CODE BLUE 2014 : Drone attack by malware and network hacking by DONGCHEOL HONG
Confidential to SEWORKS Copyright ©2014 SEWORKS Inc. All rights reserved.
SEWORKS INC. CTO
WOWHACKER TEAM
Dongcheol Hong
(hinehong)
Speaker Bio
• SEWORKS Inc. Chief Technology Officer
- Develops the Anti-Decompiler and Anti-Reverse Engineering Tool
for Android and Unity applications.
• WOWHACKER Admin.
- Qualified for DEFCON CTF hacking contest finals five times.
- Organized SecuInside, CodeGate, ISEC hacking contests.
• Made Android and Windows mobile antivirus applications in 2009.
• Presented at many security conferences such as SecuInside and HITCON.
Dongcheol Hong - SEworks.Inc
Abstract
• Drone systems are being used more and more frequently around the world.
• A drone could be used to hack into other computers or devices.
• We can infect the AR.Drone 2.0 with malware called “HSDrone”, spread the
malware to other drones, and control all of them.
Drone hacking
• Network
- RC : Radio controller
- WIFI : smart device
• Malware
- Smart application
- Drone executable file
• GPS or Gyro Sensor jamming
RC
• 2.4GHz 3 or 4CH
• NEC format
- [Leader Code][Custom Code][Data Code]
- Leader Code : Initialization of a signal
- Custom Code : Identifies a specific device
- Data Code : Execution code
• ZigBee protocol
ZigBee
• One of the sensor networks
• Security support
• Encryption : AES-CCM* 128
• Standard : 802.15.4
- No Security
- AES-CBC-MAC-32 ~ 128 : Message Authentication
- AES-CTR : Encryption Only
- AES-CCM-32 ~ 128 : Message Authentication & Encryption
WIFI
• Recent drone systems use WIFI connections, which are now widely used.
• A WIFI connection is convenient, but its security needs to be
reconsidered.
program.elf
• /bin/program.elf is an important file.
• The motors will not function if the program.elf process is killed by /bin/kk
Serial connect
• UART : Target host pc communication.
• If the drone does not support ftp or telnet, a serial connection has to be used.
• It was broken 3 times, because of a wrong connection.
Pairing
• AR Drone has a pairing system for security.
• Android phones support pairing mode. The iPhone does not support it.
• The default Pairing setting is “off”.
[Figure panels: iPhone, Android]
AR. Drone
• Parrot AR. Drone is a widely used drone around the world.
• Can be connected through smart devices.
• Can be controlled over a WIFI connection with a smart device.
How to infect drone 1
Smart Device to Drone
1. A fake app can infect the drone.
2. An attacker can infect it from a smart device within the drone's network area.
[Diagram labels: Infect, Drone, Drone malware]
How to infect drone 2
Drone to Drone
• Normal drones will be infected if an infected drone enters the normal drone’s network area.
[Diagram labels: Infected Drone’s network area, Impacted Drone, Normal Drone, Normal Drone’s network area, Infect]
Activity
[Diagram labels: Infected Drone’s network area, Impacted Drone, Normal Drone, Normal Drone’s network area; 1. Malware copy, 2. Motor stop]
1. Copy and replicate itself
2. Shutdown
3. Other actions such as GPS, DNS Pharming
Controller App modification
• Recently, many Android apps have been modified by crackers.
• AR. Drone 2.0 can be controlled by a smartphone app.
• A cracker modifies the control app and uploads it to the internet.
• Medium of spread – internet, SMS, e-mail, market, etc.
• The drone is infected when a person uses the fake app.
Controller App modification
• We can modify and repackage applications with a freeware tool called Apktool.
Scanning
• Change the network to “managed” mode.
• The drone repeatedly scans for other drones using the fork function.
Action
• Repeat the scan until the attacker drone finds other drones.
• Connect to the AR.Drone’s AP if found.
• FTP upload itself.
• Telnet connection.
• Permission setting (execute).
• Boot setting.
AT Commands
• Drone commands are sent over UDP port 5556
AT*PCMD_MAG=21625,1,0,0,0,0,0,0<CR>AT*REF=21626,290717696<CR>
AT*PCMD_MAG=xx,xx,−1085485875,xx,xx,xx,xx.
tcpdump
• Install tcpdump on the drone.
• We can capture the network packets after that.
• 192.168.1.5 is the controller’s IP.
Configuration
• Altitude max : the drone can fly up to 100000 (which is 100 meters from the
ground)
• We can fly to some GPS location with no obstacle
AT*CONFIG=605,"control:altitude_max","3000"
AT*CONFIG=605,"control:altitude_max", "100000"
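For anyone monitoring the UDP 5556 channel described on the AT Commands, tcpdump and Configuration slides, the following added example (not code from the talk or from Parrot) parses captured AT commands and flags ones that arrive from an unexpected sender or raise altitude_max above a policy ceiling. The function names, the second sender address and the 3000 ceiling are assumptions made for illustration; the float decoding assumes the AR.Drone convention of sending floats as 32-bit integers with the same bit pattern.

```python
import re
import struct

CONTROLLER_IP = "192.168.1.5"   # controller address from the tcpdump slide
AT_RE = re.compile(r"AT\*(\w+)=(\d+)(?:,(.*))?$")

def parse_at(payload):
    """Split one UDP 5556 payload into (name, sequence, [args]) tuples."""
    commands = []
    # Commands are <CR>-terminated; normalise a typographic minus from slides.
    for line in payload.replace("\u2212", "-").split("\r"):
        m = AT_RE.match(line.strip())
        if m:
            name, seq, rest = m.groups()
            args = [a.strip().strip('"') for a in rest.split(",")] if rest else []
            commands.append((name, int(seq), args))
    return commands

def int_to_float(value):
    """Assumption: float arguments travel as the signed 32-bit integer that
    shares their IEEE-754 bit pattern, so reinterpret the bits."""
    return struct.unpack("<f", struct.pack("<i", int(value)))[0]

def audit(packets, expected_src=CONTROLLER_IP, ceiling_mm=3000):
    """Flag commands from unexpected senders and altitude_max above policy."""
    findings = []
    for src, payload in packets:
        for name, seq, args in parse_at(payload):
            if src != expected_src:
                findings.append((src, seq, f"{name} from unexpected source"))
            if (name == "CONFIG" and len(args) == 2
                    and args[0] == "control:altitude_max"
                    and args[1].isdigit() and int(args[1]) > ceiling_mm):
                findings.append((src, seq, f"altitude_max {args[1]} exceeds {ceiling_mm}"))
    return findings

# Constructed capture: (source IP, payload). 192.168.1.9 is a made-up second sender.
SAMPLE = [
    ("192.168.1.5", "AT*PCMD_MAG=21625,1,0,0,0,0,0,0\rAT*REF=21626,290717696\r"),
    ("192.168.1.5", 'AT*CONFIG=605,"control:altitude_max","3000"\r'),
    ("192.168.1.9", 'AT*CONFIG=605,"control:altitude_max", "100000"\r'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(round(int_to_float("-1085485875"), 3))
```

The integer in the slide's AT*PCMD_MAG line decodes to a float of about -0.8, which is why raw captures of this channel look like opaque integers until they are reinterpreted.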
GPS
- AR. Drone 2.0 supports GPS.
- If we select a GPS point on the smart device, the drone will move to the
requested place.
- The user can send the drone back to the registered GPS "home" by pressing the
"home" button.
- Infected drones will come to my real home if there isn’t any obstacle.
DNS Pharming
No encryption, default password
Access administrator mode from wireless
• Drones can change the DNS of some vulnerable APs during flight.
episode1
• The malware replicated itself like a worm and somehow destroyed the bootloader,
bricking two drones.
• I tried serial communication using UART in order to repair the bricked drones, but
the devices were not even able to boot up.
• UART does not work when UART ports are misconfigured. I replaced it once
because the UART itself was a problem, and replaced it again because the UART was
broken by wrong ports.
• One drone was bought in Korea and the other drone was bought in another
country. The problem was that I was able to get a free replacement for the
drone which was bought in Korea, but I had to pay for the mainboard of the
drone which was bought outside Korea, since it does not support any A/S. I paid
170$ overall.
episode2
• After the malware replicated itself, the network configuration broke. I was
not able to control the drone at the end.
• I had to wait for the drone to drain its battery since it was out of control.
(The drone works properly for around 10 minutes.)
Result
• Drone malware (HSDrone that I’ve made) can spread through wireless
networks.
- Smart Device to Drone
- Drone to Drone
• It can control other drones with UDP network commands.
• The malware can attack APs with DNS Pharming.
• Drone malware like this could spread and attack your computers,
APs, smart devices, drones, and everything in the future.
• It is dangerous: a drone has the advantage of physical distance when
carrying out the attack.