Hacking: Hijacking someone else’s drone.

As the Internet of Things develops, the methods for hacking smart devices evolve with it. There is already a whole zoo of IoT Trojans, but the range of smart devices is not limited to routers, set-top boxes and IP cameras. Drones are of particular interest from an information-security standpoint: many people dream of learning how to take control of someone else's aircraft. Are there ways to hijack a copter's control link? Let's find out.

The history of the question

Governments spend millions of dollars a year fighting drones and regulating their use by the public, without much success. Recent reports say that Britain's Gatwick airport was paralysed for days by rogue copters, and the authorities even had to bring in snipers to shoot them down. And what about the officials who get no peace from camera-carrying drones hovering over their estates and poking their nosy lenses into other people's private lives? If only there were a reliable way to take over a drone's controls, the cherished dream of many a statesman would come true. Or does such a method already exist?

If things were as simple as they seem, officials would not have come up with such ingenious ways of fighting flying electronic evil as training hunting falcons, developing networks of interceptor drones and building various electromagnetic guns. But from an engineering point of view, any copter is essentially a remote-controlled electronic device, which means the radio channel that carries its control commands can be compromised.

To begin with, let's separate the flies from the cutlets, as the saying goes. When it comes to AliExpress toys whose receivers perform no authorization at all, "interception" is technically not very difficult. If, immediately after the copter is powered on or its battery is connected, while the LED on the drone is blinking rapidly and the device is searching for a transmitter, a similar transmitter is switched on nearby before the original one (with "universal" controllers you will still have to press the Bind button), the drone will with high probability bind to that transmitter and "lose" the original. But if we are talking about more or less serious hardware, the situation is much more complicated.

Under the hood

Many remote-controlled aircraft (as well as radio-controlled toys) use the DSM2/DSMX protocol for data exchange, with SLT technology as a common alternative. DSM is used in wideband 2.4 GHz transmitters and is considered well protected against accidental interference in the radio channel. The protocol allows flight data to be stored in a log file; DSM2 supports a power-loss detection function (e.g., in the event of a power failure) and DSMX does not, but the two standards are compatible. The SLT protocol operates on the same frequency and is compatible with transmitters from different manufacturers, but its native hardware is made by Tactic and Hitec.

Another protocol supported by some unmanned aircraft is MAVLink, which is most often used to carry telemetry. MAVLink is open source, has a Python implementation and is distributed under the LGPL. By default it does not encrypt its communications, and is therefore in theory more vulnerable to attack than competing technologies that do.

Most copters that can be controlled from a modern smartphone use an 802.11 Wi-Fi network with WEP encryption as their transport. Much has been written about Wi-Fi security in detail, so there is no point in repeating it. Breaking into such a network can be called a routine procedure, and the arsenal of hardware available for it is quite extensive.
And now let's move from the general to the specific.

Gone in sixty seconds

First, let's talk about drones that work over a Wi-Fi network. Why their makers chose easily cracked WEP as the encryption algorithm instead of the far more common WPA/WPA2 is a mystery shrouded in darkness, but most likely it comes down to the speed at which the aircraft's hardware can transmit and process data.
It is one thing if the local network suddenly starts to lag, and quite another if the communication channel to a drone flying ten metres above somebody else's garden fails. The consequences are quite different.

Like any other similar device, a copter with Wi-Fi on board is equipped with a network adapter that has a MAC address by which it can be identified. This is how Parrot aircraft work, for example. A smartphone with the app installed serves as the remote control from which the drone receives its commands.

The control device is identified by an ID key, a unique tag "bound" to the flight-control software installed on the smartphone and to the current session. The principle of the hack is simple: the attacker connects to the drone's network, learns the unique tag, and then sends the copter a command that forces it to disconnect from its current controller and start taking commands from the attacker's smartphone, which presents a "copied" tag of the original device.
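Both the MAVLink remark above (no encryption by default) and the cloned-tag hijack just described come down to the same weakness: the receiver accepts a command because a value it can observe on the air matches, not because the sender proves knowledge of a secret. The following added example (not code from the article, from Parrot or from the MAVLink project) uses a hypothetical, constructed frame layout to show an unauthenticated receiver accepting a rebind from a copied tag, and an authenticated variant in which a keyed MAC over the frame plus a sequence counter rejects both the forged frame and a replayed genuine one. The frame fields, command numbers and class names are assumptions for illustration only.

```python
"""Added example: session tag alone vs. session tag + keyed MAC + sequence counter.
Frame layout (constructed, hypothetical, not any vendor's real format):
    tag (4 bytes) | seq (4 bytes, big-endian) | command (1 byte)
The authenticated variant appends a 16-byte truncated HMAC-SHA256 over those 9 bytes."""
import hashlib
import hmac
import os
import struct

CMD_LAND = 0x01
CMD_REBIND = 0x02   # "switch to a new controller" (hypothetical command number)

class UnauthenticatedReceiver:
    """Accepts any frame whose tag equals the session tag: the article's scenario."""
    def __init__(self, session_tag: bytes):
        self.session_tag = session_tag
        self.executed = []

    def handle(self, frame: bytes) -> bool:
        tag, seq, cmd = struct.unpack(">4sIB", frame[:9])
        if tag != self.session_tag:
            return False
        self.executed.append(cmd)
        return True

class AuthenticatedReceiver:
    """Requires a MAC under a key agreed at pairing and a strictly increasing seq."""
    def __init__(self, session_tag: bytes, key: bytes):
        self.session_tag = session_tag
        self.key = key
        self.last_seq = 0
        self.executed = []

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 9 + 16:
            return False
        body, mac = frame[:9], frame[9:]
        tag, seq, cmd = struct.unpack(">4sIB", body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if tag != self.session_tag or not hmac.compare_digest(mac, expected):
            return False   # forged: a sniffed tag proves nothing without the key
        if seq <= self.last_seq:
            return False   # replayed: a captured genuine frame is useless later
        self.last_seq = seq
        self.executed.append(cmd)
        return True

def build_frame(tag: bytes, seq: int, cmd: int, key: bytes = b"") -> bytes:
    """Build a plain frame, or an authenticated one when a key is given."""
    body = struct.pack(">4sIB", tag, seq, cmd)
    if not key:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def demo() -> dict:
    tag = b"\x13\x37\xbe\xef"   # constructed session tag, observable on the air
    key = os.urandom(32)        # pairing secret the attacker never observes

    # Unauthenticated link: knowing the tag is enough to inject a rebind.
    plain = UnauthenticatedReceiver(tag)
    plain.handle(build_frame(tag, 1, CMD_LAND))
    hijacked = plain.handle(build_frame(tag, 2, CMD_REBIND))   # copied tag

    # Authenticated link: wrong key is rejected, and so is a replay of seq 1.
    auth = AuthenticatedReceiver(tag, key)
    legit = build_frame(tag, 1, CMD_LAND, key)
    accepted = auth.handle(legit)
    forged = auth.handle(build_frame(tag, 2, CMD_REBIND, os.urandom(32)))
    replayed = auth.handle(legit)
    return {"hijacked": hijacked, "accepted": accepted,
            "forged": forged, "replayed": replayed}

if __name__ == "__main__":
    print(demo())
```

The design point is that the tag is an identifier, not a credential: anything the receiver can read off the air, an attacker can read too, so only a secret that never leaves the paired devices (and a counter to stop replays of frames that were genuine once) gives the receiver grounds to trust a command.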

In practice, the drone's network is broken into with an application we have written about more than once: Aircrack-ng. The suite can monitor the air for protected Wi-Fi networks, capture packets and export data from them for further analysis, and run various network attacks.

However, simply breaking into the network is not enough: the data exchanged between the drone and its operator must also be intercepted. An example of such an interception was demonstrated by a man named Samy Kamkar, who built a special device based on a Raspberry Pi single-board computer and recorded his experiments on video.

In brief, his method is as follows:

  • He used a Raspberry Pi with a Wi-Fi dongle plugged into its USB port and an external Alfa AWUS036H adapter, which is what he actually used to break into the network. The single-board computer was battery-powered over Micro USB and served as a scanner that probed the air and determined the MAC addresses of devices connected to wireless networks.
  • The trick is that all Parrot copters use similar MAC addresses from a single block, which can be found in public sources.
  • The video in question used the node-ar-drone client, written in Node.js and designed to work with the Parrot AR.Drone 2.0. The sources of this library are on GitHub. Node-ar-drone lets you interact with Parrot drones through JavaScript commands: change flight direction and altitude, receive the video stream or snapshots from the copter's camera, and do other fun things with it.

Samy Kamkar mounted the Raspberry Pi on his own quadcopter and launched it in search of other Parrot drones. On discovering such a drone's network, he broke into it with Aircrack-ng, established a connection with the "enemy" drone and then used node-ar-drone to intercept the video stream coming from the copter. In this way he could see everything that came into the field of view of the "cracked" drone's camera and, as you have already guessed, control the drone as well.

Intercepting control of Syma quadcopters looks similar:
The same idea is used here: a Raspberry Pi as a channel scanner that tracks nearby transmitters and captures the drone's unique ID. The entire security of the control protocol used by Syma copters rests on checking this identifier. If you feed this identifier into a program that emulates the remote control, you can control the drone.

Once the emulator is started and connected to the RF transmitter, the drone is bound to two remote controls at once: the real one, in the hands of the RC pilot, and the fake one, and it responds to commands from both. The essence of the hack is that the program running on the intruder's controller can send control commands to the drone twice as often as the original remote. If, for example, the operator commands the copter to descend, two commands to climb may arrive from the intruder in the same discrete unit of time. The flight controller will obediently process all of them, but the net result will be a gain in altitude, because more directives came in that direction. Using this quirk of executing commands one after another, the thief can take the drone out of the original controller's range and safely land it in a nearby forest.
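The flooding trick works only because the receiver obeys every command it hears and never asks whether one remote could physically have sent that many. As an added example (not code from the article or from Syma), the detector below runs over a constructed, hypothetical receiver log of timestamped commands and flags any 100 ms window where the command rate exceeds what a single remote can produce, or where opposing commands arrive together; on a flag it decides to hold position rather than execute. The nominal 50 Hz command rate, the window size and the log format are assumptions for illustration.

```python
"""Added example: receiver-side detection of the dual-controller command flood.
Log format (constructed): '<milliseconds> <command>' per line."""
from collections import Counter

NOMINAL_PERIOD_MS = 20   # assumed: a genuine remote sends 50 commands per second
WINDOW_MS = 100
RATE_TOLERANCE = 1.5     # tolerate jitter and duplicates before calling it a flood
OPPOSITES = {("climb", "descend"), ("left", "right"), ("forward", "back")}

def parse_log(text: str):
    """Parse '<ms> <command>' lines into a time-sorted list of (ms, command)."""
    events = []
    for line in text.strip().splitlines():
        ms, cmd = line.split()
        events.append((int(ms), cmd))
    return sorted(events)

def analyse(events):
    """Group commands into WINDOW_MS buckets and flag suspicious buckets.
    Returns (flagged, decision); each flagged entry is (window_start, count, reasons)."""
    max_per_window = WINDOW_MS / NOMINAL_PERIOD_MS * RATE_TOLERANCE   # 7.5
    by_window = {}
    for ms, cmd in events:
        by_window.setdefault(ms // WINDOW_MS * WINDOW_MS, []).append(cmd)
    flagged = []
    for start in sorted(by_window):
        cmds = by_window[start]
        reasons = []
        if len(cmds) > max_per_window:
            reasons.append("rate")        # more commands than one remote can send
        seen = set(cmds)
        if any(a in seen and b in seen for a, b in OPPOSITES):
            reasons.append("conflict")    # two sources pulling in opposite directions
        if reasons:
            flagged.append((start, len(cmds), reasons))
    decision = "failsafe_hold" if flagged else "execute"
    return flagged, decision

def majority_action(cmds):
    """What a naive 'obey everything' controller effectively does over a window:
    the more frequent direction wins, which is exactly what the intruder exploits."""
    return Counter(cmds).most_common(1)[0][0]

# Constructed log: the pilot sends 'descend' every 20 ms for 400 ms; from 200 ms
# a second source with the copied ID sends 'climb' every 10 ms.
SAMPLE_LOG = "\n".join(
    [f"{t} descend" for t in range(0, 400, 20)]
    + [f"{t} climb" for t in range(200, 400, 10)]
)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged, decision = analyse(events)
    for start, n, why in flagged:
        print(f"window {start}-{start + WINDOW_MS} ms: {n} commands, {why}")
    print("naive result in a flooded window:",
          majority_action(["descend"] * 5 + ["climb"] * 10))
    print("decision:", decision)
```

A real flight controller would apply this per channel and with its own rate limits, but the principle is the one that matters: a command rate or a contradiction that no single legitimate remote can produce is itself a signal, and the safe response to it is to stop executing commands rather than to let the louder source win.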

Big toys

The previous section dealt with inexpensive and rather simple aircraft. What about "serious" hardware that uses encryption, or drones that receive data via the DSM2/DSMX or SLT protocols without any smartphones? Is it possible to hijack, say, a DJI product?

Here, as some girls like to say, it's complicated. First, manufacturers try to hide things not only in the literal but also in the figurative sense, for example by grinding the markings off the chips mounted in receivers and transmitters, although connoisseurs already know perfectly well which chips are used there. Second, although all such transmitters work within a specific set of frequencies, the frequency changes automatically every two milliseconds, i.e. the copter hops from one frequency to another about 500 times a second. Third, all commands sent over the control channel are mixed with pseudo-random data, so even if you "hear" such a drone's signal on the air, forging it will be very difficult.

In theory it is certainly possible: you need to obtain the drone's firmware, disassemble it, work out the algorithm behind the frequency hopping and the generation of the digital "noise", and then write an emulator.

It is also possible to exploit protocol vulnerabilities, if any can be found. From this point of view MAVLink is the most promising, because its sources (apart from proprietary components) and a lot of documentation are available. But in that case the effort and nerves spent may be out of all proportion to the result.

If the main task is not to steal the copter but simply to stop it flying over a certain geographical point, simpler methods such as GPS spoofing can be used.

This technology explains the phenomenon of GPS navigators redirecting their users to Sheremetyevo airport when they are near the Kremlin. The devices used for GPS spoofing jam the signal of the navigation satellites and transmit their own signal carrying false coordinates to the receiver. As a result, the device believes it is in the vicinity of the nearest airport. The calculation is that the firmware of most drones includes a ban on flying over civil airports: when approaching an airport, the drone automatically lands or tries to fly around it.

According to the plan of the special services, this measure should reliably protect the most important persons from an unexpected attack from the air. And such fears, it should be noted, are not without reason: last year, for example, Venezuelan President Nicolas Maduro was attacked with a drone stuffed with explosives. And in Syria, militants have long used cheap drones to attack military infrastructure. On the other hand, at that same Gatwick the attackers' copters flew for hours over runways and taxiways and felt perfectly fine…

It is noteworthy that programmable radio transmitters capable of jamming or spoofing a GPS signal are relatively cheap today, only a few hundred dollars, and everything needed can be bought on the Internet. Moreover, even for "professional" copters excessively powerful jammers are quite unnecessary: there have been cases of large drones such as the Phantom getting "lost" near the antennas of mobile operators' base stations or high-voltage power lines. If a copter enters the area of such a jammer, it will very likely start drifting with the wind and, lacking a signal from the navigation satellites, will be unable to determine its current location correctly in order to return to its launch point. After that, as they say, anything is possible.
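Both the spoofing scenario (a sudden "you are next to an airport" position) and the jamming scenario (no trustworthy position at all for a return-to-home) are cases where a flight controller should not act on raw GPS fixes. As an added example (not code from the article or from any drone vendor), the plausibility filter below rejects any fix that could only be reached from the last trusted fix at an impossible speed, applies the no-fly rule only to fixes that survived, and switches to a hold-and-warn state instead of a return-to-home when fixes are being rejected. The coordinates, the speed limit and the no-fly radius are constructed assumptions.

```python
"""Added example: GPS fix plausibility filtering before geofence decisions.
A spoofed position jump is judged against the trusted track, not against the
previous (possibly also spoofed) fix, so a sustained spoof keeps being rejected."""
import math

MAX_SPEED_MPS = 30.0        # assumed: faster than this copter can physically fly
EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def filter_fixes(fixes):
    """fixes: list of (t_seconds, lat, lon), in arrival order.
    Returns (accepted, rejected); rejected entries are (fix, implied_speed_mps)."""
    accepted, rejected = [], []
    for fix in fixes:
        if not accepted:
            accepted.append(fix)          # first fix is trusted by necessity
            continue
        t0, lat0, lon0 = accepted[-1]
        t, lat, lon = fix
        dt = t - t0
        if dt <= 0:
            rejected.append((fix, float("inf")))   # out-of-order time stamp
            continue
        speed = haversine_m(lat0, lon0, lat, lon) / dt
        if speed > MAX_SPEED_MPS:
            rejected.append((fix, speed))  # cannot have got there: discard
        else:
            accepted.append(fix)
    return accepted, rejected

def geofence_decision(accepted, rejected, no_fly_center, no_fly_radius_m):
    """Apply the no-fly rule only to trusted fixes; if fixes are being rejected,
    navigation is being interfered with, so do not attempt a GPS return-to-home."""
    _, lat, lon = accepted[-1]
    if haversine_m(lat, lon, *no_fly_center) <= no_fly_radius_m:
        return "land"
    if rejected:
        return "hold_and_warn"
    return "continue"

# Constructed track: steady ~11 m/s northwards, then two fixes that jump ~22 km
# to a made-up "airport" position, then the genuine track resumes.
AIRPORT = (55.2000, 37.0000)
TRACK = [
    (0, 55.0000, 37.0000),
    (1, 55.0001, 37.0000),
    (2, 55.0002, 37.0000),
    (3, 55.2000, 37.0000),   # spoofed
    (4, 55.2001, 37.0000),   # spoofed
    (5, 55.0005, 37.0000),
]

if __name__ == "__main__":
    ok, bad = filter_fixes(TRACK)
    for fix, v in bad:
        print(f"rejected {fix}: implied speed {v:.0f} m/s")
    print("decision:", geofence_decision(ok, bad, AIRPORT, 5_000))
```

In practice a controller would fuse this with its inertial sensors and barometer rather than rely on a bare speed bound, but the structure carries over: a geofence or return-to-home rule should consume positions that have passed a consistency check, and the absence of consistent positions is itself a condition to handle, not a reason to pick a nearby airport and land.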


So, is it possible to steal a drone after all? As we can see, it is: technically there are no insurmountable obstacles. Everything depends, of course, on the device itself, on the software it runs and on the data-transfer protocols it uses.
