Hacking a Professional Drone

Preview:

Citation preview

SESSION ID:

#RSAC

Nils Rodday

Hacking a Professional Drone

HT-W03

IT Security Consultant

#RSAC

Goal

2

The goal of this talk is to give insights into the security of Unmanned Aerial Vehicles (UAVs) and to show that professional

UAVs are not as secure as one might think.

#RSAC

Agenda

3

Definition

Attack Vectors

The UAV

Attacks

Live Demonstration

Remediation

Impact

Lessons Learned

Q&A

#RSAC

Definition

4

Modelled after: R. Austin, Unmanned Aircraft Systems. UAVs Design, Development and Deployment

#RSAC

Example products – Physical attack vectors

5

©AP Photo/Francois Mori©Rapere

#RSAC

Example products – Logical attack vectors

6

Denial of Service

©Battelle

#RSAC

Mission statement

7

Take over the UAV

#RSAC

The UAV Under Investigation

8

#RSAC

The UAV – Specifications

9

25k – 30k €30k – 35k $

3kg Payload7lb Payload

30 – 45min Endurance

Advanced Features

Add-ons

#RSAC

10

The UAV

Remote Control

Not connected(two separate devices)

Telemetry Box

802.11 WiFi link (WEP)

XBee 868LP link

Video link

2.4 GhzRemote Control

link

Data flow

Data flow

GPS ReceiverData flow

©IEEE

#RSAC

11

The UAV – WiFi focus

802.11 WiFi link (WEP)

XBee 868LP link

Video link

2.4 GhzRemote Control

link

Data flow

Data flow

GPS ReceiverData flow

#RSAC

12

The UAV – WiFi attack

Original tablet

Communication route after attack

Original communication

route

Attacker's tablet

#RSAC

13

The UAV – XBee focus

802.11 WiFi link (WEP)

XBee 868LP link

Video link

2.4 GhzRemote Control

link

Data flow

Data flow

GPS ReceiverData flow

#RSAC

XBee – Chips

14

#RSAC

XBee – Using 3rd party hardware

15

Software Defined Radio (SDR)

#RSAC

XBee – Spectral analysis

16

#RSACXBee – Using XBee chip itself(Obtaining Connection Parameters)

17

0013A20040C6662C

18 * 10^18 tries(4.294.967.296 ^2)

0013A20040C6662C

16 * 10^6 tries(1 * 16.777.216)

0013A20040C6662C

42 * 10^8 tries(1 * 4.294.967.296)

#RSAC

XBee – Obtaining Connection Parameters

18

#RSAC

XBee – Reading the manual...

19

1. API mode

2. Broadcast

3. Remote AT Commands

It's not a bug, it's a feature

#RSAC

20

XBee – Man-in-the-Middle Attack

1. Broadcast3. Rem

ote AT Comm

and:Change DH + DL

5. Remote AT Com

mand:

Write

Communication route after attack

Original communication

route

Attacker

Tablet Remote Control UAV©IEEE

#RSAC

What´s next?

21

We can read/send data on the XBee channel.

But what does that data stream mean?

#RSAC

Decompilation of Android APK

22

#RSAC

Decompilation of Android APK

23

2457 49 46 49 XX XX XX

.

.

.

3687737073

paramByteparamByteparamByte

Decimal –> Hex

#RSAC

Example commands

24

24 57 49 46 49 89 89 89 (Start-Engines)

24 57 49 46 49 XX XX XX

24 57 49 46 49 58 58 58 (Auto-Takeoff)24 57 49 46 49 97 97 97 (Enable Autopilot)

#RSAC

Demonstration

25

#RSAC

Remediation – XBee onboard encryption

27

Secures Data ONLY on the XBee channel

Prevents Remote-AT-Commands

Mitigates Man-In-The-Middle

#RSAC

Remediation – Add. Hardware Encryption

28

Does NOT prevent Remote-AT-Commands

Does NOT mitigate Man-in-the-Middle

Ensures CONFIDENTIALITY

#RSAC

Remediation – Application-layer encryption

29

Does NOT prevent Remote-AT-Commands

Does NOT mitigate Man-in-the-Middle

Ensures CONFIDENTIALITY

#RSAC

Impact

30

Cost of attack: 40$

UAV is currently in use

Multiple manufacturers are using similarsetups

#RSAC

Lessons Learned

31

Use strongencryption

Alter passphrases

Test your product

#RSAC

Credits

32

Prof. Dr. Aiko Pras

Dr. Ricardo de O. Schmidt

Ruud Verbij

Matthieu Paques

Atul KumarAnnika Dahms

#RSAC

Contact Details

33

rodday@arcor.de

Nils Rodday

https://de.linkedin.com/in/nilsrodday

SESSION ID:

#RSAC

Nils Rodday

Hacking a Professional Drone

HT-W03

IT Security Consultant

#RSAC

Back-Up Slides

#RSAC

Back-Up – UAV Commands

36

#RSAC

References

37

Slide 04: Modelled after R. Austin. Unmanned Aircraft Systems. UAVs Design, Development and Deployment. Wiley, 2010. ISBN: 978-0-470-05819-0.

Slide 05: Photo credit to: Rapere

Slide 05: Photo credit to: AP Photo/Francois Mori

Slide 06: Photo credit to: Battelle

Slide 10 & 21: Photo credit to: 978-1-5090-0223-8/16/$31.00 © 2016 IEEE

Recommended