Police Drones Can Be Hijacked From a Mile Away

Even in 2016, we still haven't learned our lesson: Encrypt everything. If your device transmits information over a radio connection, it needs to be encrypted. Period.

Otherwise, some enterprising hacker will find a way to manipulate it — or, if you're lucky, a security researcher. One enterprising expert recently found a way to hack a very expensive drone from more than a mile away, at minimal cost.

A professional-grade Xbee drone, but not necessarily the one hacked in this story. | Credit: AscTec

(Image credit: A professional-grade Xbee drone, but not necessarily the one hacked in this story. | Credit: AscTec)

The ingenious idea comes courtesy of Nils Rodday, an IBM security researcher based in Germany, who gave a presentation today (April 1) at the Black Hat Asia conference in Singapore. Rodday shared his presentation on the Black Hat website, while The Register covered his talk and provided additional details. The hack targets professional-grade drones, often used by police and security forces, that tend to cost about $30,000 apiece.

MORE: Best Drones

Without getting too far into the weeds, here's how the hack works. The specific model tested — Rodday would not name the manufacturer, but there are several with similar setups — uses a long-range Xbee chip to transmit radio signals between the drone and the Android tablet controlling it.

Because Android tablets don't have Xbee chips themselves, there's an intermediary relay box that talks to the tablet via Wi-Fi, and to the drone via Xbee. (The box is mounted on a short-range regular RC hand-held controller that plays no part in the hack.)

The Xbee chip is not quite powerful enough to support encryption without a performance hit, and the Wi-Fi chip uses WEP encryption. WEP is not a terribly secure protocol; there's a reason why most Wi-Fi networks have switched over to WPA.

Using about $40 worth of kit, Rodday figured out two ways to intercept and redirect a drone's signal. The first to hijack the  Wi-Fi signal, which was easy. Free software tools can crack WEP in seconds, and researchers have been demonstrating Wi-Fi based drone hijacks for a couple of years.

What's new is the Xbee hack. Rodday reverse-engineered the proprietary Xbee-based protocol, then transmitted his own signals with his $40 kit. An attacker with an Xbee radio chip of his or her own could use this method hijack the connection and start sending their own commands to the drone. An experienced handler could fly the drone right into his or her own hands, while a more brutish attacker may just disable the engines while it's flying high.

Of course, hackers could also just his first method to take control of a drone by disrupting the Wi-Fi connection between the controlling Android tablet and the vehicle. But Rodday pointed out that they would have to be within 100 meters of the controller and its relay box, whereas an Xbee attack could take place from anywhere within a 1.2-mile radius.

As is usually the case with security research, there's no evidence that anyone has ever tried this in the wild. Furthermore, drone manufacturers are already trying to find solutions to their Xbee woes. However, a lack of encryption is a limitation of the chip, not a software or firmware issue. There may not be much they can do, short of manufacturing new drones equipped with more powerful chips that would eat into battery life.

Xbee chips are present in a variety of consumer drones, although Rodday did not test whether he could hijack them all. Presumably, a hack that works on a $30,000 drone would work on a $1,000 counterpart, but if you want to try, perhaps it's better to test it on your own drone than a friend's.

Readers who want more technical details might like to read Rodday's master's thesis, available here as an English-language PDF.

TOPICS
Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

Latest in Tech
Casetify Bounce Suitcase
I ditched my Away Carry-On for a bright red suitcase made by a phone case brand, and I was shocked by how much I liked it
Columbia Sportswear and Intuitive Machines partnership
Columbia Sportswear’s UV-blocking technology just landed on the moon, and I spoke to the materials scientist who designed it
iPhone 16e review.
What Tom’s Guide tested this week — the iPhone 16e is the most polarizing phone of the year
A split screen photo showing a coffee grinder on one side and a smart watch on the other
What Tom’s Guide tested this week: Sony, OnePlus, Corsair and more
A split screen image showing an instant camera on the left and a Dyson vacuum on the right
What Tom’s Guide tested this week: Expert reviews of Dyson, Insta360 and more
A composite of Soundcore Space One Pro headphones and Sony ZV-1F vlogging camera
What Tom’s Guide tested this week: 5 products that won our expert reviewers’ hearts
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Thursday, March 20 (#648)
A phone with the Plex logo in front of an out-of-focus background of movie posters
Yikes! Plex is getting a price hike and this key feature is going behind a pay wall
back of Iris Pixel 9a
Google Pixel 9a pre-orders delayed due to 'component quality issue' — here's when you can get one
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Sony A95K QD-OLED TV in front of windows in a living room
This new TV breakthrough looks like a game-changer for OLED TVs
Apple iPhone 16 & 16 Plus hands-on.
Forget USB-C — a truly portless iPhone just got the all-clear from the EU