In 2013, DJI Drones quickly gained the reputation as the most stable platform for use in aerial photography and other fields. Since then Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on daily basis. As a result of that, Drones security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the security model and the security issues affecting the underlying technologies, including existing vulnerabilities in the radio signals, Wi-Fi, chipset, FPV system, GPS, app and SDK. As part of the presentation, we will discuss the architecture of one of the most famous and popular consumer drone products: the DJI Phantom 3. This model will be used to demonstrate each of the discovered security vulnerabilities, together with recommendations and mitigations.
A special focus will be on the recent changes and countermeasures DJI has applied to the firmware of its products in order to harden the security, following the recent accusations and the US Army ban. While the topic of hacking drones by faking GPS signals has been shared before at major security conferences in the past, this talk will extend these aspects to include geo-fencing and no fly zones abuses.
5. Agenda
• Drone Intro
• Vulnerability Research & Attack Vectors:
  o Radio/Wi-Fi
  o DJI GO (Android App)
  o Firmware
  o GPS
• Reverse Engineering:
  o SDK
• Forensics
14. Firmware V01.07.0090
• Nmap scan report for 192.168.1.1 - Controller
21/tcp open ftp vsftpd 3.0.2
22/tcp closed ssh
23/tcp closed telnet
2345/tcp open unknown
5678/tcp closed unknown
• Nmap scan report for 192.168.1.2 - Aircraft
21/tcp open ftp vsftpd 3.0.2
22/tcp filtered ssh
23/tcp filtered telnet
2345/tcp filtered unknown
5678/tcp open unknown
• Nmap scan report for 192.168.1.3 - Camera
21/tcp open ftp BusyBox ftpd
| Anonymous FTP login allowed
22/tcp open ssh OpenSSH 6.2
23/tcp open telnet BusyBox telnetd
2345/tcp filtered unknown
5678/tcp filtered unknown
15. Latest Firmware V1.09.0200
• Nmap scan report for Controller
21/tcp open ftp
2345/tcp open unknown
• Nmap scan report for Aircraft
21/tcp open ftp
5678/tcp open unknown
• Nmap scan report for Camera
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
16. Radio & Wi-Fi
• Aircraft & Controller: Wi-Fi 5.725GHz – 5.825GHz (NOT the Lightbridge protocol)
• Video Link: 2.400GHz – 2.483GHz
• WPA2 encryption
• Default SSID is derived from the MAC address of the remote controller: PHANTOM3_[6 last digits of MAC address].
• Default associated password is: 12341234
25. Road to Shell
• Now I have the password
• SSH & Telnet are filtered
• FTP is chrooted
Damn
26. Firmware
I tried to replace the firmware with a modified version, but the firmware has some checksum mechanism.
Damn^2
Strings on .bin matching for common strings like: password, private, key, :::, root and so on, looking for interesting stuff.
30. Services
• /etc/init.d/rcS
• /etc/init.d/rcS_ap
• /etc/init.d/rcS_aphand
• /etc/init.d/rcS_cli
These scripts run during the boot process; adding this line will start the telnet server:
telnetd -l /bin/ash &
32. SDK
By isolating specific instructions sent to the drone with Wireshark, we can implement a custom application that sends only very specific commands. These commands could include changing the Wi-Fi password or even resetting the Wi-Fi connection. This knowledge can be leveraged into a full drone takeover.
33. SDK
• DJI SDK Authentication Server
• DJI APP performs Activation Request
Crack the SDK Authentication Mechanism
37. Payload Structure
Source Type | Target Type | Seq # | Flags | CMD ID | Opt. bytes
02          | 06          | 4e00  | 40    | 06 12  | 540b
Source/Target Type values:
01: Camera
02: App
03: Fly Controller
04: Gimbal
06: Remote Controller
CMD ID (command set) values:
00: general command
01: special command
02: set camera
03: set fly controller
04: set gimbal
05: set battery
06: set remote controller
07: set wifi
38. GPS
• GPS signal for civilian usage is unencrypted.
• Replay Attack is the common GPS spoofing method.
Software: gps-sdr-sim
Hardware: HackRF One
Which functions are associated with GPS?
• No-fly zone
• Return to home
• Follow me
• Waypoint
39. GPS 101
Ephemeris Data
• GPS satellites transmit information about their location (current and predicted), timing and "health" via what is known as ephemeris data.
• This data is used by the GPS receivers to estimate location relative to the satellites and thus position on earth.
• Ephemeris data is considered good for up to 30 days (max).
46. Detect Fake GPS
• Validate the GPS sub-frame
• Validate the time between satellite time and real time on device
• Check the speed between point to point
48. DAT Structure
DROP (DRone Open source Parser) your drone: Forensic analysis of the DJI Phantom III
Devon R. Clark*, Christopher Meffert, Ibrahim Baggili, Frank Breitinger
49. Flight Data
• Photos & Video (GEO Tagging)
• Flight Stats (compass, battery, etc)
• Autopilot Data
• GPS Data (location of drone)
• Pitch, roll and yaw of Gimbal & aircraft
• No-fly zones
• User email addresses
• Last known home point
• Device serial number
61. Further Work
• Full network protocol analysis, maybe build a ground station through the SDK
• Binaries and services analysis and vulnerability research
• Finding some cool exploits
• Play with something more complex
62. Previous Work & References
• DJI Phantom 3
• DROP (DRone Open source Parser)
• dronesec.xyz
• How Can Drones Be Hacked?
• Defcon/Black Hat Drone/UAV Talks
• Drone vs Patriot
• GPS Spoofing
• Hak5 Parrot AR
• Skyjack
• Maldrone
• airdata.com
• DJI CRC16
• dex2jar
• Jadx
• JD-GUI
• GPS-SDR-SIM
• GPSpoof
• DJI No Fly Zone
Good afternoon everybody. Today I will talk about drones and their possible attack vectors. Hopefully it will be a nice trip; anyway, please fasten your seatbelts (break 1s)
Before I start, a big shout out to all the people that helped me with this research and who have followed me on various field trips for all the tests. Some of them prefer to remain anonymous and, you know, GDPR... That's why the black slide.
Let me introduce myself for a moment: I'm Paolo Stagno, on the internet I'm better known as voidsec. Do not be fooled by the picture, it makes me look a lot like a door-to-door salesman, but I can assure you that I'm a nerd like you; unfortunately it is the only decent photo that I have. Here you can also find some details and ways to contact me if you would like to ask me further questions (criticism and advice are also welcome). Since the beginning of my career I have mainly dealt with penetration tests and red teaming; now, at Doyensec, I have moved towards the research of new vulnerabilities and application security. My curiosity has always pushed me to disassemble the applications and hardware of our digital world in order to better understand how they work. I mainly focus on the offensive security sector because I have always considered it (feel free to contradict me) more interesting as a field of study than its counterpart. I also own a blog, voidsec.com, where I publish articles, vulnerabilities and the results of my studies and research.
I'm sorry, I know that some of you were waiting for this, but I will not speak about it during the talk.
While I will speak about drones in general, I will detail the infrastructure of the drone in question and then tell you its main attack vectors.
We will go through a bit of reverse engineering and forensics, and after the talk there will be a small Q & A session.
Since their first introduction in the consumer market we have seen drones used in the following sectors. Law enforcement: drones used for border control, patrolling, crowd control. Search for missing people in case of natural disasters.
A beautiful project that sees drones as portable defibrillators.
They were used by various companies to check the status of energy production plants and areas difficult for a man to reach (bridges, large infrastructures); forest fire control, statistics on flora.
Unfortunately, in 2017 in Syria and Iraq, ISIS used modified versions of small commercial drones capable of dropping explosive projectiles.
Obviously they were also used for all the creative ideas of aerial photos/videos.
Personally I used drones during red team engagements in order to map the physical accesses of a big factory and, equipped with a Pineapple, to map Wi-Fi hotspots.
In this panorama, a Chinese company, DJI, quickly gained fame and reputation as the most stable aerial platform for filming. What you see in the slide is the DJI Phantom 3, the product on which all my research and this talk are based. You can see the main body of the drone, its controller (or ground station) and other equipment.
These are some of the key points of this version:
• It weighs 1.2 kg including battery (800 g drone, 400 g battery)
• Able to fly easily enough with a payload of another 400 g
• 500 m maximum range in open field
• It has an autonomy of 20-25 min (depending on weather conditions)
• Its maximum speed is 16 m/s (~57 km/h)
I mentioned it earlier, it is an excellent aerial platform for the stability of its shots.
I'm joking, this is the video feedback of a race drone
this is the video footage of a day on the sea and with a little wind.
If you pay special attention to a certain point there is even a seagull passing by
While these are photos in different type of weather, sun and wind conditions.
Piazza Vittorio (left corner) in Turin, Italy (my home town)
Hastings, UK in the middle
And the beautiful Superga
Now I will introduce you to the drone architecture and its components.
Despite all these technological components, the drone is not equipped with a system able to detect obstacles (which was then integrated into the next version) and it is therefore possible to safely operate it only in an open field or in line of sight.
The first thing I did was to try to understand its network scheme.
Basically, the ground controller acts as an access point for the drone and the camera (which is separate from the aircraft); I think it was done to ensure that video feedback cannot interfere with the flight.
The use of the application on a mobile phone is optional.
As you can see, this is the list of the exposed services within the network that I showed you before. Basically I have a flying FTP server.
Interesting services like SSH and telnet are filtered. FTP instead is always reachable and, in the case of the camera, it is possible to log in with the combination anonymous:anonymous. Port 5678 is used by the Android/iOS application.
In the latest version of the firmware, on the other hand, we can see that all the unnecessary services have been removed and they left only the core ones: specifically, the FTP server used to load the firmware, retrieve the flight logs and the media, and port 5678.
This hardening is meant to counter the illegal mod market (which allowed changes of maximum altitude, frequency changes and the removal of limitations such as NFZ).
Regarding the communication between the aircraft and the controller, a Wi-Fi connection is established for both the transport of flight data and the video stream to the application on the phone.
The drone does not use the Lightbridge protocol (a proprietary DJI protocol for long-distance streaming that is instead mounted on the more expensive models for professional use; it ensures greater stability and fluidity of long-range communications, allows full HD feedback, master and slave systems, etc.). The default SSID of the Wi-Fi network is derived from the MAC address of the remote controller, in the following format: Phantom3_[the last 6 digits of the MAC address]. The default password for the network is the evergreen strong password 12341234.
Obviously, drones are not exempt from the most classic Wi-Fi attacks; in particular we have predefined behaviours for the case of a de-authentication attack (forcing the disconnection of the phone or controller from the drone). In the event that the phone is disconnected nothing happens: the ground controller has the priority and it can continue to drive the drone.
As for the controller, if disconnected, the automatic Return to Home is triggered. RTH consists in bringing the drone to a predetermined altitude (default 30 m) and flying in a straight line to the last GPS point set as home point (obviously this is not possible without the use of GPS). If we then try to add a new device to an existing network, the aircraft maintains a queue of devices, thus leaving priority to the first connected phone. When the connection to the first device is interrupted, the second device can connect (and exploit all the features of the app: video feedback, RTH, landing and, in case, SDK navigation). The ground controller still maintains the priority on commands, but it makes the whole thing less manageable.
Speaking about Wi-Fi attacks:
The network cannot be downgraded to WEP from aircraft settings and there is no WPS support.
It is vulnerable to the standard WPA2 4-way handshake brute force.
Since, as we will see later, the system is based on OpenWRT and DJI never released a firmware update after the KRACK advisory, it is also vulnerable to KRACK (I would like to remind you that KRACK does not allow recovering the plaintext pre-shared password).
Using Fluxion and a good dictionary, it is a matter of minutes to recover the pre-shared password.
Here my path to get a shell on the aircraft's system started. In summary: I found some open and some filtered services for which I do not have the credentials. The first thing that came to my mind was to explore the application that DJI provides for video feedback and other assisted controls.
Here a small digression: the Phantom 3 and later models provide a geofencing system, an in-built no-fly zone list.
No-fly zones are, as shown in the image, virtual fences with a specific diameter which the drone cannot fly in. This makes it possible to exclude some locations like airports from drone flight.
Specifically, DJI makes available to its pilots a map where you can see, country by country, the NFZs in the area.
Warning Zones (green zones): users will be prompted with a warning message. Example: a protected wildlife area.
Authorization Zones (yellow ones): users will be prompted with a warning and flight is limited by default. Authorization Zones may be unlocked using a DJI verified account. Example: model aircraft flying at an airport.
Restricted Zones (red zones): users will be prompted with a warning message and flight is prevented. Example: Washington D.C.
The main problem, as I mentioned before, is that if there is no GPS coverage then the drone is not aware of its position and it can freely enter an NFZ area. In the case of ATT mode but with GPS fix the drone refuses to fly inside.
In order to update NFZs that are stored in the firmware as in case of temporary events or new locations, DJI is able to push NFZ during the mobile app updates.
This is an example of NFZ in an update:
In blue, info regarding the NFZ position and radius
In red the NFZ type, in this case since it is a stadium, the flight is not permitted
In violet the info regarding the expiration time for temporary NFZ
In green the name of the NFZ and the city where the NFZ is present
The main problem arises since the app's resources are not signed and therefore editable. So we can invalidate the introduction of these new NFZs.
Continuing the diving inside the app I found this configuration file with the root password of the aircraft.
You know, Chinese products…
(The password for previous models was only digits, so they are trying to improve)
Perfect I tell myself, I have the root password!
Yeah, too bad: SSH and Telnet are filtered and the FTP service is restricted to a single folder, so I cannot navigate the filesystem.
Ok, so I tried some simple firmware replacement attacks, but there must be some checksum mechanism that prevents me from replacing it. Since doing the firmware analysis would have been a long process, and I am lazy, I preferred to perform some preliminary analysis; for example I tried to grep for simple keywords and I was able to extract hashes of other users.
Cracking Time
ftp:admin999
default:"blank"
anonymous:anonymous
Then I thought that some of the countermeasures such as the restricted ftp could have been introduced in later updates.
It is not documented, but I found that if you keep the small three lines in the app pressed, you can access a menu from which you can downgrade the firmware.
By downgrading the firmware to its previous version, the FTP service was no longer limited and as root I had access to the entire filesystem, of which I then made a copy and started its analysis.
Specifically, the system used by DJI is a fork of OpenWRT 14.07 "Barrier Breaker"; it's full of custom binaries.
I then found the following scripts that run at boot time. The first file maintains the configurations and, adding the following command (telnetd -l /bin/ash), I reactivated telnet, to which I could finally connect.
Finally ROOT! Great, but my path was not finished yet: we have a third element of the DJI package that until now I have not considered as an attack vector.
Sad story: the first time I tried to compile it, I received 11k warnings and errors; in the end I made it work. The main idea of the SDK as an attack vector was to isolate specific instructions sent to the drone, monitoring the communication with Wireshark; I would like to implement a custom application that could send specific commands (e.g. association with another Wi-Fi) to get a full takeover.
The SDK has an "unlock" mechanism: it is necessary to have a DJI account and request an API.
Fortunately, in the versions prior to the last release it was enough to modify (with a Java bytecode editor) the authentication request mechanism and directly set a variable as unlocked.
This is the communication flow between the app and the drone. I have filtered out all the UDP traffic, which is video feedback.
DJI uses a proprietary TCP-based protocol for flight controls, so I started to do some reverse engineering. Fortunately it is very similar to the protocol used for previous versions of the Phantom, so some fields had already been identified by the community.
The header is made from the first byte, which is a protocol magic number; then the total length of the packet (header + payload); the protocol version; and a custom DJI checksum derived from hardcoded values (that I retrieved from the SDK).
Here you can see the payload structure:
00: getting the version, setting dates, pinging, retrieving some device info
01: firmware updates
02: to set camera modes and settings
03: status of the battery, motors, setting fly forbid areas
04: gimbal command set
05: Retrieving the history log and features of the battery
06: remote controller command set
07: Wifi signal status, getting and setting SSID
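As an added example (not the author's code nor DJI's), the payload layout from the Payload Structure slide decoded in Python, with a small defender-side audit over a decoded command stream. The little-endian sequence number, the split of the slide's "CMD ID" column into a command-set byte and a command-id byte, and the audit policy are assumptions.

```python
import struct
from dataclasses import dataclass

# Device types and command sets exactly as listed on the "Payload Structure" slide.
DEVICE_TYPES = {0x01: "Camera", 0x02: "App", 0x03: "Fly Controller",
                0x04: "Gimbal", 0x06: "Remote Controller"}
CMD_SETS = {0x00: "general command", 0x01: "special command", 0x02: "set camera",
            0x03: "set fly controller", 0x04: "set gimbal", 0x05: "set battery",
            0x06: "set remote controller", 0x07: "set wifi"}

# Assumed layout (not confirmed by the talk): 2-byte little-endian sequence number,
# and the slide's "CMD ID" column holding a command-set byte then a command-id byte.
PAYLOAD_FMT = "<BBHBBB"
PAYLOAD_FIXED_LEN = struct.calcsize(PAYLOAD_FMT)  # 7 bytes before the optional bytes


@dataclass
class Payload:
    source: int
    target: int
    seq: int
    flags: int
    cmd_set: int
    cmd_id: int
    opt: bytes = b""

    def describe(self) -> str:
        """Human-readable one-liner, e.g. for a capture review or an alert."""
        src = DEVICE_TYPES.get(self.source, f"unknown(0x{self.source:02x})")
        dst = DEVICE_TYPES.get(self.target, f"unknown(0x{self.target:02x})")
        cset = CMD_SETS.get(self.cmd_set, f"unknown(0x{self.cmd_set:02x})")
        return (f"{src} -> {dst} seq={self.seq} flags=0x{self.flags:02x} "
                f"[{cset}] cmd=0x{self.cmd_id:02x} opt={self.opt.hex() or '-'}")


def parse_payload(data: bytes) -> Payload:
    """Decode the payload that follows the DJI header (magic, length, version, checksum)."""
    if len(data) < PAYLOAD_FIXED_LEN:
        raise ValueError(f"payload too short: {len(data)} bytes")
    fields = struct.unpack_from(PAYLOAD_FMT, data)
    return Payload(*fields, opt=bytes(data[PAYLOAD_FIXED_LEN:]))


def build_payload(p: Payload) -> bytes:
    """Inverse of parse_payload; used here only to construct sample traffic."""
    return struct.pack(PAYLOAD_FMT, p.source, p.target, p.seq, p.flags,
                       p.cmd_set, p.cmd_id) + p.opt


def audit(payloads) -> list:
    """Defender-side review of a decoded command stream (assumed policy, not DJI's):
    - every 'set wifi' command is reported, because Wi-Fi reconfiguration is the
      primitive the talk describes for a takeover through a rogue SDK application;
    - a sequence number that goes backwards for a given source type suggests a
      second sender impersonating that source (16-bit wrap-around is tolerated)."""
    alerts, last_seq = [], {}
    for p in payloads:
        if p.cmd_set == 0x07:
            alerts.append(f"wifi reconfiguration: {p.describe()}")
        prev = last_seq.get(p.source)
        if prev is not None:
            delta = (p.seq - prev) & 0xFFFF
            if delta == 0 or delta > 0x8000:
                alerts.append(f"sequence regression {prev}->{p.seq}: {p.describe()}")
        last_seq[p.source] = p.seq
    return alerts


if __name__ == "__main__":
    # Sample bytes from the slide: 02 06 4e00 40 06 12 540b
    slide = parse_payload(bytes.fromhex("02064e00400612540b"))
    print(slide.describe())
    # Constructed stream: the slide's command, then a Wi-Fi change, then a packet
    # whose sequence number jumps back (as a second sender would produce).
    stream = [slide, Payload(0x02, 0x03, 79, 0x40, 0x07, 0x01),
              Payload(0x02, 0x03, 5, 0x40, 0x00, 0x01)]
    for line in audit(parse_payload(build_payload(p)) for p in stream):
        print("ALERT", line)
```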
GPS was the attack vector on which I focused most, mainly because it is completely remote: it does not have as a prerequisite the access to the network of the drone. Furthermore, it is the most "common" method to hijack a civil drone, as GPS signals are not encrypted. Speaking of GPS attacks, the most common way is the replay attack, where a previously recorded signal is sent. I used the HackRF, which is kind of "cheap" (~300 €) compared to other devices.
It also has a small problem, since its internal clock is not precise enough for GPS replaying. I needed to buy an external clock for this attack.
To generate our signal we need to download basic data called ephemeris data. It contains information about the location (current and future) of a satellite. It is used by the receivers to calculate the estimated position of the satellites and therefore their own position on earth.
This is the result of the GPS spoofing: the device thinks I am in Turkey.
I would like to point out that the time information is also contained within the spoofed signal. So, we can spoof space and time.
The drone was in Turin, but I was spoofing the location of the White House, which, surprisingly, is also a no-fly zone.
If I try to fly:
That's the error message that I get back!
Funny thing, DJI thinks that the White House is a Nuclear Power Plant.
If we spoof an NFZ the drone cannot take off.
If the drone is at a forbidden location and we give it a fake position via GPS spoofing, it will be unlocked and able to fly.
Since we are spoofing a no-fly zone, the flying drone is forced to land. The video is sped up, since with my setup this attack would take ~10 min or more.
This is the schema that can be used (with the right hardware equipment) to perform a complete takeover.
The real drone position is on the green mark.
A de-authentication attack is performed in order to trigger the RTH functionality. At the same time a GPS spoof attack is started.
Now the drone believes it is on the red marker and tries to fly home. Well, it is actually flying much farther away, where it can be captured/shot down.
How can we notice a GPS attack?
We can validate the GPS packet subframe of the data we are receiving: as you can see in red, the subframe of a signal we are spoofing is all set to zero.
We can also validate the time received against the time set on the device.
We can validate the time spent travelling between two different GPS positions. For example, it is impossible to change your location from Sweden to Italy in one second.
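The three checks above, implemented as an added example (not part of the talk) over constructed fixes. The speed limit is the 16 m/s figure from the talk, while the margin, the clock tolerance, the sample coordinates and the sample subframe bytes are assumptions.

```python
import math
from dataclasses import dataclass

# Plausibility limits. 16 m/s is the Phantom 3 top speed given in the talk;
# the margin and the clock tolerance are assumed operating parameters.
MAX_SPEED_MPS = 16.0
SPEED_MARGIN = 2.0           # allow wind and position jitter before alerting
MAX_CLOCK_SKEW_S = 30.0      # satellite time vs. device clock
EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    lat: float        # degrees
    lon: float        # degrees
    sat_time: float   # time carried by the GPS signal (unix seconds)
    dev_time: float   # device clock when the fix was received (unix seconds)
    subframe: bytes   # raw navigation subframe as received


def subframe_is_empty(subframe: bytes) -> bool:
    """Check 1: the spoofed signal in the talk carried a subframe set entirely to zero."""
    return len(subframe) == 0 or not any(subframe)


def clock_skew_s(fix: Fix) -> float:
    """Check 2: satellite time and the device's own clock should agree closely."""
    return abs(fix.sat_time - fix.dev_time)


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def implied_speed_mps(a: Fix, b: Fix) -> float:
    """Check 3: speed needed to travel from fix a to fix b in the elapsed satellite time.
    Non-positive elapsed time (time running backwards) is itself impossible."""
    dt = b.sat_time - a.sat_time
    if dt <= 0:
        return math.inf
    return haversine_m(a.lat, a.lon, b.lat, b.lon) / dt


def assess(fixes) -> list:
    """Run the three checks over a sequence of fixes and return the reasons found."""
    reasons = []
    for i, f in enumerate(fixes):
        if subframe_is_empty(f.subframe):
            reasons.append(f"fix {i}: navigation subframe is all zero")
        skew = clock_skew_s(f)
        if skew > MAX_CLOCK_SKEW_S:
            reasons.append(f"fix {i}: satellite time differs from device clock by {skew:.0f}s")
        if i > 0:
            v = implied_speed_mps(fixes[i - 1], f)
            if v > MAX_SPEED_MPS * SPEED_MARGIN:
                reasons.append(f"fix {i}: implied speed {v:.0f} m/s exceeds the aircraft limit")
    return reasons


# Constructed sample: two genuine fixes in Turin 1 s apart (about 10 m), then a replayed
# signal placing the aircraft at the White House with stale time and an empty subframe.
T0 = 1_700_000_000.0
GENUINE_SUBFRAME = bytes.fromhex("8b00000000") + bytes(25)   # constructed, non-zero
SAMPLE_FIXES = [
    Fix(45.0703, 7.6869, T0, T0, GENUINE_SUBFRAME),
    Fix(45.07039, 7.6869, T0 + 1, T0 + 1, GENUINE_SUBFRAME),
    Fix(38.8977, -77.0365, T0 + 2 - 3600, T0 + 2, bytes(30)),
]

if __name__ == "__main__":
    for reason in assess(SAMPLE_FIXES):
        print("SUSPECT", reason)
```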
With the increasing number of incidents, we now talk about forensic artefacts and where to find them. On the DJI Phantom 3, useful artefacts are present in 3 locations:
• Camera on gimbal: media files, images and videos
• .TXT file on the mobile application
• .DAT file in a memory (undocumented) present on the motherboard (a real aircraft black box/flight recorder)
The proprietary files are structured like this; a great job has already been done to create a tool called DROP (Drone Open Source Parser), the link is in the reference slides.
This is the structure of the .DAT files present on the black box, a bit like the SDK packet structure: there is a magic byte, the indication of which specific component has issued the message and the actual message.
Note that the oldest data is overwritten, and not only by deleting the file pointers: the space previously occupied by these files is zeroed out, thus reducing the chances of forensic recovery.
It is also possible, and I was a bit astonished and upset when I discovered it, to fly the drone without this memory, which can then be used as an anti-forensic technique.
These are all the data that can be extracted from both .DAT and .TXT.
What do they allow us to do by aggregating all this information?
For example, show the flight path, with some statistics related to maximum altitude, speed, distance, etc.
Reconstructing entire sensor signals throughout the flight path; in this specific example the event "signal lost" is shown.
A list of all the events that occurred in a given time frame, with altitude and distance from the home point.
Furthermore, by intersecting the gimbal data with the flight data and the events in which photos or videos were taken, it is possible to reconstruct what the operator was able to see and photograph, better than CSI.
Now, while the .DAT files remain stored exclusively on the internal memory of the drone and are not "shared", the .TXT files on the phone are those that feed the statistics of the DJI pilot account and are uploaded in full, even though only a small recap per flight is visible online.
With all these details it is not difficult to understand the motivation of the US Army ban carried out in the summer of 2017.
Things of minor importance that I have not previously said: the video feedback has no type of checksum, so we could potentially show any type of image on screen. Nyancat everywhere.
Another thing: the drone is very sensitive to electromagnetic fields; in fact its compass system requires a calibration before the first flight and whenever there is a deviation from the standard values. From experience I can tell you that if you try, for example, to turn it on next to a fridge or large metal masses the compass goes crazy and requires re-calibration.
Ok, since we still have some time, I'll talk about drone countermeasures that have been created to defend against drones:
Drone netting, or cannons that shoot nets at other drones to neutralize them.
Common weapons to shoot down drones
Jamming of radio frequencies to make the operator lose control
Electromagnetic pulses with the purpose of destroying the on-board hardware
Hacking of the on-board controller
Creation of no fly zone on demand
Laser and missile weapons
Keep in mind that almost none of these countermeasures is effective in the case of very tiny drones or drone swarms
This is an example of a drone developed to capture and neutralize another drone
Then they started training eagles
Keep in mind that eagles have an average life of 20 years, with only 10 years of mission.
Well, after all, you will have a best friend.
While a confetti gun can be another effective choice
Or a jet ski; now imagine the pain of the drone operator, 4k€ knocked down.
And this is what happens in reality: they hit the drones with 3 million dollar missiles.
Some references and useful links
And with this I end my talk. Are there any questions?
Feel free to tweet me or send me an email if I do not have time to reply to everyone