UC Irvine’s FlyTrap Attack Defeats DJI Mini 4 Pro and HoverAir X1 Autonomous Tracking With an Ordinary Umbrella

The paper dropped this week at the Network and Distributed System Security Symposium in San Diego, and the finding is blunt: an ordinary umbrella covered with an AI-generated pattern can trick autonomous target-tracking drones into flying directly toward the person holding it. UC Irvine computer scientists call it FlyTrap, and they demonstrated it successfully on three commercial drones: the DJI Mini 4 Pro, the DJI Neo, and the HoverAir X1.

The attack doesn’t jam signals or hack firmware. It exploits the neural network at the core of camera-based autonomous tracking, the same technology marketed to consumers as Active Track and Dynamic Track, and increasingly deployed in border control, law enforcement surveillance, and public safety operations.

Here’s what that means in practice: open a specifically patterned umbrella in front of a tracking drone, and the aircraft’s computer logic interprets the visual pattern as a person walking away. To maintain its preset tracking distance, the drone moves steadily closer. At that point, the attacker captures it with a net gun or forces it to crash.

FlyTrap Exploits a Fundamental Flaw in Neural Network Tracking

The FlyTrap attack is a distance-pulling exploit that physically draws victim drones closer to an attacker by deceiving camera-based neural network tracking systems into misreading spatial distance. An umbrella bearing a specially designed AI-generated visual pattern causes the drone’s computer logic to conclude that its target is moving away, triggering the aircraft to close the gap until it can be captured or crashed. No wireless equipment, external signal, or network connection is required.

What makes this research significant is not that drones crash; we’ve documented that extensively in our own tracking tests. What makes it significant is that a completely passive, low-cost physical object can take consistent, deliberate control of a drone’s flight path. The UC Irvine team confirmed results across multiple drones and conditions, with attacks succeeding well enough to enable physical capture using net guns.

The system works in varied weather and lighting. It requires no technical expertise to deploy. And, crucially, it achieves something most drone countermeasures don’t: it doesn’t simply break tracking. It redirects the drone.

Three Commercial Drones Defeated in Field Testing

The UC Irvine team ran FlyTrap against the DJI Mini 4 Pro, the DJI Neo, and the HoverAir X1, testing at the campus’s Anteater Recreation Center field. All three drones were pulled close enough to either be captured with net guns or induced to crash. The researchers responsibly disclosed the vulnerabilities to both DJI and HoverAir before publication.

Anyone who has spent time with these drones in the field will recognize exactly what FlyTrap is exploiting. I’ve watched the Mini 4 Pro’s ActiveTrack 360 system make confident, committed decisions based entirely on visual input, and there are moments where that confidence exceeds what the camera data actually supports. The tracking logic trusts what it sees. FlyTrap feeds it a lie at the visual level, before the drone has any chance to cross-reference other sensors.

The HoverAir X1 presents a specific concern. As our own coverage has shown, the original X1 has no obstacle avoidance sensors of any kind, unlike the later Pro and Pro Max models that added a rear-facing sensor. The X1’s tracking camera is its only sensor. That architecture makes it especially susceptible to this kind of visual deception attack: there’s nothing else in the sensor stack to contradict what the camera is seeing.

The Military and Law Enforcement Problem Is Larger Than Consumer Risk

The UC Irvine paper focuses on Active Track and Dynamic Track as consumer features, but the researchers are clear that the same vulnerability exists wherever autonomous camera-based tracking is deployed. That includes border patrol drones, law enforcement surveillance aircraft, and security perimeter monitoring. Lead author Shaoyuan Xie stated directly that operating autonomous drones in public or critical security settings should be reconsidered until these vulnerabilities are addressed.

This is the same NDSS conference where, back in 2023, researchers from Ruhr University Bochum demonstrated how to decode DJI’s unencrypted DroneID broadcasts and expose pilot locations in real time. We covered that story when it broke, noting that the vulnerability exposed operators in conflict zones to serious risk. FlyTrap is a different class of attack, but the pattern is consistent: the security community is systematically working through the assumptions baked into drone design, and finding them wanting.

The paper also points out a two-sided reality. The same technique that lets a criminal evade a police tracking drone could let a stalking victim eliminate a drone following them. That ambiguity doesn’t reduce the seriousness of the vulnerability, but it does complicate any simple narrative about who benefits from this research becoming public.

What Fixes Look Like and Who Has to Build Them

The UC Irvine team published a dedicated FlyTrap project website, new datasets, demonstration videos, and an extended paper on arXiv. That arXiv preprint carries a September 2025 submission date, meaning this research sat in the pipeline for five months before the NDSS presentation this week. All drone experiments were completed before December 22, 2025, the date the FCC added foreign-produced UAS to its Covered List. That timing appears deliberate: the research predates the regulatory upheaval, which makes it harder to dismiss as a response to the current DJI ban debate. Funding came from NASA and the National Science Foundation.

The researchers call for “urgent security improvements” in autonomous target-tracking systems before wider deployment in critical infrastructure. What those improvements look like in practice is the harder question. Multi-sensor fusion, where tracking decisions require corroboration from GPS, IMU data, or depth sensors before acting on visual input alone, is one path. Better anomaly detection that flags physically implausible tracking trajectories is another. Neither is trivial to implement in lightweight consumer hardware.
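The corroboration idea above can be sketched as a plausibility gate in front of the follow controller. This is an added example, not code from the paper or from any drone vendor; the pinhole range model, the thresholds, the `Sample` fields and both traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# All constants are assumptions for this sketch, not values from the paper.
FOCAL_PX = 800.0         # camera focal length in pixels
SUBJECT_H_M = 1.7        # assumed height of the tracked person
MAX_SUBJECT_SPEED = 8.0  # m/s, upper bound for a person on foot
MAX_RANGE_GAP_M = 2.0    # tolerated vision-vs-depth disagreement

@dataclass
class Sample:
    t: float                  # seconds
    bbox_h_px: float          # tracker bounding-box height
    drone_fwd_m: float        # cumulative forward travel from IMU/GPS odometry
    depth_m: Optional[float]  # independent range reading, None if no such sensor

def vision_range(bbox_h_px: float) -> float:
    """Pinhole model: a shrinking box reads as a receding subject."""
    return FOCAL_PX * SUBJECT_H_M / bbox_h_px

def implausible(samples):
    """Return (t, reason) for every sample whose vision range should not be acted on."""
    flags = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        r_prev, r_cur = vision_range(prev.bbox_h_px), vision_range(cur.bbox_h_px)
        # Subject speed along the line of sight = range rate + the drone's own advance.
        speed = ((r_cur - r_prev) + (cur.drone_fwd_m - prev.drone_fwd_m)) / dt
        if abs(speed) > MAX_SUBJECT_SPEED:
            flags.append((cur.t, "subject speed"))
        elif cur.depth_m is not None and abs(r_cur - cur.depth_m) > MAX_RANGE_GAP_M:
            flags.append((cur.t, "vision/depth gap"))
    return flags

def trace(vision_m, depth_m, fwd_m):
    """Build a constructed 1 Hz trace from per-second range and odometry lists."""
    return [Sample(float(i), FOCAL_PX * SUBJECT_H_M / v, f, d)
            for i, (v, d, f) in enumerate(zip(vision_m, depth_m, fwd_m))]

# Constructed data: a genuine follow, then a trace where vision reports a receding
# subject while the depth sensor shows the gap closing.
GENUINE = trace([5.0, 5.0, 5.0, 5.0], [5.0, 5.0, 5.0, 5.0], [0.0, 1.5, 3.0, 4.5])
PULLED = trace([5.0, 5.5, 6.0, 6.5], [5.0, 4.2, 3.4, 2.6], [0.0, 0.8, 1.6, 2.4])

if __name__ == "__main__":
    print(implausible(GENUINE), implausible(PULLED))
```

On the second trace the speed bound alone raises nothing; the flags come from the independent range reading, which is the corroboration a camera-only airframe lacks.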

DJI has a bug bounty program that has paid out over $150,000 since 2017, and the company has moved quickly on previous disclosures. But this isn’t a code vulnerability with a patch. It’s an architectural assumption about how visual tracking works, and fixing it may require rethinking how these systems are designed from the sensor level up. We’ve asked DJI for comment and will update this story if they respond.

DroneXL’s Take

I’ve tested enough autonomous tracking drones to know exactly what FlyTrap is exploiting. Put the Mavic 4 Pro or the HoverAir X1 Pro into Active Track, and the drone commits. It trusts its camera. When I ran the ActiveTrack 360 tutorial tests, what struck me was how confidently the system acted on ambiguous visual information: it would commit to a tracking path based on a partial subject lock that I, looking at the same footage, wasn’t confident about. FlyTrap doesn’t create ambiguity. It engineers false certainty. That’s a much harder thing to defend against.

What strikes me most here is the specificity of the attack. This isn’t about jamming a signal or crashing firmware. The drone doesn’t malfunction. It does exactly what it’s designed to do, with complete confidence, based on fraudulent visual input. That’s a fundamentally harder problem to solve than a software bug.

The timing matters too. The FCC added all foreign-produced UAS to its Covered List on December 22, 2025, and the ongoing firmware waiver runs only until January 2027. Washington is currently debating which drones are safe to fly over American infrastructure, largely on the basis of data security concerns. FlyTrap shows that data exfiltration is not the only threat vector worth worrying about. Physical capture and crash-on-demand are on the table too. Don’t expect that point to make it into congressional testimony anytime soon, but it should.

My prediction: within six months, we’ll see a second-generation FlyTrap-style technique demonstrated against a military or law enforcement drone in a security research context. The consumer drone attack just proved the concept. Someone is already working on the harder target.

Editorial Note: AI tools were used to assist with research and archive retrieval for this article. All reporting, analysis, and editorial perspectives are by Haye Kesteloo.

