Technical Implementation
Hardware Components
The SkyJack project modifies a commercial drone platform to enable autonomous WiFi-based hacking of nearby Parrot AR.Drones, incorporating lightweight computing and wireless peripherals for onboard operation.[14] The core hardware setup leverages the drone's existing flight and networking capabilities while adding components for detection, deauthentication, and control, ensuring the total added weight remains minimal to preserve stability and flight time.[10]
At the foundation is the Parrot AR.Drone 2.0, which provides the aerial mobility, built-in WiFi access point, and compatibility with standard control apps, serving as the base vehicle for SkyJack to navigate and position itself within range of target drones.[14] This model, also backward-compatible with the AR.Drone 1.0, inherently broadcasts a WiFi network for user connection, which SkyJack exploits without requiring modifications to the drone's core avionics.[10]
The primary computing addition is a Raspberry Pi single-board computer (approximately 45g for the board), which runs the Linux-based SkyJack software stack, including tools for WiFi scanning and drone command issuance.[14] Connected via USB, it interfaces with peripherals and draws power efficiently, with its compact size allowing internal mounting within the drone's chassis without exceeding payload limits of around 100g.[10]
For wireless operations, an Alfa AWUS036H USB WiFi adapter is integrated, supporting monitor mode and packet injection essential for detecting Parrot drones via their manufacturer-specific MAC addresses and performing deauthentication attacks on owners' connections.[14] Complementing this, an Edimax EW-7811Un USB adapter launches SkyJack's own access point, enabling remote monitoring and control from devices like laptops or tablets.[10] Both adapters plug directly into the Raspberry Pi, enhancing range for the Alfa model in particular, which can operate at distances up to several hundred meters in open environments.[14]
Power for these additions comes from a lightweight USB battery pack, rated at approximately 1000mAh capacity to provide up to 1000mA output matching the ~500-1000mA draw of the Raspberry Pi and adapters combined, keeping the total added weight under 100g for sustained flight.[10] Alternatives like three AAA batteries were considered for even lighter setups, though with potential limitations on current delivery.[14] All components are secured internally to the drone frame using adhesive or custom mounts, maintaining aerodynamic balance and operational discretion during flight.[10]
The hardware configuration emphasizes affordability, with the added components—Raspberry Pi, WiFi adapters, and battery—collectively costing under $100 based on 2013 pricing, making the enhanced drone accessible for replication beyond the base AR.Drone's retail price.[14]
Software Components
The SkyJack project utilizes a software stack built primarily on open-source tools and custom scripts to enable autonomous drone detection and control, running on a Linux-based runtime environment such as a Raspberry Pi. Developed in 2013 by Samy Kamkar as a proof-of-concept, it demonstrates vulnerabilities in Parrot AR.Drones.[10] The core framework employs Node.js as the runtime for scripting drone interactions, facilitating JavaScript-based commands once a target is hijacked.[14] This environment supports lightweight execution on embedded hardware, allowing the system to operate either grounded or mounted on a seeker drone.[10]
For interfacing with Parrot AR.Drones, SkyJack integrates the node-ar-drone library, an open-source Node.js module that provides APIs for sending control commands such as takeoff, landing, and navigation to compatible drones over WiFi.[15] This library handles the low-level communication protocol, enabling seamless takeover after authentication.[14]
The attack infrastructure relies on the Aircrack-ng suite, a collection of tools for wireless network auditing, specifically leveraging aireplay-ng for deauthentication packet injection to disconnect legitimate owners from target drones.[10] This exploits the drones' WiFi reconnection behavior without requiring encryption keys.[14]
Custom SkyJack software, implemented in Perl and JavaScript, orchestrates the overall process through scripts that perform OUI-based scanning of MAC addresses to identify Parrot drones using the IEEE OUI registry.[10] These scripts include automated hijacking logic to monitor for deauthenticated targets, authenticate as the owner, and assume control, while supporting multi-drone fleet management by issuing synchronized commands to multiple "zombie" drones.[14] The full codebase, comprising approximately 59% JavaScript and 41% Perl, is publicly available on GitHub for replication and study.[14]
Hijacking Mechanism
SkyJack's hijacking mechanism operates as an autonomous sequence of wireless attacks targeting Parrot AR.Drone 2.0 (and compatible version 1.0) models, exploiting their reliance on unsecured WiFi networks for control. The process begins with passive scanning to identify vulnerable targets, followed by active disruption of existing connections, and culminates in unauthorized takeover, all executed without human intervention once initiated. This workflow leverages open-source tools and the inherent weaknesses in the IEEE 802.11 protocol, allowing a single attacking device—such as a modified Parrot drone or a grounded Linux system—to compromise multiple targets sequentially.[10]
In the detection phase, SkyJack configures a compatible wireless adapter (e.g., Alfa AWUS036H) into monitor mode using the aircrack-ng suite to passively scan for nearby WiFi beacons and client associations. It specifically filters for MAC addresses prefixed with one of Parrot's Organizationally Unique Identifiers (OUIs), such as 90:3A:E6 (per the IEEE registry), which uniquely identifies AR.Drone access points without requiring GPS coordinates, prior mapping, or active probing that could alert operators.[10][16] This method reliably detects drones within WiFi range (typically up to 50-100 meters, depending on environmental factors) by analyzing broadcast packets, enabling the system to locate both isolated drones and those actively controlled by legitimate pilots.[10]
Upon identifying a target drone and its connected controller, SkyJack initiates a deauthentication attack using aireplay-ng from aircrack-ng to forge and inject IEEE 802.11 deauthentication frames. These packets impersonate the drone's access point, tricking the pilot's device into believing the connection has been terminated, thereby severing the WiFi link and rendering the drone unresponsive to the original operator. The attack exploits the protocol's lack of authentication for management frames, allowing rapid disconnection—often within seconds—without needing the attacker's MAC address to be hidden or encrypted payloads. The drone, programmed to await reconnection, enters a vulnerable state, scanning for its owner's return.[10]
The takeover phase exploits this window by immediately associating with the drone's now-uncontested WiFi network, authenticating as the primary controller through simple WiFi association without additional credentials, as the AR.Drone does not implement further verification beyond initial linkage. Once connected, SkyJack employs the node-ar-drone Node.js library to interface with the drone's telnet and UDP-based command protocols, issuing flight commands, retrieving live camera feeds via RTP streams, and assuming full operational control. This seamless handoff transforms the target into a "zombie" drone under SkyJack's command, capable of relaying video and executing maneuvers as directed. The process repeats iteratively: the system scans for additional targets while maintaining control over hijacked units, potentially assembling a fleet of compromised drones for coordinated operations.[10]