Believe It or Not: Wireless Walking on Air

Drones and Wireless Security

Wade TrappeSeptember 2018

Believe I or No : ireless Walking on Air

Drones and Wireless Security

l\µTGERS

WINLAB

UAVsu

~TGERS

WINLAB

UAVs change the wireless landscape and will have dramatic security implications

UAVs will come in a variety of sizes and

shapes, with a wide range of cyber-capabilities

– Tasks: environmental monitoring, item

delivery, recreation, etc.

– Use wireless for control

– Have the potential to cause physical harm

UAVs change the “wireless game”

– Require strict guarantees in

communication performance

– Have an elevated perspective that has

pros/cons

– Easy access by hobbyists

– Advanced “tactical” UAVs have quite

different security considerations (talk to

me offline!)

Drones are already commodity

technology:

– DJI Phantom, 3DR, etc…

easily accessible and

affordable

– Software kits available for app

development (e.g. 3DR’s

DroneKit API, DJI SDK)

UA V change th wi~ I land cape and ill hav dramatic ecurity implica ions

~TGERS

WINLAB

A Case Study illustrates the potential risks associated with UAV: Football Stadium

A recent Rutgers investigation into the use of

recreational drones near football arenas:

– Hobbyists try to fly drones over games to watch the

event

Safety: A crash can harm life and infrastructure

Revenue implications

– Sensors deployed around a stadium, with new

commercial software used to detect drones

Lessons learned:

– Most drone vendors use commodity wireless tech

(e.g. Wifi), and most detection uses “wireless” to find

the controller.

– Controller detection was usually successful within

30seconds, location within 150m about 80% of time.

– Detection performance is dependent upon

deployment “geometries”

– Having an up-to-date drone “RF” signature database

(MAC addresses, etc)

Pre-planned missions or many drones: Not easy to

detect need for other forms of drone detectionhttp://www.chicagotribune.com/sports/breaking/ct-spt-drones-theats-to-sports-stadiums-20180511-story.html#)

Legal limitations:

– The law limits what can be done

“to counteract” drones

– Can’t disarm or disable drones,

even if they would cause physical

harm

– FAA limitations are ignored by

hobbyists

– Concerns that anti-drone defense

systems (jammers) might impact

other societal systems

(navigation)

– Need to re-evaluate these limits

A Ca tudy illu trat th potential ri k as ociated ith UA V: Football tadium

~TGERS

WINLAB

It is relatively easy to pwn a drone… sort of.

In a separate study, Rutgers investigated the

susceptibility of commercial drones to simple,

cyber attacks

Goals:

– Analyze drone communications

– Understand attack vectors to control/disable

drone

Attack scenario:

– Laptop running Kali Linux

– Wireshark - packet capturer

– Aircrack-ng - wireless exploit suite

– 3DR Solo Drone

– Sololink - controller/drone wifi network

We were able to:

– Capture and replay packets (sent to the drone)

– Deauthenticate the drone

– Redirect the drone with the DroneKit API

Good news: Deauth on the drone did not lead to

a crash… drone hovers but does not have a

controlled descent.

I a y

~TGERS

n n

Run initial deauthentication to chec functionality

,1,

Stop deauthenticatlon & load sc ·pt to make drone

Ry to a set location

,. Contin e

deauthentication to prevent manual

override

2 e.oe35'82125 o.a e.o 255 255 255 2'5 3 8 .28228811• Senaottet_Sd .68 :dc Broadcast 4 7 8835411520 18 1 1 1 10 1 1 lOt'I

6 7 bOJ5977..iS 10 1 1 1 10 1 1 106

1011.1

1(:1,11.1

ltl Iii 11;!9320289 10.1 l.l 17 8 2i131&8222 18.1.1.1 1ee 3883'4a2611 10.11.1 1g 8 •Q0261JgJ 10.1 1 1 298.551861!il373 19.11-1 21 a eae3801os 10.1.1 1 22a eoaeg11" 1011.1

10 1 1 108

10 1 1 1

10 1,1 lOtl 10 1 1.106 10 1 1 1ee 10 1.1 l&e 18 11100 H> 1.1.18e 10 11 106

OHCP -""' lJOf'

UOP

UOr

0 of.

------CJ==-_·) Eiqnnlo11-

340 Ot1CP Request - frensacuon 10 8•1• 5305a •2~o hn 18.11.1~ Tell 18 1 . 1 .10

1223 523HI - 1"5'8 Len•ll81

1307 S2316 - 145~ Ll!n=12t.5

4~8 23UI - 14S~ Len,.JQtl

43cl tt2Jltl - 1455G LenoJQl;I 836 523115 - 1"558 Len•5!14 707 52318 - 14558 Lensl5155 638 523UI - 14558 Len•5Q• 1553 523115 - 1'1558 Len•l511 834 523115 - 1'1558 Len•7Q2 83• 52318 - 14558 Len•7g2

• Fr111e 1: 328 bytes on wue (2624 blts), 328 bytes uptured (2624 b1ts) on 1nterhte 8 • Ethernet IL Srt: senaoNet_Sd 60:dt (88:dc:1>6·3d:68:dt). Ott: eroadcnt (ff:ff ff·ff:ff : ff) • Internet P rototol ',,trsi.on 4, Srt: 8.8 8.8, Ost . 255.255.255.ffl • user D.cagr1111 l"rototol , Srt Pore: 68, Ost Port 67 • Bootstrap Prototol (Dntover)

ff ff ff ff ff ff 88 de 96 3d 60 dt ee oo 45 oo B~OOOOOOOO~ll~MOOOOOOOOHH ff ff 00 44 00 43 81 26 gt, 3d 01 01 ~ 00 11 f5 ~~-------••0000000000 ea oa ee oo oo eo ea dt 96 3d 60 dt oe oo oo oo 00000000000000000000000000000000 0000000000•00•0000000000000000 00000000000000000000000000000000

e 7 ~oneSUttupRHpOnu

.• , . y • o.c .

ez ..

E.

Px~lt 47 0ispl¥d: 47 (100.M) Lo.:ltmt: 0:0.1 Profile: Oe!M.Jll

WINLAB

Elevated implications on spectrum: a double-edged sword

UAVs are an elevated platform

– Able to receive RF signals from “further away”

– Able to transmit RF and impact receivers “further away”

Simple line of sight arguments imply a larger RF footprint/ radio

horizon for a drone

– Larger L1 interference footprint

– Larger L2 (MAC-layer) impact– think carrier sensing

– Larger L3 impact (everything is the drone’s neighbor)

The good:

– UAVs as mobile, emergency cellular basestations

– UAVs as repeater (bridge between two non-line-of-sight RX)

– Enhanced spectrum sensing (needs more research on signal

separation, spectrum cartography!)

The bad:

– But what about a rogue, software-based LTE basestation (e.g.

OpenAir LTE)?

– Jammers…

WINLAB spectrum sensing on a

drone

• GPS + RF SDR dongle

• Problems with weight, GPS

stability

Picture from Wikipedia

Elevated implication on pectrum. a doubl - dg d ord

~TGERS

"Any opinions, findings, conclusions or recommendations

expressed in this material are those of the author(s) and do not

necessarily reflect the views of the Networking and Information

Technology Research and Development Program."

The Networking and Information Technology Research and Development

(NITRD) Program

Mailing Address: NCO/NITRD, 2415 Eisenhower Avenue, Alexandria, VA 22314

Physical Address: 490 L'Enfant Plaza SW, Suite 8001, Washington, DC 20024, USA Tel: 202-459-9674,

Fax: 202-459-9673, Email: nco@nitrd.gov, Website: https://www.nitrd.gov