At a day-long workshop on drones and privacy in October, researchers from the Federal Trade Commission showed they were able to hack into three different off-the-shelf drones, all costing less than $200.
The three drones tested were the AR Drone Elite Quadcopter from Parrot, the Hawkeye II 2nd FPV Motion Sensing Quadcopter from DBPower and the oneCase CX-10w made by Cheerson, according to documents obtained by Recode from a Freedom of Information Act Request.
The FTC didn’t specify which hacks worked on which drones, which makes sense since the point was to demonstrate security vulnerabilities that could compromise consumer privacy.
As with all computers (think of drones as flying computers), privacy and security go hand in hand, in that privacy is compromised when devices get hacked. But with drones, hacking doesn’t just compromise privacy, it also means machines can fall from the sky or be reprogrammed to surveil people from above.
Here’s what the FTC shared at the workshop about the three drones they hacked.
- Researchers were able to take over the video feed on all three of the drones, since the data was sent unencrypted.
- With two of the drones, they were able to take control of the flight path, as well as turn off the aircraft, causing both to fall from the sky.
- All of the smartphone apps made for the devices gave no indication or inconsistent notifications when a third party was connecting to the drone, so the operator wouldn’t know if someone was watching the video feed.
- Each of the drones acted as a Wi-Fi access point, allowing devices to connect to the drone like a home router, but, according to the FTC, they required no password to actually connect.
Researchers from the FTC then demonstrated how they were able to connect to one of the drone’s camera feeds from any computer, since the drone’s Wi-Fi access point wasn’t password protected.
The researchers then demonstrated how they were able to interrupt the feed between a device controlling the drone, like a smartphone application, disabling the drone and causing it to crash. They accessed the drone’s control feed through the open Wi-Fi connection, allowing them to log into the drone and commandeer the aircraft.
Drone manufacturers can, however, make their drones more secure by encrypting the Wi-Fi signal and adding password protection, according to the FTC.
Recode reached out to Parrot, DBPower and Cheerson for comment about whether or not they’ve since taken measures to secure their drones, but did not immediately hear back.
This article originally appeared on Recode.net.