Hacking Drones



    It is very strange that hacker conferences have had just one and a half talks on hacking drones.
    I dug around and put together a selection of all the available hacking cases, both military and civilian.

    Some facts:
    • Today, more than 70 countries produce unmanned aerial vehicles (drones) for the needs of the army, police, the Ministry of Emergencies, etc.
    • 127,000 drones sold on eBay from March 2014 to February 2015
    • The military now has about 20,000 drones


    10 real and 2 invented cases of drone hacking. (I would be grateful for the additions)

    2009


    Location: Iraq, Afghanistan
    Model: Predator unmanned aircraft (US $ 4.03 million, 2010)
    Hacker: Iraqi hackers
    Vulnerability: data transmission channel from the UAVs to the ground-based control center

    The Wall Street Journal

    The US military in Iraq first encountered captured video in 2008, when a rebel was taken prisoner whose laptop held images obtained from American drones. In the summer of 2009, computers holding several hours of UAV video recordings were also discovered.

    According to the newspaper, citing senior military and intelligence officials, the rebels exploited unprotected UAV communication channels to capture the video. They used software such as SkyGrabber, which can be bought over the Internet for only $25.95.

    SkyGrabber, according to the description of the Russian manufacturer SkySoftware, "receives and processes the traffic transmitted from the satellite, extracts files from it and saves them to your hard disk in accordance with the configured filters."

    News on Lenta.

    2011


    Location: Iran
    Model: RQ-170 Sentinel
    Hacker: Persian specialists
    Vulnerability: GPS-spoofing
    Who will plant it? He is a monument

    Iran gave the media a press release announcing the successful interception of an American RQ-170 Sentinel unmanned aerial vehicle. Among the versions of how the device was intercepted, one involved special electronics that jammed the GPS satellite signal and replaced it with its own. As a result, the drone, guided automatically by the global navigation system, began to return home. Since the true satellite signal was drowned out by a false one, the RQ-170 landed on an Iranian airfield, taking it for its "native" one. However, this is only a version, although a quite plausible one. The first reports of this method of interception came soon after the press release was published, and they were made with reference to a certain Iranian engineer,


    Proof video





    The Iranians are constantly trolling the Americans. First they wanted to mass-market toy RQ-170 Sentinels at a scale of 1:80, and in 2014 they built a full-size copy.

    Article on Habr discussing the possibility of hacking the RQ-170's GPS system

    News on Lenta.

    2012


    Location: Moscow, PHD
    Model: AR.Drone
    Hacker: Sergey Azovskov aka LAST_G
    Vulnerability: vulnerability of a mobile application


    Under the rules of the competition, the organizers launched a miniature aircraft controlled from a smartphone over a Wi-Fi network. Participants were invited to connect to the drone using their own programming knowledge, deprive the organizers of the ability to control the device, and switch control to their own smartphone. According to Azovskov, taking control of the drone away from the organizers did not cause serious difficulties.

    “Problems arose with the mobile application that is used to control the drone. I downloaded it, installed it, and then it turned out that it works with errors that had to be fixed,” Sergei Azovskov told RIA Novosti.





    Location: Texas
    Model: Helicopter for watering
    Hacker: Todd Humphreys
    Vulnerability: GPS spoofing

    In 2012, American scientists from the University of Texas at Austin proved that it is practically possible to hack and take over control of a UAV by GPS spoofing.
    GPS spoofing can only be carried out against devices that use the unencrypted civil GPS signal.
    (+ $1,000 to the scientists)

    A GPS spoofing attack attempts to deceive a GPS receiver by broadcasting a signal slightly more powerful than the one received from the GPS satellites, made to resemble a set of normal GPS signals. These simulated signals are modified so that the receiver determines its location incorrectly, taking it to be the one the attacker sends. Because GPS systems measure the time it takes a signal to travel from a satellite to the receiver, successful spoofing requires the attacker to know exactly where the target is, so that the simulated signal can be structured with the proper signal delays. The attack begins by broadcasting a slightly more powerful signal that indicates the correct position, and then slowly deviates toward the position set by the attacker, because moving too fast causes the receiver to lose signal lock, at which point the spoofer works only as a jammer. One version of the capture of the American Lockheed RQ-170 drone in northeastern Iran in December 2011 is that it was the result of such an attack.

    GPS spoofing had been predicted and discussed in the GPS community before, but no known example of such a malicious spoofing attack has yet been confirmed.
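
    The slow drag-off described above is why a receiver-side check has to look at accumulated disagreement rather than single jumps. The sketch below is an added example, not code from the original article or from the Texas team; the `Fix` record, the thresholds and the flight data are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Fix:
    t: float     # time, s
    e: float     # GPS east position in a local frame, m
    n: float     # GPS north position, m
    ve: float    # east velocity from inertial sensors, m/s
    vn: float    # north velocity from inertial sensors, m/s
    cn0: float   # mean carrier-to-noise density, dB-Hz

def detect_spoofing(fixes, jump_m=10.0, drift_m=15.0, cn0_step_db=3.0):
    """Return {reason: first alert time}. Thresholds are illustrative assumptions."""
    alerts = {}
    dr_e, dr_n = fixes[0].e, fixes[0].n   # dead-reckoned position, seeded from first fix
    base_cn0 = fixes[0].cn0
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        dr_e += prev.ve * dt
        dr_n += prev.vn * dt
        # 1. Fix-to-fix jump beyond what the measured velocity explains.
        jump = math.hypot(cur.e - prev.e - prev.ve * dt,
                          cur.n - prev.n - prev.vn * dt)
        # 2. Accumulated gap between GPS and dead reckoning (catches slow drag-off).
        gap = math.hypot(cur.e - dr_e, cur.n - dr_n)
        # 3. Step rise in signal strength: the slightly more powerful signal.
        rise = cur.cn0 - base_cn0
        for reason, hit in (("fix_jump", jump > jump_m),
                            ("ins_gps_divergence", gap > drift_m),
                            ("cn0_step", rise >= cn0_step_db)):
            if hit:
                alerts.setdefault(reason, cur.t)
    return alerts

def constructed_flight():
    """Constructed data: 5 m/s eastbound; from t=20 s a stronger signal
    drags the reported position north at 0.5 m/s."""
    return [Fix(float(t), 5.0 * t, 0.5 * max(0, t - 20), 5.0, 0.0,
                44.0 if t < 20 else 48.0) for t in range(61)]

if __name__ == "__main__":
    print(detect_spoofing(constructed_flight()))
```

    On this constructed flight the per-fix jump check never fires, which is the point of the slow deviation; the signal-strength step and the accumulated divergence do.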

    University helicopter spoofing:



    2013


    Model: AR.Drone
    Hacker: Samy Kamkar
    Method: Aircrack-ng, a Raspberry Pi installed on the drone, a WiFi transmitter and receiver:


    In his video, Kamkar said that he used the Aircrack-ng utility to break into the wireless network, and that the quadcopters could be detected on the network by the characteristics of their MAC addresses. All quadcopters of this type have addresses of the same kind, which makes it possible to distinguish them from other wireless devices.

    Kamkar writes in his blog:
    “How fun it would be to seize the drone delivering the packages of Amazon, or any other drone and make them your own zombie army. Sumptuously."


    SkyJack monitors the MAC addresses of Wi-Fi networks within signal range, then uses its own drone to block them and disconnect the iOS or Android device that was controlling the target. After that, the hacker can control the drone's direction, speed and altitude, and receive images from its cameras.
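
    From the defender's side, the sequence described above (the controller is knocked off the drone's network, then a different device takes its place) leaves a recognizable trace in a monitor-mode capture. The detector below is an added example, not part of the original article or of SkyJack; the log format, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed monitor-mode capture: "<time_s> <frame_type> <src_mac> <dst_mac>".
# ...:d0 is the drone's access point, ...:c1 its controller (all MACs made up).
CAPTURE = """\
10.00 data      02:00:00:00:00:c1 02:00:00:00:00:d0
11.00 deauth    02:00:00:00:00:a9 02:00:00:00:00:c9
11.50 assoc_req 02:00:00:00:00:c9 02:00:00:00:00:a9
20.00 deauth    02:00:00:00:00:d0 02:00:00:00:00:c1
20.05 deauth    02:00:00:00:00:d0 02:00:00:00:00:c1
20.10 deauth    02:00:00:00:00:d0 02:00:00:00:00:c1
20.15 deauth    02:00:00:00:00:d0 02:00:00:00:00:c1
20.20 deauth    02:00:00:00:00:d0 02:00:00:00:00:c1
22.40 assoc_req 02:00:00:00:00:ee 02:00:00:00:00:d0
"""

def detect_takeover(log, burst=5, window_s=1.0, follow_s=10.0):
    """Return (ap, evicted_client, new_client, time) tuples: a deauth burst
    against a client of `ap`, followed by a different station associating."""
    recent = defaultdict(deque)   # (ap, client) -> times of recent deauth frames
    evicted = {}                  # ap -> (client, time the burst was seen)
    findings = []
    for line in log.strip().splitlines():
        t, ftype, src, dst = line.split()
        t = float(t)
        if ftype == "deauth":     # frames carrying the AP's address as source
            q = recent[(src, dst)]
            q.append(t)
            while q and t - q[0] > window_s:
                q.popleft()
            if len(q) >= burst:   # a lone deauth is normal; a burst is not
                evicted[src] = (dst, t)
        elif ftype == "assoc_req" and dst in evicted:
            client, when = evicted[dst]
            if src != client and t - when <= follow_s:
                findings.append((dst, client, src, t))
                del evicted[dst]
    return findings

if __name__ == "__main__":
    print(detect_takeover(CAPTURE))
```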


    Defcon 21 - Phantom Network Surveillance UAV / Drone
    Model: Phantom
    Hacker: Ricky Hill
    Method: Wi-Spy spectrum analyzers and WiFi Pineapple:



    2014


    Location: United States
    Drones: Parrot AR.Drone and DJI Phantom
    Hackers: hosts of the Hak5 YouTube channel
    Method: WiFi Pineapple

    WiFi Pineapple is a product of enterprising Americans who ordered from the Chinese a Wi-Fi router with two wireless interfaces and one wired one, wrote OpenWRT-based firmware for it, and stuffed it with utilities for hacking, intercepting and analyzing traffic.

    The presenters fastened the WiFi Pineapple to the DJI Phantom and then chased the AR.Drone and knocked it out.



    Explains:






    Anti-drone system

    A failed project on Kickstarter

    The Personal Drone Detection System could protect you from neighbors spying on you with drones.

    The locator equipment detects a flying device approaching within a radius of 15 m, across a range of fixed operating frequencies from 1 MHz to 6.8 GHz. In appearance, the system most resembles a large Wi-Fi router (the individual devices of the Personal Drone Detection System communicate with each other over Wi-Fi) plus several “walkie-talkies”, each of which is a sensor for detecting malicious buzzing devices. The system detects the latter as sources of electromagnetic radiation moving in space.

    The main control module can interact with the “portable locators” at a distance of up to 61 m. You just have to place two sensors around the perimeter of the house, use the command controller and synchronize them with the anti-drone control module. You will be notified of an approaching drone by a sound signal and by a notification sent to your personal mobile device.

    "Avtobaza"
    Russian "jammers". According to some reports, they have turned up in drone interceptions.



    In addition to PVC windows and light fixtures, Kvant produces powerful noise jamming stations, ground-based active jamming stations, and Avtobaza ground-based radio intelligence systems.

    2015


    Hacker: Rahul Sasi
    Target: Parrot AR.Drone 2.0 and DJI Phantom
    Vulnerability: ARM Linux

    Sasi reverse-engineered the AR.Drone's proprietary program.elf binary.

    The researcher claims that a “combined” attack using Maldrone and Skyjack would make it possible to intercept multiple targets and thus create a whole squadron of zombie drones. Given the growing interest in civilian UAVs from corporations such as DHL and Amazon, the picture is truly sinister. In addition, using Maldrone, an attacker can not only hijack the drones themselves but also spy through the built-in cameras, intercepting video traffic from the attacked devices.

    “After my malware attacks the controllers, the engines stop and the drone starts to fall down with a brick,” the researcher explains. “However, the backdoor instantly takes control, and if the height is really big, there is enough time to avoid a fall.”



    The Maldrone virus (short for Malware Drone), developed by Sasi, is able to take control of this program and move the drone in any direction, potentially hijacking it from the owner.

    The disadvantage of Maldrone is that it takes a few moments to switch the control of the device’s navigation ports to itself. During this “interception”, the drone control is turned off and it falls vertically down, so it can crash if it is not high enough.

    Create a backdoor:

    The drone controller program.elf interacts with the navigation board using the ports:

    /dev/ttyO0 -> rotors and leds
    /dev/ttyO1 -> Nav board
    /dev/ttyPA1 -> Motor driver
    /dev/ttyPA2 -> accelerometer, gyrometer, and sonar sensors
    /dev/video0 ->
    /dev/video1 -> video4linux2 devices
    /dev/i2c-0
    /dev/i2c-1
    /dev/i2c-2
    /dev/usb-i2c

    Maldrone Idea.

    Step 1: Kills program.elf
    Step 2: Setup a proxy serial port for navboard and others.
    Step 3: Redirect actual serial port communication to fake ports
    Step 4: patch program.elf and make it open our proxy serial ports.
    Step 5: Maldrone communicates to serial ports directly

    Now all communication from the navigation board goes through Maldrone. The backdoor can intercept and modify data on the fly and connect to a bot server.
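
    The steps above leave a visible side effect on the drone's Linux: the controller no longer holds the real serial ports, and some other process does. The audit below is an added example, not code from the article or from the researcher; it assumes a `/proc` layout with per-process `exe` and `fd` symlinks, and the process name `proxy` and all paths in the constructed snapshot are hypothetical.

```python
import os
import tempfile

# Serial ports the page lists for program.elf.
SERIAL_PORTS = ["/dev/ttyO0", "/dev/ttyO1", "/dev/ttyPA1", "/dev/ttyPA2"]

def audit_serial_ports(proc_root="/proc", controller="program.elf"):
    """List deviations from 'only the controller holds the serial ports'."""
    holders = {}            # port -> names of processes that have it open
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            name = os.path.basename(os.readlink(os.path.join(base, "exe")))
            fd_dir = os.path.join(base, "fd")
            targets = {os.readlink(os.path.join(fd_dir, fd))
                       for fd in os.listdir(fd_dir)}
        except OSError:     # process exited, kernel thread, or access denied
            continue
        for port in targets.intersection(SERIAL_PORTS):
            holders.setdefault(port, set()).add(name)
    findings = []
    for port in SERIAL_PORTS:
        names = holders.get(port, set())
        if controller not in names:
            findings.append(f"{controller} does not hold {port}")
        for other in sorted(names - {controller}):
            findings.append(f"{port} is held by {other}")
    return findings

def constructed_proc(compromised):
    """Build a constructed /proc stand-in in a temp dir and return its path."""
    procs = {"100": ("/bin/program.elf", SERIAL_PORTS)}
    if compromised:  # controller moved onto proxy ports, another process on the real ones
        procs = {"100": ("/bin/program.elf", ["/dev/pts/0", "/dev/pts/1"]),
                 "200": ("/tmp/proxy", SERIAL_PORTS)}
    root = tempfile.mkdtemp()
    for pid, (exe, targets) in procs.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        os.symlink(exe, os.path.join(root, pid, "exe"))
        for i, target in enumerate(targets):
            os.symlink(target, os.path.join(root, pid, "fd", str(i)))
    return root

if __name__ == "__main__":
    for state in (False, True):
        print(state, audit_serial_ports(constructed_proc(state)))
```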

    Sasi invited everyone to the conference, where he promised to give details, but there has been no news since. Only the presentation is available.

    2018


    DARPA launches unbreakable drones.


    DARPA project manager Kathleen Fisher talks about 2 cases of “hijacking” of military drones (2009 and 2011), and then a “hacker” clicks a button and breaks the “Toffee”.


    2050


    There is little data, but it is known that:
    • a) drones fly
    • b) they are fully crackable, despite the best efforts of DARPA
    • c) hackers hunt for batteries
    • d) the interface is a little strange
    • e) laptops from DELL rule





    Remember that in the glove compartment of a normal farmer (astronaut), next to the spare wheel, there is always a directional antenna and a laptop stuffed with software. What if a drone?



    BlackHat PDA
    Similar gadgets will appear soon, but for now we are training in the simulator.
    This thing hacks quadcopters, drones and real helicopters with equal ease.
    Oh yes, it can also hack electronics (guns, mines, etc.) through walls. There is no harm in dreaming.



    P.S.
    I asked my friends from CopterTime.ru about hacks; they bring the latest quadcopters to Moscow almost ahead of everyone else, and they have their own workshop, very much like a hackerspace for drones.
    They told me how you can "hack" the Naza controller, namely how to upgrade the older Naza Lite ($170) to the newer Naza V2 ($300):


    The fact is that DJI locked the bootloader on the Naza-M Lite so that it simply would not load the update. Then craftsmen figured out what was going on and launched the naza-upgrade.com project, where you can download software that lets you upgrade the controller in a couple of clicks.

    The upgrade includes optimized algorithms for GPS positioning and altitude hold, the ability to connect peripherals via Bluetooth, octocopter support, etc.

    Video upgrade manual:



    The flagship of civilian drones: DJI Inspire 1
    Such a drone costs $3,000 in the US and flies for 18 minutes, yet it can fly 13 km (6.5 km one way); that is a world record, set with a signal amplifier on the remote control. With a conventional transmitter, control holds out to 2 km. So it is quite possible to hijack such a copter: it flies at 22 m/s, so the owner, even if he has a bat ready for such cases, is unlikely to catch up with it.

    (Read all the technical specifications of the DJI Inspire 1.)
    I can imagine a minivan driving around in the future (not an Avtobaza, of course), stuffed with equipment (Pineapples, Ubertooths, HackRFs, jammers, etc.), stealing not mopeds but drones.



    Video with a world record of a flight range of 13.357 meters:



    P.P.S.
    Targets for hacking (click for a larger picture):

