drone hacking guide
Sander's guide to hacking many different types of drones (Medium)

“How can drones be hacked?” An insightful article by Sander Walters on Medium, elaborating on the current approaches to Drone Hacking.


Author Foreword

Commercial drones and radio-controlled aircraft are of increasing concern, with commercial airlines afraid of collision and property owners worrying that their privacy is being invaded.

Another risk is the possibility of hijacking or jamming a drone in flight. In recent years several security researchers have made public vulnerabilities for these flying machines. In some cases even providing full source code or tools to play their attacks.

I will be sponsoring an effort for compilation of vulnerable drone and vulnerability testing/exploit methodologies. As part of that effort, this report has been prepared to provide a ready reference of vulnerable drones and associated attack tools. This document compilation should promote a better understanding of how drone vulnerability is currently exploited, and how future drone will take advantage of improvements in available vulnerability research data. I’ll try to keep this page updated as new drone vulnerability details go out.

 


Skyjack

Attack type: Hijack

Vulnerable drone: Parrot AR.Drone 2.0

References: http://samy.pl/skyjack/

Download: https://github.com/samyk/skyjack

 


Parrot AR.Drone 2 – WiFi Attack

Attack type: Hijack

Vulnerable drone: Parrot AR.Drone 2.0

References:

  1. https://github.com/markszabo/drone-hacking
  2. https://github.com/dronehacker

Hacking the Parrot AR.DRONE 2.0

Drone Hacking Code
Spoofing Land command with Scapy
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

 


Bebop WiFi Attack

Attack type: Hijack

Vulnerable drone: Parrot Bebop

References: How to Hack a Drone in Kali Linux — Wireless Attacking the Parrot Bebop [Youtube]

 


GPS Spoofing

Attack type: Hijack

Attack Hardware: HackRF ($300) or BladeRF x40 ($420)

Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)

References:

GPS Spoofing a UAV (DJI Phantom)

Unmanned Aircraft Capture and Control via GPS Spoofing

How to spoof GPS with HackRF

GPS Spoofing set up
GPS Spoofing set up
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

GPS Jammer

Attack type: DoS

Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)

References: Review & Teardown of a cheap GPS Jammer

20 GPS Jammer
$20 GPS Jammer
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

 


FPV Drone video downlink jammer

Attack type: DoS

Vulnerable drone: Most FPV race drones.

References: http://www.thingiverse.com/thing:1639683

 


DeviationTX NRF24L01 Hijack

Attack type: Hijack ( Bind before owner , overpower fixed freq/fixed ID)

Vulnerable drone: Most toy drones from Attop, Bayang, Cheerson, Eachine, Floueron, Hisky, JJRC, JD, Syma & WLToys) Complete list.

References: DeviationTX with $5 nrf24l01 module the universal drone remote.

DHD & Cheerson toy drones with NRF24L01 module.
DHD & Cheerson toy drones with NRF24L01 module.
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

 


ICARUS

Attack type: Hijack

Vulnerable drone: Most hobby/professional grade drones & RC airplanes using DSMx protocol.

References: Attacking DSMx with SDR (PacSec 2016 — English 英語)

 


Nils Rodday Attack

Attack type: Hijack

Vulnerable drone: Aerialtronics Altura Zenith (Law Enforcement Drone)

References:

Hacker Says He Can Hijack a $35K Police Drone a Mile Away

Hacking a professional drone by Nils Rodday

 


Drone Duel

Attack type: Hijack

Vulnerable drone: Cheerson CX-10 (Micro quadcopter)

References: Drone Hacking is becoming childs play

Download: Drone Duel Github

CX-10 binding handshake
CX-10 binding handshake
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

Fb1h2s Maldrone

Attack type: Backdoor

Vulnerable drone: Parrot AR

References: http://garage4hackers.com/entry.php?b=3105

 


Aaron Luo DJI Phantom 3 hijack

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

Phantom 3 Architecture
Phantom 3 Architecture
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

References:

DEFCON 24 Drones Hijacking: Cyber Safety Solution multi-dimensional attack vectors and countermeasure [pdf]

 


DJI Phantom 3 default settings

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

DJI Phantom 3 camera default passwords
DJI Phantom 3 camera default passwords
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)

References:

Security Analysis of DJI Phantom 3 Standard by Fernando Trujano, Benjamin Chan, Greg Beams, Reece Rivera [pdf]


 

Sololink Hack

Attack type: Hijack

Vulnerable drone: 3DR Solo

References:

Shelling out on 3DR Sologetting root on a ‘Smart drone’ [pdf]

Sololink uses Atheros WiFi chipset
Sololink uses Atheros WiFi chipset
Source: (https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809#.opw98rfbc)


~ Sander Walters


This is a post written by Sander Walters, originally published on the website Medium, where the original content can be found.

As a site dedicated to drone security, hardening, and hacking this post by Sander definitely caught our interest! Dronesec does not condone nor support drone hacking when conducted illegally, however it’s increasingly important to be aware of the type of attacks out there and how to defend against them.

Thanks again Sander for this insightful post – we welcome readers to speak their mind and accept submissions for guest posts here.