Drone Hijacker

Project information

During the winter 0f 2021 I undertook a personal cyber-physical security project. The project was inspired to some extent by the idea of drone deliveries, and how one would be able to ensure that their package reaches their apartment safely. How easy would it be for an individual to pick drones out of the sky, What level of control could be aquired over a drone, and to what extent could this be an exploitable problem were all questions I wanted answered.

This problem is best split into 3 individual aspects: The network interfacing, drone interfacing, and the hardware interfacing. From a network interfacing perspective the project entailed successfully a wpa2 wifi network. The tello drones work akin to a wifi router in their default state. As the drones is turned on it begins broadcasting a connection for all to hear. Once a user is connected communication channels are established to control the drone. The cracking of the network was done using 2 primary tools. A wifi network interface that could be set to monitor mode and the aircrack-ng packet. As per wpa2 network standard I had to establish the attacked mac address of the drone and capture its 4 way handshake. Finding the mac address was done by cross-referencing the possible mac address the drone could have with the viewable ones by the wifi monitor, thankfully all companies are required by law to buy mac address blocks so finding a tello drone network was as seamless as just scanning across the declared mac address blocks until the signals viewed matched one of the addresses. Afterwards, I forced users to deathentificate from the network. In doing so, when a user attempted to reconnect All I had to do was capture the access key and run it against a password key to obtain the final password of the drone.

Once the password was discovered, my next task was to interace with the drone itself. I did so by once more deathentificating the connected user, however this time instead of them reconnecting It was I who connected with the known password. The tello drone functions through udp packet transmissions. This means a string is sent to the drone, and based on that string received the drone executes an action. Dji in their official documentation for the drone provides said strings so that users program their own drones. Using the above information one could create attack scripts dictacting commands to the drone once it has been penetrated. One such script I created opens up the UDP port of the drone and allows for it to have messages sent to it from the command line.

Finally in terms of hardware I decided to use a raspberry as my main attack machine, due to its portability. It is worth keeping in mind that despite this project focusing on drones, any wpa2 is vulnerable to them with some modifications. As such one would only have to carry the tool with them and get cracking. On top of that the raspberry pi was chosen to be equipped with an lcd screen, a portable keyboard, and 2 wifi cards. One for injection, and one to connect to the drone with.

To answer the questions I began with, it is as easy to crack into drones as it is to crack into wifi network, and a high level of control can be achieved due to the ability to send commands to a drone. The benefits of such an exploit are minimal however, meaning that you can control an external drone however unless getting the drone intact and caputered is your goal there are more quick solutions.