Hijacking Quadcopters With A MAVLink Exploit

Not many people would like a quadcopter with an HD camera hovering above their property, and until now there’s no technical resource to tell drone pilots to buzz off. That would require actually talking to a person. Horrors. Why be reasonable when you can use a Raspberry Pi to hijack a drone? It’s the only reasonable thing to do, really.

The folks at shellIntel have been messing around with quads for a while, and have recently stumbled upon a vulnerability in the Pixhawk flight controller and every other quadcopter that uses the MAVLink protocol. This includes the Parrot AR.drone, ArduPilot, PX4FMU, pxIMU, SmartAP, MatrixPilot, Armazila 10dM3UOP88, Hexo+, TauLabs and AutoQuad. Right now, the only requirement to make a drone fall out of the sky is a simple radio module and a computer. A Raspberry Pi was used in shellIntel’s demo.

The exploit is a consequence of the MAVLink sending the channel or NetID used to send commands from the transmitter to the quadcopter in each radio frame. This NetID number is used so multiple transmitters don’t interfere with each other; if two transmitters use the same NetID, there will be a conflict and two very confused pilots. Unfortunately, this also means anyone with a MAVLink radio using the same NetID can disarm a quadcopter remotely, and anyone with a MAVLink radio can tell a quad to turn off, or even emulate the DJI Phantom’s ‘Return to China’ function.

The only required hardware for this exploit is a $100 radio and three lines of code. It is certainly possible to build a Raspberry Pi-based box that would shut down any Pixhawk-equipped quadcopter within radio range, although the folks at shellIntel didn’t go that far just yet. Now it’s just a proof of concept to demonstrate that there’s always a technical solution to your privacy concerns. Video below.

Continue reading “Hijacking Quadcopters With A MAVLink Exploit”