Hacking a Professional Drone

Hacking 

a Professional 

Drone 

Nils Rodday 

rodday@arcor.de 

https://de.linkedin.com/in/nilsrodday

Goal 

The goal of this talk is to give insights into the security of 

Unmanned Aerial Vehicles (UAVs) and to show that professional 

UAVs are not as secure as one might think. 

2

Agenda 

The UAV 

Attacks 

Live Demonstration 

Remediation 

Impact 

3 

Q&A 

Lessons Learned

The UAV – Specifications 

25k – 30k € 

30k – 35k $ 

Add-ons 

3kg Payload 

7lb Payload 

Advanced 

Features 

30 – 45min 

Endurance 

4

The UAV 

Data flow 

Telemetry Box 

802.11 WiFi link (WEP) 

Not connected 

(two separate devices) 

XBee 868LP link 

Data flow 

Video link 

Data flow 

GPS Receiver 

©IEEE 

Remote Control 

2.4 Ghz 


link 

5

The UAV – Wifi focus 

Data flow 



Data flow 

Video link 

GPS Receiver 

Data flow 

2.4 Ghz 


link 

6

The UAV – Wifi attack 

Attacker's tablet 

Communication route 

after attack 

Original 

communication 

route 

Original tablet 

7

The UAV – XBee focus 

Data flow 



Data flow 

Video link 

GPS Receiver 

Data flow 

2.4 Ghz 


link 

8

XBee – Chips 

9

10

XBee – Reading the manual... 

1. API mode 

2. Broadcast 

3. Remote AT 

Commands 

It's not a bug, it's a feature 

11

XBee – Man-in-the-Middle Attack 

Attacker 

Communication route 

after attack 

Original 

communication 

route 

5. Remote AT Command: 

Write 

1. Broadcast 

3. Remote AT Command: 

Change DH + DL 

Tablet Remote Control UAV 

©IEEE 

12

What´s next? 

We can read/send data on the XBee channel. 

But what does that data stream mean? 

13

Decompilation of Android APK 

14

Decompilation of Android APK 

15 

Decimal –> Hex 

36 

87 

73 

70 

73 

paramByte 

paramByte 

paramByte 

24 

57 

49 

46 

49 

XX 

XX 

XX 

. 

. 

.

Example Commands 

24 57 49 46 49 XX XX XX 

24 57 49 46 49 89 89 89 (Start-Engines) 

24 57 49 46 49 58 58 58 (Auto-Takeoff) 

24 57 49 46 49 97 97 97 (Enable Autopilot) 

16

Demonstration

Remediation – XBee Onboard Encryption 

• Secures Data ONLY on the XBee channel 

• Prevents Remote-AT-Commands 

• Mitigates Man-in-the-Middle 

18

Remediation – Add. Hardware Encryption 

• Does NOT prevent Remote-AT-Commands 

• Does NOT mitigate Man-in-the-Middle 

• Ensures CONFIDENTIALITY 

19

Remediation – Application-layer Encryption 

• Does NOT prevent Remote-AT-Commands 

• Does NOT mitigate Man-in-the-Middle 

• Ensures CONFIDENTIALITY 

20

Impact 

• Cost of attack: 40$ 

• UAV is currently in use 

• Multiple manufacturers are using similar 

setups 

21

Lessons Learned 

Use strong 

encryption 

Alter passphrases 

Test your product 

22

Credits 

Prof. Dr. Aiko Pras 

Dr. Ricardo de O. Schmidt 

Ruud Verbij 

Matthieu Paques 

Atul Kumar 

Annika Dahms 

23

Nils Rodday 

https://de.linkedin.com/in/nilsrodday 


24

Hacking 

a Professional 

Drone 

Nils Rodday 


https://de.linkedin.com/in/nilsrodday

26

• Slide 5 & 12: Photo credit to: 978-1-5090-0223-8/16/$31.00 © 2016 IEEE 

27

Hacking a Professional Drone

Create successful ePaper yourself

Delete template?

Save as template?