220 likes | 774 Views
Nate Krussel , Maxine Major, and Theora Rice. The Parrot AR.drone 2.0. Overview. Parrot AR Drone 2.0 Purchased off Amazon ~ $300 for everybody 2 day prime shipping Works out of the box No assembly required, charge the battery, download the application and fly
E N D
Nate Krussel, Maxine Major, and Theora Rice The Parrot AR.drone 2.0
Overview • Parrot AR Drone 2.0 • Purchased off Amazon • ~ $300 for everybody • 2 day prime shipping • Works out of the box • No assembly required, charge the battery, download the application and fly • Comes with special hull for flying indoors • Embedded Linux on SOC Atheros chipset
Overview • Free Flight App • Runs on Android and IOS • No Windows phone app • Uses gyros and accelerometers to control the flight • Failsafe: if hands not on device, drone attempts to hover in place.
Early Thoughts • Experiments • Use Wireshark to sniff traffic • Take over drone control • App and PC • Hijack the video • Hard crash the drone, similar to the emergency landing built into the drone
Wireshark • Connected the AR.Drone wifi to sniff the traffic • Pattern Identification • Wireshark didn’t show any traffic • ARP packets, not much else
Wireshark • Conclusion • Wireshark couldn’t identify packets used to transmit data • Used a packet different from normal TCP/IP and didn’t know how to display it • Need to use a raw packet dump and try to analyze it that way
Drone Hacks \ Mods • Hack#1: Program Drone over Wi-fi • Node.js • Platform built on Chrome’s Javascript runtime • Install AR Drone module • Client for controlling AR Drone (nodecopter.com) • Save flight commands to file • Auto-execute drone actions • This method also included untrusted .js files
Drone Hacks \ Mods • Hack#2: Program Drone over Wi-fi • Packets sent as UDP/TCP • Single UDP contains 1+ command(s) • AT*REF: takeoff, landing, reset, stop • Ports: • Port 5556- UDP packets with regular commands • Port 5554- Reply UDP data packets from AR.Drone • Port 5555- Reply video stream packets from AR.Drone • Port 5559- TCP packets for critical data that cannot be lost usually for configuration
Drone Hacks \ Mods • Hack#3: Exploration of internals • Airodump-ng capture of drone wifiRevealed open access point • Aireplay -0 deauth attack • Arp scans • Nmap • ftp, telnet ports left open
Projecting Video …The Easy Way • Telnettelnet 192.168.1.1 • ffplay (ffmpeg)ffplay tcp://192.168.1.1:5555
Optional Modifications • Blinking LED lights • Upgraded Blades/Rotors • Long-life replacement batteries • 1000mAh standard, 1500mAh • RF controller • … for lights, etc. • Radio upgrade • Prop axle brushing replacement • Upgraded camera
Attacks • Using Telnet to get into the drone (no security, default is open) • Typing “Reboot” will cause the drone to restart, and it will fall, but can reconnect after it finishes restarting.
Attacks • Using Telnet • Using “netstat –pantu” then identifying the connected person and their TCP stream. • Then typing “Kill <pid>” will cause the drone to fall out of the sky, it needs to be restarted before it will fly again from any user.
Hardening • Repeater • AR.Assist – Windows Wizard • Use to connect drone to WiFi hotspot • Now locked to that hotspot • Can be permanent • http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx
Hardening • Reload the linux kernel • Lots of time and effort
Operation Stux2bu • Attack 1 • No security, reboot with lock-out capability • Responds to Telnet only • Attack 2 • With security, MAC Spoofing, Attack 1 • Attack 3 • Jamming the signal • Attack 4 • Floss...in the rotors
Sources • http://www.shellware.com/BlogEngine.Web/post/2011/02/12/ARAssist-Infrastructure-Wi-Fi-Enabling-Your-ARDrone-Made-Easy.aspx • http://www.lawfareblog.com/2012/09/operation-stux2bu-layered-offense-and-defense-and-drone-cyberattacks/ • https://www.robotappstore.com/Knowledge-Base/How-to-Program-ARDrone-Remotely-Over-WIFI/96.html • http://www.libcrack.so/2012/10/13/hacking-the-ar-drone-parrot/ • http://dronemediaproject.com/resources-3/drone-hack/ • http://dronescapes.com/dronepage3.html • http://droneflyers.com/2013/02/ar-drone-modifications/