Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nate Krussel, Maxine Major, and Theora Rice

Similar presentations

Presentation on theme: "Nate Krussel, Maxine Major, and Theora Rice"— Presentation transcript:

1 Nate Krussel, Maxine Major, and Theora Rice
The Parrot AR.drone 2.0

2 Overview Parrot AR Drone 2.0 Purchased off Amazon Works out of the box
~ $300 for everybody 2 day prime shipping Works out of the box No assembly required, charge the battery, download the application and fly Comes with special hull for flying indoors Embedded Linux on SOC Atheros chipset

3 Overview Free Flight App Runs on Android and IOS
No Windows phone app Uses gyros and accelerometers to control the flight Failsafe: if hands not on device, drone attempts to hover in place.

4 Early Thoughts Experiments Use Wireshark to sniff traffic
Take over drone control App and PC Hijack the video Hard crash the drone, similar to the emergency landing built into the drone

5 Wireshark Connected the AR.Drone wifi to sniff the traffic
Pattern Identification Wireshark didn’t show any traffic ARP packets, not much else

6 Wireshark Conclusion Wireshark couldn’t identify packets used to transmit data Used a packet different from normal TCP/IP and didn’t know how to display it Need to use a raw packet dump and try to analyze it that way

7 Drone Hacks \ Mods Hack#1: Program Drone over Wi-fi Node.js
Platform built on Chrome’s Javascript runtime Install AR Drone module Client for controlling AR Drone ( Save flight commands to file Auto-execute drone actions This method also included untrusted .js files

8 Drone Hacks \ Mods Hack#2: Program Drone over Wi-fi
Packets sent as UDP/TCP Single UDP contains 1+ command(s) AT*REF: takeoff, landing, reset, stop Ports: Port UDP packets with regular commands Port Reply UDP data packets from AR.Drone Port Reply video stream packets from AR.Drone Port TCP packets for critical data that cannot be lost usually for configuration

9 Drone Hacks \ Mods Hack#3: Exploration of internals
Airodump-ng capture of drone wifi Revealed open access point Aireplay -0 deauth attack Arp scans Nmap ftp, telnet ports left open

10 Projecting Video …The Hard Way

11 Projecting Video …The Easy Way
Telnet telnet ffplay (ffmpeg) ffplay tcp:// :5555

12 Video Demo

13 Optional Modifications
Blinking LED lights Upgraded Blades/Rotors Long-life replacement batteries 1000mAh standard, 1500mAh RF controller … for lights, etc. Radio upgrade Prop axle brushing replacement Upgraded camera

14 Attacks Using Telnet to get into the drone (no security, default is open) Typing “Reboot” will cause the drone to restart, and it will fall, but can reconnect after it finishes restarting.

15 Attacks Using Telnet Using “netstat –pantu” then identifying the connected person and their TCP stream. Then typing “Kill <pid>” will cause the drone to fall out of the sky, it needs to be restarted before it will fly again from any user.

16 Attack 1 Demo

17 Hardening Repeater AR.Assist – Windows Wizard Use to connect drone to WiFi hotspot Now locked to that hotspot Can be permanent

18 Hardening Reload the linux kernel Lots of time and effort

19 Operation Stux2bu Attack 1 Attack 2 Attack 3 Attack 4
No security, reboot with lock-out capability Responds to Telnet only Attack 2 With security, MAC Spoofing, Attack 1 Attack 3 Jamming the signal Attack 4 the rotors

20 Sources

Download ppt "Nate Krussel, Maxine Major, and Theora Rice"

Similar presentations

Ads by Google