Presentation on theme: "Nate Krussel, Maxine Major, and Theora Rice"— Presentation transcript:
1 Nate Krussel, Maxine Major, and Theora Rice The Parrot AR.drone 2.0
2 Overview Parrot AR Drone 2.0 Purchased off Amazon Works out of the box ~ $300 for everybody2 day prime shippingWorks out of the boxNo assembly required, charge the battery, download the application and flyComes with special hull for flying indoorsEmbedded Linux on SOC Atheros chipset
3 Overview Free Flight App Runs on Android and IOS No Windows phone appUses gyros and accelerometers to control the flightFailsafe: if hands not on device, drone attempts to hover in place.
4 Early Thoughts Experiments Use Wireshark to sniff traffic Take over drone controlApp and PCHijack the videoHard crash the drone, similar to the emergency landing built into the drone
5 Wireshark Connected the AR.Drone wifi to sniff the traffic Pattern IdentificationWireshark didn’t show any trafficARP packets, not much else
6 WiresharkConclusionWireshark couldn’t identify packets used to transmit dataUsed a packet different from normal TCP/IP and didn’t know how to display itNeed to use a raw packet dump and try to analyze it that way
8 Drone Hacks \ Mods Hack#2: Program Drone over Wi-fi Packets sent as UDP/TCPSingle UDP contains 1+ command(s)AT*REF: takeoff, landing, reset, stopPorts:Port UDP packets with regular commandsPort Reply UDP data packets from AR.DronePort Reply video stream packets from AR.DronePort TCP packets for critical data that cannot be lost usually for configuration
9 Drone Hacks \ Mods Hack#3: Exploration of internals Airodump-ng capture of drone wifi Revealed open access pointAireplay -0 deauth attackArp scansNmapftp, telnet ports left open
13 Optional Modifications Blinking LED lightsUpgraded Blades/RotorsLong-life replacement batteries1000mAh standard, 1500mAhRF controller… for lights, etc.Radio upgradeProp axle brushing replacementUpgraded camera
14 AttacksUsing Telnet to get into the drone (no security, default is open)Typing “Reboot” will cause the drone to restart, and it will fall, but can reconnect after it finishes restarting.
15 AttacksUsing TelnetUsing “netstat –pantu” then identifying the connected person and their TCP stream.Then typing “Kill <pid>” will cause the drone to fall out of the sky, it needs to be restarted before it will fly again from any user.