Where’ve you been flying? Your drone’s Wi-Fi is telling everyone
With drones flying overhead taking high definition video or high res pictures there is widespread concern about sensitive data and images ending up in the wrong hands. However, nobody worries about the privacy of the drone operator. In this article we will see how the bad guys can easily locate the usual flying sites for a given drone, then using any of the multiple vulnerabilities to hijack the signal or cause it to crash. Or if the owner’s house is identified, thieves could sneak in to steal the drone and any other expensive device that the drone pilot may possess.
Wi-Fi is used as a control system in some types of drones, from expensive professional unmanned aerial vehicles to inexpensive toys.
Most drone remote control communicates through the RC radio protocols like DSM2 or Flysky from controller to a receiver module on the drone. But Wifi drones does it differently. Instead of a radio module, the drone comes outfitted with a Wi-Fi access point. Pilot need to disconnect from any other Wi-Fi networks and explicitly connect to the drone Access Point in order to control drone functions.
Worse yet, some manufacturers failed to implement the system securely. The Wi-Fi pre-shared key is the same for all drones or have no security at all. In a previous article we learned how the drones operated by Wi-Fi are the easiest to hack.
The access point usually has a unique SSID in the format. For example the $1300 Parrot Disco flying wing uses the format <DISCO-nnnnnn>, where “n” are numbers. Few pilots modify this configuration, but even if the owner changes the name of the network it is still possible to identify the drone using its MAC address.
In wireless networks the first three bytes of the address are the OUI. The organization unique identifier is a 24-bit number that uniquely identifies a vendor or manufacturer.
This meant anyone is able to search wigle.net and easily geolocate drone flying zones or even owners homes. WiGLE, or (Wireless Geographic Logging Engine), is a website for collecting information about the different wireless hotspots around the world. Users can register on the website and upload hotspot data like GPS coordinates, SSID, MAC address and the encryption type used on the hotspots discovered. The wiggle database is accessed and distributed under a freeware license.
Drone pilots often have preferred places where they are go to fly to improve their skills, so these places would stand out strongly in the Wigle database since they will probably have multiple observations. But in the case of small size drones designed to fly indoor normally will not leave owners home or when pilot turn on the drone wifi at home to download videos, these locations may also end up in the public database.
Countermeasures are for most cases not available, although many manufacturers allow you to configure a password for the Wifi access point, few allow to change the name of the network or the address of the wifi adapter.