Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Believe It or Not: Wireless Walking on Air
Drones and Wireless Security
Wade TrappeSeptember 2018
Believe I or No : ireless Walking on Air
Drones and Wireless Security
l\µTGERS
WINLAB
UAVs change the wireless landscape and will have dramatic security implications
UAVs will come in a variety of sizes and
shapes, with a wide range of cyber-capabilities
– Tasks: environmental monitoring, item
delivery, recreation, etc.
– Use wireless for control
– Have the potential to cause physical harm
UAVs change the “wireless game”
– Require strict guarantees in
communication performance
– Have an elevated perspective that has
pros/cons
– Easy access by hobbyists
– Advanced “tactical” UAVs have quite
different security considerations (talk to
me offline!)
Drones are already commodity
technology:
– DJI Phantom, 3DR, etc…
easily accessible and
affordable
– Software kits available for app
development (e.g. 3DR’s
DroneKit API, DJI SDK)
UA V change th wi~ I land cape and ill hav dramatic ecurity implica ions
~TGERS
WINLAB
A Case Study illustrates the potential risks associated with UAV: Football Stadium
A recent Rutgers investigation into the use of
recreational drones near football arenas:
– Hobbyists try to fly drones over games to watch the
event
Safety: A crash can harm life and infrastructure
Revenue implications
– Sensors deployed around a stadium, with new
commercial software used to detect drones
Lessons learned:
– Most drone vendors use commodity wireless tech
(e.g. Wifi), and most detection uses “wireless” to find
the controller.
– Controller detection was usually successful within
30seconds, location within 150m about 80% of time.
– Detection performance is dependent upon
deployment “geometries”
– Having an up-to-date drone “RF” signature database
(MAC addresses, etc)
Pre-planned missions or many drones: Not easy to
detect need for other forms of drone detectionhttp://www.chicagotribune.com/sports/breaking/ct-spt-drones-theats-to-sports-stadiums-20180511-story.html#)
Legal limitations:
– The law limits what can be done
“to counteract” drones
– Can’t disarm or disable drones,
even if they would cause physical
harm
– FAA limitations are ignored by
hobbyists
– Concerns that anti-drone defense
systems (jammers) might impact
other societal systems
(navigation)
– Need to re-evaluate these limits
A Ca tudy illu trat th potential ri k as ociated ith UA V: Football tadium
~TGERS
WINLAB
It is relatively easy to pwn a drone… sort of.
In a separate study, Rutgers investigated the
susceptibility of commercial drones to simple,
cyber attacks
Goals:
– Analyze drone communications
– Understand attack vectors to control/disable
drone
Attack scenario:
– Laptop running Kali Linux
– Wireshark - packet capturer
– Aircrack-ng - wireless exploit suite
– 3DR Solo Drone
– Sololink - controller/drone wifi network
We were able to:
– Capture and replay packets (sent to the drone)
– Deauthenticate the drone
– Redirect the drone with the DroneKit API
Good news: Deauth on the drone did not lead to
a crash… drone hovers but does not have a
controlled descent.
I a y
~TGERS
n n
Run initial deauthentication to chec functionality
,1,
Stop deauthenticatlon & load sc ·pt to make drone
Ry to a set location
,. Contin e
deauthentication to prevent manual
override
2 e.oe35'82125 o.a e.o 255 255 255 2'5 3 8 .28228811• Senaottet_Sd .68 :dc Broadcast 4 7 8835411520 18 1 1 1 10 1 1 lOt'I
6 7 bOJ5977..iS 10 1 1 1 10 1 1 106
1011.1
1(:1,11.1
ltl Iii 11;!9320289 10.1 l.l 17 8 2i131&8222 18.1.1.1 1ee 3883'4a2611 10.11.1 1g 8 •Q0261JgJ 10.1 1 1 298.551861!il373 19.11-1 21 a eae3801os 10.1.1 1 22a eoaeg11" 1011.1
10 1 1 108
10 1 1 1
10 1,1 lOtl 10 1 1.106 10 1 1 1ee 10 1.1 l&e 18 11100 H> 1.1.18e 10 11 106
OHCP -""' lJOf'
UOP
UOr
0 of.
------CJ==-_·) Eiqnnlo11-
340 Ot1CP Request - frensacuon 10 8•1• 5305a •2~o hn 18.11.1~ Tell 18 1 . 1 .10
1223 523HI - 1"5'8 Len•ll81
1307 S2316 - 145~ Ll!n=12t.5
4~8 23UI - 14S~ Len,.JQtl
43cl tt2Jltl - 1455G LenoJQl;I 836 523115 - 1"558 Len•5!14 707 52318 - 14558 Lensl5155 638 523UI - 14558 Len•5Q• 1553 523115 - 1'1558 Len•l511 834 523115 - 1'1558 Len•7Q2 83• 52318 - 14558 Len•7g2
• Fr111e 1: 328 bytes on wue (2624 blts), 328 bytes uptured (2624 b1ts) on 1nterhte 8 • Ethernet IL Srt: senaoNet_Sd 60:dt (88:dc:1>6·3d:68:dt). Ott: eroadcnt (ff:ff ff·ff:ff : ff) • Internet P rototol ',,trsi.on 4, Srt: 8.8 8.8, Ost . 255.255.255.ffl • user D.cagr1111 l"rototol , Srt Pore: 68, Ost Port 67 • Bootstrap Prototol (Dntover)
ff ff ff ff ff ff 88 de 96 3d 60 dt ee oo 45 oo B~OOOOOOOO~ll~MOOOOOOOOHH ff ff 00 44 00 43 81 26 gt, 3d 01 01 ~ 00 11 f5 ~~-------••0000000000 ea oa ee oo oo eo ea dt 96 3d 60 dt oe oo oo oo 00000000000000000000000000000000 0000000000•00•0000000000000000 00000000000000000000000000000000
e 7 ~oneSUttupRHpOnu
.• , . y • o.c .
ez ..
E.
Px~lt 47 0ispl¥d: 47 (100.M) Lo.:ltmt: 0:0.1 Profile: Oe!M.Jll
WINLAB
Elevated implications on spectrum: a double-edged sword
UAVs are an elevated platform
– Able to receive RF signals from “further away”
– Able to transmit RF and impact receivers “further away”
Simple line of sight arguments imply a larger RF footprint/ radio
horizon for a drone
– Larger L1 interference footprint
– Larger L2 (MAC-layer) impact– think carrier sensing
– Larger L3 impact (everything is the drone’s neighbor)
The good:
– UAVs as mobile, emergency cellular basestations
– UAVs as repeater (bridge between two non-line-of-sight RX)
– Enhanced spectrum sensing (needs more research on signal
separation, spectrum cartography!)
The bad:
– But what about a rogue, software-based LTE basestation (e.g.
OpenAir LTE)?
– Jammers…
WINLAB spectrum sensing on a
drone
• GPS + RF SDR dongle
• Problems with weight, GPS
stability
Picture from Wikipedia
Elevated implication on pectrum. a doubl - dg d ord
~TGERS
"Any opinions, findings, conclusions or recommendations
expressed in this material are those of the author(s) and do not
necessarily reflect the views of the Networking and Information
Technology Research and Development Program."
The Networking and Information Technology Research and Development
(NITRD) Program
Mailing Address: NCO/NITRD, 2415 Eisenhower Avenue, Alexandria, VA 22314
Physical Address: 490 L'Enfant Plaza SW, Suite 8001, Washington, DC 20024, USA Tel: 202-459-9674,
Fax: 202-459-9673, Email: [email protected], Website: https://www.nitrd.gov