Hacking the Phantom by Team Reaper Jacob, Kyle, and Scott
Agenda
• Drone Overview
• Security Overview
• Hacking Plans
• Hardening Options
Drone Overview
• Base Drone $479.00
  • Dronefly.com
• GoPro Hero 3 Black $399.99
• 64GB High Speed Micro SD $129.99
• Spare 2200 mAh Battery $27.00
• Complete Starter Package $1035.98
Drone Features
• Receiver range
  • 1000 m (0.6 miles)
• GPS
  • Accurate within 0.8 m vertical, 2.5 m horizontal
• Wind compensation
• Max speed 10 m/s (22 mph)
• Payload
  • 1000 grams (2.2 pounds)
Drone Modifications
• 2-axis gimbal
  • Zenmuse H3-2D $699
  • More control and less jello (rolling-shutter wobble)
• Fatshark first-person video
  • Can transmit from the GoPro
  • Live flight view
  • Can record video from the goggles
  • $299.99
• Motors
• Blades
• Batteries
Drone Reactions
• People oblivious
• Turkey Police
• Neighborhood spying
• YouTube
Current Hacks
• Unable to find documentation on attacking the drone's wireless communication; only hardware modifications are documented
Communications – Protocol
• 2.4 GHz Direct Sequence Spread Spectrum (DSSS)
• Unlicensed ISM band (2.400 GHz to 2.483 GHz)
Communications – Microcontroller
• Atmel ATmega microcontroller
• Provides the interface between the wireless module and the drone's master controller
Communications – Chip
• Cypress CYRF6936 – WirelessUSB LP 2.4 GHz Radio SoC
• Transmit power: up to +4 dBm
• Receive sensitivity: down to -97 dBm
• DSSS data rates up to 250 kbps; GFSK data rate of 1 Mbps
• 98 different channels available
Interface to Chip
• 4 MHz Serial Peripheral Interface (SPI)
  • 4-pin serial communications protocol: SCK, MISO, MOSI, SS
  • Easily implemented (e.g. on a Raspberry Pi)
• Used to configure the CYRF6936 and send data to it
(Source: Cypress Semiconductor Corporation, Document #38-16015 Rev. *J, page 1)
Data Transmission Modes
• GFSK (Gaussian frequency-shift keying) mode
  • 1 Mbps, no DSSS
• 8DR mode
  • 8 bits per symbol transmitted
• DDR mode
  • 2 bits per symbol transmitted
• SDR mode
  • 1 bit per symbol transmitted
• Lower data rates reduce the error rate
Typical Packet Structure
• GFSK and 8DR have a maximum payload of 40 bytes
• DDR and SDR have a maximum payload of 16 bytes
• Optional packet framing
  • Start of packet (SOP) required in GFSK and 8DR, optional in DDR, not supported in SDR
  • If SOP is enabled, the length field is required
  • Length field required in GFSK and 8DR modes
• CRC-16 has a configurable seed
(Source: Cypress Semiconductor Corporation, Document #38-16015 Rev. *J, page 5)
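As an added illustration that is not from the slides or the Cypress datasheet, the following Python models the framing rules above so a receiver can check whether a frame obeys them; the 2-byte SOP value, the 1-byte length field, the trailing 2-byte CRC and the CRC-16-CCITT polynomial 0x1021 are assumptions made for the example.

```python
# Added example, not from the slides or the Cypress datasheet. ASSUMED for illustration:
# 2-byte SOP marker, 1-byte length field, trailing 2-byte CRC, CRC-16-CCITT poly 0x1021.
MAX_PAYLOAD = {"GFSK": 40, "8DR": 40, "DDR": 16, "SDR": 16}
SOP_RULE = {"GFSK": "required", "8DR": "required", "DDR": "optional", "SDR": "unsupported"}
SOP = b"\xA5\x5A"  # constructed start-of-packet marker

def crc16(data: bytes, seed: int, poly: int = 0x1021) -> int:
    """Bit-serial CRC-16; the seed is the configurable initial register value."""
    crc = seed & 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def _sop_enabled(mode: str, sop: bool) -> bool:
    # Per-mode SOP rule from the slide: forced on, forced off, or the caller's choice.
    rule = SOP_RULE[mode]
    return True if rule == "required" else False if rule == "unsupported" else sop

def build_frame(mode: str, payload: bytes, seed: int, sop: bool = True) -> bytes:
    """Frame a payload for the given mode: [SOP] [length] payload CRC16."""
    if len(payload) > MAX_PAYLOAD[mode]:
        raise ValueError(f"{mode} payload is limited to {MAX_PAYLOAD[mode]} bytes")
    sop = _sop_enabled(mode, sop)
    use_len = sop or mode in ("GFSK", "8DR")   # length-field rule from the slide
    body = (bytes([len(payload)]) if use_len else b"") + payload
    return (SOP if sop else b"") + body + crc16(body, seed).to_bytes(2, "big")

def parse_frame(mode: str, frame: bytes, seed: int, sop: bool = True) -> bytes:
    """Return the payload, or raise ValueError if framing, length or CRC is wrong."""
    sop = _sop_enabled(mode, sop)
    if sop and not frame.startswith(SOP):
        raise ValueError("missing SOP")
    frame = frame[len(SOP):] if sop else frame
    body, received = frame[:-2], int.from_bytes(frame[-2:], "big")
    if len(frame) < 2 or crc16(body, seed) != received:
        raise ValueError("CRC mismatch: wrong seed, truncated or corrupted frame")
    if sop or mode in ("GFSK", "8DR"):           # length field present
        if not body or body[0] != len(body) - 1:
            raise ValueError("length field does not match payload")
        body = body[1:]
    if len(body) > MAX_PAYLOAD[mode]:
        raise ValueError("payload exceeds the mode maximum")
    return body

def frame_ok(mode: str, frame: bytes, seed: int, sop: bool = True) -> bool:
    try:
        return parse_frame(mode, frame, seed, sop) is not None
    except ValueError:
        return False
```

The seed only helps a receiver reject corrupted or mis-addressed frames; any transmitter that knows it can produce matching CRCs, so a CRC seed is not an authentication mechanism.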
Potential Hacking Options
• Targeted
  • Take over control
  • Interference
• Area of effect
  • Jamming the 2.4 GHz ISM frequency band
Targeted Attack Plan: Prototyping
• Items needed:
  • Two transceiver chips
  • Two breakout boards
  • Two sets of supporting circuitry
• Prototype both with a Raspberry Pi
Targeted Attack Plan: System Investigation
• Use an oscilloscope to see the SPI signals from the microcontroller to the receiver chip on the DJI Phantom
• Determine how the CYRF6936 is configured for receiving data from the remote control
• Mimic the receiver chip configuration on the prototype system
• Operate the remote control and see which actions on it correspond to which data payload content
Targeted Attack: Custom Control
• Once we understand the packet payload and operating modes, we can simulate the remote control and send commands to the DJI Phantom
• We should receive some sort of acknowledgement at least, and hopefully some data feedback
Targeted Attack: Field Trials
• Use the Raspberry Pi and CYRF6936 in transmit mode to interfere with the existing communication between the remote control and the DJI Phantom
• Change operating modes
• Send the DJI Phantom away, attempt to turn it off
• Send malformed packet payloads and see how it behaves
Potential Challenges
• Payload data may be encrypted
  • Unlikely because of the small microcontroller connected to the CYRF6936
• Scoping out the SPI configuration may take a while
• Interference between the Raspberry Pi and the remote control may result in erratic and non-deterministic behavior
• Range of the Raspberry Pi will be shorter than the remote control's due to decreased signal integrity
  • If we were to build a custom PCB, we could overcome this and drastically increase the transmit signal strength with a power amplifier
Cost of Development
• BOM:
  • 2x 12 MHz crystal (~$10)
  • 2x CYRF6936 (~$10)
  • 2x breakout board (~$25)
  • 2x antenna (~$5)
  • 2x passives (~$10)
• Total cost ~$60
• Time to develop estimated at 40 hours
Area of Effect: Jamming
• Need a lot of power for a small jamming radius (need to be close to the operator)
• Possible to jam the 2.4 GHz frequency band
• FCC violation: jamming the 2.4 GHz band is illegal
• When the GoPro transmits video on the 2.4 GHz band, the DJI Phantom behaves erratically and flies off
• Would expect a similar effect from jamming the transmitter
Hardening
• Encrypt the packet payload
  • Requires more hardware, but possible
• Use a transceiver with a wider bandwidth (1 GHz – 10 GHz) that implements dynamic frequency hopping
  • May not exist, and if it does it probably violates FCC regulations
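To make the "protect the packet payload" option concrete, here is an added example (not DJI's or the presenters' code) that authenticates each control payload within the 40-byte GFSK/8DR limit using a pre-shared key, a sequence number against replay and a truncated HMAC-SHA256 tag. The field layout and key handling are assumptions; it shows authentication rather than encryption because that is the property that makes the drone reject commands from a transmitter that does not hold the key.

```python
# Added example (not DJI's or the presenters' code): authenticate each control
# payload inside the 40-byte GFSK/8DR limit from the datasheet slide. The layout
# (4-byte sequence number, command bytes, 8-byte truncated HMAC-SHA256 tag) and
# the pre-shared key are assumptions made for illustration.
import hashlib
import hmac

MAX_PAYLOAD = 40
SEQ_LEN, TAG_LEN = 4, 8
MAX_CMD = MAX_PAYLOAD - SEQ_LEN - TAG_LEN   # 28 bytes remain for control data

def seal(key: bytes, seq: int, cmd: bytes) -> bytes:
    """Transmitter side: seq || cmd || tag, where the tag covers seq and cmd."""
    if len(cmd) > MAX_CMD:
        raise ValueError(f"command data is limited to {MAX_CMD} bytes")
    body = seq.to_bytes(SEQ_LEN, "big") + cmd
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Drone side: holds the key and the highest sequence number accepted so far."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, payload: bytes):
        """Return the command bytes, or None if the payload is forged, altered or replayed."""
        if not SEQ_LEN + TAG_LEN <= len(payload) <= MAX_PAYLOAD:
            return None
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                              # wrong key or modified frame
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq <= self.last_seq:                     # replayed or stale frame
            return None
        self.last_seq = seq
        return body[SEQ_LEN:]

KEY = b"constructed-sample-preshared-key"  # constructed for the example only
```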
References
• http://www.dronefly.com
• http://www.dji.com
• http://www.cdc.gov/niosh/ershdb/EmergencyResponseCard_29750002.html
• https://sites.google.com/site/mrdunk/interfacing-cypress-cyrf6936-to-avr-microcontrollers
• http://www.cypress.com/?docID=30520
• http://www.cypress.com/?docID=28606