2. Presentation Overview
• How to hack a drone
• Famous Drone Hacks
• Mobile Apps
• Manufacturer’s SDKs
• Top 10 Mobile Security Risks
• Best Practices
• Resources
9/11/2017 Writing Secure Mobile Apps 2
9. How to hack a drone
• Connect via Wi-Fi (ssh/telnet)
• Using RF (GNU Radio/HackRF)
• Hijack video
• Physical attack
• Jamming
• Mobile apps
23. M2 – Insecure Data Storage
• Don’t store passwords, SSNs etc.
• Use multi-factor authentication
• Client- and server-side access control
• "Sensitive data should be encrypted and very sensitive data should be stored on server" - Zapata
26. M3 – Insecure Communication
35. Best Practices
• Don’t store any sensitive user info locally
• No hard-coded API keys
• Use SSL pinning (pin the server's public key, and ship a backup pin so certificate rotation doesn't lock users out) and the SafetyNet API
• Expire sessions
• Trust but verify
• Turn on obfuscation (ProGuard on Android)
Connect via Wi-Fi (ssh/telnet)
Using RF (GNU Radio/HackRF)
Eagles
GPS (confuse drones)
Looking for the weakest link
A cheap NTSC screen can sometimes pick up the drone's analogue video feed if you're close enough.
And then there's a straightforward physical attack, whether that's an eagle, a gun shooting it out of the air or your next-door neighbor's dog.
3DR Solo root password: ssh into the drone and kill processes until the Solo gives up and returns home
Makezine: Build a Wi-Fi Drone Disabler with Raspberry Pi
Icarus box: attacking DSMx with SDR
But what I want to talk about is the last category we mentioned, namely mobile apps.
Manufacturers, through their SDKs, provide a whole ecosystem for developers to build on.
Here's a sample of mobile apps built by third parties on the manufacturers' SDKs:
Litchi for DJI, Solex for 3DR Solo, Precision Flight (again for DJI) and Skydrones for DJI.
They all offer something on top of what DJI or the 3DR Solo provide.
There are lots of others. But I think even Litchi on its own has proved that there's significant business here.
So how do we create mobile apps that work with drones?
Put "developer." in front of the manufacturer's domain name to find its SDK site. I'm sure there are more, or look at the resources.
Notable by its absence from that list is the GoPro Karma drone.
There are 10 risks, but what it really boils down to is the static and the dynamic information you have on the phone. By static we mean what's in the code, the APK or IPA: API keys and so on. By dynamic we mean what gets stored on the device when someone uses the app. We're also worried about the backend server, what's in the cloud (video, images etc.) and how it gets there.
M2 – Insecure Data Storage: this covers insecure data storage and unintended data leakage.
M3 – Insecure Communication: SSL, and why "SSL is broken" unless you pin (see the certificate discussion below).
M5 – Insufficient Cryptography: are you shipping a symmetric key inside the app? Because if you are, someone will find it.
M6 – Insecure Authorization: the AWS backend again.
M7 – hard-coded keys.
M9 – Reverse Engineering: no obfuscation, so I can see everything.
These are typically used together.
We're talking about dynamic information here. If someone backs up the app on their phone (adb backup on Android, an unencrypted iTunes backup on iOS) they can see information like the above: lots of databases, cached files and shared preferences. Be careful what you put there, and don't put anything sensitive.
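To make that concrete, here is an added example (not code from the talk or from any of the apps mentioned) that unpacks an adb backup and greps the app's shared_prefs and SQLite files for the kind of secrets listed above. The backup is built in memory from constructed data so it runs offline; the package name com.example.droneapp, the file and key names and the AWS-style key value are all hypothetical. On a real device the input comes from adb backup -f app.ab -noapk <package>.

```python
"""Unpack an 'adb backup' archive and flag secrets left in an app's private
storage (shared_prefs XML, SQLite rows, other files). Added example for this
talk, not the presenter's code; the backup is constructed in memory so it runs
offline, and the package, file and key names are hypothetical."""
import io, os, re, sqlite3, tarfile, tempfile, zlib
import xml.etree.ElementTree as ET

# What an attacker greps for in static (APK strings) and dynamic (backup) data.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_field": re.compile(r"(?i)\b(password|passwd|pwd)\b"),
    "token_field": re.compile(r"(?i)\b(auth_?token|api_?key|secret)\b"),
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b"),
}

def unpack_ab(blob):
    """adb backup = 4-line text header, then a zlib stream holding a tar
    archive (unless the user chose a backup password)."""
    magic, _version, compressed, encryption, payload = blob.split(b"\n", 4)
    if magic != b"ANDROID BACKUP":
        raise ValueError("not an adb backup file")
    if encryption != b"none":
        raise ValueError("encrypted backup: decrypt with the backup password first")
    data = zlib.decompress(payload) if compressed == b"1" else payload
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")

def scan_text(label, text, findings):
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((label, name, m.group(0)))

def scan_shared_prefs(label, xml_bytes, findings):
    """shared_prefs files look like <map><string name="k">v</string>...</map>."""
    for el in ET.fromstring(xml_bytes):
        key = el.get("name", "")
        value = (el.text or "") if el.tag == "string" else el.get("value", "")
        scan_text(f"{label}:{key}", f"{key}={value}", findings)

def scan_sqlite(label, db_bytes, findings):
    """Dump every table; scan each cell together with its column name."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dump.db")
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        try:
            for (table,) in list(con.execute("SELECT name FROM sqlite_master WHERE type='table'")):
                cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
                for row in con.execute(f'SELECT * FROM "{table}"'):
                    for col, cell in zip(cols, row):
                        scan_text(f"{label}:{table}.{col}", f"{col}={cell}", findings)
        finally:
            con.close()

def scan_backup(blob):
    """Return (file:field, pattern name, matched text) for every hit."""
    findings = []
    with unpack_ab(blob) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            parts = member.name.split("/")  # apps/<package>/<domain>/<file>
            domain = parts[2] if len(parts) > 3 else ""
            if domain == "sp":
                scan_shared_prefs(member.name, data, findings)
            elif domain == "db":
                scan_sqlite(member.name, data, findings)
            else:  # cached files and anything else in the app's private dir
                scan_text(member.name, data.decode("utf-8", "replace"), findings)
    return findings

def build_sample_backup():
    """Constructed fixture: what a careless drone app might leave behind."""
    prefs = (b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
             b'  <string name="username">pilot@example.com</string>\n'
             b'  <string name="password">hunter2</string>\n'
             b'  <string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>\n'
             b'  <int name="flight_count" value="12" />\n</map>\n')
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "flights.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE session(id INTEGER, auth_token TEXT, video_url TEXT)")
        con.execute("INSERT INTO session VALUES (1, ?, ?)",
                    ("eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoxMDAxfQ.abcdefghijklmnop",
                     "https://bucket.example/videos/1001/flight.mp4"))
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db = f.read()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in (("apps/com.example.droneapp/sp/prefs.xml", prefs),
                           ("apps/com.example.droneapp/db/flights.db", db)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Calling scan_backup(build_sample_backup()) returns four hits: the password and the AWS key id from shared_prefs, and the auth_token column (flagged once by name and once as a JWT) from the database. The defence on the app side is the M2 advice above: keep secrets off the device, and set android:allowBackup="false" in the manifest (or exclude the sensitive files) so adb backup doesn't hand the directory over in the first place.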
We're not eavesdropping on people in a coffee shop. We're looking at the traffic from our own phone to the backend server, with our own proxy in the middle, to see if we can attack the backend.
Talk about all the calls.
SSL works using certificates, and certificates are issued by certificate authorities (CAs). The phone trusts a long list of CAs, and any of them can issue a certificate for your domain: CAs have been compromised and used to issue fraudulent certificates (DigiNotar in 2011 is the best-known case), and an attacker testing your app simply installs their own CA on their own phone and routes the app through a proxy. In both cases the default certificate check passes. Which means that unless you take steps beyond default validation, your HTTPS requests and responses can be read and modified. Pinning is that step: the app carries a hash of your server's public key (SPKI) and rejects any certificate chain that doesn't contain it. Pin the key rather than the leaf certificate, and ship a backup pin, so that certificate renewal doesn't lock users out.
This is an example from an old Delta app. Nothing to do with drones, but the point is the same. If you're going to encrypt user data, don't embed a symmetric key in the iPhone or Android code, because anyone with the binary will extract it. Use asymmetric (public/private) keys: the app holds only the public key, which can only encrypt, and the private key that decrypts stays on the server.
Finding where the data goes is usually just the first part of the attack. We then look at the code and the insecurely stored data to get at the backend server. In this case we use the shared prefs data and the decompiled source to find where videos and images are stored on Amazon. The object ids are predictable, so a brute-force attack can guess other users' ids and see their videos too.
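Here is an added example (not the presenter's code and not any real app's backend) of the enumeration just described and of the server-side fix. The "bucket" is a constructed in-memory dictionary standing in for the storage service, and the secret, user ids and URLs are hypothetical. The fix shown, a short-lived URL signed by the server for exactly one object the caller owns, is the principle behind S3 pre-signed URLs: the app never holds bucket credentials, so there is nothing in shared_prefs to reuse.

```python
"""Predictable object ids plus client-held credentials let an attacker walk
other users' videos; a server-minted, time-limited signed URL per object does
not. Added example for this talk, not the presenter's code: the storage service
is a constructed in-memory stand-in, and the secret, ids and URLs are
hypothetical."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the bucket: object key -> owning user id.
BUCKET = {f"videos/{uid}/flight.mp4": uid for uid in (1001, 1002, 1003)}

# Lives only on the server, never in the APK/IPA (hypothetical value).
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"


def open_bucket_fetch(key):
    """Vulnerable backend: anyone who can name a key gets the object."""
    return 200 if key in BUCKET else 404


def enumerate_neighbours(fetch, my_id, radius):
    """Attacker's loop: start from my own id (read out of shared_prefs) and
    try the ids around it, keeping the ones that return 200."""
    hits = []
    for uid in range(my_id - radius, my_id + radius + 1):
        if fetch(f"videos/{uid}/flight.mp4") == 200:
            hits.append(uid)
    return hits


def issue_signed_url(caller_id, key, now, ttl=300):
    """Server side: sign a URL only for objects the caller owns. The app
    never holds bucket credentials, just this URL."""
    if BUCKET.get(key) != caller_id:
        return None  # a real API would answer 403 here
    expires = now + ttl
    sig = hmac.new(SERVER_SECRET, f"{key}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"https://storage.example/{key}?" + urlencode({"expires": expires, "sig": sig})


def signed_fetch(url, now):
    """Storage side: serve only if the signature covers this exact key and
    expiry, and the URL has not expired."""
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    query = parse_qs(parsed.query)
    try:
        expires, sig = int(query["expires"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return 403
    if now > expires:
        return 403
    expected = hmac.new(SERVER_SECRET, f"{key}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return 403
    return 200 if key in BUCKET else 404
```

Against open_bucket_fetch, enumerate_neighbours(open_bucket_fetch, 1002, 2) finds 1001, 1002 and 1003. With the signed scheme the same attacker gets a URL only for their own object; editing the id in the path or reusing the URL after it expires fails the HMAC or expiry check, because the signature binds both the key and the expiry, and compare_digest keeps the comparison constant-time.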
Here we show the Precision Flight app, decompiled with a tool called jadx. This is much easier on Android than on iOS.
The Litchi app is obfuscated, so it's harder to read.
Works on iOS 10.2.x
Apple is offering large bug bounties, which will disincentivise Pangu and the like from producing jailbreaking tools.
They're much more likely to submit the bug to Apple's bounty programme.
In the past we've had jadx, jd-gui and Charles Proxy, which decompile or proxy apps.
But there are newer tools like Frida, which instrument the running app so you can hook its functions and read or change what they see at the code level.