Is it possible to hijack a P3?

Just wondering if anyone knows how secure the protocol used to control the P3 is.

How hard would it be to build some equipment that could somehow take control of a P3?

And what about linking/pairing/binding the remote controller; would it be possible to bind another controller to the P3 without having access to the link button on the P3?

Edit:
http://arstechnica.com/security/201...ken-down-or-hijacked-researchers-demonstrate/
 
Just wondering if anyone knows how secure the protocol used to control the P3 is.

How hard would it be to build some equipment that could somehow take control of a P3?

And what about linking/pairing/binding the remote controller; would it be possible to bind another controller to the P3 without having access to the link button on the P3?
Yes, there are articles out -- read one on this forum -- regarding the hacking of drones -- and taking control -- don't know how that works and what the immediate risks are -- but it can be done according to the article.
 
I don't know that it's a paranoid question... it's just a question. If the OP was saying he was super worried about it... that might be different. But theoretically they could be hijacked - in fact they have recently reported that even car controls can be hacked into. Doesn't mean it will happen... and if they start doing it (whoever they are) then I am sure DJI will increase their security protocol on the device.
 
^Paranoid - Any thoughts on the media cover up of the beheadings in the Ikea store in Vasteras? Bit off topic - Sorry
No, not paranoid, and wtf are you rambling about?

Was thinking more in the direction of others having their P3 fly away, one poster in another thread claims it flew away even before the remote controller was powered up.
Others claiming fly away mid flight.
 
I'd imagine it is (possible), some idiot with nothing better to do is trying right now and soon it will be on the news. An isolated case? Surely nothing widespread with drones flying around like the apocalypse is coming. If it happens squawk 7500 and you should be fine.
 
No, not paranoid, and wtf are you rambling about?

Was thinking more in the direction of others having their P3 fly away, one poster in another thread claims it flew away even before the remote controller was powered up.
Others claiming fly away mid flight.

Myself and others think some of those claims may be full of it. BS, nonsense, etc. If not that, then random malfunction from use of 3rd party apps.
 
I'll just leave this here ...
http://arstechnica.com/security/201...ken-down-or-hijacked-researchers-demonstrate/

Robinson also tested the security of the more expensive DJI Phantom III drone, with somewhat different results. The Phantom uses radio controls rather than Wi-Fi, so it was not vulnerable to hijacking. GPS interference caused problems for the return-home function and also, strangely, made video return from the Phantom unstable. And magnetic field interference could throw off the drone's internal magnetic compass, causing it to not take off; Robinson was unable to test the effects of magnetic interference in flight.
 
Was thinking more in the direction of others having their P3 fly away, one poster in another thread claims it flew away even before the remote controller was powered up.
Others claiming fly away mid flight.
All wise advice seems to say that the controller should always be powered up before the quad. This is probably why.
 
Parrot drones are Wi-Fi based and have left gaping holes in their IP implementation. Phantom 2 Vision also had (has?) some vulnerabilities. P3 would be a whole lot harder.

Lightbridge is proprietary. To take control, you'd need to be able to replicate the protocol including TDM muxing, know the binding code (assuming it is some sort of pre-shared key) and the hash that is hopefully XORed with the PSK.

Receiving and decoding your downlink video and the telemetry encoded in the audio channel is probably a whole lot easier.
 
With the right equipment and being in range when you first turn on your P3, it is possible to hijack. But rest assured, it takes specialized equipment that most people would not have or know how to use.
 
With the right equipment and being in range when you first turn on your P3, it is possible to hijack. But rest assured, it takes specialized equipment that most people would not have or know how to use.

What equipment would that be? I know of no specialized equipment that talks Lightbridge other than Lightbridge.
 
Does it count as "hijacking" if it's the government taking control of your drone and flying it away from crowds/airports? Of course, you should not be flying there anyway so I guess you would then be bringing this "hijacking" upon yourself. Still count?

http://www.reuters.com/article/2015/08/20/us-usa-drones-security-idUSKCN0QP0BB20150820

"At crowded venues such as Times Square or the Super Bowl, police want to be able to take control of a drone, steer it safely away from the public and guide it back to the operators, who can then be identified, the sources said."
 
What equipment would that be? I know of no specialized equipment that talks Lightbridge other than Lightbridge.
A P32 Space Modulator of course.....all kidding aside, there is equipment that can "talk lightbridge" but we don't call it lightbridge since that's DJI's term. I wouldn't expect you to know about it yet. We have a team of people, much smarter than I, who get to play with some very sophisticated software and proprietary chipsets. They seem to enjoy it!
 
I wouldn't expect you to know about it yet.

No disrespect intended, but translated through the Internet BS detector, that reads as:
I am pretending to know of something but I don't.

Lightbridge is proprietary. It's a home grown TDM OFDM/FHSS mash up. There are other MIMO OFDM wireless HD systems including DVB based ones but they are not Lightbridge and most are proprietary in the upper layers. Decoding a Lightbridge OFDM downlink is not the same as being able to demux the two-way communication or even transmit within the same session not to mention syncing TDM frames.
 
Reading this thread my first thought was, "I hope this thread does not teach someone how to hijack a P3." I think it's good to be aware it could happen, but I don't think discussing specifics on how it could be accomplished is in any of our best interest. Just my two cents...
 
No disrespect intended, but translated through the Internet BS detector, that reads as:


Lightbridge is proprietary. It's a home grown TDM OFDM/FHSS mash up. There are other MIMO OFDM wireless HD systems including DVB based ones but they are not Lightbridge and most are proprietary in the upper layers. Decoding a Lightbridge OFDM downlink is not the same as being able to demux the two-way communication or even transmit within the same session not to mention syncing TDM frames.
Thank you for your "moderator" wisdom, Ian. Judging by your resume you know a bit about wireless protocols. You're entitled to your opinion of course, but you would have to agree that not everyone knows everything. I'm not here to have a pissing match with you. I was simply answering the OP question.
 
I have no issues hijacking P3, Inspire or the A2 Lightbridge setup. I will be submitting a talk at next year's Black Hat & DefCon conferences on my research. I have used some basic SDRs to frequency hop and understand the key exchange. It is a very simple Man-in-the-Middle attack and works a lot like a WPA brute force/de-auth. I am working on scripting a "land Command" at the moment based on RTH.
 

Good to know there are people that scrutinize even non-standard/home brew protocols like this.
Looking forward to seeing DJI fix their protocols if you manage to hack it.
 
I have no issues hijacking P3, Inspire or the A2 Lightbridge setup. I will be submitting a talk at next year's Black Hat & DefCon conferences on my research. I have used some basic SDRs to frequency hop and understand the key exchange. It is a very simple Man-in-the-Middle attack and works a lot like a WPA brute force/de-auth. I am working on scripting a "land Command" at the moment based on RTH.

Looking forward to seeing it. Please post it here when you can. BTW, an even better hijack would be to set a new RTH location (your location) and then invoke RTH.

I didn't expect DJI's key exchange to be anything beyond basic. Their security has been through obscurity. I guess DJI has reached a tipping point where it will now be subject to more robust scrutiny and exploitation.
 
