicationtion or or components components of of drones. drones. It can It can be beimplemented implemented in 14 in 14languages, languages, including including C and C and C++; C++; various various high-level high-level APIs APIs exist exist for forin- interactionteraction between between other other systems systems such such as as drones drones and and ROS. ROS. The The protocol protocol can can also be usedused by at least seven GCS software programs (e.g., QGroundControl andand MissionMission Planner)Planner) toto communicate with the drone. Figure 11 showsshows thethe MAVLinkMAVLink protocol protocol message. message. FigureFigure2 2 shows QGroundControl, an illustrative GCS in UASUAS configuration.configuration. Figure 33 shows shows thethe UAV usedused inin thisthis paper.paper.

Figure 1. MAVLink protocol messagemessage [[12].12].

Sensors 2021, 21, 1369 3 of 19 SensorsSensors 2021 2021, ,21 21, ,1369 1369 3 of 203 of 20

FigureFigure 2. QGroundControl as as the the ground ground control control station station (GCS). (GCS). Figure 2. QGroundControl as the ground control station (GCS).

Figure 3. Unmanned aerial vehicle (UAV). Figure2.2.Figure Robot 3.3.Unmanned Unmanned Operating aerialSystemaerial vehiclevehicle (ROS) (UAV). (UAV). As mentioned earlier, ROS is the middleware for robot software development [13]. 2.2.2.2. RobotRobot OperatingOperating SystemSystem (ROS)(ROS) Unlike the operating systems used in computers, it provides services such as hardware abstraction,AsAs mentionedmentioned low-level earlier,earlier, device ROSROScontrol, isis the theand middlewaremiddleware message delivery forfor robotrobot between softwaresoftware processes developmentdevelopment for system [ [13].13]. Unlikeoperation.Unlike thethe For operatingoperating asynchronous systemssystems communication usedused inin computers,computer in ROS,s, itit providestheprovides publisher-subscriber servicesservices suchsuch as modelas hardwarehardware is abstraction,adopted;abstraction, the low-level low-leveltopic field devicedevice is used control,control, for communication andand messagemessage deliverybetweendelivery the betweenbetween publisher processesprocesses and the for for sub- system system operation.scriber.operation. Figure ForFor 4 asynchronous asynchronousshows the structured communicationcommunication model of ROS. inin ROS,ROS, The ROS thethe publisher-subscriber consistspublisher-subscriber of the master, modelpub-model isis adopted;lisher,adopted; and the the subscriber topic topic ﬁeld field node. is usedis The used for master for communication communication node connects between the between subscriber the publisher the node publisher to and the the publisher and subscriber. the sub- Figurenodescriber. that4 shows Figure wants the 4 access shows structured to the a specific structured model topic. of ROS.model With The theof ROSROS. help consists ofThe the ROS master of consists the node, master, of the the publisher, connected master, andpub- subscriberpublisherlisher, and and node. subscriber subscriber The master node. nodes The node will master connects be able node to the sendconnects subscriber and receivethe nodesubscriber the to desired the node publisher data to the through node publisher that wantsthenode topic. that access wants to a access speciﬁc to topic. a specific With topic. the help With of the the help master of the node, master the connected node, the publisherconnected andpublisher subscriber and subscriber nodes will nodes be able will to send be able and to receive send and the receive desired the data desired through data the through topic. the topic. 2.3. Rosbridge Rosbridge is a package of ROS that allows us to use topics and services in ROS even if the client does not have ROS installed. This is possible because the JSON-based rosbridge protocol is used on the server with ROS installed. When a rosbridge server that communicates with WebSocket on the ROS server side is executed, it is possible to communicate with the node of the ROS server through various front-end devices such as the web browser, and the service is also available. Figure5 describes the concept of rosbridge [14].

Sensors 2021, 21, 1369 4 of 20

Sensors 2021, 21, 1369 4 of 19 Sensors 2021, 21, 1369 4 of 20

Figure 4. Robot operating system (ROS) structure.

2.3. Rosbridge Rosbridge is a package of ROS that allows us to use topics and services in ROS even if the client does not have ROS installed. This is possible because the JSON-based rosbridge protocol is used on the server with ROS installed. When a rosbridge server that communicates with WebSocket on the ROS server side is executed, it is possible to communicate with the node of the ROS server through various front-end devices such as the web browser, and the service is also available. Figure 5 describes the concept of rosbridge FigureFigure 4. 4.Robot Robot operating operating system system (ROS) (ROS) structure. structure. [14]. 2.3. Rosbridge Rosbridge is a package of ROS that allows us to use topics and services in ROS even if the client does not have ROS installed. This is possible because the JSON-based rosbridge protocol is used on the server with ROS installed. When a rosbridge server that communicates with WebSocket on the ROS server side is executed, it is possible to communicate with the node of the ROS server through various front-end devices such as the web browser, and the service is also available. Figure 5 describes the concept of rosbridge [14].

Figure 5. Rosbridge concept. Figure 5. Rosbridge concept.

2.4. Safety Tool of ROS 2.4. Safety Tool of ROS To ensure the safeTo ensure operation the safeof ROS, operation there are of ROS, several there services are several that are services provided that by are provided by ROS. The ROSROS. team Theis aware ROS teamthat because is aware of that the becausenature of of the the current nature system, of the current the system system, the system can be attackedcan due be to attacked vulnerabilities due to vulnerabilitiesin the network. in To the address network. this, To they address proposed this, they a proposed a method which methodis not a direct which function is not a directof ROS function but a part of ROSof the but configuration a part of the of configuration the network of the network used for ROS [15].used They for ROS suggest [15]. restricting They suggest access restricting to the network access and to thenot networkdisclosing and the not disclosing ROS master. TheretheFigure ROS are 5. two Rosbridge master. strategies There concept. for are achieving two strategies this. The for first achieving method this. involves The restrict- first method involves ing hosts that restrictingcan access hoststhe system. that can For access exam theple, system. there are For ways example, to create there isolated are ways net- to create isolated works or use firewalls.networks2.4. Safety The or Tool use second of firewalls. ROS method The involves second method giving involvesorders to giving authenticate orders tousers authenticate users before allowingbefore themTo allowingaccess ensure to themthe system.safe access operation However, to the system.of ROS, these However,there methods are several theseare not methods servicesimplemented are that not are implemented provided by within ROS; rather,withinROS. the The ROS; role ROS rather, of teamprotecting the is roleaware ROS of protectingthat is given because to ROS networkof isthe given nature settings to networkof the outside current settings ROS. system, outside the ROS. system By default,can message Bybe default,attacked filtering message due is toperformed vulnerabilities filtering through is performed in thesethe network. throughthree functions To these address three [16]. this, functionsFirst, they proposed [16]. First, a there is a subscribertheremethod isthat a which subscriberacts as is nota top-level a that direct acts filter;function as ait top-levelforwards of ROS but filter;messages a part it forwardsof from the configuration ROS messages to con- of from the ROSnetwork to nected filters. Second,connectedused for the ROS filters. time [15]. Second,synchronizatio They thesuggest timen synchronizationrestrictingfilter serves access to synchronize filter to the serves network to synchronizethe and same not disclosing to the same the channelsROS master. by referring There are to two the timestrategies stamp for in achieving the headers this. of The the receivingfirst method channels. involves The restrict- third functioning hosts is that the timecan access sequencer. the system. The time For sequencer example, filter there ensures are ways that to callbacks create isolated are made net- inworks temporal or use order firewalls. according The tosecond the header method timestamp involves ofgiving the message. orders to When authenticate operating users a robotbefore system, allowing the them corresponding access to the node system. may However, not be able these to processmethods the are message not implemented on time, owingwithin to ROS; various rather, factors the role at the of timeprotecting the message ROS is was given generated. to network When settings operating outside a robotROS. that requiresBy default, time-sensitive message filtering command is performed input, the messagethrough these filter allowsthree functions the message [16]. to First, be processedthere is a sequentially.subscriber that acts as a top-level filter; it forwards messages from ROS to connected filters. Second, the time synchronization filter serves to synchronize to the same

Sensors 2021, 21, 1369 5 of 19

ROS also provides a tool to prepare for system failures. The Watchdog timer is a tool used for high reliability systems [17], and it is implemented in ROS. The Watchdog timer monitors the CPU and restores the system to normal conditions when abnormal or infinite loops occur. While ROS provides a Watchdog timer for these functions, it only provides the detection function and entrusts developers with a way to reconfigure the system. The subsequent version of ROS, ROS2, introduced the concept of a management node, also called the lifecycle node [18]. It is designed for the enhanced control of the state of the ROS system. There are four node states: unconfigured, inactive, active, and finalized. Seven switching actions can be performed: create, configure, cleanup, activate, deactivate, shutdown, and destroy. When a switching operation is performed, it goes through six switching states: configuring, cleaning up, shutting down, activating, deactivating, and error processing. This node state transition is introduced to enhance the overall security of ROS. Recently, ROS2 was officially released, and the biggest difference and feature of the previous version is the adoption of the Data Distribution Service (DDS) as middleware. DDS has several security requirements, including authentication, access control, and cryptographic operations [19]. This shows that security is important for mission-critical ROS environments. However, since ROS and ROS2 are incompatible with each other in a native environment, security issues still remain in systems using ROS.

3. Vulnerability Deﬁnition of UAV Using ROS This section introduces the types of network attacks occurring in CPSs and the vulnerabilities that exist in the communication mechanisms of UAVs using the current version of ROS.

3.1. Model of ROS-Based UAS Advanced operations in UAVs require hardware and software capable of additional computing functions as well as flight controllers. The ability to provide additional assis- tance to the flight using information and computing power outside the flight controller is called offboard mode. The UAS assumed in this paper has a structure in which offboard computers are connected to the flight controller and communicate with each other. In addition, offboard computers support communication between flight controllers, external sensors, and offboard computers via ROS. Figure6 schematizes the UAS with the aforementioned communication architecture from a CPS perspective. As with the CPS, this figure incorporates the plant, sensor, controller, and actuator to form a closed loop from data recognition, information exchange, decision making, to final execution. The red box indicates the part to which ROS is applied. ROS is middleware for the development of robot software. This allows for the configuration of a UAS. The ROS adopted a publisher–subscriber (pub-sub) model for communication between each component that forms the robot. It is a structure in which two nodes, which exchange node information with the help of the master node, send messages through the publishing and subscribing functions as needed. ROS provides MAVROS, a MAVLink expandable communication node. This allows the UAV to receive the data needed for the flight over the ROS. Figure7, the system model of UAV with ROS through the aforementioned procedure. The /sensor node present in the external sensor publishes the message to the /process node in the offboard computer using /topic. /Process nodes deliver command messages for UAV control to /MAVROS node based on sensor data. /MAVROS node forwards the data to the flight controller via MAVLink. Sensors 2021, 21, 1369 6 of 20

Sensors 2021, 21, 1369Sensors 2021, 21, 1369 6 of 20 6 of 19

Figure 6. Feedback loop in an unmanned aerial system (UAS).

Figure 7, the system model of UAV with ROS through the aforementioned procedure. The /sensor node present in the external sensor publishes the message to the /process node in the offboard computer using /topic. /Process nodes deliver command messages for UAV control to /MAVROS node based on sensor data. /MAVROS node forwards the data Figure 6. Feedback loop in an unmanned aerial system (UAS). Figureto the 6.flight Feedback controller loop in via an MAVLink.unmanned aerial system (UAS).

Figure 7. System Model of UAV with ROS. Figure 7. System Model of UAV with ROS. 3.2. Vulnerability of ROS-Based UAS 3.2. Vulnerability of ROS-BasedTable1 defines UAS the terms for each component in ROS. As explained in Section 2.4, Table 1 definesROS does the terms not have for each fundamental component security in ROS. elements; As explained hence, in malicious Section 2.4, nodes other than ROS does not havenormal fundamental nodes can security easily be elements; connected. hence, It is easymalicious to break nodes into other the network; than nor- moreover, there mal nodes can iseasily a possibility be connected. of masquerade It is easy to attacks break into and the false network; data injection. moreover, Once there the is PA (i.e., attack Figurea possibility 7. System of publisher) Modelmasquerade of UAV is able attackswith to ROS. configure and false communicationdata injection. Once with theS (subscriber) PA (i.e., attack about pub-T (topic) through lisher) is able tothe configure master node,communication the false data, withmsg S (subscriber)PAST, can be about sent toT S(topic). If the through attack is the made, the flight 3.2.master Vulnerability node, thecontroller of false ROS-Based data, will msg notUASPAST be , able can tobe control sent to the S. If exact the attack position is andmade, altitude the flight in a givencon- environment, trollerTable will 1 not definesthus be able allowingthe to terms control the for attacker theeach exact component to position destroy in theand ROS. system. altitude As explained in a given in environment, Section 2.4, ROSthus does allowing not have the attackerfundamental to destroy security the elements; system. hence, malicious nodes other than normal nodesThere can are easily Tablethree 1.reasonsbeThe connected. terms why used such It inis attackseasy ROS. to arebreak possible. into the First, network; the master moreover, node doesthere not is check whether the node making the request is a normal node or a malicious node. This a possibility of masquerade attacksTerms and false data injection. Once the PA Concept (i.e., attack publisher)allows is an able attacker to configure to gain communicationunauthorized access with toS (subscriber)ROS. Hence, about this enables T (topic) attacks through such the as T Topic mastereavesdropping node, the or false masquerade. data, msg PAST, can be sent to S. If the attack is made, the flight con- P Publisher to send information about a particular topic troller will not be able to controlS the exact positionSubscriber and altitude to receive in a informationgiven environment, about a particular topic thus allowing the attacker to destroyA the system. Attacker node There are three reasons msgwhyPST such attacks are possible. First,Message the master between nodeP and doesS for notT check whether the node makingmsgPAST the request is a normal nodeMessage or a malicious between PA node.and SThisfor T allows an attacker to gain unauthorizedmsgPSAT access to ROS. Hence,Message this enables between attacksP and suchSA for asT eavesdropping or masquerade. There are three reasons why such attacks are possible. First, the master node does not check whether the node making the request is a normal node or a malicious node. This allows an attacker to gain unauthorized access to ROS. Hence, this enables attacks such as eavesdropping or masquerade.

Sensors 2021, 21, 1369 7 of 19

Second, the master node does not check whether data from connected nodes through monitoring is within the acceptable range of the system. In any command, dropping data that exceeds a user-defined threshold protects the system from malicious false data injection. However, when an attack is authorized within the scope, the system cannot defend itself. Third, the system does not guarantee the integrity of messages transmitted in ROS. If the system ensures that the data are authorized and not changed, it can protect itself against active attacks such as masquerade and injection attacks. Active attacks, unlike passive attacks that only eavesdrop on systems, hurt integrity and availability, and they directly affect the flight of UAVs in a short time. The second problem above can be covered if the data integrity check is satisfied. Checking data integrity can also protect the system against masquerade attacks. The most effective attacks on the system in UAS operation are the active attacks that change the system, such as masquerade, injection, replay, etc. To protect the system against this, we need a solution that can solve the aforementioned problems. In addition, the method should not have large overheads and not obstruct the flight. We propose a security framework that addresses vulnerabilities in ROS-based UAS and has low overhead.

4. Related Work In this section, we discuss the studies that were conducted to ensure the security of UAVs. First, we present the studies for a ROS-based system. For each study, the method and direction of security application for authentication, authorization, and message verification areas are discussed. Jeff Huang et al. [20] proposed ROSRV, a runtime verification framework for ROS- based robot applications. A node called ROSRV is placed under the master node. The node that needs to be registered as a publisher or subscriber node is identified and is connected to the other node. The second function then places the monitoring node between all publishers and subscribers within the ROS to drop commands or messages outside the user-specified range. The two functions satisfy the requirements of authorization and message verification. Thus, this can address the first and second vulnerabilities described in Section 3.2 at present. However, there are several reasons why it is difficult to apply this to UAVs, and these points are covered in Section5. Russell Toris et al. [21] proposed rosauth, an authentication service to enhance the security of the connection of nonnative clients in ROS. As mentioned, there is a package called rosbridge in ROS that allows clients to communicate synchronously and asynchronously with ROS, even if not in an ROS environment. The author proposed a method of authenticating whether the client accessing the ROS server using the message authentication code (MAC) is an authorized node. This project can solve the first vulnerability mentioned in Section 3.2. However, the nodes are verified using MAC only at the point of client connection. It does not guarantee the security for message tampering that occurs after the connection. In other words, it does not guarantee data integrity, the most important vulnerability in ROS-based UAS. Bernhard Dieber et al. [22] treated ROS as a black box and used an authentication server (AS) to ensure communication between authorized nodes. In this approach, the publisher receives a key from the AS, encrypts, signs it with the message, and then forwards it to the subscriber. The subscriber can decode and verify whether the message has been tampered with. However, every time we send a message, we have two encryption overheads and a decryption overhead. Furthermore, RSA (Rivest-Shamir-Adleman) signatures are slow. Roland Dóczi et al. [23] proposed a security enhancement solution for ROS-based medical surgical robots. The author used authorization and authentication (AA) to eliminate security problems arising from ROS. They implemented an AA node for the AA function. The node receives its name and password from the connection request node, checks the DB, and passes the key if the information is the correct. The node then requests the master Sensors 2021, 21, 1369 8 of 19

node to connect with the other node along with the key; the master node sends the key to AA to verify that it is a valid node. However, methods of authenticating using names and passwords can easily be overridden by attackers. Ruffin White et al. [24] proposed SROS. SROS is a set of security enhancements for ROS, such as native TLS support for all socket transport within ROS, the use of x.509 certificates permitting chains of trust, definable namespace globbing for ROS node restrictions and permitted roles, as well as covenant user-space tooling to auto generate node key pairs, audit ROS networks, and construct/train access control policies. However, it is currently in an experimental development phase, and developers warn that it should not be considered as production-grade. Moreover, it is also not available to developers who use other languages because it is considered only for python development. Manuel J. Fernandez et al. [25] used Elliptic Curve Digital Signature Algorithm (ECDSA)-based digital signatures to eliminate the security problem of communication between GCS and UAVs. ECDSA is a digital signature method based on elliptic curve encryption, and it can achieve the same level of security performance as RSA with smaller keys. Systems applying the method can address the most important security issues for the flight of UAVs by satisfying the part about message validation. The point of protecting the system through digital signatures in their study has a similar direction as our work. However, it has a concept of securing data from GCS and does not guarantee behavior in nonnative environments. Furthermore, as much as we deal with time-sensitive UAVs, we can compare the corresponding method with our proposed framework in terms of overhead. In Section 5.3.1, we compare ECDSA with the overhead of digital signatures based on SHA-256. In addition, the security of UAV is also studied in other layers of communication. We discuss securing the UAV communications in the physical layer. Guangchi Zhang et al. [26] studied how to secure UAV-to-ground (U2G) and ground-to-UAV (G2U) communications by jointly optimizing the UAV’s trajectory to maximize the average secrecy rates of the U2G and G2U transmissions. Andrey V. Savkin et al. [27] studied the wireless communication security between a UAV to the ground node by the online planning of a UAV’s 3D trajectory. For that, they proposed a new navigation scheme with proven optimization and developed a model predictive control algorithm. Huici Wu et al. [28] developed an analytical framework for analyzing secrecy coverage performance and secrecy capacity performance. For that, they investigated secrecy performance in the air-to-ground wiretap system by considering the unique features of the UAV communication platform.

5. Proposed Method The work was carried out in an environment with MAVROS, an extension package for UAV in ROS (see Section3 for details). We found that the vulnerability of ROS makes the ROS-based UAS vulnerable. To solve this, we implemented security measures in the master, publisher, and subscriber nodes. This does not address all security issues in the system, but it ensures that the two security issues that are key to UAS operation are dealt with (see Section4 for details), 1. Unauthorized users registering nodes on the system without permission 2. Unauthorized registered node infusing incorrect data and affecting drone ﬂight. Message transmission in the current ROS has the following procedure. There is the S-node that receives information about a particular topic T. P-node tries to transmit information about T and thus attempts to connect with the node that receives the T through the master node. The master node connects P to S. P broadcasts msgPST and delivers it to S. Then, S receives the information and performs calculations to control the UAV. The procedure unconditionally trusts the node and operates the robot. Thus, if a PA-node (i.e., the node that publishes the wrong data) accesses the system, the following occurs. PA requests a connection to the master node with a node that receives information for a speciﬁc topic T. The PA connected to the system injects the wrong data, i.e., msgPAST, into the S at a faster rate than P. S does not recognize that the data are incorrect and uses that data to Sensors 2021, 21, 1369 9 of 20

1. Unauthorized users registering nodes on the system without permission 2. Unauthorized registered node infusing incorrect data and affecting drone flight. Message transmission in the current ROS has the following procedure. There is the S-node that receives information about a particular topic T. P-node tries to transmit information about T and thus attempts to connect with the node that receives the T through the master node. The master node connects P to S. P broadcasts msgPST and delivers it to S. Then, S receives the information and performs calculations to control the UAV. The procedure unconditionally trusts the node and operates the robot. Thus, if a PA-node (i.e., Sensors 2021, 21, 1369 the node that publishes the wrong data) accesses the system, the following occurs.9 ofPA 19 requests a connection to the master node with a node that receives information for a specific topic T. The PA connected to the system injects the wrong data, i.e., msgPAST, into the S at a faster rate than P. S does not recognize that the data are incorrect and uses that data tocontrol control UAVs. UAVs. The The current current procedure procedure cannot cannot determine determinewhether whether thethe nodenode that requests registrationregistration to the the master master is is an an authorized authorized node node.. It It is is also also not not known known whether whether the the data data that that areare being being transmitted transmitted are are modulated modulated or or are are from an accredited node. For For this reason, we proposepropose a a security framework framework for for ROS-based ROS-based UA UASS to to implement implement a a UAS UAS that is safe from suchsuch intrusions. intrusions. ROS ROS with with frameworks frameworks can can be be schematized schematized as as shown shown in in Figure Figure 88.. TableTable2 2 deﬁnes the terms for each component of the proposed framework. defines the terms for each component of the proposed framework.

FigureFigure 8. 8. ProposedProposed access access control control procedures. procedures.

Table 2. The terms used in the framework. Table 2. The terms used in the framework. Terms Concept Terms Concept ACT Access list for P and S accessing specific topic T d(X) ACT AccessDigest list for Pforand nodeS accessing X speciﬁc topic T d(X) Digest for node X H(k, msg)H(k, msg) Getting aGetting hash of a hashthe message of the message (msg) (usingmsg) using a key a ( keyk) (k) Pname, SPnamename ,Sname Node nameNode of name P and of PSand S Sign(k, Sign(k,msg) msg) DigitallyDigitally signing signingfor message for message msg usingmsg using the key the keyk k Verify(s)Verify(s) VerificationVeriﬁcation process process for signed for signed data datas. s.

5.1.5.1. Registration Registration of of a a New New Node Node AccessAccess control control is is the the function function of of allowing allowing or or denying denying someone someone the the use use of of a a resource. resource. WeWe applyapply accessaccess control control to to ROS, ROS, thus thus preventing preventing unauthorized unauthorized system system registration registration of nodes. of nodes.ACT means a list of access rights for nodes accessing a particular topic T. This includes nodesACT with means access a tolistT ofand access can berights expressed for nodes as ACT accessing = [x, y, a z ].particular Here, d(P) topicand Td(S). Thismean in- cludesdigests nodes for P and withS accessrespectively, to T and and cand(P) becan expressed be expressed as ACT in H(k,= [x, Py,name z]. ||T)Here,. Thed(P) ROS and withd(S) meanaccess digests control for registers P andthe S respectively, node usingthe and following d(P) can procedure:be expressed in H(k, Pname||T). The ROS1. withAll publishers access control and registers subscribers the accessingnode using a speciﬁcthe following topic T procedure: before ROS operation are 1. Alllisted publishers and recorded and subscribers in ACT. The accessing information a specific recorded topic in TACT beforeis d(P) ROSand operationd(S), which are listedare digests and recorded of P and inS. TheACT reason. The information for recording recorded the digest in is ACT to make is d(P) it impossible and d(S), which for an attacker to masquerade itself as a node that sees the digest and has authority over T. 2. P requests the master node to register P as a publisher of T. 3. The master node obtains d(P), which is the digest for P. 4. The master checks whether the digest is in ACT. If there is digest in ACT, P is allowed to publish to T. Figure8 is a diagram showing the registration procedures of the ROS with added access control. Sensors 2021, 21, 1369 10 of 19

5.2. Signature with HMAC A digital signature is a security tool that uses encryption for data integrity, authentication and denial prevention. Generally, when key sharing is not possible, we use a digital signature using RSA or ECDSA. This means that when a message is signed and sent by the private key, the receiver verifies the message with the public key. In addition to RSA, there is also a signature method using the hash-based message authentication code (HMAC). If the network is in an environment that does not require key exchange, HMAC has many advantages over using RSA and ECDSA. First of all, it is very fast to sign and verify, and it is simple to implement. It also has advantages in safety issues. A characteristic of ECDSA is that for the hash function used, it must be collision-resistant, but the HMAC does not have such a characteristic. Given these characteristics, digital signatures using HMAC are more advantageous than RSA and ECDSA in networks operating UAS. Therefore, we ensure data integrity by using HMAC to sign messages sent from ROS. H(k, msg) obtains digests for the message (msg) using the key k. At this time, k should be exchanged between transceivers in advance. There are several types of hash functions, but SHA-256 was used in the solution. The SHA-256 algorithm used in the experiments is impossible to break while operating the UAS. Even if an attacker takes the time to find out what the hash is, it is also impossible for the actual system to fail because of the short cycle in which the key k is exchanged. The hash function can be used as the agreed function between the sender and receiver. Here, a||b means the connection between the letters a and b. For example, the result of a||b is “ab”. The subscriber and publisher of ROS, where the verification process has been added, sends and receives data through the following procedure: 1. S and P for a specific topic T make a registration request to the Master node. 2. P performs a signature on msgPST. Sign(k, msgPST), the signature procedure, means H(k, msgPST)||msgPST. 3. P, which carried out the signature, sends s = Sign(k, msgPST) to S. 4. S performs a Verify(s) on the received s. 5. Separate s = H(k, msgPST)||msgPST from H(k, msgPST) and msgPST. 6. For separated msgPST, perform H(k, msgPST) using a preshared key k, where k is the same symmetric key used by P. 7. Compare the two H(k, msgPST) and inspect them for the same value. 8. If there is no problem with msgPST, use that data. Sensors 2021, 21, 1369 11 of 20 Figure9 is a diagram showing the data transmission procedures of the ROS with the added verification.

Figure 9. Proposed signature procedures.

5.3. Performance and Conceptual Comparison 5.3.1. Encryption Overhead The proposed security framework has additional features to address vulnerabilities in the existing ROS. This function results in additional overhead for data size and computation. First, the computational overhead that occurs during access control execution occurs once upon initial connection, so it does not affect UAV operation. However, for signatures that use HMAC, data overhead and computational overhead exist for each transfer. Previously studied [22] and [25] also used cryptographic methods to address vulnerabilities in ROS, and there exists overhead for them. First of all, for data overhead, existing 69-byte size geometry_msgs/PoseStamped messages have 256 bytes of overhead when using RSA-2048 signatures, as in [22]. Using 256-bit ECDSA signatures used in [25] results in 64 bytes of overhead. The computational overhead indicates how long it takes to perform an encryption. Figure 10 is the benchmarking result using the crypto++ library, with RSA-2048 taking 2.32 ms to sign and 0.05 ms to verify. ECDSA takes 1.03 ms to sign and 0.82 ms to verify. With HMAC digital signatures used in our proposed framework, the data overhead is 32 bytes. For computational overhead, 295 MiB per second can be processed when using 128-bit keys. This means that it takes 0.0029 ms to process 101 bytes of data that combines the original message with the data overhead. Because digital signatures using HMAC use symmetric keys, verifying takes the same amount of time as signing. Based on these results, we can see that the proposed security framework has very little overhead compared to the existing studied systems and has little impact on the performance of the existing ROS.

Sensors 2021, 21, 1369 11 of 19

5.3. Performance and Conceptual Comparison 5.3.1. Encryption Overhead The proposed security framework has additional features to address vulnerabilities in the existing ROS. This function results in additional overhead for data size and computation. First, the computational overhead that occurs during access control execution occurs once upon initial connection, so it does not affect UAV operation. However, for signatures that use HMAC, data overhead and computational overhead exist for each transfer. Previously studied [22,25] also used cryptographic methods to address vulnerabilities in ROS, and there exists overhead for them. First of all, for data overhead, existing 69-byte size geometry_msgs/PoseStamped messages have 256 bytes of overhead when using RSA- 2048 signatures, as in [22]. Using 256-bit ECDSA signatures used in [25] results in 64 bytes of overhead. The computational overhead indicates how long it takes to perform an encryption. Figure 10 is the benchmarking result using the crypto++ library, with RSA-2048 taking 2.32 ms to sign and 0.05 ms to verify. ECDSA takes 1.03 ms to sign and 0.82 ms to verify. With HMAC digital signatures used in our proposed framework, the data overhead is 32 bytes. For computational overhead, 295 MiB per second can be processed when using 128-bit keys. This means that it takes 0.0029 ms to process 101 bytes of data that combines the original message with the data overhead. Because digital signatures using HMAC use symmetric keys, verifying takes the same amount of time as signing. Based on these results, we can see that the proposed security framework has very Sensors 2021, 21, 1369 little overhead compared to the existing studied systems and has little impact on12 theof 20

performance of the existing ROS.

FigureFigure 10. 10.Digital Digital signaturesignature benchmarkbenchmark result. result.

5.3.2.5.3.2. TheThe UseUse ofof MACMAC WeWe ensured ensured integrity integrity through through veriﬁcation verification of of the the data data transmitted transmitted within within the the system system usingusing MAC. MAC. Similarly, Similarly, rosauth rosauth [21 [21]] in in Section Section4 wanted 4 wanted to useto use MAC MAC to improve to improve the securitythe secu- ofrity ROS. of ROS. However, However, its use its is differentuse is different from the from one inthe this one study. in this In previousstudy. In work, previous MAC work, was usedMAC in was a nonnative used in a environment nonnative environment early in the connectionearly in the to connection enable clients to enable to authenticate clients to themselvesauthenticate with themselves the server with as the validated server as clients. validated However, clients. as However, there is no as solutionthere is no for solu- the integritytion for the of the integrity data transmitted, of the data thetransmitted, system will the be system breached will ifbe an breached attacker if attempts an attacker an MITMattempts attack an onMITM an already attack connectedon an already channel. connected Conversely, channel. the frameworkConversely, proposed the framework in this studyproposed uses in MAC this tostudy ensure uses data MAC integrity to ensure and authenticationdata integrity and with authentication each transmission with since each thetransmission beginning ofsince the the connection. beginning In addition,of the conne onlyction. nodes In authorized addition, only through nodes access authorized control canthrough be registered. access control Furthermore, can be registered. the proposed Furthermore, framework the can proposed be secured framework in a nonnative can be environment,secured in a nonnative similar to theirenvironm study.ent, This similar is demonstrated to their study. in Section This is6 demonstratedwith an experiment. in Sec- tion 6 with an experiment.

5.3.3. Message Verification Performance In our proposed framework, we can verify the presence of abnormalities in messages using HMAC digital signatures. Similarly, the ROSRV [20] in Section 4 differs from our method. Even though the authors studied message verification, there are some limitations to this solution. First, for monitoring purposes, the monitoring node between the publisher and the subscriber verifies the message. This will take twice the transmission time in the existing publisher–subscriber model. The second is that if a large number of nodes are connected to a centralized ROSRV, there will be a delay in the monitoring node. In addition, if the data are modulated within the monitoring range, it will not be detected. The existence of two overheads and the absence of integrity make it difficult to apply ROSRV to UAS. In our proposed method, on the other hand, the sender sends the message with a digital signature, and the receiver checks the message’s digital signature to proceed with the message verification. Therefore, there is no overhead for transmission time other than the overhead described in Section 5.3.1, and there is no bottleneck in transmitting the message.

Sensors 2021, 21, 1369 12 of 19

5.3.3. Message Verification Performance In our proposed framework, we can verify the presence of abnormalities in messages using HMAC digital signatures. Similarly, the ROSRV [20] in Section4 differs from our method. Even though the authors studied message verification, there are some limitations to this solution. First, for monitoring purposes, the monitoring node between the publisher and the subscriber verifies the message. This will take twice the transmission time in the existing publisher–subscriber model. The second is that if a large number of nodes are connected to a centralized ROSRV, there will be a delay in the monitoring node. In addition, if the data are modulated within the monitoring range, it will not be detected. The existence of two overheads and the absence of integrity make it difficult to apply ROSRV to UAS. In our proposed method, on the other hand, the sender sends the message with a digital signature, and the receiver checks the message’s digital signature to proceed with the message verification. Therefore, there is no overhead for transmission time other than the overhead described in Section 5.3.1, and there is no bottleneck in transmitting the message.

6. Test This section describes an experiment that studies the consequences that can be caused by the vulnerabilities in an existing ROS-based UAS and the impact on the UAS after applying the security framework. First, we describe the experimental environment of the drones that make up the UAS for the experiment and the arrangement of the components. The results are presented with an explanation about the operation of the proposed security framework in a native ROS environment and a nonnative ROS environment.

6.1. Experiment Environment of UAS Figure 11 shows the UAS environment configured for experimentation. Pixhawk is an industry standard autopilot developed and jointly developed by 3DR Robotics and Ardupilot Group. Various robots such as RC cars, airplanes, and multicopters can be made, and firmware is provided for them using Pixhawk. We made quadcopters that belong to a class of multicopters, and we used them for the experiment. Pixhawk typically uses two firmware, i.e., Ardupilot and PX4. We used PX4 firmware that supports offboard mode in the experiment because we assumed UAS to operate advanced drones such as autonomous driving and cluster flight using offboard mode. Pixhawk uses the MAVLink protocol for communication. MAVLink is a light messaging protocol for onboard communication or components of drones. This can be implemented in 14 languages, including C and C++, and various high-level APIs exist for the interaction between other systems such as drones and ROS. The companion computer used Raspberry Pi, which is an embedded Linux-based development small computer, and Ubuntu MATE, which is a Linux-based OS, was used in the computer. In using ROS with Raspberry Pi, this setup has better compatibility on a variety of issues, such as packages and kernels. ROS stands for Robot Operating System, which is not similar to the conventional operating systems used in computers. It is a middleware concept for robot development that is installed on an OS such as Linux or Windows. We installed ROS Kinetic for the experiment. ROS supports node-to-node communication using XML-RPC and TCP. XML-RPC is an XML-based distributed system communication method that is simple and portable RPC protocol over HTTP. This is used in ROS by the publisher and the subscriber to communicate with the master node to connect with each other. When the publisher sends data for a particular topic after the connection, it serializes the data and sends the data to TCP payload. The subscriber receives the packet and receives the data by deserializing it. We use the MAVROS package, which is an ROS expansion package. This package enables MAVLink communication between Raspberry Pi and Pixhawk where ROS runs. Hence, the /mavros node, which receives data related to the flight from the publisher, forwards the data to Pixhawk through the MAVLink protocol. Upon receiving this, Pixhawk calculates flight control from the flight stack based on the corresponding data. Sensors 2021, 21, 1369 13 of 19

The overall experimental environment is described above. We conducted the experiment in this experimental environment by considering two situations. In Figure 11, two computers and one sensor that are authorized can be found attached to the ROS through the wireless network. These devices can access the ROS in a native environment or, de- pending on the intention of the user, the ROS can be accessed in a nonnative environment. In these two environments, the approach to ROS is as follows: First of all, if the client is in a native ROS environment, the client has ROS installed, and by running the launch ﬁle, the client accesses the ROS server and creates a node. If the client is in a nonnative ROS environment, the client does not have ROS installed and requests the master to connect to the communication for a particular topic on the front-end implemented with the roslibjs Sensors 2021, 21, 1369 library. After connection, the client encodes the data in JSON and sends14 of 20 the data to the rosbridge server. On the server side, rosbridge is run, which transmits data received by clients to nodes that subscribe to the topic.

Figure 11. Experiment environment.Figure 11. Experiment environment.

6.2. Experiment6.2. on Native Experiment ROS onAttack Native ROS Attack This section describesThis section the modes describes of attacks the modes in native of attacks ROS and in nativethe ways ROS that and can the be ways that can used to defendbe the used native to defendROS through the native the proposed ROS through framework. the proposed The attacks framework. in the envi- The attacks in the ronment are shownenvironment in Figureare 12. First, shown the in accredited Figure 12 device. First, sends the accreditedthe data and device commands sends the data and necessary for thecommands flight to /mavros necessary via for a specif the flightic topic. to /mavros The drone via pe arforms specific normal topic. flights The drone performs based on their normaldata. At flights this time, based a malicious on their data.computer At this breaks time, into a malicious the network computer with the breaks into the aim of sabotagingnetwork the system with the and aim then of sabotaging register the the publisher system and with then the registerROS that the transmits publisher with the ROS that transmits the /mavros/local_position/pose topic. An attacker could then influence the /mavros/local_position/pose topic. An attacker could then influence the flight path of the flight path of the drone by means of the corresponding topic. This experiment can be the drone by means of the corresponding topic. This experiment can be found in [29,30]. found in [29,30]. The actual experiment was conducted by flying a normal drone driving at a height The actual experiment was conducted by flying a normal drone driving at a height of of 2 m while considering the drone, property, and human casualties, and by returning the 2 m while considering the drone, property, and human casualties, and by returning the drone to its starting point. Figure 13 shows the state of the UAV during an attack. The X- drone to its starting point. Figure 13 shows the state of the UAV during an attack. The X- and Y-axis in Figure 13 denote the time and the altitude of the drone, respectively. It can and Y-axis in Figure 13 denote the time and the altitude of the drone, respectively. It can be be seen in the figure that up to the 30 s point, only the accredited node approaches the seen in the figure that up to the 30 s point, only the accredited node approaches the ROS ROS and transmits the /mavros/local_position/force topic, resulting in a 2 m high UAV and transmits the /mavros/local_position/force topic, resulting in a 2 m high UAV flight. flight. After that, the attacker node can then approach the ROS and inject itself into the After that, the attacker node can then approach the ROS and inject itself into the UAV to fly UAV to fly the drone at an altitude of 0 m to confirm that the altitude of the UAV is slowly the drone at an altitude of 0 m to confirm that the altitude of the UAV is slowly converging converging at 0at m. 0 m. The reason for Thethis reasonattack is for the this lack attack of verification is the lack and of data verification integrity and for newly data integrity reg- for newly istered nodes. registeredWe apply nodes.a security We applyframework a security to the framework existing ROS to the for existing it to defend ROS for itself it to defend itself against such attacks.against Figure such attacks.14 shows Figure how 14HM showsAC is howapplied HMAC to ROS is applied to send to and ROS receive to send and receive data. The frameworkdata. The is applied framework to each is applied computer to each running computer publisher running and publisherto the computer and to the computer running MAVROS. We demonstrate through experiments that UAV with these security frameworks have no impact on existing methods of attack Figure 15 shows the state of the UAV during an attack in the same scenario as the above. An attack was made near 30 s, but it can be confirmed that the UAV flies at an altitude of 2 m until the experiment is over.

Sensors 2021, 21, 1369 14 of 19

running MAVROS. We demonstrate through experiments that UAV with these security frameworks have no impact on existing methods of attack Figure 15 shows the state of the SensorsSensors 2021 2021, 21,, 211369, 1369 15 of15 20 of 20 Sensors 2021, 21, 1369 UAV during an attack in the same scenario as the above. An attack was15 of made 20 near 30 s, but it can be conﬁrmed that the UAV ﬂies at an altitude of 2 m until the experiment is over.

Figure 12. Attack in native ROS. FigureFigure 12. 12.Attack Attack in nativein native ROS. ROS. Figure 12. Attack in native ROS.

2.52.5 2.5

2 2 2

1.51.5 1.5 Altitude Altitude 1 1 Altitude 1

0.50.5 0.5

0 0 0 00 1020304050 1020304050 0 1020304050 TimeTime Time

FigureFigure 13. 13.UAV UAV flight flight altitude altitude without without secu securityrity framework framework in nativein native ROS. ROS. Figure 13. UAVFigure flight 13. altitudeUAV ﬂight without altitude security without framework security in framework native ROS. in native ROS.

FigureFigure 14. 14.Security Security framework framework for for ROS. ROS. Figure 14. Security frameworkFigure for14. ROS.Security framework for ROS.

Sensors 2021, 21, 1369 16 of 20

Sensors 2021, 21, 1369 15 of 19 Sensors 2021, 21, 1369 2.5 16 of 20

2 2.5 1.5 2

Altitude 1 1.5

0.5

Altitude 1

0 0.5 0 1020304050

0 Time 0 1020304050 Figure 15. UAV flight altitude with security frameworkTime in native ROS.

Figure 15. UAV flight altitude with security framework in native ROS. 6.3. Experiment onFigure Nonnative 15. UAV ROS flight altitudeAttack with security framework in native ROS. Rosbridge is a package that enables the synchronous and asynchronous communica- 6.3.6.3. ExperimentExperiment onon NonnativeNonnative ROSROS Attack Attack tion of ROS in an environment where ROS is not installed. We implemented a web client that can use ROS usingRosbridgeRosbridge the roslibjs is is a a packagepackage library thatthat for enablesenables experiments. thethe synchronoussynchronous At this and time,and asynchronousasynchronous the server side communica-communicationtion of of ROS ROS in in an an environment environment where where ROS ROS is is not not installed. installed. We We implemented implemented a a web web client client should run rosbridge to create a node that sends data to the MAVROS. Figure 16 briefly thatthatcan can use use ROS ROS using using the the roslibjs roslibjs library library for for experiments. experiments. AtAt this this time, time, the the server server side side describes the rosbridgeshouldshould runrun used. rosbridgerosbridge For practical toto createcreate ausea node node of thatrosbridge,thatsends sends data datathree toto theapplicationsthe MAVROS. MAVROS. must Figure Figure be 16 16 briefly briefly run on the serverdescribesdescribes side. The thethe first rosbridgerosbridge is ROS, used.used. and ForFor the practicalpractical second use isuse the ofof rosbridge,rosbridgerosbridge, three server.three applications applications When the must must be be rosbridge serverrunrun receives onon thethe serveraserver message side. fromThe The first first the is isclient ROS, ROS, andregarding and the the second second which is isthe topic the rosbridge rosbridge to send, server. server. it at- When When the tempts to connecttherosbridge with rosbridge the server subscriber server receives receives receivin a message a messageg the from topic. from the the Inclient Figure client regarding regarding 16, the which corresponding which topic topic to tosend, send, it at- it subscriber is /mavros.attemptstempts toThe to connect connect third withapplication with the the subscriber subscriber is the receivin receivingweb server.g the topic.topic. The InwebIn FigureFigure server 1616,, theprovidesthe correspondingcorresponding roslibjs servicessubscriber tosubscriber clients via isis /mavros. /mavros. web pages TheThe and thirdthird helps applicationapplication them communicate isis thethe webweb server.server. indirectly TheThe web web with server server ROS provides provides through rosbridge.roslibjsroslibjs These servicesservices three to applications clients clients via via web web do pages pagesnot andnecessarily and helps helps them themhave communicate communicateto run on indirectlyone indirectly com- with with ROS ROS through rosbridge. These three applications do not necessarily have to run on one puter, and they canthrough also rosbridge.run on multiple These threeserver applications computers. do This not necessarilywill allow thehave client to run with- on one com- computer, and they can also run on multiple server computers. This will allow the client out ROS to communicateputer, and with they thecan ROSalso run installed on multiple computers. server computers. This experiment This will can allow be foundthe client with- withoutout ROS ROS to communicate to communicate with with the ROS the ROSinstalled installed computers. computers. This experiment This experiment can be can found be in [31,32]. foundin [31,32]. in [31 ,32].

Figure 16. Rosbridge diagram. Figure 16. Rosbridge diagram. Figure 16. Rosbridge diagram. TheThe attack attack and and defense defense experiments experiments in in nonnative nonnative environments, environments, as in as previous in previous experi- ex- The attackments, periments,and defense proceeded proceeded experiments with anwith attack an in attack thatnonna lowered thattive lowe environments, thered UAV the ﬂying UAV at flyingas certain in atprevious certain altitudes altitudes ex- to 0 m and to 0 periments, proceededam scenario and awith scenario that an defended attack that defended that them. lowe Figure them.red Figure17the shows UAV 17 shows theflying method the at methodcertain of attack ofaltitudes attack in a nonnative in to a nonnative0 ROS m and a scenarioenvironment.ROS that environment. defended An attackerthem. An attacker Figure can execute 17can shows execute an unauthorized the an method unauthorized webof attack server web in server to a executenonnative to execute a malicious a malicious node on the ROS through the rosbridge server. These nodes can break UAS by ROS environment.node An on attacker the ROS throughcan execute the rosbridge an unauthorized server. These web nodes server can to breakexecute UAS a ma- by injecting licious node on the ROS through the rosbridge server. These nodes can break UAS by

Sensors 2021, 21, 1369Sensors 2021, 21, 1369 17 of 20 17 of 20

Sensors 2021, 21, 1369 16 of 19

injecting incorrectinjecting data intoincorrect the system, data into such the as system, malicious such nodes as malicious in a native nodes ROS in environ- a native ROS environment. When a userment. enters When an a altitudeuser enters in the an textaltitude box ofin athe web text page box sentof a fromweb page a web sent server, from a web server, incorrect data into the system, such as malicious nodes in a native ROS environment. When the UAV flies tothe that UAV altitude. flies to Figure that altitude. 18 shows Figure the status 18 shows of the the UAV status affected of the byUAV the affected cor- by the cor- a user enters an altitude in the text box of a web page sent from a web server, the UAV flies responding attackresponding method. attack Upon method. receiving Upon /mavros/local_position/pose receiving /mavros/local_position/pose topic data from topic data from normal web clients,to that the altitude. UAV Figure flies at 18 an shows altitude the statusof 2 m of during the UAV 30 affecteds. After by30 thes, an corresponding attacker attack method.normal Uponweb clients, receiving the /mavros/local_position/pose UAV flies at an altitude of 2 topic m during data from 30 s. normal After web30 s, clients,an attacker uses rosbridge to connect a malicious node to the ROS and inject false data to lower the theuses UAV rosbridge flies at anto connect altitude ofa malicious 2 m during node 30 s. to After the ROS 30 s, anand attacker inject false uses data rosbridge to lower to the altitude of the UAV. We performed data integrity and node verification by applying the connectaltitude a of malicious the UAV. node We to performed the ROS and data inject inte falsegrity data and to node lower verification the altitude by of theapplying UAV. the HMAC-based security framework to Web servers and MAVROS. Experiments show that WeHMAC-based performed data security integrity framework and node to verification Web servers by applyingand MAVROS. the HMAC-based Experiments security show that existing attackframework existingmethods attack have to Web nomethods servers impact have and on MAVROS.UAVs no impact with Experiments onthat UAVs method. with show Figure that that method. 19 existing shows Figure attack the methods19 shows the state of UAV whenhavestate no anof impactUAVattack when is on made UAVs an attackin with the thatsais memade method. scenario in the Figure assa meearlier. 19scenario shows An attack as the earlier. state was of Anmade UAV attack when was an made near 30 s, but attackUAVnear 30 iscan mades, confirmbut in UAV the that same can it scenarioconfirmperforms asthat a earlier. highly it performs An normal attack a highly wasflight made ofnormal 2 nearm until flight 30 s, the but of UAV2 m until can the experiment is confirmover.experiment that itis performs over. a highly normal flight of 2 m until the experiment is over.

Figure 17. AttackFigure in nonnative 17. AttackFigure ROS. in 17.nonnativeAttack in ROS. nonnative ROS.

3 3

2.5 2.5

2 2

1.5 1.5 Altitude Altitude 1 1

0.5 0.5

0 0 0 1020304050600 102030405060 Time Time

Figure 18. UAV flight altitude without security framework in nonnative ROS. FigureFigure 18. 18.UAV UAV ﬂight flight altitude altitude without without security securi frameworkty framework in nonnative in nonnative ROS. ROS.

Sensors 2021, 21, 1369 17 of 19 Sensors 2021, 21, 1369 18 of 20

2.5

1.5

Alititude 1

0.5

0 0 102030405060 Time

FigureFigure 19. 19.UAV UAV ﬂight flight altitude altitude with with security security framework framework in in nonnative nonnative ROS. ROS.

7.7. ConclusionsConclusions WithWith the the noticeable noticeable growth growth in in the the use use of of UAV, UAV, the the security security of of the the system system has has become become a majora major concern concern in recent in recent years. years. Due toDue the to absence the absence of system of system security, security, UAVs that UAVs are appliedthat are inapplied diverse in places diverse are places exposed are toexposed potential to risks.potent Therefore,ial risks. Therefore, it is necessary it is necessary to be aware to ofbe thisaware fact of and this study fact and the securitystudy the of security the system of the of UAVs.system of UAVs. ForFor advancedadvanced operationoperation ofof UAVs,UAVs, computers computers that that can can operate operate and and communicate communicate are are requiredrequired in in addition addition to to the the ﬂight flight controller, controller, which which is is referred referred to to as as offboard offboard systems. systems. UAS UAS isis aa genericgeneric termterm forfor controls,controls, communicationscommunications equipment, etc. etc. to to operate operate UAVs, UAVs, and and it itfalls falls under under the the category category of ofCPS. CPS. We We investig investigatedated the the vulnerability vulnerability of the of theUAS UAS using using off- offboardboard systems systems in interms terms of ofthe the CPS, CPS, and and we we proposed proposed a asecurity security framework framework to to address address it. it.The The framework framework ensures ensures the theintegrity integrity of the of data the datatransmitted transmitted in the in system the system through through digital digitalsignatures signatures and prevents and prevents unauthorized unauthorized nodes from nodes accessing from accessing the system the systemwithout without authori- authorization,zation, hiding hidingtheir identities. their identities. By measuring By measuring overhead overhead for computations, for computations, data, and data, trans- and transmissionmission speeds speeds as the as framework’s the framework’s functions functions are added, are added, the framework the framework is shown is shown to be toan beappropriate an appropriate framework framework for UAVs. for UAVs. InIn thisthis study,study, the the real-time real-time experiment experiment shows shows that that the the UAS UAS fails fails to to function function properly properly throughthrough cyberattacks cyberattacks that that use use the the vulnerability vulnerability of of the the ROS ROS and and install install ROS ROS in in the the offboardoffboard computer.computer. To To address address this, this, the the proposed proposed security security framework framework was was applied applied to to the the system system to to demonstrate system security through practical experimentation. demonstrate system security through practical experimentation. In the current framework, the system was defended against attacks that inject abnor- In the current framework, the system was defended against attacks that inject abnormal data into UAV ﬂight by granting only access control and integrity. As a future work, mal data into UAV flight by granting only access control and integrity. As a future work, we will develop a customized module that can easily upload various functions necessary we will develop a customized module that can easily upload various functions necessary for system security into the framework. for system security into the framework. Author Contributions: Conceptualization, H.L. and J.Y.; methodology, H.L., J.Y. and K.-J.P.; soft- Author Contributions: Conceptualization, H.L. and J.Y.; methodology, H.L., J.Y. and K.-J.P.; software, H.L. and J.Y.; validation, H.L. and K.-J.P.; formal analysis, H.L. and K.-J.P.; investigation, ware, H.L. and J.Y.; validation, H.L. and K.-J.P.; formal analysis, H.L. and K.-J.P.; investigation, H.L.; H.L.; resources, H.L.; data curation, H.L.; writing—original draft preparation, H.L. and K.-J.P.; resources, H.L.; data curation, H.L.; writing—original draft preparation, H.L. and K.-J.P.; writing— writing—review and editing, H.L., M.-S.J., and K.-J.P.; visualization, H.L.; supervision, K.-J.P.; project review and editing, H.L., M.-S.J., and K.-J.P.; visualization, H.L.; supervision, K.-J.P.; project admin- administration, H.L. and K.-J.P.; funding acquisition, K.-J.P. All authors have read and agreed to the istration, H.L. and K.-J.P.; funding acquisition, K.-J.P. All authors have read and agreed to the pub- published version of the manuscript. lished version of the manuscript. Funding: This work was supported by the National Research Foundation of Korea (NRF) grant Funding: This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2019R1A2C1088092). funded by the Korea government (MSIT) (NRF-2019R1A2C1088092). Institutional Review Board Statement: Not applicable. Institutional Review Board Statement: Not applicable. Informed Consent Statement: Not applicable. Informed Consent Statement: Not applicable. Data Availability Statement: Not applicable.

Sensors 2021, 21, 1369 18 of 19

Data Availability Statement: Not applicable. Conﬂicts of Interest: The authors declare no conﬂict of interest.

References 1. Khan, M.A.; Ectors, W.; Bellemans, T.; Janssens, D.; Wets, G. UAV-Based Traffic Analysis: A Universal Guiding Framework Based on Literature Survey. Transp. Res. Procedia 2017, 22, 541–550. [CrossRef] 2. Vacca, G.; Dessì, A.; Sacco, A. The Use of Nadir and Oblique UAV Images for Building Knowledge. ISPRS Int. J. Geo-Inf. 2017, 6, 393. [CrossRef] 3. Kang, J.-H.; Kwon, Y.-M.; Park, K.-J. Cooperative Spatial Retreat for Resilient Drone Networks. Sensors 2017, 17, 1018. [CrossRef] [PubMed] 4. Bithas, P.S.; Michailidis, E.T.; Nomikos, N.; Vouyioukas, D.; Kanatas, A.G. A Survey on Machine-Learning Techniques for UAV-Based Communications. Sensors 2019, 19, 5170. [CrossRef] 5. Surprising Drone Uses (Besides Amazon Delivery). 2020. Available online: https://www.nationalgeographic.com/news/2013/1 2/131202-drone-uav-uas-amazon-octocopter-bezos-science-aircraft-unmanned-robot/ (accessed on 17 December 2020). 6. Wang, E.K.; Ye, Y.; Xu, X.; Yiu, S.M.; Hui, L.C.K.; Chow, K.P. Security Issues and Challenges for Cyber Physical System. In Proceedings of the 2010 IEEE/ACM Int’l Conference on Green Computing and Communications & Int’l Conference on Cyber, Physical and Social Computing, Hangzhou, China, 18–20 December 2010. 7. Kwon, Y.-M.; Yu, J.; Cho, B.-M.; Eun, Y.; Park, K.-J. Empirical Analysis of MAVLink Protocol Vulnerability for Attacking Unmanned Aerial Vehicles. IEEE Access 2018, 6, 43203–43212. [CrossRef] 8. Zhao, N.; Li, Y.; Zhang, S.; Chen, Y.; Lu, W.; Wang, J.; Wang, X. Security Enhancement for NOMA-UAV Networks. IEEE Trans. Veh. Technol. 2020, 69, 3994–4005. [CrossRef] 9. Hartmann, K.; Steup, C. The vulnerability of UAVs to cyber attacks-An approach to the risk assessment. In Proceedings of the 2013 5th International Conference on Cyber Conflict (CYCON 2013), Tallinn, Estonia, 4–7 June 2013; pp. 1–23. 10. Yoon, K.; Park, D.; Yim, Y.; Kim, K.; Yang, S.K.; Robinson, M. Security authentication system using encrypted channel on uav network. In Proceedings of the 2017 First IEEE International Conference on Robotic Computing (IRC), Taichung, Taiwan, 10–12 April 2017; pp. 393–398. 11. MAVLink. 2020. Available online: https://mavlink.io/en/guide/serialization (accessed on 17 December 2020). 12. MAVLink Format. 2020. Available online: https://mavlink.io/en/guide/serialization.html (accessed on 17 December 2020). 13. ROS. 2020. Available online: https://www.ros.org/core-components/ (accessed on 17 December 2020). 14. Rosbridge. 2020. Available online: http://wiki.ros.org/rosbridge (accessed on 17 December 2020). 15. ROS Security. 2020. Available online: http://wiki.ros.org/Security (accessed on 17 December 2020). 16. ROS Message Filter. 2020. Available online: http://wiki.ros.org/message_filters (accessed on 17 December 2020). 17. ROS Watchdog Timer. 2020. Available online: http://library.isr.ist.utl.pt/docs/roswiki/watchdog_timer.html (accessed on 17 December 2020). 18. ROS2 Lifecycle. 2020. Available online: https://design.ros2.org/articles/node_lifecycle.html (accessed on 17 December 2020). 19. ROS 2 DDS-Security integration. 2020. Available online: https://design.ros2.org/articles/ros2_dds_security.html (accessed on 17 December 2020). 20. Huang, J.; Erdogan, C.; Zhang, Y.; Moore, B.; Luo, Q.; Sundaresan, A.; Rosu, G. ROSRV: Runtime Verification for Robots. In Runtime Verification; Springer International Publishing: Berlin/Heidelberg, Germany, 2014; pp. 247–254. 21. Toris, R.; Shue, C.; Chernova, S. Message Authentication Codes for Secure Remote Non-Native Client Connections to ROS Enabled Robots. In Proceedings of the 2014 IEEE International Conference on Technologies for Practical Robot Applications (TePRA), Woburn, MA, USA, 14–15 April 2014. 22. Dieber, B.; Kacianka, S.; Rass, S.; Schartner, P. Application-Level Security for ROS-Based Applications. In Proceedings of the 2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), Daejeon, Korea, 9–14 October 2016. 23. Doczi, R.; Kis, F.; Suto, B.; Poser, V.; Kronreif, G.; Josvai, E.; Kozlovszky, M. Increasing ROS 1.x Communication Security for Medical Surgery Robot. In Proceedings of the 2016 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Budapest, Hungary, 9–12 October 2016. 24. White, R.; Christensen, D.; Henrik, I.; Quigley, D. SROS: Securing ROS over the wire, in the graph, and through the kernel. arXiv 2016, arXiv:1611.07060. 25. Fernandez, M.J.; Sanchez-Cuevas, P.J.; Heredia, G.; Ollero, A. Securing UAV Communications Using ROS with Custom ECIES- Based Method. In Proceedings of the 2019 Workshop on Research, Education and Development of Unmanned Aerial Systems (RED UAS), Cranfield, UK, 25–27 November 2019. 26. Zhang, G.; Wu, Q.; Cui, M.; Zhang, R. Securing UAV Communications via Joint Trajectory and Power Control. IEEE Trans. Wirel. Commun. 2019, 18, 1376–1389. [CrossRef] 27. Savkin, A.V.; Huang, H.; Ni, W. Securing UAV Communication in the Presence of Stationary or Mobile Eavesdroppers via Online 3D Trajectory Planning. IEEE Wirel. Commun. Lett. 2020, 9, 1211–1215. [CrossRef] 28. Wu, H.; Li, H.; Wei, Z.; Zhang, N.; Tao, X. Secrecy Performance Analysis of Air-to-Ground Communication with UAV Jitter and Multiple Random Walking Eavesdroppers. IEEE Trans. Veh. Technol. 2021, 70, 572–584. [CrossRef] Sensors 2021, 21, 1369 19 of 19

29. ROS-Based UAV Attack Experiment in Native Environment. 2020. Available online: https://youtu.be/m6oT---Y36Q (accessed on 17 December 2020). 30. ROS-Based UAV Framework Experiment in Native Environment. 2020. Available online: https://youtu.be/MUmTsNmxMsM (accessed on 17 December 2020). 31. ROS-Based UAV Attack Experiment in Non-Native Environment. 2020. Available online: https://youtu.be/ODzQ1fQpUwE (accessed on 17 December 2020). 32. ROS-Based UAV Framework Experiment in Non-Native Environment. 2020. Available online: https://youtu.be/NgvpGi9mzhI (accessed on 17 December 2020).