A security researcher has figured out how to hack into professional-grade XBee drones from 2km away

[Image: Belgian Federal Police drone. Credit: Reuters]

An IBM researcher has figured out how to easily hack into and hijack expensive drones used by police and security agencies from 2km away, and it's all because of a lack of encryption.

IBM researcher Nils Rodday, who is based in Germany, has found a way to hack into $30,000 (£21,000) professional-grade quadcopters by exploiting the fact that the radio link handled by the on-board chips is not encrypted.

In order to control these drones and provide end-to-end wireless communication with the Android tablets used to fly them, low-power XBee ZigBee RF chips are fitted to the unmanned aerial vehicles (UAVs). Because the tablet has no XBee chip of its own, an intermediary telemetry box fitted with both an XBee radio and Wi-Fi receives the radio signals from the drone and relays them to the Android tablet over Wi-Fi.

Although XBee chips support encryption, in practice that function is not activated on the drones because it affects their performance. The Wi-Fi leg of the connection, used at altitudes below 100m, is secured, but the protection is provided by the Wired Equivalent Privacy (WEP) protocol, an early scheme designed for wireless local area networks.

WEP is not considered secure, and most Wi-Fi networks today use the Wi-Fi Protected Access (WPA) protocol instead. Combined with the unencrypted XBee link, this means that an attacker could perform a man-in-the-middle attack and inject commands between the drone and the telemetry box.

Rodday bought $40 worth of hardware and, using a basic understanding of radio communications, was able to capture the commands sent by the app on the Android tablet and use them to hijack the drone from a considerable distance.

"On the XBee link we can perform a man-in-the-middle attack and inject commands between the UAV and the telemetry box from up to 2km (1.2 miles) away," Rodday told The Register. "An attacker can re-route packets, block out [the operator], or let the packets go through, but I guess most attackers would [steal] it."

However, if XBee encryption were enabled on the drones, the man-in-the-middle attack would no longer be possible. The unnamed drone manufacturer which supplied the UAV for Rodday to test is now evaluating how best to fix the problem, and Rodday says that the easiest fix would be to encrypt communications within the Android app and within the drone's firmware.
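The core weakness described above is that the command link carries no cryptographic protection, so anyone within radio range can inject or replay commands. The following is an added illustration, not code from Rodday's research or from the drone vendor, of the authentication half of the recommended fix: each command frame carries a sequence counter and an HMAC-SHA256 tag under a shared key, so the receiver rejects forged, tampered and replayed frames. The frame layout, the key derivation and the command strings are constructed assumptions for the demo; real firmware would pair this with authenticated encryption for confidentiality.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to every frame (assumed layout)
SEQ_LEN = 4   # big-endian 32-bit sequence counter prepended to every frame


class CommandSender:
    """Tablet/app side: frames each command as seq || command || tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def frame(self, command: bytes) -> bytes:
        self.seq += 1  # strictly increasing counter gives replay protection
        header = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        return header + command + tag


class CommandReceiver:
    """Drone firmware side: accepts a frame only if the tag verifies and seq is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None  # malformed
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit: attacker lacks the key
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None  # replay of a previously captured legitimate frame
        self.last_seq = seq
        return body


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key, not a real drone key").digest()
    sender, drone = CommandSender(key), CommandReceiver(key)
    legit = sender.frame(b"GOTO 51.0,4.3")                       # operator's command
    injected = struct.pack(">I", 99) + b"LAND" + b"\x00" * TAG_LEN  # attacker frame without the key
    tampered = bytearray(legit); tampered[SEQ_LEN] ^= 0x01       # bit-flip in the command body
    return {"legit": drone.accept(legit), "replayed": drone.accept(legit),
            "injected": drone.accept(injected), "tampered": drone.accept(bytes(tampered))}
```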

The hacking technique was demonstrated by Rodday at the Black Hat Asia conference in Singapore. His presentation slides can be viewed here and his master's thesis is available to download here.