Embed Size (px)
Citation preview
SESSION ID:
#RSAC
Nils Rodday
Hacking a Professional Drone
HT-W03
IT Security Consultant
#RSAC
Goal
2
The goal of this talk is to give insights into the security of Unmanned Aerial Vehicles (UAVs) and to show that professional
UAVs are not as secure as one might think.
#RSAC
Agenda
3
Definition
Attack Vectors
The UAV
Attacks
Live Demonstration
Remediation
Impact
Lessons Learned
Q&A
#RSAC
Definition
4
Modelled after: R. Austin, Unmanned Aircraft Systems. UAVs Design, Development and Deployment
#RSAC
Example products – Physical attack vectors
5
©AP Photo/Francois Mori©Rapere
#RSAC
Example products – Logical attack vectors
6
Denial of Service
©Battelle
#RSAC
Mission statement
7
Take over the UAV
#RSAC
The UAV Under Investigation
8
#RSAC
The UAV – Specifications
9
25k – 30k €30k – 35k $
3kg Payload7lb Payload
30 – 45min Endurance
Advanced Features
Add-ons
#RSAC
10
The UAV
Remote Control
Not connected(two separate devices)
Telemetry Box
802.11 WiFi link (WEP)
XBee 868LP link
Video link
2.4 GhzRemote Control
link
Data flow
Data flow
GPS ReceiverData flow
©IEEE
#RSAC
11
The UAV – WiFi focus
802.11 WiFi link (WEP)
XBee 868LP link
Video link
2.4 GhzRemote Control
link
Data flow
Data flow
GPS ReceiverData flow
#RSAC
12
The UAV – WiFi attack
Original tablet
Communication route after attack
Original communication
route
Attacker's tablet
#RSAC
13
The UAV – XBee focus
802.11 WiFi link (WEP)
XBee 868LP link
Video link
2.4 GhzRemote Control
link
Data flow
Data flow
GPS ReceiverData flow
#RSAC
XBee – Chips
14
#RSAC
XBee – Using 3rd party hardware
15
Software Defined Radio (SDR)
#RSAC
XBee – Spectral analysis
16
#RSACXBee – Using XBee chip itself(Obtaining Connection Parameters)
17
0013A20040C6662C
18 * 10^18 tries(4.294.967.296 ^2)
0013A20040C6662C
16 * 10^6 tries(1 * 16.777.216)
0013A20040C6662C
42 * 10^8 tries(1 * 4.294.967.296)
#RSAC
XBee – Obtaining Connection Parameters
18
#RSAC
XBee – Reading the manual...
19
1. API mode
2. Broadcast
3. Remote AT Commands
It's not a bug, it's a feature
#RSAC
20
XBee – Man-in-the-Middle Attack
1. Broadcast3. Rem
ote AT Comm
and:Change DH + DL
5. Remote AT Com
mand:
Write
Communication route after attack
Original communication
route
Attacker
Tablet Remote Control UAV©IEEE
#RSAC
What´s next?
21
We can read/send data on the XBee channel.
But what does that data stream mean?
#RSAC
Decompilation of Android APK
22
#RSAC
Decompilation of Android APK
23
2457 49 46 49 XX XX XX
.
.
.
3687737073
paramByteparamByteparamByte
Decimal –> Hex
#RSAC
Example commands
24
24 57 49 46 49 89 89 89 (Start-Engines)
24 57 49 46 49 XX XX XX
24 57 49 46 49 58 58 58 (Auto-Takeoff)24 57 49 46 49 97 97 97 (Enable Autopilot)
#RSAC
Demonstration
25
#RSAC
Remediation – XBee onboard encryption
27
Secures Data ONLY on the XBee channel
Prevents Remote-AT-Commands
Mitigates Man-In-The-Middle
#RSAC
Remediation – Add. Hardware Encryption
28
Does NOT prevent Remote-AT-Commands
Does NOT mitigate Man-in-the-Middle
Ensures CONFIDENTIALITY
#RSAC
Remediation – Application-layer encryption
29
Does NOT prevent Remote-AT-Commands
Does NOT mitigate Man-in-the-Middle
Ensures CONFIDENTIALITY
#RSAC
Impact
30
Cost of attack: 40$
UAV is currently in use
Multiple manufacturers are using similarsetups
#RSAC
Lessons Learned
31
Use strongencryption
Alter passphrases
Test your product
#RSAC
Credits
32
Prof. Dr. Aiko Pras
Dr. Ricardo de O. Schmidt
Ruud Verbij
Matthieu Paques
Atul KumarAnnika Dahms
#RSAC
Contact Details
33
Nils Rodday
https://de.linkedin.com/in/nilsrodday
SESSION ID:
#RSAC
Nils Rodday
Hacking a Professional Drone
HT-W03
IT Security Consultant
#RSAC
Back-Up Slides
#RSAC
Back-Up – UAV Commands
36
#RSAC
References
37
Slide 04: Modelled after R. Austin. Unmanned Aircraft Systems. UAVs Design, Development and Deployment. Wiley, 2010. ISBN: 978-0-470-05819-0.
Slide 05: Photo credit to: Rapere
Slide 05: Photo credit to: AP Photo/Francois Mori
Slide 06: Photo credit to: Battelle
Slide 10 & 21: Photo credit to: 978-1-5090-0223-8/16/$31.00 © 2016 IEEE
