Presentation is loading. Please wait.

Presentation is loading. Please wait.

by Team Reaper Jacob, Kyle, and Scott

Published byHazel Callaway Modified over 9 years ago

Similar presentations

Presentation on theme: "by Team Reaper Jacob, Kyle, and Scott"— Presentation transcript:

1 by Team Reaper Jacob, Kyle, and Scott
Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott

2 Agenda Drone Overview Security Overview Hacking Plans
Hardening Options

3 Drone Overview Base Drone $479.00 GoPro Hero 3 Black $399.99
Dronefly.com GoPro Hero 3 Black $399.99 64GB High Speed Micro SD $129.99 Spare 2200 mAH Battery $27.00 Complete Starter Package $

4 Drone Features Receiver Range GPS Wind Compensation
1000m (.6 miles) GPS Accurate Within .8 m Vertical 2.5m Horizontal Wind Compensation Max Speed 10m/sec (22mph) Payload 1000grams (2.2 pounds)

5 Drone Modifications 2 axis Gimble Fatshark First Person Video Motors
Zenmuse H3-2D $699 More control and less Jelloing Fatshark First Person Video Can Transmit from GoPro Live Flight View Can record video from goggles $299.99 Motors Blades Batteries

6 Drone Reactions People oblivious Turkey Police Neighborhood Spying
Youtube

7 Current Hacks Unable to find documentation on attacking the drone’s wireless communication, only modifications

8 Communications – High Level

9 Communications – Protocol
2.4 GHz Direct Sequence Spread Spectrum Unlicensed ISM band (2.400 GHz to GHz)

10 Communications – Microcontroller
Atmel ATMEGA Microcontroller Gives interface to wireless module for drone’s Master Controller

11 Communications - Chip Cypress CYRF6936 – WirelessUSB LP 2.4 GHz Radio SoC Transmit power: up to +4 dBm Receive sensitivity: up to -97 dBm DSSS data rates up to 250 kbps, GFSK data rate of 1 Mbps 98 different channels available

12 Interface to Chip 4 MHz Serial Peripheral Interface (SPI)
4 pin serial communications protocol SCK, MISO, MOSI, SS Easily implemented (i.e. Raspberry Pi) Used to configure and send data to CYRF6936 Cypress Semiconductor Corporation - Document #: Rev. *J – page 1

13 Data Transmission Modes
GFSK (Gaussian frequency-shift keying) Mode 1 Mbps, no DSSS 8DR Mode 8 bits per symbol transmitted DDR Mode 2 bits per symbol transmitted SDR 1 bit per symbol transmitted Lower data rates reduce error rate

14 Typical Packet Structure
GFSK and 8DR have a max payload of 40 bytes DDR and SDR have a max payload of 16 bytes Optional packet framing SOP required in GFSK and 8DR, optional in DDR, not supported in SDR If SOP enabled, length field required Length field required in GFSK and 8DR modes CRC 16 has a configurable seed Cypress Semiconductor Corporation - Document #: Rev. *J – page 5

15 Potential Hacking Options
Targeted Take over control Interference Area of Effect Jamming the 2.4 GHz ISM frequency band

16 Targeted Attack Plan: Prototyping
Items needed: Two transceiver chips Two breakout boards Two sets of supporting circuitry Prototype both with Raspberry Pi

17 Prototyping Block Diagram

18 Targeted Attack Plan: System Investigation
Use an oscilloscope to see SPI signals from microcontroller to receiver chip on the DJI Phantom Determine how the CYRF6936 is configured for receiving data from the remote control Mimic the receiver chip configuration on the prototype system Stimulate remote control and see what actions on the remote control correspond to data payload content

19 System Investigation Block Diagram

20 Targeted Attack: Custom Control
Once we have an understanding of the packet payload and operating modes, we can simulate the remote control and send commands to the DJI Phantom We should receive some sort of acknowledge at least, hopefully some data feedback.

21 Targeted Attack: Field Trials
Use Raspberry Pi and CYRF6936 in transmit mode to interfere with existing communication between the remote control and DJI Phantom Change operating modes Send the DJI Phantom away, attempt to turn it off Send malformed packet payloads and see how it behaves.

22 Targeted Attack: Field Trial Block Diagram

23 Potential Challenges Payload data may be encrypted
Unlikely because of small microcontroller connected to CYRF6936 Scoping out SPI configuration may take a while Interference between Raspberry Pi and remote control may result in erratic and non-deterministic behavior. Range of Raspberry Pi will be shorter than remote control due to decreased signal integrity. If we were to build a custom PCB, we can overcome this and drastically increase the strength of the transmit signal with a power amplifier.

24 Cost of Development BOM: Time to develop estimated at 40 hours
2x 12 MHz Crystal (~$10) 2x CYRF6936 (~$10) 2x Breakout Board (~$25) 2x Antenna (~$5) 2x Passives (~10$) Total Cost ~$60 Time to develop estimated at 40 hours

25 Area of Effect: Jamming
Need a lot of power for a small radius of jamming (need to be close to operator) Possible to jam 2.4 GHz frequency band FCC violations, jamming 2.4 GHz band is illegal When the GoPro transmits the video via 2.4GHz band, the DJI Phantom has erratic behavior and flies off Would expect similar effect with jamming the transmitter

26 Hardening Encrypt packet payload
Requires more hardware, but possible Get a transceiver that has a wider bandwidth (1 GHz – 10 GHz) and implements dynamic frequency hopping May not exist, but if it does it probably violates FCC regulations

27 References http://www.dronefly.com http://www.dji.com

Download ppt "by Team Reaper Jacob, Kyle, and Scott"

Similar presentations

Two Way Remote Control Dr. Abdelhafid Bouhraoua. Outline Context, Motivations and Applications Principle of Operation Components Implementation Problems.

Two Way Remote Control Dr. Abdelhafid Bouhraoua. Outline Context, Motivations and Applications Principle of Operation Components Implementation Problems.
IE 419/519 Wireless Networks Lecture Notes #6 Spread Spectrum.

IE 419/519 Wireless Networks Lecture Notes #6 Spread Spectrum.
BLUETOOTH TM :A new radio interface providing ubiquitous connectivity Jaap C.Haartsen Ericssion Radio System B.V. 2000 IEEE.

BLUETOOTH TM :A new radio interface providing ubiquitous connectivity Jaap C.Haartsen Ericssion Radio System B.V IEEE.
Anatomy of Radio LAN Onno W. Purbo

Anatomy of Radio LAN Onno W. Purbo
Tri-Band RF Transceivers for Dynamic Spectrum Access By Nishant Kumar and Yu-Dong Yao.

Tri-Band RF Transceivers for Dynamic Spectrum Access By Nishant Kumar and Yu-Dong Yao.
DATA COLLECTION USING ZIGBEE NETWORK Timothy Melton Moscow, ID.

DATA COLLECTION USING ZIGBEE NETWORK Timothy Melton Moscow, ID.
Software Defined Radio Testbed Team may11-18 Members: Alex Dolan, Mohammad Khan, Ahmet Unsal Adviser: Dr. Aditya Ramamoorthy.

Software Defined Radio Testbed Team may11-18 Members: Alex Dolan, Mohammad Khan, Ahmet Unsal Adviser: Dr. Aditya Ramamoorthy.
Page 1 CONFIDENTIAL EZRadioPRO EZRadioPRO™ December 2007.

Page 1 CONFIDENTIAL EZRadioPRO EZRadioPRO™ December 2007.
Oscilloscope Watch Teardown. Agenda History and General overview Hardware design: – Block diagram and general overview – Choice of the microcontroller.

Oscilloscope Watch Teardown. Agenda History and General overview Hardware design: – Block diagram and general overview – Choice of the microcontroller.
VIRGINIA POLYTECHNIC INSTITUTE & STATE UNIVERSITY MOBILE & PORTABLE RADIO RESEARCH GROUP MPRG Channel Frame Error Rate for Bluetooth in the Presence of.

VIRGINIA POLYTECHNIC INSTITUTE & STATE UNIVERSITY MOBILE & PORTABLE RADIO RESEARCH GROUP MPRG Channel Frame Error Rate for Bluetooth in the Presence of.
Robo Car Upgrade Peter Busha 4/15/2014. Background O Limited Mobility O Messy Connections O No Auto Power Switch.

Robo Car Upgrade Peter Busha 4/15/2014. Background O Limited Mobility O Messy Connections O No Auto Power Switch.
Wireless Networks and Spread Spectrum Technologies.

Wireless Networks and Spread Spectrum Technologies.
UNDER EMBARGO UNTIL OCTOBER 27, 2008 C Y F I ™ Low-Power RF Reliable. Simple. Power-Efficient.

UNDER EMBARGO UNTIL OCTOBER 27, 2008 C Y F I ™ Low-Power RF Reliable. Simple. Power-Efficient.
RADIO FREQUENCY MODULE. Introduction  An RF module is a small electronic circuit used to transmit and receive radio signals.  As the name suggests,

RADIO FREQUENCY MODULE. Introduction  An RF module is a small electronic circuit used to transmit and receive radio signals.  As the name suggests,
Sattam Al-Sahli – Emad Al-Hemyari –

Sattam Al-Sahli – Emad Al-Hemyari –
SDP 11 PDR Team Goeckel Group: Adebayo Adeyemi, Joseph Hayward, Mark Kohls, Simon McAuliffe Advisor: Dennis Goeckel PDR Keeping The Secret.

SDP 11 PDR Team Goeckel Group: Adebayo Adeyemi, Joseph Hayward, Mark Kohls, Simon McAuliffe Advisor: Dennis Goeckel PDR Keeping The Secret.
A Project Team Members: Shamlan AlbaharRifaah Alkhamis Doug BloomquistChris Deboer.

A Project Team Members: Shamlan AlbaharRifaah Alkhamis Doug BloomquistChris Deboer.
Wireless Sensors and Wireless Sensor Networks (WSN) Darrell Curry.

Wireless Sensors and Wireless Sensor Networks (WSN) Darrell Curry.
Integrated  -Wireless Communication Platform Jason Hill.

Integrated  -Wireless Communication Platform Jason Hill.
1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Wireless Sensor Networks 5th Lecture 08.11.2006 Christian Schindelhauer.

1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Wireless Sensor Networks 5th Lecture Christian Schindelhauer.

Similar presentations

Ads by Google