skyjack
Reimplementation of the original SkyJack attack by Samy Kamkar.
Demonstrates Wi-Fi control takeover of legacy Parrot AR.Drone platforms.
In 2013, security researcher Samy Kamkar released SkyJack, a proof-of-concept attack demonstrating how Parrot AR.Drone devices could be taken over wirelessly.
The drones exposed an open Wi-Fi access point with no authentication and accepted plaintext control commands over UDP/TCP.
SkyJack showed that:
- Drones could be forcibly disconnected from their controller
- An attacker could reconnect faster than the legitimate pilot
- Flight control commands could be injected remotely
This module is a modern ESP32-based educational reimplementation of that concept.
- Parrot AR.Drone 1.0
- Parrot AR.Drone 2.0
These models expose:
- Open Wi-Fi network (no encryption)
- Static IP gateway (192.168.1.1)
- AT command interface on port 5556
[1] Channel-by-channel Wi-Fi scan
│
▼
[2] Detect Parrot AR.Drone SSID/BSSID
│
▼
[3] Send targeted 802.11 deauthentication frames
│
▼
[4] Force disconnect of legitimate controller
│
▼
[5] Connect to drone open Wi-Fi
│
▼
[6] Send AT commands (EMERGENCY / LAND)
│
▼
[7] Release control and exit
- Wi-Fi scanning: brute-force scan across channels 1–13
- Vendor detection: BSSID prefix matching (Parrot OUIs)
- Deauthentication: raw 802.11 management frames
- Fast reconnection: ESP32 STA connects before pilot
- AT commands: plaintext flight control protocol
The goal is not long-term hijacking but demonstrating loss of control on insecure wireless systems.
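Seen from the defending side, the deauthentication step is the one a monitor-mode sensor can observe. The following is an added example, not code from this project: it parses raw 802.11 frames and reports the largest burst of deauthentication frames naming one BSSID within a time window. The frame bytes, MAC addresses, the 1000 ms window and the alert threshold of 3 are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One captured frame: capture time plus raw 802.11 bytes (radiotap header stripped). */
struct frame { uint32_t t_ms; const uint8_t *data; size_t len; };

/* Returns 1 and fills bssid/reason if the buffer is a deauthentication frame. */
int parse_deauth(const uint8_t *f, size_t len, uint8_t bssid[6], uint16_t *reason) {
    if (len < 26) return 0;                   /* 24-byte header + 2-byte reason code */
    if ((f[0] & 0x03) != 0) return 0;         /* protocol version 0 */
    if (((f[0] >> 2) & 0x03) != 0) return 0;  /* type 0 = management */
    if ((f[0] >> 4) != 12) return 0;          /* subtype 12 = deauthentication */
    memcpy(bssid, f + 16, 6);                 /* address 3 carries the BSSID */
    *reason = (uint16_t)(f[24] | (f[25] << 8));
    return 1;
}

/* Largest number of deauth frames naming `bssid` inside any window_ms span.
   Frames must be in time order; truncated or unrelated frames are ignored. */
int max_deauth_in_window(const struct frame *fr, size_t n,
                         const uint8_t bssid[6], uint32_t window_ms) {
    size_t start = 0; int count = 0, best = 0;
    uint8_t b[6]; uint16_t r;
    for (size_t i = 0; i < n; i++) {
        if (!parse_deauth(fr[i].data, fr[i].len, b, &r) || memcmp(b, bssid, 6)) continue;
        count++;
        while (fr[i].t_ms - fr[start].t_ms > window_ms) {  /* slide the window start forward */
            if (parse_deauth(fr[start].data, fr[start].len, b, &r) && !memcmp(b, bssid, 6)) count--;
            start++;
        }
        if (count > best) best = count;
    }
    return best;
}

/* Constructed sample capture: locally administered MACs, not real devices. */
#define DEAUTH(x) {0xC0,0, 0,0, 2,0,0,0,0,2, 2,0,0,0,0,(x), 2,0,0,0,0,(x), 0,0, 7,0}
static const uint8_t AP[6] = {2,0,0,0,0,1}, OTHER[6] = {2,0,0,0,0,9};
static const uint8_t D_AP[26] = DEAUTH(1), D_OTHER[26] = DEAUTH(9), BEACON[26] = {0x80};
static const struct frame CAPTURE[] = {
    {0, BEACON, 26}, {100, D_AP, 26}, {120, D_AP, 26}, {130, D_OTHER, 26},
    {140, D_AP, 26}, {160, D_AP, 26}, {5000, D_AP, 26}, {5010, D_AP, 10},
};
#define N_CAPTURE (sizeof CAPTURE / sizeof CAPTURE[0])

int main(void) {
    int burst = max_deauth_in_window(CAPTURE, N_CAPTURE, AP, 1000);
    printf("max deauths/s for AP: %d -> %s\n", burst, burst >= 3 ? "ALERT" : "ok");
    return 0;
}
```

On an open network these frames cannot be authenticated, so a burst is a signal to investigate rather than proof of who sent it.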
The Cardputer displays a live scrolling console:
- Channel scan progress
- Drone detection (SSID / BSSID / channel)
- Deauthentication status
- Connection attempts
- Command injection feedback
All actions are also logged to the serial console.
Once connected, the module sends:
- EMERGENCY: immediately stops motors
- LAND: forces landing sequence
These commands are sent multiple times to ensure reception.
No. Modern drones use encrypted links, authentication, and signed firmware. This attack applies only to legacy Parrot AR.Drone models.
No. Control is temporary and ends when the module disconnects.
Yes — a design-level vulnerability: lack of authentication and trust in Wi-Fi connectivity.
This feature is included for:
- Security education
- Historical research
- Demonstrating why authentication matters
- Wireless attack surface awareness
This module interacts with airborne devices.
Do NOT use near people, animals, or property.
Use this feature only on devices you own or have explicit written authorization to test.
Unauthorized interference with drones may be illegal and dangerous.
- Samy Kamkar — SkyJack: Autonomous Drone Hijacking: https://samy.pl/skyjack/
- DEF CON 21 — SkyJack Presentation
- Parrot AR.Drone Developer Documentation (legacy)
SkyJack remains a landmark demonstration of how convenience-first design can completely undermine security.