Presentation on theme: "Nate Krussel, Maxine Major, and Theora Rice. Overview Parrot AR Drone 2.0 Purchased off Amazon ○ ~ $300 for everybody ○ 2 day prime shipping Works out."— Presentation transcript:
Nate Krussel, Maxine Major, and Theora Rice
Overview Parrot AR Drone 2.0 Purchased off Amazon ○ ~ $300 for everybody ○ 2 day prime shipping Works out of the box ○ No assembly required, charge the battery, download the application and fly ○ Comes with special hull for flying indoors Embedded Linux on SOC Atheros chipset
Overview Free Flight App Runs on Android and IOS ○ No Windows phone app Uses gyros and accelerometers to control the flight Failsafe: if hands not on device, drone attempts to hover in place.
Early Thoughts Experiments Use Wireshark to sniff traffic Take over drone control ○ App and PC Hijack the video Hard crash the drone, similar to the emergency landing built into the drone
Wireshark Connected the AR.Drone wifi to sniff the traffic Pattern Identification Wireshark didn’t show any traffic ARP packets, not much else
Wireshark Conclusion Wireshark couldn’t identify packets used to transmit data Used a packet different from normal TCP/IP and didn’t know how to display it Need to use a raw packet dump and try to analyze it that way
Drone Hacks \ Mods Hack#2: Program Drone over Wi-fi Packets sent as UDP/TCP Single UDP contains 1+ command(s) ○ AT*REF: takeoff, landing, reset, stop Ports: ○ Port UDP packets with regular commands ○ Port Reply UDP data packets from AR.Drone ○ Port Reply video stream packets from AR.Drone ○ Port TCP packets for critical data that cannot be lost usually for configuration
Drone Hacks \ Mods Hack#3: Exploration of internals Airodump-ng capture of drone wifi Revealed open access point Aireplay -0 deauth attack Arp scans Nmap ftp, telnet ports left open
Projecting Video … The Hard Way
Projecting Video … The Easy Way Telnet telnet ffplay (ffmpeg) ffplay tcp:// :5555
Optional Modifications Blinking LED lights Upgraded Blades/Rotors Long-life replacement batteries 1000mAh standard, 1500mAh RF controller … for lights, etc. Radio upgrade Prop axle brushing replacement Upgraded camera
Attacks Using Telnet to get into the drone (no security, default is open) Typing “Reboot” will cause the drone to restart, and it will fall, but can reconnect after it finishes restarting.
Attacks Using Telnet Using “netstat –pantu” then identifying the connected person and their TCP stream. Then typing “Kill ” will cause the drone to fall out of the sky, it needs to be restarted before it will fly again from any user.
Hardening Repeater AR.Assist – Windows Wizard ○ Use to connect drone to WiFi hotspot Now locked to that hotspot Can be permanent eb/post/2011/02/12/ARAssist- Infrastructure-Wi-Fi-Enabling-Your- ARDrone-Made-Easy.aspx eb/post/2011/02/12/ARAssist- Infrastructure-Wi-Fi-Enabling-Your- ARDrone-Made-Easy.aspx
Hardening Reload the linux kernel Lots of time and effort
Operation Stux2bu Attack 1 No security, reboot with lock-out capability ○ Responds to Telnet only Attack 2 With security, MAC Spoofing, Attack 1 Attack 3 Jamming the signal Attack 4 Floss...in the rotors