High-flying hack: Researcher shows how to seize control of a drone

German grad student Nils Rodday figured out how to intercept flight instructions and start flying a drone himself. He says the hardware he exploited is present in drones from various manufacturers.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

Drones aren't just a hobby -- they're becoming an important part of fire fighting, search and rescue and policing. Nils Rodday worked with a drone manufacturer to find security holes in its unmanned flying vehicles.

© nasrul_effendy/RooM the Agency/Corbis

Drones -- those fearsome unmanned flying vehicles that ignite debates about privacy and the ethics of warfare -- now have something to fear themselves. That would be Nils Rodday, a German cybersecurity student who proved he can hack a drone.

Rodday found flaws in one drone model that let him send commands to it from more than a mile away, showing how a hacker could become a pilot from the ground. But Rodday isn't a hacker himself. He doesn't even like the idea of being called a hacker.

"I have no intention of harming anyone," he said.

Instead, he was working with the drone manufacturer, whom he declined to name because of a legal agreement with the company, to help make the device more secure.

Unless they're on a preprogrammed flight, drones have to receive commands from the ground. Those commands come from a chip that broadcasts messages up in the air for over a mile through something called an XBee channel. Rodday found he could intercept the broadcasts and learn the language that controls the drone. He could then send messages to the drone over the same channel himself, taking over the virtual pilot's role.

One way to protect from a takeover is through more secure communications, using encrypted radio signals. That option was available, but the drone manufacturer did not have it turned on, Rodday said.

As if we didn't have enough to worry about with drones, from fears of them crashing into us from the sky, to the chance they could be spying on us like a 21st century peeping tom. Now, there's the chance that the drones we should be able to trust -- the ones cops would use for law enforcement -- could end up being hijacked at the worst possible times. Thank goodness they're not armed. Yet.

Rodday did the research as part of a graduate program in the Netherlands, and he presented his findings at the RSA cybersecurity conference in San Francisco on Wednesday. But he'd already made an impression with his work; he's now four months into a job with IBM.

The manufacturer Rodday worked with handed him a drone and a manual and let him see what he could find. Even though he had access to all the goods, the vulnerability he found could be exploited remotely by anyone with the knowledge of how to do it. The company said it would fix the problem, according to Rodday.

Other drone manufacturers use the same chip to communicate commands to their high-flying products, Rodday found. He doesn't know if they have the exact same problem he pointed out in his research, but it's possible.

Many times when researchers find flaws in products, they say manufacturers see it as an attack. But Rodday said he was happy to work with a company that wanted him to break their toys to make them safer.

"I think they took the right point of view," Rodday said.

Correction, 4:40 p.m. PT: The original version of this story misreported the status of a fix for the problem with the drone. According to Rodday, the company behind the device said it would fix the issue. Also, the graduate program where Rodday did his research was located not where the story originally indicated, but in the Netherlands. The story has been changed to reflect these facts.

Update, March 4, 1:38 p.m. PT: This story has been updated to clarify that the drone manufacturer could have used encrypted radio signals using the XBee channel, but had that feature turned off, according to Rodday's research.