Not sure if "taking control" of a drone would be considered a form of jamming, but the FCC says:
> Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi).[1]
The FCC just handed out their largest fine ever ($34.9 million) against a Chinese company for selling jammers in the US capable of interfering with GPS reception from a half mile away.[2]
I recently became a licensed amateur radio operator (W6AKJ) and was surprised by how seriously the FCC takes enforcement of those radio bands that are available for public use. I find it highly dubious that these guys would be able to market and sell to the public a device that interferes with the lawful use of a radio band used for remote control.
Seems like trying to take control of a drone might cause it to crash. So whoever operates this might find themselves footing that bill or taking responsibility if the drone then hit someone or something on the way down.
Plus drone manufacturers will take steps as soon as this is available. Basic encryption and/or frequency hopping is inexpensive these days.
ISTM that it would be impossible to determine that a drone had been taken over in this fashion, and even harder to identify who had taken it over. So, no one would ever find herself footing that bill.
For the RF geeks here - can't manufacturers implement some kind of anti-hijacking protocols into the RF I/O between the radio and the receiver? I understand it's hard to defeat jamming if the attacker has more power at hand than you do, but it seems like it would be easy to defeat devices that want to try and MITM or otherwise usurp the actual control commands.
Frequency hopping spread spectrum radios do have a pairing that results in the transmitter and receiver sharing a PRNG key, and switching frequencies at a high rate.
They can still be jammed with broad spectrum high power transmissions, though.
A ton of people, including government and private industries and businesses.
One example would be power companies. Physical security is obviously big for power plants. They are definitely afraid of drones both from a surveillance standpoint and also from fear of them being used to destroy equipment.
I can only speculate but there is some prior work in this area, for instance SkyJack (http://samy.pl/skyjack/).
Quote: SkyJack (available from github) is primarily a perl application which runs off of a Linux machine, runs aircrack-ng in order to get its wifi card into monitor mode, detects all wireless networks and clients around, deactivates any clients connected to Parrot AR.drones, connects to the now free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to control zombie drones.
I can't speak to how their technology actually works, but here's a quick lay-of-the-land for how it could work / how you could start your own similar business:
The two most popular manufacturers of higher end drones - DJI and 3DR use standard 802.11 radios for control, telemetry, and FPV video streaming if supported. The manufacturer transmitters include slightly directional amplified antennas so they get better range than your smartphone would, but it's all IP over 802.11. This means all your standard WiFi hacking tricks are perfectly useful here.
If you were looking to hijack a DJI drone, https://github.com/noahwilliamsson/dji-phantom-vision would be a good place to start. The only hardware you would need is a standard 802.11abgn network card and a directional power-amplified antenna.
Most other higher-end drones use two separate radios - one for control (typically running either the Spektrum or Futaba RF protocols over a 2.4GHz link) and one for telemetry (typically running MAVLink over some sort of FHSS link on 433MHz or 900MHz).
Hijacking the control side of one of these systems would require dedicated radio equipment - in the case of Spektrum's DSM protocol, some sort of CYRF wireless-USB chipset board. Spektrum's DSM/DSM2/DSMX protocol is not open-source, but a lot of effort has been put into reverse-engineering it and you can see sample DSM-compatible firmware for a CYRF-based USB transmitter board here: https://github.com/1bitsquared/superbitrf-firmware
Hijacking the telemetry channel could also yield control over the drone - depending on the flight controller and firmware used, you could issue MAVLink commands to either return-to-home or fly to specific coordinates. MAVLink is a serial protocol layered over a semi-reliable radio link - to interfere with it, you'd first have to hop on the link and then intercept/override the serial command stream.
Theoretically MAVLink can run on top of any radio which exposes a serial link interface - some hobbyists use bluetooth, but most people eventually switch to using longer-range telemetry radio modules running on either 433MHz or 900MHz bands. Most of these radio modules run a particular open-source FHSS firmware known as SiK - https://github.com/Dronecode/SiK
If you look at the SiK source, you can see their implementation of FHSS and should be able to figure out how to search for, lock onto, and potentially interfere with a particular radio link.
Beyond the major manufacturers, there are hundreds of smaller drone manufacturers, and the radio protocols and systems they use vary from manufacturer to manufacturer and model to model. As a general rule, anyone claiming "iPhone app control" is running some sort of 802.11-based protocol (eg: Parrot / Bebop), while even smaller and cheaper drones are running custom 2.4GHz RF links.
One final consideration - most drones have varying degrees of failsafes programmed into them in the event of a loss of control signal (potentially through RF jamming). Cheaper drones will simply shut off and fall out of the sky. More advanced drones / controllers can perform one of a number of behaviors, including loitering in-place or returning to their original launch location.
One more final consideration - most of the interference and hijacking methods described here are very much of questionable legality in the FCC's eyes. Also there are enough existing reasons drones fall out of the sky (bad piloting, unreliable hardware, poor maintenance) - we don't need to add another reason. Be safe, be responsible, and be legal.
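The question above about anti-hijacking protocols, and the point that a command stream can be overridden by anyone who gets onto the link, both come down to authenticating every control frame. The sketch below is an added example, not part of any comment in this thread and not any vendor's or MAVLink's actual wire format; the frame layout, tag length, pairing key and command strings are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag in bytes (assumed size)

def seal(key: bytes, seq: int, command: bytes) -> bytes:
    """Transmitter side: frame = 8-byte counter | command | tag."""
    body = struct.pack(">Q", seq) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Accepts a frame only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # nothing accepted yet

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to hold a counter and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: sender lacks the pairing key
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return None  # replay of a previously captured, valid frame
        self.last_seq = seq
        return body[8:]

def demo():
    key = bytes(range(32))  # constructed pairing key, illustration only
    rx = Receiver(key)
    results = []
    good = seal(key, 1, b"THROTTLE 40")
    results.append(rx.accept(good))  # genuine frame
    results.append(rx.accept(good))  # same frame replayed
    results.append(rx.accept(seal(b"\x00" * 32, 2, b"LAND")))  # wrong key
    tampered = bytearray(seal(key, 2, b"THROTTLE 45"))
    tampered[10] ^= 0x01  # flip one bit inside the command
    results.append(rx.accept(bytes(tampered)))
    results.append(rx.accept(seal(key, 2, b"THROTTLE 45")))  # next genuine frame
    return results

if __name__ == "__main__":
    print(demo())
```

This rejects injected, modified and replayed commands; as noted in the thread, it does nothing against a jammer that simply overpowers the link.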
[+] [-] cannikin|10 years ago|reply
[1] https://www.fcc.gov/encyclopedia/jammer-enforcement [2] http://www.dronejournalism.org/news/2014/6/fccs-historic-fin...
[+] [-] justin66|10 years ago|reply
Except CB. Listening to it, you'd never guess that they used to regulate profanity and the use of illegal signal amplification.
[+] [-] bjt2n3904|10 years ago|reply
What's the difference between that and recklessly or maliciously taking control of safe drones?
[+] [-] kej|10 years ago|reply
[+] [-] bhhaskin|10 years ago|reply
[+] [-] melito|10 years ago|reply
[+] [-] CraigJPerry|10 years ago|reply
For homebuilt drones using Futaba or Spektrum links this system is ineffective in its current form.
[+] [-] erobbins|10 years ago|reply
Interesting idea, but easy to avoid.
[+] [-] Someone1234|10 years ago|reply
[+] [-] jessaustin|10 years ago|reply
[+] [-] jessaustin|10 years ago|reply
[+] [-] thescriptkiddie|10 years ago|reply
FTFY
[+] [-] phire|10 years ago|reply
[+] [-] mring33621|10 years ago|reply
[+] [-] rcurry|10 years ago|reply
[+] [-] CraigJPerry|10 years ago|reply
But others use similar.
[+] [-] erobbins|10 years ago|reply
[+] [-] y-satellite|10 years ago|reply
[+] [-] ssully|10 years ago|reply
[+] [-] ddrum001|10 years ago|reply
[+] [-] Natanael_L|10 years ago|reply
[+] [-] rememberlenny|10 years ago|reply
[+] [-] sslalready|10 years ago|reply
There is also some info/links regarding DJI's Phantom line of drones on https://github.com/noahwilliamsson/dji-phantom-vision
Quote: The Range Extender is essentially a small Linux system based on OpenWRT which provides a WiFi-network used by the Phantom and the DJI Vision App. It's reachable over SSH at 192.168.1.2 (root / 19881209). The WiFi-network has no security by default and neither the Phantom nor the DJI Vision app supports password protecting it. Additionally, it is required that the network name is prefixed with "Phantom_" in order for the Phantom to find and associate with it.
[+] [-] comrh|10 years ago|reply
[+] [-] markwakeford|10 years ago|reply
[+] [-] vimalbhalodia|10 years ago|reply
MAVLink is awesome and open-source - one good resource to learn about it is here: http://qgroundcontrol.org/mavlink/start