How to hack a Parrot drone on the fly

Two security researchers at the recent Def Con conference presented the results of their studies on hacking Parrot drones.  Their findings are surprising.

At the recent Def Con conference in Las Vegas, security experts demonstrated in two different talks how to exploit vulnerabilities in commercial drones manufactured by Parrot.

In one of the attacks, the researchers were able to shoot down the aircraft making it fall, the technique was able also to hit the Bebop model.

The circumstance is disconcerting if we think that an attacker can use the drone to hit a target.

Ryan Satterfield, a security expert from the Planet Zuda firm, demonstrated a takedown of a Parrot A. R. Drone by exploiting the drone’s built-in Wi-Fi, the researchers accessed the UAV through an open Telnet port in the implementation of the BusyBox OS. The expert connected to the drone through the open port, gaining root access to the controller, then it was a joke for him to kill the processes used to control the flight of the drone.

Below the video PoC of the attack Ryan Satterfield demonstrated at the DEF CON conference.

The day after the Satterfield’s presentation the security researcher Michael Robinson, adjunct professor at Stevenson University in Maryland and George Mason University, illustrated the findings of his research on the Parriot Bebop drone.

In the talk titled “Knocking My Neighbor’s Kid’s Cruddy Drone Offline” he explained how to exploit a Parrot’s open Wi-Fi connection to control the drone. Anyone with the free Parrot app on a mobile device could be able to control the Parrot drone while it is flying.

The principle of the attack is simple, in a first phase the attacker disconnects the legitimate control app from the drone, then he takes control with his app from another device.

It is important to note that the hack demonstrated by Robinson leaves forensic artifacts on mobile devices, including the serial number of the drone.

In both hacks demonstrated at the Def Con conference, the hackers exploited a well-known feature of the Parrot drones, the open telnet port could be accessed to gain root privileges on the controller.

A blog post published by Ars Technica highlight that this feature is widely-known and mentioned in a number of specialized forums.

The post explains that some Parrot drone owners have used the same feature to upgrade the WiFi security of their aircrafts, adopting the WPA2 standard.

Robinson discovered other security issued in the Parrot Bebop model, the aircraft uses an open FTP server to transfer pictures and video back to the control system. The open FTP port could be exploited by an attacker to remotely access, delete and replace videos gathered by the Parrot drone.

Another issue discovered by the expert is related to the management of the GPS signal implemented by the Parrot model Bepop. It an attacker uses a jammer to disturb the GPS signal, the return-home function implemented by the drone controller fails even when GPS signal returned.

Robinson also tested the security features implemented by the professional DJI Phantom III drone. The Phantom is not vulnerable to hijacking because it uses radio controls rather than Wi-Fi. Jamming attacks are able to cause problem for the return-home function. The GPS interference has other dangerous effects for the drone, the video returned from the aircraft was unstable and the drone’s internal magnetic compass is disturbed causing it to not take off.

The researchers reported the security issues to Parrot which confirmed it was aware of them, at the time I’m writing it’s not clear when the company will fix it.

Pierluigi Paganini

(Security Affairs – hacking, Parrot Drones)