Writing Secure Mobile Apps for Drones
•Download as PPTX, PDF•
2 likes•2,103 views
Writing Secure Mobile Apps for Drones
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Similar to Writing Secure Mobile Apps for Drones
Similar to Writing Secure Mobile Apps for Drones (20)
More from Godfrey Nolan
More from Godfrey Nolan (20)
Recently uploaded
Recently uploaded (20)
Writing Secure Mobile Apps for Drones
- 1. Writing Secure Mobile Apps for Drones Godfrey Nolan
- 2. Presentation Overview • How to hack a drone • Famous Drone Hacks • Mobile Apps • Manufacturer’s SDKs • Top 10 Mobile Security Risks • Best Practices • Resources 9/11/2017 Writing Secure Mobile Apps 2
- 3. 01. How to hack a drone
- 4. How to hack a drone • Connect via wifi (ssh/telnet) 9/11/2017 Writing Secure Mobile Apps 4
- 5. How to hack a drone • Connect via wifi (ssh/telnet) • Using RF (GNU Radio/Hack RF) 9/11/2017 Writing Secure Mobile Apps 5
- 6. How to hack a drone • Connect via wifi (ssh/telnet) • Using RF (GNU Radio/Hack RF) • Hijack Video 9/11/2017 Writing Secure Mobile Apps 6
- 7. How to hack a drone • Connect via wifi (ssh/telnet) • Using RF (GNU Radio/Hack RF) • Hijack Video • Physical attack 9/11/2017 Writing Secure Mobile Apps 7
- 8. How to hack a drone • Connect via wifi (ssh/telnet) • Using RF (GNU Radio/Hack RF) • Hijack Video • Physical Attack • Jamming 9/11/2017 Writing Secure Mobile Apps 8
- 9. How to hack a drone • Connect via wifi (ssh/telnet) • Using RF (GNU Radio/Hack RF) • Hijack Video • Physical Attack • Jamming • Mobile apps 9/11/2017 Writing Secure Mobile Apps 9
- 11. Some (relatively) famous drone hacks 9/11/2017 Writing Secure Mobile Apps 11
- 12. Some (relatively) famous drone hacks 9/11/2017 Writing Secure Mobile Apps 12
- 13. Some (relatively) famous drone hacks 9/11/2017 Writing Secure Mobile Apps 13
- 14. 03. Mobile apps
- 15. Mobile Apps 9/11/2017 Writing Secure Mobile Apps 15
- 16. Mobile apps 9/11/2017 Writing Secure Mobile Apps 16
- 18. Manufacturer’s SDKs 9/11/2017 Writing Secure Mobile Apps 18
- 19. Manufacturer’s SDKs 9/11/2017 Writing Secure Mobile Apps 19
- 20. 05. Top 10 Mobile Security Risks
- 21. OWASP Top 10 Mobile Security Risks • M1 - Improper Platform Usage • M2 - Insecure Data Storage • M3 - Insecure Communication • M4 - Insecure Authentication • M5 - Insecure Cryptography • M6 – Insecure Authorization • M7 – Poor Code Quality • M8 – Code Tampering • M9 – Reverse Engineering • M10 – Extraneous Functionality 9/11/2017 Writing Secure Mobile Apps 21
- 22. OWASP Top 10 Mobile Security (for Drones) • M1 - Improper Platform Usage • M2 - Insecure Data Storage • M3 - Insecure Communication • M4 - Insecure Authentication • M5 - Insecure Cryptography • M6 – Insecure Authorization • M7 – Poor Code Quality • M8 – Code Tampering • M9 – Reverse Engineering • M10 – Extraneous Functionality 9/11/2017 Writing Secure Mobile Apps 22
- 23. M2 – Insecure Data Storage 9/11/2017 Writing Secure Mobile Apps 23
- 24. M2 – Insecure Data Storage 9/11/2017 Writing Secure Mobile Apps 24
- 25. M2 – Insecure Data Storage 9/11/2017 Writing Secure Mobile Apps 25 • Don’t store passwords, SSNs etc. • Use multi-factor authentication • Client and Server side access control • "Sensitive data should be encrypted and very sensitive data should be stored on server" - Zapata
- 26. M3 – Insecure Communication 9/11/2017 Writing Secure Mobile Apps 26
- 27. M3 – Insecure Communication 9/11/2017 Writing Secure Mobile Apps 27
- 28. M5 – Insecure Cryptography 9/11/2017 Writing Secure Mobile Apps 28
- 29. M6 – Insecure Authorization 9/11/2017 Writing Secure Mobile Apps 29
- 30. M9 – Reverse Engineering 9/11/2017 Writing Secure Mobile Apps 30
- 31. M9 – Reverse Engineering 9/11/2017 Writing Secure Mobile Apps 31
- 32. Jailbreaking & Rooting 9/11/2017 Writing Secure Mobile Apps 32
- 33. Jailbreaking & Rooting 9/11/2017 Writing Secure Mobile Apps 33
- 35. Best Practices • Don’t store any sensitive user info locally • No hard coding API keys • Use SSL pinning and SafetyNet API • Expire sessions • Trust but verify • Turn on obfuscation 9/11/2017 Writing Secure Mobile Apps 35
- 36. 07. Good News Bad News
- 37. Good News • Google and Apple are starting to help • SafetyNet checks that a phone is rooted 9/11/2017 Writing Secure Mobile Apps 37
- 38. Good News 9/11/2017 Writing Secure Mobile Apps 38
- 39. Bad News • Tools are still evolving 9/11/2017 Writing Secure Mobile Apps 39
- 42. Q&A • godfrey@riis.com • @godfreynolan • riis.com/blog • slides.com/godfreynolan 9/11/2017 Writing Secure Mobile Apps 42
Editor's Notes
- Connect via Wifi (ssh/telnet) Using RF (Gnu Radio/ HackRF) Eagles GPS (confuse drones)
- Looking for the weakest link
- Cheap NTSC screen can sometimes pick up drone video if you’re close enough
- And then there’s a straightforward physical attack, whether that’s an eagle, a gun shooting it out of the air or your next door neighbors dog.
- Connect via Wifi (ssh/telnet) Using RF (Gnu Radio/ HackRF) Eagles GPS (confuse drones)
- 3dr Solo Root Password – ssh into Drone and kill processes till 3dr goes home
- Makezine Build a Wi-Fi Drone Disabler with Raspberry Pi
- Icarus box - Attacking DSMx with SDR
- But what I want to talk about is the last category we mentioned, namely mobile apps Manufacturer’s through their SKDs provide a whole ecosystem for developers to leverage
- Here’s a sample of some mobile apps, that are done by third parties using manufacturers SDKs Litchi for DJI, Solex for 3dr Solo, Precision Flight again and Skydrones for DJI They all offer something on top of DJI or 3dr Solo. There are lots of others. But I think even Litchi on it’s own has proved that there’s significant business here.
- So how to we create mobile apps that work with drones
- Put a developer before the domain name to find the web address. I’m sure there are more or look at the resources. Notable in its absence is the GoPro Karma drone.
- So how to we create mobile apps that work with drones
- There are 10 Risks but what it really boils down to are what static and dynamic information you have on the phone. By Static we mean what’s in the code – the APK or IPA – API keys etc. And by dynamic we mean what info is stored when someone uses the app. We’re also worried about the backend server, what’s in the cloud – video, images etc. - and how does it get there
- M2 - This covers insecure data storage and unintended data leakage. M3 – SSL – SSL IS BROKEN M5 – poor crypto – are you using symmetric keys – cos if you are someone can find them M6 – AWS again M7 – hard coding keys M9 – no obfuscation – I can see everything These are typically used together
- We’re talking about dynamic info here. If someone backs up your app on their phone they can see information similar to the above. Lots of databases, cached files and shared preferences. Be careful what you put here. Don’t put anything sensitive.
- We’re talking about dynamic info here. If someone backs up your app on their phone they can see information similar to the above. Lots of databases, cached files and shared preferences. Be careful what you put here. Don’t put anything sensitive.
- M2 - This covers insecure data storage and unintended data leakage. M3 – SSL – WHY IS SSL BROKEN M5 – poor crypto M6 – AWS M7 – hard coding keys M9 – no obfuscation – I can see everything These are typically used together
- We’re not listening to people in a coffee shop. We’re listening to the traffic from the phone to the back end server to see if we can hack the back end server.
- Talk about all the calls. SSL works using certificates, certificates are created by certificate authorities or CAs. Some years ago hackers stole root certificated from a CA and can now allow anyone to pretend to be someone they are not. Which means that SSL is broken and unless you take steps to fix it your https request and responses can be seen.
- This is an example from an old Delta app. Nothing to do with drones. But the point is still the same. If you’re going to encrypt your user data then make sure you’re not using symmetric keys. In other words you’re not putting the key in the iPhone or Android code as hackers will get it. Use asymmetric or public – private keys and leave the encryption key on the server.
- Finding where the data goes is usually just the first part of the hack. We can then look at the code and insecure data storage to gain access to the back end server. In this case we’re using the shared prefs data and the source code to get videos and images from where they’re stored on Amazon. Using a brute force attack you can guess the id’s for other users and see their videos too.
- Showing the precision flight app, using a tool called Jadx to reverse engineer the code. Much easier to see on Android than iOS.
- Litchi app is obfuscated so it’s harder to see.
- Works on iOS 10.2.x
- So how to we create mobile apps that work with drones
- So how to we create mobile apps that work with drones
- Apple are offering huge bug bounties which will disincetivse Pangu and the like to produce tools for Jailbreaking phones They’re much more likely to submit a bug bounty to Apple
- In the past we’ve had jadx, jd-gui, charles proxy that can decomoile or proxy apps. But there are new apps like Frida which will open up your app at the code level.
- So how to we create mobile apps that work with drones