How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools
Commercial drones and radio-controlled aircraft are of increasing concern, with commercial airlines afraid of collision and property owners worrying that their privacy is being invaded.
Another risk is the possibility of hijacking or jamming a drone in flight. In recent years several security researchers have made public vulnerabilities for these flying machines. In some cases even providing full source code or tools to play their attacks.
I will be sponsoring an effort for compilation of vulnerable drone and vulnerability testing/exploit methodologies. As part of that effort, this report has been prepared to provide a ready reference of vulnerable drones and associated attack tools. This document compilation should promote a better understanding of how drone vulnerability is currently exploited, and how future drone will take advantage of improvements in available vulnerability research data. I’ll try to keep this page updated as new drone vulnerability details go out.
Last updated: October 18, 2021
For more detail on how setup your own drone security learning environment, check my article on How To Set Up A Drone Vulnerability Testing Lab
Reverse engineering Yuneec Q500 Zigbee
Attack type: Radio protocol Rev Eng
Vulnerable drone: Yuneec Q500
References: http://www.codemakesitgo.com/yuneec-q500-zigbee-decoded/
Yuneec Zigbee protocol spreadsheet: http://www.codemakesitgo.com/wp-content/uploads/2019/02/Yuneec-Protocol.xlsx
Reverse engineering FIMI A3
Attack type: Firmware Rev Eng
Vulnerable drone: Xiaomi FIMI A3
References: https://medium.com/@konrad_it/brief-reverse-engineering-work-on-fimi-a3-5422d93db560
GitHub repository: https://github.com/KonradIT/fimi_a3
Skyjack
Attack type: Hijack
Vulnerable drone: Parrot AR.Drone 2.0
References: http://samy.pl/skyjack/
Download: https://github.com/samyk/skyjack
Parrot AR.Drone 2 - WiFi Attack
Attack type: Hijack
Vulnerable drone: Parrot AR.Drone 2.0
References: https://github.com/markszabo/drone-hacking
Bebop WiFi Attack
Attack type: Hijack
Vulnerable drone: Parrot Bebop
References: How to Hack a Drone in Kali Linux — Wireless Attacking the Parrot Bebop [Youtube]
DroneJack
Attack type: Detect/Hijack
Vulnerable drone: Parrot Bebop
References: DroneJack: Kiss your drones goodbye! [PDF]
Bebop Wi-Fi Drone Disabler with Raspberry Pi
Attack type: Hijack
Vulnerable drone: Parrot Bebop
References: Makezine Build a Wi-Fi Drone Disabler with Raspberry Pi
GPS SpoofingGPS Spoofing
Attack type: Hijack
Attack Hardware: HackRF ($300) or BladeRF x40 ($420)
Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)
References:
GPS Spoofing a UAV (DJI Phantom)
GPS Jammer
Attack type: DoS
Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)
References: Review & Teardown of a cheap GPS Jammer
FPV Drone video downlink jammer
Attack type: DoS
Vulnerable drone: Most FPV race drones.
References: http://www.thingiverse.com/thing:1639683
DeviationTX NRF24L01 Hijack
Attack type: Hijack ( Bind before owner , overpower fixed freq/fixed ID)
Vulnerable drone: Most toy drones from Attop, Bayang, Cheerson, Eachine, Floueron, Hisky, JJRC, JD, Syma & WLToys) Complete list.
References: DeviationTX with $5 nrf24l01 module the universal drone remote.
ICARUS
Attack type: Hijack
Vulnerable drone: Most hobby/professional grade drones & RC airplanes using DSMx protocol.
References: Attacking DSMx with SDR (PacSec 2016 — English 英語)
Security Analysis of FHSS-type Drone
Controller
Attack type: Hijack
Vulnerable drone: FHSS-type hobby/professional grade controllers (Frsky ACCST).
References: Security Analysis of FHSS-type Drone
Controller.
Nils Rodday Attack
Attack type: Hijack
Vulnerable drone: Aerialtronics Altura Zenith (Law Enforcement Drone)
References:
Drone Duel
Attack type: Hijack
Vulnerable drone: Cheerson CX-10 (Micro quadcopter)
References: Drone Hacking is becoming childs play
Download: Drone Duel Github
Michael Melchio’s QC 360 A1 Reverse Engineering
Attack type: Hijack/Intercept
Vulnerable drone: QC 360 A1 ( LIDL Toy Quadcopter)
References:
Ezequiel’s Syma X5SW Reverse Engineering
Attack type: Hijack/Intercept
Vulnerable drone: Syma X5SW
References: Love is in the air: Reverse Engineering a shitty drone
Fb1h2s Maldrone
Attack type: Backdoor
Vulnerable drone: Parrot AR
References: http://garage4hackers.com/entry.php?b=3105
Aaron Luo DJI Phantom 3 hijack
Attack type: Hijack
Vulnerable drone: DJI Phantom 3
References:
DJI Phantom 3 default settings
Attack type: Hijack
Vulnerable drone: DJI Phantom 3
References:
DROP (DRone Open source Parser): Forensic analysis of the DJI Phantom IIIDJI Phantom 3
Attack type: Computer Forensics
Vulnerable drone: DJI Phantom 3
Voidsec Hacking DJI Phantom 3
Attack type: Hijack
Vulnerable drone: DJI Phantom 3
References:
DJI Phantom 4 RevEng by Vessial
Attack type: Reverse engineering
Vulnerable drone: DJI Phantom 4
References:
Kevin Finisterre DJI infrastructure comprise
Attack type: Leaked AWS keys
Vulnerable drone: All DJI Customers
References:
Hacking DJI Naza M
Attack type: Reverse Eng.
Vulnerable drone: DJI Naza M Flight Controller
References:
Note, tools & musings on the DJI Naza M Flight Controller
seasonalvegetables3
DJI Spark hijacking
Attack type: Hijack / Rev Eng
Vulnerable drone: DJI Spark
Reference: https://embedi.com/blog/dji-spark-hijacking/
Optical sensor spoofing
Attack type: Hijack
Vulnerable drone: Arducopter, AR.Drone 2.0
References:
Sololink Hack
Attack type: Hijack
Vulnerable drone: 3DR Solo
References:
Shelling out on 3DR Sologetting root on a ‘Smart drone’ [pdf]
E012 SDR transmitter
Attack type: Reverse Eng.
Vulnerable drone: Eachine E012 mini quadcopter
References:
Drone Hijacking by Arthur Garipov
Attack type: Hijack
Vulnerable drone: Multiple
References:
Drone Hijacking and other IoT hacking with GNU Radio and SDR by Arthur Garipov [pdf]
Hacking Toy Flyers
Attack type: Hijack
Vulnerable drone: Multiple (MAVSTAR , MC2, REELY, DelFly)
References: