Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott 1.

Similar presentations


Presentation on theme: "Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott 1."— Presentation transcript:

1 Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott 1

2 Agenda Drone Overview Security Overview Hacking Plans Hardening Options 2

3 Drone Overview Base Drone $ o Dronefly.com GoPro Hero 3 Black $ GB High Speed Micro SD $ Spare 2200 mAH Battery $27.00 Complete Starter Package $

4 Drone Features Receiver Range o 1000m (.6 miles) GPS o Accurate Within.8 m Vertical 2.5m Horizontal Wind Compensation Max Speed 10m/sec (22mph) Payload o 1000grams (2.2 pounds) 4

5 Drone Modifications 2 axis Gimble o Zenmuse H3-2D $699 o More control and less Jelloing Fatshark First Person Video o Can Transmit from GoPro o Live Flight View o Can record video from goggles o $ Motors Blades Batteries 5

6 Drone Reactions People oblivious Turkey Police Neighborhood Spying Youtube 6

7 Current Hacks Unable to find documentation on attacking the drone’s wireless communication, only modifications 7

8 Communications – High Level 8

9 Communications – Protocol 2.4 GHz Direct Sequence Spread Spectrum o Unlicensed ISM band (2.400 GHz to GHz) 9

10 Communications – Microcontroller Atmel ATMEGA Microcontroller o Gives interface to wireless module for drone’s Master Controller 10

11 Communications - Chip Cypress CYRF6936 – WirelessUSB LP 2.4 GHz Radio SoC o Transmit power: up to +4 dBm o Receive sensitivity: up to -97 dBm o DSSS data rates up to 250 kbps, GFSK data rate of 1 Mbps o 98 different channels available 11

12 Interface to Chip 4 MHz Serial Peripheral Interface (SPI) o 4 pin serial communications protocol SCK, MISO, MOSI, SS o Easily implemented (i.e. Raspberry Pi) o Used to configure and send data to CYRF6936 Cypress Semiconductor Corporation - Document #: Rev. *J – page 1 12

13 Data Transmission Modes GFSK (Gaussian frequency-shift keying) Mode o 1 Mbps, no DSSS 8DR Mode o 8 bits per symbol transmitted DDR Mode o 2 bits per symbol transmitted SDR o 1 bit per symbol transmitted Lower data rates reduce error rate 13

14 Typical Packet Structure GFSK and 8DR have a max payload of 40 bytes DDR and SDR have a max payload of 16 bytes Optional packet framing o SOP required in GFSK and 8DR, optional in DDR, not supported in SDR o If SOP enabled, length field required o Length field required in GFSK and 8DR modes o CRC 16 has a configurable seed Cypress Semiconductor Corporation - Document #: Rev. *J – page 5 14

15 Potential Hacking Options Targeted o Take over control o Interference Area of Effect o Jamming the 2.4 GHz ISM frequency band 15

16 Targeted Attack Plan: Prototyping Items needed: o Two transceiver chips o Two breakout boards o Two sets of supporting circuitry Prototype both with Raspberry Pi 16

17 Prototyping Block Diagram 17

18 Targeted Attack Plan: System Investigation Use an oscilloscope to see SPI signals from microcontroller to receiver chip on the DJI Phantom o Determine how the CYRF6936 is configured for receiving data from the remote control Mimic the receiver chip configuration on the prototype system Stimulate remote control and see what actions on the remote control correspond to data payload content 18

19 System Investigation Block Diagram 19

20 Targeted Attack: Custom Control Once we have an understanding of the packet payload and operating modes, we can simulate the remote control and send commands to the DJI Phantom We should receive some sort of acknowledge at least, hopefully some data feedback. 20

21 Targeted Attack: Field Trials Use Raspberry Pi and CYRF6936 in transmit mode to interfere with existing communication between the remote control and DJI Phantom o Change operating modes o Send the DJI Phantom away, attempt to turn it off o Send malformed packet payloads and see how it behaves. 21

22 Targeted Attack: Field Trial Block Diagram 22

23 Potential Challenges Payload data may be encrypted o Unlikely because of small microcontroller connected to CYRF6936 Scoping out SPI configuration may take a while Interference between Raspberry Pi and remote control may result in erratic and non-deterministic behavior. Range of Raspberry Pi will be shorter than remote control due to decreased signal integrity. o If we were to build a custom PCB, we can overcome this and drastically increase the strength of the transmit signal with a power amplifier. 23

24 Cost of Development BOM: o 2x 12 MHz Crystal (~$10) o 2x CYRF6936 (~$10) o 2x Breakout Board (~$25) o 2x Antenna (~$5) o 2x Passives (~10$) o Total Cost ~$60 Time to develop estimated at 40 hours 24

25 Area of Effect: Jamming Need a lot of power for a small radius of jamming (need to be close to operator) Possible to jam 2.4 GHz frequency band o FCC violations, jamming 2.4 GHz band is illegal When the GoPro transmits the video via 2.4GHz band, the DJI Phantom has erratic behavior and flies off o Would expect similar effect with jamming the transmitter 25

26 Hardening Encrypt packet payload o Requires more hardware, but possible Get a transceiver that has a wider bandwidth (1 GHz – 10 GHz) and implements dynamic frequency hopping o May not exist, but if it does it probably violates FCC regulations

27 References onseCard_ html onseCard_ html https://sites.google.com/site/mrdunk/interfacing- cypress-cyrf6936-to-avr-microcontrollers https://sites.google.com/site/mrdunk/interfacing- cypress-cyrf6936-to-avr-microcontrollers https://sites.google.com/site/mrdunk/interfacing- cypress-cyrf6936-to-avr-microcontrollers https://sites.google.com/site/mrdunk/interfacing- cypress-cyrf6936-to-avr-microcontrollers 27


Download ppt "Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott 1."

Similar presentations


Ads by Google