Researchers Tried To Hack Drones, Found It Very Easy

And companies should make them more secure before they are more commonplace

Hacked drone makes a crash landing — Illustration: Vocativ
Jun 12, 2016 at 8:00 AM ET

Soon, you might have to worry about a hungry hacker stealing your drone-delivered pizza and delivering it to himself. New research shows that some unmanned aerial vehicles are almost as easy to hack as they are to fly.

Hobbyists and corporations alike are excited about drones, and their popularity has exploded—the Federal Aviation Administration estimates that 2.5 million of them will be sold in 2016 and last week Walmart announced it might soon use flying drones in its distribution centers. But researchers at Johns Hopkins feared that, like with many new connected gadgets and appliances, a rushed production schedule didn’t include the implementation of proper technological safeguards.

To see how vulnerable drones can be, two cyber security experts, along with five masters students, attempted to hack and crash a quadcopter. The researchers tried three different attacks on a Parrot Bebop, a popular video-recording drone that retails for $350. In the first test, they bombarded the system with requests to take over its command, eventually causing the system to shut down and the drone to fall to the ground. In the second, the students sent a large packet of data to the drone, which overwhelmed its system and again caused a crash. In the final technique, the researchers programmed their computer to impersonate the drone itself. The controller severed its connection with the real drone, which then made an emergency landing.

The John Hopkins team shared the results in a press release and plan on presenting their work at an upcoming conference. These vulnerabilities are important for companies because many, such as Amazon and Domino’s Pizza, are hoping to start delivering goods to consumers via drone. Hackers might be interested in attacking those drones in order to intercept the packages, or simply to steal consumers’ information.

But hobbyists, too, should be wary. “The fear for the average user is that pictures and videos taken by drones could be stolen, the drone itself could be hacked and stolen, or the drone could be hacked and hijacked and used as a weapon to injure a crowd, either from it falling from a high elevation or from the rotors causing bodily harm,” Lanier Watkins, a research scientist specializing in information security at Johns Hopkins and one of the scientists behind the project, told Vocativ in an email. 

For flaws this big, security updates to existing software probably won’t help, according to Watkins. Ideally, drone software would be more immune to hacks when it leaves the factory. Average users are more at the mercy of drone manufacturers to make sure that their systems can’t be hacked. But companies considering using drones can start the trend towards requiring stronger security for all kinds of drones. Watkins has a few recommendations for these companies to minimize the risk of drone hacks. First, companies should require their drone vendors to conduct security testing before selling the drone to them, he says.

Companies that are particularly wary can employ “white hat” hackers—those who can hack systems in order to reveal security flaws, not to steal information—to be more certain that their drones are as hack-proof as possible.

The John Hopkins researchers recently began testing higher-priced drones for vulnerabilities. They hope that their work will be a wake-up call to drone manufacturers, companies that use drones, and hobbyists.

So far, they don’t seem to be having much success. Earlier in the year, the team alerted Parrot of their findings, in accordance with university policy. The company has yet to respond.