Is it possible to hijack a P3?

Discussion in 'Pro/Adv Discussion' started by 43k, Aug 15, 2015.

  1. 43k

    Just wondering if anyone knows how secure the protocol used to control the P3 is.

    How hard would it be to build some equipment that could somehow take control of a P3?

    And what about linking/pairing/binding the remote controller; would it be possible to bind another controller to the P3 without having access to the link button on the P3?

    Edit:
    http://arstechnica.com/security/201...ken-down-or-hijacked-researchers-demonstrate/
     
    #1 43k, Aug 15, 2015
    Last edited: Aug 15, 2015
    Fourprops likes this.
  2. bobmyers

    Yes, there are articles out -- read one on this forum -- regarding the hacking of drones -- and taking control -- don't know how that works and what the immediate risks are -- but it can be done according to the article.
     
  3. Buckaye

    I don't know that it's a paranoid question... it's just a question. If the OP was saying he was super worried about it... that might be different. But theoretically they could be hijacked - in fact they have recently reported that even car controls can be hacked into. Doesn't mean it will happen... and if they start doing it (whoever they are) then I am sure DJI will increase their security protocol on the device.
     
  4. 43k

    No, not paranoid, and wtf are you rambling about?

    Was thinking more in the direction of others having their P3 fly away, one poster in another thread claims it flew away even before the remote controller was powered up.
    Others claiming fly away mid flight.
     
  5. Joao Carlos

    I'd imagine it is (possible), some idiot with nothing better to do is trying right now and soon it will be on the news. An isolated case? Surely nothing widespread with drones flying around like the apocalypse is coming. If it happens squawk 7500 and you should be fine.
     
  6. BenDronePilot

    Myself and others think some of those claims may be full of it. BS, nonsense, etc. If not that, then random malfunction from use of 3rd party apps.
     
  7. 43k

    I'll just leave this here ...
    http://arstechnica.com/security/201...ken-down-or-hijacked-researchers-demonstrate/

     
    #7 43k, Aug 15, 2015
    Last edited: Aug 15, 2015
  8. Man.Of.Kent

    All wise advice seems to say that the controller should always be powered up before the quad. This is probably why.
     
  9. ianwood

    ianwood Taco Wrangler
    Staff Member

    Parrot drones are Wi-Fi based and have left gaping holes in their IP implementation. Phantom 2 Vision also had (has?) some vulnerabilities. P3 would be a whole lot harder.

    Lightbridge is proprietary. To take control, you'd need to be able to replicate the protocol including TDM muxing, know the binding code (assuming it is some sort of pre-shared key) and the hash that is hopefully XORed with the PSK.

    Receiving and decoding your downlink video and the telemetry encoded in the audio channel is probably a whole lot easier.
     
    SilverStone641 and Kmullins87 like this.
  10. Youngbill

    With the right equipment and being in range when you first turn on your P3, it is possible to hijack. But rest assured, it takes specialized equipment that most people would not have or know how to use.
     
  11. ianwood

    What equipment would that be? I know of no specialized equipment that talks Lightbridge other than Lightbridge.
     
  12. Oso

    Does it count as "hijacking" if it's the government taking control of your drone and flying it away from crowds/airports? Of course, you should not be flying there anyway so I guess you would then be bringing this "hijacking" upon yourself. Still count?

    http://www.reuters.com/article/2015/08/20/us-usa-drones-security-idUSKCN0QP0BB20150820

    "At crowded venues such as Times Square or the Super Bowl, police want to be able to take control of a drone, steer it safely away from the public and guide it back to the operators, who can then be identified, the sources said."
     
  13. Youngbill

    A P32 Space Modulator of course.....all kidding aside, there is equipment that can "talk lightbridge" but we don't call it lightbridge since that's DJI's term. I wouldn't expect you to know about it yet. We have a team of people, much smarter than I, who get to play with some very sophisticated software and proprietary chipsets. They seem to enjoy it!
     
  14. ianwood

    No disrespect intended, but translated through the Internet BS detector, that reads as:
    Lightbridge is proprietary. It's a home grown TDM OFDM/FHSS mash up. There are other MIMO OFDM wireless HD systems including DVB based ones but they are not Lightbridge and most are proprietary in the upper layers. Decoding a Lightbridge OFDM downlink is not the same as being able to demux the two-way communication or even transmit within the same session not to mention syncing TDM frames.
     
    SilverStone641 likes this.
  15. Take Flight

    Reading this thread my first thought was, "I hope this thread does not teach someone how to hijack a P3." I think it's good to be aware it could happen, but I don't think discussing specifics on how it could be accomplished is in any of our best interest. Just my two cents...
     
  16. Youngbill

    Thank you for your "moderator" wisdom, Ian. Judging by your resume you know a bit about wireless protocols. You're entitled to your opinion of course, but you would have to agree that not everyone knows everything. I'm not here to have a pissing match with you. I was simply answering the OP question.
     
  17. Grayson

    I have no issues hijacking P3, Inspire or the A2 Lightbridge setup. I will be submitting a talk at this next year's Black Hat & DefCon conferences on my research. I have used some basic SDRs to frequency hop and understand the key exchange. It is a very simple Man-in-the-Middle attack and works a lot like a WPA brute force/de-auth. I am working on scripting a "land Command" at the moment based on RTH.
     

    ianwood, 43k and ebf like this.
  18. 43k

    Good to know there are people that scrutinize even non-standard/home brew protocols like this.
    Looking forward to seeing DJI fix their protocols if you manage to hack it.
     
  19. ianwood

    Looking forward to seeing it. Please post it here when you can. BTW, an even better hijack would be to set a new RTH location (your location) and then invoke RTH.

    I didn't expect DJI's key exchange to be anything beyond basic. Their security has been through obscurity. I guess DJI has reached a tipping point where it will now be subject to more robust scrutiny and exploitation.
     
  20. 43k
