Meet the Drone That Mind Controls Other Drones

Impact
ByTom McKay

The news: Meet SkyJack, a drone developed by U.S. hacker Samy Kamkar to seek out other drones, disconnect them from their control devices, and bring them under the command of SkyJack's pilot.

Samy Kamkar is a former black hat hacker convicted of developing the Samy computer worm which took down MySpace in 2005. Now he's devoted his career to legitimate cyber-security research exposing security flaws in other platforms. SkyJack is his latest creation, a Parrot AR.Drone 2.0 radio-controlled quadcopter, one of the most popular models for drone hobbyists.

The AR.Drone 2.0 has a built-in wireless internet controller used to interface with Android or iOS devices like smartphones or tablets, which are used to steer the drone and receive a video feed from its onboard camera. That same internet controller necessary to steer a Parrot drone is also a major security flaw. See what Kamkar did below:

Kamkar's release notes say that:

"Today Amazon announced they're planning to use unmanned drones to deliver some packages to customers within five years. Cool! How fun would it be to take over drones, carrying Amazon packages…or take over any other drones, and make them my little zombie drones. Awesome.

Using a Parrot AR.Drone 2, a Raspberry Pi, a USB battery, an Alfa AWUS036H wireless transmitter, aircrack-ng, node-ar-drone, node.js, and my SkyJack software, I developed a drone that flies around, seeks the wireless signal of any other drone in the area, forcefully disconnects the wireless connection of the true owner of the target drone, then authenticates with the target drone pretending to be its owner, then feeds commands to it and all other possessed zombie drones at my will."

All the onboard-equipment the SkyJack drone possesses makes it a truly mobile hacking system, capable of roving around to find other Parrot drones and turn them into little more than slaves usable for anything from casual joyriding to spying their original owners. But the software itself is usable from any device capable of broadcasting a signal to nearby Parrot drones.

What's it mean? Currently, not much — it's a security hole in a single hobbyist product line, with limited applications. SkyJack could also likely be defeated with simple enhancements to encryption or firmware updates to Parrot AR.Drone 2. SkyJack as it stands is probably not much more than a fun prank to play on fellow hobbyists or a cool software toy to have fun with, and it requires a fair amount of technical know-how and a modest budget to reconfigure a standard Parrot drone to carry the zombie-making signal. But it has ominous overtones.

Totally unmanned vehicles are uniquely susceptible to cyber-attacks, specifically because there's no human directly controlling any facet of the hardware. Either the device runs entirely on internal programming or — much more likely — the pilot interfaces with the device via an authenticated two-way wireless signal. With plans for drone-based Amazon delivery in the near future, and countless other economic uses for drones, SkyJack represents the genesis of a whole new type of cyber-crime: drone-jacking.

Even the cheapest drones are worth hundreds of dollars, and soon they might be carrying potentially valuable Amazon cargo. It's hardly a stretch to imagine that hackers with more time and resources than Kamkar and less moral concerns could develop futurer iterations of SkyJack-esque software capable of snatching other kinds of drones out of the sky for resale or pirating their valuable content. Or even contemplate drone identity theft; drug dealers could steal a civilian delivery drone to send shipments across borders, for example.

Yeesh! And while the security protecting military drones, for example, is probably very difficult to defeat, that just means that other countries could scale up their hacking operations accordingly. China's People's Liberation Army, for example, already is suspected to have a hacking organization with hundreds or thousands of staff responsible for hundreds of attacks on Western companies. In the wars of the future, military drones could be susceptible to cyber-attacks, possibly deploying their sensor equipment and weapons against formerly friendly targets.