Paolo Stagno
paolo@doyensec.com
Void_Sec
voidsec.com
Agenda
• Drone Intro
• Vulnerability Research & Attack Vectors:
o Radio/Wi-Fi
o DJI GO (Android App)
o Firmware
o GPS
• Reverse Engineering:
o SDK
• Forensics
Drone Intro
• Law Enforcement
• First Responder
• Utility companies
• Governments
• Universities
• Terrorism
• Pentest/Red Team
DJI Phantom Intro
Phantom 3 Specs
• 1.2 kg
• 16 m/s
• 20-25 minutes
• ~400 g
• 500 m
FPV
Shooting
Shooting
Drone Architecture
Drone
• Flight controller
• Radio module
• GPS module and other sensors (Compass, Gyroscope, Accelerometer, Barometer)
• Micro-USB & MicroSD slot (firmware update and media storage only)
Remote Controller
• Radio module
• USB slot (firmware update and SDK only)
App/SDK
• Connect to Remote Control, display drone information (video feedback, GPS data and compass)
• Drone Navigation (Drone Takeoff, RTH, Waypoint)
Network Map
Firmware V01.07.0090
• Nmap scan report for 192.168.1.1 - Controller
21/tcp open ftp vsftpd 3.0.2
22/tcp closed ssh
23/tcp closed telnet
2345/tcp open unknown
5678/tcp closed unknown
• Nmap scan report for 192.168.1.2 - Aircraft
21/tcp open ftp vsftpd 3.0.2
22/tcp filtered ssh
23/tcp filtered telnet
2345/tcp filtered unknown
5678/tcp open unknown
• Nmap scan report for 192.168.1.3 - Camera
21/tcp open ftp BusyBox ftpd
| Anonymous FTP login allowed
22/tcp open ssh OpenSSH 6.2
23/tcp open telnet BusyBox telnetd
2345/tcp filtered unknown
5678/tcp filtered unknown
Latest Firmware V1.09.0200
• Nmap scan report for Controller
21/tcp open ftp
2345/tcp open unknown
• Nmap scan report for Aircraft
21/tcp open ftp
5678/tcp open unknown
• Nmap scan report for Camera
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
Radio & Wi-Fi
• Aircraft & Controller: Wi-Fi 5.725 GHz – 5.825 GHz (NOT the Lightbridge protocol)
• Video Link: 2.400 GHz – 2.483 GHz
• WPA2 encryption
• Default SSID is derived from the MAC address of the remote controller: PHANTOM3_[last 6 digits of MAC address].
• Default associated password is: 12341234
Wi-Fi Attacks
• De-auth attacks
• Controller > DJI GO (the controller has priority)
• Drone has a client queue
• If Wi-Fi is lost -> RTH
Wi-Fi Attacks
Attack   Result
WEP      Cannot be downgraded to WEP from settings
WPS      No WPS support
WPA2     4-way handshake brute-force
KRACK    Yes, AP & clients based on OpenWRT
Wi-Fi Attacks
Road to Shell
I do not have any SSH/FTP/Telnet passwords, so…
DJI GO App Diving
NFZ & Geofencing
NFZ & Geofencing
DJI GO APP
/res/raw/flyforbid.json (one NFZ entry)
{
  "area_id": 31681,
  "type": 1,
  "shape": 1,
  "lat": 45.109444,
  "lng": 7.641111,
  "radius": 500,
  "warning": 0,
  "level": 2,                  (Restricted Zone: flight not permitted)
  "disable": 0,
  "updated_at": 1447945800,    (19 November 2015)
  "begin_at": 0,
  "end_at": 0,
  "name": "Juventus Stadium",
  "country": 380,
  "city": "Turin",
  "points": null
}
DJI GO APP
/res/raw/upgrade_config.json
{
  "groupName": "GroundWifi",
  "weight": 20,
  "isCameraGroup": false,
  "isSingleFile": true,
  "upgradeMode": 0,
  "devices": ["2700"],
  "ftpDstFileName": "HG310.bin",
  "ftpPwd": "Big~9China",
  "ftpUrl": "192.168.1.1",
  "ftpUsername": "root",
  "pushDevice": 27
}
Road to Shell
• Now I have the password
• SSH & Telnet are filtered
• FTP is chrooted
Damn
Firmware
I tried to replace the firmware with a modified version, but the firmware has a checksum mechanism.
Damn^2
Running strings on the .bin and matching common strings such as password, private, key, :::, root and so on, looking for interesting material.
Password Cracking
root:$6$zi2k1pqQ$aYoxWoM9suJzq4xcIz0Uh/sMBQxIrM7QzqpNH.UMrX6TAmBx37jN0ygKlnpmHkgilWV5YzpfikkaylTWWo8RU0:16184:0:99999:7:::  -> Big~9China
ftp:$6$Kt6U5MHk$aCy81r9Wz49TlfDwSPHkx8bEouNFdt0khJg7Pj1HOJtECe5.t9KfNWOKKQXnyVqjd5whliLQGTQkXfB8p3rBX/:10933:0:99999:7:::  -> admin999
default::10933:0:99999:7:::  -> none
Firmware Downgrading
Filesystem
/etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
The drone's underlying system is a fork of OpenWRT 14.07 Barrier Breaker, built for "ar71xx/generic"; the controller runs the same version.
Services
• /etc/init.d/rcS
• /etc/init.d/rcS_ap
• /etc/init.d/rcS_aphand
• /etc/init.d/rcS_cli
These scripts run during the boot process; adding this line starts the telnet server:
telnetd -l /bin/ash &
Shell Time
SDK
By isolating specific instructions sent to the drone with Wireshark, we can implement a custom application that sends only very specific commands. These commands could include changing the Wi-Fi password or even resetting the Wi-Fi connection. This knowledge can be leveraged into a full drone takeover.
SDK
• DJI SDK Authentication Server
• DJI app performs an Activation Request
Crack the SDK Authentication Mechanism
Packet Structure
DJI Packet = HEADER (4 bytes) + PAYLOAD (variable length)

Header Structure
Field     Magic byte   Packet length   Version     Custom crc8
Hex       0x55         0x0d            0x04        0x33
Binary    0101 0101    0000 1101       0000 0100   0011 0011
Decimal   85           13              4           51
Payload Structure
Field   Source Type   Target Type   Seq #   Flags   CMD ID   Opt. bytes
Bytes   02            06            4e00    40      06 12    540b

Source/Target Type:
01: Camera
02: App
03: Fly Controller
04: Gimbal
06: Remote Controller

CMD ID (first byte):
00: general command
01: special command
02: set camera
03: set fly controller
04: set gimbal
05: set battery
06: set remote controller
07: set wifi
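A dissector for the packet layout just described, written as an added example for this page (it is not code from the talk or from DJI). It follows the field order on the slides; the crc8 is "custom" and its polynomial is not given, so it is carried through rather than verified, and the Seq # byte order is assumed little-endian.

```python
# Added example (not from the talk): a dissector for the DJI packet layout
# described on the slides. The crc8 polynomial is not given, so the checksum
# is only carried through, not verified; Seq # is assumed little-endian.
import struct

MAGIC = 0x55
HEADER_LEN = 4          # magic, length, version, crc8
MIN_PAYLOAD = 7         # src, dst, seq (2), flags, cmd set, cmd id

SOURCE_TARGET = {
    0x01: "Camera", 0x02: "App", 0x03: "Fly Controller",
    0x04: "Gimbal", 0x06: "Remote Controller",
}
CMD_SET = {
    0x00: "general command", 0x01: "special command", 0x02: "set camera",
    0x03: "set fly controller", 0x04: "set gimbal", 0x05: "set battery",
    0x06: "set remote controller", 0x07: "set wifi",
}

# The packet shown on the slide: 55 0d 04 33 | 02 06 4e00 40 06 12 540b
SAMPLE_PACKET = bytes.fromhex("550d0433" "0206" "4e00" "40" "0612" "540b")


def parse_packet(data: bytes) -> dict:
    """Parse one packet; raise ValueError on anything that does not match
    the layout so a dissector never silently accepts malformed input."""
    if len(data) < HEADER_LEN + MIN_PAYLOAD:
        raise ValueError(f"packet too short: {len(data)} bytes")
    magic, length, version, crc8 = struct.unpack("<BBBB", data[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError(f"bad magic byte 0x{magic:02x}")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes present")
    src, dst, seq, flags, cmd_set, cmd_id = struct.unpack(
        "<BBHBBB", data[HEADER_LEN:HEADER_LEN + MIN_PAYLOAD])
    return {
        "length": length,
        "version": version,
        "crc8": crc8,
        "source": SOURCE_TARGET.get(src, f"unknown(0x{src:02x})"),
        "target": SOURCE_TARGET.get(dst, f"unknown(0x{dst:02x})"),
        "seq": seq,
        "flags": flags,
        "cmd_set": CMD_SET.get(cmd_set, f"unknown(0x{cmd_set:02x})"),
        "cmd_id": cmd_id,
        "opt": data[HEADER_LEN + MIN_PAYLOAD:],
    }


def iter_packets(stream: bytes):
    """Walk a reassembled capture and yield every well-formed packet, using
    the length field to find boundaries and resyncing on the next magic
    byte when the length does not fit (garbage or a truncated tail)."""
    i = 0
    while i + HEADER_LEN <= len(stream):
        if stream[i] != MAGIC:
            i += 1
            continue
        length = stream[i + 1]
        end = i + length
        if length < HEADER_LEN + MIN_PAYLOAD or end > len(stream):
            i += 1
            continue
        yield parse_packet(stream[i:end])
        i = end


def describe(pkt: dict) -> str:
    """One-line summary in the style of a Wireshark info column."""
    return (f"{pkt['source']} -> {pkt['target']} seq={pkt['seq']} "
            f"flags=0x{pkt['flags']:02x} {pkt['cmd_set']} "
            f"cmd=0x{pkt['cmd_id']:02x} opt={pkt['opt'].hex()}")


if __name__ == "__main__":
    # Two copies of the slide packet behind two bytes of garbage.
    for p in iter_packets(b"\x00\x00" + SAMPLE_PACKET + SAMPLE_PACKET):
        print(describe(p))
```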
GPS
• GPS signal for civilian usage is unencrypted.
• Replay Attack is the common GPS spoofing method.
Software: gps-sdr-sim
Hardware: HackRF One
Which functions are associated with GPS?
• No-fly zone
• Return to home
• Follow me
• Waypoint
GPS 101
Ephemeris Data
• GPS satellites transmit information about their location (current and predicted), timing and "health" via what is known as ephemeris data.
• This data is used by GPS receivers to estimate location relative to the satellites and thus position on earth.
• Ephemeris data is considered good for up to 30 days (max).
GPS Replaying
GPS Replaying
GPS NFZ
GPS NFZ
PoC Time
Drone Takeover
[plot: drone position trace, both axes from -15 to 20]
Detect Fake GPS
• Validate the GPS sub-frame
• Validate the time between satellite time and real time on device
• Check the speed between point to point
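The flyforbid.json entry shown earlier and the three detection checks above can be exercised together over a flight track; the following is an added example for this page, not code from the talk or from DJI. It assumes the NFZ file's top level is a list of entries and that shape 1 means a circle, uses the 16 m/s top speed from the specs slide with an assumed margin, and treats the clock-skew tolerance as an assumption; sub-frame validation needs the raw navigation bits and is out of scope.

```python
# Added example (not from the talk): plausibility checks for a GPS track in
# the spirit of the "Detect Fake GPS" slide, plus a check against a
# flyforbid.json-style no-fly zone. Sub-frame validation is out of scope.
import json
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 16.0        # Phantom 3 top speed from the specs slide
SPEED_MARGIN = 1.5          # assumption: flag only above 150% of top speed
MAX_CLOCK_SKEW_S = 5.0      # assumption: tolerated GPS vs. device clock gap

# Constructed sample: the stadium entry from the slide, wrapped in a list
# (the file's top-level structure is an assumption).
SAMPLE_FLYFORBID = """[
  {"area_id": 31681, "type": 1, "shape": 1, "lat": 45.109444, "lng": 7.641111,
   "radius": 500, "warning": 0, "level": 2, "disable": 0,
   "updated_at": 1447945800, "begin_at": 0, "end_at": 0,
   "name": "Juventus Stadium", "country": 380, "city": "Turin", "points": null}
]"""

# Constructed track (epoch seconds). Fix 2 has a device clock 18 s off and
# fix 3 "teleports" about 1.2 km into the stadium within one second.
SAMPLE_FIXES = [
    {"gps_time": 1000, "device_time": 1000, "lat": 45.1200, "lng": 7.6411},
    {"gps_time": 1001, "device_time": 1001, "lat": 45.1201, "lng": 7.6411},
    {"gps_time": 1002, "device_time": 1020, "lat": 45.1202, "lng": 7.6411},
    {"gps_time": 1003, "device_time": 1003, "lat": 45.109444, "lng": 7.641111},
]


def haversine_m(lat1, lng1, lat2, lng2):
    """Great-circle distance in metres between two lat/lng points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lng2 - lng1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def load_zones(raw):
    """Keep enabled circular zones (assumption: shape 1 = circle)."""
    return [z for z in json.loads(raw) if z["shape"] == 1 and not z["disable"]]


def zone_active(zone, ts):
    """begin_at/end_at of 0 mean a permanent zone, as in the stadium entry."""
    if zone["begin_at"] and ts < zone["begin_at"]:
        return False
    if zone["end_at"] and ts > zone["end_at"]:
        return False
    return True


def zones_hit(zones, lat, lng, ts):
    """Active zones whose radius covers the point."""
    return [z for z in zones
            if zone_active(z, ts)
            and haversine_m(lat, lng, z["lat"], z["lng"]) <= z["radius"]]


def check_track(fixes, zones):
    """Return (fix index, finding) tuples for skewed clocks, impossible
    point-to-point speeds and no-fly zone entries."""
    findings = []
    for i, f in enumerate(fixes):
        skew = abs(f["gps_time"] - f["device_time"])
        if skew > MAX_CLOCK_SKEW_S:
            findings.append((i, f"clock skew {skew:.0f}s between GPS and device"))
        if i > 0:
            prev = fixes[i - 1]
            dt = f["gps_time"] - prev["gps_time"]
            dist = haversine_m(prev["lat"], prev["lng"], f["lat"], f["lng"])
            if dt <= 0:
                findings.append((i, "GPS time not increasing"))
            elif dist / dt > MAX_SPEED_MPS * SPEED_MARGIN:
                findings.append((i, f"implausible speed {dist / dt:.0f} m/s"))
        for z in zones_hit(zones, f["lat"], f["lng"], f["gps_time"]):
            findings.append((i, f"inside no-fly zone '{z['name']}' (level {z['level']})"))
    return findings


if __name__ == "__main__":
    for idx, msg in check_track(SAMPLE_FIXES, load_zones(SAMPLE_FLYFORBID)):
        print(f"fix {idx}: {msg}")
```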
Forensics
Two proprietary file formats:
• .dat file in non-volatile memory
• .txt file on mobile device
DAT Structure
DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III
Devon R. Clark*, Christopher Meffert, Ibrahim Baggili, Frank Breitinger
Flight Data
• Photos & Video (GEO Tagging)
• Flight Stats (compass, battery, etc)
• Autopilot Data
• GPS Data (location of drone)
• Pitch, roll and yaw of Gimbal & aircraft
• No-fly zones
• User email addresses
• Last known home point
• Device serial number
Flight Data (airdata.com)
Lost & Found
• Images have no checksum mechanism.
• We can show wrong images to the controller.
• Compass and magnetic fields (Compass Calibration)
Defenses
•Drone netting
•Drone shooting
•Jamming
•EMP
•Cyber
•Geofencing & NFZ
•Laser
•Missile
Drone Netting
Predator Bird
Confetti Gun
Jet Ski
Defenses Ref.
Further Work
• Full network protocol analysis, maybe build a ground station through the SDK
• Binaries and services analysis and vulnerability research
• Finding some cool exploits
• Play with something more complex
Previous Work & References
• DJI Phantom 3
• DROP (DRone Open source Parser)
• dronesec.xyz
• How Can Drones Be Hacked?
• Defcon/Black Hat Drone/UAV Talks
• Drone vs Patriot
• GPS Spoofing
• Hak5 Parrot AR
• Skyjack
• Maldrone
• airdata.com
• DJI CRC16
• dex2jar
• Jadx
• JD-GUI
• GPS-SDR-SIM
• GPSpoof
• DJI No Fly Zone
FAQ Time
Paolo Stagno
paolo@doyensec.com
doyensec.com
Void_Sec
voidsec.com
A Drone Tale by Paolo Stagno - Sec-T 2018

Editor's Notes

  1. Good afternoon everybody. Today I will talk about drones and their possible attack vectors. Hopefully it will be a nice trip; anyway, please fasten your seatbelts (break 1s)
  2. Before I start, a big shout out to all the people who helped me with this research and who followed me on various field trips for all the tests. Some of them prefer to remain anonymous and, you know, GDPR... That's why the black slide.
  3. Let me introduce myself for a moment. I'm Paolo Stagno; on the internet I'm better known as voidsec. Do not be fooled by the picture: it makes me look a lot like a door-to-door salesman, but I can assure you that I'm a nerd like you; unfortunately it is the only decent photo that I have. Here you can also find some details and ways to contact me if you would like to ask me further questions (criticism and advice are also welcome). Since the beginning of my career I have mainly dealt with penetration tests and red teaming; now, at Doyensec, I have moved towards vulnerability research and application security. My curiosity has always pushed me to disassemble the applications and hardware of our digital world in order to better understand how they work. I mainly focus on the offensive security sector because I have always considered it (feel free to contradict me) more interesting as a field of study than its counterpart. I also run a blog, voidsec.com, where I publish articles, vulnerabilities and the results of my studies and research.
  4. I'm sorry, I know that some of you were waiting for this, but during the talk I will not speak about it.
  5. While I will speak about drones in general, I will detail the infrastructure of the drone in question and then tell you its main attack vectors. We will go through a bit of reverse engineering and forensics, and after the talk there will be a small Q&A session.
  6. Since their first introduction in the consumer market we have seen drones used in the following sectors. Law enforcement: drones used for border control, patrolling and crowd control. Search for missing people in case of natural disasters. A beautiful project that sees drones as portable defibrillators. They were used by various companies to check the status of energy production plants and areas difficult for a person to reach (bridges, large infrastructures). Forest fire control, statistics on flora. Unfortunately, in 2017 in Syria and Iraq, ISIS used modified versions of small commercial drones capable of dropping explosive projectiles. Obviously they were also used for all the creative ideas of aerial photos and videos. Personally I used drones during red team engagements in order to map the physical accesses of a big factory and, equipped with a Pineapple, to map Wi-Fi hotspots.
  7. In this panorama, a Chinese company, DJI, quickly gained fame and a reputation as the most stable aerial platform for filming. What you see in the slide is the DJI Phantom 3, the product on which all my research and this talk are based. You can see the main body of the drone, its controller (or ground station) and other equipment.
  8. These are some of the key points of this version: it weighs 1.2 kg including the battery (800 g drone, 400 g battery); it is able to fly easily enough with a payload of another 400 g; 500 m maximum range in open field; it has an autonomy of 20-25 minutes (depending on weather conditions); its maximum speed is 16 m/s (~57 km/h). As I mentioned earlier, it is an excellent aerial platform for the stability of its shots.
  9. I'm joking, this is the video feedback of a racing drone.
  10. This is the video footage of a day at sea with a little wind. If you pay special attention, at a certain point there is even a seagull passing by.
  11. While these are photos in different types of weather, sun and wind conditions: Piazza Vittorio (left corner) in Turin, Italy (my home town), Hastings, UK, in the middle, and the beautiful Superga.
  12. Now I will introduce you to the drone architecture and its components. Despite all these technological components, the drone is not equipped with a system able to detect obstacles (which was then integrated into the next version), and it is therefore possible to safely operate it only in open field or in line of sight.
  13. The first thing I did was to try to understand its network scheme. Basically, the ground controller acts as an access point for the drone and for the camera (which is separate from the aircraft; I think it was done to ensure that video feedback cannot interfere with the flight). The use of the application on a mobile phone is optional.
  14. As you can see, this is the list of the exposed services within the network that I showed you before. Basically I have a flying FTP server. Interesting services like SSH and telnet are filtered. FTP instead is always reachable, and in the case of the camera it is possible to log in with the combination anonymous:anonymous. Port 5678 is used by the Android/iOS application.
  15. In the latest version of the firmware, on the other hand, we can see that all the unnecessary services have been removed and only the core ones are left: specifically, the FTP server used to load the firmware and retrieve the flight logs and the media, and port 5678. This hardening is meant to counter the illegal mod market (which allowed changes of maximum altitude, frequency changes and the removal of limitations such as NFZ).
  16. Regarding the communication between the aircraft and the controller, a Wi-Fi connection is established both for the transport of flight data and for the video stream to the application on the phone. The drone does not use the Lightbridge protocol (a proprietary DJI protocol for long-distance streaming that is instead mounted on the more expensive models for professional use; it ensures greater stability and fluidity of long-range communications, allows full HD feedback, master and slave systems, etc.). The default SSID of the Wi-Fi network is derived from the MAC address of the remote controller, in the following format: Phantom3_ followed by the last 6 digits of the MAC address. The default password for the network is the evergreen strong password 12341234.
  17. Obviously, drones are not exempt from the most classic Wi-Fi attacks, in particular we have predefined behaviours for the case of de-authentication attack (forcing the disconnection of the phone or controller from the drone): In the event that the phone is disconnected nothing happens, the ground controller has the priority and it can continue to drive the drone. As for the controller, if disconnected, the automatic Return to Home is triggered, RTH consists in bringing the drone to a predetermined altitude (default 30m) and flying in a straight line on the last GPS point set as home point (obviously this is not possible without the use of GPS) If we then try to add a new device to an existing network, aircraft maintains a queue of devices, thus leaving priority to the first connected phone. When the connection to the first device is interrupted the second device can connect (and exploit all the features of the app, video feedback, RTH, landing and in the case SDK navigation). The ground controller still maintains the priority on commands, but it makes the whole thing less manageable.
  18. Speaking about Wi-Fi attacks: The network cannot be downgraded to WEP from aircraft settings and there is no WPS support. It Is vulnerable to standard WPA2 4 way handshake brute force. Since, as we will see later, the system is based on OpenWRT and DJI never released a firmware update after the KRACK advisory, it is also vulnerable to KRACK (I would like to remember that Krack do not allow to recover plaintext pre-shared password)
  19. Using Fluxion and a good dictionary is a matter of some minutes to recover the pre-shared password
20. Here my path to get a shell on the aircraft's system started. In summary: I found some open and some filtered services for which I did not have the credentials. The first thing that came to my mind was to explore the application that DJI provides for video feedback and other assisted control.
21. Here a small digression: the Phantom 3 and later models provide a geofencing system, or a built-in no-fly zone list. No-fly zones are, as shown in the image, virtual fences with a specific diameter inside which the drone cannot fly. This makes it possible to exclude some locations, like airports, from drone flight.
22. Specifically, DJI makes available to its pilots a map where you can see, country by country, the NFZs in the area. Warning Zones (green): users will be prompted with a warning message. Example: a protected wildlife area. Authorization Zones (yellow): users will be prompted with a warning and flight is limited by default. Authorization Zones may be unlocked using a DJI verified account. Example: model aircraft flying at an airport. Restricted Zones (red): users will be prompted with a warning message and flight is prevented. Example: Washington D.C. The main problem, as I mentioned before, is that if there is no GPS coverage then the drone is not aware of its position and it can freely enter an NFZ area. In ATTI mode but with a GPS fix, the drone refuses to fly inside.
23. In order to update the NFZs stored in the firmware, as in the case of temporary events or new locations, DJI is able to push NFZs during the mobile app updates. This is an example of an NFZ in an update: in blue, the info regarding the NFZ position and radius; in red, the NFZ type (in this case, since it is a stadium, flight is not permitted); in violet, the info regarding the expiration time for a temporary NFZ; in green, the name of the NFZ and the city where it is present. The main problem arises because the app's resources are not signed and therefore editable, so we can invalidate the introduction of these new NFZs.
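The geofence logic described in slides 21 to 23 (circular zones with a type, a radius and an optional expiry, and no enforcement possible without a GPS fix) can be written down as a small evaluator. This is an added example, not DJI's code: the zone names, coordinates, the severity ordering and the mapping from zone type to action are constructed for the demo, and the flat-earth distance approximation is a design choice that is accurate enough for zone radii of a few kilometres.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0

# Zone types as shown on the DJI map: warning (green), authorization (yellow),
# restricted (red). The action names and the severity ordering are constructed.
ZONE_ACTION = {"warning": "warn", "authorization": "warn_and_limit", "restricted": "prevent"}
SEVERITY = {"allow": 0, "warn": 1, "warn_and_limit": 2, "prevent": 3}


@dataclass
class NoFlyZone:
    name: str                      # green field of the update record
    city: str
    lat: float                     # blue field: centre and radius
    lon: float
    radius_m: float
    zone_type: str                 # red field: warning / authorization / restricted
    expires_at: Optional[datetime] = None   # violet field: set only for temporary zones

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


def flat_distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Equirectangular approximation; the error is far below 1 % at km-scale distances."""
    mean_lat = math.radians((lat1 + lat2) / 2.0)
    dx = math.radians(lon2 - lon1) * math.cos(mean_lat) * EARTH_RADIUS_M
    dy = math.radians(lat2 - lat1) * EARTH_RADIUS_M
    return math.hypot(dx, dy)


def evaluate_position(lat: float, lon: float, zones: List[NoFlyZone], now: datetime,
                      gps_fix: bool = True) -> Tuple[str, List[str]]:
    """Return (action, names of active zones containing the point).

    Without a GPS fix the aircraft does not know where it is, so the geofence
    cannot be enforced at all; that case is reported explicitly rather than as 'allow'.
    """
    if not gps_fix:
        return "unknown", []
    action, hits = "allow", []
    for zone in zones:
        if not zone.is_active(now):
            continue                     # expired temporary zone: no longer applies
        if flat_distance_m(lat, lon, zone.lat, zone.lon) <= zone.radius_m:
            hits.append(zone.name)
            zone_action = ZONE_ACTION[zone.zone_type]
            if SEVERITY[zone_action] > SEVERITY[action]:
                action = zone_action      # the most restrictive zone wins
    return action, hits


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def sample_zones() -> List[NoFlyZone]:
    """Constructed zones for the demo; names and coordinates are made up."""
    return [
        NoFlyZone("Example Stadium", "Exampletown", 45.0410, 7.6400, 1500.0,
                  "restricted", expires_at=utc(2018, 6, 1)),   # temporary event
        NoFlyZone("Example Wildlife Area", "Exampletown", 45.2000, 7.8000, 5000.0,
                  "warning"),                                   # permanent
    ]


if __name__ == "__main__":
    zones = sample_zones()
    print(evaluate_position(45.0420, 7.6410, zones, utc(2018, 5, 15)))   # prevent
    print(evaluate_position(45.0420, 7.6410, zones, utc(2018, 6, 2)))    # allow (expired)
    print(evaluate_position(45.2010, 7.8010, zones, utc(2018, 6, 2)))    # warn
    print(evaluate_position(45.0420, 7.6410, zones, utc(2018, 5, 15), gps_fix=False))
```

The evaluator only answers the question "may I fly here according to the list I was given"; it shows why the integrity of the pushed zone list matters, since a tampered or emptied list simply yields `allow` for every point.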
24. Continuing the dive inside the app, I found this configuration file with the root password of the aircraft. You know, Chinese products… (The password for previous models was only digits, so they are trying to improve.)
25. Perfect, I tell myself, I have the root password! Yeah, too bad: SSH and Telnet are filtered and the FTP service is restricted to a single folder, so I cannot navigate the filesystem.
26. OK, so I tried some simple firmware replacement attacks, but there must be some checksum mechanism that prevents me from replacing it. Since doing the firmware analysis would have been a long process, and I am lazy, I preferred to perform some preliminary analysis; for example, I tried to grep for simple keywords and I was able to extract hashes of other users.
27. Cracking time: ftp:admin999 default:"blank" anonymous:anonymous
28. Then I thought that some of the countermeasures, such as the restricted FTP, could have been introduced in later updates. It is not documented, but I found that if you keep the small three lines in the app pressed, you can access a menu from which you can downgrade the firmware.
29. By downgrading the firmware to its previous version, the FTP service was no longer limited and as root I had access to the entire filesystem, of which I then made a copy and started its analysis. Specifically, the system used by DJI is a fork of OpenWRT 14.07 "Barrier Breaker", full of custom binaries.
30. I then found the following scripts that run at boot time. The first file maintains the configurations, and by adding the following command (telnetd -l /bin/ash) I reactivated telnet, to which I could finally connect.
31. Finally ROOT! Great, but my path was not finished yet: we have a third element of the DJI package that until now I have not considered as an attack vector.
32. Sad story: the first time I tried to compile it, I received 11k warnings and errors; in the end I made it work. The main idea of the SDK as an attack vector was to isolate specific instructions sent to the drone by monitoring the communication with Wireshark; I would like to implement a custom application that could send specific commands (e.g. association with another Wi-Fi) to get a full takeover.
33. The SDK has an "unlock" mechanism: it is necessary to have a DJI account and request an API key. Fortunately, in the versions prior to the last release it was enough to modify (with a Java bytecode editor) the authentication request mechanism and set a variable directly as unlocked.
34. This is the communication flow between the app and the drone. I have filtered out all the UDP traffic, which is video feedback.
35. DJI uses a proprietary TCP-based protocol for flight controls, so I started to do some reverse engineering. Fortunately, it is very similar to the protocol used by previous Phantom versions, so some fields had already been identified by the community.
36. The header is made of: the first byte, which is a protocol magic number; then the total length of the packet (header + payload); the protocol version; and a custom DJI checksum derived from hardcoded values (which I retrieved from the SDK).
37. Here you can see the payload structure (command sets): 00: getting the version, setting dates, pinging, retrieving some device info; 01: firmware updates; 02: setting camera modes and settings; 03: status of the battery and motors, setting fly-forbid areas; 04: gimbal command set; 05: retrieving the history log and the features of the battery; 06: remote controller command set; 07: Wi-Fi signal status, getting and setting the SSID.
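To show how the header layout of slide 36 and the command-set table of slide 37 turn into a dissector for a captured TCP stream, here is an added example (not DJI's code and not part of the talk). The talk gives the field order but not the byte values, so the magic number, the little-endian two-byte length, the one-byte version, the one-byte checksum and the checksum's XOR-with-seed construction are all constructed assumptions standing in for the real values; only the command-set meanings come from the slide. The parser resynchronises on the magic byte and rejects frames whose length or checksum does not hold, which is what you need when reading a stream exported from Wireshark.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Constructed framing assumptions for this example (field order from slide 36, values
# made up): magic(1) | total length(2, little-endian) | version(1) | checksum(1),
# followed by a payload whose first byte is the command set.
MAGIC = 0xAA            # placeholder, not the real DJI magic number
HEADER_LEN = 5
CHECKSUM_SEED = 0x5A    # placeholder for the hardcoded value the DJI checksum derives from

# Command sets as listed in slide 37
COMMAND_SETS = {
    0x00: "general: version, date, ping, device info",
    0x01: "firmware update",
    0x02: "camera modes and settings",
    0x03: "flight controller: battery/motor status, fly-forbid areas",
    0x04: "gimbal",
    0x05: "battery: history log and features",
    0x06: "remote controller",
    0x07: "Wi-Fi: signal status, get/set SSID",
}


def header_checksum(header: bytes) -> int:
    """Stand-in for DJI's custom checksum: XOR of the first four header bytes with a seed."""
    value = CHECKSUM_SEED
    for b in header[:4]:
        value ^= b
    return value


@dataclass
class Frame:
    offset: int          # position in the stream, handy for cross-referencing the capture
    version: int
    command_set: int
    description: str
    payload: bytes


def build_frame(version: int, command_set: int, payload: bytes) -> bytes:
    """Encode one frame under the assumed layout (used here only to build the sample capture)."""
    total = HEADER_LEN + 1 + len(payload)
    head = bytes([MAGIC]) + struct.pack("<H", total) + bytes([version])
    return head + bytes([header_checksum(head), command_set]) + payload


def parse_stream(data: bytes) -> Tuple[List[Frame], List[str]]:
    """Walk a reassembled TCP byte stream; return the valid frames and a list of problems."""
    frames: List[Frame] = []
    problems: List[str] = []
    i = 0
    while i < len(data):
        if data[i] != MAGIC:
            i += 1                      # not a frame start, keep scanning
            continue
        if i + HEADER_LEN > len(data):
            problems.append(f"truncated header at offset {i}")
            break
        total = struct.unpack_from("<H", data, i + 1)[0]
        if total < HEADER_LEN + 1 or i + total > len(data):
            problems.append(f"bad or truncated length {total} at offset {i}")
            i += 1                      # treat as a false magic byte and resync
            continue
        if header_checksum(data[i:i + 4]) != data[i + 4]:
            problems.append(f"checksum mismatch at offset {i}")
            i += 1
            continue
        command_set = data[i + 5]
        frames.append(Frame(i, data[i + 3], command_set,
                            COMMAND_SETS.get(command_set, "unknown command set"),
                            bytes(data[i + 6:i + total])))
        i += total
    return frames, problems


def sample_capture() -> bytes:
    """Constructed stand-in for an exported TCP stream: one leading junk byte, two valid
    frames, one frame with a corrupted checksum and a trailing truncated header."""
    corrupted = bytearray(build_frame(1, 0x07, b"\x10"))
    corrupted[4] ^= 0xFF
    return (b"\x00" + build_frame(1, 0x00, b"\x01") + build_frame(1, 0x03, b"\x64\x02")
            + bytes(corrupted) + bytes([MAGIC, 0x09]))


if __name__ == "__main__":
    frames, problems = parse_stream(sample_capture())
    for f in frames:
        print(f"@{f.offset:04d} v{f.version} set 0x{f.command_set:02x} ({f.description}): {f.payload.hex()}")
    for p in problems:
        print("!", p)
```

When pointed at a real capture, the first thing to replace is `header_checksum` with the actual DJI routine recovered from the SDK; until then the checksum check is only a structural placeholder and every real frame will be reported as a mismatch.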
38. GPS was the attack vector on which I focused most, mainly because it is completely remote: it does not require access to the drone's network as a prerequisite. Furthermore, it is the most "common" method to hijack a civil drone, as GPS signals are not encrypted. Speaking of GPS attacks, the most common way is the replay attack, where a previously recorded signal is sent. I used the HackRF, which is kind of "cheap" (~300 €) compared to other devices. It also has a small problem, since its internal clock is not precise enough for GPS replaying; I needed to buy an external clock for this attack.
39. To generate our signal we need to download basic data called ephemeris data, which contains information about the location (current and future) of a satellite. It is used by the receivers to calculate the estimated position of the satellites and therefore their own position on Earth.
40. This is the result of the GPS spoofing: the device thinks I am in Turkey.
41. I would like to point out that the time information is also contained within the spoofed signal. So we can spoof space and time.
42. The drone was in Turin, but I was spoofing the location of the White House, which, surprisingly, is also a no-fly zone. If I try to fly:
43. That's the error message that I get back! Funny thing, DJI thinks that the White House is a Nuclear Power Plant. If we spoof an NFZ, the drone cannot take off. If the drone is at a forbidden location and we give it a fake position via GPS spoofing, it will be unlocked and able to fly.
44. Since we are spoofing a no-fly zone, the flying drone is forced to land. The video is sped up, since with my setup this attack would take ~10m or more.
45. This is the schema that can be used (with the right hardware equipment) to perform a complete takeover. The real drone position is the green marker. A de-authentication attack is performed in order to trigger the RTH functionality; at the same time a GPS spoofing attack is started. Now the drone believes it is on the red marker and tries to fly home. Well, it is actually flying much farther away, where it can be captured/shot down.
46. How can we notice a GPS attack? We can validate the GPS packet subframe of the data we are receiving: as you can see in red, the subframe of a signal we are spoofing is all set to zero. We can also validate the time received against the time set on the device. We can validate the time spent travelling between two different GPS positions; for example, it is impossible to change your location from Sweden to Italy in one second.
47. With the increasing number of incidents, we now talk about forensic artefacts and where to find them. On the DJI Phantom 3, useful artefacts are present in 3 locations: the camera on the gimbal (media files, images and videos); the .txt file on the mobile application; and the .dat file in an (undocumented) memory present on the motherboard (a real aircraft black box/flight recorder).
48. The proprietary files are structured as follows; a great job has already been done to create a tool called DROP (Drone Open Source Parser); the link is in the reference slides. This is the structure of the .dat files present on the black box: a bit like the SDK packet structure, there is a magic byte, the indication of which specific component has issued the message, and the actual message. Note that the oldest data is overwritten, and not only by deleting the file pointers: the space previously occupied by these files is zeroed out, thus reducing the chances of forensic recovery. It is also possible, and I was a bit astonished and upset when I discovered it, to fly the drone without this memory, which can then be used as an anti-forensic technique.
49. These are all the data that can be extracted from both .DAT and .TXT. What do they allow us to do by aggregating all this information?
50. For example, show the flight path, with some statistics related to maximum altitude, speed, distance, etc.
51. Reconstructing entire sensor signals throughout the flight path. In this specific example the event "signal lost" is shown.
52. A list of all the events that occurred in a given time frame, with altitude and distance from the home point.
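The three plausibility checks of slide 46 (zeroed navigation subframe, GPS time disagreeing with the device clock, and a jump that would need an impossible ground speed) and the aggregation of slides 50 to 52 (maximum altitude, speed, distance, and events with altitude and distance from the home point) both work on the same sequence of position fixes, so one added example serves both passages. It is not DROP and not DJI's code: the record layout, the log contents (a short flight in Turin followed by a fix that suddenly claims to be in Sweden), the speed and clock-skew thresholds and the first-fix-is-home convention are all constructed for the demo.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    t: float                             # seconds since flight start
    lat: float
    lon: float
    alt_m: float
    event: Optional[str] = None          # e.g. "takeoff", "signal lost"
    subframe: bytes = b""                # raw navigation-message subframe, if exposed
    sat_time: Optional[float] = None     # time carried by the GPS signal (UTC seconds)
    device_time: Optional[float] = None  # the device's own clock at the same moment


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance; needed here because the spoofed jump spans countries."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# --- slide 46: plausibility checks on incoming fixes (thresholds are constructed defaults) ---
def spoof_indicators(fixes: List[Fix], max_speed_mps: float = 30.0,
                     max_clock_skew_s: float = 60.0) -> List[str]:
    """Return one message per suspicious observation; an empty list means nothing was flagged."""
    flags: List[str] = []
    for k, cur in enumerate(fixes):
        if cur.subframe and not any(cur.subframe):
            flags.append(f"t={cur.t:g}: navigation subframe is all zeros")
        if cur.sat_time is not None and cur.device_time is not None:
            skew = abs(cur.sat_time - cur.device_time)
            if skew > max_clock_skew_s:
                flags.append(f"t={cur.t:g}: GPS time differs from device clock by {skew:.0f} s")
        if k > 0:
            prev = fixes[k - 1]
            dt = cur.t - prev.t
            dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
            speed = dist / dt if dt > 0 else float("inf")
            if speed > max_speed_mps:
                flags.append(f"t={cur.t:g}: implausible ground speed {speed:.0f} m/s")
    return flags


# --- slides 50-52: aggregate statistics and event listing ---
@dataclass
class FlightSummary:
    max_alt_m: float
    max_speed_mps: float
    distance_m: float
    max_home_distance_m: float


def summarize(fixes: List[Fix]) -> FlightSummary:
    """Statistics over a (trusted) fix sequence; the first fix is taken as the home point."""
    home = fixes[0]
    max_speed = distance = max_home = 0.0
    for prev, cur in zip(fixes, fixes[1:]):
        step = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        distance += step
        dt = cur.t - prev.t
        if dt > 0:
            max_speed = max(max_speed, step / dt)
        max_home = max(max_home, haversine_m(home.lat, home.lon, cur.lat, cur.lon))
    return FlightSummary(max(f.alt_m for f in fixes), max_speed, distance, max_home)


def events_between(fixes: List[Fix], t0: float, t1: float) -> List[Tuple[float, str, float, float]]:
    """(time, event, altitude, distance from home) for every event in [t0, t1]."""
    home = fixes[0]
    return [(f.t, f.event, f.alt_m, haversine_m(home.lat, home.lon, f.lat, f.lon))
            for f in fixes if f.event and t0 <= f.t <= t1]


def sample_log() -> List[Fix]:
    """Constructed log: four honest fixes heading north at ~10 m/s, then one fix carrying a
    spoofed position (Italy to Sweden in one second), a zeroed subframe and a wrong time."""
    return [
        Fix(0, 45.07000, 7.6850, 0.0, "takeoff", b"\x8b\x01", 1000.0, 1000.0),
        Fix(1, 45.07009, 7.6850, 5.0, None, b"\x8b\x02", 1001.0, 1001.0),
        Fix(2, 45.07018, 7.6850, 10.0, None, b"\x8b\x03", 1002.0, 1002.0),
        Fix(3, 45.07027, 7.6850, 12.0, "signal lost", b"\x8b\x04", 1003.0, 1003.0),
        Fix(4, 59.33000, 18.0700, 12.0, None, b"\x00\x00\x00\x00", 2000.0, 1004.0),
    ]


if __name__ == "__main__":
    log = sample_log()
    print(spoof_indicators(log))            # three flags, all on the last fix
    print(summarize(log[:4]))               # honest part of the flight only
    print(events_between(log, 2.5, 3.5))    # the "signal lost" event
```

Running `summarize` over the whole log, spoofed fix included, would report a top speed of hundreds of kilometres per second, which is why the checks come first: statistics for a report should be computed only over fixes that passed them.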
53. Furthermore, by intersecting the gimbal data with the flight data and the events in which photos or videos were taken, it is possible to reconstruct what the operator was able to see and photograph, better than CSI. Now, while the .dat files remain stored exclusively on the internal memory of the drone and are not "shared", the .txt files on the phone are those that feed the statistics of the DJI pilot account, and they are uploaded in full even though only a small recap per flight is visible online. With all these details it is not difficult to understand the motivation of the US Army ban carried out in the summer of 2017.
54. Things of minor importance that I have not said before: the video feedback has no type of checksum, so we could potentially show any type of image on screen. Nyancat everywhere. Another thing: the drone is very sensitive to electromagnetic fields; in fact its compass system requires a calibration before the first flight and whenever there is a deviation from the standard values. From experience I can tell you that if you try, for example, to turn it on next to a fridge or large metal masses, the compass goes crazy and requires re-calibration.
55. OK, since we still have some time, I'll talk about the countermeasures that have been created to defend against drones: drone netting, or cannons that shoot nets at other drones to neutralize them; common weapons to shoot down drones; jamming of radio frequencies to make the operator lose control; electromagnetic pulses with the purpose of destroying the on-board hardware; hacking of the on-board controller; creation of no-fly zones on demand; laser and missile weapons. Keep in mind that almost none of these countermeasures is effective in the case of very tiny drones or drone swarms.
  56. This is an example of a drone developed to capture and neutralize another drone
57. Then they started training eagles. Keep in mind that eagles have an average life of 20 years, with only 10 years of mission. Well, after all, you will have a best friend.
  58. While a confetti gun can be another effective choice
59. Or a jet ski; now imagine the pain of the drone operator, 4k€ knocked down.
60. And this is what happens in reality: they hit drones with 3 million dollar missiles.
  61. Some references and useful links
62. And with this I end my talk. Are there any questions? Feel free to tweet me or send me an email if I do not have time to reply to everyone.