Drone-Pwn: taking security to the skies.
A hands-on look at hacking flying routers, how a stock consumer drone becomes a research target, and what happened when we built our own tooling to talk to one in real time. Presented to educators and the wider security community at VACyberEduCon.
Most people see a drone as a toy or a camera. We looked at it and saw a flying, Wi-Fi-connected computer, a router with propellers, and asked the obvious question: what can you do once you're talking to it directly?
The talk opened where the research did: we knew basically nothing, and that was fine. What we did know was enough to start, that you can run code on many drones through their SDK, that most of them talk over Wi-Fi or RF, and that public exploits already exist. Everything else, we worked out by poking at the thing.
#Learning the aircraft
The test units were Ryze Tello drones, loaned by Radford University. A good starting point was DroneBlocks, a Scratch-style app where you drag blocks to script a drone mission, then flip a toggle to see the actual Python running underneath. That peek at the source made it clear how the drone receives its instructions.
From there we moved to the Tello SDK 2.0, which defines every command the drone understands, pitch, yaw, speed, how far it moves, plus the queries that read back its state: battery, height, current speed, and so on. Useful, but with a catch.
The SDK only let you send a pre-compiled script to the drone. Iterating meant writing a whole program, shipping it, watching it fail, and starting over, no way to fire one command, see the response, and adjust. For research, that's death by a thousand round-trips.
#Building "Drone Commander"
So we built our own. Drone Commander put the Tello into a receptive state and held it there, waiting for commands one at a time, sending each instruction live and printing the drone's response straight back to us. Suddenly we could isolate the behaviour of a single command, prove a concept on the spot, and actually learn the aircraft instead of guessing at it in batches.
The build order was honest about how research really goes: we stood up a proof of concept with nothing but the SDK, Python 3, and stubbornness, hardened it into a real tool with the crew, then made the whole thing Hollywood-hacker style, real-time control, live responses, the works.
The parts that fought back
- Figuring out how the drones actually worked, from zero
- The
commandcommand and its ~15-second stall-out - Bugs baked into the compiled-script PoCs floating around online
- Converting data to raw bytes instead of string literals
- Standing up a UDP server to listen and manage socket connections
- ...and, inevitably, a few of the Git pushes along the way
#Where it's headed
Drone Commander was the foundation, not the finish line. The open questions are the interesting ones: can we escape the access the SDK gives us (yes, with known CVEs), move laterally from the drone to the controlling phone, reliably take a drone over remotely, and then patch what we find. The plan is unglamorous and effective, read past CVEs and recreate their methodology, review the RF literature, and build a repeatable process for attacking an aircraft, up to cracking a Wi-Fi-protected drone with the usual airmon / aircrack toolkit.
Further out sits the fun stuff: 3D-printing replacement props for the drones we've broken in testing, GPS spoofing, and a wardriving drone that echoes commands from one aircraft to another, a tiny drone network with obvious implications.
// SSHad0w / drone-pwn Flying router hacking, source, notes, scans, and the Tello tooling. View repo → ▶ Demo video Drone Commander driving a Tello in real time. Watch →The point was never the drone. It was showing a room full of educators that curiosity plus a little tooling beats waiting for permission to understand how something works.
