A security researcher has reported finding a way to hijack a high-end drone, using parts costing as little as $40 (£29).
The expert says it is possible to start the octocopter’s engines, engage auto-takeoff, control its camera and, potentially, crash the machine.
He will present his findings at the RSA security conference in San Francisco, and has published a thesis.
The drone’s manufacturer has been informed.
However, the researcher told Wired magazine there would be “no easy fix” to the problem, meaning units might have to be recalled for a hardware update.
Nils Rodday is currently a security consultant at IBM, but carried out his research at the Netherlands’ University of Twente.
His work focused on an unmanned aerial vehicle (UAV) used by police forces for surveillance.
He said it cost about 20,000 euros ($21,700; £15,400).
It is more expensive than consumer drones because it features eight rotors, can carry loads of up to 2.9kg (6.4lb) and can stay airborne for more than half an hour.
The UAV is also used for power-line inspections, professional photography and agriculture applications.
The aircraft’s maker lent Mr Rodday a copy of its machine on condition its name was not disclosed.
Image caption Mr Rodday created devices using Xbee chips to send commands to the drone
Mr Rodday focused on its use of a telemetry module fitted with an Xbee radio chip, made by the company Digi International.
The module converts wi-fi commands sent by a computer app into low-frequency radio waves, which are then transmitted to another Xbee chip on the drone.
This allows the operator to control it from a greater distance than would otherwise be possible.
To achieve the hack, Mr Rodday required two Xbee chips of his own, among other low-cost components, as well as the use of a computer.
The hack consisted of two parts:
Intercepting the initial wi-fi connection and displacing the legitimate user. Since the link was only protected by an encryption protocol with known vulnerabilities, Mr Rodday said he could crack it in little time.
Transmitting his own commands to the drone’s Xbee chip.
The second step had been relatively easy, Mr Rodday said, because the drone-maker had opted not to make use of Xbee’s built-in encryption features.
The reason for this was that they would have extended the lag between the operator sending a command and the drone reacting.
Image caption Mr Rodday said that changing the last digits of a command’s code controlled different functions
“The whole communication is sent in clear text,” wrote Mr Rodday in his thesis.
“As long as the arriving data is syntactically and semantically correct, the data is forwarded to the application.”
Countermeasures were possible to prevent such attacks, he added, but they would “require better hardware, which leads to increased production cost”.
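The weakness quoted above, where any well-formed command is forwarded, can be contrasted with a receiver that also checks who sent the frame. The sketch below is an added example, not code from the thesis or the manufacturer: the two-byte command layout, the opcode table, the counter field and the key are all hypothetical, and a truncated HMAC with a replay counter stands in for whichever countermeasure a vendor would actually choose.

```python
import hmac, hashlib, struct

# Hypothetical command set and frame layout, constructed for illustration.
OPCODES = {0x01: "start_engines", 0x02: "auto_takeoff", 0x03: "camera"}
TAG_LEN = 8  # truncated HMAC-SHA256 tag, in bytes

def naive_accept(frame: bytes):
    """Forwards any frame that is well formed, with no check on the sender."""
    if len(frame) == 2 and frame[0] in OPCODES:
        return OPCODES[frame[0]], frame[1]
    return None

def seal(key: bytes, counter: int, opcode: int, arg: int) -> bytes:
    """Operator side: counter || opcode || arg || tag."""
    body = struct.pack(">IBB", counter, opcode, arg)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class AuthenticatedReceiver:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, frame: bytes):
        if len(frame) != 6 + TAG_LEN:
            return None
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # sender does not hold the shared key
        counter, opcode, arg = struct.unpack(">IBB", body)
        if counter <= self.last_counter or opcode not in OPCODES:
            return None  # replayed frame or unknown command
        self.last_counter = counter
        return OPCODES[opcode], arg

def demo():
    key = b"constructed-demo-key"  # sample value, not a real secret
    rx = AuthenticatedReceiver(key)
    good = seal(key, 1, 0x01, 0)
    forged = struct.pack(">IBB", 2, 0x02, 0) + bytes(TAG_LEN)
    return {
        "naive_unauthenticated": naive_accept(bytes([0x01, 0])),
        "auth_good": rx.accept(good),
        "auth_replay": rx.accept(good),
        "auth_forged": rx.accept(forged),
    }

if __name__ == "__main__":
    print(demo())
```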
The drone manufacturer intends to fix the problem when it releases its next-generation model.
But Mr Rodday believes other similar high-end aircraft may also face the same issue.
To raise awareness, he intends to hack a drone on stage at the RSA.
“[I] will make the UAV engines spin, so the UAV will have to be tied to something heavy during the presentation,” he said.
Another expert, who has previously spoken out about the risks that drones pose, said he was concerned.