
If you own a Holy Stone drone, you might want to pay close attention. A new research paper has revealed some concerning findings about the security and reliability of Holy Stone drones, a popular budget-friendly brand in the consumer drone market. While Holy Stone has built a strong reputation among hobbyists, new evidence suggests that users should be cautious — especially when it comes to safety, connectivity, and data security.
Holy Stone has positioned itself as an affordable alternative to premium drone brands like DJI and Autel Robotics. While DJI dominates the industry with high-tech innovations, advanced flight controls, and industry-grade security, Holy Stone has gained a loyal following by offering easy-to-use drones at lower price points. But as this latest research suggests, that affordability might come at a hidden cost.
What the research says
Researchers at the Florida Institute of Technology conducted a series of cyber-attack simulations and forensic analyses of popular sub-250-gram Holy Stone models, such as the HS175D, HS430, and HS360S, as well as the heavier Holy Stone HS720. They found several issues that could leave drone operators vulnerable to unauthorized control and data breaches:
- Exposed Telnet Service (HS720 and HS175D)
One of the most critical findings is the exposure of a Telnet service in both the HS720 and HS175D models. Telnet is an unsecured communication protocol that can allow attackers to gain unauthorized root access to a drone’s system. By exploiting this vulnerability, attackers can manipulate the drone’s core systems, disrupt Wi-Fi connections, and disable the drone’s application entirely, leading to a complete loss of control. This type of access opens the door for hackers to hijack the drone and control it remotely.
- Exposed RTSP Service (HS175D)
The HS175D model, known for its live-streaming capabilities, has a significant vulnerability in its Real-Time Streaming Protocol (RTSP). RTSP is used to broadcast live video feeds to the user’s smartphone. The flaw lies in how the drone transmits the RTSP link between the drone and the mobile device. If attackers intercept this communication, they can gain unauthorized access to the live feed, posing a serious privacy risk. This vulnerability was demonstrated through the analysis of network traffic during the streaming process, where attackers could easily capture and exploit the RTSP link.
- Authentication Bypass (HS175D)
Another alarming vulnerability in the HS175D model is the authentication bypass. This flaw allows users to control the drone using mobile apps designed for other brands. Popular drone apps like Bwine and Ruko MINI, available on both Android and iOS, can connect to the HS175D without needing authentication, granting unauthorized individuals complete control over the drone. This flaw presents a severe security concern as it allows anyone within range to hijack the drone without the owner’s knowledge.
- Ping of Death (HS175D, HS430, HS720)
The “Ping of Death” attack affects the HS175D, HS430, and HS720. This cyber-attack involves sending oversized or malformed ICMP packets to overwhelm the drone’s system, causing it to crash or disrupt its operations. In this study, the attack led to the failure of the drones’ mobile applications, causing the drone to stop functioning mid-flight. This demonstrates the susceptibility of these drones to denial-of-service attacks.
- 802.11 De-authentication (HS175D, HS430, HS720)
Another vulnerability observed across all three models is susceptibility to the 802.11 de-authentication attack. This attack works by sending de-authentication frames to disconnect the drone’s Wi-Fi network from the user’s device, effectively preventing the user from controlling the drone or accessing its live feed. The impact of this attack is particularly concerning for drone enthusiasts who rely on a stable connection for safe and efficient flight operations.
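A de-authentication flood is visible in a monitor-mode capture: the frames are 802.11 management frames with subtype 12, and a burst of them aimed at one network is the signature. The detector below is an added example, not code from the research paper; the sample frames, MAC addresses, the 1-second window and the threshold of 5 are constructed assumptions.

```python
import struct
from collections import defaultdict

DEAUTH = 12        # 802.11 management subtype for de-authentication
WINDOW_S = 1.0     # assumed window length in seconds
THRESHOLD = 5      # assumed: more deauths than this per window is a flood

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Return (dest, source, bssid, reason) for a deauth frame, else None.
    Expects the bare 802.11 frame with any radiotap header already removed."""
    if len(frame) < 26:                       # 24-byte header + 2-byte reason
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH:       # type 0 = management
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def find_floods(capture):
    """capture: iterable of (timestamp, frame). Returns {bssid: peak count} for
    each BSSID that saw more than THRESHOLD deauths within WINDOW_S seconds."""
    seen = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed:
            seen[parsed[2]].append(ts)
    floods = {}
    for bssid, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_S:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > THRESHOLD:
            floods[bssid] = peak
    return floods

def frame(fc0, dst, src, bssid, body=b""):
    # Builds a constructed sample frame: FC, duration, 3 addresses, seq ctrl, body.
    return bytes([fc0, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + body

# Constructed capture: MACs, timings and reason codes are made up for the example.
DRONE, OTHER, ALL = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE = [(i * 0.125, frame(0xC0, ALL, DRONE, DRONE, b"\x07\x00")) for i in range(20)]
SAMPLE += [(0.5, frame(0x80, ALL, DRONE, DRONE, b"\x00" * 12)),   # beacon, ignored
           (0.7, frame(0xC0, ALL, OTHER, OTHER, b"\x03\x00"))]    # lone deauth, not a flood
```

Running `find_floods(SAMPLE)` flags only the constructed drone BSSID, because the single de-authentication on the other network stays under the threshold.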
The vulnerabilities identified have significant implications for the confidentiality, integrity, and availability (CIA) of drone operations. For example:
- Confidentiality is compromised through exposed RTSP services, which allow attackers to access live video feeds.
- Integrity is at risk due to the authentication bypass vulnerability, which can give unauthorized individuals control of the drone, potentially leading to malicious manipulation.
- Availability is directly impacted by attacks like Ping of Death and de-authentication, which can cause drones to become unresponsive or disconnected from the user.
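The oversized-packet form of Ping of Death can be caught before reassembly, because IPv4 caps a datagram at 65,535 bytes and an offending fragment declares an offset and length that add up to more. The check below is an added example, not code from the research paper; it covers only the oversized case, and the sample packets and addresses are constructed.

```python
import socket
import struct

MAX_DATAGRAM = 65535   # largest total length IPv4 allows after reassembly
ICMP = 1               # IP protocol number

def oversized_icmp(packet: bytes):
    """Check one raw IPv4 packet. If it is an ICMP fragment whose data would end
    beyond MAX_DATAGRAM once reassembled, return (src, ident, size); else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack_from("!HHH", packet, 2)
    if ihl < 20 or total_len < ihl or packet[9] != ICMP:
        return None
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    size = offset + total_len                 # header + offset + this payload
    if size <= MAX_DATAGRAM:
        return None
    return socket.inet_ntoa(packet[12:16]), ident, size

def scan(packets):
    """Return one finding per offending fragment, in capture order."""
    return [hit for hit in map(oversized_icmp, packets) if hit]

def ipv4(src, ident, flags_frag, payload, proto=ICMP):
    # Builds constructed detector input; the checksum is left at 0 (not checked here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, proto, 0, socket.inet_aton(src),
                       socket.inet_aton("192.168.0.1")) + payload

# Constructed sample traffic; addresses and IDs are made up for the example.
MF = 0x2000  # "more fragments" flag
SAMPLE = [
    ipv4("192.168.0.2", 1, 0, b"\x08\x00" + b"\x00" * 62),      # ordinary echo request
    ipv4("192.168.0.2", 2, MF, b"\x08\x00" + b"\x00" * 1478),   # first fragment of a large ping
    ipv4("192.168.0.2", 2, 185, b"\x00" * 520),                 # its last fragment, ends at 2020
    ipv4("192.168.0.9", 3, 8191, b"\x00" * 100),                # would end at 65648: flagged
    ipv4("192.168.0.9", 4, 8191, b"\x00" * 100, proto=17),      # UDP, outside this ICMP check
]
```

`scan(SAMPLE)` reports only the fragment from the constructed address 192.168.0.9 with ID 3; the legitimately fragmented large ping passes because its last fragment ends well inside the limit.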
Why this matters
For many drone enthusiasts, reliability is everything. Whether you’re filming breathtaking aerial footage or simply enjoying a casual flight, the last thing you want is for your drone to suddenly lose control. DJI users often pay a premium for that level of security and control, while Holy Stone users might unknowingly be taking bigger risks.
In industries where drones are used for safety-critical tasks — such as search-and-rescue or infrastructure inspection — these reliability gaps become even more concerning. While Holy Stone drones are primarily aimed at hobbyists, the findings suggest that even casual users should be aware of these potential risks.
What should Holy Stone drone users do?
If you currently own a Holy Stone drone, don’t panic, but take some precautions:
- Update your firmware: Ensure you’re running the latest firmware to patch any known issues.
- Fly in open areas: Avoid flying in high-interference zones, such as areas with heavy Wi-Fi traffic.
- Consider a signal booster: Some users have reported better stability using external signal boosters.
- Limit sensitive data exposure: If you’re concerned about data security, avoid transmitting sensitive information through drone apps.
This report puts Holy Stone in a tricky spot. Will they step up their game and improve their security measures? Or will they continue to focus on budget-friendly models with basic features? As the consumer drone industry evolves, security and reliability will become even more crucial. For those who want to dive deeper, we encourage you to read the full research paper. Understanding these risks can help you make smarter, safer decisions when choosing your next drone.
Have you experienced issues with Holy Stone drones? Share your thoughts in the comments!