Wireless Attacks against Micro Aerial Drones

Motivation

The Defense Advanced Research Projects Agency (DARPA) originally introduced the concept of Micro Aerial Vehicle (MAV) for defense applications, with requirements including a maximum wingspan length of 15 cm and a weight of up to 100 g. These micro-sized devices can be carried easily, and they are best suited for specific applications (e.g., indoor navigation, warehouse operations, drone swarming). Recently, many companies, government laboratories, and researchers from academia have been active in designing and developing MAVs. However, the threats posed by the nature of wireless communications at the physical layer trigger a series of interference attacks, which are the most common types of attacks targeting MAVs. Indeed, the limited resources of such devices make it very challenging to integrate software or hardware-based security solutions.

Currently, Micro Aerial Vehicles are deployed in many civilian and military applications such as swarming, indoor navigation, and Search & Rescue missions. However, they can also be used to smuggle drugs, carry weapons, and spy in restricted facilities. In this context, we are motivated to explore the feasibility of two interference attacks against the Crazyflie quadcopter, which is one of the most popular Micro Aerial Drones. Specifically, we investigate whether the jamming and hijacking attacks hold for the Crazyflie drones in autonomous and non-autonomous flight modes.

Crazyflie UAV Development Platform

In this project, we considered a Crazyflie 2.1 drone flashed with the latest firmware version (v2022.09) as a case study to evaluate jamming and hijacking attacks. The Crazyflie ecosystem is one of the most popular Micro Aerial Drones and serves as our development platform for this work

The Crazyflie UAV development platform consists of:

• The Crazyflie drone: a nano‑quadcopter with an ultra-low-power nRF51822 2.4 GHz wireless System on Chip (SoC) transceiver
• The Ground Control Station (GCS): a ground‑based computer responsible for monitoring and remotely controlling the Crazyflie drone through the Crazyradio module
• The Crazyradio Module: a long‑range USB radio dongle with a Line‑of‑Sight (LoS) range of over 1 km

The Crazyflie ecosystem offers a rich client interface for the Ground Control Station (GCS), exposing unique features that make it ideal for research and rapid prototyping, notably:

• Real‑time logging: Continuously records telemetry, such as position, attitude, battery voltage, and sensor readings into timestamped logs. This enables detailed post‑flight analysis, anomaly detection, and tuning of control algorithms.
• Flight parameters: Exposes configurable settings (e.g., PID gains, radio channel, data rate) via the GCS GUI or an API, allowing on‑the‑fly adjustment of the drone’s dynamic response, communication link, and safety limits without reflashing firmware.
• Command‑based flight control: It provides a high‑level Python API for issuing real‑time movement commands such as roll, pitch, yaw, and thrust. These commands are coming directly from the GCS. Both autonomous and manual inputs are translated into CRTP packets that the Crazyfile drone executes instantly.

Threat Model

We consider an attacker within the radio range of the drones (i.e., 1 km line-of-sight to the Crazyflie drone) without physical access.

Attacker’s Capabilities:

• Remote transmission of malicious traffic to the Crazyflie drone and the Crazyradio module.
• Purchase similar or identical devices to develop and test the attacks offline.

Attacker’s Goal: 

• Compromise the Air‑to‑Ground communication link during the flight mission through a jamming or a hijacking attack.

Attack Implementation

Both attacks leverage a two‑phase workflow: a first reconnaissance of the drone’s URI and channel, then active interference. This highlights how an adversary can escalate from denial to full control of the drone.

Jamming Attack

The jamming attack consists of disrupting the flight mission by flooding the network bandwidth or by jamming the wireless communication between the end-to-end devices (e.g., GCS, UAVs).

Methodology:

• Broadcasting high-power interference signals to jam the wireless communication. (constant jamming using Gaussian noise).
• Using HackRF One (i.e., Software Defined Radio) and GNU Radio for signal transmission.

Hijacking Attack

The hijacking attack consists of taking over full control of the drones during the mid-flight, typically by spoofing their GPS locations or by exploiting the vulnerabilities of their communication protocols.

Methodology:

• First, we run the Crazyflie drone and establish the Air‑2‑Ground communication link. We can observe the normal behavior of the flight mission from the GCS side in both autonomous and non‑autonomous flight modes.
• Afterward, we perform a single‑tone attack through the Crazyradio‑sniffer module. In particular, we transmit a continuous single‑tone signal on the frequency of the targeted radio channel, where the signal strength of the Crazyradio‑sniffer module is higher than the legitimate Crazyradio module. As a result, interference occurs, and the GCS can no longer send or receive packets from the drone.
• Finally, by taking advantage of this behavior, we hijack the Crazyflie drone by establishing our malicious Air‑2‑Ground communication link through a second Crazyradio module.

Autonomous Mode: Both jamming and hijacking attacks cause an immediate shutdown of the drone, resulting in a crash down within seconds of the attack. The drone cannot recover without manual human intervention.

Non‑Autonomous Mode: The drone freezes in mid‑air, holding its last received command. The Ground Control Station cannot re‑establish the connection with the drone, leaving it vulnerable to additional attacks.

Cost‑Effectiveness: All attacks that we conducted were based on off‑the‑shelf hardware (e.g., HackRF One, Crazyradio PA modules) costing under $500 total, demonstrating that adversaries require minimal investment efforts.

Video: Live demonstration of jamming and hijacking attacks against Micro Aerial drone.

To effectively address the implemented attacks against the Crazyflie ecosystem, we present below potential mitigation strategies enabling a secure Crazyflie-based flight mission:

• Anti‑Jamming Strategies: Implementing intrusion detection (IDS) onboard or at the GCS, and adopting channel/frequency hopping, DSSS, or MIMO techniques.
• Hijacking Detection: Employing statistical analysis of flight patterns, GPS/IMU cross‑checks, and link‑integrity monitoring to detect unauthorized control frames.
• Safe‑Mode Failsafes: Enabling emergency landing, return‑home, and GPS‑location broadcasting features to recover from link compromise.

• We showed the feasibility of jamming and hijacking attacks against the Crazyflie 2.1 in both autonomous and non-autonomous modes.
• We demonstrated real‑world consequences of our attacks: crashes, freezes, and full adversarial control.
• We identified that low‑cost SDR hardware are enough to perform such attacks.
• We suggested practical shielding techniques to mitigate the security risks posed by these attacks.

We empirically studied and analyzed the physical layer security of Micro Aerial Drones. In particular, we demonstrated the feasibility of performing the jamming, and the hijacking attack in both autonomous and non-autonomous flight modes for Crazyflie drones. Our experimental results show that the root cause of such attacks comes from the inherent design of the Crazyflie drones’ physical layer. To address such issues, we suggested a set of potential defense mechanisms for each attack vector, which could be implemented within the CRTP communication protocol.