Security Researcher Demonstrates It's Easy to Hijack Airborne Drones

By Wayne Rash  |  Posted 2013-12-08

Security Researcher Demonstrates It's Easy to Hijack Airborne Drones

Security and privacy researcher Samy Kamkar told eWEEK exactly how easy it is to take over a small drone while it's in flight and then turn the device to your own ends.

In effect, he says, it's not only possible to steal a drone, it's easy and cheap, especially when the system was designed without strong security features. He also said that there are things a drone user can do to prevent this from happening.

There are also some limitations. Kamkar said that his method of hijacking a drone currently only works with devices made by Parrot, which is one of the most commonly used remotely piloted drones. It also requires a software application, called Skyjack, that was developed in part by Kamkar.

The security of drone communications has become an issue since founder and CEO Jeff Bezos revealed on a Dec. 1 broadcast of the CBS news feature show "60 Minutes" that his company is developing airborne drones capable of delivering packages to customers. This has triggered a public debate on whether an express delivery service based on unmanned drones could be operated safely and reliably, especially in urban areas.

Kamkar is a long-time security researcher and developer of security systems. He is founder of Unleak, a start up that is beta testing an enterprise data security product. He was also the co-founder of Fonality and Global Domains. His work with drones is part of his ongoing cyber-security research.

The Parrot AR drone is widely used in news and video applications as well as for use in law enforcement besides being widely used by hobbyists. For its size, it's a sophisticated device with a wide range of options and it can be purchased from for under $300.

Kamkar said that his hijacking method will not work if drone operators take security precautions such as encrypting the data link. "SkyJack will not work if the drone is using an encrypted com link," Kamkar said in an email. "It currently only works with Parrot-based systems, all of which are unencrypted."

But what would-be drone delivery companies, such as Amazon and UPS, should be worried about is that the same method of taking over a drone could work on their devices, once the details about their operation are known. Kamkar used those details about Parrot drones to program his own drone to take them over.

As Kamkar explains on his site, he installs a Raspberry Pi computer, a battery and a wireless transmitter on his own drone. He's installed Linux on the computer and runs Skyjack software, which is the application that does the actual drone takeover.

"The software works with a queuing mechanism," Kamkar explained in his email to eWEEK. "Taking over one drone at a time until all drones it sees are Skyjacked, and then repeats looking for additional drones to control."

Kamkar's drone can operate autonomously, flying around near his Los Angeles home encountering drones it can take over. But Kamkar also said that the software does not need to be installed on a drone to function. In fact, it can be installed on a ground-based computer and simply take over any drone it can detect.

Security Researcher Demonstrates It's Easy to Hijack Airborne Drones

The Skyjack software identifies Parrot drones by detecting their unique MAC (Media Access Control) addresses from their built-in WiFi radios. Once the software has identified the Parrot drone, it commands it to drop its existing WiFi connection. Once it obeys that command, the software connects to the drone's control system, passing control of the device over to the Skyjack operator who gains full control over the target drone.

The operator can fly that drone anywhere and use its existing onboard cameras. If the drone were carrying a package, they could command it to land, and drop off the package.

The single most important vulnerability that Kamkar has found is that these drones are using unencrypted data links. However, the fact that they are so easily identified by their MAC address certainly plays a role. All that's required is an automated system to take over the onboard control system, pass control to the new operator, and then move on to the next device.

Of course, the proposed Amazon or UPS drones, if they ever make it past the regulatory authorities, aren't likely to be running Parrot control systems. But they are each likely to be running control systems that are easily identified by their own control link signals. And therein lies the problem.

The commercial drones are certainly going to be larger and more substantial in their construction compared to the relatively flimsy construction of devices hobbyists can afford to buy on Amazon. But unless the companies operating those drones make sure they add some significant security to their radio control links, there's no reason they can't also be taken over in the same way.

Such a take-over of a delivery drone could make theft more likely in the course of a delivery. But there are other more troubling possibilities. Someone could, for example, fly such a drone into the path of a landing airliner and even if the drone didn't actually make it crash, the surprise to the pilot could easily cause a loss of control all by itself.

Likewise, such a drone, if being used for law enforcement or public safety, could have its capabilities subverted. Not only would the drone not be looking at what it's supposed to, it could reveal information that the new operator wants to see.

While Kamkar's revelations will give drone hobbyists some fun, they point to a serious vulnerability. If these devices are to be used commercially, they need to be highly secure and not easily taken over. Hopefully, the security of the data link will be a significant factor in approving unmanned vehicles for flight in populated areas. Without it, drone operators are simply asking for trouble.

Rocket Fuel