
SkySafe – tech to take over badly behaved drones - cambridgemike
http://www.skysafe.io/
======
cannikin
Not sure if "taking control" of a drone would be considered a form of jamming,
but the FCC says:

> Federal law prohibits the operation, marketing, or sale of any type of
> jamming equipment, including devices that interfere with cellular and
> Personal Communication Services (PCS), police radar, Global Positioning
> Systems (GPS), and wireless networking services (Wi-Fi).[1]

The FCC just handed out their largest fine ever ($34.9 million) against a
Chinese company for selling jammers in the US capable of interfering with GPS
reception from a half mile away.[2]

I recently became a licensed amateur radio operator (W6AKJ) and was surprised
by how seriously the FCC takes enforcement of those radio bands that are
available for public use. I find it highly dubious that these guys would be
able to market and sell to the public a device that interferes with the lawful
use of a radio band used for remote control.

[1] [https://www.fcc.gov/encyclopedia/jammer-enforcement](https://www.fcc.gov/encyclopedia/jammer-enforcement)

[2] [http://www.dronejournalism.org/news/2014/6/fccs-historic-fine-for-gps-jamming-is-sign-of-hazards-ahead-for-drones](http://www.dronejournalism.org/news/2014/6/fccs-historic-fine-for-gps-jamming-is-sign-of-hazards-ahead-for-drones)

~~~
justin66
> how seriously the FCC takes enforcement of those radio bands that are
> available for public use

Except CB. Listening to it, you'd never guess that they used to regulate
profanity and the use of illegal signal amplification.

------
bjt2n3904
> Safely take control of reckless or malicious drones.

What's the difference between that and recklessly or maliciously taking
control of safe drones?

~~~
kej
RFC 3514 could easily be adapted from IPv4 to whatever radio protocol these
drones use.

~~~
mentat
I find it both amusing and disturbing that I was sure which RFC this was just
by context.

------
melito
Giving people a button that would make a drone fall out of the sky sounds like
something that would need more regulation than the drones themselves

------
CraigJPerry
To defend against this, just change the password (3DR) or set a password (DJI)
on your quadcopter's wifi access point.

For homebuilt drones using Futaba or Spectrum links this system is ineffective
in its current form.

~~~
erobbins
It's also ineffective for true autonomous drones that are flying a
preprogrammed course with no input.

Interesting idea, but easy to avoid.

------
Someone1234
Seems like trying to take control of a drone might cause it to crash. So
whoever operates this might find themselves footing that bill or taking
responsibility if the drone then hit someone or something on the way down.

Plus drone manufacturers will take steps as soon as this is available. Basic
encryption and/or frequency hopping is inexpensive these days.

~~~
jessaustin
ISTM that it would be impossible to determine that a drone had been taken over
in this fashion, and even harder to identify _who_ had taken it over. So, no
one would ever find herself footing that bill.

------
jessaustin
I'm disappointed that this didn't turn out to be an EMP gun.

------
thescriptkiddie
> SkyJack - tech to steal model aircraft for resale on ebay

FTFY

------
phire
This is the complete opposite of what we need.

------
mring33621
Welcome to yet another arms race...

------
rcurry
For the RF geeks here - can't manufacturers implement some kind of anti-
hijacking protocols into the RF I/O between the radio and the receiver? I
understand it's hard to defeat jamming if the attacker has more power at hand
than you do, but it seems like it would be easy to defeat devices that want to
try and MITM or otherwise usurp the actual control commands.

~~~
erobbins
Frequency hopping spread spectrum radios do have a pairing that results in the
transmitter and receiver sharing a PRNG key, and switching frequencies at a
high rate.

They can still be jammed with broad spectrum high power transmissions, though.

~~~
Ao7bei3s
The hopping sequences are well-known, there is actually no PRNG involved.

Of course, it'd work, assuming it was a cryptographically safe PRNG, and there
was a safe key exchange.

Real-world (hobby) RC transmitters/receivers used today do not have any
security. At all. (The model bind feature available on most is a safety
feature only.)

(Also, there is no encryption and no authentication on _any_ currently
available (hobby) RC system I know of.)

~~~
dingaling
> The hopping sequences are well-known, there is actually no PRNG involved.

For NATO kit it's actually the opposite; we know the frequency tables but not
the switching sequence which is PRNG-generated.
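
Added example, not part of the thread or any poster's words: a sketch of what the replies above say hobby RC links lack, namely a hop sequence derived from a shared pairing key and control frames carrying a counter plus a truncated HMAC tag, so forged or replayed commands are dropped. The frame layout, channel count and key are assumptions constructed for the illustration; no real RC protocol is reproduced.

```python
import hashlib
import hmac
import struct

NUM_CHANNELS = 80   # assumed channel count for the illustration
TAG_LEN = 8         # truncated HMAC-SHA256 tag, in bytes

def hop_channel(key: bytes, slot: int) -> int:
    """Channel for a time slot, derived from the pairing key (keyed PRF)."""
    digest = hmac.new(key, b"hop" + struct.pack(">Q", slot), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NUM_CHANNELS

def seal(key: bytes, counter: int, sticks: tuple) -> bytes:
    """Transmitter side: 64-bit counter + four 16-bit stick values + tag."""
    body = struct.pack(">Q4H", counter, *sticks)
    tag = hmac.new(key, b"cmd" + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the stick values, or None if the frame is forged or replayed."""
        if len(frame) != 16 + TAG_LEN:
            return None
        body, tag = frame[:16], frame[16:]
        expected = hmac.new(self.key, b"cmd" + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        counter, *sticks = struct.unpack(">Q4H", body)
        if counter <= self.last_counter:             # replayed or stale frame
            return None
        self.last_counter = counter
        return tuple(sticks)

def demo():
    key = bytes(range(32))     # constructed pairing key
    other = bytes(32)          # a key the receiver was never paired with
    rx = Receiver(key)
    good = seal(key, 1, (1500, 1500, 1000, 1500))
    return {
        "genuine": rx.accept(good),
        "replayed": rx.accept(good),
        "wrong_key": rx.accept(seal(other, 2, (1500, 1500, 2000, 1500))),
        "next": rx.accept(seal(key, 2, (1500, 1500, 1100, 1500))),
    }
```

As the thread notes, this addresses command injection only; a receiver still has to fall back to its failsafe when jamming prevents any valid frame from arriving.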

------
y-satellite
Who is the target customer here? Seems like it's probably aimed at operators
of parks, venues, etc., but I'm not sure.

~~~
ssully
A ton of people, including government and private industries and businesses.

One example would be power companies. Physical security is obviously big for
power plants. They are definitely afraid of drones both from a surveillance
standpoint and also from fear of them being used to destroy equipment.

------
ddrum001
This seems very odd to me - isn't this regulated or standardized?

~~~
Natanael_L
It may very well fall under the standard hacking related laws

------
rememberlenny
Can someone explain how this technology works? I can assume, but I am
interested.

~~~
sslalready
I can only speculate but there is some prior work in this area, for instance
SkyJack ([http://samy.pl/skyjack/](http://samy.pl/skyjack/)).

Quote: _SkyJack (available from github) is primarily a perl application which
runs off of a Linux machine, runs aircrack-ng in order to get its wifi card
into monitor mode, detects all wireless networks and clients around,
deactivates any clients connected to Parrot AR.drones, connects to the now
free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to
control zombie drones._

There is also some info/links regarding DJI's Phantom line of drones on
[https://github.com/noahwilliamsson/dji-phantom-vision](https://github.com/noahwilliamsson/dji-phantom-vision)

Quote: _The Range Extender is essentially a small Linux system based on
OpenWRT which provides a WiFi-network used by the Phantom and the DJI Vision
App. It's reachable over SSH at 192.168.1.2 (root / 19881209). The WiFi-
network has no security by default and neither the Phantom nor the DJI Vision
app supports password protecting it. Additionally, it is required that the
network name is prefixed with "Phantom_" in order for the Phantom to find and
associate with it._

------
comrh
Pretty bare on any information about this at all.

------
markwakeford
Are we being trolled?

------
vimalbhalodia
I can't speak to how their technology actually works, but here's a quick lay-
of-the-land for how it could work / how you could start your own similar
business:

The two most popular manufacturers of higher end drones - DJI and 3DR use
standard 802.11 radios for control, telemetry, and FPV video streaming if
supported. The manufacturer transmitters include slightly directional
amplified antennas so they get better range than your smartphone would, but
it's all IP over 802.11. This means all your standard WiFi hacking tricks are
perfectly useful here.

If you were looking to hijack a DJI drone,
[https://github.com/noahwilliamsson/dji-phantom-vision](https://github.com/noahwilliamsson/dji-phantom-vision)
would be a good place to start. The only hardware you would need is a standard
802.11abgn network card and a directional power-amplified antenna.

Most other higher-end drones use two separate radios - one for control
(typically running either the Spektrum or Futaba RF protocols over a 2.4GHz
link) and one for telemetry (typically running MAVLink over some sort of FHSS
link on 433MHz or 900MHz).

Hijacking the control side of one of these systems would require dedicated
radio equipment - in the case of Spektrum's DSM protocol, some sort of CYRF
wireless-USB chipset board. Spektrum's DSM/DSM2/DSMX protocol is not open-
source, but a lot of effort has been put into reverse-engineering it and you
can see sample DSM-compatible firmware for a CYRF-based USB transmitter board
here:
[https://github.com/1bitsquared/superbitrf-firmware](https://github.com/1bitsquared/superbitrf-firmware)

Hijacking the telemetry channel could also yield control over the drone -
depending on the flight controller and firmware used, you could issue MAVLink
commands to either return-to-home or fly to specific coordinates. MAVLink is a
serial protocol layered over a semi-reliable radio link - to interfere with
it, you'd first have to hop on the link and then intercept/override the serial
command stream.

MAVLink is awesome and open-source - one good resource to learn about it is
here:
[http://qgroundcontrol.org/mavlink/start](http://qgroundcontrol.org/mavlink/start)

Theoretically MAVLink can run on top of any radio which exposes a serial link
interface - some hobbyists use bluetooth, but most people eventually switch to
using longer-range telemetry radio modules running on either 433MHz or 900MHz
bands. Most of these radio modules run a particular open-source FHSS firmware
known as SiK -
[https://github.com/Dronecode/SiK](https://github.com/Dronecode/SiK)

If you look at the SiK source, you can see their implementation of FHSS and
should be able to figure out how to search for, lock onto, and potentially
interfere with a particular radio link.

Beyond the major manufacturers, there are hundreds of smaller drone
manufacturers, and the radio protocols and systems they use vary from
manufacturer to manufacturer and model to model. As a general rule, anyone
claiming "iPhone app control" is running some sort of 802.11-based protocol
(eg: Parrot / Bebop), while even smaller and cheaper drones are running custom
2.4GHz RF links.

One final consideration - most drones have varying degrees of failsafes
programmed into them in the event of a loss of control signal (potentially
through RF jamming). Cheaper drones will simply shut off and fall out of the
sky. More advanced drones / controllers can perform one of a number of
behaviors, including loitering in-place or returning to their original launch
location.

One more final consideration - most of the interference and hijacking methods
described here are very much of questionable legality in the FCC's eyes. Also
there are enough existing reasons drones fall out of the sky (bad piloting,
unreliable hardware, poor maintenance) - we don't need to add another reason.
Be safe, be responsible, and be legal.

