sensors

Article
A Robot Operating System Framework for Secure UAV
Communications
Hyojun Lee 1 , Jiyoung Yoon 2 , Min-Seong Jang 1 and Kyung-Joon Park 1, *

1 Department of Information and Communication Engineering, Daegu Gyeongbuk Institute of Science and
Technology, Daegu 42988, Korea; [email protected] (H.L.); [email protected] (M.-S.J.)
2 INTUSEER Inc., Daegu 41260, Korea; [email protected]
* Correspondence: [email protected]; Tel.: +82-53-785-6314

Abstract: To perform advanced operations with unmanned aerial vehicles (UAVs), it is crucial that
components other than the existing ones such as flight controller, network devices, and ground
control station (GCS) are also used. The inevitable addition of hardware and software to accomplish
UAV operations may lead to security vulnerabilities through various vectors. Hence, we propose
a security framework in this study to improve the security of an unmanned aerial system (UAS).
The proposed framework operates in the robot operating system (ROS) and is designed to focus on
several perspectives, such as overhead arising from additional security elements and security issues
essential for flight missions. The UAS is operated in a nonnative and native ROS environment. The
performance of the proposed framework in both environments is verified through experiments.

Keywords: unmanned aerial vehicles; cyber-physical systems; network attack; security




Citation: Lee, H.; Yoon, J.; Jang, M.-S.; Park, K.-J. A Robot Operating System Framework for Secure UAV Communications. Sensors 2021, 21, 1369. https://doi.org/10.3390/s21041369

Academic Editor: Andrey V. Savkin

Received: 30 December 2020
Accepted: 7 February 2021
Published: 15 February 2021

Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

1. Introduction

Unmanned aerial vehicles (UAVs), commonly known as drones, have been recently deployed in various environments to perform numerous tasks [1–4]. One of the most representative drone services is Amazon's Prime Air, which is currently under development [5]. Other companies are also preparing various drone projects such as storm damage evaluation, property damage assessment, and shale gas asset monitoring. The increase in the use of UAVs in various fields has resulted in growing concerns regarding the security of the unmanned aerial system (UAS). According to the "FAA Aviation Forecast 2019–2029" released by the Federal Aviation Administration along with the example described earlier, the commercial drone market is expected to triple by 2023. As the utilization of UAVs increases, there is a need to manage the security of the UAS. The need to manage the system security is not merely theoretical; it can be illustrated by real-life incidents. The 2011 drone hijacking incident, one of the most widely known cases of UAV cyberattacks, is an event in which Iranian cyber units cut off UAV communications links in the United States and diverted the UAVs into Iranian territory by manipulating the GPS (global positioning system) coordinates. Although there are many arguments about the authenticity of the case, it should be realized that cyberattacks on UAVs are possible. In addition, the most common vector in attack cases is the radio communication provided by the UAV platform.

UASs belong to a category of cyber-physical systems (CPSs). Unlike traditional embedded systems that operate individually, a CPS requires the close interaction of computing and physical systems. Ultimately, a CPS can be seen as the integration of computational, networking, and physical processes. It is a system in which information and software technologies combine with mechanical components to deliver and exchange data as well as monitor or control its subject by infrastructure such as the Internet in real time. The UAV network incorporates communications devices, computing functions, and control modules to form a single closed loop from data recognition, information exchange, decision making, to final execution, and it can be referred to as a CPS. In these CPSs, studies on system vulnerabilities, one of which is vulnerability in the network, are actively underway [6–10].

Robot Operating System (ROS) is the middleware for robot software development. Unlike the operating systems used in computers, ROS provides services such as hardware abstraction, low-level device control, and message delivery between processes for system operation. It is used in various robot industries and research fields due to its advantages such as active community and efficient development. In an UAS, ROS is installed and used on the UAV exterior board for advanced operations such as autonomous clustered UAV. However, ROS lacks design for system security. Basic safety tools are provided, but these tools focus on system failure, such as time synchronization and program part accuracy; there are no measures for system attacks.

In this paper, we explain the vulnerability in an ROS-based UAV and propose a security framework to solve it. Section 3 describes the vulnerabilities in ROS-based UAVs and how attacks are planned using them. Section 4 describes the studies and tools that have been undertaken to address the problem. Section 5 describes the framework proposed for vulnerabilities in ROS. The performance and overhead of the proposed framework are shown in comparison with those of the tools described in Section 4; a low overhead security solution is proposed that can address vulnerabilities in ROS. Section 6 describes the proposed security framework with actual implementation and verification.

2. Background
2.1. Unmanned Aerial System (UAS)
UAS is a generic term used to denote the combination of a drone and a ground control station (GCS), as well as the communication system between the two. A drone refers to an aircraft that flies automatically or in semiautomatic mode without a real pilot on board. It performs its missions by controlling its altitude and position through an internal flight controller. The flight mission is performed either by transmission from the GCS or by built-in algorithms. The conventional media used for communication are RC transmitters, Bluetooth, Wi-Fi, and radio. Drones can send and receive commands and status from the GCS through these media using the MAVLink message protocol [11]. MAVLink is a light messaging protocol for onboard communication or components of drones. It can be implemented in 14 languages, including C and C++; various high-level APIs exist for interaction between other systems such as drones and ROS. The protocol can also be used by at least seven GCS software programs (e.g., QGroundControl and Mission Planner) to communicate with the drone. Figure 1 shows the MAVLink protocol message. Figure 2 shows QGroundControl, an illustrative GCS in UAS configuration. Figure 3 shows the UAV used in this paper.

Figure 1. MAVLink protocol message [12].

Figure 2. QGroundControl as the ground control station (GCS).

Figure 3. Unmanned aerial vehicle (UAV).

2.2. Robot Operating System (ROS)
As mentioned earlier, ROS is the middleware for robot software development [13]. Unlike the operating systems used in computers, it provides services such as hardware abstraction, low-level device control, and message delivery between processes for system operation. For asynchronous communication in ROS, the publisher-subscriber model is adopted; the topic field is used for communication between the publisher and the subscriber. Figure 4 shows the structured model of ROS. The ROS consists of the master, publisher, and subscriber node. The master node connects the subscriber node to the publisher node that wants access to a specific topic. With the help of the master node, the connected publisher and subscriber nodes will be able to send and receive the desired data through the topic.

Figure 4. Robot operating system (ROS) structure.

2.3. Rosbridge
Rosbridge is a package of ROS that allows us to use topics and services in ROS even if the client does not have ROS installed. This is possible because the JSON-based rosbridge protocol is used on the server with ROS installed. When a rosbridge server that communicates with WebSocket on the ROS server side is executed, it is possible to communicate with the node of the ROS server through various front-end devices such as the web browser, and the service is also available. Figure 5 describes the concept of rosbridge [14].

Figure 5. Rosbridge concept.

2.4. Safety Tool of ROS
To ensure the safe operation of ROS, there are several services that are provided by ROS. The ROS team is aware that because of the nature of the current system, the system can be attacked due to vulnerabilities in the network. To address this, they proposed a method which is not a direct function of ROS but a part of the configuration of the network used for ROS [15]. They suggest restricting access to the network and not disclosing the ROS master. There are two strategies for achieving this. The first method involves restricting hosts that can access the system. For example, there are ways to create isolated networks or use firewalls. The second method involves giving orders to authenticate users before allowing them access to the system. However, these methods are not implemented within ROS; rather, the role of protecting ROS is given to network settings outside ROS.
By default, message filtering is performed through these three functions [16]. First, there is a subscriber that acts as a top-level filter; it forwards messages from ROS to connected filters. Second, the time synchronization filter serves to synchronize to the same channels by referring to the time stamp in the headers of the receiving channels. The third function is the time sequencer. The time sequencer filter ensures that callbacks are made in temporal order according to the header timestamp of the message. When operating a robot system, the corresponding node may not be able to process the message on time, owing to various factors at the time the message was generated. When operating a robot that requires time-sensitive command input, the message filter allows the message to be processed sequentially.

ROS also provides a tool to prepare for system failures. The Watchdog timer is a tool
used for high reliability systems [17], and it is implemented in ROS. The Watchdog timer
monitors the CPU and restores the system to normal conditions when abnormal or infinite
loops occur. While ROS provides a Watchdog timer for these functions, it only provides
the detection function and entrusts developers with a way to reconfigure the system.
The subsequent version of ROS, ROS2, introduced the concept of a management node,
also called the lifecycle node [18]. It is designed for the enhanced control of the state of
the ROS system. There are four node states: unconfigured, inactive, active, and finalized.
Seven switching actions can be performed: create, configure, cleanup, activate, deactivate,
shutdown, and destroy. When a switching operation is performed, it goes through six
switching states: configuring, cleaning up, shutting down, activating, deactivating, and
error processing. This node state transition is introduced to enhance the overall security
of ROS.
Recently, ROS2 was officially released, and its biggest difference from the previous
version is the adoption of the Data Distribution Service (DDS) as middleware.
DDS has several security requirements, including authentication, access control, and
cryptographic operations [19]. This shows that security is important for mission-critical
ROS environments. However, since ROS and ROS2 are incompatible with each other in a
native environment, security issues still remain in systems using ROS.

3. Vulnerability Definition of UAV Using ROS


This section introduces the types of network attacks occurring in CPSs and the vulner-
abilities that exist in the communication mechanisms of UAVs using the current version
of ROS.

3.1. Model of ROS-Based UAS


Advanced operations in UAVs require hardware and software capable of additional
computing functions as well as flight controllers. The ability to provide additional assis-
tance to the flight using information and computing power outside the flight controller is
called offboard mode. The UAS assumed in this paper has a structure in which offboard
computers are connected to the flight controller and communicate with each other. In
addition, offboard computers support communication between flight controllers, external
sensors, and offboard computers via ROS. Figure 6 schematizes the UAS with the afore-
mentioned communication architecture from a CPS perspective. As with the CPS, this
figure incorporates the plant, sensor, controller, and actuator to form a closed loop from
data recognition, information exchange, decision making, to final execution. The red box
indicates the part to which ROS is applied.
ROS is middleware for the development of robot software. This allows for the con-
figuration of a UAS. The ROS adopted a publisher–subscriber (pub-sub) model for com-
munication between each component that forms the robot. It is a structure in which two
nodes, which exchange node information with the help of the master node, send messages
through the publishing and subscribing functions as needed. ROS provides MAVROS,
a MAVLink expandable communication node. This allows the UAV to receive the data
needed for the flight over the ROS.
Figure 7 shows the system model of UAV with ROS through the aforementioned procedure.
The /sensor node present in the external sensor publishes the message to the /process
node in the offboard computer using /topic. /Process nodes deliver command messages
for UAV control to /MAVROS node based on sensor data. /MAVROS node forwards the
data to the flight controller via MAVLink.

Figure 6. Feedback loop in an unmanned aerial system (UAS).

Figure 7. System Model of UAV with ROS.

3.2. Vulnerability of ROS-Based UAS
Table 1 defines the terms for each component in ROS. As explained in Section 2.4, ROS does not have fundamental security elements; hence, malicious nodes other than normal nodes can easily be connected. It is easy to break into the network; moreover, there is a possibility of masquerade attacks and false data injection. Once the $P_A$ (i.e., attack publisher) is able to configure communication with S (subscriber) about T (topic) through the master node, the false data, $msg_{P_A S T}$, can be sent to S. If the attack is made, the flight controller will not be able to control the exact position and altitude in a given environment, thus allowing the attacker to destroy the system.

Table 1. The terms used in ROS.

Terms              Concept
T                  Topic
P                  Publisher to send information about a particular topic
S                  Subscriber to receive information about a particular topic
A                  Attacker node
$msg_{PST}$        Message between P and S for T
$msg_{P_A S T}$    Message between $P_A$ and S for T
$msg_{P S_A T}$    Message between P and $S_A$ for T

There are three reasons why such attacks are possible. First, the master node does not check whether the node making the request is a normal node or a malicious node. This allows an attacker to gain unauthorized access to ROS. Hence, this enables attacks such as eavesdropping or masquerade.

Second, the master node does not check whether data from connected nodes through
monitoring is within the acceptable range of the system. In any command, dropping
data that exceeds a user-defined threshold protects the system from malicious false data
injection. However, when an attack is authorized within the scope, the system cannot
defend itself.
Third, the system does not guarantee the integrity of messages transmitted in ROS.
If the system ensures that the data are authorized and not changed, it can protect itself
against active attacks such as masquerade and injection attacks. Active attacks, unlike
passive attacks that only eavesdrop on systems, hurt integrity and availability, and they
directly affect the flight of UAVs in a short time. The second problem above can be covered
if the data integrity check is satisfied. Checking data integrity can also protect the system
against masquerade attacks.
The most effective attacks on the system in UAS operation are the active attacks that
change the system, such as masquerade, injection, replay, etc. To protect the system against
this, we need a solution that can solve the aforementioned problems. In addition, the
method should not have large overheads and not obstruct the flight. We propose a security
framework that addresses vulnerabilities in ROS-based UAS and has low overhead.
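
The second and third gaps above can be compared side by side in a small subscriber-side gate. This is an added example, not the paper's framework and not ROS code: the envelope layout, the pre-shared key, the per-topic sequence counter and the 0 to 120 m altitude threshold are assumptions, and HMAC-SHA256 stands in for whatever integrity mechanism a deployment uses. It goes slightly beyond the text by also rejecting replayed messages.

```python
import hashlib
import hmac
import json

# All values below are constructed for illustration.
DEMO_KEY = b"constructed-demo-key"       # hypothetical pre-shared key
UNTRUSTED_KEY = b"some-other-key"        # a sender that does not hold DEMO_KEY
ALT_MIN, ALT_MAX = 0.0, 120.0            # hypothetical user-defined threshold (m)


def canonical(topic, seq, msg):
    """Deterministic byte encoding of every field the tag must cover."""
    body = {"topic": topic, "seq": seq, "msg": msg}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key, topic, seq, msg):
    """Publisher side: attach a sequence number and an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(topic, seq, msg), hashlib.sha256).hexdigest()
    return {"topic": topic, "seq": seq, "msg": msg, "tag": tag}


def in_range(msg):
    """Threshold monitor: drop values outside the user-defined range."""
    alt = msg.get("altitude") if isinstance(msg, dict) else None
    return isinstance(alt, (int, float)) and ALT_MIN <= alt <= ALT_MAX


class Subscriber:
    """Subscriber-side gate. key=None models range monitoring on its own."""

    def __init__(self, key=None):
        self.key = key
        self.last_seq = {}  # topic -> highest sequence number accepted so far

    def receive(self, env):
        topic, seq, msg = env.get("topic"), env.get("seq"), env.get("msg")
        if self.key is not None:
            tag = env.get("tag")
            if not isinstance(tag, str) or not isinstance(seq, int):
                return "drop:malformed"
            expected = hmac.new(self.key, canonical(topic, seq, msg),
                                hashlib.sha256).hexdigest()
            # Constant-time comparison of the received and recomputed tags.
            if not hmac.compare_digest(expected.encode(), tag.encode()):
                return "drop:bad_tag"
            # A valid tag on an old sequence number is a replay.
            if seq <= self.last_seq.get(topic, -1):
                return "drop:replay"
        if not in_range(msg):
            return "drop:out_of_range"
        if self.key is not None:
            self.last_seq[topic] = seq
        return "accept"


def run_demo():
    """Feed the same constructed messages to both kinds of subscriber."""
    genuine = sign(DEMO_KEY, "/topic", 1, {"altitude": 30.0})
    cases = {
        "genuine": genuine,
        "replayed": dict(genuine),                           # same bytes again
        "tampered": dict(genuine, msg={"altitude": 100.0}),  # payload changed in transit
        "injected_out_of_range": sign(UNTRUSTED_KEY, "/topic", 2, {"altitude": 5000.0}),
        "injected_in_range": sign(UNTRUSTED_KEY, "/topic", 2, {"altitude": 2.0}),
    }
    results = {}
    for name, sub in (("range_only", Subscriber()),
                      ("range_and_hmac", Subscriber(DEMO_KEY))):
        results[name] = {case: sub.receive(env) for case, env in cases.items()}
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The range-only subscriber accepts the in-range injected, tampered and replayed messages, which is the case the text describes as undefendable by thresholds alone; the subscriber that also verifies the tag drops all three.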

4. Related Work
In this section, we discuss the studies that were conducted to ensure the security of
UAVs. First, we present the studies for a ROS-based system. For each study, the method and
direction of security application for authentication, authorization, and message verification
areas are discussed.
Jeff Huang et al. [20] proposed ROSRV, a runtime verification framework for ROS-
based robot applications. A node called ROSRV is placed under the master node. The
node that needs to be registered as a publisher or subscriber node is identified and is
connected to the other node. The second function then places the monitoring node between
all publishers and subscribers within the ROS to drop commands or messages outside
the user-specified range. The two functions satisfy the requirements of authorization and
message verification. Thus, this can address the first and second vulnerabilities described
in Section 3.2 at present. However, there are several reasons why it is difficult to apply this
to UAVs, and these points are covered in Section 5.
Russell Toris et al. [21] proposed rosauth, an authentication service to enhance the se-
curity of the connection of nonnative clients in ROS. As mentioned, there is a package called
rosbridge in ROS that allows clients to communicate synchronously and asynchronously
with ROS, even if not in an ROS environment. The author proposed a method of authenti-
cating whether the client accessing the ROS server using the message authentication code
(MAC) is an authorized node. This project can solve the first vulnerability mentioned
in Section 3.2. However, the nodes are verified using MAC only at the point of client
connection. It does not guarantee the security for message tampering that occurs after
the connection. In other words, it does not guarantee data integrity, the most important
vulnerability in ROS-based UAS.
Bernhard Dieber et al. [22] treated ROS as a black box and used an authentication
server (AS) to ensure communication between authorized nodes. In this approach, the
publisher receives a key from the AS, encrypts, signs it with the message, and then forwards
it to the subscriber. The subscriber can decode and verify whether the message has been
tampered with. However, every time we send a message, we have two encryption over-
heads and a decryption overhead. Furthermore, RSA (Rivest-Shamir-Adleman) signatures
are slow.
Roland Dóczi et al. [23] proposed a security enhancement solution for ROS-based med-
ical surgical robots. The author used authorization and authentication (AA) to eliminate
security problems arising from ROS. They implemented an AA node for the AA function.
The node receives its name and password from the connection request node, checks the
DB, and passes the key if the information is correct. The node then requests the master
node to connect with the other node along with the key; the master node sends the key to
AA to verify that it is a valid node. However, methods of authenticating using names and
passwords can easily be overridden by attackers.
Ruffin White et al. [24] proposed SROS. SROS is a set of security enhancements for ROS,
such as native TLS support for all socket transport within ROS, the use of X.509 certificates
permitting chains of trust, definable namespace globbing for ROS node restrictions and
permitted roles, as well as convenient user-space tooling to auto generate node key pairs,
audit ROS networks, and construct/train access control policies. However, it is currently in
an experimental development phase, and developers warn that it should not be considered
as production-grade. Moreover, it is also not available to developers who use other
languages because it is considered only for Python development.
Manuel J. Fernandez et al. [25] used Elliptic Curve Digital Signature Algorithm
(ECDSA)-based digital signatures to eliminate the security problem of communication
between GCS and UAVs. ECDSA is a digital signature method based on elliptic curve
cryptography, and it can achieve the same level of security performance as RSA with smaller
keys. Systems applying the method can address the most important security issues for the
flight of UAVs by satisfying the requirement for message validation. Their approach of
protecting the system through digital signatures is in a similar direction to our work.
However, it is concerned with securing data from the GCS and does not guarantee behavior
in nonnative environments. Furthermore, because we deal with time-sensitive UAVs,
we can compare the corresponding method with our proposed framework in terms of
overhead. In Section 5.3.1, we compare ECDSA with the overhead of digital signatures
based on SHA-256.
In addition, the security of UAV is also studied in other layers of communication. We
discuss securing the UAV communications in the physical layer. Guangchi Zhang et al. [26]
studied how to secure UAV-to-ground (U2G) and ground-to-UAV (G2U) communications
by jointly optimizing the UAV’s trajectory to maximize the average secrecy rates of the
U2G and G2U transmissions. Andrey V. Savkin et al. [27] studied the wireless communication
security between a UAV and the ground node by the online planning of a UAV’s
3D trajectory. For that, they proposed a new navigation scheme with proven optimization
and developed a model predictive control algorithm. Huici Wu et al. [28] developed an
analytical framework for analyzing secrecy coverage performance and secrecy capacity
performance. For that, they investigated secrecy performance in the air-to-ground wiretap
system by considering the unique features of the UAV communication platform.

5. Proposed Method
The work was carried out in an environment with MAVROS, an extension package
for UAV in ROS (see Section 3 for details). We found that the vulnerability of ROS makes
the ROS-based UAS vulnerable. To solve this, we implemented security measures in the
master, publisher, and subscriber nodes. This does not address all security issues in the
system, but it ensures that the two security issues that are key to UAS operation are dealt
with (see Section 4 for details):
1. Unauthorized users registering nodes on the system without permission.
2. Unauthorized registered node infusing incorrect data and affecting drone flight.
Message transmission in the current ROS has the following procedure. There is
the S-node that receives information about a particular topic T. P-node tries to transmit
information about T and thus attempts to connect with the node that receives the T through
the master node. The master node connects P to S. P broadcasts msgPST and delivers it
to S. Then, S receives the information and performs calculations to control the UAV. The
procedure unconditionally trusts the node and operates the robot. Thus, if a PA-node (i.e.,
the node that publishes the wrong data) accesses the system, the following occurs. PA
requests a connection to the master node with a node that receives information for a specific
topic T. The PA connected to the system injects the wrong data, i.e., msgPAST, into the S at
a faster rate than P. S does not recognize that the data are incorrect and uses that data to
control UAVs. The current procedure cannot determine whether the node that requests
registration to the master is an authorized node. It is also not known whether the data that
are being transmitted are modulated or are from an accredited node. For this reason, we
propose a security framework for ROS-based UAS to implement a UAS that is safe from
such intrusions. ROS with frameworks can be schematized as shown in Figure 8. Table 2
defines the terms for each component of the proposed framework.

Figure 8. Proposed access control procedures.

Table 2. The terms used in the framework.

Terms           Concept
ACT             Access list for P and S accessing specific topic T
d(X)            Digest for node X
H(k, msg)       Getting a hash of the message (msg) using a key (k)
Pname, Sname    Node name of P and S
Sign(k, msg)    Digitally signing for message msg using the key k
Verify(s)       Verification process for signed data s

5.1. Registration of a New Node
Access control is the function of allowing or denying someone the use of a resource.
We apply access control to ROS, thus preventing unauthorized system registration of
nodes. ACT means a list of access rights for nodes accessing a particular topic T. This includes
nodes with access to T and can be expressed as ACT = [x, y, z]. Here, d(P) and d(S) mean
digests for P and S respectively, and d(P) can be expressed in H(k, Pname||T). The ROS with
access control registers the node using the following procedure:
1. All publishers and subscribers accessing a specific topic T before ROS operation are
listed and recorded in ACT. The information recorded in ACT is d(P) and d(S), which
are digests of P and S. The reason for recording the digest is to make it impossible for an
attacker to masquerade itself as a node that sees the digest and has authority over T.
2. P requests the master node to register P as a publisher of T.
3. The master node obtains d(P), which is the digest for P.
4. The master checks whether the digest is in ACT. If there is digest in ACT, P is allowed
to publish to T.
Figure 8 is a diagram showing the registration procedures of the ROS with added
access control.
5.2. Signature with HMAC


A digital signature is a security tool that uses encryption for data integrity, authentica-
tion and denial prevention. Generally, when key sharing is not possible, we use a digital
signature using RSA or ECDSA. This means that when a message is signed and sent by the
private key, the receiver verifies the message with the public key. In addition to RSA, there
is also a signature method using the hash-based message authentication code (HMAC).
If the network is in an environment that does not require key exchange, HMAC has
many advantages over using RSA and ECDSA. First of all, it is very fast to sign and verify,
and it is simple to implement. It also has advantages in safety issues. ECDSA requires the
hash function it uses to be collision-resistant, whereas HMAC has no such requirement.
Given these characteristics, digital signatures using HMAC
are more advantageous than RSA and ECDSA in networks operating UAS. Therefore, we
ensure data integrity by using HMAC to sign messages sent from ROS.
H(k, msg) obtains digests for the message (msg) using the key k. At this time, k should
be exchanged between transceivers in advance. There are several types of hash functions,
but SHA-256 was used in the solution. The SHA-256 algorithm used in the experiments is
impossible to break while operating the UAS. Even if an attacker takes the time to find out
what the hash is, it is also impossible for the actual system to fail because of the short cycle
in which the key k is exchanged. Any hash function agreed on between the sender and
receiver can be used. Here, a||b means the concatenation of a and b. For example, for the
letters a and b, the result of a||b is “ab”.
The subscriber and publisher of ROS, where the verification process has been added,
sends and receives data through the following procedure:
1. S and P for a specific topic T make a registration request to the Master node.
2. P performs a signature on msgPST. Sign(k, msgPST), the signature procedure, means
H(k, msgPST)||msgPST.
3. P, which carried out the signature, sends s = Sign(k, msgPST) to S.
4. S performs a Verify(s) on the received s.
5. Separate s = H(k, msgPST)||msgPST into H(k, msgPST) and msgPST.
6. For the separated msgPST, perform H(k, msgPST) using a preshared key k, where k is the
same symmetric key used by P.
7. Compare the two H(k, msgPST) values and check that they are the same.
8. If there is no problem with msgPST , use that data.
Figure 9 is a diagram showing the data transmission procedures of the ROS with the
added verification.

Figure 9. Proposed signature procedures.
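
The registration check of Section 5.1 and the Sign/Verify steps of Section 5.2, as an added Python example that is not the authors' implementation. The key, the node name /gcs_publisher and the payload are constructed; the text does not say how the master obtains d(P), so here the requesting node presents it; and the length prefix in node_digest is an assumption of this example, not part of the paper's H(k, Pname||T).

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes prepended to every message


def H(k: bytes, msg: bytes) -> bytes:
    """H(k, msg) from Table 2, instantiated as HMAC-SHA-256."""
    return hmac.new(k, msg, hashlib.sha256).digest()


def node_digest(k: bytes, name: str, topic: str) -> bytes:
    """d(X) = H(k, Xname || T).

    Assumption of this example: the name is length-prefixed. ROS node names
    and topics both start with "/", so bare concatenation would give
    ("/a", "/b/c") and ("/a/b", "/c") the same digest input.
    """
    raw = name.encode()
    return H(k, len(raw).to_bytes(2, "big") + raw + topic.encode())


class Master:
    """Hypothetical master-side access control holding AC_T per topic."""

    def __init__(self, acl):
        self._acl = acl  # topic T -> set of digests recorded before operation

    def register(self, presented: bytes, topic: str) -> bool:
        # Steps 3-4 of Section 5.1: look the digest up in AC_T,
        # comparing in constant time.
        return any(hmac.compare_digest(presented, d)
                   for d in self._acl.get(topic, ()))


def sign(k: bytes, msg: bytes) -> bytes:
    """Sign(k, msg) = H(k, msg) || msg."""
    return H(k, msg) + msg


def verify(k: bytes, s: bytes):
    """Verify(s): split s, recompute H(k, msg), compare.

    Returns msg when the digests match, otherwise None.
    """
    if len(s) < TAG_LEN:          # too short to even carry a digest
        return None
    tag, msg = s[:TAG_LEN], s[TAG_LEN:]
    return msg if hmac.compare_digest(tag, H(k, msg)) else None


def demo() -> dict:
    # Every value below is constructed for this example.
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # 128-bit pre-shared key
    wrong_k = bytes(16)                                     # PA does not know k
    topic = "/mavros/local_position/pose"
    master = Master({topic: {node_digest(k, "/gcs_publisher", topic),
                             node_digest(k, "/mavros", topic)}})

    # P holds k and presents a listed digest; PA cannot compute one.
    p_registered = master.register(
        node_digest(k, "/gcs_publisher", topic), topic)
    pa_registered = master.register(
        node_digest(wrong_k, "/gcs_publisher", topic), topic)

    msg = b"z=2.0;" + bytes(63)   # 69-byte stand-in for a serialized pose
    s = sign(k, msg)              # what P sends to S
    tampered = s[:TAG_LEN] + b"z=0.0;" + bytes(63)    # body altered after signing
    injected = sign(wrong_k, b"z=0.0;" + bytes(63))   # sent by PA without k
    return {
        "p_registered": p_registered,
        "pa_registered": pa_registered,
        "signed_len": len(s),
        "accepted": verify(k, s) == msg,
        "tampered": verify(k, tampered),
        "injected": verify(k, injected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The subscriber only acts on a message when verify returns the payload; a None result covers both a modified body and a message signed without the shared key.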

5.3. Performance and Conceptual Comparison


5.3.1. Encryption Overhead
The proposed security framework has additional features to address vulnerabilities in
the existing ROS. This function results in additional overhead for data size and computation.
First, the computational overhead that occurs during access control execution occurs once
upon initial connection, so it does not affect UAV operation. However, for signatures that
use HMAC, data overhead and computational overhead exist for each transfer.
Previous studies [22,25] also used cryptographic methods to address vulnerabilities
in ROS, and there exists overhead for them. First of all, for data overhead, existing 69-byte
size geometry_msgs/PoseStamped messages have 256 bytes of overhead when using RSA-
2048 signatures, as in [22]. Using 256-bit ECDSA signatures used in [25] results in 64 bytes
of overhead.
The computational overhead indicates how long it takes to perform an encryption.
Figure 10 is the benchmarking result using the crypto++ library, with RSA-2048 taking
2.32 ms to sign and 0.05 ms to verify. ECDSA takes 1.03 ms to sign and 0.82 ms to verify.
With HMAC digital signatures used in our proposed framework, the data overhead is
32 bytes. For computational overhead, 295 MiB per second can be processed when using
128-bit keys. This means that it takes 0.0029 ms to process 101 bytes of data that combines
the original message with the data overhead. Because digital signatures using HMAC use
symmetric keys, verifying takes the same amount of time as signing.
Based on these results, we can see that the proposed security framework has very
little overhead compared to the existing studied systems and has little impact on the
performance of the existing ROS.

Figure 10. Digital signature benchmark result.

5.3.2. The Use of MAC
We ensured integrity through verification of the data transmitted within the system
using MAC. Similarly, rosauth [21] in Section 4 wanted to use MAC to improve the security
of ROS. However, its use is different from the one in this study. In previous work, MAC was
used in a nonnative environment early in the connection to enable clients to authenticate
themselves with the server as validated clients. However, as there is no solution for the
integrity of the data transmitted, the system will be breached if an attacker attempts an
MITM attack on an already connected channel. Conversely, the framework proposed in this
study uses MAC to ensure data integrity and authentication with each transmission since
the beginning of the connection. In addition, only nodes authorized through access control
can be registered. Furthermore, the proposed framework can be secured in a nonnative
environment, similar to their study. This is demonstrated in Section 6 with an experiment.

5.3.3. Message Verification Performance


In our proposed framework, we can verify the presence of abnormalities in messages
using HMAC digital signatures. ROSRV [20], discussed in Section 4, similarly verifies messages but differs from our
method. Even though the authors studied message verification, there are some limitations
to this solution. First, for monitoring purposes, the monitoring node between the publisher
and the subscriber verifies the message. This will take twice the transmission time in the
existing publisher–subscriber model. The second is that if a large number of nodes are
connected to a centralized ROSRV, there will be a delay in the monitoring node. In addition,
if the data are modulated within the monitoring range, it will not be detected. The existence
of two overheads and the absence of integrity make it difficult to apply ROSRV to UAS.
In our proposed method, on the other hand, the sender sends the message with a
digital signature, and the receiver checks the message’s digital signature to proceed with
the message verification. Therefore, there is no overhead for transmission time other
than the overhead described in Section 5.3.1, and there is no bottleneck in transmitting
the message.

6. Test
This section describes an experiment that studies the consequences that can be caused
by the vulnerabilities in an existing ROS-based UAS and the impact on the UAS after
applying the security framework. First, we describe the experimental environment of the
drones that make up the UAS for the experiment and the arrangement of the components.
The results are presented with an explanation about the operation of the proposed security
framework in a native ROS environment and a nonnative ROS environment.

6.1. Experiment Environment of UAS


Figure 11 shows the UAS environment configured for experimentation. Pixhawk is
an industry standard autopilot developed jointly by 3DR Robotics and
Ardupilot Group. Various robots such as RC cars, airplanes, and multicopters can be made,
and firmware is provided for them using Pixhawk. We made quadcopters that belong to a
class of multicopters, and we used them for the experiment. Pixhawk typically uses two
firmware, i.e., Ardupilot and PX4. We used PX4 firmware that supports offboard mode in
the experiment because we assumed UAS to operate advanced drones such as autonomous
driving and cluster flight using offboard mode. Pixhawk uses the MAVLink protocol for
communication. MAVLink is a light messaging protocol for onboard communication or
components of drones. This can be implemented in 14 languages, including C and C++,
and various high-level APIs exist for the interaction between other systems such as drones
and ROS. The companion computer used Raspberry Pi, which is an embedded Linux-based
development small computer, and Ubuntu MATE, which is a Linux-based OS, was used
in the computer. In using ROS with Raspberry Pi, this setup has better compatibility
on a variety of issues, such as packages and kernels. ROS stands for Robot Operating
System, which is not similar to the conventional operating systems used in computers. It
is a middleware concept for robot development that is installed on an OS such as Linux
or Windows. We installed ROS Kinetic for the experiment. ROS supports node-to-node
communication using XML-RPC and TCP. XML-RPC is an XML-based distributed system
communication method that is a simple and portable RPC protocol over HTTP. This is used
in ROS by the publisher and the subscriber to communicate with the master node to connect
with each other. When the publisher sends data for a particular topic after the connection,
it serializes the data and sends the data to TCP payload. The subscriber receives the packet
and receives the data by deserializing it. We use the MAVROS package, which is an ROS
expansion package. This package enables MAVLink communication between Raspberry Pi
and Pixhawk where ROS runs. Hence, the /mavros node, which receives data related to
the flight from the publisher, forwards the data to Pixhawk through the MAVLink protocol.
Upon receiving this, Pixhawk calculates flight control from the flight stack based on the
corresponding data.
The overall experimental environment is described above. We conducted the experiment
in this experimental environment by considering two situations. In Figure 11, two
computers and one sensor that are authorized can be found attached to the ROS through
the wireless network. These devices can access the ROS in a native environment or, de-
pending on the intention of the user, the ROS can be accessed in a nonnative environment.
In these two environments, the approach to ROS is as follows: First of all, if the client is
in a native ROS environment, the client has ROS installed, and by running the launch file,
the client accesses the ROS server and creates a node. If the client is in a nonnative ROS
environment, the client does not have ROS installed and requests the master to connect to
the communication for a particular topic on the front-end implemented with the roslibjs
library. After connection, the client encodes the data in JSON and sends the data to the
rosbridge server. On the server side, rosbridge is run, which transmits data received by
clients to nodes that subscribe to the topic.

Figure 11. Experiment environment.

6.2. Experiment on Native ROS Attack
This section describes the modes of attacks in native ROS and the ways that can be
used to defend the native ROS through the proposed framework. The attacks in the
environment are shown in Figure 12. First, the accredited device sends the data and commands
necessary for the flight to /mavros via a specific topic. The drone performs normal flights
based on their data. At this time, a malicious computer breaks into the network with the
aim of sabotaging the system and then registers the publisher with the ROS that transmits
the /mavros/local_position/pose topic. An attacker could then influence the flight path of
the drone by means of the corresponding topic. This experiment can be found in [29,30].
The actual experiment was conducted by flying a normal drone driving at a height of
2 m while considering the drone, property, and human casualties, and by returning the
drone to its starting point. Figure 13 shows the state of the UAV during an attack. The X-
and Y-axis in Figure 13 denote the time and the altitude of the drone, respectively. It can be
seen in the figure that up to the 30 s point, only the accredited node approaches the ROS
and transmits the /mavros/local_position/force topic, resulting in a 2 m high UAV flight.
After that, the attacker node can then approach the ROS and inject itself into the UAV to fly
the drone at an altitude of 0 m to confirm that the altitude of the UAV is slowly converging
at 0 m.
The reason for this attack is the lack of verification and data integrity for newly
registered nodes. We apply a security framework to the existing ROS for it to defend itself
against such attacks. Figure 14 shows how HMAC is applied to ROS to send and receive
data. The framework is applied to each computer running publisher and to the computer
running MAVROS. We demonstrate through experiments that existing methods of attack
have no impact on UAVs with this security framework. Figure 15 shows the state of the
UAV during an attack in the same scenario as the above. An attack was made near 30 s,
but it can be confirmed that the UAV flies at an altitude of 2 m until the experiment is over.

Figure 12. Attack in native ROS.

Figure 13. UAV flight altitude without security framework in native ROS. [Plot: Altitude (0 to 2.5) against Time (0 to 50).]

Figure 14. Security framework for ROS.
Figure 15. UAV flight altitude with security framework in native ROS. [Plot: Altitude (0 to 2.5) against Time (0 to 50).]

6.3. Experiment on Nonnative ROS Attack
Rosbridge is a package that enables the synchronous and asynchronous communication
of ROS in an environment where ROS is not installed. We implemented a web client
that can use ROS using the roslibjs library for experiments. At this time, the server side
should run rosbridge to create a node that sends data to the MAVROS. Figure 16 briefly
describes the rosbridge used. For practical use of rosbridge, three applications must be
run on the server side. The first is ROS, and the second is the rosbridge server. When the
rosbridge server receives a message from the client regarding which topic to send, it
attempts to connect with the subscriber receiving the topic. In Figure 16, the corresponding
subscriber is /mavros. The third application is the web server. The web server provides
roslibjs services to clients via web pages and helps them communicate indirectly with ROS
through rosbridge. These three applications do not necessarily have to run on one
computer, and they can also run on multiple server computers. This will allow the client
without ROS to communicate with the ROS installed computers. This experiment can be
found in [31,32].

Figure 16. Rosbridge diagram.
The attack and defense experiments in nonnative environments, as in previous
experiments, proceeded with an attack that lowered the UAV flying at certain altitudes to
0 m and a scenario that defended them. Figure 17 shows the method of attack in a nonnative
ROS environment. An attacker can execute an unauthorized web server to execute a
malicious node on the ROS through the rosbridge server. These nodes can break UAS by
injecting incorrect data into the system, such as malicious nodes in a native ROS environment.
When a user enters an altitude in the text box of a web page sent from a web server,
the UAV flies to that altitude. Figure 18 shows the status of the UAV affected by the
corresponding attack method. Upon receiving /mavros/local_position/pose topic data from
normal web clients, the UAV flies at an altitude of 2 m during 30 s. After 30 s, an attacker
uses rosbridge to connect a malicious node to the ROS and inject false data to lower the
altitude of the UAV. We performed data integrity and node verification by applying the
HMAC-based security framework to Web servers and MAVROS. Experiments show that
existing attack methods have no impact on UAVs with that method. Figure 19 shows the
that 19 shows
thatmethod. the
existing Figure 19 shows the
attack methods
state of UAV when
have an
stateno attackwhen
of impact
UAV is
onmade inwith
an attack
UAVs the that
same
is made scenario as
in theFigure
method. earlier.
same scenario
19 An attack
shows as wasofAn
theearlier.
state made
UAV attack
whenwasanmade
near 30 s, but attack
UAV
near 30 can
is s, confirm
made thethat
butinUAV canitscenario
same performs
confirm as aearlier.
that highly Annormal
it performs attack flight
was
a highly of
made 2near
normalm until
30 s, the
flight but
of UAV can the
2 m until
experiment is confirm
over.
experimentthat itisperforms
over. a highly normal flight of 2 m until the experiment is over.

Figure 17. Attack in nonnative ROS.

[Plot: Altitude versus Time]

Figure 18. UAV flight altitude without security framework in nonnative ROS.

[Plot: Altitude versus Time]

Figure 19. UAV flight altitude with security framework in nonnative ROS.
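The HMAC-based data integrity and node verification described above can be sketched as follows. This is an added example, not the authors' framework code: the envelope fields, the per-client key table, the sequence-number replay check and all helper names are assumptions, and the pose payload is constructed sample data in rosbridge's JSON publish format.

```python
import hashlib
import hmac
import json

# Assumption: one pre-shared key per authorised web client (constructed value).
CLIENT_KEYS = {"gcs-web-1": b"constructed-demo-key"}


def compute_mac(key, client, seq, payload):
    # Canonical JSON so signer and verifier hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    data = f"{client}|{seq}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(client, key, seq, payload):
    """Client side: wrap a rosbridge-style publish message with its MAC."""
    return {"client": client, "seq": seq, "payload": payload,
            "mac": compute_mac(key, client, seq, payload)}


class Verifier:
    """Gate in front of the ROS graph; only verified messages are forwarded."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per client

    def check(self, env):
        try:
            client, seq, mac = env["client"], env["seq"], env["mac"]
            key = self.keys.get(client)
            if key is None:
                return False, "unknown node"  # node verification
            expected = compute_mac(key, client, seq, env["payload"])
            if not hmac.compare_digest(expected.encode(), mac.encode()):
                return False, "bad mac"  # data integrity
        except (KeyError, TypeError, AttributeError):
            return False, "malformed"
        if not isinstance(seq, int) or seq <= self.last_seq.get(client, -1):
            return False, "replay"  # old but validly signed message
        self.last_seq[client] = seq
        return True, "ok"


def pose(z):
    """Constructed sample payload carrying an altitude value z (metres)."""
    return {"op": "publish", "topic": "/mavros/local_position/pose",
            "msg": {"pose": {"position": {"x": 0.0, "y": 0.0, "z": z}}}}
```

A message whose altitude field is changed after signing, or one sent by a node with no provisioned key, is dropped before it reaches MAVROS, which matches the behaviour reported for Figure 19.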

7. Conclusions
With the noticeable growth in the use of UAVs, the security of the system has become a major concern in recent years. Due to the absence of system security, UAVs that are applied in diverse places are exposed to potential risks. Therefore, it is necessary to be aware of this fact and study the security of the system of UAVs.
For advanced operation of UAVs, computers that can operate and communicate are required in addition to the flight controller, which are referred to as offboard systems. UAS is a generic term for controls, communications equipment, etc. to operate UAVs, and it falls under the category of CPS. We investigated the vulnerability of the UAS using offboard systems in terms of the CPS, and we proposed a security framework to address it. The framework ensures the integrity of the data transmitted in the system through digital signatures and prevents unauthorized nodes from accessing the system without authorization, hiding their identities. By measuring overhead for computations, data, and transmission speeds as the framework's functions are added, the framework is shown to be an appropriate framework for UAVs.
In this study, the real-time experiment shows that the UAS fails to function properly through cyberattacks that use the vulnerability of the ROS and install ROS in the offboard computer. To address this, the proposed security framework was applied to the system to demonstrate system security through practical experimentation.
In the current framework, the system was defended against attacks that inject abnormal data into UAV flight by granting only access control and integrity. As future work, we will develop a customized module that can easily upload various functions necessary for system security into the framework.
Author Contributions: Conceptualization, H.L. and J.Y.; methodology, H.L., J.Y. and K.-J.P.; software, H.L. and J.Y.; validation, H.L. and K.-J.P.; formal analysis, H.L. and K.-J.P.; investigation, H.L.; resources, H.L.; data curation, H.L.; writing—original draft preparation, H.L. and K.-J.P.; writing—review and editing, H.L., M.-S.J., and K.-J.P.; visualization, H.L.; supervision, K.-J.P.; project administration, H.L. and K.-J.P.; funding acquisition, K.-J.P. All authors have read and agreed to the published version of the manuscript.

Funding: This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2019R1A2C1088092).

Institutional Review Board Statement: Not applicable.

Informed Consent Statement: Not applicable.

Data Availability Statement: Not applicable.

Conflicts of Interest: The authors declare no conflict of interest.

References
1. Khan, M.A.; Ectors, W.; Bellemans, T.; Janssens, D.; Wets, G. UAV-Based Traffic Analysis: A Universal Guiding Framework Based on Literature Survey. Transp. Res. Procedia 2017, 22, 541–550.
2. Vacca, G.; Dessì, A.; Sacco, A. The Use of Nadir and Oblique UAV Images for Building Knowledge. ISPRS Int. J. Geo-Inf. 2017, 6, 393.
3. Kang, J.-H.; Kwon, Y.-M.; Park, K.-J. Cooperative Spatial Retreat for Resilient Drone Networks. Sensors 2017, 17, 1018.
4. Bithas, P.S.; Michailidis, E.T.; Nomikos, N.; Vouyioukas, D.; Kanatas, A.G. A Survey on Machine-Learning Techniques for UAV-Based Communications. Sensors 2019, 19, 5170.
5. Surprising Drone Uses (Besides Amazon Delivery). 2020. Available online: https://www.nationalgeographic.com/news/2013/12/131202-drone-uav-uas-amazon-octocopter-bezos-science-aircraft-unmanned-robot/ (accessed on 17 December 2020).
6. Wang, E.K.; Ye, Y.; Xu, X.; Yiu, S.M.; Hui, L.C.K.; Chow, K.P. Security Issues and Challenges for Cyber Physical System. In Proceedings of the 2010 IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing, Hangzhou, China, 18–20 December 2010.
7. Kwon, Y.-M.; Yu, J.; Cho, B.-M.; Eun, Y.; Park, K.-J. Empirical Analysis of MAVLink Protocol Vulnerability for Attacking Unmanned Aerial Vehicles. IEEE Access 2018, 6, 43203–43212.
8. Zhao, N.; Li, Y.; Zhang, S.; Chen, Y.; Lu, W.; Wang, J.; Wang, X. Security Enhancement for NOMA-UAV Networks. IEEE Trans. Veh. Technol. 2020, 69, 3994–4005.
9. Hartmann, K.; Steup, C. The vulnerability of UAVs to cyber attacks-An approach to the risk assessment. In Proceedings of the 2013 5th International Conference on Cyber Conflict (CYCON 2013), Tallinn, Estonia, 4–7 June 2013; pp. 1–23.
10. Yoon, K.; Park, D.; Yim, Y.; Kim, K.; Yang, S.K.; Robinson, M. Security authentication system using encrypted channel on uav network. In Proceedings of the 2017 First IEEE International Conference on Robotic Computing (IRC), Taichung, Taiwan, 10–12 April 2017; pp. 393–398.
11. MAVLink. 2020. Available online: https://mavlink.io/en/guide/serialization (accessed on 17 December 2020).
12. MAVLink Format. 2020. Available online: https://mavlink.io/en/guide/serialization.html (accessed on 17 December 2020).
13. ROS. 2020. Available online: https://www.ros.org/core-components/ (accessed on 17 December 2020).
14. Rosbridge. 2020. Available online: http://wiki.ros.org/rosbridge (accessed on 17 December 2020).
15. ROS Security. 2020. Available online: http://wiki.ros.org/Security (accessed on 17 December 2020).
16. ROS Message Filter. 2020. Available online: http://wiki.ros.org/message_filters (accessed on 17 December 2020).
17. ROS Watchdog Timer. 2020. Available online: http://library.isr.ist.utl.pt/docs/roswiki/watchdog_timer.html (accessed on 17 December 2020).
18. ROS2 Lifecycle. 2020. Available online: https://design.ros2.org/articles/node_lifecycle.html (accessed on 17 December 2020).
19. ROS 2 DDS-Security integration. 2020. Available online: https://design.ros2.org/articles/ros2_dds_security.html (accessed on 17 December 2020).
20. Huang, J.; Erdogan, C.; Zhang, Y.; Moore, B.; Luo, Q.; Sundaresan, A.; Rosu, G. ROSRV: Runtime Verification for Robots. In Runtime Verification; Springer International Publishing: Berlin/Heidelberg, Germany, 2014; pp. 247–254.
21. Toris, R.; Shue, C.; Chernova, S. Message Authentication Codes for Secure Remote Non-Native Client Connections to ROS Enabled Robots. In Proceedings of the 2014 IEEE International Conference on Technologies for Practical Robot Applications (TePRA), Woburn, MA, USA, 14–15 April 2014.
22. Dieber, B.; Kacianka, S.; Rass, S.; Schartner, P. Application-Level Security for ROS-Based Applications. In Proceedings of the 2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), Daejeon, Korea, 9–14 October 2016.
23. Doczi, R.; Kis, F.; Suto, B.; Poser, V.; Kronreif, G.; Josvai, E.; Kozlovszky, M. Increasing ROS 1.x Communication Security for Medical Surgery Robot. In Proceedings of the 2016 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Budapest, Hungary, 9–12 October 2016.
24. White, R.; Christensen, D.; Henrik, I.; Quigley, D. SROS: Securing ROS over the wire, in the graph, and through the kernel. arXiv 2016, arXiv:1611.07060.
25. Fernandez, M.J.; Sanchez-Cuevas, P.J.; Heredia, G.; Ollero, A. Securing UAV Communications Using ROS with Custom ECIES-Based Method. In Proceedings of the 2019 Workshop on Research, Education and Development of Unmanned Aerial Systems (RED UAS), Cranfield, UK, 25–27 November 2019.
26. Zhang, G.; Wu, Q.; Cui, M.; Zhang, R. Securing UAV Communications via Joint Trajectory and Power Control. IEEE Trans. Wirel. Commun. 2019, 18, 1376–1389.
27. Savkin, A.V.; Huang, H.; Ni, W. Securing UAV Communication in the Presence of Stationary or Mobile Eavesdroppers via Online 3D Trajectory Planning. IEEE Wirel. Commun. Lett. 2020, 9, 1211–1215.
28. Wu, H.; Li, H.; Wei, Z.; Zhang, N.; Tao, X. Secrecy Performance Analysis of Air-to-Ground Communication with UAV Jitter and Multiple Random Walking Eavesdroppers. IEEE Trans. Veh. Technol. 2021, 70, 572–584.
29. ROS-Based UAV Attack Experiment in Native Environment. 2020. Available online: https://youtu.be/m6oT---Y36Q (accessed on 17 December 2020).
30. ROS-Based UAV Framework Experiment in Native Environment. 2020. Available online: https://youtu.be/MUmTsNmxMsM (accessed on 17 December 2020).
31. ROS-Based UAV Attack Experiment in Non-Native Environment. 2020. Available online: https://youtu.be/ODzQ1fQpUwE (accessed on 17 December 2020).
32. ROS-Based UAV Framework Experiment in Non-Native Environment. 2020. Available online: https://youtu.be/NgvpGi9mzhI (accessed on 17 December 2020).
