How To Hijack a Drone For $400 In Less Than an Hour 161
Trailrunner7 writes "The skies may soon be full of drones – some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by a well-known hacker Samy Kamkar may give control of those drones to anyone with $400 and an hour of free time. Small drones, like the ones that Amazon is planning to use to deliver small packages in short timeframes in a few years, are quite inexpensive and easy to use. They can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability."
No, this will not work on Amazon's drones. (Score:5, Insightful)
In TFA he is hacking a Parrot AR wifi drone. If Amazon ever gets off the ground (ahem) with their drones, they will likely be autonomous, using GPS to guide them to their location. Monitoring and flight plan changes would likely occur by satellite as well. That's not to say that they are immune from attack, but none of the types of drones described in the summary (law enforcement, intelligence agencies, Amazon) are going to be susceptible to his attack.
Re: (Score:2)
Without a security vulnerability? (Score:5, Insightful)
"All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability"
"...detects the wireless signal sent out by a target drone, injects WiFi packets into the target’s connection, de-authenticates it from its real controller and then authenticates it to the Skyjack drone"
Uhh... for what definition of "security vulnerability" is this not a "security vulnerability"?
Re: (Score:3, Interesting)
A security vulnerability implies that at some level, there had to have been the faintest vague attempt at being secure.
He exploited a vulnerability, to be sure, but he seems uncomfortable calling it a security vulnerability.
Re: (Score:2)
Because the product is designed to behave this way. If it's documented, it's a feature, not a bug.
Re: (Score:2)
so there is no option to use wpa or any wifi security at all? that's what it implies.
breaking wpa would imply a security vulnurability.
and dunno how it could be "like those used by amazon" since amazon doesn't yet use or have any.
Re: (Score:2)
It sounds like it does what ever the AR done software does when it pairs with the drone. There is no screen or keyboard on the drone to enter a WPA key.
What ever they're doing, its not new. This was discussed two years ago http://www.ardrone-flyers.com/forum/viewtopic.php?t=2151 [ardrone-flyers.com]
No vulnerabilities? Really? (Score:4, Insightful)
All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability.
Between me and the author of this sentence, I think we have two different definitions of "security vulnerability".
Re: (Score:2)
If he is referring to the unlikely Amazon delivery drones, I really don't understand that sentence at all. How would he know what security the drones will have in place? It's a safe bet Amazon wouldn't communicate unencrypted with them.
Comment removed (Score:5, Interesting)
Re: (Score:2)
I was wondering about that, too. Maybe they'll have the drone autonomously fly to the target's address, then have a human pilot land it on the doorstep, guiding it via GPRS, 4G, or something similar.
Re: (Score:1)
It would likely be a Destination Landing Pad. I suspect the optimal setup would be a subscription service, and the landing pad would be part of the subscription.
Re: (Score:2)
I don't think they're smart enough to reliably drop packages on the roof or even in the pool, but I understand they're motion capturing paper boys on their routes to see if they can learn the secret.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
Within hours of Bozos or whatever his name is deploying one, the country (whichever country) will be blanketed with people "hacking" their own fakes using paper, a ruler, a pen and some ingenuity.
If you deployed a paper "target" with the address for someone one street further away from the Amazon depot compared to your house, and the Amazon drone delivered the parcel to you, would tha
Re: (Score:2)
The "Parrot AR.Drone 2.0 Quadricopter" ships at a 4 pounds weight and a shipping size of 23in by 23in (by 0.5in - I don't believe that last one ; probably 5in deep). Say that the Amaz-drone has twice the landing weight (for 5lb of payload, and some improvements in lightening the airframe and battery). Then to a first approximation you'd t
Re:Simple: just turn off the wireless (Score:4, Funny)
Actually I'm still wondering if the drone would be smart enough to land on pavement or miss entirely and drop packages on a customer roof or balcony
Hopefully they don't use the code that delivers care packages in Call of Duty then.
Re: (Score:2)
GPS is not reliable or accurate enough for doorstep deliveries, will need some human controller.
The max. accuracy of normal GPS is about 1m, which is already a bit coarse for doorstep delivery and in urban areas receivers may get confused by reflections off of buildings. And even if GPS were accurate enough, you'd need to know really accurate coordinates of that doorstep, or that park bench where the person ordering the pizza is.
So certainly a human operator will have to do the last part of the trip.
Re:Simple: just turn off the wireless (Score:5, Insightful)
DGPS can get 10cm resolution if done right, and DGPS coverage is not a problem for most residences in the US and certainly not in the areas I'm sure Amazon will pilot (no pun intended) this system. Vision systems are getting more sophisticated and can probably find the front door reliably with sufficient accuracy once on the scene. I'm curious to know how it will handle apartments, though.
Re:Simple: just turn off the wireless (Score:4, Funny)
I'm curious to know how it will handle apartments, though.
A cannon to launch the parcel through the window?
Re: (Score:3)
Apartments are easy! Just drop it on the communal stoop, wait for someone to steal the package, and send an SMS alert about "successful delivery" some hours later.
Just like it works right now, with UPS, USPS, FedEx [...].
(Speaking of SMS delivery alerts: A decade or more ago, I was getting delivery alerts in near real-time to my (then) fancy-pants alphanumeric pager (via SMTP). I'd greet the driver at the door, and usually by the time I was unboxing the stuff my pager would go off.
What happened to the ti
DR Garage (Score:2)
I want to know who this DR Garage is! He signs for all of my UPS deliveries!
Re: (Score:2)
The accuracy of GPS is not the problem. The problem is places where GPS is useless.
To be honest, if I can order something and it be in my drive in about 1/2 an hour, that is good enough, where I am living now. I can keep an eye out for it. I live in the middle of nowhere, and there's no chance of it being picked up by someone else. I have lived in towns and cities, though. Some of my previous residences had hundreds of people walking by the front door every hour. GPS does not work there, and it never
Re: (Score:2)
That sounds about like my normal CoD support drop...
Re: (Score:2)
I'm still wondering if the drone would be smart enough to land on pavement,
Rats. I was so looking forward to telling it, "Thanks. Now get off my lawn..."
Haar cascade? (Score:2)
Does anyone have any haar-like classifiers for drones yet? Just for research of course.
Congratulations! (Score:2)
You just gave Bigcorp a good testbed for free.
No security vulnerability (Score:2)
Because accepting a wifi connection without authenticating its source is totally not a vulnerability.
In other news, you could own every single computer connected to the internet, without using any security vulnerabilities, as long as it runs an ssh server without a root password.
Re: (Score:2)
The logic is that you can't circumvent security if the security is nonexistent. I suppose it's still considered "breaking and entering" if you just walk in their unlocked front door (or is it just trespassing unless you commit some other crime in the process?), although you didn't break anything.
Arrr! (Score:3)
Finally a method of DVD piracy that the DMCA can't touch!
Stealing an Amazon Drone (Score:3)
Re: (Score:1)
My plan is almost complete! MUAHAHAHA
http://www.armaghplanet.com/blog/wp-content/uploads/2012/05/image-of-James-bond-spaceships.png [armaghplanet.com]
ALT - (Photo is from James Bond, US Space ship getting eaten by Spectre ship in an attempt at starting world war)
Re:Stealing an Amazon Drone (Score:4, Insightful)
What's to stop someone from forcefully taking down an Amazon drone, then placing it into a Faraday cage while they disassemble it and get the free hardware?
The fact that it's vapourware and will never see active service?
Re: (Score:2)
Re: (Score:1, Troll)
Re: (Score:2)
And after taking control over that thing, what's stopping you from disconnecting the video stream as well?
Re: (Score:3)
Jeff Bezos circling above in an Apache attack helicopter.
Re: (Score:2)
What's to stop someone from forcefully taking a UPS truck, then placing it into a garage while they disassemble it and get the free hardware?
Not much, other than the law. People steal delivery trucks sometimes, and they're a lot easier to steal than an aircraft in flight. The concept of delivering packages by wheeled vehicle still seems to work despite this flaw.
Re: (Score:2)
Re: (Score:2)
'round my parts, a horde of kids will be chasing them drones with Louisville Sluggers, while chanting:
"Pinata! Pinata! Pinata!"
"Hey! Mine had an iPhone in it! Cool!"
"Su Madre! Mine had yet another copy of "Fifty Shades of Grey" . . .
Re:Stealing an Amazon Drone (Score:5, Insightful)
a truck driver
Re: (Score:2)
a truck driver
You believe a UPS worker getting paid $12/hr is going to stop someone with a gun who wants to take his fully insured company truck?
Re: (Score:3, Funny)
Re: (Score:2)
I was thinking more along the lines of "decorating" my house with balloons on wires (kind of like the navy did in WWII), and if any of these flies over my house, there's a good chance it will end up "crashed" in my yard.
Re: (Score:2)
2. Risk of being caught.
3. Length of sentence when you do get caught.
None of these apply to drone 'interference'. Kids will be knocking these things out of the sky with rocks, the whole idea is unfeasible.
Skyjack only works for WiFi drones! (Score:5, Informative)
Re: (Score:1)
Maybe not. But I'm willing to bet many will be lost to .308 or .30-06 rounds...
Re: (Score:2)
Re: (Score:3)
and the drone will handle *every* control aspect from there on out, as it should.
I don't think so. I think they'll plot the entire route, waypoint by waypoint, down to delivery of the actual package. The drone will do waypoint following and collision avoidance, but that's it. That's a lot cheaper in terms of power budget, because your drone doesn't have to be quite so clever.
Re: (Score:2)
It doesn't really matter what the various drones use. They will get hacked, because they're convenient targets designed to accept remote communications from someone.
Law Enforcement Drones? (Score:4, Insightful)
Re: (Score:2)
Wha? Yagi wifi antennas are certainly NOT 10 feet tall. 18" long - http://www.mfjenterprises.com/Product.php?productid=MFJ-1800 [mfjenterprises.com]. 15 dbi (so if your current antenna is 3 dbi this is a 12 dbi increase, or say 100x+ish). Very directional, though.
And no one sane running a drone "program" would use normal wifi - they'd get a control frequency from the FCC and go that route.
Re: (Score:2)
And no one sane running a drone "program" would use normal wifi - they'd get a control frequency from the FCC and go that route.
That was my main point. The articles mention law enforcement and amazon. They are not going to control the drones with wifi.
Re: (Score:2)
I think he's talking about building for about $400, then flying that drone close enough to another drone where the wifi magic works, and take control of it that way.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
You're forgetting something important: Radio is traditionally used for broadcast and does not traditionally suffer the problems of long-range point-to-point Wifi links.
Who said Amazon's drones would be controlled with Wifi, anyway? There's a myriad of other ways of efficient, reliable, low-speed (and inefficient, less reliable, high-speed) wireless technologies.
Remember POCSAG? It's what is (still!) used for 1-way alphanumeric pagers. It's plenty fast enough to tell a swarm of drones where to go, and ca
How To Hijack UPS For $200 In Less Than 5 minutes (Score:1)
A gun.
Illegal will still be illegal.
Re: (Score:2)
So if you have a toy drone... (Score:2)
So if you have a toy drone you can take over other toy drones? Could be great fun at a toy drone party but I don't see how it has anything to do with law enforcement drones or Amazon drones.
I'm sure it would never cross the minds of intelligence agencies, law enforcement agencies or Amazon to authenticate the controller.
Warflying (Score:2)
"High-power"? (Score:2)
So this "very powerful" Wi Fi outputs 1000 milliwatts ... which equals one watt.
Am I missing something, or is this just bad reporting?
Re: (Score:2)
That's the highest power WiFi you can broadcast without violating FCC regulations. With a highly directional antenna, it should reach pretty far.
Security Vulnerability (Score:2)
Related article (Score:1)
How to disable a drone for $150 in less than a minute [wikipedia.org]
What I fear will happen (Score:3)
If Amazon can make a drone to deliver packages ---- then someone else can make a drone to "tail" Amazon drones, and grab the package after delivery; taking it off to some prescribed location for reappropriation.
Re: (Score:2)
Or you could just, you know, walk down the street and pick up packages left by the UPS guy today.
I see this type of comment all the time and yet I get packages from Amazon left on my doorstep multiple times a week. They're left in plain view, just like the drone would, and in 5 years of living here I haven't lost a single one. Sure if I lived in a large city I might not have a doorstep to leave it on, but I get the impression they're aiming this plan pretty squarely at the suburbs, and package theft just do
Re: (Score:2)
Or you could just, you know, walk down the street and pick up packages left by the UPS guy today.
You would look very suspicious if you did this, and there would be a great risk that a neighbor or homeowner would see you. Most packages left on a porch not requiring signature are not very valuable, so you would need many before it began to be worth it for the criminal ---- like winning the lottery, and the average criminal isn't going to think it's worth the high risk.
Drones may change the equation
Re: (Score:2)
One fun approach to the preservation of privacy (Score:2)
Three words: "Drone Knockout Game".
They are not remote controlled (Score:1)
The Amazon drones aren't even remote controlled, but autonomous http://youtu.be/6in-MZeeeGk?t=12m26s [youtu.be]
(And even though there's probably some backup control channel and remote telemetrics it's very likely not wifi.)
Everything old is new again (Score:5, Insightful)
Ok, so hang on, In a previous life as a military contractor, I used to do this with 1980's technology. This (TFA) sounds like a cheap, brute force approach, that actually works fairly well. You overwhelm the subject with a much stronger signal, and depend on the receiver's automatic gain control to limit the amplitude, putting the "real" control signal down in the noise. You then have the drone's full attention.
The usual countermeasure is to encrypt the control signal. Then, you can still do a DOS (in today's terminology), but you can't get the drone to obey your commands.
The counter-counter measure to this is to break the encryption so you can control the craft. Flash back to those supercomputers that hobbyists were building by clustering lots and lots of game consoles. Just saying'.
Then, there's counter-counter-counter measures like hopping between frequencies and so forth, but for every technique there's a counter-technique, and I suspect computers have gotten fast enough to analyze tricky incoming signals and mimic them fairly quickly.
Someone brought up GPS -- Amazon's little copters can't be hacked because they're autonomous, using GPS for navigation. Well guess what -- GPS is just another signal. As we learned in the middle east, it is possible to spoof those signals and get a drone to land in a place it didn't expect.
The counter to *that* is inertial guidance. But realistically, Amazon and most government agencies probably won't have the budget for that.
Optical guidance? (and optical surveillance in general) Green lasers with automated tracking and aiming triangulating by noise, or emitted RF, or visual recognition. Anyone with robotics experience should be able to at least theorize a solution.
Wow, the next few years are going to be *fun*.
Re: (Score:2)
The counter to *that* is inertial guidance. But realistically, Amazon and most government agencies probably won't have the budget for that.
An off-the-shelf IMU costing less than $100 as a completed product gives you enough information to tell if your position is shifting in the way that the GPS claims, with a little software trickery. You can certainly detect something like that, and then start retracing your steps. One or two retries and the drone just flies home.
Re: (Score:2)
The counter to *that* is inertial guidance. But realistically, Amazon and most government agencies probably won't have the budget for that.
An off-the-shelf IMU costing less than $100 as a completed product gives you enough information to tell if your position is shifting in the way that the GPS claims, with a little software trickery. You can certainly detect something like that, and then start retracing your steps. One or two retries and the drone just flies home.
I wasn't aware that IMUs had gotten that cheap. (I haven't done this stuff in many years.) But that just takes us to the next level, where IMU accumulated error and gradual GPS draw-off techniques are employed. More difficult, but still possible.
Re: (Score:2)
So you spoof the GPS to be within the dead reckoning band of the IMU and wind allowances (which can't easily be accounted for). It takes longer to hijack and transfer to a safe spot for collection, but not out of the bounds of possibility.
Re: (Score:2)
The counter-counter measure to this is to break the encryption so you can control the craft. Flash back to those supercomputers that hobbyists were building by clustering lots and lots of game consoles.
If you use decent encryption in your counter measure, this counter-counter measure is useless. It doesn't matter even if the attacker has a cluster of real supercomputers.
Re: (Score:2)
A lot of groups doing 'import/export' work are going to be spending big on counter-counter measures to ensure their shipments are not tracked
Re: (Score:2)
Thank you for summing up the state of affairs. You've done better than most. :)
Inertial guidance isn't so far-fetched. Ridiculously-small accelerometers are getting mighty good, as are tiny gyroscopes (both of which can be found in many modern smartphones, sipping very little power indeed). Combine both of them with sufficient resolution, and you've got inertial guidance.
Combine that with other signals (constant transmitters of any type, including local TV and radio stations... even Wifi AP broadcasts ar
Re: (Score:2)
I'm not interested in people who do it for laughs. (Although, there will probably be some who do it just to see what kind of chaos they can create. The same morons who point laser pointers at commercial aircraft.) As soon as the profit/risk ratio is favorable, someone will do it, either to acquire the cargo, acquire the craft itself, or prevent the craft from doing whatever it was trying to do. Just pointing out that there are known techniques.
Re: (Score:2)
There are, but there's always a risk of this sort of thing, as has been pointed out delivery drivers aren't immune from theft either.
Re: (Score:2)
There are, but there's always a risk of this sort of thing, as has been pointed out delivery drivers aren't immune from theft either.
Absolutely true, as anyone who delivers pizzas for a living can tell you. I wonder if part of the equation might be that the penalty for stealing/destroying a drone may be less than robbing/injuring a human? (Probably true, as long as the drone is non-military.)
Re: (Score:2)
Jeeze, calm down. Yes, the satnav in my truck also has rudimentary inertial guidance. It has an electronic compass and is aware of the truck's speed, and doesn't have to deal with altitude. It also tends to be "sticky" to roads, assuming that you must be on the nearest road even if the guidance indicates you're driving through a field. (And sometimes it gets it wrong.) As a current military contractor, you know about accumulated error in inertial guidance systems -- it just takes longer and is more dif
What the hell? (Score:2)
“The only security on the Parrot drones is that when the owner is connected to it, no one else is able to control it. This is why I need to use a wifi chipset that allows me to inject packets as I need to exploit wifi and deauthenticate the true owner who is controlling it,” Kamkar said.
So I've gotta ask, what would stop someone from doing this same thing on either side. On one side, you've got those that could hijack your parrot using the same tactics that you are using to hijack the drone. On the other side, whatever you do to protect your parrot, could be implemented to protect the drone, right? Am I missing something? Also, what's to stop parrots from buzzing around doing the same "evil" that Google did with wireless routers.
$400? (Score:3)
You can do it for less than that. Just use a fishing net with a very long pole.
CAPTCHA: patience.
Drone wars (Score:3)
magnetron (Score:3)
Microwave oven magnetron and a small parabolic dish wifi antenna and all your drone belong to me.
WooHoo! Sky Pirates finally arrive! (Score:2)
Misleading... (Score:2)
Re: (Score:1)
Is anybody suggesting that it's no longer stealing just because there's a cool hack involved?
Re: (Score:1)
If someone is flying a drone that's programmed to follow any unauthenticated instructions broadcast to it from anyone, and someone takes the drone up on that offer and broadcasts instructions to it, what are they doing wrong?
Re: (Score:2)
Sending instructions? Nothing (on the surface) wrong with that... but the content of those instructions is crucial to an ethical evaluation of them. Steal a drone / kidnap a kid? Bad. Make the drone do a little dance upon delivering a package / teach the kid a funny joke? Not bad.
Re: (Score:3, Funny)
Re: (Score:2)
They'll only outlaw "assault drones", regular drones with the same capabilities as assault drones but who look less scary will be legal.
Says the CIA (Criminals In Action).
Re: (Score:2)
Re: (Score:2)
Actually, I'll have to go and check that now ... or would if I cared about a defunct measurement system that I don't actually have to deal with weights in - just measures. Is it 12 or 16 ounces to the pound. Or drachams to the goat, or something? 14 stones to the pound? Insane.
Re: Here we go... (Score:4, Funny)
Re: (Score:2)
Someone [pvponline.com] beat you to it already.
Re: (Score:2)
RF Safe-Stop Shuts Down Car Engines With Radio Pulse
As the vehicle entered the range of the RF Safe-stop, its dashboard warning lights and dials behaved erratically, the engine stopped and the car rolled gently to a halt. Digital audio and video recording devices in the vehicle were also affected.''It's a small radar transmitter,' said Andy Wood, product manager for the machine. 'The RF [radio frequency] is pulsed from the unit just as it would be in radar, it couples into the wiring in the car and that disrupts and confuses the electronics in the car causing the engine to stall.'"
Should do the trick for the encrypted ones.
Re: (Score:2)