UPDATE: The skies may soon be full of drones, some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by well-known hacker Samy Kamkar may give control of some drones to anyone with $400 and an hour of free time.

Small drones can be quite inexpensive and easy to use. Some models can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn’t require the use of any exploit or security vulnerability.

The drone platform that Kamkar built uses readily available components such as a Raspberry Pi and open-source software he developed. He said that, using the detailed instructions he’s published, anyone with a familiarity with Linux could build a Skyjack drone of his own in under an hour. With that and a controller, the builder is then ready to hijack his neighbor’s drone. The Parrot drones are available for less than $300 and the other components are relatively inexpensive, as well.

“My instructions are pretty detailed, I’ve made the code entirely free and open source, and fortunately all the technology is so low-cost and easy to acquire (< $400 for all of it, including your very own drone) that to put it all together from my instructions would take someone under an hour if they were familiar with Linux,” Kamkar said via email.

“I may also release an ISO that users can simply drop onto a Raspberry Pi without performing any configuration at all, and in that case it would potentially just take minutes without any setup required besides plugging components in!”

The method that Kamkar’s code uses to take over a target drone is deceptively simple. The Skyjack drone detects the wireless signal sent out by a target drone, injects WiFi packets into the target’s connection, de-authenticates it from its real controller and then authenticates it to the Skyjack drone. Kamkar then has the ability to send any commands he wants to the hijacked drone. This can all be done from the ground, as well, he said, using a normal Linux box and his code.

Kamkar uses Aircrack-ng, a wireless key cracking application, to find target drones; the Skyjack software then deauthenticates the clients connected to them and connects to the drones itself. He finds the drones by looking for MAC addresses owned by Parrot, the company that makes the small drones he used for his project. The target range of the Skyjack drones is limited by the range of the WiFi card, but Kamkar said he uses a very powerful WiFi adapter called the Alfa AWUS036H, which produces 1000 mW of power.

“The only security on the Parrot drones is that when the owner is connected to it, no one else is able to control it. This is why I need to use a wifi chipset that allows me to inject packets as I need to exploit wifi and deauthenticate the true owner who is controlling it,” Kamkar said.

“Once deauth’d, I can then take over control without ever actually exploiting the Parrot itself since it creates its own open, wireless network.”
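A defender-side view of the sequence described above, as an added example that is not part of the original article or of Skyjack: it parses bare 802.11 management headers and flags a burst of deauthentication frames against one station that is followed by a different station associating to the same BSSID. The MAC addresses, thresholds and frames are constructed for illustration.

```python
import struct

DEAUTH, ASSOC_REQ = 0xC0, 0x00  # first frame-control byte: mgmt type, subtype 12 / 0

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Parse a bare 802.11 management header (radiotap and FCS already stripped)."""
    if len(frame) < 24 or frame[0] not in (DEAUTH, ASSOC_REQ):
        return None
    ev = {"kind": "deauth" if frame[0] == DEAUTH else "assoc",
          "dst": mac(frame[4:10]), "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if ev["kind"] == "deauth" and len(frame) >= 26:
        ev["reason"] = struct.unpack_from("<H", frame, 24)[0]  # little-endian reason code
    return ev

def detect_takeover(capture, burst=5, window=10.0):
    """Alert when a deauth burst against one station is followed, within
    `window` seconds, by a different station associating to the same BSSID."""
    deauths, alerts = {}, []
    for ts, raw in capture:
        ev = parse_mgmt(raw)
        if ev is None:
            continue
        bssid = ev["bssid"]
        # The station is whichever end of the frame is not the access point.
        station = ev["dst"] if ev["src"] == bssid else ev["src"]
        if ev["kind"] == "deauth":
            deauths.setdefault((bssid, station), []).append(ts)
            continue
        for (b, victim), times in deauths.items():
            recent = [t for t in times if 0 <= ts - t <= window]
            if b == bssid and victim != station and len(recent) >= burst:
                alerts.append({"bssid": bssid, "displaced": victim,
                               "new_station": station, "deauth_frames": len(recent)})
    return alerts

# Constructed sample frames; all MACs are made-up locally administered addresses.
AP, OWNER, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
def build(fc, dst, src, bssid, body=b""):
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

TAKEOVER = [(i * 0.1, build(DEAUTH, OWNER, AP, AP, b"\x07\x00")) for i in range(6)]
TAKEOVER.append((2.0, build(ASSOC_REQ, AP, OTHER, AP)))
BENIGN = [(0.0, build(DEAUTH, OWNER, AP, AP, b"\x07\x00")),
          (1.0, build(ASSOC_REQ, AP, OWNER, AP))]
```

A single deauthentication followed by the same station rejoining, as in `BENIGN`, produces no alert; only the displaced-then-replaced pattern does.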

Amazon’s Jeff Bezos said the company’s Prime Air drone delivery program is several years away yet, and it’s unclear which drone platform it will use if it’s ever deployed. Kamkar’s Skyjack code is available free on GitHub.

This story was updated on Dec. 4 to clarify that not all drones use WiFi and that Skyjack isn’t meant to work against all drone platforms.

Image from Flickr photos of Unten44.

 


Comments (16)

  1. Observer
    1

    Great project. Just a misleading title here as only one brand of drones can be manipulated here. Should read: How to Hijack ‘Parrot AR’ Drones in an Hour for less than $400.

    Reply
    • Blind-Pilot
      2

      I agree, this is a toy grade hack, nothing more. I fly RC and have done so since the 72 MHz days; with today’s 2.4 GHz there is almost zero likelihood of overriding someone’s signal, barring using a jammer, which would crash the vehicle and not allow you to take over control.

      Nice use of redirection for web traffic though.

      Reply
  2. Matt Peterson
    3

    Amazon drones will not be wifi-operated. No commercial drones are. The Parrot AR drone is a toy. There are ways to compromise security, intelligence, delivery drones, but not through the wifi attack described here and completely taking over control would be much more difficult.

    Reply
  3. Matt Peterson
    4

    Specifically, this is incorrect: “Small drones, like the ones that Amazon is planning to use to deliver small packages in short timeframes in a few years, are quite inexpensive and easy to use. They can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well.”

    Only a handful of toy drones can be controlled this way. Even hobbyist-grade drones use encrypted spread-spectrum RF signals that are much more difficult to hack. Autonomous commercial and government drones are much more sophisticated than even that.

    Reply
  4. OMFG Really?
    5

    Looked through the code. There’s nothing there. A few shell commands wrapped in a Perl eval{…} in case something goes wrong.

    All it does is try to hack the wifi on the drone and take over it. Uses some Node.JS scripts to control it (take-off, rotate, etc).

    Too many assumptions are made here. As if there were some kind of unified command library to control any drone hovering around.

    Seriously.

    This is not journalism. This is yellow journalism.

    Give me a break.

    Reply
  5. demodeed
    6

    Who the heck uses WiFi on a drone? LIRC all the big drone users are on proprietary 2.4 R/C systems or something the military uses. And WiFi over 350ft? That’s with LOS on a good day, even with a 1W antenna. And 350ft is nothing when drones are running 500+ft.

    This is just a basic wifi hack. And yes, the AR.Drones run on open WiFi channels… which they could fix easily since it runs a Linux variant.

    Reply
    • olle73
      7

      “And WiFi over 350ft?”

      If you were in the drone community you would know that the three main topics are antennas, antennas and antennas.

      With the right high-gain home-builts, several-mile wifi connections are perfectly possible. The proprietary 2.4GHz radio systems are, while not wifi, all built with hardware originally intended for wifi applications.

      Reply
  6. Michael
    8

    Why does the article assume that all drones work like the Parrot one? There are several points that are absurd:
    - It is just absurd assuming they will all be connected through wifi and using the same means as Parrot drones; even if they do use wifi, the connections can be secured to the point it is not trivial at all to hack it.
    - Why are you comparing a toy made by Parrot with any other small drone? Sure, a drone can even be controlled by a toaster if we put a computer in it, oh and if we know how to communicate with the drone (physical connection and protocol) and how to control the drone; assuming all of these steps are known and trivial is nonsense.

    Kamkar built a nice project to hijack Parrot drones by breaking into a network working with a popular broken encryption scheme; it is a pretty cool project but it can’t be generalized.

    Reply
  7. rotimi A
    9

    Welcome to the Wild Wild West. We are slowly moving to a technology environment with high physical contact and risk exposure to hackers, 2 combinations that result in high impact.

    Reply
  8. osiair
    10

    Well, be my guest to hijack my drone.
    What you talk about is not being able to hijack ANY drone. You talk about being able to hijack some of the toy drones using Wifi.
    What about more sophisticated radio layers?
    Your project is funny for sure. But you overstate what you can do with it. Remember a Reaper Drone is also part of the “any drone” claim. Have loads of fun with that as well… PR is the art of being loud and having a story which can be believed. Yours failed here ;)
    Check my system at http://www.osiworx.com

    Reply
  9. Larry Constantine (Lior Samson)
    12

    The comments demonstrate how easy it is for us propeller-heads to get caught up in refuting the technical details and decrying the journalistic exaggeration but miss the whole dang point. Complex systems are vulnerable and every communications link, every port, is a potential point of access. Wireless hacking into a Reaper would take a lot more than an hour and cost a lot more than $400, but that does not say it is impossible. You can safely bet that well-staffed and well-funded teams in more than one country are already working on precisely that kind of scenario. Whether terrorists could ever pull off a drone hijacking is a debate that would get us into interesting but sensitive territory, not something suitable for an online comments thread.

    –Larry Constantine (pen name, Lior Samson)

    Reply
  10. AJ
    14

    Hijacking drones is very easy: it’s called a 12 gauge shotgun (your choice of shot/slug); only problem is there is not much meat on them!

    Reply
  11. BIG BAD BEAR
    16

    Come on gentlemen, pony up for a freq. roller that locks on to the controller freq. and then initiate redirect or jam! Better yet, latch onto their changing freq. or jamming freq. and go single side band.

    Reply
