Presentation is loading. Please wait.

Presentation is loading. Please wait.

by Team Reaper Jacob, Kyle, and Scott

Similar presentations

Presentation on theme: "by Team Reaper Jacob, Kyle, and Scott"— Presentation transcript:

1 by Team Reaper Jacob, Kyle, and Scott
Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott

2 Agenda Drone Overview Security Overview Hacking Plans
Hardening Options

3 Drone Overview Base Drone $479.00 GoPro Hero 3 Black $399.99 GoPro Hero 3 Black $399.99 64GB High Speed Micro SD $129.99 Spare 2200 mAH Battery $27.00 Complete Starter Package $

4 Drone Features Receiver Range GPS Wind Compensation
1000m (.6 miles) GPS Accurate Within .8 m Vertical 2.5m Horizontal Wind Compensation Max Speed 10m/sec (22mph) Payload 1000grams (2.2 pounds)

5 Drone Modifications 2 axis Gimble Fatshark First Person Video Motors
Zenmuse H3-2D $699 More control and less Jelloing Fatshark First Person Video Can Transmit from GoPro Live Flight View Can record video from goggles $299.99 Motors Blades Batteries

6 Drone Reactions People oblivious Turkey Police Neighborhood Spying

7 Current Hacks Unable to find documentation on attacking the drone’s wireless communication, only modifications

8 Communications – High Level

9 Communications – Protocol
2.4 GHz Direct Sequence Spread Spectrum Unlicensed ISM band (2.400 GHz to GHz)

10 Communications – Microcontroller
Atmel ATMEGA Microcontroller Gives interface to wireless module for drone’s Master Controller

11 Communications - Chip Cypress CYRF6936 – WirelessUSB LP 2.4 GHz Radio SoC Transmit power: up to +4 dBm Receive sensitivity: up to -97 dBm DSSS data rates up to 250 kbps, GFSK data rate of 1 Mbps 98 different channels available

12 Interface to Chip 4 MHz Serial Peripheral Interface (SPI)
4 pin serial communications protocol SCK, MISO, MOSI, SS Easily implemented (i.e. Raspberry Pi) Used to configure and send data to CYRF6936 Cypress Semiconductor Corporation - Document #: Rev. *J – page 1

13 Data Transmission Modes
GFSK (Gaussian frequency-shift keying) Mode 1 Mbps, no DSSS 8DR Mode 8 bits per symbol transmitted DDR Mode 2 bits per symbol transmitted SDR 1 bit per symbol transmitted Lower data rates reduce error rate

14 Typical Packet Structure
GFSK and 8DR have a max payload of 40 bytes DDR and SDR have a max payload of 16 bytes Optional packet framing SOP required in GFSK and 8DR, optional in DDR, not supported in SDR If SOP enabled, length field required Length field required in GFSK and 8DR modes CRC 16 has a configurable seed Cypress Semiconductor Corporation - Document #: Rev. *J – page 5

15 Potential Hacking Options
Targeted Take over control Interference Area of Effect Jamming the 2.4 GHz ISM frequency band

16 Targeted Attack Plan: Prototyping
Items needed: Two transceiver chips Two breakout boards Two sets of supporting circuitry Prototype both with Raspberry Pi

17 Prototyping Block Diagram

18 Targeted Attack Plan: System Investigation
Use an oscilloscope to see SPI signals from microcontroller to receiver chip on the DJI Phantom Determine how the CYRF6936 is configured for receiving data from the remote control Mimic the receiver chip configuration on the prototype system Stimulate remote control and see what actions on the remote control correspond to data payload content

19 System Investigation Block Diagram

20 Targeted Attack: Custom Control
Once we have an understanding of the packet payload and operating modes, we can simulate the remote control and send commands to the DJI Phantom We should receive some sort of acknowledge at least, hopefully some data feedback.

21 Targeted Attack: Field Trials
Use Raspberry Pi and CYRF6936 in transmit mode to interfere with existing communication between the remote control and DJI Phantom Change operating modes Send the DJI Phantom away, attempt to turn it off Send malformed packet payloads and see how it behaves.

22 Targeted Attack: Field Trial Block Diagram

23 Potential Challenges Payload data may be encrypted
Unlikely because of small microcontroller connected to CYRF6936 Scoping out SPI configuration may take a while Interference between Raspberry Pi and remote control may result in erratic and non-deterministic behavior. Range of Raspberry Pi will be shorter than remote control due to decreased signal integrity. If we were to build a custom PCB, we can overcome this and drastically increase the strength of the transmit signal with a power amplifier.

24 Cost of Development BOM: Time to develop estimated at 40 hours
2x 12 MHz Crystal (~$10) 2x CYRF6936 (~$10) 2x Breakout Board (~$25) 2x Antenna (~$5) 2x Passives (~10$) Total Cost ~$60 Time to develop estimated at 40 hours

25 Area of Effect: Jamming
Need a lot of power for a small radius of jamming (need to be close to operator) Possible to jam 2.4 GHz frequency band FCC violations, jamming 2.4 GHz band is illegal When the GoPro transmits the video via 2.4GHz band, the DJI Phantom has erratic behavior and flies off Would expect similar effect with jamming the transmitter

26 Hardening Encrypt packet payload
Requires more hardware, but possible Get a transceiver that has a wider bandwidth (1 GHz – 10 GHz) and implements dynamic frequency hopping May not exist, but if it does it probably violates FCC regulations

27 References

Download ppt "by Team Reaper Jacob, Kyle, and Scott"

Similar presentations

Ads by Google