back to article P0wning for the fjords: Malware turns drones into DEAD PARROT

Hacker Rahul Sasi has found and exploited a backdoor in Parrot AR Drones that allows the flying machines to be remotely hijacked. The Citrix engineer developed what he said was the first malware dubbed Maldrone which exploited a new backdoor in the drones. Sasi (@fb1h2s) said the backdoor could be exploited for Parrot drones …

  1. Ole Juul

    New sport

    Collect the whole set.

    1. VinceH

      Re: New sport

      Pokedrone - literally.

  2. Robert Helpmann??

    ,More, Commas, Please,,,

    The Citrix engineer developed what he said was the first malware dubbed Maldrone which exploited a new backdoor in the drones.

    There's other software out there also named Maldrone and but not exploiting a backdoor to drone control systems? It's a pretty cool exploit, though. Let's hope Amazon does a better job with security than the Parrot people when they go forward using them for deliveries. Perhaps this might mean a job opportunity for Sasi.

  3. Neil Barnes Silver badge

    He may have a customer already...

    1600 Pennsylvania Avenue?

    1. Crazy Operations Guy

      Re: He may have a customer already...

      I think they already have something to do that. The drone that crashed on the White House lawn did so because it lost control from the operator. SO its likely some kind of signal jammer in use at the White House was the cause for the crash.

  4. M7S


    You operate a drone, lets assume with any necessary licencing in place, and someone hijacks it, causing a crash with 3rd party injury or property damage as a consequence.

    Appreciating that there might not be much of the device left, it will be interesting to see how courts will determine wether or not the original operator (and/or their insurance, if any) is liable for any civil claims or possibly even criminal charges.

    1. macjules Silver badge
      Black Helicopters

      Re: Hmm

      Or worse. Your drone gets hijacked, the camera gets replaced with 1kg of explosive and flown into the nearest available helicopter just as wireless control is restored to you. Who gets the visit from homeland security?

  5. Anonymous Coward
    Anonymous Coward

    Can't get it up.

    I see flitetest mention the DJI Inspire refusing to arm if the firmware needed updating, could be interesting if your $3000 device refuses to play because it heard there was a newer firmware version from a man in the middle site.

    Won't be long before all UAV's are forced to have a backdoor for "Air safety".

    The fact gatherings and protests will only then be filmed from the authorities point of view is entirely coincidental.

    1. Jonathan Richards 1 Silver badge

      Re: Can't get it up.

      > The fact gatherings and protests will then only be filmed from the authorities' point of view is entirely coincidental. [punctuation added; I can't help it...]

      Really? How did anyone, authority or otherwise, ever get any footage of gatherings and protests in the past?

  6. Anonymous Coward

    Drones have been hacked and Jacked(tm) before.

  7. yakitoo

    Should help reduce the cost of the next Xmas present list.

  8. Anonymous Coward
    Anonymous Coward

    They're Out to Get You

    Fjords or Fnords?

  9. John Brown (no body) Silver badge

    which allows control via AT commands.

    So, set your phone to 9600 8n1, send ATZ and put your umbrella up

  10. imanidiot Silver badge

    Toys with wireless communications have bad crypto...

    Who knew?

  11. Crazy Operations Guy

    Mutual Authentication?

    Te best solution to prevent this sort of thing might be to have the drone and the controller authenticate themselves at the beginning of the flight and then to ignore commands from anything else until its safely on the ground and powered off.

    Or better yet not actually ave firmware on the drone and instead have it on the controller, you'd then plug in a cable to the drone form the controller, it'd copy the code into the drone's RAM and then proceed with startup. Part of this code would be a long symmetrical encryption key from the controller.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021