
Cyber Incident Victim: Orqa

Date: Apr 2023

Location: Japan

Summary

A drone goggles manufacturer, Orqa, suffered a deliberate firmware sabotage incident. A former contractor allegedly implanted a time bomb in the device bootloader years earlier, which activated and bricked customer devices. The perpetrator then publicly released an unauthorized firmware update to purportedly fix the issue, which the company warned was likely compromised. Orqa developed an official security fix for the affected devices, which was undergoing final testing before public release.


Description

On April 29, 2023, Orqa, a manufacturer of First Person View (FPV) drone racing goggles, began receiving reports from customers that their FPV.One V1 goggles had become inoperable. The devices were entering bootloader mode on power-up and could not be used, a state commonly referred to as "bricked." The first reports came from pilots in Japan in the early hours of the morning, European time, when it was still late Friday night or very early Saturday for the company. Shortly afterwards, further reports arrived from a race event in Turkey, indicating a widespread issue hitting users in different geographic locations at the same time. The company initially attributed the problem to a firmware bug in a date and time feature of the software, and communicated that diagnosis to customers as the investigation began.


Within approximately five to six hours of the first reports, by early Saturday afternoon in Europe, Orqa's investigation uncovered the true cause of the widespread device failure. The issue was not a simple bug but the result of malicious code deliberately inserted into the firmware. Orqa stated that a former contractor had secretly planted this code in the bootloader of the devices several years earlier. The code was designed to act as a time bomb, set to trigger on a specific date and render the devices inoperable. The company characterized the event as a "ransomware time-bomb attack," alleging that the perpetrator intended to extort an exorbitant ransom from the company once the devices were disabled. The timing of the detonation appeared calculated to cause maximum disruption, coinciding with a weekend and a racing event.

Orqa described the former contractor as particularly perfidious, noting that the individual had maintained occasional business relations with the company over the intervening years between the code's insertion and its eventual activation. The company suggested this continued contact was a deliberate tactic to avoid raising suspicion and to allow the company's business and market share to grow, thereby potentially increasing the amount of ransom that could be demanded. The destructive payload activated on or around April 29, 2023, and its effect was immediate, preventing legitimate users from accessing their device's core functions.

Following the activation of the time bomb, the alleged perpetrator took further action by publicly posting an unauthorized binary file online. This file was purportedly a piece of firmware designed to address the bug and unbrick the affected FPV.One goggles. Orqa became aware of this development and issued a strong warning to its customer base, advising them not to install this or any other unofficial firmware on their devices. The company expressed concern that the posted binary was likely another compromised piece of software that could further jeopardize device security and user safety. This public posting by the alleged attacker forced Orqa to change its communication strategy; the company decided it was in the users' best interest to be made fully aware of the malicious situation and the significant risks associated with installing unofficial software.

In response to the incident, Orqa's technical team initiated a security review of the affected code. The review found that only a specific fraction of the firmware's codebase was affected by the malicious time bomb, and the company began work on an official fix for the compromised bootloader. Development of a safe, official firmware update was prioritized. A small number of beta testers were enlisted to rigorously test the new firmware version and confirm it was safe and effective before a widespread public release. Orqa told its users that the fixed official firmware was expected to be available by the end of the day, once testing was complete and the version had been deemed safe for all users. The primary containment action was the rapid development and validation of a clean software patch that restored device functionality without requiring hardware replacement.

The impact of the incident was direct and operational: an unknown number of Orqa FPV.One V1 goggles were bricked immediately and simultaneously across at least two continents. This rendered expensive, specialized equipment useless for pilots, disrupting racing events and personal use. The company's reputation was directly challenged by a sophisticated supply chain attack originating from a trusted third party. Developing, testing, and deploying an emergency firmware update under extreme time pressure placed a significant resource burden on the company. The situation was further exacerbated by the alleged attacker's public release of a potentially malicious second firmware, a parallel threat the company had to actively warn its user base against, which added confusion and the risk of secondary victimization on top of the initial destructive attack. The incident stands as a notable example of a software supply chain attack with a delayed payload specifically targeting embedded devices in a niche market.
