Police Drones Can Be Hijacked From a Mile Away

Even in 2016, we still haven't learned our lesson: Encrypt everything. If your device transmits information over a radio connection, it needs to be encrypted. Period.

Otherwise, some enterprising hacker will find a way to manipulate it — or, if you're lucky, a security researcher. One enterprising expert recently found a way to hack a very expensive drone from more than a mile away, at minimal cost.

A professional-grade Xbee drone, but not necessarily the one hacked in this story. | Credit: AscTec

(Image credit: A professional-grade Xbee drone, but not necessarily the one hacked in this story. | Credit: AscTec)

The ingenious idea comes courtesy of Nils Rodday, an IBM security researcher based in Germany, who gave a presentation today (April 1) at the Black Hat Asia conference in Singapore. Rodday shared his presentation on the Black Hat website, while The Register covered his talk and provided additional details. The hack targets professional-grade drones, often used by police and security forces, that tend to cost about $30,000 apiece.

MORE: Best Drones

Without getting too far into the weeds, here's how the hack works. The specific model tested — Rodday would not name the manufacturer, but there are several with similar setups — uses a long-range Xbee chip to transmit radio signals between the drone and the Android tablet controlling it.

Because Android tablets don't have Xbee chips themselves, there's an intermediary relay box that talks to the tablet via Wi-Fi, and to the drone via Xbee. (The box is mounted on a short-range regular RC hand-held controller that plays no part in the hack.)

The Xbee chip is not quite powerful enough to support encryption without a performance hit, and the Wi-Fi chip uses WEP encryption. WEP is not a terribly secure protocol; there's a reason why most Wi-Fi networks have switched over to WPA.

Using about $40 worth of kit, Rodday figured out two ways to intercept and redirect a drone's signal. The first to hijack the  Wi-Fi signal, which was easy. Free software tools can crack WEP in seconds, and researchers have been demonstrating Wi-Fi based drone hijacks for a couple of years.

What's new is the Xbee hack. Rodday reverse-engineered the proprietary Xbee-based protocol, then transmitted his own signals with his $40 kit. An attacker with an Xbee radio chip of his or her own could use this method hijack the connection and start sending their own commands to the drone. An experienced handler could fly the drone right into his or her own hands, while a more brutish attacker may just disable the engines while it's flying high.

Of course, hackers could also just his first method to take control of a drone by disrupting the Wi-Fi connection between the controlling Android tablet and the vehicle. But Rodday pointed out that they would have to be within 100 meters of the controller and its relay box, whereas an Xbee attack could take place from anywhere within a 1.2-mile radius.

As is usually the case with security research, there's no evidence that anyone has ever tried this in the wild. Furthermore, drone manufacturers are already trying to find solutions to their Xbee woes. However, a lack of encryption is a limitation of the chip, not a software or firmware issue. There may not be much they can do, short of manufacturing new drones equipped with more powerful chips that would eat into battery life.

Xbee chips are present in a variety of consumer drones, although Rodday did not test whether he could hijack them all. Presumably, a hack that works on a $30,000 drone would work on a $1,000 counterpart, but if you want to try, perhaps it's better to test it on your own drone than a friend's.

Readers who want more technical details might like to read Rodday's master's thesis, available here as an English-language PDF.