How to Skyjack Drones for $400

Type threatpost
Reporter Dennis Fisher
Modified 2013-12-05T14:51:24


UPDATE–The skies may soon be full of drones–some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by a well-known hacker Samy Kamkar may give control of some drones to anyone with $400 and an hour of free time.

Small drones can be quite inexpensive and easy to use. Some models can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn’t require the use of any exploit or security vulnerability.

The drone platform that Kamkar built uses readily available components such as a Raspberry Pi and open-source software he developed. He said that, using the detailed instructions he’s published, anyone with a familiarity with Linux could build a Skyjack drone of his own in under an hour. With that and a controller, the builder is then ready to hijack his neighbor’s drone. The Parrot drones are available for less than $300 and the other components are relatively inexpensive, as well.

“My instructions are pretty detailed, I’ve made the code entirely free and open source, and fortunately all the technology is so low-cost and easy to acquire (< $400 for all of it, including your very own drone) that to put it all together from my instructions would take someone under an hour if they were familiar with Linux,” Kamkar said via email.

“I may also release an ISO that users can simply drop onto a Raspberry Pi without performing any configuration at all, and in that case it would potentially just take minutes without any setup required besides plugging components in!”

The method that Kamkar’s code uses to take over a target drone is deceptively simple. The Skyjack drone detects the wireless signal sent out by a target drone, injects WiFi packets into the target’s connection, de-authenticates it from its real controller and then authenticates it to the Skyjack drone. Kamkar then has the ability to send any commands he wants to the hijacked drone. This can all be done from the ground, as well, he said, using a normal Linux box and his code.

Kamkar uses Aircrack-ng, a wireless key cracking application, to find target drones and then the Skyjack software deactivates the clients and then connects to them. He finds the drones by looking for MAC addresses owned by Parrot, the company that makes the small drones he used for his project. The target range of the Skyjack drones is limited by the range of the WiFi card, but Kamkar said he uses a very powerful WiFi adapter called the Alfa AWUS036H, which produces 1000mW of power.

“The only security on the Parrot drones is that when the owner is connected to it, no one else is able to control it. This is why I need to use a wifi chipset that allows me to inject packets as I need to exploit wifi and deauthenticate the true owner who is controlling it,” Kamkar said.

“Once deauth’d, I can then take over control without ever actually exploiting the Parrot itself since it creates its own open, wireless network.”

Amazon’s Jeff Bezos said the company’s Prime Air drone delivery program is several years away yet, and it’s unclear which drone platform it will use if it’s ever deployed. Kamkar’s Skyjack code is available free on Github.

This story was updated on Dec. 4 to clarify that not all drones use WiFi and that Skyjack isn’t meant to work against all drone platforms.

Image from Flickr photos of Unten44.