How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools

Commercial drones and radio-controlled aircraft are of increasing concern, with commercial airlines afraid of collision and property owners worrying that their privacy is being invaded.

Another risk is the possibility of hijacking or jamming a drone in flight. In recent years several security researchers have made public vulnerabilities for these flying machines. In some cases even providing full source code or tools to play their attacks.

I will be sponsoring an effort for compilation of vulnerable drone and vulnerability testing/exploit methodologies. As part of that effort, this report has been prepared to provide a ready reference of vulnerable drones and associated attack tools. This document compilation should promote a better understanding of how drone vulnerability is currently exploited, and how future drone will take advantage of improvements in available vulnerability research data. I’ll try to keep this page updated as new drone vulnerability details go out.

Last updated: October 18, 2021

For more detail on how setup your own drone security learning environment, check my article on How To Set Up A Drone Vulnerability Testing Lab

Reverse engineering Yuneec Q500 Zigbee

Attack type: Radio protocol Rev Eng

Vulnerable drone: Yuneec Q500

References: http://www.codemakesitgo.com/yuneec-q500-zigbee-decoded/

Yuneec Zigbee protocol spreadsheet: http://www.codemakesitgo.com/wp-content/uploads/2019/02/Yuneec-Protocol.xlsx

Reverse engineering FIMI A3

Attack type: Firmware Rev Eng

Vulnerable drone: Xiaomi FIMI A3

References: https://medium.com/@konrad_it/brief-reverse-engineering-work-on-fimi-a3-5422d93db560

GitHub repository: https://github.com/KonradIT/fimi_a3

Xiaomi FIMI

Skyjack

Attack type: Hijack

Vulnerable drone: Parrot AR.Drone 2.0

References: http://samy.pl/skyjack/

Download: https://github.com/samyk/skyjack

Parrot AR.Drone 2 - WiFi Attack

Attack type: Hijack

Vulnerable drone: Parrot AR.Drone 2.0

References: https://github.com/markszabo/drone-hacking

Spoofing Land command with Scapy

Bebop WiFi Attack

Attack type: Hijack

Vulnerable drone: Parrot Bebop

References: How to Hack a Drone in Kali Linux — Wireless Attacking the Parrot Bebop [Youtube]

DroneJack

Attack type: Detect/Hijack

Vulnerable drone: Parrot Bebop

References: DroneJack: Kiss your drones goodbye! [PDF]

Bebop Wi-Fi Drone Disabler with Raspberry Pi

Attack type: Hijack

Vulnerable drone: Parrot Bebop

References: Makezine Build a Wi-Fi Drone Disabler with Raspberry Pi

Makezine Bebop disabler

GPS SpoofingGPS Spoofing

Attack type: Hijack

Attack Hardware: HackRF ($300) or BladeRF x40 ($420)

Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)

References:

GPS Spoofing a UAV (DJI Phantom)

Unmanned Aircraft Capture and Control via GPS Spoofing

How to spoof GPS with HackRF

GPS Spoofing set up

GPS Jammer

Attack type: DoS

Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)

References: Review & Teardown of a cheap GPS Jammer

$20 GPS Jammer

FPV Drone video downlink jammer

Attack type: DoS

Vulnerable drone: Most FPV race drones.

References: http://www.thingiverse.com/thing:1639683

DeviationTX NRF24L01 Hijack

Attack type: Hijack ( Bind before owner , overpower fixed freq/fixed ID)

Vulnerable drone: Most toy drones from Attop, Bayang, Cheerson, Eachine, Floueron, Hisky, JJRC, JD, Syma & WLToys) Complete list.

References: DeviationTX with $5 nrf24l01 module the universal drone remote.

DHD & Cheerson toy drones with NRF24L01 module.

ICARUS

Attack type: Hijack

Vulnerable drone: Most hobby/professional grade drones & RC airplanes using DSMx protocol.

References: Attacking DSMx with SDR (PacSec 2016 — English 英語)

ICARUS setup.

Security Analysis of FHSS-type Drone
Controller

Attack type: Hijack

Vulnerable drone: FHSS-type hobby/professional grade controllers (Frsky ACCST).

References: Security Analysis of FHSS-type Drone
Controller.

Nils Rodday Attack

Attack type: Hijack

Vulnerable drone: Aerialtronics Altura Zenith (Law Enforcement Drone)

References:

Hacker Says He Can Hijack a $35K Police Drone a Mile Away

Hacking a professional drone by Nils Rodday

Drone Duel

Attack type: Hijack

Vulnerable drone: Cheerson CX-10 (Micro quadcopter)

References: Drone Hacking is becoming childs play

Download: Drone Duel Github

CX-10 binding handshake

Michael Melchio’s QC 360 A1 Reverse Engineering

Attack type: Hijack/Intercept

Vulnerable drone: QC 360 A1 ( LIDL Toy Quadcopter)

References:

Reverse Engineering a Quadcopter RC, or: How to not miss the needle while throwing the haystack in the air (Part 1)

Reverse Engineering a Quadcopter RC, or: How to not miss the needle while throwing the haystack in the air (Part 2)

Reverse Engineering a Quadcopter RC, or: How to not miss the needle while throwing the haystack in the air (Part 3)

Ezequiel’s Syma X5SW Reverse Engineering

Attack type: Hijack/Intercept

Vulnerable drone: Syma X5SW

References: Love is in the air: Reverse Engineering a shitty drone

Fb1h2s Maldrone

Attack type: Backdoor

Vulnerable drone: Parrot AR

References: http://garage4hackers.com/entry.php?b=3105

First Backdoor for Drones. Maldrone aka Malware for Drones By Rahul Sasi

Aaron Luo DJI Phantom 3 hijack

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

Phantom 3 Architecture

References:

DEFCON 24 Drones Hijacking: Cyber Safety Solution multi-dimensional attack vectors and countermeasure [pdf]

DJI Phantom 3 default settings

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

DJI Phantom 3 camera default passwords

References:

Security Analysis of DJI Phantom 3 Standard by Fernando Trujano, Benjamin Chan, Greg Beams, Reece Rivera [pdf]

DROP (DRone Open source Parser): Forensic analysis of the DJI Phantom IIIDJI Phantom 3

Attack type: Computer Forensics

Vulnerable drone: DJI Phantom 3

References: DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III by Devon R. Clark, Christopher Meffert, Ibrahim Baggili, Frank Breitinger [PDF]

Voidsec Hacking DJI Phantom 3

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

References:

Hacking the DJI Phantom 3 By voidsec

DJI Phantom 4 RevEng by Vessial

Attack type: Reverse engineering

Vulnerable drone: DJI Phantom 4

References:

Hacking the DJI Phantom 4 by vessial (chinese PDF)

Kevin Finisterre DJI infrastructure comprise

Attack type: Leaked AWS keys

Vulnerable drone: All DJI Customers

References:

Why I walked away from $30,000 of DJI bounty money [PDF]

Hacking DJI Naza M

Attack type: Reverse Eng.

Vulnerable drone: DJI Naza M Flight Controller

DJI Naza M

References:

Note, tools & musings on the DJI Naza M Flight Controller
seasonalvegetables3

DJI Spark hijacking

Attack type: Hijack / Rev Eng

Vulnerable drone: DJI Spark

Reference: https://embedi.com/blog/dji-spark-hijacking/

Optical sensor spoofing

Attack type: Hijack

Vulnerable drone: Arducopter, AR.Drone 2.0

References:

Controlling UAVs with Sensor Input Spoofing Attacks [pdf]

Optical sensor spoofing

Sololink Hack

Attack type: Hijack

Vulnerable drone: 3DR Solo

References:

Shelling out on 3DR Sologetting root on a ‘Smart drone’ [pdf]

Sololink uses Atheros WiFi chipset

(Complete Video) How To Change the 3DR Solo Smart Drone Sololink Password and WHY???

E012 SDR transmitter

Attack type: Reverse Eng.

Vulnerable drone: Eachine E012 mini quadcopter

Goebish D. Eachine E012 mini quadcopter SDR transmitter

References:

https://github.com/goebish/E012-SDR-transmitter

Drone Hijacking by Arthur Garipov

Attack type: Hijack

Vulnerable drone: Multiple

References:

Drone Hijacking and other IoT hacking with GNU Radio and SDR by Arthur Garipov [pdf]

Hacking Toy Flyers

Attack type: Hijack

Vulnerable drone: Multiple (MAVSTAR , MC2, REELY, DelFly)

References:

Hacking and controlling toy flyers — (BioRob) [PDF]

Alien Jump jet connected to a PC platform.