SkyJack Hijacks Parrot AR.Drones and Turns Them Into Zombie Drones

By Wesley Fenlon

Hacker Samy Kamkar uses a drone to take over other drones mid-flight.

Drones are cool. Drones are a little scary. Drones are...zombies? Ars Technica writes that hacker Samy Kamkar has written a piece of software called SkyJack that turns Parrot AR.Drone quadcopters into flying hackers. Kamkar paired his software with some off-the-shelf hardware--a Raspberry Pi and some wireless transmitters--and attached it to a Parrot AR.Drone. When this Trojan Horse of a quadcopter comes within range of other hapless Parrot AR.Drones, it hacks them, wresting them from their owners' control and turning them into mindless followers.

A drone outfitted with SkyJack can "seek out wireless signals of nearby Parrot drones, hijack the wireless connections used to control them, and commandeer the victims' flight-control and camera systems," Ars writes. "SkyJack will also run on land-based Linux devices and hack drones within radio range."

Photo via flickr user Ry-2k.

Kamkar's blog goes into more detail about SkyJack, explaining some of the software that makes it tick. "I use aircrack-ng to put our wireless device into monitor mode to find our drones and drone owners," he writes. "I then use aireplay-ng to deauthenticate the true owner of the drone I'm targeting. Once deauthenticated, I can connect as the drone is waiting for its owner to reconnect. I use node-ar-drone to control the newly enslaved drone via Javascript and node.js."

That's all software you can download yourself. It's free. And so is SkyJack, which Kamkar uploaded to GitHub. He describes the software as "primarily a perl application which runs off of a Linux machine, runs aircrack-ng in order to get its wifi card into monitor mode, detects all wireless networks and clients around, deactivates any clients connected to Parrot AR.drones, connects to the now free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to control zombie drones. I detect drones by seeking out any wireless connections from MAC addresses owned by the Parrot company, which you can find defined in the Registration Authority OUI."

As Kamkar explains on Ars, Parrot AR.Drones support no encryption, and all Parrot drones are required to have their MAC addresses registered in the public OUI database. The Wi-Fi chipset he's using can detect those addresses, which lets SkyJack identify any Parrot drone and take it over. That means, for now, the hack is limited to Parrot's drones that belong to that specific range of MAC addresses. But any other drones with publicly available addresses would, theoretically, be susceptible to the hack, too.
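The sequence described above (the owner is deauthenticated, then a different station joins the unencrypted drone network) leaves a recognizable trace for anyone monitoring their own drone's Wi-Fi. The following detector is an added example, not code from the article or from SkyJack. It assumes frames have already been parsed into the hypothetical `Frame` record shown, and it uses a constructed placeholder prefix in place of real vendor OUIs.

```python
from dataclasses import dataclass

# Constructed placeholder prefix (locally administered), NOT a real vendor OUI.
# Assumption: you load the vendor's prefixes from the IEEE OUI registry.
DRONE_OUIS = {"02:00:00"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:            # hypothetical record parsed from a monitor-mode capture
    ts: float           # seconds since capture start
    kind: str           # "deauth", "assoc" or "data"
    bssid: str          # the drone's access-point MAC
    client: str         # station MAC (for deauth: the station being kicked)

def is_drone(mac, ouis=DRONE_OUIS):
    return mac.lower()[:8] in ouis

def detect_takeovers(frames, window=10.0, min_deauth=3):
    """Flag a deauth burst against a known client followed by a new station."""
    alerts, known, deauths = [], {}, {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if not is_drone(f.bssid):
            continue                      # only watch drone networks
        seen = known.setdefault(f.bssid, set())
        if f.kind == "deauth":
            deauths.setdefault(f.bssid, []).append((f.ts, f.client))
            continue
        if f.kind == "assoc":
            recent = [c for t, c in deauths.get(f.bssid, []) if f.ts - t <= window]
            targets = set(recent)
            # A broadcast deauth displaces every client seen so far.
            victims = (seen if BROADCAST in targets else targets & seen) - {f.client}
            if len(recent) >= min_deauth and victims and f.client not in seen:
                alerts.append((f.bssid, sorted(victims), f.client, f.ts))
        seen.add(f.client)
    return alerts

DRONE, OWNER, STRANGER = "02:00:00:aa:bb:cc", "0a:11:11:11:11:11", "0a:22:22:22:22:22"
SAMPLE = [  # constructed frames, not a real capture
    Frame(0.0, "assoc", DRONE, OWNER),
    Frame(5.0, "data", DRONE, OWNER),
    Frame(60.0, "deauth", DRONE, OWNER),
    Frame(60.1, "deauth", DRONE, OWNER),
    Frame(60.2, "deauth", DRONE, OWNER),
    Frame(61.0, "assoc", DRONE, STRANGER),
    Frame(90.0, "deauth", "0a:33:33:33:33:33", OWNER),  # non-drone AP, ignored
]

if __name__ == "__main__":
    for alert in detect_takeovers(SAMPLE):
        print("possible takeover:", alert)
```

An owner who simply reconnects after being deauthenticated is already in the known-client set, so that case raises no alert.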

If you're the type to worry about an impending drone takeover and/or zombie apocalypse, the future just got a whole lot scarier.

Check out the video below for Kamkar's excited walkthrough of SkyJack.