My Phantom 4 uses watered-down Lightbridge[0] which I haven't looked at closely but which does tout at least some encryption. Its predecessor, on the other hand, my Phantom 2 Vision Plus, uses two completely open SSIDs (one hidden, one broadcast). I had a prototype of area denial for all Phantom drones that operated that way cooked up in about two days, so there's a lot of low-hanging fruit to reverse engineer here and not a lot of thought being put into security.
Control itself uses a different, "traditional R/C" path (itself ripe for disruption), but there's plenty of possibilities from being hooked up to a Phantom 2's SSID. There are two Linux-based computers on that network: the "guts" and the camera controller. The root password for both is wide knowledge, and you can brick an operating, in-flight Phantom 2 very easily with nothing but your laptop.
Hint, hint for a startup here, since I've been on three threads now where folks are looking for drone denial.
I did this a few years ago, but for the Microkopter boards. It's amazing what you can find while snooping the debug serial pins, and what you can ultimately still control during flight.
A cheaper and dirtier way to do this is to solder onto controller's pcb. Each joystick drives an X and a Y variable resistor, and measuring the voltage across output and gnd pins shows it ranges from 0 to 3.3V with 1.67V at neutral position. After removing these resistors from the board, you attach the pins to the arduino and you can analogwrite an output voltage[1] to mimic the joystick movements.
This of course flows through to the radio transmitter and onto the drone giving you computer control of the drone without reverse engineering radio and packets. I'll be writing a blog post on this soon. [Though I would be curious if anyone has done this with a Syma (D63) as it's a chinese company]
[1]: also need a low band pass filter (couple resistors and capacitor to trun the arduino's pwm into true analog voltage)
Control itself uses a different, "traditional R/C" path (itself ripe for disruption), but there's plenty of possibilities from being hooked up to a Phantom 2's SSID. There are two Linux-based computers on that network: the "guts" and the camera controller. The root password for both is wide knowledge, and you can brick an operating, in-flight Phantom 2 very easily with nothing but your laptop.
Hint, hint for a startup here, since I've been on three threads now where folks are looking for drone denial.
[0]: http://www.dji.com/product/dji-lightbridge