How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools

Commercial drones and radio-controlled aircraft are of increasing concern, with commercial airlines afraid of collision and property owners worrying that their privacy is being invaded.

Another risk is the possibility of hijacking or jamming a drone in flight. In recent years several security researchers have made public vulnerabilities for these flying machines. In some cases even providing full source code or tools to play their attacks.

I will be sponsoring an effort for compilation of vulnerable drone and vulnerability testing/exploit methodologies. As part of that effort, this report has been prepared to provide a ready reference of vulnerable drones and associated attack tools. This document compilation should promote a better understanding of how drone vulnerability is currently exploited, and how future drone will take advantage of improvements in available vulnerability research data. I’ll try to keep this page updated as new drone vulnerability details go out.

Last updated: Wednesday, March 1, 2017


For more detail on how setup your own drone security learning enviroment, check my article on How To Set Up A Drone Vulnerability Testing Lab


Skyjack

Attack type: Hijack

Vulnerable drone: Parrot AR.Drone 2.0

References: http://samy.pl/skyjack/

Download: https://github.com/samyk/skyjack


Parrot AR.Drone 2 - WiFi Attack

Attack type: Hijack

Vulnerable drone: Parrot AR.Drone 2.0

References: https://github.com/markszabo/drone-hacking

Spoofing Land command with Scapy

Bebop WiFi Attack

Attack type: Hijack

Vulnerable drone: Parrot Bebop

References: How to Hack a Drone in Kali Linux — Wireless Attacking the Parrot Bebop [Youtube]


Bebop Wi-Fi Drone Disabler with Raspberry Pi

Attack type: Hijack

Vulnerable drone: Parrot Bebop

References: Makezine Build a Wi-Fi Drone Disabler with Raspberry Pi

Makezine Bebop disabler

GPS Spoofing

Attack type: Hijack

Attack Hardware: HackRF ($300) or BladeRF x40 ($420)

Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)

References:

GPS Spoofing a UAV (DJI Phantom)

Unmanned Aircraft Capture and Control via GPS Spoofing

How to spoof GPS with HackRF

GPS Spoofing set up

GPS Jammer

Attack type: DoS

Vulnerable drone: Most GPS enabled drones ( DJI Phantom 1/2/3/4, DJI Inspire, DJI Mavic, Yuneec Brezee, Yuneec Thypoon, Yuneec Tornado, etc)

References: Review & Teardown of a cheap GPS Jammer

$20 GPS Jammer

FPV Drone video downlink jammer

Attack type: DoS

Vulnerable drone: Most FPV race drones.

References: http://www.thingiverse.com/thing:1639683


DeviationTX NRF24L01 Hijack

Attack type: Hijack ( Bind before owner , overpower fixed freq/fixed ID)

Vulnerable drone: Most toy drones from Attop, Bayang, Cheerson, Eachine, Floueron, Hisky, JJRC, JD, Syma & WLToys) Complete list.

References: DeviationTX with $5 nrf24l01 module the universal drone remote.

DHD & Cheerson toy drones with NRF24L01 module.

ICARUS

Attack type: Hijack

Vulnerable drone: Most hobby/professional grade drones & RC airplanes using DSMx protocol.

References: Attacking DSMx with SDR (PacSec 2016 — English 英語)

ICARUS setup.

Nils Rodday Attack

Attack type: Hijack

Vulnerable drone: Aerialtronics Altura Zenith (Law Enforcement Drone)

References:

Hacker Says He Can Hijack a $35K Police Drone a Mile Away

Hacking a professional drone by Nils Rodday


Drone Duel

Attack type: Hijack

Vulnerable drone: Cheerson CX-10 (Micro quadcopter)

References: Drone Hacking is becoming childs play

Download: Drone Duel Github

CX-10 binding handshake


Fb1h2s Maldrone

Attack type: Backdoor

Vulnerable drone: Parrot AR

References: http://garage4hackers.com/entry.php?b=3105

First Backdoor for Drones. Maldrone aka Malware for Drones By Rahul Sasi

Aaron Luo DJI Phantom 3 hijack

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

Phantom 3 Architecture

References:

DEFCON 24 Drones Hijacking: Cyber Safety Solution multi-dimensional attack vectors and countermeasure [pdf]


DJI Phantom 3 default settings

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

DJI Phantom 3 camera default passwords

References:

Security Analysis of DJI Phantom 3 Standard by Fernando Trujano, Benjamin Chan, Greg Beams, Reece Rivera [pdf]


Voidsec Hacking DJI Phantom 3

Attack type: Hijack

Vulnerable drone: DJI Phantom 3

References:

Hacking the DJI Phantom 3 By voidsec


Sololink Hack

Attack type: Hijack

Vulnerable drone: 3DR Solo

References:

Shelling out on 3DR Sologetting root on a ‘Smart drone’ [pdf]

Sololink uses Atheros WiFi chipset
(Complete Video) How To Change the 3DR Solo Smart Drone Sololink Password and WHY???