Forgot your password?
typodupeerror
Security

How To Hijack a Drone For $400 In Less Than an Hour 161

Posted by Soulskill
from the step-1:-buy-$400-shotgun dept.
Trailrunner7 writes "The skies may soon be full of drones – some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by a well-known hacker Samy Kamkar may give control of those drones to anyone with $400 and an hour of free time. Small drones, like the ones that Amazon is planning to use to deliver small packages in short timeframes in a few years, are quite inexpensive and easy to use. They can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability."
This discussion has been archived. No new comments can be posted.

How To Hijack a Drone For $400 In Less Than an Hour

Comments Filter:
  • by Anonymous Coward on Tuesday December 03, 2013 @07:46PM (#45590191)

    In TFA he is hacking a Parrot AR wifi drone. If Amazon ever gets off the ground (ahem) with their drones, they will likely be autonomous, using GPS to guide them to their location. Monitoring and flight plan changes would likely occur by satellite as well. That's not to say that they are immune from attack, but none of the types of drones described in the summary (law enforcement, intelligence agencies, Amazon) are going to be susceptible to his attack.

  • by sheetsda (230887) <doug...sheets@@@gmail...com> on Tuesday December 03, 2013 @07:47PM (#45590199)

    "All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability"

    "...detects the wireless signal sent out by a target drone, injects WiFi packets into the target’s connection, de-authenticates it from its real controller and then authenticates it to the Skyjack drone"

    Uhh... for what definition of "security vulnerability" is this not a "security vulnerability"?

    • Re: (Score:3, Interesting)

      by plover (150551)

      A security vulnerability implies that at some level, there had to have been the faintest vague attempt at being secure.

      He exploited a vulnerability, to be sure, but he seems uncomfortable calling it a security vulnerability.

    • Because the product is designed to behave this way. If it's documented, it's a feature, not a bug.

      • by gl4ss (559668)

        so there is no option to use wpa or any wifi security at all? that's what it implies.

        breaking wpa would imply a security vulnurability.

        and dunno how it could be "like those used by amazon" since amazon doesn't yet use or have any.

  • by Anonymous Coward on Tuesday December 03, 2013 @07:47PM (#45590203)

    All of this is done wirelessly and doesn't require the use of any exploit or security vulnerability.

    Between me and the author of this sentence, I think we have two different definitions of "security vulnerability".

    • by Control-Z (321144)

      If he is referring to the unlikely Amazon delivery drones, I really don't understand that sentence at all. How would he know what security the drones will have in place? It's a safe bet Amazon wouldn't communicate unencrypted with them.

  • by Neo-Rio-101 (700494) on Tuesday December 03, 2013 @07:50PM (#45590217)
    For something like Amazon's purported drones... all you'd have to do is to hardcode the delivery address and HQ into the drone before flying, and make sure it doesn't accept any incoming signals by turning the wireless off. Now, if we want to talk about trying to get the drone's GPS systems confused, that would be something else! (Actually I'm still wondering if the drone would be smart enough to land on pavement or miss entirely and drop packages on a customer roof or balcony.)
    • by plover (150551)

      I was wondering about that, too. Maybe they'll have the drone autonomously fly to the target's address, then have a human pilot land it on the doorstep, guiding it via GPRS, 4G, or something similar.

      • by Anonymous Coward

        It would likely be a Destination Landing Pad. I suspect the optimal setup would be a subscription service, and the landing pad would be part of the subscription.

    • by sjames (1099)

      I don't think they're smart enough to reliably drop packages on the roof or even in the pool, but I understand they're motion capturing paper boys on their routes to see if they can learn the secret.

    • Re: (Score:3, Interesting)

      by Zwergin (572487)
      (Sorry, did not realize I was not signed in. ) It would likely be a Destination Landing Pad. I suspect the optimal setup would be a subscription service, and the landing pad would be part of the subscription. ~Zwergin
      • That's a pretty good idea. That way you could ensure that the drone lands in your backyard so that the package and drone doesn't get swiped from your front door by a passerby.
    • by Fnord666 (889225) on Tuesday December 03, 2013 @09:09PM (#45590767) Journal

      Actually I'm still wondering if the drone would be smart enough to land on pavement or miss entirely and drop packages on a customer roof or balcony

      Hopefully they don't use the code that delivers care packages in Call of Duty then.

    • by wvmarle (1070040)

      GPS is not reliable or accurate enough for doorstep deliveries, will need some human controller.

      The max. accuracy of normal GPS is about 1m, which is already a bit coarse for doorstep delivery and in urban areas receivers may get confused by reflections off of buildings. And even if GPS were accurate enough, you'd need to know really accurate coordinates of that doorstep, or that park bench where the person ordering the pizza is.

      So certainly a human operator will have to do the last part of the trip.

      • by rk (6314) on Tuesday December 03, 2013 @10:19PM (#45591211) Journal

        DGPS can get 10cm resolution if done right, and DGPS coverage is not a problem for most residences in the US and certainly not in the areas I'm sure Amazon will pilot (no pun intended) this system. Vision systems are getting more sophisticated and can probably find the front door reliably with sufficient accuracy once on the scene. I'm curious to know how it will handle apartments, though.

        • by Dan541 (1032000) on Tuesday December 03, 2013 @10:35PM (#45591321) Homepage

          I'm curious to know how it will handle apartments, though.

          A cannon to launch the parcel through the window?

        • by adolf (21054)

          Apartments are easy! Just drop it on the communal stoop, wait for someone to steal the package, and send an SMS alert about "successful delivery" some hours later.

          Just like it works right now, with UPS, USPS, FedEx [...].

          (Speaking of SMS delivery alerts: A decade or more ago, I was getting delivery alerts in near real-time to my (then) fancy-pants alphanumeric pager (via SMTP). I'd greet the driver at the door, and usually by the time I was unboxing the stuff my pager would go off.

          What happened to the ti

      • by Smauler (915644)

        The accuracy of GPS is not the problem. The problem is places where GPS is useless.

        To be honest, if I can order something and it be in my drive in about 1/2 an hour, that is good enough, where I am living now. I can keep an eye out for it. I live in the middle of nowhere, and there's no chance of it being picked up by someone else. I have lived in towns and cities, though. Some of my previous residences had hundreds of people walking by the front door every hour. GPS does not work there, and it never

    • by asmkm22 (1902712)

      That sounds about like my normal CoD support drop...

    • by MollyB (162595)

      I'm still wondering if the drone would be smart enough to land on pavement,

      Rats. I was so looking forward to telling it, "Thanks. Now get off my lawn..."

  • Does anyone have any haar-like classifiers for drones yet? Just for research of course.

  • You just gave Bigcorp a good testbed for free.

  • Because accepting a wifi connection without authenticating its source is totally not a vulnerability.

    In other news, you could own every single computer connected to the internet, without using any security vulnerabilities, as long as it runs an ssh server without a root password.

    • The logic is that you can't circumvent security if the security is nonexistent. I suppose it's still considered "breaking and entering" if you just walk in their unlocked front door (or is it just trespassing unless you commit some other crime in the process?), although you didn't break anything.

  • by RDW (41497) on Tuesday December 03, 2013 @08:00PM (#45590309)

    Finally a method of DVD piracy that the DMCA can't touch!

  • by Metabolife (961249) on Tuesday December 03, 2013 @08:00PM (#45590311)
    What's to stop someone from forcefully taking down an Amazon drone, then placing it into a Faraday cage while they disassemble it and get the free hardware?
    • My plan is almost complete! MUAHAHAHA

      http://www.armaghplanet.com/blog/wp-content/uploads/2012/05/image-of-James-bond-spaceships.png [armaghplanet.com]

      ALT - (Photo is from James Bond, US Space ship getting eaten by Spectre ship in an attempt at starting world war)

    • by umafuckit (2980809) on Tuesday December 03, 2013 @08:20PM (#45590427)

      What's to stop someone from forcefully taking down an Amazon drone, then placing it into a Faraday cage while they disassemble it and get the free hardware?

      The fact that it's vapourware and will never see active service?

      • There's also the fear of prison. These things will be transmitting live video feeds back to home base. If they actually existed, that is.
        • Re: (Score:1, Troll)

          by Dunbal (464142) *
          Yes, thank goodness we live in a crime free world where the fear of prison prevents all crimes.
        • by wvmarle (1070040)

          And after taking control over that thing, what's stopping you from disconnecting the video stream as well?

    • Jeff Bezos circling above in an Apache attack helicopter.

    • by radish (98371)

      What's to stop someone from forcefully taking a UPS truck, then placing it into a garage while they disassemble it and get the free hardware?

      Not much, other than the law. People steal delivery trucks sometimes, and they're a lot easier to steal than an aircraft in flight. The concept of delivering packages by wheeled vehicle still seems to work despite this flaw.

      • It's a lot harder to hide a truck. Any 12 year old can knock a drone out of the sky (with some skill/luck) and stomp on it.
    • 'round my parts, a horde of kids will be chasing them drones with Louisville Sluggers, while chanting:

      "Pinata! Pinata! Pinata!"

      "Hey! Mine had an iPhone in it! Cool!"

      "Su Madre! Mine had yet another copy of "Fifty Shades of Grey" . . .

  • by cciRRus (889392) on Tuesday December 03, 2013 @08:02PM (#45590327)
    While pro-grade multicopters like those to be deployed by Amazon operate at 2.4GHz, they do not use WiFi as their radio system! Typically, these multicopters are fitted radio systems such as Futaba, JR, Spektrum or 9X, and therefore Skyjack will not be able to take them down.
    • by Anonymous Coward

      Maybe not. But I'm willing to bet many will be lost to .308 or .30-06 rounds...

    • I *highly* doubt the Amazon drones will be operated by some hobbyist Futaba or Spektrum protocol. Doing such a thing would be absolutely ludicrous from just about every angle possible. First of all, such protocols are nothing more than "stream-of-servo" positioning commands, and very badly suited to autonomous drone control. Honestly they're pretty badly suited to manual drone control IMO. Second, they are even less secure than WiFi. I'm going to take a wild guess and say that the Amazon drones will be
      • by drinkypoo (153816)

        and the drone will handle *every* control aspect from there on out, as it should.

        I don't think so. I think they'll plot the entire route, waypoint by waypoint, down to delivery of the actual package. The drone will do waypoint following and collision avoidance, but that's it. That's a lot cheaper in terms of power budget, because your drone doesn't have to be quite so clever.

    • by asmkm22 (1902712)

      It doesn't really matter what the various drones use. They will get hacked, because they're convenient targets designed to accept remote communications from someone.

  • by codegen (103601) on Tuesday December 03, 2013 @08:08PM (#45590355) Journal
    The articles describe a wifi hack. Last I checked wifi has a range of 300 feet. There are some ways in which this can be extended to several miles but that involves large (i.e. 10ft) antennas. If you honestly think that law enforcement and amazon are using wifi to control their drones then I think you need to look a bit closer.
    • by cdwiegand (2267)

      Wha? Yagi wifi antennas are certainly NOT 10 feet tall. 18" long - http://www.mfjenterprises.com/Product.php?productid=MFJ-1800 [mfjenterprises.com]. 15 dbi (so if your current antenna is 3 dbi this is a 12 dbi increase, or say 100x+ish). Very directional, though.

      And no one sane running a drone "program" would use normal wifi - they'd get a control frequency from the FCC and go that route.

      • by codegen (103601)

        And no one sane running a drone "program" would use normal wifi - they'd get a control frequency from the FCC and go that route.

        That was my main point. The articles mention law enforcement and amazon. They are not going to control the drones with wifi.

    • by asmkm22 (1902712)

      I think he's talking about building for about $400, then flying that drone close enough to another drone where the wifi magic works, and take control of it that way.

      • by codegen (103601)
        My point is neither law enforcement or Amazon is going to use a drone that uses wifi at all.
  • A gun.
    Illegal will still be illegal.

    • Sure. But. The number of people willing to steal remotely is an order of magnitude greater than the number of people willing to do up close and personal armed robbery. Mira! A car analogy: It's like killing a person with your pickup instead of with a knife.
  • So if you have a toy drone you can take over other toy drones? Could be great fun at a toy drone party but I don't see how it has anything to do with law enforcement drones or Amazon drones.

    I'm sure it would never cross the minds of intelligence agencies, law enforcement agencies or Amazon to authenticate the controller.

  • I have all those components except the parrotAr2 drone. Early Christmas present?
  • The target range of the Skyjack drones is limited by the range of the WiFi card, but Kamkar said he uses a very powerful WiFi adapter called the Alfa AWUS036H, which produces 1000mW of power.

    So this "very powerful" Wi Fi outputs 1000 milliwatts ... which equals one watt.

    Am I missing something, or is this just bad reporting?

    • So this "very powerful" Wi Fi outputs 1000 milliwatts ... which equals one watt.

      Am I missing something, or is this just bad reporting?

      That's the highest power WiFi you can broadcast without violating FCC regulations. With a highly directional antenna, it should reach pretty far.

  • "You keep using that word. I don't think that means what you think it means."
  • by mysidia (191772) on Tuesday December 03, 2013 @08:57PM (#45590663)

    If Amazon can make a drone to deliver packages ---- then someone else can make a drone to "tail" Amazon drones, and grab the package after delivery; taking it off to some prescribed location for reappropriation.

    • by radish (98371)

      Or you could just, you know, walk down the street and pick up packages left by the UPS guy today.

      I see this type of comment all the time and yet I get packages from Amazon left on my doorstep multiple times a week. They're left in plain view, just like the drone would, and in 5 years of living here I haven't lost a single one. Sure if I lived in a large city I might not have a doorstep to leave it on, but I get the impression they're aiming this plan pretty squarely at the suburbs, and package theft just do

      • by mysidia (191772)

        Or you could just, you know, walk down the street and pick up packages left by the UPS guy today.

        You would look very suspicious if you did this, and there would be a great risk that a neighbor or homeowner would see you. Most packages left on a porch not requiring signature are not very valuable, so you would need many before it began to be worth it for the criminal ---- like winning the lottery, and the average criminal isn't going to think it's worth the high risk.

        Drones may change the equation

  • Three words: "Drone Knockout Game".

  • The Amazon drones aren't even remote controlled, but autonomous http://youtu.be/6in-MZeeeGk?t=12m26s [youtu.be]

    (And even though there's probably some backup control channel and remote telemetrics it's very likely not wifi.)

  • by roc97007 (608802) on Tuesday December 03, 2013 @09:22PM (#45590831) Journal

    Ok, so hang on, In a previous life as a military contractor, I used to do this with 1980's technology. This (TFA) sounds like a cheap, brute force approach, that actually works fairly well. You overwhelm the subject with a much stronger signal, and depend on the receiver's automatic gain control to limit the amplitude, putting the "real" control signal down in the noise. You then have the drone's full attention.

    The usual countermeasure is to encrypt the control signal. Then, you can still do a DOS (in today's terminology), but you can't get the drone to obey your commands.

    The counter-counter measure to this is to break the encryption so you can control the craft. Flash back to those supercomputers that hobbyists were building by clustering lots and lots of game consoles. Just saying'.

    Then, there's counter-counter-counter measures like hopping between frequencies and so forth, but for every technique there's a counter-technique, and I suspect computers have gotten fast enough to analyze tricky incoming signals and mimic them fairly quickly.

    Someone brought up GPS -- Amazon's little copters can't be hacked because they're autonomous, using GPS for navigation. Well guess what -- GPS is just another signal. As we learned in the middle east, it is possible to spoof those signals and get a drone to land in a place it didn't expect.

    The counter to *that* is inertial guidance. But realistically, Amazon and most government agencies probably won't have the budget for that.

    Optical guidance? (and optical surveillance in general) Green lasers with automated tracking and aiming triangulating by noise, or emitted RF, or visual recognition. Anyone with robotics experience should be able to at least theorize a solution.

    Wow, the next few years are going to be *fun*.

    • by drinkypoo (153816)

      The counter to *that* is inertial guidance. But realistically, Amazon and most government agencies probably won't have the budget for that.

      An off-the-shelf IMU costing less than $100 as a completed product gives you enough information to tell if your position is shifting in the way that the GPS claims, with a little software trickery. You can certainly detect something like that, and then start retracing your steps. One or two retries and the drone just flies home.

      • by roc97007 (608802)

        The counter to *that* is inertial guidance. But realistically, Amazon and most government agencies probably won't have the budget for that.

        An off-the-shelf IMU costing less than $100 as a completed product gives you enough information to tell if your position is shifting in the way that the GPS claims, with a little software trickery. You can certainly detect something like that, and then start retracing your steps. One or two retries and the drone just flies home.

        I wasn't aware that IMUs had gotten that cheap. (I haven't done this stuff in many years.) But that just takes us to the next level, where IMU accumulated error and gradual GPS draw-off techniques are employed. More difficult, but still possible.

      • So you spoof the GPS to be within the dead reckoning band of the IMU and wind allowances (which can't easily be accounted for). It takes longer to hijack and transfer to a safe spot for collection, but not out of the bounds of possibility.

    • by swillden (191260)

      The counter-counter measure to this is to break the encryption so you can control the craft. Flash back to those supercomputers that hobbyists were building by clustering lots and lots of game consoles.

      If you use decent encryption in your counter measure, this counter-counter measure is useless. It doesn't matter even if the attacker has a cluster of real supercomputers.

    • by AHuxley (892839)
      The US gov handed out a lot of old 'mil' tech (~small tanks, weapons systems) and drones to a lot of "small" cities over the past 10 years. With FAA approval now more understood the drones will soon be watching more regional ports, truck movements, airports and main roads 24/7.
      A lot of groups doing 'import/export' work are going to be spending big on counter-counter measures to ensure their shipments are not tracked :)
    • by adolf (21054)

      Thank you for summing up the state of affairs. You've done better than most. :)

      Inertial guidance isn't so far-fetched. Ridiculously-small accelerometers are getting mighty good, as are tiny gyroscopes (both of which can be found in many modern smartphones, sipping very little power indeed). Combine both of them with sufficient resolution, and you've got inertial guidance.

      Combine that with other signals (constant transmitters of any type, including local TV and radio stations... even Wifi AP broadcasts ar

  • “The only security on the Parrot drones is that when the owner is connected to it, no one else is able to control it. This is why I need to use a wifi chipset that allows me to inject packets as I need to exploit wifi and deauthenticate the true owner who is controlling it,” Kamkar said.

    So I've gotta ask, what would stop someone from doing this same thing on either side. On one side, you've got those that could hijack your parrot using the same tactics that you are using to hijack the drone. On the other side, whatever you do to protect your parrot, could be implemented to protect the drone, right? Am I missing something? Also, what's to stop parrots from buzzing around doing the same "evil" that Google did with wireless routers.

  • by gallondr00nk (868673) on Tuesday December 03, 2013 @10:11PM (#45591147)

    You can do it for less than that. Just use a fishing net with a very long pole.

    CAPTCHA: patience.

  • by Wolfling1 (1808594) on Tuesday December 03, 2013 @10:59PM (#45591439) Journal
    Begun the drone wars have
  • by codepunk (167897) on Wednesday December 04, 2013 @02:03AM (#45592259)

    Microwave oven magnetron and a small parabolic dish wifi antenna and all your drone belong to me.

  • No airships but steam/diesel punk is bleeding into the real world!
  • The author is giving misleading statements. What he's done is hacked a Parrot, this is not the type of drone nor system Amazon is likely to use. In fact what they showed in their video doesn't use a Wifi connection at all. It uses 2.4 ghz wireless that has automatic rolling channels to eliminate the possibility of squelching anothers frequency. The transmissions from drone to controller are also encrypted.

FORTRAN is a good example of a language which is easier to parse using ad hoc techniques. -- D. Gries [What's good about it? Ed.]

Working...