Your UDI U818A Drone is Vulnerable. Don’t Get Hacked!

///Your UDI U818A Drone is Vulnerable. Don’t Get Hacked!

Your UDI U818A Drone is Vulnerable. Don’t Get Hacked!

UDI U818A HD+, Credit: AmazonIf you own a UDI U818A family drone, then you should read this article. Why? Because you are the proud owner of a very, very, very vulnerable drone. Consider yourself warned.

With so many reports of poor security on consumer drones, UAV enthusiasts would be forgiven for thinking manufacturers would have added mitigations against the most basic attacks. But, looking at one particularly popular model of drone, such hopes might be misplaced.

Earlier this month, the U.S. government-sponsored Carnegie Mellon Computer Emergency Response Team was compelled to put out a warning on the DBPOWER Quadcopter, which was vulnerable to a rudimentary attack that allowed anyone within range of the drone’s Wi-Fi connection to take it out of the sky. The researchers who uncovered the bug, from the Cyber-Physical Systems Security Lab at University of Texas at Dallas, put together a video for Forbes showing how they quickly obtained root access to the quadcopter and cut its power.

The Chinese-made drone is currently listed as a best seller at $140 on Amazon (though it’s been reduced to $80).

Watch A Very Vulnerable $140 Quadcopter Drone Get Hacked Out Of The Sky

The UDI U818A drone family features:

  • Intelligent Orientation Control/Headless – The UDI U818A HD has the Headless/IOC function. Usually, the forward direction of a flying multi-rotor is the same as the nose direction. By using Headless/IOC, the forward direction has nothing to do with nose direction. This lessens the steepness of the learning curve and allows the pilot to enjoy flight while slowly learning each specific orientation of the quadcopter.
  • 6-axis Gyro – Equipped with the latest 6-axis flight control systems, 3D lock, More scheduled flight, operating more to the force!
  • 360° Eversion – One key 360° roll, continuous roll for perfect action and wonderful performance
  • HD Video Camera – U818A HD equipped with 1MP HD video camera (Resolution: 1280 x 720; Frame rate: 30 Fps), lets you control the aircraft Enjoy taking pictures/video of the pleasure flights.
  • Upgraded Accessories – Extend your play time with two LiPO Battery and a upgraded 4GB Micro SD memory card.

It’s important to note I said “drone family” and not “drone.” Why? It appears the same core hardware is being resold by a number of different vendors,.

“The UDI U818A WiFi drone model appears to be very popular and sold by a variety of vendors,” noted UT Dallas’s Alvaro Cardenas. “It appears that what most vendors do is modify the U818A Wi-Fi model superficially (different colors, apps, etc.) but the core drone functionalities appear to be the same. We believe that this vulnerability would be applicable to all of these models.”

Watch A Very Vulnerable $140 Quadcopter Drone Get Hacked Out Of The Sky

Please don’t be fooled by the perceived “bang-for-your-buck” here, this is one vulnerable drone. Don’t just take my word for it, watch the video from the CY-PHY Security Lab @ UT Dallas below:

U818A WIFI quadcopter drone – vulnerability

We show in this video that a misconfigured FTP server allows us to overwrite system files on the Udirc U818A WIFI quadcopter drone.

In this demo, we overwrite the “/etc/shadow” to remove the password for the root user. As a result, we are able to remote login to the device as root and have full access to the operating system via telnet, and all the built-in utilities in the drone.

Here we show that we are able to take down a flying drone from the air. We do this by forcing the person who is flying the drone (via the proprietary app) to lose control of the drone. At that point the drone falls to the ground.

Devices affected:


This vulnerability was discovered and disclosed to US-CERT by Junia Valente, a Ph.D. candidate in software engineering at UT Dallas under the supervision of Dr. Alvaro Cardenas.

US-CERT has published a Note regarding this vulnerability:
DBPOWER U818A WIFI quadcopter drone allows full filesystem permissions to anonymous FTP

For more details on:
CWE-276: Incorrect Default Permissions – CVE-2017-3209

See the published Note:
https://www.kb.cert.org/vuls/id/334207


CY-PHY Security Lab @ UT Dallas


Video credit: Junia Valente (on the laptop), Paul Murley (flying the drone), and Travis Neyland Wright (on the camera). Junia is a doctoral candidate in Software Engineering at UT Dallas and Research Assistant at the CY-PHY Security Research Lab @ UT Dallas. Paul and Travis are students in Computer Science at UT Dallas but are not affiliated with the CY-PHY Security Research Lab.

U818A WIFI quadcopter drone – vulnerability

UDI U818A Box, Credit: AmazonWhile the original article I cited has pricing at $140, according to my research, pricing on U818A drones varies greatly. I’ve provided a few links below*:

With a documented vulnerability, I wouldn’t recommend that you purchase this drone for any reason other than research.

* Please note, my list is based on an Amazon search for U8181A, I have not validated the vulnerability works with all listed drones.

By | 2017-08-31T15:23:32+00:00 May 31st, 2017|Drone Security, Drones|Comments Off on Your UDI U818A Drone is Vulnerable. Don’t Get Hacked!

Share This Story, Choose Your Platform!

About the Author:

Sam Estrin
I'm an avid drone enthusiast and part-time drone blogger living outside of the DC area. I track drone news and write editorials and timely drone news stories that I find interesting. If you like my stories, you can follow me on Twitter or visit me at LinkedIn. If you'd like me to write for your drone oriented publication or blog, you can contact me at info@droneuniversities.com.